News of active MITM attacks have reached us with Yahoo being the one attacked. This involves the phisher driving the traffic from his fake site back to Yahoo in real time. Previously, phishers just collected the data and used it later, now they get access directly, which gives them immediate possibilities in the event that they tripped any alarm bells that would later on close of access.
Bad news for Lloyds TSB who are experimenting with what look like SecureId tokens. These tokens do a crypto maths problem that is syncronised with a matching server program back at the website. It is based on time, and the numbers change as the minutes roll by.
It's a nice token to prove (to some definition of the word) that you are talking to is who you want to be talking to. The problem is, as discussed and predicted not just here but in security groups elsewhere, this only works if the phisher delays acting. It specifically and famously doesn't work against the above man-in-the-middle (MITM) attack as it can't tell if anyone else is sitting in between you and the other party! Sorry about that, but you do insist on buying these things from big companies and not doing the proper due diligence.
How significant is all this? Well, quite important: it's the last link. Every piece is now in place for the perfect phish. The phishers recently tried out SSL attacks in anger so they have all that cert and SSL code in place, they are now doing MITMs so they have the real-time backend work in place (this is just multi-tiered or webservice work, recall) and we've had easy-to-obtain popup-tax certs for about 2-3 years now (even works with a stolen credit card...).
When the perfect phish takes place is difficult to predict, but I'll stick my neck out and say by the end of the year. Users will be looking at a perfectly good website, with SSL and the little padlock, and talking to their banks. The only thing that will be wrong will be the URL, but it will be camouflaged somehow. Is this realistic? Very. For the last year or more we've been in a holding pattern as phishers have migrated their model from area to area looking for new schools of fresh phish.
Posted by iang at October 14, 2005 03:34 PM | TrackBackAccording to my wife's pal who is a bank manager at Lloyds, they've had this technology for managers for quite a while, now (2 years?).
Second point ... have a look at Loyal bank ... is their device an example of what you're writing about, iang?
Posted by: Darren at October 15, 2005 08:39 AMHa, sure. These tokens have been around for over 10 years... In America the market is dominated by RSADSI which sells SecureId. It is a curious observation that they were designed in a bygone age, almost lost as a product that was well before its time, and now that RSADSI has got this far, they've found their time. But the product is woefully out of date and not up to this challenge.
As to Loyal bank - the answer is "probably." There are ways of doing this properly, but the cost is not in the gbp2-5 range, more like the gbp25-100 range, which is not cosy or happy for banks. OTOH, there are ways to do this for free; but it requires the banks to lighten up a bit, and hell doth not freeze up so quickly.
Posted by: Iang at October 15, 2005 09:44 AMThere's a competing company in Ottawa, called CryptoCard, which produces compatible, non-expiring tokens (basically, enclosed block ciphers). Having had a glimpse of how they work and what they do, I feel sorry for their customers.
I think, there's a lot of room for decent security solutions in the two-factor market.
Most of the currently available products are not satisfactory in the face of contemporary threats.
If it's the Perfect Phish, then the URL *is* correct, but the phisher has subverted DNS in one of various known ways. If you want a particularly easy one, assume that the victim is sitting in a wireless coffeeshop, naively trusting that the security software on his laptop, combined with the security software running at his bank, are cooperating to protect him from any thieves who happen to be lurking in the area of the coffeeshop.
Posted by: Zooko at October 16, 2005 09:06 PMZooko, well spotted! The DNS subversion techniques are also in place.
I've heard anecdotal reports of coffee shop phishing but I don't recall any actual hard evidence. I'm somewhat skeptical that it is sustainable economically as it involves a very traceable activity and very low number of victims; the guy has to be sitting close and has to be active on the network, and for all that he only picks up a few victims.
But as you suggest, it's easy enough to do this, and some mug is going to try it sometime.
Posted by: Iang at October 17, 2005 05:08 AMIsn't it part of your doctrine, that MITM attacks never actually happen in practice, hence all that silly nonsense about SSL certificates was just a fraud designed to extract money from innocent web site operators?
Posted by: Cyphrpunk at October 19, 2005 07:48 PMWell, MITMs at the cryptoprotocol level "never happen" in practice, sure. That is, SSH is "notoriously vulnerable" to MITM but I've never heard of it being hacked like that. And there is good reason to believe that even if SSL was vulnerable to a protocol level MITM (with say SSCs or ADH) then it would still never be MITM'd at the protocol level and thus it would be a good economic choice.
