November 23, 2019

HTTPS reaches 80% - mission accomplished after 14 years

A post on Matthew Green's blog highlights that Snowden revelations helped the push for HTTPS everywhere.

Firefox also has a similar result, indicating a web-wide world result of 80%.

(It should be noted that google's decision to reward HTTPS users by prioritising it in search results probably helped more than anything, but before you jump for joy at this new-found love for security socialism, note that it isn't working too well in the fake news department.)

The significance of this is that back in around 2005 some of us first worked out that we had to move the entire web to HTTPS. Logic at the time was:

Why is this important? Why do we care about a small group of sites are still running SSL v2. Here's why - it feeds into phishing:
1. In order for browsers to talk to these sites, they still perform the SSL v2 Hello. 2. Which means they cannot talk the TLS hello. 3. Which means that servers like Apache cannot implement TLS features to operate multiple web sites securely through multiple certificates. 4. Which further means that the spread of TLS (a.k.a. SSL) is slowed down dramatically (only one protected site per IP number - schlock!), and 5, this finally means that anti-phishing efforts at the browser level haven't a leg to stand on when it comes to protecting 99% of the web.

Until *all* sites stop talking SSL v2, browsers will continue to talk SSL v2. Which means the anti-phishing features we have been building and promoting are somewhat held back because they don't so easily protect everything.

For the tl;dr: we can't protect the web when HTTP is possible. Having both HTTP and HTTPS as alternatives broke the rule: there is only one mode, and it is secure, and allowed attackers like phishers to just use HTTP and *pretend* it was secure.

The significance of this for me is that, from that point of time until now, we can show that a typical turn around the OODA loop (observe, orient, decide, act) of Information Security Combat took about 14 years. Albeit in the Internet protocol world, but that happens to be a big part of it.

During that time, a new bogeyman turned up - the NSA listening to everything - but that's ok. Decent security models should cover multiple threats, and we don't so much care which threat gets us to a comfortable position.

Posted by iang at 12:27 PM | Comments (0)

February 20, 2018

Tesla’s cloud was used by hackers to mine cryptocurrency

Just because I get the photo op, here's The Verge on Tesla's operations being cryptojacked.

Tesla’s cloud account was hacked and used to mine cryptocurrency, according to a security research firm. Hackers gained access to the electric car company’s Amazon cloud account, where they were able to view “sensitive data” such as vehicle telemetry.

...

According to RedLock, using Tesla’s cloud account to mine cryptocurrency is more valuable than any data stored within. The cybersecurity firm said in a report released Monday that it estimates 58 percent of organizations that use public cloud services, such as AWS, Microsoft Azure, or Google Cloud, have publicly exposed “at least one cloud storage service.” Eight percent have had cryptojacking incidents.

“The recent rise of cryptocurrencies is making it far more lucrative for cybercriminals to steal organizations’ compute power rather than their data,” RedLock CTO Gaurav Kumar told Gizmodo. “In particular, organizations’ public cloud environments are ideal targets due to the lack of effective cloud threat defense programs. In the past few months alone, we have uncovered a number of cryptojacking incidents including the one affecting Tesla.”

Posted by iang at 03:51 PM | Comments (4)

September 12, 2017

Over 1.65 Million Computers Infected With Cryptocurrency Miners in 2017 So Far

Over 1.65 Million Computers Infected With Cryptocurrency Miners in 2017 So Far

By Catalin Cimpanu
September 12, 2017 08:33 AM 0
Cryptocurrency mining malware evolution

Telemetry data collected by Kaspersky Lab shows that in the first nine months of 2017, malware that mines for various types of cryptocurrencies has infected more than 1.65 million endpoints.

According to Kaspersky, detections for cryptocurrency mining trojans rose from a lowly 205,000 infections in 2013 to nearly 1.8 million in 2016, and 2017 looks like it will easily surpass that number.

Zcash and Monero miners on the rise


Of all virtual currencies, Zcash and Monero were the favorites, primarily because of their support for anonymous transactions, which comes in handy to anyone looking to hide a money trail from criminal operations.

While Monero is a long-time favorite of cryptocurrency mining trojans, Zcash is a recent addition, as the cryptocurrency launched only last November.

Nonetheless, one month later, several criminal mining operations had adopted the currency, with one group's earnings estimated at $75,000/year/~1,000 computers.

A review of past major operations


Since last year, the rise in cryptocurrency mining malware distribution was easily observable by the number of reports put out by cyber-security firms. Such reports often help infosec industry observers to gauge new trends.

Below is a list with the most important malware distribution campaigns that pushed cryptocurrency miners in 2017.

⬗ Terror Exploit Kit dropped a Monero miner back in January
⬗ Even some Mirai botnet variants tested a cryptocurrency mining function
⬗ Adylkuzz cryptocurrency miner deployed via EternalBlue NSA exploit
⬗ Bondnet botnet installed Monero miners on around 15,000 computers, mostly Windows Server instances
⬗ Linux.MulDrop.14 malware mines for cryptocurrency using Raspberry Pi devices exposed online
⬗ Crooks targeted Linux servers via SambaCry exploit to deploy EternalMiner malware.
⬗ Trojan.BtcMine.1259 miner uses NSA's DobulePulsar to infect Windows computers
⬗ DevilRobber cryptocurrency miner became the second most popular Mac malware in July
⬗ Linux.BTCMine.26, a Monero miner that included references to Brian Krebs in its source code.
⬗ CoinMiner campaign that used EternalBlue and WMI to infect users
⬗ Zminer trojan found infecting Amazon S3 servers
⬗ CodeFork gang used fileless malware to push a Monero miner
⬗ Hiking Club malvertising campaign dropped Monero miners via Neptune Exploit Kit
⬗ A CS:GO cheat that delivered a Monero miner for MacOS users
⬗ Jimmy banking trojan adds support for a Monero miner
⬗ New Monero miner advertised via Telegram

These are only some of the major campaigns, but there are countless of other smaller operations that went unreported.

If you're wondering why is this rise in cryptocurrency mining malware taking place, the answer is quite simple. During the past year, trading prices for virtual currencies have skyrocketed across the board, almost for all major cryptocurrencies. Bitcoin, Monero, Ethereum, Zcash, and others, have seen huge price spikes that have fueled market speculation and attracted both legitimate users and the criminal underground looking to make a quick buck.


I've copied this completely for the record as it forms the best evidence seen so far of the critical paper on Bitcoin's mining effects: Bitcoin & Gresham's Law - the economic inevitability of Collapse.

Posted by iang at 10:57 AM | Comments (18)

October 23, 2016

Bitfinex - Wolves and a sheep voting on what's for dinner

When Bitcoin first started up, although I have to say I admired the solution in an academic sense, I had two critiques. One is that PoW is not really a sustainable approach. Yes, I buy the argument that you have to pay for security, and it worked so it must be right. But that's only in a narrow sense - there's also an ecosystem approach to think about.

Which brings us to the second critique. The Bitcoin community has typically focussed on security of the chain, and less so on the security of the individual. There aren't easy tools to protect the user's value. There is excess of focus on technologically elegant inventions such as multisig, HD, cold storage, 51% attacks and the like, but there isn't much or enough focus in how the user survives in that desperate world.

Instead, there's a lot of blame the victim, saying they should have done X, or Y or used our favourite toy or this exchange not that one. Blaming the victim isn't security, it's cannibalism.


Unfortunately, you don't get out of this for free. If the Bitcoin community doesn't move to protect the user, two things will happen. Firstly, Bitcoin will earn a dirty reputation, so the community won't be able to move to the mainstream. E.g., all these people talking about banks using Bitcoin - fantasy. Moms and pops will be and remain safer with money in the bank, and that's a scary thought if you actually read the news.

Secondly, and worse, the system remains vulnerable to collapse. Let's say someone hacks Mt.Gox and makes a lot of money. They've now got a lot of money to invest in the next hack and the next and the next. And then we get to the present day:

Message to the individual responsible for the Bitfinex security incident of August 2, 2016

We would like to have the opportunity to securely communicate with you. It might be possible to reach a mutually agreeable arrangement in exchange for an enormous bug bounty (payable through a more privacy-centric and anonymous way).


So it turns out a hacker took a big lump of Bitfinex's funds. However, the hacker didn't take it all. Joseph VaughnPerling tells me:

"The bitfinex hack took just about exactly what bitfinex had in cold storage as business profit capital. Bitfinex could have immediately made all customers whole, but then would have left insufficient working capital. The hack was executed to do the maximal damage without hurting the ecosystem by putting bitfinex out of business. They were sure to still be around to be hacked again later.

It is like a good farmer, you don't cut down the tree to get the apples."

A carefully calculated amount, coincidentally about the same as Bitfinex's working capital! This is annoyingly smart of the hacker - the parasite doesn't want to kill the host. The hacker just wants enough to keep the company in business until the next mafiosa-style protection invoice is due.

So how does the company respond? By realising that it is owned. Pwn'd the cool kids say. But owned. Which means a negotiation is due, and better to convert the hacker into a more responsible shareholder or partner than to just had over the company funds, because there has to be some left over to keep the business running. The hacker is incentivised to back off and just take a little, and the company is incentivised to roll over and let the bigger dog be boss dog.

Everyone wins - in terms of game theory and economics, this is a stable solution. Although customers would have trouble describing this as a win for them, we're looking at it from an ecosystem approach - parasite versus host.

But, that stability only survives if there is precisely one hacker. What happens if there are two hackers? What happens when two hackers stare at the victim and each other?

Well, it's pretty easy to see that two attackers won't agree to divide the spoils. If the first one in takes an amount calculated to keep the host alive, and then the next hacker does the same, the host will die. Even if two hackers could convert themselves into one cartel and split the profits, a third or fourth or Nth hacker breaks the cartel.

The hackers don't even have to vote on this - like the old joke about democracy, when there are 2 wolves and 1 sheep, they eat the sheep immediately. The talk about voting is just the funny part for human consumption. Pardon the pun.

The only stability that exists in the market is if there is between zero and one attacker. So, barring the emergence of some new consensus protocol to turn all the individual attackers into one global mafiosa guild, a theme frequently celebrated in the James Bond movies, this market cannot survive.


To survive in the long run, the Bitcoin community have to do better than the banks - much better. If the Bitcoin community wants a future, they have to change course. They have to stop obsessing about the chain's security and start obsessing about the user's security.

The mantra should be, nobody loses money. If you want users, that's where you have to set the bar - nobody loses money. On the other hand, if you want to build an ecosystem of gamblers, speculators and hackers, by all means, obsess about consensus algorithms, multisig and cold storage.


ps; I first made this argument of ecosystem instability in "Bitcoin & Gresham's Law - the economic inevitability of Collapse," co-authored with Philipp Güring.

Posted by iang at 12:35 PM | Comments (0)

June 18, 2016

Ethereum is one step away from creating a workable smart contracting community

To live in interesting times!

First TheDAO started up as a crowd funded smart contract which took in about $160m of contributions. Hoorah!

Then, a programmer spotted a bug and used it to sweep about $60m across to own account. Howzat!?

Next, the Ethereum coredevs reacted in collective angst and moved to unwind the 'theft.' Hooray!

Finally, someone called "attacker" claimed credit for the actions, and reminded everyone that there was a legal contract in place. YeeHaa!

Ethereum is the reality TV of the new financial cryptographic generation. However, let's not be entirely damning, it is also important to take pause and review what they have achieved. Positively.

Firstly, Ethereum has established beyond a doubt that the smart code needs to be part of a wider agreement at law. You can see this on the Explainer page of TheDAO where it carefully lays out:

"When you click the “I Accept” button or check box presented with the terms you are agreeing that you are taking part in The DAO’s Creation under the terms set forth in The DAO’s smart contract code at your own risk."

By clicking "I Accept", you enter into a legal contract, with the above text as part thereof.

To see that it is a legal contract, imagine if it didn't exist - in the absence of an agreement, there is no party who claims responsibility for TheDAO, and therefore TheDAO is abandoned at law. Which means that anyone can do whatever they like. Indeed, that means whoever can claim the value within can do so - it's like an abandoned ship at sea or unclaimed land; first person to plant a flag is the winner.

Clearly, the founders of TheDAO were smart enough not to want their smart contract to be 'abandoned' so it/they must and did enter into a legal agreement with contributors to (a) exert existence and (b) exert its authority to control the assets on behalf of the beneficiaries.

Having asserted its capacity to act, it also asserts that the smart code dominates over the legal prose:

The terms of The DAO Creation are set forth in the smart contract code existing on the Ethereum blockchain at 0xbb9bc244d798123fde783fcc1c72d3bb8c189413. Nothing in this explanation of terms or in any other document or communication may modify or add any additional obligations or guarantees beyond those set forth in The DAO’s code.

This is the correct order, which you can divine if you follow the logic: the legal agreement is prime over the smart code because it can bind the humans, and the legal agreement then has to defer primacy explicitly to any or all terms in the smart code. In summary, TheDAO has now exemplified 3 principles.

  1. The smart contract is a contract at law.
  2. The smart contract includes both code and prose.
    1. The legal prose asserts the capacity of the contract to act, a role outside the capability of the code;
    2. a purported smart contract without that capacity is likely abandoned, and also a statement that the authors are not smart enough to defend the property they create;
    3. the code requests that you click "I agree," a role outside the capability of the legal prose; and
    4. if you as user haven't clicked "I agree" or otherwise recorded your intent, then the smart contract is at liberty to ignore you - no intent established, no contract entered into.
  3. The legal prose rules over the smart contract.
    1. Then, the legal prose may with words pass the legal dominance to any part or all of the smart code; and
    2. indeed that might be the only thing that the legal prose does! But see below...

With these principles in hand, we are almost at the point of a viable smart contracting industry. And, we can thank the evolutionary efforts of many for this: Nick Szabo for the abstraction now called the smart contract, Satoshi for converting Nick's abstraction into the inspired form in Bitcoin, the Ethereum team for their more Turing-complete environment, and the authors of TheDAO for their big reveal of what it takes to make a real smart contract. What a social experiment!

On behalf of the entire Internet, I thank you. But we are still one step short of a complete smart contracting environment.

Recall that the point of a contract be it smart, simple, dumb or otherwise, is to create certainty over the uncertain agreements of human agents. Think about that statement for a moment - the goal is to create certainty. Got it? Now look at TheDAO and ask what you see?

Uncertainty.

If there is a better example of uncertainty in cryptographic affairs than TheDAO, I do not know of it, off hand. Indeed, the current life of TheDAO is so uncertain, it is likely to become a catchphrase for uncertainty in smart contracting!

Right? Let's list the ways. We have half the community up in arms that the terms of the smart code are going to be overridden and thus their contractual worldview is going to be overturned. We've the other half up in arms over the fact that someone has scarfed up a good chunk of the contents, and thus has breached the intent of the contract. And, now we have the Ethereum coredev team asserting their authority for a hard fork, and "Attacker" reminding them that there is a legal contract:

I am disappointed by those who are characterizing the use of this intentional feature as "theft". I am making use of this explicitly coded feature as per the smart contract terms and my law firm has advised me that my action is fully compliant with United States criminal and tort law. For reference please review the terms of the DAO:

"The terms of The DAO Creation are set forth in the smart contract code existing on the Ethereum blockchain at 0xbb9bc244d798123fde783fcc1c72d3bb8c189413. Nothing in this explanation of terms or in any other document or communication may modify or add any additional obligations or guarantees beyond those set forth in The DAO’s code. Any and all explanatory terms or descriptions are merely offered for educational purposes and do not supercede or modify the express terms of The DAO’s code set forth on the blockchain; to the extent you believe there to be any conflict or discrepancy between the descriptions offered here and the functionality of The DAO’s code at 0xbb9bc244d798123fde783fcc1c72d3bb8c189413, The DAO’s code controls and sets forth all terms of The DAO Creation."

A soft or hard fork would amount to seizure of my legitimate and rightful ether, claimed legally through the terms of a smart contract. ...

When we have such strong, valid-on-the-face arguments, at dramatically opposing poles, we have ... a dispute. TheDAO is now in fatal dispute. And what Ethereum lacks is a clear way forward to resolve that dispute.

Let's check the options. "Attacker" suggests a United States reading of the law, which suggests a USA court. USA courts typically accept any case for any nexus. But they will likely not accept the contract as valid under the securities laws in the USA, so Attacker will likely also find surprise in the event that it goes there. No matter, at $60million or whatever it is is well worth this minute, someone might try their luck in court.

And for the most part, Ethereum people are apparently located in Europe - London, Berlin, Switzerland. I'm not saying TheDAO was done by these people, but if Attacker knows who they are, and this seems reasonable, and any lawsuit names the authors and founders of TheDAO, what have we got?

A mess. What we haven't got is resolution. We can see a law suit that ricochets around the globe and locks a lot of people up in a world of pain. Everyone loses. We can see echoes of Assange and Snowden - we'll get articles, books, movies, but the one thing we won't get is ... resolution.

Certainty, this ain't.

And this is the critical step that Ethereum is short of - resolution, certainty. The traditional courts of law are not well suited to resolving this sort of dispute for a myriad of reasons - both good and bad.

Which brings us to the inevitable discovery that Ethereum must now make. There is a way that can give certainty to this mess in the general case; there is a way to resolve this sort of dispute. It is beholden on the community to find that forum of dispute resolution that can bring certainty to the smart contract when the smart contract itself has lost certainty.

Ethereum needs to set up its own forum - its own court - a court of smart contract dispute resolution.

This is not a trivial task; but it is a lot easier than you think. It's a matter of law, the choice is called Arbitration, and if you search around you can find volumes written on it. I'll leave that as an exercise for the reader, but you might want to look at DAMN. That's not how I would do it, but hey - compare and contrast!

Know it now - you face a fork in the road. On the one hand you have the failed social experiment known as TheDAO. On the other hand, you have your own forum of dispute resolution, designed to resolve precisely this mess, the smart contract in trouble. Like some science fiction movie, the choice is clear: choose to repeat the failure in TheDAO, or choose to engage in informed dispute resolution, customised for your disputes.

Choose quickly, before the next big reveal. Good luck.


Some notes.

  1. I'm handwaving over some elements of the legal arguments above, as I haven't identified precisely where the contract is entered. But that can be left as an exercise to the reader.
  2. Vitalik argues that there is no cryptographic connection. That's an odd argument, because (a) nobody's argued in court yet that there has to be a cryptographic connnection, (b) that argument reduces to "Vitalik doesn't attest to it being the contract" whereas (c) we need to go much much more, like "it isn't the contract because this other thing is the contract." Oh, and (d) we can guarantee that the court will look favourably on anything that looks like a contract, and will be entirely skeptical of a prose-free lump of code.
  3. I haven't talked about the parties to the contract at all in the above. That's because we don't need to - in this context. A given case may need to, but actually in TheDAO case, we don't need to. It could be entirely sufficient for the ethcore team to present the evidence as expert witnesses, and the Arbitrator to return a ruling authorising a hard fork. The parties do not need to be examined unless the case demands it.
Posted by Prometheus at 11:22 AM | Comments (0)

October 25, 2015

When the security community eats its own...

If you've ever wondered what that Market for Silver Bullets paper was about, here's Pete Herzog with the easy version:

When the Security Community Eats Its Own

BY PETE HERZOG
http://isecom.org

The CEO of a Major Corp. asks the CISO if the new exploit discovered in the wild, Shizzam, could affect their production systems. He said he didn't think so, but just to be sure he said they will analyze all the systems for the vulnerability.

So his staff is told to drop everything, learn all they can about this new exploit and analyze all systems for vulnerabilities. They go through logs, run scans with FOSS tools, and even buy a Shizzam plugin from their vendor for their AV scanner. They find nothing.

A day later the CEO comes and tells him that the news says Shizzam likely is affecting their systems. So the CISO goes back to his staff to have them analyze it all over again. And again they tell him they don’t find anything.

Again the CEO calls him and says he’s seeing now in the news that his company certainly has some kind of cybersecurity problem.

So, now the CISO panics and brings on a whole incident response team from a major security consultancy to go through each and every system with great care. But after hundreds of man hours spent doing the same things they themselves did, they find nothing.

He contacts the CEO and tells him the good news. But the CEO tells him that he just got a call from a journalist looking to confirm that they’ve been hacked. The CISO starts freaking out.

The CISO tells his security guys to prepare for a full security upgrade. He pushes the CIO to authorize an emergency budget to buy more firewalls and secondary intrusion detection systems. The CEO pushes the budget to the board who approves the budget in record time. And almost immediately the equipment starts arriving. The team works through the nights to get it all in place.

The CEO calls the CISO on his mobile – rarely a good sign. He tells the CISO that the NY Times just published that their company allegedly is getting hacked Sony-style.

They point to the newly discovered exploit as the likely cause. They point to blogs discussing the horrors the new exploit could cause, and what it means for the rest of the smaller companies out there who can’t defend themselves with the same financial alacrity as Major Corp.

The CEO tells the CISO that it's time they bring in the FBI. So he needs him to come explain himself and the situation to the board that evening.

The CISO feels sick to his stomach. He goes through the weeks of reports, findings, and security upgrades. Hundreds of thousands spent and - nothing! There's NOTHING to indicate a hack or even a problem from this exploit.

So wondering if he’s misunderstood Shizzam and how it could have caused this, he decides to reach out to the security community. He makes a new Twitter account so people don’t know who he is. He jumps into the trending #MajorCorpFail stream and tweets, "How bad is the Major Corp hack anyway?"

A few seconds later a penetration tester replies, "Nobody knows xactly but it’s really bad b/c vendors and consultants say that Major Corp has been throwing money at it for weeks."

Read on for the more deeper analysis.

Posted by iang at 06:04 AM | Comments (0)

June 17, 2015

Cash seizure is a thing - maybe this picture will convince you

There are many many people who do not believe that the USA police seize cash from people and use it for budget. The system is set up for the benefit of police - budgetary plans are laid, you have no direct recourse to the law because it is the cash that defends itself, the proceeds are carved up.

Maybe this will convince you - if cash seizure by police wasn't a 'thing' we wouldn't need this chart:

Posted by iang at 08:00 PM | Comments (1)

April 03, 2015

Training Day 2: starring Bridges & Force

Readers might have probably been watching the amazing story of the Bridges & Force arrests in USA. It's starting to look much like a film, and the one I have in mind is this: Training Day.

In short: two agents were sent in to bring down the Silk Road website for selling anything (guns, drugs, etc). In the process, the agents stole a lot of the money. And in the process, went on a rampage through the Bitcoin economy robbing, extorting, and manipulating their way to riches.

You can't make this up. Worse, we don't need to. The problem is deep, underlying and demented within our society. We're going to see much more of it, and the reason we know this is that we have decades of experience in other countries outside the OECD purview.

This is our own actions coming back to destroy us. In a nutshell here it is, here is the short story that gets me on the FATF's blacklist and you too if you spread it:

In the 1980s, certain European governments got upset about certain forms of arbitrage across nations by multinationals and rich folk. These people found a ready consensus with others in policing work who said that "follow the money" was how you catch the really bad people, a.k.a. criminals. Between these two groups of public servants they felt they could crack open the bank secrecy that was protecting criminals and rich people alike.

So the Anti Money Laundering or AML project was born, under the aegis of FATF or financial action task force, an office created in Paris under OECD. Their concept was that they put together rules about how to stop bad money moving through the system. In short: know your customer, and make sure their funds were good. Add in risk management and suspicious activity reporting and you're golden.

On passing these laws, every politician faithfully promised it was only for the big stuff, drugs and terrorism, and would never be used against honest or wealthy or innocent people. Honest Injun!

If only so simple. Anyone who knows anything about crime or wealth realises within seconds that this is not going to achieve anything against the criminals or the wealthy. Indeed, it may even make matters worse, because (a) the system is too imperfect to be anything but noise, (b) criminals and wealthy can bypass the system, and (c) criminals can pay for access. Hold onto that thought.

So, if the FATF had stopped there, then AML would have just been a massive cost on society. Westerners would paid basis points for nothing, and it would have just been a tool that shut the poor out of the financial system; something some call the problem of the 'unbanked' but that's a subject for another day (and don't use that term in my presence, thanks!). Criminals would have figured out other methods, etc.

If only. Just. But they went further.

In imposing the FATF 40 recommendations (yes, it got a lot more complicated and detailed, of course) everyone everywhere everytime also stumbled on an ancient truth of bureaucracy without control: we could do more if we had more money! Because of course the society cost of following AML was also hitting the police, implementing this wonderful notion of "follow the money" cost a lot of money.

Until someone had the bright idea: if the money is bad, why can't we seize the bad money and use it to find more bad money?

And so, it came to pass. The centuries-honoured principle of 'consolidated revenue' was destroyed and nobody noticed because "we're stopping bad people." Laws and regs were finagled through to allow money seized from AML operations to be then "shared" across the interested good parties. Typically some goes to the local police, and some to the federal justice. You can imagine the heated discussions about percentage sharing.

What could possibly go wrong?

Now the police were empowered not only to seize vast troves of money, but also keep part of it. In the twinkling of an eye, your local police force was now incentivised to look at the cash pile of everyone in their local society and 'find' a reason to bust. And, as time went on, they built their system to be robust to errors: even if they were wrong, the chances of any comeback were infinitesimal and the take might just be reduced.

AML became a profit center. Why did we let this happen? Several reasons:

1. It's in part because "bad guys have bad money" is such a compelling story that none dare question those who take "bad money from bad guys."

Indeed, money laundering is such a common criminal indictment in USA simply because people assume it's true on the face of it. The crime itself is almost as simple as moving a large pot of money around, which if you understand criminal proceedings, makes no sense at all. How can moving a large pot of money around be proven as ML before you've proven a predicate crime? But so it is.

2. How could we as society be so stupid? It's because the principle of 'consolidated revenue' has been lost in time. The basic principle is simple: *all* monies coming into the state must go to the revenue office. From there they are spent according to the annual budget. This principle is there not only for accountability but to stop the local authorities becoming the bandits The concept goes back all the way to the Magna Carta which was literally and principally about the barons securing the rights to a trial /over arbitrary seizure of their wealth/.

We dropped the ball on AML because we forgot history.

So what's all this to do with Bridges & Force? Well, recall that thought: the serious criminals can buy access. Which of course they've been doing since the beginning, the AML authorities themselves are victims to corruption.

As the various insiders in AML are corrupted, it becomes a corrosive force. Some insiders see people taking bribes and can't prove anything. Of course, these people aren't stupid, these are highly trained agents. Eventually they work out how they can't change anything and the crooks will never be ousted from inside the AML authorities. And they start with a little on the side. A little becomes a lot.

Every agent in these fields is exposed to massive corruption right from the start. It's not as if agents sent into these fields are bad. Quite the reverse, they are good and are made bad. The way AML is constructed it seems impossible that there could be any other result - Quis custodiet ipsos custodes? or Who watches the watchers?

Remember the film Training Day ? Bridges and Force are a remake, a sequel, this time moved a bit further north and with the added sex appeal of a cryptocurrency.

But the important things to realise is that this isn't unusual, it's embedded. AML is fatally corrupted because (a) it can't work anyway, and (b) they breached the principle of consolidated revenue, (c) turned themselves into victims, and then (d) the bad guys.

Until AML itself is unwound, we can't ourselves - society, police, authorities, bitcoiners - get back to the business of fighting the real bad guys. I'd love to talk to anyone about that, but unfortunately the agenda is set. We're screwed as society until we unwind AML.

Posted by iang at 06:15 PM | Comments (0)

February 16, 2015

Google's bebapay to close down, Safaricom shows them how to do it

In news today, BebaPay, the google transit payment system in Nairobi, is shutting down. As predicted in this blog, the payment system was a disaster from the start, primarily because it did not understand the governance (aka corruption) flow of funds in the industry. This resulted in the erstwhile operators of the system conspiring to make sure it would not work.

How do I know this? I was in Nairobi when it first started up, and we were analysing a lot of market sectors for payments technology at the time. It was obvious to anyone who had actually taken a ride on a Matatu (the little buses that move millions of Kenyans to work) that automating their fares was a really tough sell. And, once we figured out how the flow of funds for the Matatu business worked, from inside sources, we knew a digital payments scheme was dead on arrival.

As an aside there is a play that could have been done there, in a nearby sector, which is the tuk-tuks or motorbike operators that are clustered at every corner. But that's a case-study for another day. The real point to take away here is that you have to understand the real flows of money, and when in Africa, understand that what we westerners call corruption means that our models are basically worthless.

Or in shorter terms, take a ride on the bus before you decide to improve it.

Meanwhile, in other news, Safaricom are now making a big push into the retail POS world. This was also in the wings at the time, and when I was there, we got the inside look into this field due to a friend who was running a plucky little mPesa facilitation business for retails. He was doing great stuff, but the elephant in the room was always Safaricom, and it was no polite toilet-trained beast. Its reputation for stealing other company's business ideas was a legend; in the payment systems world, you're better off modelling Safaricom as a bank.

Ah, that makes more sense... You'll note that Safaricom didn't press over-hard to enter the transit world.

The other great takeway here is that westerners should not enter into the business of Africa lightly if at all. Westerners' biggest problem is that they don't understand the conditions there, and consequently they will be trapped in a self-fulfilling cycle of western psuedo-economic drivel. Perhaps even more surprising, they also can't turn to their reliable local NGOs or government partners or consultancies because these people are trained & paid by the westerners to feed back the same academic models.

How to break out of that trap economically is a problem I've yet to figure out. I've now spent a year outside the place, and I can report that I have met maybe 4 or 5 people amongst say 100 who actually understand the difference? Not a one of these is employed by an NGO, aid department, consultant, etc. And, these impressive organisations around the world that specialise in Africa are in this situation -- totally misinformed and often dangerously wrong.

I feel very badly for the poor of the world, they are being given the worst possible help, with the biggest smile and a wad of cash to help it along its way to failure.

Which leads me to a pretty big economic problem - solving this requires teaching what I learnt in a few years over a single coffee - can't be done. I suspect you have to go there, but even that isn't saying what's what.

Luckily however the developing world -- at least the parts I saw in Nairobi -- is now emerging with its own digital skills to address their own issues. Startup labs abound! And, from what I've seen, they are doing a much better job at it than the outsiders.

So, maybe this is a problem that will solve itself? Growth doesn't happen at more than 10% pa, so patience is perhaps the answer, not anger. We can live and hope, and if an NGO does want to take a shot at the title, I'm in for the 101th coffee.

Posted by iang at 07:59 AM | Comments (1)

June 05, 2014

Reset the Net. Don't ask for your privacy. Take it back.

"On June 5, I will take strong steps to protect my freedom from government mass surveillance. I expect the services I use to do the same."

Once you pledge, get the privacy pack.

Posted by iang at 09:20 AM | Comments (1) | TrackBack

May 19, 2014

How to make scientifically verifiable randomness to generate EC curves -- the Hamlet variation on CAcert's root ceremony

It occurs to me that we could modify the CAcert process of verifiably creating random seeds to make it also scientifically verifiable, after the event. (See last post if this makes no sense.)

Instead of bringing a non-deterministic scheme, each participant could bring a deterministic scheme which is hitherto secret. E.g., instead of me using my laptop's webcam, I could use a Guttenberg copy of Hamlet, which I first declare in the event itself.

Another participant could use Treasure Island, a third could use Cien años de soledad.

As nobody knew what each other participate was going to declare, and the honest players amongst did a best-efforts guess on a new statically consistent tome, we can be sure that if there is at least one honest non-conspiring party, then the result is random.

And now verifiable post facto because we know the inputs.

Does this work? Does it meet all the requirements? I'm not sure because I haven't had time to think about it. Thoughts?

Posted by iang at 10:19 AM | Comments (1) | TrackBack

April 08, 2014

A very fast history of cryptocurrencies BBTC -- before Bitcoin

Before Bitcoin, there was cryptocurrency. Indeed, it has a long and deep history. If only for the lessons learnt, it is worth studying, and indeed, in my ABC of Bitcoin investing, I consider not knowing anything before the paper as a red flag. Hence, a very fast history of what came before (also see podcasts 1 and 2).


The first known (to me) attempt at cryptocurrencies occurred in the Netherlands, in the late 1980s, which makes it around 25 years ago or 20BBTC. In the middle of the night, the petrol stations in the remoter areas were being raided for cash, and the operators were unhappy putting guards at risk there. But the petrol stations had to stay open overnight so that the trucks could refuel.

Someone had the bright idea of putting money onto the new-fangled smartcards that were then being trialled, and so electronic cash was born. Drivers of trucks were given these cards instead of cash, and the stations were now safer from robbery.

At the same time the dominant retailer, Albert Heijn, was pushing the banks to invent some way to allow shoppers to pay directly from their bank accounts, which became eventually to be known as POS or point-of-sale.

Even before this, David Chaum, an American Cryptographer had been investigating what it would take to create electronic cash. His views on money and privacy led him to believe that in order to do safe commerce, we would need a token money that would emulate physical coins and paper notes. Specifically, the privacy feature of being able to safely pay someone hand-to-hand, and have that transaction complete safely and privately.

As far back as 1983 or 25BBTC, David Chaum invented the blinding formula, which is an extension of the RSA algorithm still used in the web's encryption. This enables a person to pass a number across to another person, and that number to be modified by the receiver. When the receiver deposits her coin, as Chaum called it, into the bank, it bears the original signature of the mint, but it is not the same number as that which the mint signed. Chaum's invention allowed the coin to be modified untraceably without breaking the signature of the mint, hence the mint or bank was 'blind' to the transaction.

All of this interest and also the Netherlands' historically feverish attitude to privacy probably had a lot to do with David Chaum's decision to migrate to the Netherlands. When working in the late 1980s at CWI, a hotbed of cryptography and mathematics research in Amsterdam, he started DigiCash and proceeded to build his Internet money invention, employing amongst many others names that would later become famous: Stefan Brands, Niels Ferguson, Gary Howland, Marcel "BigMac" van der Peijl, Nick Szabo, and Bryce "Zooko" Wilcox-Ahearn.

The invention of blinded cash was extraordinary and it caused an unprecedented wave of press attention. Unfortunately, David Chaum and his company made some missteps, and fell foul of the central bank (De Nederlandsche Bank or DNB). The private compromise that they agreed to was that Digicash's e-cash product would only be sold to banks. This accommodation then led the company on a merry dance attempting to field a viable digital cash through many banks, ending up eventually in bankruptcy in 1998. The amount of attention in the press brought very exciting deals to the table, with Microsoft, Deutsche Bank and others, but David Chaum was unable to use them to get to the next level.

On the coattails of Digicash there were hundreds of startups per year working on this space, including my own efforts. In the mid 1990s, the attention switched from Europe to North America for two factors: the Netscape IPO had released a huge amount of VC interest, and also Europe had brought in the first regulatory clampdown on digital cash: the 1994 EU Report on Prepaid Cards, which morphed into a reaction against DigiCash.

Yet, the first great wave of cryptocurrencies spluttered and died, and was instead overtaken by a second wave of web-based monies. First Virtual was a first brief spurt of excitement, to be almost immediately replaced by Paypal which did more or less the same thing.

The difference? Paypal allowed the money to go from person to person, where as FV had insisted that to accept money you must "be a merchant," which was a popular restriction from banks and regulators, but people hated it. Paypal also leapt forward by proposing its system as being a hand-to-hand cash, literally: the first versions were on the Palm Pilot, which was extraordinarily popular with geeks. But this geek-focus was quickly abandoned as Paypal discovered that what people -- real users -- really wanted was money on the web browser. Also, having found a willing userbase in ebay community, its future was more or less guaranteed as long as it avoided the bank/regulatory minefield laid out for it.

As Paypal proved the web became the protocol of choice, even for money, so Chaum's ideas were more or less forgotten in the wider western marketplace, although the tradition was alive in Russia with WebMoney, and there were isolated pockets of interest in the crypto communities. In contrast, several ventures started up chasing a variant of Paypal's web-hybrid: gold on the web. The company that succeeded initially was called e-gold, an American-based operation that had its corporation in Nevis in the Caribbean.

e-gold was a fairly simple idea: you send in your physical gold or 'junk' silver, and they would credit e-gold to your account. Or you could buy new e-gold, by sending a wire to Florida, and they would buy and hold the physical gold. By tramping the streets and winning customers over, the founder managed to get the company into the black and up and growing by around 1999. As e-gold the currency issuer was offshore, it did not require US onshore approval, and this enabled it for a time to target the huge American market of 'goldbugs' and also a growing worldwide community of Internet traders who needed to do cross-border payments. With its popularity on the increase, the independent exchange market exploded into life in 2000, and its future seemed set.

e-gold however ran into trouble for its libertarian ideal of allowing anyone to have an account. While in theory this is a fine concept, the steady stream of ponzis, HYIPs, 'games' and other scams attracted the attention of the Feds. In 2005, e-gold's Florida offices were raided and that was the end of the currency as an effective force. The Feds also proceeded to mop up any of the competitors and exchange operations they could lay their hands on, ensuring the end of the second great wave of new monies.

In retrospect, 9/11 marked a huge shift in focus. Beforehand, the USA was fairly liberal about alternative monies, seeing them as potential business, innovation for the future. After 9/11 the view switched dramatically, albeit slowly; all cryptocurrencies were assumed to be hotbeds of terrorists and drugs dealers, and therefore valid targets for total control. It's probably fair to speculate that e-gold didn't react so well to the shift. Meanwhile, over in Europe, they were going the other way. It had become abundantly clear that the attempt to shutdown cryptocurrencies was too successful, Internet business preferred to base itself in the USA, and there had never been any evidence of the bad things they were scared of. Successive generations of the eMoney law were enacted to open up the field, but being Europeans they never really understood what a startup was, and the less-high barriers remained deal killers.

Which brings us forward to 2008, and the first public posting of the Bitcoin paper by Satoshi Nakamoto.



What's all this worth? The best way I can make this point is an appeal to authority:

Satoshi Nakamoto wrote, on releasing the code:
> You know, I think there were a lot more people interested in the 90's,
> but after more than a decade of failed Trusted Third Party based systems
> (Digicash, etc), they see it as a lost cause. I hope they can make the
> distinction that this is the first time I know of that we're trying a
> non-trust-based system.

Bitcoin is a result of history; when decisions were made, they rebounded along time and into the design. Nakamoto may have been the mother of Bitcoin, but it is a child of many fathers: David Chaum's blinded coins and the fateful compromise with DNB, e-gold's anonymous accounts and the post-9/11 realpolitik, the cypherpunks and their libertarian ideals, the banks and their industrial control policies, these were the whole cloth out of which Nakamoto cut the invention.

And, finally it must be stressed, most all successes and missteps we see here in the growing Bitcoin sector have been seen before. History is not just humming and rhyming, it's singing loudly.

Posted by iang at 07:14 PM | Comments (1) | TrackBack

April 06, 2014

The evil of cryptographic choice (2) -- how your Ps and Qs were mined by the NSA

One of the excuses touted for the Dual_EC debacle was that the magical P & Q numbers that were chosen by secret process were supposed to be defaults. Anyone was at liberty to change them.

Epic fail! It turns out that this might have been just that, a liberty, a hope, a dream. From last week's paper on attacking Dual_EC:

"We implemented each of the attacks against TLS libraries described above to validate that they work as described. Since we do not know the relationship between the NIST- specified points P and Q, we generated our own point Q′ by first generating a random value e ←R {0,1,...,n−1} where n is the order of P, and set Q′ = eP. This gives our trapdoor value d ≡ e−1 (mod n) such that dQ′ = P. (Our random e and its corresponding d are given in the Appendix.) We then modified each of the libraries to use our point Q′ and captured network traces using the libraries. We ran our attacks against these traces to simulate a passive network attacker.

In the new paper that measures how hard it was to crack open TLS when corrupted by Dual_EC, the authors changed the Qs to match the P delivered, so as to attack the code. Each of the four libraries they had was in binary form, and it appears that each had to be hard-modified in binary in order to mind their own Ps and Qs.

So did (a) the library implementors forget that issue? or (b) NIST/FIPS in its approval process fail to stress the need for users to mind their Ps and Qs? or (c) the NSA knew all along that this would be a fixed quantity in every library, derived from the standard, which was pre-derived from their exhaustive internal search for a special friendly pair? In other words:

"We would like to stress that anybody who knows the back door for the NIST-specified points can run the same attack on the fielded BSAFE and SChannel implementations without reverse engineering.

Defaults, options, choice of any form has always been known as bad for users, great for attackers and a downright nuisance for developers. Here, the libraries did the right thing by eliminating the chance for users to change those numbers. Unfortunately, they, NIST and all points thereafter, took the originals without question. Doh!

Posted by iang at 07:32 PM | Comments (0) | TrackBack

April 01, 2014

The IETF's Security Area post-NSA - what is the systemic problem?

In the light of yesterday's newly revealed attack by the NSA on Internet standards, what are the systemic problems here, if any?

I think we can question the way the IETF is approaching security. It has taken a lot of thinking on my part to identify the flaw(s), and not a few rants, with many and aggressive defences and counterattacks from defenders of the faith. Where I am thinking today is this:

First the good news. The IETF's Working Group concept is far better at developing general standards than anything we've seen so far (by this I mean ISO, national committees, industry cartels and whathaveyou). However, it still suffers from two shortfalls.

1. the Working Group system is more or less easily captured by the players with the largest budget. If one views standards as the property of the largest players, then this is not a problem. If OTOH one views the Internet as a shared resource of billions, designed to serve those billions back for their efforts, the WG method is a recipe for disenfranchisement. Perhaps apropos, spotted on the TLS list by Peter Gutmann:

Documenting use cases is an unnecessary distraction from doing actual work. You'll note that our charter does not say "enumerate applications that want to use TLS".

I think reasonable people can debate and disagree on the question of whether the WG model disenfranchises the users, because even though a a company can out-manouver the open Internet through sheer persistence and money, we can still see it happen. In this, IETF stands in violent sunlight compared to that travesty of mouldy dark closets, CABForum, which shut users out while industry insiders prepared the base documents in secrecy.

I'll take the IETF any day, except when...

2. the Working Group system is less able to defend itself from a byzantine attack. By this I mean the security concept of an attack from someone who doesn't follow the rules, and breaks them in ways meant to break your model and assumptions. We can suspect byzantium disclosures in the fingered ID:

The United States Department of Defense has requested a TLS mode which allows the use of longer public randomness values for use with high security level cipher suites like those specified in Suite B [I-D.rescorla-tls-suiteb]. The rationale for this as stated by DoD is that the public randomness for each side should be at least twice as long as the security level for cryptographic parity, which makes the 224 bits of randomness provided by the current TLS random values insufficient.

Assuming the story as told so far, the US DoD should have added "and our friends at the NSA asked us to do this so they could crack your infected TLS wide open in real time."

Such byzantine behaviour maybe isn't a problem when the industry players are for example subject to open observation, as best behaviour can be forced, and honesty at some level is necessary for long term reputation. But it likely is a problem where the attacker is accustomed to that other world: lies, deception, fraud, extortion or any of a number of other tricks which are the tools of trade of the spies.

Which points directly at the NSA. Spooks being spooks, every spy novel you've ever read will attest to the deception and rule breaking. So where is this a problem? Well, only in the one area where they are interested in: security.

Which is irony itself as security is the field where byzantine behaviour is our meat and drink. Would the Working Group concept past muster in an IETF security WG? Whether it does or no depends on whether you think it can defend against the byzantine attack. Likely it will pass-by-fiat because of the loyalty of those involved, I have been one of those WG stalwarts for a period, so I do see the dilemma. But in the cold hard light of sunlight, who is comfortable supporting a WG that is assisted by NSA employees who will apply all available SIGINT and HUMINT capabilities?

Can we agree or disagree on this? Is there room for reasonable debate amongst peers? I refer you now to these words:

On September 5, 2013, the New York Times [18], the Guardian [2] and ProPublica [12] reported the existence of a secret National Security Agency SIGINT Enabling Project with the mission to “actively [engage] the US and foreign IT industries to covertly influence and/or overtly leverage their commercial products’ designs.” The revealed source documents describe a US $250 million/year program designed to “make [systems] exploitable through SIGINT collection” by inserting vulnerabilities, collecting target network data, and influencing policies, standards and specifications for commercial public key technologies. Named targets include protocols for “TLS/SSL, https (e.g. webmail), SSH, encrypted chat, VPNs and encrypted VOIP.”
The documents also make specific reference to a set of pseudorandom number generator (PRNG) algorithms adopted as part of the National Institute of Standards and Technology (NIST) Special Publication 800-90 [17] in 2006, and also standardized as part of ISO 18031 [11]. These standards include an algorithm called the Dual Elliptic Curve Deterministic Random Bit Generator (Dual EC). As a result of these revelations, NIST reopened the public comment period for SP 800-90.

And as previously written here. The NSA has conducted a long term programme to breach the standards-based crypto of the net.

As evidence of this claim, we now have *two attacks*, being clear attempts to trash the security of TLS and freinds, and we have their own admission of intent to breach. In their own words. There is no shortage of circumstantial evidence that NSA people have pushed, steered, nudged the WGs to make bad decisions.

I therefore suggest we have the evidence to take to a jury. Obviously we won't be allowed to do that, so we have to do the next best thing: use our collective wisdom and make the call in the public court of Internet opinion.

My vote is -- guilty.

One single piece of evidence wasn't enough. Two was enough to believe, but alternate explanations sounded plausible to some. But we now have three solid bodies of evidence. Redundancy. Triangulation. Conclusion. Guilty.

Where it leaves us is in difficulties. We can try and avoid all this stuff by e.g., avoiding American crypto, but it is a bit broader that that. Yes, they attacked and broke some elements of American crypto (and you know what I'm expecting to fall next.). But they also broke the standards process, and that had even more effect on the world.

It has to be said that the IETF security area is now under a cloud. Not only do they need to analyse things back in time to see where it went wrong, but they also need some concept to stop it happening in the future.

The first step however is to actually see the clouds, and admit that rain might be coming soon. May the security AD live in interesting times, borrow my umbrella?

Posted by iang at 11:56 PM | Comments (0) | TrackBack

March 31, 2014

NSA caught again -- deliberate weakening of TLS revealed!?

In a scandal that is now entertaining that legal term of art "slam-dunk" there is news of a new weakness introduced into the TLS suite by the NSA:

We also discovered evidence of the implementation in the RSA BSAFE products of a non-standard TLS extension called "Extended Random." This extension, co-written at the request of the National Security Agency, allows a client to request longer TLS random nonces from the server, a feature that, if it enabled, would speed up the Dual EC attack by a factor of up to 65,000. In addition, the use of this extension allows for for attacks on Dual EC instances configured with P-384 and P-521 elliptic curves, something that is not apparently possible in standard TLS.

This extension to TLS was introduced 3 distinct times through an open IETF Internet Draft process, twice by an NSA employee and a well known TLS specialist, and once by another. The way the extension works is that it increases the quantity of random numbers fed into the cleartext negotiation phase of the protocol. If the attacker has a heads up to those random numbers, that makes his task of divining the state of the PRNG a lot easier. Indeed, the extension definition states more or less that:

4.1. Threats to TLS

When this extension is in use it increases the amount of data that an attacker can inject into the PRF. This potentially would allow an attacker who had partially compromised the PRF greater scope for influencing the output.

The use of Dual_EC, the previously fingered dodgy standard, makes this possible. Which gives us 2 compromises of the standards process that when combined magically work together.

Our analysis strongly suggests that, from an attacker's perspective, backdooring a PRNG should be combined not merely with influencing implementations to use the PRNG but also with influencing other details that secretly improve the exploitability of the PRNG.

Red faces all round.

Posted by iang at 06:12 PM | Comments (0) | TrackBack

February 08, 2014

US State Department rolled, as NSA slides further off-mission. Shoulda used a BlackPhone :D

In what is either belly laugh-level hilarity, or a serious wakeup call for the American taxpayer, Reuters reports on the recent "Fuck the EU" leaks of phone calls. (h/t to zerohedge.) It turns out the recordings may have been (gasp) lifted off the airwaves:

Some U.S. officials blamed Moscow for leaking the call, noting that the recording, posted anonymously, was first highlighted in a tweet from a Russian official.

In Washington, U.S. officials said Nuland and Pyatt apparently used unencrypted cellphones, which are easy to monitor. The officials said smart phones issued to State Department officials had data encryption *but not voice encryption*.

Wtf? Where the hell are you, oh, NSA's security division aka Central Security Service?

The Information Assurance mission confronts the formidable challenge of preventing foreign adversaries from gaining access to sensitive or classified national security information.

How is it that officials of the State Department have zero, zip, nada, nuttin security while blathering on about international negotiations involving an entire strategic country, a major pipeline, and the number one PR circle-jerk for the nation-states?

I had thought that all these things were in the killing zone for the NSA. Ukraine, energy, the Olympic Games, check check check!

But apparently not. The evidence on mission drift is somewhat damning, and becoming deafening.

They have dropped the baby in many ways. They recently downgraded their irrational fear of terrorism, by prioritising the insider threat as a 'national security threat'. Without apparently understanding the bleeding obvious, that insiders such as Snowden and Manning are a threat to them, not to the people who pay their salaries:

“[Snowden and the insider threat] certainly puts us at risk of missing something that we are trying to see, which could lead to [an attack],” said Matthew Olsen, the director of the National Counterterrorism Center.

Spoken without any cynicism or humility!

If they got back to work, and crafted their mission to deliver return on investment to the taxpayer, instead of stealing from other countries' taxpayers, they wouldn't have time to worry about schoolboy plots like terrorism and rogue sysadms.

Message to the American taxpayer: demand your money back. Buy a blackphone instead.

Posted by iang at 03:36 PM | Comments (1) | TrackBack

February 03, 2014

FC++ -- Bitcoin Verification Latency -- The Achilles Heel for Time Sensitive Transactions

New paper for circulation by Ken Griffith and myself:

Bitcoin Verification Latency
The Achilles Heel for Time Sensitive Transactions

Abstract.Bitcoin has a high latency for verifying transactions, by design. Averaging around 8 minutes, such high latency does not resonate with the needs of financial traders for speed, and it opens the door for time-based arbitrage weaknesses such as market timing attacks. Although perhaps tractable in some markets such as peer to peer payments, the Achilles heel of latency makes Bitcoin unsuitable for direct trading of financial assets, and ventures seeking to exploit the market for financial assets will need to overcome this burden.

As with the Gresham's paper, developments moved fast on this question, and there are now more ventures looking at the contracts and trading question. For clarification, I am the secondary author, Ken is lead.

Posted by iang at 08:03 AM | Comments (0) | TrackBack

December 29, 2013

The Ka-Ping challenge -- so you think you can spot a bug?

It being Christmas and we're all looking for a little fun, David Wagner has posted a challenge that was part of a serious study conducted by Ka-Ping Yee and himself:

can good coders find security bugs?

Are you up to it? Are you a hacker-hero or a manager-mouse? David writes:


I believe I've managed to faithfully reconstruct the version of Ping's code that contains the deliberately inserted bug. If you would like to try your hand at finding the bug, you can look at it yourself:

http://www.cs.berkeley.edu/~daw/tmp/pvote-backdoored.zip

I'm copying Ping, in case he wants to comment or add to this.

Some grounds rules that I'd request, if you want to try this on your own:

  1. Please don't post spoilers to the list. If you think you've found a bug, email Ping and David privately (off-list), and I'll be happy to confirm your find, but please don't post it to the list (just in case others want to take a look too).
  2. To help yourself avoid inadvertently coming across spoilers, please don't look at anything else on the web. Resist the temptation to Google for Pvote, check out the Pvote web site, or check out the links in the code. You should have everything you need in this email. We've made no attempt to conceal the details of the bug, so if you look at other resources on the web, you may come across other stuff that spoils the exercise.
  3. I hope you'll think of this as something for your own own personal entertainment and edification. We can't provide a controlled environment and we can't fully mimic the circumstances of the review over the Internet.


Here's some additional information that may help you.

We told reviewers that there exists at least one bug, in Navigator.py, in a region that contains 100 lines of code. I've marked the region using comments. So, you are free to focus on only that part of the code (I promise you that we did not deliberately insert any bug anywhere else outside that region). Of course, I'm providing all the code, because you may need to understand how it all interacts. The original Pvote code was written to be as secure and verifiable as we could make it; I'm giving you a modified version that was modified to add a bug after the fact. So, this is not some "obfuscated Python" contest where the entire thing was designed to conceal a malicious backdoor: it was designed to be secure, and we added a backdoor only as an afterthought, as a way to better understand the effectiveness of code review.

To help you conduct your code review, it might help to start by understanding the Pvote design. You can read about the theory, design, and principles behind Pvote in our published papers:

The Pvote code probably won't make sense without understanding some aspects of its design and how it is intended to be used, so this background material might be helpful to you.

We also gave reviewers an assurance document, which outlines the "assurance case" (a detailed argument describing why we believe Pvote is secure and fit for purpose and free of bugs). Here's most of it:

http://www.cs.berkeley.edu/~daw/tmp/pvad-excerpts.pdf

Why not all of it? Because I'm lazy. The full assurance document contains the actual, unmodified Pvote code. We wrote the assurance document for the unmodified version of Pvote (without the deliberately inserted bug), and the full assurance document includes the code of the unmodified Pvote. If you were to look at that and compare it to the code I gave you above, you could quickly identify the bug by just doing a diff -- but that would completely defeat the purpose of the exercise. If I had copious free time, I'd modify the assurance document to give you a modified document that matches the modified code -- but I don't have time to do that. So, instead, I've just removed the part of the assurance document that contained the region of the code where we inserted our bug (namely, Navigator.py), and I'm giving you the rest of the assurance document.

In the actual review, we provided reviewers with additional resources that won't be available to you. For instance, we outlined for them the overall design principles of Pvote. We also were available to interactively answer questions, which helped them quickly get up to speed on the code. During the part where we had them review the modified Pvote with a bug inserted, we also answered their questions -- here's what Ping wrote about how we handled that part:

Since insider attacks are a major unaddressed threat in existing systems, we specifically wanted to experiment with this scenario. Therefore, we warned the reviewers to treat us as untrusted adversaries, and that we might not always tell the truth. However, since it was in everyone’s interest to use our limited time efficiently, we settled on a time-saving convention. We promised to truthfully answer any question about a factual matter that the reviewers could conceivably verify mechanically or by checking an independent source — for example, questions about the Python language, about static properties of the code, about its runtime behaviour, and so on.

Of course, since this is something you're doing on your own, you won't get the benefit of interacting with us and having us answer questions for you (to save you time). I realize this does make code review harder. My apologies.

You can assume that someone else has done some runtime testing of the code. We deliberately chose a bug that would survive "Logic & Accuracy Testing" (a common technique in elections, where election officials conduct a test in advance where they cast some ballots, typically chosen so that at least one vote has been cast for each candidate, and then check that the system accurately recorded and tallied those votes). Focus on code review.

-- David

Posted by iang at 02:53 PM | Comments (0) | TrackBack

October 29, 2013

Confirmed: the US DoJ will not put the bankers in jail, no matter how deep the fraud

I've often asked the question why no-one went to jail for the frauds of the financial crisis, and now the US government has answered it: they are complicit in the cover-up, which means that the financial rot has infected the Department of Justice as well. Bill Black writes about the recent Bank of America verdict:

The author of the most brilliantly comedic statement ever written about the crisis is Landon Thomas, Jr. He does not bury the lead. Everything worth reading is in the first sentence, and it should trigger belly laughs nationwide.

Bank of America, one of the nation’s largest banks, was found liable on Wednesday of having sold defective mortgages, a jury decision that will be seen as a victory for the government in its aggressive effort to hold banks accountable for their role in the housing crisis."

“The government,” as a statement of fact so indisputable that it requires neither citation nor reasoning, has been engaged in an “aggressive effort to hold banks accountable for their role in the housing crisis.” Yes, we have not seen such an aggressive effort since Captain Renault told Rick in the movie Casablanca that he was “shocked” to discover that there was gambling going on (just before being handed his gambling “winnings” which were really a bribe).

There are four clues in the sentence I quoted that indicate that the author knows he’s putting us on, but they are subtle. First, the case was a civil case. “The government’s” “aggressive effort to hold banks accountable” has produced – zero convictions of the elite Wall Street officers and banks whose frauds drove the crisis. Thomas, of course, knows this and his use of the word “aggressive” mocks the Department of Justice (DOJ) propaganda. The jurors found that BoA (through its officers) committed an orgy of fraud in order to enrich those officers. That is a criminal act. Prosecutors who are far from “aggressive” prosecute elite frauds criminally because they know it is essential to deter fraud and safeguard our financial system. The DOJ refused to prosecute the frauds led by senior BoA officers. The journalist’s riff is so funny because he portrays DOJ’s refusal to prosecute frauds led by elite BoA officers as “aggressive.” Show the NYT article to friends you have who are Brits and who claim that Americans are incapable of irony. The article’s lead sentence refutes that claim for all time.

The twin loan origination fraud epidemics (liar’s loans and appraisal fraud) and the epidemic of fraudulent sales of the fraudulently originated mortgages to the secondary market would each – separately – constitute the most destructive frauds in history. These three epidemics of accounting control fraud by loan originators hyper-inflated the real estate bubble and drove our financial crisis and the Great Recession. By way of contrast, the S&L debacle was less than 1/70 the magnitude of fraud and losses than the current crisis, yet we obtained over 1,000 felony convictions in cases DOJ designated as “major.” If DOJ is “aggressive” in this crisis what word would be necessary to describe our approach?

Read on for the details of how Bill Black forms his conclusion.

Posted by iang at 05:27 AM | Comments (0) | TrackBack

May 01, 2013

MayDay! MayDay! British Banking Launches new crisis of titanic proportions...

Yes, it's the first of May, also known as May Day, and the communist world's celebration of the victory over capitalism. Quite why MayDay became the international distress message over radio is not known to me, but I'd like to know!

Meanwhile, the British Banking sector is celebrating its own version of MayDay:

The bank went through their customer base and identified which businesses were asset rich and cash poor.

Typically, the SME (small to medium enterprise) would require funding for expansion or to cover short term exposures, and the bank’s relationship manager would work with the business owner on a loan funding cover.

The loan may be for five or ten years, and the relationship manager would often call the client after a short time and say “congratulations, you’ve got the funding”.

The business owner would be delighted and would start committing the funds.

Only then would the relationship manager call them back and say, “ah, we have a concern here about interest rates”.

This would start the process of the disturbance sale of the IRSA.

The rest you can imagine - the bank sold an inappropriate derivative with false information, and without advising the customer of the true costs. This time however the costs were more severe, as it seems that many such businesses went out of business in whole or in part because of the dodgy sale.

In particular, the core issue is that no-one has defined whether the bank will be responsible for contingent liabilities.

The liabilities are for losses made by those businesses that were mis-sold these products and, as a result, have now gone into bankruptcy or been constrained so much that they have been unable to compete or grow their business as they would have if they had not taken these products.

Ouch! I have to applaud Chris Skinner and the Financial Services Club here for coming forth with this information. It is time for society to break ranks here and start dealing with the banks. If this is not done, the banks will bring us all down, and it is not clear at all that the banks aren't going to do just that.

Meanwhile back to the scandal du jour. We are talking about 40k businesses, with average suggested compensation of 2.5 million quid - so we are already up to a potential exposure of 100 billion pounds. Given this, there is no doubt that even the most thickest of the dumbest can predict what will happen next:

Mainly because of the Parliamentary investigation, the Financial Services Authority was kicked into action and, on June 29 2012, announced that it had found "serious failings in the sale of IRSAs to small and medium sized businesses and that this has resulted in a severe impact on a large number of these businesses.”

However, it then left the banks to investigate the cases and work out how to compensate and address them .

The banks response was released on January 31 2013, and it was notable that between the June announcement and bank response in January that the number of cases rose from 28,000 to 40,000. It was also noteworthy that of those 40,000 cases investigated, over 90% were found to have been mis-sold. That’s a pretty damning indictment.

Even then the real issue, according to Jeremy [of Bully Banks], is that the banks are in charge of the process.

Not only is the fox in charge of the chickens, it's also paying off them off for their slaughter. Do we really need to say more? The regulators are in bed with the banks in trying to suppress this scandal.

Obviously, this cunning tactic will save poor banks money and embarrassment. But the emerging problem here is that, as suggested many times in this blog (e.g., 2, 3, 4, ...) and elsewhere, the public is now becoming increasingly convinced that banks are not healthy, honest members of society.

Which is fine, as long as nothing happens.

But I see an issue emerging in the next systemic shock to hit the financial world: if the public's patience is exhausted, as it appeared to be over Cyprus, then the next systemic shock is going to cause the collapse of some major banks. For right or wrong, the public is not going to accept any more talk of bailouts, taxpayer subsidies, etc etc.

The chickens are going to turn on the foxes, and they will not be satisfied with anything less than blood.

One hopes that the old Lady's bank tear-down team is boned up and ready to roll, because they'll be working hard soon.

Posted by iang at 04:34 AM | Comments (3) | TrackBack

February 09, 2012

PKI and SSL - the jaws of trust snap shut

As we all know, it's a right of passage in the security industry to study the SSL business of certificates, and discover that all's not well in the state of Denmark. But the business of CAs and PKI rolled on regardless, seemingly because no threat ever challenged it. Because there was no risk, the system successfully dealt with the threats it had set itself. Which is itself elegant proof that academic critiques and demonstrations and phishing and so forth are not real attacks and can be ignored entirely...

Until 2011.

Last year, we crossed the Rubicon for the SSL business -- and by extension certificates, secure browsing, CAs and the like -- with a series of real attacks against CAs. Examples include the DigiNotar affair, the Iranian affair (attacks on around 5 CAs), and also the lesser known attack a few months back where certificates may have been forged and may have been used in an APT and may have... a lot of things. Nobody's saying.

Either way, the scene is set. The pattern has emerged, the Rubicon is crossed, it gets worse from here on in. A clear and present danger, perhaps? In California, they'd be singing "let's partly like it's 2003," the year that SB1386 slid past our resistance and set the scene for an industry an industry debacle in 2005.

But for us long term observers, no party. There will now be a steady series of these shocks, and journalists will write of our brave new world - security but no security.

With one big difference. Unlike the SB1386 breach party, where we can rely on companies not going away (even as our data does), the security system of SSL and certificates is somewhat optional. Companies can and do expose their data in different ways. We can and do invent new systems to secure or mitigate the damage. So while SB1386 didn't threaten the industry so much as briskly kicked it around, this is different.

At an attacks level, we've crossed a line, but at a wider systems level, we stand on the line.

And that line is a cliff.

Which brings us to this week's news. A CA called Trustwave has just admitted to selling a sub-root for the explicit purpose of MITM'ing. Read about that elsewhere.



Now, we've known that MITMing for fun and profit was going on for a long time. Mozilla's community first learnt of it in the mid 2000s as it was finalising its policy on CAs (a ground-breaking work that I was happy to be involved with). At that time, accusations were circulating against unknown companies listing their roots for the explicit purpose of doing MITMs on unwitting victims. Which raised the hairs, eyebrows and heckles on not a few of us. These accusations have been repeated from time to time, but in each case the "insiders" begged off on the excuse: we cannot break NDA or reputation.

Each time then the industry players were likewise able to fob it off. Hard Evidence? none. Therefore, it doesn't exist, was they industry's response. We knew as individuals, yet as an industry we knew not.

We are all agreed it does exist and it doesn't. We all have jobs to preserve, and will practice cognitive dissonance to the very end.

Of course this situation couldn't last, because a secret of this magnitude never survives. In this case, the company that sold the MITM sub-root, Trustwave, has looked at 2011, and realised the profit from that one CA isn't worth the risk of the DigiNotar experience (bankruptcy). Their decision is to 'fess up now, take it on the chin, because later may be too late.

Which leads to a dilemma, and we the players have divided on each side, one after the other, of that dilemma:

To drop the Trustwave root, or not?



That is the question. First the case for the defence: On the one hand, we applaud the honesty of a CA coming forward and cleaning up house. It's pretty clear that we need our CAs to do this. Otherwise we're not going to get anywhere with this Trust thing. We need to encourage the CAs to work within the system.

Further, if we damage a CA, we damage customers. The cost to lost business is traumatic, and the list of US government agencies that depend on this CA has suddenly become impressive. Just like DigiNotar, it seems, which spread like a wave of mistrust through the government IT departments of the Netherlands. Also, we have to keep an eye on (say) a bigger more public facing CA going down in the aftermath - and the damage to all its customers. And the next, etc.

Is lost business more important than simple faith in those silly certificates? I think lost business is much more important - revenue, jobs, money flowing keeping all of the different parts of the economy going are our most important asset. Ask any politician in USA or Europe or China; this is their number one problem!

Finally, it is pretty clear and accepted that the business purpose to which the sub-Root was put was known and tolerated. Although it is uncomfortable to spy on ones employees, it is just business. Organisations own their data systems, have the responsibility to police them, and have advised their people that this is what they are going to do. SSL included, if necessary.

This view has it that Trustwave has done the right thing. Therefore, pass. And, the more positive proponents suggest an amnesty, after which period there is summary execution for the sins - root removal from the list distributed by the browsers. It's important to not cause disruption.



Now the case for the Prosecution! On the other hand, damn spot: the CA clearly broke their promise. Out!

Three ways, did they breach the trust: It is expressed in the Mozilla policy and presumably of others that certificates are only issued to people who own/control their domains. This is no light or optional thing -- we rely on the policy because CAs and Mozilla and other vendors and auditors and all routinely practice secrecy in this business.

We *must rely on the policy* because they deny us the right to rely on anything else!

Secondly, it is what the public believe in, it is the expectations of any purchaser or user of the product, written or not. It is a simple message, and brooks no complicated exceptions. Either your connection is secure to your online bank, and nobody else can see it *including your employer or IT department*. Or not.

Try explaining this exception to your grandmother, if the words do not work for you.

Finally, the raison d'être: it is the purpose and even the entire goal of the certificate design to do exactly the opposite. The reason we have CAs like TrustWave is to stop the MITM. If they don't stop the MITM, then *we don't need the heavyweight certificate system*, we don't need CAs, and we don't need Mozilla's root list or that of any other vendor.

We can do security much more cost-effectively if we drop the 100% always-on absolutist MITM protection.

Given this breach of trust, what else can we trust in? Can we trust their promises that the purpose was maintained? That the cert never left the building? That secret traffic wasn't vectored in? That HSMs are worth something and audits ensure all is well in Denmark?

This rather being a problem with trust. Lie once, lose it.



There being two views presented, it has to be said that both views are valid. The players are lining up on either side of the line, but they probably aren't so well aware of where this is going.

Only one view is going to win out. Only one side wins this fight.

And in so-doing, in winning, the winner sews the seeds for own destruction.

Because if you religiously take your worldview, and look at the counter-argument to your preferred position, your thesis crumbles for the fallacies.

The jaws of trust just snapped shut on the players who played too long, too hard, too profitably.

Like the financial system. We are no longer worried about the bankruptcy of one or two banks or a few defaults by some fly specks on the map of European. We are now looking at a change that will ripple out and remove what vestiges of purpose and faith were left in PKI. We are now looking at all the other areas of the business that will be effected; ones that brought into the promise even though they knew they shouldn't have.

Like the financial system, a place of uncanny similarity, each new shock makes us wonder and question. Wasn't all this supposed to be solved? Where are the experts? Where is the trust?

We're about to find out the timeless meaning of Caveat Emptor.

Posted by iang at 10:54 PM | Comments (7) | TrackBack

January 29, 2012

Why Threat Modelling fails in practice

I've long realised that threat modelling isn't quite it.

There's some malignancy in the way the Internet IT Security community approached security in the 1990s that became a cancer in our protocols in the 2000s. Eventually I worked out that the problem with the aphorism What's Your Threat Model (WYTM?) was the absence of a necessary first step - the business model - which lack permitted threat modelling to be de-linked from humanity without anyone noticing.

But I still wasn't quite there, it still felt like wise old men telling me "learn these steps, swallow these pills, don't ask for wisdom."

In my recent risk management work, it has suddenly become clearer. Taking from notes and paraphrasing, let me talk about threats versus risks, before getting to modelling.

A threat is something that threatens, something that can cause harm, in the abstract sense. For example, a bomb could be a threat. So could an MITM, an eavesdropper, or a sniper.

But, separating the abstract from the particular, a bomb does not necessarily cause a problem unless there is a connection to us. Literally, it has to be capable of doing us harm, in a direct sense. For this reason, the methodologists say:

Risk = Threat * Harm

Any random bomb can't hurt me, approximately, but a bomb close to me can. With a direct possibility of harm to us, a threat becomes a risk. The methodologists also say:

Risk = Consequences * Likelihood

That connection or context of likely consequences to us suddenly makes it real, as well as hurtful.

A bomb then is a threat, but just any bomb doesn't present a risk to anyone, to a high degree of reliability. A bomb under my car is now a risk! To move from threats to risks, we need to include places, times, agents, intents, chances of success, possible failures ... *victims* ... all the rest needed to turn the abstract scariness into direct painful harm.

We need to make it personal.

To turn the threatening but abstract bomb from a threat to a risk, consider a plane, one which you might have a particular affinity to because you're on it or it is coming your way:

⇒ people dying
⇒ financial damage to plane
⇒ reputational damage to airline
⇒ collateral damage to other assets
⇒ economic damage caused by restrictions
⇒ war, military raids and other state-level responses

Lots of risks! Speaking of bombs as planes: I knew someone booked on a plane that ended up in a tower -- except she was late. She sat on the tarmac for hours in the following plane.... The lovely lady called Dolly who cleaned my house had a sister who should have been cleaning a Pentagon office block, but for some reason ... not that day. Another person I knew was destined to go for coffee at ground zero, but woke up late. Oh, and his cousin was a fireman who didn't come home that day.

Which is perhaps to say, that day, those risks got a lot more personal.

We all have our very close stories to tell, but the point here is that risks are personal, threats are just theories.

Let us now turn that around and consider *threat modelling*. By its nature, threat modelling only deals with threats and not risks and it cannot therefore reach out to its users on a direct, harmful level. Threat modelling is by definition limited to theoretical, abstract concerns. It stops before it gets practical, real, personal.

