Question on the state of the security industry

geer at world.std.com
Fri Jul 2 11:14:38 EDT 2004


I shared the gist of the question with a leader
of the Anti-Phishing Working Group, Peter Cassidy.

Specifically, I shared this fragment:

> Here's my question - is anyone in the security
> field of any sort of repute being asked about
> phishing, consulted about solutions, contracted
> to build?  Anything?
>
> Or, are security professionals as a body being
> totally ignored in the first major financial
> attack that belongs totally to the Internet?
>
> What I'm thinking of here is Scott's warning of
> last year:
>
>    Subject: Re: Maybe It's Snake Oil All the Way Down
>    At 08:32 PM 5/31/03 -0400, Scott wrote:
>    ...
>    >When I drill down on the many pontifications made by computer
>    >security and cryptography experts all I find is given wisdom.  Maybe
>    >the reason that folks roll their own is because as far as they can see
>    >that's what everyone does.  Roll your own then whip out your dick and
>    >start swinging around just like the experts.
>
> I think we have that situation.  For the first
> time we are facing a real, difficult security
> problem.  And the security experts have shot
> their wad.


------- Part One

I think the reason that, to date, the security community has
been largely silent on phishing is that this sort of attack was
considered a confidence scheme that was only potent against
dim-wits - and we all know how sympathetic the IT
security/cryptography community is to those with less than
powerful intellects. Also, it is true, it was considered a
sub-set of SPAM.

The reliance on broadcast spam as a vehicle for consumer data
recruitment remains but the payload is changing and, I
think, in that advance is room for important contributions by
the IT security/cryptography community. In a classic phishing
scenario, the mark gets a bogus e-mail, believes it and
surrenders his consumer data and then gets a big surprise on his
next bank statement. What is emerging is the use of spam to
spread trojans to plant key-loggers to intercept consumer data
or, in the future, to silently mine it from the consumer's PC.
Some of this malware is surprisingly clever. One of the APWG
committeemen has been watching the development of trojans that
arrive as seemingly random blobs of ASCII that decrypt
themselves with a one-time key embedded in the message - they
all go singing straight past anti-virus.

Since phishing, when successful, can return real money the
approaches will become ever more sophisticated, relying far less
on deception and more on subterfuge.

Peter
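
As an added, constructed illustration (not part of Peter's message or any APWG material) of a check a mail gateway could apply to the self-decrypting ASCII blobs described above: a Shannon-entropy scan that flags long paragraphs whose character distribution is far flatter than English text. The sample bodies, the 200-character minimum and the 5.5 bits/char threshold are assumptions chosen for the example.

```python
import math
import random
import re
import string
from collections import Counter

# Constructed sample: an ordinary English notice, including one paragraph
# long enough to be scanned, so the length filter alone is not what clears it.
NORMAL_BODY = (
    "Dear customer,\n\n"
    "We have updated our online banking terms and conditions. Please take a "
    "moment to review the changes, which describe how statements are delivered, "
    "how disputed transactions are handled, and how to reach us if you notice "
    "activity on your account that you do not recognise. No action is required.\n\n"
    "Regards,\nCustomer Service\n"
)

# Constructed sample: the same notice carrying a run of random printable ASCII
# of the kind a self-decrypting payload would look like when wrapped to 60 columns.
_rng = random.Random(2004)  # fixed seed so the constructed blob is reproducible
_ALPHABET = string.ascii_letters + string.digits + string.punctuation
_blob = "".join(_rng.choice(_ALPHABET) for _ in range(600))
_blob_lines = "\n".join(_blob[i:i + 60] for i in range(0, len(_blob), 60))
BLOB_BODY = (
    "Dear customer,\n\n"
    "Your updated statement is attached below.\n\n"
    + _blob_lines + "\n\n"
    "Regards,\nCustomer Service\n"
)


def shannon_entropy(text: str) -> float:
    """Bits per character of the symbol distribution in `text` (0.0 for empty)."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def suspicious_blocks(body: str, min_len: int = 200, threshold: float = 5.5):
    """Return (entropy, excerpt) for each paragraph that looks like an encoded payload.

    Paragraphs are blank-line separated; whitespace is stripped before measuring so
    that line wrapping does not dilute the entropy of a wrapped blob. English prose
    measures roughly 4 to 4.5 bits/char; random printable ASCII approaches 6.5.
    """
    hits = []
    for para in re.split(r"\n\s*\n", body):
        chars = "".join(para.split())
        if len(chars) < min_len:
            continue
        h = shannon_entropy(chars)
        if h >= threshold:
            hits.append((round(h, 2), chars[:40]))
    return hits
```

The threshold is a heuristic: legitimate base64 attachments and signatures also score high, so in practice the flag would feed a quarantine or sandbox step rather than block outright.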

------- Part Two


You can also tell them that the Anti-Phishing Working Group was
organized in Nov 2003 to investigate, quantify and propose
solutions (drawing from off-the-shelf technologies) to the
phishing threat. It now has 500 members from banks, ISPs,
payment processors, federal law enforcement (US, UK, Canada and
Australia) - some 300 companies and agencies in all. You'd
recognize some of the individuals involved. I am coordinating
the research effort. Among the committee chairs is Phillip
Hallam Baker who is heading up the Solutions Evaluations
subcommittee whose work is being synchronized with the FSTC and
its member banks. Description of the APWG's committee's system
follows:

The Anti-Phishing Working Group (APWG) is an industry
association focused on eliminating the identity theft and fraud
that result from the growing problem of phishing and email
spoofing. The organization provides a forum to discuss phishing
issues, to define the scope of the phishing problem in terms of
hard and soft costs, and to share information and best practices
for eliminating the problem. Where appropriate, the APWG will
also look to share this information with law enforcement.

The research and cross-disciplinary investigations into
phishing, related pre-texting scams and subterfuge schemes to
animate identity thefts and subsequent illicit transactions are
driven by seven sub-committees. Each sub-committee has its own
chairs, writes its own agenda in coordination with the APWG
executive committee and organizes its own research for
presentation to the plenary at meetings and through the APWG
members Web site: https://antiphishing.kavi.com/

Though the lion's share of the APWG is being driven by member
experts and practitioners within the committee system, the APWG
foresees many opportunities for extramural collaborations such
as the Working Group has already initialized with the Financial
Services Technology Consortium (FSTC) and others. As well, where
appropriate, the APWG will be recruiting visiting fellows and
expert practitioners to contribute research if relevant
expertise to complete it cannot be recruited from the ranks of
the APWG membership. To date, the seven standing committees to
have formed are:

- Solution Evaluation and Trial 
- Best Practices 
- Education 
- Future Threat Models and Forensics 
- Phishing Repository, Data Streams and Alerts 
- Sizing and Quantifying the Problem 
- Working with Law Enforcement

Regards,

Peter


------- End of Forwarded Messages

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com