[Cryptography] phishing attack again - $300m in losses?

ianG iang at iang.org
Sun Feb 15 09:45:08 EST 2015


http://mobile.nytimes.com/2015/02/15/world/bank-hackers-steal-millions-via-malware.html?_r=0

"In many ways, this hack began like any other. The cybercriminals sent 
their victims infected emails — a news clip or message that appeared to 
come from a colleague — as bait. When the bank employees clicked on the 
email, they inadvertently downloaded malicious code. That allowed the 
hackers to crawl across a bank’s network until they found employees who 
administered the cash transfer systems or remotely connected A.T.M.s. "



So, it's phishing, again.  Exotically called spear phishing, but still 
your common or garden phishing attack.



I am fascinated by the industry dynamics that make this attack 
impossible to deal with.  We first saw serious phishing in about 2003, 
and here we are a decade later .. with what progress?

It is clearly the fault of the browser [1].  All the finger pointing -- 
user responsibility for social engineering, mailer, standards -- is just 
that, finger pointing in ways to move the angst away from the mind of 
the owners of the browser projects.  The successful strategy for doing 
nothing has been a mix of "It's not our fault" and "we're working in XYZ 
cartel..."

The industry has cleverly constructed itself in a deadly embrace between 
browsers, standards, liability dumping contracts, IETF working groups, 
CAs, auditors, developers, lawyers who never-admit-nuttin, all of whom 
collectively share the responsibility and all of whom individually 
manage to actually take on none of it.

But they take the fees.

And, it isn't as if we can't calculate the value of the take.  Mozilla 
for example takes something like 85% of its revenues from one source, 
Google, for one purpose, browser advertisement, which serves as a pretty 
good proxy for the value of Firefox to users.  Audit fees are known 
numbers, at least to industry insiders.  CA pricing is known, as is the 
occasional buyout windfall.  Developer salaries are known, and they can 
be counted and summed.



I'm fascinated because this situation should not by all our 
understanding of life, the universe and everything about security last. 
The user is losing money and has been for a decade now, and the 
browser vendors do ... nothing?  Approximately?

How is this deadlock to break?  Will someone actually put real 
authenticating crypto into the URL?  Will someone invent a new identity 
concept that works?  Will the browser vendors be sued for their millions 
in the bank by some group of ... upset banks?  Will the banking 
regulators finally do something that actually sounds like proactive 
security not 'best practices'?  Will someone start asking phishing 
victims which browser they used?  Will someone advertise a hardened 
browser for a price?  Will a government get hacked and decide to 
actually ask why the browser isn't doing the job?  Anti-trust?

I don't have any answers, but as I say, it is fascinating that we're 
looking at an industry structure that has concreted itself into 
user-insecurity.



iang, watching phishing since 2003...

[1] of course, the industry does not agree, but Bill Gates did:
http://financialcryptography.com/mt/archives/000361.html