Maybe this all amounts to no more than a lot of fuss about semantics?

To see if it matters, let's look at some examples: If we look at that old saw, SSL, we see rhyme. The threat modelling done for SSL took the rather abstract notions of CIA -- confidentiality, integrity and authenticity -- and ended up inverse-pyramiding on a rather too-perfect threat of MITM -- Man-in-the-Middle.

We can also see from the lens of threat analysis versus risk analysis that the notion of creating a protocol to protect any connection, an explicit choice of the designers, led to them not being able to do any risk analysis at all; the notion of protecting certain assets such as credit cards as stated in the advertising blurb was therefore conveniently not part of the analysis (which we knew, because any risk analysis of credit cards reveals different results).

Threat modelling therefore reveals itself to be theoretically sound but not necessarily helpful. It is then no surprise that SSL performed perfectly against its chosen threats, but did little to offend the risks that users face. Indeed, arguably, as much as it might have stopped some risks, it helped other risks to proceed in natural evolution. Because SSL dealt perfectly with all its chosen threats, it ended up providing a false sense of false security against harm-incurring risks (remember SSL & Firewalls?).

OK, that's an old story, and maybe completely and boringly familiar to everyone else? What about the rest? What do we do to fix it?

The challenge might then be to take Internet protocol design from the very plastic, perfect but random tendency of threat modelling and move it forward to the more haptic, consequences-directed chaos of risk modelling.

Or, in other words, we've got to stop conflating threats with risks.

Critics can rush forth and grumble, and let me be the first: Moving to risk modelling is going to be hard, as any Internet protocol at least at the RFC level is generally designed to be deployed across an extremely broad base of applications and users.

Remember IPSec? Do you feel the beat? This might be the reason why we say that only end-to-end security cuts the mustard, because end-to-end implies an application, and this draw in the users to permit us to do real risk modelling.

It might then be impossible to do security at the level of an Internet-wide, application-free security protocol, a criticism that isn't new to the IETF. Recall the old ISO layer 5, sometimes called "the security layer" ?

But this doesn't stop the conclusion: threat modelling will always fail in practice, because by definition, threat modelling stops before practice. The place where users are being exposed and harmed can only be investigated by getting personal - including your users in your model. Threat modelling does not go that far, it does not consider the risks against any particular set of users that will be harmed by those risks in full flight. Threat modelling stops at the theoretical, and must by the law of ignorance fail in the practical.

Risks are where harm is done to users. Risk modelling therefore is the only standard of interest to users.

Posted by iang at 02:02 PM | Comments (6) | TrackBack

December 08, 2011

Two-channel breached: a milestone in threat evaluation, and a floor on monetary value

Readers will know we first published the account on "Man in the Browser by Philipp Güring way back when, and followed it up with news that the way forward was dual channel transaction signing. In short, this meant the bank sending an SMS to your handy mobile cell phone with the transaction details, and a check code to enter if you wanted the transaction to go through.

On the face of it, pretty secure. But at the back of our minds, we knew that this was just an increase in difficulty: a crook could seek to control both channels. And so it comes to pass:

In the days leading up to the fraud being committed, [Craig] had received two strange phone calls. One came through to his office two-to-three days earlier, claiming to be a representative of the Australian Tax Office, asking if he worked at the company. Another went through to his home number when he was at work. The caller claimed to be a client seeking his mobile phone number for an urgent job; his daughter gave out the number without hesitation.

The fraudsters used this information to make a call to Craig’s mobile phone provider, Vodafone Australia, asking for his phone number to be “ported” to a new device.

As the port request was processed, the criminals sent an SMS to Craig purporting to be from Vodafone. The message said that Vodafone was experiencing network difficulties and that he would likely experience problems with reception for the next 24 hours. This bought the criminals time to commit the fraud.

The unintended consequence of the phone being used for transaction signing is that the phone is now worth maybe as much as the fraud you can pull off. Assuming the crooks have already cracked the password for the bank account (something probably picked up on a market for pennies), the crooks are now ready to spend substantial amounts of time to crack the phone. In this case:

Within 30 minutes of the port being completed, and with a verification code in hand, the attackers were spending the $45,000 at an electronics retailer.

Thankfully, the abnormally large transaction raised a red flag within the fraud unit of the Commonwealth Bank before any more damage could be done. The team tried – unsuccessfully – to call Craig on his mobile. After several attempts to contact him, Craig’s bank account was frozen. The fraud unit eventually reached him on a landline.

So what happens now that the crooks walked with $45k of juicy electronics (probably convertible to cash at 50-70% off face over ebay) ?

As is standard practice for online banking fraud in Australia, the Commonwealth Bank has absorbed the hit for its customer and put $45,000 back into Craig's account.

A NSW Police detective contacted Craig on September 15 to ensure the bank had followed through with its promise to reinstate the $45,000. With this condition satisfied, the case was suspended on September 29 pending the bank asking the police to proceed with the matter any further.

One local police investigator told SC that in his long career, a bank has only asked for a suspended online fraud case to be investigated once. The vast majority of cases remain suspended. Further, SC Magazine was told that the police would, in any case, have to weigh up whether it has the adequate resources to investigate frauds involving such small amounts of money.

No attempt was made at a local police level to escalate the Craig matter to the NSW Police Fraud and Cybercrime squad, for the same reasons.

In a paper I wrote in 2008, I stated for some value below X, police wouldn't lift a finger. The Prosecutor has too much important work to do! What we have here is a very definate floor beyond which Internet systems which transmit and protect value are unable to rely on external resources such as the law . Reading more:

But the Commonwealth Bank claims it has forwarded evidence to the NSW and Federal Police forces that could have been used to prosecute the offenders.

The bank’s fraud squad – which had identified the suspect transactions within minutes of the fraud being committed - was able to track down where the criminals spent the stolen money.

A spokesman for the bank said it “dealt with both Federal and State (NSW) Police regarding the incident” and that “both authorities were advised on the availability of CCTV footage” of the offenders spending their ill-gotten gains.

“The Bank was advised by one of the authorities that the offender had left the country – reducing the likelihood of further action by that authority,” the spokesperson said.

This number goes up dramatically once we cross a border. In that paper I suggested 25k, here we have a reported number of $45k.

Why is that important? Because, some systems have implicit guarantees that go like "we do blah and blah and blah, and then you go to the police and all your problems are solved!" Sorry, not if it is too small, where small is surprisingly large. Any such system that handwaves you to the police without clearly indicating the floor of interest ... is probably worthless.

So when would you trust a system that backstopped to the police? I'll stick my neck out and say, if it is beyond your borders, and you're risking >> $100k, then you might get some help. Otherwise, don't bet your money on it.

Posted by iang at 04:34 PM | Comments (5) | TrackBack

November 15, 2011

Advanced Persistent Threat (APT) - why did we resist so long?

Bruce Schneier posts on something I've felt as well:

Advanced Persistent Threat (APT)

It's taken me a few years, but I've come around to this buzzword. It highlights an important characteristic of a particular sort of Internet attacker.

A conventional hacker or criminal isn't interested in any particular target. He wants a thousand credit card numbers for fraud, or to break into an account and turn it into a zombie, or whatever. Security against this sort of attacker is relative; as long as you're more secure than almost everyone else, the attackers will go after other people, not you. An APT is different; it's an attacker who -- for whatever reason -- wants to attack you. Against this sort of attacker, the absolute level of your security is what's important. It doesn't matter how secure you are compared to your peers; all that matters is whether you're secure enough to keep him out.

APT attackers are more highly motivated. They're likely to be better skilled, better funded, and more patient. They're likely to try several different avenues of attack. And they're much more likely to succeed.

So, this becomes a really classic case of that old saw: "What's your threat model?"

There are apparently two sterotypical attackers out there (at least in this dichotomy):

  1. the random agnostic thief: "A conventional hacker or criminal isn't interested in any particular target. He wants a thousand credit card numbers for fraud, or to break into an account and turn it into a zombie, or whatever." He doesn't share our economic beliefs of society and trade, but he certainly subscribes to the power of our money.
  2. the advanced persistent threat: the spy who's after your state-level secrets. He's not economic, in the sense that he isn't constrained by normal commercial levels of investment, instead he's got a very large budget behind, with very large strategic interests directing the target choice.

Very different agents, leading to very different models of security. And all other things, such as how we as society deal with these issues.

Schneier finishes on this:

This is why APT is a useful buzzword.

Sure, no matter how uncomfortable we are with the background, it's the buzzword we've got.

Why then did we disbelieve the APT for so long? I think there are three factors.

  • We the people aren't bothered by the APT, we're bothered by the random agnostic thief.
  • The credibility of the USA industrial-military machine is at an all time low. Since the low-point of Colin Powell's speech to the UN, the people routinely disbelieve anything said, and now demand evidence.
  • They presented no evidence. We had to wait until DigiNotar and the surrounding other events (the other CAs) to understand that this was the real deal.

We still aren't so totally accepting. We still have the problem that our attacker is the random agnostic thief.

Why still resist? My feeling is this: I'm annoyed that the state has managed more success in swinging the major Internet vendors around to dealing with selling to the state's APT -- NIST's pogrom on small numbers, ESG’s U.S. Advanced Persistent Threat Analysis, etc -- than we ever had as an open community in dealing with our random agnostic thieves.

We're still following the NSA's drumbeat.

Posted by iang at 12:57 PM | Comments (1) | TrackBack

October 20, 2011

next-gen Stuxnet targets SCADA companies for intelligence

As an example of good disclosure that we can use to analyse our risks on new attacks come from Symantec:

Key points:

  • Executables using the Stuxnet source code have been discovered. They appear to have been developed since the last Stuxnet file was recovered.
  • The executables are designed to capture information such as keystrokes and system information.
  • Current analysis shows no code related to industrial control systems, exploits, or self-replication.
  • The executables have been found in a limited number of organizations, including those involved in the manufacturing of industrial control systems.
  • The exfiltrated data may be used to enable a future Stuxnet-like attack.
  • Now, Symantec are somewhat 'interested' in this disclosure, in the commercial sense, because they gain reputation and thence sell more defences to more customers. They could just shout FUD out to the world. But in this sense, the market has moved to a sense of competition on solid disclosures, as compared by competitor McAfee also putting its own analysis out there.

    And, it turns out that Symantec is doubly interested as the new trojan was signed by one of their (Verisign?) certificates:

    *Update [October 18, 2011] - *Symantec has known that some of the malware files associated with the W32.Duqu threat were signed with private keys associated with a code signing certificate issued to a Symantec customer. Symantec revoked the customer certificate in question on October 14, 2011. Our investigation into the key's usage leads us to the conclusion that the private key used for signing Duqu was stolen, and not fraudulently generated for the purpose of this malware. At no time were Symantec's roots and intermediate CAs at risk, nor were there any issues with any CA, intermediate, or other VeriSign or Thawte brands of certificates. Our investigation shows zero evidence of any risk to our systems; we used the correct processes to authenticate and issue the certificate in question to a legitimate customer in Taiwan.

    Still, I can't fault the disclosure: they investigated and now claim it was a good cert, stolen from the client. They revoked it the same day of being shown the code/sig.

    This information is provided in a way we can RELY on it. From this we can make risk management judgements. See more here.

    Posted by iang at 09:29 PM | Comments (0) | TrackBack

    June 09, 2011

    1st round in Internet Account Fraud World Cup: Customer 0, Bank 1, Attacker 300,000

    More grist for the mill -- where are we on the security debate? Here's a data point.

    In May 2009, PATCO, a construction company based in Maine, had its account taken over by cyberthieves, after malware hijacked online banking log-in and password credentials for the commercial account PATCO held with Ocean Bank. ....

    There are two ways to look at this: the contractual view, and the responsible party view. The first view holds that contracts describe the arrangement, and parties govern themselves. The second holds that the more responsible party is required to be <ahem> more responsible. PATCO decided to ask for the second:

    A magistrate has recommended that a U.S. District Court in Maine deny a motion for a jury trial in an ACH fraud case filed by a commercial customer against its former bank. According to the order, which must still be reviewed by the presiding judge, the bank fulfilled its contractual obligations for security and authentication through its requirement for log-in and password credentials. ....

    At issue for PATCO is whether banks should be held responsible when commercial accounts, like PATCO's, are drained because of fraudulent ACH and wire transfers approved by the bank. How much security should banks and credit unions reasonably be required to apply to the commercial accounts they manage?

    "Obviously, the major issue is the banks are saying this is the depositors' problem," Patterson says, "but the folks that are losing money through ACH fraud don't have enough sophistication to stop this."

    And lost.

    David Navetta, an attorney who specializes in IT security and privacy, says the magistrate's recommendation, if accepted by the judge, could set an interesting legal precedent about the security banks are expected to provide. And unless PATCO disputes the order, Navetta says it's unlikely the judge will overrule the magistrate's findings. PATCO has between 14 and 21 days to respond.

    "Many security law commentators, myself included, have long held that *reasonable security does not mean bullet-proof security*, and that companies need not be at the cutting edge of security to avoid liability," Navetta says. "The court explicitly recognizes this concept, and I think that is a good thing: For once, the law and the security world agree on a key concept."

    My emphasis added, and it is an important point that security doesn't mean absolute security, it means reasonable security. Which from the principle of the word, means stopping when the costs outweigh the benefits.

    But that is not the point that is really addressed. The question is whether (a) how we determine what is acceptable (not reasonable), and (b) if the Customer loses out when acceptable wasn't reasonable, is there any come-back?

    In the disposition, the court notes that Ocean Bank's security could have been better. "It is apparent, in the light of hindsight, that the Bank's security procedures in May 2009 were not optimal," the order states. "The Bank would have more effectively harnessed the power of its risk- profiling system if it had conducted manual reviews in response to red flag information instead of merely causing the system to trigger challenge questions."

    But since *PATCO agreed to the bank's security methods when it signed the contract*, the court suggests then that PATCO considered the bank's methods to be reasonable, Navetta says. The law also does not require banks to implement the "best" security measures when it comes to protecting commercial accounts, he adds.

    So, we can conclude that "reasonable" to the bank meant putting in place risk-profiling systems. Which it then bungled (allegedly). However, the standard of security was as agreed in the contract, *reasonable or not*.

    That is, *reasonable security* doesn't enter into it. More on that, as the observers try and mold this into a "best practices" view:

    "Patco in effect demands that Ocean Bank have adopted the best security procedures then available," the order states. "As the Bank observes, that is not the law."

    (Where it says "best" read "best practices" which is lowest common denominator, a rather different thing to best. In particular, the case is talking about SecureId tokens and the like.)

    Patterson argues that Ocean Bank was not complying with the Federal Financial Institutions Examination Council's requirement for multifactor authentication when it relied solely on log-in and password credentials to verify transactions. Navetta agrees, but the court in this order does not.

    "The court took a fairly literal approach to its analysis and bought the bank's argument that the scheme being used was multifactor, as described in the [FFIEC] guidance," Navetta says. "The analysis on what constitutes multifactor and whether some multifactor schemes [out of band; physical token] are better than others was discussed, and, to some degree, the court acknowledged that the bank's security could have been better. Even so, it was technically multifactor, as described in the FFEIC guidance, in the court's opinion, and "the best" was not necessary."

    Navetta says the court's view of multifactor does not jibe with common industry understanding. Most industry experts, he says, would not consider Ocean Bank's authentication practices in 2009 to be true multifactor. "Obviously, the 'something you have' factor did not fully work if hackers were able to remotely log into the bank using their own computer," he says. "I think that PATCO's argument was the additional factors were meaningless since the challenge question was always asked anyway, and apparently answering it correctly worked even if one of the factors failed. In other words, it appears that PATCO was arguing that the net result of the other two factors failing was going back to a single factor."

    This problem has been known for a long time. When the "best practices" approach is used, as in this FFIEC example, there is a list of things you do. You do them, and you're done. You are encouraged to (a) not do any better, and (b) cheat. The trick employed above, to interpret the term "multi-factor" in a literal fashion, rather than using the security industry's customary (and more expensive) definition, has been known for a long long time.

    It's all part of the "best practices" approach, and the court may have been wise to avoid further endorsing it. There is now more competition in security practices, says this court, and you'll find it in your contract.


    Caveat: as with all such cases, this is a preliminary ruling, and it can be overturned including several times... before we see a precedent.

    Posted by iang at 06:10 AM | Comments (4) | TrackBack

    April 05, 2011

    If data breaches are feared more than hackers, what is the perverse result?

    This headline struck my attention:

    Data Breaches Feared More than Hackers

    The majority of compliance professionals feel that their organizations are well or very well prepared to fend off hacker attacks, however, their confidence wanes significantly when assessing other data breach threats. This according to a survey conducted by the Society of Corporate Compliance and Ethics (SCCE) and the Health Care Compliance Association (HCCA).

    This mirrored my results in The Market for Silver Bullets, in that the cost of the loss to intangibles and indirects such as reputation and compliance reviews would far outweigh the direct losses to the individuals. Consequently, this would have perverse effects on the treatment of risks.

    I didn't really go into what those perverse effects were. Suffice, I thought at the time, to say, security's really screwed up, there is no way you can expect a rational result from this mess. But one thing struck me on reading that heading.

    If the indirect effects of the data breach are feared more than the direct effects of the hacker's impacted damages, then there is an easy solution. Simply share the results, and generate a win-win for both. E.g., if the hacker manages to breach, and steal X data sets, he now has two opportunities. He can either exploit the breach set for some gain X*y where y is the average gain per identity, or he can settle with the lead victim.

    Because we know that the indirect costs to the victim will far outweigh the direct gain to the attacker, there is an easy settlement. The victim is easily incentivised to pay for the breach to be settled without additional costs. And the attacker gains too as he has less work to do. Negotiation will find a convenient price between the two bounds.

    Thus, this state of affairs predicts that the market for silver bullets leads to a market for extortion. Hack citibank, sell them their data back. I have no firm data, but I am comfortable with predicting that the difference is an order of magitude. That is, the costs to the victim are around 10 times the benefit to the attacker. Plenty of room there for a win-win solution.

    (For those who are worried about the impact of an illegal contract, it is easy enough to put a silk dress on the pig and sell the breach techniques, with an NDA attached. This of course is the worry behind those breach markets. How close to extortion does it take us? Where do the morals stop and where does the crime start? A topic for another day...)

    As a slight footnote, to confirm my prediction of this particular perverse result, I followed the article. Here's the relevant section found on the survey provider's site, two groups called Society of Corporate Compliance and Ethics and Health Care Compliance Association.

    Fears of an accidental breach far outweigh fears of an intentional breach. Respondents were asked how likely they felt that data would be released through hacking attacks, intentional breaches by employees and third party vendors, and accidental breaches by employees and vendors. In general the feeling was that accidental breaches were far more likely. Just 8% felt that it was somewhat or very likely a hacker would gain access to the system, When it came to breaches by employees, 61% thought an accidental breach was somewhat or very likely, but just 30% thought the same of an intentional breach. Likewise 41% thought an accidental breach by a third party vendor was somewhat or very likely but only 13% thought an intentional breach was somewhat or very likely.

    Unfortunately, no such luck. Right crowd, different story :) Oh well. So markets in extortion won't happen, right?

    Posted by iang at 06:55 PM | Comments (0) | TrackBack

    December 18, 2010

    "Compound threats" to appear in 2011 ?

    One of the things that happened a while back was the arisal of the MITB, which spooked the online banks in Europe. They aggressively pushed forward on their multi-factor approach: using the cell-phone (which Europeans colloquially call the Handy) to confirm the transaction.

    It was recognised at the time that his was a good solution due to the divergence of the two platforms. A hacker could hack the browser, but not the phone. But the next development was also expected: an attack that covered both platforms.

    Now, there is suggestion that this might be expected to emerge:

    McDaid warned, for example, that criminals are increasingly targeting mobile banking and NFC-enabled payments. “I 100 per cent expect these kinds of attacks to increase next year, not just malware attacks but compound threats too,” he explained.

    “This is where criminals exploit SMS, email, phone calls and other channels to target victims.”

    Next step after that? Well, we go back to dumb phones. But this time, the phones are tasked just to do the online payments, and there are no other apps downloadable. Reasonable? Yes, because the basic phone price in bulk has now dropped to a few bucks. Downside is convincing consumers to use it. Upside is that we can do it if we can get them to think of them as credit cards ...

    All in a days work for the strategic marketing department of your bank. If they've got one :)

    Posted by iang at 06:23 AM | Comments (5) | TrackBack

    December 14, 2010

    Threatwatch: taking money & code from "interested parties" (OpenBSD + FBI = backdoors)

    Following email is circulating amongst crypto-plumber communities. I have no idea whether it is accurate or not. It was sent to Theo de Raadt, a shaker & mover over at security-leading OpenBSD group. He also doesn't know...

    Offered here in the spirit of documenting the potential threats to the ITSec world.


    From: Gregory Perry <Gregory.Perry@Go.something.example.tv>
    To: "deraadt@openbsd.org" <deraadt@o.o>
    Subject: OpenBSD Crypto Framework

    Hello Theo,

    Long time no talk. If you will recall, a while back I was the CTO at NETSEC and arranged funding and donations for the OpenBSD Crypto Framework. At that same time I also did some consulting for the FBI, for their GSA Technical Support Center, which was a cryptologic reverse engineering project aimed at backdooring and implementing key escrow mechanisms for smart card and other hardware-based computing technologies.

    My NDA with the FBI has recently expired, and I wanted to make you aware of the fact that the FBI implemented a number of backdoors and side channel key leaking mechanisms into the OCF, for the express purpose of monitoring the site to site VPN encryption system implemented by EOUSA, the parent organization to the FBI. Jason Wright and several other developers were responsible for those backdoors, and you would be well advised to review any and all code commits by Wright as well as the other developers he worked with originating from NETSEC.

    This is also probably the reason why you lost your DARPA funding, they more than likely caught wind of the fact that those backdoors were present and didn't want to create any derivative products based upon the same.

    This is also why several inside FBI folks have been recently advocating the use of OpenBSD for VPN and firewalling implementations in virtualized environments, for example Scott Lowe is a well respected author in virtualization circles who also happens top be on the FBI payroll, and who has also recently published several tutorials for the use of OpenBSD VMs in enterprise VMware vSphere deployments.

    Merry Christmas...

    Gregory Perry
    Chief Executive Officer
    GoVirtual Education

    "VMware Training Products & Services"

    540-........ x111 (local)
    866-........ x111 (toll free)
    540-........ (mobile)
    877-........ (fax)

    http://www.facebook.com/GregoryVPerry
    http://www.facebook.com/GoVirtual

    Posted by iang at 10:22 PM | Comments (2) | TrackBack

    November 06, 2010

    NSA loses the crown jewels, or, Law of Unintended Consequences meets Flights of Brittleness

    Lynn points to a long story in The New Yorker that gives a well-written and strong story by Seymour M. Hersh on the origins of the current Cyber War propaganda push by the US Department of Defence. I and many others of the community called this a budgetary war, not a real threat, and it is good to see that there are many in the USA administration that have called "bull" on the Cyber War claim.

    Picking up from page 7:

    Why not ignore the privacy community and put cyber security on a war footing? Granting the military more access to private Internet communications, and to the Internet itself, may seem prudent to many in these days of international terrorism and growing American tensions with the Muslim world. But there are always unintended consequences of military activity—some that may take years to unravel.

    Of particular note for those who subscribe to the "heavy" approach to secure systems, and poo-poo the doctrine of risk management in favour of absolute security, is an example of the Law of Unintended Consequences, and how complicated it is when you push the envelope at so many levels.

    Ironically, the story of the EP-3E aircraft that was downed off the coast of China provides an example. The account, as relayed to me by a fully informed retired American diplomat, begins with the contested Presidential election between Vice-President Al Gore and George W. Bush the previous November. That fall, a routine military review concluded that certain reconnaissance flights off the eastern coast of the former Soviet Union—daily Air Force and Navy sorties flying out of bases in the Aleutian Islands—were redundant, and recommended that they be cut back.

    “Finally, on the eve of the 2000 election, the flights were released,” the former diplomat related. “But there was nobody around with any authority to make changes, and everyone was looking for a job.” The reality is that no military commander would unilaterally give up any mission. “So the system defaulted to the next target, which was China, and the surveillance flights there went from one every two weeks or so to something like one a day,” the former diplomat continued. By early December, “the Chinese were acting aggressively toward our now increased reconnaissance flights, and we complained to our military about their complaints. But there was no one with political authority in Washington to respond, or explain.” The Chinese would not have been told that the increase in American reconnaissance had little to do with anything other than the fact that inertia was driving day-to-day policy. There was no leadership in the Defense Department, as both Democrats and Republicans waited for the Supreme Court to decide the fate of the Presidency.

    The predictable result was an increase in provocative behavior by Chinese fighter pilots who were assigned to monitor and shadow the reconnaissance flights. This evolved into a pattern of harassment in which a Chinese jet would maneuver a few dozen yards in front of the slow, plodding EP-3E, and suddenly blast on its afterburners, soaring away and leaving behind a shock wave that severely rocked the American aircraft. On April 1, 2001, the Chinese pilot miscalculated the distance between his plane and the American aircraft. It was a mistake with consequences for the American debate on cyber security that have yet to be fully reckoned.

    For what went wrong after that, read the rest of the story!

    Posted by iang at 05:24 PM | Comments (0) | TrackBack

    October 23, 2010

    Apple's Mac moment of truth arriving? Or just the silver bullet salesman?

    Mac's moment of truth is arriving:

    "We are approaching a tipping point, where it will soon be financially viable for cybercriminals to target their efforts at Mac users," says Ivan Fermon, senior vice president of product management, Panda Security. "When Apple reaches 15 percent market share worldwide, which Panda expects will happen very soon, we predict that hackers will begin to aggressively target attacks against this platform. The rapid increase in use of Apple-powered devices--iPhones, iPods, iPads--is also making the Mac platform a much more attractive target."

    Not just any tipping point, the one where crooks target the platform. It is an interesting phenomena when such a large user base as Macs aren't an appealing target, but what can one say? It's a theory... More numbers:

    "We receive an average of 55,000 new threats every day at PandaLabs. .... Panda has identified approximately 5,000 malware variants that specifically target Apple systems, and claims to see an average of 500 new samples each month. The Mac has been getting more security research and attention as well. There were only 34 vulnerabilities identified for the Mac in 2009, but with two months to go that number is already at 175 for 2010.

    I'm not sure what to make of 55,000 new threats per day, does that mean PandaLabs has a factory of 1000 people with targets to qualify 55 threats per day? Outstanding productivity! But I know what to make of this:

    So, the short answer to the question of whether or not your Mac needs malware protection is "Yes". Or, at least, it will soon need malware protection if the Apple platform continues to grow as a lucrative target. Consider it a badge of honor in recognition of gaining enough market share for cyber criminals to care. That is why Panda Security is launching Panda Antivirus for Macintosh.


    Ahhh... So all the rest is in support of a sales call from our friendly silver bullet salesman. Well, of course :)

    Posted by iang at 05:15 AM | Comments (6) | TrackBack

    October 05, 2010

    Cryptographic Numerology - our number is up

    Chit-chat around the coffeerooms of crypto-plumbers is disturbed by NIST's campaign to have all the CAs switch up to 2048 bit roots:

    On 30/09/10 5:17 PM, Kevin W. Wall wrote:
    > Thor Lancelot Simon wrote:
    > See below, which includes a handy pointer to the Microsoft and Mozilla policy statements "requiring" CAs to cease signing anything shorter than 2048 bits.
    <...snip...>
    > These certificates (the end-site ones) have lifetimes of about 3 years maximum. Who here thinks 1280 bit keys will be factored by 2014? *Sigh*.
    No one that I know of (unless the NSA folks are hiding their quantum computers from us :). But you can blame this one on NIST, not Microsoft or Mozilla. They are pushing the CAs to make this happen and I think 2014 is one of the important cutoff dates, such as the date that the CAs have to stop issuing certs with 1024-bit keys.

    I can dig up the NIST URL once I get back to work, assuming anyone actually cares.


    The world of cryptology has always been plagued by numerology.

    Not so much in the tearooms of the pure mathematicians, but all other areas: programming, management, provisioning, etc. It is I think a desperation in the un-endowed to understand something, anything of the topic.

    E.g., I might have no clue how RSA works but I can understand that 2048 has to be twice as good as 1024, right? When I hear it is even better than twice, I'm overjoyed!

    This desperation to be able to talk about it is partly due to having to be part of the business (write some code, buy a cert, make a security decision, sell a product) and partly a sense of helplessness when faced with apparently expert and confident advice. It's not an unfounded fear; experts use their familiarity with the concepts to also peddle other things which are frequently bogus or hopeful or self-serving, so the ignorance leads to bad choices being made.

    Those that aren't in the know are powerless, and shown to be powerless.

    When something simple comes along and fills that void people grasp onto them and won't let go. Like numbers. As long as they can compare 1024 to 2048, they have a safety blanket that allows them to ignore all the other words. As long as I can do my due diligence as a manager (ensure that all my keys are 2048) I'm golden. I've done my part, prove me wrong! Now do your part!


    This is a very interesting problem [1]. Cryptographic numerology diverts attention from the difficult to the trivial. A similar effect happens with absolute security, which we might call "divine cryptography." Managers become obsessed with perfection in one thing, to the extent that they will ignore flaws in another thing. Also, standards, which we might call "beliefs cryptography" for their ability to construct a paper cathedral within which there is room for us all, and our flock, to pray safely inside.

    We know divinity doesn't exist, but people demand it. We know that religions war all the time, and those within a religion will discriminate against others, to the loss of us all. We know all this, but we don't; cognitive dissonance makes us so much happier, it should be a drug.


    It was into this desperate aching void that the seminal paper by Lenstra and Verheul stepped in to put a framework on the numbers [2]. On the surface, it solved the problem of cross-domain number comparison, e.g., 512 bit RSA compared to 256 bit AES, which had always confused the managers. And to be fair, this observation was a long time coming in the cryptographic world, too, which makes L&V's paper a milestone.

    Cryptographic Numerology's star has been on the ascent ever since that paper: As well as solving the cipher-public-key-hash numeric comparison trap, numerology is now graced with academic respectability.

    This made it irresistible to large institutions which are required to keep their facade of advice up. NIST like all the other agencies followed, but NIST has a couple of powerful forces on it. Firstly, NIST is slightly special, in ways that other agencies represented in keylength.com only wish to be special. NIST, as pushed by the NSA, is protecting primarily US government resources:

    This document has been developed by the National Institute of Standards and Technology (NIST) in furtherance of its statutory responsibilities under the Federal Information Security Management Act (FISMA) of 2002, Public Law 107-347. NIST is responsible for developing standards and guidelines, including minimum requirements, for providing adequate information security for all agency operations and assets, but such standards and guidelines shall not apply to national security systems.

    That's US not us. It's not even protecting USA industry. NIST is explicitly targetted by law to protect the various multitude of government agencies that make up the beast we know as the Government of the United States of America. That gives it unquestionable credibility.

    And, as has been noticed a few times, Mars is on the ascendancy: *Cyberwarfare* is the second special force. Whatever one thinks of the mess called cyberwarfare (equity disaster, stuxnet, cryptographic astrology, etc) we can probably agree, if anyone bad is thinking in terms of cracking 1024 bit keys, then they'll be likely another nation-state interested in taking aim against the USG agencies. c.f., stuxnet, which is emerging as a state v. state adventure. USG, or one of USG's opposing states, are probably the leading place on the planet that would face a serious 1024 bit threat if one were to emerge.

    Hence, NIST is plausibly right in imposing 2048-bit RSA keys into its security model. And they are not bad in the work they do, for their client [3]. Numerology and astrology are in alignment today, if your client is from Washington DC.

    However, real or fantastical, this is a threat model that simply doesn't apply to the rest of the world. The sad sad fact is that NIST's threat model belongs to them, to US, not to us. We all adopting the NIST security model is like a Taurus following the advice in the Aries section of today's paper. It's not right, however wise it sounds. And if applied without thought, it may reduce our security not improve it:


    Writes Thor:
    > At 1024 bits, it is not. But you are looking
    > at a factor of *9* increase in computational
    > cost when you go immediately to 2048 bits. At
    > that point, the bottleneck for many applications
    > shifts, particularly those ...
    > Also,...
    > ...and suddenly...
    >
    > This too will hinder the deployment of "SSL everywhere",...

    When US industry follows NIST, and when worldwide industry follows US industry, and when open source Internet follows industry, we have a classic text-book case of adopting someone else's threat, security and business models without knowing it.

    Keep in mind, our threat model doesn't include crunching 1024s. At all, any time, nobody's ever bothered to crunch 512 in anger, against the commercial or private world. So we're pretty darn safe at 1024. But our threat model does include

    *attacks on poor security user interfaces in online banking*

    That's a clear and present danger. And one of the key, silent, killer causes of that is the sheer rarity of HTTPS. If we can move the industry to "HTTPS everywhere" then we can make a significant different. To our security.

    On the other hand, we can shift to 2048, kill the move to "HTTPS everywhere", and save the US Government from losing sleep over the cyberwarfare it created for itself (c.f., the equity failure).

    And that's what's going to happen. Cryptographic Numerology is on a roll, NIST's dice are loaded, our number is up. We have breached the law of unintended consequences, and we are going to be reducing the security of the Internet because of it. Thanks, NIST! Thanks, Mozilla, thanks, Microsoft.



    [1] As well as this area, others have looked at how to make the bounty of cryptography more safely available to non-cognicenti. I especially push the aphorisms of Adi Shamir and Kerckhoffs. And, add my own meagre efforts in Hypotheses and Pareto-secure.

    [2] For detailed work and references on Lenstra & Verheul's paper, see http://www.keylength.com/ which includes calculators of many of the various efforts. It's a good paper. They can't be criticised for it in the terms in this post, it's the law of unintended consequences again.

    [3] Also, other work by NIST to standardise the PRNG (psuedo-random-number-generator) has to be applauded. The subtlety of what they have done is only becoming apparent after much argumentation: they've unravelled the unprovable entropy problem by unplugging it from the equation.

    But they've gone a step further than the earlier leading work by Ferguson and Schneier and the various quiet cryptoplumbers, by turning the PRNG into a deterministic algorithm. Indeed, we can now see something special: NIST has turned the PRNG into a reverse-cycle message digest. Entropy is now the MD's document, and the psuedo-randomness is the cryptographically-secure hash that spills out of the algorithm.

    Hey Presto! The PRNG is now the black box that provides the one-way expansion of the document. It's not the reverse-cycle air conditioning of the message digest that is exciting here, it's the fact that it is now a new class of algorithms. It can be specified, paramaterised, and most importantly for cryptographic algorithms, given test data to prove the coding is correct.

    (I use the term reverse-cycle in the sense of air-conditioning. I should also stress that this work took several generations to get to where it is today; including private efforts by many programmers to make sense of PRNGs and entropy by creating various application designs, and a couple of papers by Ferguson and Schneier. But it is the black-boxification by NIST that took the critical step that I'm lauding today.)

    Posted by iang at 10:55 AM | Comments (1) | TrackBack

    September 28, 2010

    Crypto-plumbers versus the Men in Black, round 16.

    Skype, RIM, and now CircleTech v. the governments. This battle has been going on for a while. Here's today's battle results:

    BIS [Czech counter-intelligence] officers first offered to Satanek that his firm would supply an encryption system with "a defect" to the market which would help the secret service find out the content of encrypted messages. "This is out of question. It is as if we were proclaiming we are selling bullet-proof vests that would actually not be bullet-proof," Satanek told MfD.

    This is why BIS offered a deal to the firm's owners. BIS wanted CircleTech to develop a programme to decipher the codes. It would only partially help the secret service since not even CircleTech is capable of developing a universal key to decipher all of its codes. Nevertheless, software companies are offering such partial services, and consequently it would not be a problem for CircleTech to meet the order, MfD notes.

    However, BIS officers said the firm need not register the money it would receive from BIS for the order, the paper writes. "You will have on opportunity to get an income that need not be subject to taxation," MfD cites the secret recording of a BIS officer at a meeting with the firm. Satanek rejected the offer and recorded the meetings with BIS.

    BIS then gave it up. However, two months ago it contacted Satanek again, MfD writes. "They told me that we are allegedly meeting suspicious persons who pose a security risk to the state. In such a case we may not pass security vetting of the National Security Office (NBU)," Satanek told MfD.

    Subversion, bribes, and threats, it's all in there! And, no wonder every hot new code jockey goes all starry-eyed at the thought of working on free, open encryption systems.

    Posted by iang at 07:55 AM | Comments (0) | TrackBack

    September 13, 2010

    threatwatch: 1st signs of attacks on certificates?

    An Adobe PDF is being circulated in spam that exploits bugs in Adobe's Reader and/or Windows. The PDF itself is code-signed by a stolen certificate:

    The attack, which has been spotted attached to e-mails touting renowned golf coach and author David Leadbetter, also includes a malicious file that's digitally signed with a valid signature from Missouri-based Vantage Credit Union.

    VeriSign has revoked the signature, but the already baked malware will still carry what appears to be a valid digital signature, Wisniewski said.

    Then, there's a hint of speculation that the expected users of the certificate will be fine. That is, people logging into the Vantage Credit Union will be facing a new certificate as soon as it is in place.

    No mention of what happens to the people who aren't doing that, and when they can expect their fix, sometimes known as revocation.

    [Wisniewski] compared the Reader zero-day exploit with the Stuxnet worm, which caused concern in July when it was discovered attacking industrial control systems at large manufacturing and utility companies. Symantec traced Stuxnet back to June 2009, with attacks likely beginning the following month, when hackers apparently stole digital certificate keys from a pair of Taiwanese software firms and then used them to sign two versions of the worm.

    "This makes two [attacks] that have used valid certificates," Wisniewski said. "I'm starting to wonder if [hackers] aren't using other malware that's specifically targeting certificates and their keys."

    One of the things that was very evident in the last decade as phishing rose up to challenge secure browsing, and now similar things like Money/Quicken "embedded" access over SSL, is this: why aren't more attacks simply stealing the certificates or buying them with bad intentions?

    We theorised that the ordinary downgrade to HTTP was the best alternative. Crooks being economic, that is. This may be the first public signs of a shift or broadening to attacking the certificate itself. There have been private signs of worry for the last year or so.

    Posted by iang at 07:37 PM | Comments (0) | TrackBack

    September 09, 2010

    Security Planning - who watches the watchers?

    I spotted this on a Git doco page:

    As the comments on miskan's page intimate, there is a logic there if one is desperate...

    Posted by iang at 02:08 AM | Comments (0) | TrackBack

    September 01, 2010

    profound misunderstandability in your employee's psyche

    Speaking of profound misunderstandings, this:

    BitDefender created a "test profile" of a nonexistent, 21-year-old woman described as a "fair-haired" and "very, very naïve interlocutor" -- basically a hot rube who was just trying to "figure out how this whole social networking thing worked" by asking a bunch of seemingly innocent, fact-finding questions.

    With the avatar created, the fictitious person then sent out 2,000 "friendship requests," relying on the bogus description and made-up interests as the presumptive lure. Of the 2,000 social networks pinged with a "friendship" request, a stunning 1,872 accepted the invitation. And the vast majority (81 percent) of them did it without asking any questions at all. Others asked a question or two, presumably like, "Who are you?" or "How do I know you?" before eventually adding this new "friend."

    ...

    But it gets worse. An astonishing 86 percent of those who accepted the bogus profile's "friendship" request identified themselves as working in the IT industry. Even worse, 31 percent said they worked in some capacity in IT security.

    Posted by iang at 09:46 PM | Comments (1) | TrackBack

    August 13, 2010

    Turning the Honeypot

    I'm reading a govt. security manual this weekend, because ... well, doesn't everyone?

    To give it some grounding, I'm building up a cross-reference against my work at the CA. I expected it to remain rather dry until the very end, but I've just tripped up on this Risk in the section on detecting incidents:

    2.5.7. An agency constructs a honeypot or honeynet to assist in capturing intrusion attempts, resulting in legal action being taken against the agency for breach of privacy.

    My-oh-my!

    Posted by iang at 08:06 PM | Comments (4) | TrackBack

    August 11, 2010

    Hacking the Apple, when where how... and whether we care why?

    One of the things that has been pretty much standard in infosec is that the risks earnt (costs incurred!) from owning a Mac have been dramatically lower. I do it, and save, and so do a lot of my peers & friends. I don't collect stats, but here's a comment from Dan Geer from 2005:

    Amongst the cognoscenti, you can see this: at security conferences of all sorts you’ll find perhaps 30% of the assembled laptops are Mac OS X, and of the remaining Intel boxes, perhaps 50% (or 35% overall) are Linux variants. In other words, while security conferences are bad places to use a password in the clear monoculture on the back of the envelope over a wireless channel, there is approximately zero chance of cascade failure amongst the participants.

    I recommend it on the blog front page as the number 1 security tip of all:

    #1 buy a mac.

    Why this is the case is of course a really interesting question. Is it because Macs are inherently more secure, in themselves? The answer seems to be No, not in themselves. We've seen enough evidence to suggest, at an anecdotal level, that when put into a fair fight, the Macs don't do any better than the competition. (Sometimes they do worse, and the competition ensures those results are broadcast widely :)

    However it is still the case that the while the security in the Macs aren't great, the result for the user is better -- the costs resulting from breaches, installs, virus slow-downs, etc, remain lower [1]. Which would imply the threats are lower, recalling the old mantra of:

    Business model ⇒ threat model ⇒ security model

    Now, why is the threat (model) lower? It isn't because the attackers are fans. They generally want money, and money is neutral.

    One theory that might explain it is the notion of monoculture.

    This idea was captured a while back by Dan Geer and friends in a paper that claimed that the notion of Microsoft's dominance threated the national security of the USA. It certainly threatened someone, as Dan lost his job the day the paper was released [2].

    In brief, monoculture argues that when one platform gains an ascendency to dominate the market, then we enter a situation of particular vulnerability to that platform. It becomes efficient for all economically-motivated attackers to concentrate their efforts on that one dominant platform and ignore the rest.

    In a sense, this is an application of the Religion v. Darwin argument to computer security. Darwin argued that diversity was good for the species as a whole, because singular threats would wipe out singular species. The monoculture critique can also be seen as analogous to Capitalism v. Communism, where the former advances through creative destruction, and the latter stagnates through despotic ignorance.

    A lot of us (including me) looked at the monoculture argument and thought it ... simplistic and hopeful. Yet, the idea hangs on ... so the question shifts for us slower skeptics to how to prove it [3]?

    Apple is quietly wrestling with a security conundrum. How the company handles it could dictate the pace at which cybercriminals accelerate attacks on iPhones and iPads.

    Apple is hustling to issue a patch for a milestone security flaw that makes it possible to remotely hack - or jailbreak - iOS, the operating system for iPhones, iPads and iPod Touch.

    Apple's new problem is perhaps early signs of good evidence that the theory is good. Here we have Apple struggling with hacks on its mobile platform (iPads, iPods, iPhones) and facing a threat which it seemingly hasn't faced on the Macs [4].

    The differentiating factor -- other than the tech stuff -- is that Apple is leading in the mobile market.

    IPhones, in particular, have become a pop culture icon in the U.S., and now the iPad has grabbed the spotlight. "The more popular these devices become, the more likely they are to get the attention of attackers," says Joshua Talbot, intelligence manager at Symantec Security Response.

    Not dominating like Microsoft used to enjoy, but presenting enough of a nose above the pulpit to get a shot taken. Meanwhile, Macs remain stubbornly stuck at a reported 5% of market share in the computer field, regardless of the security advice [5]. And nothing much happens to them.

    If market leadership continues to accrue to Apple in the iP* mobile sector, as the market expect it does, and if security woes continue as well, I'd count that as good evidence [6].


    [1] #1 security tip remains good: buy a Mac, not because of the security but because of the threats. Smart users don't care so much why, they just want to benefit this year, this decade, while they can.

    [2] Perhaps because Dan lost his job, he gets fuller attention. The full cite would be like: Daniel Geer, Rebecca Bace, Peter Gutmann, Perry Metzger, Charles P. Pfleeger, John S. Quarterman, Bruce Schneier, "CyberInsecurity: The Cost of Monopoly How the Dominance of Microsoft's Products Poses a Risk to Security." Preserved by the inestimable cryptome.org, a forerunner of the now infamous wikileaks.org.

    [3] Proof in the sense of scientific method is not possible, because we can't run the experiment. This is economics, not science, we can't run the experiment like real scientists. What we have to do is perhaps psuedo-scientific-method; we predict, we wait, and we observe.

    [4] On the other hand, maybe the party is about to end for Macs. News just in:

    Security vendor M86 Security says it's discovered that a U.K.-based bank has suffered almost $900,000 (675,000 Euros) in fraudulent bank-funds transfers due to the ZeuS Trojan malware that has been targeting the institution.

    Bradley Anstis, vice president of technology strategy at M86 Security, said the security firm uncovered the situation in late July while tracking how one ZeuS botnet had been specifically going after the U.K.-based bank and its customers. The botnet included a few hundred thousand PCs and even about 3,000 Apple Macs, and managed to steal funds from about 3,000 customer accounts through unauthorized transfers equivalent to roughly $892,755.

    Ouch!

    [4] I don't believe the 5% market share claim ... I harbour a suspicion that this is some very cunning PR trick in under-reporting by Apple, so as to fly below the radar. If so, I think it's well past its sell-by date since Apple reached the same market cap as Microsoft...

    [5] What is curious is that I'll bet most of Wall Street, and practically all of government, notwithstanding the "national security" argument, continue to keep clear of Macs. For those of us who know the trick, this is good. It is good for our security nation if the governments do not invest in Macs, and keep the monoculture effect positive. Perverse, but who am I to argue with the wisdom in cyber-security circles?

    Posted by iang at 09:30 AM | Comments (1) | TrackBack

    August 01, 2010

    memes in infosec I - Eve and Mallory are missing, presumed dead

    Things I've seen that are encouraging. Bruce Schneier in Q&A:

    Q: We've also seen Secure Sockets Layer (SSL) come under attack, and some experts are saying it is useless. Do you agree?

    A: I'm not convinced that SSL has a problem. After all, you don't have to use it. If I log-on to Amazon without SSL the company will still take my money. The problem SSL solves is the man-in-the-middle attack with someone eavesdropping on the line. But I'm not convinced that's the most serious problem. If someone wants your financial data they'll hack the server holding it, rather than deal with SSL.

    Right. The essence is that SSL solves the "easy" part of the problem, and leaves open the biggest part. Before the proponents of SSL say, "not our problem," remember that AADS did solve it, as did SOX and a whole bunch of other things. It's called end-to-end, and is well known as being the only worthwhile security. Indeed, I'd say it was simply responsible engineering, except for the fact that it isn't widely practiced.

    OK, so this is old news, from around March, but it is worth declaring sanity:

    Q: But doesn't SSL give consumers confidence to shop online, and thus spur e-commerce?

    A: Well up to a point, but if you wanted to give consumers confidence you could just put a big red button on the site saying 'You're safe'. SSL doesn't matter. It's all in the database. We've got the threat the wrong way round. It's not someone eavesdropping on Eve that's the problem, it's someone hacking Eve's endpoint.

    Which is to say, if you are going to do anything to fix the problem, you have to look at the end-points. The only time you should look at the protocol, and the certificates, is how well they are protecting the end-points. Meanwhile, the SSL field continues to be one for security researchers to make headlines over. It's BlackHat time again:

    "The point is that SSL just doesn't do what people think it does," says Hansen, an security researcher with SecTheory who often goes by the name RSnake. Hansen split his dumptruck of Web-browsing bugs into three categories of severity: About half are low-level threats, 10 or so are medium, and two are critical. One example...

    Many observers in the security world have known this for a while, and everyone else has felt increasingly frustrated and despondent about the promise:

    There has been speculation that an organization with sufficient power would be able to get a valid certificate from one of the 170+ certificate authorities (CAs) that are installed by default in the typical browser and could then avoid this alert ....

    But how many CAs does the average Internet user actually need? Fourteen! Let me explain. For the past two weeks I have been using Firefox on Windows with a reduced set of CAs. I disabled ALL of them in the browser and re-enabled them one by one as necessary during my normal usage....


    On the one hand, SSL is the brand of security. On the other hand, it isn't the delivery of security; it simply isn't deployed in secure browsing to provide the user security that was advertised: you are on the site you think you are on. Only as we moved from a benign world to a fraud world, around 2003-2005, this has this been shown to matter. Bruce goes on:

    Q: So is encryption the wrong approach to take?

    A: This kind of issue isn't an authentication problem, it's a data problem. People are recognising this now, and seeing that encryption may not be the answer. We took a World War II mindset to the internet and it doesn't work that well. We thought encryption would be the answer, but it wasn't. It doesn't solve the problem of someone looking over your shoulder to steal your data.

    Indeed. Note that comment about the World War II mindset. It is the case that the entire 1990s generation of security engineers were taught from the military text book. The military assumes its nodes -- its soldiers, its computers -- are safe. And, it so happens, that when armies fight armies, they do real-life active MITMs against each other to gain local advantage. There are cases of this happening, and oddly enough, they'll even do it to civilians if they think they can (ask Greenpeace). And the economics is sane, sensible stuff, if we bothered to think about it: in war, the wire is the threat, the nodes are safe.

    However, adopting "the wire" as the weakness and Mallory as the Man-In-The-Middle, and Eve as the Eavesdropper as "the threat" in the Internet was a mistake. Even in the early 1990s, we knew that the node was the problem. Firstly, ever since the PC, nodes in commercial computing are controlled by (dumb) users not professional (soldiers). Who download shit from the net, not operate trusted military assets. Secondly, observation of known threats told us where the problems lay: floppy viruses were very popular, and phone-line attacks were about spoofing and gaining entry to an end-point. Nobody was bothering with "the wire," nobody was talking about snooping and spying and listening [*].

    The military model was the precise reverse of the Internet's reality.

    To conclude. There is no doubt about this in security circles: the SSL threat model was all wrong, and consequently the product was deployed badly.

    Where the doubt lies is how long it will take the software providers to realise that their world is upside down? It can probably only happen when everyone with credibility stands up and says it is so. For this, the posts shown here are very welcome. Let's hear more!


    [*] This is not entirely true. There is one celebrated case of an epidemic of eavesdropping over ethernets, which was passwords being exchanged over telnet and rsh connections. A case-study in appropriate use of security models follows...

    PS: Memes II - War! Infosec is WAR!

    Posted by iang at 04:33 PM | Comments (3) | TrackBack

    March 24, 2010

    Why the browsers must change their old SSL security (?) model

    In a paper Certified Lies: Detecting and Defeating Government Interception Attacks Against SSL_, by Christopher Soghoian and Sid Stammby, there is a reasonably good layout of the problem that browsers face in delivering their "one-model-suits-all" security model. It is more or less what we've understood all these years, in that by accepting an entire root list of 100s of CAs, there is no barrier to any one of them going a little rogue.

    Of course, it is easy to raise the hypothetical of the rogue CA, and even to show compelling evidence of business models (they cover much the same claims with a CA that also works in the lawful intercept business that was covered here in FC many years ago). Beyond theoretical or probable evidence, it seems the authors have stumbled on some evidence that it is happening:

    The company’s CEO, Victor Oppelman confirmed, in a conversation with the author at the company’s booth, the claims made in their marketing materials: That government customers have compelled CAs into issuing certificates for use in surveillance operations. While Mr Oppelman would not reveal which governments have purchased the 5-series device, he did confirm that it has been sold both domestically and to foreign customers.

    (my emphasis.) This has been a lurking problem underlying all CAs since the beginning. The flip side of the trusted-third-party concept ("TTP") is the centralised-vulnerability-party or "CVP". That is, you may have been told you "trust" your TTP, but in reality, you are totally vulnerable to it. E.g., from the famous Blackberry "official spyware" case:

    Nevertheless, hundreds of millions of people around the world, most of whom have never heard of Etisalat, unknowingly depend upon a company that has intentionally delivered spyware to its own paying customers, to protect their own communications security.

    Which becomes worse when the browsers insist, not without good reason, that the root list is hidden from the consumer. The problem that occurs here is that the compelled CA problem multiplies to the square of the number of roots: if a CA in (say) Ecuador is compelled to deliver a rogue cert, then that can be used against a CA in Korea, and indeed all the other CAs. A brief examination of the ways in which CAs work, and browsers interact with CAs, leads one to the unfortunate conclusion that nobody in the CAs, and nobody in the browsers, can do a darn thing about it.

    So it then falls to a question of statistics: at what point do we believe that there are so many CAs in there, that the chance of getting away with a little interception is too enticing? Square law says that the chances are say 100 CAs squared, or 10,000 times the chance of any one intercept. As we've reached that number, this indicates that the temptation to resist intercept is good for all except 0.01% of circumstances. OK, pretty scratchy maths, but it does indicate that the temptation is a small but not infinitesimal number. A risk exists, in words, and in numbers.

    One CA can hide amongst the crowd, but there is a little bit of a fix to open up that crowd. This fix is to simply show the user the CA brand, to put faces on the crowd. Think of the above, and while it doesn't solve the underlying weakness of the CVP, it does mean that the mathematics of squared vulnerability collapses. Once a user sees their CA has changed, or has a chance of seeing it, hiding amongst the crowd of CAs is no longer as easy.

    Why then do browsers resist this fix? There is one good reason, which is that consumers really don't care and don't want to care. In more particular terms, they do not want to be bothered by security models, and the security displays in the past have never worked out. Gerv puts it this way in comments:

    Security UI comes at a cost - a cost in complexity of UI and of message, and in potential user confusion. We should only present users with UI which enables them to make meaningful decisions based on information they have.

    They love Skype, which gives them everything they need without asking them anything. Which therefore should be reasonable enough motive to follow those lessons, but the context is different. Skype is in the chat & voice market, and the security model it has chosen is well-excessive to needs there. Browsing on the other hand is in the credit-card shopping and Internet online banking market, and the security model imposed by the mid 1990s evolution of uncontrollable forces has now broken before the onslaught of phishing & friends.

    In other words, for browsing, the writing is on the wall. Why then don't they move? In a perceptive footnote, the authors also ponder this conundrum:

    3. The browser vendors wield considerable theoretical power over each CA. Any CA no longer trusted by the major browsers will have an impossible time attracting or retaining clients, as visitors to those clients’ websites will be greeted by a scary browser warning each time they attempt to establish a secure connection. Nevertheless, the browser vendors appear loathe to actually drop CAs that engage in inappropriate be- havior — a rather lengthy list of bad CA practices that have not resulted in the CAs being dropped by one browser vendor can be seen in [6].

    I have observed this for a long time now, predicting phishing until it became the flood of fraud. The answer is, to my mind, a complicated one which I can only paraphrase.

    For Mozilla, the reason is simple lack of security capability at the *architectural* and *governance* levels. Indeed, it should be noticed that this lack of capability is their policy, as they deliberately and explicitly outsource big security questions to others (known as the "standards groups" such as IETF's RFC committees). As they have little of the capability, they aren't in a good position to use the power, no matter whether they would want to or not. So, it only needs a mildly argumentative approach on the behalf of the others, and Mozilla is restrained from its apparent power.

    What then of Microsoft? Well, they certainly have the capability, but they have other fish to fry. They aren't fussed about the power because it doesn't bring them anything of use to them. As a corporation, they are strictly interested in shareholders' profits (by law and by custom), and as nobody can show them a bottom line improvement from CA & cert business, no interest is generated. And without that interest, it is practically impossible to get the various many groups within Microsoft to move.

    Unlike Mozilla, my view of Microsoft is much more "external", based on many observations that have never been confirmed internally. However it seems to fit; all of their security work has been directed to market interests. Hence for example their work in identity & authentication (.net, infocard, etc) was all directed at creating the platform for capturing the future market.

    What is odd is that all CAs agree that they want their logo on their browser real estate. Big and small. So one would think that there was a unified approach to this, and it would eventually win the day; the browser wins for advancing security, the CAs win because their brand investments now make sense. The consumer wins for both reasons. Indeed, early recommendations from the CABForum, a closed group of CAs and browsers, had these fixes in there.

    But these ideas keep running up against resistance, and none of the resistance makes any sense. And that is probably the best way to think of it: the browsers don't have a logical model for where to go for security, so anything leaps the bar when the level is set to zero.

    Which all leads to a new group of people trying to solve the problem. The authors present their model as this:

    The Firefox browser already retains history data for all visited websites. We have simply modified the browser to cause it to retain slightly more information. Thus, for each new SSL protected website that the user visits, a Certlock enabled browser also caches the following additional certificate information:
    A hash of the certificate.
    The country of the issuing CA.
    The name of the CA.
    The country of the website.
    The name of the website.
    The entire chain of trust up to the root CA.

    When a user re-visits a SSL protected website, Certlock first calculates the hash of the site’s certificate and compares it to the stored hash from previous visits. If it hasn’t changed, the page is loaded without warning. If the certificate has changed, the CAs that issued the old and new certificates are compared. If the CAs are the same, or from the same country, the page is loaded without any warning. If, on the other hand, the CAs’ countries differ, then the user will see a warning (See Figure 3).

    This isn't new. The authors credit recent work, but no further back than a year or two. Which I find sad because the important work done by TrustBar and Petnames is pretty much forgotten.

    But it is encouraging that the security models are battling it out, because it gets people thinking, and challenging their assumptions. Only actual produced code, and garnered market share is likely to change the security benefits of the users. So while we can criticise the country approach (it assumes a sort of magical touch of law within the countries concerned that is already assumed not to exist, by dint of us being here in the first place), the country "proxy" is much better than nothing, and it gets us closer to the real information: the CA.

    From a market for security pov, it is an interesting period. The first attempts around 2004-2006 in this area failed. This time, the resurgence seems to have a little more steam, and possibly now is a better time. In 2004-2006 the threat was seen as more or less theoretical by the hoi polloi. Now however we've got governments interested, consumers sick of it, and the entire military-industrial complex obsessed with it (both in participating and fighting). So perhaps the newcomers can ride this wave of FUD in, where previous attempts drowned far from the shore.

    Posted by iang at 07:52 PM | Comments (1) | TrackBack

    December 05, 2009

    Phishing numbers

    From a couple of sources posted by Lynn:

    • A single run only hits 0.0005 percent of users,
    • 1% of customers will follow the phishing links.
    • 0.5% of customers fall for phishing schemes and compromise their online banking information.
    • the monetary losses could range between $2.4 million and $9.4 million annually per one million online banking clients
    • in average ... approximately 832 a year ... reached users' inboxes.
    • costs estimated at up to $9.4 million per year per million users.
    • based on data colleded from "3 million e-banking users who are customers of 10 sizeable U.S. and European banks."

    The primary source was a survey run by an anti-phishing software vendor, so caveats apply. Still interesting!

    For more meat on the bigger picture, see this article: Ending the PCI Blame Game. Which reads like a compressed version of this blog! Perhaps, finally, the thing that is staring the financial operators in the face has started to hit home, and they are really ready to sound the alarm.

    Posted by iang at 06:35 PM | Comments (1) | TrackBack

    November 26, 2009

    Breaches not as disclosed as much as we had hoped

    One of the brief positive spots in the last decade was the California bill to make breaches of data disclosed to effected customers. It took a while, but in 2005 the flood gates opened. Now reports the FBI:

    "Of the thousands of cases that we've investigated, the public knows about a handful," said Shawn Henry, assistant director for the Federal Bureau of Investigation's Cyber Division. "There are million-dollar cases that nobody knows about."

    That seems to point at a super-iceberg. To some extent this is expected, because companies will search out new methods to bypass the intent of the disclosure laws. And also there is the underlying economics. As has been pointed out by many (or perhaps not many but at least me) the reputation damage probably dwarfs the actual or measurable direct losses to the company and its customers.

    Companies that are victims of cybercrime are reluctant to come forward out of fear the publicity will hurt their reputations, scare away customers and hurt profits. Sometimes they don't report the crimes to the FBI at all. In other cases they wait so long that it is tough to track down evidence.

    So, avoidance of disclosure is the strategy for all properly managed companies, because they are required to manage the assets of their shareholders to the best interests of the shareholders. If you want a more dedicated treatment leading to this conclusion, have a look at "the market for silver bullets" paper.

    Meanwhile, the FBI reports that the big companies have improved their security somewhat, so the attackers direct at smaller companies. And:

    They also target corporate executives and other wealthy public figures who it is relatively easy to pursue using public records. The FBI pursues such cases, though they are rarely made public.

    Huh. And this outstanding coordinated attack:

    A similar approach was used in a scheme that defrauded the Royal Bank of Scotland's (RBS.L: Quote, Profile, Research, Stock Buzz) RBS WorldPay of more than $9 million. A group, which included people from Estonia, Russia and Moldova, has been indicted for compromising the data encryption used by RBS WorldPay, one of the leading payment processing businesses globally.

    The ring was accused of hacking data for payroll debit cards, which enable employees to withdraw their salaries from automated teller machines. More than $9 million was withdrawn in less than 12 hours from more than 2,100 ATMs around the world, the Justice Department has said.

    2,100 ATMs! worldwide! That leaves that USA gang looking somewhat kindergarten, with only 50 ATMs cities. No doubt about it, we're now talking serious networked crime, and I'm not referring to the Internet but the network of collaborating, economic agents.

    Compromising the data encryption, even. Anyone know the specs? These are important numbers. Did I miss this story, or does it prove the FBI's point?

    Posted by iang at 01:23 PM | Comments (0) | TrackBack

    October 01, 2009

    Man-in-the-Browser goes to court

    Stephen Mason reports that MITB is in court:

    A gang of internet fraudsters used a sophisticated virus to con members of the public into parting with their banking details and stealing £600,000, a court heard today.

    Once the 'malicious software' had infected their computers, it waited until users logged on to their accounts, checked there was enough money in them and then insinuated itself into cash transfer procedures.

    (also on El Reg.) This breaches the 2-factor authentication system commonly in use because it (a) controls the user's PC, and (b) the authentication scheme that was commonly pushed out over the last decade or so only authenticates the user, not the transaction. So as the trojan now controls the PC, it is the user. And the real user happily authenticates itself, and the trojan, and the trojan's transactions, and even lies about it!

    Numbers, more than ordinarily reliable because they have been heard in court:

    'In fact as a result of this Trojan virus fraud very many people - 138 customers - were affected in this way with some £600,000 being fraudulently transferred.

    'Some of that money, £140,000, was recouped by NatWest after they became aware of this scam.'

    This is called Man-in-the-browser, which is a subtle reference to the SSL's vaunted protection against Man-in-the-middle. Unfortunately several things went wrong in this area of security: Adi's 3rd law of security says the attacker always bypasses; one of my unnumbered aphorisms has it that the node is always the threat, never the wire, and finally, the extraordinary success of SSL in the mindspace war blocked any attempts to fix the essential problems. SSL is so secure that nobody dare challenge browser security.

    The MITB was first reported in March 2006 and sent a wave of fear through the leading European banks. If customers lost trust in the online banking, this would turn their support / branch employment numbers on their heads. So they rapidly (for banks) developed a counter-attack by moving their confirmation process over to the SMS channel of users' phones. The Man-in-the-browser cannot leap across that air-gap, and the MITB is more or less defeated.

    European banks tend to be proactive when it comes to security, and hence their losses are miniscule. Reported recently was something like €400k for a smaller country (7 million?) for an entire year for all banks. This one case in the UK is double that, reflecting that British banks and USA banks are reactive to security. Although they knew about it, they ignored it.

    This could be called the "prove-it" school of security, and it has merit. As we saw with SSL, there never really was much of a threat on the wire; and when it came to the node, we were pretty much defenceless (although a lot of that comes down to one factor: Microsoft Windows). So when faced with FUD from the crypto / security industry, it is very very hard to separate real dangers from made up ones. I felt it was serious; others thought I was spreading FUD! Hence Philipp Güring's paper Concepts against Man-in-the-Browser Attacks, and the episode formed fascinating evidence for the market for silver bullets. The concept is now proven right in practice, but it didn't turn out how we predicted.

    What is also interesting is that we now have a good cycle timeline: March 2006 is when the threat first crossed our radars. September 2009 it is in the British courts.

    Postscript. More numbers from today's MITB:

    A next-generation Trojan recently discovered pilfering online bank accounts around the world kicks it up a notch by avoiding any behavior that would trigger a fraud alert and forging the victim's bank statement to cover its tracks.

    The so-called URLZone Trojan doesn't just dupe users into giving up their online banking credentials like most banking Trojans do: Instead, it calls back to its command and control server for specific instructions on exactly how much to steal from the victim's bank account without raising any suspicion, and to which money mule account to send it the money. Then it forges the victim's on-screen bank statements so the person and bank don't see the unauthorized transaction.

    Researchers from Finjan found the sophisticated attack, in which the cybercriminals stole around 200,000 euro per day during a period of 22 days in August from several online European bank customers, many of whom were based in Germany....

    "The Trojan was smart enough to be able to look at the [victim's] bank balance," says Yuval Ben-Itzhak, CTO of Finjan... Finjan found the attackers had lured about 90,000 potential victims to their sites, and successfully infected about 6,400 of them. ...URLZone ensures the transactions are subtle: "The balance must be positive, and they set a minimum and maximum amount" based on the victim's balance, Ben-Itzhak says. That ensures the bank's anti-fraud system doesn't trigger an alert, he says.

    And the malware is making the decisions -- and alterations to the bank statement -- in real time, he says. In one case, the attackers stole 8,576 euro, but the Trojan forged a screen that showed the transferred amount as 53.94 euro. The only way the victim would discover the discrepancy is if he logged into his account from an uninfected machine.

    Posted by iang at 09:26 AM | Comments (1) | TrackBack

    September 14, 2009

    OSS on how to run a business

    After a rather disastrous meeting a few days ago, I finally found the time to load up:

    OSS's Simple Sabotage Field Manual

    The Office of Strategic Services was the USA dirty tricks brigade of WWII, which later became the CIA. Their field manual was declassified and published, and, lo and behold, it includes some mighty fine advice. This manual was noticed to the world by the guy who presented the story of the CIA's "open intel" wiki, he thought it relevant I guess.

    Sections 11, 12 are most important to us, the rest concentrating on the physical spectrum of blowing up stuff. Onwards:

    (11) General Interference with Organizations and Production


    (a) Organizations and Conferences

    (1) Insist on doing everything through "channels." Never permit short-cuts to be taken in order to, expedite decisions.

    (2) Make "speeches." Talk as frequently as possible and at great length. Illustrate your "points" by long anecdotes and accounts of personal experiences. Never hesitate to make a few appropriate "patriotic" comments.

    (3) When possible, refer all matters to committees, for "further study and consideration." Attempt to make the committees as large as possible - never less than five.

    (4) Bring up irrelevant issues as frequently as possible.

    (5) Haggle over precise wordings of communications, minutes, resolutions.

    (6) Refer back to matters decided upon at the last meeting and attempt to reopen the question of the advisability of that decision.

    (7) Advocate "caution." Be "reasonable" and urge your fellow-conferees to be "reasonable" and avoid haste which might result in embarrassments or difficulties later on.


    (8) Be worried about the propriety of any decision -raise the question of whether such action as is contemplated lies within the jurisdiction of the group or whether it might conflict with the policy of some higher echelon.


    Read the full sections 11,12 and for reference, also the entire manual. As some have suggested, it reads like a modern management manual, perhaps proving that people don't change over time!

    Posted by iang at 09:42 PM | Comments (1) | TrackBack

    September 10, 2009

    Hide & seek in the terrorist battle

    Court cases often give us glimpses of security issues. A court in Britain has just convicted three from the liquid explosives gang, and now that it is over, there are press reports of the evidence. It looks now like the intelligence services achieved one of two possible victories by stopping the plot. Wired reports that NSA intercepts of emails have been entered in as evidence.

    According to Channel 4, the NSA had previously shown the e-mails to their British counterparts, but refused to let prosecutors use the evidence in the first trial, because the agency didn’t want to tip off an alleged accomplice in Pakistan named Rashid Rauf that his e-mail was being monitored. U.S. intelligence agents said Rauf was al Qaeda’s director of European operations at the time and that the bomb plot was being directed by Rauf and others in Pakistan.

    The NSA later changed its mind and allowed the evidence to be introduced in the second trial, which was crucial to getting the jury conviction. Channel 4 suggests the NSA’s change of mind occurred after Rauf, a Briton born of Pakistani parents, was reportedly killed last year by a U.S. drone missile that struck a house where he was staying in northern Pakistan.

    Although British prosecutors were eager to use the e-mails in their second trial against the three plotters, British courts prohibit the use of evidence obtained through interception. So last January, a U.S. court issued warrants directly to Yahoo to hand over the same correspondence.

    So there are some barriers between intercept and use in trial. The reason they came from the NSA is probably that old trick of avoiding prohibitions on domestic surveillance: if the trial had been in the USA, GCHQ might have provided the intercepts.

    What however was more interesting is the content of the alleged messages. This BBC article includes 7 of them, here's one:

    4 July 2006: Abdulla Ahmed Ali to Pakistan Accused plotter Abdulla Ahmed Ali

    Listen dude, when is your mate gonna bring the projectors and the taxis to me? I got all my bits and bobs. Tell your mate to make sure the projectors and taxis are fully ready and proper I don't want my presentation messing up.

    WHAT PROSECUTORS SAID IT MEANT Prosecutors said that projectors and taxis were code for knowledge and equipment because Ahmed Ali still needed some guidance. The word "presentation" could mean attack.

    The others also have interesting use of code words, such as Calvin Klein aftershave for hydrogen peroxide (hair bleach). The use of such codes (as opposed to ciphers) is not new; historically they were well known. Code words tend not to be used now because ciphers cover more of the problem space, and once you know something of the activity, the listener can guess at the meanings.

    In theory at least, and code words clearly didn't work to protect the liquid bombers. Worse for them, it probably made their conviction easier, because Muslims discussing the purchase of 4 litres of aftershave with other Mulsims in Pakistan seems very odd.

