locks keep lawful people out...    

The Security Skeptic

Dave Piscitello's Security Weblog

Skeptic (sceptic): a person inclined to question or doubt accepted opinions.

Mon, 26 Jan 2009 (BlogID 716)
Phishing: a low-paid, low-skills enterprise?

Cormac Herley and Dinei Florencio recently published a paper entitled A Profitless Endeavor: Phishing As Tragedy Of The Commons. In the article abstract, the authors say "Phishing is a classic example of tragedy of the commons, where there is open access to a resource that has limited ability to regenerate. Since each phisher independently seeks to maximize his return, the resource is over-grazed and yields far less than it is capable of"; that "common sense dictates that low-skill jobs pay like low-skill jobs, whether the activity is legal or not"; and later that "the resource yields far less when exploited by independent actors than if it were managed by a single decision maker."

These seem to be obvious conclusions. Can't the same conclusions be reached when analyzing any "street" versus organized crime? The street is open access and the number of individuals who use illegal substances is limited. The average independent corner drug dealer over-grazes his corner. He's unskilled and he isn't raking in millions a year. This is not new. The folks who are making millions harness the resources of large numbers of dealers under a single umbrella or family. This, too, is not new.

Phishing indeed has "single decision makers" today, and these are the heads of e-criminal organizations. These real-world criminal organizations or families replicate the behavior of crime families in the virtual world. They are hierarchically organized. The top of the tree earns the most through the aggregation of rewards from the subordinate branches. The lowest branches of the tree earn the least. And while the lowest branches in this tree may be unskilled, the branches representing the bot and command-and-control (C&C) software developers are not. Srizbi and Conficker illustrate exactly how clever these guys are. Scoff if you want, but anyone who can harness and oversee several hundred thousand networked computers is no slouch. Don't admire them, but don't discount them or view them as any less formidable because they are criminals.

I don't think the notion that phishing is largely an independent activity is a valid one. "Phishing" is the collective effort of many phishers, funded and coordinated in the same strong-armed manner as real world criminal endeavors. Clearly an enterprising, independent phisher will have nominal resources and his impact will be less than the collective impact of an organization.

The authors review open access fishing grounds and apply their model to phishing. I think an alternative analogy from the physical world in the pre-Internet decades is dumpster diving. Individual divers earned very little (for many, the cost of a fix). By engaging hundreds of divers in a common criminal purpose, the collective rewards from dumpster diving were not chump change for a crime family.

The authors also claim that the high volume of phishing activity demonstrates its lack of success. This seems to ignore the concept of countermeasures entirely. Phish volume increases because the percent of the population that is phishable for a given variant of a phish diminishes as countermeasures are adopted and that phish becomes ineffective.

The study presents an interesting analysis, and the authors present some startlingly different measures of the impact of phishing, but I don't think it mirrors the phishing reality very well. I rather doubt it will convince a lot of would-be phishers that they need to find a new day job; instead, some people will read the article title, skim the article, and let their guards down. To the authors' credit, they do acknowledge that the analysis focuses on the economics of phishing and that "even if the dollar losses are smaller than often believed, we believe that phishing is a major problem. There are many types of crime where the dollars gained by the criminal are small relative to the damage they inflict" and "If the dollar losses were zero the erosion of trust among web users, and destruction of email as a means of communicating would still be a major problem".

N.B. I admit to nearly falling out of my chair, unable to contain the laughter, when I read "It is interesting to wonder why the Gartner estimates are repeated without scrutiny when they appear noisy at best."

Archived at http://www.securityskeptic.com/arc20090101.htm#BlogID716 by Dave Piscitello  


Mon, 12 Jan 2009 (BlogID 715)
The Ask Mr. DNS Podcasts

Colleague Matt Larson and DNS and BIND author Cricket Liu have teamed up to produce podcasts on DNS issues. In Matt's words, the goal of their joint project is "to explain (DNS) and enliven what's usually a dry, technical subject".

The podcast's web site is http://www.ask-mrdns.com. You can subscribe to the podcast through iTunes and RSS channels.

Matt describes the inaugural episodes as follows:

  • Episode #1: Welcome to the inaugural episode of the Ask Mr. DNS Podcast! In this first episode, we introduce ourselves and talk a little about our backgrounds. We also explain who the heck Mr. DNS is and why we've named our podcast after him. Then we actually answer a DNS question and wind up the episode discussing some interesting DNS research we've each done.

