Financial Cryptography

ThreatWatch - markets in loss, Visa's take, 419 "chairmen"

Two articles tracking hackers and looking into
markets for trading stolen assets. The latter has better info:

Gaffan says these credit card numbers and data are almost never obtained by criminals as a result of legitimate online card use. More often the fraudsters get them through offline credit card number thefts in places like restaurants, when computer tapes are stolen or lost, or using "pharming" sites, which mimic a genuine bank site and dupe cardholders into entering precious private information. Another source of credit card data are the very common "phishing" scams, in which an e-mail that looks like it's from a bank prompts someone to hand over personal data.

Also available on TalkCash is access to hijacked home broadband computers - many of them in the United States - which can be used to host various kinds of criminal exploits, including phishing e-mails and pharming sites.

RSA's Einav says there are about a dozen marketplace sites like TalkCash in operation at any given time. Unfortunately, he and Gaffan suggest it's unlikely this nefarious activity will end anytime soon (though of course that's good for their business).

"When the FBI shuts down a site they just move to another site," says Einav, "The URL changes but the community stays intact."

RSA doesn't even bother trying to shut down such sites, because by monitoring them it can help banks protect themselves. Says Einav: "If you see abnormal demand for accounts from a specific bank, you can assume an exploit is underway."

That's when it goes into action. RSA Cyota claims to have shut down 10,000 phishing and other schemes since Cyota was formed in 1999. (RSA Security bought Cyota last December.) The company maintains a blacklist of sites, which partners use to warn customers.

Over on payment news:

Visa USA has posted its summary of performance data for the first quarter 2006 (PDF) detailing year over year growth rates across its various card products. Net fraud as a percentage of total volume increased from 6 to 7 basis points during the quarter.

OK, so either net fraud went up by a sixth ... or overall net fraud is so low that it's lost in the noise ... or Visa just doesn't know how to count. We could be forgiven for thinking it's so low we can all rest easy, but check out this:

Akin buys things online - laptops, BlackBerries, cameras, flat-screen TVs - using stolen credit cards and aliases. He has the loot shipped via FedEx or DHL to safe houses in Europe, where it is received by friends, then shipped on to Lagos to be sold on the black market. (He figures Americans are too smart to sell a camera on eBay to a buyer with an address in Nigeria.)

Akin's main office is an Internet cafe in the Ikeja section of Lagos. He spends up to ten hours a day there, seven days a week, huddled over one of 50 computers, working his scams.

And he's not alone: The cafe is crowded most of the time with other teenagers, like Akin, working for a "chairman" who buys the computer time and hires them to extract e-mail addresses and credit card information from the thin air of cyberspace. Akin's chairman, who is computer illiterate, gets a 60 percent cut and reserves another 20 percent to pay off law enforcement officials who come around or teachers who complain when the boys cut school. That still puts plenty of cash in Akin's pocket.

A sign at the door of the cafe reads, WE DO NOT TOLERATE SCAMS IN THIS PLACE. DO NOT USE E-MAIL EXTRACTORS OR SEND MULTIPLE MAILS OR HACK CREDIT CARDS. YOU WILL BE HANDED OVER TO THE POLICE. NO 419 ACTIVITY IN THIS CAFE. The sign is a joke; 419 activity, which refers to the section of the Nigerian law dealing with obtaining things by trickery, is a national pastime. There are no coherent laws relating to e-scams, the police are mostly computer illiterate, and penalties for financial crimes are light.

Tracking you, tracking me, tracking everyone

You, me, everyone is trackable by our cellphones. Not just Greek Prime Ministers. Here's how.

Each phone has a SIM ("subscriber identity module?") card, which is the smart card that holds the billing arrangement. Each SIM card has a number, so it is uniquely identified in the packets of information flashing across the network. That made it trackable.

So a common trick was for mafia bosses and other delightful characters was to keep the same phone but change the SIM (by opening the back up, dropping the battery out, and switching the little chip card). This meant that access to the billing records would not automatically be useful for tracking purposes, as the SIM number is what is billed.

This trick was known as far back as the early 90s, when some drugs dealer was caught with 80 SIMs in his briefcase. He'd use them for one call each.

Unfortunately this was futile, and here's why. Each phone has a number, which is internationally and centrally coordinated in the standard telco committee fashion. That is, the mobile phone manufacturers get together in a smoke-filled room and allocate a batch of numbers to each of them, so each phone the world around is unique.

This number is called the IMEI, or international mobile equipment identity, which includes the manufacturer's prefix and the phone's number (it's the same concept as your ethernet card's MAC address if you know what that means). The IMEI is also trackable, but you need a separate set of records to get access to it: call records. These are the technical records of what traffic is passing up and down, phone to phone. This is the real time stuff, and it has the raw IMEIs in there, which are later filtered out for billing purposes.

So our friendly mafiosa were caught by anyone who could get access to those traffic records. And, if you think about it, the bad guys stuck out like a sore thumb because the SIMs kept changing and the IMEI did not. Now of course this trick is widely known:

ICE officials said that they're working with Mexican authorities to return [Castorena-Ibarra] to the United States but that the mustachioed fugitive moves frequently and changes cellphones every few days.

It's also possible to rewrite the IMEI if you have the right phones and the know-how. But, a good friend advises me, that's illegal in many countries, and you'll get into heap big trouble if you're caught doing it.

Another little trick - it turns out that it is possible to ping anyones cell phone by sending a zero-length SMS message. As it is zero length, the phone drops it without further ado but if the "acknowledge receipt" bit is set the phone replies. This reply SMS is free, but it still shows up bright and clear in the records. Which leads us to the next issue. [this paragraph edited improved heavily!]

Think about how the network works. You are walking down the street, and you are always in contact. You can always be phoned. Yet, the transmitters in built-up areas only have a range of less than a kilometer ... sometimes only a few hundred meters.

How do they do that? It's called "hand-off". Each tower recognises the phone's presence and tells the "center" that it's in comms with your phone. Then, when you walk past the next tower, the two towers have a little chit chat and hand you over. Of course, the center has to know so as to re-route incoming calls to you.

So the center knows where you are - to the accuracy of the towers. And, anyone who is looking at that feed of information knows where you are. And, anyone who shares that info also knows.

That's why there is all this talk about adverts popping up on your phone saying "turn left here for a special price on lunch!" Actually it gets even more juicy as there is a thing called triangulation where the towers can reveal signal strengths, times, and directions, and a bit of maths will coordinate you down to tens of metres.

None of this is secret. In conferences, and in articles, people have been talking about the marketing implications of such cellphone "traffic analysis" for years. Some of this is directed at sales opportunities, other at "social networking" analysis, and some of course at the "tracking bad guys" angle.

This is so un-secret that in the USA and other places, they have been trying to make it law that cell phone operators provide your location every time you punch in 911.

What has not been discussed at all are the ramifications of your telco knowing where you are. Within pretty close paramaters. Every moment your cellphone is switched on.

What has not been thought about at all is who they are selling this information to and who they are sharing it with - inadvertently or otherwise. And whether those that are doing the listening are operating with due regard to your privacy, with oversight, or what.

Instead, there is the steady rumble of scandals, as the public finds out what the insiders have known all along. Let's close with this one:

Alexis Papahelas -- so you are saying even the crypto phones that the [Greek] prime minister/government/military are using they are vulnerable to this kind of penetration you say.

James Bamford: Well, crypto phones are probably NSA's biggest targets around the world, whether or not the NSA was able to break the encryption of the algorithm to get into those phones I don't know. I don't have this information, but I know obviously NSA's key job, NSA's first job is intercepting communications, and second job is breaking codes such as the codes that encrypts that communications, and third job is making USA encryption systems.

(oops, sorry, that'll all be greek to you!)

Tracking Threats - USA Telco, Inc., shares billing records with NSA, Pretexters, foreign governments, anyone, really

More evidence that tracking by cell/mobile is a routine threat to all - this time from America, and this time concerning the billing records as opposed to the tower handoff records.

A congressional panel investigating the fraudulent acquisition and sale of mobile phone records by Internet Web firms has collected evidence that indicates law enforcement officials at the local, state and federal levels use the Internet-based services as an investigative short-cut, MSNBC.com has learned. At least one Web-based data seller has told Congress that the FBI is a client.

As I've asserted before, if this was limited to law enforcement pursuent to lawful warrants, etc, etc there would be no complaint. (Citizens not having anything to hide, right?) But it is not.

The phone records are generally acquired by the resellers through fraudulent means and would not be admissible in court as evidence, but they are still helpful as an investigative tool, say officials familiar with the investigation. ... One seller, Advanced Research Inc., which operates ADVSearch.com, told the committee that it has sold data to the FBI. "On occasion, ARI (Advanced Research) has done work for municipalities, banks, mortgage and insurance companies, private companies, foreign governments, law enforcement, even the FBI," ARI's letter to Congress said. ... The dozens of Web sites now being investigated by Congress sell to a wide cross-section of customers buying data. Evidence gathered so far suggests many purchasers are involved in debt collection. But a steady stream of evidence also implicates law enforcement officials, who occasionally use the services as a shortcut, avoiding the need for court orders generally required to see phone records.

The phone records are often obtained by private investigators through a tactic known as "pretexting." Investigators call mobile-phone companies posing as legitimate customers and trick service representatives into delivering copies of records.

Many Web site sellers maintain the practice is legal, but cell phone companies, the Federal Communications Commissions and numerous state attorneys general have said impersonation of consumers is fraud. Several states also have sued data brokers over the acquisition and sale of phone records in recent months.

The tracking of people by cellphone is equally shared by law enforcement - without a warrant - and anyone else with a credit card number, raising the amusing prospect of your own card paying for someone to spy on you. Hardly a high standard of protection.

A further indication that the NSA is operating outside the law comes from Chris Walsh's comment over on EC:

Trying to put pressure on Qwest, NSA representatives pointedly told Qwest that it was the lone holdout among the big telecommunications companies. It also tried appealing to Qwest's patriotic side: In one meeting, an NSA representative suggested that Qwest's refusal to contribute to the database could compromise national security, one person recalled.

In addition, the agency suggested that Qwest's foot-dragging might affect its ability to get future classified work with the government. Like other big telecommunications companies, Qwest already had classified contracts and hoped to get more.

Unable to get comfortable with what NSA was proposing, Qwest's lawyers asked NSA to take its proposal to the FISA court. According to the sources, the agency refused.

The NSA's explanation did little to satisfy Qwest's lawyers. "They told (Qwest) they didn't want to do that because FISA might not agree with them," one person recalled. For similar reasons, this person said, NSA rejected Qwest's suggestion of getting a letter of authorization from the U.S. attorney general's office. A second person confirmed this version of events.

(Also see CDT.) US Congress is or has moved to rule it more difficult, but recent attempts to regulate technology abuses don't raise many hopes in this area. Indeed, even Congress seems to be getting skeptical. Chris Walsh posts on EC:

Massachusetts Congressman Ed Markey asks Dennis Hastert whether legislation protecting mobile phone users' privacy has been sent to a "legislative 'Guantanamo Bay'" in order to modify it so that intelligence gathering activities analogous to those affecting land lines would be unimpeded.

The problem is a little more deep-seated than that I fear. Probably, the battle to protect cell phone records from the intel community is already lost. (Including other than with your own national agencies who are looking out for your interests. Above, it mentions foreign governments buying US records, and I wouldn't be surprised if the NSA already has access in Europe.) The question is whether anything else can be saved.

Probably not, I would guess, if the data mining juggernauts are anything to go by. But it does bring up the amusing contrast between Europeans and Americans. Europeans don't mind that much if government gets their records, but are horrified if private companies do. Whereas Americans speak with utter fear of their government spying on them, but happily accept that it is the private sector's right to trade this information. Perhaps for the first time, people on both sides of the Atlantic have some angst to share.

Numbers on British Fraud and Debt

A list of numbers on fraud, allegedly from The Times (also) repeated here FTR (for the record).

THE BIG NUMBERS

£56.4 ($100) billion:	Total amount owed on British credit cards
141.1 million:	Number of credit, debit and charge cards in Britain
1.9 billion:	Number of purchases on credit and charge cards in Britain a year
£123 billion:	Total value of credit and charge card purchases a year
5:	Number of credit, debit and charge cards held by 1 in 10 consumers
£58:	Average value of a purchase on a credit card
£41:	Average value of a debit card purchase
88 percent:	Proportion of applicants who have been issued with a credit card without providing proof of income
£504.8 ($895) million:	Total plastic-card fraud losses on British cards a year
£1.3 ($2.3) million:	Amount of fraud committed against cards each day
7:	Number of seconds between instances of fraud
£696 ($1,235):	Average size of fraud, 2004

(Printing them in USD is odd, but there you go... I've preferred the Times' UKP amounts above, as there were a number of mismatches.)

Threatwatch - Voice Threat Models are Snafu - Situation Normal All F***ed Up

Something bothers me about the recent spate of crypto voice news - it looks like we have bungled the threat model, yet again. Do we never learn?

For some reason phone tapping, VoIP and the like is much in the news, and a couple of references have been spotted to suggestions that we should rise to defend that space. Firstly over at the cryptography list, where all are agog about wiretapping in Greece, secondly in many articles to-ing and fro-ing over zFone and Skype (go guys!) and now a more serious call from Bruce Schneier in Wired:

"This is why encryption for VOIP is so important. VOIP calls are vulnerable to a variety of threats that traditional telephone calls are not. Encryption is one of the essential security technologies for computer data, and it will go a long way toward securing VOIP."

I'm all for it! But the repeated references to encryption have that earthly Douglas Adams feel to them - somewhere between "mostly harmless" and downright dangerous through systemic underestimation.

We all love encryption. But when it comes down to it, encrypting the voice channel is such a small part of the equation that I wonder why the fuss? Is it because we all get that wonderful geeky buzz when we shove 256 bits of full blooded AES right back up the NSA's pipe? Smoke that, spook!

I think that's a lot to do with it. And I wouldn't want to ruin anyone's fun - coz crypto should be fun - but while all the cryptographers are dancing around counting bits on a pinhead, they are in danger of missing the real threat.

No, I'll go further than that. We, they, me, all of us - the whole Internet security community - has actually missed the threat. Quite possibly by a decade or so.

The real threat is tracking.

Why is this? Lots of reasons, but unfortunately they are ho-hum, low tech, under the radar reasons. Not things that the geeks can get addicted to, not ones that give them a buzz. Nothing you can write about in Wired, or in cryptography lists, or the popular journalism of the security press, I suppose.

Still, let's give it a shot and see if we can't save the voice threat model before it follows its predecessors into a decade of confusion, waste, and endless laugh value for the attackers. There are a number of ways of looking at this. I'm not shy, I'll try them all.

Consider GSM, as a great forerunner to encrypted VoIP. It uses something like a 40-bit crypto algorithm that's as weak as water. After cryptoplumber Lucky Green reverse-engineered it out of the chips in a 3 month marathon hacking effort, cryptobuddies Dave and Iang (the other one) cracked the actual algorithm in an afternoon. By the time that was done, GSM as a cryptosystem was just so many bits strewn across the floor, or at least the standard version of A5 was. The journalists loved it!

Or so it seems. In fact, the security model was still good! GSM was unchallenged because Lucky and friends weren't in GSM's threat model - the papparazzi and the phone spoofers were the threat and those scum still have some deal of trouble making their attack.

Meanwhile, the GSM juggernaut rumbled on, untroubled. We are now in a Europe where there are as many phones as people - everyone but everyone has one, and every Finn has two. (And they're all encrypted - Yoo Hoo! Plus, if you have one of those supercool cryptophones, they are doubly encrypted at 256+256 volts .. er .. bits!)

The Americans aren't that far behind, with the slight notable exception of having many different systems. Asian and Latino cultures show no real slackening in cellphone worship either, probably because the lack of good copper systems overcame any braking effect of lower incomes.

Now, consider the facts. That is, the facts that are extracted from tracking versus the facts that are extracted from wiretapping. The facts we can get from tracking are hard - when, where, with whom. They look good in a database, they cross-correlate, they datamine, they stand in court. Indeed, all of society's investigative, dispute and judicial processes are based on these sorts of facts, so the new technology of person tracking fits in well with the old ways of doing things.

In contrast consider the facts in a voice conversation. They are hard to put in a database (so forget about datamining), they consume racks and racks of data storage, they have to be searched for quality, and when it comes down to it, they are pretty darn soft - recordings of voice don't stand well in court. Ludicrously, there seems to be research that suggests that use of wiretaps correlates negatively with conviction rates.

So we have this little thing in our pocket - all of us - and it's trackable. It generates a quality set of facts. All the time, whenever it's powered on. Which leaves one question only - are the facts available?

Nominally, most governments and telcos will say that such data are not available. But evidence is starting to suggest another picture. I have it on reasonable but anecdotal authority that the police in a few countries in Europe have full access to GSM tracking - at the tower. The developments in the US would suggest that the NSA isn't that far behind, unless they are already there (there's that silly story about machines collecting data not being against the rules -- what to make of that? -- well, the story is there and repeated by the spooks, so they must be saying it for a reason . . .). And, plans proceed afoot to integrate this data-that's-not-illegal across the usual suspects, the TLAs.

Here's one anecdote I might have heard. Police - your ordinary plod - can pick you up off the streets, like at a demonstration or something, and show you on TV in the vicinity of other demonstrations ... other months ... other places ... with other people ... using public surveillance cameras.

Now, how could they have correlated all that information? Perhaps they were using a blue tooth rifle on your iPod? Maybe the police are tracking the RFIDs in your clothing?

Nah - the only systems approach that makes sense is that they are datamining the tower hand-off records. How this works we leave as an exercise to the victim.

This all would have been fine and dandy 20-30 years ago when governments in the west were a bit better behaved. But these days, suppression of civil liberties, tracking the naysayers, secret databases and so forth is all the rage (much to the chagrin of the newly liberated eastern european peoples. "What, we got rid of communism . . . for this?").

As it all seems to be happening in secrecy, and as there are therefore no safeguards in place, this is a valid threat. If your local police can track you, they can also blackmail you. Even before we get to dishonest police, there are the telcos.

Here's how this this threat evolves. First, they say they don't collect the data. Then they say they don't use it, except for engineering purposes. Then, they say that there are safeguards. Then, they say they don't supply it outside the company. Then, they sell it.

Then, they just make it up. It takes less than 10 years across the full life-cycle from total privacy to total piracy, and telcos have had a decade or two, already. Governments aren't any help.

Your power in anonymity is stripped away by the secret availability of such tracking databases. We the people have no clue how this information is being used - and likely the first time we find out is when we can buy it ourselves to start spying on our spouses. (oops.)

Other than switching off the phone, what's to be done?

Well, all those cryptophone projects out there are still good - they just have to adjust their threat models. They've covered threats 2 through 9, now they need to think about threat #1. VoIP phones with any encryption are still fantastically good while there isn't massive and pervasive IP# tracking. (oops.)

To advance that theme - continue to support the cryptophones - Skype, Zfone, etc. They are your friends, both. But also cast an eye to the IP detrackers: Tor and the like. In my opinion, the whole P2P space (Jim says here) is far more relevent to the future of security, privacy, etc than any product that knows how to spell AES.

Give me RC4 layered over hazenet any day. Hell, give me Rot13 if you can make a good showing that it's deeply hidden in the noise. Fixing Rot13 is child's play compared to unfixing a static IP# or a Sim#.

Threatwatch - pricing the password crack

Some stats on how much it costs to crack a password:

Found on crackspider. I'm a bit suspicious of the site as it sent firefox and konqueror into contortions ... so I'll refrain from posting the URL.

ThreatWatch - Sony is your friend, Game Over?, Meccano costs, and it'll all be better in two years

Dan Kaminsky writes on the Sony experience:

Learning from Sony: An External Perspective

‘What happens when the creators of malware collude with the very companies we hire to protect us from that malware?’ Bruce Schneier, one of the godfathers of computer security, was pretty blunt when he aired his views on the AVindustry’s disappointing response to the Sony rootkit (for an overview of the rootkit and its discovery see VB, December 2005, p.11). His question was never answered, which is fine, but his concerns were not addressed either, and that’s a problem.

The incident represents much more than a black eye on the AV industry, which not only failed to manage Sony’s rootkit, but failed intentionally. The AV industry is faced with a choice. It has long been accused of being an unproductive use of system resources with an insufficient security return on investment. It can finally shed this reputation, or it can wait for the rest of the security industry to finish what Sony started. Is AV useful? The Sony incident is a distressingly strong sign that it is not.

I'm not sure what to make of the threats situation here. On the one hand, it is shocking, simply shocking to think of corporates deliberately increasing the risks of consumers so as to make more money. But, in reality, this has been going on for decades. So what we need is not less but more of the Sony threats. We need more information out in the public view so that we can all more clearly analyse the threats here. I call for more Sony rootkits :)

Has Microsoft declared Game Over?

In a rare discussion about the severity of the Windows malware scourge, a Microsoft security official said businesses should consider investing in an automated process to wipe hard drives and reinstall operating systems as a practical way to recover from malware infestation.

"When you are dealing with rootkits and some advanced spyware programs, the only solution is to rebuild from scratch. In some cases, there really is no way to recover without nuking the systems from orbit," Mike Danseglio, program manager in the Security Solutions group at Microsoft, said in a presentation at the InfoSec World conference here.

Basically, the OS cannot be protected, and in the event of infection, you have to re-install. That's one brave disclosure, but better they start seeding the public with this info less later than later still.

Fear of security is starting to bite in the US - in contrast to anecdotal evidence. Entrust did a survey that said:

Fear of alienating customers

Banks recognize they must increase online security, but are equally concerned that making Web sites harder to use will drive customers back to telephone and branch banking.

"Telephone transactions cost banks 10 times as much to process as Internet transactions. And an in-branch transactions cost 100 times Internet transactions," Voice said.

About 18 percent of online bank customers have already cut back or stopped banking online completely because of security worries, according to an Entrust survey.

It is the cutting back or stopping that is causing the fear from the Meccano trojans I reported on a bit back (also known as MITB or Man-in-the-Browser). Forcing people back to phone or branch has massive cost and deployment ramifications. In the face of these costs, expect many banks to simply suffer the losses. Unfortunately, this won't be socially acceptable, as the majority of the costs are borne by the consumer, not the institution.

Lynn spots the latest crazy threat to invade media mindspace - Beware the 'pod slurping' employee

A U.S. security expert who devised an application that can fill an iPod with business-critical data in a matter of minutes is urging companies to address the very real threat of data theft. ....

"(Microsoft Windows) Vista looks like it's going to include some capability for better managing USB devices, but with the time it's going to take to test it and roll it out, we're probably two years away from seeing a Microsoft operating system with the functionality built in," Usher said. "So companies have to ask themselves, 'Can we really wait two years?'"

This is not a new threat, just an old threat with a sexy new toy. Don't believe we had to wait for Apple for the innovative solution to employees' desperate needs to walk out with lots of data...

On the other hand, read that second paragraph above carefully. If you don't like today's scenario, you'll have to wait about 2 years, assuming that Vista has some sort of answer to whatever it is you don't like. I don't normally do stock picks but here's one that screams: buy Apple, sell Microsoft. Users will, even if you don't.

A bit of BitTorrent bother. In brief, ISPs have been using "traffic shaping" to identify Bittorrent traffic and drop it. In response, the top three clients have added an RC4 encryption capability. Threats everywhere...

In closing, 1 in 10 Laptops Stolen:

"Up to 1 in 10 laptops will be stolen during their lifetime according to one of the Law Enforcement Officers behind the new Web site Juststolen.net..."

Meccano Trojans coming to a desktop near you

Scuttlebut is circulating in the anti-virus world about the new class of trojan about to emerge. Details - facts - are scanty, and several exaggerations seem to already have fallen flat on their face already. Having said that, a general pattern is emerging, and it looks like a significant advance in the threat state of the Internet. Here's what I've picked up so far.

The new class of trojan evidences an ability to deconstruct and reconstruct the browser in the phisher's image. That is, it is a sort of meccano kit for phishers, which allows the construction of a new phisher-friendly browser. The meccano trojan operates on the Microsoft Windows operating system and allegedly is coded up for both IE and Firefox, so Firefox has crossed GP.

I say above "evidences an ability" because the view is that the kit is not quite there yet, but it's near enough to be "just around the corner." There is substantial uncertainty about this, because the details are being shared hush-hush. My feeling from the scuttlebut is that the first meccano trojans will roll into Windows machines within a month or so, in what could be considered to an alpha test of the concept. Within 6 months, that should shake out and the meccano concept will be well tried and tested. But that's just a feeling based on a secret stacked up on a prediction.

If you prefer to think in classical PKI terms, this means that the MITM is now inserted into the browser. Hence, this attack was later named as the Man in the Browser, or MITB (note inserted 2009). PKI is rendered bypassed, in a way that is indefensible to PKI at least. Deep security readers will recall that one hard-wired assumption of PKI was that the threat was on the wire, and the node was safe, and we've now reached the point where that assumption is broken in theory and in practice.

Let's summarise. First the facts: A new trojan class is capable of taking over the browser on Windows platforms. It covers both IE and Firefox. It renders all security within the browser theoretically breached.

Second, the anti-facts. Everything written above is unconfirmed, so they are not facts at all! Next, the notion that suddenly the browser disappears into a puff of smoke and the user is left naked and unprotected just doesn't make sense - to me at least. There still remain substantial economic defences against any given attack - just because one component is broken doesn't mean the system starts handing out your cash left and right. There are also things that users - both individuals and corporates - can do to protect themselves, and there many many things that sites can do to change the economics.

What then makes me believe that this is substantial without waiting for the unobtainable facts? Three things. Firstly, this is predicted in concept if not in detail. Any security researcher worth their salt has written off the nodal security model as far as Windows goes - I wrote about the fatal conceit of the threat reversal some time ago, and to many that was good logic but oh-so-ho-hum. Next, it is only the timeframe that we are arguing about, and we are about due for this. Note how last week's news predicts the browser attack:

"MetaFisher uses HTML injection techniques to phish information from victims after they've logged into a targeted bank account, said Dunham, which lets attackers steal legitimate TAN numbers (one-time PINs used by some banks overseas) and passwords without having to draw them onto phony sites."

Finally, those that are vulnerable and have seen more of the story are taking it seriously. Banks in one place that I know have already formulated their response and are moving to put it in place. In this case, it is a banking sector that is not particularly vulnerable anyway, and their solution will work - which already tells you what corner of the world it is. For the financial cryptographers, the solution is simply moving more towards the model Ricardo and x9.59 pioneered, c.f., Anne & Lynn, Gary & myself.

So where does that leave us? The fundamental statement would seem to be that the Windows platform can no longer be considered secure, not for any security that you might actually need. That day has arrived. Beyond that there is a huge amount of analysis needed to say more, far more than I can do in one post. I'll stop with these broad questions, recognising that asking the question is easier than answering it.

• Is the Mac safe? Is it next, and when does the Mac cross GP?
• Is the authentication model dead? Or can it be redeemed?
• Where does this leave PKI?
• Should online banking stick with the browser? Or go for another platform?
• Online banks have the resources to fix these things, but what about the rest of us?
• Are the actions of the anti-virus community helping or hindering?
• Where goes Microsoft? Is it game over?

Far too much for one day. I'll leave you with Dan Kozen's fine bull, which symbolised my 2006 prediction of more government intervention, and today stands in for the running of the other more successful bulls.

Thankfully, the regulators appear to be showing restraint, in that they are signalling that the problem belongs to the banks. The central banks have confirmed their intention to put risk sharing in place for online banking: the user will be on the hook for something like the first 150-250 of the fraud. After that, the bank picks up the rest. This is critical - both the bank and the user must engage in the security protocol, and any attempt to do otherwise is living in state of sin, to paraphrase John von Neumann.

Let's hope the regulators hold the line on that one, and prove at least one of my predictions dead wrong.

Threatwatch - trojan hijacking, proxy victims, breaching conflicts of legal interest, semi-opaque blue hats

Bad news for Microsoft, but (other) browsers may breath a sigh of small relief. It seems that there is a shift from email-based phishing across to trojan hijacking. Predictable - as people gradually wake up to phishing, and as the easy targets are phished out, we can expect the well-funded attackers to shift to new waters.

LURHQ’s description of an E-gold Trojan was an early foreshadowing of things to come. E-gold is an e-cash operation, similar to Paypal. Turns out they’ve been under constant attack from these advanced Trojans for a few years now.

The E-gold Trojan waits for the victim to successfully authenticate to E-gold’s Web site, creates a second hidden browser session, and uses various spoofing tricks until it drains the victim’s account. Because the stealing and spoofing is started after the authentication is completed, no amount of fancy log-on authentication would prevent the heist. All too telling is LURHQ’s prediction that “other banking institutions are sure to be attacked in this manner in the future.”

In the more mundane and routine phishing waters (thanks, Gordon):

In a smart site redirection, the attacker creates several identical copies of the spoofed site, each with a different URL, often hosted by different ISPs. When the phishing e-mails go out, all include a link to yet another site, a "central redirector." When the potential victim clicks on the e-mailed link, the redirector checks all the phishing sites, identifies which are still live, and invisibly redirects the user to one.

I see signs of a new trend in reportage of threats to US financial institutions. Above, and here:

The report cites the W32/Grams Trojan that targets 'e-gold' but doesn't launch an attack until the authentication process has been monitored and completed, as e-gold uses a number of security measures, such as limiting account access to an individual IP address and the use of one-time passphrases.

Spot it? If you can name e-gold then you can get away with embarressing someone who can't fight back. But if it is a regulated financial institution, it shouldn't be named - if the debit card PIN debacle in the US is anything to go by. Nobody quite knows what is going on there, what happened, and who it happened to. Other than the consumers, that is.

Knowing what happened is critical to security. Only with hard facts as to the real breach can we understand the risks. Only with understanding the risks can we counter them. If big banks have to be embarressed in that process then so be it - the goal is security, right?

Which means that naming e-gold is a net good - they become a proxy for the banks' woeful security practices. "Sucks to be them." But at least they got invited into a new coalition of the willing:

A group of 18 financial institutions and internet providers have joined forces with child advocacy groups in the US and Europe in an effort to eradicate commercial child pornography by 2008. The internet has allowed child pornography to become a multi-billion dollar industry, and the newly formed Financial Coalition Against Child Pornography aims to kill the business model behind the sites by blocking access to payment services including credit cards.

Again, e-gold have been a favourite target of blame for child pornography, and it is not exactly clear that the mud sticks. The reason for putting together a group is possibly explained here:

One problem for the card companies is that it is illegal for anyone other than law-enforcement officials to look at child porn. This has made it difficult to proceed with their own internal controls.

"The great thing about this coalition is that it gives us for the first time an independent entity to decide the validity of a particular image - and if it is child porn or not - and gives us actionable information," says Joshua Peirez, group executive of global public policy at MasterCard in Purchase, N.Y.

How the coalition gets around that illegality question is an open question - but it certainly points the way towards a nominally independent body that can govern the question without other conflicts of interest. And, conflicts of interest and other disasters are the rule with such investigations, as reported here by Adam:

An international investigation of internet-based child pornography has led to accusations against innocent victims of credit card fraud, a CBC News investigation has found. In other cases, victims of identity theft found themselves fighting to save their reputations, jobs and marriages after their names were used to buy child pornography.

Just exactly how do you deal with a false accusation so severe that due process is foregone? Any security strategies for that?

And finally, to return to Microsoft's bad news. They seem to have run something of a coup in security forums:

MARCH 16, 2006 (IDG NEWS SERVICE) - Microsoft Corp. is going public with some of the hacking information discussed at its Blue Hat Security Briefings event. Just days after the end of its third Blue Hat conference, the software vendor today posted the first blog entries at a new Web site. Microsoft is also promising to publish more details on the secretive invitation-only event.

The Web site will include Microsoft staffer's "reflections on BlueHat 3" as well as photos, podcasts and video interviews with some of the presenters, said Security Program Manager Kymberlee Price in a blog posting. "We sincerely hope that our BlueHat 3 speakers (and BlueHat 1 & 2 speakers) will post their comments to the site as well and share their BlueHat experience," she wrote.

Which at first blush sounds almost convincing. So, if it is so open and touchy feely, why is it also so secretive? Routine champions of open process such as Adam have supported the secrecy agenda (albeit under a label of privacy) so we are definately hearing two messages here, among the many echoes of the past.

The normal reason for secrecy is so as to control the agenda for own gain, whatever the headline reason is. In Microsoft's case they benefit if they can get the information they need and not reveal any themselves. Obviously, nobody is quite that naive these days, so some stuff may have to be revealed. Especially, what they do reveal should not reveal their more controversial intentions, so maybe what is not revealed is likely more interesting than what is not. And, as we saw with the "high assurance" case, there is a definate advantage in getting everyone else to respect privacy, as it gives Microsoft first-announcer privileges.

Aside from that, I think we are still in net positive. Microsoft have failed to get their house in order, and we see more and more signs that they are trying various ideas to get outside help. Without admitting this, that is, but the observation remains that they are the only organisation that is doing any out-reach on security at all, and they are the only player that is looking at security for security's sake, albeit highly filtered with other monetary interests.

(I should hasten to add that I doubt this is caused by any new-found public spirit on their part, it's almost certainly a rational analysis of the huge and growing risks Microsoft face in the security field.)

ThreatWatch - the Mac gets hacked

ZDNet Australia reports more substantial evidence that Mac OS X has a real problem with security has surfaced. In the interests of fairness and seeing my own predictions bite the dust, here's the news:

On February 22, a Sweden-based Mac enthusiast set his Mac Mini as a server and invited hackers to break through the computer's security and gain root control, which would allow the attacker to take charge of the computer and delete files and folders or install applications.

Participants were given local client access to the target computer and invited to try their luck.

Within hours of going live, the "rm-my-mac" competition was over. The challenger posted this message on his Web site: "This sucks. Six hours later this poor little Mac was owned and this page got defaced".

The hacker that won the challenge, who asked ZDNet Australia to identify him only as "gwerdna", said he gained root control of the Mac in less than 30 minutes.

"It probably took about 20 or 30 minutes to get root on the box. Initially I tried looking around the box for certain mis-configurations and other obvious things but then I decided to use some unpublished exploits -- of which there are a lot for Mac OS X," gwerdna told ZDNet Australia .

Yowsa! Some work to do, guys! Maybe we're all back to OpenBSD again... A little more digging, and Arstechnica and MacWorld both indicate the hack was less dramatic than it sounds:

Firstly, the hack was that of privilege escalation, not a pure remote exploit. The web site author had enabled SSH, the Unix "Secure Shell" tool that has replaced telnet as a means for accessing networked machines from the command line. He then configured an LDAP (Lightweight Directory Access Protocol) database and added a web-based interface so that visitors to the site could add their own shell accounts to the system. These shell accounts were given limited user access, so in theory they should not have been able to access or modify any files that were owned by the system or by other accounts. The hacker used a vulnerability in OS X to promote the privileges of this account, thus "gaining root" and becoming able to modify any file on the computer at will.

Ah. You have to have a shell account on there in the first place. That's different. To counterbalance that, CS news reports:

"In response to the woefully misleading ZDnet article, 'Mac OS X hacked under 30 minutes', the academic Mac OS X Security Challenge has been launched. The ZDnet article, and almost all of the coverage of it, failed to mention a very critical point: anyone who wished it was given a local account on the machine (which could be accessed via ssh). The challenge is as follows: simply alter the web page on this machine, test.doit.wisc.edu. The machine is a Mac mini (PowerPC) running Mac OS X 10.4.5 with Security Update 2006-001, has two local accounts, and has ssh and http open - a lot more than most Mac OS X machines will ever have open."

Cool. Stopwatches running...