    One remaining question was whether the plot would actually work. We all know that the airlines banned liquids because of this event. Many amateurs have opined that it is simply too hard to do liquid explosives. However, the BBC employed an expert to try it, and using what amounts to between half a litre to a liter of finished product, they got this result:

    Certainly a dramatic explosion, enough to kill people within a few metres, and enough to blow a 2m hole in the fuselage. (The BBC video is only a minute long, well worth watching.)

    Would this have brought down the aircraft? Not necessarily as there are many examples of airlines with such damage that have survived. Perhaps if the bomb was in a strategic spot (over wing? or near the fuel lines?) or the aircraft was stuck over the Atlantic with no easy vector. Either way, a bad day to fly, and as the explosives guy said, pity the passengers that didn't have their seat belt on.

    Score one for the intel agencies. But the terrorists still achieved their second victory out of two: passengers are still terrorised in their millions when they forget to dispose of their innocent drinking water. What is somewhat of a surprise is that the terrorists have not as yet seized on the disruptive path that is clearly available, a la John Robb. I read somewhere that it only takes a 7% "security tax" on a city to destroy it over time, and we already know that the airport security tax has to be in that ballpark.

    the state of the CAPTCHA nation:

    The biggest flaw with all CAPTCHA systems is that they are, by definition, susceptible to attack by humans who are paid to solve them. Teams of people based in developing countries can be hired online for $3 per 1,000 CAPTCHAs solved. Several forums exist both to offer such services and parcel out jobs. But not all attackers are willing to pay even this small sum; whether it is worth doing so depends on how much revenue their activities bring in. “If the benefit a spammer is getting from obtaining an e-mail account is less than $3 per 1,000, then CAPTCHA is doing a perfect job,” says Dr von Ahn.

    And here, outside our normal programme, is news from RAH that people pay for the privilege of being a suicide bomber:

    A second analysis with Palantir uncovered more details of the Syrian networks, including profiles of their top coordinators, which led analysts to conclude there wasn't one Syrian network, but many. Analysts identified key facilitators, how much they charged people who wanted to become suicide bombers, and where many of the fighters came from. Fighters from Saudi Arabia, for example, paid the most -- $1,088 -- for the opportunity to become suicide bombers.

    It's important to examine security models remote to our own, because it it gives us neutral lessons on how the economics effects the result. An odd comparison there, that number $1088 is about the value required to acquire a good-but-false set of identity documents.

    Posted by iang at 09:25 AM | Comments (2) | TrackBack

    July 15, 2009

    trouble in PKI land

    The CA and PKI business is busy this week. CAcert, a community Certification Authority, has a special general meeting to resolve the trauma of the collapse of their audit process. Depending on who you ask, my resignation as auditor was either the symptom or the cause.

    In my opinion, the process wasn't working, so now I'm switching to the other side of the tracks. I'll work to get the audit done from the inside. Whether it will be faster or easier this way is difficult to say, we only get to run the experiment once.

    Meanwhile, Mike Zusman and Alex Sotirov are claiming to have breached the EV green bar thing used by some higher end websites. No details available yet, it's the normal tease before a BlabHat style presentation by academics. Rumour has it that they've exploited weaknesses in the browsers. Some details emerging:

    With control of the DNS for the access point, the attackers can establish their machines as men-in-the-middle, monitoring what victims logged into the access point are up to. They can let victims connect to EV SSL sites - turning the address bars green. Subsequently, they can redirect the connection to a DV SSL sessions under a certificates they have gotten illicitly, but the browser will still show the green bar.

    Ah that old chestnut: if you slice your site down the middle and do security on the left and no or lesser security on the right, guess where the attacker comes in? Not the left or the right, but up the middle, between the two. He exploits the gap. Which is why elsewhere, we say "there is only one mode and it is secure."

    Aside from that, this is an interesting data point. It might be considered that this is proof that the process is working (following the GP theory), or it might be proof that the process is broken (following the sleeping-dogs-lie model of security).

    Although EV represents a good documentation of what the USA/Canada region (not Europe) would subscribe as "best practices," it fails in some disappointing ways. And in some ways it has made matters worse. Here's one: because the closed proprietary group CA/B Forum didn't really agree to fix the real problems, those real problems are still there. As Extended Validation has held itself up as a sort of gold standard, this means that attackers now have something fun to focus on. We all knew that SSL was sort of facade-ware in the real security game, and didn't bother to mention it. But now that the bigger CAs have bought into the marketing campaign, they'll get a steady stream of attention from academics and press.

    I would guess less so from real attackers, because there are easier pickings elsewhere, but maybe I'm wrong:

    "From May to June 2009 the total number of fraudulent website URLs using VeriSign SSL certificates represented 26% of all SSL certificate attacks, while the previous six months presented only a single occurrence," Raza wrote on the Symantec Security blogs.

    ... MarkMonitor found more than 7,300 domains exploited four top U.S. and international bank brands with 16% of them registered since September 2008.
    .... But in the latest spate of phishing attempts, the SSL certificates were legitimate because "they matched the URL of the fake pages that were mimicking the target brands," Raza wrote.

    VeriSign Inc., which sells SSL certificates, points out that SSL certificate fraud currently represents a tiny percentage of overall phishing attacks. Only two domains, and two VeriSign certificates were compromised in the attacks identified by Symantec, which targeted seven different brands.

    "This activity falls well within the normal variability you would see on a very infrequent occurrence," said Tim Callan, a product marketing executive for VeriSign's SSL business unit. "If these were the results of a coin flip, with heads yielding 1 and tails yielding 0, we wouldn't be surprised to see this sequence at all, and certainly wouldn't conclude that there's any upward trend towards heads coming up on the coin."

    Well, we hope that nobody's head is flipped in an unsurprising fashion....

    It remains to be seen whether this makes any difference. I must admit, I check the green bar on my browser when online-banking, but annoyingly it makes me click to see who signed it. For real users, Firefox says that it is the website, and this is wrong and annoying, but Mozilla has not shown itself adept at understanding the legal and business side of security. I've heard Safari has been fixed up so probably time to try that again and report sometime.

    Then, over to Germany, where a snafu with a HSM ("high security module") caused a root key to be lost (also in German). Over in the crypto lists, there are PKI opponents pointing out how this means it doesn't work, and there are PKI proponents pointing out how they should have employed better consultants. Both sides are right of course, so what to conclude?

    Test runs with Germany's first-generation electronic health cards and doctors' "health professional cards" have suffered a serious setback. After the failure of a hardware security module (HSM) holding the private keys for the root Certificate Authority (root CA) for the first-generation cards, it emerged that the data had not been backed up. Consequently, if additional new cards are required for field testing, all of the cards previously produced for the tests will have to be replaced, because a new root CA will have to be generated. ... Besides its use in authentication, the root CA is also important for card withdrawal (the revocation service).

    The first thing to realise was that this was a test rollout and not the real thing. So the test discovered a major weakness; in that sense it is successful, albeit highly embarrassing because it reached the press.

    The second thing is the HSM issue. As we know, PKI is constructed as a hierarchy, or a tree. At the root of the tree is the root key of course. If this breaks, everything else collapses.

    Hence there is a terrible fear of the root breaking. This feeds into the wishes of suppliers of high security modules, who make hardware that protect the root from being stolen. But, in this case, the HSM broke, and there was no backup. So a protection for one fear -- theft -- resulted in a vulnerability to another fear -- data loss.

    A moment's thought and we realise that the HSM has to have a backup. Which has to be at least as good as the HSM. Which means we then have some rather cute conundrums, based on the Alice in Wonderland concept of having one single root except we need multiple single roots... In practice, how do we create the root inside the HSM (for security protection) and get it to another HSM (for recovery protection)?

    Serious engineers and architects will be reaching for one word: BRITTLE! And so it is. Yes, it is possible to do this, but only by breaking the hierarchical principle of PKI itself. It is hard to break fundamental principles, and the result is that PKI will always be brittle, the implementations will always have contradictions that are swept under the carpet by the managers, auditors and salesmen. The PKI design is simply not real world engineering, and the only thing that keeps it going is the institutional deadly embrace of governments, standards committees, developers and security companies.

    Not the market demand. But, not all has been bad in the PKI world. Actually, since the bottoming out of the dotcom collapse, certs have been on the uptake, and market demand is present albeit not anything beyond compliance-driven. Here comes a minor item of success:

    VeriSign, Inc. [SNIP] today reported it has topped the 1 billion mark for daily Online Certificate Status Protocol (OCSP) checks.

    [SNIP] A key link in the online security chain, OCSP offers the most timely and efficient way for Web browsers to determine whether a Secure Sockets Layer (SSL) or user certificate is still valid or has been revoked. Generally, when a browser initiates an SSL session, OCSP servers receive a query to check to see if the certificate in use is valid. Likewise, when a user initiates actions such as smartcard logon, VPN access or Web authentication, OCSP servers check the validity of the user certificate that is presented. OSCP servers are operated by Certificate Authorities, and VeriSign is the world's leading Certificate Authority.

    [SNIP] VeriSign is the EV SSL Certificate provider of choice for more than 10,000 Internet domain names, representing 74 percent of the entire EV SSL Certificate market worldwide.

    (In the above, I've snipped the self-serving marketing and one blatant misrepresentation.)

    Certificates are static statements. They can be revoked, but the old design of downloading complete lists of all revocations was not really workable (some CAs ship megabyte-sized lists). We now have a new thing whereby if you are in possession of a certificate, you can do an online check of its status, called OCSP.

    The fundamental problem with this, and the reason why it took the industry so long to get around to making revocation a real-time thing, is that once you have that architecture in place, you no longer need certificates. If you know the website, you simply go to a trusted provider and get the public key. The problem with this approach is that it doesn't allow the CA business to sell certificates to web site owners. As it lacks any business model for CAs, the CAs will fight it tooth & nail.

    Just another conundrum from the office of security Kafkaism.

    Here's another one, this time from the world of code signing. The idea is that updates and plugins can be sent to you with a digital signature. This means variously that the code is good and won't hurt you, or someone knows who the attacker is, and you can't hurt him. Whatever it means, developers put great store in the apparent ability of the digital signature to protect themselves from something or other.

    But it doesn't work with Blackberry users. Allegedly, a Blackberry provider sent a signed code update to all users in United Arab Emirates:

    Yesterday it was reported by various media outlets that a recent BlackBerry software update from Etisalat (a UAE-based carrier) contained spyware that would intercept emails and text messages and send copies to a central Etisalat server. We decided to take a look to find out more.

    ...
    Whenever a message is received on the device, the Recv class first inspects it to determine if it contains an embedded command — more on this later. If not, it UTF-8 encodes the message, GZIPs it, AES encrypts it using a static key (”EtisalatIsAProviderForBlackBerry”), and Base64 encodes the result. It then adds this bundle to a transmit queue. The main app polls this queue every five seconds using a Timer, and when there are items in the queue to transmit, it calls this function to forward the message to a hardcoded server via HTTP (see below). The call to http.sendData() simply constructs the POST request and sends it over the wire with the proper headers.

    Oops! A signed spyware from the provider that copies all your private email and sends it to a server. Sounds simple, but there's a gotcha...

    The most alarming part about this whole situation is that people only noticed the malware because it was draining their batteries. The server receiving the initial registration packets (i.e. “Here I am, software is installed!”) got overloaded. Devices kept trying to connect every five seconds to empty the outbound message queue, thereby causing a battery drain. Some people were reporting on official BlackBerry forums that their batteries were being depleted from full charge in as little as half an hour.

    So, even though the spyware provider had a way to turn it on and off:

    It doesn’t seem to execute arbitrary commands, just packages up device information such as IMEI, IMSI, phone number, etc. and sends it back to the central server, the same way it does for received messages. It also provides a way to remotely enable/disable the spyware itself using the commands “start” and “stop”.

    There was something wrong with the design, and everyone's blackberry went mad. Two points: if you want to spy on your own customers, be careful, and test it. Get quality engineers on to that part, because you are perverting a brittle design, and that is tricky stuff.

    Second point. If you want to control a large portion of the population who has these devices, the centralised hierarchy of PKI and its one root to bind them all principle would seem to be perfectly designed. Nobody can control it except the center, which puts you in charge. In this case, the center can use its powerful code-signing abilities to deliver whatever you trust to it. (You trust what it tells you to trust, of course.)

    Which has led some wits to label the CAs as centralised vulnerability partners. Which is odd, because some organisations that should know better than to outsource the keys to their security continue to do so.

    But who cares, as long as the work flows for the consultants, the committees, the HSM providers and the CAs?

    Posted by iang at 07:13 AM | Comments (7) | TrackBack

    April 02, 2009

    Are the "brightest minds in finance" finally onto something?

    [Lynn writes somewhere else, copied without shame:]

    A repeated theme in the Madoff hearing (by the person trying for a decade to get SEC to do something about Madoff) was that while new legislation and regulation was required, it was much more important to have transparency and visibility; crooks are inventive and will always be ahead of regulation.

    however ... from The Quiet Coup:

    But there's a deeper and more disturbing similarity: elite business interests -- financiers, in the case of the U.S. -- played a central role in creating the crisis, making ever-larger gambles, with the implicit backing of the government, until the inevitable collapse. More alarming, they are now using their influence to prevent precisely the sorts of reforms that are needed, and fast, to pull the economy out of its nosedive. The government seems helpless, or unwilling, to act against them.

    From The DNA of Corruption:

    While the scale of venality of Wall Street dwarfs that of the Pentagon's, I submit that many of the central qualities shaping America's Defense Meltdown (an important new book with this title, also written by insiders, can be found here) can be found in Simon Johnson's exegesis of America's even more profound Financial Meltdown.

    ... and related to above, Mark-to-Market Lobby Buoys Bank Profits 20% as FASB May Say Yes:

    Officials at Norwalk, Connecticut-based FASB were under "tremendous pressure" and "more or less eviscerated mark-to-market accounting," said Robert Willens, a former managing director at Lehman Brothers Holdings Inc. who runs his own tax and accounting advisory firm in New York. "I'd say there was a pretty close cause and effect."

    From Now-needy FDIC collected little in premiums:

    The federal agency that insures bank deposits, which is asking for emergency powers to borrow up to $500 billion to take over failed banks, is facing a potential major shortfall in part because it collected no insurance premiums from most banks from 1996 to 2006.

    with respect to taxes, there was roundtable of "leading expert" economists last summer about current economic mess. their solution was "flat rate" tax. the justification was:

    1. eliminates possibly majority of current graft & corruption in washington that is related to current tax code structure, lobbying and special interests
    2. picks up 3-5% productivity in GNP. current 65,000 page taxcode is reduced to 600 pages ... that frees up huge amount of people-hrs in lost productivity involved in dealing directly with the taxcode as well as lost productivity because of non-optimal business decisions.

    their bottom line was that it probably would only be temporary before the special interests reestablish the current pervasive atmosphere of graft & corruption.

    a semi-humorous comment was that a special interest that has lobbied against such a change has been Ireland ... supposedly because some number of US operations have been motivated to move to Ireland because of their much simpler business environment.

    with respect to feedback processes ... I (Lynn) had done a lot with dynamic adaptive (feedback) control algorithms as an undergraduate in the 60s ... which was used in some products shipped in the 70s & 80s. In theearly 80s, I had a chance to meet John Boyd and sponsor his briefings. I found quite a bit of affinity to John's OODA-loop concept (observe, orient, decide, act) that is now starting to be taught in some MBA programs.

    Posted by iang at 06:51 PM | Comments (3) | TrackBack

    February 13, 2009

    this one's significant: 49 cities in 30 minutes!

    No, not this stupidity: "The Breach of All Breaches?" but this one, spotted by JP (and also see Fraud, Phishing and Financial Misdeeds, scary, flashmob, and fbi wanted poster seen to right):

    * Reported by John Deutzman

    Photos from security video (see photo gallery at left at bottom right) obtained by Fox 5 show of a small piece of a huge scam that took place all in one day in a matter of hours. According to the FBI , ATMs from 49 cities were hit -- including Atlanta, Chicago, New York, Montreal, Moscow and Hong Kong.

    "We've seen similar attempts to defraud a bank through ATM machines but not, not anywhere near the scale we have here," FBI Agent Ross Rice told Fox 5.
    ....

    "Over 130 different ATM machines in 49 cities worldwide were accessed in a 30-minute period on November 8," Agents Rice said. "So you can get an idea of the number of people involved in this and the scope of the operation."

    Here is the amazing part: With these cashers ready to do their dirty work around the world, the hacker somehow had the ability to lift those limits we all have on our ATM cards. For example, I'm only allowed to take out $500 a day, but the cashers were able to cash once, twice, three times over and over again. When it was all over, they only used 100 cards but they ripped off $9 million.

    This lifts the level of capability of the attacker several notches up. This is a huge coordinated effort. Are we awake now to the problems that we created for ourselves a decade ago?

    (Apologies, no time to do the real research and commentary today! Thanks, JP!)

    Posted by iang at 08:25 AM | Comments (0) | TrackBack

    January 19, 2009

    Microsoft: Phishing losses greatly over-estimated

    Seen on the net:

    09 Jan 2009 14:21

    Phishers make much less from their scams than analysts have estimated, according to research from the software maker. The financial losses experienced by victims of phishing scams may be up to 50 times less than estimated by analysts, according to a Microsoft study. Previous studies by organisations such as Gartner, which in 2007 estimated US phishing losses at $3.2bn (£2bn), "crumble upon inspection", Microsoft researchers said in their report, published on Tuesday.

    Nevertheless, stories of easy money may be encouraging a phishing "gold rush" effect, where large numbers of newcomers enter the phishing business expecting huge returns, only to be preyed upon by more experienced phishers, according to A Profitless Endeavor: Phishing as Tragedy of the Commons.

    The study, undertaken by Microsoft researchers Cormac Herley and Dinei Florencio, also suggests there is less profit than thought in phishing because there is only a limited number of people who will be fooled by the scams, and that pool gets smaller as the scams claim victims.

    "Phishing is a classic example of tragedy of the commons, where there is open access to a resource that has limited ability to regenerate," the authors say in their report. "Since each phisher independently seeks to maximise his return, the resource is over-grazed and [on average] yields far less than it is capable of." Instead of getting a maximum return for a minimum effort, the majority of phishers make a weekly wage of hundreds, rather than thousands, of dollars, the researchers said.

    ....

    No comment from here, because I haven't read the source as yet.

    Posted by iang at 05:10 PM | Comments (0) | TrackBack

    December 07, 2008

    Unwinding secrecy -- how to do it?

    The next question on unwinding secrecy is how to actually do it. It isn't as trivial as it sounds. Perhaps this is because the concept of "need-to-know" is so well embedded in the systems and managerial DNA that it takes a long time to root it out.

    At LISA I was asked how to do this; but I don't have much of an answer. Here's what I have observed:

    • Do a little at a time.
    • Pick a small area and start re-organising it. Choose an area where there is lots of frustration and lots of people to help. Open it up by doing something like a wiki, and work the information. It will take a lot of work and pushing by yourself, mostly because people won't know what you are doing or why (even if you tell them).
    • What is needed is a success. That is, a previously secret area is opened up, and as a result, good work gets done that was otherwise inhibited. People need to see the end-to-end journey in order to appreciate the message. (And, obviously, it should be clear at the end of it that you don't need the secrecy as much as you thought.)
    • Whenever some story comes out about a successful opening of secrecy, spread it around. The story probably isn't relevant to your organisation, but it gets people thinking about the concept. E.g., that which I posted recently was done to get people thinking. Another from Chandler.
    • Whenever there is a success on openness inside your organisation, help to make this a showcase (here are three). Take the story and spread it around; explain how the openness made it possible.
    • When some decision comes up about "and this must be kept secret," discuss it. Challenge it, make it prove itself. Remind people that we are an open organisation and there is benefit in treating all as open as possible.
    • Get a top-level decision that "we are open." Make it broad, make it serious, and incorporate the exceptions. "No, we really are open; all of our processes are open except when a specific exception is argued for, and that must be documented and open!" Once this is done, from top-level, you can remind people in any discussion. This might take years to get, so have a copy of a resolution in your back pocket for a moment when suddenly, the board is faced with it, and minded to pass a broad, sweeping decision.
    • Use phrases like "security-by-obscurity." Normally, I am not a fan of these as they are very often wrongly used; so-called security-by-obscurity often tans the behinds of supposed open standards models. But it is a useful catchphrase if it causes the listener to challenge the obscure security benefits of secrecy.
    • Create an opening protocol. Here's an idea I have seen: when someone comes across a secret document (generally after much discussion ...) that should not have been kept secret, let them engage in the Opening-Up Protocol without any further ado. Instead of grumbling or asking, put the ball in their court. Flip it around, and take the default as to be open:
      "I can't see why document X is secret, it seems wrong. Therefore, in 1 month, I intend to publish it. If there is any real reason, let me know before then."
      This protocol avoids the endless discussions as to why and whether.

    Well, that's what I have thought about so far. I am sure there is more.

    Posted by iang at 01:24 PM | Comments (0) | TrackBack

    November 20, 2008

    Unwinding secrecy -- busting the covert attack

    Have a read of this. Quick summary: Altimo thinks Telenor may be using espionage tactics to cause problems.

    Altimo alleges the interception of emails and tapping of telephone calls, surveillance of executives and shareholders, and payments to journalists to write damaging articles.

    So instead of getting its knickers in a knot (court case or whatever) Altimo simply writes to Telenor and suggests that this is going on, and asks for confirmation that they know nothing about it, do not endorse it, etc.

    Who ya bluffin?

    ...Andrei Kosogov, Altimo's chairman, wrote an open letter to Telenor's chairman, Harald Norvik, asking him to explain what Telenor's role has been and "what activity your agents have directed at Altimo". He said that he was "reluctant to believe" that Mr Norvik or his colleagues would have sanctioned any of the activities complained of.

    .... Mr Kosogov said he first wrote to Telenor in October asking if the company knew of the alleged campaign, but received no reply. In yesterday's letter to Mr Norvik, Mr Kosogov writes: "We would welcome your reassurance that Telenor's future dealings with Altimo will be conducted within a legal and ethical framework."

    Think about it: This open disclosure locks down Telenor completely. It draws a firm line in time, as also, gives Telenor a face-saving way to back out of any "exuberance" it might have previously "endorsed." If indeed Telenor does not take this chance to stop the activity, it would be negligent. If it is later found out that Telenor's board of directors knew, then it becomes a slam-dunk in court. And, if Telenor is indeed innocent of any action, it engages them in the fight to also chase the perpetrator. The bluff is called, as it were.

    This is good use of game theory. Note also that the Advisory Board of Altimo includes some high-powered people:

    Evidence of an alleged campaign was contained in documents sent to each member of Altimo's advisory board some time before October. The board is chaired by ex-GCHQ director Sir Francis Richards, and includes Lord Hurd, a former UK Foreign Secretary, and Sir Julian Horn-Smith, a founder of Vodafone.

    We could speculate that those players -- the spooks and mandarins -- know how powerful open disclosure is in locking down the options of nefarious players. A salutory lesson!

    Posted by iang at 06:25 PM | Comments (1) | TrackBack

    November 19, 2008

    Unwinding secrecy -- how far?

    One of the things that I've gradually come to believe in is that secrecy in anything is more likely to be a danger to you and yours than a help. The reasons for this are many, but include:

    • hard to get anything done
    • your attacker laughs!
    • ideal cover for laziness, a mess or incompetence

    There are no good reasons for secrecy, only less bad ones. If we accept that proposition, and start unwinding the secrecy so common in organisations today, there appear to be two questions: how far to open up, and how do we do it?

    How far to open up appears to be a personal-organisational issue, and perhaps the easiest thing to do is to look at some examples. I've seen three in recent days which I'd like to share.

    First the Intelligence agencies: in the USA, they are now winding back the concept of "need-to-know" and replacing it with "responsibility-to-share".


    Implementing Intellipedia Within a "Need to Know" Culture

    Sean Dennehy, Chief of Intellipedia Development, Directorate of Intelligence, U.S. Central Intelligence Agency

    Sean will share the technical and cultural changes underway at the CIA involving the adoption of wikis, blogs, and social bookmarking tools. In 2005, Dr. Calvin Andrus published The Wiki and The Blog: Toward a Complex Adaptive Intelligence Community. Three years later, a vibrant and rapidly growing community has transformed how the CIA aggregates, communicates, and organizes intelligence information. These tools are being used to improve information sharing across the U.S. intelligence community by moving information out of traditional channels.

    The way they are doing this is to run a community-wide suite of social network tools: blogs, wikis, youtube-copies, etc. The access is controlled at the session level by the username/password/TLS and at the person level by sponsoring. That latter means that even contractors can be sponsored in to access the tools, and all sorts of people in the field can contribute directly to the collection of information.

    The big problem that this switch has is that not only is intelligence information controlled by "need to know" but also it is controlled in horizontal layers. For same of this discussion, there are three: TOP SECRET / SECRET / UNCLASSIFIED-CONTROLLED. The intel community's solution to this is to have 3 separate networks in parallel, one for each, and to control access to each of these. So in effect, contractors might be easily sponsored into the lowest level, but less likely in the others.

    What happens in practice? The best coverage is found in the network that has the largest number of people, which of course is the lowest, UNCLASSIFIED-CONTROLLED network. So, regardless of the intention, most of the good stuff is found in there, and where higher layer stuff adds value, there are little pointers embedded to how to find it.

    In a nutshell, the result is that anyone who is "in" can see most everything, and modify everything. Anyone who is "out" cannot. Hence, a spectacular success if the mission was to share; it seems so obvious that one wonders why they didn't do it before.

    As it turns out, the second example is quite similar: Google. A couple of chaps from there explained to me around the dinner table that the process is basically this: everyone inside google can talk about any project to any other insider. But, one should not talk about projects to outsiders (presumably there are some exceptions). It seems that SEC (Securities and Exchange Commission in USA) provisions for a public corporation lead to some sensitivity, and rather than try and stop the internal discussion, google chose to make it very simple and draw a boundary at the obvious place.

    The third example is CAcert. In order to deal with various issues, the Board chose to take it totally open last year. This means that all the decisions, all the strategies, all the processes should be published and discussable to all. Some things aren't out there, but they should be; if an exception is needed it must be argued and put into policies.

    The curious thing is why CAcert did not choose to set a boundary at some point, like google and the intelligence agencies. Unlike google, there is no regulator to say "you must not reveal inside info of financial import." Unlike the CIA, CAcert is not engaging in a war with an enemy where the bad guys might be tipped off to some secret mission.

    However, CAcert does have other problems, and it has one problem that tips it in the balance of total disclosure: the presence of valuable and tempting privacy assets. These seem to attract a steady stream of interested parties, and some of these parties are after private gain. I have now counted 4 attempts to do this in my time related to CAcert, and although each had their interesting differences, they each in their own way sought to employ CAcert's natural secrecy to own advantage. From a commercial perspective, this was fairly obvious as the interested parties sought to keep their negotiations confidential, and this allowed them to pursue the sales process and sell the insiders without wiser heads putting a stop to it. To the extent that there are incentives for various agencies to insert different agendas into the inner core, then the CA needs a way to manage that process.

    How to defend against that? Well, one way is to let the enemy of your enemy know who we are talking to. Let's take a benign example which happened (sort of): a USB security stick manufacturer might want to ship extra stuff like CAcert's roots on the stick. Does he want the negotiations to be private because other competitors might deal for equal access, or does he want it private because wiser heads will figure out that he is really after CAcert's customer list? CAcert might care more about one than they other, but they are both threats to someone. As the managers aren't smart enough to see every angle, every time, they need help. One defence is many eyeballs and this is something that CAcert does have available to it. Perhaps if sufficient info of the emerging deal is published, then the rest of the community can figure it out. Perhaps, if the enemy's enemy notices what is going on, he can explain the tactic.

    A more poignant example might be someone seeking to pervert the systems and get some false certificates issued. In order to deal with those, CAcert's evolving Security Manual says all conflicts of interest have to be declared broadly and in advance, so that we can all mull over them and watch for how these might be a problem. This serves up a dilemma to the secret attacker: either keep private and lie, and risk exposure later on, or tell all upfront and lose the element of surprise.

    This method, if adopted, would involve sacrifices. It means that any agency that is looking to impact the systems is encouraged to open up, and this really puts the finger on them: are they trying to help us or themselves? Also, it means that all people in critical roles might have to sacrifice their privacy. This latter sacrifice, if made, is to preserve the privacy of others, and it is the greater for it.

    Posted by iang at 05:16 PM | Comments (0) | TrackBack

    September 29, 2008

    Clickjacking -- the new browser wipe-out

    News is circulating about Clickjacking, an undisclosed vulnerability that effects all browsers (with the exception of Lynx, which you don't use :) . Apparently although exploit code is somewhat hard, it is an impressive result. Your browser is owned, once again.

    Hattip to BigMac, who might be the last person on the planet using Lynx. There appears to be limited options right now:

    From my side, I wonder whether another possibility is to close all tabs, restart the browser, do your sensitive work, then shut it all down again.

    OK, that's just idle speculation on my part, but it is worth thinking about. A large component of the current breaches are a result of the browser being a general purpose tool with not only cross-admin-border protocols, but also parallel applications in play. Not generally a good idea in security thinking, and it means that the browser can only ever work in medium security modes.

    Also, I have another open question: should NoScript become standard recommendations for Mon'N'Pop ?

    Posted by iang at 10:21 AM | Comments (6) | TrackBack

    April 09, 2008

    another way to track their citizens

    Passports were always meant to help track citizens. According to lore, they were invented in the 19th century to stop Frenchmen evading the draft (conscription), which is still an issue in some countries. BigMac points to a Dutch working paper "Fingerprinting Passports," that indicates that passports can now be used to discriminate against the bearer's country of issue, to a distance of maybe 25cm. Future Napoleons will be happy.

    Because terrorising the reader over breakfast is currently good writing style by governments and media alike, let's highlight the dangers first. The paper speculates:

    Given that we can remotely detect the presence of a passport of a particular country, how could this functionality be abused? One abuse case that has been suggested is a passport bomb, designed to go off if someone with a passport of a certain nationality comes close. One could even send such a bomb by post, say to an embassy. A less spectacular, but possibly more realistic, use of this functionality would by passport thieves, who can remotely check if someone is carrying passport and if it is of a ‘suitable’ nationality, before they decide to rob them.

    From the general fear department, we can also add that overseas travellers sometimes have a fear of being mugged, kidnapped, hijacked or simply shot because of their mere membership of a favourable or unfavourable country.

    Now that we have the FUD off our chest, let's talk details. The trick involves sending a series of commands (up to 4) to the RFID in the passport, each of which are presumably rejected by the passport. The manner of rejection differs from country to country, so a precise fingerprint-of-country can be formed simply by examining each rejection, and then choosing a different command to further narrow the choices.

    How did this happen? I would speculate that the root failure is derived from bureaucrats' never-ending appetite for complex technological solutions to simple problems. In this case, the first root cause is the use of the RFID, being by intention and design something that can be read from up to 10 cm.

    It is inherently attackable, and therefore by definition a very odd choice for security. The second complexity, then, involved implementing something to stop the attackers reading off the RFIDs without permission. The solution to an active read-off attack is encryption, of course! Which leads to our third complexity, a secret key, which is written inside the passport, of course! Which immediately raises issues of brute-forcing (of course!) and, as the paper references, it turns out, brute forcing attacks work on some countries' passports because the secret key is .. poorly chosen.

    All of this complexity, er, solution, means something called Basic Access Control is added to the RFID in order to ensure the use of the secret key. Which means a series of commands meant to defend the RFID. If we factor in the tendency for each country to implement passports entirely alone (because they are more scared of each other than they are of their citizens), we can see that each solution is proprietary and home-grown. To cope with this, the standard was written to be very flexible (of course!). Hence, it permits wide diversity in response to errors.

    Whoops! Security error. In the world of security, we say that one should be precise in what we send, and precise in what we return.

    From that point of view, this is poor security work by the governments of the world, but that's to be expected. The US State Department can now derive some satisfaction from earlier blunders; because of their failure to implement any form of encryption or access control, American passports can be read by all (terrorists and borderists alike), which apparently forced them to add aluminium foil into the passport cover to act as a Faraday cage. Likely, the other countries will now have to follow suit, and the smugness of being sophisticated and advanced in security terms ("we've got BAC!") will be replaced by a dawning realisation that they should have adopted the simpler solutions in the first place.

    Posted by iang at 03:33 AM | Comments (3) | TrackBack

    March 06, 2008

    Economics not repealed, just slow: Paypal blames Browsers for Phishing

    Well, it had to happen one day. A major player has finally broken the code of silence and blamed the browsers. In this case, it is PayPal, and Safari.

    Infoworld last week quoted Michael Barrett, PayPal’s CIO, saying the following:
    “Apple, unfortunately, is lagging behind what they need to do, to protect their customers. Our recommendation at this point, to our customers, is use Internet Explorer 7 or 8 when it comes out, or Firefox 2 or Firefox 3, or indeed Opera.”

    The browser is the user's security tool. The browser is the only thing between you and the phisher. The browser is the point of all attack attention. The browser is it. That's why it had SSL built in -- to correctly identify the website as the one you wanted to go to.

    So above, Paypal blames Safari for not doing enough about phishing. It's true, Safari does nothing (as I found out recently and had to switch back to Firefox). It likely had to be Paypal because the regulated banks won't say boo without permission, and Paypal might be supposed to be net-savvy. It had to be Safari because (a) there is that popular alternate now, and (b) Apple is still small enough not to be offended, and (c) others have done something in the phishing area.

    A take-away then is not the names involved, but the fact that a large player has finally lost patience and is pointing fingers at those who are not addressing phishing:

    At issue is the fact that Safari lacks a built-in phishing filter to warn users about shady Web sites. Safari also doesn’t support so-called Extended Validation certificates, which turn the address bar green if a site is legit. Extended Validation certificates aren’t the complete answer but are a help.

    OK, so those are some ideas, and Safari could do something. However there may be more to this than meets the eye:

    An emerging technology, EV certificates are already supported in Internet Explorer 7, and they've been used on PayPal's Web site for more than a year now. When IE 7 visits PayPal, the browser's address bar turns green -- a sign to users that the site is legitimate. Upcoming versions of Firefox and Opera are expected to support the technology.

    Aha! It's not a general complaint to Apple at all. It is a complaint that EV has not been implemented in Safari. It's a very specific complaint!

    ( Long term readers know that EV implements the basic steps necessary to complete the SSL security model: By naming the CA that makes the claim, it clearly encapsulates the statement. By making it more clear what was going on to the user the final step was made to the risk-bearing party. )

    Paypal has purchased a green certificate. And now they want it to work. It works on IE, but not on others. (Firefox and Opera say "soon" and so are given a pass. For now.) Apple rarely comments on its plans, so it has been named and shamed for not adopting the agreed solution. More for not playing the game than anything.

    The sad thing about the EV is that it is (approximately) what the browsers should have done years ago, when phishing became apparent.

    But nothing could be done. I know, I tried. If there is any more elegant proof of the market for silver bullets, I'm hard pressed to find it. To break the equilibrium around SSL+cert-user-CA (that reads SSL plus cert minus user minus CA), EV had to be packaged as an industry consortium agreeing on an expensive product. Once so packaged, it was then sold to Microsoft and to some major websites. Once in the major places, influence is then brought to bear to get the rest to come into line.

    The problem with this, as I lay out in silver bullets, is that shifting from one equilibrium to another is a strictly weaker strategy. Firstly, we are not that confident in our choice of equilibrium. That's by definition; we wouldn't play this game if we knew how to play the game. Secondly, and to spin a leaf from John Boyd, the attacker can turn inside our OODA loop. Which is to say, he can create and modify his attacks faster than we can change equilibrium. Or, he is better at playing his game than we are.

    You can read a much more extended argument in the essay (new, improved with extra added focus!). But for now, what I find interesting is the questions we don't yet have answers to.

    What would be the attacker's best strategy, knowing all we do about the market and our claim that this is equilibrium shifting? Would the attacker destroy EV? Would he protect EV? Would he milk it?

    Another question is, what is Apple's best strategy? It is currently outside the consortium, but has been attacked. Should it join and implement EV? Go it alone? Ignore? Invent an own strategy?

    Posted by iang at 11:17 AM | Comments (0) | TrackBack

    December 30, 2007

    Why Security Modelling doesn't work -- the OODA loop of today's battle

    Editor's note: now with a Chinese translation

    I've been watching a security modelling project for a while now, and aside from the internal trials & tribulations that any such project goes through, it occurs to me that there are explanations of why there should be doubts. Frequent readers of FC will know that we frequently challenge the old wisdom. E.g., a year ago I penned an explanation of why, for simple money reasons, you cannot build security into the business from the early days.

    Another way of expressing this doubt surrounding Security Modelling is by reference to Col. Boyd's OODA loop. That stands for Observe, Orient, Decide, Act and it expresses Boyd's view of fighter combat. His thesis was that this was a loop of continuous cycles that characterised the fighter pilot's essential tactics.

    Two things made it more sexy: firstly, as a loop, he was able to suggest that the pilot with the tighter OODA loop would turn inside the other. This was a powerful metaphor because turning inside the enemy in fighter combat is as basic as it gets; every schoolboy knew how Spitfires could turn inside Messerschmitt 109s, and thus was won the Battle of Britain.

    Obviously things aren't quite so simple, but this made it easy to understand what Boyd was getting at. The second thing that made the concept sexy was that he then went on to show it applied to just about every form of combat. And, that's true: I recall from early soldiering lessons on soviet army doctrine, that the russkies could turn their defence into a counter-attack faster than our own army could turn our attack into a defence. At all unit sizes, the instructors pointed out.

    Taking a leaf from Sun Tzu's Art of War, the OODA loop concept may also be applied to other quasi-combat scenarios such as security and business. If we were to translate it to security modelling, we can break the process simply into four phases:

    • threat modelling
    • security modelling
    • architecture
    • implementation & deployment

    To do it properly, each of these phases is important. You can't skip them, says the classical wisdom. We can agree with that, at a simple level. Which leaves us a problem: each of those phases costs time and effort.

    A proper threat model for a medium sized project should take a month or so. A proper security model, I'd suggest 3 months and up. The other two phases are also 3 months and climbing, with overruns. So, for anything serious, we are talking a year, in total, for the project.

    Now consider the attacker. Today's aggressor appears very fast. So-called 0-day viruses, month-long migration cycles, etc. A couple of days ago, there was this report that talked about the ability of Storm and Son-of-Storm's ability to migrate dynamically: "what emerges is a picture of a group of skilled, professional software developers learning from their mistakes, improving their code on a weekly basis and making a lot of money in the process."

    Which means that the enemy is turning in his OODA loop in less than a month, sometimes as quickly as a day. Either way, the enemy today is turning faster than any security model-driven project is capable of doing.

    What to do? Adolf Galland apocryphally told Reichsmarschall Göring that he could win the Battle of Britain with a squadron of Spitfires, but he was only behind by a few percentage points. In security terms we are looking at an order of magnitude, at least, which seems to lead to two possible conclusions: either your security model results in perfect security, there are no weaknesses, and it matters not how fast the enemy spins on his own dime. Or, classical security modelling is simply and utterly too slow to help in today's battle.

    We need a new model. Now, this isn't to say "stop all security modelling." Even in the worst case, if the technique is completely outdated, it will remain a tremendously useful pedagogical discipline.

    Instead, what I am suggesting is that the conventional wisdom doesn't hold scrutiny; something has to break. Whatever it is, security modelling is likely to have to change its practices and wisdoms, if it is to survive as the wisdom of the future.

    Quite dramatically, indeed, as it possibly needs to achieve a 10-100 fold increase in its OODA loop performance in order to match the current enemy. In other words, a revolution in security thinking.

    Editor's note: now with a Chinese translation

    Posted by iang at 08:59 PM | Comments (10) | TrackBack

    December 15, 2007

    MITM spotted in Tor

    Bruce Schneier wrote in cryptogram:

    Man-in-the-middle attack by Tor exit node. So often man-in-the-middle attacks are theoretical; it's fascinating to see one in the wild. The guy claims that he just misconfigured his Tor node. I don't know enough about Tor to have any comment about this. [German commetary.] I've written about anonymity and the Tor network before.

    Can't agree more! MITMs are so rare that they really should not drive any threat model until shown to be economic. Making that mistake was one of the core failures that led to phishing (thanks guys!). Here's a more simple sniffing attack on the same network:

    I previously wrote about Dan Egerstad, a security researcher who ran a Tor anonymity network and was able to sniff some pretty impressive usernames and passwords. Swedish police arrested him last month.

    Pure eavesdropping is also worth recording because we need to establish the frequency so as to calculate how much attention to pay to it. For the interest of financial cryptographers here, let's add this one from the same source, pointing to BoingBoing pointing to b.wsj:

    In 1941, the British Secret Service asked the game's British licensee John Waddington Ltd. to add secret extras to some sets, which had become standard elements of the aid packages that the Red Cross delivered to allied prisoners of war. Along with the usual dog, top hat and and thimble, the sets had a metal file, compass, and silk maps of safe houses (silk, because it folds into small spaces and unfolds silently). Even better, real French, German and Italian currency was hidden underneath the game's fake money. Departing allied soldiers and pilots were told that if they were captured they should look out for the special editions, identified by a red dot in the Free Parking space. Any sets remaining in the U.K. were destroyed after the war. Of the 35,000 prisoners of war who escaped German prison camps by the end of the war, "more than a few of those certainly owe their breakout to the classic board game," says Mr. McMahon.
    Posted by iang at 08:10 AM | Comments (1) | TrackBack

    September 10, 2007

    Threatwatch - more data on cost of your identity

    In the long-running threatwatch theme of how much a set of identity documents will cost you, Dave Birch spots new data:

    Other than data breaches, another useful rule-of-thumb figure, I reckon, might come from identity card fraud since an identity card is a much better representation of a persons identity than a credit card record. Luckily, one of the countries with a national smart ID card just had a police bust: in Malyasia, the police seized fake MyKad, foreign workers identity cards, work permits and Indonesian passports and said that they thought the fake documents were sold for between RM300 and RM500 (somewhere between $100 to $150) each. That gives us a rule-of-thumb of $20 for a "credit card identity" and $100, say, for a "full identity". Since we don't yet have ID cards in the U.K., I thought that fake passports might be my best proxy. Here, the police says that 1,800 alleged counterfeit passports recovered in raid in North London were valued at £1m. If we round it up to 2,000 fakes, then that's £500 each. This, incidentally, was the largest seizure of fake passports in the U.K. so far and vincluded 200 U.K. passports, which, according to police, are often considered by counterfeiters to be too difficult to reproduce. Not!

    The point I actually wanted make is not that these figures a very variable, which they are, but that they're not comparing apples with apples. Hence the simplistic "what's your identity worth?" question cannot be answered with a simple number.

    OK, that's consistent with my long-standing estimate of 1000 (in the major units, pounds, dollars, euros) to get a set of docs. It is important to track this because if you are building a system based on identity, this gives you a solid number on which to base your economic security. E.g., don't protect much more than 1000 on the basis of identity, alone.

    As a curious footnote, I recently acquired a new high-quality document from the proper source, and it cost me around 1000, once all the checking, rechecking, couriered documents and double phase costs were all added up. If a data set of one could be extrapolated, this would tell us that it makes no difference to the user whether she goes for a fully authentic set or not!

    Luckily my experiences are probably an outlier, but we can see a fairly damning data point here: the cost of an "informal" document is far to similar to the cost of a "formal" document.

    Postscript: It turns out that there is no way to go through FC archives and see all the various categories, so I've added a button at the right which allows you to see (for example) the cost of your identity, in full posted-archive form.

    Posted by iang at 05:27 AM | Comments (1) | TrackBack

    July 23, 2007

    Threatwatch: how much to MITM, how quickly, how much lost

    It costs $500 for a kit to launch an MITM phishing attack. (Don't forget to add labour costs at 3rd world rates...)

    David Franklin, vice president for the Europe, Middle East and Africa told IT PRO that these sites are proliferating because they are actually easier for hackers to set up than traditional 'fake' phishing sites because they don't even have to maintain a fake website. He also said man-in-the-middle attacks defeat weak authentication methods including passwords, internet protocol (IP) geolocation, device fingerprinting, cookies and personal security images and tokens, for example.

    "A lot of the attacks you hear about are just the tip of the iceberg. Banks often won't even tell an affected customer that they have been a victim of these man-in-the-middle attacks," said Franklin, adding that kits that guide cybercriminals through setting up a man-in-the-middle attack are now so popular they can be bought for as little as $500 (£250) on the black market now.

    He also said "man-in-the-browser" attacks are emerging to compete in popularity with middleman threat.

    A couple of interesting notes from the above: it is now accepted that MITM is what phishing is (in the form mentioned above, the original email form, and the DNS form). These MITMs defeat the identity protection of SSL secure browsing, a claim made hereabouts first. and one that is still widely misunderstood: This is significant because SSL is engineered to defeat MITMs, but it only defeats internal or protocol MITMs, and can not stop the application itself being MITM'd. This typical "bypass attack" has important economic ramifications, such that SSL is now shown to be too heavy-weight to deliver value, unless it is totally free of cost and setup.

    Secondly, note that the mainstream news has picked up the MITB threat (also reported and documented here first). It's still rare, but in the next 6 months, expect your boss to ask what it's about, because he read it in Yahoo.

    More juicy threat modelling numbers:

    Analysts at RSA Security early last month spotted a single piece of PHP code that installs a phishing site on a compromised server in about two seconds,

    And....

    Despite efforts to quickly shut sites down, phishing sites averaged a 3.8-day life span in May, according to the Anti-Phishing Working Group, which released its latest statistics on Sunday.

    Data from market analyst Gartner released last month showed that phishing attacks have doubled over the last two years.

    Gartner said 3.5 million adults remembered revealing sensitive personal or financial information to a phisher, while 2.3 million said that they had lost money because of phishing. The average loss is US$1,250 per victim, Gartner said.

    In the past (June 2004: 1, 2), I've reported that phishing costs around one billion per year. Multiply those last two numbers above from Gartner, and we get around a billion over the last three years. Still a good rule of thumb then.

    Posted by iang at 06:39 AM | Comments (4) | TrackBack

    April 20, 2007

    Counting Chickens at eTrade, bankruptcy in Europe, and costs in America

    Gunnar Peterson posts:

    Identity Chickens Coming Home to 8 Figure Roost

    Reason number 2,503,201 why 1995 security architectures based on SSL, network firewalls, and a prayer are not good enough any more. Etrade's 10Q filing (hat tip Dan Geer):

    Other expenses increased 97% to $45.7 million and 55% to $101.9 million for the three and nine months ended September 30, 2006, respectively, compared to the same periods in 2005. These increases were primarily due to fraud related losses during the third quarter of 2006 of $18.1 million, of which $10.0 million was identity theft related. The identity theft situations arose from recent computer viruses that attacked the personal computers of our customers, not from a breach of the security of our systems. We reimbursed customers for their losses through our Complete Protection Guarantee. These fraud schemes have impacted our industry as a whole. While we believe our systems remain safe and secure, we have implemented technological and operational changes to deter unauthorized activity in our customer accounts.

    Over on EC I suggested that the cost depends on whether you are left or right of the Atlantic. In Europe, the Data Directive mandates fines, I was told it was around 25-50 thousand Euros per record lost . Lose your database, file for bankruptcy.

    (OK, so I make this claim. I heard it in a pub... I'd better check on it!)

    While we're counting cost, if not coup, here's some US numbers, finally with some serious if unconfirmed attention by Forrester Research:

    The average security breach can cost a company between $90 and $305 per lost record, according to a new study from Forrester Research. The research firm surveyed 28 companies that had some type of data breach.

    "After calculating the expenses of legal fees, call centers, lost employee productivity, regulatory fines, stock plummets, and customer losses, it can be dizzying, if not impossible, to come up with a true number," wrote senior analyst Khalid Kark in the report. "Although studies may not be able to determine the exact cost of a security breach in your organization, the loss of sensitive data can have a crippling impact on an organization's bottom line, especially if it is ill-equipped, and it's important to be able to make an educated estimate of its cost."

    Posted by iang at 01:31 AM | Comments (0) | TrackBack

    April 02, 2007

    Threatwatch: MITB spotted: MITM over SSL from within the browser

    A long awaited browser MITB attack -- in essence an MITM against SSL launched within the browser -- has been spotted (by Lynn) in Netherlands:

    ...customers opened an email attachment that resulted in a virus being executed on their machines. This virus changed their browsers' behaviour so when they went to open the real ABN Amro online banking site, they were instead re-directed to a spoof site.

    The customers then typed in their passwords, which the attacker in turn used to access the bank's real Web site. The customer's own transactions were passed along to the real site, so they didn't notice anything wrong right away, while the attacker simultaneously made their own fraudulent transactions using the bank's urgent payment feature.

    ABN Amro has issued its customers with two-factor authentication tokens for several years. But the man-in-the middle attack gets around this security measure by passing the ever-changing part of the password from the token to the bank along with the never-changing part - essentially piggybacking on a legitimate log-in.

    Now, if it has been spotted here, it has been going on for some time. The first signs seen of an attack on SSL were late 2004. In essence it was still an uneconomic attack, but the proof of concepts were there. What remains to be seen is whether we are about to see a large scale shift into browser MITM attacks (known as Man-in-the-Browser) or whether we are seeing only tentative experimentation.

    Meanwhile, over at Mozilla, "our man in the SSL/UI security team" Johnath is trying to draft up a proposal to work with Firefox. State of play so far:

    Creating a simple UI to repair the padlock is no easy matter. EV is a complicating factor in that we need at least 3 states, and that means we need more than 3. This ain't new, but it is easier said than done.

    Further, nobody has any hope that EV changes anything. Firstly, it is very confusing, too small, rare, and ultimately spoofable. So people are looking to Mozilla to see whether it will break away and start working on the far stronger user-bank relationship, directly, a.k.a Petnames and Zooko's Triangle and all that.

    Maybe. As Gervase does not tire of pointing out, users won't do that. Worse, the above attack slices its way through both of those approaches, because it changes the browser from the inside.

    The number of balls in the air is now too many. We've all noticed the migration away from Microsoft to Mac because of security failures. (The press worms bury deeply into the wet soil on this one.) Will there be a wholesale migration away from online banking as all browsers are declared no more solid than swiss cheese in a fondue?

    This was what the European banks were worried about when we reported MITB earlier in 2006. One year later there has been no epidemic, and that gave them time to respond. Hopefully they are ready. Chances are, nobody else has or is. To live in interesting times...

    Posted by iang at 02:44 PM | Comments (6) | TrackBack

    April 01, 2007

    Threatwatch - bots, selling Ameritradelity, all your DNS belong to US

    In our side project of collecting reported threat statistics, here's lots of them:

    MessageLabs, a company that counts spam, recently stopped counting bot-infected computers because it literally could not keep up. It says it quit when the figure passed about 10 million a year ago. Symantec Corp. recently said it counted 6.7 million active bots during an Internet scan. Since all bots are not active at any given time, the number of infected computers is likely much higher. And Dave Dagon, who recently left Georgia Tech University to start a bot-fighting company named Damballa, pegs the number at closer to 30 million. The firm uses a "capture, mark, and release," strategy borrowed from environmental science to study the movement of bot armies and estimate their size.

    "It's like asking how many people are on the planet, you are wrong the second you give the answer. : But the number is in the tens of millions," Dagon said. "Had you told me five years ago that organized crime would control 1 out of every 10 home machines on the Internet, I would have not have believed that. And yet we are in an era where this is something that is happening."

    This transcript of a trading account fencing ("selling of stolen goods") spree reveals:

    Two accounts on TD Ameritrade. One has $7,000, $2,000 on the other. Plus I have a us.etrade.com account which has $1,300. I will sell all for $250. I also have a Fidelity valued at $50,000 that I'll sell for $350. Purse on webmoney Zxxxxxxxxxxxx. I can send them in parts so you can be sure I am not a fraud, but you make the first transaction, and then I send you the money.

    Funnily enough, the "fence" wasn't that smart, as the TV Intern doing the 'buying' tipped him off fairly early that he was probably an investigator.

    Not a number, but a threat (posted by Duane, pointed out by Philipp):

    DNSSec is poorly adopted already, and now the US Gov wants IANA to hand over private keys, giving people even less incentive to adopt.

    "At an ICANN meeting in Lisbon, the US Department of Homeland Security made it clear that it has requested the master key for the DNS root zone. The key will play an important role in the new DNSSec security extension, because it will make spoofing IP-addresses impossible. By forcing the IANA to hand out a copy of the master key, the US government will be the only institution that is able to spoof IP addresses and be able to break into computers connected to the Internet without much effort. There's a further complication, of course, because even 'if the IANA retains the key ... the US government still reserves the right to oversee ICANN/IANA. If the keys are then handed over to ICANN/IANA, there would be even less of an incentive [for the U.S.] to give up this role as a monitor. As a result, the DHS's demands will probably only heat up the debate about US dominance of the control of Internet resources.'"

    A Cook Report around 1997 laid out the basic case that it is US government formal but unstated policy that the net is controlled and kept as a US-managed institution. That makes the above an old and well understood threat; serious high security Internet systems do their "own DNS," including Skype, eCash, WebMoney, Ricardo. (All except the last are from memory and anecdotes.)

    The above can be seen as a power play between the overseers of the poodle ICANN (Commerce Dept?) and the DHS, being the new kid on the block. The solution to the above problem is simply to issue the DNS root zone master key to every government agency that asks for it. If the crazies in DHS have a right to it (as they will argue) then so do the mad mullahs of Persia ... and all points in between.

    Then, the root key moves to where Spire put it: 150,000 people with legitimate access to it, so no longer a security tool. Problem solved.

    Addendum: dead link was this:



    Hackers Pillaging Your Hard-Earned Retirement Funds
    The Following Are E-mail Exchanges Between a Russian Hacker and an ABC News
    Intern Dubbed 'Svetlana'

    March 20, 2007- -

    Hacker (March 9, 10:44 AM): Hello Svetlana! You need TD Ameritrade accounts?
    I have a couple and Fidelity.com as well. On one there is 7k for cash
    trading/withdrawal. How much are you willing to offer for it? Write me and
    we will discuss )

    Svetlana (11:42 AM): Hello! Thank you for responding...what percent do you
    usually take for the information and what exactly will you give me if we
    make a deal? Is the 7K in TD Ameritrade or in Fidelity.com?

    Hacker (11:46 AM): Ok 7k is on the Ameritrade and I do not take a
    percentage. I can just simply sell you the account. I am not a fraud you can
    ask Egold he knows me. A couple of hundred dollars will satisfy me
    completely.

    Svetlana (11:53 AM): Ok, do you have the password and the number of that
    account? And is this account American? How much money is in the Fidelity? A
    couple of hundred is feasible, how much exactly do you want?

    Hacker (12:03 PM): Two accounts on TD Ameritrade. One has $7,000, $2,000 on
    the other. Plus I have a us.etrade.com account which has $1,300. I will sell
    all for $250. I also have a Fidelity valued at $50,000 that I'll sell for
    $350. Purse on webmoney Zxxxxxxxxxxxx. I can send them in parts so you can
    be sure I am not a fraud, but you make the first transaction, and then I
    send you the money.

    Hacker (12:05 PM): Yes, all the accounts are American.

    Svetlana (12:14 PM): Ok, so I will send you the money, and you will give me
    1) username 2) password?

    Hacker (12:16 PM): Of course, I have these accounts from time to time and if
    you need them we can work together permanently. As soon as you make the
    transaction I will send you the information in the email.

    Hacker (12:34 PM): Svetlana, how do you like my offer? Are you going to buy,
    I need to know that they are yours so I don't sell them. Write back.

    Svetlana (12:52 PM): I will pay you double if along with this information
    you have the names of these people and their SS #.

    Hacker (12:56 PM): Ok when you enter you will see the owner's information.
    When are you planning to buy the accounts? Today?

    Hacker (1:00 PM): I also have two trading.scottrade.com accounts valued a
    little under $40,000. Need them?

    Svetlana (1:09 PM): Yes, I DEFINITELY need them. I never used a webmoney
    account, how do I sign up to it?

    Hacker (1:23 PM): Ok fine Svetlana I will help you make the transfer. Go to
    www.roboxchange.com, select "exchange electronic money," "forward," in the
    window select USD e-gold. For the receiver choose WMZ. Type in the amount in
    your e-golds and below it will say how much that equals in webmoney. Copy
    the number of the purse from the email Zxxxxxxxxxxxx. That's it, press
    "exchange," the money will be instantaneously transferred to me and I will
    send you the information for accessing the accounts, which will complete the
    transaction.

    Hacker (1:45 PM) So Svetlata, did you understand? Write back as soon as you
    send.

    Hacker (2:07 PM): Svetlana...

    Svetlana (2:07 PM) Ok I signed up. However, $600 is big money, how would I
    know FOR SURE that you will send them to me? Can you give me some kind of
    proof?

    Hacker (2:11 PM): I told you, Egold works with me, write him, he serves as
    the guarantee during transactions. He is also the forum's moderator on which
    you made the announcement. This is guarantee in itself. Believe me, I am not
    a fraud, I am a salesperson of accounts. I make money from this, I have no
    reason to ruin my reputation, especially since you are paying me good money
    and there is no point to lose you as a client, which I have to find anyway.

    Hacker (2:13 PM): My nickname is koloxxxx, he knows.

    Hacker (2:38 PM): Svetlana, did you make the transaction, or am I
    misunderstanding something?

    Hacker (2:40 PM): For proof, I can send you one small account. Look and
    understand that I am a real seller, this is my fraud-free business.
    [https://wwws.ameritrade.com/cgi-bin/apps/LogIn]
    Log on to TD AMERITRADE
    USERID=xxxxxxxxx
    PASSWORD=xxxxxxxxxxx

    Svetlana (2:50 PM): I can not find the person's name and SSN# on this
    account.

    Hacker (2:54 PM): Ok this is just with Ameritrades, Fidelity has them. Make
    the transfer and I will send you the rest, then we will talk in detail.

    Hacker (2:56 PM): Fidelity has the SS #.

    Svetlana (3:02 PM): So Ameritrades never have SSN#'s? I need the people's
    names and their SSN#'s.

    Hacker (3:11 PM): Ok Svetlana you wrote: "I need to access Schwab, E-trade,
    TD Ameritrade accounts. I do not need credit cards -- only savings accounts
    or 401(K)s. Pay good money, willing to make a deal. Write back asap, or
    email me at Sveta.xxxx@gmail.com". So I showed you an account,
    Ameritrade...unfortunately it lacks the information you need, specifically
    the name of the owner, but on the Fidelity I have that information plus the
    SS#. I also have us.etrade.com where the person's information can be seen. I
    am completing my part of the deal, and am awaiting the same on your part.
    Svetlana, what do you want from me, let's make the exchange and and I will
    send you your accounts, or consequently I will open them up for sale. Make a
    decision...

    Hacker (3:31 PM): Do you need them or not?

    Hacker (3:37 PM): Svetlana, are you still there?

    Svetlana (3:47 PM): Yes, I need them but I will not have the money till
    Monday (I am awaiting a transfer), can you wait till then? If not, will you
    have anything remaining or will you have anything new on Monday?

    Hacker (3:51 PM): Of course, and I will keep this material for you. It would
    be nice if you would send me at least $50 as a sort of a guarantee for me.
    If not then not...I will keep the accounts till Monday and I will be online
    at that time so feel free to write me. Good luck Svetlana.

    Svetlana (4:06 PM): I would rather send you the total amount on
    Monday...thank you very much for your patience...talk to you soon!!

    Hacker (March 12, 11:44 AM): Hello Svetlana! How are you today? Are you able
    to make the transfer to the purse? As I promised I left you those accounts
    and I also have 6-8 new fidelity each valued at $20-40k. Of course each has
    a SS# and FIO of the owner as you needed. Write back as soon as you get
    this.

    Svetlana (11:54 AM): Hello! Yes I have the money, but how do I extract the
    money from these accounts?

    Hacker (12:01 PM): Svetlana I merely sell the accounts, the people that
    purchase them they do everything as they wish and I have nothing to do with
    it...You asked me to find accounts and I found them for you, will you be
    buying those for $600?

    Svetlana (12:08 PM): Sergey, actually I work for ABC News in New York. We
    are doing a report on hackers that break into accounts. What you showed me
    is very interesting, and we would like to interview you about your business.

    Hacker (12:11 PM): ) Best of luck to you.

    This exchange was translated from Russian to English.

    Copyright © 2007 ABC News Internet Ventures
    http://abcnews.go.com/wnt/print?id=2966583

    Posted by iang at 04:51 PM | Comments (1) | TrackBack

    March 27, 2007

    Cost of an identity

    Some figures on the cost to build a new identity:

    In all, seven defendants pleaded guilty in Corpus Christi this past week to charges of selling their birth certificates and Social Security cards for $100 each. Seven other defendants pleaded guilty to buying or reselling those documents as part of a ring that sold documents to illegal immigrants seeking jobs in Dodge City, Kan.

    One other figure:

    Tim Counts, an Immigration and Customs Enforcement spokesman in Bloomington, Minn., said that investigation revealed documents were available for a price in places as open as Kmart parking lots. He said genuine documents were the most expensive, costing up to $1,500, and the most effective against detection.

    That remark looks suspicious, I'd guess he's talking about something else than SS cards and birth certificates.

    Also over in that center of expertise in identity theft, USA, a blog entry by Spire says:

    1. For as long as we continue to pretend that SSNs are secret and therefore may be used as authenticators, they will be.
    2. There are over 150,000 people (my estimate) with "defendable" access to your SSN right now. They aren't secret.
    3. You are more likely by a factor of 10 to be a victim of identity fraud via one of these "authorized" folks.
    4. The real problem is not how easy it is to get your SSN, but how creditors et.al. allow the SSN to be used as an authenticator (See #1).
    5. The SSN is fine as an identifier. No, it is not perfect, but its main benefit is that it is already used in so many places.

    Right. That's a number we wanted: 150k people in that country have access (legal, he says defendable) to the SSN. Presumably they have access to all the other PII as well.

    Posted by iang at 05:51 AM | Comments (7) | TrackBack

    March 17, 2007

    Finally, someone gets done for Money Laundering....

    Money Laundering (ML) was once tightly defined as washing the proceeds of (very) serious crime through an organised cycle.

    How you could tell was supposed to be that there was (a) an awful lot of it, (b) there was a hot-button crime like drugs, and (c) an organisation that processed the cash. That's what the big drugs rings did; in effect, they outsourced the money problem to the professionals.

    This is "real" money laundering:

    Three members of a money laundering gang were jailed for a total of 15 years at Ipswich Crown Court today. Between June 2003 and September 2005 the gang laundered more than £100 million in cash for criminal organisations and individuals throughout the United Kingdom.

    The court heard that this large scale money laundering operation was centred around a Money Services Bureau (MSB) on the London Road in Croydon, called Deans Exchange. This was run by Zaka Ud Din, with the assistance of Sabz Ali Khojo. As well as offering legitimate money services to the local community, Deans Exchange was being used as a front for a much larger operation, offering the laundering of cash.

    My hat off to the guys who busted that ring.

    These days, however, ML is a catch-all crime of no semantic meaning, given the massive preponderance of convictions where the only relationship was that it was a crime of some trivial amount of value. ML these days is more likely to mean a well-off professional goes down for one count of slapping his wife and 6 counts of ML.

    Technically, this is the best it gets:

    BRITAIN'S biggest and most feared gangster got away with murder yesterday when he was jailed for just seven years. Terry Adams, linked by police to 25 unsolved killings, was finally brought to justice after running a £200million crime empire for more than 25 years.

    Like Al Capone, police were unable to make any serious charges stick against the crime kingpin and it was a financial scam that proved his downfall. Adams pleaded guilty to a single charge of money laundering - but was told he will be eligible for parole in three and a half years.

    More public applaud to the British criminal authorities (and MI5 apparently). That was the case that AML (anti-money laundering) was designed for: get a notorious crime boss on the financials, because he killed all the witnesses (25 in the above case). You can't kill the flow of money, so the theory goes.

    La Procuraduría General de la República investiga los vínculos internacionales de la compañía Unimed Pharm Chem de México, la cual fue fachada para que por lo menos desde 2004 un grupo de presuntos productores de drogas sintéticas acumulara en una residencia de las Lomas de Chapultepec más de 205 millones de dólares en efectivo, así como unos 200 mil euros y 157 mil pesos FOTO Ap /PGR

    (Sorry about the spanish, haven't found an english article yet.) Which is why there was a rationale that if you could seize the cash, you did the crimeboss harm. The $205 million in cash in the photo above was seized this week in Mexico in some sort of financing deal for a complete factory to produce drugs.

    When cash like that gets seized from MLers, this helps. Nobody can object to that!

    But the more popular meaning of ML seizures is "police need money to finance more ML seizures." When someone you know gets accused of 5 counts of ML and 1 count of using the postal service, all because he rubbed the local FBI agent up the wrong way, AML becomes the enemy of civil society.

    Relevance to FC: as we design systems of value, we must protect our users from illegal ML and from immoral AML. No easy task, given the lack of discrimination in the tools. Above, all the cases are clearly bad guys being caught by the good guys, and we applaud. Indeed, an honest ML bust is so rare that it's worth posting about.

    Posted by iang at 08:35 AM | Comments (0) | TrackBack

    An ordinary crime: stock manipulation

    Sometimes when we can't seem to get anywhere on analysing our own sector of criminal activity, it helps to look at some ordinary stuff. Here's one:

    According to the Commission's complaint, between July and November 2006, the Defendants repeatedly hijacked the online brokerage accounts of unwitting investors using stolen usernames and passwords. Prior to intruding into these accounts, the Defendants acquired positions in the securities of at least fourteen securities, including Sun Microsystems, Inc., and "out of the money" put options on shares of Google, Inc. Then, without the accountholders' knowledge, and using the victims' own accounts and funds, the Defendants placed scores of unauthorized buy orders at above-market prices. After these unauthorized buy orders were placed, the Defendants sold the positions held in their own accounts at the artificially inflated prices, realizing profits of over $121,500.

    To achieve this benefit, the prosecution alleges that $875,000 of damage was done.

    It's a point worth underscoring: a criminal attack in our world often involves doing much more damage than the gain to the criminal. For that reason, we must focus on the overall result and not on the headline number. Here's a more aggressive damages number:

    The pump and dump scheme, which occured between July and November 2006, has cost one brokerage firm at least $2m in losses. An estimated 60 customers and nine US brokerage firms were identified as victims.

    Also, funds seized.

    Posted by iang at 08:05 AM | Comments (0) | TrackBack

    February 23, 2007

    Any good definitions of Phishing?

    Somehow I ended up on Wikipedia's entry on phishing, and added a link from the AOL playtime era to its more modern incarnation of the rape & pillage of a financial district swollen with multi-nationals, conglomerates and fat, bloated merchant banks:

    Transition from AOL to Financial Institutions

    Capture of AOL account information may have led phishers to capture and misuse of (real) credit card information, which then evolved to attacks against online payment systems. The first direct attempt against a payment system may have been against e-gold, "going out of biz," June 2001, and was followed by "post-911 id check" shortly after 9/11.[14] Both were viewed at the time as failures, but can now be seen as early experiments towards more fruitful attacks against mainstream banks. By 2004, phishing was recognised as fully industrialised, in the sense of an economy of crime: specialisations emerged on a global scale and provided components for cash which were assembled into a finished attack. [15][16]

    [edit]

    Anyone can edit that page, honest injun! Also, at the top, it defines:

    In computing, phishing is a criminal activity using social engineering techniques.[1]

    Come on, surely we can do better than that!? What happened to the successful MITM? What happened to the failure of the browser security model? I think at least we need to inject some hubris in there: security designs failed. Sorry about that, let's get it fixed.

    What are the potential definitions of phishing, then?

    Posted by iang at 03:27 PM | Comments (1) | TrackBack

    February 22, 2007

    Threatwatch: $400 to 'own' your account

    Some numbers from Guillaume Lovet on what it costs to gain control of an online bank account:

    The most straightforward is to buy the 'finished product'. In this case we'll use the example of an online bank account. The product takes the form of information necessary to gain authorised control over a bank account with a six-figure balance. The cost to obtain this information is $400 (cybercriminals always deal in dollars).

    Also, roles:

    Coders - comparative veterans of the hacking community. With a few years' experience at the art and a list of established contacts, 'coders' produce ready-to-use tools (i.e. Trojans, mailers, custom bots) or services (such as making a binary code undetectable to AV engines) to the cybercrime labour force - the 'kids'. Coders can make a few hundred dollars for every criminal activity they engage in.

    Kids - so-called because of their tender age: most are under 18. They buy, trade and resell the elementary building blocks of effective cyber-scams such as spam lists, php mailers, proxies, credit card numbers, hacked hosts, scam pages etc. 'Kids' will make less than $100 a month, largely because of the frequency of being 'ripped off' by one another.

    Drops - the individuals who convert the 'virtual money' obtained in cybercrime into real cash. Usually located in countries with lax e-crime laws (Bolivia, Indonesia and Malaysia are currently very popular), they represent 'safe' addresses for goods purchased with stolen financial details to be sent, or else 'safe' legitimate bank accounts for money to be transferred into illegally, and paid out of legitimately.

    Mobs - professionally operating criminal organisations combining or utilising all of the functions covered by the above. Organised crime makes particularly good use of safe 'drops', as well as recruiting accomplished 'coders' onto their payrolls.

    And now for the big picture:

    All of the following phishing tools can be acquired very cheaply: a scam letter and scam page in your chosen language, a fresh spam list, a selection of php mailers to spam-out 100,000 mails for six hours, a hacked website for hosting the scam page for a few days, and finally a stolen but valid credit card with which to register a domain name. With all this taken care of, the total costs for sending out 100,000 phishing emails can be as little as $60. This kind of 'phishing trip' will uncover at least 20 bank accounts of varying cash balances, giving a 'market value' of $200 - $2,000 in e-gold if the details were simply sold to another cybercriminal. The worst-case scenario is a 300% return on the investment, but it could be ten times that.

