Archives for: May 2007

17/05/07

11:18:51 am, by Igor Drokov, in Security thoughts, Strong authentication

Whilst the industry is still choosing the best user authentication method, the phishers are moving on. Possibly just too bored with how simple it is to do a "normal" phish, or attempting to improve signal-to-noise ratio, they are building the tools that allow them to easily bypass the strong authentication that has not even been rolled out everywhere.

Recent reports indicate an increase in phishing-based trojans and traffic redirectors.

Along with phishing-based keyloggers we are seeing high increases in traffic redirectors. In particular the highest volume is in malicious code which simply modifies your DNS server settings or your hosts file to redirect either some specific DNS lookups or all DNS lookups to a fraudulent DNS server. The fraudulent server replies with “good” answers for most domains, however when they want to direct you to a fraudulent one, they simply modify their name server responses. This is particularly effective because the attackers can redirect any of the users' requests at any time and the end-users have very little indication that this is happening as they could be typing in the address on their own and not following an email or Instant Messaging lure. (APWG, March 2007)
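The APWG quote names two concrete tampering indicators a defender can check for on an endpoint: a hosts file that now mentions domains it has no business mentioning, and resolver settings that point somewhere other than the resolvers the environment actually hands out. The script below is an added example, not code from the original post or from APWG; it parses hosts-file syntax, flags any entry touching a watched domain (distinguishing a redirect to a routable address from a loopback "block"), and diffs the configured resolvers against an expected list. The domain names, resolver addresses and sample hosts file are all constructed for the example.

```python
"""Added example: audit a hosts file and resolver list for the redirection
tricks described in the APWG quote. All sample data is constructed."""
import ipaddress

# Hypothetical: names a legitimate hosts file should never mention at all.
SENSITIVE_DOMAINS = {"bank.example", "www.bank.example", "mail.example"}

# Constructed: the resolvers this environment legitimately uses.
EXPECTED_RESOLVERS = {"192.0.2.53", "192.0.2.54"}


def parse_hosts(text):
    """Return (ip_address, hostname) pairs from hosts-file text.

    '#' comments and blank lines are ignored. A line whose first field is not
    a valid IP address (e.g. a zone-scoped IPv6 literal) is skipped rather
    than aborting the whole audit.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for name in fields[1:]:
            entries.append((ip, name.lower().rstrip(".")))
    return entries


def hosts_overrides(text, sensitive=SENSITIVE_DOMAINS):
    """Return (name, ip, kind) for every watched name the hosts file touches.

    kind is 'redirected' when the name maps to a routable address (the attack
    the APWG quote describes) and 'blocked' when it is pinned to loopback or
    the unspecified address, which silently denies access instead.
    """
    flagged = []
    for ip, name in parse_hosts(text):
        if name not in sensitive:
            continue
        kind = "blocked" if (ip.is_loopback or ip.is_unspecified) else "redirected"
        flagged.append((name, str(ip), kind))
    return flagged


def unexpected_resolvers(configured, expected=EXPECTED_RESOLVERS):
    """Resolver addresses in the live configuration that are not on the expected list."""
    return sorted(set(configured) - set(expected))


def audit(hosts_text, configured_resolvers):
    """Run both checks; 'clean' is True only when nothing was flagged."""
    overrides = hosts_overrides(hosts_text)
    rogue = unexpected_resolvers(configured_resolvers)
    return {
        "hosts_overrides": overrides,
        "unexpected_resolvers": rogue,
        "clean": not overrides and not rogue,
    }


# Constructed sample hosts file: one blocking entry, one multi-name redirect,
# one harmless ad-blocking entry and one malformed line.
SAMPLE_HOSTS = """\
# constructed sample
127.0.0.1   localhost
::1         localhost
127.0.0.1   www.bank.example      # pinned to loopback: blocks, does not redirect
198.51.100.7  bank.example mail.example   # redirected to an external address
0.0.0.0     ads.example
not-an-ip   junk.example
"""

# Constructed: one legitimate resolver plus one the environment never configured.
SAMPLE_RESOLVERS = ["192.0.2.53", "203.0.113.9"]


if __name__ == "__main__":
    report = audit(SAMPLE_HOSTS, SAMPLE_RESOLVERS)
    for name, ip, kind in report["hosts_overrides"]:
        print(f"hosts file: {name} {kind} to {ip}")
    for ip in report["unexpected_resolvers"]:
        print(f"resolver not on expected list: {ip}")
    print("clean" if report["clean"] else "tampering indicators found")
```

In a real deployment the hosts text would be read from the platform's hosts file and the resolver list from the live resolver configuration; the functions take plain text and a list so the same logic can also run over copies collected from many machines. A baseline of expected resolvers is what makes the second check meaningful, since the rogue server the quote describes answers correctly for most names and is invisible to a purely functional test.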

As previously discussed, phishers are already developing and using tools that automate Man-in-the-Middle attacks and they continue to innovate. Richard Clayton and Tyler Moore have produced a paper (An Empirical Analysis of the Current State of Phishing Attack and Defence) based on monitoring "several thousand phishing web sites over a two month period". The paper describes mechanisms employed by phishers to effectively deploy a vast number of phishing websites, including:

A newer architectural innovation dubbed “fast-flux” that used hundreds of different compromised machines per week, extended the website availability to a median of 202 hours.

Both the original paper and their blog summary are well worth reading.

No single method can solve the problem, but a good start is to move away from "protecting these brand new 2007-built apps with a Web 1.0 security model that was invented in 1995", get better at "following the money" and focus on verifying transactions, not just the user.

14/05/07

11:57:48 am, by Elena Punskaya, in Security thoughts, User experience

It was difficult not to agree if you were at the last Infosec in London. As of the afternoon of the 25th April, when a heated debate on the future of the secure network took place, I have become a huge fan and an enthusiastic supporter of the whole securing the data not the network idea. Ever since the senior exec at Accenture, Stuart Okin, asked his famous question: “And how many of you feel that your network is secure?” and got a pathetic one raised hand, I was convinced. It all made perfect sense. No network is 100% secure or can be trusted, transmitted data are always subject to interception and inappropriate use; indeed, we must direct our efforts on securing data, not the transmission channel.

Why then, when the next day an email attachment arrived from my lawyer, securely protected by the password given to me using an Out-of-Band channel (the phone :) ), I got, how can I put it nicely, slightly annoyed. Surely, it must be the fact that I first made a mistake when writing it down (on a Post-it next to the laptop – very secure :) ), and then the alternative communication channel turned out to be not so reliable anymore – the phone was actually engaged for about half an hour. By the time I eventually got through, it was time for the meeting, and then it turned out that I had conveniently misplaced the second Post-it with the newly acquired correct password. In the end, I just saved the password in the name of the file and decided, after all, that there was nothing in the document that warranted such security/inconvenience.

So what is it that stops us, users, from securing our precious data? Do we have nothing to hide anymore and are we ready to share everything with the rest of the world? Why can I talk so convincingly about the number of laptops lost or stolen each day and recommend with enthusiasm various encryption packages available for portable devices to my friends, yet have never once used the one already pre-installed for free on my own machine? Do you really think twice before connecting to an open wireless network when desperate to check your email (if you have not been in touch with the rest of the world for a whole 45 minutes!)? And how about that encrypted email? Did it never really take off on a large scale because using certificates is so cumbersome?

It may well be that the ultimate user-centric and trusted, fully reliable and “a pleasure to use” securing data solution is just round the corner. Until then, we’re just waiting patiently, reluctantly relying on our good old “secure” network, ready to jump at the opportunity the moment it is available. Or it could simply be that human nature is such that nothing is done until it’s too late…

And, finally, would we ever be able to secure the data from the biggest security threat, the “threat within”, the insiders rather than the outsiders?