FraudWatch - Chip&Pin, a new tenner (USD10)

Chip&Pin in Britain measured a nearly full year of implementation (since February) and found fraud had dropped by 13%. They say that's good. Well, it's not bad but it is a far cry from the 80% figures that I recall being touted when they were pushing it through.

The Chip and Pin system cut plastic card fraud by 13% in 2005, according to the Association of Payment Clearing Services (Apacs). Losses due to the fraudulent use of credit and debit cards fell last year by £65m to £439m.

Most categories of fraudulent card use dropped, except for transactions over the phone, internet or by mail. Chip and Pin cards were introduced in 2004, with their use becoming required in shops from February this year.

The new type of card appears to have brought a decisive turnaround with fraud levels now back to the levels last seen in 2003. In 2004, as the new cards were being introduced, card fraud continued to shoot up, by 20%, costing banks and retailers more than half a billion pounds.

Sandra Quinn of Apacs hailed the impact of Chip and Pin, which has been rolled out to most of the UK retailing and banking industries since October 2003:

"Seeing card fraud losses come down is cast-iron proof that Chip and Pin is doing its job. Back in 2002 we forecast that fraud would have risen to £800m in 2005 if we didn't make the move to Chip and Pin so it's heartening to see total losses well beneath this figure" she said.

So maybe if we factor in such a prediction of 800m, down now to 439, we are seeing a drop of 45%. I'd say that according to GP they moved too late and ended up with an institutionalised fraud at a high and economic level. Clawing that back is going to take some doing.

And, also from PaymentNews, the US mint continues its sly dance to use other colours than green:

Security Features
The redesigned $10 note also retains three of the most important security features that were first introduced in the 1990s and are easy to check: color-shifting ink, watermark and security thread.

Color-Shifting Ink: Tilt your ten to check that the numeral "10" in the lower right-hand corner on the face of the note changes color from copper to green. The color shift is more dramatic on the redesigned notes, making it even easier for people to check their money.

Watermark: Hold your ten up to the light to see if a faint image of Treasury Secretary Alexander Hamilton appears to the right of his large portrait. It can be seen from both sides of the note. On the redesigned $10 note, a blank oval has been incorporated into the design to highlight the watermark's location.

Security Thread: Hold your ten up to the light and make sure there's a small strip embedded in the paper. The words "USA TEN" and a small flag are visible in tiny print. It runs vertically to the right of the portrait and can be seen from both sides of the note. This thread glows orange when held under ultraviolet light.

To protect our economy and your hard-earned money, the U.S. government expects to redesign its currency every seven to ten years.

Everything is good fun about that page, even the URL!

More dots than you or I can understand (Internet Threat Level is Systemic)

fm points to Gadi Evron who writes an impassioned plea for openness in security. Why? He makes a case that we don't know the half of what the bad guys are up to. His message goes something like this:

DDoS -> recursive DNS -> Fast Flux -> C2 Servers -> rendevous in cryptographic domainname space -> bots -> Phishing

Connecting the dots is a current fad in america, and I really enjoyed those above. I just wish I knew what even half of them meant. Evron's message is that there are plenty of dots for us all to connect, so many that the tedium of imminent solution is not an issue. He attempted to describe them a bit later with his commentary on the recent SSL phishing news:

Some new disturbing phishing trends from the past year:

POST information in the mail message
That means that the user fills his or her data in the HTML email message itself, which then sends the information to a legit-looking site. The problem with that, is how do you convince an ISP that a real (compromised) site is indeed a phishing site, if there is no phishy-looking page there, but rather a script hiding somewhere?

Trojan horses
This is an increasing problem. People get infected with these bots, zombies or whatever else you’d like to call them and then start sending out the phishing spam, while alternating the IP address of the phishing server, which brings us to…

Fast-Flux
Fast Flux is a term coined in the anti spam world to describe such Trojan horses’ activity. The DNS RR leading to the phishing server keeps changing, with a new IP address (or 10) every 10 minutes to a day. Trying to keep up and eliminate these sites before they move again is frustrating and problematic, making the bottle-neck the DNS RR which needs to be nuked.

We may be able to follow that, but the bigger question is how to cope with it. Even if you can follow the description, dealing with all three of the above is going to stretch any skilled practitioner. And that's Evron's point:

What am I trying to say here?

All these activities are related, and therefore better coordination needs to be done much like we do on the DA and MWP groups, cross-industry and open-minded. R&D to back up operations is critical, as what’s good for today may be harmful tomorrow (killing C&C’s as an example).

The industry needs to get off its high tree and see the light. There are good people who never heard about BGP but eat Trojans (sounds bad) for breakfast, and others need to see that just because some don’t know how to read binary code doesn’t mean they are not amazingly skilled and clued with how the network runs.

This is not my research alone. I can only take credit for seeing the macro image and helping to connect the dots, as well as facilitate cooperation across our industry. Still, as much as many of this needs to remain quiet and done in secret-hand-shake clubs, a lot of this needs to get public and get public attention.

Over-compartmentalizing and over-secrecy hurts us too, not just the US military. If we deal in secret only with what needs to be dealt in secret, people may actually keep that secret better, and more resources can be applied to deal with it.
Some things are handled better when they are public, as obviously the bad guys already know about them and share them quite regularly. “Like candy” when it comes to malware samples, as an example.

The Internet threat level is now systemic, and has been since the arisal of industrialised phishing, IMO. I've written many times before about the secrecy of the browser sector in dealing with phishing, and how the professional cryptographic community washed its hands of the problem. Microsoft's legendary castles of policy need no reminder, and it's not as if Apple, Sun, Symantec, Verisign or any other security company would ever do any better in measures of openness.

Now someone over the other side of the phishing war is saying that he sees yet other tribes hiding in their fiefdoms, and I don't even know which tribes he's referring to. Gadi Evron concludes:

-opinion-Our fault, us, the people who run these communities and global efforts, for being over-secretive on issues that should be public and thus also neglecting the issues that should really remain under some sort of secrecy, plus preventing you from defending yourself.

Us, for being snobbish dolts and us, for thinking we invented the wheel, not to mention that we know everything or some of us who try to keep their spots of power and/or status by keeping new blood out (AV industry especially, the net-ops community is not alone in the sin of hubris).

It’s time to wake up. The Internet is not about to die tomorrow and there is a lot of good effort from a lot of good people going around. Amazing even, but it is time to wake up and move, as we are losing the battle and the eventual war.

Cyber-crime is real crime, only using the net. Cyber-terrorism will be here one day. If we can’t handle what we have on our plate today or worse, think we are OK, how will we handle it when it is here?

SSL phishing, Microsoft moves to brand, and nyms

fm points to Brian Krebs who documents an SSL-protected phishing attack. The cert was issued by Geotrust:

Now here's where it gets really interesting. The phishing site, which is still up at the time of this writing, is protected by a Secure Sockets Layer (SSL) encryption certificate issued by a division of the credit reporting bureau Equifax that is now part of a company called Geotrust. SSL is a technology designed to ensure that sensitive information transmitted online cannot be read by a third-party who may have access to the data stream while it is being transmitted. All legitimate banking sites use them, but it's pretty rare to see them on fraudulent sites.

(skipping details of certificate manufacturing...)

Once a user is on the site, he can view more information about the site's security and authenticity by clicking on the padlock located in the browser's address field. Doing so, I was able to see that the certificate was issued by Equifax Secure Global eBusiness CA-1. The certificate also contains a link to a page displaying a "ChoicePoint Unique Identifier" for more information on the issuee, which confirms that this certificate was issued to a company called Mountain America that is based in Salt Lake City (where the real Mountain America credit union is based.)

The site itself was closed down pretty quickly. For added spice beyond the normal, it also had a ChoicePoint unique Identifier in it! Over on SANS - something called the Internet Storm Center - Handler investigates why malware became a problem and chooses phishing. He has the Choicepoint story nailed:

I asked about the ChoicePoint information and whether it was used as verification and was surprised to learn that ChoicePoint wasn't a "source" of data for the transaction, but rather was a "recipient" of data from Equifax/GeoTrust. According to Equifax/GeoTrust, "as part of the provisioning process with QuickSSL, your business will be registered with ChoicePoint, the nation's leading provider of identification and credential verification services."

LOL... So now we know that the idea is to get everyone to believe in trusting trust and then sell them oodles of it. Quietly forgetting that the service was supposed to be about a little something called verification, something that can happen when there is no reason to defend the brand to the public.

Who would'a thunk it? In other news, I attended an informal briefing on Microsoft's internal security agenda recently. The encouraging news is that they are moving to put logos on the chrome of the browser, negotiate with CAs to get the logos into the certificates, and move the user into the cycle of security. Basically, Trustbar, into IE. Making the brand work. Solving the MITM in browsers.

There are lots of indicators that Microsoft is thinking about where to go. Their marketing department is moving to deflect attention with 10 Immutable Laws of Security:

Law #1: If a bad guy can persuade you to run his program on your computer, it's not your computer anymore
Law #2: If a bad guy can alter the operating system on your computer, it's not your computer anymore
Law #3: If a bad guy has unrestricted physical access to your computer, it's not your computer anymore
Law #4: If you allow a bad guy to upload programs to your website, it's not your website any more
Law #5: Weak passwords trump strong security
Law #6: A computer is only as secure as the administrator is trustworthy
Law #7: Encrypted data is only as secure as the decryption key
Law #8: An out of date virus scanner is only marginally better than no virus scanner at all
Law #9: Absolute anonymity isn't practical, in real life or on the Web
Law #10: Technology is not a panacea

Immutable! I like that confidence, and so do the attackers. #9 is worth reading - as Microsoft are thinking very hard about identity these days. Now, on the surface, they may be thinking that if they can crack this nut about identity then they'll have a wonderful market ahead. But under the covers they are moving towards that which #9 conveniently leaves out - the key is the identity is the key, and its called psuedonymity, not anonymity. Rumour has it that Microsoft's Windows operating system is moving over to a psuedonymous base but there is little written about it.

There was lots of other good news, too, but it was an informal briefing, so I informally didn't recall all of it. Personally, to me, this means my battle against phishing is drawing to a close - others far better financed and more powerful are carrying on the charge. Which is good because there is no shortage of battles in the future.

To close, deliciously, from Brian (who now looks like he's been slashdotted):

I put a call in to the Geotrust folks. Ironically, a customer service representative said most of the company's managers are presently attending a security conference in Northern California put on by RSA Security, the company that pretty much wrote the book on SSL security and whose encryption algorithms power the whole process. When I hear back from Geotrust, I'll update this post.

That's the company that also ditched SSL as a browsing security method, recently. At least they've still got the conference business.

The Market Price of a Vulnerability

More on threats. A paper Paul sent to me mentions that:

Stuart Schechter’s thesis [11] on vulnerability markets actually discusses bug challenges in great detail and he coined the term market price of vulnerability (MPV) as a metric for security strength.

A good observation - if we can price the value of a vulnerability then we can use that as a proxy for the strength of security. What luck then that this week, we found out that the price of the Windows Metafile (WMF) bug was ... $4000!.

The Windows Metafile (WMF) bug that caused users -- and Microsoft -- so much grief in December and January spread like it did because Russian hackers sold an exploit to anyone who had the cash, a security researcher said Friday.

The bug in Windows' rendering of WMF images was serious enough that Microsoft issued an out-of-cycle patch for the problem in early January, in part because scores of different exploits lurked on thousands of Web sites, including many compromised legitimate sites. At one point, Microsoft was even accused of purposefully creating the vulnerability as a "back door" into Windows.

Alexander Gostev, a senior virus analyst for Moscow-based Kaspersky Labs, recently published research that claimed the WMF exploits could be traced back to an unnamed person who, around Dec. 1, 2005, found the vulnerability.

"It took a few days for exploit-enabling code to be developed," wrote Gostev in the paper published online, but by the middle of the month, that chore was completed. And then exploit went up for sale.

"It seems that two or three competing hacker groups from Russian were selling this exploit for $4,000," said Gostev.

(That's a good article, jam-packed with good info.) Back to the paper. Rainer Bohme surveys 5 different vulnerability markets. Here's one:

Vulnerability brokers are often referred to as “vulnerability sharing circles”. These clubs are built around independent organizations (mostly private companies) who offer money for new vulnerability reports, which they circulate within a closed group of subscribers to their security alert service. In the standard model, only good guys are allowed to join the club. The customer bases are said to consist of both vendors, who thus learn about bugs to fix, and corporate users, who want to protect their systems even before a patch becomes available. With annual subscription fees of more than ten times the reward for a vulnerability report, the business model seems so profitable that there are multiple players in the market: iDefense, TippingPoint, Digital Armaments, just to name a few.

OK! He also considers Bug Challenges, Bug Auctions, Exploit derivatives, and insurance. Conclusion?

It appears that exploit derivatives and cyber-insurance are both acceptable, with exploit derivatives having an advantage as timely indicator whereas cyber-insurance gets adeduction in efficiency due to the presumably high transaction costs. What’s more, both concepts complement one another. Please note the limitations of this qualitative assessment, which should be regarded as a starting point for discussion and exchange of views.

Picturing her location

On this article there is a picture. Which is worth a thousand words.

Coming to a mobile/cell near you. The text says "as of 04/11/2005 15:30:51 (2 months, 2 weeks ago), the GPS Device PERSONAL TRACKER was in the vicinity of Wimbledon"

Which reminds me of the recent Woody Allen movie, Match Point. I should also pass on Fm's pointer that as of 05/23/2005 12:00:00 (2 years, 9 months ago), the NTK Threats Tracker was in the vicinity of spot on:

Still, technology marches on. If you ask us, the real future is in *massively parallel peer-to-peer* elves. Take FLEET ONLINE. This Dutch business-oriented service was introduced a month ago to the UK. It's a pay-as-you-go site that lets companies instantly locate their employees' mobile phones, to a granularity of the nearest cell (ie 50m in urban areas). Positioning costs 25p a shot. Here's the real gimmick, though: you can sign up yourself, and then add any mobile phone you'd like to be geolocated. Oh sure, your victim will get an initial "Do you want to be tracked?" opt-in message, and then another in two weeks. But think of all the phones you can get physical access to long enough to say yes to that original text. Friends! Spouses! Potential stalking fodder! And what you could do in two weeks. Supposing you're a burgling elf: you could nick that phone, sign it up, give it back, find out where they live via the geolocator. And then *find out when they're out*! It's a RISKS Digest all of its own! http://www.fleetonline.net/ - that'll give the geourl people something to play with

Threatwatch - tracking you, tracking me, tracking us all

We all know that cell-phones have been trackable to the tower point quite trivially, and even beyond that if the operator deigns to do some triangulation. That's how they - allegedly - tracked the London bomber through Italy.

But I admit to being surprised that the telco operators would *sell* this information. I suppose it is obvious, in hindsight, but what cojones!

I unplugged her phone and took it upstairs to register it on a website I had been told about. It looks as if the service is mainly for tracking stock and staff movements: the Guardian, rather sensibly, doesn't want me to tell you any more than that. I ticked the website's terms and conditions without reading them, put in my debit card details, and bought 25 GSM Credits for £5 plusvat.

Almost immediately, my girlfriend's phone vibrated with a new text message. "Ben Goldacre has requested to add you to their Buddy List! To accept, simply reply to this message with 'LOCATE'". I sent the requested reply. The phone vibrated again. A second text arrived: "WARNING: [this service] allows other people to know where you are. For your own safety make sure that you know who is locating you." I deleted both these text messages.

On the website, I see the familiar number in my list of "GSM devices" and I click "locate". A map appears of the area in which we live, with a person-shaped blob in the middle, roughly 100 yards from our home. The phone doesn't go off at all. There is no trace of what I'm doing on her phone. I can't quite believe my eyes: I knew that the police could do this, and telecommunications companies, but not any old random person with five minutes access to someone else's phone. I can't find anything in her mobile that could possibly let her know that I'm checking her location. As devious systems go, it's foolproof. I set up the website to track her at regular intervals, take a snapshot of her whereabouts automatically, every half hour, and plot her path on the map, so that I can view it at my leisure. It felt, I have to say, exceedingly wrong.

Well, that basically means we all now have the tracking devices that we all were scared off. Never mind the bluster about warning messages, somehow we all slipped into the tracking society without even knowing it.

The tracking threat meter is now pegged hard ON. The response is likely to be IP telephony with bluetooth/802.11 bridging into the open network. Not because of the eavesdropping - that old silly worry about encryption - but because of the location searching. Eavesdropping is not an economic threat to most people most of the time, but tracking is. Tracking location can be used years afterwards, whereas nobody on the planet except the NSA has time to listen to 1000's of hours of chit chat with the spouse.

Meanwhile something that didn't surprise me was the Greek Prime Minister's affair:

Athens - Mobile phones belonging to top Greek military and government officials — including the Prime Minister — and the U.S. embassy were tapped for nearly a year beginning in the weeks before the 2004 Olympic games, the government said Thursday. .... Mr. Roussopoulos said the surveillance was carried out through spy software installed in the central system of Vodafone, the mobile telephony provider that served the targets. Calls were then diverted to mobile phones using pay-as-you-go services, which are difficult to trace.

So, someone connected into the switches and installed some diverts or conference shares. Cunningly, they diverted the conference sharing to pre-paid mobiles which were probably hacked to record.

Now, my experience in telcos doesn't go very far, having only worked twice for them, and then only peripherally to switches. But here's what I recall, FWIW (please, anyone with more uptodate info, chime in!) :

Switches have very basic security. They are all digital, these days. They are all centrally manageable. And the source code is secret. e.g., it's almost as bad as windows - you google around, download a few docs and programs, hack in and you're in. The only reason this is unknown is because switches just aren't that interesting. (Waddya gonna do - divert your mother's few phone calls? Download Paris Hilton's billing records? Roight... Phone phreaking disappeared the minute Internet came along because the net was more fun.)

Better, or worse, the security departments work hand in glove with the national authorities. The switches are after all built by very big companies, almost always "national champions." They are generally sold to other very big companies, who all used to be national champions back in the good old days, but these days are more likely to be wannabe champions with the same mindset.

So I would conclude that this is in the "of course" basket. Of course you - anyone - can do this, the challenge would be to show that you couldn't. More apropos would be to ask if this sort of capability is built into Cisco routers. Just in the "China specials" or all of them?

Cisco also released a statement recently aimed at dispelling the persistent rumor that it sold China custom hardware designed to make censorship simple. The company, it says , "has not designed or marketed products for any government to censor Internet content." Reporters without Borders disagrees - and they were the ones who had the Congressional ear today.

Or, to ask what the Greek counter-intelligence people are up to - what were they doing all these years letting their assets use unprotected mobile phones over unprotected and wide-open commercial telco networks? How dumb is that?

The list of about 100 people whose telephones were tapped included the ministers of foreign affairs, defence, public order and justice. Most of Greece's top military and police officers were also targeted, as were foreign ministry officials, a US embassy number and the prime minister's wife, Natasha.

My advise - if Natasha divorces the PM, she should name the chief of counter-intelligence agencies in the filing.

Greece reveals cellphone tap spy scandal
By NICHOLAS PAPHITIS
Thursday, February 2, 2006 Posted at 7:35 PM EST
Associated Press
Athens - Mobile phones belonging to top Greek military and government officials — including the Prime Minister — and the U.S. embassy were tapped for nearly a year beginning in the weeks before the 2004 Olympic games, the government said Thursday.
It was not known who was responsible for the taps, which numbered about 100 and included Greek Prime Minister Costas Caramanlis and his wife, and the ministers of foreign affairs, defence, public order and justice. Most of Greece's top military and police officers were also targeted, as were foreign ministry officials and a U.S. embassy number. Also tapped were some journalists and human rights activists.
The phone tapping “started before the 2004 Olympic Games and probably continued until March 2005, when it was discovered,” government spokesman Theodoros Roussopoulos said at a news conference.
Mr. Roussopoulos said it had not been possible to identify who was behind the tapping.

“It was an unknown individual, or individuals, who used high technology,” he said.
Mr. Roussopoulos said the surveillance was carried out through spy software installed in the central system of Vodafone, the mobile telephony provider that served the targets.
Calls were then diverted to mobile phones using pay-as-you-go services, which are difficult to trace.
An investigation showed that these mobiles had been used in a central Athens area where many foreign embassies are located, though Mr. Roussopoulos refused to speculate on whether foreign agencies might be involved.
“I estimate that no harm was caused to our national issues,” Mr. Roussopoulos said. “The prime minister does not just use one mobile phone.”
He said the government first heard of the tapping in March 2005, when it was tipped off by Vodafone Greece CEO Giorgos Koronias.
Vodafone — one of the country's four mobile telephony providers — discovered the tapping after receiving complaints from customers over problems operating their phones.
Mr. Koronias issued a statement saying the company removed the spyware immediately after it was located, and informed the competent state authorities.
Athens prosecutor Dimitris Papangelopoulos brought misdemeanor charges of breaching the privacy of phone calls against “unknown persons” earlier Thursday, the Justice Minister said.
The prosecutor will also investigate whether there are grounds for bringing criminal charges of espionage, the Minister said.
The government pledged the inquiry would be full and fair.

The Price for Your Identity

So what does it cost to forge an identity? Here's a list of costs (with updates moved to end) that lead us to the answer. First off, in Britain:

When interviewed the duo said they were conducting at least eight transactions a day, totalling around 5,000 sales over two years. A passport would cost £350, a national insurance card or a driving license would cost £50 to £75.

In Japan, driver's licences are no trouble if you know a Colombian (sorry, URL is duff, see below for full story).

The Hyogo prefectural police and other police headquarters have arrested 12 members of the ring, nine of them Colombians. The police reported that some of the suspects said that in addition to the forged passports, they bought bogus driver's licenses and cash cards before entering Japan for only 20 dollars.

Back to Britain, and the Sunday Herald dives into the business of undercover policework. Here's a heavily redacted snippage indicating a top-drawer contender.

He tells us one passport costs just over £1000, but if we buy more, the price drops to around £800. ... There, Pavel brings out a sample of the kind of passport he will be able to get for us. The passports are 100% authentic to the eye. ... British immigration and passport experts who examined the document on guarantee of anonymity said it was “the very best [they’d] ever seen”. It even passed an ultraviolet light test which British passport controllers use to show up hidden watermarks which are in every genuine document.

They said it was “real” and could easily be used to open a bank account without alerting any suspicion.
...
The officer, who takes the lead on ID theft within the SDEA, added: “There has been an upswing in the trade in fake documentation.

Addendums. Just found some numbers from an old post on EC:

Social Security cards run about $20, green cards about $70 and a California driver's license between $60 and $250. The price jumps up for higher-quality documents, such as IDs with magnetic strips containing real information — often from victims of identity theft.

Maybe that's where I got the idea from...

Please note that the purpose of collecting this information is for security researchers to form a validated view of what it costs an attacker to breach their designs (so I won't bother to point out where you can buy them).

Most security designs simply assume that collecting the identity of someone grants the holder magical security properties; unfortunately the truth is far less encouraging and the result is that relying on identity collection is probably only reliable for stopping honest people and your poorer class of criminal from defrauding the system.

Here's my predicted benchmark - forging any identity costs approximately 1000 (in today's major units). I'll update that as we get better into it.

20 dollars IDs foil immigration officials The Yomiuri Shimbun Colombians arrested here over their suspected involvement in a burglary ring entered Japan on fake passports and other forms of counterfeit identification purchased for only 20 dollars, police learned Thursday. The Hyogo prefectural police quoted one of the suspects as saying there is an organization in Colombia that forges such documents. The ring is suspected of committing more than 100 burglaries in 11 prefectures, including Osaka and Hyogo, over the last three years, netting items and cash worth hundreds of millions of yen. The Hyogo prefectural police and other police headquarters have arrested 12 members of the ring, nine of them Colombians. The police reported that some of the suspects said that in addition to the forged passports, they bought bogus driver's licenses and cash cards before entering Japan for only 20 dollars. Some of the suspects reportedly told the police that many houses are left unlocked in Japan, and people here pay little thought to crime prevention. The suspects are believed to have sold electrical appliances and other stolen items and sent the money to relatives in Colombia. According to the Hyogo prefectural police, one of the suspects previously had been deported from Japan, but returned on a fake passport. The police arrested the alleged ringleader Akihiro Nagashima, 36, and two Colombian men in November on suspicion of stealing a television and other items from a house in Wakayama. Nagashima has been indicted on the charge. The burglary ring is believed to comprise about 20 members, about 80 percent of whom are believed to be Colombians. (Jan. 28, 2006) ¿ The Yomiuri Shimbun. http://www.yomiuri.co.jp/dy/national/20060128tdy02001.htm

Addendums.

20060305 USA reports how much it costs to find false identities:

Glendining offers his doormen $20 gift certificates for each fake ID pulled. In recent years, the fake IDs have gotten better. “You really gotta make the best effort you can,” Glendining said.

The bar keeps a sample of real and fake IDs around for doormen to learn from. Telltale signs of a fake include IDs that crack when bent, eye color or height that doesn’t match or a nervous person shuffling. But oftentimes, it comes down to the feel of the ID.

Spotted in EC.

20060223. Israel:

The Israeli passport is considered to be one of the easiest passports to forge and can be purchased in Asia, and especially in Thailand's markets, for anywhere from USD 500 to 2000. The Israeli passport is in great demand because people carrying it can enter Asian countries without a visa. .... During interrogation, [six Iranians] confessed that they purchased the passports in Thailand for USD 1,000 for the purpose of entering Macau easily.

20060216, Britain:

LONDON: The head of security at Arsenal’s new stadium ran a racket supplying guards on the site with fake passports. Ademola Adeniran, 39, an illegal immigrant, supplied documents stamped with "indefinite leave to remain" for men working there. Adeniran, of Hackney, was caught with more than 100 fake Nigerian and South African passports when police raided his home. They are thought to be worth £200 each on the black market.

20060212. In Britain

London is a major centre for Asian and African gangs based in Thailand to sell counterfeit European passports, mostly to people from the Middle East, immigration police chief Pol Lt-Gen Suwat Thamrongsrisakul says. Immigration police last year seized 572 fake passports, of which 184 were Belgian, 155 Portuguese, 139 Spanish and 94 French, he said yesterday. All the counterfeits were printed in Bangkok, taken to London and sold for about 1,000 (about 68,000 baht) each by brokers who made about 20% profit on them, he said.

20060516. In Britain

"I charge £700 for each one but can give you a £100 discount if you order two. I can do most EU countries including Greece, Denmark, Spain, Italy, Poland, Latvia and Lithuania."

The node is the threat: Mozilla, the CIA, Skype, Symantec, Sony, .... and finally a WIRE THREAT: Bush

Firefox reaches around 20% market share in one "weekend" survey in Europe. Bull-rating! If this keeps going on, I'll run out of predictions by the end of January. In other news, a Firefox developer caused a furore on slashdot by adding a URL tracking feature. Firefox needs to meet the interests of parties other than yourself in your browsing habits. In this case, it is probably Google; the fact that the developer put the feature in without any way to turn it off is telling.

Readers will recall a recent thread on governance in non-profits which goes some way to explaining this confusion (1, 2). Mozilla now has two interested groups - those that supply money and those that don't. How Mozilla brings itself to reconcile the conflicts between these two groups is worth watching - but also difficult to divine, as Mozilla have a fairly consistent policy of debating in secret and announcing later (the root list policy was a notable exception!).

The threats situation is daily growing more complex. Let's review more evidence (as if it is needed) on threat models. Over in Milan, prosecutors have revealed some details of the CIA kidnapping case. The alleged kidnappers left behind disk drives with emails that warned the agents to get out of Italy, as well as indicated who was the leader of the kidnapping crew.

On June 23, the day the warrants were issued, police searched the villa in the Italian wine region of Asti where Lady had retired with his wife at the end of 2003. From the hard drive of one of his computers police recovered the e-mail message, which someone had attempted to delete, plus other documents they say establish Lady as the organizer of the kidnapping.

The prosecutors have distributed 22 search warrants throughout Europe and intend to seek extradition from the US next. One of the alleged kidnappers was reached by reporters in Washington DC, but her name was not published at the request of the CIA, who say she is still active and undercover. (Which would then put the reporters in the curious position of obstructing justice if they ever travel to Europe!)

Back to threat models. That email on that drive! Darn it, the threat is on the node, says I. For a long time now I have been asserting that _the node is the threat_ and I've conducted a search for evidence that there is any threat to the wire. Long, boring, and ultimately futile was the quest! But now, I can at last reveal the quest may be over:

The Bush administration is engaged in the novel legal experiment of ordering illegal wiretaps so as to show why it needs the facility to harvest Americans' conversations without a court supervision. We now have an Executive Order, no less, mandating the NSA to threaten the wires of civilian America. Now, in times past one could have said that the NSA would have been strictly interested in bad guys outside the country, giving some protection to the populace who weren't plotting the overthrow of the USA. But those days are gone, even inside supporters of the administration are admitting that these extraordinary powers are desperately needed to get back at the internal enemies that made life so difficult for them in the past years. And I'm not just referring to the democrats or democracy. So this means we have bona fide evidence of a major eavesdropping threat to the wire - albeit one to Americans only.

Still, even with this stunning Executive Order, no less, the threat to the node remains more severe, I claim. News just in from Skype in China:

Skype had a dilemma. The Internet telephony and messaging service wanted to enter China with TOM Online (TOMO), a Beijing company controlled by Hong Kong billionaire Li Ka-shing. Li's people told their Skype Technologies (EBAY) partners that, to avoid problems with the Chinese leadership, they needed filters to screen out words in text messages deemed offensive by Beijing. No filtering, no service.

At first Skype executives resisted, says a source familiar with the venture. But after it became clear that Skype had no choice, the company relented: TOM and Skype now filter phrases such as "Falun Gong" and "Dalai Lama." Neither company would comment on the record.

First blood! This might be the first news that Skype is not protecting its users, which might explain why that other panda-shaped company, eBay, was ready to buy it. OTOH, the news comes from BusinessWeek, who aren't exactly above a hatchet job for political favours.

Either way, Skype was good while it lasted. In the department of corporate attackers it seems that Symantec has also been caught out installing root kits on Windows machines. They issued a patch, but not before saying that they were unaware of any hackers taking advantage... Oh, and poor old Sony, another corporate attacker caught with its hands in the root kit cookie jar has waved the white flag:

Federal judge Naomi Rice Buchwald gave tentative approval on Jan. 12th to a settlement in one of the many lawsuits filed against Sony over the rootkits. The settlement terms included offering cash payments or free music downloads to buyers of the affected CD's, and prevents Sony from selling any CD's with copy-protected software until 2008 at the earliest.

Lawsuits filed by Texas Attorney General Greg Abbott and the Electronic Frontier Foundation against Sony are still going ahead.

Thank heavens someone is taking on the attackers. Security observers (I no longer use the term 'security expert', a new year's resolution) scurried for cover in case they were asked to suggest whether a crime had been committed. Windows users may as well get used to it - with friends like that, they're not in dire need of new enemies.

2006 - The Year of the Bull

2005 was when the Snail lost its identity. What is to come in 2006? Prediction always being a fool's game compared to the wiser trick of waiting until it happens and then claiming credit, here's a list of strategic plays for the year to come.

1. Government will charge into cybersecurity. So far, the notion of government involvement has been muted, as there have been enough voices pointing out that while the private sector may not have a good idea, it certainly has a less bad idea than the government. Cybersecurity departments have been duly and thankfully restricted.

I suspect in 2006, the Bull will begin to Roar through our China Shop. Calls seem to be escalating in all areas. This is a reflection of many factors:

• the failure of private sector security to dampen the data breaches, phishing, viruses, malware, etc...
• countries have woken up to the fact that at the end of the day, the USA controls enough of the core to have its way, and as a policy won't give that up. This annoys some and worries others, so expect on Internet governance to be well stoked, along with a dozen other global copycats.
• especially, we live in the interesting times of White House insensitivity to the law, logic and history. Those that read America better than I point out that the reason it's getting worse is that ... the Democrats are just as bad as the Republicans, which means that the opposition is unlikely to care too much about opposing.
• people -- that's users to you and me -- have shifted in their perceptions from the Internet as a benign but fun place to a dangerous wild wild west.
• all sorts of academics and legal folks from outside the field are pointing out how we solve these things elsewhere, and these methods all require laws, agencies, police, training, budgets, ...

For all that, calls to send in the cavalry will increase. Oh course, we know that we the user will be more insecure and poorer as a result of the Bull market for cybersecurity. What we don't know is how much worse it will be, and I daren't predict that :)

2. Anti-virus manufacturers will have a bad year. Not so much in profits, which might perversely go up, but in terms of their ability to make a difference. Kapersky of eponymously named company points out that it is getting much harder. We know the crooks are getting much more focussed due to their revenues cycle. Also of note is that Microsoft has entered the game of selling you (not me) protection for their OS breaches - bringing with it a whole messy smelly pile of conflicts which will make it even harder for the "independent" anti-virus providers.

3. Firefox will continue to grow. My guess is that it will get past 15%, probably to 20%. Microsoft won't fight back seriously, they have other battles, even though this would leave them at say 70-75% (Safari, Opera, Konqueror take 5-10%).

3.b But sometime by the end of the 2006, Firefox will be seriously bloodied as it runs into security attacks targetted directly at it. What does this mean? Firefox crosses GP sometime soon, in terms of financial fraud. The only ones this will surprise will be Mozilla. Most observers with a clue have realised that Firefox has enjoyed its reputation due to reasonably sound factors, but these factors are just basic engineering issues like a re-write and solid coding practices, not those high level practices that distinguish the security projects (BSD, PGP, etc). This probably won't hold back Firefox's growth, as their mission to give browser users a choice remains aligned with our needs, and it remains tremendously useful even if the security rep takes a knock. So be it. But by the end of the year, expect some hand-wringing and moaning and more than usually confusing comments from Mozo Central's revolving security spokesman of the day.

3.c Also expect Mozilla to start talking about the next step in commercialisation -- the IPO. The discipline of the public company will start to look very attractive to those tasked with sorting out intractable internal conflicts inherited from the touchy-feely open source world.

4. In payments, the number of non-bank payment systems looks like it will increase dramatically. Gift card systems are exploding as companies discover that they take the money up front so they get financing at a better rate than the bank offers -- Free! -- and the wastage rate is better than any retail margin seen outside monopoly products. It doesn't take much for these to be integrated into an online account system - after all, what is a gift card but a psuedonymous account identifier. Then, once the alignment takes place, adding user-to-user payments is just a switch to throw one the weekend when your bank isn't looking. Maybe 2006 will be the year of the indie payment system?

5. No predictions for the gold sector. Even though the gold unit is skyrocketing and will continue to do that, there are continuing woes facing the issuers which they haven't sorted out long term. The bounty of people rushing up the gold price curve is offset by the cowboy image of the gold issuers.

6. Mac OSX will get to 7 or 8% of the market, maybe 10% if the intel change goes well. Given the aggressiveness of the PC world, that can be considered to be a stunning result. The BSDs and the Linuxes still won't penetrate the desktop as much as we'd like, but it will become reasonable to talk about a Microsoft-free environment. 6.b I might finally acquire a Mac. Not because I want to -- I hate the UI, the keyboards suck, and they haven't got the reliability of the old thinkpad workhorses -- but for reasons too irrelevent and arcane to go into today.

7. Google will grow and prosper and survive. This might be an odd thing to predict, but the thing with Google is that it is a bit like a Netscape with an endless supply of revenue. As one insider put it to me recently, it was a boon to the world when Netscape was cleaned out as that meant we could get on with business. Unfortunately, google has lots of revenue, so the mad cats will be financed and the projects just go on and on and on... I expect by the end of the year, though, we'll see adverts for cat herders as long term insiders realise that some chaos is good but most is just chaos.