    Better returns can be accomplished by using 'drops' to cash the money. The risks are high, though: drops may take as much as 50% of the value of the account as commission, and instances of 'ripping off' or 'grassing up' to the police are not uncommon. Cautious phishers often separate themselves from the physical cashing of their spoils via a series of 'drops' that do not know one another. However, even taking into account the 50% commission, and a 50% 'rip-off' rate, if we assume a single stolen balance of $10,000 - $100,000, then the phisher is still looking at a return of between 40 and 400 times the meagre outlay of his/her phishing trip.

    Good foundation for the risk analysis.

    Posted by iang at 12:56 PM | Comments (1) | TrackBack

    November 22, 2006

    CFP: 6W on the Economics of Information Security (WEIS 2007)

    The Sixth Workshop on the Economics of Information Security (WEIS 2007)

    The Heinz School, Carnegie Mellon University Pittsburgh (PA), USA
    June 7-8, 2007

    http://weis2007.econinfosec.org/

    C A L L F O R P A P E R S

    Submissions due: March 1, 2007

    How much should we spend on security? What incentives really drive privacy decisions? What are the trade-offs that individuals, firms, and governments face when allocating resources to protect data assets? Are there good ways to distribute risks and align goals when securing information systems?

    The 2007 Workshop on the Economics of Information Security builds on the success of the previous five Workshops and invites original research papers on topics related to the economics of information security and the economics of privacy. Security and privacy threats rarely have purely technical causes. Economic, behavioral, and legal factors often contribute as much as technology to the dependability of information and information systems. Until recently, research in security and dependability focused almost exclusively on technical factors, rather than incentives. The application of economic analysis to these problems has now become an exciting and fruitful area of research.

    We encourage economists, computer scientists, business school researchers, law scholars, security and privacy specialists, as well as industry experts to submit their research and attend the Workshop. Suggested topics include (but are not limited to) empirical and theoretical economic studies of:


    - Optimal security investment
    - Software and system dependability
    - Privacy, confidentiality, and anonymity
    - Vulnerabilities, patching, and disclosure
    - DRM and trusted computing
    - Trust and reputation systems
    - Security models and metrics
    - Behavioral security and privacy
    - Information systems liability and insurance
    - Information threat modeling and risk management
    - Phishing and spam


    **Important dates**

    - Submissions due: March 1, 2007
    - Notification of acceptance: April 10, 2007
    - Workshop: June 7-8, 2007

    For more information visit http://weis2007.econinfosec.org/.

    Posted by iang at 09:56 AM | Comments (0) | TrackBack

    October 18, 2006

    Tracking email - the disappearing myth, the #1 threat, versus ultra rare sighting of eavesdropping attack

    Shades of OTR -- off-the-record -- a protocol that claims to provide plausible deniability.

    A START-UP communications outfit is flogging a web-based email system that destroys the message after it has been read.

    VaporStream system from Void Communications, which apparently is not a euphemism for VapourWare, works from an encrypted webpage. A punter visits the site, lists the person they want to talk too and chats away.

    The names of the parties, or their messages are not stored anywhere and details can't be cut and pasted. Instead it is held on a temporary memory segment in a VaporStream server. When it is delivered, the server forgets that it ever existed.

    The big problem is that these approaches completely fail to understand the real threat models for real people, and arguably make matters worse by creating a false sense of security, and encouraging people to deny the truths that can be proved in other ways.

    The non-sexy #1 threat to email is breach of the node, and that threat breaches both of those approaches. Here's a reminder:

    Last fall, agents on the FBI's public corruption squad faced a problem: They couldn't read encrypted e-mail seized from State Sen. Vincent J. Fumo's offices.

    On Oct. 18, they got a break. Donald Wilson, a state Senate computer technician who had been granted immunity, suddenly remembered something, according to a newly unsealed FBI affidavit. He still had two portable data cards - with all the passwords to open the e-mail.

    Wilson's lawyer called authorities and turned over the passwords. The feds were in.

    With that breakthrough, the affidavit said, agents were able to read more Fumo office e-mails talking about destroying records and fretting about the FBI - a trail that helped lead to obstruction-of-justice charges against two other Fumo computer technicians, Leonard Luchko and Mark Eister.

    An actual eavesdropping attack on "aircraft email" spotted by Steve Bellovin:

    ... ACARS is like an automated email system used by aircraft and ground control. An ACARS-enabled plane will transmit all kinds of information about what the plane is doing: where it is and where it's going, how much fuel it has, what the weather is like, and so on. These automated "emails" between aircraft and their ground controllers are encoded into radio signals clustered around the 131 megahertz and 136 megahertz frequencies.

    A good scanner can receive these radio signals. To the ear, the transmissions sound like noise, but when filtered through a computer equipped with a software-based decoder the information contained in the airplanes' messages becomes comprehensible. Like notebooks filled with tail numbers and landing times, ACARS monitoring produces an endless stream of ridiculously detailed information, which ACARS enthusiasts from around the world dutifully post online.

    The "open source" attack (c.f. John Robb) on the CIA's illegal renditions -- known as the torture taxi -- makes for fascinating reading. How relevant is such a threat model to general FC? In the past I would have said not relevant due to the context, but the recent open source work on the AOL privacy breach makes me think it is a valid threat, and the article is therefore valid case material.

    It is curious to see how they would solve the ACARS problem. The only way that I can see is to use open source techniques of opportunistic cryptography, something that obviously has been fought against by the CIA and others. So the eavesdropping attack on plane traffic can be considered to be yet another example of how the USG's policy of low Internet security bites back. Chalk up another "Own Goal" like the Israeli "Defence" Force (IDF) results of last month (1, 2).

    September 27, 2006

    Threatwatch - the Feds are back, Israel finds it cuts both ways, Cybersecurity Enemy #1

    A while back I postulated that email spying was now a present danger, and only lacking in clarity before it becomes a full-blooded validated threat. This sets us the task of tracking the trackers of email, so that we can create a model to predict how that threat effects us and our designs.

    I haven't seen statistics on email snooping as yet, but here's some related news. The FBI is back with intent to spy:

    The FBI has drafted sweeping legislation that would require Internet service providers to create wiretapping hubs for police surveillance and force makers of networking gear to build in backdoors for eavesdropping, CNET News.com has learned.

    FBI Agent Barry Smith distributed the proposal at a private meeting last Friday with industry representatives and indicated it would be introduced by Sen. Mike DeWine, an Ohio Republican, according to two sources familiar with the meeting.

    News of tracking email in US universities aimed at those protesting against unpopular policies:

    The Department of Defense monitored e-mail messages from college students who were planning protests against the war in Iraq and against the military's "don't ask, don't tell" policy against gay and lesbian members of the armed forces, according to surveillance reports released last month. While the department had previously acknowledged monitoring protests on campuses as national-security threats, it was not until recently that evidence surfaced showing that the department was also monitoring e-mail communications that were submitted by campus sources.

    The surveillance reports -- which were released to lawyers for the Servicemembers Legal Defense Network on June 15 in response to a Freedom of Information Act request filed by the organization last December -- concern government surveillance at the State University of New York at Albany, Southern Connecticut State University, the University of California at Berkeley, and William Paterson University of New Jersey. The documents contain copies of e-mail messages sent in the spring semester of 2005 detailing students' plans to protest on-campus military recruitment.

    The reports are part of a government database known as Talon that the Department of Defense established in 2003 to keep track of potential terrorist threats. Civilians and military personnel can report suspicious activities through the Talon system using a Web-based entry form. A Pentagon spokesman, Greg Hicks, would not verify whether the reports released last month were follow-ups to tips from military or government personnel, or from civilians at the universities.

    This is a little different in that civilians seem to monitor and report the emails to the Pentagon. Universities are places were one would expect at least passing familiarity with civil rights and so forth, so it is somewhat curious to speculate who on campuses would be tipping off the authorities about protests against on-campus military activities...

    The Talon reporting system gained national attention in December 2005 when NBC News obtained a copy of a 400-page Department of Defense document listing more than 1,500 "suspicious incidents" that had taken place across the country. Only 21 pages were released to the Servicemembers Legal Defense Network, since the group requested only documents related to lesbian, gay, bisexual, and transgender individuals and student groups. Mr. Hicks would not disclose the total number of reports that have been filed under the Talon program.

    OK, Numbers! We can conclude that minority sexual preferences represent 5% of the current threat level to the DoD. If each page has an email on it, that gives 1500 emails reported in the programme -- that's not a particularly robust estimate but it might represent a lower bound.

    And, wait until they get their mits on phone viruses, which store all that juicy lovetalk.

    A company, Trust Digital of McLean, Va., bought 10 different phones on eBay this summer to test phone-security tools it sells for businesses. The phones all were fairly sophisticated models capable of working with corporate e-mail systems.

    Curious software experts at Trust Digital resurrected information on nearly all the used phones, including the racy exchanges between guarded lovers. The other phones contained:

    1. One company's plans to win a multimillion-dollar federal transportation contract.
    2. E-mails about another firm's $50,000 payment for a software license.
    3. Bank accounts and passwords.
    4. Details of prescriptions and receipts for one worker's utility payments.

    A while back I reported that people worrying about cell/mob/handy phone tapping where missing the point - there is tracking ability which is far more useful than tapping ability. Sad to say, that battle is pretty much all over as phones move to include GPS by default.

    One Facebook user, signing the petition opposing the recent changes, noted: "I find it sad this is one of the few issues our generation can band together, complain online and take little real action over. (ROFL)". Therein lies the crux about privacy and tracking: most vehement complaining takes place after people feel they have been victimised by technology, and long after it has been popularised.

    We are moving as a society to total tracking, and the privacy community didn't notice until it was all over.

    So who loses? Well, the Israeli Defence Force, for one. Alexander Klimov made the connection on the crypto list (which I missed even as I reported on the Sigint story):

    My guess that at least some information was leaked due to cellular phones (the solders were routinely calling their families).
    "Besides radio transmissions, the official said Hezbollah also monitored cell phone calls among Israeli troops. But cell phones are usually easier to intercept than military radio, and officials said Israeli forces were under strict orders not to divulge sensitive information over the phone."

    Even if one don't care what was said over the phone, a lot of information can be extracted from mere location of a phone (especially, if one knows the owner of each phone):

    "Israeli officials said the base also had detailed maps of northern Israel, lists of Israeli patrols along the border and cell phone numbers for Israeli commanders."

    The Hezbollah tracking was on the individuals. They tracked the commanders as indicative of where the units were. Oops. I'd just love to be part of the design exercise to fix that blooper :)

    This is the core failure that the US government foistered on the world. Since time immemorial, the USG has maintained crypto as a munition, and thus it is to be suppressed. This has led to two effects: firstly, the civilian Internet infrastructure is weak and brittle, due to the effect of lots of little barriers against crypto. Our best ally in security suffered the "death of a thousand cuts," as it were.

    Secondly, as the civilian infrastructure overtook the military infrastructure, it left the military operations vulnerable when inevitably civilian assets were used for military tasks. If you've ever used military radio gear, you know you have a big problem when every soldier carries a much more powerful device in his pocket, albeit one deliberately weakened by government intervention.

    Without dwelling on these points, we can also suggest that this explains why the job of Cybersecurity Czar is a woftam: the employer is cybersecurity's enemy number one.

    Posted by iang at 09:03 AM | Comments (3) | TrackBack

    September 20, 2006

    Threatwatch - sigint by Hezbollah, nyms by torture units, closed source weaponry

    Felix points to a Newsday article that describes signals intelligence in the recent Lebanon battle.

    Hezbollah guerrillas were able to hack into Israeli radio communications during last month's battles in south Lebanon, an intelligence breakthrough that helped them thwart Israeli tank assaults, according to Hezbollah and Lebanese officials.

    Using technology most likely supplied by Iran, special Hezbollah teams monitored the constantly changing radio frequencies of Israeli troops on the ground. That gave guerrillas a picture of Israeli movements, casualty reports and supply routes. It also allowed Hezbollah anti-tank units to more effectively target advancing Israeli armor, according to the officials.

    "We were able to monitor Israeli communications, and we used this information to adjust our planning," said a Hezbollah commander involved in the battles, speaking on the condition of anonymity.

    First off, article tries and fails to make the case that the codes were cracked. If that article is anything to go by, it was straightforward -- and well done -- signals intelligence, not code cracking. (El Reg describes it more fairly.) Secondly, it provides more evidence for the reasons behind the Israeli defeat at the hands of the Hezbollah (defeat in straight military mission terms):

    "The Israelis did not realize that they were facing a guerrilla force with the capabilities of a regular army," said a senior Lebanese security official who asked not to be identified. "Hezbollah invested a lot of resources into eavesdropping and signals interception."

    The Israelis like many modern political movements have been so well fed on a diet of terrorism that they missed the transition. Hezbollah has moved from terrorism through guerilla and up to army status, as laid out in the theory of guerilla warfare. The depth of sigint capability bears this out.

    Aside from minor criticisms, a good article. Why talk matters military on an FC blog? One of the reasons that the Internet is so messed up, security wise, is that the threat models derived from military and spook lore. For example, the MITM is more of a threat in the military, less of a threat on the net (rising commercial use of wireless might have been expected to change that, but there isn't much empirical evidence). This failure to understand the different threat models caused massive rollouts of unneeded infrastructure, stuff that could help us now but is instead being slowly built around by banks, merchants and other institutions.

    Just because we were fooled once doesn't mean we can't be fooled again, so it is important to keep an eye on related threat fields. Here's some older notes on recent threats in the military world.

    In the ongoing saga of institutional torture in the US forces, the NYT published a new case regarding an elite terrorist unit known briefly as Task-Force 6-26 (SMH). Not only does the unit change its name from time to time the individual soldiers have picked up the trick:

    Army investigators were forced to close their inquiry in June 2005 after they said task force members used battlefield pseudonyms that made it impossible to identify and locate the soldiers involved. The unit also asserted that 70 percent of its computer files had been lost.

    Pseudonyms are not perfect. But, they can do a lot to help privacy, in that they break the chain of investigation. It's not so easy in digital systems, because the pseudonyms are generally used to communicate with other pseudonyms or persons, and that leaves a chain to track back, as well as the tendency for server software to log lots of events. But with persons, it is a grand trick.

    Military and legal experts say the full breadth of abuses committed by Task Force 6-26 may never be known because of the secrecy surrounding the unit, and the likelihood that some allegations went unreported. In the summer of 2004, Camp Nama closed and the unit moved to a new headquarters in Balad, 45 miles north of Baghdad. The unit's operations are now shrouded in even tighter secrecy.

    Secrecy is always a threat to your operations. It may bring benefits, but the costs are severe as secrecy hides weaknesses from yourself as well as your enemy, and there is no easy way to know who can breach that veil. It is the canonical two-edged sword, and we generally address such threats-to-self with governance techniques - separation of roles also known as the 4 eyes principle, publication of key events, entangled logging, shared signed receipts, and so forth.

    Which leads us to the age-old problem of buying stuff from people you don't trust. Ben pointed to:

    The UK has warned America that it will cancel its £12bn order for the Joint Strike Fighter if the US does not hand over full access to the computer software code that controls the jets. Lord Drayson, minister for defence procurement, told the The Daily Telegraph that the planes were useless without control of the software as they could effectively be "switched off" by the Americans without warning.

    Well, of course. The software for those planes is quite something, and only the source code is going to give you some confidence that there aren't any backdoors.

    In a related episode, Washington DC discovered around the same timeframe that there may be an issue with the Boeing 787, so they have asked Boeing to not hand over any military or secret related material to the Chinese. Whoops, too late, it turns out the wing is being manufactured in China ... for those who don't know, in avionics terms, the wing is the prize as it is the one component that limits and dominates everything else, design wise.

    Posted by iang at 06:27 AM | Comments (1) | TrackBack

    July 18, 2006

    Threatwatch - "you again operate impulsively in the manner"

    Apparently, I sent this email to someone, and it bounced, possibly because of the attached viruses!

    Subject: Re: The Proof !!!
    From: iang
    Date: Tue, 18 Jul 2006 09:26:04 +0200
    To: anton

    Hello,

    Monday, July 17, 2006,3:14:35 PM, you wrote:

    > >I think that you again operate impulsively in the manner
    > >calm down and tell though that any that simply more than
    > >simple charges your jealousy does not know a limit!!!!!

    I do not understand why you still screen its all.
    I have collected already so much proofs, that
    listening to your remarks is inclined to think
    as at you with it something too was.
    Now I already avoiding half-words send photos
    where it does sucked to my boss!
    Well, also what you to me on it will tell?

    P.S. To anybody it do not show.
    If I from your neighbour learn as you have transformed it into a
    circus, I to you guarantee troubles. Within the next few days
    do not write, I have already drunk in office and I think
    to go for city that and you I wish.

    --
    Best regards,
    iang mailto:iang

    What answer is there to that?

    Posted by iang at 06:49 AM | Comments (3) | TrackBack

    July 10, 2006

    Threatwatch - 2-factor tokens attacked by phishers - another "must-have" security tool shown to be fighting the last war

    Lance James points out that Phishers have moved on to attacking 2-factor authentication tokens:

    The site asks for your user name and password, as well as the token-generated key. If you visit the site and enter bogus information to test whether the site is legit -- a tactic used by some security-savvy people -- you might be fooled. That's because this site acts as the "man in the middle" -- it submits data provided by the user to the actual Citibusiness login site. If that data generates an error, so does the phishing site, thus making it look more real.

    This news (Brian Krebs in a Washington Post blog) has been expected (#10.3) for a long time. It's a timeline point -- we've moved to that stage.

    More bad news for suppliers of 2-factor tokens and also US Banks which got a quasi-recommendation to implement something like this. I say, quasi-something, because the FDIC carefully did not recommend any specific technology, choosing instead to recommend that banks carefully review their risk-based exposure (although I also called it wrongly, initially). The banks themselves may have assumed tokens or similar, for whatever reason.

    It has been interesting to watch RSASecurity deal with this. I'd say they saw the writing on the wall maybe a year or two ago. They aggressively expanded from their older PKI roots and their staple SecureId 2-factor token by buying more modern companies such as Cyota in Britain. It was Cyota that pushed them into "defence in depth" which involved transaction monitoring and risk-graduated authentication mechanisms.

    RSASecurity also purchased PassMark which had a big deal to provide Bank Of America with unique pictures for each account user, in what they call their "2-factor-2way" solution. Between the two of them, these two companies buried the older "2-way authentication" system known as SSL which RSASecurity had had so much to do with in the early days (the one the phishers showed to be a Maginot defence).

    Now the phishers count coup again -- PassMark's technology is also vulnerable to the new phishing attack. Being bought out by EMC might have been a good move alround.

    Now, the casual marketeer will take this as gloating. We've predicted this for so long, we must be overjoyed. No such. That would be their own lack of familiarity at open criticism, an essential tool in risk management, because attackers brook no marketing fools. Here's where we are at.

    Firstly, the industry is in dire straights and the sooner we recognise it the better. RSASecurity, or Cyota as it happens, recognised the broken SSL system a while back.

    Secondly, it is absolutely vital that this information be put out in to the wider community. European banks have been working like mad for 6 months. American banks are still fighting the last war, and while they are looking backwards, there are more enemies coming up. American banks, for lethargy and bad advice, and American security suppliers, for liability *1, 2) and overzealous histories, are especially vulnerable.

    It is American account holders to whom this column is devoted, today.

    Posted by iang at 05:48 PM | Comments (3) | TrackBack

    Galileo (EuroGPS) cracked

    Darren points to a development reminiscent of satellite TV: the codes to protect the European Galileo satellite's positioning signals have been cracked by a team from Cornell University in USA. Full story below:


    Cracking the secret codes of Europe's Galileo satellite

    Members of Cornell's Global Positioning System (GPS) Laboratory have cracked the so-called pseudo random number (PRN) codes of Europe's first global navigation satellite, despite efforts to keep the codes secret. That means free access for consumers who use navigation devices -- including handheld receivers and systems installed in vehicles -- that need PRNs to listen to satellites.

    The codes and the methods used to extract them were published in the June issue of GPS World.

    The navigational satellite, GIOVE-A (Galileo In-Orbit Validation Element-A), is a prototype for 30 satellites that by 2010 will compose Galileo, a $4 billion joint venture of the European Union, European Space Agency and private investors. Galileo is Europe's answer to the United States' GPS.

    Because GPS satellites, which were put into orbit by the Department of Defense, are funded by U.S. taxpayers, the signal is free -- consumers need only purchase a receiver. Galileo, on the other hand, must make money to reimburse its investors -- presumably by charging a fee for PRN codes. Because Galileo and GPS will share frequency bandwidths, Europe and the United States signed an agreement whereby some of Galileo's PRN codes must be "open source." Nevertheless, after broadcasting its first signals on Jan. 12, 2006, none of GIOVE-A's codes had been made public.

    In late January, Mark Psiaki, associate professor of mechanical and aerospace engineering at Cornell and co-leader of Cornell's GPS Laboratory, requested the codes from Martin Unwin at Surrey Space Technologies Ltd., one of three privileged groups in the world with the PRN codes.

    "In a very polite way, he said, 'Sorry, goodbye,'" recalled Psiaki. Next Psiaki contacted Oliver Montenbruck, a friend and colleague in Germany, and discovered that he also wanted the codes. "Even Europeans were being frustrated," said Psiaki. "Then it dawned on me: Maybe we can pull these things off the air, just with an antenna and lots of signal processing."

    Within one week Psiaki's team developed a basic algorithm to extract the codes. Two weeks later they had their first signal from the satellite, but were thrown off track because the signal's repeat rate was twice that expected. By mid-March they derived their first estimates of the code, and -- with clever detective work and an important tip from Montenbruck -- published final versions on their Web site (http://gps.ece.cornell.edu/galileo) on April 1. The next day, NovAtel Inc., a Canadian-based major manufacturer of GPS receivers, downloaded the codes from the Web site and within 20 minutes began tracking GIOVE-A for the first time.

    Galileo eventually published PRN codes in mid-April, but they weren't the codes currently used by the GIOVE-A satellite. Furthermore, the same publication labeled the open source codes as intellectual property, claiming a license is required for any commercial receiver. "That caught my eye right away," said Psiaki. "Apparently they were trying to make money on the open source code."

    Afraid that cracking the code might have been copyright infringement, Psiaki's group consulted with Cornell's university counsel. "We were told that cracking the encryption of creative content, like music or a movie, is illegal, but the encryption used by a navigation signal is fair game," said Psiaki. The upshot: The Europeans cannot copyright basic data about the physical world, even if the data are coming from a satellite that they built.

    "Imagine someone builds a lighthouse," argued Psiaki. "And I've gone by and see how often the light flashes and measured where the coordinates are. Can the owner charge me a licensing fee for looking at the light? … No. How is looking at the Galileo satellite any different?"


    Adam pointed to more here and slashdot.

    Posted by iang at 05:26 AM | Comments (4) | TrackBack

    June 25, 2006

    FC++3 - Concepts against Man-in-the-Browser Attacks

    This emerging threat has sent a wave of fear through the banks. Different strategies have been formulated and discussed in depth, and just this month the first roll-outs have been seen in Germany and Austria. This information cries out for release as there are probably 10,000 other banks out there that would have to go through and do the work again.

    Philipp Gühring has collected the current best understanding together in a position paper entitled "Concepts against Man-in-the-Browser Attacks."

    Abstract. A new threat is emerging that attacks browsers by means of trojan horses. The new breed of new trojan horses can modify the transactions on-the-fly, as they are formed in in browsers, and still display the user's intended transaction to her. Structurally they are a man-in-the-middle attack between the the user and the security mechanisms of the browser. Distinct from Phishing attacks which rely upon similar but fraudulent websites, these new attacks cannot be detected by the user at all, as they are use real services, the user is correctly logged-in as normal, and there is no difference to be seen.

    The WYSIWYG concept of the browser is successfully broken. No advanced authentication method (PIN, TAN, iTAN, Client certificates, Secure-ID, SmartCards, Class3 Readers, OTP, ...) can defend against these attacks, because the attacks are working on the transaction level, not on the authentication level. PKI and other security measures are simply bypassed, and are therefore rendered obsolete.

    If you are not aware of these emerging threats, you need to be. You can either get it from sellers of private information or you can get it from open source information sharing circles like FC++ !

    Posted by iang at 12:43 PM | Comments (8) | TrackBack

    June 24, 2006

    SWIFT breached - Big Badda Boom - will this hasten dollar shift?

    SWIFT has been breached. We can argue about the definition of this, but we'll knock that one right on the head:

    CIA operatives trying to track Osama bin Laden's money in the late 1990s figured out clandestine ways to access the SWIFT network. But a former CIA official said Treasury officials blocked the effort because they did not want to anger the banking community.
    ...
    Unlike telephone lines and e-mail communications, the SWIFT network cannot be easily tapped. It uses secure log-ins and state-of-the-art encryption technology to prevent intercepted messages from being deciphered. "It is arguably the most secure network on the planet," said the former SWIFT executive who spoke on condition of anonymity. "This thing is locked down like Fort Knox."

    So what was holding back the CIA from tracing Osama's cash through SWIFT in the late 1990s? The Treasury department, that's who:

    Historically, "there was always a line of contention" inside the government, said Paul Pillar, former deputy director of the CIA's counterterrorism center. "The Treasury position was placing a high priority on the integrity of the banking system. There was considerable concern from that side about anything that could be seen as compromising the integrity of international banking."

    The money system is the be-all and end-all. It is the rock on which society is built - it intermediates all transactions. It counts all wealth, at the end of the day. It delivers the information that makes the economy work. So when the Treasury said to the spooks "mitts off" it was speaking with more than ordinary concern.

    Which all vanished when 9/11 came along. The economy -- the money system -- became second priority, and the US isn't a country for second places. Damage control is immediate by John Snow, Treasury Secretary:

    "President Bush has made it clear that ensuring the safety of the American people and citizens around the globe must be our number one priority.

    "Consistent with this charge, one of the most important things we at Treasury do is to follow the flow of terrorist monies. They don't lie. Skillfully followed, they lead us to terrorists themselves, thereby protecting our citizens.

    Some more damage control here.

    The danger of breaching SWIFT and putting the database into the hands of the various and many US agencies is still present, or the US Treasury was talking out its hat to the CIA in the 1990s. This is obviously going to surprise the banks around the world, not to mention governments like Iran which are "by US fiat" terrorist supporting, China that is locked in a resource battle, and Russia which is emerging from the old cold war days as power that wants reckoning with. Even in the cold war, Russia and allies like Cuba dealt in dollars.

    Does this system work? Does John Snow have the picture? We have to make a judgement call here. Every official will leap to the defence, but these are the same officials that kept it secret in the first place. But we can expect some ex-officials to express their skepticism:

    Current and former U.S. officials said the effort has been only marginally successful against Al Qaeda, which long ago began transferring money through other means, including the highly informal banking system common in Islamic countries.

    The value of the program, Levey and others said, has been in tracking lower- and mid-level terrorist operatives and financiers who believe they have not been detected, and militant groups, such as Hezbollah, Hamas and Palestinian Islamic Jihad, that also operate political and social welfare organizations.

    Of course there is another reason why this won't be much good: If Osama Bin Laden or his team were congenitally stupid, they might imagine that SWIFT had not been breached, and the somewhat famed Belgian penchant for banking secrecy would protect them. Sadly for all his victims, we have plenty of evidence that he is fairly smart, he is very far from dumb, and even if this were the case, even the stupidist and thuggiest of drugs dealers seem to be quite adept at hiring good money launderers, if the claimed growth of that money flow is any guide.

    (To be frank, I'm a bit surprised at the blow up of this one. I suppose I simply assumed from way back that SWIFT records were already being funnelled to the UST. Consider any outrage written here to be journalistic.)

    In effect, the Bush administration have taken on the ire of the banking world, for no gain. It remains to be seen what will be made of this in other countries. John Snow, Treasury Secretary, says response is isolated to the Press. Keep reading those papers, Mr Snow - Banks normally do not signal their displeasure so openly, so you can be sure that you won't have too much worry there...

    Moving on from the mild gossip stuff, let's get to the harder governance questions.

    We can imagine that many banks and many governments will be going through that "Big Badda Boom" moment as they realise who's reading their traffic. Expect more pressure on the dollar, and more pressure for independent systems. The islamic world will almost certainly push for something, but probably not Sealand, which burnt out today. Any country on the axis-of-evil list is a gonna, as they are by US-definition terrorist-related.

    Examine the case of SWIFT. In comes the subpoena, which they make great stress of as compulsory. But let's make no bones about it -- this was a force-based subpoena, and probably an illegal one at that, or backed up by an Executive Order that was probably itself "presidential writ of the novel kind."

    What then to do? Comply, probably, in the instance. There is no point in SWIFT leaving the United States, as there are more banks there than the rest of the world put together (an artifact of State banking, not necessarily anything else.) But, in the meantime, design of systems to very carefuly limit the damage would be appreciated. Minimal information, and oversight.

    Oversight? Let's talk about oversight.

    In a major departure from traditional methods of obtaining financial records, the Treasury Department uses a little-known power - administrative subpoenas - to collect data from the SWIFT network, which has operations in the U.S., including a main computer hub in Manassas, Va. The subpoenas are secret and not reviewed by judges or grand juries, as are most criminal subpoenas. ... Treasury shares the data with the CIA, the FBI and analysts from other agencies, who can run queries on specific individuals and accounts believed to have terrorist connections, Levey said Thursday in an interview with The Times. ... Levey said the program is subject to "robust" checks and balances designed to prevent misuse of the data. He noted that requests to access the data are reviewed by Treasury's assistant secretary for intelligence; that analysts can only access the data for terrorism-related searches; and that records are kept of each search and are reviewed by an outside auditor for compliance.

    Levey said there had been one instance of abuse in which an analyst had conducted a search that did not meet the terrorist-related criteria. The analyst was subsequently denied access to the database, he said. New safeguards have been added, he said, noting that SWIFT officials are now allowed to be present when analysts search the data and to raise objections with top officials.

    Officials from other government agencies have raised the issue of accessing the records for other investigative purposes, but Levey said such proposals have been rejected - largely out of concern that doing so might erode support for the program.

    Asked what would prevent the data from being used for other purposes in the future, Levey said doing so would likely trigger objections from SWIFT and the outside auditor. A SWIFT representative said that Booz Allen Hamilton, an international consulting firm, is the auditor, but provided no further details on how the oversight process works.

    OK, so this time they have taken data sharing seriously. They know this data is hot, hot, hot, given the unprecedented step to protect it before being caught. They have 3 sets of guardians (2 better than hapless Sealand).

    Unfortunately the oversight is crippled: An internal review of requests. SWIFT officers, who are already compromised and an auditor who is unlikely to blow the lid on it, as he's covered by national security, secrecy, and great pay. In short, nothing independent, nothing open and nothing with teeth. No judge, not even FISA. Signs are Congressional oversight is limited to the extent that they cannot see what it does:

    Lee Hamilton, a former congressman and co-chairman of the commission who said he has been briefed on the SWIFT program, said U.S. intelligence agencies have made significant progress in recent years, but are still falling short. "I still cannot point to specific successes of our efforts here on terrorist financing," he said.

    I'd give it 3 years before it is comprehensively breached. If they didn't want that then they would have set up the tracking in Brussels, and put in international oversight. Curiously, maybe Congress will wake up at this point and realise that they've got a tiger by the tail. When that transaction tracking starts getting used for non-terrorist purposes, there are going to be some very annoyed people.

    Posted by iang at 02:10 PM | Comments (3) | TrackBack

    June 19, 2006

    White Helicopter - Is eavesdropping a "Clear and Present Danger" - the definition of a validated threat?

    We have often discussed how threats arise and impact security models. The hugely big question is whether to include this threat or this other threat? I think there is a metaphor to address part of this question - whether a threat is a clear and present danger. Let me meander in that general direction before I try and define it.

    We cannot include all threats as to some extent everything is a threat - a chance of stubbing ones toe, a harsh word from your spouse, a neighbour looking over the fence, the theft of your notebook. Removal of all threats would result in death of the soul, and can probably only be accomplished by death of the body.

    So we must choose - which threats to protect against and which to accept. We give it the exotic title of risk management, but a more common definition is real life: we can only live by choosing to accept the greater body of the minor threats to us, and minimising the dangerous ones.

    How we choose which threats to address is based on many factors. Some are easy - we can defend against them for free. Others are so cheap that we don't notice, or they come with substantial other benefits. So, to preserve our modesty, we wear clothes - and that keeps us warm so we get the security for free. Except in summer, where humans are exposed to interesting social games between the threat model of modesty and the heat of the sun, which raise for some deep questions as to whether nudity is the threat, or is the modesty? But then winter comes again and the argument is shelved for another year.

    Other threats are not so easy nor so endearing to discuss. These are the ones that run slap bang into costs. The canonical case in financial cryptography is the MITM - the man in the middle attack -- and its defence in the SSL protocol. I think I have shown in compelling, albeit long winded, terms, that this threat was not valid and not worth protecting against in the application sometimes known as ecommerce. It raised many costs, one amongst them being a heightened risk of MITM in another form - phishing. See many rants on that elsewhere.

    One of the things that came out of that long research into SSL and its failure to preserve the very harm it was intended to protect is the concept that a threat should be validated. I only had a hazy idea that this meant that we should be able to prove its danger to us, clearly, enough for us to protect against it.

    Now, in addressing the emerging threat of eavesdropping, the question arises whether it is validated? We can see it, we can feel it - it is in the papers and the blogs and in the "denials." But is it validated?

    I think not. Until we know how much it is, we don't know how what the risk of it happening to us is, and therefore we do not know how much to spend protecting against it. We simply do not know -- yet -- how much the eavesdropping is going to cost us, either individually or as a society. So we are not informed enough to make economic decisions.

    But wait! I've laid out a case that the danger of eavesdropping is right there in front of us -- how can we possibly ignore it? Let's look a little further.

    The possibility of eavesdropping by national agencies has always been there. I first heard of Echelon in the early 80s -- so far back in time that I can't recall where or when it was mentioned. But, I also knew -- or discovered at that time -- that it was ineffective. That is, it did not achieve the dream of the technologists at the UKUSA agencies. (For the answer to why you probably need to resort to computer science and the emergence of datamining.)

    So we know that eavesdropping has always been there, in Internet time. It is present. But also, we know that traditionally, societies did not permit the eavesdroppers to share that information. History is replete with examples where the spooks were not permitted to pass valuable local intelligence to the authorities, and no doubt they all have stories about how they know who the killer was in this or that unsolved murder case.

    So we know that however effective the eavesdropping was, it wasn't dangerous to us because it was so tightly constrained that it would never be passed into general society. That was the quid pro quo, the deal with the devil.

    And indeed, that is what has changed -- the eavesdropping information is now being shared across a wide group of agencies. It's only a step away from being commercially shared, once you can pick and choose which agency to pervert. So it is now dangerous to society - to you, me and everyone - because there is always someone with money to pay for data that we are trying to keep private.

    But we lack clarity. As a community of Internet engineers, we still do not know how much this danger is going to cost us. I simply do not know whether to drop everything I'm doing and start working on cryptoplumbing again, or whether for the most part, someone can still hide in the noise levels of the net? We lack clarity, or clearness, in our threat.

    Out of which thoughts gives me a general definition for a validated threat: Is it a clear and present danger?

    • It is Clear if I can measure it and risk-analyse it, so as to present a cost model to drive our economic choices.
    • It is Present if I can show it to exist, actively, today.
    • It is a Danger if it can do our beneficiaries harm.

    Eavesdropping is Present and Dangerous. It is not yet Clear, so we are now challenged as a community to measure it. Once we can inform ourselves of the clarity of the threat, we can declare it to be a validated threat - a clear and present danger. We're not there yet, but at least I can propose a definition on how to get there!

    Posted by iang at 05:56 PM | Comments (0) | TrackBack

    Black Helicopter #2 (ThreatWatch) - It's official - Internet Eavesdropping is now a present danger!

    A group of American cryptographers and Internet engineers have
    criticised the FCC for issuing an order that amounts to a wiretap instruction for all VoIP providers.

    For many people, Voice over Internet Protocol (VoIP) looks like a nimble way of using a computer to make phone calls. Download the software, pick an identifier and then wherever there is an Internet connection, you can make a phone call. From this perspective, it makes perfect sense that anything that can be done with a telephone, including the graceful accommodation of wiretapping, should be able to be done readily with VoIP as well.

    The FCC has issued an order for all ``interconnected'' and all broadband access VoIP services to comply with Communications Assistance for Law Enforcement Act (CALEA) --- without specific regulations on what compliance would mean. The FBI has suggested that CALEA should apply to all forms of VoIP, regardless of the technology involved in the VoIP implementation.

    In brief the crypto community's complaint is that it is very difficult to implement such enforced access, and to do so may introduce risks. I certainly agree with the claim of risks, as any system that has confused requirements becomes brittle. But I wouldn't bet on a company not coming out with a solution to these issues, if the right way to place the money was found. I've previously pointed out that Skype left in a Centralised Vulnerability Party (CVP, sometimes called a TTP), and last week we were reminded of the PGP Inc blunder by strange and bewildering news over in Mozilla's camp.

    So where are we? The NSA has opened up the ability to pen-trace all US phones, more or less. Anyone who believes this is as far as it goes must be disconnected from the net. The EFF's suit alleges special boxes that split out the backbone fibre and suck it down to Maryland in real time. The FBI has got the FCC to order all the VoIP suppliers into line. Mighty Skype has been brought to heel by the mighty dollar, so it's only a phone call away.

    Over in other countries - where are they, again? - there is some evidence that police in European countries have routine access to all cellphone records. There is other evidence that the EU may already have provided the same call records to the US (but not the other way around, how peculiar of those otherwise charming Europeans) in much the same way as last week the EU were found to be illegally passing private data on air travellers. To bring this into perspective, China of course leads the *public* battle for most prominent and open eavesdropper with their Cisco Specials, but one wonders whether they would be actually somewhat embarrassed if their capabilities were audited and compared?

    If you are a citizen of any country, it seems, you need not feel proud. What can we conclude?

    1. Eavesdropping has now moved to a real threat for at least email and VoIP, in some sense or other.
    2. Can we say that it is a validated threat? No, I think not. We have not measured the frequency and cost levels so we have no actuarial picture. We know it is present, but we don't know how big it is. I'll write more on this shortly.
    3. The *who* that is doing it is no longer the secure, secret world of the spooks who aren't interested in you. The who now includes the various other agencies, and they *are* interested in you.
    4. Which means we are already in a world of widespread sharing across a wide range of government agencies. (As if sharing intel has not been a headline since 9/11 !)
    5. it is only one step from open commercial access. Albeit almost certainly illegal, there isn't likely to be anything you can do about illegally shared data, because it is the very agents of the law which are responsible for the breach, and they will utter the defence of "national security," to you, and the price, to your attacker.
    6. An assault on crypto can't be that far off. The crypto wars are either already here again, or so close we can smell them.
    7. We are not arguing here, today, whether this is a good thing for the mission to keep us safe from terrorists, or a bad thing. Which is just as well, because it appears that when they are given the guy's head on a plate, the law enforcement officers still prefer to send out for takeaway.

    My prediction #1for 2006 that government will charge into cyberspace in a big way is pretty much confirmed at this stage. Obviously this was happening all along, so it was going to come out. How important is this to you the individual? Here's an answer: quite important. And here's
    some evidence:

    What is Political Intelligence?Political intelligence is information collected by the government about individuals and groups.
    Files secure under the Freedom of Information Act disclose that government officials have long been
    interested in all forms of data. Information gathered by government agents ranges from the most personal data about sexual liaisons and preferences to estimates of the strength of groups opposing U.S. policies. Over the years, groups and individuals have developed various ways of limiting the collection of information and preventing such intelligence gathering from harming their work.

    It has now become routine for political activists -- those expressing their rights under democracy -- to be investigated by the FBI. In what is a blowback to the days of J.Edgar Hoover, these activists now routinely advising their own people on how to lawfully defend themselves.

    Hence the pamphlet above. There are two reasons for gathering information on 'sexual liasons and preferences.' Firstly, blackmail or extortion. Once an investigator has secret information on someone, the investigator can blackmail -- reveal that information -- in order to extort the victim to turn on someone else. Secondly, there may be some act that is against the law somewhere, which gives a really easy weapon against the person. Actually, they are both the same reason.

    If there is anyone on the planet who thinks that such information shouldn't be protected then, I personally choose not to be persuaded by that person's logic ("I've got nothing to hide") and I believe that we now have a danger. It's not only from the harvesting by the various authorities:

    Peter G, 41, asked for a divorce from his wife of six years, Lori G, 38, in March 2001. ... Lori G filed a counterclaim alleging the following: <snip...> and wiretapping. The wiretapping charges are what make this unfortunate case relevant to Police Blotter. ... But Peter admitted to "wiretapping" Lori's computer.

    The description is general: Peter used an unspecified monitoring device to track his wife's computer transactions and record her e-mails. Lori was granted $7,500 on the wiretapping claim. ...

    This is hardly the first time computer monitoring claims have surfaced in marital spats. As previously reported by CNET News.com, a Florida court ruled last year that a wife who installed spyware on her husband's computer to secretly record evidence of an extramarital affair violated state law.

    Some hints on how to deal with that danger. Skype is probably good for the short term in talking to your loved one while he still loves you, notwithstanding their CVP, as that involves an expensive, active aggressive act which incurs a risk for the attacker. However, try and agree to keep the message history off - you have to trust each other on this, as the node and your partner's node remain at greater danger. Email remains poor because of the rather horrible integration of crypto into standard clients - so use Skype or other protected chat tools.

    Oh, and buy a Mac laptop. Although we do expect Macs to come under increased attention as they garner more market share, there is still a benefit in being part of a smaller population, and the Mac OS is based on Unix and BSD, which has approximately 30 years of attention to security. Windows has approximately 3 years, and that makes a big difference.

    (Disclosure: I do not own a Mac myself, but I do sometimes use one. I hate the GUI, and the MacMini keyboards are trash.)

    Posted by iang at 01:20 PM | Comments (1) | TrackBack

    Black Helicoptor #1 - Is the data theft epidemic more than coincidental?

    [Note - don't normally post speculative or black helicoptor stuff, but this one is at least tantalisingly plausible, and deserves to be debunked. Darren posts:]

    According to Wayne Madsen http://www.waynemadsenreport.com/

    "June 17, 2006 -- What's behind all the personal data thefts?

    Populating the surveillance databases specified by John Poindexter's Total Information Awareness (TIA) system. WMR has learned that the thefts of personal data from corporations and government agencies, most of which were accomplished by stealing computer hard drive devices, is more than coincidental. Intelligence sources report that many of the large scale thefts are part of a well-planned covert intelligence operation to obtain data on hundreds of millions of people in order to accomplish what former Defense Advanced Research Projects Agency (DARPA) official John Poindexter was not able to bring about through his defunct (but secretly restored) Total Information Awareness (TIA) system -- the population of intelligence and surveillance databases with files on the financial, medical, employment, telecommunications, and other sensitive data of Americans and foreigners. Much of the new TIA work is being conducted under the umbrella of the National Security Agency and Department of Homeland Security Advanced Research Projects Agency.

    A number of computer security experts have said the recent rash of data thefts is unprecedented in scope, method, and frequency. Some claim that the thefts appear to be coordinated and targeted at
    specific data types."

    Huge Table, followed by ...

    "Amid all the above personal data thefts, WMR has learned from a U.S. intelligence source that these data thefts pale in comparison to the largest, and as yet, largely unreported, personal data theft in history. Some 30 million Americans were affected and they included customers of Citigroup, Bank of America, and SunTrust. The thefts were conducted between March and April of this year."
    Posted by iang at 07:12 AM | Comments (3) | TrackBack

    June 07, 2006

    Firefox to check in with Google-central - Is Mozilla in unconstrained commercial rampage already?

    It would be remiss of me not to pass on news that Mozilla have finally crafted a strategy for phishing protection in Firefox. It actually took me a few days to realise this is news, indeed, the news we had been working towards for when the fight against phishing was still browser-centric. But I'm no longer looking in that area as the threats have moved on - frequent readers of FC need no reminder of that - and Mozilla's actions may be welcome albeit late.

    Unfortunately, Mozilla appear to be shooting themselves in the feet. At least, they have taken a direction that is mysterious to those of us in the open source world: They have partnered with Google to use their central database to monitor for phishing sites.

    The more I think of it, the only way to understand it is if one considers Mozilla Corporation as a commercial entity, only. They have partnered with another big player, rather than work with the community of software developers. This is what companies do - there is a preference to work with players larger than themselves if possible as that improves their brand and strength, and which helps them for the next deal. As Google and Mozilla have a strong relationship, and much funding has come via their google search box placement and other deals, it makes sense to further the relationship rather than go with Netcraft or Microsoft or the other central database players. And if one considers the offerings of other parties in the central database wars, it may well be that Google's are the best, or the least bad, depending on how you view it.

    This all makes good business sense. But it comes with dangers - serious if not blindingly obvious ones. Firstly, Google's reputation has shifted from being the honest white knight riding in to save us from the evil Microsoft with amazing googley solutions .. to one of being the sneaky invader of all our data. Although not yet seen as 'evil' as Microsoft, their original strong capital from the 'do no evil' motto is now frittered away and they are seen as somewhere like 'evil in evolution' or perhaps 'evil in training'. (I see this a lot in the arts community where there are many projects looking at a future world of Google as master of our data - Google's recent foray in court against USG helped some there, but not enough to sway the undercurrent of concern.)

    Mozilla for their part had a fantastic image in the public's mind as being a volunteer, open source, public minded organisation. But this view has also suffered, perhaps inevitably due to growth and the runaway success of Firefox, but also due to decisions made. Now, Mozilla is quite happily planning to pass all the URLs across without even debating it with the users ... Mozilla's good reputation can only suffer from this arrogance.

    Mozilla's support base still believes that it is an open source operation, and this is a second danger. Such deals are not acceptable in that world and over on Mitchell's blog, she tussles with that dilemma:

    A number of the comments I received refer to the dangers of doing anything with money. They express the concern that any programs involving money run the risk of contaminating our community, or of turning it into a mercenary group interested only in money. I understand the risks. I also believe there are risks in ignoring money. Firefox generates revenue now, that's a fact. So we need to deal with money. (And we have the privilege of being able to employ people to work full time on Mozilla, which I believe is necessary for a project of our size and scope. Not all open source projects believe this however, and some are wary of employees or almost any activity that requires the distribution of funds.)

    When volunteers work for free and take away slices of their own lives to devote to the cause of getting good, free software out there, they do not expect someone else to then take it and rape it for their own profit. Especially, in preferring a good financial deal over the user's needs for privacy, and ignoring the free offerings of their own community, these decisions will only serve to exacerbate the split between Mozilla Corp's newly discovered commerciality and the original long-term support-base of volunteers.

    This calls for a quite serious change management exercise, and also has severe ramifications for the brand. It's pretty clear that Mozilla knows as much about branding as the average brand manager knows about software. E.g., so close to nothing it is worthless or dangerous, notwithstanding their accidental acquiring of the stunning Firefox brand. Or, perhaps that underscores the point - the brand was as much or more built by community efforts.

    To their credit, Mozilla now seems to know this: MBA preferred. Thank heavens for that. Some tips, to be violently ignored like all the earlier free "community" advice, no doubt: MBAs know the basics of branding but they are not specialists, and Mozilla probably needs a specialist in this area now, as well as a PR specialist. Evidently... Further, MBAs are just as useful over on the tech side. Some recent writings by Mitchell may also indicate that the coding monoculture that is Mozilla's archilles heel is finally being addressed:

    Another issue is that we don't have an established path to meritocracy for non-technical roles. For potential developers, we know about several paths for getting involved and developing legitimacy - we know about the Quality Assurance path, we know about fixing bugs, we know something about hacking on the code, we know about writing a great extension and so on. We also have clear ways of identifying a person's known expertise -- they may be a peer for code, a "module owner" for code, etc. All of these are reasonably well understood roles within the project that convey a person's expertise.

    We don't have analogous paths for non-engineering roles. We don’t yet have ways for the non-engineering staff to indicate the scope of expertise of their colleagues.

    Why is this Mozilla's archillies heel? It's been two years since people outside the above formal 'meritocracy' paths have been suggesting the path that was announced last week!

    All that said, and drying our eyes over spilt milk, I'm not sure you need an MBA to tell you that handing over data is not a good strategy for the today's market. If you read the newspapers (any of them in America at least since February of 2005) you would have known that the hot issue for the public mind when it comes to IT and the net was and remains data safety - identity theft and the like.

    So at a minimum, there must be some expectation that this has to have been discussed at great length within the company. So why no realisation that this could be a PR disaster?

    Posted by iang at 12:10 PM | Comments (3) | TrackBack

    June 02, 2006

    ThreatWatch - the war on our own fears

    Several articles on scary, ooo, so scary cyberwar scenarios. We will see a steady stream of this nonsense as the terrorist-watchers, china-watchers and every-other-bogeyman-watchers all combine in a war on our own fears.

    A hyperventilating special from the US DHS:

    According to cyber-security experts, the terror attacks of 11 September and 7 July could be seen as mere staging posts compared to the havoc and devastation that might be unleashed if terrorists turn their focus from the physical to the digital world.

    Scott Borg, the director and chief economist of the US Cyber Consequences Unit (CCU), a Department of Homeland Security advisory group, believes that attacks on computer networks are poised to escalate to full-scale disasters that could bring down companies and kill people. He warns that intelligence "chatter" increasingly points to possible criminal or terrorist plans to destroy physical infrastructure, such as power grids. Al-Qa'ida, he stresses, is becoming capable of carrying out such attacks.

    Summarised over on risks, the US DOD also partakes liberally of the oxygen tank:

    From the nation that enjoys U.S. Most Favored Nation trade status, and a permanent member of the WTO...

    China is stepping up its information warfare and computer network attack capabilities, according to a Department of Defense (DoD) report released last week. The Chinese People's Liberation Army (PLA) is developing information warfare reserve and militia units and has begun incorporating them into broader exercises and training. Also, China is developing the ability to launch preemptive attacks against enemy computer networks in a crisis, according to the document, ...

    The tendency for public officials to try and scare the public into more funding is never-ending. The positive feedback loop is stunningly safe for them - if there is a cyber attack, they are proved right. If there isn't a cyber attack, it's just about to happen and they'll be proven right. And every one of our enemies is ... Huff, puff, huff!

    Is D.C. ready for terrorist attack? Two unrelated traffic accidents within an hour of each other yesterday in Northeast shut down two major highways during the busy morning commute, causing massive gridlock and seemingly endless delays -- but also providing an ominous warning: What if it had been a terrorist attack?

    About the best we can do is patiently point out that what they are talking about doesn't happen because in most cases it is evidently uneconomic. When the economic attack develops, we'll deal with it. Londoners walked home, that one day, and those that were a bit late that morning like me stayed home. The next day everyone went back to work, the same way as before. The next week, nobody noticed. It's not a particularly economic attack.

    Some things you deal with by preparation. But other things you just have to let happen, because the attack goes around your preparations. By definition. Can anybody guess what would have happened if instead of a couple of traffic accidents, it was a couple of bombs? All of the greater Washington area would probably enter gridlock, because the authorities would hand it to the terrorists.

    Posted by iang at 05:27 PM | Comments (1) | TrackBack

    May 26, 2006

    How much is all my email worth?

    I have a research question. How much is all my email worth? As a risk / threat / management question.

    Of course, that's a difficult thing to price. Normally we would price a thing by checking the market for the thing. So what market deals with such things?

    We could look at the various black markets but they are more focussed on specific things not massive data. Sorry, bad guys, not your day.

    Alternatively, let's look at the US data brokers market. There, lots and lots of data is shared without necessarily concentrating on tiny pickings like credit theft identifiers. (Some of it you might know about, and you may even be rewarded for some of it. Much is just plain stolen out of sight. But that's not today's question.) So how much would one of those data broker's pay for *full* access to my mailbox?

    Let's assume I'm a standard boring rich country middle class worker bee.

    Another way to look at this is to look at google. It makes most of the money in advertising, and it does this on the tiny hook of your search query. It is also experimenting with "catalogue your hard drive" products (as with Apple's spotlight and no doubt Microsoft and Yahoo are hyperventilating over this already). So it must have a view as to the value of *everything*.

    So, what would it be worth to those companies to *sell* the entire monitoring contents of my email, etc, for a year to Yahoo, Google, Microsoft, or Apple? Imagine a market where instead of credit card offers to my dog clogging up mailbox, I get data sharing agreements from the big friendly net media conglomerates.

    Sponsored Link
    Google Head Specials
    www.google.com/headspecials
    Failing to nail your hammer?   Your marketing seems like all thumbs?
    Try Google's get-in-his-head program.
    Today's only, Iang's emails, buy one, get two free.


    Does anyone know any data brokers? Does anyone have hooks into google that can estimate this?

    Posted by iang at 06:43 AM | Comments (6) | TrackBack

    May 23, 2006

    ThreatWatch - markets in loss, Visa's take, 419 "chairmen"

    Two articles tracking hackers and looking into
    markets for trading stolen assets. The latter has better info:

    Gaffan says these credit card numbers and data are almost never obtained by criminals as a result of legitimate online card use. More often the fraudsters get them through offline credit card number thefts in places like restaurants, when computer tapes are stolen or lost, or using "pharming" sites, which mimic a genuine bank site and dupe cardholders into entering precious private information. Another source of credit card data are the very common "phishing" scams, in which an e-mail that looks like it's from a bank prompts someone to hand over personal data.

    Also available on TalkCash is access to hijacked home broadband computers - many of them in the United States - which can be used to host various kinds of criminal exploits, including phishing e-mails and pharming sites.

    RSA's Einav says there are about a dozen marketplace sites like TalkCash in operation at any given time. Unfortunately, he and Gaffan suggest it's unlikely this nefarious activity will end anytime soon (though of course that's good for their business).

    "When the FBI shuts down a site they just move to another site," says Einav, "The URL changes but the community stays intact."

    RSA doesn't even bother trying to shut down such sites, because by monitoring them it can help banks protect themselves. Says Einav: "If you see abnormal demand for accounts from a specific bank, you can assume an exploit is underway."

    That's when it goes into action. RSA Cyota claims to have shut down 10,000 phishing and other schemes since Cyota was formed in 1999. (RSA Security bought Cyota last December.) The company maintains a blacklist of sites, which partners use to warn customers.

    Over on payment news:

    Visa USA has posted its summary of performance data for the first quarter 2006 (PDF) detailing year over year growth rates across its various card products. Net fraud as a percentage of total volume increased from 6 to 7 basis points during the quarter.

    OK, so either net fraud went up by a sixth ... or overall net fraud is so low that it's lost in the noise ... or Visa just doesn't know how to count. We could be forgiven for thinking it's so low we can all rest easy, but check out this:

    Akin buys things online - laptops, BlackBerries, cameras, flat-screen TVs - using stolen credit cards and aliases. He has the loot shipped via FedEx or DHL to safe houses in Europe, where it is received by friends, then shipped on to Lagos to be sold on the black market. (He figures Americans are too smart to sell a camera on eBay to a buyer with an address in Nigeria.)

    Akin's main office is an Internet cafe in the Ikeja section of Lagos. He spends up to ten hours a day there, seven days a week, huddled over one of 50 computers, working his scams.

    And he's not alone: The cafe is crowded most of the time with other teenagers, like Akin, working for a "chairman" who buys the computer time and hires them to extract e-mail addresses and credit card information from the thin air of cyberspace. Akin's chairman, who is computer illiterate, gets a 60 percent cut and reserves another 20 percent to pay off law enforcement officials who come around or teachers who complain when the boys cut school. That still puts plenty of cash in Akin's pocket.

    A sign at the door of the cafe reads, WE DO NOT TOLERATE SCAMS IN THIS PLACE. DO NOT USE E-MAIL EXTRACTORS OR SEND MULTIPLE MAILS OR HACK CREDIT CARDS. YOU WILL BE HANDED OVER TO THE POLICE. NO 419 ACTIVITY IN THIS CAFE. The sign is a joke; 419 activity, which refers to the section of the Nigerian law dealing with obtaining things by trickery, is a national pastime. There are no coherent laws relating to e-scams, the police are mostly computer illiterate, and penalties for financial crimes are light.

    Posted by iang at 12:58 PM | Comments (2) | TrackBack

    May 15, 2006

    Tracking you, tracking me, tracking everyone

    You, me, everyone is trackable by our cellphones. Not just Greek Prime Ministers. Here's how.

    Each phone has a SIM ("subscriber identity module?") card, which is the smart card that holds the billing arrangement. Each SIM card has a number, so it is uniquely identified in the packets of information flashing across the network. That made it trackable.

    So a common trick was for mafia bosses and other delightful characters was to keep the same phone but change the SIM (by opening the back up, dropping the battery out, and switching the little chip card). This meant that access to the billing records would not automatically be useful for tracking purposes, as the SIM number is what is billed.

    This trick was known as far back as the early 90s, when some drugs dealer was caught with 80 SIMs in his briefcase. He'd use them for one call each.

    Unfortunately this was futile, and here's why. Each phone has a number, which is internationally and centrally coordinated in the standard telco committee fashion. That is, the mobile phone manufacturers get together in a smoke-filled room and allocate a batch of numbers to each of them, so each phone the world around is unique.

    This number is called the IMEI, or international mobile equipment identity, which includes the manufacturer's prefix and the phone's number (it's the same concept as your ethernet card's MAC address if you know what that means). The IMEI is also trackable, but you need a separate set of records to get access to it: call records. These are the technical records of what traffic is passing up and down, phone to phone. This is the real time stuff, and it has the raw IMEIs in there, which are later filtered out for billing purposes.

    So our friendly mafiosa were caught by anyone who could get access to those traffic records. And, if you think about it, the bad guys stuck out like a sore thumb because the SIMs kept changing and the IMEI did not. Now of course this trick is widely known:

    ICE officials said that they're working with Mexican authorities to return [Castorena-Ibarra] to the United States but that the mustachioed fugitive moves frequently and changes cellphones every few days.

    It's also possible to rewrite the IMEI if you have the right phones and the know-how. But, a good friend advises me, that's illegal in many countries, and you'll get into heap big trouble if you're caught doing it.

    Another little trick - it turns out that it is possible to ping anyones cell phone by sending a zero-length SMS message. As it is zero length, the phone drops it without further ado but if the "acknowledge receipt" bit is set the phone replies. This reply SMS is free, but it still shows up bright and clear in the records. Which leads us to the next issue. [this paragraph edited improved heavily!]

    Think about how the network works. You are walking down the street, and you are always in contact. You can always be phoned. Yet, the transmitters in built-up areas only have a range of less than a kilometer ... sometimes only a few hundred meters.

    How do they do that? It's called "hand-off". Each tower recognises the phone's presence and tells the "center" that it's in comms with your phone. Then, when you walk past the next tower, the two towers have a little chit chat and hand you over. Of course, the center has to know so as to re-route incoming calls to you.

    So the center knows where you are - to the accuracy of the towers. And, anyone who is looking at that feed of information knows where you are. And, anyone who shares that info also knows.

    That's why there is all this talk about adverts popping up on your phone saying "turn left here for a special price on lunch!" Actually it gets even more juicy as there is a thing called triangulation where the towers can reveal signal strengths, times, and directions, and a bit of maths will coordinate you down to tens of metres.

    None of this is secret. In conferences, and in articles, people have been talking about the marketing implications of such cellphone "traffic analysis" for years. Some of this is directed at sales opportunities, other at "social networking" analysis, and some of course at the "tracking bad guys" angle.

    This is so un-secret that in the USA and other places, they have been trying to make it law that cell phone operators provide your location every time you punch in 911.

    What has not been discussed at all are the ramifications of your telco knowing where you are. Within pretty close paramaters. Every moment your cellphone is switched on.

    What has not been thought about at all is who they are selling this information to and who they are sharing it with - inadvertently or otherwise. And whether those that are doing the listening are operating with due regard to your privacy, with oversight, or what.

    Instead, there is the steady rumble of scandals, as the public finds out what the insiders have known all along. Let's close with this one:

    Alexis Papahelas -- so you are saying even the crypto phones that the [Greek] prime minister/government/military are using they are vulnerable to this kind of penetration you say.

    James Bamford: Well, crypto phones are probably NSA's biggest targets around the world, whether or not the NSA was able to break the encryption of the algorithm to get into those phones I don't know. I don't have this information, but I know obviously NSA's key job, NSA's first job is intercepting communications, and second job is breaking codes such as the codes that encrypts that communications, and third job is making USA encryption systems.

    (oops, sorry, that'll all be greek to you!)

    Posted by iang at 07:41 AM | Comments (5) | TrackBack

    May 12, 2006

    Tracking Threats - USA Telco, Inc., shares billing records with NSA, Pretexters, foreign governments, anyone, really

    More evidence that tracking by cell/mobile is a routine threat to all - this time from America, and this time concerning the billing records as opposed to the tower handoff records.

    A congressional panel investigating the fraudulent acquisition and sale of mobile phone records by Internet Web firms has collected evidence that indicates law enforcement officials at the local, state and federal levels use the Internet-based services as an investigative short-cut, MSNBC.com has learned. At least one Web-based data seller has told Congress that the FBI is a client.

    As I've asserted before, if this was limited to law enforcement pursuent to lawful warrants, etc, etc there would be no complaint. (Citizens not having anything to hide, right?) But it is not.

    The phone records are generally acquired by the resellers through fraudulent means and would not be admissible in court as evidence, but they are still helpful as an investigative tool, say officials familiar with the investigation. ... One seller, Advanced Research Inc., which operates ADVSearch.com, told the committee that it has sold data to the FBI. "On occasion, ARI (Advanced Research) has done work for municipalities, banks, mortgage and insurance companies, private companies, foreign governments, law enforcement, even the FBI," ARI's letter to Congress said. ... The dozens of Web sites now being investigated by Congress sell to a wide cross-section of customers buying data. Evidence gathered so far suggests many purchasers are involved in debt collection. But a steady stream of evidence also implicates law enforcement officials, who occasionally use the services as a shortcut, avoiding the need for court orders generally required to see phone records.

    The phone records are often obtained by private investigators through a tactic known as "pretexting." Investigators call mobile-phone companies posing as legitimate customers and trick service representatives into delivering copies of records.

    Many Web site sellers maintain the practice is legal, but cell phone companies, the Federal Communications Commissions and numerous state attorneys general have said impersonation of consumers is fraud. Several states also have sued data brokers over the acquisition and sale of phone records in recent months.

    The tracking of people by cellphone is equally shared by law enforcement - without a warrant - and anyone else with a credit card number, raising the amusing prospect of your own card paying for someone to spy on you. Hardly a high standard of protection.

    A further indication that the NSA is operating outside the law comes from Chris Walsh's comment over on EC:

    Trying to put pressure on Qwest, NSA representatives pointedly told Qwest that it was the lone holdout among the big telecommunications companies. It also tried appealing to Qwest's patriotic side: In one meeting, an NSA representative suggested that Qwest's refusal to contribute to the database could compromise national security, one person recalled.

    In addition, the agency suggested that Qwest's foot-dragging might affect its ability to get future classified work with the government. Like other big telecommunications companies, Qwest already had classified contracts and hoped to get more.

    Unable to get comfortable with what NSA was proposing, Qwest's lawyers asked NSA to take its proposal to the FISA court. According to the sources, the agency refused.

    The NSA's explanation did little to satisfy Qwest's lawyers. "They told (Qwest) they didn't want to do that because FISA might not agree with them," one person recalled. For similar reasons, this person said, NSA rejected Qwest's suggestion of getting a letter of authorization from the U.S. attorney general's office. A second person confirmed this version of events.

    (Also see CDT.) US Congress is or has moved to rule it more difficult, but recent attempts to regulate technology abuses don't raise many hopes in this area. Indeed, even Congress seems to be getting skeptical. Chris Walsh posts on EC:

    Massachusetts Congressman Ed Markey asks Dennis Hastert whether legislation protecting mobile phone users' privacy has been sent to a "legislative 'Guantanamo Bay'" in order to modify it so that intelligence gathering activities analogous to those affecting land lines would be unimpeded.

    The problem is a little more deep-seated than that I fear. Probably, the battle to protect cell phone records from the intel community is already lost. (Including other than with your own national agencies who are looking out for your interests. Above, it mentions foreign governments buying US records, and I wouldn't be surprised if the NSA already has access in Europe.) The question is whether anything else can be saved.

    Probably not, I would guess, if the data mining juggernauts are anything to go by. But it does bring up the amusing contrast between Europeans and Americans. Europeans don't mind that much if government gets their records, but are horrified if private companies do. Whereas Americans speak with utter fear of their government spying on them, but happily accept that it is the private sector's right to trade this information. Perhaps for the first time, people on both sides of the Atlantic have some angst to share.

    Posted by iang at 02:26 PM | Comments (1) | TrackBack

    April 19, 2006

    Numbers on British Fraud and Debt

    A list of numbers on fraud, allegedly from The Times (also) repeated here FTR (for the record).

    INTERNET CHATROOM PRICE LIST

    Regular credit card number: $1
    Credit card with 3-digit security code: $3-$5
    Credit card with code and PIN: $10-$100
    Social security number (US): $5-$10
    Mother's maiden name: $5-$10
    THE BIG NUMBERS
    £56.4 ($100) billion:Total amount owed on British credit cards
    141.1 million:Number of credit, debit and charge cards in Britain
    1.9 billion:Number of purchases on credit and charge cards in Britain a year
    £123 billion:Total value of credit and charge card purchases a year
    5:Number of credit, debit and charge cards held by 1 in 10 consumers
    £58:Average value of a purchase on a credit card
    £41:Average value of a debit card purchase
    88 percent:Proportion of applicants who have been issued with a credit card without providing proof of income
    £504.8 ($895) million:Total plastic-card fraud losses on British cards a year
    £1.3 ($2.3) million:Amount of fraud committed against cards each day
    7:Number of seconds between instances of fraud
    £696 ($1,235):Average size of fraud, 2004

    (Printing them in USD is odd, but there you go... I've preferred the Times' UKP amounts above, as there were a number of mismatches.)

    Posted by iang at 10:01 AM | Comments (2) | TrackBack

    April 11, 2006

    Threatwatch - Voice Threat Models are Snafu - Situation Normal All F***ed Up

    Something bothers me about the recent spate of crypto voice news - it looks like we have bungled the threat model, yet again. Do we never learn?

    For some reason phone tapping, VoIP and the like is much in the news, and a couple of references have been spotted to suggestions that we should rise to defend that space. Firstly over at the cryptography list, where all are agog about wiretapping in Greece, secondly in many articles to-ing and fro-ing over zFone and Skype (go guys!) and now a more serious call from Bruce Schneier in Wired:

    "This is why encryption for VOIP is so important. VOIP calls are vulnerable to a variety of threats that traditional telephone calls are not. Encryption is one of the essential security technologies for computer data, and it will go a long way toward securing VOIP."

    I'm all for it! But the repeated references to encryption have that earthly Douglas Adams feel to them - somewhere between "mostly harmless" and downright dangerous through systemic underestimation.

    We all love encryption. But when it comes down to it, encrypting the voice channel is such a small part of the equation that I wonder why the fuss? Is it because we all get that wonderful geeky buzz when we shove 256 bits of full blooded AES right back up the NSA's pipe? Smoke that, spook!

    I think that's a lot to do with it. And I wouldn't want to ruin anyone's fun - coz crypto should be fun - but while all the cryptographers are dancing around counting bits on a pinhead, they are in danger of missing the real threat.

    No, I'll go further than that. We, they, me, all of us - the whole Internet security community - has actually missed the threat. Quite possibly by a decade or so.

    The real threat is tracking.

    Why is this? Lots of reasons, but unfortunately they are ho-hum, low tech, under the radar reasons. Not things that the geeks can get addicted to, not ones that give them a buzz. Nothing you can write about in Wired, or in cryptography lists, or the popular journalism of the security press, I suppose.

    Still, let's give it a shot and see if we can't save the voice threat model before it follows its predecessors into a decade of confusion, waste, and endless laugh value for the attackers. There are a number of ways of looking at this. I'm not shy, I'll try them all.

    Consider GSM, as a great forerunner to encrypted VoIP. It uses something like a 40-bit crypto algorithm that's as weak as water. After cryptoplumber Lucky Green reverse-engineered it out of the chips in a 3 month marathon hacking effort, cryptobuddies Dave and Iang (the other one) cracked the actual algorithm in an afternoon. By the time that was done, GSM as a cryptosystem was just so many bits strewn across the floor, or at least the standard version of A5 was. The journalists loved it!

    Or so it seems. In fact, the security model was still good! GSM was unchallenged because Lucky and friends weren't in GSM's threat model - the papparazzi and the phone spoofers were the threat and those scum still have some deal of trouble making their attack.

    Meanwhile, the GSM juggernaut rumbled on, untroubled. We are now in a Europe where there are as many phones as people - everyone but everyone has one, and every Finn has two. (And they're all encrypted - Yoo Hoo! Plus, if you have one of those supercool cryptophones, they are doubly encrypted at 256+256 volts .. er .. bits!)

    The Americans aren't that far behind, with the slight notable exception of having many different systems. Asian and Latino cultures show no real slackening in cellphone worship either, probably because the lack of good copper systems overcame any braking effect of lower incomes.

    Now, consider the facts. That is, the facts that are extracted from tracking versus the facts that are extracted from wiretapping. The facts we can get from tracking are hard - when, where, with whom. They look good in a database, they cross-correlate, they datamine, they stand in court. Indeed, all of society's investigative, dispute and judicial processes are based on these sorts of facts, so the new technology of person tracking fits in well with the old ways of doing things.

    In contrast consider the facts in a voice conversation. They are hard to put in a database (so forget about datamining), they consume racks and racks of data storage, they have to be searched for quality, and when it comes down to it, they are pretty darn soft - recordings of voice don't stand well in court. Ludicrously, there seems to be research that suggests that use of wiretaps correlates negatively with conviction rates.

    So we have this little thing in our pocket - all of us - and it's trackable. It generates a quality set of facts. All the time, whenever it's powered on. Which leaves one question only - are the facts available?

