May 17, 2007

The Myth of the Superuser, and other frauds by the security community

The meme is starting to spread. It seems that the realisation that the security community is built on self-serving myths leading to systemic fraud has now entered the consciousness of the mainstream world.

Over on the Volokh Conspiracy, Paul Ohm exposes the Myth of the Superuser. His view is that too often, the sense of the Superuser is one of an overpowering ability of this uber-attacker. Once this sense enters the security agenda, the belief that there is this all-powerful evil criminal mastermind out there, watching and waiting, leads us into dangerous territory.

Ohm does not make the case that they do not exist, but that their effect or importance is greatly exaggerated. I agree, and this is exactly the case I made for MITM. In brief, the Man-in-the-middle is claimed to be out there lurking, and we must protect, at any cost. Wrong on all counts, and the result is a security disaster called phishing, which in itself is an MITM.

Then, phishing can be interpreted as a result of our obsession with Ohm's Superuser, the uber-attacker. In part, at least, and I'd settle for running the experiment without the uber-obsession. Specifically, Ohm points at some bad results he has identified:

> Very briefly, in addition to these two harms — overbroad laws and civil liberties infringements — the other four harms I identify are guilt by association (think Ed Felten); wasted investigative resources (Superusers are expensive to catch); wasted economic resources (how much money is spent each year on computer security, and is it all justified?); and flawed scholarship (See my comment from yesterday about DRM).

All of which we can see, and probably agree on. What makes this essay stand out is that he goes the extra mile and examines what the root causes might be:

> I have essentially been saying that we (policymakers, lawyers, law professors, computer security experts) do a lousy job calculating the risks posed by Superusers. This sounds a lot like what is said elsewhere, for example involving the risks of global warming, the safety of nuclear power plants, or the dangers of genetically modified foods. But there is a significant, important difference: researchers who study these other risks rigorously analyze data. In fact, their focus on numbers and probabilities and the average person’s seeming disregard for statistics is a central mystery pursued by many legal scholars who study risk, such as Cass Sunstein in his book, Laws of Fear.
>
> In stark contrast, experts in the field of computer crime and computer security are seemingly uninterested in probabilities. Computer experts rarely assess a risk of online harm as anything but, “significant,” and they almost never compare different categories of harm for relative risk. Why do these experts seem so willing to abdicate the important risk-calculating role played by their counterparts in other fields?

Does that sound familiar? To slide into personal anecdote, consider the phishing debate (the real one back in 2004 or so, not the current phony one).

When I was convinced that we had a real problem, and people were ignoring it, I reasoned that the lack of scientific approach was what was holding people back from accepting the evidence. So I started collecting numbers on costs, breaches, and so forth (you'll see frequent posts on the blog, also mail postings around). I started pushing these numbers out there so that we had some grounding in what we were talking about.

What happened? Nothing. Nobody cared. I was able around 2004 to state that phishing already cost the USA about a billion dollars a year, and sometime shortly after that, that basically all data was compromised. In fact, I'm not even sure when we passed these points, because ... it's not worth my trouble to even go back and identify it!

Worse than nobody caring, the security field simply does not have the conceptual tools to deal with this. A little bit like "everyone was in denial" but worse, there is a collective glazed view to the whole problem.

What's going on? Ohm identifies 4 explanations (in point form here, but read his larger descriptions):

  1. Pervasive secrecy...
  2. Everyone is an Expert...
  3. Self-Interest...
  4. The Need for Interdisciplinary Work...

No complaint there! Readers will recognise those frequent themes, and we could probably collectively get it to a list of 10 explanations without too much mental sweat.

But I would go further. Deeper. Harsher.

I would suggest that there is one underlying cause, and it is structural. It is because security is a market for silver bullets, in the deep and economic sense explained in that long paper. All of the above arise, in varying degrees, in the market first postulated by Michael Spence.

The problem with this is that it forces us to face truths that few can deal with. It asks us to choose between the awful grimness of helplessness, and the temptation to the dark side of security fraud, before we can enter any semblance of a professional existence. Nobody wants to go there.

Posted by iang at May 17, 2007 08:21 AM

It is true, as Richard Clayton said:
"Security vendors are happy to accept inflated (and ever-increasing) statistics to make the problem seem more important and even PhishTank trumpets the increase in the number of reports rather than their true uniqueness."

However, it is equally dangerous, in my opinion, to play down the "Super User", the "uber attacker" threat. Those guys are more real and active than ever:

"We also identified a significant subset of websites (over half of all URLs being reported to the PhishTank database we used) which were clearly being operated by a single “rock-phish” gang." (from Richard's post linked above)

Now, this is real data that you can translate into probabilities... e.g. you have over 50% probability to be phished by the same "uber gang" and that a new innovation from "Super User" attackers increased the median of phishing web site availability by 300% (see the same post).

The author seems to be missing the basic understanding of the value chain in online threats: the role of "tool builders" (usually v. smart) vs "data collectors" etc. There is just a passing reference to a potential for "Super users" producing tools for "script kiddies" and then: "Superusers inhabit the Internet, but they are often so uncommon as safely to be ignored."

Even if it was the case that "some online crimes are committed by ordinary users much more often than by Superusers" - who did produce the tools used to commit those crimes? The ordinary users themselves? I doubt so.

I am also concerned by the dismissal of all computer experts as ignorant of risk assessment:

"Computer experts rarely assess a risk of online harm as anything but, “significant,” and they almost never compare different categories of harm for relative risk. "

If this was the case, selling security would've been a walk in the park :) Just claim that a new tool "significantly reduces the risk" and you'll have buyers fighting for it. What actually happens is that "computer experts" are spending a lot of time on trying to quantify the risk reduction and ultimately Return on Investment with different degrees of success.

Anyway, of course, there is no silver bullet and, of course, measuring anything, assessing the threats etc. is helpful. I am just not sure that the main claim of the article is true, the "Super user" is not a myth, they are alive and kicking and now, more than ever, their time and effort could be easily monetized with a very low risk. More thought on the subject:

Posted by: Igor Drokov at May 17, 2007 03:04 PM

Hey Igor, thanks for your comment.

How did you make the jump from "rock-phish gang" ==> SuperUser?

I don't get it. The Phishing industry is widely known to be pretty simple stuff. Hell, we can buy the tools to do it, it is industrialised on a scale that we've never seen before, and it is totally well understood what they are doing.

Uber gang != Uber user. If anything it is the other way around, the industrialisation has shown that it is possible to commoditise every part, they don't need experts. Even the so-called tool producers are not doing anything but automating fairly unsophisticated parts, in a chain, bit by tiny bit.

There is no Uber-attacker here. Track back the sophistication of phishing attacks and we can see that they evolved only slightly each month.

His point is also that we all want to believe in the Uber-attacker, the superuser. That makes us feel better about being powerless, after all these years of hanging it out, claiming to be professionals. "We were beaten by a better enemy" is kind of OK, honourable. "We were beaten by idiots using our own hubris against us" isn't much fun.

Posted by: Iang at May 17, 2007 03:34 PM


Just to state my position, I do agree that phishing/spam etc. are a big problem because of the scale rather than because the attacks are especially clever. I further agree that using the line that attackers outsmart the defenders is also weak.

However, my point is that if it is easy to make money for average attackers, imagine how much more money can a clever well-organised group make...

"The Phishing industry is widely known to be pretty simple stuff. Hell, we can buy the tools to do it, it is industrialised on a scale that we've never seen before, and it is totally well understood what they are doing."

I'd respectfully disagree... until the Security group guys (links above) actually monitored the phishing activity on a fairly low level, most anti-phishing suggestions didn't see the need to go beyond collecting and validating phishing urls...

In particular, the "fast-flux" technique they discovered is a very clear indicator that those guys are not sitting back with their feet up, but looking for more efficient ways to make more money with less risk...

From the paper:
"While we were collecting data for this paper the gang introduced a new system dubbed `fast-flux', with trials in February and wider deployment from March onwards. They arranged for their domains to resolve to a set of five IP addresses for a short period, then switched to another five. This of course `eats up' many hundreds of IP addresses a week, but the agility makes it almost entirely impractical to `take down' the hosting machine".

So, my point being that those guys are clever and constantly innovating which makes them "SuperUser" in the terms of the article you refer to (unless I'm missing the point). Hence, it is dangerous, in my opinion, to overlook the increasing sophistication of the most efficient attackers.

I would also like to re-iterate that I am not advocating some magic technology solution. If anything the research by the Security group suggests that a lot could be done by improving collaboration between ISP/registrars and phish targets. At the same time, if one assumes that "the Phishing industry is widely known to be pretty simple stuff" then we will keep fighting yesterday's war...

Posted by: Igor Drokov at May 18, 2007 06:07 AM
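
The fast-flux behaviour quoted in the comment above (a domain resolving to five addresses, then to another five) differs from ordinary round-robin DNS in that each new record set is made of addresses never seen before for that domain. The Python below is an added example, not part of the original thread or the paper it quotes; the domains, addresses, lookup data and thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def flux_profile(observations):
    """Per domain: distinct IPs seen, number of A-record set changes, and the
    share of addresses in changed sets that were new for that domain."""
    by_domain = defaultdict(list)
    for ts, domain, ips in observations:
        by_domain[domain].append((ts, frozenset(ips)))
    profiles = {}
    for domain, rows in by_domain.items():
        rows.sort(key=lambda r: r[0])
        seen, prev = set(), None
        changes = fresh = total = 0
        for _, ips in rows:
            if prev is not None and ips != prev:
                changes += 1
                fresh += len(ips - seen)   # addresses not seen before
                total += len(ips)
            seen |= ips
            prev = ips
        profiles[domain] = {
            "distinct_ips": len(seen),
            "set_changes": changes,
            "fresh_ratio": fresh / total if total else 0.0,
        }
    return profiles

def flag_fast_flux(observations, min_distinct_ips=20, min_fresh_ratio=0.8):
    """Flag domains whose record sets keep being replaced by unseen addresses.
    Both thresholds are illustrative assumptions, not figures from the paper."""
    return sorted(d for d, p in flux_profile(observations).items()
                  if p["distinct_ips"] >= min_distinct_ips
                  and p["fresh_ratio"] >= min_fresh_ratio)

def sample_observations():
    """Constructed lookups, one every 10 minutes for 4 hours (documentation
    address ranges and .example names, not real infrastructure)."""
    start = datetime(2007, 3, 1)
    pool = [f"198.51.100.{i}" for i in range(1, 5)]  # small fixed pool
    obs = []
    for n in range(24):
        ts = start + timedelta(minutes=10 * n)
        # flux: a fresh set of five addresses on every lookup
        obs.append((ts, "flux.example",
                    [f"203.0.113.{5 * n + k}" for k in range(5)]))
        # round robin: the answer changes, but always within the same pool
        obs.append((ts, "rr.example", [pool[n % 4], pool[(n + 1) % 4]]))
        # static hosting: the answer never changes
        obs.append((ts, "static.example", ["192.0.2.10"]))
    return obs

if __name__ == "__main__":
    print(flag_fast_flux(sample_observations()))
```

The round-robin domain changes its answer as often as the flux domain does, so counting changes alone would flag both; the fresh-address ratio is what separates them.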

> I'd respectfully disagree... until the Security group guys (links above) actually monitored the phishing activity on a fairly low level, most anti-phishing suggestions didn't see the need to go beyond collecting and validating phishing urls...

I don't follow who the "Security group guys" are ... I had a quick look at that paper. It's good stuff, and it is good that the broader academic community is now taking the activity seriously, perhaps in the face of lack of progress in the commercial world. But it suffers from the normal academic embarrassment of too much evaluation, too much reliance on academic peers, and too little broad thought.

If they said "most anti-phishing suggestions didn't see the need to go beyond collecting and validating phishing urls..." then they are wrong, but this is typical in the academic world.

I'd say that they also fall into the trap of the Superuser / uber-attacker myth.

"a new and particularly pernicious category of phishing site called ‘rock-phish ’, which simultaneously impersonates many banks and regularly cycles through domain names and IP addresses."

Pernicious ==> devilishly evil ==> Uber-attacker, Superuser.

What is pernicious about impersonating many banks at the same time? Fast-flux? ... So what? Are they saying the phishers are stoopid? Should be stupid? Are they saying that the phishing response to the take-down technique is "oh, bummer, that's torn it, let's go home now?"

The situation is that we are facing a competent enemy, and because they keep winning, the enemy shows us up as incompetent. But if we can make them out to be the uber-attacker, that might make us feel better about it!

Phishing is an evolution stretching back to 1996 or 1997. They have a decade of experience in small steps. They are not superusers in any heroic extraordinary sense, they are just competent guys doing competent work, albeit criminal.

Posted by: Iang at May 18, 2007 07:12 AM

I should point out that the academic literature is also in a trap of its own making: they tend to want to make out the attacker as devilishly clever, so as to increase the excitement level, and show their work in a better light.

It simply looks bad, unexciting, to go to a peer-review committee and say that the "enemy is competent, nothing special, he's like the average programmer down the hall."

Far better to say "I talk today of an enemy not seen since the days of Moriarty..."

This is a widely known (and indeed researched) problem in the academic world. There are studies that show that the number of papers confirming hypotheses with results far outweighs those that deny or do not confirm hypotheses. Yet anecdotally speaking, there is much more balance. The difference is due to many factors, mostly academically unsound ones such as the above.

Posted by: Iang at May 18, 2007 07:20 AM

"If they said "most anti-phishing suggestions didn't see the need to go beyond collecting and validating phishing urls..." then they are wrong, but this is typical in the academic world."

Just to make it clear, these are my words, not theirs...

Also, no one is claiming to have found "an enemy not seen since the days of Moriarty...", yet they did shed some light on the new techniques employed by what appears to be the most successful phishing group. They also follow up with good recommendations. What's wrong with that?

If I understand correctly, it is your position, not theirs - "the phishers are stoopid" doing "pretty simple stuff".

Again, no one is claiming that the threats are coming from Nobel prize candidates :) but to say that everyone on the other side is just average would be a mistake as well.

Posted by: Igor Drokov at May 18, 2007 10:23 AM

One needs to look at our figures and analysis carefully before doing calculations or drawing conclusions. First, about 50% of all phishing URLs in the collections we looked at are rock-phish, but once one canonicalises and removes the dross they're only 419 out of 1707. However, phishing victims are driven to the sites by spam email -- and here the rock-phish mail is around half. So it's this latter figure -- which we only have the broadest of estimates for -- which leads to the 50% chance of being phished by a particular gang.

Second, the innovation (of fast-flux) isn't new to them (so no uber-behaviour here), but it was a change in behaviour during the measurement period. Our observations showed that it worked to extend phishing site lifetimes, though we don't speculate why this was -- there's no obvious reason for a ".com" domain name to stay up longer by exploiting fast-flux, and the associated IP address lifetime was essentially unchanged. We commented that it is hard to take down the hosting machine (the abuse@ person who checks out the report can't see the sites in an off-the-shelf web-browser once the DNS changes), but that's not an issue for the registrar.

Third: "But it suffers from the normal academic embarrassment of too much evaluation, too much reliance on academic peers, and too little broad thought." hmmm..... it's necessary to evaluate results, not just provide a table of website lifetimes, and there's also an obligation in all academic work to discuss the work by your peers, so as to set your work into context and distinguish what your contribution is. In fact, we don't cite much other work because no-one's done similar measurements before (though there has been some work looking at clusters of phishing sites).

As to broad thought, we're not writing a book on the whole phishing phenomenon -- we're just looking to see whether take-down does any good (we think it does, but it can't be the only strategy).

Fourth: what's "particularly pernicious" about rock-phish? Quite clearly they're better at their jobs when compared to everyone else (we may be able to pick out some other gangs in the future, and they may well be better than the mass as well, since the mass isn't necessarily any good at all!) Anyway, we show that phishing visitors turn up at a site over several days -- and the rock-phish site URLs are working for twice as long as normal URLs, 8 times as long when using the fast-flux scheme. So "exceedingly harmful" or "highly injurious or destructive" seems an OK word for phishing, and "particularly" is, I think, justified by the data.

Fifth: are all phishers stoopid? Well, some are! They leave their toolkits lying around, and some also leave their collected data in full view. Others leave records of who they are, where they think no-one can see. Do they go home after a take-down... well I doubt it. But we've other data (in papers to come) showing that Yahoo! removes sites 7 times faster than a comparable .ru site --- so it's pretty stupid to keep on using Yahoo! yet some of them do.

Finally, I don't think we can say whether the rock-phish gang are inherently clever, or whether they've just experimented a great deal and have stuck with the methods that work. Darwin was right about many things! Also, since we're measuring website lifetime (only one part of the way that you'd measure success for a phishing operation) then you need to keep the humble wood-louse in mind. If you look under a log in the forest you'll find lots of wood-lice. Is that because they like it there? or merely that it's cooler, and so they don't move as fast as they do out in the sunlight?

Posted by: Richard Clayton at May 19, 2007 09:33 AM