VeriSign Says “What The Hell? Security” Blogger Was Right

Copyright © What The Hell? Security

MOUNTING VIEW, June 7, 2010 — VeriSign today acknowledged that the real reason it sold its Authentication Services business to Symantec is that it felt remorse over its SSL bribing business model after reading a post at What The Hell? Security.

“Once that What The Hell? Security guy exposed us, we knew our game was finally up. It forced our hand to choose between the rock of apologizing to truckloads of legitimate merchants for accepting fifteen years worth of SSL bribes from them, and selling our black checkmark for one and a quarter billion dollars,” said a company spokesblogger. “Luckily Symantec was in the market for a non-green checkmark to compete with McAfee’s green one. Let me tell you, that was one cow we milked all the way to the bank. Assuming the link we clicked on to get there wasn’t a phishing link.”

Meanwhile, hordes of merchants signaled their discontent by upping their SSL bribe payments. “I know it sounds counter-intuitive,” said one merchant that pays northward of $275,000 annually in SSL bribes. “But every time I think about VeriSign, I get this inexplicable hankering to protect my customers from the real Web threat: the Certificate Warnings from Hell. I’ll do whatever it takes to accomplish that.”

The What The Hell? Security blogger was unavailable for comment at the time this story hit the wires. Rumor has it that Trend Micro has retained him to talk them out of spending $2 billion to acquire a logo containing a purple checkmark.

Phishing: Full or Responsible Disclosure?


I’m on the horns of a dilemma. I’ve come up with a few phishing use cases not yet witnessed in the wild. Should I exercise full disclosure or responsible disclosure?

That’s a completely nonsensical question of course. Who the hell would I report it to? Onguard Online? Phishtank? APWG?  I don’t think so. What would any of them do with it?  You can’t add an idea to a blocklist.

But it does make me wonder how many such use cases might exist. A dozen? A thousand?

And how are we going to grapple with use cases in volume, when we cannot even grapple with the most basic and boring ones imaginable?

Here is just one of the use cases I’ve dreamt up by the way. Create a PDF document titled How to Stop Phishing Once And For All. Load it up with phishing links. Attach it to a digitally signed email message that says everybody who cares about phishing needs to read it and forward it to all of their friends and colleagues.  Then lease a botnet and spray it out in all directions.

It’ll pass the scrutiny of DKIM. S/MIME. Blocklists. Content analyzers. Literally every anti-phishing technique we’ve yet to come up with.

There you have it: a defenseless use case. And hardly an imaginative one.


Introducing the Official What The Hell? Security Glossary

Do you know that browsers do not implement blacklists?  (Hint: They’re blocklists.)

And that bribing your Certificate Authority is perfectly legal?

Or that you must license the right to render your website’s URLs with a background color of green in browser address bars?

And what the hell exactly are the Certificate Warnings from Hell? And the 9 Laws of Phishing?

Learn about these and more by clicking on “Blog Glossary” in the upper left column.

The 9 Laws of Phishing (Part 2)


[ Part 1 | Part 2 | Part 3 ]

(continued)

Picking up at Law 9 of my 9 Laws of Phishing manifesto:

9. The solution is a platform.

So why a platform?  Because the phishing problem itself spans a number of platforms:  devices, operating systems, and applications to name a few.  And the last thing you want to do is address each platform separately…which is exactly what we’ve been doing.  Badly.

Hell, don’t take my word for it.  Run the numbers yourself. How many kinds of Internet-enabled devices are there in the world?  Right!  And how many flavors of operating systems run on them?  Right again!  And how many of those support at least one flavor of interactive browser, native or otherwise?  You’re on fire!  How many of those use at least one blocklist?  You’re unstoppable!  And how many of those run at least one blocklist in common?  You nailed it again!  And how many of those use the same blocklist API?  BINGO!!!!  Asymptotic zero.

And that’s just one application.  Browsers.  And that’s just one defense.  Blocklists.  Get the picture?

(continued)

[ Part 1 | Part 2 | Part 3 ]


Fishing for Red Herring Phishing Solutions

We interrupt The 9 Laws of Phishing to bring you two important questions sponsored by the Incorrectly-Thinks-Email-Is-Broken Coalition, newly joined by eCert.

Question 1: What is the most dangerous sport? Boxing?  Sky diving?  Running with the bulls in Pamplona?

Answer: Whatever you said, you weren’t even close.  It’s fishing.  No kidding.  Fishers experience more per capita deaths than any other sport.  To the tune of a couple hundred a year in the U.S.  The reason why is a bit counter-intuitive.  Here’s a hint though — change the second ‘o’ to an ‘i’ in the following sentence:  Inebriated guys floating on really cold water.  (It’s amazing what effect a fraction of an inch of fiberglass can have on the male lifespan.)

Question 2: What is the most dangerous security sport?  Boxing in your stack pointers?  Sky diving in search of cloud security?  Running with VeriSign bullpucky stuck to your shoes in Pamplona?

Answer: Whatever you said, you weren’t even close.  It’s phishing.  No kidding.  Phishers enjoy more per capita laughs on the way to the bank than any other security sport.  To the tune of a couple hundred…well, that depends on who you ask. The reason why is a bit counter-intuitive.  Here’s a hint though — change no letters in the following sentence: The security industry skating on really thin understanding.  (It’s amazing what effect a fraction of an inch of misdiagnosis can have on the email blaming lifespan.)

And no, I’m not in a bad mood.   It’s just that phishing isn’t about email.  Nor ads.  Nor search.  Nor browsers even.  Phishing Law #1. Of 9. Go read ‘em.

PS: I actually have nothing against eCert or any other security company. They mean well. (Except for VeriSign, and that’s mainly because they sell a whole lot of nothing for a whole lot of something. Ok, and they’re unjustifiably arrogant.) It’s the groupthink of the security industry at large that I fault. And that extends far beyond phishing.

The 9 Laws of Phishing


[ Part 1 | Part 2 | Part 3 ]

What the hell is it about phishing that makes it seem so intractable?

First off, let’s talk intractable.  An uncontrollable or incurable problem. Computational complexity theory adds a convenient twist: A problem that can be solved, only not fast enough for the solution to be useful. Like with phishing. With me?

I don’t think so. See, the real issue with an intractable problem isn’t always its intractability.  Sometimes it’s our frame of reference. It’s how we’re thinking about the problem. Like Relativity Al said, when you create a problem with one kind of thinking, it takes a different kind to solve it. With me now?

I still don’t think so, but let’s find out. To do that you need to momentarily dismiss everything you know about anti-phishing. I’ll stipulate that you know everything that can be known about how phishing works, but I need you to pretend you have no preconceptions about how to stop it. Grade your pretending skills by how strongly you want to argue with me before reading this whole piece through a couple of times.

Law 1:  Phishing Is About Commerce

Not visual appearance. Nor ads. Nor search. Nor browsers even. Those things are attack vectors. You can address attack vectors forever without ever getting to the root of the problem.

Take forged email for instance. As phishing attack vectors go, this is the most despicable. Only not for the reason you think. It’s despicable because it is a red herring attack vector. It’s the Mother of All Security Red Herrings, in fact. Why? Because what we call forgery is so integral to our 40-year-old email system that it would cease to function without it. Did you get that? Every legitimate email message you have ever sent or received via the Internet had to be forged — using the exact same technique that phishers use — in order to get delivered.

There is only one prime mover of phishing, and it is commerce. In the mid-1990s, we began introducing commerce into pre-existing systems like email and the Web, when they had no accommodation for commerce. And guess what? They still don’t. Not a shred. And before you say SSL, keep reading.
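As an added illustration of the point about “forgery” being built into ordinary mail delivery (example code written for this edit, not from the blog), here are three constructed messages: the SMTP envelope sender, which the receiving server records as Return-Path, is set independently of the From: header, so a mismatch between the two shows up on perfectly legitimate mailing-list traffic as well as on a phish. All addresses and domains are made up.

```python
"""Constructed messages (not real mail) showing that the SMTP envelope
sender (recorded by the receiving MTA as Return-Path) and the From:
header are independent, and that a mismatch is normal for legitimate
mail too (mailing lists, forwarders), not only for phishing."""
from email import message_from_string
from email.utils import parseaddr

DIRECT_MSG = """Return-Path: <alice@example.com>
From: Alice <alice@example.com>
To: bob@example.net
Subject: lunch

See you at noon.
"""

# A mailing-list relay: the list rewrites the envelope sender so bounces
# come back to it, while the From: header still names the original author.
LIST_MSG = """Return-Path: <listname-bounces@lists.example.org>
From: Alice <alice@example.com>
To: listname@lists.example.org
Subject: [listname] lunch

See you at noon.
"""

# A phishing message: the From: header impersonates a bank, while the
# envelope sender is whatever the bulk mailer used.
PHISH_MSG = """Return-Path: <bounce@bulk.example.net>
From: Example Bank <alerts@bank.example>
To: victim@example.net
Subject: Verify your account

Click here.
"""

def sender_identities(raw):
    """Return (envelope_sender, header_from) addresses for a raw message."""
    msg = message_from_string(raw)
    return (parseaddr(msg.get("Return-Path", ""))[1],
            parseaddr(msg.get("From", ""))[1])

def domain(addr):
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""

def envelope_matches_from(raw):
    """True when envelope sender and From: header share a domain."""
    env, frm = sender_identities(raw)
    return bool(env) and domain(env) == domain(frm)
```

The list message and the phish both fail the same check, which is why envelope/header agreement alone cannot be the thing that separates them.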

Law 2:  Phishing Education Is Irrational

So we’re trying to teach half the human population to not do the one thing that comes naturally on the Web — click on an interesting link — and to do a bunch of things that come unnaturally — like interpreting Unicode URLs and ignoring clearance sales. On something like a $1 budget. C’mon.

Law 3:  Phishers Win By Playing Our Game, On Our Field, Using Our Players, Following Our Rules

Our game: campaigns. Our field: hypermedia. Our players: hijacked CPUs, storage, bandwidth. Our rules:  phishers are always on offense.  We’re always on defense, and score only when they fumble.

This doesn’t mean phishers are less guilty of their crimes.  But we’re guilty too — of being a little disingenuous.

Law 4:  Phishing Is Not Caused By Broken Technology

If you don’t believe me, go read the RFCs.  It’s all working as designed.

And dammit, quit blaming Tim and Vint for the sorry state of security.  It’s a gross injustice.  We should in fact be thanking them for building insecure systems, because adding security to systems that have no foreseeable need for it is a lousy idea.  (Note I said foreseeable, not immediate, which is another story entirely.) They set out to solve very pressing problems at hand, which they did, which is why their stuff got so widely adopted. It’s not their fault that we threw the monkey wrench of commerce into the gears of their systems years after the fact. Blaming them for bad security is like blaming Karl Benz for inventing cars that make for poor submarines.

Law 5:  Phishing Blacklists Are Not Blacklists

They are, pure and simple, blocklists. Not blacklists. See the important difference?!?

Law 6:  SSL Certificate Authorities Increase Phishers’ ROI And Reduce Merchants’

SSL was introduced in 1995 to solve two problems:  1) help consumers identify legitimate sites, and 2) encrypt the channel between browser and webserver to protect sensitive information.

The latter is free. The former works so poorly that it actually helps phishers at the expense of merchants. The only reason merchants pay for certs (other than out of check-writing habit) is to prevent people’s browsers from ralphing error messages that Rivest, Shamir and Adleman can barely understand.

SSL didn’t always have this problem.  CAs like VeriSign started out with good certificate issuance practices.  Later, upon realizing that the market for legitimate certs was bounded on the smallish side, they unbounded it by issuing certs to anybody having the means (fraudulent or not) to pay for them.

Law 7:  It’s The Clicks, Stupid

If you learn one thing today, let it be this.

You can’t control content produced by other people. In many cases you can’t even anticipate its delivery to you. But you control what you do with it.

You control whether or not you click on a link. You control whether or not you click on a form’s control to populate it. You control whether or not you click on a form’s submit button. Get it?

And don’t think for a minute that I mean the clicks that SiteAdvisor invites with its army of green checkmarks. Look closely and you’ll see that it’s a blocklist wearing a clever (and rarely washed) blacklist disguise.

Law 8:  Documents Matter, Sites Do Not

A site owner is a site owner. A content publisher is a content publisher. A content author is a content author. A third-party content developer (like those building on Facebook’s platform) is a third-party content developer.

None of these need to be the same, and increasingly with time, they are not. Imagine you’re examining a source page that contains a link to a destination page. The destination contains content from a dozen sources. Just because you know who the destination site owner is, does that really make it safe to click on the link?  (Hint: No.)

The whole notion of a site will slowly erode, for no reason other than hypermedia does not require it. Hypertext did just fine without it for 30 years.

Law 9:  The Solution Is A Platform

(continued)

[ Part 1 | Part 2 | Part 3 ]


GOTO Website Considered Harmful


You wanna know the biggest problem with the Web?

Browsers.

I actually don’t mean the fact that every browser I’ve encountered is a steaming pile. But now that I’ve brought it up, let’s talk about that too.

Sure, some browsers steam less than others. But be honest. Browsers have been around since 1991. That’s 19 years, folks. Let’s check out the brag sheet from the latest rev of Firefox (3.6):

Amazing New Feature! Translation
Change Firefox’s appearance with a single click! Click your way through thousands of themes to find the one you like.
Protection from out-of-date plug-ins! if (version = compatible) then behave(as_expected);
Full screen native video! All new levels of pixelization.
Scripts can run asynchronously! Render 3K of your 10M page at an indeterministic point in time.
Improved Javascript performance! But still a lot slower than NOSCRIPT. You are running NOSCRIPT, right?
Improved startup time! More spin time for the idle process while you wait for your homepage to load.
Improved responsiveness! Queues keyboard and mouse events.

C’mon.  I wrote loads of Internet client-server apps in the late 1980s.  Production ones, used by tens of thousands of people every day.  These are the kinds of improvements I would brag about on alt.misc while listening to Hall & Oates.

But like I said, that’s not the point I actually wanted to make. The bigger problem with browsers is that they have to exist at all. I don’t know about you, but I sure as hell don’t want to GOTO Amazon.com to buy a book. I want the book to show up on my Kindle. I sure as hell don’t want to GOTO all 142 job sites to post my resume. I want my resume to end up on them. I sure as hell don’t want to GOTO my bank’s site to transfer money from checking to savings. I want my money to get moved from checking to savings.

GOTO website is an artifact of the procedural web, just like the GOTO statement was an artifact of procedural programming.  The latter went away.  So should the former.
