Security by asking the drunk whether he's drunk

Adam Shostack adam at
Sun Dec 21 16:51:16 EST 2008

[Moderator's note: top posting and failing to trim what you're
replying to are both considered bad form... --Perry]


Do you have evidence of either Authenticode or business impersonation?
I agree that they're highly plausible, but you say " if the putative
owner of an AuthentiCode certificate used to sign a piece of malware
is ever tracked down then it's invariably some innocent victim
somewhere..." which would indicate that there are several of these
reported on.  (Using 'reporting' in its English, not academic sense.)

Ditto with the business impersonation.  I'd like stories, I'd be
estatic with a frequency analysis that I could show to people.

Out of my own curiosity only, not speaking for my employer or yours.

On Mon, Dec 22, 2008 at 01:18:31AM +1300, Peter Gutmann wrote:
| In recently had an opportunity to talk to someone who had had a family member
| become a victim of identity fraud, not in the usual manner to target them
| directly but as a springboard to target others by registering a phishing site
| in their name.  Variations on this theme include using stolen identities to
| buy code-signing certificates for malware and a variety of other end-runs
| around identity-based accountability mechanisms.  The problem here is the fact
| that the market is so awash with stolen identities that vendors have to sell
| them in bulk lots just to turn a profit.  In other words a system designed to
| defeat the problem of identity theft relies on the flawless functioning of a
| global identity-based accountability infrastructure in order to work, a
| classic catch22-situation.  If it's possible to buy stolen identities with
| almost arbitrary amounts of accompanying verification data to authenticate
| them for purposes of financial fraud:
|   We sell all you need to hack, shop & cashout.
|   CardTipe / * CC Name / * CC Number / * CC Expiry / * CVV2 / * CC PIN
|   First & Last Names / * Address & City / * State & Zip/Postal code / *
|   Country (US) / * Phone #
|   MMN [Mother's maiden name] / * SSN [Social security number] / * DOB
|     [Date of birth]
|   Bank Acc No / * Bank Routine [Routing] No
|   On our forum you can buy:
|   Active eBay accounts with as many positive feedbacks as you need
|   Active and wealthy PayPal accounts
|   PINs for prepaided AT&T and Sprint phone cards
|   Carded Western Union accounts for safe and quick money transfers
|   Carded UPS and FedEx accounts for quick and free worldwide shipping of
|     your stuff
|   Full info including Social Security Info, Driver Licence #, Mother'
|     Maiden Name and much more
|   Come and register today and get a bonus by your choice:
|   One Citybank account with online access with 3k on board, or 5
|     COB' cards with 5k credit line
|     10 eBay active eBay accounts with 100+ positive feedbacks
|     25 Credit Cards with PINs for online carding
| then it's just as easy to turn those identities towards facilitating further
| identity fraud, and indeed it's become pretty much standard practice to
| register fraudulent domains and buy fraudulent X.509 certificates with stolen
| credentials paid for with stolen financial information.  As a result, if the
| putative owner of an AuthentiCode certificate used to sign a piece of malware
| is ever tracked down then it's invariably some innocent victim somewhere,
| possibly someone who doesn't even use a computer.  Even the argument that at
| least the signed malware allows for the use of CRLs to disable it falls flat
| when you consider the difference in speed between having the malware
| identified and blocked by anti-virus software and the ponderous delays of the
| CRL issue process, assuming that the end-user software even checks them.
| Another online fraud technique that's seen use in some countries, although
| it's not widespread because it's still much easier to do the same thing via
| less labour-intensive means, is to use stolen credentials to establish an
| online presence for an existing business with a good credit history, use it
| for whatever fraud you want to perpetrate, and then vanish before anyone's the
| wiser, for example before the end of the monthly billing cycle when the real
| business either gets sent paperwork that it isn't expecting or doesn't get
| sent paperwork that it is.  Since this is borrowing the identity of a bona
| fide business rather than an individual, there's almost no way to catch such
| problems because any (rational) amount of checking will simply confirm that
| it's a long-established legitimate business.  This type of fraud could
| probably even defeat the verification used for EV certificates (at least as
| set out in the guidelines published by some CAs), although at the moment it's
| entirely unnecessary since it's possible to achieve the same ends through far
| less laborious means.
| This is a classic case of asking the drunk whether he's drunk - a system
| rampant with identity fraud is expected to function as the basis for an
| identity-based accountability mechanism.  Or to put it another way, on the
| remote chance that someone does finally figure out what it'll take to make PKI
| work, it still won't actually work.
| Peter.
| ---------------------------------------------------------------------
| The Cryptography Mailing List
| Unsubscribe by sending "unsubscribe cryptography" to majordomo at

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at

More information about the cryptography mailing list