April 09, 2008

another way to track their citizens

Passports were always meant to help track citizens. According to lore, they were invented in the 19th century to stop Frenchmen evading the draft (conscription), which is still an issue in some countries. BigMac points to a Dutch working paper, "Fingerprinting Passports," which shows that a passport can now be used to identify the bearer's country of issue, remotely and without the bearer's cooperation, at a distance of maybe 25 cm. Future Napoleons will be happy.

Because terrorising the reader over breakfast is currently good writing style by governments and media alike, let's highlight the dangers first. The paper speculates:

Given that we can remotely detect the presence of a passport of a particular country, how could this functionality be abused? One abuse case that has been suggested is a passport bomb, designed to go off if someone with a passport of a certain nationality comes close. One could even send such a bomb by post, say to an embassy. A less spectacular, but possibly more realistic, use of this functionality would be by passport thieves, who can remotely check if someone is carrying a passport and if it is of a ‘suitable’ nationality, before they decide to rob them.

From the general fear department, we can also add that overseas travellers sometimes have a fear of being mugged, kidnapped, hijacked or simply shot because of their nationality alone, favourable or unfavourable.

Now that we have the FUD off our chest, let's talk details. The trick involves sending a short series of commands (up to 4) to the RFID chip in the passport, each of which is expected to be rejected. The manner of rejection, that is, the error status the chip returns, differs from country to country, so a precise fingerprint of the issuing country is formed simply by examining each rejection and then choosing the next command to further narrow the choices. Note that no secret is needed for this: the chip answers with an error before any access control has succeeded, so the protected data stays protected while the chip's behaviour gives the country away.

How did this happen? I would speculate that the root failure is derived from bureaucrats' never-ending appetite for complex technological solutions to simple problems. In this case, the first root cause is the use of the RFID, being by intention and design something that can be read from up to 10 cm.

It is inherently attackable, and therefore by definition a very odd choice for security. The second complexity, then, involved implementing something to stop attackers reading the RFID without permission. The solution to an unauthorised read is encryption, of course! Which leads to our third complexity, a secret key, which is written inside the passport, of course! Which immediately raises issues of brute-forcing (of course!) and, as the paper references, brute-force attacks do work on some countries' passports because the secret key is... poorly chosen: it is derived from printed document data with far less entropy than the key length suggests.

All of this complexity, er, solution, means something called Basic Access Control (BAC) is added to the RFID in order to enforce the use of the secret key: a protocol of commands that the chip must refuse until the reader has proven it knows the key. If we factor in the tendency for each country to implement passports entirely alone (because they are more scared of each other than they are of their citizens), we can see that each solution is proprietary and home-grown. To cope with this, the standard was written to be very flexible (of course!). Hence, it permits wide diversity in how errors are reported, and that diversity is exactly what the fingerprint reads.

Whoops! Security error. In the world of security, we say that one should be precise in what we send, and precise in what we return: every chip that is not yet authenticated should answer every unexpected command with the same error, so that the rejection itself carries no information.
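To make the mechanism concrete, here is an added example (not code from the Dutch paper or from any passport reader) that simulates the interrogation over a constructed response table. The "countries" A to E, the probe names and the status words are made up for illustration and are not the real values for any passport; what is real is the shape of the attack, in which only the ISO 7816 status word of each rejected command is observed. The same code shows the fix argued for above: with the UNIFORM table, where every chip rejects identically, the decision tree collapses to a single leaf and no probe can tell the countries apart.

```python
"""
Fingerprinting a contactless chip by how it rejects commands.

Constructed example.  The probe names, the "countries" A..E and the status
words in the table are invented to show the mechanism; they are not the
real values for any country.  Only the status word (SW1 SW2) of each
rejection is observed, and every probe is sent before access control has
succeeded, so no key is needed.
"""

# Four probe commands, all of which every chip in the table rejects.
PROBES = ("SELECT_UNKNOWN_AID", "READ_BINARY_NO_FILE",
          "GET_CHALLENGE_BAD_LENGTH", "UNKNOWN_INSTRUCTION")

# Constructed table: status word returned by each "country's" chip to each
# probe, in PROBES order.
RESPONSES = {
    "A": ("6A82", "6982", "6700", "6D00"),
    "B": ("6A82", "6986", "6700", "6D00"),
    "C": ("6A82", "6982", "6C08", "6D00"),
    "D": ("6A86", "6986", "6C08", "6E00"),
    "E": ("6A82", "6982", "6700", "6E00"),
}

# The "be precise in what you return" fix: every chip gives identical errors.
UNIFORM = {country: RESPONSES["A"] for country in RESPONSES}


def build_tree(table, candidates, probes_left):
    """Greedy decision tree over the response table.

    A node is (probe, {status_word: subtree}); a leaf is the frozenset of
    countries that the probes used so far cannot tell apart.  At each node the
    probe chosen is the one whose answers split the remaining candidates into
    the smallest largest bucket, so the tree asks as few questions as it can."""
    candidates = frozenset(candidates)
    if len(candidates) <= 1 or not probes_left:
        return candidates
    best = None
    for probe in probes_left:
        col = PROBES.index(probe)
        buckets = {}
        for country in sorted(candidates):
            buckets.setdefault(table[country][col], set()).add(country)
        if len(buckets) < 2:
            continue                      # this probe separates nobody
        worst = max(len(b) for b in buckets.values())
        if best is None or worst < best[0]:
            best = (worst, probe, buckets)
    if best is None:
        return candidates                 # nothing left can separate them
    _, probe, buckets = best
    remaining = [p for p in probes_left if p != probe]
    return (probe, {sw: build_tree(table, group, remaining)
                    for sw, group in buckets.items()})


def max_probes(tree):
    """Worst-case number of commands the tree sends before answering."""
    if isinstance(tree, frozenset):
        return 0
    return 1 + max(max_probes(sub) for sub in tree[1].values())


def fingerprint(chip, tree, trace=None):
    """Interrogate a chip by walking the tree.

    `chip` maps a probe name to the status word the chip returns.  Only the
    probes on the path actually taken are sent.  Returns the set of countries
    consistent with the answers; empty if no known country answers that way."""
    trace = [] if trace is None else trace
    while not isinstance(tree, frozenset):
        probe, branches = tree
        sw = chip(probe)
        trace.append((probe, sw))
        if sw not in branches:
            return frozenset()
        tree = branches[sw]
    return tree


def make_chip(table, country):
    """Simulated chip: answers each probe straight from the table."""
    return lambda probe: table[country][PROBES.index(probe)]


TREE = build_tree(RESPONSES, RESPONSES, list(PROBES))
UNIFORM_TREE = build_tree(UNIFORM, UNIFORM, list(PROBES))

if __name__ == "__main__":
    print("worst case with diverse errors:", max_probes(TREE), "probes")
    for country in RESPONSES:
        trace = []
        found = fingerprint(make_chip(RESPONSES, country), TREE, trace)
        print(country, "->", sorted(found), "after", len(trace), "probes")
    print("uniform errors:", sorted(fingerprint(make_chip(UNIFORM, "A"), UNIFORM_TREE)))
```

With the constructed table the tree needs at most three of the four probes to pin down a country, which is the "up to 4 commands" of the paper in miniature; with the UNIFORM table it needs none, because none would help.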

From that point of view, this is poor security work by the governments of the world, but that's to be expected. The US State Department can now derive some satisfaction from earlier blunders; because of their failure to implement any form of encryption or access control, American passports can be read by all (terrorists and borderists alike), which apparently forced them to add aluminium foil into the passport cover to act as a Faraday cage. Likely, the other countries will now have to follow suit, and the smugness of being sophisticated and advanced in security terms ("we've got BAC!") will be replaced by a dawning realisation that they should have adopted the simpler solutions in the first place.

Posted by iang at 03:33 AM | Comments (3) | TrackBack

March 06, 2008

Economics not repealed, just slow: Paypal blames Browsers for Phishing

Well, it had to happen one day. A major player has finally broken the code of silence and blamed the browsers. In this case, it is PayPal, and Safari.

Infoworld last week quoted Michael Barrett, PayPal’s CIO, saying the following:
“Apple, unfortunately, is lagging behind what they need to do, to protect their customers. Our recommendation at this point, to our customers, is use Internet Explorer 7 or 8 when it comes out, or Firefox 2 or Firefox 3, or indeed Opera.”

The browser is the user's security tool. The browser is the only thing between you and the phisher. The browser is the point of all attack attention. The browser is it. That's why it had SSL built in -- to correctly identify the website as the one you wanted to go to.

So above, Paypal blames Safari for not doing enough about phishing. It's true, Safari does nothing (as I found out recently and had to switch back to Firefox). It likely had to be Paypal because the regulated banks won't say boo without permission, and Paypal might be supposed to be net-savvy. It had to be Safari because (a) there is that popular alternate now, and (b) Apple is still small enough not to be offended, and (c) others have done something in the phishing area.

A take-away then is not the names involved, but the fact that a large player has finally lost patience and is pointing fingers at those who are not addressing phishing:

At issue is the fact that Safari lacks a built-in phishing filter to warn users about shady Web sites. Safari also doesn’t support so-called Extended Validation certificates, which turn the address bar green if a site is legit. Extended Validation certificates aren’t the complete answer but are a help.

OK, so those are some ideas, and Safari could do something. However there may be more to this than meets the eye:

An emerging technology, EV certificates are already supported in Internet Explorer 7, and they've been used on PayPal's Web site for more than a year now. When IE 7 visits PayPal, the browser's address bar turns green -- a sign to users that the site is legitimate. Upcoming versions of Firefox and Opera are expected to support the technology.

Aha! It's not a general complaint to Apple at all. It is a complaint that EV has not been implemented in Safari. It's a very specific complaint!

(Long term readers know that EV implements the basic steps necessary to complete the SSL security model: by naming the CA that makes the claim, it clearly encapsulates the statement, and by making clearer to the user what is going on, it carries that statement the final step to the risk-bearing party.)

Paypal has purchased a green certificate. And now they want it to work. It works on IE, but not on others. (Firefox and Opera say "soon" and so are given a pass. For now.) Apple rarely comments on its plans, so it has been named and shamed for not adopting the agreed solution. More for not playing the game than anything.

The sad thing about the EV is that it is (approximately) what the browsers should have done years ago, when phishing became apparent.

But nothing could be done. I know, I tried. If there is any more elegant proof of the market for silver bullets, I'm hard pressed to find it. To break the equilibrium around SSL+cert-user-CA (that reads SSL plus cert minus user minus CA), EV had to be packaged as an industry consortium agreeing on an expensive product. Once so packaged, it was then sold to Microsoft and to some major websites. Once in the major places, influence is then brought to bear to get the rest to come into line.

The problem with this, as I lay out in silver bullets, is that shifting from one equilibrium to another is a strictly weaker strategy than the attacker's. Firstly, we are not that confident in our choice of equilibrium. That's by definition; we wouldn't play this game if we knew how to play the game. Secondly, and to take a leaf from John Boyd, the attacker can turn inside our OODA loop. Which is to say, he can create and modify his attacks faster than we can change equilibrium. Or, he is better at playing his game than we are.

You can read a much more extended argument in the essay (new, improved with extra added focus!). But for now, what I find interesting is the questions we don't yet have answers to.

What would be the attacker's best strategy, knowing all we do about the market and our claim that this is equilibrium shifting? Would the attacker destroy EV? Would he protect EV? Would he milk it?

Another question is, what is Apple's best strategy? It is currently outside the consortium, but has been attacked. Should it join and implement EV? Go it alone? Ignore? Invent an own strategy?

Posted by iang at 11:17 AM | Comments (0) | TrackBack

December 15, 2007

MITM spotted in Tor

Bruce Schneier wrote in cryptogram:

Man-in-the-middle attack by Tor exit node. So often man-in-the-middle attacks are theoretical; it's fascinating to see one in the wild. The guy claims that he just misconfigured his Tor node. I don't know enough about Tor to have any comment about this. [German commentary.] I've written about anonymity and the Tor network before.

Can't agree more! MITMs are so rare that they really should not drive any threat model until shown to be economic. Making that mistake was one of the core failures that led to phishing (thanks guys!). Here's a simpler sniffing attack on the same network:

I previously wrote about Dan Egerstad, a security researcher who ran a Tor anonymity network and was able to sniff some pretty impressive usernames and passwords. Swedish police arrested him last month.

Pure eavesdropping is also worth recording because we need to establish the frequency so as to calculate how much attention to pay to it. For the interest of financial cryptographers here, let's add this one from the same source, pointing to BoingBoing pointing to b.wsj:

In 1941, the British Secret Service asked the game's British licensee John Waddington Ltd. to add secret extras to some sets, which had become standard elements of the aid packages that the Red Cross delivered to allied prisoners of war. Along with the usual dog, top hat and thimble, the sets had a metal file, compass, and silk maps of safe houses (silk, because it folds into small spaces and unfolds silently). Even better, real French, German and Italian currency was hidden underneath the game's fake money. Departing allied soldiers and pilots were told that if they were captured they should look out for the special editions, identified by a red dot in the Free Parking space. Any sets remaining in the U.K. were destroyed after the war. Of the 35,000 prisoners of war who escaped German prison camps by the end of the war, "more than a few of those certainly owe their breakout to the classic board game," says Mr. McMahon.
Posted by iang at 08:10 AM | Comments (1) | TrackBack

September 10, 2007

Threatwatch - more data on cost of your identity

In the long-running threatwatch theme of how much a set of identity documents will cost you, Dave Birch spots new data:

Other than data breaches, another useful rule-of-thumb figure, I reckon, might come from identity card fraud since an identity card is a much better representation of a person's identity than a credit card record. Luckily, one of the countries with a national smart ID card just had a police bust: in Malaysia, the police seized fake MyKad, foreign workers identity cards, work permits and Indonesian passports and said that they thought the fake documents were sold for between RM300 and RM500 (somewhere between $100 to $150) each. That gives us a rule-of-thumb of $20 for a "credit card identity" and $100, say, for a "full identity". Since we don't yet have ID cards in the U.K., I thought that fake passports might be my best proxy. Here, the police says that 1,800 alleged counterfeit passports recovered in raid in North London were valued at £1m. If we round it up to 2,000 fakes, then that's £500 each. This, incidentally, was the largest seizure of fake passports in the U.K. so far and included 200 U.K. passports, which, according to police, are often considered by counterfeiters to be too difficult to reproduce. Not!

The point I actually wanted to make is not that these figures are very variable, which they are, but that they're not comparing apples with apples. Hence the simplistic "what's your identity worth?" question cannot be answered with a simple number.

OK, that's consistent with my long-standing estimate of 1000 (in the major units, pounds, dollars, euros) to get a set of docs. It is important to track this because if you are building a system based on identity, this gives you a solid number on which to base your economic security: the attacker's cost of a full set of documents is the ceiling on what an identity check alone can protect. E.g., don't protect much more than 1000 on the basis of identity, alone.

As a curious footnote, I recently acquired a new high-quality document from the proper source, and it cost me around 1000, once all the checking, rechecking, couriered documents and double phase costs were all added up. If a data set of one could be extrapolated, this would tell us that it makes no difference to the user whether she goes for a fully authentic set or not!

Luckily my experiences are probably an outlier, but we can see a fairly damning data point here: the cost of an "informal" document is far too similar to the cost of a "formal" document.

Postscript: It turns out that there is no way to go through FC archives and see all the various categories, so I've added a button at the right which allows you to see (for example) the cost of your identity, in full posted-archive form.

Posted by iang at 05:27 AM | Comments (1) | TrackBack

July 23, 2007

Threatwatch: how much to MITM, how quickly, how much lost

It costs $500 for a kit to launch an MITM phishing attack. (Don't forget to add labour costs at 3rd world rates...)

David Franklin, vice president for the Europe, Middle East and Africa told IT PRO that these sites are proliferating because they are actually easier for hackers to set up than traditional 'fake' phishing sites because they don't even have to maintain a fake website. He also said man-in-the-middle attacks defeat weak authentication methods including passwords, internet protocol (IP) geolocation, device fingerprinting, cookies and personal security images and tokens, for example.

"A lot of the attacks you hear about are just the tip of the iceberg. Banks often won't even tell an affected customer that they have been a victim of these man-in-the-middle attacks," said Franklin, adding that kits that guide cybercriminals through setting up a man-in-the-middle attack are now so popular they can be bought for as little as $500 (£250) on the black market now.

He also said "man-in-the-browser" attacks are emerging to compete in popularity with middleman threat.

A couple of interesting notes from the above: it is now accepted that MITM is what phishing is (in the form mentioned above, in the original email form, and in the DNS form). These MITMs defeat the identity protection of SSL secure browsing, a claim made hereabouts first, and one that is still widely misunderstood. This is significant because SSL is engineered to defeat MITMs, but it only defeats internal or protocol MITMs, that is, an attacker sitting on the wire between the browser and the server the browser chose to connect to. It cannot stop the application itself being MITM'd: if the user is lured into connecting to the phisher's server, the browser's SSL session with the phisher and the phisher's SSL session with the bank are both perfectly valid, and the protocol sees nothing wrong. This typical "bypass attack" has important economic ramifications, such that SSL is now shown to be too heavy-weight to deliver value, unless it is totally free of cost and setup.

Secondly, note that the mainstream news has picked up the MITB threat (also reported and documented here first). It's still rare, but in the next 6 months, expect your boss to ask what it's about, because he read it in Yahoo.

More juicy threat modelling numbers:

Analysts at RSA Security early last month spotted a single piece of PHP code that installs a phishing site on a compromised server in about two seconds,

And....

Despite efforts to quickly shut sites down, phishing sites averaged a 3.8-day life span in May, according to the Anti-Phishing Working Group, which released its latest statistics on Sunday.

Data from market analyst Gartner released last month showed that phishing attacks have doubled over the last two years.

Gartner said 3.5 million adults remembered revealing sensitive personal or financial information to a phisher, while 2.3 million said that they had lost money because of phishing. The average loss is US$1,250 per victim, Gartner said.

In the past (June 2004: 1, 2), I've reported that phishing costs around one billion per year. Multiply the last two Gartner numbers above (2.3 million victims at an average of $1,250 each) and we get a little under three billion, or around a billion a year over the last three years. Still a good rule of thumb then.

Posted by iang at 06:39 AM | Comments (4) | TrackBack

April 20, 2007

Counting Chickens at eTrade, bankruptcy in Europe, and costs in America

Gunnar Peterson posts:

Identity Chickens Coming Home to 8 Figure Roost

Reason number 2,503,201 why 1995 security architectures based on SSL, network firewalls, and a prayer are not good enough any more. Etrade's 10Q filing (hat tip Dan Geer):

Other expenses increased 97% to $45.7 million and 55% to $101.9 million for the three and nine months ended September 30, 2006, respectively, compared to the same periods in 2005. These increases were primarily due to fraud related losses during the third quarter of 2006 of $18.1 million, of which $10.0 million was identity theft related. The identity theft situations arose from recent computer viruses that attacked the personal computers of our customers, not from a breach of the security of our systems. We reimbursed customers for their losses through our Complete Protection Guarantee. These fraud schemes have impacted our industry as a whole. While we believe our systems remain safe and secure, we have implemented technological and operational changes to deter unauthorized activity in our customer accounts.

Over on EC I suggested that the cost depends on whether you are left or right of the Atlantic. In Europe, the Data Directive mandates fines; I was told it was around 25-50 thousand Euros per record lost. Lose your database, file for bankruptcy.

(OK, so I make this claim. I heard it in a pub... I'd better check on it!)

While we're counting cost, if not coup, here are some US numbers, finally with some serious if unconfirmed attention from Forrester Research:

The average security breach can cost a company between $90 and $305 per lost record, according to a new study from Forrester Research. The research firm surveyed 28 companies that had some type of data breach.

"After calculating the expenses of legal fees, call centers, lost employee productivity, regulatory fines, stock plummets, and customer losses, it can be dizzying, if not impossible, to come up with a true number," wrote senior analyst Khalid Kark in the report. "Although studies may not be able to determine the exact cost of a security breach in your organization, the loss of sensitive data can have a crippling impact on an organization's bottom line, especially if it is ill-equipped, and it's important to be able to make an educated estimate of its cost."

Posted by iang at 01:31 AM | Comments (0) | TrackBack

April 02, 2007

Threatwatch: MITB spotted: MITM over SSL from within the browser

A long-awaited browser MITB attack -- in essence an MITM against SSL launched from within the browser -- has been spotted (by Lynn) in the Netherlands:

...customers opened an email attachment that resulted in a virus being executed on their machines. This virus changed their browsers' behaviour so when they went to open the real ABN Amro online banking site, they were instead re-directed to a spoof site.

The customers then typed in their passwords, which the attacker in turn used to access the bank's real Web site. The customer's own transactions were passed along to the real site, so they didn't notice anything wrong right away, while the attacker simultaneously made their own fraudulent transactions using the bank's urgent payment feature.

ABN Amro has issued its customers with two-factor authentication tokens for several years. But the man-in-the middle attack gets around this security measure by passing the ever-changing part of the password from the token to the bank along with the never-changing part - essentially piggybacking on a legitimate log-in.

Now, if it has been spotted here, it has been going on for some time. The first signs seen of an attack on SSL were late 2004. In essence it was still an uneconomic attack, but the proofs of concept were there. What remains to be seen is whether we are about to see a large scale shift into browser MITM attacks (known as Man-in-the-Browser) or whether we are seeing only tentative experimentation.
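The July 2007 note above (MITM kits "defeat weak authentication methods including ... tokens") and the ABN Amro report here describe the same relay: the one-time code proves the customer is holding the token, but says nothing about what the session is then used for. The following is an added simulation of that relay and of the countermeasure, binding the code to the transaction; it is not ABN Amro's, any vendor's, or the blog's own code. The token algorithm is a simplified HMAC scheme (not real HOTP/TOTP or any bank's), and the Bank and Phisher classes, user, accounts and amounts are constructed for illustration.

```python
"""
Relay of a login OTP through a spoof site, and the transaction-bound fix.

Constructed example.  The token scheme is a simplified HMAC construction,
not a real bank's; names, accounts and amounts are made up.
"""
import hashlib
import hmac

DIGITS = 6


def _truncate(mac: bytes) -> str:
    """First 4 bytes of a MAC as a zero-padded DIGITS-digit code."""
    return str(int.from_bytes(mac[:4], "big") % 10 ** DIGITS).zfill(DIGITS)


def login_otp(seed: bytes, counter: int) -> str:
    """Counter-based login code.  It depends only on seed and counter, so it
    proves possession of the token but says nothing about the holder's intent."""
    return _truncate(hmac.new(seed, counter.to_bytes(8, "big"), hashlib.sha256).digest())


def transaction_code(seed: bytes, destination: str, amount: int) -> str:
    """Transaction-bound code: the user keys destination and amount into the
    token, so the code is valid for that exact payment and no other."""
    msg = f"{destination}|{amount}".encode()
    return _truncate(hmac.new(seed, msg, hashlib.sha256).digest())


class Bank:
    """Minimal back end: password + OTP at login, then transfers in-session.
    With bind_to_transaction=True each transfer also needs a transaction code."""

    def __init__(self, bind_to_transaction: bool):
        self.bind = bind_to_transaction
        self.users = {}      # user -> {"pw": str, "seed": bytes, "ctr": int}
        self.sessions = {}   # session id -> user
        self.ledger = []     # (user, destination, amount) actually executed

    def enroll(self, user, password, seed):
        self.users[user] = {"pw": password, "seed": seed, "ctr": 0}

    def login(self, user, password, code):
        u = self.users.get(user)
        if u is None or not hmac.compare_digest(u["pw"], password):
            return None
        if not hmac.compare_digest(login_otp(u["seed"], u["ctr"]), code):
            return None
        u["ctr"] += 1                         # each login code is single-use
        sid = f"S{len(self.sessions) + 1}"
        self.sessions[sid] = user
        return sid

    def transfer(self, sid, destination, amount, code=None):
        user = self.sessions.get(sid)
        if user is None:
            return False
        if self.bind:
            expected = transaction_code(self.users[user]["seed"], destination, amount)
            if code is None or not hmac.compare_digest(expected, code):
                return False              # code was minted for a different payment
        self.ledger.append((user, destination, amount))
        return True


class Phisher:
    """Spoof site: relays the victim's credentials to the real bank, passes the
    victim's own payment through so nothing looks wrong, then rides the same
    session for its own 'urgent payment' to a mule account."""

    def __init__(self, bank, mule, steal):
        self.bank, self.mule, self.steal = bank, mule, steal
        self.attempted = None             # result of the fraudulent transfer

    def login(self, user, password, code):
        return self.bank.login(user, password, code)   # piggyback on the real login

    def transfer(self, sid, destination, amount, code=None):
        ok = self.bank.transfer(sid, destination, amount, code)
        self.attempted = self.bank.transfer(sid, self.mule, self.steal, code)
        return ok                         # the victim only ever sees this


def victim_pays(site, user, password, seed, counter, destination, amount, bind):
    """What the customer does, unaware of which site is in front of them."""
    sid = site.login(user, password, login_otp(seed, counter))
    code = transaction_code(seed, destination, amount) if bind else None
    return site.transfer(sid, destination, amount, code)


def simulate(bind: bool):
    """Run one victim session through the phisher; return (ledger, fraud ok?)."""
    bank = Bank(bind_to_transaction=bind)
    seed = b"constructed seed for alice's token"
    bank.enroll("alice", "correct horse", seed)
    phisher = Phisher(bank, mule="MULE-ACCT", steal=5000)
    victim_pays(phisher, "alice", "correct horse", seed, 0, "LANDLORD", 500, bind)
    return bank.ledger, phisher.attempted


if __name__ == "__main__":
    for bind in (False, True):
        ledger, fraud = simulate(bind)
        print("transaction-bound" if bind else "login OTP only", ledger, "fraud:", fraud)
```

Without binding, the ledger shows both the victim's 500 to LANDLORD and the phisher's 5000 to MULE-ACCT, exactly the piggybacking in the report. With binding, the relayed code authorises only the payment the customer keyed into the token, the mule transfer is refused, and the relay gains nothing beyond what it would have had from a stolen password. This is the distinction that matters for the MITB case too: a code that authenticates the session can be relayed by anything between the user and the bank, including the user's own browser; a code that authenticates the transaction cannot be redirected without the user noticing the destination and amount they are asked to key in.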

Meanwhile, over at Mozilla, "our man in the SSL/UI security team" Johnath is trying to draft up a proposal to work with Firefox. State of play so far:

Creating a simple UI to repair the padlock is no easy matter. EV is a complicating factor in that we need at least 3 states, and that means we need more than 3. This ain't new, but it is easier said than done.

Further, nobody has any hope that EV changes anything. Firstly, it is very confusing, too small, rare, and ultimately spoofable. So people are looking to Mozilla to see whether it will break away and start working on the far stronger user-bank relationship, directly, a.k.a Petnames and Zooko's Triangle and all that.

Maybe. As Gervase does not tire of pointing out, users won't do that. Worse, the above attack slices its way through both of those approaches, because it changes the browser from the inside.

The number of balls in the air is now too many. We've all noticed the migration away from Microsoft to Mac because of security failures. (The press worms bury deeply into the wet soil on this one.) Will there be a wholesale migration away from online banking as all browsers are declared no more solid than Swiss cheese in a fondue?

This was what the European banks were worried about when we reported MITB earlier in 2006. One year later there has been no epidemic, and that gave them time to respond. Hopefully they are ready. Chances are, nobody else has or is. To live in interesting times...

Posted by iang at 02:44 PM | Comments (6) | TrackBack

April 01, 2007

Threatwatch - bots, selling Ameritradelity, all your DNS belong to US

In our side project of collecting reported threat statistics, here's lots of them:

MessageLabs, a company that counts spam, recently stopped counting bot-infected computers because it literally could not keep up. It says it quit when the figure passed about 10 million a year ago. Symantec Corp. recently said it counted 6.7 million active bots during an Internet scan. Since all bots are not active at any given time, the number of infected computers is likely much higher. And Dave Dagon, who recently left Georgia Tech University to start a bot-fighting company named Damballa, pegs the number at closer to 30 million. The firm uses a "capture, mark, and release," strategy borrowed from environmental science to study the movement of bot armies and estimate their size.

"It's like asking how many people are on the planet, you are wrong the second you give the answer. : But the number is in the tens of millions," Dagon said. "Had you told me five years ago that organized crime would control 1 out of every 10 home machines on the Internet, I would have not have believed that. And yet we are in an era where this is something that is happening."

This transcript of a trading account fencing ("selling of stolen goods") spree reveals:

Two accounts on TD Ameritrade. One has $7,000, $2,000 on the other. Plus I have a us.etrade.com account which has $1,300. I will sell all for $250. I also have a Fidelity valued at $50,000 that I'll sell for $350. Purse on webmoney Zxxxxxxxxxxxx. I can send them in parts so you can be sure I am not a fraud, but you make the first transaction, and then I send you the money.

Funnily enough, the "fence" wasn't that smart, as the questions from the TV intern doing the 'buying' should have tipped him off fairly early that she was probably an investigator.

Not a number, but a threat (posted by Duane, pointed out by Philipp):

DNSSec is poorly adopted already, and now the US Gov wants IANA to hand over private keys, giving people even less incentive to adopt.

"At an ICANN meeting in Lisbon, the US Department of Homeland Security made it clear that it has requested the master key for the DNS root zone. The key will play an important role in the new DNSSec security extension, because it will make spoofing IP-addresses impossible. By forcing the IANA to hand out a copy of the master key, the US government will be the only institution that is able to spoof IP addresses and be able to break into computers connected to the Internet without much effort. There's a further complication, of course, because even 'if the IANA retains the key ... the US government still reserves the right to oversee ICANN/IANA. If the keys are then handed over to ICANN/IANA, there would be even less of an incentive [for the U.S.] to give up this role as a monitor. As a result, the DHS's demands will probably only heat up the debate about US dominance of the control of Internet resources.'"

A Cook Report around 1997 laid out the basic case that it is US government formal but unstated policy that the net is controlled and kept as a US-managed institution. That makes the above an old and well understood threat; serious high security Internet systems do their "own DNS," including Skype, eCash, WebMoney, Ricardo. (All except the last are from memory and anecdotes.)

The above can be seen as a power play between the overseers of the poodle ICANN (Commerce Dept?) and the DHS, being the new kid on the block. The solution to the above problem is simply to issue the DNS root zone master key to every government agency that asks for it. If the crazies in DHS have a right to it (as they will argue) then so do the mad mullahs of Persia ... and all points in between.

Then, the root key moves to where Spire put it: 150,000 people with legitimate access to it, so no longer a security tool. Problem solved.

Addendum: dead link was this:



Hackers Pillaging Your Hard-Earned Retirement Funds
The Following Are E-mail Exchanges Between a Russian Hacker and an ABC News
Intern Dubbed 'Svetlana'

March 20, 2007- -

Hacker (March 9, 10:44 AM): Hello Svetlana! You need TD Ameritrade accounts?
I have a couple and Fidelity.com as well. On one there is 7k for cash
trading/withdrawal. How much are you willing to offer for it? Write me and
we will discuss )

Svetlana (11:42 AM): Hello! Thank you for responding...what percent do you
usually take for the information and what exactly will you give me if we
make a deal? Is the 7K in TD Ameritrade or in Fidelity.com?

Hacker (11:46 AM): Ok 7k is on the Ameritrade and I do not take a
percentage. I can just simply sell you the account. I am not a fraud you can
ask Egold he knows me. A couple of hundred dollars will satisfy me
completely.

Svetlana (11:53 AM): Ok, do you have the password and the number of that
account? And is this account American? How much money is in the Fidelity? A
couple of hundred is feasible, how much exactly do you want?

Hacker (12:03 PM): Two accounts on TD Ameritrade. One has $7,000, $2,000 on
the other. Plus I have a us.etrade.com account which has $1,300. I will sell
all for $250. I also have a Fidelity valued at $50,000 that I'll sell for
$350. Purse on webmoney Zxxxxxxxxxxxx. I can send them in parts so you can
be sure I am not a fraud, but you make the first transaction, and then I
send you the money.

Hacker (12:05 PM): Yes, all the accounts are American.

Svetlana (12:14 PM): Ok, so I will send you the money, and you will give me
1) username 2) password?

Hacker (12:16 PM): Of course, I have these accounts from time to time and if
you need them we can work together permanently. As soon as you make the
transaction I will send you the information in the email.

Hacker (12:34 PM): Svetlana, how do you like my offer? Are you going to buy,
I need to know that they are yours so I don't sell them. Write back.

Svetlana (12:52 PM): I will pay you double if along with this information
you have the names of these people and their SS #.

Hacker (12:56 PM): Ok when you enter you will see the owner's information.
When are you planning to buy the accounts? Today?

Hacker (1:00 PM): I also have two trading.scottrade.com accounts valued a
little under $40,000. Need them?

Svetlana (1:09 PM): Yes, I DEFINITELY need them. I never used a webmoney
account, how do I sign up to it?

Hacker (1:23 PM): Ok fine Svetlana I will help you make the transfer. Go to
www.roboxchange.com, select "exchange electronic money," "forward," in the
window select USD e-gold. For the receiver choose WMZ. Type in the amount in
your e-golds and below it will say how much that equals in webmoney. Copy
the number of the purse from the email Zxxxxxxxxxxxx. That's it, press
"exchange," the money will be instantaneously transferred to me and I will
send you the information for accessing the accounts, which will complete the
transaction.

Hacker (1:45 PM) So Svetlana, did you understand? Write back as soon as you
send.

Hacker (2:07 PM): Svetlana...

Svetlana (2:07 PM) Ok I signed up. However, $600 is big money, how would I
know FOR SURE that you will send them to me? Can you give me some kind of
proof?

Hacker (2:11 PM): I told you, Egold works with me, write him, he serves as
the guarantee during transactions. He is also the forum's moderator on which
you made the announcement. This is guarantee in itself. Believe me, I am not
a fraud, I am a salesperson of accounts. I make money from this, I have no
reason to ruin my reputation, especially since you are paying me good money
and there is no point to lose you as a client, which I have to find anyway.

Hacker (2:13 PM): My nickname is koloxxxx, he knows.

Hacker (2:38 PM): Svetlana, did you make the transaction, or am I
misunderstanding something?

Hacker (2:40 PM): For proof, I can send you one small account. Look and
understand that I am a real seller, this is my fraud-free business.
[https://wwws.ameritrade.com/cgi-bin/apps/LogIn]
Log on to TD AMERITRADE
USERID=xxxxxxxxx
PASSWORD=xxxxxxxxxxx

Svetlana (2:50 PM): I can not find the person's name and SSN# on this
account.

Hacker (2:54 PM): Ok this is just with Ameritrades, Fidelity has them. Make
the transfer and I will send you the rest, then we will talk in detail.

Hacker (2:56 PM): Fidelity has the SS #.

Svetlana (3:02 PM): So Ameritrades never have SSN#'s? I need the people's
names and their SSN#'s.

Hacker (3:11 PM): Ok Svetlana you wrote: "I need to access Schwab, E-trade,
TD Ameritrade accounts. I do not need credit cards -- only savings accounts
or 401(K)s. Pay good money, willing to make a deal. Write back asap, or
email me at Sveta.xxxx@gmail.com". So I showed you an account,
Ameritrade...unfortunately it lacks the information you need, specifically
the name of the owner, but on the Fidelity I have that information plus the
SS#. I also have us.etrade.com where the person's information can be seen. I
am completing my part of the deal, and am awaiting the same on your part.
Svetlana, what do you want from me, let's make the exchange and and I will
send you your accounts, or consequently I will open them up for sale. Make a
decision...

Hacker (3:31 PM): Do you need them or not?

Hacker (3:37 PM): Svetlana, are you still there?

Svetlana (3:47 PM): Yes, I need them but I will not have the money till
Monday (I am awaiting a transfer), can you wait till then? If not, will you
have anything remaining or will you have anything new on Monday?

Hacker (3:51 PM): Of course, and I will keep this material for you. It would
be nice if you would send me at least $50 as a sort of a guarantee for me.
If not then not...I will keep the accounts till Monday and I will be online
at that time so feel free to write me. Good luck Svetlana.

Svetlana (4:06 PM): I would rather send you the total amount on
Monday...thank you very much for your patience...talk to you soon!!

Hacker (March 12, 11:44 AM): Hello Svetlana! How are you today? Are you able
to make the transfer to the purse? As I promised I left you those accounts
and I also have 6-8 new fidelity each valued at $20-40k. Of course each has
a SS# and FIO of the owner as you needed. Write back as soon as you get
this.

Svetlana (11:54 AM): Hello! Yes I have the money, but how do I extract the
money from these accounts?

Hacker (12:01 PM): Svetlana I merely sell the accounts, the people that
purchase them they do everything as they wish and I have nothing to do with
it...You asked me to find accounts and I found them for you, will you be
buying those for $600?

Svetlana (12:08 PM): Sergey, actually I work for ABC News in New York. We
are doing a report on hackers that break into accounts. What you showed me
is very interesting, and we would like to interview you about your business.

Hacker (12:11 PM): ) Best of luck to you.

This exchange was translated from Russian to English.

Copyright © 2007 ABC News Internet Ventures
http://abcnews.go.com/wnt/print?id=2966583

Posted by iang at 04:51 PM

March 27, 2007

Cost of an identity

Some figures on the cost to build a new identity:

In all, seven defendants pleaded guilty in Corpus Christi this past week to charges of selling their birth certificates and Social Security cards for $100 each. Seven other defendants pleaded guilty to buying or reselling those documents as part of a ring that sold documents to illegal immigrants seeking jobs in Dodge City, Kan.

One other figure:

Tim Counts, an Immigration and Customs Enforcement spokesman in Bloomington, Minn., said that investigation revealed documents were available for a price in places as open as Kmart parking lots. He said genuine documents were the most expensive, costing up to $1,500, and the most effective against detection.

That remark looks suspicious; I'd guess he's talking about something other than SS cards and birth certificates.

Also over in that center of expertise in identity theft, USA, a blog entry by Spire says:

  1. For as long as we continue to pretend that SSNs are secret and therefore may be used as authenticators, they will be.
  2. There are over 150,000 people (my estimate) with "defendable" access to your SSN right now. They aren't secret.
  3. You are more likely by a factor of 10 to be a victim of identity fraud via one of these "authorized" folks.
  4. The real problem is not how easy it is to get your SSN, but how creditors et al. allow the SSN to be used as an authenticator (See #1).
  5. The SSN is fine as an identifier. No, it is not perfect, but its main benefit is that it is already used in so many places.

Right. That's a number we wanted: 150k people in that country have access (legal, he says defendable) to the SSN. Presumably they have access to all the other PII as well.

Posted by iang at 05:51 AM

March 17, 2007

Finally, someone gets done for Money Laundering....

Money Laundering (ML) was once tightly defined as washing the proceeds of (very) serious crime through an organised cycle.

How you could tell was supposed to be that there was (a) an awful lot of it, (b) there was a hot-button crime like drugs, and (c) an organisation that processed the cash. That's what the big drugs rings did; in effect, they outsourced the money problem to the professionals.

This is "real" money laundering:

Three members of a money laundering gang were jailed for a total of 15 years at Ipswich Crown Court today. Between June 2003 and September 2005 the gang laundered more than £100 million in cash for criminal organisations and individuals throughout the United Kingdom.

The court heard that this large scale money laundering operation was centred around a Money Services Bureau (MSB) on the London Road in Croydon, called Deans Exchange. This was run by Zaka Ud Din, with the assistance of Sabz Ali Khojo. As well as offering legitimate money services to the local community, Deans Exchange was being used as a front for a much larger operation, offering the laundering of cash.

My hat off to the guys who busted that ring.

These days, however, ML is a catch-all crime of no semantic meaning, given the massive preponderance of convictions where the only relationship was that it was a crime of some trivial amount of value. ML these days is more likely to mean a well-off professional goes down for one count of slapping his wife and 6 counts of ML.

Technically, this is the best it gets:

BRITAIN'S biggest and most feared gangster got away with murder yesterday when he was jailed for just seven years. Terry Adams, linked by police to 25 unsolved killings, was finally brought to justice after running a £200million crime empire for more than 25 years.

Like Al Capone, police were unable to make any serious charges stick against the crime kingpin and it was a financial scam that proved his downfall. Adams pleaded guilty to a single charge of money laundering - but was told he will be eligible for parole in three and a half years.

More public applause to the British criminal authorities (and MI5 apparently). That was the case that AML (anti-money laundering) was designed for: get a notorious crime boss on the financials, because he killed all the witnesses (25 in the above case). You can't kill the flow of money, so the theory goes.

The Attorney General's Office of the Republic (PGR) is investigating the international links of the company Unimed Pharm Chem de México, which served as a front so that, since at least 2004, a group of alleged producers of synthetic drugs could accumulate more than 205 million dollars in cash, as well as some 200 thousand euros and 157 thousand pesos, in a residence in Lomas de Chapultepec. PHOTO Ap /PGR

(Sorry about the Spanish, haven't found an English article yet.) Which is why there was a rationale that if you could seize the cash, you did the crime boss harm. The $205 million in cash in the photo above was seized this week in Mexico in some sort of financing deal for a complete factory to produce drugs.

When cash like that gets seized from MLers, this helps. Nobody can object to that!

But the more popular meaning of ML seizures is "police need money to finance more ML seizures." When someone you know gets accused of 5 counts of ML and 1 count of using the postal service, all because he rubbed the local FBI agent up the wrong way, AML becomes the enemy of civil society.

Relevance to FC: as we design systems of value, we must protect our users from illegal ML and from immoral AML. No easy task, given the lack of discrimination in the tools. Above, all the cases are clearly bad guys being caught by the good guys, and we applaud. Indeed, an honest ML bust is so rare that it's worth posting about.

Posted by iang at 08:35 AM

An ordinary crime: stock manipulation

Sometimes when we can't seem to get anywhere on analysing our own sector of criminal activity, it helps to look at some ordinary stuff. Here's one:

According to the Commission's complaint, between July and November 2006, the Defendants repeatedly hijacked the online brokerage accounts of unwitting investors using stolen usernames and passwords. Prior to intruding into these accounts, the Defendants acquired positions in the securities of at least fourteen securities, including Sun Microsystems, Inc., and "out of the money" put options on shares of Google, Inc. Then, without the accountholders' knowledge, and using the victims' own accounts and funds, the Defendants placed scores of unauthorized buy orders at above-market prices. After these unauthorized buy orders were placed, the Defendants sold the positions held in their own accounts at the artificially inflated prices, realizing profits of over $121,500.

To achieve this benefit, the prosecution alleges that $875,000 of damage was done.

It's a point worth underscoring: a criminal attack in our world often involves doing much more damage than the gain to the criminal. For that reason, we must focus on the overall result and not on the headline number. Here's a more aggressive damages number:

The pump and dump scheme, which occurred between July and November 2006, has cost one brokerage firm at least $2m in losses. An estimated 60 customers and nine US brokerage firms were identified as victims.

Also, funds seized.

Posted by iang at 08:05 AM

February 23, 2007

Any good definitions of Phishing?

Somehow I ended up on Wikipedia's entry on phishing, and added a link from the AOL playtime era to its more modern incarnation of the rape & pillage of a financial district swollen with multi-nationals, conglomerates and fat, bloated merchant banks:

Transition from AOL to Financial Institutions

Capture of AOL account information may have led phishers to capture and misuse of (real) credit card information, which then evolved to attacks against online payment systems. The first direct attempt against a payment system may have been against e-gold, "going out of biz," June 2001, and was followed by "post-911 id check" shortly after 9/11.[14] Both were viewed at the time as failures, but can now be seen as early experiments towards more fruitful attacks against mainstream banks. By 2004, phishing was recognised as fully industrialised, in the sense of an economy of crime: specialisations emerged on a global scale and provided components for cash which were assembled into a finished attack. [15][16]


Anyone can edit that page, honest injun! Also, at the top, it defines:

In computing, phishing is a criminal activity using social engineering techniques.[1]

Come on, surely we can do better than that!? What happened to the successful MITM? What happened to the failure of the browser security model? I think at least we need to inject some hubris in there: security designs failed. Sorry about that, let's get it fixed.

What are the potential definitions of phishing, then?

Posted by iang at 03:27 PM

February 22, 2007

Threatwatch: $400 to 'own' your account

Some numbers from Guillaume Lovet on what it costs to gain control of an online bank account:

The most straightforward is to buy the 'finished product'. In this case we'll use the example of an online bank account. The product takes the form of information necessary to gain authorised control over a bank account with a six-figure balance. The cost to obtain this information is $400 (cybercriminals always deal in dollars).

Also, roles:

Coders - comparative veterans of the hacking community. With a few years' experience at the art and a list of established contacts, 'coders' produce ready-to-use tools (i.e. Trojans, mailers, custom bots) or services (such as making a binary code undetectable to AV engines) to the cybercrime labour force - the 'kids'. Coders can make a few hundred dollars for every criminal activity they engage in.

Kids - so-called because of their tender age: most are under 18. They buy, trade and resell the elementary building blocks of effective cyber-scams such as spam lists, php mailers, proxies, credit card numbers, hacked hosts, scam pages etc. 'Kids' will make less than $100 a month, largely because of the frequency of being 'ripped off' by one another.

Drops - the individuals who convert the 'virtual money' obtained in cybercrime into real cash. Usually located in countries with lax e-crime laws (Bolivia, Indonesia and Malaysia are currently very popular), they represent 'safe' addresses for goods purchased with stolen financial details to be sent, or else 'safe' legitimate bank accounts for money to be transferred into illegally, and paid out of legitimately.

Mobs - professionally operating criminal organisations combining or utilising all of the functions covered by the above. Organised crime makes particularly good use of safe 'drops', as well as recruiting accomplished 'coders' onto their payrolls.

And now for the big picture:

All of the following phishing tools can be acquired very cheaply: a scam letter and scam page in your chosen language, a fresh spam list, a selection of php mailers to spam-out 100,000 mails for six hours, a hacked website for hosting the scam page for a few days, and finally a stolen but valid credit card with which to register a domain name. With all this taken care of, the total costs for sending out 100,000 phishing emails can be as little as $60. This kind of 'phishing trip' will uncover at least 20 bank accounts of varying cash balances, giving a 'market value' of $200 - $2,000 in e-gold if the details were simply sold to another cybercriminal. The worst-case scenario is a 300% return on the investment, but it could be ten times that.

Better returns can be accomplished by using 'drops' to cash the money. The risks are high, though: drops may take as much as 50% of the value of the account as commission, and instances of 'ripping off' or 'grassing up' to the police are not uncommon. Cautious phishers often separate themselves from the physical cashing of their spoils via a series of 'drops' that do not know one another. However, even taking into account the 50% commission, and a 50% 'rip-off' rate, if we assume a single stolen balance of $10,000 - $100,000, then the phisher is still looking at a return of between 40 and 400 times the meagre outlay of his/her phishing trip.

Good foundation for the risk analysis.

Posted by iang at 12:56 PM

November 22, 2006

CFP: 6W on the Economics of Information Security (WEIS 2007)

The Sixth Workshop on the Economics of Information Security (WEIS 2007)

The Heinz School, Carnegie Mellon University Pittsburgh (PA), USA
June 7-8, 2007

http://weis2007.econinfosec.org/

CALL FOR PAPERS

Submissions due: March 1, 2007

How much should we spend on security? What incentives really drive privacy decisions? What are the trade-offs that individuals, firms, and governments face when allocating resources to protect data assets? Are there good ways to distribute risks and align goals when securing information systems?

The 2007 Workshop on the Economics of Information Security builds on the success of the previous five Workshops and invites original research papers on topics related to the economics of information security and the economics of privacy. Security and privacy threats rarely have purely technical causes. Economic, behavioral, and legal factors often contribute as much as technology to the dependability of information and information systems. Until recently, research in security and dependability focused almost exclusively on technical factors, rather than incentives. The application of economic analysis to these problems has now become an exciting and fruitful area of research.

We encourage economists, computer scientists, business school researchers, law scholars, security and privacy specialists, as well as industry experts to submit their research and attend the Workshop. Suggested topics include (but are not limited to) empirical and theoretical economic studies of:


- Optimal security investment
- Software and system dependability
- Privacy, confidentiality, and anonymity
- Vulnerabilities, patching, and disclosure
- DRM and trusted computing
- Trust and reputation systems
- Security models and metrics
- Behavioral security and privacy
- Information systems liability and insurance
- Information threat modeling and risk management
- Phishing and spam


**Important dates**

- Submissions due: March 1, 2007
- Notification of acceptance: April 10, 2007
- Workshop: June 7-8, 2007

For more information visit http://weis2007.econinfosec.org/.

Posted by iang at 09:56 AM

October 18, 2006

Tracking email - the disappearing myth, the #1 threat, versus ultra rare sighting of eavesdropping attack

Shades of OTR -- off-the-record -- a protocol that claims to provide plausible deniability.

A START-UP communications outfit is flogging a web-based email system that destroys the message after it has been read.

VaporStream system from Void Communications, which apparently is not a euphemism for VapourWare, works from an encrypted webpage. A punter visits the site, lists the person they want to talk to and chats away.

The names of the parties, or their messages are not stored anywhere and details can't be cut and pasted. Instead it is held on a temporary memory segment in a VaporStream server. When it is delivered, the server forgets that it ever existed.

The big problem is that these approaches completely fail to understand the real threat models for real people, and arguably make matters worse by creating a false sense of security, and encouraging people to deny the truths that can be proved in other ways.

The non-sexy #1 threat to email is breach of the node, and that threat breaches both of those approaches. Here's a reminder:

Last fall, agents on the FBI's public corruption squad faced a problem: They couldn't read encrypted e-mail seized from State Sen. Vincent J. Fumo's offices.

On Oct. 18, they got a break. Donald Wilson, a state Senate computer technician who had been granted immunity, suddenly remembered something, according to a newly unsealed FBI affidavit. He still had two portable data cards - with all the passwords to open the e-mail.

Wilson's lawyer called authorities and turned over the passwords. The feds were in.

With that breakthrough, the affidavit said, agents were able to read more Fumo office e-mails talking about destroying records and fretting about the FBI - a trail that helped lead to obstruction-of-justice charges against two other Fumo computer technicians, Leonard Luchko and Mark Eister.
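To make the two points above concrete, here is an added example (not code from the post, from OTR, or from any of the products mentioned) of a toy OTR-style message channel. It shows what "plausible deniability" actually buys, namely that a MAC tag, unlike a signature, can be produced by either party and so proves nothing about who wrote a message, and it shows that this buys nothing once an endpoint that kept its records and keys is seized, as in the Fumo case. The stream cipher is an HMAC-SHA256 counter construction chosen so the block runs on the Python standard library alone; the shared secret is a constructed placeholder, and real OTR uses different primitives and a Diffie-Hellman key schedule.

```python
"""Toy OTR-style channel: MAC-based deniability versus endpoint seizure.
Added example; primitives and key schedule are stand-ins, not OTR's own."""
import hashlib
import hmac
from typing import List, Optional, Tuple


def derive_keys(shared_secret: bytes) -> Tuple[bytes, bytes]:
    """Split one shared secret into separate encryption and MAC keys."""
    enc_key = hashlib.sha256(b"enc|" + shared_secret).digest()
    mac_key = hashlib.sha256(b"mac|" + shared_secret).digest()
    return enc_key, mac_key


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy PRF-based stream cipher: block i = HMAC(key, nonce || i)."""
    out = b""
    counter = 0
    while len(out) < length:
        block_input = nonce + counter.to_bytes(4, "big")
        out += hmac.new(enc_key, block_input, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(enc_key: bytes, mac_key: bytes, nonce: bytes,
         plaintext: bytes) -> Tuple[bytes, bytes]:
    """Encrypt-then-MAC; the tag covers the nonce and the ciphertext."""
    ks = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return ciphertext, tag


def open_message(enc_key: bytes, mac_key: bytes, nonce: bytes,
                 ciphertext: bytes, tag: bytes) -> Optional[bytes]:
    """Verify the tag in constant time, then decrypt; None if tampered."""
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    ks = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, ks))


def forge_tag(mac_key: bytes, nonce: bytes, ciphertext: bytes) -> bytes:
    """Deniability: anyone holding mac_key (the recipient during the session,
    and everyone once a protocol like OTR publishes old MAC keys) produces
    exactly the tag the sender did, so a tag is not evidence of authorship."""
    return hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()


def read_seized_store(shared_secret: bytes,
                      stored: List[Tuple[bytes, bytes, bytes]]) -> List[bytes]:
    """Node breach: if an endpoint kept its records and the key material (or
    the password guarding it) is handed over, every message is readable no
    matter what the wire protocol promised. Records failing the MAC are
    skipped rather than trusted."""
    enc_key, mac_key = derive_keys(shared_secret)
    recovered = []
    for nonce, ciphertext, tag in stored:
        pt = open_message(enc_key, mac_key, nonce, ciphertext, tag)
        if pt is not None:
            recovered.append(pt)
    return recovered


# Constructed sample session; the secret stands in for a real DH output.
SHARED_SECRET = b"constructed-placeholder-secret"
ENC_KEY, MAC_KEY = derive_keys(SHARED_SECRET)
NONCE = b"\x00" * 8
MESSAGE = b"meeting moved to 3pm, delete this"


def demo() -> dict:
    """Run the four checks and return their outcomes."""
    ciphertext, tag = seal(ENC_KEY, MAC_KEY, NONCE, MESSAGE)
    flipped = ciphertext[:-1] + bytes([ciphertext[-1] ^ 1])
    return {
        "roundtrip": open_message(ENC_KEY, MAC_KEY, NONCE, ciphertext, tag) == MESSAGE,
        "tamper_detected": open_message(ENC_KEY, MAC_KEY, NONCE, flipped, tag) is None,
        "recipient_forgery_matches": forge_tag(MAC_KEY, NONCE, ciphertext) == tag,
        "breach_reveals": read_seized_store(SHARED_SECRET, [(NONCE, ciphertext, tag)]) == [MESSAGE],
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The two results to read together are `recipient_forgery_matches` and `breach_reveals`: the first is the whole of what deniability delivers (a transcript cannot be cryptographically pinned on one party), and the second is the threat the post calls #1, where the content itself is exposed because the node, not the wire, was the weak point.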

An actual eavesdropping attack on "aircraft email" spotted by Steve Bellovin:

... ACARS is like an automated email system used by aircraft and ground control. An ACARS-enabled plane will transmit all kinds of information about what the plane is doing: where it is and where it's going, how much fuel it has, what the weather is like, and so on. These automated "emails" between aircraft and their ground controllers are encoded into radio signals clustered around the 131 megahertz and 136 megahertz frequencies.

A good scanner can receive these radio signals. To the ear, the transmissions sound like noise, but when filtered through a computer equipped with a software-based decoder the information contained in the airplanes' messages becomes comprehensible. Like notebooks filled with tail numbers and landing times, ACARS monitoring produces an endless stream of ridiculously detailed information, which ACARS enthusiasts from around the world dutifully post online.

The "open source" attack (cf. John Robb) on the CIA's illegal renditions -- known as the torture taxi -- makes for fascinating reading. How relevant is such a threat model to general FC? In the past I would have said not relevant due to the context, but the recent open source work on the AOL privacy breach makes me think it is a valid threat, and the article is therefore valid case material.

It is curious to see how they would solve the ACARS problem. The only way that I can see is to use open source techniques of opportunistic cryptography, something that obviously has been fought against by the CIA and others. So the eavesdropping attack on plane traffic can be considered to be yet another example of how the USG's policy of low Internet security bites back. Chalk up another "Own Goal" like the Israeli "Defence" Force (IDF) results of last month (1, 2).