[fc-discuss] Financial Cryptography Update: SSL phishing, Microsoft moves to brand, and nyms

iang@iang.org iang@iang.org
Tue, 14 Feb 2006 12:05:00 +0000 (GMT)

fm points to Brian Krebs who documents an SSL-protected phishing
attack.  The cert was issued by Geotrust, and for spice has a
ChoicePoint unique Identifier in it!

Now here's where it gets really interesting. The phishing site, which
is still up at the time of this writing, is protected by a Secure
Sockets Layer (SSL) encryption certificate issued by a division of the
credit reporting bureau Equifax that is now part of a company called
Geotrust. SSL is a technology designed to ensure that sensitive
information transmitted online cannot be read by a third party who may
have access to the data stream while it is being transmitted. All
legitimate banking sites use them, but it's pretty rare to see them on
fraudulent sites.

(skipping details of certificate manufacturing...)

Once a user is on the site, he can view more information about the
site's security and authenticity by clicking on the padlock located in
the browser's address field. Doing so, I was able to see that the
certificate was issued by Equifax Secure Global eBusiness CA-1.
The certificate also contains a link to a page displaying a
"ChoicePoint Unique Identifier" for more information on the issuee,
which confirms that this certificate was issued to a company called
Mountain America that is based in Salt Lake City (where the real
Mountain America credit union is based.)

The site itself was closed down pretty quickly.  For spice, it also had
a ChoicePoint unique Identifier in it!  Over on SANS - something called
the Internet Storm Center - Handler investigates why malware became a
problem and chooses phishing.  He has the Choicepoint story nailed:

I asked about the ChoicePoint information and whether it was used as
verification and was surprised to learn that ChoicePoint wasn't a
"source" of data for the transaction, but rather was a "recipient" of
data from Equifax/GeoTrust.  According to Equifax/GeoTrust, "as part of
the provisioning process with QuickSSL, your business will be
registered with ChoicePoint, the nation's leading provider of
identification and credential verification services."

LOL... So now we know that the idea is to get everyone to believe in
trusting trust and then sell them oodles of it.  Quietly forgetting
that the service was supposed to be about a little something called
verification, something that can happen when there is no reason to
defend the brand to the public.
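The certificate details above (a CA-issued cert whose subject names the real credit union's name and city while the host is a fraud) suggest the defender-side check a monitoring team would want: flag any observed certificate whose subject organisation matches a protected brand but whose hostname is not one of that brand's own domains. This is an added example, not code from the original post or from any vendor named in it; the brand registry, the domains and every sample record are constructed, and the legitimate domain is a labelled placeholder.

```python
# Added example (not from the original post): flag certificates that claim a
# protected brand's organisation name on a hostname the brand does not own.
# All records below are constructed; only the issuer and subject strings echo
# the post, and the "legitimate" domain is a hypothetical placeholder.
import re
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class CertRecord:
    hostname: str    # host the certificate was observed on (constructed)
    issuer_cn: str   # issuer common name as shown behind the padlock
    subject_o: str   # subject organisation as asserted by the applicant
    subject_l: str   # subject locality as asserted by the applicant

# Hypothetical brand registry: normalised brand name -> domains it really owns.
BRAND_DOMAINS = {
    "mountain america": {"mountainamerica.example"},  # placeholder, not the real domain
}

def normalize_org(name: str) -> str:
    """Lower-case, strip punctuation and common corporate suffixes so that
    'Mountain America Credit Union, Inc.' and 'MOUNTAIN AMERICA' compare equal."""
    name = re.sub(r"[^a-z0-9 ]", " ", name.lower())
    drop = {"inc", "llc", "ltd", "corp", "credit", "union"}
    return " ".join(w for w in name.split() if w not in drop)

def registrable_domain(hostname: str) -> str:
    """Last two labels of the hostname; adequate for the samples here
    (a production check would consult the public suffix list)."""
    return ".".join(hostname.lower().rstrip(".").split(".")[-2:])

def flag_brand_impersonation(rec: CertRecord) -> Optional[str]:
    """Return an alert line if the subject O names a protected brand but the
    hostname is outside that brand's domains; None otherwise."""
    org = normalize_org(rec.subject_o)
    for brand, domains in BRAND_DOMAINS.items():
        if brand in org and registrable_domain(rec.hostname) not in domains:
            return (f"ALERT host={rec.hostname} claims org '{rec.subject_o}' "
                    f"({rec.subject_l}) via issuer '{rec.issuer_cn}' "
                    f"but is not a known {brand} domain")
    return None

# Constructed sample observations: one legitimate, one impersonation, one unrelated.
SAMPLES = [
    CertRecord("www.mountainamerica.example", "Equifax Secure Global eBusiness CA-1",
               "Mountain America Credit Union", "Salt Lake City"),
    CertRecord("mountain-america-login.example-host.net", "Equifax Secure Global eBusiness CA-1",
               "Mountain America", "Salt Lake City"),
    CertRecord("shop.example.net", "Some Other CA", "Example Shop LLC", "Austin"),
]

def run(samples=SAMPLES) -> List[str]:
    """Run the check over a batch of records and return only the alerts."""
    return [a for a in (flag_brand_impersonation(r) for r in samples) if a]
```

The CA's issuer name carries no weight in this check; the point of the post is that issuance proves registration, not that the named organisation is the real one, so the brand's own domain list has to be the source of truth.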

Who would'a thunk it?  In other news, I attended an informal briefing
on Microsoft's internal security agenda recently.  The encouraging news
is that they are moving to put logos on the chrome of the browser,
negotiate with CAs to get the logos into the certificates, and move the
user into the cycle of security.  Basically, Trustbar, into IE.  Making
the brand work.  Solving the MITM in browsers.

There are lots of indicators that Microsoft is thinking about where to
go.  Their marketing department is moving to deflect attention with 10
Immutable Laws of Security:

Law #1: If a bad guy can persuade you to run his program on your computer, it's not your computer
Law #2: If a bad guy can alter the operating system on your computer, it's not your computer anymore
Law #3: If a bad guy has unrestricted physical access to your computer, it's not your computer
Law #4: If you allow a bad guy to upload programs to your website, it's not your website any more
Law #5: Weak passwords trump strong security
Law #6: A computer is only as secure as the administrator is
Law #7: Encrypted data is only as secure as the decryption key
Law #8: An out-of-date virus scanner is only marginally better than no virus scanner at all
Law #9: Absolute anonymity isn't practical, in real life or on the Web
Law #10: Technology is not a panacea

Immutable!  I like that confidence, and so do the attackers.  #9 is
worth reading - as Microsoft are thinking very hard about identity
these days.  Now, on the surface, they may be thinking that if they can
crack this nut about identity then they'll have a wonderful market
ahead.  But under the covers they are moving towards that which #9
conveniently leaves out - the key is the identity is the key, and it's
called pseudonymity, not anonymity.  Rumour has it that Microsoft's
Windows operating system is moving over to a pseudonymous base but
there is little written about it.

There was lots of other good news, too, but it was an informal
briefing, so I informally didn't recall all of it.  Personally, to me,
this means my battle against phishing is drawing to a close - others
far better financed and more powerful are carrying on the charge.
Which is good because there is no shortage of battles in the future.


To close, deliciously, from Brian:

I put a call in to the Geotrust folks. Ironically, a customer service
representative said most of the company's managers are presently
attending a security conference in Northern California put on by RSA
Security, the company that pretty much wrote the book on SSL security
and whose encryption algorithms power the whole process. When I hear
back from Geotrust, I'll update this post.

That's the company that also ditched SSL as a browsing security method,
