As an information security professional, lately I've become quite bored. The state of hacking today seems to be almost solely employed by the spammer-class of miscreants looking to make as much money as quickly as possible. It's big business now. As such, they continue to exploit the same weaknesses, again and again, and simply lack the spirit and ingenuity of previous generations of hackers.
It is in this environment that the latest issue of the underground hacking magazine Phrack has been written after a long hiatus and under a new team of editors. If the document was a disappointment, it is because of the promise it has failed to live up to. As someone who has a notorious attitude problem, a healthy disrespect for authority, and a marked David complex, I have some sympathy for their underground and anti-authority tendencies, though I've not participated in the underground.
That said, the current issue of Phrack looks like it is written more by disgruntled teenagers trying to be nostalgic for a long-past era which they never even participated in. Much like the anti-war protestors, who continue to try to relive their glory days of the 60s, Phrack is an attempt to live the hacking glory days of the 80s and 90s. The problem with both is that those days are gone. "You can never go home again."
Hacking has been commoditized. With spammers running the show whose bottom line is money, information security threats have become quantifiable, systematizable, and predictable. Occasionally there are some really neat new security hacks, the WMF exploit and the ANI exploit come to mind, but by and large, it's the same old stupid tricks done and redone. This is because they continue to exploit the weakest link, the unsophisticated PC user who will still fall prey to 419 scams after all these years. Upwards of 80% of people will click on phishing e-mails if the message looks "good" enough, such as through a social networking site. Any idiot can own hardware now… and they do. It's quantity over quality.
At the same time, many of the old school hacker groups have sold out. Instead of continuing to work on their craft, they've gone to work for the highest bidder. As a result, the old hacking vitality has been lost. The Phrack editors are fond of saying that the information security guys need hackers, or they wouldn't exist. It's true. I wouldn't be doing the job I do if it weren't for hacking; the problem is that you're boring the hell out of me.
Here is the environment that Phrack is working in, trying to resuscitate a likely dead horse. They're hoping they can succeed, but I doubt it. With all the poor spelling and grammar, it's not likely they are up to the task. How can you try to teach people the syntax of shellcode when you don't have a basic understanding of the syntax of the English language? There is a difference between the cutesy-31337 h4x0r speak and sloppy writing. Phrack 64 was pock-marked with the latter.
To be fair, there is some good info in this issue. I found the RDS-TMC article informative and full of fun little tricks I'll have to try on my friends. Some articles rank along the lines of a digital fecal toss. "The Revolution will be on YouTube" was so pointless and insipid I got dumber having read it. Pages are marked with Phrack trying to convince people they are important. Let me introduce Bambenek's Second Law:
If you have to convince people you are (still) relevant, you aren't.
The demise of the hacking underground is a familiar story when capitalism comes to town. While communism is an economic, political, and social theory, capitalism is only an economic theory. When it gets applied as a political and social theory, dysfunction occurs. In the case of the hacking underground, some sold out, others hopped in, and the wheel moved forward with the profit motive, and the fine people at Phrack are disgruntled because they've been left behind.
Blogging is another example. Take the earliest bloggers; they all knew each other and there was a great spirit to it. Now it's been commoditized by splogs, been left behind by those who sold out, and the media has created their own. There are a few good blogs still out there (such as Blogcritics Magazine which is more online magazine, and my own blog of course), but the signal-to-noise ratio is quite low.
Phrack is a relic of the past and a shell of its former self. It has managed to break out of obscurity with new editors and perhaps they can make it into a solid technical magazine once again, but the underground they represent is dead and will remain so. Likely, when the editors figure that out, they'll go on to something else too.
June 5th, 2007 | Posted by John Bambenek | Columns, InfoSec, Information Security, Technology / Internet | one comment
Online identity theft has become a constant concern in a world of online shopping and bill paying. In the rush to move to the internet age, many companies simply neglected security concerns and the result has luckily not been as bad as it could have been.
In 2005, I did an estimate of the amount of money that was compromised because of online identity theft and came up with $24 billion in the United States alone. With the help of Agnieszka Klus, I redid the study recently with more realistic numbers and found over $55 billion was compromised. That amount is enough to pay off the entire state debt of Illinois.
Despite this large amount of money being at risk, very little of that money actually gets stolen. What investigators have found is despite it being relatively easy to steal money online, the current fraud protections make it hard to steal a great deal of money; “The straw is only so big”, according to one government source. The running assumption is that online identity theft would be used for theft and there is a finite limit of the amount of theft that can actually take place. This has allowed financial institutions to build in this amount into their business models and simply write the cost of fraud and fraud protection into the price for their services.
The idea that we, as a society, should rely on only one layer of protection (the limitation on how much can be stolen) is absurd and violates defense in depth. Eventually someone will figure out a way around the straw. More importantly, however, earlier this month proved false the assumption that identity theft would be used solely for stealing money.
On December 1st, the Department of Homeland Security warned of an “aspirational threat” to United States banking interests by Al Qaeda. A website claiming to be affiliated with Al Qaeda encouraged the cyberattack against US financial interests using denial of service attacks and viruses. While the specific methods of attack are “low tech” and easy to prevent, it shows that terrorist groups are moving to expand their tactics to include economic warfare.
If the goal of identity theft is to make money, the incentive is to keep taking as much as you can. If the goal is economic warfare, the behavior changes dramatically. As a concrete example, Al Qaeda could use run-of-the-mill hacker techniques to build a large botnet to steal identities. It could then use those machines that they have taken over to process fake transactions in the name of that consumer.
For instance, they could use a consumer’s home PC and process transactions at amazon.com to buy a bunch of books using the credit card information and home address of the consumer. It is not clearly a case of fraud because the hacker is not getting any personal gain. Does Amazon or the credit card company believe that the consumer really didn’t make the order when the product is going to their home address?
Now repeat this attack for a thousand consumers, ten thousand consumers, or one hundred thousand consumers. What would happen with the ensuing media coverage is that consumers would think twice about shopping online if their assets can’t be protected. They would think twice about paying bills online or banking online if their bank accounts can’t be protected. If done correctly and on a large enough scale, it would lead to a dramatic loss of confidence in electronic commerce and could push the United States economy back ten years.
The fundamental problem with electronic commerce is that transactions are not effectively authenticated. If someone knows all the right information, they can place a transaction in your name. We’ve learned that in the digital age stealing information from consumer PCs is remarkably easy. However, there exists technology today to fix this problem.
Two-factor authentication (something you “have” and something you “know”) would mitigate the risk of stolen information. Some banks use key chains that generate random numbers to authenticate users to their bank accounts. This must be widely applied to not only bank accounts but general financial transactions online. As another example, instead of entering credit card information with a keyboard, a user could insert a credit card with an embedded smart card into a card reader attached to their computer. The reader could have a keypad to enter a PIN to make the transaction secure and the card reader would happily give the online merchant all the information it needed to complete the transaction.
There are a variety of technologies to properly authenticate users to make purchases and these should be adopted. Al Qaeda and other groups are already on the lookout to undermine our economy. The question is will we stop them before it’s too late.
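To make the two-factor argument concrete, here is an added illustration that is not part of the original column: a merchant check that accepts stolen card data on its own, next to one that also demands a time-based token code and refuses a captured code when it is replayed. It uses the open RFC 4226/6238 one-time-password algorithms as a stand-in for the key-chain tokens mentioned above; the `Merchant` class, card number, address and seed are constructed for the example.

```python
import hashlib
import hmac
import struct

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 one-time code: HMAC-SHA1 over the counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def totp(secret: bytes, now: float, step: int = 30) -> str:
    """RFC 6238: the HOTP counter is the number of 30-second steps since the epoch."""
    return hotp(secret, int(now) // step)

class Merchant:
    """Hypothetical merchant back end (constructed for this example)."""
    def __init__(self, billing, token_secrets):
        self.billing = billing              # card number -> billing address
        self.token_secrets = token_secrets  # card number -> token seed
        self.last_step = {}                 # card number -> last accepted time step

    def knowledge_only(self, card, address):
        # "Something you know" only: anything a keylogger captured passes.
        return hmac.compare_digest(self.billing.get(card, ""), address)

    def two_factor(self, card, address, code, now, step=30):
        secret = self.token_secrets.get(card)
        if secret is None or not self.knowledge_only(card, address):
            return False
        current = int(now) // step
        for s in (current, current - 1):    # tolerate one step of clock drift
            fresh = s > self.last_step.get(card, -1)   # each step is usable once
            if fresh and hmac.compare_digest(hotp(secret, s), code):
                self.last_step[card] = s
                return True
        return False

# Constructed sample data: a test card number and the RFC 4226 test seed.
CARD, ADDRESS, SEED = "4111111111111111", "1 Example St", b"12345678901234567890"

def demo():
    shop = Merchant({CARD: ADDRESS}, {CARD: SEED})
    typed = totp(SEED, 59)                                    # code the owner types at t=59
    owner = shop.two_factor(CARD, ADDRESS, typed, 59)         # accepted
    replay_soon = shop.two_factor(CARD, ADDRESS, typed, 61)   # same code, already used
    replay_late = shop.two_factor(CARD, ADDRESS, typed, 120)  # code has expired
    static = shop.knowledge_only(CARD, ADDRESS)               # stolen data alone suffices
    return owner, replay_soon, replay_late, static

if __name__ == "__main__":
    print(demo())
```

The single-use bookkeeping in `last_step` is what rejects a code captured and replayed within its validity window; without it, the code would stay valid for up to a minute.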
December 22nd, 2006 | Posted by John Bambenek | InfoSec, Information Security, Military / War, Politics, Technology / Internet, Terrorism | one comment
This book has the look and feel of a business school textbook, moving from topic to topic in a fairly academic manner. It is a combination of 14 essays from prominent authors in the topics they are writing on. This allows for a book that can treat a wide range of concepts and still maintain credibility and a tone of expertise with the downside being the structure of each essay is slightly different between authors. As such, it is meant more as a higher-level introduction to concepts and ideas that swirl around the information security industry but it is couched in the language of business in the hopes that enterprises will adopt a measure of culture change in the area of security. The book seems to have a more European focus, but it is not without value to an American audience.
The book begins with an introduction by the editors laying out what they view as three areas driving enterprise security and what they hope to accomplish with the book. They finger security threats, creating new business opportunities, and regulatory compliance as the main drivers of security investment for the enterprise. In their experience, the editors see businesses still creating processes and applications designed around speed and convenience with security being an afterthought. The editors then establish 4 items they wish to see changed in industry: review of information security requirements, assuming legal liability for poor security practices (it’ll never happen), creating a security-aware culture, and security against insider threats. The rest of the book doesn’t seem to truly address how to bring these four changes to fruition.
The rest of the book is divided into three sections: (1) Concepts & Trends (better described as emerging security technologies), (2) Practical Experiences, and (3) Technologies & Standards. As far as organization, it would seem better to have Practical Experiences come last in the book and address the technologies discussed previously; however this is not a serious deficiency in the book.
Parts 1 and 3 are presented to the reader from a high-level perspective. It assumes little prior technical knowledge and thus is accessible to a wide audience, particularly the business community. It helps the reader understand why these technologies are beneficial from an economic standpoint. Readers who are technically savvy may get easily bored from this section unless they are trying to develop a “business case” for the adoption of security mechanisms for their organization. In that regard, these essays help bridge the gap between “tech heads” and the “pointy-haired management”.
The Practical Experience section is a collection of four case studies of four different organizations facing four different problems. It helps the reader to understand the challenges and obstacles in actual implementation of technologies. It helps bridge the gap between book-learning and real-world experience. 3 of the 4 essays revolve around PKI and digital identities. It is clear based on the focus of the editors that authentication is important to them; however, an expansion of case studies based on their other goals would make the text that much more effective.
All in all, the book is a valuable primer for consultants and non-savvy managers who are seeking to get their minds around security and how best to sell the investment of security.
May 29th, 2006 | Posted by John Bambenek | Book Reviews, InfoSec, Information Security, Technology / Internet | no comments
I was in a Washington Post article today in which I basically was quoted calling all the online credit card thieves n00bs. I’m starting a pool, how long til they DoS me…
John Bambenek, a security incident handler at the Bethesda, Md.-based SANS Internet Storm Center, which monitors hacking trends, agreed.
“The reason there is often a delay is that a lot of the people who actually install a lot of these keylogger programs are not that sophisticated,” Bambenek said. “In most cases, they’re teenage hackers who flip the information to more organized criminal groups for some quick cash.”
The scourge of keylogger programs is pervasive and growing, Bambenek said. He recently conducted an analysis for SANS estimating that nearly 10 million U.S. households own a computer that is infected with some type of keystroke logging program. Although not every PC user whose keystrokes are being logged has experienced financial losses — perhaps because hackers are busy sifting their illicit logs for rare kinds of data — Bambenek estimates that organized-crime groups have access to roughly $24 billion in bank assets from accounts associated with the owners of those infected machines.
Then there is this article where the reporter only mentioned my comments about porn sites. Awesome.
John Bambenek, a research programmer for the coordinated science lab at the University of Illinois, said some segments of retail on the Internet are not as trustworthy as others. “Porn is particularly bad,” he said. “They’ll take your credit card information and sell it to someone else. Since they’re a dime a dozen, you have no idea who you’re dealing with.”
March 16th, 2006 | Posted by John Bambenek | InfoSec, Information Security | no comments
I’m busy with my shift at the Internet Storm Center so probably light posting today.
September 7th, 2005 | Posted by John Bambenek | Blogging, InfoSec | no comments