    Nominally, most governments and telcos will say that such data are not available. But evidence is starting to suggest another picture. I have it on reasonable but anecdotal authority that the police in a few countries in Europe have full access to GSM tracking - at the tower. The developments in the US would suggest that the NSA isn't that far behind, unless they are already there (there's that silly story about machines collecting data not being against the rules -- what to make of that? -- well, the story is there and repeated by the spooks, so they must be saying it for a reason . . .). And, plans proceed afoot to integrate this data-that's-not-illegal across the usual suspects, the TLAs.

    Here's one anecdote I might have heard. Police - your ordinary plod - can pick you up off the streets, like at a demonstration or something, and show you on TV in the vicinity of other demonstrations ... other months ... other places ... with other people ... using public surveillance cameras.

    Now, how could they have correlated all that information? Perhaps they were using a blue tooth rifle on your iPod? Maybe the police are tracking the RFIDs in your clothing?

    Nah - the only systems approach that makes sense is that they are datamining the tower hand-off records. How this works we leave as an exercise to the victim.

    This all would have been fine and dandy 20-30 years ago when governments in the west were a bit better behaved. But these days, suppression of civil liberties, tracking the naysayers, secret databases and so forth is all the rage (much to the chagrin of the newly liberated eastern european peoples. "What, we got rid of communism . . . for this?").

    As it all seems to be happening in secrecy, and as there are therefore no safeguards in place, this is a valid threat. If your local police can track you, they can also blackmail you. Even before we get to dishonest police, there are the telcos.

    Here's how this this threat evolves. First, they say they don't collect the data. Then they say they don't use it, except for engineering purposes. Then, they say that there are safeguards. Then, they say they don't supply it outside the company. Then, they sell it.

    Then, they just make it up. It takes less than 10 years across the full life-cycle from total privacy to total piracy, and telcos have had a decade or two, already. Governments aren't any help.

    Your power in anonymity is stripped away by the secret availability of such tracking databases. We the people have no clue how this information is being used - and likely the first time we find out is when we can buy it ourselves to start spying on our spouses. (oops.)

    Other than switching off the phone, what's to be done?

    Well, all those cryptophone projects out there are still good - they just have to adjust their threat models. They've covered threats 2 through 9, now they need to think about threat #1. VoIP phones with any encryption are still fantastically good while there isn't massive and pervasive IP# tracking. (oops.)

    To advance that theme - continue to support the cryptophones - Skype, Zfone, etc. They are your friends, both. But also cast an eye to the IP detrackers: Tor and the like. In my opinion, the whole P2P space (Jim says here) is far more relevent to the future of security, privacy, etc than any product that knows how to spell AES.

    Give me RC4 layered over hazenet any day. Hell, give me Rot13 if you can make a good showing that it's deeply hidden in the noise. Fixing Rot13 is child's play compared to unfixing a static IP# or a Sim#.

    Posted by iang at 12:49 PM | Comments (1) | TrackBack

    April 10, 2006

    Threatwatch - pricing the password crack

    Some stats on how much it costs to crack a password:





    Yahoo$150
    MSN Hotmail$175
    AOL$200
    GMail$200
    Others$250

    Found on crackspider. I'm a bit suspicious of the site as it sent firefox and konqueror into contortions ... so I'll refrain from posting the URL.

    Posted by iang at 11:08 AM | Comments (2) | TrackBack

    April 08, 2006

    ThreatWatch - Sony is your friend, Game Over?, Meccano costs, and it'll all be better in two years

    Dan Kaminsky writes on the Sony experience:

    Learning from Sony: An External Perspective

    ‘What happens when the creators of malware collude with the very companies we hire to protect us from that malware?’ Bruce Schneier, one of the godfathers of computer security, was pretty blunt when he aired his views on the AVindustry’s disappointing response to the Sony rootkit (for an overview of the rootkit and its discovery see VB, December 2005, p.11). His question was never answered, which is fine, but his concerns were not addressed either, and that’s a problem.

    The incident represents much more than a black eye on the AV industry, which not only failed to manage Sony’s rootkit, but failed intentionally. The AV industry is faced with a choice. It has long been accused of being an unproductive use of system resources with an insufficient security return on investment. It can finally shed this reputation, or it can wait for the rest of the security industry to finish what Sony started. Is AV useful? The Sony incident is a distressingly strong sign that it is not.

    I'm not sure what to make of the threats situation here. On the one hand, it is shocking, simply shocking to think of corporates deliberately increasing the risks of consumers so as to make more money. But, in reality, this has been going on for decades. So what we need is not less but more of the Sony threats. We need more information out in the public view so that we can all more clearly analyse the threats here. I call for more Sony rootkits :)

    Has Microsoft declared Game Over?

    In a rare discussion about the severity of the Windows malware scourge, a Microsoft security official said businesses should consider investing in an automated process to wipe hard drives and reinstall operating systems as a practical way to recover from malware infestation.

    "When you are dealing with rootkits and some advanced spyware programs, the only solution is to rebuild from scratch. In some cases, there really is no way to recover without nuking the systems from orbit," Mike Danseglio, program manager in the Security Solutions group at Microsoft, said in a presentation at the InfoSec World conference here.

    Basically, the OS cannot be protected, and in the event of infection, you have to re-install. That's one brave disclosure, but better they start seeding the public with this info less later than later still.

    Fear of security is starting to bite in the US - in contrast to anecdotal evidence. Entrust did a survey that said:

    Fear of alienating customers

    Banks recognize they must increase online security, but are equally concerned that making Web sites harder to use will drive customers back to telephone and branch banking.

    "Telephone transactions cost banks 10 times as much to process as Internet transactions. And an in-branch transactions cost 100 times Internet transactions," Voice said.

    About 18 percent of online bank customers have already cut back or stopped banking online completely because of security worries, according to an Entrust survey.

    It is the cutting back or stopping that is causing the fear from the Meccano trojans I reported on a bit back (also known as MITB or Man-in-the-Browser). Forcing people back to phone or branch has massive cost and deployment ramifications. In the face of these costs, expect many banks to simply suffer the losses. Unfortunately, this won't be socially acceptable, as the majority of the costs are borne by the consumer, not the institution.


    Lynn spots the latest crazy threat to invade media mindspace - Beware the 'pod slurping' employee

    A U.S. security expert who devised an application that can fill an iPod with business-critical data in a matter of minutes is urging companies to address the very real threat of data theft. ....

    "(Microsoft Windows) Vista looks like it's going to include some capability for better managing USB devices, but with the time it's going to take to test it and roll it out, we're probably two years away from seeing a Microsoft operating system with the functionality built in," Usher said. "So companies have to ask themselves, 'Can we really wait two years?'"

    This is not a new threat, just an old threat with a sexy new toy. Don't believe we had to wait for Apple for the innovative solution to employees' desperate needs to walk out with lots of data...

    On the other hand, read that second paragraph above carefully. If you don't like today's scenario, you'll have to wait about 2 years, assuming that Vista has some sort of answer to whatever it is you don't like. I don't normally do stock picks but here's one that screams: buy Apple, sell Microsoft. Users will, even if you don't.

    A bit of BitTorrent bother. In brief, ISPs have been using "traffic shaping" to identify Bittorrent traffic and drop it. In response, the top three clients have added an RC4 encryption capability. Threats everywhere...

    In closing, 1 in 10 Laptops Stolen:

    "Up to 1 in 10 laptops will be stolen during their lifetime according to one of the Law Enforcement Officers behind the new Web site Juststolen.net..."
    Posted by iang at 07:46 PM | Comments (0) | TrackBack

    March 25, 2006

    Meccano Trojans coming to a desktop near you

    Scuttlebut is circulating in the anti-virus world about the new class of trojan about to emerge. Details - facts - are scanty, and several exaggerations seem to already have fallen flat on their face already. Having said that, a general pattern is emerging, and it looks like a significant advance in the threat state of the Internet. Here's what I've picked up so far.

    The new class of trojan evidences an ability to deconstruct and reconstruct the browser in the phisher's image. That is, it is a sort of meccano kit for phishers, which allows the construction of a new phisher-friendly browser. The meccano trojan operates on the Microsoft Windows operating system and allegedly is coded up for both IE and Firefox, so Firefox has crossed GP.

    I say above "evidences an ability" because the view is that the kit is not quite there yet, but it's near enough to be "just around the corner." There is substantial uncertainty about this, because the details are being shared hush-hush. My feeling from the scuttlebut is that the first meccano trojans will roll into Windows machines within a month or so, in what could be considered to an alpha test of the concept. Within 6 months, that should shake out and the meccano concept will be well tried and tested. But that's just a feeling based on a secret stacked up on a prediction.

    If you prefer to think in classical PKI terms, this means that the MITM is now inserted into the browser. Hence, this attack was later named as the Man in the Browser, or MITB (note inserted 2009). PKI is rendered bypassed, in a way that is indefensible to PKI at least. Deep security readers will recall that one hard-wired assumption of PKI was that the threat was on the wire, and the node was safe, and we've now reached the point where that assumption is broken in theory and in practice.

    Let's summarise. First the facts: A new trojan class is capable of taking over the browser on Windows platforms. It covers both IE and Firefox. It renders all security within the browser theoretically breached.

    Second, the anti-facts. Everything written above is unconfirmed, so they are not facts at all! Next, the notion that suddenly the browser disappears into a puff of smoke and the user is left naked and unprotected just doesn't make sense - to me at least. There still remain substantial economic defences against any given attack - just because one component is broken doesn't mean the system starts handing out your cash left and right. There are also things that users - both individuals and corporates - can do to protect themselves, and there many many things that sites can do to change the economics.

    What then makes me believe that this is substantial without waiting for the unobtainable facts? Three things. Firstly, this is predicted in concept if not in detail. Any security researcher worth their salt has written off the nodal security model as far as Windows goes - I wrote about the fatal conceit of the threat reversal some time ago, and to many that was good logic but oh-so-ho-hum. Next, it is only the timeframe that we are arguing about, and we are about due for this. Note how last week's news predicts the browser attack:

    "MetaFisher uses HTML injection techniques to phish information from victims after they've logged into a targeted bank account, said Dunham, which lets attackers steal legitimate TAN numbers (one-time PINs used by some banks overseas) and passwords without having to draw them onto phony sites."

    Finally, those that are vulnerable and have seen more of the story are taking it seriously. Banks in one place that I know have already formulated their response and are moving to put it in place. In this case, it is a banking sector that is not particularly vulnerable anyway, and their solution will work - which already tells you what corner of the world it is. For the financial cryptographers, the solution is simply moving more towards the model Ricardo and x9.59 pioneered, c.f., Anne & Lynn, Gary & myself.

    So where does that leave us? The fundamental statement would seem to be that the Windows platform can no longer be considered secure, not for any security that you might actually need. That day has arrived. Beyond that there is a huge amount of analysis needed to say more, far more than I can do in one post. I'll stop with these broad questions, recognising that asking the question is easier than answering it.

    • Is the Mac safe? Is it next, and when does the Mac cross GP?
    • Is the authentication model dead? Or can it be redeemed?
    • Where does this leave PKI?
    • Should online banking stick with the browser? Or go for another platform?
    • Online banks have the resources to fix these things, but what about the rest of us?
    • Are the actions of the anti-virus community helping or hindering?
    • Where goes Microsoft? Is it game over?

    Far too much for one day. I'll leave you with Dan Kozen's fine bull, which symbolised my 2006 prediction of more government intervention, and today stands in for the running of the other more successful bulls.

    Thankfully, the regulators appear to be showing restraint, in that they are signalling that the problem belongs to the banks. The central banks have confirmed their intention to put risk sharing in place for online banking: the user will be on the hook for something like the first 150-250 of the fraud. After that, the bank picks up the rest. This is critical - both the bank and the user must engage in the security protocol, and any attempt to do otherwise is living in state of sin, to paraphrase John von Neumann.

    Let's hope the regulators hold the line on that one, and prove at least one of my predictions dead wrong.

    Posted by iang at 10:33 AM | Comments (12) | TrackBack

    March 18, 2006

    Threatwatch - trojan hijacking, proxy victims, breaching conflicts of legal interest, semi-opaque blue hats

    Bad news for Microsoft, but (other) browsers may breath a sigh of small relief. It seems that there is a shift from email-based phishing across to trojan hijacking. Predictable - as people gradually wake up to phishing, and as the easy targets are phished out, we can expect the well-funded attackers to shift to new waters.

    LURHQ’s description of an E-gold Trojan was an early foreshadowing of things to come. E-gold is an e-cash operation, similar to Paypal. Turns out they’ve been under constant attack from these advanced Trojans for a few years now.

    The E-gold Trojan waits for the victim to successfully authenticate to E-gold’s Web site, creates a second hidden browser session, and uses various spoofing tricks until it drains the victim’s account. Because the stealing and spoofing is started after the authentication is completed, no amount of fancy log-on authentication would prevent the heist. All too telling is LURHQ’s prediction that “other banking institutions are sure to be attacked in this manner in the future.”

    In the more mundane and routine phishing waters (thanks, Gordon):

    In a smart site redirection, the attacker creates several identical copies of the spoofed site, each with a different URL, often hosted by different ISPs. When the phishing e-mails go out, all include a link to yet another site, a "central redirector." When the potential victim clicks on the e-mailed link, the redirector checks all the phishing sites, identifies which are still live, and invisibly redirects the user to one.

    I see signs of a new trend in reportage of threats to US financial institutions. Above, and here:

    The report cites the W32/Grams Trojan that targets 'e-gold' but doesn't launch an attack until the authentication process has been monitored and completed, as e-gold uses a number of security measures, such as limiting account access to an individual IP address and the use of one-time passphrases.

    Spot it? If you can name e-gold then you can get away with embarressing someone who can't fight back. But if it is a regulated financial institution, it shouldn't be named - if the debit card PIN debacle in the US is anything to go by. Nobody quite knows what is going on there, what happened, and who it happened to. Other than the consumers, that is.

    Knowing what happened is critical to security. Only with hard facts as to the real breach can we understand the risks. Only with understanding the risks can we counter them. If big banks have to be embarressed in that process then so be it - the goal is security, right?

    Which means that naming e-gold is a net good - they become a proxy for the banks' woeful security practices. "Sucks to be them." But at least they got invited into a new coalition of the willing:

    A group of 18 financial institutions and internet providers have joined forces with child advocacy groups in the US and Europe in an effort to eradicate commercial child pornography by 2008. The internet has allowed child pornography to become a multi-billion dollar industry, and the newly formed Financial Coalition Against Child Pornography aims to kill the business model behind the sites by blocking access to payment services including credit cards.

    Again, e-gold have been a favourite target of blame for child pornography, and it is not exactly clear that the mud sticks. The reason for putting together a group is possibly explained here:

    One problem for the card companies is that it is illegal for anyone other than law-enforcement officials to look at child porn. This has made it difficult to proceed with their own internal controls.

    "The great thing about this coalition is that it gives us for the first time an independent entity to decide the validity of a particular image - and if it is child porn or not - and gives us actionable information," says Joshua Peirez, group executive of global public policy at MasterCard in Purchase, N.Y.

    How the coalition gets around that illegality question is an open question - but it certainly points the way towards a nominally independent body that can govern the question without other conflicts of interest. And, conflicts of interest and other disasters are the rule with such investigations, as reported here by Adam:

    An international investigation of internet-based child pornography has led to accusations against innocent victims of credit card fraud, a CBC News investigation has found. In other cases, victims of identity theft found themselves fighting to save their reputations, jobs and marriages after their names were used to buy child pornography.

    Just exactly how do you deal with a false accusation so severe that due process is foregone? Any security strategies for that?

    And finally, to return to Microsoft's bad news. They seem to have run something of a coup in security forums:

    MARCH 16, 2006 (IDG NEWS SERVICE) - Microsoft Corp. is going public with some of the hacking information discussed at its Blue Hat Security Briefings event. Just days after the end of its third Blue Hat conference, the software vendor today posted the first blog entries at a new Web site. Microsoft is also promising to publish more details on the secretive invitation-only event.

    The Web site will include Microsoft staffer's "reflections on BlueHat 3" as well as photos, podcasts and video interviews with some of the presenters, said Security Program Manager Kymberlee Price in a blog posting. "We sincerely hope that our BlueHat 3 speakers (and BlueHat 1 & 2 speakers) will post their comments to the site as well and share their BlueHat experience," she wrote.

    Which at first blush sounds almost convincing. So, if it is so open and touchy feely, why is it also so secretive? Routine champions of open process such as Adam have supported the secrecy agenda (albeit under a label of privacy) so we are definately hearing two messages here, among the many echoes of the past.

    The normal reason for secrecy is so as to control the agenda for own gain, whatever the headline reason is. In Microsoft's case they benefit if they can get the information they need and not reveal any themselves. Obviously, nobody is quite that naive these days, so some stuff may have to be revealed. Especially, what they do reveal should not reveal their more controversial intentions, so maybe what is not revealed is likely more interesting than what is not. And, as we saw with the "high assurance" case, there is a definate advantage in getting everyone else to respect privacy, as it gives Microsoft first-announcer privileges.

    Aside from that, I think we are still in net positive. Microsoft have failed to get their house in order, and we see more and more signs that they are trying various ideas to get outside help. Without admitting this, that is, but the observation remains that they are the only organisation that is doing any out-reach on security at all, and they are the only player that is looking at security for security's sake, albeit highly filtered with other monetary interests.

    (I should hasten to add that I doubt this is caused by any new-found public spirit on their part, it's almost certainly a rational analysis of the huge and growing risks Microsoft face in the security field.)

    Posted by iang at 01:46 PM | Comments (3) | TrackBack

    March 07, 2006

    ThreatWatch - the Mac gets hacked

    ZDNet Australia reports more substantial evidence that Mac OS X has a real problem with security has surfaced. In the interests of fairness and seeing my own predictions bite the dust, here's the news:

    On February 22, a Sweden-based Mac enthusiast set his Mac Mini as a server and invited hackers to break through the computer's security and gain root control, which would allow the attacker to take charge of the computer and delete files and folders or install applications.

    Participants were given local client access to the target computer and invited to try their luck.

    Within hours of going live, the "rm-my-mac" competition was over. The challenger posted this message on his Web site: "This sucks. Six hours later this poor little Mac was owned and this page got defaced".

    The hacker that won the challenge, who asked ZDNet Australia to identify him only as "gwerdna", said he gained root control of the Mac in less than 30 minutes.

    "It probably took about 20 or 30 minutes to get root on the box. Initially I tried looking around the box for certain mis-configurations and other obvious things but then I decided to use some unpublished exploits -- of which there are a lot for Mac OS X," gwerdna told ZDNet Australia .

    Yowsa! Some work to do, guys! Maybe we're all back to OpenBSD again... A little more digging, and Arstechnica and MacWorld both indicate the hack was less dramatic than it sounds:

    Firstly, the hack was that of privilege escalation, not a pure remote exploit. The web site author had enabled SSH, the Unix "Secure Shell" tool that has replaced telnet as a means for accessing networked machines from the command line. He then configured an LDAP (Lightweight Directory Access Protocol) database and added a web-based interface so that visitors to the site could add their own shell accounts to the system. These shell accounts were given limited user access, so in theory they should not have been able to access or modify any files that were owned by the system or by other accounts. The hacker used a vulnerability in OS X to promote the privileges of this account, thus "gaining root" and becoming able to modify any file on the computer at will.

    Ah. You have to have a shell account on there in the first place. That's different. To counterbalance that, CS news reports:

    "In response to the woefully misleading ZDnet article, 'Mac OS X hacked under 30 minutes', the academic Mac OS X Security Challenge has been launched. The ZDnet article, and almost all of the coverage of it, failed to mention a very critical point: anyone who wished it was given a local account on the machine (which could be accessed via ssh). The challenge is as follows: simply alter the web page on this machine, test.doit.wisc.edu. The machine is a Mac mini (PowerPC) running Mac OS X 10.4.5 with Security Update 2006-001, has two local accounts, and has ssh and http open - a lot more than most Mac OS X machines will ever have open."

    Cool. Stopwatches running...

    Posted by iang at 02:47 PM | Comments (4) | TrackBack

    FraudWatch - Chip&Pin, a new tenner (USD10)

    Chip&Pin in Britain measured a nearly full year of implementation (since February) and found fraud had dropped by 13%. They say that's good. Well, it's not bad but it is a far cry from the 80% figures that I recall being touted when they were pushing it through.

    The Chip and Pin system cut plastic card fraud by 13% in 2005, according to the Association of Payment Clearing Services (Apacs). Losses due to the fraudulent use of credit and debit cards fell last year by £65m to £439m.

    Most categories of fraudulent card use dropped, except for transactions over the phone, internet or by mail. Chip and Pin cards were introduced in 2004, with their use becoming required in shops from February this year.

    The new type of card appears to have brought a decisive turnaround with fraud levels now back to the levels last seen in 2003. In 2004, as the new cards were being introduced, card fraud continued to shoot up, by 20%, costing banks and retailers more than half a billion pounds.

    Sandra Quinn of Apacs hailed the impact of Chip and Pin, which has been rolled out to most of the UK retailing and banking industries since October 2003:

    "Seeing card fraud losses come down is cast-iron proof that Chip and Pin is doing its job. Back in 2002 we forecast that fraud would have risen to £800m in 2005 if we didn't make the move to Chip and Pin so it's heartening to see total losses well beneath this figure" she said.

    So maybe if we factor in such a prediction of 800m, down now to 439, we are seeing a drop of 45%. I'd say that according to GP they moved too late and ended up with an institutionalised fraud at a high and economic level. Clawing that back is going to take some doing.

    And, also from PaymentNews, the US mint continues its sly dance to use other colours than green:

    Security Features
    The redesigned $10 note also retains three of the most important security features that were first introduced in the 1990s and are easy to check: color-shifting ink, watermark and security thread.

    Color-Shifting Ink: Tilt your ten to check that the numeral "10" in the lower right-hand corner on the face of the note changes color from copper to green. The color shift is more dramatic on the redesigned notes, making it even easier for people to check their money.

    Watermark: Hold your ten up to the light to see if a faint image of Treasury Secretary Alexander Hamilton appears to the right of his large portrait. It can be seen from both sides of the note. On the redesigned $10 note, a blank oval has been incorporated into the design to highlight the watermark's location.

    Security Thread: Hold your ten up to the light and make sure there's a small strip embedded in the paper. The words "USA TEN" and a small flag are visible in tiny print. It runs vertically to the right of the portrait and can be seen from both sides of the note. This thread glows orange when held under ultraviolet light.

    To protect our economy and your hard-earned money, the U.S. government expects to redesign its currency every seven to ten years.

    Everything is good fun about that page, even the URL!

    Posted by iang at 05:10 AM | Comments (16) | TrackBack

    February 19, 2006

    More dots than you or I can understand (Internet Threat Level is Systemic)

    fm points to Gadi Evron who writes an impassioned plea for openness in security. Why? He makes a case that we don't know the half of what the bad guys are up to. His message goes something like this:

    DDoS -> recursive DNS -> Fast Flux -> C2 Servers -> rendevous in cryptographic domainname space -> bots -> Phishing

    Connecting the dots is a current fad in america, and I really enjoyed those above. I just wish I knew what even half of them meant. Evron's message is that there are plenty of dots for us all to connect, so many that the tedium of imminent solution is not an issue. He attempted to describe them a bit later with his commentary on the recent SSL phishing news:

    Some new disturbing phishing trends from the past year:

    POST information in the mail message
    That means that the user fills his or her data in the HTML email message itself, which then sends the information to a legit-looking site. The problem with that, is how do you convince an ISP that a real (compromised) site is indeed a phishing site, if there is no phishy-looking page there, but rather a script hiding somewhere?

    Trojan horses
    This is an increasing problem. People get infected with these bots, zombies or whatever else you’d like to call them and then start sending out the phishing spam, while alternating the IP address of the phishing server, which brings us to…

    Fast-Flux
    Fast Flux is a term coined in the anti spam world to describe such Trojan horses’ activity. The DNS RR leading to the phishing server keeps changing, with a new IP address (or 10) every 10 minutes to a day. Trying to keep up and eliminate these sites before they move again is frustrating and problematic, making the bottle-neck the DNS RR which needs to be nuked.

    We may be able to follow that, but the bigger question is how to cope with it. Even if you can follow the description, dealing with all three of the above is going to stretch any skilled practitioner. And that's Evron's point:

    What am I trying to say here?

    All these activities are related, and therefore better coordination needs to be done much like we do on the DA and MWP groups, cross-industry and open-minded. R&D to back up operations is critical, as what’s good for today may be harmful tomorrow (killing C&C’s as an example).

    The industry needs to get off its high tree and see the light. There are good people who never heard about BGP but eat Trojans (sounds bad) for breakfast, and others need to see that just because some don’t know how to read binary code doesn’t mean they are not amazingly skilled and clued with how the network runs.

    This is not my research alone. I can only take credit for seeing the macro image and helping to connect the dots, as well as facilitate cooperation across our industry. Still, as much as many of this needs to remain quiet and done in secret-hand-shake clubs, a lot of this needs to get public and get public attention.

    Over-compartmentalizing and over-secrecy hurts us too, not just the US military. If we deal in secret only with what needs to be dealt in secret, people may actually keep that secret better, and more resources can be applied to deal with it.
    Some things are handled better when they are public, as obviously the bad guys already know about them and share them quite regularly. “Like candy” when it comes to malware samples, as an example.

    The Internet threat level is now systemic, and has been since the arisal of industrialised phishing, IMO. I've written many times before about the secrecy of the browser sector in dealing with phishing, and how the professional cryptographic community washed its hands of the problem. Microsoft's legendary castles of policy need no reminder, and it's not as if Apple, Sun, Symantec, Verisign or any other security company would ever do any better in measures of openness.

    Now someone over the other side of the phishing war is saying that he sees yet other tribes hiding in their fiefdoms, and I don't even know which tribes he's referring to. Gadi Evron concludes:

    -opinion-Our fault, us, the people who run these communities and global efforts, for being over-secretive on issues that should be public and thus also neglecting the issues that should really remain under some sort of secrecy, plus preventing you from defending yourself.

    Us, for being snobbish dolts and us, for thinking we invented the wheel, not to mention that we know everything or some of us who try to keep their spots of power and/or status by keeping new blood out (AV industry especially, the net-ops community is not alone in the sin of hubris).

    It’s time to wake up. The Internet is not about to die tomorrow and there is a lot of good effort from a lot of good people going around. Amazing even, but it is time to wake up and move, as we are losing the battle and the eventual war.

    Cyber-crime is real crime, only using the net. Cyber-terrorism will be here one day. If we can’t handle what we have on our plate today or worse, think we are OK, how will we handle it when it is here?

    Posted by iang at 08:03 AM | Comments (2) | TrackBack

    February 14, 2006

    SSL phishing, Microsoft moves to brand, and nyms

    fm points to Brian Krebs who documents an SSL-protected phishing attack. The cert was issued by Geotrust:

    Now here's where it gets really interesting. The phishing site, which is still up at the time of this writing, is protected by a Secure Sockets Layer (SSL) encryption certificate issued by a division of the credit reporting bureau Equifax that is now part of a company called Geotrust. SSL is a technology designed to ensure that sensitive information transmitted online cannot be read by a third-party who may have access to the data stream while it is being transmitted. All legitimate banking sites use them, but it's pretty rare to see them on fraudulent sites.

    (skipping details of certificate manufacturing...)

    Once a user is on the site, he can view more information about the site's security and authenticity by clicking on the padlock located in the browser's address field. Doing so, I was able to see that the certificate was issued by Equifax Secure Global eBusiness CA-1. The certificate also contains a link to a page displaying a "ChoicePoint Unique Identifier" for more information on the issuee, which confirms that this certificate was issued to a company called Mountain America that is based in Salt Lake City (where the real Mountain America credit union is based.)

    The site itself was closed down pretty quickly. For added spice beyond the normal, it also had a ChoicePoint unique Identifier in it! Over on SANS - something called the Internet Storm Center - Handler investigates why malware became a problem and chooses phishing. He has the Choicepoint story nailed:

    I asked about the ChoicePoint information and whether it was used as verification and was surprised to learn that ChoicePoint wasn't a "source" of data for the transaction, but rather was a "recipient" of data from Equifax/GeoTrust. According to Equifax/GeoTrust, "as part of the provisioning process with QuickSSL, your business will be registered with ChoicePoint, the nation's leading provider of identification and credential verification services."

    LOL... So now we know that the idea is to get everyone to believe in trusting trust and then sell them oodles of it. Quietly forgetting that the service was supposed to be about a little something called verification, something that can happen when there is no reason to defend the brand to the public.

    Who would'a thunk it? In other news, I attended an informal briefing on Microsoft's internal security agenda recently. The encouraging news is that they are moving to put logos on the chrome of the browser, negotiate with CAs to get the logos into the certificates, and move the user into the cycle of security. Basically, Trustbar, into IE. Making the brand work. Solving the MITM in browsers.

    There are lots of indicators that Microsoft is thinking about where to go. Their marketing department is moving to deflect attention with 10 Immutable Laws of Security:

    Law #1: If a bad guy can persuade you to run his program on your computer, it's not your computer anymore
    Law #2: If a bad guy can alter the operating system on your computer, it's not your computer anymore
    Law #3: If a bad guy has unrestricted physical access to your computer, it's not your computer anymore
    Law #4: If you allow a bad guy to upload programs to your website, it's not your website any more
    Law #5: Weak passwords trump strong security
    Law #6: A computer is only as secure as the administrator is trustworthy
    Law #7: Encrypted data is only as secure as the decryption key
    Law #8: An out of date virus scanner is only marginally better than no virus scanner at all
    Law #9: Absolute anonymity isn't practical, in real life or on the Web
    Law #10: Technology is not a panacea

    Immutable! I like that confidence, and so do the attackers. #9 is worth reading - as Microsoft are thinking very hard about identity these days. Now, on the surface, they may be thinking that if they can crack this nut about identity then they'll have a wonderful market ahead. But under the covers they are moving towards that which #9 conveniently leaves out - the key is the identity is the key, and its called psuedonymity, not anonymity. Rumour has it that Microsoft's Windows operating system is moving over to a psuedonymous base but there is little written about it.

    There was lots of other good news, too, but it was an informal briefing, so I informally didn't recall all of it. Personally, to me, this means my battle against phishing is drawing to a close - others far better financed and more powerful are carrying on the charge. Which is good because there is no shortage of battles in the future.

    To close, deliciously, from Brian (who now looks like he's been slashdotted):

    I put a call in to the Geotrust folks. Ironically, a customer service representative said most of the company's managers are presently attending a security conference in Northern California put on by RSA Security, the company that pretty much wrote the book on SSL security and whose encryption algorithms power the whole process. When I hear back from Geotrust, I'll update this post.

    That's the company that also ditched SSL as a browsing security method, recently. At least they've still got the conference business.

    Posted by iang at 06:21 AM | Comments (1) | TrackBack

    February 07, 2006

    The Market Price of a Vulnerability

    More on threats. A paper Paul sent to me mentions that:

    Stuart Schechter’s thesis [11] on vulnerability markets actually discusses bug challenges in great detail and he coined the term market price of vulnerability (MPV) as a metric for security strength.

    A good observation - if we can price the value of a vulnerability then we can use that as a proxy for the strength of security. What luck then that this week, we found out that the price of the Windows Metafile (WMF) bug was ... $4000!.

    The Windows Metafile (WMF) bug that caused users -- and Microsoft -- so much grief in December and January spread like it did because Russian hackers sold an exploit to anyone who had the cash, a security researcher said Friday.

    The bug in Windows' rendering of WMF images was serious enough that Microsoft issued an out-of-cycle patch for the problem in early January, in part because scores of different exploits lurked on thousands of Web sites, including many compromised legitimate sites. At one point, Microsoft was even accused of purposefully creating the vulnerability as a "back door" into Windows.

    Alexander Gostev, a senior virus analyst for Moscow-based Kaspersky Labs, recently published research that claimed the WMF exploits could be traced back to an unnamed person who, around Dec. 1, 2005, found the vulnerability.

    "It took a few days for exploit-enabling code to be developed," wrote Gostev in the paper published online, but by the middle of the month, that chore was completed. And then exploit went up for sale.

    "It seems that two or three competing hacker groups from Russian were selling this exploit for $4,000," said Gostev.

    (That's a good article, jam-packed with good info.) Back to the paper. Rainer Bohme surveys 5 different vulnerability markets. Here's one:

    Vulnerability brokers are often referred to as “vulnerability sharing circles”. These clubs are built around independent organizations (mostly private companies) who offer money for new vulnerability reports, which they circulate within a closed group of subscribers to their security alert service. In the standard model, only good guys are allowed to join the club. The customer bases are said to consist of both vendors, who thus learn about bugs to fix, and corporate users, who want to protect their systems even before a patch becomes available. With annual subscription fees of more than ten times the reward for a vulnerability report, the business model seems so profitable that there are multiple players in the market: iDefense, TippingPoint, Digital Armaments, just to name a few.

    OK! He also considers Bug Challenges, Bug Auctions, Exploit derivatives, and insurance. Conclusion?

    It appears that exploit derivatives and cyber-insurance are both acceptable, with exploit derivatives having an advantage as timely indicator whereas cyber-insurance gets adeduction in efficiency due to the presumably high transaction costs. What’s more, both concepts complement one another. Please note the limitations of this qualitative assessment, which should be regarded as a starting point for discussion and exchange of views.
    Posted by iang at 10:52 AM | Comments (1) | TrackBack

    Picturing her location

    On this article there is a picture. Which is worth a thousand words.

    Coming to a mobile/cell near you. The text says "as of 04/11/2005 15:30:51 (2 months, 2 weeks ago), the GPS Device PERSONAL TRACKER was in the vicinity of Wimbledon"

    Which reminds me of the recent Woody Allen movie, Match Point. I should also pass on Fm's pointer that as of 05/23/2005 12:00:00 (2 years, 9 months ago), the NTK Threats Tracker was in the vicinity of spot on:

    Still, technology marches on. If you ask us, the real future is in *massively parallel peer-to-peer* elves. Take FLEET ONLINE. This Dutch business-oriented service was introduced a month ago to the UK. It's a pay-as-you-go site that lets companies instantly locate their employees' mobile phones, to a granularity of the nearest cell (ie 50m in urban areas). Positioning costs 25p a shot. Here's the real gimmick, though: you can sign up yourself, and then add any mobile phone you'd like to be geolocated. Oh sure, your victim will get an initial "Do you want to be tracked?" opt-in message, and then another in two weeks. But think of all the phones you can get physical access to long enough to say yes to that original text. Friends! Spouses! Potential stalking fodder! And what you could do in two weeks. Supposing you're a burgling elf: you could nick that phone, sign it up, give it back, find out where they live via the geolocator. And then *find out when they're out*! It's a RISKS Digest all of its own!

    http://www.fleetonline.net/ - that'll give the geourl people something to play with

    Posted by iang at 05:10 AM | Comments (1) | TrackBack

    February 05, 2006

    Threatwatch - tracking you, tracking me, tracking us all

    We all know that cell-phones have been trackable to the tower point quite trivially, and even beyond that if the operator deigns to do some triangulation. That's how they - allegedly - tracked the London bomber through Italy.

    But I admit to being surprised that the telco operators would *sell* this information. I suppose it is obvious, in hindsight, but what cojones!

    I unplugged her phone and took it upstairs to register it on a website I had been told about. It looks as if the service is mainly for tracking stock and staff movements: the Guardian, rather sensibly, doesn't want me to tell you any more than that. I ticked the website's terms and conditions without reading them, put in my debit card details, and bought 25 GSM Credits for £5 plusvat.

    Almost immediately, my girlfriend's phone vibrated with a new text message. "Ben Goldacre has requested to add you to their Buddy List! To accept, simply reply to this message with 'LOCATE'". I sent the requested reply. The phone vibrated again. A second text arrived: "WARNING: [this service] allows other people to know where you are. For your own safety make sure that you know who is locating you." I deleted both these text messages.

    On the website, I see the familiar number in my list of "GSM devices" and I click "locate". A map appears of the area in which we live, with a person-shaped blob in the middle, roughly 100 yards from our home. The phone doesn't go off at all. There is no trace of what I'm doing on her phone. I can't quite believe my eyes: I knew that the police could do this, and telecommunications companies, but not any old random person with five minutes access to someone else's phone. I can't find anything in her mobile that could possibly let her know that I'm checking her location. As devious systems go, it's foolproof. I set up the website to track her at regular intervals, take a snapshot of her whereabouts automatically, every half hour, and plot her path on the map, so that I can view it at my leisure. It felt, I have to say, exceedingly wrong.

    Well, that basically means we all now have the tracking devices that we all were scared off. Never mind the bluster about warning messages, somehow we all slipped into the tracking society without even knowing it.

    The tracking threat meter is now pegged hard ON. The response is likely to be IP telephony with bluetooth/802.11 bridging into the open network. Not because of the eavesdropping - that old silly worry about encryption - but because of the location searching. Eavesdropping is not an economic threat to most people most of the time, but tracking is. Tracking location can be used years afterwards, whereas nobody on the planet except the NSA has time to listen to 1000's of hours of chit chat with the spouse.

    Meanwhile something that didn't surprise me was the Greek Prime Minister's affair:

    Athens - Mobile phones belonging to top Greek military and government officials — including the Prime Minister — and the U.S. embassy were tapped for nearly a year beginning in the weeks before the 2004 Olympic games, the government said Thursday. .... Mr. Roussopoulos said the surveillance was carried out through spy software installed in the central system of Vodafone, the mobile telephony provider that served the targets. Calls were then diverted to mobile phones using pay-as-you-go services, which are difficult to trace.

    So, someone connected into the switches and installed some diverts or conference shares. Cunningly, they diverted the conference sharing to pre-paid mobiles which were probably hacked to record.

    Now, my experience in telcos doesn't go very far, having only worked twice for them, and then only peripherally to switches. But here's what I recall, FWIW (please, anyone with more uptodate info, chime in!) :

    Switches have very basic security. They are all digital, these days. They are all centrally manageable. And the source code is secret. e.g., it's almost as bad as windows - you google around, download a few docs and programs, hack in and you're in. The only reason this is unknown is because switches just aren't that interesting. (Waddya gonna do - divert your mother's few phone calls? Download Paris Hilton's billing records? Roight... Phone phreaking disappeared the minute Internet came along because the net was more fun.)

    Better, or worse, the security departments work hand in glove with the national authorities. The switches are after all built by very big companies, almost always "national champions." They are generally sold to other very big companies, who all used to be national champions back in the good old days, but these days are more likely to be wannabe champions with the same mindset.

    So I would conclude that this is in the "of course" basket. Of course you - anyone - can do this, the challenge would be to show that you couldn't. More apropos would be to ask if this sort of capability is built into Cisco routers. Just in the "China specials" or all of them?

    Cisco also released a statement recently aimed at dispelling the persistent rumor that it sold China custom hardware designed to make censorship simple. The company, it says , "has not designed or marketed products for any government to censor Internet content." Reporters without Borders disagrees - and they were the ones who had the Congressional ear today.

    Or, to ask what the Greek counter-intelligence people are up to - what were they doing all these years letting their assets use unprotected mobile phones over unprotected and wide-open commercial telco networks? How dumb is that?

    The list of about 100 people whose telephones were tapped included the ministers of foreign affairs, defence, public order and justice. Most of Greece's top military and police officers were also targeted, as were foreign ministry officials, a US embassy number and the prime minister's wife, Natasha.

    My advise - if Natasha divorces the PM, she should name the chief of counter-intelligence agencies in the filing.


    Greece reveals cellphone tap spy scandal
    By NICHOLAS PAPHITIS
    Thursday, February 2, 2006 Posted at 7:35 PM EST
    Associated Press
    Athens - Mobile phones belonging to top Greek military and government officials — including the Prime Minister — and the U.S. embassy were tapped for nearly a year beginning in the weeks before the 2004 Olympic games, the government said Thursday.
    It was not known who was responsible for the taps, which numbered about 100 and included Greek Prime Minister Costas Caramanlis and his wife, and the ministers of foreign affairs, defence, public order and justice. Most of Greece's top military and police officers were also targeted, as were foreign ministry officials and a U.S. embassy number. Also tapped were some journalists and human rights activists.
    The phone tapping “started before the 2004 Olympic Games and probably continued until March 2005, when it was discovered,” government spokesman Theodoros Roussopoulos said at a news conference.
    Mr. Roussopoulos said it had not been possible to identify who was behind the tapping.

    “It was an unknown individual, or individuals, who used high technology,” he said.
    Mr. Roussopoulos said the surveillance was carried out through spy software installed in the central system of Vodafone, the mobile telephony provider that served the targets.
    Calls were then diverted to mobile phones using pay-as-you-go services, which are difficult to trace.
    An investigation showed that these mobiles had been used in a central Athens area where many foreign embassies are located, though Mr. Roussopoulos refused to speculate on whether foreign agencies might be involved.
    “I estimate that no harm was caused to our national issues,” Mr. Roussopoulos said. “The prime minister does not just use one mobile phone.”
    He said the government first heard of the tapping in March 2005, when it was tipped off by Vodafone Greece CEO Giorgos Koronias.
    Vodafone — one of the country's four mobile telephony providers — discovered the tapping after receiving complaints from customers over problems operating their phones.
    Mr. Koronias issued a statement saying the company removed the spyware immediately after it was located, and informed the competent state authorities.
    Athens prosecutor Dimitris Papangelopoulos brought misdemeanor charges of breaching the privacy of phone calls against “unknown persons” earlier Thursday, the Justice Minister said.
    The prosecutor will also investigate whether there are grounds for bringing criminal charges of espionage, the Minister said.
    The government pledged the inquiry would be full and fair.

    Posted by iang at 08:49 AM | Comments (7) | TrackBack

    February 04, 2006

    The Price for Your Identity

    So what does it cost to forge an identity? Here's a list of costs (with updates moved to end) that lead us to the answer. First off, in Britain:

    When interviewed the duo said they were conducting at least eight transactions a day, totalling around 5,000 sales over two years. A passport would cost £350, a national insurance card or a driving license would cost £50 to £75.

    In Japan, driver's licences are no trouble if you know a Colombian (sorry, URL is duff, see below for full story).

    The Hyogo prefectural police and other police headquarters have arrested 12 members of the ring, nine of them Colombians. The police reported that some of the suspects said that in addition to the forged passports, they bought bogus driver's licenses and cash cards before entering Japan for only 20 dollars.

    Back to Britain, and the Sunday Herald dives into the business of undercover policework. Here's a heavily redacted snippage indicating a top-drawer contender.

    He tells us one passport costs just over £1000, but if we buy more, the price drops to around £800. ... There, Pavel brings out a sample of the kind of passport he will be able to get for us. The passports are 100% authentic to the eye. ... British immigration and passport experts who examined the document on guarantee of anonymity said it was “the very best [they’d] ever seen”. It even passed an ultraviolet light test which British passport controllers use to show up hidden watermarks which are in every genuine document.

    They said it was “real” and could easily be used to open a bank account without alerting any suspicion.
    ...
    The officer, who takes the lead on ID theft within the SDEA, added: “There has been an upswing in the trade in fake documentation.

    Addendums. Just found some numbers from an old post on EC:

    Social Security cards run about $20, green cards about $70 and a California driver's license between $60 and $250. The price jumps up for higher-quality documents, such as IDs with magnetic strips containing real information — often from victims of identity theft.

    Maybe that's where I got the idea from...


    Please note that the purpose of collecting this information is for security researchers to form a validated view of what it costs an attacker to breach their designs (so I won't bother to point out where you can buy them).

    Most security designs simply assume that collecting the identity of someone grants the holder magical security properties; unfortunately the truth is far less encouraging and the result is that relying on identity collection is probably only reliable for stopping honest people and your poorer class of criminal from defrauding the system.

    Here's my predicted benchmark - forging any identity costs approximately 1000 (in today's major units). I'll update that as we get better into it.


    20 dollars IDs foil immigration officials

    The Yomiuri Shimbun

    Colombians arrested here over their suspected involvement in a burglary ring entered Japan on fake passports and other forms of counterfeit identification purchased for only 20 dollars, police learned Thursday.

    The Hyogo prefectural police quoted one of the suspects as saying there is an organization in Colombia that forges such documents.

    The ring is suspected of committing more than 100 burglaries in 11 prefectures, including Osaka and Hyogo, over the last three years, netting items and cash worth hundreds of millions of yen.

    The Hyogo prefectural police and other police headquarters have arrested 12 members of the ring, nine of them Colombians. The police reported that some of the suspects said that in addition to the forged passports, they bought bogus driver's licenses and cash cards before entering Japan for only 20 dollars.

    Some of the suspects reportedly told the police that many houses are left unlocked in Japan, and people here pay little thought to crime prevention.

    The suspects are believed to have sold electrical appliances and other stolen items and sent the money to relatives in Colombia.

    According to the Hyogo prefectural police, one of the suspects previously had been deported from Japan, but returned on a fake passport.

    The police arrested the alleged ringleader Akihiro Nagashima, 36, and two Colombian men in November on suspicion of stealing a television and other items from a house in Wakayama. Nagashima has been indicted on the charge.

    The burglary ring is believed to comprise about 20 members, about 80 percent of whom are believed to be Colombians.

    (Jan. 28, 2006)

    ¿ The Yomiuri Shimbun.
    http://www.yomiuri.co.jp/dy/national/20060128tdy02001.htm


    Addendums.

    20060305 USA reports how much it costs to find false identities:

    Glendining offers his doormen $20 gift certificates for each fake ID pulled. In recent years, the fake IDs have gotten better. “You really gotta make the best effort you can,” Glendining said.

    The bar keeps a sample of real and fake IDs around for doormen to learn from. Telltale signs of a fake include IDs that crack when bent, eye color or height that doesn’t match or a nervous person shuffling. But oftentimes, it comes down to the feel of the ID.

    Spotted in EC.


    20060223. Israel:

    The Israeli passport is considered to be one of the easiest passports to forge and can be purchased in Asia, and especially in Thailand's markets, for anywhere from USD 500 to 2000. The Israeli passport is in great demand because people carrying it can enter Asian countries without a visa. .... During interrogation, [six Iranians] confessed that they purchased the passports in Thailand for USD 1,000 for the purpose of entering Macau easily.


    20060216, Britain:

    LONDON: The head of security at Arsenal’s new stadium ran a racket supplying guards on the site with fake passports. Ademola Adeniran, 39, an illegal immigrant, supplied documents stamped with "indefinite leave to remain" for men working there. Adeniran, of Hackney, was caught with more than 100 fake Nigerian and South African passports when police raided his home. They are thought to be worth £200 each on the black market.

    20060212. In Britain

    London is a major centre for Asian and African gangs based in Thailand to sell counterfeit European passports, mostly to people from the Middle East, immigration police chief Pol Lt-Gen Suwat Thamrongsrisakul says. Immigration police last year seized 572 fake passports, of which 184 were Belgian, 155 Portuguese, 139 Spanish and 94 French, he said yesterday. All the counterfeits were printed in Bangkok, taken to London and sold for about 1,000 (about 68,000 baht) each by brokers who made about 20% profit on them, he said.


    20060516. In Britain

    "I charge £700 for each one but can give you a £100 discount if you order two. I can do most EU countries including Greece, Denmark, Spain, Italy, Poland, Latvia and Lithuania."
    Posted by iang at 04:56 PM | Comments (1) | TrackBack

    January 19, 2006

    The node is the threat: Mozilla, the CIA, Skype, Symantec, Sony, .... and finally a WIRE THREAT: Bush

    Firefox reaches around 20% market share in one "weekend" survey in Europe. Bull-rating! If this keeps going on, I'll run out of predictions by the end of January.

    In other news, a Firefox developer caused a furore on slashdot by adding a URL tracking feature. Firefox needs to meet the interests of parties other than yourself in your browsing habits. In this case, it is probably Google; the fact that the developer put the feature in without any way to turn it off is telling.

    Readers will recall a recent thread on governance in non-profits which goes some way to explaining this confusion (1, 2). Mozilla now has two interested groups - those that supply money and those that don't. How Mozilla brings itself to reconcile the conflicts between these two groups is worth watching - but also difficult to divine, as Mozilla have a fairly consistent policy of debating in secret and announcing later (the root list policy was a notable exception!).

    The threats situation is daily growing more complex. Let's review more evidence (as if it is needed) on threat models. Over in Milan, prosecutors have revealed some details of the CIA kidnapping case. The alleged kidnappers left behind disk drives with emails that warned the agents to get out of Italy, as well as indicated who was the leader of the kidnapping crew.

    On June 23, the day the warrants were issued, police searched the villa in the Italian wine region of Asti where Lady had retired with his wife at the end of 2003. From the hard drive of one of his computers police recovered the e-mail message, which someone had attempted to delete, plus other documents they say establish Lady as the organizer of the kidnapping.

    The prosecutors have distributed 22 search warrants throughout Europe and intend to seek extradition from the US next. One of the alleged kidnappers was reached by reporters in Washington DC, but her name was not published at the request of the CIA, who say she is still active and undercover. (Which would then put the reporters in the curious position of obstructing justice if they ever travel to Europe!)

    Back to threat models. That email on that drive! Darn it, the threat is on the node, says I. For a long time now I have been asserting that _the node is the threat_ and I've conducted a search for evidence that there is any threat to the wire. Long, boring, and ultimately futile was the quest! But now, I can at last reveal the quest may be over:

    The Bush administration is engaged in the novel legal experiment of ordering illegal wiretaps so as to show why it needs the facility to harvest Americans' conversations without a court supervision. We now have an Executive Order, no less, mandating the NSA to threaten the wires of civilian America. Now, in times past one could have said that the NSA would have been strictly interested in bad guys outside the country, giving some protection to the populace who weren't plotting the overthrow of the USA. But those days are gone, even inside supporters of the administration are admitting that these extraordinary powers are desperately needed to get back at the internal enemies that made life so difficult for them in the past years. And I'm not just referring to the democrats or democracy. So this means we have bona fide evidence of a major eavesdropping threat to the wire - albeit one to Americans only.

    Still, even with this stunning Executive Order, no less, the threat to the node remains more severe, I claim. News just in from Skype in China:

    Skype had a dilemma. The Internet telephony and messaging service wanted to enter China with TOM Online (TOMO), a Beijing company controlled by Hong Kong billionaire Li Ka-shing. Li's people told their Skype Technologies (EBAY) partners that, to avoid problems with the Chinese leadership, they needed filters to screen out words in text messages deemed offensive by Beijing. No filtering, no service.

    At first Skype executives resisted, says a source familiar with the venture. But after it became clear that Skype had no choice, the company relented: TOM and Skype now filter phrases such as "Falun Gong" and "Dalai Lama." Neither company would comment on the record.

    First blood! This might be the first news that Skype is not protecting its users, which might explain why that other panda-shaped company, eBay, was ready to buy it. OTOH, the news comes from BusinessWeek, who aren't exactly above a hatchet job for political favours.

    Either way, Skype was good while it lasted. In the department of corporate attackers it seems that Symantec has also been caught out installing root kits on Windows machines. They issued a patch, but not before saying that they were unaware of any hackers taking advantage... Oh, and poor old Sony, another corporate attacker caught with its hands in the root kit cookie jar has waved the white flag:

    Federal judge Naomi Rice Buchwald gave tentative approval on Jan. 12th to a settlement in one of the many lawsuits filed against Sony over the rootkits. The settlement terms included offering cash payments or free music downloads to buyers of the affected CD's, and prevents Sony from selling any CD's with copy-protected software until 2008 at the earliest.

    Lawsuits filed by Texas Attorney General Greg Abbott and the Electronic Frontier Foundation against Sony are still going ahead.

    Thank heavens someone is taking on the attackers. Security observers (I no longer use the term 'security expert', a new year's resolution) scurried for cover in case they were asked to suggest whether a crime had been committed. Windows users may as well get used to it - with friends like that, they're not in dire need of new enemies.

    Posted by iang at 06:53 AM | Comments (0) | TrackBack

    December 28, 2005

    2006 - The Year of the Bull

    2005 was when the Snail lost its identity. What is to come in 2006? Prediction always being a fool's game compared to the wiser trick of waiting until it happens and then claiming credit, here's a list of strategic plays for the year to come.

    1. Government will charge into cybersecurity. So far, the notion of government involvement has been muted, as there have been enough voices pointing out that while the private sector may not have a good idea, it certainly has a less bad idea than the government. Cybersecurity departments have been duly and thankfully restricted.

    I suspect in 2006, the Bull will begin to Roar through our China Shop. Calls seem to be escalating in all areas. This is a reflection of many factors:

    For all that, calls to send in the cavalry will increase. Oh course, we know that we the user will be more insecure and poorer as a result of the Bull market for cybersecurity. What we don't know is how much worse it will be, and I daren't predict that :)

    2. Anti-virus manufacturers will have a bad year. Not so much in profits, which might perversely go up, but in terms of their ability to make a difference. Kapersky of eponymously named company points out that it is getting much harder. We know the crooks are getting much more focussed due to their revenues cycle. Also of note is that Microsoft has entered the game of selling you (not me) protection for their OS breaches - bringing with it a whole messy smelly pile of conflicts which will make it even harder for the "independent" anti-virus providers.

    3. Firefox will continue to grow. My guess is that it will get past 15%, probably to 20%. Microsoft won't fight back seriously, they have other battles, even though this would leave them at say 70-75% (Safari, Opera, Konqueror take 5-10%).

    3.b But sometime by the end of the 2006, Firefox will be seriously bloodied as it runs into security attacks targetted directly at it. What does this mean? Firefox crosses GP sometime soon, in terms of financial fraud.

    The only ones this will surprise will be Mozilla. Most observers with a clue have realised that Firefox has enjoyed its reputation due to reasonably sound factors, but these factors are just basic engineering issues like a re-write and solid coding practices, not those high level practices that distinguish the security projects (BSD, PGP, etc).

    This probably won't hold back Firefox's growth, as their mission to give browser users a choice remains aligned with our needs, and it remains tremendously useful even if the security rep takes a knock. So be it. But by the end of the year, expect some hand-wringing and moaning and more than usually confusing comments from Mozo Central's revolving security spokesman of the day.

    3.c Also expect Mozilla to start talking about the next step in commercialisation -- the IPO. The discipline of the public company will start to look very attractive to those tasked with sorting out intractable internal conflicts inherited from the touchy-feely open source world.

    4. In payments, the number of non-bank payment systems looks like it will increase dramatically. Gift card systems are exploding as companies discover that they take the money up front so they get financing at a better rate than the bank offers -- Free! -- and the wastage rate is better than any retail margin seen outside monopoly products. It doesn't take much for these to be integrated into an online account system - after all, what is a gift card but a psuedonymous account identifier. Then, once the alignment takes place, adding user-to-user payments is just a switch to throw one the weekend when your bank isn't looking. Maybe 2006 will be the year of the indie payment system?

    5. No predictions for the gold sector. Even though the gold unit is skyrocketing and will continue to do that, there are continuing woes facing the issuers which they haven't sorted out long term. The bounty of people rushing up the gold price curve is offset by the cowboy image of the gold issuers.

    6. Mac OSX will get to 7 or 8% of the market, maybe 10% if the intel change goes well. Given the aggressiveness of the PC world, that can be considered to be a stunning result. The BSDs and the Linuxes still won't penetrate the desktop as much as we'd like, but it will become reasonable to talk about a Microsoft-free environment.

    6.b I might finally acquire a Mac. Not because I want to -- I hate the UI, the keyboards suck, and they haven't got the reliability of the old thinkpad workhorses -- but for reasons too irrelevent and arcane to go into today.

    7. Google will grow and prosper and survive. This might be an odd thing to predict, but the thing with Google is that it is a bit like a Netscape with an endless supply of revenue. As one insider put it to me recently, it was a boon to the world when Netscape was cleaned out as that meant we could get on with business. Unfortunately, google has lots of revenue, so the mad cats will be financed and the projects just go on and on and on... I expect by the end of the year, though, we'll see adverts for cat herders as long term insiders realise that some chaos is good but most is just chaos.

    8. Microsoft will not succeed in sorting out its security mess and will continue to lose market share. Let's get this in perspective - it will probably drop down from around 90% to around 80% allround. Nothing worth crying over, and indeed, it will give the company some sorely lacking focus.

    Some time around the end of 2006, some soul searching will result in serious investigation of other operating systems. So, who wants to bet on what OS Microsoft will pick up? Here's my anti-picks: it won't be Unix, and it won't be Java (which in its J2EE form is more or less a server OS, and then there's Swing...).

    9. Macs won't be seriously hit by security issues, but will suffer a few minor embarrassments which will be trumped up in the press. The Mac application space will come under attack. On the other hand, Apple doesn't look ready for a security war, and will muff it, regardless. Welcome to the Hotel California!

    10. I've predicted these before and not seen them so I'll predict them again:

    • class action suites on security against suppliers.
    • the perfect phish - one that includes the SSL+certs within, rather than goes around
    • Also look for a real-time phish to defeat the two-factor authentication tools that the banks are rushing out now.

    In the security world, it is important to avoid the disclosure of being completely and utterly wrong; these above predictions are my way of avoiding that terrible fate. Neat, huh? On the other hand, I probably needn't have bothered. The security discipline is missing, presumed dead. Experts have hummed and hahed and shuffled feet over the mess for so long that it is now at the point where when anyone hears a so-called 'security expert' talk, they mentally discount most of what is said.

    Try it! By the end of the year, I predict open derision of anyone who pretends to be a security professional. Dilbert, anyone?

    11. By the end of 2006, the secure browsing system that we know and love to hate -- SSL, $30 certificates, popup madness and that sodding padlock -- will have been bypassed. By the good guys, I mean -- it's been bypassed by the bad guys for several years, already.

    It will no longer be part of the security model for browsing. What will become the security model will depend on what sector is doing the securing:

    • banks will have their two-factor tokens because they were told to,
    • smart users (and their mothers) will have their Trustbars and Petnames,
    • smart companies will customise the above plugins, and
    • even smarter operators will send out confirmations by email and by cell/mob

    That's for the lightweight stuff. For the heavyweight stuff, look for alternate plaforms, like....

    12. We'll see the much more use of two-factor authentication by cellular or mobile phone. I.e., SMS messages, or downloadable programs on phones to calculate the challenge/response. Why? Everyone's got a phone and they are a separate means of communication. (Why it's taking so long bothers me - is there something I'm missing?)


    13. Unluckily for authors, artists, and blog writers, nothing much will change in DRM. Music sellers will sue file swappers, concentrating on the demographic of 12-17. File swappers will continue to swap, and learn how much better their own music is. The techniques of both sides will advance and both will be widely copied and nobody will make any money.

    My bulls here are courtesy images.google.com, and if I made any money from this blog, I'd be one sorry matador. Some time around 2007, all IP owners will realise they cannot win this war, and all swappers will get religious about DRM. A papal bull will be issued and a property love-in will ensue. Nobody will fight over the rights for the book, musical, philosophical or TV. By then we will have worked out the killer rights paradigm - convenience.

    Hopefully we will be invited back for the love-in. Merry Xmas, Happy New Year, Season's Greetings, and may your packets move at Kelvin speed. I wish you a happy Year of the Bull.


    Some other predictions:

    Posted by iang at 04:14 PM | Comments (5) | TrackBack

    December 17, 2005

    Sighting of near-extinct beast - the profitable crypto attacker

    Regular readers know that I frequently stress that many threats are unvalidated in that they derive from a textbook or a security salesman's hyperactive imagination. So it behoves to collect data on what are validated threats. In what might be a first and is certainly an event of rarity, we now have a report that indicates two cryptosystems that were breached in an attack of value.

    The first looks like a classical insider attack against a digsig system by tricks that bypassed the checking of the signatures by switching their need off.

    It is the second one that is of more interest as it looks like a direct attack on the encryption system, rather than a bypass attack.

    E-Hijacking new threat to trucking

    by Sean Kilcarr, senior editor - Nov 3, 2005 4:02 PM

    WASHINGTON D.C. The growing use of telematics for both gathering truck performance data and for sending and receiving shipping documents also exposes trucking to a new form of crime called "e-hijacking."

    At a special trucking safety and security seminar hosted by law firm Patton Boggs LLP here in the nation's capital, Stephen Spoonamore, CEO of data security consulting firm Cybrinth, gave examples of recent e-hijacking events to illustrate why data security in trucking needs tightening.

    He pointed to the supposed loss of 3.9-million banking records stored on computer backup tapes that were being shipped by UPS from New York-based Citigroup to an Experian credit bureau in Texas. "These tapes were not lost - they were stolen," Spoonamore said. "Not only were they stolen, the theft occurred by altering the electronic manifest in transit so it would be delivered right to the thieves." He added that UPS, Citigroup, and Experian spent four days blaming each other for losing the shipment before realizing it had actually been stolen.

    Spoonamore, a veteran of the intelligence community, said in his analysis of this e-hijacking, upwards of 15 to 20 people needed to be involved to hack five different computer systems simultaneously to breach the electronic safeguards on the electronic manifest. The manifest was reset from "secure" to "standard" while in transit, so it could be delivered without the required three signatures, he said. Afterward the manifest was put back to "secure" and three signatures were uploaded into the system to appear as if proper procedures had been followed.
    "What's important to remember here is that there is no such thing as 'security' in the data world: all data systems can and will be breached," Spoonamore said. "What you can have, however, is data custody so you know at all times who has it, if they are supposed to have it, and what they are doing with it. Custody is what begets data security."

    Another case involved a fleet of 350 trucks shipping hazardous materials using telematics to download and track vehicle operating data in real-time - monitoring engine speed, hard braking events, etc.

    Spoonamore said the data streams coming from those vehicles only used a basic level of encryption - codes broken by what he called an "enterprising" local law firm that proceeded to download four months of operating data on each truck - especially the actual road speed of each truck over that period, down to the decimal point. The law firm then sued the trucking company for speeding violations, using the carrier's own telematics data against it.

    "[Telematics] can tell you at 2 a.m. precisely where your truck is - but do you know where your data is at that time? That's why you can't totally trust your computer anymore," Spoonamore cautioned.

    Note the difference between the two: the hackers in the first had to expose themselves to significant costs to attack the system; this is in accordance with the goal of the security, being to raise the costs of the attack. In the second, once cracked, the costs of the attack were fairly minimal and there was little exposure. So much so that the attacker successfully entered court and displayed all!

    Other bloggers have picked it up (EC pointed to Bruce Schneier). Chris Walsh quite correctly points out it is uncorroborated, and the notion of an insider attack involving 15-20 people has to be treated with care if not outright suspicion. Still, something happened, and this is one to watch in our developing threat scenario.

    Maybe we can now start a count of how many times the crypto is attacked!

    Addendum:I incorrectly attributed the comments above to Adam, it was Chris who posted over on Emergent Chaos.

    Posted by iang at 09:48 AM | Comments (2) | TrackBack

    November 27, 2005

    Who v. Who - more on the dilemma of the classical attacker

    In the military they say no plan survives the first shot, and call this aptly "the fog of war." The best laid plans of the security industry and various parliaments (US Congress, the European Union, etc) are being challenged in war as in music. Now comes news that one DRM supplier is threatening to reverse-engineer the DRM of another supplier.

    A company that specializes in rights-management technology for online stores has declared its plans to reverse-engineer the FairPlay encoding system Apple uses on iTunes Music Store purchases. The move by Cupertino-based Navio Systems would essentially break Apple’s Digital Rights Management (DRM) system in order to allow other online music retailers to sell downloads that are both DRM-encoded and iPod-compatible by early 2006.

    “Typically, we embrace and want to work with the providers of the DRM,” said Ray Schaaf, Navio’s chief operating officer. “With respect to FairPlay, right now Apple doesn’t license that, so we take the view that as RealNetworks allows users to buy FairPlay songs on Rhapsody, we would take the same approach.”

    In 2004, after unsuccessfully courting Apple to license FairPlay, RealNetworks introduced its Harmony technology, which allowed users to buy music from online sources other than the iTunes Music Store and transfer it to their iPod. RealNetworks’ move was then denounced by Apple as adopting “the tactics and ethics of a hacker to break into the iPod.” In December of 2004, Apple shot back by releasing an iPod software update that disabled support for RealNetworks-purchased songs.

    I forgot to add: This trend is by no mean isolated, as pointed to by Adam. Here's an account of AOL inserting capabilities into our computers. I noticed this myself, and had to clean out these bots while making a mental note to never trust AOL with any important data or contacts.

    Big mistake. That was my list, not AOL's. They've violated my personal space. By doing this they've demonstrated that my data — my list of contacts — can be tampered with at their whim. I have to wonder what comes next? Can my lists be sold, or mined for more data? Will they find out if my buddies purchase something online and then market that thing to me, on the assumption that I share mutual tastes? Just what is AOL doing with my data?


    Posted by iang at 10:00 AM | Comments (1) | TrackBack

    November 19, 2005

    Security is failing - more evidence from Sony

    In the fall-out from the Sony root-kit affair, here's an interesting view:

    Sony Rootkits: A Sign Of Security Industry Failure?

    Nov. 18, 2005 By Gregg Keizer TechWeb News

    One analyst wonders why it took so long to catch onto Sony's use of rootkits on CDs and whether customers may have a false sense of security.

    Sony's controversial copy-protection scheme had been in use for seven months before its cloaking rootkit was discovered, leading one analyst to question the effectiveness of the security industry.

    "[For] at least for seven months, Sony BMG Music CD buyers have been installing rootkits on their PCs. Why then did no security software vendor detect a problem and alert customers?" asked Joe Wilcox, an analyst with JupiterResearch.

    "Where the failure is, that's the question mark. Is it an indictment of how consumers view security software, that they have a sense of false protection, even when they don't update their anti-virus and anti-spyware software?

    "Or is it in how data is collected by security companies and how they're analyzing to catch trends?"

    Ouch! I wondered before who was attacking who, but this is a good point that goes further. Why didn't anti-virus programs detect the attack from Sony? We rely on the anti-virus sellers in the Microsoft field to protect from the weakness of the underlying OS.

    It shouldn't be a surprise to discover that there is some form of selective detection going on in the Microsoft security world - the rest of the article identifies that their source of information is problem reports, honeynets, and a vague but interesting comment:

    "Frankly, we were busy looking for where the [spyware] money was going," said Curry. "We weren't looking at legitimate industries."

    This is probably as it should be. Microsoft creates the vulnerabilities and the rest of the industry follows along cleaning up. It isn't possible to be more than reactive in this business, as to be proactive will lead to making mistakes - at cost to the company selling the security software. So companies will routinely promise to clean up 100% of the viruses on their list of viruses that they clean up 100% of.

    (Note that this still leaves the cost of missed attacks like the Sony rootkit, but that is borne by the user, a problem for another day.)

    The next interesting question is whether Sony, or the inevitable imitators that come along, are going to negotiate a pass with the anti-virus sellers. That is, pay blood money to anti-virus scanners for their rootkit. In the spam world, these are called "pink sheets" for some obscure reason. Will an industry in acceptable, paid for attacks on Microsoft's OS spring up? Or has it already sprung up and we just don't know it?

    If so, I'd have to change the title of this rant to "Security is getting more economic..."

    Addendum:

    Posted by iang at 08:58 AM | Comments (1) | TrackBack

    November 13, 2005

    anti-forensics - why do vapourware security tools sell so well?

    Hagai Bar-El points to a paper on the market for anti-forensic tools - ones that wipe your tracks after you've done your naughty deed.

    I have just enjoyed reading "Evaluating Commercial Counter-Forensic Tools" by Matthew Geiger from Carnegie Mellon University. The paper presents failures in commercially-available applications that offer covering the user's tracks. These applications perform removal of (presumably) all footprints left by browsing and file management activities, and so forth. To make a long story short: seven out of seven such applications failed, to this or that level, in fulfilling their claims. ...

    The next thing I was wondering about is how come these products sell so well, given that they do not provide what they state they do, in a way that is sometimes so evident.

    I think a partial answer to why these things sell so well might be found in the debate about security as viewed as a market in insufficient information. It has been suggested that security is a market for lemons (one where the customer does not know the good from the bad) but I prefer to refer to security as a market for silver bullets (one where neither the customer nor the supplier know good from bad).

    Either way, in such insufficient markets, the way sales arise is often quite counter intiutive. In a draft paper (html and PS), I make the claim that sales in the market for security have nothing to do with security, but are driven by other factors.

    So, once we appreciate that disconnect in the market, it's quite easy to prediuct that vapourware sells better than real product, because the real product has higher costs which means less marketing. All other things being equal of course.

    Another partial answer is that the bad guys that do need to evade the FBI (and competitors) will know the score. They also know something that shows them
    to be generally astute: they generally mistrust privacy-oriented technology as being fraudulent in claims because it can't be easily checked up on. So sales of products will tend to go to people who believe claims - being those who actually have no strong reason to rely on the claims.

    Posted by iang at 10:21 AM | Comments (0) | TrackBack

    October 26, 2005

    Breaking Payment Systems and other bog standard essentials

    Many people have sent me pointers to How ATM fraud nearly brought down British banking. It's well worth reading as a governance story, it's as good a one as I've ever seen! In this case, a fairly bog standard insider operation in a major brit bank (not revealed but I guess everyone knows which one) raided some 2000 user accounts and probably more. They did all this through the bank's supposedly fool proof transaction system, and the bank aided and abetted by refusing to believe there was an issue! Further, given the courts willingness to protect the banks' secrecy, one can say that the courts also aided and abetted the crooks.

    This is the story of how the UK banking system could have collapsed in the early 1990s, but for the forbearance of a junior barrister who also happened to be an expert in computer law - and who discovered that at that time the computing department of one of the banks issuing ATM cards had "gone rogue", cracking PINs and taking money from customers' accounts with abandon.

    This is bog standard. Once a system grows to a certain point, insider fraud is almost a given, and it is to this that the wiser FCer turns. As I say, this is a must-read, especially if you are new to FC. Here's news for local currency pundits on how easy it is to forge basic paper tokens.

    In a world of home laser printers and multimedia PCs, counterfeiting has become increasingly easy. With materials available at any office supply store, those with a cursory knowledge of photo-editing software can duplicate the business-card-size rewards cards once punched at Cold Stone Creamery or the stamps once given out at Subway sandwich sho........

