Comments: Question on the state of the security industry

Author's Note: This is a long outburst....

Editor's Note: This comment is too important and enlightening to remain buried here - it's now reposted as "Security Industry - a question of history" at

http://www.financialcryptography.com/mt/archives/000174.html#more

Posted by Will at July 1, 2004 02:32 PM

In AAAA, where I work, it's being discussed but I have no great hope of our outstanding managers doing anything. They seem to believe security is about what you buy rather than what you do.

Also significant is that a bank wants to send marketing emails with links in. This prevents them giving out the good advice of "totally ignore all email claiming to be from your bank".

I think it's clear no amount of SSL will help as the people in question pay no attention to it - certainly far short of what they need to.

I hear ABN AMRO have a 2-factor calculator gadget that might (if it includes transaction details) mean that a phisher can't take your CD order and buy saleable electronic gear with it. (As it happens my take on the whole RIAA thing is to stop buying CDs and learn the guitar.)

To me it seems you want a hardware device to authenticate your transaction details out of reach of modification by your PC. Without that there is no technical progress.

Some administrative progress may still be possible: limits (per transaction, per time interval, per country) may reduce the amount a phisher can run off with. Adjusting your limits should require attendance at a branch.

Honeypot mail accounts where the bank's scripts feed the phisher with bogus data that will be tracked when used might be a step toward getting someone prosecuted.

A variation on the honeypot theme would be "benign phishing" where the punter gets a "fooled you" letter explaining what was up. This might alienate customers and I only suggested it half seriously.

Also I don't think any bank wants to be the first to hold people firmly to their electronic commitments (well they can't really today) and as long as that doesn't happen it's all a game.

Posted by AAA at July 2, 2004 12:46 PM
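The per-transaction, per-interval and per-country limits suggested in the comment above, with limit changes refused on any channel but the branch, as an added example in Python. This is not code from the thread or from any bank; the limit values, the account's home country and the sample payments are constructed for illustration.

```python
# Added example (not code from the thread): spending limits of the kind
# suggested above, enforced at the bank. Limit values, account data and the
# sample transactions are constructed for illustration.
from collections import deque
from dataclasses import dataclass, field

DAY = 24 * 3600


@dataclass
class Limits:
    per_transaction: float = 500.0          # cap on any single payment
    per_day: float = 1000.0                 # rolling 24h total, all countries
    foreign_default_day: float = 200.0      # rolling 24h cap for unlisted foreign countries
    per_country_day: dict = field(default_factory=dict)  # country code -> rolling 24h cap


class Account:
    def __init__(self, home_country, limits):
        self.home = home_country
        self.limits = limits
        self.history = deque()              # (timestamp, amount, country) of accepted payments

    def _recent(self, now):
        # Drop anything that left the 24h window; history is appended in time order.
        while self.history and self.history[0][0] <= now - DAY:
            self.history.popleft()
        return self.history

    def authorise(self, amount, country, now):
        """Return (allowed, reason); only accepted payments count towards the limits."""
        if amount > self.limits.per_transaction:
            return False, "per-transaction limit"
        recent = self._recent(now)
        if sum(a for _, a, _ in recent) + amount > self.limits.per_day:
            return False, "daily limit"
        if country != self.home:
            cap = self.limits.per_country_day.get(country, self.limits.foreign_default_day)
            if sum(a for _, a, c in recent if c == country) + amount > cap:
                return False, f"daily limit for {country}"
        self.history.append((now, amount, country))
        return True, "ok"

    def change_limits(self, new_limits, channel):
        # The thread's point: the channel a phisher controls must not be able to
        # raise the limits, so only an in-branch request is honoured.
        if channel != "branch":
            raise PermissionError("limit changes are accepted in-branch only")
        self.limits = new_limits


def demo():
    """Run a constructed day of payments and return the allow/deny decisions."""
    acct = Account("GB", Limits(per_country_day={"US": 300.0}))
    t0 = 1_000_000
    payments = [
        (120.0, "GB", t0),             # ok
        (600.0, "GB", t0 + 60),        # over the per-transaction cap
        (250.0, "US", t0 + 120),       # ok, US running total 250
        (100.0, "US", t0 + 180),       # US cap is 300 -> denied
        (150.0, "RO", t0 + 240),       # unlisted country, default cap 200 -> ok
        (100.0, "RO", t0 + 300),       # would take RO to 250 -> denied
        (490.0, "GB", t0 + 360),       # day total 520 + 490 > 1000 -> denied
        (480.0, "GB", t0 + 400),       # exactly reaches 1000 -> ok
        (50.0, "GB", t0 + DAY + 200),  # first two payments have aged out -> ok
    ]
    return [acct.authorise(*p) for p in payments]
```

Only accepted payments are recorded, so a burst of denied attempts cannot exhaust the customer's own allowance. The per-country cap is what bites on the "buy saleable electronic gear" case: a phisher cashing out abroad runs into the foreign default long before the overall daily limit.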

[copied from cryptography list]
> Here's my question - is anyone in the security
> field of any sort of repute being asked about
> phishing, consulted about solutions, contracted
> to build? Anything?

Nothing here. Spam is the main concern on people's minds, so far as I can tell. Please note, though, that I'm not specifically a computer security consultant but rather a broad-spectrum computer consultant who does some security work and a private security guy who does some computer work.

Topical anecdote: my last full-time but short-term consulting* gig was at a bank. You know, money and stuff. Computer security in the development shop consisted of telling the programmers to run NAV daily. They used Outlook for email, with no filters on incoming mail that I could track down. I did some minor testing from my home system. Didn't send myself any viruses, but I did send a few executable attachments. They all made it through.

* Not really consulting. They wanted a warm-body programmer, and not only ignored the process improvement suggestions I was putatively hired to provide, but seemed offended that I had suggestions to make at all.

Posted by Steve at July 4, 2004 04:43 AM

AAA writes:
> In [Brit bank], where I work, it's being discussed but I have no great
> hope of our outstanding managers doing anything. They seem
> to believe security is about what you buy rather than what you
> do.


OK. But, do they actually experience the problem in Britain at the moment? AFAICS, it's mostly a US problem, hence:

http://www.financialcryptography.com/mt/archives/000146.html

> Also significant is that a bank wants to send marketing emails
> with links in. This prevents them giving out the good advice
> of "totally ignore all email claiming to be from your bank".


Right. I think on balance though, they are right. Not sending out linked mail and trying to convince users to not click on links is slightly better than putting one's head in the sand, but not much. It matters not if the user didn't understand the advice, you've still got a problem regardless.

So what is the core of the real problem, and what is the fix? That is the question. I've posed both the question and the answer to the cryptography list and mostly, the response has been "we don't believe you and we won't accept that there is a problem."

> I think it's clear no amount of SSL will help as the people
> in question pay no attention to it - certainly far short of
> what they need to.


No, but the cert can be used to track the relationship. In all phishing cases, there is a relationship between the user and the website. There is no such relationship with the phisher. All the tech has to do is to stop burying the relationship. Simple, really.

Why does it bury the relationship? Ah, now that's more complex. It all started way back when some guy worked out that he could sell a cert...

> I hear ABN AMRO have a 2-factor calculator gadget that
> might (if it includes transaction details) mean that a
> phisher can't take your CD order and buy saleable electronic
> gear with it. (As it happens my take on the whole RIAA thing
> is to stop buying CDs and learn the guitar.)


Yes, the Europeans are much more serious about security, they've done the real processes in advance. I'm not sure why this is, I think it is a reflection on the absence of competition in the continental banking field.

> To me it seems you want a hardware device to authenticate your
> transaction details out of reach of modification by your PC.
> Without that there is no technical progress.


Well, that's another way. Unfortunately that also requires a lot of reworking and a lot of individual expense.

> Some administrative progress may still be posible: limits
> (per transaction, per time interval, per country) may
> reduce the amount a phisher can run off with. Adjusting your
> limits should require attendance at a branch.


Limits should be there, yes.

> Honeypot mail accounts where the bank's scripts feed the
> phisher with bogus data that will be tracked when used
> might be a step toward getting someone prosecuted.


Could be. If the guy is out of the country though, this doesn't help much.

> A variation on the honeypot theme would be "benign phishing"
> where the punter gets a "fooled you" letter explaining what
> was up. This might alienate customers and I only suggested
> it half seriously.


Huh. Inoculations? Yes, might be more trouble than they are worth.

> Also I don't think any bank wants to be the first to
> hold people firmly to their electronic commitments
> (well they can't really today) and as long as that
> doesn't happen it's all a game.


:-) In the US I think it's gone beyond a game, or rapidly approaching the problem. Identity theft is now the #1 consumer issue, and internet based variants of that run to about 15-20% of cases. But, as I say, this is an american problem.

Posted by Iang at July 4, 2004 04:53 AM
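The "stop burying the relationship" idea in the reply above, as an added example in Python that is not code from the thread or from any browser. The check is not whether the certificate is valid (the phisher's usually is) but whether this hostname has shown us this certificate before: a key-continuity store keyed on hostname, recording the certificate fingerprint, first-seen time and visit count. Hostnames and the stand-in certificate bytes are constructed; a real implementation would hash the DER-encoded certificate the TLS connection presented.

```python
# Added example (not code from the thread): surface the user/site relationship
# that the padlock alone hides. Hostnames and certificate bytes are constructed
# stand-ins for DER-encoded certificates.
import hashlib
import json
from dataclasses import dataclass


def fingerprint(cert_der: bytes) -> str:
    # Real code hashes the DER certificate from the TLS handshake.
    return hashlib.sha256(cert_der).hexdigest()


@dataclass
class Relationship:
    fingerprint: str
    first_seen: int
    visits: int = 1


class RelationshipStore:
    """Key-continuity store: which certificate each host has shown us so far."""

    def __init__(self):
        self.known = {}          # hostname -> Relationship

    def observe(self, host, cert_der, now):
        """Classify a connection: NEW (no history), KNOWN (same cert as before),
        CHANGED (same host, different cert: rotation or an MITM, check out of band)."""
        fp = fingerprint(cert_der)
        rel = self.known.get(host)
        if rel is None:
            self.known[host] = Relationship(fp, now)
            return "NEW", "no prior relationship with this site"
        if rel.fingerprint != fp:
            return "CHANGED", f"cert changed after {rel.visits} visits; verify out of band"
        rel.visits += 1
        return "KNOWN", f"seen {rel.visits} times since {rel.first_seen}"

    def dump(self):
        # Persist between sessions; the store is what makes the relationship visible.
        return json.dumps({h: vars(r) for h, r in self.known.items()}, sort_keys=True)


def demo():
    """Constructed history: 29 visits to the bank, then a phisher, then a cert change."""
    store = RelationshipStore()
    bank_cert = b"-- stand-in DER for the bank's real certificate --"
    for t in range(1, 30):
        store.observe("www.bank.example", bank_cert, t)
    # Phisher: lookalike name, perfectly valid CA-issued cert, zero history.
    phish = store.observe("www.bank-secure.example", b"-- phisher's cert, also CA-signed --", 31)
    # Real name, different key: either rotation or a man in the middle.
    mitm = store.observe("www.bank.example", b"-- different cert --", 32)
    genuine = store.observe("www.bank.example", bank_cert, 33)
    return phish[0], mitm[0], genuine[0], store.known["www.bank.example"].visits
```

The decision the user is asked to make changes from "is this padlock real?" (which they cannot answer) to "have I been here before?" (which the store answers for them). A CHANGED verdict on the bank's own hostname is the one case that still needs a human, and a phone call to the branch is the out-of-band check.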

> OK. But, do they actually experience the problem
> in Britain at the moment? AFAICS, it's mostly a
> US problem, hence:
>
> http://www.financialcryptography.com/mt/archives/000146.html


Numbers with zeros on the end were mentioned in my presence a few months ago but I forget them. I know it was much less than the ~450M estimated for annual CC fraud. The new PHB doesn't really believe in communication unless it's name dropping about what bigwig he's been talking to so I've no idea when the subject might come up again - unless I raise it.

There's also the story that the phishing gangs are behind terrorism but I don't know whether that's just plod winding up bank managers with fear of conspiracy charges if they don't report as much crime as plod forecasts.

> So what is the core of the real problem, and what is
> the fix? That is the question. I've posed this both
> the question and the answer to the cryptography list
> and mostly, the response has been "we don't believe
> you and we won't accept that there is a problem."

You've posted a lot about SSL, keys and trust but I don't see a simple change cutting the phishing by much.

When your typical home user's PC can be cracked easily and any keys stolen and any s/w (browser and related DLLs) can be made to show anything the cracker chooses ... what's left to show the reality of any relationship ?

> > Also I don't think any bank wants to be the first to
> > hold people firmly to their electronic commitments
> > (well they can't really today) and as long as that
> > doesn't happen it's all a game.
>
> :-) In the US I think it's gone beyond a game, or
> rapidly approaching the problem. Identity theft is
> now the #1 consumer issue, and internet based variants
> of that run to about 15-20% of cases. But, as I say,
> this is an american problem.


In May 2003 I filled in a survey form given me on a plane (Airtours, MyTravel) and used incorrect details in order to see where they turned up later (after apparently no checking at all). The Sunday Times Wine Guide, the National Blood Transfusion Service, Household Finance (part of HSBC) and Norwich Union (insurers) have all written to this fictitious person at my address. Norwich Union say they got the dodgy data from Claritas. This uncritical intake can't be good - and probably provides chances to link yourself to someone's credit history (use their name and their current address as your past address).

The planned UK ID card might lead to more growth in theft here. I'm hoping not to need any credit after the current lot expires.

Posted by AAA at July 4, 2004 04:59 AM

Peter Cassidy, of the Anti-Phishing Working Group, by way of Dan Geer wrote:

I think the reason that, to date, the security community has been largely silent on phishing is that this sort of attack was considered a confidence scheme that was only potent against dim-wits - and we all know how sympathetic the IT security/cryptography community is to those with less than powerful intellects. Also, it is true, it was considered a sub-set of SPAM.

The reliance on broadcast spam as a vehicle for consumer data recruitment is remaining but the payload is changing and, I think, in that advance is room for important contributions by the IT security/cryptography community. In a classic phishing scenario, the mark gets a bogus e-mail, believes it and surrenders his consumer data and then gets a big surprise on his next bank statement. What is emerging is the use of spam to spread trojans to plant key-loggers to intercept consumer data or, in the future, to silently mine it from the consumer's PC. Some of this malware is surprisingly clever. One of the APWG committeemen has been watching the development of trojans that arrive as seemingly random blobs of ASCII that decrypt themselves with a one-time key embedded in the message - they all go singing straight past anti-virus.

Since phishing, when successful, can return real money the approaches will become ever more sophisticated, relying far less on deception and more on subterfuge.

Peter

Posted by Peter at July 4, 2004 05:03 AM

Peter Cassidy wrote:
> I think the reason that, to date, the security community has
> been largely silent on phishing is that this sort of attack was
> considered a confidence scheme that was only potent against
> dim-wits - and we all know how sympathetic the IT
> security/cryptography community is to those with less than
> powerful intellects.

OK. It could well be that the community has an inbuilt bias against protecting those that aren't able to protect themselves. If so, this would be cognitive dissonance on a community scale: in this case, SSL, CAs, browsers are all set up to meet the goal of "totally secure by default."

Yet, we know there aren't any secure systems, this is Adi Shamir's 1st law.

http://www.financialcryptography.com/mt/archives/000147.html

Ignoring attacks on dimwits is one way to meet that goal, comfortably.

But, let's go back to the goal. Why has it been set? Because it's been widely recognised and assumed that the user is not capable of dealing with their own security. In fact, in its lifetime over the last decade, browsers have migrated from a "ternary security rating" presented to the user, to wit, the old 40 bit crypto security, to a "binary security rating," confirming the basic principle that users don't know and don't care, and thus the secure browsing model has to do all the security for the user. Further, they've been protected from the infamous half-way house of self-signed certs, presumably because they are too dim-witted to recognise when they need less or more security against the evil and pervasive MITM.

http://www.iang.org/ssl/mallory_wolf.html

Who is thus a dimwit. And, in order to bring it together with Adi's 1st law, we ignore attacks on dimwits (or in more technical terms, we assume that those attacks are outside the security model).

(A further piece of evidence for this is a recent policy debate conducted by Frank Hecker of Mozilla, which confirmed that the default build and root list for distribution of Mozilla is designed for users who could not make security choices for themselves.)

So, I think you're right.


> Also, it is true, it was considered a
> sub-set of SPAM.

And? If we characterise phishing as a sub-set of spam, does this mean we simply pass the buck to anti-spam vendors? Or is this just another way of cataloging the problem in a convenient box so we can ignore it?

(Not that I'm disagreeing with the observation, just curious as to where it leads...)


> The reliance on broadcast spam as a vehicle for consumer data
> recruitment is remaining but the payload is changing and, I
> think, in that advance is room for important contributions by
> the IT security/cryptography community. In a classic phishing
> scenario, the mark gets a bogus e-mail, believes it and
> surrenders his consumer data and then gets a big surprise on his
> next bank statement. What is emerging is the use of spam to
> spread trojans to plant key-loggers to intercept consumer data
> or, in the future, to silently mine it from the consumer's PC.
> Some of this malware is surprisingly clever. One of the APWG
> committeemen has been watching the development of trojans that
> arrive as seemingly random blobs of ASCII that decrypt
> themselves with a one-time key embedded in the message - they
> all go singing straight past anti-virus.


This is actually much more serious, and I've noticed that the media has picked up on this, but the security community remains characteristically silent.

What is happening now is that we are getting much more complex attacks - and viruses are being deployed for commercial theft rather than spyware - information theft - or ego proofs. This feels like the nightmare scenario, but I suppose it's ok because it only happens to dimwits?

(On another note, as this is a cryptography list, I'd encourage Peter and Dan to report on the nature of the crypto used in the trojans!)

> Since phishing, when successful, can return real money the
> approaches will become ever more sophisticated, relying far less
> on deception and more on subterfuge.

I agree this is to be expected. Once a revenue stream is earnt, we can expect that money to be invested back into areas that are fruitful. So we can expect much more and more complex and difficult attacks.

I.e., it's only just starting.

Posted by Iang at July 4, 2004 05:07 AM

> Here's my question - is anyone in the security
> field of any sort of repute being asked about
> phishing, consulted about solutions, contracted
> to build? Anything?


I am continually asked about spam, and I personally treat phishing as a subset of it, but I have seen virtually no interest in correcting the problem. I have personally been told I don't even know how many times that phishing "is not an issue."

I personally know it's an issue because between my accounts I receive ~3-5 phishing attempts/day, and the scams apparently account for a major portion of the GNP of many small countries.


> Or, are security professionals as a body being
> totally ignored in the first major financial
> attack that belongs totally to the Internet?
>
> What I'm thinking of here is Scott's warning of
> last year:
>
> Subject: Re: Maybe It's Snake Oil All the Way Down
> At 08:32 PM 5/31/03 -0400, Scott wrote:
> ...
> >When I drill down on the many pontifications made by computer
> >security and cryptography experts all I find is given wisdom. Maybe
> >the reason that folks roll their own is because as far as they can see
> >that's what everyone does. Roll your own then whip out your dick and
> >start swinging around just like the experts.
>
> I think we have that situation. For the first
> time we are facing a real, difficult security
> problem. And the security experts have shot
> their wad.
>
> Comments?


In large part that's the way it looks to me as well. We have an effectively impotent security community, because all the "solutions" we've ever made either didn't work, or worked too well. We basically have two types of security solutions: the ones that are referred to as "That doesn't work, we had it and it did everything it shouldn't have" and those that result in "I don't think it works, but I can't be sure because we were never attacked." The SSL/TLS protocol is an example of this second type, I am unaware of any blackhats that bother attacking SSL/TLS because they simply assume it is impenetrable. At the same time we have the situation where Windows is continually [attacked] not because it is less secure than the others, but because it is _believed_ to be less secure than the others, so the Windows security is clearly of the first type. The biggest problem I've seen is that we're dealing with generally undereducated people as far as security goes. We need to start selling that we facilitate a business process, and that because of this all you will see are the failures, the successes will almost always be invisible.

Also as with all business processes, there is never a final state, it must be often reanalyzed and revised. This puts us in a rather strange situation, where something that I have always offered becomes important, we become an outsourced analyst, almost an auditor situation. To build this properly the security model that is constructed needs to be built to include emergency thresholds and revision timeframes. By supporting the security process as a business process it allows the concepts to more easily permeate the CXO offices, which means that you are far more likely to make more money, build a long term client, and create a strong security location.

To make the point clearer, I have ended up with clients that were previously with better known cryptanalysts, including some worldwide names. These clients have been told by their previous consultants that their security is good, but their consultant never told them that it needs reanalysis, they never encouraged the creation of a business process around it, it was always "Ask me when you have questions." I did not poach these clients, they left their previous consultants, and found me through referrals. These relationships are extremely profitable for me, for many reasons; I actually cost less than their prior consultants, but I make more, because everything is done quickly, efficiently, and effectively.

This security process builds stronger security, and while I admit I am still rarely asked about phishing, and even rarer is my advice listened to, my clients are rarely successfully hacked, and have lower than average losses.

Our biggest problem is that we view the security process as distinct from business processes. I truly wish I could make the Sarbanes-Oxley 2002 (http://news.findlaw.com/hdocs/docs/gwbush/sarbanesoxley072302.pdf) act required reading for every security consultant, because it demonstrates very much that proper security consulting is actually a business process.

Getting back to the topic, by doing this we can help them move from the "dick swinging" phase to a best practices security infrastructure used accurately and appropriately. We also need to start putting our money where our mouth is, I've seen too many "security consultants" whose primary job was to sell the add-on services available from their employer, instead we need to follow Sarbanes-Oxley in spirit and separate our security auditing from other services, even to the point where I am not invested in any company whose products I recommend (obviously I'm not shooting myself in the foot and investing in their competitors either). Unfortunately, a large number of cryptanalysts will have a lot of penance to take before they can do this because their "dick swinging" has been highly visible.

Joe

Posted by Joe at July 4, 2004 05:14 AM

I never considered phishing to be much of an issue until about a month ago, when I had a long discussion with someone at a security conference about a scale and type of phishing you never really hear about much. Not small-scale script-kiddie stuff but large-scale phishing run as a standard commercial business, with (literally) everything but 24-hour helpdesks (if you can read Portuguese you may be able to find more info at http://www.nbso.nic.br/). Some of this I've already covered in the "Why isn't the Internet secure yet" tutorial I mentioned a while back: Trojans that control your DNS to direct you to fake web sites, trojans that grab copies of legit web sites from your browser cache and render them asking you to re-validate yourself since your session has expired, trojans that intercept data from inside your browser before it gets to the SSL channel, etc etc. This isn't stuff that only newbies will fall for, these are exact copies of the real site that look and act exactly like the real site.

This stuff is the scariest security threat I've heard of in (at least) the last couple of years because it's almost impossible to defend against. There is simply no way to protect a user on a standard Windows PC from this type of attack - even if you can afford to give each user a SecurID or crypto challenge-response calculator, that doesn't help you much because the attacker controls the PC. It's like having users stick their bank cards into and give their PIN to a MafiaBank branded ATM, the only way to safely use it is to not use it at all.

The only solution I can think of is to use the PC only as a proxy/router and force users to do their online banking via a small terminal (not running Windows) that talks to the PC via the USB port, but it's not really economically viable.

Peter.

Posted by Peter Gutmann at July 7, 2004 11:30 AM
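The hardware device that "authenticates your transaction details out of reach of modification by your PC" from the first comment, and Peter Gutmann's point that a SecurID or challenge-response calculator on its own does not help when the attacker owns the PC, as one added example in Python. It is not code from the thread or from any bank's token: a plain one-time code, which depends only on a counter, is shown beside a code computed over the counter plus the amount and payee that the user keyed into the device. The per-customer key, account numbers, amounts and the "trojan" that rewrites the payee in the browser are constructed.

```python
# Added example (not code from the original posts): a keypad device that
# authenticates the transaction details, beside a plain one-time code that
# does not. The per-customer key, account numbers and amounts are constructed.
import hashlib
import hmac


def _code(key, *fields):
    # MAC over the fields, truncated to 8 decimal digits so the user can type it
    # from the device's display into the web form.
    msg = "|".join(str(f) for f in fields).encode()
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 10**8:08d}"


class Device:
    """Offline token with keypad, display and a secret shared with the bank.
    Nothing on the PC ever sees the key; what it signs is what the user keyed in."""

    def __init__(self, key):
        self.key = key
        self.counter = 0

    def otp(self):
        # SecurID-style: the code depends on the counter only, not on the payment.
        self.counter += 1
        return self.counter, _code(self.key, self.counter)

    def sign_transaction(self, amount, dest):
        # The user keys amount and payee on the device from the invoice, not from
        # the (possibly trojaned) browser window.
        self.counter += 1
        return self.counter, _code(self.key, self.counter, amount, dest)


class Bank:
    def __init__(self, key):
        self.key = key
        self.last_counter = 0

    def _verify(self, counter, expected, code):
        if counter <= self.last_counter:          # replayed code
            return False
        if not hmac.compare_digest(code, expected):
            return False
        self.last_counter = counter               # consume the counter only on success
        return True

    def accept_with_otp(self, amount, dest, counter, code):
        # amount/dest are what the bank received; the OTP says nothing about them.
        return self._verify(counter, _code(self.key, counter), code)

    def accept_signed(self, amount, dest, counter, code):
        # The code only verifies if the bank sees exactly what the user keyed.
        return self._verify(counter, _code(self.key, counter, amount, dest), code)


def trojan(amount, dest):
    # Malware in the browser swaps the payee on the wire while the page still
    # shows the user the original one.
    return amount, "MULE-9999"


def demo():
    """Return (otp accepts tampered, signed accepts tampered,
    signed accepts genuine, signed accepts replay)."""
    key = b"per-customer secret provisioned into the device"   # constructed
    dev, bank = Device(key), Bank(key)
    amount, dest = "250.00", "GB12-3456"

    c, code = dev.otp()
    otp_tampered = bank.accept_with_otp(*trojan(amount, dest), c, code)

    c, code = dev.sign_transaction(amount, dest)
    signed_tampered = bank.accept_signed(*trojan(amount, dest), c, code)
    signed_genuine = bank.accept_signed(amount, dest, c, code)
    replay = bank.accept_signed(amount, dest, c, code)
    return otp_tampered, signed_tampered, signed_genuine, replay
```

The whole value is in where the amount and payee come from: the device's own keypad. A token that displays and signs details the PC sends it over USB is back to Gutmann's MafiaBank ATM, because the trojan can feed it the real payee while sending the bank a different one. The bank also only advances the counter on a successful verification, so a failed tampered attempt does not lock the customer's genuine code out.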