[fc-discuss] Financial Cryptography Update: Threatwatch - trojan hijacking, proxy victims, breaching conflicts of legal interest, semi-opaque blue hats

iang@iang.org iang@iang.org
Sat, 18 Mar 2006 13:47:44 +0000 (GMT)

------------------------------------------------------------------------

https://www.financialcryptography.com/mt/archives/000677.html

------------------------------------------------------------------------

Bad news for Microsoft, but (other) browsers may breathe a sigh of small
relief.  It seems that there is a shift from email-based phishing
across to trojan hijacking.  Predictable - as people gradually wake up
to phishing, and as the easy targets are phished out, we can expect the
well-funded attackers to shift to new waters.

http://www.infoworld.com/article/06/03/10/76227_11OPsecadvise_1.html

===============================
LURHQ’s description of an E-gold Trojan was an early foreshadowing of
things to come. E-gold is an e-cash operation, similar to Paypal. Turns
out they’ve been under constant attack from these advanced Trojans for
a few years now. 

The E-gold Trojan waits for the victim to successfully authenticate to
E-gold’s Web site, creates a second hidden browser session, and uses
various spoofing tricks until it drains the victim’s account. Because
the stealing and spoofing is started after the authentication is
completed, no amount of fancy log-on authentication would prevent the
heist. All too telling is LURHQ’s prediction that “other banking
institutions are sure to be attacked in this manner in the future.” 
===============================

In the more mundane and routine phishing waters (thanks, Gordon):

===============================
http://techweb.com/wire/security/181502813

In a smart site redirection, the attacker creates several identical
copies of the spoofed site, each with a different URL, often hosted by
different ISPs. When the phishing e-mails go out, all include a link to
yet another site, a "central redirector." When the potential victim
clicks on the e-mailed link, the redirector checks all the phishing
sites, identifies which are still live, and invisibly redirects the
user to one.
===============================

I see signs of a new trend in reportage of threats to US financial
institutions.  Above, and here:

http://www.pcpro.co.uk/news/84884/industrial-espionage-is-the-new-target-for-hackers.html
===============================
The report cites the W32/Grams Trojan that targets 'e-gold' but doesn't
launch an attack until the authentication process has been monitored and
completed, as e-gold uses a number of security measures, such as limiting
account access to an individual IP address and the use of one-time
passphrases.
===============================

Spot it?  If you can name e-gold then you can get away with
embarrassing someone who can't fight back.  But if it is a regulated
financial institution, it shouldn't be named - if the debit card PIN
debacle in the US is anything to go by.  Nobody quite knows what is
going on there, what happened, and who it happened to.  Other than the
consumers, that is.

Knowing what happened is critical to security.  Only with hard facts as
to the real breach can we understand the risks.  Only with
understanding the risks can we counter them.  If big banks have to be
embarrassed in that process then so be it - the goal is security,
right?

Which means that naming e-gold is a net good - they become a proxy for
the banks' woeful security practices.  "Sucks to be them."  But at
least they got invited into a new coalition of the willing:

http://www.itweek.co.uk/vnunet/news/2152065/credit-card-providers-team
===============================
A group of 18 financial institutions and internet providers have joined
forces with child advocacy groups in the US and Europe in an effort to
eradicate commercial child pornography by 2008.

The internet has allowed child pornography to become a multi-billion
dollar industry, and the newly formed Financial Coalition Against Child
Pornography aims to kill the business model behind the sites by blocking
access to payment services including credit cards.
===============================

http://www.timesonline.co.uk/article/0,,2-2076344,00.html
http://www.timesonline.co.uk/article/0,,2-2080725,00.html
Again, e-gold have been a favourite target of blame for child
pornography, and it is not exactly clear that the mud sticks.  The
reason for putting together a group is possibly explained here:

http://abcnews.go.com/international/csm/story?id=1730002
===============================
One problem for the card companies is that it is illegal for anyone
other than law-enforcement officials to look at child porn. This has
made it difficult to proceed with their own internal controls.

"The great thing about this coalition is that it gives us for the first
time an independent entity to decide the validity of a particular image
- and if it is child porn or not - and gives us actionable information,"
says Joshua Peirez, group executive of global public policy at
MasterCard in Purchase, N.Y.
===============================

How the coalition gets around that illegality question is an open
question - but it certainly points the way towards a nominally
independent body that can govern the question without other conflicts
of interest.  And, conflicts of interest and other disasters are the
rule with such investigations, as reported here:

http://www.emergentchaos.com/archives/2006/03/identity_theft_and_child.html
http://www.cbc.ca/story/world/national/2006/03/14/landslide-porn060314.html
===============================
An international investigation of internet-based child pornography has
led to accusations against innocent victims of credit card fraud, a CBC
News investigation has found.  In other cases, victims of identity
theft found themselves fighting to save their reputations, jobs and
marriages after their names were used to buy child pornography. 
===============================

Just exactly how do you deal with a false accusation so severe that due
process is foregone?  Any security strategies for that?

And finally, to return to Microsoft's bad news.  They seem to have run
something of a coup in security forums:

http://www.computerworld.com/securitytopics/security/story/0,10801,109606,00.html
===============================
MARCH 16, 2006 (IDG NEWS SERVICE) - Microsoft Corp. is going public
with some of the hacking information discussed at its Blue Hat Security
Briefings event. Just days after the end of its third Blue Hat
conference, the software vendor today posted the first blog entries at
a new Web site. Microsoft is also promising to publish more details on
the secretive invitation-only event.

The Web site will include Microsoft staffer's "reflections on BlueHat
3" as well as photos, podcasts and video interviews with some of the
presenters, said Security Program Manager Kymberlee Price in a blog
posting. "We sincerely hope that our BlueHat 3 speakers (and BlueHat 1
& 2 speakers) will post their comments to the site as well and share
their BlueHat experience," she wrote. 
===============================

Which at first blush sounds almost convincing.  So, if it is so open
and touchy-feely, why is it also so secretive?  Routine champions of
open process such as Adam have supported the secrecy agenda (albeit
under a label of privacy), so we are definitely hearing two messages
here, among the many echoes of the past.

https://www.financialcryptography.com/mt/archives/000667.html
https://www.financialcryptography.com/mt/archives/000602.html

The normal reason for secrecy is to control the agenda for one's own
gain, whatever the headline reason is.  In Microsoft's case they
benefit if they can get the information they need and not reveal any
themselves.  Obviously, nobody is quite that naive these days, so some
stuff may have to be revealed.  Especially, what they do reveal should
not reveal their more controversial intentions, so what is not
revealed is likely more interesting than what is.  And, as we saw
with the "high assurance" case, there is a definite advantage in
getting everyone else to respect privacy, as it gives Microsoft
first-announcer privileges.

Aside from that, I think we are still at a net positive.  Microsoft have
failed to get their house in order, and we see more and more signs that
they are trying various ideas to get outside help.  Without admitting
this, that is, but the observation remains that they are the only
organisation that is doing any outreach on security at all, and they
are the only player that is looking at security for security's sake,
albeit highly filtered through other monetary interests.

(I should hasten to add that I doubt this is caused by any new-found
public spirit on their part, it's almost certainly a rational analysis
of the huge and growing risks Microsoft face in the security field.)