    Steven Bellovin reports that Skype have responded to criticisms over their "secret cryptoprotocol."

    Skype has released an external security evaluation of its product; you can find it at http://www.skype.com/security/files/2005-031%20security%20evaluation.pdf (Skype was also clueful enough to publish the PGP signature of the report, an excellent touch -- see http://www.skype.com/security/files/2005-031%20security%20evaluation.pdf.sig) The author of the report, Tom Berson, has been in this business for many years; I have a great deal of respect for him.
    --Steven M. Bellovin, http://www.cs.columbia.edu/~smb

    Predictibly, people have pored over the report and criticised that, but most have missed the point that unless you happen to have an NSA-built phone on your desk, it's still more secure than anything else you have available. More usefully, Cubicle reports that there is an update to Skype that repairs a few bugs. As he includes some analysis of how to exploit and create some worms... it might be worth it to plan on updating:

    The Blackhat in me salivates at the prospect. It’s beautiful security judo, leveraging tools designed to protect confidentiality (crypto) and Availability (peer-to-peer) to better hide my nefarious doings. Combine it with a skype API-based payload and you’ve got a Skype worm that can leverage the implicit trust relationship of contact lists to propagate further, all potentially wrapped inside Skype’s own crypto.

    Too bad the first that most of Skype’s 60 million-and-growing users will ever hear of it will be after someone who does pay attention to these sorts of things decides they want to see if it’s possible to create a 60-million node botnet or retire after making The One Big Score with SkypeOut and toll fraud.

    Hey Skype, Ignoring Risk is Accepting Risk–NOT Avoiding it. Put this on your main page while upgrading is still prevention rather than incident response.

    A little hyperventilated, but consider yourself in need of a Skype upgrade.

    Posted by iang at 03:08 PM | Comments (1) | TrackBack

    September 20, 2005

    Phishing in Pogo's Swamp

    This week's phishing roundup starts with (thanks Lynn) sighting of a HTTPS phish. The attacker used a self-signed cert, and as we know browsers commonly fall to self-signed MITMs because of the popup madness ...

    A new, advanced form a phishing dubbed "secured phishing" because it relies on self-signed digital certificates, can easily fool all but the most cautious consumers, a security firm warned Thursday.

    Browser manufacturers were warned of the problem, were told how to fix it, and even given fine demos. Opera reports that it has made its browser ad-free. Welcome, but I continue to be confused about Opera's security - they claim:

    Already regarded as the world's fastest, most secure browser, Opera speeds up your Web browsing with these innovative features: ...
  • Protect against identity theft and phishing with integrated security features
  • yet looking at the screen shots on the page it seemed very much like last time I looked - underwhelming. Opera practically haven't updated their security beyond the default Netscape model of 1995, so to say it's the world's most secure browser is just marketing hype; it seems more to me that Opera is fighting with other browser manufacturers for the award of "browser least responsive to user security needs."

    Meanwhile, evidence is beginning to accrue that the US (at least, the non-techie part) is starting to take the issue seriously, and americans do not like what they find...

    Adam reports on 'the story of a mother whose child was stillborn, and her inability to get the marketing to stop, from "A Lost Baby, and the Pain of Endless Reminders in the Mail," in the New York Times.'

    My first reaction was shock, then anger. Why did the baby formula company have her due date? I had shared our baby's due date with only two businesses: my health insurance company and a Web site for expectant and new parents. When I registered to enter the Web site, I specifically requested that it not share my information with third parties.

    And also on how mandatory ID cards will make for yet another database full of SSNs as yet another aid to identity theft. Good stuff. There are now a steady stream of reports of surveys that suggest that Americans will leave their banks if they get hit by identity theft. Glenbrook points at EDS slams banking security - Financial Services

    Gartner suggests that this is part of a $50bn problem. When they numbers get that big it makes for a lot of difficulty rationalising them ("oh, it's less than Katrina, so that's ok?") but a careful reading doesn't seem to challenge the overall level of phishing at about a $1bn problem. It might have stabilised at this point.

    Litan said that banks in Britain were far better at sharing information and working with each other to minimise exposure to this kind of fraud. The incentive to sign up new customers is great in Europe but in the US it's even more pronounced because banks send out 1,937 pieces of marketing information for every new sign-up. "The goal is getting new customers and banks are not that hungry about eating into fraud," she said.

    Here's an article that reminds us that there are two problems, not just one (the Microsoft PC is woefully infected with viruses and keyloggers and other malware, as well as your browser's inability to tell you who you are talking to...)
    "Tremendous growth of cybercrime, report says." I'd remind them not to forget that online banks aren't that secure themselves... but it seems that banks also have other problems to deal with (Perfect Storm).

    And to wrap up, (Adam again reports) chat of the underlying systemic issue - if you trade data like it was property, then you might not want to include your identity in the catalogue.

    ''As an aside [writes Chapell], some might argue that there's little distinction between "evil doer" and "data broker". I prefer to view the latter as the poster children for another unregulated industry that is screaming for the Government to step in. ... Of course, the trouble with choking off data flow is that it tends to be contrary to the concept of a free society. And since none of us seem to want to live under an EU privacy regime, then what's a privacy conscious American to do?''

    First, [writes Adam]I think that Chapell is spot on here: The gossip-mongers would love to trade higher costs in the form of regulation for limits on their liability and high barriers to entry.

    Second, the industry relies heavily on government subsidies, in the form of social security numbers, and data collected under threat of legal penalties. (Like the property registers in the article Chapell quotes, or DMV records, or voting lists.) In a free society, I can choose to be known by whatever name I like. That is a right long established in the common law. We can impose regulations on the product of government action without making ourselves less free.

    We have met the enemy, and he is us. For those readers who aren't American, Pogo's comment is a famous comic line from the 60s and inspires today's roundup.

    Posted by iang at 11:42 AM | Comments (0) | TrackBack

    September 14, 2005

    RSA keys - crunchable at 1024?

    New factoring hardware designs suggest that 1024 bit numbers can be factored for $1 million. That's significant - that brings ordinary keys into the reach of ordinary agencies.

    If so, that means most intelligence agencies can probably already crunch most common key sizes. It still means that the capability is likely limited to intelligence agencies, which is some comfort for many of us, but not of comfort if you happen to live in a country where civil liberties are not well respected and keys and data are considered to be "on loan" to citizens - you be the judge on that call.

    Either way, with SHA1 also suffering badly at the hands of the Shandong marauders, it puts DSA into critical territory - not expected to survive even given emergency surgery and definately no longer Pareto-complete. For RSA keys, jump them up to 2048 or 4096 if you can afford the CPU.

    Here is the source of info, posted by Steve Bellovin.

    Open to the Public

    DATE: TODAY * TODAY * TODAY * WEDNESDAY, Sept. 14 2005
    TIME: 4:00 p.m. - 5:30 p.m.
    PLACE: 32-G575, Stata Center, 32 Vassar Street
    TITLE: Special-Purpose Hardware for Integer Factoring
    SPEAKER: Eran Tromer, Weizmann Institute

    Factoring of large integers is of considerable interest in cryptography and algorithmic number theory. In the quest for factorization of larger integers, the present bottleneck lies in the sieving and matrix steps of the Number Field Sieve algorithm. In a series of works, several special-purpose hardware architectures for these steps were proposed and evaluated.

    The use of custom hardware, as opposed to the traditional RAM model, offers major benefits (beyond plain reduction of overheads): the possibility of vast fine-grained parallelism, and the chance to identify and exploit technological tradeoffs at the algorithmic level.

    Taken together, these works have reduced the cost of factoring by many orders of magnitude, making it feasible, for example, to factor 1024-bit integers within one year at the cost of about US$1M (as opposed to the trillions of US$ forecasted previously). This talk will survey these results, emphasizing the underlying general ideas.

    Joint works with Adi Shamir, Arjen Lenstra, Willi Geiselmann, Rainer Steinwandt, Hubert K?pfer, Jim Tomlinson, Wil Kortsmit, Bruce Dodson, James Hughes and Paul Leyland.

    Some other notes:

    http://www.keylength.com/index.php
    http://citeseer.ist.psu.edu/287428.html

    Posted by iang at 01:54 PM | Comments (1) | TrackBack

    September 11, 2005

    Spooks' corner: listening to typing, Spycatcher, and talking to Tolkachev

    A team of UCB researchers have coupled the sound of typing to various artificial intelligence learning techniques and recovered the text that was being typed. This recalls to mind Peter Wright's work. Poking around the net, I found that Shamir and Tromer started from here:

    Preceding modern computers, one may recall MI5's "ENGULF" technique (recounted in Peter Wright's book Spycatcher), whereby a phone tap was used to eavesdrop on the operation of an Egyptian embassy's Hagelin cipher machine, thereby recovering its secret key.

    I haven't _Spycatcher_ to hand, but from memory the bug was set up by fiddling the phone in the same room to act as a microphone, and the different sounds of the typewriter keys hitting being pressed on the cipher machine were what allowed the secret key to be recovered. Here's some more of Wright's basic techniques:

    One of Peter Wright's successes was in listening to (i.e. bugging) the actions of a mechanical cipher machine, in order to break their encryption. This operation was code-named ENGULF, and enabled MI5 to read the cipher of the Egyptian embassy in London at the time of the Suez crisis. Another cipher-reading operation, code-named STOCKADE, read the French embassy cipher by using the electro-magnetic echoes of the input teleprinter which appeared on the output of the cipher machine. Unfortunately, Wright says this operation "was a graphic illustration of the limitations of intelligence" - Britain was blocked by the French from joining the Common Market and no amount of bugging could change that outcome.

    Particularly interesting is MI5's invention code-named RAFTER, which is used to detect the frequency a radio receiver is tuned to, by tracing emissions from the receiver's local oscillator circuit. RAFTER was used against the Soviet embassy and consulate in London to detect whether they were listening in to A4-watcher radios. Wright also used this technique to try to track down Soviet "illegals" (covert agents) in London who received their instructions by radio from the USSR.

    Unlike Wright's techniques from the 60s, the UCB team and their forerunners have the ability to couple up their information to vastly more powerful processing (Ed Felton comments, the paper and pointer from Adam). They manage to show how not only can the technique extract pretty accurate text, it can do so after listening to only 10-15 minutes of typing without prior clues.

    That's a pretty impressive achievement! Does this mean that next time a virus invades your PC, you also need to worry about whether it captures your microphone and starts listening to your password typing? No, it's still not that likely, as if the audio card can be grabbed your windows PC is probably "owned" already and the keyboard will be read directly. Mind you, the secure Mac that you use to do your online banking next to it might be in trouble :-)

    While we are on the subject, Adam also points at (Bruce who points at) the CIA's Tolkachev case, the story of an agent who passed details on Russian avionics until caught in 1985 (and executed a year later for high treason).

    The tradecraft information in there is pretty interesting. Oddly, for all their technical capability the thing that worked best was old-fashioned systems. At least the way the story reads, microfilm cameras, personal crypto-communicators and efforts to forge library passes all failed to make the grade and simpler systems were used:

    In November 1981, Tolkachev was passed a commercially purchased shortwave radio and two one-time pads, with accompanying instructions, as part of an "Interim-One-Way Link" (IOWL) base-to-agent alternate communication system. He was also passed a demodulator unit, which was to be connected to the short wave radio when a message was to be received.

    Tolkachev was directed to tune into a certain short wave frequency at specific times and days with his demodulator unit connected to his radio to capture the message being sent. Each broadcast lasted 10 minutes, which included the transmission of any live message as well as dummy messages. The agent could later break out the message by scrolling it out on the screen of the demodulator unit. The first three digits of the message would indicate whether a live message was included for him, in which case he would scroll out the message, contained in five-digit groups, and decode the message using his one-time pad. Using this system, Tolkachev could receive over 400 five-digit groups in any one message.

    Tolkachev tried to use this IOWL system, but he later informed his case officer that he was unable to securely monitor these broadcasts at the times indicated (evening hours) because he had no privacy in his apartment. He also said that he could not adhere to a different evening broadcast schedule by waiting until his wife and son went to bed, because he always went to bed before they did.

    As a result, the broadcasts were changed to the morning hours of certain workdays, during which Tolkachev would come home from work using a suitable pretext. This system also ran afoul of bad luck and Soviet security. Tolkachev's institute initiated new security procedures that made it virtually impossible for him to leave the office during work hours without written permission. In December 1982, Tolkachev returned his IOWL equipment, broadcast schedule, instructions, and one-time pad to his case officer. The CIA was never able to use this system to set up an unscheduled meeting with him.

    Sounds like a familiar story! The most important of Kherchkoffs' 6 laws is that last one, which says that a crypto-system must be usable. The article also describes another paired device that could exchange encrypted messages over distances of a few hundred metres, with similar results (albeit with some successful message deliveries).

    Posted by iang at 10:41 AM | Comments (4) | TrackBack

    August 29, 2005

    New Threats on the Airwaves

    From the "why won't wireless show me an MITM" department, Risks advises of these new threats to consider to your secure phone app:

    "Andre Kramer" ... Thu, 18 Aug 2005 11:31:28 +0100

    The Cambridge Evening News reported yesterday ("Phone Pirates in seek and steal mission" 17th August 2005) that several laptop computers have been stolen from car boots (automobile trunks for US readers) in Cambridge (UK). The article claimed that "Bluetooth" was used to detect the laptops presence. While the thefts appear related, the claimed modus operanti seems unlikely as short range wireless would be inactive unless the laptops were powered on (to be fair, the article also mentioned "other electronics"). The risk: thinking your devices are safe in the car boot when they don't have wireless.

    Makes sense. Closing the top of a laptop may not have closed off Bluetooth. Or, it might be easy to construct something that otherwise sniffs laptops in power saving mode. Lead-lined laptop bags, anyone?

    And, taking the shine off the cell/mobile phone as the ultimate in secure platforms, consider just how much a peeping tom your telco is:

    Cellphone carriers can listen in through your phone?

    Posted Aug 5, 2005, 10:20 AM ET by Ryan Block

    We’re always a little wary of that very blurry line between protection of the general public and infringements on basic civil liberties, but it would appear that according to the Financial Times by way of the Guardian, at least one UK cellphone carrier not only has the power (and mandate) to remotely install software over the air to users’ handsets that would allow for the kind of monitoring we thought only perverts and paranoiacs had access to: picking up audio from the phone’s mic when the device isn’t on a call. While don’t think the backlash on this one has really gotten underway yet, and though we do hate to rock a cliché, we can’t help but be reminded of that classic Benjamin Franklin quote, “They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety.” What’s worse, a cellphone carrier and The Man are gonna take it from us without our permission on the sly?

    Now, the big issue here is whether a telco (or any other party) can download a program to sniff out your keys. For this reason, the favoured platform is a PDA, with one and only one program on it, and no comms 'cept those we said. Anything else is a compromise, but that's ok, for those markets that can deal with the risks.

    These can be considered to be an addendum to last week's wireless threats, but alas, still no MITMs recorded.

    Posted by iang at 06:51 PM | Comments (0) | TrackBack

    August 20, 2005

    Notes on today's market for threats

    A good article on Malware for security people to brush up their understanding. On honey clients Balrog writes (copied verbatim):

    In my earlier post about Microsoft’s HoneyMonkey project I mentioned that the HoneyNet Project will probably latch on and develop something along the same lines.

    In the meantime, I was notified of Kathy Wang's Honeyclient project and the client-side honeypots diploma project at the Laboratory for Dependable Distributed Systems at Rheinisch-Westfälische Technische Hochschule in Aachen.

    From PaymentNews:

    TowerGroup has announced new research examining the impact that phishing attacks may be having on fraud perpetrated at ATMs and debit POS locations that concludes that losses from fraud due to phishing runs about $81 million annually in the US.

    That report is confused, it is looking at card skimming and seems to be conflating that with phishing. This may explain the lower-than-others estimate of $81m, or it may be explained by the fact that they only looked at identifiable banks' losses, not consumer losses and other costs. So I feel this number is a low outlyer, rather that really representative of phishing.

    (Addendum: Having read the Tower link, I can now see that they are more just looking at the crossover from phishing to ATM Fraud,)

    There is a lot of buzz on how wireless networks are being used "routinely" to attack people. So far it's all the same: the attacks are generally of access, rarely listening and no known cases of MITMs _even though they are trivial_! Here's a typical case pointed out by Jeroen from El Reg where the attack is misrepresented as a bank hack over wireless:

    The data security chief at the Helsinki branch of financial services firm GE Money has been arrested on suspicion of conspiracy to steal €20,000 from the firm's online bank account. The 26 year-old allegedly copied passwords and e- banking software onto a laptop used by accomplices to siphon off money from an unnamed bank.

    "Investigators told local paper Helsingin Sanomat that the suspects wrongly believed that the use of an insecure wireless network in commission of the crime would mask their tracks. This failed when police identified the MAC address of the machine used to pull off the theft from a router and linked it to a GE Money laptop. Police say that stolen funds have been recovered. Four men have been arrested over the alleged theft with charges expected to follow within the next two months. ®

    Now, we have to read that fairly carefully to figure out what happened, and the information is potentially unreliable, but here goes. To me, it looks like the perpetrator stole the passwords from the inside and then used a wireless connected laptop (in a cafe?) to empty the account. So this is an inside job! The use of the wireless was nothing more than a forlorn hope to cover tracks and is totally incidental to the nature of the crime.

    (Also, it doesn't say much for the security at GE Money ... "Maybe they should have employed a CISP" ... or whatever those flyswatter certifications are called.)

    Addendum See here for some new wireless threats.

    Posted by iang at 07:54 AM | Comments (0) | TrackBack

    August 03, 2005

    The Phishing Borg - now absorbing IM, spam, viruses, lawyers, courts and you

    Dramatic increase in threats to IM (instant messaging or chat) seen as the IMLogic Threat Center reports a 28 times increase over the last year.

    Right on cue. Meanwhile, new tool to download for your browser shows that independent researchers at Stanford know where to put the protection: Spoofguard detects and warns against phishing, and PwdHash augments the password calculation to make each transmitted password site-dependent.

    Good stuff guys! We need to induct you into the anti-fraud coffee room before you get swallowed up by the anti-borg of secret committees in smoke-filled rooms.

    And in Korea is looking to legalise class-action suits in cases where small losses make it uneconomic for victims to punish negligent providers.

    Much as I wonder if class action suits aren't a net loss to society and shouldn't be treated within the threat model rather than the security model, they do seem to be the only non-technical defence that suppliers will listen to. Such suits and others by regulators are filed against data providers (and losers), banks and Microsoft on various causes. Nobody has yet pinned one directly on phishing, but I give it a better than evens chance that it will be tried on the banks, and then on the software suppliers.

    Although it is hard to decipher, a new report from IBM reports that spam is down from 83% of all email to 67% in June. That's the "good news." The bad news is that it's almost certainly because phishing and viruses have skyrocketed even this year, with IBM reporting that phishing has now reached around 20% and viruses around 4% of all email. The article is ridiculously muddled in its use of numbers, but I make that around a 91% garbage rate in email.

    This to my mind confirms predictions made here that phishing is still the #1 threat to email (by value!), browsing and Internet commerce; viruses are now economically being driven by phishing; and email is dying under the one-two punch of spam and phishing.

    Is phishing and related fraud becoming the #1 threat to the net, or is it already there?

    Posted by iang at 06:56 PM | Comments (3) | TrackBack

    July 06, 2005

    George's story - watching my Ameritrade account get phished out in 3 minutes

    On the morning of May 5 2005, I decided to work from home [writes George Rodriguez in a great expose of how phishing is spreading through American retail finance].

    As I'm checking emails I start receiving email notifications from my on-line broker Ameritrade. The email notifications kept coming one after the other, you just sold out of Duke, you just sold out of Home Depot, you just sold out of Ford, I watched on my screen as the flurry of emails kept coming across my screen, pretty much my entire portfolio of Stocks was being sold out right before my eyes. I took notice of the time when I received the first email confirmation, it was 9:31AM and as you know the equity market opens up at 9:30AM. My heart was racing, I was stunned and I said to myself this can be happening to me, I'm a business and technology savvy as I've worked for major investment banks and brokers as a consultant in the areas of technology trading for equity and fixed income markets.


    I looked at my watch and it was now 9:34AM, it seemed like hours have gone by. I picked up the phone and called Ameritrade and spoke to a client-rep and walked him through the entire activities to my account. As I'm the phone with the client rep, I continue to get more email notifications selling out more stocks in my portfolio. I also noticed an email that was sent to me by Ameritrade, you requested and have changed your primary email address to some hotmail address I did not recognize, the interesting piece of information on the email was the time it was sent, 4:45AM. I quickly related this information to the client rep and asked him what bank information he had on file. He went on to say, you requested to have your bank account changed from Wachovia bank to Bank of America in Dallas Texas. I said well let's get on the phone with Bank of America and see who's behind the account. Well Ameritrade said we can't do that. I said wait a minute, someone is committing bank fraud, internet fraud as we speak and you can't represent me your client? No sir the client rep responded, you need to call your local authorities, you mean the Sheriff as I live out in Union County. I responded fine, well please give me the account number and routing number for Bank of America I will call them myself, oh and by the way cancel all these fraudulent trades and freeze the account, I do not want any funds to move. Luckily in the equity markets it takes three days for the trades to settle before the cash is moved out, so much for straight through processing and trying to settle and move cash on the same day, a goal the industry is trying to move towards.

    My first call was to Bank of America and it took a while to get though to their fraud department and then trying to explain that it was not the Bank of America brokerage arm but my on-line broker Ameritrade where the fraudulent trades were placed. I gave the BoA fraud department the BoA account number now on file with my Ameritrade broker and they confirmed it was their account but no available information will be provided as it was not my account. Due to the Privacy Act they need it to protect their customers, who's getting protected here I said the thieves or the innocent victims. I quickly hung up the phone and called the Union County Sheriff and within 20 minutes a patrol car was at my driveway, a bit weird for white collar crime but nevertheless a police report was in order. I greeted the officer, we sat in my office and I gave him copies of all the emails, Ameritrade and bank information for him to follow up with all parties. He said, love to help you but after I finish typing this up I will turn it over to the detective and someone will be in touch with you. I did receive a police report number right away from him. As soon as the police officer left I filed a complaint with the Federal Trade Commission and an electronic identity theft report with the FBI. I got a call back from the detective on Monday May 9, and we discussed the details of the fraudulent activities.

    I can't imaging what would have happened if I was away on vacation and had no access to email for several days, over $50,000 would have left my Ameritrade brokerage account and moved out to the fraudulent Bank of America account which I'm sure would have been cleaned out right away. I'm sure I can't be the only one who has had this problem as these on-line brokers have millions of accounts. I'm not sure how my userid and password were stolen, perhaps it is an inside job, my account is a passive account as I only logged every six to eight weeks to check the account, I don't day trade anymore since the dot.com crash. But another scenario can be I was hacked on my home computer as I have timewarner road runner and a wireless network. I run Norton Anti-Virus on my machines but unfortunately I don't have a secured firewall running, again I'm not sure how secure these products can safe proof your computer. I'm now waiting for the local authorities, the FBI, Ameritrade and Bank of America to provide me with information on how and who is behind this attack.

    George Rodriguez
    Waterstone Capital Advisors
    Partner
    Email: george.rodriguez at waterstonecap.com

    Posted by iang at 03:38 PM | Comments (24) | TrackBack

    June 22, 2005

    Google payment system confirmed - let the trimming of tall poppies begin

    Google confirms they are doing a payment system. It may be like Paypal's but I wouldn't bet on it. Google claims it will be unlike. Either way a new sport is about to erupt in the payments systems world - sniping at Google's payments system.

    Let's just be clear about this - it already has a name, it's called chopping down the tall poppies. This is a game of envy and spite. It comes because a successful player uses its money and muscle to take on a new field in which others have failed, when all the smart people knew how to get in there but couldn't muster that money and muscle (in this case, I'm referring to cognitive muscle as well as user base muscle).

    It's going to happen so get used to it, guys. I'll go first: I'll bet you didn't think of this:

    I was opening up my almost brand new Dell 600m laptop, to replace a broken PCMCIA slot riser on the motherboard. As soon as I got the keyboard off, I noticed a small cable running from the keyboard connection underneath a piece of metal protecting the motherboard.

    I figured "No Big Deal", and continued with the dissasembly. But when I got the metal panels off, I saw a small white heatshink-wrapped package. Being ever-curious, I sliced the heatshrink open. I found a little circuit board inside.

    Being an EE by trade, this piqued my curiosity considerably. On one side of the board, one Atmel AT45D041A four megabit Flash memory chip.

    On the other side, one Microchip Technology PIC16F876 Programmable Interrupt Controller, along with a little Fairchild Semiconductor CD4066BCM quad bilateral switch.

    Looking further, I saw that the other end of the cable was connected to the integrated ethernet board.

    What could this mean? I called Dell tech support about it, and they said, and I quote, "The intregrated service tag identifier is there for assisting customers in the event of lost or misplaced personal information." He then hung up.

    A little more research, and I found that that board spliced in between the keyboard and the ethernet chip is little more than a Keyghost hardware keylogger.

    The reasons Dell would put this in thier laptops can only be left up to your imagination. It would be very impractical to hand-anylze the logs, and very CPU-intensive to do so on a computer for every person that purchased a dell laptop. Why are these keyloggers here? I recently almost found out.

    I called the police, as having a keylogger unknown to me in my laptop is a serious offense. They told me to call the Department of Homeland Security. At this point, I am in disbelief. Why would the DHS have a keylogger in my laptop? It was surreal.

    So I called them, and they told me to submit a Freedom of Information Act request. This is what I got back:

    Google are entering into the payments system world at a dangerous time. This could be a unique time in the history of payments systems, simply because all those theoretical threat models that we have all trained with, sweated over and loved for a decade or more, now, are coming true. There's one you'll have to deal with, and you won't have the luxury of saying "oh, that's not our problem" this time.

    This change has occurred in these pages mostly under the cover of a runctous attack on the idle ostriches of the browser world. Phishing is just the headline, but the real story is that there is now an industrial scale threat to payment systems. Some very few engineers know how to deal with these threats on a real basis - primarily those grounded in European banking experience - but for the most part a lot of the payments systems are learning the hard way right now.

    For google, the lessons will be different. There will be no breathing space, no easy ramp up to the critical mass. It is I predict highly likely that from day one, attention will bear down on them from the phishing attackers. I suspect google will weather the security storm, but that's only a guess. The problem here is that there is a difference between facing statistical or safety threats and the aggressive crook. Security goods are different because they have an unruly third party in the transaction.

    It will also shoot all the profitability figures to outhouse. Because the attacks will take up a larger support component per transaction than expected then there will be only a loss-leader rationale for the payments system for many a year. I would still do it, but I'm a strategic kinda guy, still if google are in this for anything but the long term, save yourselves the trouble and exit stage left now. Or cull your team of short term thinkers.

    (There is a perfect face-saving way out, but it'll cost the price of a Dell *equivalent* laptop ;-) )

    (Expect Dell laptops to drop like a stone if this pans out...)

    (Expect all hell to break loose if this is true...)

    (Are we living in interesting times again?)

    (But even if not true, it's the perfect description of a "today" threat model!)

    (Looks like we have confirmation ... see comments below!)

    Posted by iang at 09:21 AM | Comments (9) | TrackBack

    June 02, 2005

    A shortcut for bootstrapping trust

    From the light-hearted threats department, Mark points to an article on how to bypass trusting defences.

    Scientists develop revolutionary 'trust spray'

    MICHAEL BLACKLEY

    A REVOLUTIONARY nasal spray could have the power to make a person more trusting, scientists have found.

    Experiments show that after a few squirts of a spray containing the hormone oxytocin, humans were significantly more trusting. It has even been suggested that the spray could be used as a therapy for trust-diminishing conditions, such as autism or some social phobias.

    The research, carried out by a team of American and Swiss scientists and published in today’s issue of Nature, showed that after using the spray, volunteers became more willing to risk losing money to a stranger.

    One of the scientists who worked on the project, Dr Michael Kosfeld, of the University of Zurich, said those who had sniffed oxytocin gave away their money much more easily. He also said animal studies had proved that oxytocin takes away the unwillingness to approach strangers. "It helps animals approach one another - which is a parallel with trust in our game," he said. "In companion with psychotherapy it could have a positive effect."

    Oxytocin has traditionally been seen as a "love hormone", and is released during orgasm. It has also been proved to be released when cuddling or touching takes place, and women release it when in labour and during breastfeeding.

    The idea that it could be released when people express feelings of trust was first raised in 2003, but this research is the first attempt to show that increasing the amount of the hormone present in the body could directly influence the extent that one person trusts another.

    Antonio Damasio, a neurologist at the University of Iowa, who reviewed the experiments for Nature, believes the findings could be significant scientifically. He said:

    "Some may worry about the prospect that political operators will generously spray the crowd with oxytocin at rallies of their candidates.

    "The scenario may be rather too close to reality for comfort, but those with such fears should note that current marketing techniques - for political and other products - may well exert their effects through the natural release of molecules such as oxytocin in response to well-crafted stimuli."

    However, the idea that it could be used to help autism was met with scepticism by the National Autistic Society. A spokeswoman said: "The outcome of any approach will depend on the needs of the individual, which vary greatly, and the appropriate application of the intervention."

    Addendum Zooko recommends Neuromarketing: Peeking Inside the Black Box

    Posted by iang at 09:09 AM | Comments (2) | TrackBack

    May 31, 2005

    Industrial Espionage using Trojan horses

    One of the things that bedevils financial cryptography is not knowing just what crimes are for real and what crimes are fantasy. Amir points to a developing scandal in Israel over a threat that has been predicted for yonks but rarely if ever seen. In a fairly massive sweep, the Israeli police have picked up dozens of CEOs and PIs involved in what they claim is an organised industrial espionage ring.

    It comes down to one Trojan horse writer who targetted the wrong couple - the parents of his ex-wife! When the parents found pages of their book on the Internet, they called the police, who found the Trojan. This led them to the author, their ex son-in-law, and from there to three private investigation firms that had contracted his services. And of course, to *their* customers...

    It's got intrigue, public personalities, jilted husbands and good old scary FUD words like Trojan horse. As Amir suggests, the film rights are probably worth a bit!


    Court remands top Israeli execs in industrial espionage affair

    By Roni Singer, Haaretz Correspondent and Haaretz Service

    The Tel Aviv Magistrate's Court Monday remanded several people from some of Israel's leading commercial companies and private investigators suspected of commissioning and carrying out industrial espionage against their competitors, which was carried out by planting Trojan horse software in their competitors' computers.

    Uzi Mor, CEO of Mayer and his deputies Avner Kez and Or Schachar, Moriah Katriel, financial vice president of Yes as well as Yoram Cohen, CEO of Hamafil were placed under an eight-day house arrest.

    The court also extended by four days the remand of two private investigators suspected of carrying out the espionage.

    Earlier Monday, police searched the Tel Aviv offices of Haaretz sister publication TheMarker to check for any signs of Trojan horse software infiltration on their computers.

    Also on Monday, the Tel Aviv fraud squad discovered Trojan horse software in computers belonging to AMC, a company that produces transmitters for planes and unmanned aerial vehicles. The inspection found that only financial material was extracted from the computers, although the company specializes in security.

    Other companies suspected of espionage include the satellite television company Yes, which is suspected of spying on cable television company HOT; cell-phone companies Pelephone and Cellcom, suspected of spying on their mutual rival Partner; and Mayer, which imports Volvos and Hondas to Israel and is suspected of spying on Champion Motors, importer of Audis and Volkswagens. Spy programs were also located in the computers of major companies such as Strauss-Elite, Shekem Electric and the business daily Globes.

    The case took a twist, when Bezeq - parent company of two of the companies suspected of the espionage - revealed that it too was apparently among the victims. Police now suspect that Cellcom cellular networks commissioned the spying against Bezeq.

    This suspicion was strengthened when internal documents belonging to Bezeq were found in the drawers of senior executives at Cellcom. The name of the CEO of Cellcom, "Peterburg" was written on some of the documents. However, the police did not have decisive evidence Monday that the documents were obtained through Trojan horse software, and hence did not summon CEO Itzhak Peterburg for questioning under caution. Instead, Peterburg was only asked to give a testimony.

    When, in the testimony he gave Sunday, Peterburg was asked why his name appeared on the classified documents of a competing company, he answered that he does not know.

    A statement from the police said, "It's hard to believe that top executives at these companies don't know what is happening. Even if a security department manager requested the material of the competitor, it reached the CEO, and therefore it's clear to us that the CEOs can absolutely guess how the it was obtained."

    Police said they intended to ask for the extension of the remand of several private investigators. But all of the executives in the involved companies will released to their homes under restricting conditions, police said.

    Police are currently investigating several other companies that may have been involved in the affair, which was under a court gag order until Sunday.

    The Trojan horse software program allows the person who plants it to track all activity conducted via the "victim's" computer and even to seize control of the computer. Police suspect that this program was employed by three private investigation agencies to conduct industrial espionage against their clients' commercial rivals. The software apparently enabled the PIs to obtain vast quantities of secret information from the targeted computers.

    The investigation began last November, when author Amnon Jacont and his wife, Varda Raziel-Jacont, complained to the Tel Aviv police that someone had hacked into their computer and stolen information from it. They reached this conclusion after discovering that personal documents, as well as parts of a book Jacont was writing, which had thus far never left his personal computer, had been posted on the Internet. Police examined their computer and concluded that it had been infected with a Trojan horse.

    Police investigators eventually determined that the program had been written by Michael Haephrati, 41, a former in-law of Varda Raziel-Jacont. Haephrati, an Israeli citizen, currently lives in Germany and England and has no previous police record.

    Investigators then found that Haephrati had sold his program to three private investigation agencies: Modi'in Ezrahi, Zvika Krochmal and Pilosof-Balali. All three agencies are licensed by the Israel Justice Ministry and enjoy excellent reputations.

    "The program was essentially customized for each and every one of the 'victims' that the PI agencies wanted to attack," said Chief Inspector Nir Nativ, one of the officers who investigated the case. "Haephrati adapted the software to penetrate a specific company, at the request of the PI agency's client."

    For each customized program, the agencies paid Haephrati about NIS 16,000. Haephrati took care of planting the virus in the target computer, then gave the PIs a username and password that enabled them to access the program, and thereby the victim's computer.

    According to Chief Superintendent Arye Edelman, head of the Tel Aviv fraud squad, which ran the investigation, Haephrati used two methods to plant his malicious software (or malware) in the target computers. One was to send it via e-mail. The other was to send a disk to the target company that purported to contain a business proposal from a well-known company that would arouse no suspicions. Then, when an employee loaded the disk to view the proposal, the Trojan horse would infect his computer.

    Police eventually obtained court orders to access several FTP servers based in Israel and the United States, and then discovered tens of thousands of documents stored there that belonged to major Israeli companies, including many files labeled "internal" and "secret." For the past two weeks, police have been examining these documents to determine which companies have been victimized.

    Nativ explained that even anti-virus programs cannot detect Haephrati's malware, because each is unique. Moreover, the Trojan horses were generally unwittingly introduced by company employees who inserted the infected disks, rather than "attacking" from outside, making detection even more difficult.

    Police believe that industrial espionage using Haephrati's programs has been going on for at least a year and a half. But because none of the victims knew about the malware, no one ever filed a complaint with the police. Only last week did police inform the victims about the software implanted in their computers.

    Police said that they are not yet able to quantify the economic damage suffered by the victims, but it appears to have been considerable -thanks both to the program's capabilities and to the sheer number of companies involved.

    Last week, police finally decided to end their undercover investigation. They therefore had Haephrati and his wife, Ruti, arrested in London, with the help of Interpol and the London police. Last Thursday, Haephrati was brought to a London court for a remand hearing, and Israel has requested his extradition as soon as possible.

    Two days before his arrest, police raided the three private investigation agencies suspected of using the Trojan horse program, confiscated their computers and arrested nine PIs. From Modi'in Ezrahi, they arrested CEO Yitzhak Rath plus investigators Eyal Abramowitz, Haim Zisman and Assaf Zlotovsky; from Krochmal they arrested CEO Zvika Krochmal plus investigators Ofer Fried and Alex Weinstein; and from Pilosof-Balali they arrested the joint CEOs, Eliezer Pilosof and Avraham Balali. Police also arrested the 17-year-old son of one suspect after investigators caught him trying to erase information from his arrested father's computer.

    Later that week, police also arrested Shai Raz, director of Pelephone's security department and Ofer Reichman, director of Cellcom's security department.

    At a remand hearing for the PIs last Wednesday, police told the Tel Aviv Magistrate's Court that the investigators are suspected of penetrating a computer for the purpose of committing a crime, making and propagating a computer virus, violating the Protection of Privacy Law, conspiring to commit a crime, wiretapping and fraud. Police also suspect the three agencies of cooperating with each other to perpetrate their industrial espionage.

    Rath, like many of the others, claimed at the hearing that he had no idea he was committing a crime. "When the investigators came, I opened the safe for them and helped with the papers. We didn't know we were breaking the law."

    But that did not persuade Judge Mordechai Peled, who remanded them for nine days. Peled said the evidence indicated that they not only engaged in widespread industrial espionage, but made great efforts to conceal their illegal activities.

    At a separate remand hearing for three of the corporate executives, Mor, Cohen and Katriel, last Thursday, the suspects admitted to commissioning the investigations, but claimed that they had no idea the material they were being given had been obtained illegally. All stressed that their contracts with the PI agencies explicitly obligated the agencies not to violate the law.

    Police argued in response that upon being given their rivals' most closely guarded internal documents, they could hardly have failed to realize that the documents were obtained illegally.

    Judge Peled accepted the police's argument on this score and remanded the three executives for five days.

    On Friday, two more executives, Raz and Reichman, were remanded, along with two more PIs, Roni Barhum of Modi'in Ezrahi and Yitzhak Dekel of Krochmal.

    That same day, however, police encountered their first hitch: A corporate executive whom they had planned to arrest that very morning left the country. Police blame his sudden departure on a report of Haephrati's arrest that appeared in that morning's daily Yedioth Ahronoth, and was later picked up by the Globes Web site. They have therefore begun investigating both newspapers on suspicion of violating the gag order on the affair.

    The next step, police sources said, is to meet with executives of the victim companies to determine whether any have recently suffered damage from rivals that could be attributed to industrial espionage. That will give them leads to other corporate lawbreakers, the sources explained.

    Posted by iang at 10:18 AM | Comments (2) | TrackBack

    May 25, 2005

    The Crypto Wars are On/Off/On/Off...

    The Brits have let out a cheer and declared the Crypto Wars over. And "we won" they say in a press release from the Foundation for Information Policy Research, according to a post on politech:

    The Crypto Wars Are Over!

    The "crypto wars" are finally over - and we've won!

    On 25th May 2005, Part I of the Electronic Communications Act 2000 will be torn out of the statute book and shredded, finally removing the risk of the UK Government taking powers to seize encryption keys."

    I don't think that's an accurate assessment. In fact I think it's dead wrong. Read on for today's news....

    Over in the US there are worrying signs of more regulations coming to re-criminalise mathematics. Already, there are moves that foreign students will have to be "licensed to operate" any sensitive equipment. ISPs can now be served with spy&gag orders, sans court approval, and nobody's ever debunked the conflicts of interest that now bedevill the certificate authorities in positions of root power.

    Today's news, from CACert, is that mere possession of PGP is to be taken as intent to commit a crime. "What has to be a huge blow for anyone with PGP or virtually any other encryption program on their computer, (in fact most computers these day come with cryptographic programs pre-installed). A man found guilty on child pornography related charges, was also found to have PGP software on his system and a court ruled that this was admissible as intent to commit and/or hide crimes in his case. This has huge ramifications if you are found guilty of a crime and then they find any cryptography software installed on your computer."

    I hope that's wrong, Nope, it's true. And it was the Appeals Court that said it!

    The general message is clear: if you think the war's over, that's because you're fighting the last war. Turn around and meet your new enemy.


    PS: Then comes this new twist from Jim:

    Now hackers can hold your files hostage...

    By Ted Bridis

    Washington - Computer users already anxious about viruses and identity
    theft have a new reason to worry: hackers have found a way to lock up the
    electronic documents on your computer and then demand $200 (about R1 200)
    over the Internet to get them back.

    Security researchers at the San Diego-based Websense uncovered the unusual
    extortion plot when a corporate customer they would not identify fell
    victim to the infection, which encrypted files that included documents,
    photographs and spreadsheets.

    A ransom note left behind included an e-mail address, and the attacker
    using the address later demanded $200 for the digital keys to unlock the
    files.

    "This is equivalent to someone coming into your home, putting your
    valuables in a safe and not telling you the combination," said Oliver
    Friedrichs, a security manager for Symantec Corporation.

    ....


    Here's the FIPR pres release, at least most of the copy I received.

    
    

    Press release - Foundation for Information Policy research

    Release time: 00.01, 25th May 2005


    The Crypto Wars Are Over!


    The "crypto wars" are finally over - and we've won!

    On 25th May 2005, Part I of the Electronic Communications Act 2000
    will be torn out of the statute book and shredded, finally removing
    the risk of the UK Government taking powers to seize encryption keys.

    The crypto wars started in the 1970s when the US government started
    treating cryptographic algorithms and software as munitions and
    interfering with university research in cryptography. In the early
    1990s, the Clinton administration tried to get industry to adopt the
    Clipper chip - an encryption chip for which the government had a
    back-door key. When this failed, they tried to introduce key escrow -
    a policy that all encryption systems should leave a spare key with a
    `trusted third party' that would hand the key over to the FBI on
    demand. They tried to crack down on encryption products that did not
    contain key escrow. When software developer Phil Zimmermann developed
    PGP, a free mass-market encryption product for emails and files, the
    US government even started to prosecute him, because someone had
    exported his software from the USA without government permission.

    In its dying days, John Major's Conservative Government proposed
    draconian controls in the UK too. Any provider of encryption services
    would have to be licensed and encryption keys would have to be placed
    in escrow just in case the Government wanted to read your email. New
    Labour opposed crypto controls in opposition, which got them a lot of
    support from the IT and civil liberties communities. They changed
    their minds, though, after they came to power in May 1997 and the US
    government lobbied them.

    However, encryption was rapidly becoming an important technology for
    commercial use of the Internet - and the new industry was deeply
    opposed to any bureaucracy which prevented them from innovating and
    imposed unnecessary costs. So was the banking industry, which worried
    about threats to payment systems from corrupt officials. In 1998, the
    Foundation for Information Policy Research was established by
    cryptographers, lawyers, academics and civil liberty groups, with
    industry support, and helped campaign for digital freedoms.

    In the autumn of 1999, Tony Blair finally conceded that controls would
    be counterproductive. But the intelligence agencies remained nervous
    about his decision, and in the May 2000 Electronic Communications Act
    the Home Office left in a vestigial power to create a registration
    regime for encryption services. That power was subject to a five year
    "sunset clause", whose clock finally runs out on 25th May 2005.

    Ross Anderson, chair of the Foundation of Information Policy Research
    (FIPR) and a key campaigner against government control of encryption
    commented, "We told government at the time that there was no real
    conflict between privacy and security. On the encryption issue, time
    has proved us right. The same applies to many other issues too - so
    long as lawmakers take the trouble to understand a technology before
    they regulate it."

    Phil Zimmermann, a FIPR Advisory Council member and the man whose role
    in developing PGP was crucial to winning the crypto wars in the USA
    commented, "It's nice to see the last remnant of the crypto wars
    in Great Britain finally laid to rest, and I feel good about our win.
    Now we must focus on the other erosions of privacy in the post-9/11
    world."

    Notes to Editors:

    1. The Foundation for Information Policy Research
    is an independent body that studies the
    interaction between information technology and society. Its goal is to
    identify technical developments with significant social impact,
    commission and undertaken research into public policy alternatives, and
    promote public understanding and dialogue between technologists and
    policy-makers in the UK and Europe.

    2. The late Professor Roger Needham, who was a founder and trustee of
    FIPR, as well as being Pro-Vice-Chancellor of Cambridge University, a
    lifelong Labour party member and, for the last five years of his life,
    Managing Director of Microsoft Research Europe, once said: `Our enemy
    is not the government of the day - our enemy is ignorance. If
    ignorance and government happen to be co-located, then we'd better do
    something about it.'

    3. The Electronic Communications Act 2000 received Royal Assent on
    the 25th May 2000. Part I provides for the Secretary of State to create
    a Register of Cryptography Support Services. s16(4) reads: "If no order
    for bringing Part I of this Act into force has been made under
    subsection (2) by the end of the period of five years beginning with the
    day on which this Act is passed, that Part shall, by virtue of this
    subsection, be repealed at the end of that period."

    4. The crypto wars ended in the USA when Al Gore, the most outspoken
    advocate of key escrow, was found by the US Supreme Court to have lost
    the presidential election of 2000.

    5. The last battle in the crypto wars to be fought on UK soil was
    in the House of Lords over the Export Control Act 2002. In this bill,
    Tony Blair's government took powers to license the export of intangibles
    such as software, where previously the law had only enabled them to
    criminalise the unlicensed export of physical goods such as guns. This
    caused resistance from the IT industry, and also raised the prospect
    that scientific communications would become subject to licensing. FIPR
    organised a coalition of Conservative, Liberal and crossbench peers to
    insert a research exemption (section 8) into the Act, and an Open
    General Export License was created for developers of crypto software.

    6. Phil Zimmermann is arriving in London on the 25th May to take par
    ...

    Posted by iang at 01:37 PM | Comments (2) | TrackBack

    May 22, 2005

    ShadowCrew - more advanced than you think

    An article in BusinessWeek documents the rise and fall of ShadowCrew, a community of crackers and traders. The story mirrors much of the net world and if you took away the bias and the element of crime, you could be forgiven for mistaking them for any of dozens of sophisticated online communities Here are some choice quotes.

    Indeed, today's cybercrooks are becoming ever more tightly organized. Like the Mafia, hacker groups have virtual godfathers to map strategy, capos to issue orders, and soldiers to do the dirty work. Their omertà, or vow of silence, is made easier by the anonymity of the Web. And like legit businesses, they're going global. The ShadowCrew allegedly had 4,000 members operating worldwide -- including Americans, Brazilians, Britons, Russians, and Spaniards. "Organized crime has realized what it can do on the street, it can do in cyberspace," says Peter G. Allor, a former Green Beret who heads the intelligence team at Internet Security Systems Inc. (ISSX ) in Atlanta.

    This place was organised as a market - buying and selling. The owners' innovation was to bring buyers together with sellers in a trading market and make their crime more efficient.

    Because most of the gang members held day jobs, the crew came alive on Sunday nights. From 10 p.m. to 2 a.m. hundreds would meet online, trading credit-card information, passports, and even equipment to make fake identity documents. Platinum credit cards cost more than gold ones. Discounts were offered for package deals. How big was the business? One day in May, 2004, a crew member known as "Scarface" sold 115,695 stolen credit-card numbers in one trade. Overall, the gang made more than $4.3 million in credit-card purchases during its two-year run. The actual tally could be more than twice as large, the feds say. It was like an eBay for the underworld.

    Much of the information in the article is unclear in factual terms but it is very good for giving one the scope of the problem. Here's a case of a stupid "money launderer" being caught:

    This was a big break, since the cops could use the doorway to monitor all the members' communications. Among the communiqués: Omar Dhanani, aka Voleur (French for "thief"), bragged he could set up a special payment system for cybercrime transactions, police say. For a 10% commission, he would exchange cash for "eGold," an electronic currency backed by gold bullion. The Secret Service watched as he laundered money from at least a dozen deals for ShadowCrew members.

    A professional money launderer would know that e-gold and other online currencies are pretty much completely traceable, and not the money laundering nirvana that competitors would have you believe.

    In sum, a great story of one such gang. We need this information widely disseminated so as to assess the threats to our own operations, and the Secret Service and the FBI of the US are to be thanked for their openness. Still, this is only one such gang, and there are hundreds others out there. The scope of the problem is ... huge.

    Posted by iang at 03:47 PM | Comments (17) | TrackBack

    The Suits Own You - FBI hacking wireless LANs

    The FBI in the US presented how to own your wireless LAN (By way of Tom's hardware and Dan). This is welcome. We need full open disclosure and full open research into cracking if we are to get an edge over the bad guys. Does this mean the laws about cracking someone's encryption scheme are now null and void? Apparently so:

    "About half a dozen different software tools were then used by the FBI team, and they are listed-along with their download links-at the end of the article. Thankfully, the Auditor's Security Collection, which we reviewed last year, is a live CD that has all of these tools already installed. Even the FBI likes this distribution."

    To get the real facts about the attack, and see the fun pictures of (were those guys really running a WLan at the conference??), read the full article.

    "If a hacker is lucky enough to find an extremely busy wireless network, passive sniffing should provide enough good packets to allow the WEP key to be recovered. In most cases, however, an active attack or series of attacks are needed to jump start the process and produce more packets. Note that active attacks generate wireless traffic that can itself be detected and possibly alert the target of the attack."

    It takes about 5-10 minutes to get the key. I especially liked tip #5 for protecting your LAN - put a $5 lamp timer on the power and switch it off when not using it. Very practical, very easy to explain to those non-technical people in the world who also have security problems.

    Elsewhere in threats news there are signs that phishing is stabilising at its current level. And rumours abound that Netscape is about to release a "blacklist feature" for anti-phishing in its browser update. Details are sparse.

    "Security is a big issue in Netscape 8, and the way they have chosen to implement this is with the new Site Controls feature, which consists of a continuously updated list of trusted websites. This gives you a visual rating for each site you visit, for a quick idea of a sites trustworthiness."

    Which makes you wonder what other browsers think about security...

    Posted by iang at 07:45 AM | Comments (0) | TrackBack

    May 18, 2005

    $850 million dollar email had Perfect Forward Secrecy

    For those who consider the goal to be Perfect Forward Secrecy (or PFS as the acronymoids have it) think about the $850 million punitive damages awarded by a jury in Florida against Morgan Stanley and to the former owner of Sunbeam.

    "The billionaire investor started the trial with an advantage after the judge in the case punished Morgan Stanley for failing to turn over e-mails related to the 1998 Coleman deal."

    "Judge Elizabeth Maass ordered jurors to assume Morgan Stanley helped Sunbeam inflate its earnings. To recover damages, Perelman only had to prove that he relied on misstatements by Morgan Stanley or other parties to the transaction about Sunbeam's finances."

    "Maass also allowed Perelman's lawyers to make reference to the missing e-mails in the punitive damage phase of the case Jurors examined whether any bad conduct by Morgan Stanley merited a punishment in addition to compensation they gave Perelman to offset his losses."

    This is the core problem with PFS of course - which is the promise that your emails or IMs won't be provable in the future. It matters not that someone eavesdropping can't prove anything cryptographically, because it simply doesn't matter in the scheme of things. The node is where the threat is, and you are thousands of times more likely to come to blows with your partner than any other party.

    Your partner has the emails. So whatever you said, no matter how secret, gets plonked in front of you in the court case, and you've got a choice: rely on PFS and lie about the emails, or say "it's a fair cop, I said that!" Unless this issue is addressed, PFS doesn't really effect the vast majority of the us.

    Unfortunately addressing second-party-copies is very hard. I had mused that it would be possible to mark emails as "Without Prejudice" which is a legal term signalling that these conversations were to be kept out of court. Nicholas Bohm set me straight there when he explained that this only applied *after* you have entered dispute, by which time you are taking all care anyway.

    Alternatively it may be possible to enter into what amounts to a contract with your companion to agree to keep these conversations private and ex-judicial. That might work but it has two big powerful limitations: it doesn't effect other parties seizing them and it doesn't apply to criminal cases.

    Still there may be some merit in that and it will be interesting to experiment with once I get back into IM coding mode. Meanwhile, I'm wondering just what we have to do to convince Morgan Stanley to get into a $850 million tussle with us ... nice work if you can get it.

    Posted by iang at 07:40 PM | Comments (1) | TrackBack

    May 09, 2005

    Threats are two a penny

    Good story about a success at defending from a DDOS. As a company sprung out of it, this is obviously a marketing story, but it still gives a lot of good background into the DDOS world. Postini reports that phishing traffic is 45% down in April, over March. Also, viruses are down a bit. Valid email is 13% of messages.

    Whoops - here's a wakeup - SSH has been attacked and was implicated in the Cisco source code heist:

    Shortly after being stolen last May, a portion of the Cisco programming instructions appeared on a Russian Web site. With such information, sophisticated intruders would potentially be able to compromise security on router computers of Cisco customers running the affected programs.

    There is no evidence that such use has occurred. "Cisco believes that the improper publication of this information does not create increased risk to customers' networks," the company said last week.

    (I'll bet they're regretting that statement in the post-Choicepoint world. Here's the details on SSH.)

    The crucial element in the password thefts that provided access at Cisco and elsewhere was the intruder's use of a corrupted version of a standard software program, SSH. The program is used in many computer research centers for a variety of tasks, ranging from administration of remote computers to data transfer over the Internet.

    The intruder probed computers for vulnerabilities that allowed the installation of the corrupted program, known as a Trojan horse, in place of the legitimate program.

    In many cases the corrupted program is distributed from a single computer and shared by tens or hundreds of users at a computing site, effectively making it possible for someone unleashing it to reel in large numbers of log-ins and passwords as they are entered.

    Once passwords to the remote systems were obtained, an intruder could log in and use a variety of software "tool kits" to upgrade his privileges - known as gaining root access. That makes it possible to steal information and steal more passwords.

    The operation took advantage of the vulnerability of Internet-connected computers whose security software had not been brought up to date.

    In the Cisco case, the passwords to Cisco computers were sent from a compromised computer by a legitimate user unaware of the Trojan horse. The intruder captured the passwords and then used them to enter Cisco's computers and steal the programming instructions, according to the
    security investigators.

    Peversely this is good long expected news: it confirms that which we have always predicted, that when SSH is attacked it will be attacked around the system rather than the supposed weakness of the MITM. This is an economically rational attack; break in some other way, and replace a trusted tool with a trojan. Security experts may be wild-eyed zealots, but at least their attackers are economically rational.

    In closing, cautionary tale of a security breaches misanalysed. Bob spotted this one:

    Sherlock Holmes and Dr Watson go on a camping trip. After a good dinner and a bottle of wine, they retire for the night, and go to sleep.

    Some hours later, Holmes wakes up and nudges his faithful friend. "Watson, look up at the sky and tell me what you see."

    "I see millions and millions of stars Holmes," replies Watson.

    "And what do you deduce from that?"

    Watson ponders for a minute.

    "Well, astronomically, it tells me that there are millions of galaxies and potentially billions of planets. Astrologically, I observe that Saturn is in Leo. Logically, I deduce that the time is approximately a quarter past three. Meteorologically, I suspect that we will have a beautiful day tomorrow. Theologically, I can see that God is all powerful, and that we are a small and insignificant part of the universe. What does it tell you, Holmes?"

    Holmes is silent for a moment and then says: "Watson you idiot, someone has stolen our tent!"

    Posted by iang at 07:44 AM | Comments (0) | TrackBack

    April 12, 2005

    How much is your finger worth?

    Adam points at the story of the S-Class Mercedes owner who lost his finger. The finger now makes a comeback in the fight against poorly thought out biometrics.

    (Links: BBC, Scheier, German commentary, bigger)

    The problem with the biometrics push is as always poorly thought out risk scenarios. If I as a corporate decide that all my employees will make their fingers available to the juggernaught of corporate security, that's fine, as within that world, we have a strictly contained risk analysis. The fingers are at risk, and these risks are offset against the rewards and risks of the corporate. Frankly, there ain't nothing in my corporate offices that's worth a finger.

    But it changes when we get into a federated scenario. If my system is being used by some other corporate, my risk analysis is broken; even if I calculate that requiring my employees to use fingerprints to gain access to offices is a good risk, I cannot calculate the risks involved if the local bank starts using my biometrics system to issue banking products to the fingerprints of my employees.

    And when national governments start working the biometrics genie, it shifts the risk unreality up several more notchs. The governments are calculating vague and unspecifiable benefits in some "war against today's enemy" but what they cannot calculcate is the risks involved with the use of the system in ordinary businesses.

    We see this writ large in the US. Initially, social security numbers were only to be used for ... social security. Then it was tax. Then, employee identification... and loans and credit and banking accounts and ... well, everything. The system was designed with an assumption of one use only; which just marginally made it acceptable from a security risk analysis.

    Use by others might be termed federated security, but from a risk analysis point of view it looks more like parasitic security, and if the fraud by impersonation (a.k.a. identity theft) example of the USA is anything to go by, nobody would adopt that risk knowingly.

    Posted by iang at 08:11 AM | Comments (0) | TrackBack

    April 11, 2005

    Big Bad Black Market

    Online fraud has been organised, industrialised, institutionalised and big for some time now. When I tell people that they just look blank, they have no conception of what this means. In a nutshell, it means they're making money, scads of it, and they ain't going away. If that doesn't make any sense, then read this:

    "I work in the fraud dept. for a well known US company, and have access to hundreds of CCs (credit card numbers) on a daily basis. All I'm looking for is an easy way to make some money and stay anonymous ..."



    New, smarter generation of Internet crooks
    Personal-information thieves hook up with people who may help them profit

    Carrie Kirby, Chronicle Staff Writer Monday, April 11, 2005

    "I work in the fraud dept. for a well known US company, and have access to hundreds of CCs (credit card numbers) on a daily basis. All I'm looking for is an easy way to make some money and stay anonymous ..."

    Late last year, someone known as "Elric" posted this message on a Web site for hackers and credit card thieves called Network Terrorism Forums. Within an hour, the Web site shows that Elric received the first of a half-dozen replies -- business offers and advice on how to carry out the theft.

    This is the online underworld, where stolen private information is quickly and easily sold over the Internet. The credit card numbers, bank account numbers, eBay accounts and other data sold there are stolen in corporate security breaches like the one at ChoicePoint, through offline crime like old-fashioned pickpocketing, and through scams known as "phishing" attacks, in which criminals trick people into revealing account information with slick-looking fake e-mails.

    Cyber crime investigators say deals like the one proposed in Elric's posting are common on a number of similar underground Web sites.

    "When you take into account the reach of the Internet and the level of sophistication of the trading in this information, it makes your hair stand on end," said Mike Drewniak, spokesman for the U.S. attorney's office in New Jersey.

    These sites have become a dangerous training ground for criminals, where con artists are gaining technical chops and hackers are developing a taste for profit. The result is that online fraud is becoming much more sophisticated and organized.

    "It's no longer teenage hackers in a garage trying to rip off credit cards. It is coordinated, organized crime," said Stratton Sclavos, chief executive of VeriSign, a Mountain View security and network infrastructure company that processes and monitors Internet transactions.

    Last October, New Jersey prosecutors, along with the Secret Service and the Department of Justice's Computer Crime and Intellectual Property Section, announced they had shut down three of the major online crime Web sites -- Shadowcrew, Carderplanet and Darkprofits -- and arrested 28 alleged participants who are scheduled to go on trial in October.

    On Shadowcrew alone, 4,000 members trafficked in at least 1.5 million stolen credit cards, causing losses to financial institutions of more than $4 million, according to the indictment.

    But new sites pop up all the time to replace those that law enforcement takes down. The ones that can be easily found online represent just the tip of the iceberg, said David Thomas, chief of the Federal Bureau of Investigation's computer intrusion squad.

    "A lot of the more organized groups will be more clandestine about what they do," with invitation-only Web sites, Thomas said. The Internet Relay Chat, or IRC, network, a series of chat rooms that predate the Web, is also a popular meeting place for online crooks.

    Denizens of the Internet underworld range from young computer whizzes, to career criminals just getting into computers, to traditional mobsters from established crime families. They live all over the world.

    The site where Elric's posting appeared, www.mazafaka.cc, is dominated by Russians, but Americans, Romanians and others can be found on the English-language portion of the site.

    When contacted by The Chronicle via instant messenger, Elric said he was a 22-year-old Midwestern college student who had been hacking as a hobby since he was 9 years old. He said he knew little about how to turn his skills into money -- until a Russian man who responded to his posting helped him run up charges on some of the credit cards in his employer's database.

    Elric would not reveal his true identity for fear of being arrested, so his story could not be verified. However, his story is typical of a change that's going on in the hacking world, said Christopher Painter, deputy chief of the Justice Department's computer crime unit.

    "There's been a convergence," Painter said. "It used to be that the hackers were very technically sophisticated but often didn't do things for a profit." Many hackers were curiosity-driven. They explored corporate networks just to see what was there and wrote viruses just to show they could.

    But over the last five years, Painter said, "you see hackers who are doing things for monetary rewards, and the fraudsters becoming sophisticated."

    One reason for the growing interest in online fraud: Increasingly, that's where the money is. A quarter of all adults, or 44 percent of Internet users, now use Internet banking, according to the Pew Internet & American Life Project.

    How it works

    The black market Web sites are part of what the FBI's Thomas calls "nontraditional organized crime." People work together, but they may never meet one another. They may carry out just one illegal transaction together or many.

    Here's a typical scenario: A hacker in California steals a batch of credit card numbers from a corporate database. On an underground Web site, he posts a request for help getting money off the cards, just like Elric did.

    A Russian partner takes the credit card numbers and uses them to order electronics online. The goods are delivered to a "drop," an address where the resident has agreed to receive stolen merchandise, in the United Kingdom.

    The recipient sells the merchandise and sends the proceeds back to the Russian partner, minus the reseller's cut. The Russian partner sends half to the hacker and keeps the other half.

    However, since the hackers, thieves and others doing business often don't know one another and remain anonymous, no one knows whom to trust. Rip-offs are rampant. An archive of the now-defunct Shadowcrew site obtained by The Chronicle, and the still-functioning Network Terrorism Forums, show that almost every new offer is met with suspicion.

    "If it ain't a rip-off, or an attempt of (Secret Service) to f*** around with us, contact me ..." read one response to Elric's posting.

    This has led some Web sites to develop review systems of the sellers not unlike those of eBay and other legitimate e-commerce sites.

    According to the indictment, Shadowcrew required the "vendors" to submit their product or service to a trusted community member for review.

    Shadowcrew's archives show people who were reviewed for selling merchandise such as stolen credit card numbers and counterfeit credit cards that were created using stolen account information.

    In a typical review, the potential seller would provide the reviewer with several credit card numbers -- along with important details such as the expiration date or the three-digit code from the back of the card. The reviewer would try using the card numbers to make purchases, and if they worked, would post a favorable review on the site.

    Other vendors were reviewed for selling eBay accounts, which would allow a scam artist to auction off nonexistent merchandise and collect payment while remaining anonymous.

    Vendors on the Network Terrorism Forums and other sites are encouraged to get reviewed as well.

    To be sure, credit card and bank account fraud is done without using the Internet. But the online world has made it much easier to form sprawling cooperatives to quickly exploit accounts that are often shut down within a day or so after numbers are purloined, law enforcement officials said.

    "Because on the Internet you are able to communicate so easily 24 hours a day ... then it's a lot easier to do something on a larger scale and to do so with people overseas," said Assistant U.S. Attorney Arif Alikhan, chief of the computer crimes section for the Central District of California.

    Crime families plug in

    At the same time that hackers and thieves are forming loose networks online, traditional crime families are also increasingly operating on the Internet.

    On Feb. 14, alleged members of the New York Gambino crime family pleaded guilty to a scheme in which they charged the credit cards of consumers who visited pornographic Web sites for "free tours."

    According to the indictment in the case, the family had been involved in Internet fraud since the late 1990s.

    Traditional mafia in Eastern Europe have been involved in online fraud for years, said Thomas of the FBI.

    The Web sites in the online underworld are not just trading posts for stolen information, however. They are places where would-be crooks can get advice on masking their identities online, techniques for stealing data and ideas for how to move around their ill-gotten cash.

    One nervous "carder," or stolen credit card user, told peers on Shadowcrew of panicking when a counterfeit card had failed to go through at a store. The carder used his own real credit card instead.

    Some members advised the foiled carder to go on the lam, since the store now had his real identity. Others said there was little chance the store would report the incident.

    Services are also for sale on these sites, such as creating and hosting phishing Web sites designed to trick people into giving up banking and credit card information.

    Phishing e-mails -- one of the fastest-growing threats on the Internet, according to security companies -- look like legitimate messages from banks or online services, but they are really scams. They usually ask recipients to click on a link that sends them to a Web site that also looks real, but is fake. Once there, users are lured into entering account numbers and passwords to "verify" their accounts.

    The scammer then uses that information to steal money from victims' accounts or commit identity theft.

    One post at the Network Terrorism Forums using the name "Children_Of_Console" offered Web sites that mimic those of 34 banks, including Wells Fargo and Bank of America, for $50 each. For $100, the seller would also provide the wording for the scam e-mail message. All the buyer would have to do is find a way to blast out the e-mail message to as many addresses as possible, then sit back and collect the account information.

    Conveniently, e-mail hosting services for sending spam or phishing e-mails can also be found on these sites. Hackers use viruses to secretly take control of hundreds or thousands of personal computers, then use the computers to send spam, for a fee.

    Making the digital bust

    Catching and prosecuting online fraudsters is not an easy task, especially since the crimes so often involve people overseas, sometimes in many countries.

    "It's very difficult working international cases. We get cooperation in countries where we can," said the FBI's Thomas.

    While the United States is one of the top sources of fraudulent transactions -- due to heavy Internet use here -- there are other countries where a high percentage of transactions appear to be fraudulent, according to security firm VeriSign.

    Belarus, Slovenia and Vietnam had the highest percentages of fraudulent transactions in 2004, but the list is in constant flux. And 58 percent of the Web sites used in phishing attacks are hosted outside the United States, VeriSign said.

    There are some successful busts.

    Last summer, the U.S. attorney's office for the Northern District of California extradited Ukrainian Roman Vega from Cyprus, for allegedly operating a Web site for trafficking stolen credit card numbers. He was charged with 20 counts of wire fraud and 20 counts of using unauthorized credit cards. If convicted, he faces fines of $250,000 per count, as well as 10 to 20 years in prison for each count, plus possible restitution.

    But cases like that aren't the norm, said Ken Silva, vice president of network and security at VeriSign.

    "Truth be told, there haven't been very many prosecutions," he said. "The FBI and Secret Service and local law enforcement have had a number of successes, but by and large it goes unpunished. These people don't often get caught."

    The FBI has an extensive cyber crime unit and a newly opened computer forensics laboratory in Menlo Park. But the unit acknowledges that Internet fraud is a relatively low priority, taking a backseat to cyber terrorism, computer intrusions, theft of trade secrets and online crimes against children.

    "That does not mean we don't work on" Internet fraud, said FBI Special Agent LaRae Quy, "but it is the fifth priority in this division."

    Keep it private

    Here are tips on protecting your personal information:

    -- Guard private information in the physical world by using a locked mailbox and a crosscut paper shredder on mail such as credit card offers and bills.

    -- Keep a separate credit card for online transactions, so if anything unusual shows up, you're more likely to notice it and can easily close the account.

    -- Don't give your credit card or Social Security number to anyone -- online or over the phone -- without verifying his or her identity.

    -- Layering the security measures on your computer will help prevent you from becoming a victim -- or part of the problem. Use a firewall and antivirus software, and download all the updates.

    Source: Chronicle research

    Chronicle staff writer Dan Fost contributed to this report. E-mail Carrie Kirby at ckirby@sfchronicle.com.


    Addendum; new paper on The Economy of Phishing.

    Posted by iang at 02:10 PM | Comments (0) | TrackBack

    April 01, 2005

    Nicking folk's identities is easy, says researcher

    Tools required: clipboard, pen, plausible yarn
    By Paul Hales: Thursday 24 March 2005, 16:48
    http://www.theinquirer.net/?article=22103

    SNOOPS in the employ of Infosecurity Europe, an exhibition company, wandered around London streets with clipboards and managed to extract enough information out of gullible shoppers to enable them to perpetrate identity theft on over 90 per cent of those they questioned.

    The company said the intention of the stunt was to "raise awareness of the need to be very careful about the information people give to complete strangers."

    A copper, detective Inspector, Chris Simpson of the Yard, said he was "disturbed" by the findings.

    The researchers admitted to a certain amount of subterfuge in extracting information such mothers’ maiden names, or first schools attended from the 200 folk interviewed.

    Pretending to be looking into Londoners’ theatre-going habits, the researchers told pedestrians that if they took part in the survey they would be entered into a draw for theatre ticket vouchers worth £20. Using this tactic they managed to get the names and address of all those questioned. Ninety-nine per cent coughed up their address and postcode and 92 per cent their home phone number.

    Interviewees were told actors often combined their pets name and mother’s maiden name to come up with their stage name and were asked what they thought their stage name would be. Ninety four percent of respondents were thus duped into giving up their mother’s maiden name and their pet’s name.

    Continuing the theatre-based theme, the question: "Did you get involved in acting in plays at school?" was followed by: "What was the name of your first school?". Ninety-six percent coughed this information too, giving over the key pieces of security information used by banks.

    Infosecurity said the three-minute questionnaire gave researchers sufficient information to open bank accounts, credit cards, or even to start stealing their victim’s identity. The researchers did not offer any verification of their identity, their only tool was a clipboard and the offer of the chance to win a voucher for theatre tickets, the company said.

    Claire Sellick Event Director for Infosecurity Europe who took part in the research said, one man provided all his information without question, "but returned five minutes later asking for it back, as he thought that we could use it to gain access to his on-line bank account, we gave him back his survey form," she said, "but did not provide any evidence of who we were. If we had been fraudsters he would have been too late."

    Detective Inspector, Simpson, Head of Scotland Yard’s Computer Crime Unit said, "The results of the survey are disturbing to say the least, however they do highlight the need to raise public awareness of identity theft, what it actually means, how it can happen and the potential consequences".