8. Microsoft will not succeed in sorting out its security mess and will continue to lose market share. Let's get this in perspective - it will probably drop down from around 90% to around 80% allround. Nothing worth crying over, and indeed, it will give the company some sorely lacking focus. Some time around the end of 2006, some soul searching will result in serious investigation of other operating systems. So, who wants to bet on what OS Microsoft will pick up? Here's my anti-picks: it won't be Unix, and it won't be Java (which in its J2EE form is more or less a server OS, and then there's Swing...).

9. Macs won't be seriously hit by security issues, but will suffer a few minor embarrassments which will be trumped up in the press. The Mac application space will come under attack. On the other hand, Apple doesn't look ready for a security war, and will muff it, regardless. Welcome to the Hotel California!

10. I've predicted these before and not seen them so I'll predict them again: class action suites on security against suppliers. the perfect phish - one that includes the SSL+certs within, rather than goes around Also look for a real-time phish to defeat the two-factor authentication tools that the banks are rushing out now. In the security world, it is important to avoid the disclosure of being completely and utterly wrong; these above predictions are my way of avoiding that terrible fate. Neat, huh? On the other hand, I probably needn't have bothered. The security discipline is missing, presumed dead. Experts have hummed and hahed and shuffled feet over the mess for so long that it is now at the point where when anyone hears a so-called 'security expert' talk, they mentally discount most of what is said.

Try it! By the end of the year, I predict open derision of anyone who pretends to be a security professional. Dilbert, anyone?

11. By the end of 2006, the secure browsing system that we know and love to hate -- SSL, $30 certificates, popup madness and that sodding padlock -- will have been bypassed. By the good guys, I mean -- it's been bypassed by the bad guys for several years, already. It will no longer be part of the security model for browsing. What will become the security model will depend on what sector is doing the securing: banks will have their two-factor tokens because they were told to, smart users (and their mothers) will have their Trustbars and Petnames, smart companies will customise the above plugins, and even smarter operators will send out confirmations by email and by cell/mob

That's for the lightweight stuff. For the heavyweight stuff, look for alternate plaforms, like....

12. We'll see the much more use of two-factor authentication by cellular or mobile phone. I.e., SMS messages, or downloadable programs on phones to calculate the challenge/response. Why? Everyone's got a phone and they are a separate means of communication. (Why it's taking so long bothers me - is there something I'm missing?)

13. Unluckily for authors, artists, and blog writers, nothing much will change in DRM. Music sellers will sue file swappers, concentrating on the demographic of 12-17. File swappers will continue to swap, and learn how much better their own music is. The techniques of both sides will advance and both will be widely copied and nobody will make any money. My bulls here are courtesy images.google.com, and if I made any money from this blog, I'd be one sorry matador. Some time around 2007, all IP owners will realise they cannot win this war, and all swappers will get religious about DRM. A papal bull will be issued and a property love-in will ensue. Nobody will fight over the rights for the book, musical, philosophical or TV. By then we will have worked out the killer rights paradigm - convenience.

Hopefully we will be invited back for the love-in. Merry Xmas, Happy New Year, Season's Greetings, and may your packets move at Kelvin speed. I wish you a happy Year of the Bull.

---

Some other predictions:

• Matasano

Sighting of near-extinct beast - the profitable crypto attacker

Regular readers know that I frequently stress that many threats are unvalidated in that they derive from a textbook or a security salesman's hyperactive imagination. So it behoves to collect data on what are validated threats. In what might be a first and is certainly an event of rarity, we now have a report that indicates two cryptosystems that were breached in an attack of value.

The first looks like a classical insider attack against a digsig system by tricks that bypassed the checking of the signatures by switching their need off.

It is the second one that is of more interest as it looks like a direct attack on the encryption system, rather than a bypass attack.

E-Hijacking new threat to trucking

by Sean Kilcarr, senior editor - Nov 3, 2005 4:02 PM

WASHINGTON D.C. The growing use of telematics for both gathering truck performance data and for sending and receiving shipping documents also exposes trucking to a new form of crime called "e-hijacking."

At a special trucking safety and security seminar hosted by law firm Patton Boggs LLP here in the nation's capital, Stephen Spoonamore, CEO of data security consulting firm Cybrinth, gave examples of recent e-hijacking events to illustrate why data security in trucking needs tightening.

He pointed to the supposed loss of 3.9-million banking records stored on computer backup tapes that were being shipped by UPS from New York-based Citigroup to an Experian credit bureau in Texas. "These tapes were not lost - they were stolen," Spoonamore said. "Not only were they stolen, the theft occurred by altering the electronic manifest in transit so it would be delivered right to the thieves." He added that UPS, Citigroup, and Experian spent four days blaming each other for losing the shipment before realizing it had actually been stolen.

Spoonamore, a veteran of the intelligence community, said in his analysis of this e-hijacking, upwards of 15 to 20 people needed to be involved to hack five different computer systems simultaneously to breach the electronic safeguards on the electronic manifest. The manifest was reset from "secure" to "standard" while in transit, so it could be delivered without the required three signatures, he said. Afterward the manifest was put back to "secure" and three signatures were uploaded into the system to appear as if proper procedures had been followed.
"What's important to remember here is that there is no such thing as 'security' in the data world: all data systems can and will be breached," Spoonamore said. "What you can have, however, is data custody so you know at all times who has it, if they are supposed to have it, and what they are doing with it. Custody is what begets data security."

Another case involved a fleet of 350 trucks shipping hazardous materials using telematics to download and track vehicle operating data in real-time - monitoring engine speed, hard braking events, etc.

Spoonamore said the data streams coming from those vehicles only used a basic level of encryption - codes broken by what he called an "enterprising" local law firm that proceeded to download four months of operating data on each truck - especially the actual road speed of each truck over that period, down to the decimal point. The law firm then sued the trucking company for speeding violations, using the carrier's own telematics data against it.

"[Telematics] can tell you at 2 a.m. precisely where your truck is - but do you know where your data is at that time? That's why you can't totally trust your computer anymore," Spoonamore cautioned.

Note the difference between the two: the hackers in the first had to expose themselves to significant costs to attack the system; this is in accordance with the goal of the security, being to raise the costs of the attack. In the second, once cracked, the costs of the attack were fairly minimal and there was little exposure. So much so that the attacker successfully entered court and displayed all!

Other bloggers have picked it up (EC pointed to Bruce Schneier). Chris Walsh quite correctly points out it is uncorroborated, and the notion of an insider attack involving 15-20 people has to be treated with care if not outright suspicion. Still, something happened, and this is one to watch in our developing threat scenario.

Maybe we can now start a count of how many times the crypto is attacked!

Addendum:I incorrectly attributed the comments above to Adam, it was Chris who posted over on Emergent Chaos.

Who v. Who - more on the dilemma of the classical attacker

In the military they say no plan survives the first shot, and call this aptly "the fog of war." The best laid plans of the security industry and various parliaments (US Congress, the European Union, etc) are being challenged in war as in music. Now comes news that one DRM supplier is threatening to reverse-engineer the DRM of another supplier.

A company that specializes in rights-management technology for online stores has declared its plans to reverse-engineer the FairPlay encoding system Apple uses on iTunes Music Store purchases. The move by Cupertino-based Navio Systems would essentially break Apple’s Digital Rights Management (DRM) system in order to allow other online music retailers to sell downloads that are both DRM-encoded and iPod-compatible by early 2006.

“Typically, we embrace and want to work with the providers of the DRM,” said Ray Schaaf, Navio’s chief operating officer. “With respect to FairPlay, right now Apple doesn’t license that, so we take the view that as RealNetworks allows users to buy FairPlay songs on Rhapsody, we would take the same approach.”

In 2004, after unsuccessfully courting Apple to license FairPlay, RealNetworks introduced its Harmony technology, which allowed users to buy music from online sources other than the iTunes Music Store and transfer it to their iPod. RealNetworks’ move was then denounced by Apple as adopting “the tactics and ethics of a hacker to break into the iPod.” In December of 2004, Apple shot back by releasing an iPod software update that disabled support for RealNetworks-purchased songs.

I forgot to add: This trend is by no mean isolated, as pointed to by Adam. Here's an account of AOL inserting capabilities into our computers. I noticed this myself, and had to clean out these bots while making a mental note to never trust AOL with any important data or contacts.

Big mistake. That was my list, not AOL's. They've violated my personal space. By doing this they've demonstrated that my data — my list of contacts — can be tampered with at their whim. I have to wonder what comes next? Can my lists be sold, or mined for more data? Will they find out if my buddies purchase something online and then market that thing to me, on the assumption that I share mutual tastes? Just what is AOL doing with my data?

Security is failing - more evidence from Sony

In the fall-out from the Sony root-kit affair, here's an interesting view:

Sony Rootkits: A Sign Of Security Industry Failure?

Nov. 18, 2005 By Gregg Keizer TechWeb News

One analyst wonders why it took so long to catch onto Sony's use of rootkits on CDs and whether customers may have a false sense of security.

Sony's controversial copy-protection scheme had been in use for seven months before its cloaking rootkit was discovered, leading one analyst to question the effectiveness of the security industry.

"[For] at least for seven months, Sony BMG Music CD buyers have been installing rootkits on their PCs. Why then did no security software vendor detect a problem and alert customers?" asked Joe Wilcox, an analyst with JupiterResearch.

"Where the failure is, that's the question mark. Is it an indictment of how consumers view security software, that they have a sense of false protection, even when they don't update their anti-virus and anti-spyware software?

"Or is it in how data is collected by security companies and how they're analyzing to catch trends?"

Ouch! I wondered before who was attacking who, but this is a good point that goes further. Why didn't anti-virus programs detect the attack from Sony? We rely on the anti-virus sellers in the Microsoft field to protect from the weakness of the underlying OS.

It shouldn't be a surprise to discover that there is some form of selective detection going on in the Microsoft security world - the rest of the article identifies that their source of information is problem reports, honeynets, and a vague but interesting comment:

"Frankly, we were busy looking for where the [spyware] money was going," said Curry. "We weren't looking at legitimate industries."

This is probably as it should be. Microsoft creates the vulnerabilities and the rest of the industry follows along cleaning up. It isn't possible to be more than reactive in this business, as to be proactive will lead to making mistakes - at cost to the company selling the security software. So companies will routinely promise to clean up 100% of the viruses on their list of viruses that they clean up 100% of.

(Note that this still leaves the cost of missed attacks like the Sony rootkit, but that is borne by the user, a problem for another day.)

The next interesting question is whether Sony, or the inevitable imitators that come along, are going to negotiate a pass with the anti-virus sellers. That is, pay blood money to anti-virus scanners for their rootkit. In the spam world, these are called "pink sheets" for some obscure reason. Will an industry in acceptable, paid for attacks on Microsoft's OS spring up? Or has it already sprung up and we just don't know it?

If so, I'd have to change the title of this rant to "Security is getting more economic..."

Addendum:

• Also see Adam's musings on "why we don't seen more of these things."


• Bruce's column for wired covers much the same ground as the article above (and a day earlier) and also poses similar questions to mine above. A good summary and lots of other links.

anti-forensics - why do vapourware security tools sell so well?

Hagai Bar-El points to a paper on the market for anti-forensic tools - ones that wipe your tracks after you've done your naughty deed.

I have just enjoyed reading "Evaluating Commercial Counter-Forensic Tools" by Matthew Geiger from Carnegie Mellon University. The paper presents failures in commercially-available applications that offer covering the user's tracks. These applications perform removal of (presumably) all footprints left by browsing and file management activities, and so forth. To make a long story short: seven out of seven such applications failed, to this or that level, in fulfilling their claims. ...

The next thing I was wondering about is how come these products sell so well, given that they do not provide what they state they do, in a way that is sometimes so evident.

I think a partial answer to why these things sell so well might be found in the debate about security as viewed as a market in insufficient information. It has been suggested that security is a market for lemons (one where the customer does not know the good from the bad) but I prefer to refer to security as a market for silver bullets (one where neither the customer nor the supplier know good from bad).

Either way, in such insufficient markets, the way sales arise is often quite counter intiutive. In a draft paper (html and PS), I make the claim that sales in the market for security have nothing to do with security, but are driven by other factors.

So, once we appreciate that disconnect in the market, it's quite easy to prediuct that vapourware sells better than real product, because the real product has higher costs which means less marketing. All other things being equal of course.

Another partial answer is that the bad guys that do need to evade the FBI (and competitors) will know the score. They also know something that shows them
to be generally astute: they generally mistrust privacy-oriented technology as being fraudulent in claims because it can't be easily checked up on. So sales of products will tend to go to people who believe claims - being those who actually have no strong reason to rely on the claims.

Breaking Payment Systems and other bog standard essentials

Many people have sent me pointers to How ATM fraud nearly brought down British banking. It's well worth reading as a governance story, it's as good a one as I've ever seen! In this case, a fairly bog standard insider operation in a major brit bank (not revealed but I guess everyone knows which one) raided some 2000 user accounts and probably more. They did all this through the bank's supposedly fool proof transaction system, and the bank aided and abetted by refusing to believe there was an issue! Further, given the courts willingness to protect the banks' secrecy, one can say that the courts also aided and abetted the crooks.

This is the story of how the UK banking system could have collapsed in the early 1990s, but for the forbearance of a junior barrister who also happened to be an expert in computer law - and who discovered that at that time the computing department of one of the banks issuing ATM cards had "gone rogue", cracking PINs and taking money from customers' accounts with abandon.

This is bog standard. Once a system grows to a certain point, insider fraud is almost a given, and it is to this that the wiser FCer turns. As I say, this is a must-read, especially if you are new to FC. Here's news for local currency pundits on how easy it is to forge basic paper tokens.

In a world of home laser printers and multimedia PCs, counterfeiting has become increasingly easy. With materials available at any office supply store, those with a cursory knowledge of photo-editing software can duplicate the business-card-size rewards cards once punched at Cold Stone Creamery or the stamps once given out at Subway sandwich sho........

Steven Bellovin reports that Skype have responded to criticisms over their "secret cryptoprotocol."

Skype has released an external security evaluation of its product; you can find it at http://www.skype.com/security/files/2005-031%20security%20evaluation.pdf (Skype was also clueful enough to publish the PGP signature of the report, an excellent touch -- see http://www.skype.com/security/files/2005-031%20security%20evaluation.pdf.sig) The author of the report, Tom Berson, has been in this business for many years; I have a great deal of respect for him.

--Steven M. Bellovin, http://www.cs.columbia.edu/~smb

Predictibly, people have pored over the report and criticised that, but most have missed the point that unless you happen to have an NSA-built phone on your desk, it's still more secure than anything else you have available. More usefully, Cubicle reports that there is an update to Skype that repairs a few bugs. As he includes some analysis of how to exploit and create some worms... it might be worth it to plan on updating:

The Blackhat in me salivates at the prospect. It’s beautiful security judo, leveraging tools designed to protect confidentiality (crypto) and Availability (peer-to-peer) to better hide my nefarious doings. Combine it with a skype API-based payload and you’ve got a Skype worm that can leverage the implicit trust relationship of contact lists to propagate further, all potentially wrapped inside Skype’s own crypto.

Too bad the first that most of Skype’s 60 million-and-growing users will ever hear of it will be after someone who does pay attention to these sorts of things decides they want to see if it’s possible to create a 60-million node botnet or retire after making The One Big Score with SkypeOut and toll fraud.

Hey Skype, Ignoring Risk is Accepting Risk–NOT Avoiding it. Put this on your main page while upgrading is still prevention rather than incident response.

A little hyperventilated, but consider yourself in need of a Skype upgrade.

Phishing in Pogo's Swamp

This week's phishing roundup starts with (thanks Lynn) sighting of a HTTPS phish. The attacker used a self-signed cert, and as we know browsers commonly fall to self-signed MITMs because of the popup madness ...

A new, advanced form a phishing dubbed "secured phishing" because it relies on self-signed digital certificates, can easily fool all but the most cautious consumers, a security firm warned Thursday.

Browser manufacturers were warned of the problem, were told how to fix it, and even given fine demos. Opera reports that it has made its browser ad-free. Welcome, but I continue to be confused about Opera's security - they claim:

Already regarded as the world's fastest, most secure browser, Opera speeds up your Web browsing with these innovative features: ...

Protect against identity theft and phishing with integrated security features

yet looking at the screen shots on the page it seemed very much like last time I looked - underwhelming. Opera practically haven't updated their security beyond the default Netscape model of 1995, so to say it's the world's most secure browser is just marketing hype; it seems more to me that Opera is fighting with other browser manufacturers for the award of "browser least responsive to user security needs."

Meanwhile, evidence is beginning to accrue that the US (at least, the non-techie part) is starting to take the issue seriously, and americans do not like what they find...

Adam reports on 'the story of a mother whose child was stillborn, and her inability to get the marketing to stop, from "A Lost Baby, and the Pain of Endless Reminders in the Mail," in the New York Times.'

My first reaction was shock, then anger. Why did the baby formula company have her due date? I had shared our baby's due date with only two businesses: my health insurance company and a Web site for expectant and new parents. When I registered to enter the Web site, I specifically requested that it not share my information with third parties.

And also on how mandatory ID cards will make for yet another database full of SSNs as yet another aid to identity theft. Good stuff. There are now a steady stream of reports of surveys that suggest that Americans will leave their banks if they get hit by identity theft. Glenbrook points at EDS slams banking security - Financial Services

Gartner suggests that this is part of a $50bn problem. When they numbers get that big it makes for a lot of difficulty rationalising them ("oh, it's less than Katrina, so that's ok?") but a careful reading doesn't seem to challenge the overall level of phishing at about a $1bn problem. It might have stabilised at this point.

Litan said that banks in Britain were far better at sharing information and working with each other to minimise exposure to this kind of fraud. The incentive to sign up new customers is great in Europe but in the US it's even more pronounced because banks send out 1,937 pieces of marketing information for every new sign-up. "The goal is getting new customers and banks are not that hungry about eating into fraud," she said.

Here's an article that reminds us that there are two problems, not just one (the Microsoft PC is woefully infected with viruses and keyloggers and other malware, as well as your browser's inability to tell you who you are talking to...)
"Tremendous growth of cybercrime, report says." I'd remind them not to forget that online banks aren't that secure themselves... but it seems that banks also have other problems to deal with (Perfect Storm).

And to wrap up, (Adam again reports) chat of the underlying systemic issue - if you trade data like it was property, then you might not want to include your identity in the catalogue.

''As an aside [writes Chapell], some might argue that there's little distinction between "evil doer" and "data broker". I prefer to view the latter as the poster children for another unregulated industry that is screaming for the Government to step in. ... Of course, the trouble with choking off data flow is that it tends to be contrary to the concept of a free society. And since none of us seem to want to live under an EU privacy regime, then what's a privacy conscious American to do?''

First, [writes Adam]I think that Chapell is spot on here: The gossip-mongers would love to trade higher costs in the form of regulation for limits on their liability and high barriers to entry.

Second, the industry relies heavily on government subsidies, in the form of social security numbers, and data collected under threat of legal penalties. (Like the property registers in the article Chapell quotes, or DMV records, or voting lists.) In a free society, I can choose to be known by whatever name I like. That is a right long established in the common law. We can impose regulations on the product of government action without making ourselves less free.

We have met the enemy, and he is us. For those readers who aren't American, Pogo's comment is a famous comic line from the 60s and inspires today's roundup.

RSA keys - crunchable at 1024?

New factoring hardware designs suggest that 1024 bit numbers can be factored for $1 million. That's significant - that brings ordinary keys into the reach of ordinary agencies.

If so, that means most intelligence agencies can probably already crunch most common key sizes. It still means that the capability is likely limited to intelligence agencies, which is some comfort for many of us, but not of comfort if you happen to live in a country where civil liberties are not well respected and keys and data are considered to be "on loan" to citizens - you be the judge on that call.

Either way, with SHA1 also suffering badly at the hands of the Shandong marauders, it puts DSA into critical territory - not expected to survive even given emergency surgery and definately no longer Pareto-complete. For RSA keys, jump them up to 2048 or 4096 if you can afford the CPU.

Here is the source of info, posted by Steve Bellovin.

Open to the Public

DATE: TODAY * TODAY * TODAY * WEDNESDAY, Sept. 14 2005
TIME: 4:00 p.m. - 5:30 p.m.
PLACE: 32-G575, Stata Center, 32 Vassar Street
TITLE: Special-Purpose Hardware for Integer Factoring
SPEAKER: Eran Tromer, Weizmann Institute

Factoring of large integers is of considerable interest in cryptography and algorithmic number theory. In the quest for factorization of larger integers, the present bottleneck lies in the sieving and matrix steps of the Number Field Sieve algorithm. In a series of works, several special-purpose hardware architectures for these steps were proposed and evaluated.

The use of custom hardware, as opposed to the traditional RAM model, offers major benefits (beyond plain reduction of overheads): the possibility of vast fine-grained parallelism, and the chance to identify and exploit technological tradeoffs at the algorithmic level.

Taken together, these works have reduced the cost of factoring by many orders of magnitude, making it feasible, for example, to factor 1024-bit integers within one year at the cost of about US$1M (as opposed to the trillions of US$ forecasted previously). This talk will survey these results, emphasizing the underlying general ideas.

Joint works with Adi Shamir, Arjen Lenstra, Willi Geiselmann, Rainer Steinwandt, Hubert K?pfer, Jim Tomlinson, Wil Kortsmit, Bruce Dodson, James Hughes and Paul Leyland.

Some other notes:

http://www.keylength.com/index.php
http://citeseer.ist.psu.edu/287428.html

Spooks' corner: listening to typing, Spycatcher, and talking to Tolkachev

A team of UCB researchers have coupled the sound of typing to various artificial intelligence learning techniques and recovered the text that was being typed. This recalls to mind Peter Wright's work. Poking around the net, I found that Shamir and Tromer started from here:

Preceding modern computers, one may recall MI5's "ENGULF" technique (recounted in Peter Wright's book Spycatcher), whereby a phone tap was used to eavesdrop on the operation of an Egyptian embassy's Hagelin cipher machine, thereby recovering its secret key.

I haven't _Spycatcher_ to hand, but from memory the bug was set up by fiddling the phone in the same room to act as a microphone, and the different sounds of the typewriter keys hitting being pressed on the cipher machine were what allowed the secret key to be recovered. Here's some more of Wright's basic techniques:

One of Peter Wright's successes was in listening to (i.e. bugging) the actions of a mechanical cipher machine, in order to break their encryption. This operation was code-named ENGULF, and enabled MI5 to read the cipher of the Egyptian embassy in London at the time of the Suez crisis. Another cipher-reading operation, code-named STOCKADE, read the French embassy cipher by using the electro-magnetic echoes of the input teleprinter which appeared on the output of the cipher machine. Unfortunately, Wright says this operation "was a graphic illustration of the limitations of intelligence" - Britain was blocked by the French from joining the Common Market and no amount of bugging could change that outcome.

Particularly interesting is MI5's invention code-named RAFTER, which is used to detect the frequency a radio receiver is tuned to, by tracing emissions from the receiver's local oscillator circuit. RAFTER was used against the Soviet embassy and consulate in London to detect whether they were listening in to A4-watcher radios. Wright also used this technique to try to track down Soviet "illegals" (covert agents) in London who received their instructions by radio from the USSR.

Unlike Wright's techniques from the 60s, the UCB team and their forerunners have the ability to couple up their information to vastly more powerful processing (Ed Felton comments, the paper and pointer from Adam). They manage to show how not only can the technique extract pretty accurate text, it can do so after listening to only 10-15 minutes of typing without prior clues.

That's a pretty impressive achievement! Does this mean that next time a virus invades your PC, you also need to worry about whether it captures your microphone and starts listening to your password typing? No, it's still not that likely, as if the audio card can be grabbed your windows PC is probably "owned" already and the keyboard will be read directly. Mind you, the secure Mac that you use to do your online banking next to it might be in trouble :-)

While we are on the subject, Adam also points at (Bruce who points at) the CIA's Tolkachev case, the story of an agent who passed details on Russian avionics until caught in 1985 (and executed a year later for high treason).

The tradecraft information in there is pretty interesting. Oddly, for all their technical capability the thing that worked best was old-fashioned systems. At least the way the story reads, microfilm cameras, personal crypto-communicators and efforts to forge library passes all failed to make the grade and simpler systems were used:

In November 1981, Tolkachev was passed a commercially purchased shortwave radio and two one-time pads, with accompanying instructions, as part of an "Interim-One-Way Link" (IOWL) base-to-agent alternate communication system. He was also passed a demodulator unit, which was to be connected to the short wave radio when a message was to be received.

Tolkachev was directed to tune into a certain short wave frequency at specific times and days with his demodulator unit connected to his radio to capture the message being sent. Each broadcast lasted 10 minutes, which included the transmission of any live message as well as dummy messages. The agent could later break out the message by scrolling it out on the screen of the demodulator unit. The first three digits of the message would indicate whether a live message was included for him, in which case he would scroll out the message, contained in five-digit groups, and decode the message using his one-time pad. Using this system, Tolkachev could receive over 400 five-digit groups in any one message.

Tolkachev tried to use this IOWL system, but he later informed his case officer that he was unable to securely monitor these broadcasts at the times indicated (evening hours) because he had no privacy in his apartment. He also said that he could not adhere to a different evening broadcast schedule by waiting until his wife and son went to bed, because he always went to bed before they did.

As a result, the broadcasts were changed to the morning hours of certain workdays, during which Tolkachev would come home from work using a suitable pretext. This system also ran afoul of bad luck and Soviet security. Tolkachev's institute initiated new security procedures that made it virtually impossible for him to leave the office during work hours without written permission. In December 1982, Tolkachev returned his IOWL equipment, broadcast schedule, instructions, and one-time pad to his case officer. The CIA was never able to use this system to set up an unscheduled meeting with him.

Sounds like a familiar story! The most important of Kherchkoffs' 6 laws is that last one, which says that a crypto-system must be usable. The article also describes another paired device that could exchange encrypted messages over distances of a few hundred metres, with similar results (albeit with some successful message deliveries).

New Threats on the Airwaves

From the "why won't wireless show me an MITM" department, Risks advises of these new threats to consider to your secure phone app:

"Andre Kramer" ... Thu, 18 Aug 2005 11:31:28 +0100

The Cambridge Evening News reported yesterday ("Phone Pirates in seek and steal mission" 17th August 2005) that several laptop computers have been stolen from car boots (automobile trunks for US readers) in Cambridge (UK). The article claimed that "Bluetooth" was used to detect the laptops presence. While the thefts appear related, the claimed modus operanti seems unlikely as short range wireless would be inactive unless the laptops were powered on (to be fair, the article also mentioned "other electronics"). The risk: thinking your devices are safe in the car boot when they don't have wireless.

Makes sense. Closing the top of a laptop may not have closed off Bluetooth. Or, it might be easy to construct something that otherwise sniffs laptops in power saving mode. Lead-lined laptop bags, anyone?

And, taking the shine off the cell/mobile phone as the ultimate in secure platforms, consider just how much a peeping tom your telco is:

Cellphone carriers can listen in through your phone?

Posted Aug 5, 2005, 10:20 AM ET by Ryan Block

We’re always a little wary of that very blurry line between protection of the general public and infringements on basic civil liberties, but it would appear that according to the Financial Times by way of the Guardian, at least one UK cellphone carrier not only has the power (and mandate) to remotely install software over the air to users’ handsets that would allow for the kind of monitoring we thought only perverts and paranoiacs had access to: picking up audio from the phone’s mic when the device isn’t on a call. While don’t think the backlash on this one has really gotten underway yet, and though we do hate to rock a cliché, we can’t help but be reminded of that classic Benjamin Franklin quote, “They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety.” What’s worse, a cellphone carrier and The Man are gonna take it from us without our permission on the sly?

Now, the big issue here is whether a telco (or any other party) can download a program to sniff out your keys. For this reason, the favoured platform is a PDA, with one and only one program on it, and no comms 'cept those we said. Anything else is a compromise, but that's ok, for those markets that can deal with the risks.

These can be considered to be an addendum to last week's wireless threats, but alas, still no MITMs recorded.

Notes on today's market for threats

A good article on Malware for security people to brush up their understanding. On honey clients Balrog writes (copied verbatim):

In my earlier post about Microsoft’s HoneyMonkey project I mentioned that the HoneyNet Project will probably latch on and develop something along the same lines.

In the meantime, I was notified of Kathy Wang's Honeyclient project and the client-side honeypots diploma project at the Laboratory for Dependable Distributed Systems at Rheinisch-Westfälische Technische Hochschule in Aachen.

From PaymentNews:

TowerGroup has announced new research examining the impact that phishing attacks may be having on fraud perpetrated at ATMs and debit POS locations that concludes that losses from fraud due to phishing runs about $81 million annually in the US.

That report is confused, it is looking at card skimming and seems to be conflating that with phishing. This may explain the lower-than-others estimate of $81m, or it may be explained by the fact that they only looked at identifiable banks' losses, not consumer losses and other costs. So I feel this number is a low outlyer, rather that really representative of phishing.

(Addendum: Having read the Tower link, I can now see that they are more just looking at the crossover from phishing to ATM Fraud,)

There is a lot of buzz on how wireless networks are being used "routinely" to attack people. So far it's all the same: the attacks are generally of access, rarely listening and no known cases of MITMs _even though they are trivial_! Here's a typical case pointed out by Jeroen from El Reg where the attack is misrepresented as a bank hack over wireless:

The data security chief at the Helsinki branch of financial services firm GE Money has been arrested on suspicion of conspiracy to steal €20,000 from the firm's online bank account. The 26 year-old allegedly copied passwords and e- banking software onto a laptop used by accomplices to siphon off money from an unnamed bank.

"Investigators told local paper Helsingin Sanomat that the suspects wrongly believed that the use of an insecure wireless network in commission of the crime would mask their tracks. This failed when police identified the MAC address of the machine used to pull off the theft from a router and linked it to a GE Money laptop. Police say that stolen funds have been recovered. Four men have been arrested over the alleged theft with charges expected to follow within the next two months. ®

Now, we have to read that fairly carefully to figure out what happened, and the information is potentially unreliable, but here goes. To me, it looks like the perpetrator stole the passwords from the inside and then used a wireless connected laptop (in a cafe?) to empty the account. So this is an inside job! The use of the wireless was nothing more than a forlorn hope to cover tracks and is totally incidental to the nature of the crime.

(Also, it doesn't say much for the security at GE Money ... "Maybe they should have employed a CISP" ... or whatever those flyswatter certifications are called.)

Addendum See here for some new wireless threats.

The Phishing Borg - now absorbing IM, spam, viruses, lawyers, courts and you

Dramatic increase in threats to IM (instant messaging or chat) seen as the IMLogic Threat Center reports a 28 times increase over the last year.

Right on cue. Meanwhile, new tool to download for your browser shows that independent researchers at Stanford know where to put the protection: Spoofguard detects and warns against phishing, and PwdHash augments the password calculation to make each transmitted password site-dependent.

Good stuff guys! We need to induct you into the anti-fraud coffee room before you get swallowed up by the anti-borg of secret committees in smoke-filled rooms.

And in Korea is looking to legalise class-action suits in cases where small losses make it uneconomic for victims to punish negligent providers.

Much as I wonder if class action suits aren't a net loss to society and shouldn't be treated within the threat model rather than the security model, they do seem to be the only non-technical defence that suppliers will listen to. Such suits and others by regulators are filed against data providers (and losers), banks and Microsoft on various causes. Nobody has yet pinned one directly on phishing, but I give it a better than evens chance that it will be tried on the banks, and then on the software suppliers.

Although it is hard to decipher, a new report from IBM reports that spam is down from 83% of all email to 67% in June. That's the "good news." The bad news is that it's almost certainly because phishing and viruses have skyrocketed even this year, with IBM reporting that phishing has now reached around 20% and viruses around 4% of all email. The article is ridiculously muddled in its use of numbers, but I make that around a 91% garbage rate in email.

This to my mind confirms predictions made here that phishing is still the #1 threat to email (by value!), browsing and Internet commerce; viruses are now economically being driven by phishing; and email is dying under the one-two punch of spam and phishing.

Is phishing and related fraud becoming the #1 threat to the net, or is it already there?

George's story - watching my Ameritrade account get phished out in 3 minutes

On the morning of May 5 2005, I decided to work from home [writes George Rodriguez in a great expose of how phishing is spreading through American retail finance].

As I'm checking emails I start receiving email notifications from my on-line broker Ameritrade. The email notifications kept coming one after the other, you just sold out of Duke, you just sold out of Home Depot, you just sold out of Ford, I watched on my screen as the flurry of emails kept coming across my screen, pretty much my entire portfolio of Stocks was being sold out right before my eyes. I took notice of the time when I received the first email confirmation, it was 9:31AM and as you know the equity market opens up at 9:30AM. My heart was racing, I was stunned and I said to myself this can be happening to me, I'm a business and technology savvy as I've worked for major investment banks and brokers as a consultant in the areas of technology trading for equity and fixed income markets.

I looked at my watch and it was now 9:34AM, it seemed like hours have gone by. I picked up the phone and called Ameritrade and spoke to a client-rep and walked him through the entire activities to my account. As I'm the phone with the client rep, I continue to get more email notifications selling out more stocks in my portfolio. I also noticed an email that was sent to me by Ameritrade, you requested and have changed your primary email address to some hotmail address I did not recognize, the interesting piece of information on the email was the time it was sent, 4:45AM. I quickly related this information to the client rep and asked him what bank information he had on file. He went on to say, you requested to have your bank account changed from Wachovia bank to Bank of America in Dallas Texas. I said well let's get on the phone with Bank of America and see who's behind the account. Well Ameritrade said we can't do that. I said wait a minute, someone is committing bank fraud, internet fraud as we speak and you can't represent me your client? No sir the client rep responded, you need to call your local authorities, you mean the Sheriff as I live out in Union County. I responded fine, well please give me the account number and routing number for Bank of America I will call them myself, oh and by the way cancel all these fraudulent trades and freeze the account, I do not want any funds to move. Luckily in the equity markets it takes three days for the trades to settle before the cash is moved out, so much for straight through processing and trying to settle and move cash on the same day, a goal the industry is trying to move towards.

My first call was to Bank of America and it took a while to get though to their fraud department and then trying to explain that it was not the Bank of America brokerage arm but my on-line broker Ameritrade where the fraudulent trades were placed. I gave the BoA fraud department the BoA account number now on file with my Ameritrade broker and they confirmed it was their account but no available information will be provided as it was not my account. Due to the Privacy Act they need it to protect their customers, who's getting protected here I said the thieves or the innocent victims. I quickly hung up the phone and called the Union County Sheriff and within 20 minutes a patrol car was at my driveway, a bit weird for white collar crime but nevertheless a police report was in order. I greeted the officer, we sat in my office and I gave him copies of all the emails, Ameritrade and bank information for him to follow up with all parties. He said, love to help you but after I finish typing this up I will turn it over to the detective and someone will be in touch with you. I did receive a police report number right away from him. As soon as the police officer left I filed a complaint with the Federal Trade Commission and an electronic identity theft report with the FBI. I got a call back from the detective on Monday May 9, and we discussed the details of the fraudulent activities.

I can't imaging what would have happened if I was away on vacation and had no access to email for several days, over $50,000 would have left my Ameritrade brokerage account and moved out to the fraudulent Bank of America account which I'm sure would have been cleaned out right away. I'm sure I can't be the only one who has had this problem as these on-line brokers have millions of accounts. I'm not sure how my userid and password were stolen, perhaps it is an inside job, my account is a passive account as I only logged every six to eight weeks to check the account, I don't day trade anymore since the dot.com crash. But another scenario can be I was hacked on my home computer as I have timewarner road runner and a wireless network. I run Norton Anti-Virus on my machines but unfortunately I don't have a secured firewall running, again I'm not sure how secure these products can safe proof your computer. I'm now waiting for the local authorities, the FBI, Ameritrade and Bank of America to provide me with information on how and who is behind this attack.

