So, you came back for more?
Today, I'll start with the good news. There's privacy on the Internet. It's called encryption.
Encryption does exactly that: it transforms each packet with an algorithm before sending it and decodes it when it arrives. Plain and simple. The idea, that is, not the algorithms. As you can imagine, the algorithms are complex and require passwords, passphrases or certificates. Basically, all of them are passwords with different formats and sizes.
The way to use it is for the two parties to agree that encryption will be used, and which algorithm and certificates. From that point on, all packets are encrypted and unreadable while in transit.
Encryption can be applied at many levels: files, packets, sessions or a whole network. You can type a text message in a code previously agreed with your friend and that message will be unreadable for everyone else. Or you can open a session with a secure protocol like HTTPS and keep all packets in that session away from prying eyes. Or you can set up a VPN (Virtual Private Network) and keep all the sessions in that network hidden.
The most common case for Internet users is HTTPS, an encryption wrapper for the HTTP protocol. Servers using HTTPS keep their traffic with their clients private. You can see it in action on Gmail's login page: when you go to it, it redirects automatically to the secure HTTPS server.
But does this mean that sessions with HTTPS are 100% secure? Not even close, but I think they're good enough.
The main problem is the certificate itself. There are many ways to implement a secure channel between computers using certificates. In the case I mentioned, you end up in a secure session with a server, but where did the certificate come from? You didn't have any at that time. Well, the certificate was sent to you at the beginning of the session. And, most likely, replaced by a new one that is also sent to you, but through the session secured by the first certificate. Either way, the key to open all the packets for that session was exposed through all the transit time. Doesn't seem to make much sense. But, as I said before, it's good enough. The only way to get information from that session is to capture absolutely all of the session, all of it, because in fact it is a sequence of several different sessions with different addresses. This is not something anyone can do, not something easy to do, so it has to be worth it. Certainly not to access your free email account. At least I hope not, because if someone is after you at this level I want you to walk away from this blog. I don't want them (whoever they are) to get to me through you.
To overcome this problem, people who really, really want to have a secure session exchange certificates in private. In that case, you have your certificate beforehand and capturing all the traffic for your session is useless.
This is what's done to set up a private network: the certificates are generated by a certification authority (public or private) and, hopefully, exchanged using means other than a public network.
And now that you're happy with your privacy, let's go back to the bad news.
The transit of the packets is not the only weak point for your privacy. Let's talk about e-mail. Not all mail servers have secure sessions, and I'm not talking about the free ones: most of the private mail servers don't. But let's say that you use one that has it. Some use it only for the login; after that you're dealing with a plain open session, meaning that the content of your messages can be seen. And even if the whole session is secure, where are your messages stored?
Think about it: it's not your server, it belongs to someone else. Your messages are stored in there, available to anyone with access to that server.
But again, who cares about your free mail account? You.
The average Internet user cares about his mail account, trusts it and expects it to be private and secure. And they are, in a broad sense. They work fine and nobody is going through them, really, at least I'm not worried about it. And I'm not worried because that's not the point: I'm aware that the Internet is like a public place and that it has to be used with that image in mind. So, my question is: what are you storing in your account? What are you sending and receiving?
In a way, the Internet distorted the sense of reality for most people. It's hard to believe the things people write in e-mail, the kind of things they send in pictures and video. And the stuff they save in mailboxes.
And that's exactly the point: e-mail boxes are not secure places. They're controlled by people you know nothing about, people who owe you nothing, people who have no responsibility over the content of your mailbox. Of course they all say that they're responsible, that your mail is safe, that nobody is looking at your stuff, and I'm sure they mean it; I trust them and I've never seen evidence that they lie. But you have no way to know, no binding contract, no technical means to verify the integrity of the content in your mailbox. With real-life mail, you put your letter inside an envelope and seal it. This way, the letter can't be seen by third parties, and if they open the envelope you can tell. With email, the letter is in plain view for anyone to see. Even if you use encryption, the digital envelope, it can be opened without you knowing it. And this is one of the main problems of assimilating the real world and the virtual one. In the real world, things have a physical nature that makes them unique. Even if they're made in series, each piece is unique. In the virtual world, there are no physical things. The packets you send are replicated over and over until they reach their destination, and all of them are exactly the same as the first one (not exactly, but the difference goes beyond the reach of this article). At each relay, the packet is destroyed and recreated. In the same way, they could have been replicated, stored, recreated and sent without leaving a hint of a trace.
With all this in mind, what would you use your e-mail account for?
E-mail is great: it's useful, it's fast, it's easy. But it's not something where you can put all your hopes and dreams. Not something where all your assets can be managed. Not the key to your bank account.
Going back to the phishing thing, you can see how easy it is to get access to your bank's online service, your PayPal or eBay account, etc., all things with value, monetary value. And it doesn't stop here. I'm sure that 90% of those who fell for a phishing scam are using the same password for everything. Now the phisher has the mail address or the user name for that service; if it's just the user name, he can get the mail address from the settings of the account. He has the password for the service, and chances are the same password works for the mail address. Once inside the mailbox, chances are some other valuable services are linked to the same account and the traces of those services are in there: newsletters, subscription confirmations, etc. He just has to try them one by one with the same password, check the messages for the passwords (because many of them will send the passwords in plain text over e-mail), or go to the login page and request the password to be sent to the mailbox. Scary, isn't it? Just one little hole in the wall and your whole world is invaded.
The problem is not that we're helpless in the virtual world of the Internet; the problem is that we've lost the perspective of the true meaning of the Internet. I said in a previous article that the main thing that keeps the Internet together is a set of technical rules, and there's nothing in that set trying to make the Internet secure for your privacy or your assets. This is not a flaw in the Internet, it's a flaw in our perception of the Internet. Because it wasn't created for all this; nobody at that time was thinking about it, nobody was able to imagine the incredible growth of the last 20 years, nobody was able to predict that.
The Internet is a great thing. It was meant as a way to connect several computer networks online in order to exchange information fast and easily, to allow access to papers and other files to people in remote locations, to let people communicate by means of e-mail, to connect computers that share information to do a job together, and many other things. It fulfilled all its goals, gave us a lot more than that and keeps delivering.
The Internet is not the problem, we are.
This is a blog dedicated to talking about spam, scams, phishing, fake banks and other nuisances of the Internet. It's also a chance to practice my written English; I need something that forces me to write at least a small bit every day. Corporate English classes were not helping. My name is a homage to Wolfenstein, the game that started it all, and Bond. Enjoy (or not...)
6/29/2006
6/28/2006
Big Brother - Part I
Have you ever had the nagging feeling that someone's looking over your shoulder while you're browsing the net?
In a way, someone is. But don't get crazy just yet. The first part of the article is a brief (very brief) description of what the Internet is, so you can understand the second part.
The thing we call the Internet, THE net, is not really a network. In a broad sense it is, but actually it's a huge number of networks interconnected with each other. Sounds confusing because, after all, a group of interconnected networks forms a network, a bigger one but a network all the same. The difference is that the Internet has no identity of its own, no owner, no ruler.
The Internet is controlled by two things. One is a set of rules, technical rules, and we should be glad they are technical. The other is commercial agreements at every single point where two networks are linked.
Let's start from your own computer. Whether it's alone in your house or part of a LAN in your office, it's on a network. It has one IP address, meaning it has an identity on that network, and a physical connection. If you're on a private network, at some point that network is connected to the public network. If you're a home user, most likely your computer is on the public network already. The main difference is that from a private network you have to connect at least one point of it to a public network. But one way or the other, at that point you have an agreement with an ISP (Internet Service Provider) that lets you access the Internet. The ISP provides you a public IP address and from there you can open sessions with any other public address. I may add, most likely you can, and you'll see why in a minute.
Your ISP is basically another network; without a connection to other networks the only thing you're allowed to do is connect to other public addresses on your ISP's network. At some point, your ISP is connected to another network or several, and those are also connected to others. All they need to make the whole Internet work is to know where each public address is. They don't, actually: every network knows about its own public addresses, some addresses of the networks directly connected to it, and one or more connections where it sends every packet not included in the previous groups.
Of course the lists of IP addresses are not exhaustive; they don't have to store information for each one. They're handled by blocks, groups of IP addresses that can be masked easily. This way, every time they have to route a packet, all they do is identify the block it belongs to and take the action assigned to that particular block.
Let's say that the Internet is like a city. If you live in an apartment building, you have a private address, the number on your door. All traffic to your door is handled by the doorman: if it's between apartments he can do it all by himself inside the building; if it's to or from another place outside the building he has to go to the front door and interface with the rest of the world. The front door of the building is public; it has a public address and is "connected" to the street, your ISP. If you live in a house, you have a public address and don't need the doorman to handle your traffic.
The street, your ISP, has a postman going up and down exchanging packets with every public address on the street. He's not allowed to go anywhere else. The traffic between public addresses on the street is handled directly by him, but packets to another street, city or country have to be handed to someone else. The street crosses other streets, one or many, and the postman has a routing instruction saying at which intersection to drop each packet, and one or more last-resort intersections where he drops all packets without specific routing rules. At those intersections, he also picks up packets addressed to his own street. The last-resort intersections allow the postman to reach every address on the net without knowing where it is. That intersection could be served by a bigger postman, like one in an avenue with more intersections, or a high-speed postman serving a highway, where there are no homes or buildings, only intersections with streets, avenues or other highways. One thing that you may be wondering about is how postmen deliver when they have alternative routes for a packet. As you can imagine, postmen are not humans but computers, and they need precise, non-ambiguous instructions. The alternative routes can be used as a backup in case the main one fails, or to balance load. In the latter case, the postman uses one or the other based on a measure of the traffic.
The beauty of all this is that there's no central control, manager or government. All the postmen and doormen agree on the technical aspects: proper addressing and uniform instruction sheets. This way everyone knows what to do with each packet without knowing what's beyond their own bailiwick.
I want to add a small note here: the system is not perfect. Eventually you may find that a certain address is unavailable to you while your friend, who's at an address available to you, can reach it. The routing instructions change every day, either for technical reasons or commercial ones. Sometimes the changes on a network require its neighbors to change too, and that may take some time. Sometimes there's no routing instruction at all for a combination of addresses: oversight, commercial restriction (not worth paying for, no traffic expected, etc.) or just a technical problem.
The other side of what keeps the net together is the commercial agreement between postmen and doormen at each intersection. The agreement could be of any kind: pay by packet size, pay by speed, just pay. The agreement could also include address restrictions, alternative routes, guaranteed uptime, etc.
But the bottom line is it works. Believe it or not, the fact is the Internet works, and if you're reading this you have all the evidence you need.
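The block lookup and the last-resort intersection described above are what a router does with a forwarding table: find the most specific address block (longest prefix) that contains the destination and take that block's action, falling back to the default route when no specific block matches. The following is an added example, not code from the original post; the routing table, the next-hop names and the "down" set are constructed for illustration.

```python
import ipaddress

# Constructed forwarding table: (address block, next hops in order of preference).
# The names are hypothetical stand-ins for the doorman, postmen and highways of the analogy.
ROUTES = [
    ("10.1.0.0/16",       ["doorman-building"]),            # our own private block
    ("203.0.113.0/24",    ["street-postman"]),              # the ISP's own public block
    ("198.51.100.0/24",   ["avenue-east", "avenue-north"]), # neighbour, with a backup route
    ("198.51.100.128/25", ["avenue-west"]),                 # more specific block inside the one above
    ("0.0.0.0/0",         ["highway-default"]),             # last-resort intersection (default route)
]


def build_table(routes):
    """Parse the textual prefixes once so lookups can use ipaddress containment checks."""
    return [(ipaddress.ip_network(prefix), list(next_hops)) for prefix, next_hops in routes]


def lookup(table, dest, down=frozenset()):
    """Return the next hop for `dest`: the longest matching prefix that still has a usable next hop.

    `down` is the set of next hops currently failed; a block whose hops are all down is
    withdrawn, so the packet falls through to the next, less specific block.
    """
    ip = ipaddress.ip_address(dest)
    best_net, best_hop = None, None
    for net, hops in table:
        if ip not in net:
            continue
        usable = [hop for hop in hops if hop not in down]
        if not usable:
            continue  # every route for this block has failed; ignore the block
        if best_net is None or net.prefixlen > best_net.prefixlen:
            best_net, best_hop = net, usable[0]
    return best_hop


def route_all(table, dests, down=frozenset()):
    """Count how many of the given destinations go to each next hop (or None if unroutable)."""
    counts = {}
    for dest in dests:
        hop = lookup(table, dest, down)
        counts[hop] = counts.get(hop, 0) + 1
    return counts


if __name__ == "__main__":
    table = build_table(ROUTES)
    sample = ["10.1.2.3", "198.51.100.5", "198.51.100.200", "203.0.113.9", "192.0.2.1"]
    for dest in sample:
        print(dest, "->", lookup(table, dest))
    print("with avenue-west down:", lookup(table, "198.51.100.200", down={"avenue-west"}))
    print("totals:", route_all(table, sample))
```

Note that `198.51.100.200` is inside both `198.51.100.0/24` and `198.51.100.128/25`; the more specific block wins, which is the "identify the block it belongs to" step. When that block's only next hop is down, the packet is carried by the less specific block's route, which is the backup behaviour the analogy mentions.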
Now going back to the subject of this article, is somebody looking over your shoulder?
Every single packet that you send or receive is handled by many doormen and postmen. They're not human, but they're run by humans and they're all independent. What stops them from snooping into your packets?
The answer is simple: nothing.
Let's say that I'm a major carrier, a highway in the city analogy, and for some reason I want to look at all the packets going through one of my intersections. It's my equipment, it's my wire, and even if I had a non-snooping clause in my agreement with other networks (there's no such clause), nobody is controlling me; there's no way to know from the outside that I'm doing it.
And now that I've freaked you out, I'll put you back together. Because now you're thinking that everyone knows what you read, what you see and who you talk to. Forget it, it's not happening. But what if it is?
Have you ever been in a mall? Were you worried that someone might note which displays you look at? While you were having a drink, someone checking what you were having, how, what you were reading? At the post office, the postman checking who you write to or who writes to you?
At this point, you either turned completely paranoid or realized that the Internet is a public place like a mall or even the street. More like a mall, I'd say, because it's owned by many private parties. But the point is that the Internet is public not because of the ownership but because of its nature, its history and its technical limitations. The Internet wasn't designed for security; security was ensured physically, by not allowing access to equipment and wires. But once it grew into a network too large to be confined, with too many players to be controlled, physical security became impossible.
But is it such a big deal? All your packets in the hands of people you know nothing about?
Let's go back to the mall analogy, you're going through a public place, do you expect privacy? Why do you expect privacy on the Internet then?
The structure of the net makes it impossible to control whether someone takes a look at your traffic. I'm sure your ISP will say that no one is doing it, but I'm pretty sure that they won't give you a signed warranty. Even if they're to be trusted, once they pass the packet to the next network it is out of their control, and out of yours too.
But are they doing it? Is someone out there checking all your traffic?
I think not. I'm sure not. At least not in that sense. I mean, there's no way to check every single packet, no way to store it for later analysis, no way to keep up with the constant flow. I know that because I do that frequently. I'm in control of the doorman in my building and from time to time I have to check the traffic, because something is not working, or I suspect foul play from the outside or the inside, or anything else. And it's not a huge building. However, I have no way to check it all and there's no automated system able to do it. You can try it yourself if you want: go get a sniffer, a program that allows you to see all the traffic on your network connection. There are some nice free sniffers out there like NetworkActiv or Ethereal. Once you have it, let it run for one hour while you do your regular use of the Internet. Then try to make some sense of that hour of traffic. How far can you go?
It's a trick test, because you probably don't know enough to understand what's in there. But besides that, nobody can check a one-hour traffic file (average traffic) in one hour. Even with a machine doing it, there are too many variables, and the kind of information that would make sense to a human, like text, pictures, sound and video, can't be properly evaluated by a machine. Imagine that if it can't be done with the traffic of one machine, it is a lot more difficult with thousands or millions. So, I can say for sure that nobody is checking the traffic of the Internet systematically.
However, I can imagine someone looking for something very specific. Let's say that I want to know who's using a specific mail server from my building, my network. I can set my doorman to report connections to that server. The amount of information would be easy to handle. I can do that by content too: specific words, even by media type.
And if you think that your government is able to do it, think again. I can do it because I have just one door in my building. Imagine how many different access points there are in one country and how much traffic is going through them; it's impossible to handle.
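The "report connections to that server" check above is the kind of targeted filter a gateway operator can actually run: instead of reading every packet, reduce the connection log to the handful of records that match one destination. Here is an added example of that filter, not code from the original post. The log lines are constructed to imitate a gateway's connection log, and the server address `203.0.113.25` and the internal addresses are hypothetical.

```python
import re
from collections import Counter

# Constructed connection records, in a format loosely modelled on a gateway/firewall log:
# timestamp, verdict, source ip:port -> destination ip:port, protocol.
SAMPLE_LOG = """\
2006-06-28 09:12:01 ACCEPT 10.1.0.15:51233 -> 203.0.113.25:25 proto=tcp
2006-06-28 09:12:05 ACCEPT 10.1.0.22:51234 -> 198.51.100.80:80 proto=tcp
2006-06-28 09:13:40 ACCEPT 10.1.0.15:51240 -> 203.0.113.25:587 proto=tcp
2006-06-28 09:15:02 ACCEPT 10.1.0.31:51250 -> 203.0.113.25:25 proto=tcp
2006-06-28 09:16:11 DROP   10.1.0.31:51251 -> 192.0.2.9:25 proto=tcp
2006-06-28 09:17:30 ACCEPT 10.1.0.22:51260 -> 198.51.100.80:443 proto=tcp
this line is not a connection record and is skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(?P<verdict>ACCEPT|DROP)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s+proto=(?P<proto>\w+)$"
)

MAIL_PORTS = {25, 465, 587}  # SMTP, SMTPS and submission


def parse(log):
    """Yield one dict per well-formed record; malformed lines are ignored rather than crashing."""
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
            yield rec


def who_talks_to(log, server, ports=MAIL_PORTS, accepted_only=True):
    """Count accepted connections per internal source address to `server` on the given ports.

    This is the 'report connections to that server' filter: a few lines out of the whole log.
    """
    counts = Counter()
    for rec in parse(log):
        if rec["dst"] != server or rec["dport"] not in ports:
            continue
        if accepted_only and rec["verdict"] != "ACCEPT":
            continue
        counts[rec["src"]] += 1
    return counts


def mail_servers_seen(log, ports=MAIL_PORTS):
    """Every destination contacted on a mail port, accepted or not; useful to spot unexpected relays."""
    return {rec["dst"] for rec in parse(log) if rec["dport"] in ports}


if __name__ == "__main__":
    for src, n in who_talks_to(SAMPLE_LOG, "203.0.113.25").most_common():
        print(f"{src} opened {n} mail connection(s) to 203.0.113.25")
    print("mail destinations seen:", sorted(mail_servers_seen(SAMPLE_LOG)))
```

The point of the example is the scale difference the post describes: the filter touches only the metadata of each connection record (addresses and ports), which is cheap to log and cheap to scan, whereas reading the content of the same hour of traffic is not.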
In conclusion, I wouldn't worry about someone looking at my traffic. However, the Internet is like a public place and I have to assume that my activity may be seen. Do what you do in public, don't do things you don't want others to see.
Of course there's privacy on the Internet but that's for part II where I'll tell you about more scary things. Relax, enjoy.
6/16/2006
What can be done about phishing
Yesterday I was upset about everyone's attitude about phishing, the same attitude that everyone has about scams and spam and fake banks, etc. The two main reasons for this are that the problem is too big, and that those who fall for it are gullible people whom everyone else deems stupid and unworthy of consideration. Yes, I know it sounds harsh, but that's the way most people think.
They have the right to think any way they want, but from a practical point of view, don't the service providers want the gullible people as customers? Gullible people make a great market; they support shopping TV channels. Who wouldn't want to sell to them?
But this is a blog about phishing and other things around the Internet; gullible people and the marketplace are a theme for another blog.
What I want to write about today is ways to reduce phishing, ways that can be implemented by the service providers, whoever they are. None of these recommendations is technically impossible or complicated. In fact some of them are out there right now; someone is using them already.
Here they are
First of all we have to understand how phishing works. The phisher goes to the original login page and save a copy, then download the copy to a server somewhere else. The original page takes the username and password, checks against a database and grants or denies access. The phisher changes this, stores the username and password and, in most of them, directs the user to a page where his/her personal information has to be verified for security reasons. There is where you have to put your address, credit card number, PINs, etc. Then it forwards you to the original home page, an error page (try again in a couple minutes), or any other he can think of. It doesn't matter, by that time your personal information is compromised already.
I'd like to start from the email, but there's a lot of stuff that I have in another article about spam and I don't want to duplicate it. So I'm going to start from the phishing page.
The first problem here is that the page looks like the original one, in fact most of the components of the page are the originals.
A web page is basically a file with instructions to build the page: it says what text is included, how it should be organized, formatting information, etc. It doesn't include the images, it just says what images are required to build the page, how to put them in the page and the link where the images are stored. Your browser asks the server for each image. In fact there's an option in your web browser to prevent that; it was included many years ago for people using low speed dial up access so they could see the content of the page without downloading all the images.
The phisher can download all the images and set up a server just like the original; it's easier now that any browser has the ability to save a full web page in one command. Before that you'd have to save them one by one. But they don't, I think the reason is that it's a lot easier to keep the links and let the original server do the job. Having the images stored on their own servers won't help finding them, they're not more incriminating than the page itself, so I have to assume that the main reason is because they're lazy.
On the other hand, we have the original server. It's serving the images for the offending site for free, keeping them and paying for the bandwidth every time a mark falls in the trap. It doesn't make sense to me.
Why aren't they doing something about it? And here's a list of simple silly things that can be done.
- Don't serve images if they're referred from another server. Even when the session itself is from your browser to the server, your browser tells the server where the link comes from (the referrer), and this is something that the phisher can avoid. A lot of sites are doing this, it's a simple solution. I'm not saying that you can do that just by checking a flag in a configuration, someone has to work it out. But it's worth it.
- Serve the images but with a twist. When you ask a web server for an image, it sends you the file. The URL that you see is basically a directory path just like the ones you use in your own machine. The server goes through the path, finds the file you want and sends it. An alternative to this is to use an image serving script, an active page that checks what file you are asking for and serves it. The difference is that such a script can check the referrer and decide whether to serve the file, refuse it, or serve another one. And that option is a very good one: they can serve an image file that, instead of the original logo, bears one that's obviously fake. Better yet, an image with a text saying "you're about to login into a fake server". Eventually the phishers will copy all the images and serve them from their own sites, but it will make things harder for them: they'll need more time, they'll need more resources, it will give the hosts a good way to detect the phishing pages automatically, and at the least it will reduce the problem. Yahoo is doing even more, they change the images of their webmail login page. And not only the images, they're changing the look of it frequently. If you're a frequent user, you probably got used to it by now. The idea (I guess) is that if the user sees an old page he'll suspect that something's wrong and won't login.
- While they're not doing it, having the log of referrals they can identify without a shadow of a doubt any phishing page as it's being accessed. The second someone opens that page and requests the image file, the server is able to tell that it was referred from a site other than the original. Maybe they're not logging that but I'm sure they can, any web server has a log service. The logs are, or would be, huge surely, but they don't have to read them line by line. A computer can do that, and even if they have to set a computer to do just that all day every day, it's worth it. All they need is to compile a list of the sites, other than their own servers, from which references to the images are made. And that's it, they'd have the most efficient early warning system ever. Every page I've seen lately is using the original image files, every single one. The phishers are literally ringing a bell every time they set up a page. However, the service providers are sitting there waiting for you to report a phishing page. And in return you get a nice preformatted thank you message with tips to recognize phishing pages and protect yourself; what for? You're reporting the page, you don't need that. "Common sense is the least common of the senses", I don't know if it makes any sense in English but never before was that phrase more appropriate.
- In addition to the image problem, most of these services are using links to other services: Doubleclick, Omniture, BBOnline, Verisign, etc. Each one with a specific purpose. Doubleclick manages targeted advertising, BBOnline and Verisign do certification of the site, Omniture runs statistical analysis. I'm writing a complete article about Omniture, don't miss it. These third-party services can apply the same referrer criteria to the elements they serve to that page. But they could also certify that you're connected to the right server.
The verification that Verisign or BBOnline do is useless for the end user: the seal at the bottom of the page has an ID code assigned to the original site and you can use it anywhere you want. In fact you can try these:
https://seal.verisign.com/splash?form_file=fdf/splash.fdf&dn=WWW.AMERICARX.COM&lang=en
http://www.bbbonline.org/cks.asp?id=20111061155818568
You can try them from here, copy and paste them in your browser or make your own page with the link. Either way they won't certify that the site from where you're clicking is the real one. They certify security (internal), business standards, etc. of the site whose ID you're asking about. Why aren't they certifying the site from where you're clicking? Why aren't they selling that service? As a user I'd like to have that service; the other certification is fine too, but I want one that helps me know that I'm on the right site. And I know that it can be fooled, I wouldn't sell it as a 100% safe method because I know it's not, but at least it can tell you with 100% certainty when it isn't the right site.
- Research each phishing case more. I don't think they're doing it. At most they're requesting the closure of the offending site, and I don't think they're doing that either. I closed more sites last week than they did ever. Closing the site itself is good but not enough; each phisher opens many of them at the same time and doesn't expect them to live for long. If they do, great, but just a couple of days is more than good enough. People that fall for this do it almost immediately: they get the message, they click, they login, it's done. Even one day is good enough, half a day or less too. Heck, I bet the phisher is happy if he gets one good hit. But they're doing a lot better than that; if you've read the previous article you may have seen that I found one page with less than a day of life and close to 10 good logins. Today I've just found another, half a day of life and almost 10 good logins. By the time the page is closed, most likely the phisher has already harvested it. Add to that all the pages that have been running for weeks, months. The phisher can keep sending messages linking to them forever. And the worst part is that even if the page is closed fast, most of them are not storing the information on the same server. I want to explain this in detail because it seems simple but it's not. The page itself is weak; the phisher knows that it will be closed (most likely) and that it won't last long. He has two choices: check it often enough to make it worthwhile before it's closed, or store the data somewhere else. The last option has many advantages: he can stay away from the page for a long period of time without risking his position, the information is safe even while the page is being closed, all his pages report to only one site and, best of all, he knows that nobody cares, the host of the page will shut it down, erase all the content and move on. After that, there's no link between the phishing message, the phishing page and the site holding the database.
I'm seeing this setup often lately; the pages holding a local file with the logins are uncommon now. Getting the database down would make all the pages linked to it worthless, and we're talking about almost all of them linked to a relatively small number of servers. And, again, I know it takes time and resources to do it. But I think that I can do it by myself if I want to, and once you get to the server it should be easy to take any measures to close it, block it, take legal action, anything. But it's worth it, it's something that the service providers owe their customers.
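The referrer check behind the image-serving script and the referral-log early warning system from the list above, shown together as an added Python example (not code from this blog or from any provider). The domain, the warning image path and the access-log lines are constructed for the example; the log format is the "combined" format Apache and nginx write by default.

```python
import re
from urllib.parse import urlsplit

# Constructed names: the domain whose pages may embed the images, and the
# substitute image served to everybody else.
OUR_DOMAINS = {"example-bank.test"}
WARNING_IMAGE = "/img/fake-login-warning.gif"
IMAGE_SUFFIXES = (".gif", ".png", ".jpg")

# One line in the "combined" access-log format used by Apache and nginx.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<when>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def referer_host(referer):
    """Lowercase host of a Referer value, or None when the header is absent
    ('-' in logs), empty, or not a URL; a malformed value must not crash us."""
    if not referer or referer == "-":
        return None
    try:
        return urlsplit(referer).hostname  # urlsplit lowercases the host
    except ValueError:
        return None

def is_ours(host):
    """Match our domain and its subdomains on a dot boundary, so that
    'notexample-bank.test' and 'example-bank.test.evil.test' do not pass."""
    return any(host == d or host.endswith("." + d) for d in OUR_DOMAINS)

def decide_image(referer, requested, foreign="warn"):
    """Policy for the image-serving script: own pages and requests with no
    usable Referer (direct loads, browsers or proxies that strip it) get the
    real file; a foreign referrer gets the warning image or nothing ('deny')."""
    host = referer_host(referer)
    if host is None or is_ours(host):
        return "serve", requested
    return ("warn", WARNING_IMAGE) if foreign == "warn" else ("deny", None)

def foreign_referrers(log_lines):
    """Early-warning list from the access log: every foreign host that embedded
    one of our images, with hit count, first sighting and the paths pulled."""
    found = {}
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real scanner would count these
        req = m.group("req").split(" ")
        if len(req) < 2 or not req[1].lower().endswith(IMAGE_SUFFIXES):
            continue  # only image hits are hotlinking evidence
        host = referer_host(m.group("referer"))
        if host is None or is_ours(host):
            continue
        entry = found.setdefault(host, {"hits": 0, "first_seen": m.group("when"), "paths": set()})
        entry["hits"] += 1
        entry["paths"].add(req[1])
    return found

# Constructed sample log: a normal login page, a direct image load, a page on a
# free host pulling two images, a non-image hit, and a look-alike domain.
SAMPLE_LOG = [
    '10.0.0.1 - - [16/Jun/2006:10:12:01 +0000] "GET /img/logo.gif HTTP/1.1" 200 1234 "http://login.example-bank.test/" "Mozilla/4.0"',
    '10.0.0.2 - - [16/Jun/2006:10:12:05 +0000] "GET /img/logo.gif HTTP/1.1" 200 1234 "-" "Mozilla/4.0"',
    '10.0.0.3 - - [16/Jun/2006:10:13:40 +0000] "GET /img/logo.gif HTTP/1.1" 200 1234 "http://free-host.test/~user/verify.html" "Mozilla/4.0"',
    '10.0.0.4 - - [16/Jun/2006:10:14:02 +0000] "GET /img/seal.gif HTTP/1.1" 200 987 "http://free-host.test/~user/verify.html" "Mozilla/4.0"',
    '10.0.0.5 - - [16/Jun/2006:10:15:00 +0000] "GET /login.html HTTP/1.1" 200 4321 "http://free-host.test/~user/verify.html" "Mozilla/4.0"',
    '10.0.0.6 - - [16/Jun/2006:10:16:00 +0000] "GET /img/logo.gif HTTP/1.1" 200 1234 "http://example-bank.test.evil.test/" "Mozilla/4.0"',
]

if __name__ == "__main__":
    for host, info in sorted(foreign_referrers(SAMPLE_LOG).items()):
        print(f"{host}: {info['hits']} image hits since {info['first_seen']}, paths {sorted(info['paths'])}")
```

Requests without a Referer are served on purpose: denying them breaks direct loads and privacy-minded browsers, which is why the log scan rather than the serving policy is the more reliable alarm.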
I have more complicated suggestions, not impossible but more difficult to implement. I think I can do them, that's why I know that they can be done, but the complexity is such that some are impossible to do with the resources the phishers use to host their pages, and some would put a good part of them out of business.
Like dynamically generated images. How about the logo with the date and time? The image can be generated dynamically, but if you have access only to a web server, even with scripting capabilities, it's close to impossible. The phisher will have to move to more complex setups that would be easier to find and shut down; even worse for him, they'd give more evidence to track the phisher.
And best of all, they can hire me. After all, among all those who are talking and talking and talking about phishing, I'm the one who can show results... just a thought.