    By a spooky coincidence, DI Simpson is speaking in a keynote session on, ‘Law Enforcement - Cybercrime and International Co-Operation, Prevention, Detection and Punishment,’ at Infosecurity Europe 2005 – Olympia, London, UK 26th–28th April. µ
    I’Inq
    © 2005 Breakthrough Publishing Ltd.
    http://www.theinquirer.net/?article=22103

    Posted by iang at 11:03 AM | Comments (5) | TrackBack

    March 30, 2005

    New Password Cracking Threat: Grid + your laptop

    The following article is quite significant. My comments are at the end so as not to bias reading.

    washingtonpost.com
    DNA Key to Decoding Human Factor
    Secret Service's Distributed Computing Project Aimed at Decoding Encrypted Evidence

    By Brian Krebs washingtonpost.com Staff Writer Monday, March 28, 2005; 6:48 AM

    For law enforcement officials charged with busting sophisticated financial crime and hacker rings, making arrests and seizing computers used in the criminal activity is often the easy part.

    More difficult can be making the case in court, where getting a conviction often hinges on whether investigators can glean evidence off of the seized computer equipment and connect that information to specific crimes.

    The wide availability of powerful encryption software has made evidence gathering a significant challenge for investigators. Criminals can use the software to scramble evidence of their activities so thoroughly that even the most powerful supercomputers in the world would never be able to break into their codes. But the U.S. Secret Service believes that combining computing power with gumshoe detective skills can help crack criminals' encrypted data caches.

    Taking a cue from scientists searching for signs of extraterrestrial life and mathematicians trying to identify very large prime numbers, the agency best known for protecting presidents and other high officials is tying together its employees' desktop computers in a network designed to crack passwords that alleged criminals have used to scramble evidence of their crimes -- everything from lists of stolen credit card numbers and Social Security numbers to records of bank transfers and e-mail communications with victims and accomplices.

    To date, the Secret Service has linked 4,000 of its employees' computers into the "Distributed Networking Attack" program. The effort started nearly three years ago to battle a surge in the number of cases in which savvy computer criminals have used commercial or free encryption software to safeguard stolen financial information, according to DNA program manager Al Lewis.

    "We're seeing more and more cases coming in where we have to break encryption," Lewis said. "What we're finding is that criminals who use encryption usually are higher profile and higher value targets for us because it means from an evidentiary standpoint they have more to hide."

    Each computer in the DNA network contributes a sliver of its processing power to the effort, allowing the entire system to continuously hammer away at numerous encryption keys at a rate of more than a million password combinations per second.

    The strength of any encryption scheme is based largely on the complexity of its algorithm -- the mathematical formula used to scramble the data -- and the length of the "key" required to encode and unscramble the information. Keys consist of long strings of binary numbers or "bits," and generally the greater number of bits in a key, the more secure the encryption.

    Many of the encryption programs used widely by corporations and individuals provide up to 128- or 256-bit keys. Breaking a 256-bit key would likely take eons using today's conventional "dictionary" and "brute force" decryption methods -- that is, trying word-based, random or sequential combinations of letters and numbers -- even on a distributed network many times the size of the Secret Service's DNA.

    "In most cases, there's a greater probability that the sun will burn out before all the computers in the world could factor in all of the information needed to brute force a 256-bit key," said Jon Hansen, vice president of marketing for AccessData Corp, the Lindon, Utah, company that built the software that powers DNA.

    Yet, like most security systems, encryption has an Achilles' heel -- the user. That's because some of today's most common encryption applications protect keys using a password supplied by the user. Most encryption programs urge users to pick strong, alphanumeric passwords, but far too often people ignore that critical piece of advice, said Bruce Schneier, an encryption expert and chief technology officer at Counterpane Internet Security Inc. in Mountain View, Calif.

    "Most people don't pick a random password even though they should, and that's why projects like this work against a lot of keys," Schneier said. "Lots of people -- even the bad guys -- are really sloppy about choosing good passwords."

    Armed with the computing power provided by DNA and a treasure trove of data about a suspect's personal life and interests collected by field agents, Secret Service computer forensics experts often can discover encryption key passwords.

    In each case in which DNA is used, the Secret Service has plenty of "plaintext" or unencrypted data resident on the suspect's computer hard drive that can provide important clues to that person's password. When that data is fed into DNA, the system can create lists of words and phrases specific to the individual who owned the computer, lists that are used to try to crack the suspect's password. DNA can glean word lists from documents and e-mails on the suspect's PC, and can scour the suspect's Web browser cache and extract words from Web sites that the individual may have frequented.

    "If we've got a suspect and we know from looking at his computer that he likes motorcycle Web sites, for example, we can pull words down off of those sites and create a unique dictionary of passwords of motorcycle terms," the Secret Service's Lewis said.

    DNA was developed under a program funded by the Technical Support Working Group -- a federal office that coordinates research on technologies to combat terrorism. AccessData's various offerings are currently used by nearly every federal agency that does computer forensics work, according to Hansen and executives at Pasadena, Calif.-based Guidance Software, another major player in the government market for forensics technology.

    Hansen said AccessData has learned through feedback with its customers in law enforcement that between 40 and 50 percent of the time investigators can crack an encryption key by creating word lists from content at sites listed in the suspect's Internet browser log or Web site bookmarks.

    "Most of the time this happens the password is some quirky word related to the suspect's area of interests or hobbies," Hansen said.

    Hansen recalled one case several years ago in which police in the United Kingdom used AccessData's technology to crack the encryption key of a suspect who frequently worked with horses. Using custom lists of words associated with all things equine, investigators quickly zeroed in on his password, which Hansen says was some obscure word used to describe one component of a stirrup.

    Having the ability to craft custom dictionaries for each suspect's computer makes it exponentially more likely that investigators can crack a given encryption code within a timeframe that would be useful in prosecuting a case, said David McNett, president of Distributed.net, created in 1997 as the world's first general-purpose distributed computing project.

    "If you have a whole hard drive of materials that could be related to the encryption key you're trying to crack, that is extremely beneficial," McNett said. "In the world of encrypted [Microsoft Windows] drives and encrypted zip files, four thousand machines is a sizable force to bring to bear."

    It took DNA just under three hours to crack one file encrypted with WinZip -- a popular file compression and encryption utility that offers 128-bit and 256-bit key encryption. That attack was successful mainly because investigators were able to build highly targeted word lists about the suspect who owned the seized hard drive.

    Other encrypted files, however, are proving far more stubborn.

    In a high-profile investigation last fall, code-named "Operation Firewall," Secret Service agents infiltrated an Internet crime ring used to buy and sell stolen credit cards, a case that yielded more than 30 arrests but also huge amounts of encrypted data. DNA is still toiling to crack most of those codes, many of which were created with a formidable grade of 256-bit encryption.

    Relying on a word-list approach to crack keys becomes far more complex when dealing with suspects who communicate using a mix of languages and alphabets. In Operation Firewall, for example, several of the suspects routinely communicated online in English, Russian and Ukrainian, as well as a mishmash of the Cyrillic and Roman alphabets.

    The Secret Service also is working on adapting DNA to cope with emergent data secrecy threats, such as an increased criminal use of "steganography," which involves hiding information by embedding messages inside other, seemingly innocuous messages, music files or images.

    The Secret Service has deployed DNA to 40 percent of its internal computers at a rate of a few PCs per week and plans to expand the program to all 10,000 of its systems by the end of this summer. Ultimately, the agency hopes to build the network out across all 22 federal agencies that comprise the Department of Homeland Security: It currently holds a license to deploy the network out to 100,000 systems.

    Unlike other distributed networking programs, such as the Search for Extra Terrestrial Intelligence Project -- which graphically display their number-crunching progress when a host computer's screen saver is activated -- DNA works silently in the background, completely hidden from the user. Lewis said the Secret Service chose not to call attention to the program, concerned that employees might remove it.

    "Computer users often experience system lockups that are often inexplicable, and many users will uninstall programs they don't understand," Lewis said. "As the user base becomes more educated with the program and how it functions, we certainly retain the ability to make it more visible."

    In the meantime, the agency is looking to partner with companies in the private sector that may have computer-processing power to spare, though Lewis declined to say which companies the Secret Service was approaching. Such a partnership would not endanger the secrecy of their operations, Lewis said, because any one partner would be given only tiny snippets of an entire encrypted message or file.

    Distributed.net's McNett said he understands all too well the agency's desire for additional computing power.

    "There will be such a thing as 'too much computing power' as soon as you can crack a key 'too quickly,' which is to say 'never' in the Secret Service's case."

    © 2005 TechNews.com


    So here's my comment. Up until now, we've known that groups like the NSA and GCHQ have had the capability to crunch bigger keys and do better searches. Yet, they are not threats to the world, because their information is kept too secret; they can't reveal their discoveries without risk of losing their edge. Perversely, it doesn't matter whether they can break our crypto, as our secret and their secret is safe with them.

    But any policing force is a different matter. The US Secret Service is just another policing agency, one with two missions, being the protection of the currency and the more famous mission of bodyguard. They have no special need to keep their discoveries secret, in fact quite the reverse as they like all policing forces pander to the big bust and the exposure seeking press release. They are by definition threats to the common man.

    And, they're talking about cooperating with other departments, both to share data and to share compute resource. Think J Edgar Hoover with a Grid, and it matters not that they are the good guys, it's all about incentives tomorrow, not today's recruitment poster.

    In sum, up until now, nobody threatening had access to 10,000 machines. Now they do. Give it another year and I'll bet every large force in the USA and a half dozen ones in other countries will have installed their screen saver style grids. The threats meter has shifted up a few dozen bits for the ordinary person.

    (That's the bad news. The good news was that it was a good article.)

    Posted by iang at 03:12 AM | Comments (3) | TrackBack

    March 24, 2005

    Mozilla wobbles on the ball of security

    Over at Mozilla, the honeymoon is definately over, as no less than Symantec's CEO casts some doubt on the notion that just because a browser is popular and open source doesn't mean it's secure. The full story. There is one weak comment from Mitchell Baker, of Mozilla, that is easy to dispose of:

    "There is this idea that market share alone will make you have more vulnerabilities," Baker said. "It is not relational at all."

    That's, um, slightly wrong. You create the vulnerabilities, and market share finds 'em. We can show it empirically, logically or economically, you pick. Not to worry. Now, I have a fond hope that Mozilla can show the way ahead in phishing, being open source and all that, but this has got me totally bemused:

    In general, classic code flaws tend to be fairly easy to fix once they are found, she said. More difficult problems to guard against are the ones that exploit human behavior, like phishing.

    "In some of these cases, the solution is very difficult to determine," she said. "There are some circumstances where the speed won't be as fast."

    In barely disguised politeness, I have to question this. While I'm happy that phishing is belatedly on the table, what does it mean that the solution is difficult to determine?

    If there is a question of how to handle phishing, then ask?! We've been talking about fixing phishing for an entire YEAR now on Mozilla's very crypto and security groups. There are bugs filed, there are no shortage of clues planted. Keyboards have smoked with the volume of emails, posts, and documents. GOOD ideas on fixing phishing will flood in faster than you can say "go-fish". There are at least two, maybe 3 or 4 completely coded up solutions running in Mozilla already! Today!

    What's difficult about it all? Maybe it hasn't been said today. Here's how to do it: download trustbar.mozdev.org and do that.

    Couldn't be simpler.



    Addendum: An article that makes a better showing for Mozilla. The comments from Symantec are based on identified vulnerabilities, which is either a good sign (you're finding them and fixing them) or a bad sign (others are finding them and exploiting them). Axel is probably right, immediately below.

    Posted by iang at 03:48 AM | Comments (9) | TrackBack

    March 22, 2005

    FUDWatch - NYT breathless on wireless terrorism

    In the humour department, Cubicle points to Wendy who says:

    Without a hint of irony, however [NYT breathlessly reported that]:

    “Two federal law enforcement officials said on condition of anonymity that while they were not aware of specific cases, they believed that sophisticated terrorists might also be starting to exploit unsecured Wi-Fi connections.”

    Yes, even law enforcement needs anonymity sometimes.

    To which Cubicle comments that "Personally, I think that the reason that most of the “sources” are anonymous is because they don’t exist." Say Amen to that. Read the rest for some good FUD trashing by Cubicle.

    There's a market here for a FUDwatch site that gives awards to the crappiest security news.

    Posted by iang at 10:43 AM | Comments (3) | TrackBack

    February 24, 2005

    Random phishing news

    Over in the phishing department, Simon pointed to a new payments blog that seems to cover phishing as well.

    A company called Corillian has a 'rule base' system that analyses a company's data to see if they or their customers are getting phished (hmmm.... lost the link. They claim 90% success rate; for now, that is. Short terms solutions like these are probably necessary until the infrastructure is in place to deal with phishing where it most happens, but we shouldn't be fooling ourselves that these are any more than bandaids.

    I briefly wandered by the Anti-phishing Working Group's site to see what's new in the war on phishing, and nothing much there. And, I mean nothing - there are lots of teasers, but no information. There are a lot of logos there, however, and this confirms my suspicion of the APWG as a sales forum. Their value-added is to collect all the vendors of phishing solutions for you in one place, and their value-added for vendors is to collect all customers together! My advice to any financial institution looking for help is to do your own research. You will have to anyway.

    Addendum: See Phishing Club: An Addict/Enabler Nest?

    Posted by iang at 11:18 AM | Comments (2) | TrackBack

    Microsoft's negative rep leads to startling new security strategy

    Triage is one thing, security is another. Last week's ground-shifting news was widely ignored in the press. Scanning a bunch of links, the closest I found to any acknowledgement of what Microsoft announced is this:

    In announcing the plan, Gates acknowledged something that many outside the company had been arguing for some time--that the browser itself has become a security risk. "Browsing is definitely a point of vulnerability," Gates said.

    Yet no discussion on what that actually meant. Still, to his sole credit, author Steven Musil admitted he didn't follow what Microsoft were up to. The rest of media speculated on compatibility, Firefox as a competitor and Microsoft's pay-me-don't-pay-me plans for anti-virus services, which I guess is easier to understand as there are competitors who can explain how they're not scared.

    So what does this mean? Microsoft has zero, zip, nada credibility in security.

    ...earlier this week the chairman of the World's Most Important Software Company looked an auditorium full of IT security professionals in the eye and solemnly assured them that "security is the most important thing we're doing."

    And this time he really means it.

    That, of course, is the problem: IT pros have heard this from Bill Gates and Microsoft many times before ...

    Whatever they say is not only discounted, it's even reversed in the minds of the press. Even when they get one right, it is assumed there must have been another reason! The above article goes on to say:

    Indeed, it's no accident that Microsoft is mounting another security PR blitz now, for the company is trying to reverse the steady loss of IE's browser market share to Mozilla's Firefox 1.0.

    Microsoft is now the proud owner of a negative reputation in security,

    Which leads to the following strategy: actions not words. Every word said from now until the problem is solved will just generate wheel spinning for no productivity, at a minimum (and not withstanding Gartner's need to sell those same words on). The only way that Microsoft can change their reputation for insecurity is to actually change their product to be secure. And then be patient.

    Microsoft should shut up and and do some security. Which isn't entirely impossible. If it is a browser v. browser question, it is not as if the competition has an insurmountable lead in security. Yes, Firefox has a reputation for security, but showing that objectively is difficult: their brand is indistinguishable from "hasn't got a large enough market share to be worth attacking as yet."

    Some agree:

    "This is a work in progress," Wilcox says. "The best thing for Microsoft to do is simply not talk about what it's going to do with the browser."

    Posted by iang at 11:08 AM | Comments (2) | TrackBack

    Choicepoint - 700 identities attacked

    As predicted, the states ganged up on Choicepoint and forced them to agree to notify all the victims of the identity thefts. Of the 145k or so identified sets of identity, 700 ... 750 have now been identified as having been (ab)used. Which leaves me confused - is the identity stolen when the data is acquired, or when the data is used to commit a fraud?

    Adam points to widening ripples of turmoil as the thought permeates of remote, inattantive and disinterested parties amass massive databases on everyone. My guess: the US will suddenly have a love affair with European-style data privacy directives, as the deal with the risks and interests. Whoops: spoke too soon.

    Also see this nice open governance site that monitors Choicepoint and other companies.

    Posted by iang at 10:30 AM | Comments (0) | TrackBack

    February 18, 2005

    A Blackbird Moment - Microsoft confirms phishing is an attack on the browser

    17th February 2005. Bill Gates has just spoken at the RSA security conference:

    "Microsoft's chairman and chief software architect announced plans for an updated Internet Explorer 7.0 browser and a slew of other initiatives to bolster security in Microsoft products. Reacting to increased phishing, spyware, and malicious software (commonly known as malware) being directed against the IE browser, Gates said that Microsoft now plans to release "a new IE 7 with added levels of security" in mid-2005 rather than include the new browser in the next version of Windows, code-named Longhorn, due in 2006."

    "Gates promised that the new IE would add protection from "Internet-enabled social engineering" scams like phishing, a prevalent type of online attack in which spammers send e-mail messages to dupe recipients into visiting fraudulent Web pages that look like legitimate e-commerce sites to steal sensitive personal information such as passwords and credit card details."

    Back in the early 90s, seeing the Internet evolve was quite extraordinary. It was the social and technical revolution of our times. I used to tell everyone this, how this shift was as big as Gutenberg. Of course, people who spend all their time on the net rant a lot.

    And then, one night, Bill Gates canned Blackbird.

    A decade later, we don't even know what that is, but in that one event, the biggest force in software rewrote the whole rule book of computing and communications. They went from competing with the greatest force of our time to joining it, in one evening demo. Ever since that moment, there was no longer a battle to explain to people. The battle was won, the Internet was one, ours for evermore.

    Yesterday's announcement is a Blackbird Moment. When Microsoft announces that they are releasing a new browser with new phishing defences, no longer is there any debate about what phishing is. It's an attack on the browser. That's it, that's what it is.

    And now we can get one with the hard work of fixing it. But at least we know what to fix.

    Posted by iang at 02:21 PM | Comments (0) | TrackBack

    February 15, 2005

    Smartphone attacks - a timeline

    Unlike most media articles, this one has body, in the form of a nice timeline showing the arisal and evolution of a threat. For that alone it is worth it! (Read the full story)

    The following timeline gives a sense of the stepped-up pace of mobile phone attacks:

  • Spring 2004: A trojanized game called "Mosquitos" secretly sends messages to expensive toll numbers at the user's expense.
  • 15 June 2004: The Cabir worm replicates over-the-air via Bluetooth connections.
  • 16 June 2004: Cabir.B, a variation on the Cabir worm, is discovered. Cabir.B, which began spreading in the wild in autumn 2004, continues to spread today. To date, it has been detected in China, India, Turkey, the Philippines, and Finland.
  • 19 November 2004: The Skulls.A trojan replaces icons on the phone with skull images, making the phone almost useless.
  • 29 November 2004: Skulls.B is discovered.
  • 9 December 2004: Cabir.C is discovered.
  • 9 December 2004: Cabir.D is discovered.
  • 9 December 2004: Cabir.E is discovered.
  • 21 December 2004: Skulls.C is discovered.
  • 21 December 2004: Cabir.F is discovered.
  • 21 December 2004: Cabir.G is discovered.
  • 21 December 2004: The METAL Gear.a trojan encourages users to download and install it by masquerading as the popular mobile phone game Metal Gear Solid.
  • The most recent in this new wave of exploits, the trojan METAL Gear.a, targets mobile devices using the Symbian operating system. When run, it installs Skulls and Cabir variants and tries to disable antivirus and file-browsing products installed on the device - thus making the device extremely difficult for the user to repair. In addition, METAL Gear.a also makes a file called SEXXXY.sis available to any Bluetooth phones that happen to be within range; if the user of a nearby phone accepts that file, it will disable that phone's application selection button.

    http://www.identitytheft911.com/education/articles/art20041223mobile.htm

    Posted by iang at 08:38 AM | Comments (1) | TrackBack

    February 07, 2005

    Firefox first blood - bug allows any domain to be "owned"

    Over at something called the Shmoo conference, an exploit was announced that effects all browsers except including IE. Florian reports that spam is already circulating attacking IE. If you want to test it, and see what happens, browse over to http://www.shmoo.com/idn/ and click on the links. (Solution is below, also see BoingBoing suggested fix .)

    Don't worry, nothing bad happens to you, this time. And don't be unduly alarmed as in practice, this is no more distinct an attack than ordinary phishing. To be exploited, you have to be sent a link in email or chat, and you have to click on it. Don't do that. If you still feel threatened ... browse over to BoingBoing and follow the instructions - this turns off IDN support, which disables the code paths that the bug exploits.

    What is much more interesting is that this seems to be 'first blood' for Firefox - their first big security bug after the recent massive success of Firefox 1.0. It was always going to happen - all code has bugs, right? - and now is as good a time as any.

    The major problem that's going to strike here is that this is not a bug. Yes, I know I said it was a bug, and now I'm changing my mind.... Let me explain: it's a not-bug,
    or a not-a-bug-but-a-feature.

    The IDN - international domain name - concept allows names to be created that do non-english lettering. As an artifact of this, you can do english lettering, but in a non-english character set. Which means that anyone can craft any other domain and also request a certificate in it.

    But, anyone could already do that. We've known for a long time that paypa1.com was available as a domain (notice the digit one '1' at the end!). This is simply yet another way to create a near-perfect copy of a domain name. Not only is it simply yet another way ... it's one of a string of them including future mechanisms that we can only dream of right now.

    So, the first thing to understand is that domain names can be copied. And we can't really stop that.

    How then does the user defend herself? Or, better yet, how does the user and the browser working together stop being fooled?

    Simple. (I will assume that SSL is indicated here because it is important.) What the browser has to do is to show the user several things:

    1. Who the CA is that signed the cert.
    2. What the user previously knew/set about that site.

    Those two simple things will give the user powerful tools. Remember, the user knows her trusted sites. She is the one that trusts Bank of America, not the CA and not the browser manufacturer. So when she goes to her bank, she can designate that bank as "her bank". Sort of like a bookmark or a favicon, but it has to be tied to the certificate, and it has to be generated by her, elsewise the spoofer simply copies the public info on the website.

    The best way to do this is to show the logo of the CA (can be shipped in the browser for added security) alongside a logo for the bank that the user selected when she first visited the bank in SSL form. Those logos should appear on the chrome, in a position that can't be touched by the HTML.

    Then, when the spoof BunkOfAmerika turns up, the HTML might look the same, but the browser should treat this is an untrusted site - no logos because the cert seen (if any) doesn't have any logos selected.

    Posted by iang at 07:51 AM | Comments (2) | TrackBack

    February 01, 2005

    Cyota reports "almost 5% have been hooked in phishing"

    I know some have been banding around these ridiculous figures of phishing success, but I simply discounted them as being ridiculous. Yet, a new survey by Cyota in New York has said the same thing: "almost 5% [of banking account holders] admitted to responding and divulging information."

    We're in the wrong business. Here are the other key results:

    Key results found in the survey include:

  • 50% of accountholders have received at least one phishing email, compared to less than 25% back in April - representing 100% growth in just six months.
  • 44% of online bankers utilize the same password for multiple online banking services - a password obtained by the fraudsters can be used at a number of banks.
  • 37% of online bankers use their online banking password at other, less secure sites - these sites are typically less protected and this poses a security risk for banks.
  • 79% of accountholders check for the little lock on the bottom of a secure web page, however less than 40% actually click on the lock to view the security certificate. Cyota's Anti-Fraud Command Center (AFCC) confirms: lock image can be and is easily spoofed by fraudsters.
  • 70% of accountholders are less likely to respond to an email from their bank, and more than half are less likely to sign-up or continue to use their bank's online services due to phishing.
  • Nah... I cannot believe that "79% of accountholders check for the little lock..." And, as for "less than 40% actually click on the lock" ... well, I guess that includes 4%.

    Posted by iang at 08:01 PM | Comments (0) | TrackBack

    January 21, 2005

    Internet 'Phishing' Scams Getting More Devious

    There are about 10 articles a day on phishing, so I don't read them. What else is there to say that hasn't been said since years ago? Including the fact that it gets better and better, it's enough to drive a security guy to drink. Anyway, here's a good summary article to set a flag on the date, and an even briefer summary paragraph:

    57 million americans, 122 "brands", organised crime, DNS redirection attacks, half based on spyware, convergance, get a hardware token, and this corker of a closing argument:

    "Internet engineers should also figure out a way to authenticate Web addresses, much as they are currently figuring out how to make sure e-mail addresses are legitimate, he said."

    Wed Jan 19, 3:03 PM ET

    Internet 'Phishing' Scams Getting More Devious
    By Andy Sullivan

    WASHINGTON (Reuters) - Internet "phishing" scams are becoming more difficult to detect as criminals develop new ways to trick consumers into revealing passwords, bank account numbers and other sensitive information, security experts say.

    Scam artists posed as banks and other legitimate businesses in thousands of phishing attacks last year, sending out millions of "spam" e-mails with subject lines like "account update needed" that pointed to fraudulent Web sites.

    These attacks now increasingly use worms and spyware to divert consumers to fraudulent sites without their knowledge, experts say.

    "If you think of phishers initially as petty thieves, now they're more like an organized crime unit," said Paris Trudeau, senior product manager for Internet-security firm SurfControl.

    Phishing attacks have reached 57 million U.S. adults and compromised at least 122 well-known brands so far, according to several estimates.

    At the end of 2004 nearly half of these attacks contained some sort of spyware or other malicious code, Trudeau said.

    One attack, first documented last month by the Danish security firm Secunia, misdirects Web surfers by modifying a little-known directory in Microsoft Windows machines called a host file. When an Internet user types a Web address into a browser, he is directed instead to a fraudulent site.

    This technique has shown up in attacks spoofing several South American banks, said Scott Chasin, chief technical officer of the security firm MX Logic.

    The convergence of all of these threats means "we can expect to see some large attacks in the near term," he said.

    Another more ambitious attack targets the domain-name servers that serve as virtual telephone books, matching domain names with numerical addresses given to each computer on the Internet.

    IDENTITY THIEVES

    If one of those computers is compromised, Internet users who type in "www.bankofamerica.com" could be directed to a look-alike site run by identity thieves.

    Domain-name servers are tougher to crack, as they are typically run by businesses rather than home users, but hackers can find a way in by posing as a company's tech-support department and asking new employees for their passwords, Trudeau said.

    Domain-name hijacking is suspected in incidents involving Google.com, Amazon.com, eBay Germany and HSBC Bank of Brazil, Chasin said.

    Even straightforward phishing attacks are getting more sophisticated. Spelling errors and mangled Web addresses made early scams easy to spot, but scam artists now commonly include legitimate-looking links within their Web addresses, said Kate Trower, associate product manager of protection software for EarthLink Inc.

    Consumers who click on links like www.citibank.com in these messages are directed to a fraudulent Web address buried in the message's technical code, she said.

    MasterCard International has caught at least 10 phishing scams involving www.mastercard.com over the past two months, said Sergio Pinon, senior vice president of security and risk services.

    Consumers can protect themselves with software that screens out viruses, spyware and spam. But online businesses will have to take steps as well, perhaps by issuing customers a physical token containing a changing password, Chasin said.

    Internet engineers should also figure out a way to authenticate Web addresses, much as they are currently figuring out how to make sure e-mail addresses are legitimate, he said.

    Copyright © 2005 Reuters Limited. All rights reserved.
    http://story.news.yahoo.com/news?tmpl=story&cid=581&e=4&u=/nm/20050119/tc_nm/tech_phishing_dc

    Posted by iang at 07:13 AM | Comments (1) | TrackBack

    January 02, 2005

    Security Signalling - the market for Lemmings

    Adam continues to grind away at his problem: how to signal good security. It's a good question, as we know that the market for security is highly inefficient, some would say dysfunctional. E.g., we perceive that many security products are good but ignored, and others are bad but extraordinarily popular, and despite repeated evidence of breaches, en masse, users flock to it with lemming-like behaviour.

    I think a real part of this is that the underlying question of just what security really is remains unstudied. So, what is security? Or, in more formal economics terms, what is the product that is sold in the market for security?

    This is not such an easy question from an economist's point of view. It's a bit like the market for lemons, which was thought to be just anomalous and weird until some bright economist sat down and studied it. AFAIK, nobody's studied the market for security, although I admit to only having asked one economist, and his answer was "there's no definition for *that* product that I know of!"

    Let's give it a go. Here's the basic issue: security as a product lacks good testability. That is, when you purchase your standard security product, there is no easy way to show that it achieves its core goal, which is to secure you against the threat.

    Well, actually, that's not quite correct; there are obviously two sorts of security products, those that are testable and those that are not. Consider a gate that is meant to guard against dogs. You can install this in a fence, then watch the rabid canines try and beat against the gate. With a certain amount of confidence you can determine that the gate is secure against dogs.

    But, now consider a burglar alarm. You can also install it with about the same degree of effort. You can conduct the basic workability tests, same as a gate. One opens and goes click on closing; the other sets and resets, with beeping.

    But there the comparison gets into trouble, as once you've shown the burglar alarm to work, you still have no real way of determining that it achieves its goal. How do you know it stops burglars?

    The threat that is being addressed cannot be easily simulated. Yes, you can pretend to be a burglar, but non-burglars are pretty poor at that. Whereas one doesn't need to be a dog to pretend to be a dog, and do so well enough to test a gate.

    What then is one supposed to do? Hire a burglar? Well, let's try that: put an ad in the paper, or more digitally, hang around IRC and learn some NuWordz. And your test burglar gets in and ... does what? If he's a real burglar, he might tell you or he might just take the stuff. Or, both, it's not unreasonable to imagine a real burglar telling you *and* coming back a month later...

    Or he fails to get in. What does that tell you? Only that *that* burglar can't get in! Or that he's lying.

    Let's summarise. We have these characteristics in the market for security:

    • a test of the product by a simulated threat is:
      • expensive, and
      • the results cannot be relied upon to predict defence against a real threat;
    • a test of the product by a real threat is:
      • difficult to arrange,
      • could be destructive, and
      • the results cannot be relied upon to predict defence against any _other_ real threat.

    Perhaps some examples might help. Consider a security product such as Microsoft Windows Operating System. Clearly they write it as well as they can, and then test it as much as they can afford. Yet, it always ships with bugs in it, and in time those bugs are exploited. So their testing - their simulated threats - is unsatisfactory. And their ability to arrange testing by real threats is limited by the inefficient market for blackhats (another topic in itself, but one beyond today's scope).

    Closer to (my) home, let's look at crypto protocols as a security product. We can see that it is fairly close as well: The simulated threat is the review by analysts, the open source cryptologists and cryptoplumbers that pore through the code and specs looking for weaknesses. Yet, it's expensive to purchase review of crypto, which is why so many people go open source and hope that someone finds it interesting enough. And, even when you can attract someone to review your code, it is never ever a complete review. It's just what they had time for; no amount of money buys a complete review of everything that is possible.

    And, if we were to have any luck in finding a real attacker, then it would only be by deploying the protocol in vast numbers of implementations or in a few implementations of such value that it would be worth his time to try and attack it. So, after crossing that barrier, we are probably rather ill-suited to watching for his arrival as a threat, simply due to the time and effort already undertaken to get that far. (E.g., the protocol designers are long since transferred to other duties.) And almost by default, the energy spent in cracking our protocol is an investment that can only be recouped by aggressive acquisition of assets on the breach.

    (Protocol design has always been known to have highly asymmetric characteristics in security. It is for this reason that the last few years have shown a big interest in provability of security statements. But this is a relatively young art; if it is anything like the provability of coding that I did at University it can be summarised as "showing great potential" for many decades to come.)

    Having established these characteristics, a whole bunch of questions are raised. What then can we predict about the market for Lemmings? (Or is it the market for Pied Pipers?) If we cannot determine its efficacy as a product, why is it that we continue to buy? What is it that we can do to make this market respond more ... responsibly? And finally, we might actually get a chance to address Adam's original question, to whit, how do we go about signalling security, anyway?

    Lucky we have a year ahead of us to muse on these issues.

    Posted by iang at 12:24 AM | Comments (7) | TrackBack

    December 28, 2004

    From the "real threats" department: Wanted: Chief Espionage Officer

    A long but good article by John McCormick and Debbie Gage on espionage against American companies, generally by their competitors. It's good because it is real. The threats are validated by court filings, research and surveys. This is what real security is about, determining what threats are out there, validating them and constructing economic models of their costliness. Only then can security people proceed to design economic security systems to address the threats. Any thing else is speculation, and you shouldn't be surprised if it works out as being worthless or worse, interfering with the real security needs of the users.

    Posted by iang at 04:05 PM | Comments (0) | TrackBack

    December 01, 2004

    2005 - The Year of the Snail

    So if 2004 depressingly swims past us as the Year of the Phish, what then will 2005 bring?

    Worse, much worse. The issue is this: during the last 12 months, the Internet security landscape changed dramatically. A number of known, theoretical threats surfaced, became real, and became institutionalised. Here's a quick summary:

    1. Viruses started to do more than just replicate and destroy: they started to steal. The first viruses that scanned for valuable information surfaced, and the first that installed keyloggers that targetted specific websites and banking passwords. Just this week, the first attack on the root list of SSL browsers was being tracked by security firms.
    2. Money started to be made in serious amounts in phishing. This then fed into other areas, as phishers *invested* their ill gotten gains, which led to the next development:
    3. Phishers started to use other techniques to gather their victims: viruses were used to harvest nodes for spam that were used to launch phishing attacks. Integration across all the potential threats was now a reality.
    4. DDOS, which seemed to seriously take off in 2002, became a serious *extortion* threat to larger companies in 2004. Companies that had something to lose, lost.
    5. In 2004, it now became clear that we were no longer dealing with a bunch of isolated hackers who were doing the crack as much to impress each other as to exercise their own skills. There is now a market phase for every conceivable tool out there, and mere hackers do not purchase the factors of their production.
    6. Malware, spyware, and any other sort of ware turned up as infesting average PCs with Windows at numbers quoted as 30 per machine. And this was just the mild and benign stuff that reported your every browse for marketing purposes.
    7. Microsoft were shown to be powerless to stem the tide. Their SP2 mid-life update caused as many problems as it might have solved. No progress was discernable overall, and 2004 might be marked as the year when even the bubble headed IT media started questioning the emporer's nakedness.

    How can I summarise the summary in one pithy aphorism? For most intents and purposes, the Internet was secure for Windows users until about 2004. From 2005 onwards, the Internet is not secure for Windows users. Are you depressed, yet?

    2005 will be the Year of the Snail. Your machine will move slowly and slipperily to a fate that you can't avoid. The security of the Windows system on which the vast majority of the net depends for its leaf nodes will repeat the imagery of a snail's house. Ever toiling, slithering slowly across the garden with an immense burden on its back, and ever fearful of approaching predator. The snail is quick to retreat into its house, but all to no avail, as that crunching sound announces that your machine just got turned into more phish compost.

    I had hoped - foolish, I know - that Firefox and the like would have at least addressed the phishing threat by now. But now we are fighting a two fronts war: phishing attacks the browser's security model and UI, while all the rest attacks the Windows platform.

    It's really easy to offer a solution: download Firefox, and buy a Mac. But this is like asking a snail to become a hedgehog; it is simply out of the budget of way too many users to rush out and buy a Mac. Those that can do so, do so!

    Those that cannot, prepare for the Year of the Snail. And check in with us in a year's time to see how the two fronts war is going. The good news is that statistically, a few snails always survive to populate the garden for the next year. The bad news is that it will decidedly take more than a year for your house to evolve away from the sound of the crunch.


    Addendum 30th December: The Independent's Charles Arthur wrote The shape of things to come in 2005, which centrepoints security, but also comments on wider issues.

    3rd January 2005: The New Scientist's The year in technology.

    Posted by iang at 08:47 AM | Comments (6) | TrackBack

    2004 - The Year of the Phish

    Last year, 2003, was a depressing year. We watched the phishing thing loom and rise, and for the most part, security experts fudged, denied, shuffled and ignored while the phish was reeled in. Now, 2004 can truly be said to be the Year of the Phish.

    There is progress. Firefox have added two small but nice additions to their browser to address phishing. If you download Firefox (and if you haven't yet, you are now classified as too insecure to be permitted to browse) you can see these when you go to your banking site. On the bottom right, there is a little box containing the domain that is seen by the browser. Also, notice how the URL bar changes colour.

    Get used to these things, as they are about the only things protecting you from phishing.

    More is needed, however, much much more. Whilst I am somewhat ecstatic that Mozilla programmers have started on this journey, the amount done so far is dwarfed by what would be required to fully address phishing in the browser, and no other manufacturer of browsers seems to have even woken up yet.

    (Just briefly, the Certificate Authority needs to be shown. Further, the cert needs to "tracked" by the browser, and a relationship built up. I've suggested a usage count - 100 times to this site, you must like it! Amir and Ahmad have suggested that the user sign off on the cert and even coded it up as Trustbar, while Tyler has suggested the use of petnames for the user's idea of what each site is. They all have their purposes and benefits, and a solution that used all of these and more would be very powerful against phishing. Oh, and all this needs to be "in the face" and not discretely hidden down in some forgotten corner.)

    Most of this was known in 2003, by one means or another. But even though we have now to all intents and purposes had a full year of devastating losses due to phishing (more money lost than was ever spent on SSL certs) we still can't say with any degree of confidence that people understand that the browser is being attacked and the browser is where the defences should be placed.


    Addendum 2004-12-23: John Leyden wrote this 2004 security review for The Register which echoes a similar message.
    Also, In 2005, Organized Crime Will Back Phishers we can take as an echo, given that we already saw it in 2004!

    Addendum 2005-09-03; new paper on The Economy of Phishing.

    Posted by iang at 08:32 AM | Comments (2) | TrackBack

    November 27, 2004

    Burglary that called in its own "burglary in progress..."

    Some targets have their own security for certain threats. Here's a case of a burglary that went wrong, when the crooks tried to lift the circuit boards that drove the 911 system in the district!

    A Burglary Foiled by Calls That Didn't Reach 911
    By MARC SANTORA Published: November 27, 2004

    The plan seemed simple enough. The building had been cased and the burglars knew exactly what they wanted - advanced computer circuit panels that could be sold on the black market for hundreds of thousands of dollars.

    The night before Thanksgiving, about 8 p.m., they entered the Verizon building in White Plains undetected and set to work.

    But as the criminals removed the panels, they soon triggered problems across Westchester County. Most problematic, 911 systems across the region began to crash. By the time some 150 panels were removed, roughly 25,000 people had lost 911 service.

    At 9:51 p.m., the White Plains Police received a call alerting them to the fact that there might be a problem at the Verizon building. Still unaware that burglars were at work inside, a patrol car rolled up to the site, according to Inspector Daniel Jackson.

    ...

    Posted by iang at 07:53 AM | Comments (0) | TrackBack

    November 17, 2004

    NY Fed hit by inside saboteur?

    Another day, another threat. Here's the story of an electrician who was caught using a strange device with strange wires inside the electronic bowels of the New York Federal Reserve. Rather than pre-judge this one, I'll put my say in the comments on the site. You be the judge!

    http://www.nydailynews.com/front/story/251774p-215484c.html

    How a guy's gizmo spread fear at Fed

    BY THOMAS ZAMBITO
    DAILY NEWS STAFF WRITER

    It nearly sparked a financial catastrophe.

    An electrician's homemade gadget wreaked havoc on the Federal Reserve Bank of New York, causing computer convulsions at a facility that houses the world's biggest cash vault, the Daily News has learned.

    The foulup short-circuited the career of journeyman electrician John Cravetts, who was fired though he insists he meant no harm.

    But it could have been much worse, according to papers filed in Manhattan Federal Court.

    "The results could have been catastrophic," said Barry Schindler, an attorney for the New York Fed.

    Fed officials say they might have had to shut down computers that process some $2.5 trillion in funds and securities payments and $4 billion in checks every day.

    Fortunately, backup systems kicked in after the Nov. 17, 2002, incident.

    The heavily guarded facility in East Rutherford, N.J., is also home to a vault that handles more than $1 billion in currency, coins and food coupons.

    Cravetts, 62, was canned two weeks after the incident. A surveillance tape caught him using the crude device - two red wires strung between an ordinary household switch and plug.

    He later filed an age discrimination suit and also charged his firing was retaliation for reporting an electrocution hazard at the facility where he'd worked for almost 10 years.

    Manhattan Federal judge Harold Baer tossed out Cravetts' claim this week.

    "I had an unblemished record," Cravetts told The News yesterday.

    "What I did was in good faith. I did not do anything malicious," added the licensed electrician, who has since found a new job. "What do they think I'm going to do, sabotage it?"

    Although Fed attorneys presented a near-doomsday scenario in court filings, Fed spokesman Peter Bakstansky downplayed the incident yesterday.

    "There was no point at which the operations of the Fed were in danger," Bakstansky said. "We stopped him. ... We have a lot of redundancy."

    Cravetts had been asked to locate circuit breakers on the Fed computers that had not been properly labeled.

    He used his gizmo to conduct the search, plugging it in and tripping breakers, knocking out power as he went along.

    Cravetts told The News his superiors knew he used the device. He had made four of them at work.

    Fed attorneys say he should have used a device that sends a harmless tone back to the breaker and doesn't cause disruptions.

    Cravetts said that for more than a year, he had asked his bosses to order the manufactured device needed for the job, but they never did.

    Originally published on November 11, 2004

    Posted by iang at 04:23 AM | Comments (2) | TrackBack

    Kids' Secret Cells - defeating security by learning

    Following on from recent reports that the UK and the US are trialling advanced back-scatter millimetre radar scanners that see through clothing ... comes this story about how school children are defeating security systems to sneak their cell phones into school. See the article below for the basic techniques.

    The lesson for those who aren't familiar with security is not what they did, but how they discovered it. Basically, we can guess that the school children tried different measures, discarded those that didn't work, and shared those that did. In other words, a learning attack.

    Which, incidentally, we should find quite encouraging, right? After all, that's what school is about.

    Getting back to the wider security implications, the question is whether other security systems are secured against attackers who can learn.

    ========================================

    KIDS' SECRET 'CELLS'
    By MATTHEW SWEENEY

    October 25, 2004 -- Savvy students are figuring out all kinds of ways to get their cellphones past metal-detectors and school-security staff at city high schools, where the devices are banned.

    Kids at Martin Luther King Jr. HS on the Upper West Side put the phones behind a belt buckle - and blame the buckle for the beeping metal-detector.

    Some girls hide the phones where security guards won't look - in their bras or between their legs.

    "You tell them you're wearing an underwire bra," said Gleneshia Jesquith, 17. "What are they going to do, strip us apart for a cellphone?"

    "They put the phone in their thighs and they walk in with their legs together through the metal-detector," said Lauree, 16, another MLK student. La Guardia HS, across the street from King, has no metal-detectors, and lets students keep cellphones under what a staffer called an "as long as we don't see it" approach to the city's policy.

    "There's a ban, but it's not enforced," said a La Guardia staffer, who declined to give her name.

    So La Guardia students keep cellphones off and out of sight, and take advantage of the school's hallway "mood lighting" to make calls from darkened corners.

    La Guardia even has an area in the lobby set aside for kids to make emergency calls.

    Some approaches don't always work.

    "I put my phone in between two pieces of bread and wrapped it in tin foil," said Lauren Nocco, 15, a sophomore at James Madison HS in Brooklyn.

    The school took away her phone - and won't give it back until a parent retrieves it.

    Mom-and-pop businesses near schools are getting more traffic from the ban.

    Madison Deli, near James Madison HS, stores kids' cellphones in labeled paper bags behind the counter while they're in school. When school's out, kids surge into the deli to pick up their phones - and buy drinks and snacks.

    The owner, Timothy Thompson, doesn't charge for the phone-storage service - but he does require the kids to bring in their own self-labeled paper bags.

    "This is a good school," Thompson said. "They're good kids. Without them, we wouldn't be here."

    Posted by iang at 04:08 AM | Comments (0) | TrackBack

    November 05, 2004

    e-gold to track Cisco extortioner

    In line with my last post about using payment systems to stupidly commit crimes, here's what's happening over in the hacker world. In brief, some thief is trying to sell some Cisco source code he has stolen, and decided to use e-gold to get the payout. Oops. Even though e-gold has a reputation for being a den of scammers, any given payment can be traced from woe to go. All you have to do is convince the Issuer to do that, and this case, e-gold has a widely known policy of accepting any court order for such work.

    The sad thing about these sorts of crooks and crimes is that we have to wait until they've evolved by self destruction to find out the really interesting ways to crack a payment system.


    E-gold Tracks Cisco Code Thief
    November 5, 2004 By Michael Myser

    The electronic currency site that the Source Code Club said it will use to accept payment for Cisco Systems Inc.'s firewall source code is confident it can track down the perpetrators.

    Dr. Douglas Jackson, chairman of E-gold Ltd., which runs www.e-gold.com, said the company is already monitoring accounts it believes belong to the Source Code Club, and there has been no activity to date. ADVERTISEMENT

    "We've got a pretty good shot at getting them in our system," said Jackson, adding that the company formally investigates 70 to 80 criminal activities a year and has been able to determine the true identity of users in every case.

    On Monday, a member of the Source Code Club posted on a Usenet group that the group is selling the PIX 6.3.1 firewall firmware for $24,000, and buyers can purchase anonymously using e-mail, PGP keys and e-gold.com, which doesn't confirm identities of its users.

    PointerClick here to read more about the sale of Cisco code.

    "Bad guys think they can cover their tracks in our system, but they discover otherwise when it comes to an actual investigation," said Jackson.

    The purpose of the e-gold system, which is based on 1.86 metric tons of gold worth the equivalent of roughly $25 million, is to guarantee immediate payment, avoid market fluctuations and defaults, and ease transactions across borders and currencies. There is no credit line, and payments can only be made if covered by the amount in the account. Like the Federal Reserve, there is a finite value in the system. There are currently 1.5 million accounts at e-gold.com, 175,000 of those Jackson considers "active."

    eWEEK.com Special Report: Internet Security To have value, or e-gold, in an account, users must receive a payment in e-gold. Often, new account holders will pay cash to existing account holders in return for e-gold. Or, in the case of SCC, they will receive payment for a service.

    The only way to cash out of the system is to pay another party for a service or cash trade, which Jackson said creates an increasingly traceable web of activity.

    He did offer a caveat, however: "There is always the risk that they are clever enough to figure out an angle for offloading their e-gold in a way that leads to a dead end, but that tends to be much more difficult than most bad guys think."

    This is all assuming the SCC actually receives a payment, or even has the source code in the first place.

    PointerDavid Coursey says securing source code must be a priority. Read about it here.

    It's the ultimate buyer beware-the code could be made up, tampered with or may not exist. And because the transaction through e-gold is instantaneous and guaranteed, there is no way for the buyer to back out.

    Next Page: Just a publicity stunt?

    Dave Hawkins, technical support engineer with Radware Inc. in Mahwah, N.J., believes SCC is merely executing a publicity stunt.

    "If they had such real code, it's more likely they would have sold it in underground forums to legitimate hackers rather than broadcasting the sale on Usenet," he said. "Anyone who did have the actual code would probably keep it secret, examining it to build private exploits. By selling it, it could find its way into the public, and all those juicy vulnerabilities [would] vanish in the next version."

    PointerFor insights on security coverage around the Web, check out eWEEK.com Security Center Editor Larry Seltzer's Weblog.

    "There's really no way to tell if this is legitimate," said Russ Cooper, senior scientist with security firm TruSecure Corp. of Herndon, Va. Cooper, however, believes there may be a market for it nonetheless. By posting publicly, SCC is able to get the attention of criminal entities they otherwise might not reach.

    "It's advertising from one extortion team to another extortion team," he said. "These DDOS [distributed denial of service] extortionists, who are trying to get betting sites no doubt would like to have more ways to do that."

    PointerCheck out eWEEK.com's Security Center for the latest security news, reviews and analysis.

    Posted by iang at 11:38 AM | Comments (1) | TrackBack

    October 18, 2004

    Phishing - companies are mostly powerless

    The media is talking about some report that calls for companies to cooperate and not display information on web sites as an aid on phishing [1][2]. Yeah, that'll make a difference. Over in Korea they are reporting some little group arrested after selling an estimated 6 million user profiles [3].

    That's one company that we don't want anywhere near our data; but unfortunately that's how it happens. Asking companies to get involved in phishing is like asking cops to get involved in crime. Sure, they can do something, but only afterwards. The phish happens between the phisher and the user. The only thing that's constant between the two is the browser. The thing that happens afterwards is that the company gets it in the neck.

    So you have a choice of three possibilities. Educate the user, "educate" the phisher, or stop it at the browser. One doesn't need a PhD in security to recognise the company isn't present in that little equation, and education of the user is like telling the crime victim to stay clear of crime next time.

    Only attention to the browser has any merit whatsoever, as its the only agent that can tell the difference. It's the only one with a security model that implementors can adjust. It's the only one with some crypto blah blah - stuff that could make a difference [4]. Luckily for phishers, the crypto is currently widely deployed pointing in the wrong direction.

    One thing caught my eye. Markus Jacobsson (who must have been missreported) has submitted this report to the annual Financial Cryptography conference. Well, that makes sense. If phishing isn't a fraud involving finance, crypto, software engineering, governance of data, and a whole lot in between, then ... what else is FC?

    ( While we're on the depressing subject of phishing, here's an interesting report: most of the attacks come from a stable set of 1000 or so (hacked DSL) machines and it is claimed that there are only a very few groups, and maybe only one involved [5]. I don't believe it, but it's food for thought. )

    [1] Identity thieves' 'phishing' attacks could soon get a lot nastier
    [2] Identity thieves' "phishing" attacks could soon get a lot nastier
    [3] Six Million People Have Personal Information Stolen
    [4] See for example the work that Amir Herzberg and Ahmad Gbara are doing at
    Protecting (even) Naïve Web Users, or: Preventing Spoofing and Establishing Credentials of Web Sites
    [5] Phishing attacks may be coming from your computer

    Posted by iang at 04:51 PM | Comments (14) | TrackBack

    October 11, 2004

    Great intro to social engineering - "Catch me if you can"

    Now appearing on the not-ridiculously-priced racks at your local supermarket, the film "Catch me if you can" follows the life of a young fraudster in the 1960s. Frank Abagnale followed his heart if not his elders and developed strong techniques in how to engineer his way into many a closed shop.

    Systems that he breached: medical practice, law, airline pilots, family. All systems that owed their security more to their marketing and belief systems than to good technology. Oh, yes, and he "kited" a lot of checks along the way, as the Americans would say.

    What strikes is the successful integration of different techniques into a concerted attack. Yes Abagnale presented a fraudulent cheque or two. And yes, the system was pretty darn bad in those days. But it was the way he integrated his different social engineering approaches together that made the difference, not the single issue of credit or reliance on pieces of paper.

    The film is well worth seeing for the financial cryptographer. It's integrated, balanced, and it includes little or no crypto. Just like the real world! Oh, and it's also a fun film for all the family, which makes it shareable with those who exercise patience in our lives.

    Posted by iang at 10:22 AM | Comments (1) | TrackBack

    October 09, 2004

    Know your enemy - Interview with a hacker

    "Knowing what makes your antagonist tick is the key to getting the result you want," says a hacker who's being pursued by journalists and the FBI. Computer Weekly interviewed him and he came out with some answers worth pondering.

    Wednesday 6 October 2004
    Know your enemy

    A young Asian hacker who easily penetrated the databases of several large US corporations, and whose exploits made him a top target for the FBI, offers advice for dealing with foreign cybercriminals.

    "Knowing what makes your antagonist tick is the key to getting the result you want," he says.

    Do you think it is more difficult to hack into US corporate networks today than it was four years ago?

    If we are talking about the network that existed four years ago and exists now, then it would probably be more difficult, especially if during those years a given target had experienced trespasses by hackers.

    If it is a recently developed network, then chances to get access are probably better.

    In general it is easier for hackers to get access to networks in countries with growing and well-developed economies, because such companies have resources to expand their networks.

    In third-world countries the companies do not have the ability or resources to expand the networks, so they have to fine-tune them and work with what they have.

    Should US companies worry about hackers in Russia and other countries?

    Hackers from countries where the economy is less developed than the US are more motivated by money than by pride when they start trespassing on US companies - as opposed to US hackers, who are motivated more by pride than money. (There are many other ways that you can make money in the US.)

    Also, money is a stronger motivator than pride. That's why people motivated by money are more dangerous. Hackers are businesspeople [if they are motivated by money]. In most cases, they are probably just having difficulties in their countries finding and exploring opportunities to work.

    If a company that is hacked into can explore with a hacker his or her talents in a more peaceful way, the victim can only benefit. If these hackers are businesspeople, they can be redirected by being offered a better deal than the one they might get by creating pressure through hacking.

    I deeply believe in this point. It is hard, however, to generalise too much because every case involves different kinds of people and different circumstances.

    What security measures offer the best protection against hackers?

    Keep the hackers occupied if you recognise them as a threat. This might be similar to what some countries have done with their nuclear scientists - Russia, for example, keeps them under close supervision and treats them well, but above all keeps them busy professionally.

    Is there a certain type of network that is particularly easy to hack?

    There are two types. First, those that develop custom software. They usually invest money in developing the features that software provides, but often forget about securing parts of this software.

    The second type is where there is a breach in the company's infrastructure. It is not the hacking per se that is dangerous; what should concern the company is being taken advantage of by the use of that information.

    For example, if one got account numbers of users of PayPal, the hacker could then contact the users in huge numbers and attempt various kinds of fraud.

    Will security technologies ever be able to keep hackers out, or will hackers always find a way into corporate networks?

    Software and hardware can be improved to protect against trespasses. But then hackers will concentrate on security breaches in the infrastructure of a company, or do "social engineering".

    The ultimate goal is to obtain information for subsequent use, and hacking is just one of the many ways to obtain it.

    Posted by iang at 06:55 AM | Comments (1) | TrackBack

    October 08, 2004

    Hurricanes reduce Spam

    TechWeb reports that the hurricanes that gave Florida a good whipping over September seemed to drop the amount of spam seen on the net. The reason? It's suggested that "A lot of the biggest spammers are based in and around Boca Raton, Florida... When their power went out, they weren't able to spam."

    Well, there you go. For once, I have no polite comment ...

    Posted by iang at 01:43 PM | Comments (2) | TrackBack

    September 28, 2004

    The DDOS dilemma - change the mantra

    The DDOS (distributed denial of service) attack is now a mainstream threat. It's always been a threat, but in some sense or other, it's been possible to pass it off. Either it happens to "those guys" and we aren't effected. Or, the nuisance factor of some hacker launching a DOS on our ISP is dealt with by waiting.

    Or we do what the security folks do, which is to say we can't do anything about it, so we won't. Ignoring it is the security standard. I've been guilty of it myself, on both sides of the argument: Do X because it would help with DOS, to which the response is, forget it, it won't stop the DOS.

    But DOS has changed. First to DDOS - distributed denial of service. And now, the application of DDOS has become over the last year or two so well institutionalised that it is a frequent extortion tool.

    Authorize.com, a processor of credit cards, suffered a sustained extortion attack last week. The company has taken a blow as merchants have deserted in droves. Of course, they need to, because they need their payments to keep their own businesses alive. This signals a shift in Internet attacks to a systemic phase - an attack on a payment processor is an attack on all its customers as well.

    Hunting around for some experience, Gordon of KatzGlobal.com gave this list of motives for DDOS:

    • #1. Revenge Attack. A site may have ripped off someone and in revenge they ddos the site or hire it out. You can actually hire this service like a website hitman. $50 to kill your site sort of thing from most eastern block countries. Did I just coin something? The Webhit.
    • #2. Field Reduction: Say I no longer like Robert and he no longer likes me and we get into a pissing match and we ddos each other... Or say we were jerks and didn't want any competition at all. We could ddos all of our competitiors into oblivion. This type of thing happens more than you might think.
    • #3. Enacting God's Will: These are the DDOSERS from GOD. They are rightous and they ddos sites that do not align with their views on the world.
    • #4. HYIPer Dossers: If anything looks scammy about a HYIP (high yield investment programme) site there is a particular DDOS team running around out there who ddosses HYIPs damn near on a daily basis. This falls into category 3 and 5 below:
    • #5. Extortioners: Hackers or wannabees usually from Eastern European countries (usually) trying to make a living becasue their governemnt could gve a crap what they do to us citizens in general.

    Great list, Gordon! He reports that extortion attacks are 1 in 100 of the normal, and I'm not sure whether to be happier or more worried.

    So what to do about DDOS? Well, the first thing that has to be addressed is the security mantra of "we can't do anything about it, so we'll ignore it." I think there are a few things to do.

    Firstly, change the objective of security efforts from "stop it" to "not make it worse." That is, a security protocol, when employed, should work as well as the insecure alternative when under DOS conditions. And thus, the user of the security protocol should not feel the need to drop the security and go for the insecure alternative.

    Perhaps better put as: a security protocol should be DOS-neutral.

    Connection oriented security protocols have this drawback - SSL and SSH both add delay to the opening of their secure connection from client to server. Packet-oriented or request-response protocols should not, if they are capable of launching with all the crypto included in one packet. For example, OpenPGP mail sends one mail message, which is exactly the same as if it was a cleartext mail. (It's not even necessarily bigger, as OpenPGP mails are compressed.) OpenPGP is thus DOS-neutral.

    This makes sense, as connection-oriented protocols are bad for security and reliability. About the best thing you can do if you are stuck with a connection-oriented architecture is to turn it immediately into a message-based architecture, so as to minimise the cost. And, from a DOS pov, it seems that this would bring about a more level playing field.

    A second thing to look at is to be DNS neutral. This means not being slavishly dependent on DNS to convert ones domain names (like www.financialcryptography.com) into the IP number (like 62.49.250.18). Old timers will point out that this still leaves one open to an IP-number-based attack, but that's just the escapism we are trying to avoid. Let's close up the holes and look at what's left.

    Finally, I suspect there is merit in make-work strategies in order to further level the playing field. Think of hashcash. Here, a client does some terribly boring and long calculation to calculate a valid hash that collides with another. Because secure message digests are generally random in their appearance, finding one that is not is lots of work.

    So how do we use this? Well, one way to flood a service is to send in lots of bogus requests. Each of these requests has to be processed fully, and if you are familiar with the way servers are moving, you'll understand the power needed for each request. More crypto, more database requests, that sort of thing. It's easy to flood them by generating junk requests, which is far easier to do than to generate a real request.

    The solution then may be to put guards further out, and insist the client matches the server load, or exceeds it. Under DOS conditions, the guards far out on the net look at packets and return errors if the work factor is not sufficient. The error returned can include the current to-the-minute standard. A valid client with one honest request can spend a minute calculating. A DDOS attack will then have to do much the same - each minute, using the new work factor paramaters.

    Will it work? Who knows - until we try it. The reason I think of this is that it is the way many of our systems are already structured - a busy tight center, and a lot of smaller lazy guards out front. Think Akamai, think smart firewalls, think SSL boxes.

    The essence though is to start thinking about it. It's time to change the mantra - DOS should be considered in the security equation, if only at the standards of neutrality. Just because we can't stop DOS, it is no longer acceptable to say we ignore it.

    Posted by iang at 06:38 AM | Comments (5) | TrackBack

    September 26, 2004

    Eavesdropping threats: Listening to chat

    In the IHT, Hal Varian reports analysis of 1.5 million messages from online trading chat rooms [1]. Two researchers, Werner Antweiler and Murray, used their statistical tools and were able to glean a few clues and predictions for markets trades [2].

    Not terrifically much, it seems, but that's to be expected if one follows the efficient market hypothesis. However, it's not that far off a scam or two that's been going on. Allegedly, I hear, rumour has it, and all normal caveats....

    The place to look at is not the public chat rooms, which anyone will tell you is mostly noise, but the private places. The chat community of choice is the traders in the large banks. To get access to their chat, which is much more focused on big and real trading, you either have to be an insider, or very cunning.

    The cunning way to do it is to attract the traders to get into your own chatroom and encourage them to think about trading. This can be done by setting up a fantasy trading system. In these systems, you post trades that are nominal or virtual, and encourage traders to get involved and play. It's a bit like fantasy football, if you've seen that. As traders do well on the predictions, they get rewarded, with value that is "outside" their normal salary system in some sense or other (extra points if the rewards can be delivered tax free!).

    So the traders are encouraged to reveal the insider secrets of their employer banks in order to score big in the game. Is it that simple? Yup. Traders really don't care about the secrets, but they sure as hell care about scoring big in the games ... and perversely, the banks enourage this behaviour as they go hunting for analysts who've proven themselves in the game world!

    Then, of course, the system operator takes all the chat and all the trades and pumps it into their black boxes. Out spews the predictions, the operator passes it on to another sister company who arbitrages the banks, and they make out like bandits.

    Here's how the insider does it. Being on the inside, and being able to tap directly into the networks, one can collect all the trader and analyst chat in real time, and pump it into an analytics engine. Then out comes all the predictions ... so far so good.

    But, if the insider does all this, they need some infrastructure, and it's hard to do that without getting noticed. Not to mention that if they were able to make a trade, they'd be betting against their own bank!

    So one could be excused for thinking this was unlikely. Until the advent of the mutual funds scandal that is, where we discover all sorts of egregious behaviour, including mutual funds trading against their own parent manager banks [3]. In that scandal, many mutual funds were operated by major banks or other large institutions. Some of them, it seems, were simply listening to all the insider info, analysing it, and betting against their own organisation.

    What's going on here? Well, the mistake of the outsider is two-fold: firstly, to assume that the bank operates with one goal in mind, and secondly to assume that if they bet against their own trades, they are stealing their own money.

    It turns out that all the trading that they are arbitraging is trades of clients. For which fees are earnt, in a competitive framework. So as long as the client doesn't know, nobody cares. And, it turns out that what with Chinese walls and results-oriented management, there is no problem whatsover with one department betting against another; some banks even do it as a matter of policy.

    So, what we have is a fairly aggressive framework where managers of mutual funds are sucking their own trading floors for profits. Where it gets eggregious would be if they are doing it via insider information - chat, for example. And if they are doing it in such a fashion where the insiders that are getting paid off are keeping the scam a secret: encouraging the traders to reveal and perform worse than they otherwise would.

    Of course, we don't know where or if this precise scam is going on. But, all the building blocks are in place: the means, the motive, the weapon. It would be a shock to me if it wasn't a done deal.



    Commentary: Internet stock talk may have statistical meaning

    Hal R. Varian NYT Friday, September 24, 2004

    Online messages presage active trading

    Talk is cheap, particularly on the Internet. Stock message boards are a case in point. Every day, participants post tens of thousands of tips about which way various stocks are heading. Is any of this worth reading?

    Recently, two financial economists from the University of British Columbia, Werner Antweiler and Murray Frank, examined the message board phenomenon in a paper titled "Is All That Talk Just Noise? The Information Content of Internet Stock Message Boards," published in the June 2004 issue of The Journal of Finance.

    They collected more than 1.5 million messages from two online boards, Yahoo Finance and Raging Bull, and analyzed them using methods of computational linguistics and econometrics.

    The computational linguistics techniques allowed them to classify messages with respect to whether they advocated buying, holding, or selling the stock in question. Most of the messages were short and direct, allowing the algorithms to do a pretty good job of classification.

    Antweiler and Frank then merged the estimated buy, sell or hold signals into one "bullishness measure," which was a slightly modified version of the ratio of buy to sell recommendations.

    During the period they examined in their article, January to December 2000, the Internet bubble dissipated. Bullish messages, however, continued to proliferate.

    But did the message volume, timing, and sentiment forecast anything useful? The three most interesting features of a stock on a given day are its return, its volume and its volatility.

    The authors found that the characteristics of messages helped predict volume and volatility. Perhaps more surprisingly, they also found that the number of messages on one day helped predict stock returns the next day. The degree of predictability, however, was weak and reversed itself the next trading day.

    The bullish sentiment of messages was positively associated with contemporaneous returns, but has no predictive power for future returns. Traders post bullish messages about a given stock on days when its price goes up, but it is hard to determine which way the causation runs. Since postings do not predict future returns, it may be that the returns cause the postings.

    The story was different with respect to volatility. It appeared that the more messages posted about a stock one day, the higher its volatility was the next day.

    Trading volume was also correlated with messages. However, the apparent causation here was somewhat subtle. Message posting appeared to cause volume when the researchers examined daily data. But when they looked at the market at 15-minute intervals, trading volume seemed to cause messages.

    One hypothesis consistent with these observations about volume and messages was that people might tend to post messages shortly after buying a stock. Even though there are two sides to every trade, the seller has little incentive to brag about the dog he just unloaded, while the buyer has a strong incentive to recommend that others buy the stock he has just purchased.

    The authors conclude that the talk on message boards is not just noise. Though the predictive power for returns is too small to be meaningful, message board activity does seem to help predict volatility and volume. Varian is a professor of business, economics and information management at the University of California at Berkeley.


    [1] Hal R. Varian NYT, "Internet stock talk may have statistical meaning"
    [2] Werner Antweiler and Murray Frank, "Is All That Talk Just Noise? The Information Content of Internet Stock Message Boards," published in the June 2004 issue of The Journal of Finance.
    [3] James Nesfield and Ian Grigg, Mutual Funds and Financial Flaws, testimony to the U.S. Senate's finance subcommittee, 27th January 2004.

    Posted by iang at 01:54 PM | Comments (1) | TrackBack

    September 18, 2004

    The Node is the Threat

    Slowly, inch by inch, by hack and by phish, the Internet security community is coming to realise that the Node is the Threat, and the Wire is incidental. The military-inspired security textbooks of the 80s that led to 90s security practice never had much relevance for the net, simply because in military and national security places, the nodes were well guarded. It was the antennas of the NSA and the GRU that those guys were focused on.

    Whether you agree with the following judgement or not (and one judge did not), it highlights how the node is where the action is [1]. If you secure the wire and ignore the node, then you've only done a tiny part of the job. Probably still worth doing, but don't hold any illusions as to the overall security benefit, and don't sell any of those illusions to the customer.

    [1] See also the Wired article on E-Mail Snooping Ruled Permissible and the court record.


    ISPs Can Check E-Mail

    By Roy Mark July 1, 2004

    Backed by the clear, though perhaps out-of-date, language of the Wiretap Act, e-mail providers have the right to read and copy the inbound e-mail of their clients, a federal appeals court ruled Wednesday. The decision sparked howls of protest from privacy advocates, despite immediate assurances from some of the nation's largest ISPs that they would never engage in such practices.

    The U.S. Court of Appeals for the 1st Circuit in Boston voted 2-1 Wednesday to uphold the dismissal of a 2001 indictment against Branford C. Councilman, the vice president of now-defunct Interloc Inc., a rare and out-of-print books site.

    The U.S. district attorney for Massachusetts charged Councilman, who maintained an e-mail service for his clients, with illegal wiretapping for making copies of e-mail sent to his clients from Amazon.com. The district attorney claimed Councilman copied the e-mail to gain a competitive advantage.

    But Councilman's attorneys argued his actions were within the legal limits, because he did not intercept the messages in transit. E-mail, often only momentarily, is routed through servers. The U.S. District Court for Massachusetts ultimately ruled that counted as storage and dismissed the indictment.

    Yesterday's decision echoed that ruling in voting to uphold the indictment dismissal, saying e-mail does not enjoy the same eavesdropping protections as telephone conversations, because it is stored on servers before being routed to recipients.

    Samantha Martin of the Massachusetts district attorney's office said, "We are still in the process of reviewing that decision and weighing our options on what steps to take next."

    The two-judge majority deferred to the language of the Wiretap Act, noting it prohibits the unauthorized interception and storage of "wire communications," but only makes reference to the interception of "electronic communications."

    "The Wiretap Act's purpose was, and continues to be, to protect the privacy of communications. We believe that the language of the statute makes clear that Congress meant to give lesser protection to electronic communications than wire and oral communications," Appeals Court Judge Juan R. Torruella wrote. "Moreover, at this juncture, much of the protection may have been eviscerated by the realities of modern technology."

    "We observe, as most courts have, that the language may be out of step with the technological realities of computer crimes," Torruella wrote. "However, it is not the province of this court to graft meaning onto the statute where Congress has spoken plainly."

    In his dissenting opinion, Appeals Court Judge Kermit V. Lipez said there is no distinction between the electronic transmission and storage of e-mail.

    "All digital transmissions must be stored in RAM or on hard drives while they are being processed by computers during transmission," Lipez wrote. "Every computer that forwards the packets that comprise an e-mail message must store those packets in memory while it reads their addresses, and every digital switch that makes up the telecommunications network through which the packets travel between computers must also store the packets while they are being routed across the network."

    Lipez concluded: "Since this type of storage is a fundamental part of the transmission process, attempting to separate all storage from transmission makes no sense."

    America Online, EarthLink (Quote, Chart) and Yahoo (Quote, Chart), three of the country's largest ISPs, all have privacy policies prohibiting them from reading customer e-mail, except in the case of a court order.

    "Consistent with Yahoo's terms of service and privacy policy, we do not monitor user communications," said Yahoo spokeswoman Mary Osako said.

    Also jumping to the ISP defense was EarthLink spokeswoman Carla Shaw.

    "EarthLink has a long history of protecting customer privacy, and that protection extends to e-mail," she said. "We don't retain copies of customer e-mail, and we don't read customer e-mail."

    But this does little to alleviate the concerns of folks like Kevin Bankston, an attorney for the online privacy group Electronic Frontier Foundation.

    "By interpreting the Wiretap Act's protections very narrowly," Bankston said in a statement, "this court has effectively given Internet communications providers free reign to invade the privacy of their users for any reason and at any time."

    Bankston added that the law "has failed to adapt to the realities of Internet communications and must be updated to protect online privacy."

    Posted by iang at 08:00 AM | Comments (1) | TrackBack

    September 03, 2004

    DNS spoofing - spoke too soon?

    Just the other day, in discussing VeriSign's conflict of interest, I noted that absence of actual theft-inspired attacks on DNS. I spoke too soon - The Register now reports that the German eBay site was captured via DNS spoofing.

    What makes this unusual is that DNS spoofing is not really a useful attack for professional thieves. The reason for this is cost: attacking the DNS roots and causing domains to switch across is technically easy, but it also brings the wrath of many BOFHs down on the heads of the thieves. This doesn't mean they'll be caught but it sure raises the odds.