George Rodriguez
Waterstone Capital Advisors
Partner
Email: george.rodriguez at waterstonecap.com

Google payment system confirmed - let the trimming of tall poppies begin

Google confirms they are doing a payment system. It may be like Paypal's but I wouldn't bet on it. Google claims it will be unlike. Either way a new sport is about to erupt in the payments systems world - sniping at Google's payments system.

Let's just be clear about this - it already has a name, it's called chopping down the tall poppies. This is a game of envy and spite. It comes because a successful player uses its money and muscle to take on a new field in which others have failed, when all the smart people knew how to get in there but couldn't muster that money and muscle (in this case, I'm referring to cognitive muscle as well as user base muscle).

It's going to happen so get used to it, guys. I'll go first: I'll bet you didn't think of this:

I was opening up my almost brand new Dell 600m laptop, to replace a broken PCMCIA slot riser on the motherboard. As soon as I got the keyboard off, I noticed a small cable running from the keyboard connection underneath a piece of metal protecting the motherboard.

I figured "No Big Deal", and continued with the dissasembly. But when I got the metal panels off, I saw a small white heatshink-wrapped package. Being ever-curious, I sliced the heatshrink open. I found a little circuit board inside.

Being an EE by trade, this piqued my curiosity considerably. On one side of the board, one Atmel AT45D041A four megabit Flash memory chip.

On the other side, one Microchip Technology PIC16F876 Programmable Interrupt Controller, along with a little Fairchild Semiconductor CD4066BCM quad bilateral switch.

Looking further, I saw that the other end of the cable was connected to the integrated ethernet board.

What could this mean? I called Dell tech support about it, and they said, and I quote, "The intregrated service tag identifier is there for assisting customers in the event of lost or misplaced personal information." He then hung up.

A little more research, and I found that that board spliced in between the keyboard and the ethernet chip is little more than a Keyghost hardware keylogger.

The reasons Dell would put this in thier laptops can only be left up to your imagination. It would be very impractical to hand-anylze the logs, and very CPU-intensive to do so on a computer for every person that purchased a dell laptop. Why are these keyloggers here? I recently almost found out.

I called the police, as having a keylogger unknown to me in my laptop is a serious offense. They told me to call the Department of Homeland Security. At this point, I am in disbelief. Why would the DHS have a keylogger in my laptop? It was surreal.

So I called them, and they told me to submit a Freedom of Information Act request. This is what I got back:

Google are entering into the payments system world at a dangerous time. This could be a unique time in the history of payments systems, simply because all those theoretical threat models that we have all trained with, sweated over and loved for a decade or more, now, are coming true. There's one you'll have to deal with, and you won't have the luxury of saying "oh, that's not our problem" this time.

This change has occurred in these pages mostly under the cover of a runctous attack on the idle ostriches of the browser world. Phishing is just the headline, but the real story is that there is now an industrial scale threat to payment systems. Some very few engineers know how to deal with these threats on a real basis - primarily those grounded in European banking experience - but for the most part a lot of the payments systems are learning the hard way right now.

For google, the lessons will be different. There will be no breathing space, no easy ramp up to the critical mass. It is I predict highly likely that from day one, attention will bear down on them from the phishing attackers. I suspect google will weather the security storm, but that's only a guess. The problem here is that there is a difference between facing statistical or safety threats and the aggressive crook. Security goods are different because they have an unruly third party in the transaction.

It will also shoot all the profitability figures to outhouse. Because the attacks will take up a larger support component per transaction than expected then there will be only a loss-leader rationale for the payments system for many a year. I would still do it, but I'm a strategic kinda guy, still if google are in this for anything but the long term, save yourselves the trouble and exit stage left now. Or cull your team of short term thinkers.

(There is a perfect face-saving way out, but it'll cost the price of a Dell *equivalent* laptop ;-) )

(Expect Dell laptops to drop like a stone if this pans out...)

(Expect all hell to break loose if this is true...)

(Are we living in interesting times again?)

(But even if not true, it's the perfect description of a "today" threat model!)

(Looks like we have confirmation ... see comments below!)

A shortcut for bootstrapping trust

From the light-hearted threats department, Mark points to an article on how to bypass trusting defences.

Scientists develop revolutionary 'trust spray'

MICHAEL BLACKLEY

A REVOLUTIONARY nasal spray could have the power to make a person more trusting, scientists have found.

Experiments show that after a few squirts of a spray containing the hormone oxytocin, humans were significantly more trusting. It has even been suggested that the spray could be used as a therapy for trust-diminishing conditions, such as autism or some social phobias.

The research, carried out by a team of American and Swiss scientists and published in today’s issue of Nature, showed that after using the spray, volunteers became more willing to risk losing money to a stranger.

One of the scientists who worked on the project, Dr Michael Kosfeld, of the University of Zurich, said those who had sniffed oxytocin gave away their money much more easily. He also said animal studies had proved that oxytocin takes away the unwillingness to approach strangers. "It helps animals approach one another - which is a parallel with trust in our game," he said. "In companion with psychotherapy it could have a positive effect."

Oxytocin has traditionally been seen as a "love hormone", and is released during orgasm. It has also been proved to be released when cuddling or touching takes place, and women release it when in labour and during breastfeeding.

The idea that it could be released when people express feelings of trust was first raised in 2003, but this research is the first attempt to show that increasing the amount of the hormone present in the body could directly influence the extent that one person trusts another.

Antonio Damasio, a neurologist at the University of Iowa, who reviewed the experiments for Nature, believes the findings could be significant scientifically. He said:

"Some may worry about the prospect that political operators will generously spray the crowd with oxytocin at rallies of their candidates.

"The scenario may be rather too close to reality for comfort, but those with such fears should note that current marketing techniques - for political and other products - may well exert their effects through the natural release of molecules such as oxytocin in response to well-crafted stimuli."

However, the idea that it could be used to help autism was met with scepticism by the National Autistic Society. A spokeswoman said: "The outcome of any approach will depend on the needs of the individual, which vary greatly, and the appropriate application of the intervention."

Addendum Zooko recommends Neuromarketing: Peeking Inside the Black Box

Industrial Espionage using Trojan horses

One of the things that bedevils financial cryptography is not knowing just what crimes are for real and what crimes are fantasy. Amir points to a developing scandal in Israel over a threat that has been predicted for yonks but rarely if ever seen. In a fairly massive sweep, the Israeli police have picked up dozens of CEOs and PIs involved in what they claim is an organised industrial espionage ring.

It comes down to one Trojan horse writer who targetted the wrong couple - the parents of his ex-wife! When the parents found pages of their book on the Internet, they called the police, who found the Trojan. This led them to the author, their ex son-in-law, and from there to three private investigation firms that had contracted his services. And of course, to *their* customers...

It's got intrigue, public personalities, jilted husbands and good old scary FUD words like Trojan horse. As Amir suggests, the film rights are probably worth a bit!

Court remands top Israeli execs in industrial espionage affair

By Roni Singer, Haaretz Correspondent and Haaretz Service

The Tel Aviv Magistrate's Court Monday remanded several people from some of Israel's leading commercial companies and private investigators suspected of commissioning and carrying out industrial espionage against their competitors, which was carried out by planting Trojan horse software in their competitors' computers.

Uzi Mor, CEO of Mayer and his deputies Avner Kez and Or Schachar, Moriah Katriel, financial vice president of Yes as well as Yoram Cohen, CEO of Hamafil were placed under an eight-day house arrest.

The court also extended by four days the remand of two private investigators suspected of carrying out the espionage.

Earlier Monday, police searched the Tel Aviv offices of Haaretz sister publication TheMarker to check for any signs of Trojan horse software infiltration on their computers.

Also on Monday, the Tel Aviv fraud squad discovered Trojan horse software in computers belonging to AMC, a company that produces transmitters for planes and unmanned aerial vehicles. The inspection found that only financial material was extracted from the computers, although the company specializes in security.

Other companies suspected of espionage include the satellite television company Yes, which is suspected of spying on cable television company HOT; cell-phone companies Pelephone and Cellcom, suspected of spying on their mutual rival Partner; and Mayer, which imports Volvos and Hondas to Israel and is suspected of spying on Champion Motors, importer of Audis and Volkswagens. Spy programs were also located in the computers of major companies such as Strauss-Elite, Shekem Electric and the business daily Globes.

The case took a twist, when Bezeq - parent company of two of the companies suspected of the espionage - revealed that it too was apparently among the victims. Police now suspect that Cellcom cellular networks commissioned the spying against Bezeq.

This suspicion was strengthened when internal documents belonging to Bezeq were found in the drawers of senior executives at Cellcom. The name of the CEO of Cellcom, "Peterburg" was written on some of the documents. However, the police did not have decisive evidence Monday that the documents were obtained through Trojan horse software, and hence did not summon CEO Itzhak Peterburg for questioning under caution. Instead, Peterburg was only asked to give a testimony.

When, in the testimony he gave Sunday, Peterburg was asked why his name appeared on the classified documents of a competing company, he answered that he does not know.

A statement from the police said, "It's hard to believe that top executives at these companies don't know what is happening. Even if a security department manager requested the material of the competitor, it reached the CEO, and therefore it's clear to us that the CEOs can absolutely guess how the it was obtained."

Police said they intended to ask for the extension of the remand of several private investigators. But all of the executives in the involved companies will released to their homes under restricting conditions, police said.

Police are currently investigating several other companies that may have been involved in the affair, which was under a court gag order until Sunday.

The Trojan horse software program allows the person who plants it to track all activity conducted via the "victim's" computer and even to seize control of the computer. Police suspect that this program was employed by three private investigation agencies to conduct industrial espionage against their clients' commercial rivals. The software apparently enabled the PIs to obtain vast quantities of secret information from the targeted computers.

The investigation began last November, when author Amnon Jacont and his wife, Varda Raziel-Jacont, complained to the Tel Aviv police that someone had hacked into their computer and stolen information from it. They reached this conclusion after discovering that personal documents, as well as parts of a book Jacont was writing, which had thus far never left his personal computer, had been posted on the Internet. Police examined their computer and concluded that it had been infected with a Trojan horse.

Police investigators eventually determined that the program had been written by Michael Haephrati, 41, a former in-law of Varda Raziel-Jacont. Haephrati, an Israeli citizen, currently lives in Germany and England and has no previous police record.

Investigators then found that Haephrati had sold his program to three private investigation agencies: Modi'in Ezrahi, Zvika Krochmal and Pilosof-Balali. All three agencies are licensed by the Israel Justice Ministry and enjoy excellent reputations.

"The program was essentially customized for each and every one of the 'victims' that the PI agencies wanted to attack," said Chief Inspector Nir Nativ, one of the officers who investigated the case. "Haephrati adapted the software to penetrate a specific company, at the request of the PI agency's client."

For each customized program, the agencies paid Haephrati about NIS 16,000. Haephrati took care of planting the virus in the target computer, then gave the PIs a username and password that enabled them to access the program, and thereby the victim's computer.

According to Chief Superintendent Arye Edelman, head of the Tel Aviv fraud squad, which ran the investigation, Haephrati used two methods to plant his malicious software (or malware) in the target computers. One was to send it via e-mail. The other was to send a disk to the target company that purported to contain a business proposal from a well-known company that would arouse no suspicions. Then, when an employee loaded the disk to view the proposal, the Trojan horse would infect his computer.

Police eventually obtained court orders to access several FTP servers based in Israel and the United States, and then discovered tens of thousands of documents stored there that belonged to major Israeli companies, including many files labeled "internal" and "secret." For the past two weeks, police have been examining these documents to determine which companies have been victimized.

Nativ explained that even anti-virus programs cannot detect Haephrati's malware, because each is unique. Moreover, the Trojan horses were generally unwittingly introduced by company employees who inserted the infected disks, rather than "attacking" from outside, making detection even more difficult.

Police believe that industrial espionage using Haephrati's programs has been going on for at least a year and a half. But because none of the victims knew about the malware, no one ever filed a complaint with the police. Only last week did police inform the victims about the software implanted in their computers.

Police said that they are not yet able to quantify the economic damage suffered by the victims, but it appears to have been considerable -thanks both to the program's capabilities and to the sheer number of companies involved.

Last week, police finally decided to end their undercover investigation. They therefore had Haephrati and his wife, Ruti, arrested in London, with the help of Interpol and the London police. Last Thursday, Haephrati was brought to a London court for a remand hearing, and Israel has requested his extradition as soon as possible.

Two days before his arrest, police raided the three private investigation agencies suspected of using the Trojan horse program, confiscated their computers and arrested nine PIs. From Modi'in Ezrahi, they arrested CEO Yitzhak Rath plus investigators Eyal Abramowitz, Haim Zisman and Assaf Zlotovsky; from Krochmal they arrested CEO Zvika Krochmal plus investigators Ofer Fried and Alex Weinstein; and from Pilosof-Balali they arrested the joint CEOs, Eliezer Pilosof and Avraham Balali. Police also arrested the 17-year-old son of one suspect after investigators caught him trying to erase information from his arrested father's computer.

Later that week, police also arrested Shai Raz, director of Pelephone's security department and Ofer Reichman, director of Cellcom's security department.

At a remand hearing for the PIs last Wednesday, police told the Tel Aviv Magistrate's Court that the investigators are suspected of penetrating a computer for the purpose of committing a crime, making and propagating a computer virus, violating the Protection of Privacy Law, conspiring to commit a crime, wiretapping and fraud. Police also suspect the three agencies of cooperating with each other to perpetrate their industrial espionage.

Rath, like many of the others, claimed at the hearing that he had no idea he was committing a crime. "When the investigators came, I opened the safe for them and helped with the papers. We didn't know we were breaking the law."

But that did not persuade Judge Mordechai Peled, who remanded them for nine days. Peled said the evidence indicated that they not only engaged in widespread industrial espionage, but made great efforts to conceal their illegal activities.

At a separate remand hearing for three of the corporate executives, Mor, Cohen and Katriel, last Thursday, the suspects admitted to commissioning the investigations, but claimed that they had no idea the material they were being given had been obtained illegally. All stressed that their contracts with the PI agencies explicitly obligated the agencies not to violate the law.

Police argued in response that upon being given their rivals' most closely guarded internal documents, they could hardly have failed to realize that the documents were obtained illegally.

Judge Peled accepted the police's argument on this score and remanded the three executives for five days.

On Friday, two more executives, Raz and Reichman, were remanded, along with two more PIs, Roni Barhum of Modi'in Ezrahi and Yitzhak Dekel of Krochmal.

That same day, however, police encountered their first hitch: A corporate executive whom they had planned to arrest that very morning left the country. Police blame his sudden departure on a report of Haephrati's arrest that appeared in that morning's daily Yedioth Ahronoth, and was later picked up by the Globes Web site. They have therefore begun investigating both newspapers on suspicion of violating the gag order on the affair.

The next step, police sources said, is to meet with executives of the victim companies to determine whether any have recently suffered damage from rivals that could be attributed to industrial espionage. That will give them leads to other corporate lawbreakers, the sources explained.

The Crypto Wars are On/Off/On/Off...

The Brits have let out a cheer and declared the Crypto Wars over. And "we won" they say in a press release from the Foundation for Information Policy Research, according to a post on politech:

The Crypto Wars Are Over!

The "crypto wars" are finally over - and we've won!

On 25th May 2005, Part I of the Electronic Communications Act 2000 will be torn out of the statute book and shredded, finally removing the risk of the UK Government taking powers to seize encryption keys."

I don't think that's an accurate assessment. In fact I think it's dead wrong. Read on for today's news....

Over in the US there are worrying signs of more regulations coming to re-criminalise mathematics. Already, there are moves that foreign students will have to be "licensed to operate" any sensitive equipment. ISPs can now be served with spy&gag orders, sans court approval, and nobody's ever debunked the conflicts of interest that now bedevill the certificate authorities in positions of root power.

Today's news, from CACert, is that mere possession of PGP is to be taken as intent to commit a crime. "What has to be a huge blow for anyone with PGP or virtually any other encryption program on their computer, (in fact most computers these day come with cryptographic programs pre-installed). A man found guilty on child pornography related charges, was also found to have PGP software on his system and a court ruled that this was admissible as intent to commit and/or hide crimes in his case. This has huge ramifications if you are found guilty of a crime and then they find any cryptography software installed on your computer."

I hope that's wrong, Nope, it's true. And it was the Appeals Court that said it!

The general message is clear: if you think the war's over, that's because you're fighting the last war. Turn around and meet your new enemy.

PS: Then comes this new twist from Jim:

Now hackers can hold your files hostage...

By Ted Bridis

Washington - Computer users already anxious about viruses and identity
theft have a new reason to worry: hackers have found a way to lock up the
electronic documents on your computer and then demand $200 (about R1 200)
over the Internet to get them back.

Security researchers at the San Diego-based Websense uncovered the unusual
extortion plot when a corporate customer they would not identify fell
victim to the infection, which encrypted files that included documents,
photographs and spreadsheets.

A ransom note left behind included an e-mail address, and the attacker
using the address later demanded $200 for the digital keys to unlock the
files.

"This is equivalent to someone coming into your home, putting your
valuables in a safe and not telling you the combination," said Oliver
Friedrichs, a security manager for Symantec Corporation.

....

Here's the FIPR pres release, at least most of the copy I received.

Press release - Foundation for Information Policy research 

         Release time: 00.01, 25th May 2005



            The Crypto Wars Are Over!



The "crypto wars" are finally over - and we've won!

On 25th May 2005, Part I of the Electronic Communications Act 2000

will be torn out of the statute book and shredded, finally removing

the risk of the UK Government taking powers to seize encryption keys.

The crypto wars started in the 1970s when the US government started

treating cryptographic algorithms and software as munitions and

interfering with university research in cryptography. In the early

1990s, the Clinton administration tried to get industry to adopt the

Clipper chip - an encryption chip for which the government had a

back-door key.  When this failed, they tried to introduce key escrow -

a policy that all encryption systems should leave a spare key with a

`trusted third party' that would hand the key over to the FBI on

demand. They tried to crack down on encryption products that did not

contain key escrow. When software developer Phil Zimmermann developed

PGP, a free mass-market encryption product for emails and files, the

US government even started to prosecute him, because someone had

exported his software from the USA without government permission.

In its dying days, John Major's Conservative Government proposed

draconian controls in the UK too. Any provider of encryption services

would have to be licensed and encryption keys would have to be placed

in escrow just in case the Government wanted to read your email. New

Labour opposed crypto controls in opposition, which got them a lot of

support from the IT and civil liberties communities. They changed

their minds, though, after they came to power in May 1997 and the US

government lobbied them.

However, encryption was rapidly becoming an important technology for

commercial use of the Internet - and the new industry was deeply

opposed to any bureaucracy which prevented them from innovating and

imposed unnecessary costs. So was the banking industry, which worried

about threats to payment systems from corrupt officials. In 1998, the

Foundation for Information Policy Research was established by

cryptographers, lawyers, academics and civil liberty groups, with

industry support, and helped campaign for digital freedoms.

In the autumn of 1999, Tony Blair finally conceded that controls would

be counterproductive. But the intelligence agencies remained nervous

about his decision, and in the May 2000 Electronic Communications Act

the Home Office left in a vestigial power to create a registration

regime for encryption services.  That power was subject to a five year

"sunset clause", whose clock finally runs out on 25th May 2005.

Ross Anderson, chair of the Foundation of Information Policy Research

(FIPR) and a key campaigner against government control of encryption

commented, "We told government at the time that there was no real

conflict between privacy and security. On the encryption issue, time

has proved us right. The same applies to many other issues too - so

long as lawmakers take the trouble to understand a technology before

they regulate it."

Phil Zimmermann, a FIPR Advisory Council member and the man whose role

in developing PGP was crucial to winning the crypto wars in the USA

commented, "It's nice to see the last remnant of the crypto wars

in Great Britain finally laid to rest, and I feel good about our win.

Now we must focus on the other erosions of privacy in the post-9/11

world."

Notes to Editors:

1.      The Foundation for Information Policy Research

 is an independent body that studies the

interaction between information technology and society. Its goal is to

identify technical developments with significant social impact,

commission and undertaken research into public policy alternatives, and

promote public understanding and dialogue between technologists and

policy-makers in the UK and Europe.

2.  The late Professor Roger Needham, who was a founder and trustee of

FIPR, as well as being Pro-Vice-Chancellor of Cambridge University, a

lifelong Labour party member and, for the last five years of his life,

Managing Director of Microsoft Research Europe, once said: `Our enemy

is not the government of the day - our enemy is ignorance. If

ignorance and government happen to be co-located, then we'd better do

something about it.' 

3.    The Electronic Communications Act 2000 received Royal Assent on

the 25th May 2000. Part I provides for the Secretary of State to create

a Register of Cryptography Support Services. s16(4) reads: "If no order

for bringing Part I of this Act into force has been made under

subsection (2) by the end of the period of five years beginning with the

day on which this Act is passed, that Part shall, by virtue of this

subsection, be repealed at the end of that period."



4.     The crypto wars ended in the USA when Al Gore, the most outspoken

advocate of key escrow, was found by the US Supreme Court to have lost

the presidential election of 2000.

5.    The last battle in the crypto wars to be fought on UK soil was

in the House of Lords over the Export Control Act 2002. In this bill,

Tony Blair's government took powers to license the export of intangibles

such as software, where previously the law had only enabled them to

criminalise the unlicensed export of physical goods such as guns. This

caused resistance from the IT industry, and also raised the prospect

that scientific communications would become subject to licensing. FIPR

organised a coalition of Conservative, Liberal and crossbench peers to

insert a research exemption (section 8) into the Act, and an Open

General Export License was created for developers of crypto software.

6.    Phil Zimmermann is arriving in London on the 25th May to take par

...

ShadowCrew - more advanced than you think

An article in BusinessWeek documents the rise and fall of ShadowCrew, a community of crackers and traders. The story mirrors much of the net world and if you took away the bias and the element of crime, you could be forgiven for mistaking them for any of dozens of sophisticated online communities Here are some choice quotes.

Indeed, today's cybercrooks are becoming ever more tightly organized. Like the Mafia, hacker groups have virtual godfathers to map strategy, capos to issue orders, and soldiers to do the dirty work. Their omertà, or vow of silence, is made easier by the anonymity of the Web. And like legit businesses, they're going global. The ShadowCrew allegedly had 4,000 members operating worldwide -- including Americans, Brazilians, Britons, Russians, and Spaniards. "Organized crime has realized what it can do on the street, it can do in cyberspace," says Peter G. Allor, a former Green Beret who heads the intelligence team at Internet Security Systems Inc. (ISSX ) in Atlanta.

This place was organised as a market - buying and selling. The owners' innovation was to bring buyers together with sellers in a trading market and make their crime more efficient.

Because most of the gang members held day jobs, the crew came alive on Sunday nights. From 10 p.m. to 2 a.m. hundreds would meet online, trading credit-card information, passports, and even equipment to make fake identity documents. Platinum credit cards cost more than gold ones. Discounts were offered for package deals. How big was the business? One day in May, 2004, a crew member known as "Scarface" sold 115,695 stolen credit-card numbers in one trade. Overall, the gang made more than $4.3 million in credit-card purchases during its two-year run. The actual tally could be more than twice as large, the feds say. It was like an eBay for the underworld.

Much of the information in the article is unclear in factual terms but it is very good for giving one the scope of the problem. Here's a case of a stupid "money launderer" being caught:

This was a big break, since the cops could use the doorway to monitor all the members' communications. Among the communiqués: Omar Dhanani, aka Voleur (French for "thief"), bragged he could set up a special payment system for cybercrime transactions, police say. For a 10% commission, he would exchange cash for "eGold," an electronic currency backed by gold bullion. The Secret Service watched as he laundered money from at least a dozen deals for ShadowCrew members.

A professional money launderer would know that e-gold and other online currencies are pretty much completely traceable, and not the money laundering nirvana that competitors would have you believe.

In sum, a great story of one such gang. We need this information widely disseminated so as to assess the threats to our own operations, and the Secret Service and the FBI of the US are to be thanked for their openness. Still, this is only one such gang, and there are hundreds others out there. The scope of the problem is ... huge.

The Suits Own You - FBI hacking wireless LANs

The FBI in the US presented how to own your wireless LAN (By way of Tom's hardware and Dan). This is welcome. We need full open disclosure and full open research into cracking if we are to get an edge over the bad guys. Does this mean the laws about cracking someone's encryption scheme are now null and void? Apparently so:

"About half a dozen different software tools were then used by the FBI team, and they are listed-along with their download links-at the end of the article. Thankfully, the Auditor's Security Collection, which we reviewed last year, is a live CD that has all of these tools already installed. Even the FBI likes this distribution."

To get the real facts about the attack, and see the fun pictures of (were those guys really running a WLan at the conference??), read the full article.

"If a hacker is lucky enough to find an extremely busy wireless network, passive sniffing should provide enough good packets to allow the WEP key to be recovered. In most cases, however, an active attack or series of attacks are needed to jump start the process and produce more packets. Note that active attacks generate wireless traffic that can itself be detected and possibly alert the target of the attack."

It takes about 5-10 minutes to get the key. I especially liked tip #5 for protecting your LAN - put a $5 lamp timer on the power and switch it off when not using it. Very practical, very easy to explain to those non-technical people in the world who also have security problems.

Elsewhere in threats news there are signs that phishing is stabilising at its current level. And rumours abound that Netscape is about to release a "blacklist feature" for anti-phishing in its browser update. Details are sparse.

"Security is a big issue in Netscape 8, and the way they have chosen to implement this is with the new Site Controls feature, which consists of a continuously updated list of trusted websites. This gives you a visual rating for each site you visit, for a quick idea of a sites trustworthiness."

Which makes you wonder what other browsers think about security...

$850 million dollar email had Perfect Forward Secrecy

For those who consider the goal to be Perfect Forward Secrecy (or PFS as the acronymoids have it) think about the $850 million punitive damages awarded by a jury in Florida against Morgan Stanley and to the former owner of Sunbeam.

"The billionaire investor started the trial with an advantage after the judge in the case punished Morgan Stanley for failing to turn over e-mails related to the 1998 Coleman deal."

"Judge Elizabeth Maass ordered jurors to assume Morgan Stanley helped Sunbeam inflate its earnings. To recover damages, Perelman only had to prove that he relied on misstatements by Morgan Stanley or other parties to the transaction about Sunbeam's finances."

"Maass also allowed Perelman's lawyers to make reference to the missing e-mails in the punitive damage phase of the case Jurors examined whether any bad conduct by Morgan Stanley merited a punishment in addition to compensation they gave Perelman to offset his losses."

This is the core problem with PFS of course - which is the promise that your emails or IMs won't be provable in the future. It matters not that someone eavesdropping can't prove anything cryptographically, because it simply doesn't matter in the scheme of things. The node is where the threat is, and you are thousands of times more likely to come to blows with your partner than any other party.

Your partner has the emails. So whatever you said, no matter how secret, gets plonked in front of you in the court case, and you've got a choice: rely on PFS and lie about the emails, or say "it's a fair cop, I said that!" Unless this issue is addressed, PFS doesn't really effect the vast majority of the us.

Unfortunately addressing second-party-copies is very hard. I had mused that it would be possible to mark emails as "Without Prejudice" which is a legal term signalling that these conversations were to be kept out of court. Nicholas Bohm set me straight there when he explained that this only applied *after* you have entered dispute, by which time you are taking all care anyway.

Alternatively it may be possible to enter into what amounts to a contract with your companion to agree to keep these conversations private and ex-judicial. That might work but it has two big powerful limitations: it doesn't effect other parties seizing them and it doesn't apply to criminal cases.

Still there may be some merit in that and it will be interesting to experiment with once I get back into IM coding mode. Meanwhile, I'm wondering just what we have to do to convince Morgan Stanley to get into a $850 million tussle with us ... nice work if you can get it.

Threats are two a penny

Good story about a success at defending from a DDOS. As a company sprung out of it, this is obviously a marketing story, but it still gives a lot of good background into the DDOS world. Postini reports that phishing traffic is 45% down in April, over March. Also, viruses are down a bit. Valid email is 13% of messages.

Whoops - here's a wakeup - SSH has been attacked and was implicated in the Cisco source code heist:

Shortly after being stolen last May, a portion of the Cisco programming instructions appeared on a Russian Web site. With such information, sophisticated intruders would potentially be able to compromise security on router computers of Cisco customers running the affected programs.

There is no evidence that such use has occurred. "Cisco believes that the improper publication of this information does not create increased risk to customers' networks," the company said last week.

(I'll bet they're regretting that statement in the post-Choicepoint world. Here's the details on SSH.)

The crucial element in the password thefts that provided access at Cisco and elsewhere was the intruder's use of a corrupted version of a standard software program, SSH. The program is used in many computer research centers for a variety of tasks, ranging from administration of remote computers to data transfer over the Internet.

The intruder probed computers for vulnerabilities that allowed the installation of the corrupted program, known as a Trojan horse, in place of the legitimate program.

In many cases the corrupted program is distributed from a single computer and shared by tens or hundreds of users at a computing site, effectively making it possible for someone unleashing it to reel in large numbers of log-ins and passwords as they are entered.

Once passwords to the remote systems were obtained, an intruder could log in and use a variety of software "tool kits" to upgrade his privileges - known as gaining root access. That makes it possible to steal information and steal more passwords.

The operation took advantage of the vulnerability of Internet-connected computers whose security software had not been brought up to date.

In the Cisco case, the passwords to Cisco computers were sent from a compromised computer by a legitimate user unaware of the Trojan horse. The intruder captured the passwords and then used them to enter Cisco's computers and steal the programming instructions, according to the
security investigators.

Peversely this is good long expected news: it confirms that which we have always predicted, that when SSH is attacked it will be attacked around the system rather than the supposed weakness of the MITM. This is an economically rational attack; break in some other way, and replace a trusted tool with a trojan. Security experts may be wild-eyed zealots, but at least their attackers are economically rational.

In closing, cautionary tale of a security breaches misanalysed. Bob spotted this one:

Sherlock Holmes and Dr Watson go on a camping trip. After a good dinner and a bottle of wine, they retire for the night, and go to sleep.

Some hours later, Holmes wakes up and nudges his faithful friend. "Watson, look up at the sky and tell me what you see."

"I see millions and millions of stars Holmes," replies Watson.

"And what do you deduce from that?"

Watson ponders for a minute.

"Well, astronomically, it tells me that there are millions of galaxies and potentially billions of planets. Astrologically, I observe that Saturn is in Leo. Logically, I deduce that the time is approximately a quarter past three. Meteorologically, I suspect that we will have a beautiful day tomorrow. Theologically, I can see that God is all powerful, and that we are a small and insignificant part of the universe. What does it tell you, Holmes?"

Holmes is silent for a moment and then says: "Watson you idiot, someone has stolen our tent!"

How much is your finger worth?

Adam points at the story of the S-Class Mercedes owner who lost his finger. The finger now makes a comeback in the fight against poorly thought out biometrics.

(Links: BBC, Scheier, German commentary, bigger)

The problem with the biometrics push is as always poorly thought out risk scenarios. If I as a corporate decide that all my employees will make their fingers available to the juggernaught of corporate security, that's fine, as within that world, we have a strictly contained risk analysis. The fingers are at risk, and these risks are offset against the rewards and risks of the corporate. Frankly, there ain't nothing in my corporate offices that's worth a finger.

But it changes when we get into a federated scenario. If my system is being used by some other corporate, my risk analysis is broken; even if I calculate that requiring my employees to use fingerprints to gain access to offices is a good risk, I cannot calculate the risks involved if the local bank starts using my biometrics system to issue banking products to the fingerprints of my employees.

And when national governments start working the biometrics genie, it shifts the risk unreality up several more notchs. The governments are calculating vague and unspecifiable benefits in some "war against today's enemy" but what they cannot calculcate is the risks involved with the use of the system in ordinary businesses.

We see this writ large in the US. Initially, social security numbers were only to be used for ... social security. Then it was tax. Then, employee identification... and loans and credit and banking accounts and ... well, everything. The system was designed with an assumption of one use only; which just marginally made it acceptable from a security risk analysis.

Use by others might be termed federated security, but from a risk analysis point of view it looks more like parasitic security, and if the fraud by impersonation (a.k.a. identity theft) example of the USA is anything to go by, nobody would adopt that risk knowingly.

Big Bad Black Market

Online fraud has been organised, industrialised, institutionalised and big for some time now. When I tell people that they just look blank, they have no conception of what this means. In a nutshell, it means they're making money, scads of it, and they ain't going away. If that doesn't make any sense, then read this:

"I work in the fraud dept. for a well known US company, and have access to hundreds of CCs (credit card numbers) on a daily basis. All I'm looking for is an easy way to make some money and stay anonymous ..."

Carrie Kirby, Chronicle Staff Writer Monday, April 11, 2005

"I work in the fraud dept. for a well known US company, and have access to hundreds of CCs (credit card numbers) on a daily basis. All I'm looking for is an easy way to make some money and stay anonymous ..."

Late last year, someone known as "Elric" posted this message on a Web site for hackers and credit card thieves called Network Terrorism Forums. Within an hour, the Web site shows that Elric received the first of a half-dozen replies -- business offers and advice on how to carry out the theft.

This is the online underworld, where stolen private information is quickly and easily sold over the Internet. The credit card numbers, bank account numbers, eBay accounts and other data sold there are stolen in corporate security breaches like the one at ChoicePoint, through offline crime like old-fashioned pickpocketing, and through scams known as "phishing" attacks, in which criminals trick people into revealing account information with slick-looking fake e-mails.

Cyber crime investigators say deals like the one proposed in Elric's posting are common on a number of similar underground Web sites.

"When you take into account the reach of the Internet and the level of sophistication of the trading in this information, it makes your hair stand on end," said Mike Drewniak, spokesman for the U.S. attorney's office in New Jersey.

These sites have become a dangerous training ground for criminals, where con artists are gaining technical chops and hackers are developing a taste for profit. The result is that online fraud is becoming much more sophisticated and organized.

"It's no longer teenage hackers in a garage trying to rip off credit cards. It is coordinated, organized crime," said Stratton Sclavos, chief executive of VeriSign, a Mountain View security and network infrastructure company that processes and monitors Internet transactions.

Last October, New Jersey prosecutors, along with the Secret Service and the Department of Justice's Computer Crime and Intellectual Property Section, announced they had shut down three of the major online crime Web sites -- Shadowcrew, Carderplanet and Darkprofits -- and arrested 28 alleged participants who are scheduled to go on trial in October.

On Shadowcrew alone, 4,000 members trafficked in at least 1.5 million stolen credit cards, causing losses to financial institutions of more than $4 million, according to the indictment.

But new sites pop up all the time to replace those that law enforcement takes down. The ones that can be easily found online represent just the tip of the iceberg, said David Thomas, chief of the Federal Bureau of Investigation's computer intrusion squad.

"A lot of the more organized groups will be more clandestine about what they do," with invitation-only Web sites, Thomas said. The Internet Relay Chat, or IRC, network, a series of chat rooms that predate the Web, is also a popular meeting place for online crooks.

Denizens of the Internet underworld range from young computer whizzes, to career criminals just getting into computers, to traditional mobsters from established crime families. They live all over the world.

The site where Elric's posting appeared, www.mazafaka.cc, is dominated by Russians, but Americans, Romanians and others can be found on the English-language portion of the site.

When contacted by The Chronicle via instant messenger, Elric said he was a 22-year-old Midwestern college student who had been hacking as a hobby since he was 9 years old. He said he knew little about how to turn his skills into money -- until a Russian man who responded to his posting helped him run up charges on some of the credit cards in his employer's database.

