Interesting People mailing list archives
more on Arizona Republic: New crop of thieves: Pharmers hit Net banking
From: David Farber <dave () farber net>
Date: Tue, 19 Apr 2005 18:39:07 -0400
------ Forwarded Message
From: Brad Templeton <btm () templetons com>
Organization: http://www.templetons.com/brad
Date: Tue, 19 Apr 2005 15:32:20 -0700
To: David Farber <dave () farber net>
Cc: Ip <ip () v2 listbox com>
Subject: Re: [IP] Arizona Republic: New crop of thieves: Pharmers hit Net banking

On Tue, Apr 19, 2005 at 05:59:20PM -0400, David Farber wrote:
The reason: Even experienced Internet users can become victims and not know it.
...
"With pharming, you don't have to do anything stupid to get on the hook," said Tom Leighton, chief scientist of Internet software firm Akamai Technologies Inc. in Cambridge, Mass. "You're just swimming along, and you get caught in the net."
Ok, I couldn't resist the need to be cynical, but the attacks described do require you to do something stupid -- rely on a buggy nameserver running Microsoft Windows which is vulnerable to DNS poisoning, or run executables in an E-mail somebody sends you.
Now the one thing everybody has been caught by is the failure of SSL to be used for anything but "special cases" such as login screens. When SSL/TLS was deployed it was expensive to set up, so almost no web sites decided to just use it as a matter of course for all transactions.
While some, like https://www.eff.org, can use https instead of http in links, most people don't use that, and nobody uses it in a link as I just did above, because you couldn't be 100% sure the user's browser will handle https, and nobody developed a protocol to say, "If the incoming browser can do https (as almost all of them can) use it, otherwise don't" so that the web could have been based on secure links.
And the browsers are at fault for not warning you with, "Strange, last time you visited yourbank.com the connection was secured with a certificate verifying the domain, and this time it isn't."
The federal government's ITAR regulations controlling the export of good crypto hold a lot of blame here. At the time all these protocols were in place, they put a lot of burden on people designing software to use crypto -- we all remember the days of having to have different downloads for in and out of the USA, or special crypto packs to add on to software. Even though we beat the regulations, their legacy is here.
DNS is not very secure, and the vulnerable DNS servers are not even doing the basic anti-poisoning checks which you can do (and which the *nix based servers do, though in much older versions they still had some vulnerabilities.)
People still treat encryption as a special case, and even then the only indicator is the little lock icon on the bottom of the browser which they are not going to check for every time they login at the bank. Encryption should be the default, and "This connection is not authenticated and encrypted" should be the major warning flag.
------ End of Forwarded Message
Archives at: http://www.interesting-people.org/archives/interesting-people/
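Added example, not part of the original message: a JavaScript sketch of the two browser behaviours the message asks for, a per-host memory that flags a previously authenticated site arriving without a verified certificate, and an upgrade of http links to https for hosts known to support it. The class, its method names, the verdict strings and the `certVerified` input are assumptions, and `yourbank.example` in the usage comment is a constructed host.

```javascript
// Per-host memory of connection security (hypothetical names throughout).
class SecurityMemory {
  constructor() {
    this.hosts = new Map(); // hostname -> { secured: boolean }
  }

  // Record one page load and return a verdict for the UI to act on.
  // certVerified is an assumed input: true only when the TLS stack
  // validated a certificate for this hostname.
  observe(rawUrl, certVerified) {
    const url = new URL(rawUrl);
    const host = url.hostname.toLowerCase();
    const securedNow = url.protocol === "https:" && certVerified === true;
    const prev = this.hosts.get(host);

    if (prev && prev.secured && !securedNow) {
      // Keep the stored state: a single unauthenticated load (for example
      // after DNS poisoning) must not erase what we know about the host.
      return "warn-downgrade";
    }
    this.hosts.set(host, { secured: securedNow });
    if (!prev) {
      return securedNow ? "first-visit-secured" : "first-visit-unsecured";
    }
    return securedNow ? "ok-secured" : "ok-unsecured";
  }

  // "If the browser can do https, use it": rewrite an http link to https
  // when this host has been seen with a verified certificate before.
  preferredUrl(rawUrl) {
    const url = new URL(rawUrl);
    const known = this.hosts.get(url.hostname.toLowerCase());
    if (url.protocol === "http:" && known && known.secured) {
      url.protocol = "https:";
    }
    return url.href;
  }
}

// Constructed usage:
//   const memory = new SecurityMemory();
//   memory.observe("https://yourbank.example/login", true);
//   memory.observe("http://yourbank.example/login", false); // "warn-downgrade"
```

The memory only helps from the second visit onward: a first visit that is already redirected has nothing to compare against.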
Current thread:
- more on Arizona Republic: New crop of thieves: Pharmers hit Net banking David Farber (Apr 19)