more on Arizona Republic: New crop of thieves: Pharmers hit Net banking

[David Farber <dave () farber net>]

------ Forwarded Message
From: Brad Templeton <btm () templetons com>
Organization: http://www.templetons.com/brad
Date: Tue, 19 Apr 2005 15:32:20 -0700
To: David Farber <dave () farber net>
Cc: Ip <ip () v2 listbox com>
Subject: Re: [IP] Arizona Republic: New crop of thieves: Pharmers hit Net
banking

On Tue, Apr 19, 2005 at 05:59:20PM -0400, David Farber wrote:
> The reason: Even experienced Internet users can become victims and not know
> it.
...
> "With pharming, you don't have to do anything stupid to get on the hook,"
> said
> Tom Leighton, chief scientist of Internet software firm Akamai Technologies
> Inc. in Cambridge, Mass. "You're just swimming along, and you get caught in
> the
> net."

Ok, I couldn't resist the need to be cynical, but the attacks described
do require you do do something stupid -- rely on a buggy nameserver
running Microsoft Windows which is vulnerable to DNS poisoning, or
run executables in an E-mail somebody sends you.

Now the one thing everybody has been caught by is the failure of SSL
to be used for anything but "special cases" such as login screens.
When SSL/TLS was deployed it was expensive to set up, so almost no web
sites decided to just use it as a matter of course for all transactions.

While some, like https://www.eff.org, can use https instead of http in
links, 
most people don't use that, and nobody uses it in a link as I just did
above, because you couldn't be 100% sure the user's browser will handle
https, and nobody developed a protocol to say, "If the incoming browser can
do https (as almost all of them can) use it, otherwise don't" so that
the web could have been based on secure links.

And the browswers are at fault for not warning you with, "Strange, last
time you visited yourbank.com the connection was secured with a certificate
verifying the domain, and this time it isn't"

The federal government's ITAR regulations controlling the export of good
crypto hold a lot of blame here.  At the time all these protocols were
in place, they put a lot of burden on people designing software to use
crypto -- we all remember the days of having to have different downloads
for in and out of the USA, or special crypto packs to add on to software.

Even though we beat the regulations, their legacy is here.   DNS is not
very secure, and the vulnerable DNS servers are not even doing the basic
anti-poisoning checks which you can do (and which the *nix based servers
do, though in much older versions they still had some vulnerabilities.)

People still treat encryption as a special case, and even then the only
indicator is the little lock icon on the bottom of the browswer which
they are not going to check for every time they login at the bank.
Encryption should be the default, and "This connection is not authenticated
and encrypted" should be the major warning flag.


------ End of Forwarded Message


-------------------------------------
You are subscribed as lists-ip () insecure org
To manage your subscription, go to
  http://v2.listbox.com/member/?listname=ip

Archives at: http://www.interesting-people.org/archives/interesting-people/