Elric would not reveal his true identity for fear of being arrested, so his story could not be verified. However, his story is typical of a change that's going on in the hacking world, said Christopher Painter, deputy chief of the Justice Department's computer crime unit.

"There's been a convergence," Painter said. "It used to be that the hackers were very technically sophisticated but often didn't do things for a profit." Many hackers were curiosity-driven. They explored corporate networks just to see what was there and wrote viruses just to show they could.

But over the last five years, Painter said, "you see hackers who are doing things for monetary rewards, and the fraudsters becoming sophisticated."

One reason for the growing interest in online fraud: Increasingly, that's where the money is. A quarter of all adults, or 44 percent of Internet users, now use Internet banking, according to the Pew Internet & American Life Project.

How it works

The black market Web sites are part of what the FBI's Thomas calls "nontraditional organized crime." People work together, but they may never meet one another. They may carry out just one illegal transaction together or many.

Here's a typical scenario: A hacker in California steals a batch of credit card numbers from a corporate database. On an underground Web site, he posts a request for help getting money off the cards, just like Elric did.

A Russian partner takes the credit card numbers and uses them to order electronics online. The goods are delivered to a "drop," an address where the resident has agreed to receive stolen merchandise, in the United Kingdom.

The recipient sells the merchandise and sends the proceeds back to the Russian partner, minus the reseller's cut. The Russian partner sends half to the hacker and keeps the other half.

However, since the hackers, thieves and others doing business often don't know one another and remain anonymous, no one knows whom to trust. Rip-offs are rampant. An archive of the now-defunct Shadowcrew site obtained by The Chronicle, and the still-functioning Network Terrorism Forums, show that almost every new offer is met with suspicion.

"If it ain't a rip-off, or an attempt of (Secret Service) to f*** around with us, contact me ..." read one response to Elric's posting.

This has led some Web sites to develop review systems of the sellers not unlike those of eBay and other legitimate e-commerce sites.

According to the indictment, Shadowcrew required the "vendors" to submit their product or service to a trusted community member for review.

Shadowcrew's archives show people who were reviewed for selling merchandise such as stolen credit card numbers and counterfeit credit cards that were created using stolen account information.

In a typical review, the potential seller would provide the reviewer with several credit card numbers -- along with important details such as the expiration date or the three-digit code from the back of the card. The reviewer would try using the card numbers to make purchases, and if they worked, would post a favorable review on the site.

Other vendors were reviewed for selling eBay accounts, which would allow a scam artist to auction off nonexistent merchandise and collect payment while remaining anonymous.

Vendors on the Network Terrorism Forums and other sites are encouraged to get reviewed as well.

To be sure, credit card and bank account fraud is done without using the Internet. But the online world has made it much easier to form sprawling cooperatives to quickly exploit accounts that are often shut down within a day or so after numbers are purloined, law enforcement officials said.

"Because on the Internet you are able to communicate so easily 24 hours a day ... then it's a lot easier to do something on a larger scale and to do so with people overseas," said Assistant U.S. Attorney Arif Alikhan, chief of the computer crimes section for the Central District of California.

Crime families plug in

At the same time that hackers and thieves are forming loose networks online, traditional crime families are also increasingly operating on the Internet.

On Feb. 14, alleged members of the New York Gambino crime family pleaded guilty to a scheme in which they charged the credit cards of consumers who visited pornographic Web sites for "free tours."

According to the indictment in the case, the family had been involved in Internet fraud since the late 1990s.

Traditional mafia in Eastern Europe have been involved in online fraud for years, said Thomas of the FBI.

The Web sites in the online underworld are not just trading posts for stolen information, however. They are places where would-be crooks can get advice on masking their identities online, techniques for stealing data and ideas for how to move around their ill-gotten cash.

One nervous "carder," or stolen credit card user, told peers on Shadowcrew of panicking when a counterfeit card had failed to go through at a store. The carder used his own real credit card instead.

Some members advised the foiled carder to go on the lam, since the store now had his real identity. Others said there was little chance the store would report the incident.

Services are also for sale on these sites, such as creating and hosting phishing Web sites designed to trick people into giving up banking and credit card information.

Phishing e-mails -- one of the fastest-growing threats on the Internet, according to security companies -- look like legitimate messages from banks or online services, but they are really scams. They usually ask recipients to click on a link that sends them to a Web site that also looks real, but is fake. Once there, users are lured into entering account numbers and passwords to "verify" their accounts.

The scammer then uses that information to steal money from victims' accounts or commit identity theft.

One post at the Network Terrorism Forums using the name "Children_Of_Console" offered Web sites that mimic those of 34 banks, including Wells Fargo and Bank of America, for $50 each. For $100, the seller would also provide the wording for the scam e-mail message. All the buyer would have to do is find a way to blast out the e-mail message to as many addresses as possible, then sit back and collect the account information.

Conveniently, e-mail hosting services for sending spam or phishing e-mails can also be found on these sites. Hackers use viruses to secretly take control of hundreds or thousands of personal computers, then use the computers to send spam, for a fee.

Making the digital bust

Catching and prosecuting online fraudsters is not an easy task, especially since the crimes so often involve people overseas, sometimes in many countries.

"It's very difficult working international cases. We get cooperation in countries where we can," said the FBI's Thomas.

While the United States is one of the top sources of fraudulent transactions -- due to heavy Internet use here -- there are other countries where a high percentage of transactions appear to be fraudulent, according to security firm VeriSign.

Belarus, Slovenia and Vietnam had the highest percentages of fraudulent transactions in 2004, but the list is in constant flux. And 58 percent of the Web sites used in phishing attacks are hosted outside the United States, VeriSign said.

There are some successful busts.

Last summer, the U.S. attorney's office for the Northern District of California extradited Ukrainian Roman Vega from Cyprus, for allegedly operating a Web site for trafficking stolen credit card numbers. He was charged with 20 counts of wire fraud and 20 counts of using unauthorized credit cards. If convicted, he faces fines of $250,000 per count, as well as 10 to 20 years in prison for each count, plus possible restitution.

But cases like that aren't the norm, said Ken Silva, vice president of network and security at VeriSign.

"Truth be told, there haven't been very many prosecutions," he said. "The FBI and Secret Service and local law enforcement have had a number of successes, but by and large it goes unpunished. These people don't often get caught."

The FBI has an extensive cyber crime unit and a newly opened computer forensics laboratory in Menlo Park. But the unit acknowledges that Internet fraud is a relatively low priority, taking a backseat to cyber terrorism, computer intrusions, theft of trade secrets and online crimes against children.

"That does not mean we don't work on" Internet fraud, said FBI Special Agent LaRae Quy, "but it is the fifth priority in this division."

Keep it private

Here are tips on protecting your personal information:

-- Guard private information in the physical world by using a locked mailbox and a crosscut paper shredder on mail such as credit card offers and bills.

-- Keep a separate credit card for online transactions, so if anything unusual shows up, you're more likely to notice it and can easily close the account.

-- Don't give your credit card or Social Security number to anyone -- online or over the phone -- without verifying his or her identity.

-- Layering the security measures on your computer will help prevent you from becoming a victim -- or part of the problem. Use a firewall and antivirus software, and download all the updates.

Source: Chronicle research

Chronicle staff writer Dan Fost contributed to this report. E-mail Carrie Kirby at ckirby@sfchronicle.com.

Addendum; new paper on The Economy of Phishing.

Nicking folk's identities is easy, says researcher

Tools required: clipboard, pen, plausible yarn
By Paul Hales: Thursday 24 March 2005, 16:48
http://www.theinquirer.net/?article=22103

SNOOPS in the employ of Infosecurity Europe, an exhibition company, wandered around London streets with clipboards and managed to extract enough information out of gullible shoppers to enable them to perpetrate identity theft on over 90 per cent of those they questioned.

The company said the intention of the stunt was to "raise awareness of the need to be very careful about the information people give to complete strangers."

A copper, detective Inspector, Chris Simpson of the Yard, said he was "disturbed" by the findings.

The researchers admitted to a certain amount of subterfuge in extracting information such mothers’ maiden names, or first schools attended from the 200 folk interviewed.

Pretending to be looking into Londoners’ theatre-going habits, the researchers told pedestrians that if they took part in the survey they would be entered into a draw for theatre ticket vouchers worth £20. Using this tactic they managed to get the names and address of all those questioned. Ninety-nine per cent coughed up their address and postcode and 92 per cent their home phone number.

Interviewees were told actors often combined their pets name and mother’s maiden name to come up with their stage name and were asked what they thought their stage name would be. Ninety four percent of respondents were thus duped into giving up their mother’s maiden name and their pet’s name.

Continuing the theatre-based theme, the question: "Did you get involved in acting in plays at school?" was followed by: "What was the name of your first school?". Ninety-six percent coughed this information too, giving over the key pieces of security information used by banks.

Infosecurity said the three-minute questionnaire gave researchers sufficient information to open bank accounts, credit cards, or even to start stealing their victim’s identity. The researchers did not offer any verification of their identity, their only tool was a clipboard and the offer of the chance to win a voucher for theatre tickets, the company said.

Claire Sellick Event Director for Infosecurity Europe who took part in the research said, one man provided all his information without question, "but returned five minutes later asking for it back, as he thought that we could use it to gain access to his on-line bank account, we gave him back his survey form," she said, "but did not provide any evidence of who we were. If we had been fraudsters he would have been too late."

Detective Inspector, Simpson, Head of Scotland Yard’s Computer Crime Unit said, "The results of the survey are disturbing to say the least, however they do highlight the need to raise public awareness of identity theft, what it actually means, how it can happen and the potential consequences".

By a spooky coincidence, DI Simpson is speaking in a keynote session on, ‘Law Enforcement - Cybercrime and International Co-Operation, Prevention, Detection and Punishment,’ at Infosecurity Europe 2005 – Olympia, London, UK 26th–28th April. µ
I’Inq
© 2005 Breakthrough Publishing Ltd.
http://www.theinquirer.net/?article=22103

New Password Cracking Threat: Grid + your laptop

The following article is quite significant. My comments are at the end so as not to bias reading.

washingtonpost.com
DNA Key to Decoding Human Factor
Secret Service's Distributed Computing Project Aimed at Decoding Encrypted Evidence

By Brian Krebs washingtonpost.com Staff Writer Monday, March 28, 2005; 6:48 AM

For law enforcement officials charged with busting sophisticated financial crime and hacker rings, making arrests and seizing computers used in the criminal activity is often the easy part.

More difficult can be making the case in court, where getting a conviction often hinges on whether investigators can glean evidence off of the seized computer equipment and connect that information to specific crimes.

The wide availability of powerful encryption software has made evidence gathering a significant challenge for investigators. Criminals can use the software to scramble evidence of their activities so thoroughly that even the most powerful supercomputers in the world would never be able to break into their codes. But the U.S. Secret Service believes that combining computing power with gumshoe detective skills can help crack criminals' encrypted data caches.

Taking a cue from scientists searching for signs of extraterrestrial life and mathematicians trying to identify very large prime numbers, the agency best known for protecting presidents and other high officials is tying together its employees' desktop computers in a network designed to crack passwords that alleged criminals have used to scramble evidence of their crimes -- everything from lists of stolen credit card numbers and Social Security numbers to records of bank transfers and e-mail communications with victims and accomplices.

To date, the Secret Service has linked 4,000 of its employees' computers into the "Distributed Networking Attack" program. The effort started nearly three years ago to battle a surge in the number of cases in which savvy computer criminals have used commercial or free encryption software to safeguard stolen financial information, according to DNA program manager Al Lewis.

"We're seeing more and more cases coming in where we have to break encryption," Lewis said. "What we're finding is that criminals who use encryption usually are higher profile and higher value targets for us because it means from an evidentiary standpoint they have more to hide."

Each computer in the DNA network contributes a sliver of its processing power to the effort, allowing the entire system to continuously hammer away at numerous encryption keys at a rate of more than a million password combinations per second.

The strength of any encryption scheme is based largely on the complexity of its algorithm -- the mathematical formula used to scramble the data -- and the length of the "key" required to encode and unscramble the information. Keys consist of long strings of binary numbers or "bits," and generally the greater number of bits in a key, the more secure the encryption.

Many of the encryption programs used widely by corporations and individuals provide up to 128- or 256-bit keys. Breaking a 256-bit key would likely take eons using today's conventional "dictionary" and "brute force" decryption methods -- that is, trying word-based, random or sequential combinations of letters and numbers -- even on a distributed network many times the size of the Secret Service's DNA.

"In most cases, there's a greater probability that the sun will burn out before all the computers in the world could factor in all of the information needed to brute force a 256-bit key," said Jon Hansen, vice president of marketing for AccessData Corp, the Lindon, Utah, company that built the software that powers DNA.

Yet, like most security systems, encryption has an Achilles' heel -- the user. That's because some of today's most common encryption applications protect keys using a password supplied by the user. Most encryption programs urge users to pick strong, alphanumeric passwords, but far too often people ignore that critical piece of advice, said Bruce Schneier, an encryption expert and chief technology officer at Counterpane Internet Security Inc. in Mountain View, Calif.

"Most people don't pick a random password even though they should, and that's why projects like this work against a lot of keys," Schneier said. "Lots of people -- even the bad guys -- are really sloppy about choosing good passwords."

Armed with the computing power provided by DNA and a treasure trove of data about a suspect's personal life and interests collected by field agents, Secret Service computer forensics experts often can discover encryption key passwords.

In each case in which DNA is used, the Secret Service has plenty of "plaintext" or unencrypted data resident on the suspect's computer hard drive that can provide important clues to that person's password. When that data is fed into DNA, the system can create lists of words and phrases specific to the individual who owned the computer, lists that are used to try to crack the suspect's password. DNA can glean word lists from documents and e-mails on the suspect's PC, and can scour the suspect's Web browser cache and extract words from Web sites that the individual may have frequented.

"If we've got a suspect and we know from looking at his computer that he likes motorcycle Web sites, for example, we can pull words down off of those sites and create a unique dictionary of passwords of motorcycle terms," the Secret Service's Lewis said.

DNA was developed under a program funded by the Technical Support Working Group -- a federal office that coordinates research on technologies to combat terrorism. AccessData's various offerings are currently used by nearly every federal agency that does computer forensics work, according to Hansen and executives at Pasadena, Calif.-based Guidance Software, another major player in the government market for forensics technology.

Hansen said AccessData has learned through feedback with its customers in law enforcement that between 40 and 50 percent of the time investigators can crack an encryption key by creating word lists from content at sites listed in the suspect's Internet browser log or Web site bookmarks.

"Most of the time this happens the password is some quirky word related to the suspect's area of interests or hobbies," Hansen said.

Hansen recalled one case several years ago in which police in the United Kingdom used AccessData's technology to crack the encryption key of a suspect who frequently worked with horses. Using custom lists of words associated with all things equine, investigators quickly zeroed in on his password, which Hansen says was some obscure word used to describe one component of a stirrup.

Having the ability to craft custom dictionaries for each suspect's computer makes it exponentially more likely that investigators can crack a given encryption code within a timeframe that would be useful in prosecuting a case, said David McNett, president of Distributed.net, created in 1997 as the world's first general-purpose distributed computing project.

"If you have a whole hard drive of materials that could be related to the encryption key you're trying to crack, that is extremely beneficial," McNett said. "In the world of encrypted [Microsoft Windows] drives and encrypted zip files, four thousand machines is a sizable force to bring to bear."

It took DNA just under three hours to crack one file encrypted with WinZip -- a popular file compression and encryption utility that offers 128-bit and 256-bit key encryption. That attack was successful mainly because investigators were able to build highly targeted word lists about the suspect who owned the seized hard drive.

Other encrypted files, however, are proving far more stubborn.

In a high-profile investigation last fall, code-named "Operation Firewall," Secret Service agents infiltrated an Internet crime ring used to buy and sell stolen credit cards, a case that yielded more than 30 arrests but also huge amounts of encrypted data. DNA is still toiling to crack most of those codes, many of which were created with a formidable grade of 256-bit encryption.

Relying on a word-list approach to crack keys becomes far more complex when dealing with suspects who communicate using a mix of languages and alphabets. In Operation Firewall, for example, several of the suspects routinely communicated online in English, Russian and Ukrainian, as well as a mishmash of the Cyrillic and Roman alphabets.

The Secret Service also is working on adapting DNA to cope with emergent data secrecy threats, such as an increased criminal use of "steganography," which involves hiding information by embedding messages inside other, seemingly innocuous messages, music files or images.

The Secret Service has deployed DNA to 40 percent of its internal computers at a rate of a few PCs per week and plans to expand the program to all 10,000 of its systems by the end of this summer. Ultimately, the agency hopes to build the network out across all 22 federal agencies that comprise the Department of Homeland Security: It currently holds a license to deploy the network out to 100,000 systems.

Unlike other distributed networking programs, such as the Search for Extra Terrestrial Intelligence Project -- which graphically display their number-crunching progress when a host computer's screen saver is activated -- DNA works silently in the background, completely hidden from the user. Lewis said the Secret Service chose not to call attention to the program, concerned that employees might remove it.

"Computer users often experience system lockups that are often inexplicable, and many users will uninstall programs they don't understand," Lewis said. "As the user base becomes more educated with the program and how it functions, we certainly retain the ability to make it more visible."

In the meantime, the agency is looking to partner with companies in the private sector that may have computer-processing power to spare, though Lewis declined to say which companies the Secret Service was approaching. Such a partnership would not endanger the secrecy of their operations, Lewis said, because any one partner would be given only tiny snippets of an entire encrypted message or file.

Distributed.net's McNett said he understands all too well the agency's desire for additional computing power.

"There will be such a thing as 'too much computing power' as soon as you can crack a key 'too quickly,' which is to say 'never' in the Secret Service's case."

© 2005 TechNews.com

So here's my comment. Up until now, we've known that groups like the NSA and GCHQ have had the capability to crunch bigger keys and do better searches. Yet, they are not threats to the world, because their information is kept too secret; they can't reveal their discoveries without risk of losing their edge. Perversely, it doesn't matter whether they can break our crypto, as our secret and their secret is safe with them.

But any policing force is a different matter. The US Secret Service is just another policing agency, one with two missions, being the protection of the currency and the more famous mission of bodyguard. They have no special need to keep their discoveries secret, in fact quite the reverse as they like all policing forces pander to the big bust and the exposure seeking press release. They are by definition threats to the common man.

And, they're talking about cooperating with other departments, both to share data and to share compute resource. Think J Edgar Hoover with a Grid, and it matters not that they are the good guys, it's all about incentives tomorrow, not today's recruitment poster.

In sum, up until now, nobody threatening had access to 10,000 machines. Now they do. Give it another year and I'll bet every large force in the USA and a half dozen ones in other countries will have installed their screen saver style grids. The threats meter has shifted up a few dozen bits for the ordinary person.

(That's the bad news. The good news was that it was a good article.)

Mozilla wobbles on the ball of security

Over at Mozilla, the honeymoon is definately over, as no less than Symantec's CEO casts some doubt on the notion that just because a browser is popular and open source doesn't mean it's secure. The full story. There is one weak comment from Mitchell Baker, of Mozilla, that is easy to dispose of:

"There is this idea that market share alone will make you have more vulnerabilities," Baker said. "It is not relational at all."

That's, um, slightly wrong. You create the vulnerabilities, and market share finds 'em. We can show it empirically, logically or economically, you pick. Not to worry. Now, I have a fond hope that Mozilla can show the way ahead in phishing, being open source and all that, but this has got me totally bemused:

In general, classic code flaws tend to be fairly easy to fix once they are found, she said. More difficult problems to guard against are the ones that exploit human behavior, like phishing.

"In some of these cases, the solution is very difficult to determine," she said. "There are some circumstances where the speed won't be as fast."

In barely disguised politeness, I have to question this. While I'm happy that phishing is belatedly on the table, what does it mean that the solution is difficult to determine?

If there is a question of how to handle phishing, then ask?! We've been talking about fixing phishing for an entire YEAR now on Mozilla's very crypto and security groups. There are bugs filed, there are no shortage of clues planted. Keyboards have smoked with the volume of emails, posts, and documents. GOOD ideas on fixing phishing will flood in faster than you can say "go-fish". There are at least two, maybe 3 or 4 completely coded up solutions running in Mozilla already! Today!

What's difficult about it all? Maybe it hasn't been said today. Here's how to do it: download trustbar.mozdev.org and do that.

Couldn't be simpler.

FUDWatch - NYT breathless on wireless terrorism

In the humour department, Cubicle points to Wendy who says:

Without a hint of irony, however [NYT breathlessly reported that]:

“Two federal law enforcement officials said on condition of anonymity that while they were not aware of specific cases, they believed that sophisticated terrorists might also be starting to exploit unsecured Wi-Fi connections.”

Yes, even law enforcement needs anonymity sometimes.

To which Cubicle comments that "Personally, I think that the reason that most of the “sources” are anonymous is because they don’t exist." Say Amen to that. Read the rest for some good FUD trashing by Cubicle.

There's a market here for a FUDwatch site that gives awards to the crappiest security news.

Random phishing news

Over in the phishing department, Simon pointed to a new payments blog that seems to cover phishing as well.

A company called Corillian has a 'rule base' system that analyses a company's data to see if they or their customers are getting phished (hmmm.... lost the link. They claim 90% success rate; for now, that is. Short terms solutions like these are probably necessary until the infrastructure is in place to deal with phishing where it most happens, but we shouldn't be fooling ourselves that these are any more than bandaids.

I briefly wandered by the Anti-phishing Working Group's site to see what's new in the war on phishing, and nothing much there. And, I mean nothing - there are lots of teasers, but no information. There are a lot of logos there, however, and this confirms my suspicion of the APWG as a sales forum. Their value-added is to collect all the vendors of phishing solutions for you in one place, and their value-added for vendors is to collect all customers together! My advice to any financial institution looking for help is to do your own research. You will have to anyway.

Addendum: See Phishing Club: An Addict/Enabler Nest?

Microsoft's negative rep leads to startling new security strategy

Triage is one thing, security is another. Last week's ground-shifting news was widely ignored in the press. Scanning a bunch of links, the closest I found to any acknowledgement of what Microsoft announced is this:

In announcing the plan, Gates acknowledged something that many outside the company had been arguing for some time--that the browser itself has become a security risk. "Browsing is definitely a point of vulnerability," Gates said.

Yet no discussion on what that actually meant. Still, to his sole credit, author Steven Musil admitted he didn't follow what Microsoft were up to. The rest of media speculated on compatibility, Firefox as a competitor and Microsoft's pay-me-don't-pay-me plans for anti-virus services, which I guess is easier to understand as there are competitors who can explain how they're not scared.

So what does this mean? Microsoft has zero, zip, nada credibility in security.

...earlier this week the chairman of the World's Most Important Software Company looked an auditorium full of IT security professionals in the eye and solemnly assured them that "security is the most important thing we're doing."

And this time he really means it.

That, of course, is the problem: IT pros have heard this from Bill Gates and Microsoft many times before ...

Whatever they say is not only discounted, it's even reversed in the minds of the press. Even when they get one right, it is assumed there must have been another reason! The above article goes on to say:

Indeed, it's no accident that Microsoft is mounting another security PR blitz now, for the company is trying to reverse the steady loss of IE's browser market share to Mozilla's Firefox 1.0.

Microsoft is now the proud owner of a negative reputation in security,

Which leads to the following strategy: actions not words. Every word said from now until the problem is solved will just generate wheel spinning for no productivity, at a minimum (and not withstanding Gartner's need to sell those same words on). The only way that Microsoft can change their reputation for insecurity is to actually change their product to be secure. And then be patient.

Microsoft should shut up and and do some security. Which isn't entirely impossible. If it is a browser v. browser question, it is not as if the competition has an insurmountable lead in security. Yes, Firefox has a reputation for security, but showing that objectively is difficult: their brand is indistinguishable from "hasn't got a large enough market share to be worth attacking as yet."

Some agree:

"This is a work in progress," Wilcox says. "The best thing for Microsoft to do is simply not talk about what it's going to do with the browser."

Choicepoint - 700 identities attacked

As predicted, the states ganged up on Choicepoint and forced them to agree to notify all the victims of the identity thefts. Of the 145k or so identified sets of identity, 700 ... 750 have now been identified as having been (ab)used. Which leaves me confused - is the identity stolen when the data is acquired, or when the data is used to commit a fraud?

Adam points to widening ripples of turmoil as the thought permeates of remote, inattantive and disinterested parties amass massive databases on everyone. My guess: the US will suddenly have a love affair with European-style data privacy directives, as the deal with the risks and interests. Whoops: spoke too soon.

Also see this nice open governance site that monitors Choicepoint and other companies.

A Blackbird Moment - Microsoft confirms phishing is an attack on the browser

17th February 2005. Bill Gates has just spoken at the RSA security conference:

"Microsoft's chairman and chief software architect announced plans for an updated Internet Explorer 7.0 browser and a slew of other initiatives to bolster security in Microsoft products. Reacting to increased phishing, spyware, and malicious software (commonly known as malware) being directed against the IE browser, Gates said that Microsoft now plans to release "a new IE 7 with added levels of security" in mid-2005 rather than include the new browser in the next version of Windows, code-named Longhorn, due in 2006."

"Gates promised that the new IE would add protection from "Internet-enabled social engineering" scams like phishing, a prevalent type of online attack in which spammers send e-mail messages to dupe recipients into visiting fraudulent Web pages that look like legitimate e-commerce sites to steal sensitive personal information such as passwords and credit card details."

Back in the early 90s, seeing the Internet evolve was quite extraordinary. It was the social and technical revolution of our times. I used to tell everyone this, how this shift was as big as Gutenberg. Of course, people who spend all their time on the net rant a lot.

And then, one night, Bill Gates canned Blackbird.

A decade later, we don't even know what that is, but in that one event, the biggest force in software rewrote the whole rule book of computing and communications. They went from competing with the greatest force of our time to joining it, in one evening demo. Ever since that moment, there was no longer a battle to explain to people. The battle was won, the Internet was one, ours for evermore.

Yesterday's announcement is a Blackbird Moment. When Microsoft announces that they are releasing a new browser with new phishing defences, no longer is there any debate about what phishing is. It's an attack on the browser. That's it, that's what it is.

And now we can get one with the hard work of fixing it. But at least we know what to fix.

Smartphone attacks - a timeline

Unlike most media articles, this one has body, in the form of a nice timeline showing the arisal and evolution of a threat. For that alone it is worth it! (Read the full story)

The following timeline gives a sense of the stepped-up pace of mobile phone attacks:

Spring 2004: A trojanized game called "Mosquitos" secretly sends messages to expensive toll numbers at the user's expense.

15 June 2004: The Cabir worm replicates over-the-air via Bluetooth connections.

16 June 2004: Cabir.B, a variation on the Cabir worm, is discovered. Cabir.B, which began spreading in the wild in autumn 2004, continues to spread today. To date, it has been detected in China, India, Turkey, the Philippines, and Finland.

19 November 2004: The Skulls.A trojan replaces icons on the phone with skull images, making the phone almost useless.

29 November 2004: Skulls.B is discovered.

9 December 2004: Cabir.C is discovered.

9 December 2004: Cabir.D is discovered.

9 December 2004: Cabir.E is discovered.

21 December 2004: Skulls.C is discovered.

21 December 2004: Cabir.F is discovered.

21 December 2004: Cabir.G is discovered.

21 December 2004: The METAL Gear.a trojan encourages users to download and install it by masquerading as the popular mobile phone game Metal Gear Solid.

The most recent in this new wave of exploits, the trojan METAL Gear.a, targets mobile devices using the Symbian operating system. When run, it installs Skulls and Cabir variants and tries to disable antivirus and file-browsing products installed on the device - thus making the device extremely difficult for the user to repair. In addition, METAL Gear.a also makes a file called SEXXXY.sis available to any Bluetooth phones that happen to be within range; if the user of a nearby phone accepts that file, it will disable that phone's application selection button.

http://www.identitytheft911.com/education/articles/art20041223mobile.htm

Firefox first blood - bug allows any domain to be "owned"

Over at something called the Shmoo conference, an exploit was announced that effects all browsers except including IE. Florian reports that spam is already circulating attacking IE. If you want to test it, and see what happens, browse over to http://www.shmoo.com/idn/ and click on the links. (Solution is below, also see BoingBoing suggested fix .)

Don't worry, nothing bad happens to you, this time. And don't be unduly alarmed as in practice, this is no more distinct an attack than ordinary phishing. To be exploited, you have to be sent a link in email or chat, and you have to click on it. Don't do that. If you still feel threatened ... browse over to BoingBoing and follow the instructions - this turns off IDN support, which disables the code paths that the bug exploits.

What is much more interesting is that this seems to be 'first blood' for Firefox - their first big security bug after the recent massive success of Firefox 1.0. It was always going to happen - all code has bugs, right? - and now is as good a time as any.

The major problem that's going to strike here is that this is not a bug. Yes, I know I said it was a bug, and now I'm changing my mind.... Let me explain: it's a not-bug,
or a not-a-bug-but-a-feature.

The IDN - international domain name - concept allows names to be created that do non-english lettering. As an artifact of this, you can do english lettering, but in a non-english character set. Which means that anyone can craft any other domain and also request a certificate in it.

But, anyone could already do that. We've known for a long time that paypa1.com was available as a domain (notice the digit one '1' at the end!). This is simply yet another way to create a near-perfect copy of a domain name. Not only is it simply yet another way ... it's one of a string of them including future mechanisms that we can only dream of right now.

So, the first thing to understand is that domain names can be copied. And we can't really stop that.

How then does the user defend herself? Or, better yet, how does the user and the browser working together stop being fooled?

Simple. (I will assume that SSL is indicated here because it is important.) What the browser has to do is to show the user several things:

1. Who the CA is that signed the cert.
2. What the user previously knew/set about that site.

Those two simple things will give the user powerful tools. Remember, the user knows her trusted sites. She is the one that trusts Bank of America, not the CA and not the browser manufacturer. So when she goes to her bank, she can designate that bank as "her bank". Sort of like a bookmark or a favicon, but it has to be tied to the certificate, and it has to be generated by her, elsewise the spoofer simply copies the public info on the website.

The best way to do this is to show the logo of the CA (can be shipped in the browser for added security) alongside a logo for the bank that the user selected when she first visited the bank in SSL form. Those logos should appear on the chrome, in a position that can't be touched by the HTML.

Then, when the spoof BunkOfAmerika turns up, the HTML might look the same, but the browser should treat this is an untrusted site - no logos because the cert seen (if any) doesn't have any logos selected.

Cyota reports "almost 5% have been hooked in phishing"

I know some have been banding around these ridiculous figures of phishing success, but I simply discounted them as being ridiculous. Yet, a new survey by Cyota in New York has said the same thing: "almost 5% [of banking account holders] admitted to responding and divulging information."

We're in the wrong business. Here are the other key results:

Key results found in the survey include:

50% of accountholders have received at least one phishing email, compared to less than 25% back in April - representing 100% growth in just six months.

44% of online bankers utilize the same password for multiple online banking services - a password obtained by the fraudsters can be used at a number of banks.

37% of online bankers use their online banking password at other, less secure sites - these sites are typically less protected and this poses a security risk for banks.

79% of accountholders check for the little lock on the bottom of a secure web page, however less than 40% actually click on the lock to view the security certificate. Cyota's Anti-Fraud Command Center (AFCC) confirms: lock image can be and is easily spoofed by fraudsters.

70% of accountholders are less likely to respond to an email from their bank, and more than half are less likely to sign-up or continue to use their bank's online services due to phishing.

Nah... I cannot believe that "79% of accountholders check for the little lock..." And, as for "less than 40% actually click on the lock" ... well, I guess that includes 4%.

Internet 'Phishing' Scams Getting More Devious

There are about 10 articles a day on phishing, so I don't read them. What else is there to say that hasn't been said since years ago? Including the fact that it gets better and better, it's enough to drive a security guy to drink. Anyway, here's a good summary article to set a flag on the date, and an even briefer summary paragraph:

57 million americans, 122 "brands", organised crime, DNS redirection attacks, half based on spyware, convergance, get a hardware token, and this corker of a closing argument:

"Internet engineers should also figure out a way to authenticate Web addresses, much as they are currently figuring out how to make sure e-mail addresses are legitimate, he said."

Wed Jan 19, 3:03 PM ET

Internet 'Phishing' Scams Getting More Devious
By Andy Sullivan

WASHINGTON (Reuters) - Internet "phishing" scams are becoming more difficult to detect as criminals develop new ways to trick consumers into revealing passwords, bank account numbers and other sensitive information, security experts say.

Scam artists posed as banks and other legitimate businesses in thousands of phishing attacks last year, sending out millions of "spam" e-mails with subject lines like "account update needed" that pointed to fraudulent Web sites.

These attacks now increasingly use worms and spyware to divert consumers to fraudulent sites without their knowledge, experts say.

"If you think of phishers initially as petty thieves, now they're more like an organized crime unit," said Paris Trudeau, senior product manager for Internet-security firm SurfControl.

Phishing attacks have reached 57 million U.S. adults and compromised at least 122 well-known brands so far, according to several estimates.

At the end of 2004 nearly half of these attacks contained some sort of spyware or other malicious code, Trudeau said.

One attack, first documented last month by the Danish security firm Secunia, misdirects Web surfers by modifying a little-known directory in Microsoft Windows machines called a host file. When an Internet user types a Web address into a browser, he is directed instead to a fraudulent site.

This technique has shown up in attacks spoofing several South American banks, said Scott Chasin, chief technical officer of the security firm MX Logic.

The convergence of all of these threats means "we can expect to see some large attacks in the near term," he said.

Another more ambitious attack targets the domain-name servers that serve as virtual telephone books, matching domain names with numerical addresses given to each computer on the Internet.

IDENTITY THIEVES

If one of those computers is compromised, Internet users who type in "www.bankofamerica.com" could be directed to a look-alike site run by identity thieves.

Domain-name servers are tougher to crack, as they are typically run by businesses rather than home users, but hackers can find a way in by posing as a company's tech-support department and asking new employees for their passwords, Trudeau said.

Domain-name hijacking is suspected in incidents involving Google.com, Amazon.com, eBay Germany and HSBC Bank of Brazil, Chasin said.

Even straightforward phishing attacks are getting more sophisticated. Spelling errors and mangled Web addresses made early scams easy to spot, but scam artists now commonly include legitimate-looking links within their Web addresses, said Kate Trower, associate product manager of protection software for EarthLink Inc.

Consumers who click on links like www.citibank.com in these messages are directed to a fraudulent Web address buried in the message's technical code, she said.

MasterCard International has caught at least 10 phishing scams involving www.mastercard.com over the past two months, said Sergio Pinon, senior vice president of security and risk services.

Consumers can protect themselves with software that screens out viruses, spyware and spam. But online businesses will have to take steps as well, perhaps by issuing customers a physical token containing a changing password, Chasin said.

Internet engineers should also figure out a way to authenticate Web addresses, much as they are currently figuring out how to make sure e-mail addresses are legitimate, he said.

Copyright © 2005 Reuters Limited. All rights reserved.
http://story.news.yahoo.com/news?tmpl=story&cid=581&e=4&u=/nm/20050119/tc_nm/tech_phishing_dc

Security Signalling - the market for Lemmings

Adam continues to grind away at his problem: how to signal good security. It's a good question, as we know that the market for security is highly inefficient, some would say dysfunctional. E.g., we perceive that many security products are good but ignored, and others are bad but extraordinarily popular, and despite repeated evidence of breaches, en masse, users flock to it with lemming-like behaviour.

I think a real part of this is that the underlying question of just what security really is remains unstudied. So, what is security? Or, in more formal economics terms, what is the product that is sold in the market for security?

