[fc-discuss] Financial Cryptography Update: More dots than you or I can understand (Internet Threat Level is Systemic)

iang@iang.org iang@iang.org
Sun, 19 Feb 2006 13:05:55 +0000 (GMT)

 Financial Cryptography Update: More dots than you or I can understand (Internet Threat Level is Systemic) 

                           February 19, 2006




fm points to Gadi Evron who writes an impassioned plea for openness in
security.  Why?  He makes a case that we don't know the half of what
the bad guys are up to.  His message goes something like this:

DDoS -> recursive DNS -> Fast Flux -> C2 Servers -> rendevous in
cryptographic domainname space -> bots -> Phishing

Connecting the dots is a current fad in america, and I really enjoyed
those above.  I just wish I knew what even half of them meant.	Evron's
message is that there are plenty of dots for us all to connect, so many
that the tedium of imminent solution is not an issue.  He attempted to
describe them a bit later with commentary on the recent SSL phishing

Some new disturbing phishing trends from the past year:

POST information in the mail message
That means that the user fills his or her data in the HTML email
message itself, which then sends the information to a legit-looking
site.  The problem with that, is how do you convince an ISP that a real
(compromised) site is indeed a phishing site, if there is no
phishy-looking page there, but rather a script hiding somewhere?

Trojan horses
This is an increasing problem. People get infected with these bots,
zombies or whatever else youíd like to call them and then start sending
out the phishing spam, while alternating the IP address of the phishing
server, which brings us toÖ

Fast Flux is a term coined in the anti spam world to describe such
Trojan horsesí activity.  The DNS RR leading to the phishing server
keeps changing, with a new IP address (or 10) every 10 minutes to a
day.  Trying to keep up and eliminate these sites before they move
again is frustrating and problematic, making the bottle-neck the DNS RR
which needs to be nuked.

We may be able to follow that, but the bigger question is how to cope
with it.  Even if you can follow the description, dealing with all
three of the above is going to stretch any skilled practitioner.  And
that's Evron's point.

What am I trying to say here?

All these activities are related, and therefore better coordination
needs to be done much like we do on the DA and MWP groups,
cross-industry and open-minded. R&D to back up operations is critical,
as whatís good for today may be harmful tomorrow (killing C&Cís as an

The industry needs to get off its high tree and see the light. There
are good people who never heard about BGP but eat Trojans (sounds bad)
for breakfast, and others need to see that just because some donít know
how to read binary code doesnít mean they are not amazingly skilled and
clued with how the network runs.

This is not my research alone. I can only take credit for seeing the
macro image and helping to connect the dots, as well as facilitate
cooperation across our industry. Still, as much as many of this needs
to remain quiet and done in secret-hand-shake clubs, a lot of this
needs to get public and get public attention.

Over-compartmentalizing and over-secrecy hurts us too, not just the US
military. If we deal in secret only with what needs to be dealt in
secret, people may actually keep that secret better, and more resources
can be applied to deal with it.
Some things are handled better when they are public, as obviously the
bad guys already know about them and share them quite regularly. ďLike
candyĒ when it comes to malware samples, as an example.

The Internet threat level is now systemic, and has been since the
arisal of industrialised phishing, IMO.  I've written many times before
about the secrecy of the browser sector in dealing with phishing, and
how the professional cryptographic community washed its hands of the
problem.  Microsoft's legendary castles of policy need no reminder, and
it's not as if Apple, Sun, Symantec, Verisign or any other security
company would ever do any better in measures of openness.

Now someone over the other side of the phishing war is saying that he
sees yet other tribes hiding in their fiefdoms, and I don't even know
which tribes he's referring to.  Gadi Evron concludes:

-opinion-Our fault, us, the people who run these communities and global
efforts, for being over-secretive on issues that should be public and
thus also neglecting the issues that should really remain under some
sort of secrecy, plus preventing you from defending yourself.

Us, for being snobbish dolts and us, for thinking we invented the
wheel, not to mention that we know everything or some of us who try to
keep their spots of power and/or status by keeping new blood out (AV
industry especially, the net-ops community is not alone in the sin of

Itís time to wake up. The Internet is not about to die tomorrow and
there is a lot of good effort from a lot of good people going around.
Amazing even, but it is time to wake up and move, as we are losing the
battle and the eventual war.

Cyber-crime is real crime, only using the net. Cyber-terrorism will be
here one day. If we canít handle what we have on our plate today or
worse, think we are OK, how will we handle it when it is here?

Powered by Movable Type
Version 2.64