  • Episode #2: In our second episode, Matt and Cricket discuss Matt's distaste for handbells and lapse into a discussion of Star Trek (The Original Series) -- oh, and answer an actual listener's question about when DNSSEC deployment will be widespread. Also, Cricket says, "Right, right" many times.

The episodes are very entertaining in a "techies with senses of humor and a wealth of expertise talking technology" manner. Matt and Cricket are extremely knowledgeable in the DNS space. (Note: I don't believe for a NY minute that Cricket is only qualified to talk about DNS, as he intimates in Episode 1.) Neither Matt nor Cricket has an overly inflated ego, and both have an engaging, self-deprecating way of imparting knowledge. The banter is genuine, and you can easily imagine that you're listening to a conversation in an informal setting, as a welcome (if silent) participant. If this is not enough to convince you to listen in and you need a kicker, try this:

You'll actually learn something.

Archived at http://www.securityskeptic.com/arc20090101.htm#BlogID715 by Dave Piscitello  


Thu, 08 Jan 2009 (BlogID 714)
Security joins the ranks of industries seeking handouts

The Internet Security Alliance is urging the Obama administration to assist in assuring that the nation's cyber infrastructure is secure by, you bet, providing market incentives "to spur industry to adopt security procedures to protect cyber infrastructure." ISA's president is quoted as saying, "Virtually every aspect of American life is now dependent on this electronic infrastructure, which is under attack and is growing increasingly vulnerable". He adds that neither the voluntary partnership model of the Bush Administration nor a centralized set of regulatory mandates is an appropriate response, implying that federal funding of private companies, as in the NSF years, is the most practical solution.

Much as I'd like to see security improve, I'd first like to understand why the voluntary partnership that was so strongly advocated for so many years has suddenly fallen out of favor. What does this admit? One interpretation is, "we can't do it on our own". The task is too large, the cost is too great, the talent is lacking? Those are scary admissions and would seem as likely to cause certain Congressmen to call for greater regulatory oversight as to cause other Congressmen to reach for the federal check book.

Why not greater regulatory oversight? A radical measure, admittedly, but look at the argument ISA makes: every aspect of American life is now dependent on this electronic infrastructure, which is under attack and is growing increasingly vulnerable. This paints as dire a circumstance for the future of the Internet as post-9/11 preparedness reports painted of other infrastructures, and look where those reports took us. Talk about painting yourself into a corner...

Another interpretation is that the security industry doesn't want to miss out on the federal free lunch opportunity. Yes, that's a shift from skeptic to curmudgeon.

My $.02. If ISA wants the feds to infuse the industry with funding to improve security, it should present the Obama administration with a plan that explains how it intends to infuse secure coding practices, improve security and resiliency in the core TCP/IP infrastructure and the naming and numbering systems, and assert a global baseline of secure operating practices. Work with the administration to establish auditing and accountability frameworks to assure that federally funded security initiatives bear fruit and are not merely ways to perpetuate F.U.D. and grow market share.

Tall order, indeed.

Archived at http://www.securityskeptic.com/arc20090101.htm#BlogID714 by Dave Piscitello  


Mon, 05 Jan 2009 (BlogID 713)
Sabbatical from blogging

The Security Skeptic went dark over the month of December. I didn't begin the month with the intention to neglect this activity, but on reflection, I really needed to devote time to family and personal matters. I'll also admit to feeling as if I'd lost my muse. I've become a victim of writer's block.

I characterize writer's block as a need to write but having nothing to write about. That's not exactly correct. For me, it's not simply a matter of having nothing to write, but having nothing that compels me to write. When I shared this notion with friends and colleagues, some replied, "you really can't find anything about Internet Security that compels you to write? Are you nuts?"

My answer through much of last month was that much of what you might write about Internet Security has been written and ignored, only to be revisited, discussed at length, and written again when an event or incident that might have been avoided occurred because the original message was ignored. Yes, I sound like my friend and colleague, Marcus Ranum. Tell me we are both wrong :-)

I don't believe we're wrong, but I can't see that Internet Security will improve if I and others don't continue to tilt at the windmills. So my resolution for the new year is to heed the advice so often given to anyone who claims to have writer's block.

I'll keep writing.

Archived at http://www.securityskeptic.com/arc20090101.htm#BlogID713 by Dave Piscitello