This is not such an easy question from an economist's point of view. It's a bit like the market for lemons, which was thought to be just anomalous and weird until some bright economist sat down and studied it. AFAIK, nobody's studied the market for security, although I admit to only having asked one economist, and his answer was "there's no definition for *that* product that I know of!"

Let's give it a go. Here's the basic issue: security as a product lacks good testability. That is, when you purchase your standard security product, there is no easy way to show that it achieves its core goal, which is to secure you against the threat.

Well, actually, that's not quite correct; there are obviously two sorts of security products, those that are testable and those that are not. Consider a gate that is meant to guard against dogs. You can install this in a fence, then watch the rabid canines try and beat against the gate. With a certain amount of confidence you can determine that the gate is secure against dogs.

But, now consider a burglar alarm. You can also install it with about the same degree of effort. You can conduct the basic workability tests, same as a gate. One opens and goes click on closing; the other sets and resets, with beeping.

But there the comparison gets into trouble, as once you've shown the burglar alarm to work, you still have no real way of determining that it achieves its goal. How do you know it stops burglars?

The threat that is being addressed cannot be easily simulated. Yes, you can pretend to be a burglar, but non-burglars are pretty poor at that. Whereas one doesn't need to be a dog to pretend to be a dog, and do so well enough to test a gate.

What then is one supposed to do? Hire a burglar? Well, let's try that: put an ad in the paper, or more digitally, hang around IRC and learn some NuWordz. And your test burglar gets in and ... does what? If he's a real burglar, he might tell you or he might just take the stuff. Or, both, it's not unreasonable to imagine a real burglar telling you *and* coming back a month later...

Or he fails to get in. What does that tell you? Only that *that* burglar can't get in! Or that he's lying.

Let's summarise. We have these characteristics in the market for security:

• a test of the product by a simulated threat is:
  • expensive, and
  • the results cannot be relied upon to predict defence against a real threat;
• a test of the product by a real threat is:
  • difficult to arrange,
  • could be destructive, and
  • the results cannot be relied upon to predict defence against any _other_ real threat.

Perhaps some examples might help. Consider a security product such as Microsoft Windows Operating System. Clearly they write it as well as they can, and then test it as much as they can afford. Yet, it always ships with bugs in it, and in time those bugs are exploited. So their testing - their simulated threats - is unsatisfactory. And their ability to arrange testing by real threats is limited by the inefficient market for blackhats (another topic in itself, but one beyond today's scope).

Closer to (my) home, let's look at crypto protocols as a security product. We can see that it is fairly close as well: The simulated threat is the review by analysts, the open source cryptologists and cryptoplumbers that pore through the code and specs looking for weaknesses. Yet, it's expensive to purchase review of crypto, which is why so many people go open source and hope that someone finds it interesting enough. And, even when you can attract someone to review your code, it is never ever a complete review. It's just what they had time for; no amount of money buys a complete review of everything that is possible.

And, if we were to have any luck in finding a real attacker, then it would only be by deploying the protocol in vast numbers of implementations or in a few implementations of such value that it would be worth his time to try and attack it. So, after crossing that barrier, we are probably rather ill-suited to watching for his arrival as a threat, simply due to the time and effort already undertaken to get that far. (E.g., the protocol designers are long since transferred to other duties.) And almost by default, the energy spent in cracking our protocol is an investment that can only be recouped by aggressive acquisition of assets on the breach.

(Protocol design has always been known to have highly asymmetric characteristics in security. It is for this reason that the last few years have shown a big interest in provability of security statements. But this is a relatively young art; if it is anything like the provability of coding that I did at University it can be summarised as "showing great potential" for many decades to come.)

Having established these characteristics, a whole bunch of questions are raised. What then can we predict about the market for Lemmings? (Or is it the market for Pied Pipers?) If we cannot determine its efficacy as a product, why is it that we continue to buy? What is it that we can do to make this market respond more ... responsibly? And finally, we might actually get a chance to address Adam's original question, to whit, how do we go about signalling security, anyway?

Lucky we have a year ahead of us to muse on these issues.

From the "real threats" department: Wanted: Chief Espionage Officer

A long but good article by John McCormick and Debbie Gage on espionage against American companies, generally by their competitors. It's good because it is real. The threats are validated by court filings, research and surveys. This is what real security is about, determining what threats are out there, validating them and constructing economic models of their costliness. Only then can security people proceed to design economic security systems to address the threats. Any thing else is speculation, and you shouldn't be surprised if it works out as being worthless or worse, interfering with the real security needs of the users.

2005 - The Year of the Snail

So if 2004 depressingly swims past us as the Year of the Phish, what then will 2005 bring?

Worse, much worse. The issue is this: during the last 12 months, the Internet security landscape changed dramatically. A number of known, theoretical threats surfaced, became real, and became institutionalised. Here's a quick summary:

1. Viruses started to do more than just replicate and destroy: they started to steal. The first viruses that scanned for valuable information surfaced, and the first that installed keyloggers that targetted specific websites and banking passwords. Just this week, the first attack on the root list of SSL browsers was being tracked by security firms.
2. Money started to be made in serious amounts in phishing. This then fed into other areas, as phishers *invested* their ill gotten gains, which led to the next development:
3. Phishers started to use other techniques to gather their victims: viruses were used to harvest nodes for spam that were used to launch phishing attacks. Integration across all the potential threats was now a reality.
4. DDOS, which seemed to seriously take off in 2002, became a serious *extortion* threat to larger companies in 2004. Companies that had something to lose, lost.
5. In 2004, it now became clear that we were no longer dealing with a bunch of isolated hackers who were doing the crack as much to impress each other as to exercise their own skills. There is now a market phase for every conceivable tool out there, and mere hackers do not purchase the factors of their production.
6. Malware, spyware, and any other sort of ware turned up as infesting average PCs with Windows at numbers quoted as 30 per machine. And this was just the mild and benign stuff that reported your every browse for marketing purposes.
7. Microsoft were shown to be powerless to stem the tide. Their SP2 mid-life update caused as many problems as it might have solved. No progress was discernable overall, and 2004 might be marked as the year when even the bubble headed IT media started questioning the emporer's nakedness.

How can I summarise the summary in one pithy aphorism? For most intents and purposes, the Internet was secure for Windows users until about 2004. From 2005 onwards, the Internet is not secure for Windows users. Are you depressed, yet?

2005 will be the Year of the Snail. Your machine will move slowly and slipperily to a fate that you can't avoid. The security of the Windows system on which the vast majority of the net depends for its leaf nodes will repeat the imagery of a snail's house. Ever toiling, slithering slowly across the garden with an immense burden on its back, and ever fearful of approaching predator. The snail is quick to retreat into its house, but all to no avail, as that crunching sound announces that your machine just got turned into more phish compost.

I had hoped - foolish, I know - that Firefox and the like would have at least addressed the phishing threat by now. But now we are fighting a two fronts war: phishing attacks the browser's security model and UI, while all the rest attacks the Windows platform.

It's really easy to offer a solution: download Firefox, and buy a Mac. But this is like asking a snail to become a hedgehog; it is simply out of the budget of way too many users to rush out and buy a Mac. Those that can do so, do so!

Those that cannot, prepare for the Year of the Snail. And check in with us in a year's time to see how the two fronts war is going. The good news is that statistically, a few snails always survive to populate the garden for the next year. The bad news is that it will decidedly take more than a year for your house to evolve away from the sound of the crunch.

Addendum 30th December: The Independent's Charles Arthur wrote The shape of things to come in 2005, which centrepoints security, but also comments on wider issues.

3rd January 2005: The New Scientist's The year in technology.

2004 - The Year of the Phish

Last year, 2003, was a depressing year. We watched the phishing thing loom and rise, and for the most part, security experts fudged, denied, shuffled and ignored while the phish was reeled in. Now, 2004 can truly be said to be the Year of the Phish.

There is progress. Firefox have added two small but nice additions to their browser to address phishing. If you download Firefox (and if you haven't yet, you are now classified as too insecure to be permitted to browse) you can see these when you go to your banking site. On the bottom right, there is a little box containing the domain that is seen by the browser. Also, notice how the URL bar changes colour.

Get used to these things, as they are about the only things protecting you from phishing.

More is needed, however, much much more. Whilst I am somewhat ecstatic that Mozilla programmers have started on this journey, the amount done so far is dwarfed by what would be required to fully address phishing in the browser, and no other manufacturer of browsers seems to have even woken up yet.

(Just briefly, the Certificate Authority needs to be shown. Further, the cert needs to "tracked" by the browser, and a relationship built up. I've suggested a usage count - 100 times to this site, you must like it! Amir and Ahmad have suggested that the user sign off on the cert and even coded it up as Trustbar, while Tyler has suggested the use of petnames for the user's idea of what each site is. They all have their purposes and benefits, and a solution that used all of these and more would be very powerful against phishing. Oh, and all this needs to be "in the face" and not discretely hidden down in some forgotten corner.)

Most of this was known in 2003, by one means or another. But even though we have now to all intents and purposes had a full year of devastating losses due to phishing (more money lost than was ever spent on SSL certs) we still can't say with any degree of confidence that people understand that the browser is being attacked and the browser is where the defences should be placed.

Addendum 2004-12-23: John Leyden wrote this 2004 security review for The Register which echoes a similar message.
Also, In 2005, Organized Crime Will Back Phishers we can take as an echo, given that we already saw it in 2004!

Addendum 2005-09-03; new paper on The Economy of Phishing.

Burglary that called in its own "burglary in progress..."

Some targets have their own security for certain threats. Here's a case of a burglary that went wrong, when the crooks tried to lift the circuit boards that drove the 911 system in the district!

A Burglary Foiled by Calls That Didn't Reach 911
By MARC SANTORA Published: November 27, 2004

The plan seemed simple enough. The building had been cased and the burglars knew exactly what they wanted - advanced computer circuit panels that could be sold on the black market for hundreds of thousands of dollars.

The night before Thanksgiving, about 8 p.m., they entered the Verizon building in White Plains undetected and set to work.

But as the criminals removed the panels, they soon triggered problems across Westchester County. Most problematic, 911 systems across the region began to crash. By the time some 150 panels were removed, roughly 25,000 people had lost 911 service.

At 9:51 p.m., the White Plains Police received a call alerting them to the fact that there might be a problem at the Verizon building. Still unaware that burglars were at work inside, a patrol car rolled up to the site, according to Inspector Daniel Jackson.

...

NY Fed hit by inside saboteur?

Another day, another threat. Here's the story of an electrician who was caught using a strange device with strange wires inside the electronic bowels of the New York Federal Reserve. Rather than pre-judge this one, I'll put my say in the comments on the site. You be the judge!

http://www.nydailynews.com/front/story/251774p-215484c.html

How a guy's gizmo spread fear at Fed

BY THOMAS ZAMBITO
DAILY NEWS STAFF WRITER

It nearly sparked a financial catastrophe.

An electrician's homemade gadget wreaked havoc on the Federal Reserve Bank of New York, causing computer convulsions at a facility that houses the world's biggest cash vault, the Daily News has learned.

The foulup short-circuited the career of journeyman electrician John Cravetts, who was fired though he insists he meant no harm.

But it could have been much worse, according to papers filed in Manhattan Federal Court.

"The results could have been catastrophic," said Barry Schindler, an attorney for the New York Fed.

Fed officials say they might have had to shut down computers that process some $2.5 trillion in funds and securities payments and $4 billion in checks every day.

Fortunately, backup systems kicked in after the Nov. 17, 2002, incident.

The heavily guarded facility in East Rutherford, N.J., is also home to a vault that handles more than $1 billion in currency, coins and food coupons.

Cravetts, 62, was canned two weeks after the incident. A surveillance tape caught him using the crude device - two red wires strung between an ordinary household switch and plug.

He later filed an age discrimination suit and also charged his firing was retaliation for reporting an electrocution hazard at the facility where he'd worked for almost 10 years.

Manhattan Federal judge Harold Baer tossed out Cravetts' claim this week.

"I had an unblemished record," Cravetts told The News yesterday.

"What I did was in good faith. I did not do anything malicious," added the licensed electrician, who has since found a new job. "What do they think I'm going to do, sabotage it?"

Although Fed attorneys presented a near-doomsday scenario in court filings, Fed spokesman Peter Bakstansky downplayed the incident yesterday.

"There was no point at which the operations of the Fed were in danger," Bakstansky said. "We stopped him. ... We have a lot of redundancy."

Cravetts had been asked to locate circuit breakers on the Fed computers that had not been properly labeled.

He used his gizmo to conduct the search, plugging it in and tripping breakers, knocking out power as he went along.

Cravetts told The News his superiors knew he used the device. He had made four of them at work.

Fed attorneys say he should have used a device that sends a harmless tone back to the breaker and doesn't cause disruptions.

Cravetts said that for more than a year, he had asked his bosses to order the manufactured device needed for the job, but they never did.

Originally published on November 11, 2004

Kids' Secret Cells - defeating security by learning

Following on from recent reports that the UK and the US are trialling advanced back-scatter millimetre radar scanners that see through clothing ... comes this story about how school children are defeating security systems to sneak their cell phones into school. See the article below for the basic techniques.

The lesson for those who aren't familiar with security is not what they did, but how they discovered it. Basically, we can guess that the school children tried different measures, discarded those that didn't work, and shared those that did. In other words, a learning attack.

Which, incidentally, we should find quite encouraging, right? After all, that's what school is about.

Getting back to the wider security implications, the question is whether other security systems are secured against attackers who can learn.

========================================

KIDS' SECRET 'CELLS'
By MATTHEW SWEENEY

October 25, 2004 -- Savvy students are figuring out all kinds of ways to get their cellphones past metal-detectors and school-security staff at city high schools, where the devices are banned.

Kids at Martin Luther King Jr. HS on the Upper West Side put the phones behind a belt buckle - and blame the buckle for the beeping metal-detector.

Some girls hide the phones where security guards won't look - in their bras or between their legs.

"You tell them you're wearing an underwire bra," said Gleneshia Jesquith, 17. "What are they going to do, strip us apart for a cellphone?"

"They put the phone in their thighs and they walk in with their legs together through the metal-detector," said Lauree, 16, another MLK student. La Guardia HS, across the street from King, has no metal-detectors, and lets students keep cellphones under what a staffer called an "as long as we don't see it" approach to the city's policy.

"There's a ban, but it's not enforced," said a La Guardia staffer, who declined to give her name.

So La Guardia students keep cellphones off and out of sight, and take advantage of the school's hallway "mood lighting" to make calls from darkened corners.

La Guardia even has an area in the lobby set aside for kids to make emergency calls.

Some approaches don't always work.

"I put my phone in between two pieces of bread and wrapped it in tin foil," said Lauren Nocco, 15, a sophomore at James Madison HS in Brooklyn.

The school took away her phone - and won't give it back until a parent retrieves it.

Mom-and-pop businesses near schools are getting more traffic from the ban.

Madison Deli, near James Madison HS, stores kids' cellphones in labeled paper bags behind the counter while they're in school. When school's out, kids surge into the deli to pick up their phones - and buy drinks and snacks.

The owner, Timothy Thompson, doesn't charge for the phone-storage service - but he does require the kids to bring in their own self-labeled paper bags.

"This is a good school," Thompson said. "They're good kids. Without them, we wouldn't be here."

e-gold to track Cisco extortioner

In line with my last post about using payment systems to stupidly commit crimes, here's what's happening over in the hacker world. In brief, some thief is trying to sell some Cisco source code he has stolen, and decided to use e-gold to get the payout. Oops. Even though e-gold has a reputation for being a den of scammers, any given payment can be traced from woe to go. All you have to do is convince the Issuer to do that, and this case, e-gold has a widely known policy of accepting any court order for such work.

The sad thing about these sorts of crooks and crimes is that we have to wait until they've evolved by self destruction to find out the really interesting ways to crack a payment system.

E-gold Tracks Cisco Code Thief
November 5, 2004 By Michael Myser

The electronic currency site that the Source Code Club said it will use to accept payment for Cisco Systems Inc.'s firewall source code is confident it can track down the perpetrators.

Dr. Douglas Jackson, chairman of E-gold Ltd., which runs www.e-gold.com, said the company is already monitoring accounts it believes belong to the Source Code Club, and there has been no activity to date. ADVERTISEMENT

"We've got a pretty good shot at getting them in our system," said Jackson, adding that the company formally investigates 70 to 80 criminal activities a year and has been able to determine the true identity of users in every case.

On Monday, a member of the Source Code Club posted on a Usenet group that the group is selling the PIX 6.3.1 firewall firmware for $24,000, and buyers can purchase anonymously using e-mail, PGP keys and e-gold.com, which doesn't confirm identities of its users.

PointerClick here to read more about the sale of Cisco code.

"Bad guys think they can cover their tracks in our system, but they discover otherwise when it comes to an actual investigation," said Jackson.

The purpose of the e-gold system, which is based on 1.86 metric tons of gold worth the equivalent of roughly $25 million, is to guarantee immediate payment, avoid market fluctuations and defaults, and ease transactions across borders and currencies. There is no credit line, and payments can only be made if covered by the amount in the account. Like the Federal Reserve, there is a finite value in the system. There are currently 1.5 million accounts at e-gold.com, 175,000 of those Jackson considers "active."

eWEEK.com Special Report: Internet Security To have value, or e-gold, in an account, users must receive a payment in e-gold. Often, new account holders will pay cash to existing account holders in return for e-gold. Or, in the case of SCC, they will receive payment for a service.

The only way to cash out of the system is to pay another party for a service or cash trade, which Jackson said creates an increasingly traceable web of activity.

He did offer a caveat, however: "There is always the risk that they are clever enough to figure out an angle for offloading their e-gold in a way that leads to a dead end, but that tends to be much more difficult than most bad guys think."

This is all assuming the SCC actually receives a payment, or even has the source code in the first place.

PointerDavid Coursey says securing source code must be a priority. Read about it here.

It's the ultimate buyer beware-the code could be made up, tampered with or may not exist. And because the transaction through e-gold is instantaneous and guaranteed, there is no way for the buyer to back out.

Next Page: Just a publicity stunt?

Dave Hawkins, technical support engineer with Radware Inc. in Mahwah, N.J., believes SCC is merely executing a publicity stunt.

"If they had such real code, it's more likely they would have sold it in underground forums to legitimate hackers rather than broadcasting the sale on Usenet," he said. "Anyone who did have the actual code would probably keep it secret, examining it to build private exploits. By selling it, it could find its way into the public, and all those juicy vulnerabilities [would] vanish in the next version."

PointerFor insights on security coverage around the Web, check out eWEEK.com Security Center Editor Larry Seltzer's Weblog.

"There's really no way to tell if this is legitimate," said Russ Cooper, senior scientist with security firm TruSecure Corp. of Herndon, Va. Cooper, however, believes there may be a market for it nonetheless. By posting publicly, SCC is able to get the attention of criminal entities they otherwise might not reach.

"It's advertising from one extortion team to another extortion team," he said. "These DDOS [distributed denial of service] extortionists, who are trying to get betting sites no doubt would like to have more ways to do that."

PointerCheck out eWEEK.com's Security Center for the latest security news, reviews and analysis.

Phishing - companies are mostly powerless

The media is talking about some report that calls for companies to cooperate and not display information on web sites as an aid on phishing [1][2]. Yeah, that'll make a difference. Over in Korea they are reporting some little group arrested after selling an estimated 6 million user profiles [3].

That's one company that we don't want anywhere near our data; but unfortunately that's how it happens. Asking companies to get involved in phishing is like asking cops to get involved in crime. Sure, they can do something, but only afterwards. The phish happens between the phisher and the user. The only thing that's constant between the two is the browser. The thing that happens afterwards is that the company gets it in the neck.

So you have a choice of three possibilities. Educate the user, "educate" the phisher, or stop it at the browser. One doesn't need a PhD in security to recognise the company isn't present in that little equation, and education of the user is like telling the crime victim to stay clear of crime next time.

Only attention to the browser has any merit whatsoever, as its the only agent that can tell the difference. It's the only one with a security model that implementors can adjust. It's the only one with some crypto blah blah - stuff that could make a difference [4]. Luckily for phishers, the crypto is currently widely deployed pointing in the wrong direction.

One thing caught my eye. Markus Jacobsson (who must have been missreported) has submitted this report to the annual Financial Cryptography conference. Well, that makes sense. If phishing isn't a fraud involving finance, crypto, software engineering, governance of data, and a whole lot in between, then ... what else is FC?

( While we're on the depressing subject of phishing, here's an interesting report: most of the attacks come from a stable set of 1000 or so (hacked DSL) machines and it is claimed that there are only a very few groups, and maybe only one involved [5]. I don't believe it, but it's food for thought. )

[1] Identity thieves' 'phishing' attacks could soon get a lot nastier
[2] Identity thieves' "phishing" attacks could soon get a lot nastier
[3] Six Million People Have Personal Information Stolen
[4] See for example the work that Amir Herzberg and Ahmad Gbara are doing at
Protecting (even) Naïve Web Users, or: Preventing Spoofing and Establishing Credentials of Web Sites
[5] Phishing attacks may be coming from your computer

Great intro to social engineering - "Catch me if you can"

Now appearing on the not-ridiculously-priced racks at your local supermarket, the film "Catch me if you can" follows the life of a young fraudster in the 1960s. Frank Abagnale followed his heart if not his elders and developed strong techniques in how to engineer his way into many a closed shop.

Systems that he breached: medical practice, law, airline pilots, family. All systems that owed their security more to their marketing and belief systems than to good technology. Oh, yes, and he "kited" a lot of checks along the way, as the Americans would say.

What strikes is the successful integration of different techniques into a concerted attack. Yes Abagnale presented a fraudulent cheque or two. And yes, the system was pretty darn bad in those days. But it was the way he integrated his different social engineering approaches together that made the difference, not the single issue of credit or reliance on pieces of paper.

The film is well worth seeing for the financial cryptographer. It's integrated, balanced, and it includes little or no crypto. Just like the real world! Oh, and it's also a fun film for all the family, which makes it shareable with those who exercise patience in our lives.

Know your enemy - Interview with a hacker

"Knowing what makes your antagonist tick is the key to getting the result you want," says a hacker who's being pursued by journalists and the FBI. Computer Weekly interviewed him and he came out with some answers worth pondering.

Wednesday 6 October 2004
Know your enemy

A young Asian hacker who easily penetrated the databases of several large US corporations, and whose exploits made him a top target for the FBI, offers advice for dealing with foreign cybercriminals.

"Knowing what makes your antagonist tick is the key to getting the result you want," he says.

Do you think it is more difficult to hack into US corporate networks today than it was four years ago?

If we are talking about the network that existed four years ago and exists now, then it would probably be more difficult, especially if during those years a given target had experienced trespasses by hackers.

If it is a recently developed network, then chances to get access are probably better.

In general it is easier for hackers to get access to networks in countries with growing and well-developed economies, because such companies have resources to expand their networks.

In third-world countries the companies do not have the ability or resources to expand the networks, so they have to fine-tune them and work with what they have.

Should US companies worry about hackers in Russia and other countries?

Hackers from countries where the economy is less developed than the US are more motivated by money than by pride when they start trespassing on US companies - as opposed to US hackers, who are motivated more by pride than money. (There are many other ways that you can make money in the US.)

Also, money is a stronger motivator than pride. That's why people motivated by money are more dangerous. Hackers are businesspeople [if they are motivated by money]. In most cases, they are probably just having difficulties in their countries finding and exploring opportunities to work.

If a company that is hacked into can explore with a hacker his or her talents in a more peaceful way, the victim can only benefit. If these hackers are businesspeople, they can be redirected by being offered a better deal than the one they might get by creating pressure through hacking.

I deeply believe in this point. It is hard, however, to generalise too much because every case involves different kinds of people and different circumstances.

What security measures offer the best protection against hackers?

Keep the hackers occupied if you recognise them as a threat. This might be similar to what some countries have done with their nuclear scientists - Russia, for example, keeps them under close supervision and treats them well, but above all keeps them busy professionally.

Is there a certain type of network that is particularly easy to hack?

There are two types. First, those that develop custom software. They usually invest money in developing the features that software provides, but often forget about securing parts of this software.

The second type is where there is a breach in the company's infrastructure. It is not the hacking per se that is dangerous; what should concern the company is being taken advantage of by the use of that information.

For example, if one got account numbers of users of PayPal, the hacker could then contact the users in huge numbers and attempt various kinds of fraud.

Will security technologies ever be able to keep hackers out, or will hackers always find a way into corporate networks?

Software and hardware can be improved to protect against trespasses. But then hackers will concentrate on security breaches in the infrastructure of a company, or do "social engineering".

The ultimate goal is to obtain information for subsequent use, and hacking is just one of the many ways to obtain it.

Hurricanes reduce Spam

TechWeb reports that the hurricanes that gave Florida a good whipping over September seemed to drop the amount of spam seen on the net. The reason? It's suggested that "A lot of the biggest spammers are based in and around Boca Raton, Florida... When their power went out, they weren't able to spam."

Well, there you go. For once, I have no polite comment ...

The DDOS dilemma - change the mantra

The DDOS (distributed denial of service) attack is now a mainstream threat. It's always been a threat, but in some sense or other, it's been possible to pass it off. Either it happens to "those guys" and we aren't effected. Or, the nuisance factor of some hacker launching a DOS on our ISP is dealt with by waiting.

Or we do what the security folks do, which is to say we can't do anything about it, so we won't. Ignoring it is the security standard. I've been guilty of it myself, on both sides of the argument: Do X because it would help with DOS, to which the response is, forget it, it won't stop the DOS.

But DOS has changed. First to DDOS - distributed denial of service. And now, the application of DDOS has become over the last year or two so well institutionalised that it is a frequent extortion tool.

Authorize.com, a processor of credit cards, suffered a sustained extortion attack last week. The company has taken a blow as merchants have deserted in droves. Of course, they need to, because they need their payments to keep their own businesses alive. This signals a shift in Internet attacks to a systemic phase - an attack on a payment processor is an attack on all its customers as well.

Hunting around for some experience, Gordon of KatzGlobal.com gave this list of motives for DDOS:

• #1. Revenge Attack. A site may have ripped off someone and in revenge they ddos the site or hire it out. You can actually hire this service like a website hitman. $50 to kill your site sort of thing from most eastern block countries. Did I just coin something? The Webhit.
• #2. Field Reduction: Say I no longer like Robert and he no longer likes me and we get into a pissing match and we ddos each other... Or say we were jerks and didn't want any competition at all. We could ddos all of our competitiors into oblivion. This type of thing happens more than you might think.
• #3. Enacting God's Will: These are the DDOSERS from GOD. They are rightous and they ddos sites that do not align with their views on the world.
• #4. HYIPer Dossers: If anything looks scammy about a HYIP (high yield investment programme) site there is a particular DDOS team running around out there who ddosses HYIPs damn near on a daily basis. This falls into category 3 and 5 below:
• #5. Extortioners: Hackers or wannabees usually from Eastern European countries (usually) trying to make a living becasue their governemnt could gve a crap what they do to us citizens in general.

Great list, Gordon! He reports that extortion attacks are 1 in 100 of the normal, and I'm not sure whether to be happier or more worried.

So what to do about DDOS? Well, the first thing that has to be addressed is the security mantra of "we can't do anything about it, so we'll ignore it." I think there are a few things to do.

Firstly, change the objective of security efforts from "stop it" to "not make it worse." That is, a security protocol, when employed, should work as well as the insecure alternative when under DOS conditions. And thus, the user of the security protocol should not feel the need to drop the security and go for the insecure alternative.

Perhaps better put as: a security protocol should be DOS-neutral.

Connection oriented security protocols have this drawback - SSL and SSH both add delay to the opening of their secure connection from client to server. Packet-oriented or request-response protocols should not, if they are capable of launching with all the crypto included in one packet. For example, OpenPGP mail sends one mail message, which is exactly the same as if it was a cleartext mail. (It's not even necessarily bigger, as OpenPGP mails are compressed.) OpenPGP is thus DOS-neutral.

This makes sense, as connection-oriented protocols are bad for security and reliability. About the best thing you can do if you are stuck with a connection-oriented architecture is to turn it immediately into a message-based architecture, so as to minimise the cost. And, from a DOS pov, it seems that this would bring about a more level playing field.

A second thing to look at is to be DNS neutral. This means not being slavishly dependent on DNS to convert ones domain names (like www.financialcryptography.com) into the IP number (like 62.49.250.18). Old timers will point out that this still leaves one open to an IP-number-based attack, but that's just the escapism we are trying to avoid. Let's close up the holes and look at what's left.

Finally, I suspect there is merit in make-work strategies in order to further level the playing field. Think of hashcash. Here, a client does some terribly boring and long calculation to calculate a valid hash that collides with another. Because secure message digests are generally random in their appearance, finding one that is not is lots of work.

So how do we use this? Well, one way to flood a service is to send in lots of bogus requests. Each of these requests has to be processed fully, and if you are familiar with the way servers are moving, you'll understand the power needed for each request. More crypto, more database requests, that sort of thing. It's easy to flood them by generating junk requests, which is far easier to do than to generate a real request.

The solution then may be to put guards further out, and insist the client matches the server load, or exceeds it. Under DOS conditions, the guards far out on the net look at packets and return errors if the work factor is not sufficient. The error returned can include the current to-the-minute standard. A valid client with one honest request can spend a minute calculating. A DDOS attack will then have to do much the same - each minute, using the new work factor paramaters.

Will it work? Who knows - until we try it. The reason I think of this is that it is the way many of our systems are already structured - a busy tight center, and a lot of smaller lazy guards out front. Think Akamai, think smart firewalls, think SSL boxes.

The essence though is to start thinking about it. It's time to change the mantra - DOS should be considered in the security equation, if only at the standards of neutrality. Just because we can't stop DOS, it is no longer acceptable to say we ignore it.

Eavesdropping threats: Listening to chat

In the IHT, Hal Varian reports analysis of 1.5 million messages from online trading chat rooms [1]. Two researchers, Werner Antweiler and Murray, used their statistical tools and were able to glean a few clues and predictions for markets trades [2].

Not terrifically much, it seems, but that's to be expected if one follows the efficient market hypothesis. However, it's not that far off a scam or two that's been going on. Allegedly, I hear, rumour has it, and all normal caveats....

The place to look at is not the public chat rooms, which anyone will tell you is mostly noise, but the private places. The chat community of choice is the traders in the large banks. To get access to their chat, which is much more focused on big and real trading, you either have to be an insider, or very cunning.

The cunning way to do it is to attract the traders to get into your own chatroom and encourage them to think about trading. This can be done by setting up a fantasy trading system. In these systems, you post trades that are nominal or virtual, and encourage traders to get involved and play. It's a bit like fantasy football, if you've seen that. As traders do well on the predictions, they get rewarded, with value that is "outside" their normal salary system in some sense or other (extra points if the rewards can be delivered tax free!).

So the traders are encouraged to reveal the insider secrets of their employer banks in order to score big in the game. Is it that simple? Yup. Traders really don't care about the secrets, but they sure as hell care about scoring big in the games ... and perversely, the banks enourage this behaviour as they go hunting for analysts who've proven themselves in the game world!

Then, of course, the system operator takes all the chat and all the trades and pumps it into their black boxes. Out spews the predictions, the operator passes it on to another sister company who arbitrages the banks, and they make out like bandits.

Here's how the insider does it. Being on the inside, and being able to tap directly into the networks, one can collect all the trader and analyst chat in real time, and pump it into an analytics engine. Then out comes all the predictions ... so far so good.

But, if the insider does all this, they need some infrastructure, and it's hard to do that without getting noticed. Not to mention that if they were able to make a trade, they'd be betting against their own bank!

So one could be excused for thinking this was unlikely. Until the advent of the mutual funds scandal that is, where we discover all sorts of egregious behaviour, including mutual funds trading against their own parent manager banks [3]. In that scandal, many mutual funds were operated by major banks or other large institutions. Some of them, it seems, were simply listening to all the insider info, analysing it, and betting against their own organisation.

What's going on here? Well, the mistake of the outsider is two-fold: firstly, to assume that the bank operates with one goal in mind, and secondly to assume that if they bet against their own trades, they are stealing their own money.

It turns out that all the trading that they are arbitraging is trades of clients. For which fees are earnt, in a competitive framework. So as long as the client doesn't know, nobody cares. And, it turns out that what with Chinese walls and results-oriented management, there is no problem whatsover with one department betting against another; some banks even do it as a matter of policy.

So, what we have is a fairly aggressive framework where managers of mutual funds are sucking their own trading floors for profits. Where it gets eggregious would be if they are doing it via insider information - chat, for example. And if they are doing it in such a fashion where the insiders that are getting paid off are keeping the scam a secret: encouraging the traders to reveal and perform worse than they otherwise would.

Of course, we don't know where or if this precise scam is going on. But, all the building blocks are in place: the means, the motive, the weapon. It would be a shock to me if it wasn't a done deal.

Hal R. Varian NYT Friday, September 24, 2004

Online messages presage active trading

Talk is cheap, particularly on the Internet. Stock message boards are a case in point. Every day, participants post tens of thousands of tips about which way various stocks are heading. Is any of this worth reading?

Recently, two financial economists from the University of British Columbia, Werner Antweiler and Murray Frank, examined the message board phenomenon in a paper titled "Is All That Talk Just Noise? The Information Content of Internet Stock Message Boards," published in the June 2004 issue of The Journal of Finance.

They collected more than 1.5 million messages from two online boards, Yahoo Finance and Raging Bull, and analyzed them using methods of computational linguistics and econometrics.

The computational linguistics techniques allowed them to classify messages with respect to whether they advocated buying, holding, or selling the stock in question. Most of the messages were short and direct, allowing the algorithms to do a pretty good job of classification.

Antweiler and Frank then merged the estimated buy, sell or hold signals into one "bullishness measure," which was a slightly modified version of the ratio of buy to sell recommendations.

During the period they examined in their article, January to December 2000, the Internet bubble dissipated. Bullish messages, however, continued to proliferate.

But did the message volume, timing, and sentiment forecast anything useful? The three most interesting features of a stock on a given day are its return, its volume and its volatility.

The authors found that the characteristics of messages helped predict volume and volatility. Perhaps more surprisingly, they also found that the number of messages on one day helped predict stock returns the next day. The degree of predictability, however, was weak and reversed itself the next trading day.

The bullish sentiment of messages was positively associated with contemporaneous returns, but has no predictive power for future returns. Traders post bullish messages about a given stock on days when its price goes up, but it is hard to determine which way the causation runs. Since postings do not predict future returns, it may be that the returns cause the postings.

The story was different with respect to volatility. It appeared that the more messages posted about a stock one day, the higher its volatility was the next day.

Trading volume was also correlated with messages. However, the apparent causation here was somewhat subtle. Message posting appeared to cause volume when the researchers examined daily data. But when they looked at the market at 15-minute intervals, trading volume seemed to cause messages.

One hypothesis consistent with these observations about volume and messages was that people might tend to post messages shortly after buying a stock. Even though there are two sides to every trade, the seller has little incentive to brag about the dog he just unloaded, while the buyer has a strong incentive to recommend that others buy the stock he has just purchased.

The authors conclude that the talk on message boards is not just noise. Though the predictive power for returns is too small to be meaningful, message board activity does seem to help predict volatility and volume. Varian is a professor of business, economics and information management at the University of California at Berkeley.

[1] Hal R. Varian NYT, "Internet stock talk may have statistical meaning"
[2] Werner Antweiler and Murray Frank, "Is All That Talk Just Noise? The Information Content of Internet Stock Message Boards," published in the June 2004 issue of The Journal of Finance.
[3] James Nesfield and Ian Grigg, Mutual Funds and Financial Flaws, testimony to the U.S. Senate's finance subcommittee, 27th January 2004.

