Using crypto against Phishing, Spoofing and Spamming...

Perry E. Metzger perry at piermont.com
Wed Jul 21 12:10:08 EDT 2004


I'm perhaps a bit overly blunt in this message. I apologize for that,
but I don't really know how to be more subtle and still get across my
message.

Ian Grigg <iang at systemics.com> writes:
> Steven M. Bellovin wrote:
>>>But, there is precious little to suggest that
>>>credit cards would be sniffed - I've heard one
>>>isolated and unconfirmable case.  And, there is
>>>similar levels of MITM evidence - anecdotes and
>>>some experiences in other fields, as reported
>>>here on this list.
>>>
>> I think that Eric is 100% correct here: it doesn't happen because
>> it's a low-probability attack, because most sites do use SSL.
>
> The trick is to show cause and effect.  We know the
> effect and we know the cause(s).  The question is, how
> are they related?  The reason it is important is that
> we may misapply one cause if the effect results from
> some other cause.

That sounds like incomprehensible gobbledygook to me.

What we have here is a very practical question -- what does bitter
experience teach us about building systems that aren't secure against
eavesdropping. My own experiences say stay away from authenticators in
the clear -- I've had customers badly mangled by doing that sort of
thing. The experience of others is pretty much identical: virtually
every deployed system that has used authenticators in the clear, from
the old NAMPS analog mobile phones to telnet on the wire and others,
has been badly attacked.

The experience says that when you make eavesdropping an easy attack
people will eavesdrop. You take away the eavesdropping mechanism and
the attack goes away.

Sure, we could be foolish optimists and build new infrastructures that
allow eavesdropping, ignoring all the lessons of history, but then
what happens when we find ourselves faced with multi-billion dollar
retrofit jobs to try to stop the problem after the fact, if the
retrofit can be done at all?

You don't add SSL and such to a system long after the fact -- it is
too late to get adoption at that point. Thank goodness we have decent
protocols now to prevent eavesdropping. The attacks we see today would
be far, far worse without them.

> Question - are we facing a situation today whereby it is
> easy to eavesdrop from the backbone of a major ISP and
> capture a lot of traffic?

Yes. If I wanted to do it, I probably could, which means that bad guys
who want to do it can do it far better than I can. No, I won't say how
I would do it on this list.

> As far as I can see, that's not likely to happen, but it could happen.

I don't agree. I see it as certain to happen if money can be made
doing it. I don't buy the "who would figure out how to do it?" crap,
because we've seen tremendous ingenuity on the part of the bad
guys. Everyone always thinks that attacks won't happen if they
involve effort and ingenuity on the part of the bad guys, and then the
bad guys show effort and ingenuity and everyone is shocked. Well, it
turns out that bad guys are often less lazy than you are.

> (Hackers had no liability in those days.  Criminals do
> have liability, and are more concerned to cover their
> tracks.  This makes active attacks less useful to them.
> Criminals are getting braver though.)

I think that phishing and such are pretty straightforwardly "active
attacks". If running networks of tens of thousands of zombies isn't
"active", what is? People commit crimes every day to send out porn
spam that would land them in jail for the rest of their lives if
someone actually prosecuted them. There are, however, few to no
prosecutions.

> Thirdly, why aren't we seeing more reports of this on
> 802.11b networks?

Because people aren't aware of it happening to them, and because the
payoff on sniffing all the data going by in a 100m radius isn't as
interesting as the payoff in sniffing all the data going by a big pipe
in the middle of the net, and because the payoff in sniffing is pretty
low in general right now. Sure, I could listen in on my neighbors in
my building, but what would I learn? I'd need to deploy thousands of
sniffer boxes all over my city to get a decent traffic volume. It is
far more economical just to tap the cable provider's IP link, except
that right now I won't get many credit card numbers or other valuable
information by doing that.

> The point of all this is that we need to establish how
> frequent and risky these things are.

No, we don't. Ask the mobile phone people if they want to go back to
systems that can be cloned with data gathered by sniffing, for
example. I think they'll tell you pretty clearly that they're not
interested in trying the experiment again.

We're even getting the equivalent of eavesdropping attacks now on ATMs
in which thin readers are placed in front of the real readers and
cameras are set up to try to get the user's PIN. If you can't trust
the physical world, I'll be damned if I recommend to a customer that
they trust a network they have no control over.

I'll be direct. I see no evidence for the position you espouse at all
-- that being that the risk from eavesdropping is "unknown" or
"overstated" or what have you -- and I see plenty of evidence that
you're just plain wrong. Systems that permit eavesdropping will be
attacked and will cost people lots of time and money. We don't need
more of them.

I hope you have no customers who you have advised to ignore the
eavesdropping problem, because they stand a good chance of getting
badly hurt.

Perry

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
