Question on the state of the security industry

Ian Grigg iang at systemics.com
Sun Jul 4 03:46:44 EDT 2004


geer at world.std.com wrote:
> I shared the gist of the question with a leader
> of the Anti-Phishing Working Group, Peter Cassidy.

Thanks Dan, and thanks Peter,

...
>>I think we have that situation.  For the first
>>time we are facing a real, difficult security
>>problem.  And the security experts have shot
>>their wad. 
> 
> ------- Part One

(just addressing Part one in this email)

> I think the reason that, to date, the security community has
> been largely silent on phishing is that this sort of attack was
> considered a confidence scheme that was only potent against
> dim-wits - and we all know how sympathetic the IT
> security/cryptography community is to those with less than
> powerful intellects.


OK.  It could well be that the community has an
inbuilt bias against protecting those that aren't
able to protect themselves.  If so, this would be
cognitive dissonance on a community scale:  in this
case, SSL, CAs, browsers are all set up to meet
the goal of "totally secure by default."

Yet, we know there aren't any secure systems, this
is Adi Shamir's 1st law.

http://www.financialcryptography.com/mt/archives/000147.html

Ignoring attacks on dimwits is one way to meet that
goal, comfortably.

But, let's go back to the goal.  Why has it been
set?  Because it's been widely recognised and assumed
that the user is not capable of dealing with their own
security.  In fact, in their lifetime over the last decade,
browsers have migrated from a "ternary security rating"
presented to the user, to wit, the old 40 bit crypto
security, to a "binary security rating," confirming
the basic principle that users don't know and don't
care, and thus the secure browsing model has to do
all the security for the user.  Further, they've been
protected from the infamous half-way house of self-
signed certs, presumably because they are too dim-
witted to recognise when they need less or more
security against the evil and pervasive MITM.

http://www.iang.org/ssl/mallory_wolf.html

Who is thus a dimwit.  And, in order to bring it
together with Adi's 1st law, we ignore attacks
on dimwits (or in more technical terms, we assume
that those attacks are outside the security model).

(A further piece of evidence for this is a recent
policy debate conducted by Frank Hecker of Mozilla,
which confirmed that the default build and root
list for distribution of Mozilla is designed for
users who could not make security choices for
themselves.)

So, I think you're right.


> Also, it is true, it was considered a
> sub-set of SPAM.

And?  If we characterise phishing as a sub-set
of spam, does this mean we simply pass the buck
to anti-spam vendors?  Or is this just another
way of cataloging the problem in a convenient
box so we can ignore it?

(Not that I'm disagreeing with the observation,
just curious as to where it leads...)


> The reliance on broadcast spam as a vehicle for consumer data
> recruitment is remaining but the payload is changing and, I
> think, in that advance is room for important contributions by
> the IT security/cryptography community. In a classic phishing
> scenario, the mark gets a bogus e-mail, believes it and
> surrenders his consumer data and then gets a big surprise on his
> next bank statement. What is emerging is the use of spam to
> spread trojans to plant key-loggers to intercept consumer data
> or, in the future, to silently mine it from the consumer's PC.
> Some of this malware is surprisingly clever. One of the APWG
> committeemen has been watching the development of trojans that
> arrive as seemingly random blobs of ASCII that decrypt
> themselves with a one-time key embedded in the message - they
> all go singing straight past anti-virus.

This is actually much more serious, and I've
noticed that the media has picked up on this,
but the security community remains
characteristically silent.

What is happening now is that we are getting
much more complex attacks - and viruses are
being deployed for commercial theft rather
than spyware - information theft - or ego
proofs.  This feels like the nightmare
scenario, but I suppose it's ok because it
only happens to dimwits?

(On another note, as this is a cryptography
list, I'd encourage Peter and Dan to report
on the nature of the crypto used in the
trojans!)

> Since phishing, when successful, can return real money the
> approaches will become ever more sophisticated, relying far less
> on deception and more on subterfuge.

I agree this is to be expected.  Once a
revenue stream is earnt, we can expect that
money to be invested back into areas that
are fruitful.  So we can expect much more
and more complex and difficult attacks.

I.e., it's only just starting.


> ------- Part Two


iang
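
[Editor's added example, not part of the original post or of any APWG
material.]  The "random blob of ASCII that decrypts itself with a
one-time key embedded in the message" described in the quoted
paragraph is worth seeing in miniature, because it makes clear what
the trick does and does not buy the attacker.  The Python below builds
such a blob from a constructed, benign stand-in payload (a few lines
of text, not malware), using a fresh random key per message so that
two messages carrying the same payload share no byte pattern; a naive
byte-signature match on the payload then fails on the blob and
succeeds only after decoding.  The stub marker name, the key layout
(key followed by ciphertext, base64-encoded) and the payload are all
assumptions made for the illustration.

```python
import base64
import math
import os
from collections import Counter

# Constructed, benign stand-in for the trojan body.  Not real malware.
PAYLOAD = b"print('hello from the payload body')\n" * 4

# The decoder "stub" is the one part that cannot change from message to
# message: whatever knows where the key is and how to undo the encoding.
# The marker name is an assumption for this example.
STUB_MARKER = b"--decode-v1--"


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """One-time-pad style XOR; the key must be at least as long as data."""
    assert len(key) >= len(data)
    return bytes(d ^ k for d, k in zip(data, key))


def build_message(payload: bytes = PAYLOAD) -> bytes:
    """Encrypt payload under a fresh one-time key and ship key + ciphertext
    as a single ASCII blob.  Every call yields a different blob for the
    same payload, which is exactly what defeats static byte signatures."""
    key = os.urandom(len(payload))        # one-time key, embedded in the message
    ct = xor_bytes(payload, key)
    body = base64.b64encode(key + ct)     # the "seemingly random ASCII"
    return STUB_MARKER + b"\n" + body + b"\n"


def decode_message(msg: bytes) -> bytes:
    """What the receiving stub does: split off the embedded key, XOR back."""
    marker, body = msg.split(b"\n", 1)
    assert marker == STUB_MARKER
    raw = base64.b64decode(body.strip())
    half = len(raw) // 2                  # key and ciphertext are equal length
    key, ct = raw[:half], raw[half:]
    return xor_bytes(ct, key)


def signature_hit(obj: bytes, signature: bytes) -> bool:
    """Naive signature AV: a byte-pattern match on the object as received."""
    return signature in obj


def entropy_bits_per_byte(data: bytes) -> float:
    """Shannon entropy of the byte distribution; a cheap 'is this encrypted?'
    heuristic that does not depend on knowing any signature."""
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def demo() -> dict:
    m1, m2 = build_message(), build_message()
    payload_sig = b"hello from the payload"   # a signature written against the plaintext
    raw1 = base64.b64decode(m1.split(b"\n", 1)[1])
    return {
        "blobs_differ": m1 != m2,
        "payload_sig_hits_blob": signature_hit(m1, payload_sig) or signature_hit(m2, payload_sig),
        "payload_sig_hits_decoded": signature_hit(decode_message(m1), payload_sig),
        "stub_sig_hits_both": signature_hit(m1, STUB_MARKER) and signature_hit(m2, STUB_MARKER),
        "raw_entropy": entropy_bits_per_byte(raw1),
        "plain_entropy": entropy_bits_per_byte(PAYLOAD),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Two things the toy makes visible.  First, because the key travels with
the message, the "crypto" hides nothing from anyone who reads the
blob; its only job is to make each copy byte-unique, so a signature
taken from the plaintext never matches the object the scanner sees.
Second, the part that must stay constant (the stub that locates the
key and decodes) is still a signature target, and the near-maximal
entropy of the decoded bytes is itself a tell; detection that keys on
the invariant decoder, on the entropy, or on what the decoded content
does at run time is not defeated by re-keying each message.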

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com