The Node is the Threat

Slowly, inch by inch, by hack and by phish, the Internet security community is coming to realise that the Node is the Threat, and the Wire is incidental. The military-inspired security textbooks of the 80s that led to 90s security practice never had much relevance for the net, simply because in military and national security places, the nodes were well guarded. It was the antennas of the NSA and the GRU that those guys were focused on.

Whether you agree with the following judgement or not (and one judge did not), it highlights how the node is where the action is [1]. If you secure the wire and ignore the node, then you've only done a tiny part of the job. Probably still worth doing, but don't hold any illusions as to the overall security benefit, and don't sell any of those illusions to the customer.

[1] See also the Wired article on E-Mail Snooping Ruled Permissible and the court record.

ISPs Can Check E-Mail

By Roy Mark July 1, 2004

Backed by the clear, though perhaps out-of-date, language of the Wiretap Act, e-mail providers have the right to read and copy the inbound e-mail of their clients, a federal appeals court ruled Wednesday. The decision sparked howls of protest from privacy advocates, despite immediate assurances from some of the nation's largest ISPs that they would never engage in such practices.

The U.S. Court of Appeals for the 1st Circuit in Boston voted 2-1 Wednesday to uphold the dismissal of a 2001 indictment against Branford C. Councilman, the vice president of now-defunct Interloc Inc., a rare and out-of-print books site.

The U.S. district attorney for Massachusetts charged Councilman, who maintained an e-mail service for his clients, with illegal wiretapping for making copies of e-mail sent to his clients from Amazon.com. The district attorney claimed Councilman copied the e-mail to gain a competitive advantage.

But Councilman's attorneys argued his actions were within the legal limits, because he did not intercept the messages in transit. E-mail, often only momentarily, is routed through servers. The U.S. District Court for Massachusetts ultimately ruled that counted as storage and dismissed the indictment.

Yesterday's decision echoed that ruling in voting to uphold the indictment dismissal, saying e-mail does not enjoy the same eavesdropping protections as telephone conversations, because it is stored on servers before being routed to recipients.

Samantha Martin of the Massachusetts district attorney's office said, "We are still in the process of reviewing that decision and weighing our options on what steps to take next."

The two-judge majority deferred to the language of the Wiretap Act, noting it prohibits the unauthorized interception and storage of "wire communications," but only makes reference to the interception of "electronic communications."

"The Wiretap Act's purpose was, and continues to be, to protect the privacy of communications. We believe that the language of the statute makes clear that Congress meant to give lesser protection to electronic communications than wire and oral communications," Appeals Court Judge Juan R. Torruella wrote. "Moreover, at this juncture, much of the protection may have been eviscerated by the realities of modern technology."

"We observe, as most courts have, that the language may be out of step with the technological realities of computer crimes," Torruella wrote. "However, it is not the province of this court to graft meaning onto the statute where Congress has spoken plainly."

In his dissenting opinion, Appeals Court Judge Kermit V. Lipez said there is no distinction between the electronic transmission and storage of e-mail.

"All digital transmissions must be stored in RAM or on hard drives while they are being processed by computers during transmission," Lipez wrote. "Every computer that forwards the packets that comprise an e-mail message must store those packets in memory while it reads their addresses, and every digital switch that makes up the telecommunications network through which the packets travel between computers must also store the packets while they are being routed across the network."

Lipez concluded: "Since this type of storage is a fundamental part of the transmission process, attempting to separate all storage from transmission makes no sense."

America Online, EarthLink (Quote, Chart) and Yahoo (Quote, Chart), three of the country's largest ISPs, all have privacy policies prohibiting them from reading customer e-mail, except in the case of a court order.

"Consistent with Yahoo's terms of service and privacy policy, we do not monitor user communications," said Yahoo spokeswoman Mary Osako said.

Also jumping to the ISP defense was EarthLink spokeswoman Carla Shaw.

"EarthLink has a long history of protecting customer privacy, and that protection extends to e-mail," she said. "We don't retain copies of customer e-mail, and we don't read customer e-mail."

But this does little to alleviate the concerns of folks like Kevin Bankston, an attorney for the online privacy group Electronic Frontier Foundation.

"By interpreting the Wiretap Act's protections very narrowly," Bankston said in a statement, "this court has effectively given Internet communications providers free reign to invade the privacy of their users for any reason and at any time."

Bankston added that the law "has failed to adapt to the realities of Internet communications and must be updated to protect online privacy."

DNS spoofing - spoke too soon?

Just the other day, in discussing VeriSign's conflict of interest, I noted that absence of actual theft-inspired attacks on DNS. I spoke too soon - The Register now reports that the German eBay site was captured via DNS spoofing.

What makes this unusual is that DNS spoofing is not really a useful attack for professional thieves. The reason for this is cost: attacking the DNS roots and causing domains to switch across is technically easy, but it also brings the wrath of many BOFHs down on the heads of the thieves. This doesn't mean they'll be caught but it sure raises the odds.

In contrast, if a mail header is spoofed, who's gonna care? The user is too busy being a victim, and the bank is too busy dealing with support calls and trying to skip out on liability. The spam mail could have come from anywhere, and in many cases did. It's just not reasonable for the victims to go after the spoofers in this case.

It will be interesting to see who it is. One thing could be read from this attack - phishers are getting more brazen. Whether that means they are increasingly secure in their crime or whether the field is being crowded out by wannabe crooks remains to be seen.

Addendum 20040918: The Register reports that the Ebay domain hijacker was arrested and admitted to doing the DNS spoof. Reason:

"The 19 year-old says he didn't intend to do any harm and that it was 'just for fun'. He didn't believe the ploy was possible.

So, back to the status quo we go, and DNS attacks are not a theft-inspired attack. In celebration of the false alert to a potential change to the threats model, I've added a '?' to the title of this blog.

VeriSign's conflict of interest creates new threat

There's a big debate going on the US and Canada about who is going to pay for Internet wire tapping. In case you hadn't been keeping up, Internet wire-tapping *is* coming. The inevitability of it is underscored by the last ditched efforts of the ISPs to refer to older Supreme Court rulings that the cost should be picked up by those requiring the wire tap. I.e., it's established in US law that the cops should pay for each wiretap [1].

I got twigged to a new issue by an article [2] that said:

"To make wiretapping possible, Internet phone companies have to buy equipment and software as well as hire technicians, or contract with VeriSign or one of its competitors. The costs could run into the millions of dollars, depending on the size of the Internet phone company and the number of government requests."

What caught me by surprise was the mention of Verisign. So I looked, and it seems they *are indeed* in the business of subpoena compliance [3]. I know most won't believe me, given their public image as a trusted ecommerce player, so here's the full page:

NetDiscovery Service for CALEA Compliance Complete Lawful Intercept Service VeriSigns NetDiscovery service provides telecom network operators, cable operators, and Internet service providers with a streamlined service to help meet requirements for assisting government agencies with lawful interception and subpoena requests for subscriber records. Net Discovery is the premier turnkey service for provisioning, access, delivery, and collection of call information from operators to law enforcement agencies (LEAs). Reduce Operating Expenses Compliance also requires companies to maintain extensive records and respond to government requests for information. The NetDiscovery service converts content into required formats and delivers the data directly to LEA facilities. Streamlined administrative services handle the provisioning of lawful interception services and manage system upgrades. One Connection to LEAs Compliance may require substantial capital investment in network elements and security to support multiple intercepts and numerous law enforcement agencies (LEAs). One connection to VeriSign provides provisioning, access, and delivery of call information from carriers to LEAs. Industry Expertise for Continued Compliance VeriSign works with government agencies and LEAs to stay up-to-date with applicable requirements. NetDiscovery customers benefit from quick implementation and consistent compliance through a single provider.

CALEA is the name of the bill that mandates law enforcement agency (LEA) access to telcos - each access should carry a cost. The cops don't want to pay for it, and neither do the suppliers. Not to mention, nobody really wants to do this. So in steps VeriSign with a managed service to handle wiretaps, eavesdropping, and other compliance tasks as directed under subpoena. On first blush, very convenient!

Here's where the reality meter goes into overdrive. VeriSign is also the company that sells about half of the net's SSL certificates for "secure ecommerce [4]." These SSL certificates are what presumptively protect connections between consumers and merchants. It is claimed that a certificate that is signed by a certificate authority (CA) can protect against the man-in-the-middle (MITM) attack and also domain name spoofing. In security reality, this is arguable - they haven't done much of a job against phishing so far, and their protection against some other MITMs is somewhere between academic and theoretical [5].

A further irony is that VeriSign also runs the domain name system for the .com and the .net domains. So, indeed, they do have a hand in the business of domain name spoofing; the trivial ease of mounting this attack has in many ways influenced the net's security architecture by raising domain spoofing to something that has to be protected against [6]. But so far nothing much serious has come of that [7].

But getting back to the topic of the MITM protection afforded by those expensive VeriSign certificates. The point here is that, on the one hand, VeriSign is offering protection from snooping, and on the other hand, is offering to facilitate the process of snooping.

The fox guarding the chicken coop?

Nobody can argue the synergies that come from the engineering aspects of such a mix: we engineers have to know how to attack it in order to defend it. This is partly the origin of the term "hacker," being one who has to crack into machines ... so he can learn to defend.

But there are no such synergies in governance, nor I fear in marketing. Can you say "conflict of interest?" What is one to make of a company that on the one hand offers you a "trustworthy" protection against attack, and on the other hand offers a service to a most likely attacker [8]?

Marketing types, SSL security apologists and other friends of VeriSign will all leap to their defence here and say that no such is possible. Or even if it was, there are safeguards. Hold on to that thought for a moment, and let's walk through it.

How to MITM the CA-signed Cert, in one easy lesson

Discussions on the cryptography list recently brought up the rather stunning observation that the Certificate Authority (CA) can always issue a forged certificate and there is no way to stop this. Most attack models on the CA had assumed an external threat; few consider the insider threat. And fair enough, why would the CA want to issue a bogus cert?

In fact the whole point of the PKI exercise was that the CA is trusted. All of the assumptions within secure browsing point at needing a trusted third party to intermediate between two participants (consumer and merchant), so the CA was designed by definition to be that trusted party.

Until we get to VeriSign's compliance division that is. Here, VeriSign's role is to facilitate the "provisioning of lawful interception services" with its customers, ISPs amongst them [9]. Such services might be invoked from a subpoena to listen to the traffic of some poor Alice, even if said traffic is encrypted.

Now, we know that VeriSign can issue a certificate for any one of their customers. So if Alice is protected by a VeriSign cert, it is an easy technical matter for VeriSign, pursuant to subpoena or other court order, to issue a new cert that allows them to man-in-the-middle the naive and trusting Alice [10].

It gets better, or worse, depending on your point of view. Due to a bug in the PKI (the public key infrastructure based on x.509 keys that manages keys for SSL), all CAs are equally trusted. That is, there is no firewall between one certificate authority and another, so VeriSign can issue a cert to MITM *any* other CA-issued cert, and every browser will accept it without saying boo [11].

Technically, VeriSign has the skills, they have the root certificate and now they are in the right place. MITM never got any easier [12]. Conceivably, under orders from the court Verisign would now be willing to conduct an MITM against its own customers and its own certs, in every place that it has a contract for LEA compliance.

Governance? What Governance?

All that remains is the question of whether VeriSign would do such a thing. The answer is almost certainly yes: Normally, one would say that the user's contract, the code of practice, and the WebTrust audit would prevent such a thing. After all, that was the point of all the governance and contracts and signing laws that VeriSign wrote back in the mid 90s - to make the CA into a trusted third party.

But, a court order trumps all that. Judges strike down contract clauses, and in the English common law and the UCC, which is presumably what VeriSign uses, a judge can strike out clauses in the law or even write an entire law down.

Further, the normal way to protect against over zealous insiders or conflicts of interests is to split the parties: one company issues the certs, and another breaches them. Clearly, the first company works for its clients and has a vested interest in protecting the clients. Such a CA will go to the judge and argue against a cert being breached, if it wants to keep selling its wares [13].

Yet, in VeriSign's case, it's also the agent for the ISP / telco - and they are the ones who get it in the neck. They are paying a darn sight more money to VeriSign to make this subpoena thing go away than ever Alice paid for her cert. So it comes down to "big ISP compliance contract" versus "one tiny little cert for a dirtbag who's probably a terrorist."

The subpoena wins all ways, well assisted by economics. If the company is so ordered, it will comply, because it is its stated goal and mission to comply, and it's paid more to comply than to not comply.

All that's left, then, is to trust in the fairness of the American juridical system. Surely such a fight of conscience would be publically viewed in the courts? Nope. All parties except the victim are agreed on the need to keep the interception secret. VeriSign is protected in its conflict of interest by the judge's order of silence on the parties. And if you've been following the news about PATRIOT 1,2, National Security Letters, watchlists, no-fly lists, suspension of habeus corpus, the Plame affair, the JTTF's political investigations and all the rest, you'll agree there isn't much hope there.

What's are we to do about it?

Then, what's VeriSign doing issuing certs? What's it doing claiming that users can trust it? And more apropos, do we care?

It's pretty clear that all three of the functions mentioned today are real functions in the Internet market place. They will continue, regardless of our personal distaste. It's just as clear that a world of Internet wire-tapping is a reality.

The real conflict of interest here is in a seller of certs also being a prime contractor for easy breachings of certs. As its the same company, and as both functions are free market functions, this is strictly an issue for the market to resolve. If conflict of interest means anything to you, and you require your certs to be issued by a party you can trust, then buy from a supplier that doesn't also work with LEAs under contract.

At least then, when the subpoena hits, your cert signer will be working for you, and you alone, and may help by fighting the subpoena. That's what is meant by "conflict of interest."

I certainly wouldn't recommend that we cry for the government to fix this. If you look at the history of these players, you can make a pretty fair case that government intervention is what got us here in the first place. So, no rulings from the Department of Commerce or the FCC, please, no antitrust law suits, and definitely no Star Chamber hearings!

Yet, there are things that can be done. One thing falls under the rubric of regulation: ICANN controls the top level domain names, including .net and .com which are currently contracted to VeriSign. At least, ICANN claims titular control, and it fights against VeriSign, the Department of Commerce, various other big players, and a squillion lobbyists in exercising that control [14].

It would seem that if conflict of interest counts for anything, removing the root server contracts from VeriSign would indicate displeasure at such a breach of confidence. Technically, this makes sense: since when did we expect DNS to be anything but a straight forward service to convert domain names into numbers? The notion that the company now has a vested interest in engaging in DNS spoofing raises a can of worms that I suspect even ICANN didn't expect. Being paid to spoof doesn't seem like it would be on the list of suitable synergies for a manager of root servers.

Alternatively, VeriSign could voluntarily divest one or other of the snooping / anti-snooping businesses. The anti-snooping business would be then a potential choice to run the DNS roots, reflecting their natural alignments of interest.

[1] This makes only sense. If the cops didn't pay, they'd have no brake on their activity, and they would abuse the privilege extended by the law and the courts.

[2] Ken Belson, Wiretapping on the Net: Who pays? New York Times, http://www.iht.com/articles/535224.htm

[3] VeriSign's pages on Calea Compliance and also Regulatory Compliance.

[4] Check the great statistics over at SecuritySpace.com.

[5] In brief, I know of these MITMs: phishing, click-thru-syndrome, CA-substitution. The last has never been exploited, to my knowledge, as most attacks bypass certificates, and attack the secure browsing system at the browser without presenting an SSL certificate.

[6] , D. Atkins, R. Austein, Threat Analysis of the Domain Name System (DNS), RFC 3833.

[7] There was the famous demonstration by some guy trying to get into the DNS business.

[8] Most likely? 'fraid so. The MITM is extraordinarily rare - so rare that it is unmeasurable and to all practical intents and purposes, not a practical threat. But, as we shall see, this raises the prospects of a real threat.

[9] VeriSign, op cit.

[10] I'm skipping here the details of who Alice is, etc as they are not relevent. For the sake of the exercise, consider a secure web mail interface that is hosted in another country.

[11] Is the all-CAs-are-equal bug written up anywhere?

[12] There is an important point which I'm skipping here, that the MITM is way too hard under ordinary Internet circumstances to be a threat. For more on that, see Who's afraid of Mallory Wolf?.

[13] This is what is happening in the cases of RIAA versus the ISPs.

[14] Just this week: VeriSign to fight on after ICANN suit dismissed
U.S. Federal District Court Dismisses VeriSign's Anti-Trust Claim Against ICANN with Prejudice and the Ruling from the Court.
Today: VeriSign suing ICANN again

Phishing Kits

James Sherwood of ZDNet reports: "Some Web sites are now offering surfers the chance to download free "phishing kits" containing all the graphics, Web code and text required to construct the kind of bogus Web sites used in Internet phishing scams. "

Some Web sites are now offering surfers the chance to download free "phishing kits" containing all the graphics, Web code and text required to construct the kind of bogus Web sites used in Internet phishing scams.

According to security firm Sophos, the kits allow users to design sites that have the same look and feel as legitimate online banking sites that can then be used to defraud unsuspecting users by getting them to reveal the details of their financial accounts.

"By putting the necessary tools in the hands of amateurs, it's likely that the number of attacks will continue to rise," said Graham Cluley, senior technology consultant at Sophos.

Sophos warned that many of the kits also contain spamming software that enables potential fraudsters to send out thousands of phishing e-mails with direct links to their do-it-yourself fraud sites.

"The emergence of these 'build your own phish' kits means that anyone can now mimic bona fide banking Web sites and convince customers to disclose sensitive information such as passwords," Cluley said.

Many online banking Web sites now carry messages urging users not to open any e-mail that they suspect may be fraudulent and to telephone their bank for further information if they do receive suspicious e-mail.

Phishing has become such a problem that there are now several online antiphishing guides to educate users about the con artists' common tricks.

James Sherwood of ZDNet UK reported from London

Paranoia Goes Better With Coke

Most threats are mundane and well known. Some are just plain silly. Then, there are some that slice through the over-paranoid security systems and make them look daft. Here's one. Is it a threat? You be the judge.

Paranoia Goes Better With Coke
Associated Press 09:57 AM Jul. 02, 2004 PT

There's a new security threat at some of the nation's military bases - and it looks uncannily like a can of Coke. Specially rigged Coke cans, part of a summer promotion, contain cell phones and global positioning chips. That has officials at some installations worried the cans could be used to eavesdrop, and they are instituting protective measures.

Coca-Cola says such concerns are nothing but fizz.

Mart Martin, a Coca-Cola spokesman, said no one would mistake one of the winning cans from the company's "Unexpected Summer" promotion for a regular Coke. "The can is dramatically different looking," he said. The cans have a recessed panel on the outside and a big red button. "It's very clear that there's a cell phone device."

Winners activate it by pushing the button, which can only call Coke's prize center, he said. Data from the GPS device can only be received by Coke's prize center. Prizes include cash, a home entertainment center and an SUV.

"It cannot be an eavesdropping device," he said.

Nonetheless, military bases, including the U.S. Army Armor Center at Fort Knox, Kentucky, are asking soldiers to examine their Coke cans before bringing them in to classified meetings.

"We're asking people to open the cans and not bring it in if there's a GPS in it," said Master Sgt. Jerry Meredith, a Fort Knox spokesman. "It's not like we're examining cans at the store. It's a pretty commonsense thing."

Sue Murphy, a spokeswoman for Wright-Patterson Air Force Base in Dayton, Ohio, said personal electronic devices aren't permitted in some buildings and conference rooms on base.

"We've taken measures to make sure everyone's aware of this contest and to make sure devices are cleared before they're taken in" to restricted areas, she said. "In the remote possibility a can were found in one of these areas, we'd make sure the can wasn't activated, try to return it to its original owner and ask that they activate it at home," she said. "It's just another measure we have to take to keep everyone out here safe and secure."

The Marine Corps said all personnel had been advised of the cans and to keep them away from secure areas.

Paul Saffo, research director at The Institute for the Future, a technology research firm, compared the concern about the Coke cans to when the Central Intelligence Agency banned Furbies, the stuffed toys that could repeat phrases.

"There are things generals should stay up late at night worrying about," he said. "A talking Coke can isn't one of them."

But Bruce Don, a senior analyst at the Rand Corp., said the military's concern is rational and appropriate.

"There's a lot of reason to worry about how that technology could be taken advantage of by a third party without Coke's knowledge," he said. "I wouldn't worry if one was in my refrigerator, but if you had a sensitive discussion or location, it's not inconceivable the thing could be used for something it was not designed for."

Martin said Thursday the world's largest soft drink maker has received phone calls inquiring about the promotion from Hill Air Force Base in Ogden, Utah, and from a military base in Anchorage, Alaska. The callers did not mention any concerns, and Coke has not been contacted by the bases in Ohio and Kentucky, Martin said.

Asked if Coke would curtail the promotional campaign because of the security issues raised, Martin said, "No. There's no reason to."

¿ Copyright 2004, Lycos, Inc. All Rights Reserved.
http://www.wired.com/news/technology/0,1282,64078,00.html

crypto wars - NSA the victor

Here's a long but worthwhile article full of clues as to how the NSA benefitted in the aftermath of the crypto wars of the 1990s [1]. In brief, there has been little impact on their operations, and massive net mining flags the few encrypted packets out there for further traffic analysis. On the whole, good stuff, for them.

It's pretty obvious that the NSA won the crypto wars, even if the net won some of the battles. Open source warriers managed to force the hugely uncrackable 128 bits and 1024 bits into open international distribution, but simply failed to deploy it in any significant numbers [2]. In some senses, we won the right to fight, and then went home feeling mighty chuffed with ourselves.

Director of NSA shifts to new path
Hayden makes changes to keep up with technology; 'He's had to move the culture'

By Scott Shane, Baltimore Sun National Staff, August 8, 2004

Last year, long before CIA Director George J. Tenet resigned in advance of a series of damning reports on intelligence failures before the Sept. 11, 2001, attacks, the chief of an even larger spy agency was quietly asked to extend his term.

Lt. Gen. Michael V. Hayden, director of the National Security Agency, was asked by Tenet and Defense Secretary Donald H. Rumsfeld to stay on as director until at least September 2005. The 6 1/2 -year term will make the three-star Air Force general by far the longest-serving NSA boss in the agency's 52-year history.

Hayden's survival amid the harsh assessment of pre-Sept. 11 intelligence may reflect his ability to turn around the gargantuan eavesdropping agency in an era of shifting technology and threats.

Even as stateless terrorists have replaced Soviet missile bases as the agency's prime target, so the boom in cell phones, the Internet and the spread of fiber-optic cable and computerized encryption have forced it to reinvent eavesdropping technology.

"The whole ballgame of where and how you collect signals intelligence changed," says Charles G. Boyd, a retired Air Force general who was executive director of the Hart-Rudman Commission on national security in the late 1990s and now heads Business Executives for National Security.

"And that's where [Hayden] has moved this institution. To do that, he's not only changed technologies and processes. He's had to move the culture itself, and that's very difficult to do."

Boyd knows Hayden well from their Air Force service and has followed his work at NSA closely. "As a manager of change and a manager of intelligence overall, I think Mike Hayden is the best we have," he says.

Agency changes

Matthew M. Aid, a respected intelligence historian in Washington who is writing a book on the NSA, says the changes under Hayden appear to be producing results.

"The al-Qaida operatives who are being tracked down and caught - that's largely the result of signals intelligence," which is spy lingo for the intercept of phone calls, e-mail and other messages that is NSA's turf, Aid says. "NSA is flush with cash. It's hiring thousands of new people. It's clearly an agency that's going places."

Some NSA veterans complain that Hayden "brought in corporate types who gave him Harvard Business School models" that "don't work for an intelligence agency," Aid says.

But the people at the CIA, the White House, the State Department and the Pentagon who receive NSA's reports see a difference, he says: NSA "has a lot more respect from intelligence consumers than it had when Hayden arrived in 1999."

The changes at NSA have been wrenching, with large numbers of veterans taking early retirement and contractors brought in to handle much of the agency's retooling. More than 22 percent of the agency's civilian work force has been hired since 2000, with more than 1,300 new employees expected to come on board this year, agency officials say.

Aid estimates that 25,000 civilian and military employees work on NSA's sprawling Fort Meade campus off the Baltimore-Washington Parkway, although the exact number is classified. At least an additional 10,000 eavesdroppers are scattered elsewhere in the United States and around the world, he says.

Many agency old-timers aren't happy, says retiree Mike Levin, who worked at the agency from 1947 to 1993. "I have a very negative view of General Hayden. Before he had a chance to know what was going on, he announced he was going to clean the place out," Levin says.

But others say the NSA was in need of radical surgery well before the Sept. 11 attacks.

"NSA was set up to monitor an enormous country, the Soviet Union, that didn't go anywhere," says James Bamford, author of two books on the agency. "It was never set up to follow individual terrorists around the world using phone cards, disposable cell phones and e-mail."

Of Hayden, Bamford says, "I think he's done about as good a job as anyone could do given the limitations."

In fact, the author says, the cerebral 59-year-old intelligence veteran, a Bulgarian linguist early in his career, might emerge as a candidate for the post of national intelligence director proposed by the Sept. 11 commission.

Keeping up

When Hayden arrived in March 1999, the agency was by all accounts hurting. Its budget had been cut by about a third since the height of the Cold War, but it had to devise new intercept systems to keep up with what Hayden calls "the greatest revolution in communications since Gutenberg discovered movable type."

The shift of international communications traffic from satellites and microwave links to hard-to-tap fiber-optic cables posed a major challenge. Encryption described by NSA officials as impossible to break was spreading. National magazine stories on the secret agency began to ask: Is the NSA going deaf?

Then, in January 2000, a huge computer crash took the agency offline for days, dramatizing the need for an updated infrastructure.

Russian linguists were in oversupply, while there was an extreme shortage of speakers of Arabic and other languages more relevant to terrorism. Older employees who had mastered radio and microwave intercepts were not so adept at monitoring cellular networks and the Internet.

After Sept. 11, 2001 - when most of NSA was evacuated for fear it might be the hijackers' next target - it became obvious that the agency would be permitted to expand. But Hayden decided to go forward the next month with a final early-retirement program, watching 765 employees leave even as the agency geared up to hire.

"It was not because anyone was dumb, incompetent, lazy or calcified or anything else," Hayden said in an interview last week in his whisper-quiet office at the top of one of NSA's massive glass towers at Fort Meade. "It was just a work force that historically did not change over very much. ... So if we were going to get new skills, we were going to have to get new people."

The old Soviet target, Hayden said, was "exceptionally slow-moving, oligarchic and technologically inferior," and what NSA was then interested in was "big things. You wanted to know where their nuclear missile submarines were. You wanted to know about Soviet forces in Germany - were they in garrison or in the field? You wanted to know if there were bombers at Arctic staging bases."

By contrast, he said, "in the current war, you're looking for infinitely more granular information. You want to know where this human being is. And it's not good enough to say he's in Afghanistan. In terms of our current ops [operations] tempo, it's not even good enough to know what city. You have to know what building he's in."

Rather than the special communications systems used by foreign militaries, "al-Qaida rides on the global [commercial] communications structure." To listen in, "you're putting yourself into their communication pattern. If your pattern doesn't match their pattern ... you don't hear."

Technology revolution

Given the dire assessments a few years ago, it is notable that Hayden says the communications revolution has on the whole been a plus, not a minus, for the NSA.

The NSA director declines to elaborate. But interviews with outside experts suggest that the agency has managed to overcome the challenges posed by fiber-optic cable and encryption.

"My opinion is that at this point, those are little more than a speed bump to NSA," says Steve Uhrig, president of SWS Security, a Harford County firm that builds eavesdropping and counter-eavesdropping systems for U.S. and foreign police agencies. "They have a virtually unlimited budget, and they can put amazing resources to work on a problem."

Several sources who regularly speak with NSA officials say they believe Uhrig is right. Although they do not know the details, they say the agency has almost certainly managed to tap fiber cables on a large-scale basis, making access to the information inside less of a problem than its overwhelming volume.

The NSA has also found a silver lining to the use of encrypted e-mail: Even if a particular message cannot be read, the very use of encryption can flag it for NSA's attention. By tracking the relatively few Internet users in a certain country or region who take such security measures, NSA analysts might be able to sketch a picture of a terrorist network.

Information 'in motion'

And by focusing their electronic tricks on messages as they are first typed on a computer or when they are read on the other end - what security experts call "information at rest" - NSA technical experts might be able to bypass otherwise-unbreakable encryption used when the information is "in motion."

Meanwhile, the popularity of e-mail and particularly of cell phones has worked to the NSA's advantage in the battle against terrorism.

The NSA's computers can track and sort huge volumes of e-mail far more easily than they can manage telephone intercepts, because text is consistently represented in digital code.

And cell phones - as handy for terrorist plotters as for everyone else - provide not just an eavesdropping target but also a way to physically track the user.

Uhrig, who has installed cellular intercept systems in several countries, says that as cell phones have proliferated, the "cells" served by a tower or other antenna have correspondingly grown smaller. "A big hotel may have a cell for every other floor. Every big office building is its own cell," he says.

Easier tracking

By following a switched-on cell phone as it shifts from cell to cell, "you can watch the person move," Uhrig says. "You can tell the direction he's moving. If he's moving slow, he's walking. If he's moving fast, he's in a car. The tracking is sometimes of much more interest than the contents of a call."

But Hayden will say nothing about reports in the news media and from outside specialists that NSA telephone intercepts led to the recent series of arrests of suspected terrorists in Pakistan. Confirming the agencies' victories would only warn future targets to take precautions against eavesdropping.

The most devastating such loss in recent years came in 1998, when al-Qaida leader Osama bin Laden stopped using the satellite phone the NSA had used for years to track him and his plans.

Whether he was tipped off by press reports - as the Sept. 11 commission has claimed - or by the United States' cruise missile attack on his camp in Afghanistan remains unclear.

"This is the most fragile of all intelligence disciplines," Hayden said. "We would not want many of our successes broadcast."

Copyright © 2004, The Baltimore Sun

[1] Original article over on Cryptome.org
[2] "How effective is open source crypto?"

FCC votes to tap Internet calls

In the US, the FCC has voted to enforce CALEA - wiretap rules - on VoIP operators [1] [2]. These businesses (like Vonage) provide Internet calls to their switches and then onto the public network. They are fantastically successful, because they deliver good service for cheap, something so implausible for the fixed wire competitors (like Sprint, AT&T and the baby bells) that it must be against FCC rules.

VoIP (voice over IP) operators are of course ideally placed to listen to the calls, something that is currently only done under subpoena. CALEA will force them to provide high performance infrastructure to enable massive monitoring.

This could presage a new phase in crypto deployment. Obviously, direct PC to PC comms cannot be covered by such rules, and equally obviously, people will prefer to talk privately. Products like Skype and the rough predecessors PGPPhone and SpeakFreely will get a boost.

IMHO, the FCC will do more damage to the eavesdroppers' objectives than they realise. The FCC has been one of the agencies at the forefront of letting the Internet develop without overbearing regulation, knowing that they can't help, but they can certainly hinder. Perhaps they do realise?

[2] FCC approves taps on broadband and VoIP
[1] Wiretap law would apply to broadband

When is a phish not a phish?

When it's a class action payout! Yep, Paypal got into a mess when it had to mail out notifications to many users announcing a class action payout and encouraging them to ... you guessed it, click on the link and register their details.

http://www.internetnews.com/bus-news/article.php/3390191

August 3, 2004
Mass Action on PayPal Settlement Site
By Susan Kuchinskas

An awful lot of people want a piece of PayPal. They overwhelmed a site offering a minimum of $50 to anyone with an account, the result of a class action suit.

The site went live in late July, after the United States District Court for the Northern District of California in San Jose approved a $9.25 million settlement in a class action suit alleging that the online payment platform owned by eBay unreasonably restricted, froze or closed customer accounts.

Under the terms of the settlement, anyone who had a PayPal account from October 1, 1999 to January 31, 2004 can receive up to $50 by filing a short form; those who went through PayPal's dispute resolution process or want to claim a higher damage award fill out a longer form and receive a portion of the $5.92 million left after the attorneys are paid.

Although claims must be submitted online, the site at times was unavailable or extremely slow, and some e-mails requesting information bounced.

A notice on the index page reads, "The website is experiencing delays and other problems due to an extremely high volume of traffic." Noting that the deadline for submitting claims isn't until October 23, it advises people to check back in a week or so.

Aside from the sheer volume of hits on the site, there were other glitches: The online form refuses to accept e-mail addresses that contain hyphens or multiple periods, and some people were unable to print the required certification firm, which must be mailed.

"The PayPal settlement site is being hosted by a company hired by the plaintiffs' side of the agreement," said a PayPal spokesperson. "They are aware of the issues with this site and have been working to get them fixed. We've done everything on our end to assist with that, but ultimately it's their site."

While some claimants had difficulty using the site, others worried about whether they should even click on the link in the PayPal e-mail. Internet users are right to be wary of e-mails purporting to be from PayPal. It's been one of the top victims of phishing schemes.

Phishers try to lure the unsuspecting to phony sites that mimic those of reputable companies. Once there, they're asked to input credit card, Social Security and bank account numbers that the fraudsters then exploit.

Most e-mail users receive a relentless barrage of fake PayPal requests to "Update your account immediately!" So, when present and former PayPal account holders received notice last Friday that the company was ready to pay up, it might have seemed a little dodgy.

The link in the e-mail read "paypal.com," but it redirected surfers to the somewhat spam-sounding settlement4onlinepayments.com. That site is hosted by a company with the suspiciously generic-sounding moniker "The Garden City Group."

It's for real, said A.J. De Bartolomeo, one of the lead attorneys in the suit. "This Web site is the official and only official Web site," she said.

De Bartolomeo, a principal in the San Francisco law firm of Girard Gibbs & De Bartolomeo, said all elements of the settlement site and notification e-mails were carefully considered in light of the phishing problem.

Regarding the settlement site's URL, "We realized that using PayPal in the actual Web address might make people think it was a scam," she said. "So we tried to do something that was descriptive. It's an online payment service, and this is the settlement for it."

On the other hand, PayPal sent out the notification e-mails, rather than a third party, she said, because "an e-mail notice from a third party would look a lot like a spoof." Including a link to PayPal's site, which redirected surfers to the Garden City site, she added, "seemed the best way to have the highest legitimacy possible for people who are, for a lot of reasons, suspicious. No notice program is ever perfect," she said.

According to the June Phishing Attack Trends Report from the Anti-Phishing Working Group, Tumbleweed Communications and Websense, in that month there were 1,422 new, unique phishing attacks, a 19 percent increase over the 1,197 attacks reported in May.

Girard Gibbs & De Bartolomeo has several other class action suits against technology companies in the works. It recently filed a class action against Apple Computer on behalf of iPod owners whose batteries have died or lost their ability to hold a charge.

De Bartolomeo said that so far, response to the PayPal settlement has been about what she expected. A judgment won by the firm against MCI (Quote, Chart) for overcharging, in which claims could be filed via paper, the Internet or the telephone, garnered an 8 percent claim rate, while a recent settlement with Hyundai Motor Co. for overstating the horsepower of vehicles drew a whopping 23 percent of eligible claimants. De Bartolomeo said it's too early to tell whether the ability to file claims online combined with widespread consumer Internet use might up the average claim rate.

The PayPal settlement will be a good test.

Professional email snooping

The below Register article " America - a nation of corporate email snoops" reports on the trend in email snooping by US corporates. I'll spare you the trouble of reading it - 44% of large companies pay someone to monitor email, and 38% regularly audit the content.

In the search for the eavesdropper, it was always clear that this was a real threat. A small one, but a real one. Unfortunately, the entire crypto industry got distracted on protecting against another threat, the MITM, which was too difficult and obscure to be real. Consequently, the net community fielded systems that didn't really work because of their grossly costly rollouts, and eavesdropping wasn't covered in any real sense (1% of servers use SSL, and 2% of email is encrypted, after a decade of trying).