    In contrast, if a mail header is spoofed, who's gonna care? The user is too busy being a victim, and the bank is too busy dealing with support calls and trying to skip out on liability. The spam mail could have come from anywhere, and in many cases did. It's just not reasonable for the victims to go after the spoofers in this case.

    It will be interesting to see who it is. One thing could be read from this attack - phishers are getting more brazen. Whether that means they are increasingly secure in their crime or whether the field is being crowded out by wannabe crooks remains to be seen.


    Addendum 20040918: The Register reports that the Ebay domain hijacker was arrested and admitted to doing the DNS spoof. Reason:

    "The 19 year-old says he didn't intend to do any harm and that it was 'just for fun'. He didn't believe the ploy was possible.

    So, back to the status quo we go, and DNS attacks are not a theft-inspired attack. In celebration of the false alert to a potential change to the threats model, I've added a '?' to the title of this blog.

    Posted by iang at 01:15 PM | Comments (0) | TrackBack

    September 01, 2004

    VeriSign's conflict of interest creates new threat

    There's a big debate going on the US and Canada about who is going to pay for Internet wire tapping. In case you hadn't been keeping up, Internet wire-tapping *is* coming. The inevitability of it is underscored by the last ditched efforts of the ISPs to refer to older Supreme Court rulings that the cost should be picked up by those requiring the wire tap. I.e., it's established in US law that the cops should pay for each wiretap [1].

    I got twigged to a new issue by an article [2] that said:

    "To make wiretapping possible, Internet phone companies have to buy equipment and software as well as hire technicians, or contract with VeriSign or one of its competitors. The costs could run into the millions of dollars, depending on the size of the Internet phone company and the number of government requests."

    What caught me by surprise was the mention of Verisign. So I looked, and it seems they *are indeed* in the business of subpoena compliance [3]. I know most won't believe me, given their public image as a trusted ecommerce player, so here's the full page:

    NetDiscovery Service for CALEA Compliance

    Complete Lawful Intercept Service

    VeriSigns NetDiscovery service provides telecom network operators, cable operators, and Internet service providers with a streamlined service to help meet requirements for assisting government agencies with lawful interception and subpoena requests for subscriber records. Net Discovery is the premier turnkey service for provisioning, access, delivery, and collection of call information from operators to law enforcement agencies (LEAs).

    Reduce Operating Expenses

    Compliance also requires companies to maintain extensive records and respond to government requests for information. The NetDiscovery service converts content into required formats and delivers the data directly to LEA facilities. Streamlined administrative services handle the provisioning of lawful interception services and manage system upgrades.

    One Connection to LEAs

    Compliance may require substantial capital investment in network elements and security to support multiple intercepts and numerous law enforcement agencies (LEAs). One connection to VeriSign provides provisioning, access, and delivery of call information from carriers to LEAs.

    Industry Expertise for Continued Compliance

    VeriSign works with government agencies and LEAs to stay up-to-date with applicable requirements. NetDiscovery customers benefit from quick implementation and consistent compliance through a single provider.

    CALEA is the name of the bill that mandates law enforcement agency (LEA) access to telcos - each access should carry a cost. The cops don't want to pay for it, and neither do the suppliers. Not to mention, nobody really wants to do this. So in steps VeriSign with a managed service to handle wiretaps, eavesdropping, and other compliance tasks as directed under subpoena. On first blush, very convenient!

    Here's where the reality meter goes into overdrive. VeriSign is also the company that sells about half of the net's SSL certificates for "secure ecommerce [4]." These SSL certificates are what presumptively protect connections between consumers and merchants. It is claimed that a certificate that is signed by a certificate authority (CA) can protect against the man-in-the-middle (MITM) attack and also domain name spoofing. In security reality, this is arguable - they haven't done much of a job against phishing so far, and their protection against some other MITMs is somewhere between academic and theoretical [5].

    A further irony is that VeriSign also runs the domain name system for the .com and the .net domains. So, indeed, they do have a hand in the business of domain name spoofing; the trivial ease of mounting this attack has in many ways influenced the net's security architecture by raising domain spoofing to something that has to be protected against [6]. But so far nothing much serious has come of that [7].

    But getting back to the topic of the MITM protection afforded by those expensive VeriSign certificates. The point here is that, on the one hand, VeriSign is offering protection from snooping, and on the other hand, is offering to facilitate the process of snooping.

    The fox guarding the chicken coop?

    Nobody can argue the synergies that come from the engineering aspects of such a mix: we engineers have to know how to attack it in order to defend it. This is partly the origin of the term "hacker," being one who has to crack into machines ... so he can learn to defend.

    But there are no such synergies in governance, nor I fear in marketing. Can you say "conflict of interest?" What is one to make of a company that on the one hand offers you a "trustworthy" protection against attack, and on the other hand offers a service to a most likely attacker [8]?

    Marketing types, SSL security apologists and other friends of VeriSign will all leap to their defence here and say that no such is possible. Or even if it was, there are safeguards. Hold on to that thought for a moment, and let's walk through it.

    How to MITM the CA-signed Cert, in one easy lesson

    Discussions on the cryptography list recently brought up the rather stunning observation that the Certificate Authority (CA) can always issue a forged certificate and there is no way to stop this. Most attack models on the CA had assumed an external threat; few consider the insider threat. And fair enough, why would the CA want to issue a bogus cert?

    In fact the whole point of the PKI exercise was that the CA is trusted. All of the assumptions within secure browsing point at needing a trusted third party to intermediate between two participants (consumer and merchant), so the CA was designed by definition to be that trusted party.

    Until we get to VeriSign's compliance division that is. Here, VeriSign's role is to facilitate the "provisioning of lawful interception services" with its customers, ISPs amongst them [9]. Such services might be invoked from a subpoena to listen to the traffic of some poor Alice, even if said traffic is encrypted.

    Now, we know that VeriSign can issue a certificate for any one of their customers. So if Alice is protected by a VeriSign cert, it is an easy technical matter for VeriSign, pursuant to subpoena or other court order, to issue a new cert that allows them to man-in-the-middle the naive and trusting Alice [10].

    It gets better, or worse, depending on your point of view. Due to a bug in the PKI (the public key infrastructure based on x.509 keys that manages keys for SSL), all CAs are equally trusted. That is, there is no firewall between one certificate authority and another, so VeriSign can issue a cert to MITM *any* other CA-issued cert, and every browser will accept it without saying boo [11].

    Technically, VeriSign has the skills, they have the root certificate and now they are in the right place. MITM never got any easier [12]. Conceivably, under orders from the court Verisign would now be willing to conduct an MITM against its own customers and its own certs, in every place that it has a contract for LEA compliance.

    Governance? What Governance?

    All that remains is the question of whether VeriSign would do such a thing. The answer is almost certainly yes: Normally, one would say that the user's contract, the code of practice, and the WebTrust audit would prevent such a thing. After all, that was the point of all the governance and contracts and signing laws that VeriSign wrote back in the mid 90s - to make the CA into a trusted third party.

    But, a court order trumps all that. Judges strike down contract clauses, and in the English common law and the UCC, which is presumably what VeriSign uses, a judge can strike out clauses in the law or even write an entire law down.

    Further, the normal way to protect against over zealous insiders or conflicts of interests is to split the parties: one company issues the certs, and another breaches them. Clearly, the first company works for its clients and has a vested interest in protecting the clients. Such a CA will go to the judge and argue against a cert being breached, if it wants to keep selling its wares [13].

    Yet, in VeriSign's case, it's also the agent for the ISP / telco - and they are the ones who get it in the neck. They are paying a darn sight more money to VeriSign to make this subpoena thing go away than ever Alice paid for her cert. So it comes down to "big ISP compliance contract" versus "one tiny little cert for a dirtbag who's probably a terrorist."

    The subpoena wins all ways, well assisted by economics. If the company is so ordered, it will comply, because it is its stated goal and mission to comply, and it's paid more to comply than to not comply.

    All that's left, then, is to trust in the fairness of the American juridical system. Surely such a fight of conscience would be publically viewed in the courts? Nope. All parties except the victim are agreed on the need to keep the interception secret. VeriSign is protected in its conflict of interest by the judge's order of silence on the parties. And if you've been following the news about PATRIOT 1,2, National Security Letters, watchlists, no-fly lists, suspension of habeus corpus, the Plame affair, the JTTF's political investigations and all the rest, you'll agree there isn't much hope there.

    What's are we to do about it?

    Then, what's VeriSign doing issuing certs? What's it doing claiming that users can trust it? And more apropos, do we care?

    It's pretty clear that all three of the functions mentioned today are real functions in the Internet market place. They will continue, regardless of our personal distaste. It's just as clear that a world of Internet wire-tapping is a reality.

    The real conflict of interest here is in a seller of certs also being a prime contractor for easy breachings of certs. As its the same company, and as both functions are free market functions, this is strictly an issue for the market to resolve. If conflict of interest means anything to you, and you require your certs to be issued by a party you can trust, then buy from a supplier that doesn't also work with LEAs under contract.

    At least then, when the subpoena hits, your cert signer will be working for you, and you alone, and may help by fighting the subpoena. That's what is meant by "conflict of interest."

    I certainly wouldn't recommend that we cry for the government to fix this. If you look at the history of these players, you can make a pretty fair case that government intervention is what got us here in the first place. So, no rulings from the Department of Commerce or the FCC, please, no antitrust law suits, and definitely no Star Chamber hearings!

    Yet, there are things that can be done. One thing falls under the rubric of regulation: ICANN controls the top level domain names, including .net and .com which are currently contracted to VeriSign. At least, ICANN claims titular control, and it fights against VeriSign, the Department of Commerce, various other big players, and a squillion lobbyists in exercising that control [14].

    It would seem that if conflict of interest counts for anything, removing the root server contracts from VeriSign would indicate displeasure at such a breach of confidence. Technically, this makes sense: since when did we expect DNS to be anything but a straight forward service to convert domain names into numbers? The notion that the company now has a vested interest in engaging in DNS spoofing raises a can of worms that I suspect even ICANN didn't expect. Being paid to spoof doesn't seem like it would be on the list of suitable synergies for a manager of root servers.

    Alternatively, VeriSign could voluntarily divest one or other of the snooping / anti-snooping businesses. The anti-snooping business would be then a potential choice to run the DNS roots, reflecting their natural alignments of interest.


    Addendum: 2nd February 2005. Adam Shostack and Ian Grigg have written to ICANN to stress the dangers in conflict of interest in selection of the new .net TLD.

    [1] This makes only sense. If the cops didn't pay, they'd have no brake on their activity, and they would abuse the privilege extended by the law and the courts.

    [2] Ken Belson, Wiretapping on the Net: Who pays? New York Times, http://www.iht.com/articles/535224.htm

    [3] VeriSign's pages on Calea Compliance and also Regulatory Compliance.

    [4] Check the great statistics over at SecuritySpace.com.

    [5] In brief, I know of these MITMs: phishing, click-thru-syndrome, CA-substitution. The last has never been exploited, to my knowledge, as most attacks bypass certificates, and attack the secure browsing system at the browser without presenting an SSL certificate.

    [6] , D. Atkins, R. Austein, Threat Analysis of the Domain Name System (DNS), RFC 3833.

    [7] There was the famous demonstration by some guy trying to get into the DNS business.

    [8] Most likely? 'fraid so. The MITM is extraordinarily rare - so rare that it is unmeasurable and to all practical intents and purposes, not a practical threat. But, as we shall see, this raises the prospects of a real threat.

    [9] VeriSign, op cit.

    [10] I'm skipping here the details of who Alice is, etc as they are not relevent. For the sake of the exercise, consider a secure web mail interface that is hosted in another country.

    [11] Is the all-CAs-are-equal bug written up anywhere?

    [12] There is an important point which I'm skipping here, that the MITM is way too hard under ordinary Internet circumstances to be a threat. For more on that, see Who's afraid of Mallory Wolf?.

    [13] This is what is happening in the cases of RIAA versus the ISPs.

    [14] Just this week: VeriSign to fight on after ICANN suit dismissed
    U.S. Federal District Court Dismisses VeriSign's Anti-Trust Claim Against ICANN with Prejudice and the Ruling from the Court.
    Today: VeriSign suing ICANN again

    Posted by iang at 06:20 AM | Comments (5) | TrackBack

    August 31, 2004

    Phishing Kits

    James Sherwood of ZDNet reports: "Some Web sites are now offering surfers the chance to download free "phishing kits" containing all the graphics, Web code and text required to construct the kind of bogus Web sites used in Internet phishing scams. "



    So you want to be a cybercrook...
    Published: August 19, 2004, 3:24 PM PDT
    By James Sherwood
    ZDNet UK

    Some Web sites are now offering surfers the chance to download free "phishing kits" containing all the graphics, Web code and text required to construct the kind of bogus Web sites used in Internet phishing scams.

    According to security firm Sophos, the kits allow users to design sites that have the same look and feel as legitimate online banking sites that can then be used to defraud unsuspecting users by getting them to reveal the details of their financial accounts.

    "By putting the necessary tools in the hands of amateurs, it's likely that the number of attacks will continue to rise," said Graham Cluley, senior technology consultant at Sophos.

    Sophos warned that many of the kits also contain spamming software that enables potential fraudsters to send out thousands of phishing e-mails with direct links to their do-it-yourself fraud sites.

    "The emergence of these 'build your own phish' kits means that anyone can now mimic bona fide banking Web sites and convince customers to disclose sensitive information such as passwords," Cluley said.

    Many online banking Web sites now carry messages urging users not to open any e-mail that they suspect may be fraudulent and to telephone their bank for further information if they do receive suspicious e-mail.

    Phishing has become such a problem that there are now several online antiphishing guides to educate users about the con artists' common tricks.

    James Sherwood of ZDNet UK reported from London

    Posted by iang at 05:12 AM | Comments (0) | TrackBack

    August 26, 2004

    Paranoia Goes Better With Coke

    Most threats are mundane and well known. Some are just plain silly. Then, there are some that slice through the over-paranoid security systems and make them look daft. Here's one. Is it a threat? You be the judge.

    Paranoia Goes Better With Coke
    Associated Press 09:57 AM Jul. 02, 2004 PT

    There's a new security threat at some of the nation's military bases - and it looks uncannily like a can of Coke. Specially rigged Coke cans, part of a summer promotion, contain cell phones and global positioning chips. That has officials at some installations worried the cans could be used to eavesdrop, and they are instituting protective measures.

    Coca-Cola says such concerns are nothing but fizz.

    Mart Martin, a Coca-Cola spokesman, said no one would mistake one of the winning cans from the company's "Unexpected Summer" promotion for a regular Coke. "The can is dramatically different looking," he said. The cans have a recessed panel on the outside and a big red button. "It's very clear that there's a cell phone device."

    Winners activate it by pushing the button, which can only call Coke's prize center, he said. Data from the GPS device can only be received by Coke's prize center. Prizes include cash, a home entertainment center and an SUV.

    "It cannot be an eavesdropping device," he said.

    Nonetheless, military bases, including the U.S. Army Armor Center at Fort Knox, Kentucky, are asking soldiers to examine their Coke cans before bringing them in to classified meetings.

    "We're asking people to open the cans and not bring it in if there's a GPS in it," said Master Sgt. Jerry Meredith, a Fort Knox spokesman. "It's not like we're examining cans at the store. It's a pretty commonsense thing."

    Sue Murphy, a spokeswoman for Wright-Patterson Air Force Base in Dayton, Ohio, said personal electronic devices aren't permitted in some buildings and conference rooms on base.

    "We've taken measures to make sure everyone's aware of this contest and to make sure devices are cleared before they're taken in" to restricted areas, she said. "In the remote possibility a can were found in one of these areas, we'd make sure the can wasn't activated, try to return it to its original owner and ask that they activate it at home," she said. "It's just another measure we have to take to keep everyone out here safe and secure."

    The Marine Corps said all personnel had been advised of the cans and to keep them away from secure areas.

    Paul Saffo, research director at The Institute for the Future, a technology research firm, compared the concern about the Coke cans to when the Central Intelligence Agency banned Furbies, the stuffed toys that could repeat phrases.

    "There are things generals should stay up late at night worrying about," he said. "A talking Coke can isn't one of them."

    But Bruce Don, a senior analyst at the Rand Corp., said the military's concern is rational and appropriate.

    "There's a lot of reason to worry about how that technology could be taken advantage of by a third party without Coke's knowledge," he said. "I wouldn't worry if one was in my refrigerator, but if you had a sensitive discussion or location, it's not inconceivable the thing could be used for something it was not designed for."

    Martin said Thursday the world's largest soft drink maker has received phone calls inquiring about the promotion from Hill Air Force Base in Ogden, Utah, and from a military base in Anchorage, Alaska. The callers did not mention any concerns, and Coke has not been contacted by the bases in Ohio and Kentucky, Martin said.

    Asked if Coke would curtail the promotional campaign because of the security issues raised, Martin said, "No. There's no reason to."

    ¿ Copyright 2004, Lycos, Inc. All Rights Reserved.
    http://www.wired.com/news/technology/0,1282,64078,00.html

    Posted by iang at 04:58 AM | Comments (0) | TrackBack

    August 12, 2004

    crypto wars - NSA the victor

    Here's a long but worthwhile article full of clues as to how the NSA benefitted in the aftermath of the crypto wars of the 1990s [1]. In brief, there has been little impact on their operations, and massive net mining flags the few encrypted packets out there for further traffic analysis. On the whole, good stuff, for them.

    It's pretty obvious that the NSA won the crypto wars, even if the net won some of the battles. Open source warriers managed to force the hugely uncrackable 128 bits and 1024 bits into open international distribution, but simply failed to deploy it in any significant numbers [2]. In some senses, we won the right to fight, and then went home feeling mighty chuffed with ourselves.

    Director of NSA shifts to new path
    Hayden makes changes to keep up with technology; 'He's had to move the culture'

    By Scott Shane, Baltimore Sun National Staff, August 8, 2004

    Last year, long before CIA Director George J. Tenet resigned in advance of a series of damning reports on intelligence failures before the Sept. 11, 2001, attacks, the chief of an even larger spy agency was quietly asked to extend his term.

    Lt. Gen. Michael V. Hayden, director of the National Security Agency, was asked by Tenet and Defense Secretary Donald H. Rumsfeld to stay on as director until at least September 2005. The 6 1/2 -year term will make the three-star Air Force general by far the longest-serving NSA boss in the agency's 52-year history.

    Hayden's survival amid the harsh assessment of pre-Sept. 11 intelligence may reflect his ability to turn around the gargantuan eavesdropping agency in an era of shifting technology and threats.

    Even as stateless terrorists have replaced Soviet missile bases as the agency's prime target, so the boom in cell phones, the Internet and the spread of fiber-optic cable and computerized encryption have forced it to reinvent eavesdropping technology.

    "The whole ballgame of where and how you collect signals intelligence changed," says Charles G. Boyd, a retired Air Force general who was executive director of the Hart-Rudman Commission on national security in the late 1990s and now heads Business Executives for National Security.

    "And that's where [Hayden] has moved this institution. To do that, he's not only changed technologies and processes. He's had to move the culture itself, and that's very difficult to do."

    Boyd knows Hayden well from their Air Force service and has followed his work at NSA closely. "As a manager of change and a manager of intelligence overall, I think Mike Hayden is the best we have," he says.

    Agency changes

    Matthew M. Aid, a respected intelligence historian in Washington who is writing a book on the NSA, says the changes under Hayden appear to be producing results.

    "The al-Qaida operatives who are being tracked down and caught - that's largely the result of signals intelligence," which is spy lingo for the intercept of phone calls, e-mail and other messages that is NSA's turf, Aid says. "NSA is flush with cash. It's hiring thousands of new people. It's clearly an agency that's going places."

    Some NSA veterans complain that Hayden "brought in corporate types who gave him Harvard Business School models" that "don't work for an intelligence agency," Aid says.

    But the people at the CIA, the White House, the State Department and the Pentagon who receive NSA's reports see a difference, he says: NSA "has a lot more respect from intelligence consumers than it had when Hayden arrived in 1999."

    The changes at NSA have been wrenching, with large numbers of veterans taking early retirement and contractors brought in to handle much of the agency's retooling. More than 22 percent of the agency's civilian work force has been hired since 2000, with more than 1,300 new employees expected to come on board this year, agency officials say.

    Aid estimates that 25,000 civilian and military employees work on NSA's sprawling Fort Meade campus off the Baltimore-Washington Parkway, although the exact number is classified. At least an additional 10,000 eavesdroppers are scattered elsewhere in the United States and around the world, he says.

    Many agency old-timers aren't happy, says retiree Mike Levin, who worked at the agency from 1947 to 1993. "I have a very negative view of General Hayden. Before he had a chance to know what was going on, he announced he was going to clean the place out," Levin says.

    But others say the NSA was in need of radical surgery well before the Sept. 11 attacks.

    "NSA was set up to monitor an enormous country, the Soviet Union, that didn't go anywhere," says James Bamford, author of two books on the agency. "It was never set up to follow individual terrorists around the world using phone cards, disposable cell phones and e-mail."

    Of Hayden, Bamford says, "I think he's done about as good a job as anyone could do given the limitations."

    In fact, the author says, the cerebral 59-year-old intelligence veteran, a Bulgarian linguist early in his career, might emerge as a candidate for the post of national intelligence director proposed by the Sept. 11 commission.

    Keeping up

    When Hayden arrived in March 1999, the agency was by all accounts hurting. Its budget had been cut by about a third since the height of the Cold War, but it had to devise new intercept systems to keep up with what Hayden calls "the greatest revolution in communications since Gutenberg discovered movable type."

    The shift of international communications traffic from satellites and microwave links to hard-to-tap fiber-optic cables posed a major challenge. Encryption described by NSA officials as impossible to break was spreading. National magazine stories on the secret agency began to ask: Is the NSA going deaf?

    Then, in January 2000, a huge computer crash took the agency offline for days, dramatizing the need for an updated infrastructure.

    Russian linguists were in oversupply, while there was an extreme shortage of speakers of Arabic and other languages more relevant to terrorism. Older employees who had mastered radio and microwave intercepts were not so adept at monitoring cellular networks and the Internet.

    After Sept. 11, 2001 - when most of NSA was evacuated for fear it might be the hijackers' next target - it became obvious that the agency would be permitted to expand. But Hayden decided to go forward the next month with a final early-retirement program, watching 765 employees leave even as the agency geared up to hire.

    "It was not because anyone was dumb, incompetent, lazy or calcified or anything else," Hayden said in an interview last week in his whisper-quiet office at the top of one of NSA's massive glass towers at Fort Meade. "It was just a work force that historically did not change over very much. ... So if we were going to get new skills, we were going to have to get new people."

    The old Soviet target, Hayden said, was "exceptionally slow-moving, oligarchic and technologically inferior," and what NSA was then interested in was "big things. You wanted to know where their nuclear missile submarines were. You wanted to know about Soviet forces in Germany - were they in garrison or in the field? You wanted to know if there were bombers at Arctic staging bases."

    By contrast, he said, "in the current war, you're looking for infinitely more granular information. You want to know where this human being is. And it's not good enough to say he's in Afghanistan. In terms of our current ops [operations] tempo, it's not even good enough to know what city. You have to know what building he's in."

    Rather than the special communications systems used by foreign militaries, "al-Qaida rides on the global [commercial] communications structure." To listen in, "you're putting yourself into their communication pattern. If your pattern doesn't match their pattern ... you don't hear."

    Technology revolution

    Given the dire assessments a few years ago, it is notable that Hayden says the communications revolution has on the whole been a plus, not a minus, for the NSA.

    The NSA director declines to elaborate. But interviews with outside experts suggest that the agency has managed to overcome the challenges posed by fiber-optic cable and encryption.

    "My opinion is that at this point, those are little more than a speed bump to NSA," says Steve Uhrig, president of SWS Security, a Harford County firm that builds eavesdropping and counter-eavesdropping systems for U.S. and foreign police agencies. "They have a virtually unlimited budget, and they can put amazing resources to work on a problem."

    Several sources who regularly speak with NSA officials say they believe Uhrig is right. Although they do not know the details, they say the agency has almost certainly managed to tap fiber cables on a large-scale basis, making access to the information inside less of a problem than its overwhelming volume.

    The NSA has also found a silver lining to the use of encrypted e-mail: Even if a particular message cannot be read, the very use of encryption can flag it for NSA's attention. By tracking the relatively few Internet users in a certain country or region who take such security measures, NSA analysts might be able to sketch a picture of a terrorist network.

    Information 'in motion'

    And by focusing their electronic tricks on messages as they are first typed on a computer or when they are read on the other end - what security experts call "information at rest" - NSA technical experts might be able to bypass otherwise-unbreakable encryption used when the information is "in motion."

    Meanwhile, the popularity of e-mail and particularly of cell phones has worked to the NSA's advantage in the battle against terrorism.

    The NSA's computers can track and sort huge volumes of e-mail far more easily than they can manage telephone intercepts, because text is consistently represented in digital code.

    And cell phones - as handy for terrorist plotters as for everyone else - provide not just an eavesdropping target but also a way to physically track the user.

    Uhrig, who has installed cellular intercept systems in several countries, says that as cell phones have proliferated, the "cells" served by a tower or other antenna have correspondingly grown smaller. "A big hotel may have a cell for every other floor. Every big office building is its own cell," he says.

    Easier tracking

    By following a switched-on cell phone as it shifts from cell to cell, "you can watch the person move," Uhrig says. "You can tell the direction he's moving. If he's moving slow, he's walking. If he's moving fast, he's in a car. The tracking is sometimes of much more interest than the contents of a call."

    But Hayden will say nothing about reports in the news media and from outside specialists that NSA telephone intercepts led to the recent series of arrests of suspected terrorists in Pakistan. Confirming the agencies' victories would only warn future targets to take precautions against eavesdropping.

    The most devastating such loss in recent years came in 1998, when al-Qaida leader Osama bin Laden stopped using the satellite phone the NSA had used for years to track him and his plans.

    Whether he was tipped off by press reports - as the Sept. 11 commission has claimed - or by the United States' cruise missile attack on his camp in Afghanistan remains unclear.

    "This is the most fragile of all intelligence disciplines," Hayden said. "We would not want many of our successes broadcast."

    Copyright © 2004, The Baltimore Sun

    [1] Original article over on Cryptome.org
    [2] "How effective is open source crypto?"

    Posted by iang at 05:25 AM | Comments (1) | TrackBack

    August 09, 2004

    FCC votes to tap Internet calls

    In the US, the FCC has voted to enforce CALEA - wiretap rules - on VoIP operators [1] [2]. These businesses (like Vonage) provide Internet calls to their switches and then onto the public network. They are fantastically successful, because they deliver good service for cheap, something so implausible for the fixed wire competitors (like Sprint, AT&T and the baby bells) that it must be against FCC rules.

    VoIP (voice over IP) operators are of course ideally placed to listen to the calls, something that is currently only done under subpoena. CALEA will force them to provide high performance infrastructure to enable massive monitoring.

    This could presage a new phase in crypto deployment. Obviously, direct PC to PC comms cannot be covered by such rules, and equally obviously, people will prefer to talk privately. Products like Skype and the rough predecessors PGPPhone and SpeakFreely will get a boost.

    IMHO, the FCC will do more damage to the eavesdroppers' objectives than they realise. The FCC has been one of the agencies at the forefront of letting the Internet develop without overbearing regulation, knowing that they can't help, but they can certainly hinder. Perhaps they do realise?

    [2] FCC approves taps on broadband and VoIP
    [1] Wiretap law would apply to broadband

    Posted by iang at 04:09 AM | Comments (1) | TrackBack

    August 04, 2004

    When is a phish not a phish?

    When it's a class action payout! Yep, Paypal got into a mess when it had to mail out notifications to many users announcing a class action payout and encouraging them to ... you guessed it, click on the link and register their details.

    http://www.internetnews.com/bus-news/article.php/3390191

    August 3, 2004
    Mass Action on PayPal Settlement Site
    By Susan Kuchinskas

    An awful lot of people want a piece of PayPal. They overwhelmed a site offering a minimum of $50 to anyone with an account, the result of a class action suit.

    The site went live in late July, after the United States District Court for the Northern District of California in San Jose approved a $9.25 million settlement in a class action suit alleging that the online payment platform owned by eBay unreasonably restricted, froze or closed customer accounts.

    Under the terms of the settlement, anyone who had a PayPal account from October 1, 1999 to January 31, 2004 can receive up to $50 by filing a short form; those who went through PayPal's dispute resolution process or want to claim a higher damage award fill out a longer form and receive a portion of the $5.92 million left after the attorneys are paid.

    Although claims must be submitted online, the site at times was unavailable or extremely slow, and some e-mails requesting information bounced.

    A notice on the index page reads, "The website is experiencing delays and other problems due to an extremely high volume of traffic." Noting that the deadline for submitting claims isn't until October 23, it advises people to check back in a week or so.

    Aside from the sheer volume of hits on the site, there were other glitches: The online form refuses to accept e-mail addresses that contain hyphens or multiple periods, and some people were unable to print the required certification firm, which must be mailed.

    "The PayPal settlement site is being hosted by a company hired by the plaintiffs' side of the agreement," said a PayPal spokesperson. "They are aware of the issues with this site and have been working to get them fixed. We've done everything on our end to assist with that, but ultimately it's their site."

    While some claimants had difficulty using the site, others worried about whether they should even click on the link in the PayPal e-mail. Internet users are right to be wary of e-mails purporting to be from PayPal. It's been one of the top victims of phishing schemes.

    Phishers try to lure the unsuspecting to phony sites that mimic those of reputable companies. Once there, they're asked to input credit card, Social Security and bank account numbers that the fraudsters then exploit.

    Most e-mail users receive a relentless barrage of fake PayPal requests to "Update your account immediately!" So, when present and former PayPal account holders received notice last Friday that the company was ready to pay up, it might have seemed a little dodgy.

    The link in the e-mail read "paypal.com," but it redirected surfers to the somewhat spam-sounding settlement4onlinepayments.com. That site is hosted by a company with the suspiciously generic-sounding moniker "The Garden City Group."

    It's for real, said A.J. De Bartolomeo, one of the lead attorneys in the suit. "This Web site is the official and only official Web site," she said.

    De Bartolomeo, a principal in the San Francisco law firm of Girard Gibbs & De Bartolomeo, said all elements of the settlement site and notification e-mails were carefully considered in light of the phishing problem.

    Regarding the settlement site's URL, "We realized that using PayPal in the actual Web address might make people think it was a scam," she said. "So we tried to do something that was descriptive. It's an online payment service, and this is the settlement for it."

    On the other hand, PayPal sent out the notification e-mails, rather than a third party, she said, because "an e-mail notice from a third party would look a lot like a spoof." Including a link to PayPal's site, which redirected surfers to the Garden City site, she added, "seemed the best way to have the highest legitimacy possible for people who are, for a lot of reasons, suspicious. No notice program is ever perfect," she said.

    According to the June Phishing Attack Trends Report from the Anti-Phishing Working Group, Tumbleweed Communications and Websense, in that month there were 1,422 new, unique phishing attacks, a 19 percent increase over the 1,197 attacks reported in May.

    Girard Gibbs & De Bartolomeo has several other class action suits against technology companies in the works. It recently filed a class action against Apple Computer on behalf of iPod owners whose batteries have died or lost their ability to hold a charge.

    De Bartolomeo said that so far, response to the PayPal settlement has been about what she expected. A judgment won by the firm against MCI (Quote, Chart) for overcharging, in which claims could be filed via paper, the Internet or the telephone, garnered an 8 percent claim rate, while a recent settlement with Hyundai Motor Co. for overstating the horsepower of vehicles drew a whopping 23 percent of eligible claimants. De Bartolomeo said it's too early to tell whether the ability to file claims online combined with widespread consumer Internet use might up the average claim rate.

    The PayPal settlement will be a good test.

    Posted by iang at 01:11 PM | Comments (0) | TrackBack

    Professional email snooping

    The below Register article " America - a nation of corporate email snoops" reports on the trend in email snooping by US corporates. I'll spare you the trouble of reading it - 44% of large companies pay someone to monitor email, and 38% regularly audit the content.

    In the search for the eavesdropper, it was always clear that this was a real threat. A small one, but a real one. Unfortunately, the entire crypto industry got distracted on protecting against another threat, the MITM, which was too difficult and obscure to be real. Consequently, the net community fielded systems that didn't really work because of their grossly costly rollouts, and eavesdropping wasn't covered in any real sense (1% of servers use SSL, and 2% of email is encrypted, after a decade of trying).

    Since the dawn of Internet crypto time, we've now gone from eavesdropping as a small threat to a potentially large threat. What is really worrying is not so much the corporate eavesdropping, but that we are on the verge of seeing massive ISP-based eavesdropping. All to be reported with a shrug and smile. All because Internet security experts are convinced that the MITM is a threat.



    America - a nation of corporate email snoops

    By John Leyden
    Published Tuesday 27th July 2004 17:16 GMT

    Forget Big Brother, US conglomerates are paying low-tech snoopers to read workers' emails.

    According to research from Forrester Consulting, 44 per cent of large US companies (20,000 workers and above) pay someone to monitor the firm's outgoing mail, with 38 per cent regularly auditing email content. According to the study - reported without question in the mainstream press - companies' motivation was mostly due to fears that employees were leaking confidential memos.

    Proof, were it needed, that your own staff are the biggest security risk. If the study is to be believed, the dystopian visions of films such as Brazil and George Orwell's 1984 are an everyday reality of today's corporate America. Yes, that's right: "privacy officers" are scouring your email looking for incriminating snippets among the flirtatious email, jokes exchanged between mates and the small amount of work-related stuff you might send during the course of the day.

    Scary stuff. And we're asked to believe they are often doing this with little recourse to technology. Even scarier.

    Paranoid Android

    Joking aside, the 44 per cent figure on corporate snoops struck us as very high. So we got in touch with Forrester asking it to justify its conclusions. Forrester directed our enquiries towards Proofpoint, the email filtering firm which sponsored the research. Forrester Consulting, the custom research arm of Forrester Research, did the leg work for the survey but it was Proofpoint which wrote up the final report.

    So how does Proofpoint explain its findings on email monitoring? It's all to do with complying with external regulations.

    A wide variety of external regulations applying to email are driving the monitoring trend, according to Keith Crosley, director of corporate communications at Proofpoint. He cited US regulations such as HIPAA (which regulates the handling of personal health information) and Gramm-Leach-Bliley (which regulates the handling of private personal and financial information) as examples.

    "It's because of these concerns that companies employ staff to monitor outbound email. Technology solutions for detecting confidential information or for detecting other breaches of email policy or external regulations have, to date, not been particularly effective or popular so the best recourse that companies have has been to have human beings monitor email," he said.

    Proofpoint's angle here is that its anti-spam technology can be used as a way of ensuring that outbound emails comply with government regulations. "We believe that companies will, over time, turn to technology to help enforce their internal policies," said Crosley.

    The (email) Conversation

    If low-tech snooping is currently so widespread, could Proofpoint name a company which is paying someone specifically to check emails? We'd welcome the chance to have a chat to a modern day Harry Call (the lead charecter played by Gene Hackman in 70s classic The Conversation) but sadly we're out of luck.

    "We have come into contact with numerous companies that employ staff (even full time staff) to monitor or audit outbound email, but I don't have a company name that you could use," said Crosley. "Because of this 'anecdotal' information, I can say that the results of the survey didn't really surprise us. But as you might imagine, most companies are not willing to talk openly about the use of these sorts of techniques even though they are completely legal in the US."

    "To people not familiar with this issue, however, the number does seem astonishing. But our findings on other points are not out of line with other recent email related research. In a somewhat similar survey conducted by the ePolicy Institute, which found that about 60 per cent of companies use some sort of technology to monitor incoming and outgoing email."

    Readers can review Proofpoint's survey here. ®

    Related stories

    netReplay is watching you
    Google's Gmail: spook heaven?
    US defends cybercrime treaty
    Security fears over UK 'snooper's charter'
    Merrill Lynch shackles employee Net access
    Privacy in the workplace is a 'myth'

    Posted by iang at 06:55 AM | Comments (3) | TrackBack

    July 23, 2004

    Ordinary Threats

    I see a lot of threat articles come through from many sources. Each describes the latest threat to our net lives in an entertaining way - at least, as presented by the journalists who try and create a sense of excitement in their work.

    We've seen them all before, in one variant or another. Still, reminders are good - these are the things that we have to balance when we build financial cryptography systems, and as there are so many and so varied a scale of threats, compromises are always needed. Here's the collected threats from the last month or so.

    "Via eavesdropping, terror suspects nabbed" Intelligence officials use cellphone signals to track Al Qaeda operatives, as number of mid-level arrests rises.
    By Faye Bowers June 02, 2004
    http://www.csmonitor.com/2004/0602/p02s01-usmi.html

    "NHTCU and Russian police foil online extortion racket" which was really clever, amounting to extortion for not DOSing the gambling sites.
    http://www.finextra.com/fullstory.asp?id=12208

    "Oops! Firm accidentally eBays customer database," when a disk drive sold on eBay carried data that it shouldn't. 7th June 2004, The Register.

    "Venezuela: Fear for Sale" is an article about how government contractors are compiling databases on citizens in foreign countries. They just happen to have detailed files on countries in South America who are opposed to US interests.
    GregPalast.com http://www.inthesetimes.com/site/main/article/fear_for_sale/

    "Door locks know a lot more than you think" about how hotel door lock cards apparently don't know who you are, nor your credit cards, but they do (in concert with other systems) track entry to your hotel room.
    June 12, 2004, Joe Sharkey NYT.

    "Monaco banker faces re-imprisonment for not being French" is the story about the Brit who got caught doing special transfers for famous private clients of the bank. Whether he was acting for the client, or whether he was stealing, or whether the bank wanted a money laundering head is not clear and may never be clear.
    Paul Murphy The Guardian Thursday June 17, 2004

    "Iris scans at UK airports, says Home Office" is a story about testing iris scanners at borders, with no real hard indication that it will save anything, as yet.
    By Lucy Sherriff 15th June 2004

    "Google's Gmail: spook heaven?" argues that if Google can scan mail, then it puts in place the infrastructure for others to scan mail.
    By Mark Rasch, SecurityFocus 15th June 2004

    "How safe are the in-room safes in hotels?" says not safe enough for anything important, as it's too easy to break the pin code.
    Roger Collis International Herald Tribune Friday, June 25, 2004

    "Plan Would Pay Tax Whistleblowers" addresses how the IRS seeks to pay insiders to reveal on activity. A classic insider attack.
    Mary Dalrymple AP.

    "From a life of privilege to an English jail" reports on an all-American high school star who among other things fenced stolen account info from a ring of Russian thieves. Not clear how the "hackers" got the info, but they had access: "The Russians "were sitting there watching the accounts drain and recording everything so they knew how much money to expect at the end of the day," he said. "It was millions and m
    illions of dollars." "
    PAUL MEYER and MATT STILES / The Dallas Morning News June 27, 2004

    "Email Spying and Attorney Client Privilege - US Government Reads All About It"
    reports that the AG was secretly spying on the email of a lawyer for a Muslim mother of three. Emails made available from AOL, under warrant.

    "Press card scam investigated" reports on one place to buy a fake press card.
    30 June 2004 By: Jemima Kiss http://www.journalism.co.uk/news/story967.shtml

    "The secrets your computer just can't keep safe" talks about malware - spying programs that are inserted into your PC: "On average every PC has 28 so-called spyware programs installed on it"
    Mark Ward
    http://news.bbc.co.uk/2/hi/technology/3845835.stm

    "How [he who must not be named] Became a Dictator" talks about how a minority leader engineered a suspension of rights through a pogrom against bad people and took leadership of a country.
    Jacob Hornberger
    http://www.fff.org/freedom/fd0403a.asp


    "Web sites allow gamblers to be their own bookmakers" talks about how offshore gambling sites (primarily Britain and Australia) are being financed by US investors. But, they don't take US customers.
    Matt Richtel NYT July 7, 2004
    http://www.iht.com/articles/528222.html


    "Globalization, deregulation allow stock fraud industry to thrive" and it's Boiler Room all over again: this time the operation phones from one country, sells to an investor (read: victim) in another country for some Nasdaq loser stock in the US.
    http://www.jewishworldreview.com/0604/stock_fraud.asp

    "Text Messages May Turn Up in Bryant Case" about an alleged case of rape in the US, where the accuser exchanged cell phone text messages shortly after the incident. In this case, people are suprised that the telco can ... recover the messages!
    JON SARCHE, Jun 07, 2004 AP


    "Laptops containing sensitive financial details and all manner of corporate secrets can be snapped up at auctions for a pittance, a security firm revealed Wednesday."
    (Reuters) By Bernhard Warner, European Internet Correspondent
    http://www.reuters.com/newsArticle.jhtml?type=oddlyEnoughNews&storyID=5381490

    "Smart-phone worm has a hang-up" reports about attempts to write a worm for cellular phones.
    By Robert Lemos CNET News.com June 15, 2004
    http://zdnet.com.com/2100-1105_2-5234953.html?tag=sas.email


    "The Mystery of the Voynich Manuscript" New analysis of a famously cryptic medieval document suggests that it contains nothing but gibberish
    Scientific American: June 21, 2004 By Gordon Rugg
    http://www.sciam.com/print_version.cfm?articleID=0000E3AA-70E1-10CF-AD1983414B7F0000

    "Spyware Sneaking into the Enterprise" ... well where else would it go?
    By Roy Mark June 30, 2004
    http://www.internetnews.com/security/article.php/3375661

    "Woman allegedly stole law firm's identity" is another case of an insider shifting things around to steal money.
    June 28, 2004, AP
    http://www.cnn.com/2004/US/Northeast/06/28/corporate.id.theft.ap/index.html

    "iPods are the latest security risk" because they can carry data out of corporates? Don't forget cameras, pocket drives, USB fobs, .....
    John Leyden 7th July 2004 The Register
    http://www.theregister.com/2004/07/07/ipod_security_risks/

    Posted by iang at 07:56 AM | Comments (1) | TrackBack

    July 15, 2004

    New Attack on Secure Browsing

    Over on PGP Corp's web site, they've inadvertantly revealed a new way to futz with secure browsing [0].

    Click on http://www.pgp.com/ and you will see an SSL-protected page with that cute little padlock next to domain name. And they managed that over HTTP, as well! (This may not be seen in IE which doesn't load the padlock unless you add it to favourites, or some such. So you need Firefox or Konqueror or Opera, it seems.)

    Whoops! That padlock is in the wrong place, but who's going to notice? It looks pretty bona fide to me, and you know, for half the browsers I use, I often can't find the darn thing anyway. This is so good, I just had to add one to my SSL page. I feel so much safer now, and it's cheaper than the ones that those snake oil vendors sell :-)

    What does this mean? It's a bit of a laugh, is all, maybe. But it could fool some users, and as Mozilla Foundation recently stated, the goal is to protect those that don't know how to protect themselves. Us techies may laugh, but we'll be laughing on the other side when some phisher tricks users with the new, improved favicon-SSL.

    It all puts more pressure on the oh-so-long overdue project to bring the "secure" back into "secure browsing." Microsoft have befuddled the already next-to-invisible security model even further with their favicon invention, and getting it back under control should really be a priority.

    Putting the CA logo on the chrome now seems inspired - clearly the padlock is useless. See countless rants [1] listing the 4 steps needed and also a new draft paper from Amir Herzberg and Ahmad Gbara [2] exploring the use of logos on the chrome.


    [0] An earlier version of this blog credited PGP Corp with this discovery. I had assumed that they had realised the security significance of the favicon with respect to the browser security model. This appears incorrect - they simply put the logo from their corporate documents there.

    [1] SSL considered harmful
    http://iang.org/ssl/

    [2] Protecting (even) Naïve Web Users, or: Preventing Spoofing and Establishing Credentials of Web Sites
    http://www.cs.biu.ac.il/~herzbea/Papers/ecommerce/spoofing.htm

    Posted by iang at 08:29 AM | Comments (19) | TrackBack

    July 13, 2004

    Conducting blackmail with private payment systems - Daft!

    I must have written a hundred times that privacy enhancing payments are only private to a degree. From eCash to Ricardo to e-gold to PayPal to greenbacks to ... well, all of them can be tracked somewhat. They help protect honest people from bad trackers, but they don't protect real serious criminals from serious sustained levels of tracking.

    In a sort of Darwin award for criminals, here's the story of a major heist that went wrong, because the crooks believed they could use a privacy-based payment system to get their ill-gotten gains. Oh well, no great loss to society here.

    http://www.crime-research.org/news/13.07.2004/485/

    (one section quoted from the interview)

    What kinds of Internet crimes are the most dangerous at the moment? Can you explain them? What can you say about blackmail?

    Spread of computer viruses, plastic card frauds, theft of money from bank accounts, theft of computer information and violation of operation rules of computer systems are among the most dangerous offences on the Internet. In order to get one million of UAH (about $185-190 thousand) certain people phoned director of Odessa Airport, Ukraine and informed that they had placed an explosive device on board of a plane flying for Vienna and they also had blown up a bomb in the building opposite to the airport building to confirm their serious intentions.

    The Security Service of Ukraine and the Air Security Office were informed of the accident right away. Criminals put detailed instructions on fulfillment of their requirements on the Internet. The main demand was one million of UAH. Criminals planned to use Privatbank's "Privat-24" Internet payment system to get the money. The useful feature for criminals in that case was that this system allowed anonymous creation and control over an account knowing only login and password. Therefore they used the Internet to secure anonymous and remote distribution of their threats and receipt of money.

    Besides typical operational measures, there was a need to operationally establish data on technical information in computer networks as criminals used the Internet at all stages of their criminal offence. The Security Service decided to engage experts of a unit on fighting crimes in the sphere of high technologies at the Ministry of Internal Affairs. They were committed to establish senders of threat e-mails and the initiators of bank payments.

    The response of ISP and the information they provided helped to determine phone numbers and addresses related to criminals, and also allowed to get firm evidences stored in log data bases of ISP and Privatbank.

    Logs allowed to find out IP addresses of computers, e-mails and phones that helped to review concrete computers at the scenes.

    The chronicle of events proves that prompt and qualified aid, provided by the unit on fighting crimes in the sphere of high technologies at the Ministry of Internal Affairs in January 2002, to officers of departments fighting terrorist and protecting state organization at Security Service allowed to reveal a criminal group, to prevent their criminal activity, and thus to give due to cyber terrorists.

    Posted by iang at 11:03 AM | Comments (1) | TrackBack

    July 02, 2004

    Putting the chat back into IM

    An interesting article about how a manager lost his job when an instant messaging virus sent his entire recorded conversations to his buddy list. This brings out the ticking time bomb that is the archive of all ones conversations. I've always treated chat and IM as just that - idle chat, and don't record those comments please!


    Yet I seem to be a minority - I know lots of people who record their every message. And they've got good reasons, which makes me feel even worse. This permanent archiving kind of takes the spontaneity out of it, and it certainly makes it un-chat-like. How does one feel about teasing around with ones partner, as one does, when the threat of a divorce case in 4 years time brings out how cruel you were? Or, idle musings on the safety features of a product, in an open whiteboard fashion, gets dragged into liability suits?

    I don't think there is an easy answer to this dilemma. The medium of chat is as it is, and no amount of wishing for that personal, forgiving experience can make the chat archiving devil vanish.

    But there are some things that could be done. Here's one idea - perhaps a chat client could present a policy button with a buddy connection. For example, there might be different buttons for partner/confidential, business/confidential, negotiation/confidential and client/attorney privilege.

    The first might extend husband-wife protection, with an intent of making the chat not useable against each party in a court of law. The second might create an internally confidential status, so that any forwarding could be warned against. The third would extend confidentiality to the documents such that they couldn't be used in a dispute (this is a trap for young players that I fell into). And the fourth could make the discussions inaccessible to aggressive plaintiffs. (And, we'd of course need another button for "write your own." Not that many people would of course.)

    To support these buttons, there would need to be a textual understanding. A contract, lawyers would call it. If we both selected the same contract, then we'd agreed up front to its provisions. In legal terms, this gives us some protection - the courts generally agree with what you said up front.

    There are limits of course - for example contract protection gets weaker if criminal proceedings are being undertaken. In which case, if you murder your spouse, you shouldn't expect the marital confidentiality button to save you. Also, even if the words can't be presented in court, there might be a lot of value in just reading them.

    But it could bring back enough peace of mind to enable IM to get chatty again. What say you? Select your chat confidence policy and IM me with comments....

    Posted by iang at 09:08 AM | Comments (1) | TrackBack

    June 23, 2004

    Phishing I - Penny Black leads to Billion Dollar Loss

    Today, the Financial Times leads its InfoTech review with phishing [1]. The FT has new stats: Brightmail reports 25 unique phishing scams per day. Average amount shelled out for 62m emails by corporates that suffer: $500,000. And, 2.4bn emails seen by Brightmail per month - with a claim that they handle 20% of the world's mail. Let's work those figures...

    That means 12bn emails per month are scams. If 62m emails cause costs of half a million, then that works out at $0.008 per email. 144bn emails per year makes for ... $1.152 billion dollars paid out every year [2].

    In other words, each phishing email is generating losses to business of a penny. Black indeed - nobody has been able to show such a profit model from email, so we can pretty much guarantee that the flood is only just beginning.

    (The rest of the article included lots of cartels trying to peddle solutions, and a mention that the IETF things email authentication might help. Fat chance of that, but it did mention one worrying development - phishers are starting to use viral techniques to infect the user's PC with key loggers. That's a very worrying development - as there is no way a program can defeat something that is permitted to invade by the Microsoft operating system.)

    [1] The Financial Times, London, 23rd June 2004,
    "Gone phishing," FT-IT Review.
    [2] Compare and contrast this 1 billion dollar loss to the $5bn claimed by NYT last week:
    "Phishing an epidemic, Browsers still snoozing"
    http://www.financialcryptography.com/mt/archives/000153.html



    Addendum 2004-07-17: One article reports that Phishing will cost financial firms $400m in 2004, and another article, Firms hit hard by identity theft reports:

    "While it's difficult to pin down an exact dollar amount lost when identity thieves strike such institutions, Jones said 20 cases that have been proposed for federal prosecution involve $300,000 to $1 million in losses each."

    This matches the amount reported in the Texas phishing case, although it refers to identity theft, not phishing (yes, they are not the same).



    Addendum 2004-07-27: Amir Herzberg and Ahmad Gbara report in their draft paper :
    A study by Gartner Research [L04] found that about two million users gave such information to spoofed web sites, and that "Direct losses from identity theft fraud against phishing attack victims -- including new-account, checking account and credit card account fraud" cost U.S. banks and credit card issuers about $1.2 billion last year.

    [L04] Avivah Litan, Phishing Attack Victims Likely Targets for Identity Theft, Gartner FirstTake, FT-22-8873, Gartner Research, 4 May 2004



    Addendum 2008-09-03 Fighting Phish, Fakes and Frauds talks about additional support calls costs and users who depart from ecommerce.

    Posted by iang at 10:30 AM | Comments (1) | TrackBack

    June 22, 2004

    DTCC accused of counterfeiting shares

    I had heard about Stockgate a while back when the Nanopierce lawsuit was filed. At the time, it looked like a hopeful settlement deal, but now more details have come to light [1].

    And what details! This may well be bigger than the mutual funds scandal, which was the biggest scandal of all time as far as I can see. The Nanopierce class action team has 65 lawyers in it! They have (allegedly) uncovered 1200 funds and 150 broker dealers in naked short selling.

    Here's how it works. Short selling is supposed to involve borrowing the stock, then selling the borrowed stock on the market, anticipating a drop in price. It's "good" because it moves information more quickly. It's "bad" because someone with a lot of time and money on their hands can just dump the stock and then buy it back at a cheaper price. Like all things valued by people over the age of 12, there are goods and bads in it.

    Where it gets egregious is if the stock is not borrowed at all, and simply "sold" on a promise. Now, if you are a big bad player and you can "not borrow" enough of it, and "sell" enough of what you don't have, then the price has to go down. Supply and demand, and all that. Then you can "buy" it on the cheap, transfer a few things around in the accounts, and end up with a profit.

    Having the actual stock on hand is supposed to put a brake on this practice. And, when the DTCC - the single depository and clearing agency in the US - set up its stock lending facility, it was quite popular, as it was relatively easy to just borrow the shares from DTCC, and dump them on the market.

    All supposing that DTCC had acquired them from somewhere. Now it transpires that DTCC took a fee for this activity, and worked out that they could over-lend. That is, they could simply counterfeit the shares. It's alleged by the lawsuit that DTCC turned off its governance, and turned on the equity tap. Anyone who wanted to borrow, presumably could - even if there were none to borrow.

    "The Stock Borrow Program was purportedly set up to facilitate expedited clearance of stock trades. Somewhere along the line, the DTCC became aware that if it could lend a single share an unlimited number of times, it could collect a fee each time, according to Burrell. "There are numerous cases of a single share being lent ten or many more times," giving rise to the complaint that the DTCC has been electronically counterfeiting just as was done via printed certificates before the Crash."

    "Such re-hypothecation has in effect made the potential 'float' in a single company's shares virtually unlimited and the term 'float' meaningless. Shares could be electronically created/counterfeited/kited without a registration statement being filed, and without the underlying company having any knowledge such shares are being sold or even in existence." ...

    But, says the cunning governance observer, what happens if the price moves against the naked short seller? Surely he's then caught with his pants down? No. Here's the game: DTCC, instead of taking a clearing agency role as they are supposed and covering the particpants, simply refers the dispute to arbitration between the parties! And, they leave an open position book until it has been resolved.

    If true, this makes a mockery of governance, regulation, the system, and any sense of investment. What is the point in investing in shares in a small company if the big players are naked short selling it out of existance, simply to transfer wealth from your pocket into their pocket?

    The mutual funds scandal was pretty rude - big players conspired with insiders to strip out percentage points worth of value every year. This sort of salami scam works as long as the amounts taken out don't appear too large. 1% per annum is fine ... always remembering that we are talking about 1% of a 7 trillion dollar amount here.

    But stockgate is a whole other ballgame, as the Americans would say - here, broker dealers and investment banks were conspiring allegedly to transfer the *whole* value of small companies to them. One expert claims that 7,000 public companies and from one to three trillion dollars have been raided.

    [1] http://www.investors.com/breakingnews.asp?journalid=21660437&brk=1
    StockGate: London Companies on Berlin Exchange Ask for Investigation, Reg SHO Hearing Reset

    Posted by iang at 07:26 AM | Comments (7) | TrackBack

    June 15, 2004

    Phishing an epidemic, Browsers still snoozing

    Phishing, the sending of spoof emails to trick you into revealing your browser login passphrase, now seems to be the #1 threat to Internet users. A dubious award, indeed. An article in the New York Times claims that online identity theft caused damages of $5 billion worldwide, while spamming was a mere $3.5 billion [1]. That was last year, and phishing was just a sniffle then. Expect something like 20-30 billion this year in phishing, as now, we're facing an epidemic [2].

    That article also mentions that 5-20% of these emails work - the victim clicks through using that nice browser-email feature and enters their hot details into the bogus password harvesting site.

    Reported elsewhere today [3]:

    "Nearly 2 million Americans have had their checking accounts raided by criminals in the past 12 months, according to a soon-to-be released survey by market research group Gartner. Consumers reported an average loss per incident of $1,200, pushing total losses higher than $2 billion for the year."
    "Gartner researcher Avivah Litan blamed online banking for most of the problem."

    A recent phishing case in a Texas court gave something like $200 damages per victim [4]. That's a court case - so the figures can have some credibility. The FTC reports an average loss rate of about $5300 per victim for all identity theft [5].

    So we are clearly into the many many millions of dollars of damage. It is not out of the question that we are reaching for the billion dollar mark, especially if we add in the associated costs. The FTC reported about $53b of losses last year; while most of identity theft is non-Internet related, it only needs to be 10% of total identity theft to look like the NYT's figure of $5bn, above.

    Let's get our skepticisms up front here: I don't believe these figures. Firstly, they are reported quite loosely, with no backing. There is no pretence at academic seriousness. Secondly, they seem to derive from a bunch of vested interest players, such as mi2g.com and AFWG.org (both being peddlers of some sort of solution). Oh, and here's another group [6].

    We know that there is a shortage of reliable figures to go on. Having said that, even if the figures are way off, we still have a conclusion:

    This is real money, folks!

    Wake up time! This is actual fraud, money being taken from real average Internet users, people who download the email programs and browsers and web servers that many of us worked on and used. Forget the hypothetical attacks postulated by Internet security experts a decade or so back. Those attacks were not real, they were a figment of some academic's imagination.

    The security model built in to standard browsing is broken. Get over it, guys.

    Every year, since 2003, Americans will lose more money than was ever paid out to CAs for those certificates to protect them from MITM [7]. By the end of this year, Americans will have been defrauded - I predict - to the same extent as Verisign's peak in market cap.

    The secure browser falls to the MITM three ways that I know of - phishing, click thru syndrome, and substitute CA.

    The new (since 2002) phishing attack is a classical MITM that breaches secure browsing. This attack convinces some users to go to an MITM site. It's what happens when a false sense of security goes on to long. The fact that secure browsing falls to the MITM is unfortunate, but what's really sad is that the Internet security community declines to accept the failure of the SSL/CA/secure browsing model.

    Until this failure is recognised, there is no hope of moving on: What needs to be done is to realise that the browser is the front line of defence for the user - it's the only agent that knows anything about the user's browsing activity, and it's the only agent that can tell a new spoof site from an old, well-used and thus trusted site.

    Internet security people need to wind the clock forward by about a decade and start thinking about how to protect ordinary Internet users from the billions of dollars being taken from their pockets. Or not, as the case may be. But, in the meantime, let's just accept that the browser has a security model worth diddly squat. And start thinking about how to fix it.

    [1] New York Times, Online crime engenders a new hero: cybersleuth, 11th June 2004. (below)
    [2] Epidemic is defined as more than one article on an Internet fraud in Lynn Wheeler's daily list.
    http://seattlepi.nwsource.com/business/apbiz_story.asp?category=1310&slug=Japan%20Citibank
    http://www.epaynews.com/index.cgi?survey=&ref=browse&f=view&id=1087301938622215212&block=
    florida cartel stole identities of 1100 cardholders
    http://www.msnbc.msn.com/id/5184077/
    [3] http://www.msnbc.msn.com/id/5184077/
    Survey: 2 million bank accounts robbed
    [4] http://www.financialcryptography.com/mt/archives/000129.html
    "Cost of Phishing - Case in Texas"
    [5] http://www.ftc.gov/opa/2003/09/idtheft.htm
    FTC Releases Survey of Identity Theft in U.S.
    [6] http://www.reuters.com/financeNewsArticle.jhtml?type=governmentFilingsNews&story
    ID=5429333§ion=investing
    Large companies form group to fight "phishing"
    [7] Identity Theft - the American Disease
    http://www.financialcryptography.com/mt/archives/000146.html


    Online crime engenders a new hero: cybersleuth
    Christopher S. Stewart NYT

    Friday, June 11, 2004

    A lot of perfectly respectable small businesses are raking in money from
    Internet fraud.

    From identity theft to bogus stock sales to counterfeit prescription drugs,
    crime is rife on the Web. But what has become the Wild West for savvy
    cybercriminals has also developed into a major business opportunity for
    cybersleuths.

    The number of security companies that patrol the shady corners of the
    virtual world is small but growing.

    "As more and more crime is committed on the Internet, there will be growth
    of these services," said Rich Mogull, research director for information
    security and risk at Gartner, a technology-market research firm in Stamford,
    Connecticut.

    ICG, a Princeton, New Jersey, company founded in 1997, has grown to 35
    employees and projected revenue of $7 million this year from eight employees
    and $1.5 million in revenue just four years ago, said Michael Allison, its
    founder and chief executive.

    ICG, which is licensed as a private investigator in New Jersey, tracks down
    online troublemakers for major corporations around the world, targeting
    spammers and disgruntled former employees as well as scam artists, using
    both technology and more traditional cat-and-mouse tactics.

    "It's exciting getting into the hunt," said Allison, a 45-year-old British
    expatriate. "You never know what you're going to find. And when you identify
    and finally catch someone, it's a real rush."

    According to Mi2g, a computer security firm, online identity theft last year
    cost businesses and consumers more than $5 billion worldwide, while spamming
    drained $3.5 billion from corporate coffers. And those numbers are climbing,
    experts say.

    "The Internet was never designed to be secure," said Alan Brill, senior
    managing director at Kroll Ontrack, a technology services provider that was
    set up in 1985 by Kroll Associates, an international security company based
    in New York. "There are no guarantees."

    Kroll has seven crime laboratories around the world and is opening two more
    in the United States because of the growing demand for such work.

    ICG clients, many of whom Allison will not identify because of privacy
    agreements, include pharmaceutical companies, lawyers, financial
    institutions, Internet service providers, digital entertainment groups and
    telecommunication giants.

    One of the few cases that ICG can talk about is a spamming problem that
    happened a few years ago at Ericsson, the Swedish telecommunications
    company. Hundreds of thousands of e-mail messages promoting a telephone-sex
    service inundated its servers hourly, crippling the system.

    "They kept trying to filter it out," said Jeffrey Bedser, ICG chief
    operating officer. "But the spam kept on morphing and getting around the
    filter."

    Bedser and his team plugged the spam message into search engines and located
    other places on the Web where it appeared. Some e-mail addresses turned up,
    which led to a defunct e-fax Web site. And that Web site had in its registry
    the name of the spammer, who turned out to be a middle-aged man living in
    the Georgetown section of Washington.

    Several weeks later, the man was sued. He ultimately agreed to a $100,000
    civil settlement, though he didn't go away, Bedser said.

    "The guy sent me an e-mail that said, 'I know who you are and where you
    are,'" Bedser recalled. "He also signed me up for all kinds of spam and I
    ended up getting flooded with e-mail for sex and drugs for the next year."

    Allison says ICG's detective work is, for the most part, unglamorous,
    involving mostly sitting in front of computers and "looking for ones and
    zeros." Still, there are some private-eye moments. Computer forensic work,
    for instance, takes investigators to corporate offices all over America,
    sometimes in the dead of night.

    Searching through the hard drives of suspects - always with a company lawyer
    or executive present - the investigators hunt for "vampire data," or old
    e-mails and documents that the computer users thought they had deleted long
    ago.

    In some cases, investigators have to be a little bit sneaky themselves.
    Once, an ICG staffer befriended a suspect in a "pump-and-dump" scheme - in
    which swindlers heavily promote a little-known stock to get the price up,
    then sell their holdings at artificially high prices - by chatting with him
    electronically on a chess Web site.

    The Internet boom almost guarantees an unending supply of cybercriminals.
    "They're like mushrooms," Allison said.

    Right now, the most crowded fields of criminal activity are the digital
    theft of music and movies, illegal prescription-drug sales and "phishers,"
    identity thieves who pose as representatives of financial institutions and
    send out fake e-mails to people asking for their account information. The
    Anti-Phishing Working Group, an industry association, estimates that 5
    percent to 20 percent of recipients respond to these phony e-mails.

    In 2003, 215,000 cases of identity theft were reported to the Federal Trade
    Commission, an increase of 33 percent from the year before.

    This bad news for consumers is a growth opportunity for ICG. "The bad guys
    will always be out there," Allison said. "But we're getting better and
    better. And we're catching up quickly."

    The New York Times

    Posted by iang at 07:24 PM | Comments (3) | TrackBack

    May 25, 2004

    Identity Theft - the American Disease

    Identity theft is a uniquely American problem. It reflects the massive - in comparison to other countries - use of data and credit to manage Americans' lives. Other countries would do well to follow the experiences, as "what happens there, comes here." Here are two articles on the modus operandi of the identity thief [1], and the positive side of massive data collection [2].

    First up, the identity thief [1]. He's not an individual, he's a gang, or more like a farm. Your identity is simply a crop to process. Surprisingly, it appears that garbage collected from the streets (Americans call it trash) is still the seed material. Further, the database nation's targetting characteristics work for the thief as he doesn't need to "qualify" the victim any. If you receive lots of wonderful finance deals, he wants your business too.

    Once sufficient information is collected (bounties paid per paper) it becomes a process of using PCs and innocent address authorities to weezle ones way into the prime spot. For example, your mail is redirected to the farm, the right mails are extracted, and your proper mail is conveniently re-delivered - the classic MITM. We all know paper identity is worthless for real security, but it is still surprising to see how easily we can be brought in to harvest.

    [Addendum: Lynn Wheeler reports that a new study by Professor Judith Collins of Michigan State University reveals up to 70% of identity theft starts with employee insider theft [1.b]. This study, as reported by MSNBC, directly challenges the above article.]


    Next up, a surprisingly thoughtful article on how data collection delivers real value - cost savings - to the American society [2]. The surprise is in the author, Declan McCullagh, who had previously been thought to be a bit of a Barbie for his sallacious use of gossip in the paparazzi tech press. The content is good but very long.

    The real use of information is to make informed choices - not offer the wrong thing. Historically, this evolved as networks of traders that shared information. To counteract fraud that arose, traders kept blacklists and excluded no-gooders. A dealer exposed as misusing his position of power stood to lose a lot, as Adam Smith argued, far more indeed than the gain on any one transaction [3].

    In the large, merchants with businesses exposed to public scrutiny, or to American-style suits, can be trusted to deal fairly. Indeed, McCullagh claims, the US websites are delivering approximately the same results in privacy protection as those in Europe. Free market wins again over centralised regulations.

    Yet there is one area where things are going to pot. The company known as the US government, a sprawling, complex interlinking of huge numbers of databases, is above any consumer scrutiny and thus pressure for fair dealings. Indeed, we've known for some years that the policing agencies did an endrun around Congress' prohibition on databases by outsourcing to the private sector. The FBI's new purchase of your data from Checkpoint is "so secret that even the contract number may not be disclosed." This routine dishonesty and disrespect doesn't even raise an eyebrow anymore.


    Where do we go from here? As suggested, the challenge is to enjoy the benefits of massive data conglomeration without losing the benefit of privacy and freedom. It'll be tough - the technological solutions to identity frauds at all levels from financial cryptographers have not succeeded in gaining traction, probably because they are so asymmetric, and deployment is so complicated as to rule out easy wins. Even the fairly mild SSL systems the net community put in place in the '90s have been rampantly bypassed by phishing-based identity attacks, not leaving us with much hope that financial cryptographers will ever succeed in privacy protection [4].

    What is perhaps surprising is that we have in recent years redesigned our strong privacy systems to add optional identity tokens - for highly regulated markets such as securities trading [5]. The designs haven't been tested in the full, but it does seem as though it is possible to build systems that are both identity strong and privacy strong. In fact, the result seems to be stronger than either approach alone.

    But it remains clear that deployment against an uninterested public is a hard issue. Every company selling privacy to my knowledge has failed. Don't hold your breath, or your faith, and keep an eye on how this so-far American disease spreads to other countries.

    [1] Mike Lee & Brian Hitchen, "Identity Theft - The Real Cause,"
    http://www.ebcvg.com/articles.php?id=217
    [1.b] Bob Sullivan, "Study: ID theft usually an inside job,"
    http://www.msnbc.msn.com/id/5015565
    [2] Declan McCullagh, 'The upside of "zero privacy,"'
    http://www.reason.com/0406/fe.dm.database.shtml
    [3] Adam Smith, "Lecture on the Influence of Commerce on Manners," 1766.
    [4] I write about the embarrassment known as secure browsing here:
    http://iang.org/ssl/
    [5] The methods for this are ... not publishable just yet, embarrassingly.

    Posted by iang at 08:34 AM | Comments (6) | TrackBack

    May 24, 2004

    The Myth of Systemic Risk

    At a St. Louis Banking Conference, Professor George Kaufman presented a thesis of his that "systemic risk" is a myth [1]. It goes like this: Systemic Risk is that risk of contagion, whereby a failure causes a domino-like collapse of large segments of the system. Professor Kaufman makes the claim that an institution that is financially sick should fail, and that isn't a case of systemic risk. Those that are financially healthy should not fail, and if they do, it could be systemic risk.

    He then goes on to challenge his listeners to find an example of an economically solvent bank that was brought down by a run, anywhere in the world. So far, no joy - he's not been presented with any such cases, although like myself and the MITM, he holds out hope.

    Which leaves us rethinking the S&L scandal, the Asian crisis, and sundry other squillion dollar collapses (in another paper, he presents just how devastating these collapses are [2]). If all those countries in Asia back in the late 90s were insolvent, or at least financially unsound, then he asserts that they shouldn't have been propped up. When the Asian dominos wobbled and fell, that was an example of proper bankrupcy procedures, albeit at a national level, rather than systemic risk.

    What are the consequences of this? One of the underlying justifications for central banking was that they could protect the system from systemic risk. That crutch is now removed from the Central Banks and their role as centralised regulators. Other crutches such as monopoly issuance of money, and the myth of "banking is special" have been under stress for many a year.

    To some extent this has already been predicted; it's been clear for some time that the 20th century was the Golden Age of Central Banks and now everyone is posturing for, or at least fearing, a gradual waning of their influence and place in financial society.

    On a more personal note, when we built Ricardo and our real time gross settlement system of trading, we used to say that we'd eliminated sources of systemic risk. Maybe we should back off from that and just claim the elimination of other classes of risk, and a reliance on the supreme savings of cheap RTGS trades (one or two orders of magnitude, but who's counting?). Or maybe not; is there a contradiction in claiming the elimination of something that doesn't exist?

    [1] Professor George Kaufman, "The Myth of Systemic Risk," remarks presented at the St Louis Banking Conference,
    http://www.fed-soc.org/Publications/practicegroupnewsletters/financialservices/myth-finv3i3.htm
    [2] Professor George Kaufman, "Banking and currency crises and systemic risk: Lessons from recent events," Federal Reserve Bank of Chicago,
    http://www1.worldbank.org/economicpolicy/managing volatility/contagion/documents/3qep2.pdf

    Posted by iang at 04:22 PM | Comments (3) | TrackBack