The 9 Laws of Phishing (Part 3)

Copyright © What The Hell? Security

[ Part 1 | Part 2 | Part 3 ]

(continued)

The 9 Laws tell us quite a bit about designing a viable platform solution.  Let’s step through them again, sketching as we go.

Law 1:  Phishing Is About Commerce

Web 1.0 was all about commerce.  Only we got it all wrong.  Which explains why startups with names like iDiggMyTwitteringFaceTuber.com don’t require revenue models to get showered with venture bucks. Anyway, having gotten it all wrong, and the Web having moved on in the meantime, our platform can layer pro-commerce functionality on top of legacy Web fabric.

Did you catch that?  Pro-commerce functionality.  Not anti-phishing.  Pro-commerce.  There’s a difference. Remember that.

Law 2:  Phishing Education is Irrational

Irrational, but inevitable.  The unphished masses have to be taught something.  So it might as well be something rational.  Our platform can require users to learn, say, one thing, in under one minute, applicable across all Web apps.

Law 3:  Phishers Win By Playing Our Game, On Our Field, Using Our Players, Following Our Rules

Our platform can flip the inherent advantage in our favor. Y’know, make the bad guys work hard for a change.

Law 4:  Phishing Is Not Caused By Broken Technology

If it ain’t broke, don’t fix it.  Our platform can be backward compatible with all legacy Web technology.  For all time.

Law 5:  Phishing Blacklists Are Not Blacklists

Nor are they whitelists. Nor whitelists for commerce. Nor certified whitelists for commerce. Something more than that. Our platform can provide a certified whitelist for commerce, where each entry:

  1. has an owner that has been vetted for legitimacy
  2. is managed by that owner, and can therefore be presumed as up-to-date and accurate
  3. has commerce-related attributes, such as “is a form for entering credit cards”

Law 6:  SSL Certificate Authorities Increase Phishers’ ROI And Reduce Merchants’

Note this law reads “SSL Certificate Authorities.”  Not “Certificate Authorities.” Our platform can accommodate Certificate Authorities of a better kind.  How else are we going to vet those legitimate owners mentioned in Law 5?

Law 7: It’s the Click, Stupid

Of course it’s the clicks. You click on a deceptive link to get on a phishing site. You click on a submit button in a deceptive form to send your confidential waist size to a fake doctor. You fix the clicks, you fix phishing.

From a security perspective, a click can be considered to have three stages. The first two below have already been fixed (for some values of fixed anyway).  Our platform can address the third, which as it turns out is actually the easiest of the three to fix.

  1. On-Click - security pertaining to what happens when you click. JavaScript onclick() and whatnot
  2. Post-Click - security pertaining to what happens after you click, e.g. blocklists
  3. Pre-Click - security pertaining to what would happen should you click

Basically, our platform can tell the user, “Here’s what to expect if you decide to click.”

Law 8:  Documents Matter, Sites Do Not

Deciding to trust a document published by VeriSign is a really dumb idea.  If the document is a mashup containing content from untrusted sources, I mean.

Our platform can solve this by publishing attributes for the document that explain a document contains content from such-and-such untrusted sources.  Plus any other descriptive attributes that seem relevant.
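Laws 5, 7 and 8 together sketch a registry and two lookups: a certified whitelist whose entries carry a vetted owner and commerce attributes, a pre-click report that says what to expect before the user clicks, and document-level attributes that name any untrusted content sources. The following Python sketch is an added example of those three pieces, not code from this blog or from any product it mentions; the registry contents, the hosts shop.example and bank.example, the “Better-CA” vetting authority and all function names are assumptions made for the example.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class WhitelistEntry:
    """One certified-whitelist entry (Law 5): a vetted owner, the authority
    that vetted it, and commerce-related attributes the owner maintains."""
    host: str
    owner: str
    vetted_by: str
    attributes: frozenset


# Constructed sample registry. Hosts, owners and the vetting authority are
# placeholders for the example, not real vetted parties.
REGISTRY = {
    "shop.example": WhitelistEntry(
        "shop.example", "Example Shop Ltd", "Better-CA (hypothetical)",
        frozenset({"is a form for entering credit cards"})),
    "bank.example": WhitelistEntry(
        "bank.example", "Example Bank", "Better-CA (hypothetical)",
        frozenset({"is a login form"})),
}


def scheme_and_host(url):
    """Return (scheme, hostname) as a browser would resolve them.
    urlsplit().hostname discards any user-info prefix, so a link whose text
    begins with a vetted name but whose real host is elsewhere is reported
    under the host that would actually be contacted."""
    parts = urlsplit(url)
    return parts.scheme.lower(), (parts.hostname or "").lower()


def pre_click_report(url, registry=REGISTRY):
    """Law 7, pre-click: say what to expect before the user decides to click.
    A link counts as 'vetted' only if it is https and its host is registered."""
    scheme, host = scheme_and_host(url)
    entry = registry.get(host)
    if entry is None or scheme != "https":
        return {
            "status": "unknown", "host": host, "owner": None, "vetted_by": None,
            "attributes": [],
            "message": f"No vetted owner for {host or url!r}; treat as untrusted.",
        }
    return {
        "status": "vetted", "host": host, "owner": entry.owner,
        "vetted_by": entry.vetted_by, "attributes": sorted(entry.attributes),
        "message": (f"Goes to {entry.owner} (vetted by {entry.vetted_by}); "
                    + "; ".join(sorted(entry.attributes))),
    }


def document_attributes(document_url, content_sources, registry=REGISTRY):
    """Law 8: describe the document, not the site. The document's own
    whitelist status is reported next to every embedded source that is not
    vetted, so a mashup served from a vetted host is not trusted as a whole."""
    own = pre_click_report(document_url, registry)
    untrusted = sorted({
        scheme_and_host(src)[1] or src
        for src in content_sources
        if pre_click_report(src, registry)["status"] != "vetted"
    })
    attributes = list(own["attributes"])
    if untrusted:
        attributes.append("contains content from untrusted sources: "
                          + ", ".join(untrusted))
    return {"publisher_status": own["status"], "owner": own["owner"],
            "untrusted_sources": untrusted, "attributes": attributes}


if __name__ == "__main__":
    # Constructed links: one vetted, one with a misleading user-info prefix,
    # one that is plain http to a vetted host.
    for link in ["https://shop.example/checkout",
                 "https://shop.example@elsewhere.example/checkout",
                 "http://bank.example/login"]:
        print(link, "->", pre_click_report(link)["message"])
    print(document_attributes("https://shop.example/page",
                              ["https://bank.example/widget.js",
                               "https://ads.untrusted.example/track.js"]))
```

The one design choice worth noting is that the lookup is keyed on the host the browser would really connect to, derived by the URL parser rather than by matching the front of the link text; a registry that matched on prefixes would hand the vetted owner’s name to any link that merely starts with it. Everything the user is told comes from the owner-maintained entry, which is the Law 5 point that the data is presumed current because the vetted owner manages it.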

Law 9:  The Solution Is A Platform

Q.E.D.

(To be continued soon at Part 4 …)


VeriSign Says “What The Hell? Security” Blogger Was Right

MOUNTING VIEW, June 7, 2010 — VeriSign today acknowledged that the real reason it sold its Authentication Services business to Symantec is that it felt remorse over its SSL bribing business model after reading a post at What The Hell? Security.

“Once that What The Hell? Security guy exposed us, we knew our game was finally up.  It forced our hand to choose between the rock of apologizing to truckloads of legitimate merchants for accepting fifteen years worth of SSL bribes from them, and selling our black checkmark for one and a quarter billion dollars,” said a company spokesblogger. “Luckily Symantec was in the market for a non-green checkmark to compete with McAfee’s green one. Let me tell you, that was one cow we milked all the way to the bank. Assuming the link we clicked on to get there wasn’t a phishing link.”

Meanwhile, hordes of merchants signaled their discontent by upping their SSL bribe payments. “I know it sounds counter-intuitive,” said one merchant that pays northward of $275,000 annually in SSL bribes. “But every time I think about VeriSign, I get this inexplicable hankering to protect my customers from the real Web threat: the Certificate Warnings from Hell. I’ll do whatever it takes to accomplish that.”

The What The Hell? Security blogger was unavailable for comment at the time this story hit the wires. Rumor has it that Trend Micro has retained him to talk them out of spending $2 billion to acquire a logo containing a purple checkmark.

Phishing: Full or Responsible Disclosure?

I’m on the horns of a dilemma. I’ve come up with a few phishing use cases not yet witnessed in the wild. Should I exercise full disclosure or responsible disclosure?

That’s a completely nonsensical question of course. Who the hell would I report it to? Onguard Online? Phishtank? APWG?  I don’t think so. What would any of them do with it?  You can’t add an idea to a blocklist.

But it does make me wonder how many such use cases might exist. A dozen? A thousand?

And how are we going to grapple with use cases in volume, when we cannot even grapple with the most basic and boring ones imaginable?

Here is just one of the use cases I’ve dreamt up by the way. Create a PDF document titled How to Stop Phishing Once And For All. Load it up with phishing links. Attach it to a digitally signed email message that says everybody who cares about phishing needs to read it and forward it to all of their friends and colleagues.  Then lease a botnet and spray it out in all directions.

It’ll pass the scrutiny of DKIM. S/MIME. Blocklists. Content analyzers. Literally every anti-phishing technique we’ve yet to come up with.

There you have it: a defenseless use case. And hardly an imaginative one.

Introducing the Official What The Hell? Security Glossary

Do you know that browsers do not implement blacklists?  (Hint: They’re blocklists.)

And that bribing your Certificate Authority is perfectly legal?

Or that you must license the right to render your website’s URLs with a background color of green in browser address bars?

And what the hell exactly are the Certificate Warnings from Hell? And the 9 Laws of Phishing?

Learn about these and more by clicking on “Blog Glossary” in the upper left column.

The 9 Laws of Phishing (Part 2)

[ Part 1 | Part 2 | Part 3 ]

(continued)

Picking up at Law 9 of my 9 Laws of Phishing manifesto:

9. The solution is a platform.

So why a platform?  Because the phishing problem itself spans a number of platforms:  devices, operating systems, and applications to name a few.  And the last thing you want to do is address each platform separately…which is exactly what we’ve been doing.  Badly.

Hell, don’t take my word for it.  Run the numbers yourself. How many kinds of Internet-enabled devices are there in the world?  Right!  And how many flavors of operating systems run on them?  Right again!  And how many of those support at least one flavor of interactive browser, native or otherwise?  You’re on fire!  How many of those use at least one blocklist?  You’re unstoppable!  And how many of those run at least one blocklist in common?  You nailed it again!  And how many of those use the same blocklist API?  BINGO!!!!  Asymptotic zero.

And that’s just one application.  Browsers.  And that’s just one defense.  Blocklists.  Get the picture?

(continued)


Fishing for Red Herring Phishing Solutions

We interrupt The 9 Laws of Phishing to bring you two important questions sponsored by the Incorrectly-Thinks-Email-Is-Broken Coalition, newly joined by eCert.

Question 1: What is the most dangerous sport? Boxing?  Sky diving?  Running with the bulls in Pamplona?

Answer: Whatever you said, you weren’t even close.  It’s fishing.  No kidding.  Fishers experience more per capita deaths than any other sport.  To the tune of a couple hundred a year in the U.S.  The reason why is a bit counter-intuitive.  Here’s a hint though — change the second ‘o’ to an ‘i’ in the following sentence:  Inebriated guys floating on really cold water.  (It’s amazing what effect a fraction of an inch of fiberglass can have on the male lifespan.)

Question 2: What is the most dangerous security sport?  Boxing in your stack pointers?  Sky diving in search of cloud security?  Running with VeriSign bullpucky stuck to your shoes in Pamplona?

Answer: Whatever you said, you weren’t even close.  It’s phishing.  No kidding.  Phishers enjoy more per capita laughs on the way to the bank than any other security sport.  To the tune of a couple hundred…well, that depends on who you ask. The reason why is a bit counter-intuitive.  Here’s a hint though — change no letters in the following sentence: The security industry skating on really thin understanding.  (It’s amazing what effect a fraction of an inch of misdiagnosis can have on the email blaming lifespan.)

And no, I’m not in a bad mood.   It’s just that phishing isn’t about email.  Nor ads.  Nor search.  Nor browsers even.  Phishing Law #1. Of 9. Go read ‘em.

PS: I actually have nothing against eCert or any other security company.  They mean well.  (Except for VeriSign, and that’s mainly because they sell a whole lot of nothing for a whole lot of something.  Ok, and they’re unjustifiably arrogant.)  It’s the groupthink of the security industry at large that I fault.  And that extends far beyond phishing.