Since the dawn of Internet crypto time, we've now gone from eavesdropping as a small threat to a potentially large threat. What is really worrying is not so much the corporate eavesdropping, but that we are on the verge of seeing massive ISP-based eavesdropping. All to be reported with a shrug and smile. All because Internet security experts are convinced that the MITM is a threat.

By John Leyden
Published Tuesday 27th July 2004 17:16 GMT

Forget Big Brother, US conglomerates are paying low-tech snoopers to read workers' emails.

According to research from Forrester Consulting, 44 per cent of large US companies (20,000 workers and above) pay someone to monitor the firm's outgoing mail, with 38 per cent regularly auditing email content. According to the study - reported without question in the mainstream press - companies' motivation was mostly due to fears that employees were leaking confidential memos.

Proof, were it needed, that your own staff are the biggest security risk. If the study is to be believed, the dystopian visions of films such as Brazil and George Orwell's 1984 are an everyday reality of today's corporate America. Yes, that's right: "privacy officers" are scouring your email looking for incriminating snippets among the flirtatious email, jokes exchanged between mates and the small amount of work-related stuff you might send during the course of the day.

Scary stuff. And we're asked to believe they are often doing this with little recourse to technology. Even scarier.

Paranoid Android

Joking aside, the 44 per cent figure on corporate snoops struck us as very high. So we got in touch with Forrester asking it to justify its conclusions. Forrester directed our enquiries towards Proofpoint, the email filtering firm which sponsored the research. Forrester Consulting, the custom research arm of Forrester Research, did the leg work for the survey but it was Proofpoint which wrote up the final report.

So how does Proofpoint explain its findings on email monitoring? It's all to do with complying with external regulations.

A wide variety of external regulations applying to email are driving the monitoring trend, according to Keith Crosley, director of corporate communications at Proofpoint. He cited US regulations such as HIPAA (which regulates the handling of personal health information) and Gramm-Leach-Bliley (which regulates the handling of private personal and financial information) as examples.

"It's because of these concerns that companies employ staff to monitor outbound email. Technology solutions for detecting confidential information or for detecting other breaches of email policy or external regulations have, to date, not been particularly effective or popular so the best recourse that companies have has been to have human beings monitor email," he said.

Proofpoint's angle here is that its anti-spam technology can be used as a way of ensuring that outbound emails comply with government regulations. "We believe that companies will, over time, turn to technology to help enforce their internal policies," said Crosley.

The (email) Conversation

If low-tech snooping is currently so widespread, could Proofpoint name a company which is paying someone specifically to check emails? We'd welcome the chance to have a chat to a modern day Harry Call (the lead charecter played by Gene Hackman in 70s classic The Conversation) but sadly we're out of luck.

"We have come into contact with numerous companies that employ staff (even full time staff) to monitor or audit outbound email, but I don't have a company name that you could use," said Crosley. "Because of this 'anecdotal' information, I can say that the results of the survey didn't really surprise us. But as you might imagine, most companies are not willing to talk openly about the use of these sorts of techniques even though they are completely legal in the US."

"To people not familiar with this issue, however, the number does seem astonishing. But our findings on other points are not out of line with other recent email related research. In a somewhat similar survey conducted by the ePolicy Institute, which found that about 60 per cent of companies use some sort of technology to monitor incoming and outgoing email."

Readers can review Proofpoint's survey here. ®

Related stories

netReplay is watching you
Google's Gmail: spook heaven?
US defends cybercrime treaty
Security fears over UK 'snooper's charter'
Merrill Lynch shackles employee Net access
Privacy in the workplace is a 'myth'

Ordinary Threats

I see a lot of threat articles come through from many sources. Each describes the latest threat to our net lives in an entertaining way - at least, as presented by the journalists who try and create a sense of excitement in their work.

We've seen them all before, in one variant or another. Still, reminders are good - these are the things that we have to balance when we build financial cryptography systems, and as there are so many and so varied a scale of threats, compromises are always needed. Here's the collected threats from the last month or so.

"Via eavesdropping, terror suspects nabbed" Intelligence officials use cellphone signals to track Al Qaeda operatives, as number of mid-level arrests rises.
By Faye Bowers June 02, 2004
http://www.csmonitor.com/2004/0602/p02s01-usmi.html

"NHTCU and Russian police foil online extortion racket" which was really clever, amounting to extortion for not DOSing the gambling sites.
http://www.finextra.com/fullstory.asp?id=12208

"Oops! Firm accidentally eBays customer database," when a disk drive sold on eBay carried data that it shouldn't. 7th June 2004, The Register.

"Venezuela: Fear for Sale" is an article about how government contractors are compiling databases on citizens in foreign countries. They just happen to have detailed files on countries in South America who are opposed to US interests.
GregPalast.com http://www.inthesetimes.com/site/main/article/fear_for_sale/

"Door locks know a lot more than you think" about how hotel door lock cards apparently don't know who you are, nor your credit cards, but they do (in concert with other systems) track entry to your hotel room.
June 12, 2004, Joe Sharkey NYT.

"Monaco banker faces re-imprisonment for not being French" is the story about the Brit who got caught doing special transfers for famous private clients of the bank. Whether he was acting for the client, or whether he was stealing, or whether the bank wanted a money laundering head is not clear and may never be clear.
Paul Murphy The Guardian Thursday June 17, 2004

"Iris scans at UK airports, says Home Office" is a story about testing iris scanners at borders, with no real hard indication that it will save anything, as yet.
By Lucy Sherriff 15th June 2004

"Google's Gmail: spook heaven?" argues that if Google can scan mail, then it puts in place the infrastructure for others to scan mail.
By Mark Rasch, SecurityFocus 15th June 2004

"How safe are the in-room safes in hotels?" says not safe enough for anything important, as it's too easy to break the pin code.
Roger Collis International Herald Tribune Friday, June 25, 2004

"Plan Would Pay Tax Whistleblowers" addresses how the IRS seeks to pay insiders to reveal on activity. A classic insider attack.
Mary Dalrymple AP.

"From a life of privilege to an English jail" reports on an all-American high school star who among other things fenced stolen account info from a ring of Russian thieves. Not clear how the "hackers" got the info, but they had access: "The Russians "were sitting there watching the accounts drain and recording everything so they knew how much money to expect at the end of the day," he said. "It was millions and m
illions of dollars." "
PAUL MEYER and MATT STILES / The Dallas Morning News June 27, 2004

"Email Spying and Attorney Client Privilege - US Government Reads All About It"
reports that the AG was secretly spying on the email of a lawyer for a Muslim mother of three. Emails made available from AOL, under warrant.

"Press card scam investigated" reports on one place to buy a fake press card.
30 June 2004 By: Jemima Kiss http://www.journalism.co.uk/news/story967.shtml

"The secrets your computer just can't keep safe" talks about malware - spying programs that are inserted into your PC: "On average every PC has 28 so-called spyware programs installed on it"
Mark Ward
http://news.bbc.co.uk/2/hi/technology/3845835.stm

"How [he who must not be named] Became a Dictator" talks about how a minority leader engineered a suspension of rights through a pogrom against bad people and took leadership of a country.
Jacob Hornberger
http://www.fff.org/freedom/fd0403a.asp

"Web sites allow gamblers to be their own bookmakers" talks about how offshore gambling sites (primarily Britain and Australia) are being financed by US investors. But, they don't take US customers.
Matt Richtel NYT July 7, 2004
http://www.iht.com/articles/528222.html

"Globalization, deregulation allow stock fraud industry to thrive" and it's Boiler Room all over again: this time the operation phones from one country, sells to an investor (read: victim) in another country for some Nasdaq loser stock in the US.
http://www.jewishworldreview.com/0604/stock_fraud.asp

"Text Messages May Turn Up in Bryant Case" about an alleged case of rape in the US, where the accuser exchanged cell phone text messages shortly after the incident. In this case, people are suprised that the telco can ... recover the messages!
JON SARCHE, Jun 07, 2004 AP

"Laptops containing sensitive financial details and all manner of corporate secrets can be snapped up at auctions for a pittance, a security firm revealed Wednesday."
(Reuters) By Bernhard Warner, European Internet Correspondent
http://www.reuters.com/newsArticle.jhtml?type=oddlyEnoughNews&storyID=5381490

"Smart-phone worm has a hang-up" reports about attempts to write a worm for cellular phones.
By Robert Lemos CNET News.com June 15, 2004
http://zdnet.com.com/2100-1105_2-5234953.html?tag=sas.email

"The Mystery of the Voynich Manuscript" New analysis of a famously cryptic medieval document suggests that it contains nothing but gibberish
Scientific American: June 21, 2004 By Gordon Rugg
http://www.sciam.com/print_version.cfm?articleID=0000E3AA-70E1-10CF-AD1983414B7F0000

"Spyware Sneaking into the Enterprise" ... well where else would it go?
By Roy Mark June 30, 2004
http://www.internetnews.com/security/article.php/3375661

"Woman allegedly stole law firm's identity" is another case of an insider shifting things around to steal money.
June 28, 2004, AP
http://www.cnn.com/2004/US/Northeast/06/28/corporate.id.theft.ap/index.html

"iPods are the latest security risk" because they can carry data out of corporates? Don't forget cameras, pocket drives, USB fobs, .....
John Leyden 7th July 2004 The Register
http://www.theregister.com/2004/07/07/ipod_security_risks/

New Attack on Secure Browsing

Over on PGP Corp's web site, they've inadvertantly revealed a new way to futz with secure browsing [0].

Click on http://www.pgp.com/ and you will see an SSL-protected page with that cute little padlock next to domain name. And they managed that over HTTP, as well! (This may not be seen in IE which doesn't load the padlock unless you add it to favourites, or some such. So you need Firefox or Konqueror or Opera, it seems.)

Whoops! That padlock is in the wrong place, but who's going to notice? It looks pretty bona fide to me, and you know, for half the browsers I use, I often can't find the darn thing anyway. This is so good, I just had to add one to my SSL page. I feel so much safer now, and it's cheaper than the ones that those snake oil vendors sell :-)

What does this mean? It's a bit of a laugh, is all, maybe. But it could fool some users, and as Mozilla Foundation recently stated, the goal is to protect those that don't know how to protect themselves. Us techies may laugh, but we'll be laughing on the other side when some phisher tricks users with the new, improved favicon-SSL.

It all puts more pressure on the oh-so-long overdue project to bring the "secure" back into "secure browsing." Microsoft have befuddled the already next-to-invisible security model even further with their favicon invention, and getting it back under control should really be a priority.

Putting the CA logo on the chrome now seems inspired - clearly the padlock is useless. See countless rants [1] listing the 4 steps needed and also a new draft paper from Amir Herzberg and Ahmad Gbara [2] exploring the use of logos on the chrome.

[0] An earlier version of this blog credited PGP Corp with this discovery. I had assumed that they had realised the security significance of the favicon with respect to the browser security model. This appears incorrect - they simply put the logo from their corporate documents there.

[1] SSL considered harmful
http://iang.org/ssl/

[2] Protecting (even) Naïve Web Users, or: Preventing Spoofing and Establishing Credentials of Web Sites
http://www.cs.biu.ac.il/~herzbea/Papers/ecommerce/spoofing.htm

Conducting blackmail with private payment systems - Daft!

I must have written a hundred times that privacy enhancing payments are only private to a degree. From eCash to Ricardo to e-gold to PayPal to greenbacks to ... well, all of them can be tracked somewhat. They help protect honest people from bad trackers, but they don't protect real serious criminals from serious sustained levels of tracking.

In a sort of Darwin award for criminals, here's the story of a major heist that went wrong, because the crooks believed they could use a privacy-based payment system to get their ill-gotten gains. Oh well, no great loss to society here.

http://www.crime-research.org/news/13.07.2004/485/

(one section quoted from the interview)

What kinds of Internet crimes are the most dangerous at the moment? Can you explain them? What can you say about blackmail?

Spread of computer viruses, plastic card frauds, theft of money from bank accounts, theft of computer information and violation of operation rules of computer systems are among the most dangerous offences on the Internet. In order to get one million of UAH (about $185-190 thousand) certain people phoned director of Odessa Airport, Ukraine and informed that they had placed an explosive device on board of a plane flying for Vienna and they also had blown up a bomb in the building opposite to the airport building to confirm their serious intentions.

The Security Service of Ukraine and the Air Security Office were informed of the accident right away. Criminals put detailed instructions on fulfillment of their requirements on the Internet. The main demand was one million of UAH. Criminals planned to use Privatbank's "Privat-24" Internet payment system to get the money. The useful feature for criminals in that case was that this system allowed anonymous creation and control over an account knowing only login and password. Therefore they used the Internet to secure anonymous and remote distribution of their threats and receipt of money.

Besides typical operational measures, there was a need to operationally establish data on technical information in computer networks as criminals used the Internet at all stages of their criminal offence. The Security Service decided to engage experts of a unit on fighting crimes in the sphere of high technologies at the Ministry of Internal Affairs. They were committed to establish senders of threat e-mails and the initiators of bank payments.

The response of ISP and the information they provided helped to determine phone numbers and addresses related to criminals, and also allowed to get firm evidences stored in log data bases of ISP and Privatbank.

Logs allowed to find out IP addresses of computers, e-mails and phones that helped to review concrete computers at the scenes.

The chronicle of events proves that prompt and qualified aid, provided by the unit on fighting crimes in the sphere of high technologies at the Ministry of Internal Affairs in January 2002, to officers of departments fighting terrorist and protecting state organization at Security Service allowed to reveal a criminal group, to prevent their criminal activity, and thus to give due to cyber terrorists.

Putting the chat back into IM

An interesting article about how a manager lost his job when an instant messaging virus sent his entire recorded conversations to his buddy list. This brings out the ticking time bomb that is the archive of all ones conversations. I've always treated chat and IM as just that - idle chat, and don't record those comments please!

Yet I seem to be a minority - I know lots of people who record their every message. And they've got good reasons, which makes me feel even worse. This permanent archiving kind of takes the spontaneity out of it, and it certainly makes it un-chat-like. How does one feel about teasing around with ones partner, as one does, when the threat of a divorce case in 4 years time brings out how cruel you were? Or, idle musings on the safety features of a product, in an open whiteboard fashion, gets dragged into liability suits?

I don't think there is an easy answer to this dilemma. The medium of chat is as it is, and no amount of wishing for that personal, forgiving experience can make the chat archiving devil vanish.

But there are some things that could be done. Here's one idea - perhaps a chat client could present a policy button with a buddy connection. For example, there might be different buttons for partner/confidential, business/confidential, negotiation/confidential and client/attorney privilege.

The first might extend husband-wife protection, with an intent of making the chat not useable against each party in a court of law. The second might create an internally confidential status, so that any forwarding could be warned against. The third would extend confidentiality to the documents such that they couldn't be used in a dispute (this is a trap for young players that I fell into). And the fourth could make the discussions inaccessible to aggressive plaintiffs. (And, we'd of course need another button for "write your own." Not that many people would of course.)

To support these buttons, there would need to be a textual understanding. A contract, lawyers would call it. If we both selected the same contract, then we'd agreed up front to its provisions. In legal terms, this gives us some protection - the courts generally agree with what you said up front.

There are limits of course - for example contract protection gets weaker if criminal proceedings are being undertaken. In which case, if you murder your spouse, you shouldn't expect the marital confidentiality button to save you. Also, even if the words can't be presented in court, there might be a lot of value in just reading them.

But it could bring back enough peace of mind to enable IM to get chatty again. What say you? Select your chat confidence policy and IM me with comments....

Phishing I - Penny Black leads to Billion Dollar Loss

Today, the Financial Times leads its InfoTech review with phishing [1]. The FT has new stats: Brightmail reports 25 unique phishing scams per day. Average amount shelled out for 62m emails by corporates that suffer: $500,000. And, 2.4bn emails seen by Brightmail per month - with a claim that they handle 20% of the world's mail. Let's work those figures...

That means 12bn emails per month are scams. If 62m emails cause costs of half a million, then that works out at $0.008 per email. 144bn emails per year makes for ... $1.152 billion dollars paid out every year [2].

In other words, each phishing email is generating losses to business of a penny. Black indeed - nobody has been able to show such a profit model from email, so we can pretty much guarantee that the flood is only just beginning.

(The rest of the article included lots of cartels trying to peddle solutions, and a mention that the IETF things email authentication might help. Fat chance of that, but it did mention one worrying development - phishers are starting to use viral techniques to infect the user's PC with key loggers. That's a very worrying development - as there is no way a program can defeat something that is permitted to invade by the Microsoft operating system.)

[1] The Financial Times, London, 23rd June 2004,
"Gone phishing," FT-IT Review.
[2] Compare and contrast this 1 billion dollar loss to the $5bn claimed by NYT last week:
"Phishing an epidemic, Browsers still snoozing"
http://www.financialcryptography.com/mt/archives/000153.html

"While it's difficult to pin down an exact dollar amount lost when identity thieves strike such institutions, Jones said 20 cases that have been proposed for federal prosecution involve $300,000 to $1 million in losses each."

This matches the amount reported in the Texas phishing case, although it refers to identity theft, not phishing (yes, they are not the same).

A study by Gartner Research [L04] found that about two million users gave such information to spoofed web sites, and that "Direct losses from identity theft fraud against phishing attack victims -- including new-account, checking account and credit card account fraud" cost U.S. banks and credit card issuers about $1.2 billion last year.

[L04] Avivah Litan, Phishing Attack Victims Likely Targets for Identity Theft, Gartner FirstTake, FT-22-8873, Gartner Research, 4 May 2004

DTCC accused of counterfeiting shares

I had heard about Stockgate a while back when the Nanopierce lawsuit was filed. At the time, it looked like a hopeful settlement deal, but now more details have come to light [1].

And what details! This may well be bigger than the mutual funds scandal, which was the biggest scandal of all time as far as I can see. The Nanopierce class action team has 65 lawyers in it! They have (allegedly) uncovered 1200 funds and 150 broker dealers in naked short selling.

Here's how it works. Short selling is supposed to involve borrowing the stock, then selling the borrowed stock on the market, anticipating a drop in price. It's "good" because it moves information more quickly. It's "bad" because someone with a lot of time and money on their hands can just dump the stock and then buy it back at a cheaper price. Like all things valued by people over the age of 12, there are goods and bads in it.

Where it gets egregious is if the stock is not borrowed at all, and simply "sold" on a promise. Now, if you are a big bad player and you can "not borrow" enough of it, and "sell" enough of what you don't have, then the price has to go down. Supply and demand, and all that. Then you can "buy" it on the cheap, transfer a few things around in the accounts, and end up with a profit.

Having the actual stock on hand is supposed to put a brake on this practice. And, when the DTCC - the single depository and clearing agency in the US - set up its stock lending facility, it was quite popular, as it was relatively easy to just borrow the shares from DTCC, and dump them on the market.

All supposing that DTCC had acquired them from somewhere. Now it transpires that DTCC took a fee for this activity, and worked out that they could over-lend. That is, they could simply counterfeit the shares. It's alleged by the lawsuit that DTCC turned off its governance, and turned on the equity tap. Anyone who wanted to borrow, presumably could - even if there were none to borrow.

"The Stock Borrow Program was purportedly set up to facilitate expedited clearance of stock trades. Somewhere along the line, the DTCC became aware that if it could lend a single share an unlimited number of times, it could collect a fee each time, according to Burrell. "There are numerous cases of a single share being lent ten or many more times," giving rise to the complaint that the DTCC has been electronically counterfeiting just as was done via printed certificates before the Crash."

"Such re-hypothecation has in effect made the potential 'float' in a single company's shares virtually unlimited and the term 'float' meaningless. Shares could be electronically created/counterfeited/kited without a registration statement being filed, and without the underlying company having any knowledge such shares are being sold or even in existence." ...

But, says the cunning governance observer, what happens if the price moves against the naked short seller? Surely he's then caught with his pants down? No. Here's the game: DTCC, instead of taking a clearing agency role as they are supposed and covering the particpants, simply refers the dispute to arbitration between the parties! And, they leave an open position book until it has been resolved.

If true, this makes a mockery of governance, regulation, the system, and any sense of investment. What is the point in investing in shares in a small company if the big players are naked short selling it out of existance, simply to transfer wealth from your pocket into their pocket?

The mutual funds scandal was pretty rude - big players conspired with insiders to strip out percentage points worth of value every year. This sort of salami scam works as long as the amounts taken out don't appear too large. 1% per annum is fine ... always remembering that we are talking about 1% of a 7 trillion dollar amount here.

But stockgate is a whole other ballgame, as the Americans would say - here, broker dealers and investment banks were conspiring allegedly to transfer the *whole* value of small companies to them. One expert claims that 7,000 public companies and from one to three trillion dollars have been raided.

[1] http://www.investors.com/breakingnews.asp?journalid=21660437&brk=1
StockGate: London Companies on Berlin Exchange Ask for Investigation, Reg SHO Hearing Reset

Phishing an epidemic, Browsers still snoozing

Phishing, the sending of spoof emails to trick you into revealing your browser login passphrase, now seems to be the #1 threat to Internet users. A dubious award, indeed. An article in the New York Times claims that online identity theft caused damages of $5 billion worldwide, while spamming was a mere $3.5 billion [1]. That was last year, and phishing was just a sniffle then. Expect something like 20-30 billion this year in phishing, as now, we're facing an epidemic [2].

That article also mentions that 5-20% of these emails work - the victim clicks through using that nice browser-email feature and enters their hot details into the bogus password harvesting site.

Reported elsewhere today [3]:

"Nearly 2 million Americans have had their checking accounts raided by criminals in the past 12 months, according to a soon-to-be released survey by market research group Gartner. Consumers reported an average loss per incident of $1,200, pushing total losses higher than $2 billion for the year."

"Gartner researcher Avivah Litan blamed online banking for most of the problem."

A recent phishing case in a Texas court gave something like $200 damages per victim [4]. That's a court case - so the figures can have some credibility. The FTC reports an average loss rate of about $5300 per victim for all identity theft [5].

So we are clearly into the many many millions of dollars of damage. It is not out of the question that we are reaching for the billion dollar mark, especially if we add in the associated costs. The FTC reported about $53b of losses last year; while most of identity theft is non-Internet related, it only needs to be 10% of total identity theft to look like the NYT's figure of $5bn, above.

Let's get our skepticisms up front here: I don't believe these figures. Firstly, they are reported quite loosely, with no backing. There is no pretence at academic seriousness. Secondly, they seem to derive from a bunch of vested interest players, such as mi2g.com and AFWG.org (both being peddlers of some sort of solution). Oh, and here's another group [6].

We know that there is a shortage of reliable figures to go on. Having said that, even if the figures are way off, we still have a conclusion:

This is real money, folks!

Wake up time! This is actual fraud, money being taken from real average Internet users, people who download the email programs and browsers and web servers that many of us worked on and used. Forget the hypothetical attacks postulated by Internet security experts a decade or so back. Those attacks were not real, they were a figment of some academic's imagination.

The security model built in to standard browsing is broken. Get over it, guys.

Every year, since 2003, Americans will lose more money than was ever paid out to CAs for those certificates to protect them from MITM [7]. By the end of this year, Americans will have been defrauded - I predict - to the same extent as Verisign's peak in market cap.

The secure browser falls to the MITM three ways that I know of - phishing, click thru syndrome, and substitute CA.

The new (since 2002) phishing attack is a classical MITM that breaches secure browsing. This attack convinces some users to go to an MITM site. It's what happens when a false sense of security goes on to long. The fact that secure browsing falls to the MITM is unfortunate, but what's really sad is that the Internet security community declines to accept the failure of the SSL/CA/secure browsing model.

Until this failure is recognised, there is no hope of moving on: What needs to be done is to realise that the browser is the front line of defence for the user - it's the only agent that knows anything about the user's browsing activity, and it's the only agent that can tell a new spoof site from an old, well-used and thus trusted site.

Internet security people need to wind the clock forward by about a decade and start thinking about how to protect ordinary Internet users from the billions of dollars being taken from their pockets. Or not, as the case may be. But, in the meantime, let's just accept that the browser has a security model worth diddly squat. And start thinking about how to fix it.

[1] New York Times, Online crime engenders a new hero: cybersleuth, 11th June 2004. (below)
[2] Epidemic is defined as more than one article on an Internet fraud in Lynn Wheeler's daily list.
http://seattlepi.nwsource.com/business/apbiz_story.asp?category=1310&slug=Japan%20Citibank
http://www.epaynews.com/index.cgi?survey=&ref=browse&f=view&id=1087301938622215212&block=
florida cartel stole identities of 1100 cardholders
http://www.msnbc.msn.com/id/5184077/
[3] http://www.msnbc.msn.com/id/5184077/
Survey: 2 million bank accounts robbed
[4] http://www.financialcryptography.com/mt/archives/000129.html
"Cost of Phishing - Case in Texas"
[5] http://www.ftc.gov/opa/2003/09/idtheft.htm
FTC Releases Survey of Identity Theft in U.S.
[6] http://www.reuters.com/financeNewsArticle.jhtml?type=governmentFilingsNews&story
ID=5429333§ion=investing
Large companies form group to fight "phishing"
[7] Identity Theft - the American Disease
http://www.financialcryptography.com/mt/archives/000146.html

Online crime engenders a new hero: cybersleuth
Christopher S. Stewart NYT

Friday, June 11, 2004

A lot of perfectly respectable small businesses are raking in money from
Internet fraud.

From identity theft to bogus stock sales to counterfeit prescription drugs,
crime is rife on the Web. But what has become the Wild West for savvy
cybercriminals has also developed into a major business opportunity for
cybersleuths.

The number of security companies that patrol the shady corners of the
virtual world is small but growing.

"As more and more crime is committed on the Internet, there will be growth
of these services," said Rich Mogull, research director for information
security and risk at Gartner, a technology-market research firm in Stamford,
Connecticut.

ICG, a Princeton, New Jersey, company founded in 1997, has grown to 35
employees and projected revenue of $7 million this year from eight employees
and $1.5 million in revenue just four years ago, said Michael Allison, its
founder and chief executive.

ICG, which is licensed as a private investigator in New Jersey, tracks down
online troublemakers for major corporations around the world, targeting
spammers and disgruntled former employees as well as scam artists, using
both technology and more traditional cat-and-mouse tactics.

"It's exciting getting into the hunt," said Allison, a 45-year-old British
expatriate. "You never know what you're going to find. And when you identify
and finally catch someone, it's a real rush."

According to Mi2g, a computer security firm, online identity theft last year
cost businesses and consumers more than $5 billion worldwide, while spamming
drained $3.5 billion from corporate coffers. And those numbers are climbing,
experts say.

"The Internet was never designed to be secure," said Alan Brill, senior
managing director at Kroll Ontrack, a technology services provider that was
set up in 1985 by Kroll Associates, an international security company based
in New York. "There are no guarantees."

Kroll has seven crime laboratories around the world and is opening two more
in the United States because of the growing demand for such work.

ICG clients, many of whom Allison will not identify because of privacy
agreements, include pharmaceutical companies, lawyers, financial
institutions, Internet service providers, digital entertainment groups and
telecommunication giants.

One of the few cases that ICG can talk about is a spamming problem that
happened a few years ago at Ericsson, the Swedish telecommunications
company. Hundreds of thousands of e-mail messages promoting a telephone-sex
service inundated its servers hourly, crippling the system.

"They kept trying to filter it out," said Jeffrey Bedser, ICG chief
operating officer. "But the spam kept on morphing and getting around the
filter."

Bedser and his team plugged the spam message into search engines and located
other places on the Web where it appeared. Some e-mail addresses turned up,
which led to a defunct e-fax Web site. And that Web site had in its registry
the name of the spammer, who turned out to be a middle-aged man living in
the Georgetown section of Washington.

Several weeks later, the man was sued. He ultimately agreed to a $100,000
civil settlement, though he didn't go away, Bedser said.

"The guy sent me an e-mail that said, 'I know who you are and where you
are,'" Bedser recalled. "He also signed me up for all kinds of spam and I
ended up getting flooded with e-mail for sex and drugs for the next year."

Allison says ICG's detective work is, for the most part, unglamorous,
involving mostly sitting in front of computers and "looking for ones and
zeros." Still, there are some private-eye moments. Computer forensic work,
for instance, takes investigators to corporate offices all over America,
sometimes in the dead of night.

Searching through the hard drives of suspects - always with a company lawyer
or executive present - the investigators hunt for "vampire data," or old
e-mails and documents that the computer users thought they had deleted long
ago.

In some cases, investigators have to be a little bit sneaky themselves.
Once, an ICG staffer befriended a suspect in a "pump-and-dump" scheme - in
which swindlers heavily promote a little-known stock to get the price up,
then sell their holdings at artificially high prices - by chatting with him
electronically on a chess Web site.

The Internet boom almost guarantees an unending supply of cybercriminals.
"They're like mushrooms," Allison said.

Right now, the most crowded fields of criminal activity are the digital
theft of music and movies, illegal prescription-drug sales and "phishers,"
identity thieves who pose as representatives of financial institutions and
send out fake e-mails to people asking for their account information. The
Anti-Phishing Working Group, an industry association, estimates that 5
percent to 20 percent of recipients respond to these phony e-mails.

In 2003, 215,000 cases of identity theft were reported to the Federal Trade
Commission, an increase of 33 percent from the year before.

This bad news for consumers is a growth opportunity for ICG. "The bad guys
will always be out there," Allison said. "But we're getting better and
better. And we're catching up quickly."

The New York Times

Identity Theft - the American Disease

Identity theft is a uniquely American problem. It reflects the massive - in comparison to other countries - use of data and credit to manage Americans' lives. Other countries would do well to follow the experiences, as "what happens there, comes here." Here are two articles on the modus operandi of the identity thief [1], and the positive side of massive data collection [2].

First up, the identity thief [1]. He's not an individual, he's a gang, or more like a farm. Your identity is simply a crop to process. Surprisingly, it appears that garbage collected from the streets (Americans call it trash) is still the seed material. Further, the database nation's targetting characteristics work for the thief as he doesn't need to "qualify" the victim any. If you receive lots of wonderful finance deals, he wants your business too.

Once sufficient information is collected (bounties paid per paper) it becomes a process of using PCs and innocent address authorities to weezle ones way into the prime spot. For example, your mail is redirected to the farm, the right mails are extracted, and your proper mail is conveniently re-delivered - the classic MITM. We all know paper identity is worthless for real security, but it is still surprising to see how easily we can be brought in to harvest.

[Addendum: Lynn Wheeler reports that a new study by Professor Judith Collins of Michigan State University reveals up to 70% of identity theft starts with employee insider theft [1.b]. This study, as reported by MSNBC, directly challenges the above article.]

Next up, a surprisingly thoughtful article on how data collection delivers real value - cost savings - to the American society [2]. The surprise is in the author, Declan McCullagh, who had previously been thought to be a bit of a Barbie for his sallacious use of gossip in the paparazzi tech press. The content is good but very long.

The real use of information is to make informed choices - not offer the wrong thing. Historically, this evolved as networks of traders that shared information. To counteract fraud that arose, traders kept blacklists and excluded no-gooders. A dealer exposed as misusing his position of power stood to lose a lot, as Adam Smith argued, far more indeed than the gain on any one transaction [3].

In the large, merchants with businesses exposed to public scrutiny, or to American-style suits, can be trusted to deal fairly. Indeed, McCullagh claims, the US websites are delivering approximately the same results in privacy protection as those in Europe. Free market wins again over centralised regulations.

Yet there is one area where things are going to pot. The company known as the US government, a sprawling, complex interlinking of huge numbers of databases, is above any consumer scrutiny and thus pressure for fair dealings. Indeed, we've known for some years that the policing agencies did an endrun around Congress' prohibition on databases by outsourcing to the private sector. The FBI's new purchase of your data from Checkpoint is "so secret that even the contract number may not be disclosed." This routine dishonesty and disrespect doesn't even raise an eyebrow anymore.

Where do we go from here? As suggested, the challenge is to enjoy the benefits of massive data conglomeration without losing the benefit of privacy and freedom. It'll be tough - the technological solutions to identity frauds at all levels from financial cryptographers have not succeeded in gaining traction, probably because they are so asymmetric, and deployment is so complicated as to rule out easy wins. Even the fairly mild SSL systems the net community put in place in the '90s have been rampantly bypassed by phishing-based identity attacks, not leaving us with much hope that financial cryptographers will ever succeed in privacy protection [4].

What is perhaps surprising is that we have in recent years redesigned our strong privacy systems to add optional identity tokens - for highly regulated markets such as securities trading [5]. The designs haven't been tested in the full, but it does seem as though it is possible to build systems that are both identity strong and privacy strong. In fact, the result seems to be stronger than either approach alone.

But it remains clear that deployment against an uninterested public is a hard issue. Every company selling privacy to my knowledge has failed. Don't hold your breath, or your faith, and keep an eye on how this so-far American disease spreads to other countries.

[1] Mike Lee & Brian Hitchen, "Identity Theft - The Real Cause,"
http://www.ebcvg.com/articles.php?id=217
[1.b] Bob Sullivan, "Study: ID theft usually an inside job,"
http://www.msnbc.msn.com/id/5015565
[2] Declan McCullagh, 'The upside of "zero privacy,"'
http://www.reason.com/0406/fe.dm.database.shtml
[3] Adam Smith, "Lecture on the Influence of Commerce on Manners," 1766.
[4] I write about the embarrassment known as secure browsing here:
http://iang.org/ssl/
[5] The methods for this are ... not publishable just yet, embarrassingly.

The Myth of Systemic Risk

At a St. Louis Banking Conference, Professor George Kaufman presented a thesis of his that "systemic risk" is a myth [1]. It goes like this: Systemic Risk is that risk of contagion, whereby a failure causes a domino-like collapse of large segments of the system. Professor Kaufman makes the claim that an institution that is financially sick should fail, and that isn't a case of systemic risk. Those that are financially healthy should not fail, and if they do, it could be systemic risk.

He then goes on to challenge his listeners to find an example of an economically solvent bank that was brought down by a run, anywhere in the world. So far, no joy - he's not been presented with any such cases, although like myself and the MITM, he holds out hope.

Which leaves us rethinking the S&L scandal, the Asian crisis, and sundry other squillion dollar collapses (in another paper, he presents just how devastating these collapses are [2]). If all those countries in Asia back in the late 90s were insolvent, or at least financially unsound, then he asserts that they shouldn't have been propped up. When the Asian dominos wobbled and fell, that was an example of proper bankrupcy procedures, albeit at a national level, rather than systemic risk.

What are the consequences of this? One of the underlying justifications for central banking was that they could protect the system from systemic risk. That crutch is now removed from the Central Banks and their role as centralised regulators. Other crutches such as monopoly issuance of money, and the myth of "banking is special" have been under stress for many a year.

To some extent this has already been predicted; it's been clear for some time that the 20th century was the Golden Age of Central Banks and now everyone is posturing for, or at least fearing, a gradual waning of their influence and place in financial society.

On a more personal note, when we built Ricardo and our real time gross settlement system of trading, we used to say that we'd eliminated sources of systemic risk. Maybe we should back off from that and just claim the elimination of other classes of risk, and a reliance on the supreme savings of cheap RTGS trades (one or two orders of magnitude, but who's counting?). Or maybe not; is there a contradiction in claiming the elimination of something that doesn't exist?

[1] Professor George Kaufman, "The Myth of Systemic Risk," remarks presented at the St Louis Banking Conference,
http://www.fed-soc.org/Publications/practicegroupnewsletters/financialservices/myth-finv3i3.htm
[2] Professor George Kaufman, "Banking and currency crises and systemic risk: Lessons from recent events," Federal Reserve Bank of Chicago,
http://www1.worldbank.org/economicpolicy/managing volatility/contagion/documents/3qep2.pdf