Then there are application level MITMs like phishing. That is, tricking the security model at the browser level, which is kinda kiddie stuff given the laxadaisical approach the browsers have. That is happening, and in tanker loads; it is called phishing. But, phishing hasn't really snuck inside SSL's certificate checking as yet; mostly for economic reasons - it just wasn't worth the bother. Now what we are seeing is that the "inside PKI but outside SSL phish" is ready to happen.
Also then there is the delayed MITM versus the realtime MITM. Yahoo's attack indicates an active realtime MITM at the browser level.
Is it a doctrine? No, it's just observations borne out by the market, I think. Is it confusing? Yes - there are three different levels of MITM going on here, and then there is active realtime versus passive delayed time.
Posted by: Iang at October 19, 2005 09:15 PM> "hence all that silly nonsense about SSL certificates was just a fraud designed to extract money from innocent web site operators?"
That's how many see it and they have a case. c.f., "search for the business model." I don't care as much about that as moving forward and encouraging people to address security.
These days my theory is this: the browsers are not going to change the model so the TLS part is more or less a system to protect passphrases from sniffing, which it does passably but not admirably (it will do better when ssl v2 is switched off). However the certificates can be a useful handle to do relationship tracking. Hence, access and manage the certs in a browser plugin and see what you can do. See Trustbar and Petname for that.
Others have other ideas. It is notable that companies prefer to go for the centralised database model, again delivered with a plugin. Netcraft were the first I think, but there is also a Comodo one and Microsoft have designs in that area. I personally don't think it will work, but at least these companies are thinking about the problem.
(You could say that this is further evidence that companies won't provide security unless they can see a way to extract more money from it, which matches what you say above. Commercially minded people won't understand that as a claim; what is a more interesting question is why companies provide crap security when given the money and why the good security tends to come from places that don't have the money?)
Posted by: Iang at October 20, 2005 02:19 AMOh, I see what you (cyphrpunk) are saying! No, that was never "the doctrine." Instead it was this: the MITM protection wasn't necessary, therefore it is possible to ease up and change the model to do relationship tracking using certs. But that was too hard to explain so I stopped.
Sorry for being dense.
Posted by: Iang at October 20, 2005 02:29 AMI guess phishing is all about having a wide pool of prey, so doing it at a coffeeshop isn't such a profitable route, but it serves as a proof of concept.
There's an attack called "Evil Twin" where you MITM wireless at a coffeeshop. Large scale DNS poisoning is called "pharming", apparently. I'm not really up on all the hip terminology...
I didn't follow Evil Twin, and the superficial thing there that appeared to me was more that it was a successful FUD campaign rather than a spotted-in-the-wild attack. I could be wrong though, hopefully someone will point me to actual case losses where someone was definitively hit by a coffee shop wavelan mugging which will allow us to track the arisal of MITMs in other fashions than the basic phishing. The more evidence of MITMs we can present the more we can convince the browser manufacturers to re-work the security model.
Posted by: Iang at October 20, 2005 11:45 AMRegarding Man in the Middle/Evil Twin Attacks -
I wonder if you have reviewed this software based Delayed Password Disclosure Protocol announced recently?
http://www.informatics.indiana.edu/markus/stealth-attacks.htm
A variety of computer networks are vulnerable to so-called stealth attacks. While there are many types of stealth attacks, they all have one thing in common (which is the very reason, of course, for their name) – the attackers are hard to detect. In some cases, it is even hard for a victim to determine that he was attacked – days or weeks may pass before this becomes evident. By then, it may be too late, as in the meantime, the attacker may collect and even modify information that was not intended for him. The attacks can be mounted against both wired and wireless networks, but the relative ease with which they can be used to attack users of wireless networks poses a particular threat within a variety of settings, including public hotspots. Moreover, stealth attacks pose a particular threat in the context of identity theft. A particular type of stealth attack we describe herein is the so-called “doppelganger window attack”. This can either be mounted in a similar fashion as the typical phishing attack is, but poses a greater threat than current phishing attacks. This is so since the doppelganger window attack defeats traditional methods for mutual authentication, which would otherwise have been a meaningful defense against phishing. We describe a new security technique, delayed password disclosure, that provides security against doppelganger window attacks. It can be based on any known method for mutual authentication, and its security can be proven to be the same as that of the underlying method – in addition to security against the doppelganger window attacks.