June 14, 2005

A hand of Pennies

Adam points at the Underhanded C Contest. This is a good idea - write some C which is totally readable but does something underhanded. This year's challenge is to do some basic image processing but to conceal a fingerprint in the image you spit out.

I don't know whether this will work or not but it will be fun to see a new generation of hackers try (I'm too old for such tight, elegant and introverted code). Any bets as to whether the contest sponsors are in the DRM camp or the anti-DRM camp?

More news of techies fighting back to get some respect. Dbourse / Slashdot / LA Times says the $100,000 Poker Bot Tournament is now ON! Tickle your PRNGs, tune and prune those search trees, limber up those card dealing digits.

| $100,000 Poker Bot Tournament                                      |
|   from the upped-my-bet-now-up-yours-robot dept.                   |
|   posted by timothy on Sunday June 12, @21:28 (Programming)        |
|   http://games.slashdot.org/article.pl?sid=05/06/12/2326207        |
[0]Costa Galanis writes "The LA Times is reporting that a poker tournament will be held where engineers will be able to [1]pit their automatic poker-playing programs against each other in a tournament similar to the upcoming World Series of Poker main event, with a 100,000 dollar cash prize for the winning program. The article mentions how the recent rise in popularity of poker has encouraged many to try and create the poker equivalent of chess' Big Blue, the chess playing computer program that defeated the world's top chess player in a widely publicized event, and also talks about how many engineers also are trying to make bots that are good enough to play and beat human players for money in online casinos." Discuss this story at:
0. mailto:cgalanis@gmail.com
1. http://www.latimes.com/news/printedition/la-fi-pokerbots12jun12,0,6050364.story?track=mostemailedlink

Bruce Schneier reports in this month's Cryptogram that "Sudanese currency is printed on plain paper with very inconsistent color and image quality, and has no security features -- not even serial numbers. How does that work? Because anyone who counterfeits will be put in front of a firing squad and shot." This link doesn't check out the story, but FC historians will recall that forgery was kept to basically zero in the Scottish banking period by two rules: any forged note would be paid out in full by the bank if you cooperated with their investigation, and when they found the forger they hanged him.

More links in Cryptogram point to info on the T-Mobile hack - it was mostly social engineering. Also a fascinating and learned article on phishing from the Honeypot projects - I learnt some good stuff in there. Check out this corker of an observation:

"Parallel phishing operations are also indicated by the timing of the first inbound HTTP request for phishing content after the UK honeypot was compromised:

2004-07-23 21:23:14.118902 XXX.XXX.XXX.XXX -> HTTP GET /.internetBankingLogon HTTP/1.1

This inbound HTTP request to the honeypot occurred before the attackers had finished setting up the fake online banking content on the honeypot, and confirms the hypothesis that the attacker knew in advance that this server was available for use as a phishing web site. Spam messages advertising the new phishing web site were already being emailed to victims from another host, even whilst the attacker was setting up the new phishing web site."

A coordinated attack, a pincer movement! It's war out there.
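The timing inference in the quoted passage can be checked mechanically. The sketch below is an added example, not code from this post or from the honeypot paper: it parses log lines laid out like the quoted one and flags any path whose first request arrived before the content existed on disk. The deployment times, the extra log lines and the function names are constructed assumptions.

```python
import re
from datetime import datetime

# Line layout follows the honeypot excerpt quoted in the post.
LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{1,6})\s+(?P<src>\S+)\s+->\s+"
    r"HTTP (?P<method>[A-Z]+) (?P<path>\S+) HTTP/\d\.\d$"
)
TS_FMT = "%Y-%m-%d %H:%M:%S.%f"

# First line is the one quoted in the post; the rest are constructed.
SAMPLE_LOG = [
    "2004-07-23 21:23:14.118902 XXX.XXX.XXX.XXX -> HTTP GET /.internetBankingLogon HTTP/1.1",
    "2004-07-23 21:40:02.000100 192.0.2.10 -> HTTP GET /.internetBankingLogon HTTP/1.1",
    "2004-07-23 21:45:30.500000 192.0.2.11 -> HTTP GET /index.html HTTP/1.1",
    "garbled line that the parser must skip",
]
# Constructed assumption: when each file appeared on disk (e.g. from a filesystem timeline).
CONTENT_READY = {
    "/.internetBankingLogon": datetime(2004, 7, 23, 21, 31, 0),
    "/index.html": datetime(2004, 7, 20, 9, 0, 0),
}

def parse(line):
    """Return (timestamp, source, path) or None if the line does not match."""
    m = LINE.match(line.strip())
    if not m:
        return None
    return datetime.strptime(m["ts"], TS_FMT), m["src"], m["path"]

def early_requests(log_lines, content_ready):
    """Map path -> (first_seen, lead_seconds, source) for paths requested before deployment."""
    first = {}
    for line in log_lines:
        rec = parse(line)
        if rec is None:
            continue
        ts, src, path = rec
        if path in content_ready and (path not in first or ts < first[path][0]):
            first[path] = (ts, src)
    flagged = {}
    for path, (ts, src) in first.items():
        lead = (content_ready[path] - ts).total_seconds()
        if lead > 0:  # someone already knew the URL before the page existed
            flagged[path] = (ts, lead, src)
    return flagged

if __name__ == "__main__":
    for path, (ts, lead, src) in early_requests(SAMPLE_LOG, CONTENT_READY).items():
        print(f"{path}: first request {ts} from {src}, {lead:.0f}s before content existed")
```

A positive lead time means the URL was already circulating before the page was in place.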

Posted by iang at June 14, 2005 12:00 PM

> http://www.honeynet.org/papers/phishing/

I wonder about the number of *fake* honeypots out there...

If a naive friend of Ivan had a vulnerable machine tweaked to report back hijacking for the purpose of phishing, Ivan could phish the phisher's phishing, or, in other words, harvest the same data the phisher harvested through his innocent friend's machine. It would be easy for Ivan to protect his friend from prosecution by proving his machine was compromised, and highly improbable that the 'authorities' would detect 1) Ivan was deliberately monitoring the vulnerable machine 2) had harvested the harvested identity data.

Posted by: HB at June 16, 2005 07:09 AM

Too Cunning :-)

I suspect you would have to be a bit lucky and get access to the right machine; as phishing is generally a multi-phase operation, and different phases go over different machines and different channels. You wouldn't want to monitor the mail-out machines, you'd have to get the web-server machines.

It might also be a cover for an inside job I suppose, so as to rake out the data as an insider, and if ever there was an investigation one could simply point at the naive machine that had been compromised.

Posted by: Iang at June 16, 2005 07:19 AM

Speaking of insiders raking out data. How does one identify the source of the leak of a secret known by more than two people? I am almost convinced that it is theoretically impossible and hence we have a huge tragedy-of-commons situation with every secret shared by three or more parties: if the per-individual slice of the shared cost of compromise is significantly lower than the private benefit of selling the secret, it will be sold. Hence, I tend to be suspicious of any system where more than two people have access to any particular secret.

Posted by: Daniel A. Nagy at June 17, 2005 05:24 PM

I do not think phishing per se is illegal under anything more than tort or trademark law. If your friend uses the information for financial fraud then, duh, it's illegal. If your friend does not use the information for fraud then it is not illegal but it is also without value. In one case your friend is phishing. In the other case your friend is taking a risk with no benefit.

Security can be evaluated based on the risk in a large system. "I know the data" is not itself fraud or every merchant who sells on the net (START YOUR ACCOUNT, not PAY FOR YOUR PURCHASE) would be busted.


Posted by: L Jean Camp at June 20, 2005 02:56 PM

In spy novels, the mole is caught by feeding in lots of tracer secrets to different people and seeing which tracers pop up on the other side.

Posted by: Spy v. spy at June 24, 2005 06:34 AM
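The tracer-secret idea from the comments above, as an added example that is not part of the original thread: each recipient gets a distinct tracer value per secret, derived with HMAC so the issuer keeps only one key, and values that surface later are mapped back to whoever received them. The key, names and identifiers are constructed for illustration.

```python
import hashlib
import hmac

def tracer(issuer_key: bytes, secret_id: str, recipient: str) -> str:
    """Deterministic per-recipient tracer value; only the issuer can recompute it."""
    msg = f"{secret_id}\x00{recipient}".encode()
    return hmac.new(issuer_key, msg, hashlib.sha256).hexdigest()[:12]

def issue(issuer_key, secret_ids, recipients):
    """Return {recipient: {secret_id: tracer}}: what each person is handed."""
    return {r: {s: tracer(issuer_key, s, r) for s in secret_ids} for r in recipients}

def attribute(issuer_key, secret_ids, recipients, observed):
    """Map observed tracer values back to recipients.

    Returns (hits, unknown): hits is {recipient: [secret_id, ...]},
    unknown lists observed values that were never issued.
    """
    index = {tracer(issuer_key, s, r): (r, s) for r in recipients for s in secret_ids}
    hits, unknown = {}, []
    for value in observed:
        if value in index:
            r, s = index[value]
            hits.setdefault(r, []).append(s)
        else:
            unknown.append(value)
    return hits, unknown

# Constructed sample data.
DEMO_KEY = b"constructed-demo-key"
RECIPIENTS = ["alice", "bob", "carol"]
SECRET_IDS = ["s1", "s2", "s3"]

if __name__ == "__main__":
    issued = issue(DEMO_KEY, SECRET_IDS, RECIPIENTS)
    seen = [issued["bob"]["s1"], issued["bob"]["s3"], "deadbeef0000"]
    print(attribute(DEMO_KEY, SECRET_IDS, RECIPIENTS, seen))
```

This only works for information that can be varied per recipient; a secret that must be identical for everyone carries no such marker.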