
April 25, 2008

Paypal Says Old IE is Like Car Without Seat Belt: EV SSL blocking

The eBay-owned company, which runs a Web-based payment system that allows the transfer of funds between bank accounts and credit cards, said browsers that do not have support for blocking identity theft-related Web sites or for EV SSL (Extended Validation Secure Sockets Layer) certificates are considered "unsafe" for financial transactions.

"In our view, letting users view the PayPal site on one of these browsers is equal to a car manufacturer allowing drivers to buy one of their vehicles without seat belts," said PayPal Chief Information Security Officer Michael Barrett.

...

Barrett only mentioned old, out-of-support versions of Microsoft's Internet Explorer among this group of "unsafe browsers," but it's clear his warning extends to Apple's Safari browser, which offers no anti-phishing protection and does not support the use of EV SSL certificates.

PayPal Plans to Ban Unsafe Browsers, by Ryan Naraine, eWeek.com, 2008-04-17

Now on the one hand, I think EV SSL is color-coded checklist security candy:


April 02, 2008

Auditing Georgia Government Security

Georgia's governor wants to standardize information security reporting across the entire state government:
The Executive Order calls for a single set of information security reporting standards for all agencies to follow. Currently, state agencies use a variety of reporting standards, making it difficult to measure information security across state government or to track progress from year to year.

Governor Perdue has directed the Georgia Technology Authority (GTA) to work with the Georgia Department of Audits and Accounts and the Governor's Office of Planning and Budget to develop a reporting format and required content for agency information security reports. Each agency will be responsible for reporting to GTA at the end of the fiscal year. GTA will compile agency reports into a single Enterprise Information Security Report, available by October 31 of each year.

Gov. Perdue Signs Executive Order Strengthening Georgia's Information Technology Security, News Report, Government Technology, Mar 20, 2008

I think this is a good move. Now how about monthly reporting in a publicly visible web page.

-jsq

December 20, 2007

Traffic Control Viewed as ISP Risk

Certain ISPs plan to spend a lot of money throttling, stifling, policing copyrights, campaigning and lobbying to control content of information flow through their networks. They might want to look at what's happening in China:
Beijing has recently added a new weapon to its arsenal of surveillance technologies, a system it believes to be a modern marvel: the Golden Shield. It took eight years and $700 million to build, and its mission is to "purify" the Internet — an apparently urgent task. "Whether we can cope with the Internet is a matter that affects the development of socialist culture, the security of information, and the stability of the state," President Hu Jintao said in January.

The Golden Shield — the latest addition to what is widely referred to as the Great Firewall of China — was supposed to monitor, filter, and block sensitive online content. But only a year after completion, it already looks doomed to fail. True, surveillance remains widespread, and outspoken dissidents are punished harshly. But my experience as a correspondent in China for seven years suggests that the country's stranglehold on the communications of its citizens is slipping: Bloggers and other Web sources are rapidly supplanting Communist-controlled news outlets. Cyberprotests have managed to bring about an important constitutional change. And ordinary Chinese citizens can circumvent the Great Firewall and evade other forms of police observation with surprising ease. If they know how.

The Great Firewall: China's Misguided — and Futile — Attempt to Control What Happens Online, By Oliver August, WIRED MAGAZINE: ISSUE 15.11, 10.23.07 | 12:00 AM

And if they don't know how, that article provides tips.


December 18, 2007

Sony Rootkitting: How It Happened

Here's a paper about Sony and the Rootkit:

While Sony BMG's customers first became aware of the dangers posed by the rootkit through media reports following Russinovich's October 31 announcement, the company was on notice that its product contained a rootkit, at the very least, four weeks earlier. Finnish anti-virus software developer F-Secure contacted Sony BMG on October 4, 2005, alerting it to the presence of the rootkit. Of course, First4Internet, as the developer that chose to incorporate the rootkit into its design, necessarily knew of its presence from the outset.

THE MAGNIFICENCE OF THE DISASTER: RECONSTRUCTING THE SONY BMG ROOTKIT INCIDENT, By Deirdre K. Mulligan & Aaron K. Perzanowski

Yet Sony apparently thought that it could still sneak a rootkit onto CDs its customers paid for. The customers knew better, because Amazon reviews told them, and CD sales plummeted as soon as rootkit-infested versions were issued.

This maybe illustrates three points:


December 06, 2007

Chinese Honeynet Project: Botnets Are Sneaky and Evolving; Need Adaptive Distributed Counter

The subject is my interpretation of a sixteen page paper by a joint Chinese-German project to examine botnets in China.
Botnets have become the first-choice attack platform for network-based attacks during the last few years. These networks pose a severe threat to normal operations of the public Internet and affect many Internet users. With the help of a distributed and fully-automated botnet measurement system, we were able to discover and track 3,290 botnets during a period of almost twelve months.

