web application security lab

Statistical Probabilities of Time Coordination

A few weeks ago I saw three cops on the same stretch of road that I normally see none. They were all hiding in their typical speed trap stance, waiting for the next unlikely victim to hit the gas. I had to think for a second why they would suddenly be patrolling so heavily, and then it occurred to me - yup, it’s the end of the month and the cops have to make their quotas. Just like lots of systems, even the cops have phases, and those phases can be calculated. For instance there is less likelihood that a cop will be patrolling at noon than at midnight. It got me thinking about computer security.

When May 6th hit (6/6/6) there was a lot of speculation that there would be some sort of attack against the global network by a band of hell bent hackers. So, everyone went on full alert, and every security operations person was on call. What happened? A fat lot of nothing. Maybe there were a few isolated incidents, but no more than normal. If you were an attacker you’d have to be retarded to attack when the target is being as vigilant as possible.

So there I was, narrowly avoiding my third speeding ticket in a row that day, and I got to thinking, there really is no difference between cops and security operations personnel. SOC staff work normal hours (9-5 in Silicon Valley) and you might have one or two working 24/7 on certain ultra mission critical systems, but generally these are also your NOC staff that work the graveyard shifts and are less likely to be aware of the issues at hand to make an informed decision.

So when is the best time to attack? Logic would tell you that the evenings of major holidays are probably the most likely time, when the fewest people are around or even within cell phone range. People are more likely to be on vacation during the summer. There is next to no one in the offices between 9PM and 5AM. There are even fewer during those times on the weekends. If you are attacking a highly Christian organization, Sunday mornings are a prime time. An Islamic organization should be targeted during Friday prayers, and so on.

The statistical likelihood of being detected goes down significantly if you take these factors into account. Of course, automation (like IPS devices) is paving the way to making this sort of thing far less likely. But this doesn’t just apply to attacks per se. What about search engine spamming? When Matt Cutts from Google went on vacation the spammers did a countdown of how long they had until he returned. What about email spam? It is well known that spamming Monday nights is the most effective time to spam, so that Tuesday morning, the user’s inbox’s first email will be a nice juicy spam.

Of course you have to take the timezone of the target into account, if it is critical to deliver the payload at a particular time of day, but in the case of police officers, it can be on monthly swings. In the case of security operations, it can be yearly swings like the Christmas holidays, or in the case of teachers you have summer vacations. These subtle variances can dramatically decrease your likelihood of being caught.

But what if your goal isn’t to be caught, but rather to have the maximum effect of payload delivery? Let’s go back in time to 1995-1996. There was a small group of people that built a website called HP Bug of the week. Every Friday night they would release a new buffer overflow in HP/UX. They did it for weeks on end, which caused the security operations and development and QA staff for HP to stay the entire weekend trying to verify the vulnerabilities, fix, QA and release patches. The same is true with viruses. There are definite times of day that are more likely to have damaging effects on propagation (start early in the morning, Japan time and watch it follow the globe as more and more computers turn on as it becomes daytime around the globe).

It’s an interesting anomaly of human existence that follows itself into the online world.
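As an added example (not part of the original post): a defender can measure this time-of-day effect in their own alert data by comparing how long alerts wait for acknowledgement inside and outside staffed hours, evaluated in the SOC's local time rather than UTC. The fixed UTC-8 offset, the Mon-Fri 9-5 shift window and the sample alerts are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone
from statistics import median

# Assumptions, not from the post: SOC local time is a fixed UTC-8 offset
# (DST ignored) and analysts are on shift Mon-Fri, 09:00-17:00 local.
SOC_TZ = timezone(timedelta(hours=-8))
STAFFED_DAYS = range(0, 5)     # Monday=0 .. Friday=4
STAFFED_HOURS = range(9, 17)   # 09:00 up to, not including, 17:00

# Constructed sample data: (alert raised, alert acknowledged), both UTC.
ALERTS = [
    ("2024-03-04T18:05:00", "2024-03-04T18:11:00"),  # Mon 10:05 local
    ("2024-03-05T22:30:00", "2024-03-05T22:34:00"),  # Tue 14:30 local
    ("2024-03-06T07:15:00", "2024-03-06T17:20:00"),  # Tue 23:15 local
    ("2024-03-09T20:00:00", "2024-03-11T17:02:00"),  # Sat 12:00 local
    ("2024-03-10T11:40:00", "2024-03-11T17:10:00"),  # Sun 03:40 local
    ("2024-03-08T00:30:00", "2024-03-08T00:45:00"),  # Thu 16:30 local
]

def parse_utc(text):
    return datetime.fromisoformat(text).replace(tzinfo=timezone.utc)

def is_staffed(ts_utc):
    """True if the UTC timestamp falls inside staffed hours in SOC local time."""
    local = ts_utc.astimezone(SOC_TZ)
    return local.weekday() in STAFFED_DAYS and local.hour in STAFFED_HOURS

def coverage_report(alerts):
    """Median minutes-to-acknowledge, split by whether staff were on shift."""
    delays = {"staffed": [], "unstaffed": []}
    slowest = (0.0, None)
    for raised_s, acked_s in alerts:
        raised, acked = parse_utc(raised_s), parse_utc(acked_s)
        minutes = (acked - raised).total_seconds() / 60
        delays["staffed" if is_staffed(raised) else "unstaffed"].append(minutes)
        if minutes > slowest[0]:
            slowest = (minutes, raised.astimezone(SOC_TZ).strftime("%a %H:00"))
    report = {k: {"alerts": len(v), "median_ack_min": median(v) if v else None}
              for k, v in delays.items()}
    report["slowest_local_slot"] = slowest[1]
    return report

if __name__ == "__main__":
    for key, value in coverage_report(ALERTS).items():
        print(key, value)
```

A large gap between the two medians marks the windows where automated response or an on-call rotation would shorten exposure most.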

3 Responses to “Statistical Probabilities of Time Coordination”

  1. netsecurity Says:

    This is a lot like the way MicroSloth does the tracking for WMP when you turn off the GUID. They put in a time stamp that is measured to 100 nanoseconds. Granted, the system clock is not all that accurate, but how many people put WMP into play at a time? A little statistical correlation and, bingo!, they can track your tastes in whatever WMP plays.


    Also see: for another variation of the same invasion of privacy.

  2. RSnake Says:

    Ugh, that’s funky, I hadn’t heard that one, but it makes complete sense. It’s trivial enough to add and to your Windows hosts file so that data isn’t sent anywhere. I wonder how many people do that. Not many is my guess.

  3. MERLiiN Says:

    Just a quick heads up, May 6 is actually 6/5/6 or 5/6/6 depending on how you write your dates :)