October 09, 2004

SANS - top 20 solutions confirms no solution for phishing yet!

Reading the new SANS list of top 20 vulnerabilities leaves one distinctly uncomfortable. It's not that it is conveniently sliced into top 10s for Unix and Microsoft Windows; I see that as a practical issue when so much of the world is split so diametrically.

The bias is what bothers. The Windows side is written with excruciating care to avoid pointing any blame at Microsoft. For example, wherever possible, general cases are introduced with lists of competing products before concentrating on how the problem afflicts Microsoft products in particular. Also, the word Microsoft appears only with positive connotations: you have this Microsoft security tool, whereas you have a buggy Windows application.

One would think that such a bias is just a reflection of SANS' use of institutions and vendors as the source of its security info. For example, "p2p file sharing" is now alleged to be a "vulnerability" which has to be a reflection of the FBI responding to the RIAA over falling sales of CD music.

But what did strike me as totally weird was that phishing wasn't mentioned!

Huh? Surely there can't be a security person on the planet who hasn't heard of phishing and realised that it's one of the top serious issues? Why would SANS not list it as a vulnerability? Is the FBI too busy worrying about Hollywood's bottom lines to concentrate on theft from banks and other payment operators?

The answer is, I think, that the list only includes stuff for which there is a solution. Looking at the website confirms that SANS sells solutions. Scads of them, in fact. Well, it can't sell a solution for phishing because ... there isn't a solution to be sold. Not yet, at least.

Which is to say that the list is misnamed: it's really the top 20 solutions we can sell you. SANS says they are "The Trusted Source for Computer Security Training, Certification and Research", and it's unlikely that they can instill that trust in their customers if they teach about a vulnerability they can't also solve.

No doubt they are working on one, as are hundreds of other security vendors. But it does leave one wondering how we go about securing the net when security itself is coopted to other agendas.

Posted by iang at October 9, 2004 07:51 AM

Phishing is not a vulnerability. It is the utilization of vulnerabilities to exploit a technical platform to enable using social engineering to obtain identifying authorization information in order to leverage systemic flaws in the financial system.

Every vulnerability that enables the creation of zombies is a phishing vulnerability.

But the real phishing vulnerability is our completely broken identity system - the social security number and its use.

Hmmmm. If phishing were legal it would be subject to a business method patent.

Posted by: Jean at October 13, 2004 05:30 PM

Thanks for posting! I don't disagree with what you say, but bear in mind that your pov there applies more or less equally to many of the other categories in the list. SANS have lost any sense of precision, presumably in the fight to keep their sponsors and lawyers happy, so the list is like any coopted player's pronouncements.

For example, look at "W9 Mail Clients." What are they saying there if it's not that email allows potentially harmful messages (viruses, spams, email checks) to be introduced into a user's computer? And what's that if not a description of a systemic flaw in our system of identity and mail communications?

Where phishing should be listed is in W6 Web Browsers, IMHO. Phishing is an attack on the secure browser, which is the one constant between the phisher and the user (not email). It is that security model that is breached in convincing the user that she is on some secure banking site.

Posted by: Iang at October 13, 2004 06:13 PM