Characterizing the IRC-based Botnet Phenomenon, Jianwei Zhuge, Thorsten Holz, Xinhui Han, Jinpeng Guo, and Wei Zou; Peking University Institute of Computer Science and Technology, Beijing, China, and University of Mannheim Laboratory for Dependable Distributed Systems, Mannheim, Germany; Reihe Informatik TR-2007-010

The paper provides many interesting statistics, such as only a small percent of botnets are detected by the usual Internet security companies. But the main point is exactly that a distributed and adaptive honeypot botnet detection network was able to detect and observe botnets in action and to get data for all those statistics. Trying to deal with an international adaptive botnet threat via static software or occasional centralized patches isn't going to work.

Some readers conclude that this paper shows that reputation services don't work, because they don't show most botnets. I conclude that current reputation services don't work because they aren't using an adaptive distributed honeypot network to get their information, and because their published reputation information isn't tied to economic incentives for the affected ISPs and software vendors, such as higher insurance rates.

-jsq

December 03, 2007

ResNet for the Home: Why Don't Last-Mile ISPs Detect, Clean, and Insure Home Machines?

Colleges and universities often provide residential networks (resnets) for their students. There are companies that do that, such as Apogee Networks, plus value added services such as patching, installing, and configuring secure and virus-free software. Last-mile ISPs could do that too. They could go farther: they could detect, clean, and insure home machines.

Now they may not want to do this because they might incur legal liability. But that's what insurance is for. And they might not want to do it because it's not their core competence. But they could offer such services through a third party. Why don't they?

-jsq

November 02, 2007

Storm Botnet Movie

Cory always has a way with words:
The Storm Worm botnet (thought to be the largest network of compromised machines in the world) has begun to figure out which security researchers are trying to disrupt its command-and-control systems and knock them offline with unmanageable crapfloods from its zillions of zombie machines.

StormWorm botnet lashes out at security researchers, Cory Doctorow, BoingBoing, October 24, 2007 12:35 PM

But Michael Froomkin found a movie illustrating the situation:

Hiding inside while hordes of zombies dance outside and eat away at the doors; yep, that's pretty much the state of Internet security.

-jsq

October 02, 2007

APWG in Pittsburgh and Fraud in Japan

The Anti-Phishing Working Group is having one of its periodic member meetings, this time in Pittsburgh. Probably I shouldn't report too much detail, but I'll say that interesting things are going on worldwide that may spread to other countries. For example, in Japan it seems that fake programming sites are more popular than phishing. Also, if I heard correctly, most phishing in the Japanese language originates from phishers in Japan. This would make sense, since it's very hard for foreigners to write well enough to pretend to be Japanese. So that one probably won't spread too widely, but the fake programming scam could.

My favorite is the history attack. World War II ended on 15 August 1945 in Japan, so a timeline of that war can get a lot of hits on a war's end link in August of any year. Who would have known history could be so popular?

Meanwhile, during Carnival in Brazil, nobody reports malware, so there's a dip in measurements.... Then, and for the rest of the year, sophisticated personalized social engineering attacks seem to be popular in Brazil.

-jsq

September 28, 2007

Common Sense Lacking for Big Perils such as Georgia Hurricane or Worst Case Worm

Why it's not good to depend on common sense for really big perils:
The models these companies created differed from peril to peril, but they all had one thing in common: they accepted that the past was an imperfect guide to the future. No hurricane has hit the coast of Georgia, for instance, since detailed records have been kept. And so if you relied solely on the past, you would predict that no hurricane ever will hit the Georgia coast. But that makes no sense: the coastline above, in South Carolina, and below, in Florida, has been ravaged by storms. You are dealing with a physical process, says Robert Muir-Wood, the chief scientist for R.M.S. There is no physical reason why Georgia has not been hit. Georgia's just been lucky. To evaluate the threat to a Georgia beach house, you need to see through Georgia's luck. To do this, the R.M.S. modeler creates a history that never happened: he uses what he knows about actual hurricanes, plus what he knows about the forces that create and fuel hurricanes, to invent a 100,000-year history of hurricanes. Real history serves as a guide: it enables him to see, for instance, that the odds of big hurricanes making landfall north of Cape Hatteras are far below the odds of them striking south of Cape Hatteras. It allows him to assign different odds to different stretches of coastline without making the random distinctions that actual hurricanes have made in the last 100 years. Generate a few hundred thousand hurricanes, and you generate not only dozens of massive hurricanes that hit Georgia but also a few that hit, say, Rhode Island.

In Nature's Casino, By Michael Lewis, New York Times, August 26, 2007

And of course a hurricane did hit the Georgia coast before detailed records were kept, in 1898. The article notes that before Hurricane Andrew, insurers believed that a Florida hurricane would cost max a few billion. The actual cost was more like $15.5 billion, predicted only by one woman: Karen Clark, founder of A.I.R.

Sure, the Georgia coast doesn't have any single concentration of wealth like Miami. But it does have a swath of wealth that could be taken down by a single storm. And complacent owners who think it can't ever happen, just like people in Thailand didn't believe Smith Dharmasaroja before the 2004 Tsunami.

Meanwhile, on the Internet, the few insurers of Internet business continuity are winging it and most companies have no insurance at all, despite online crime becoming increasingly sophisticated, leveraging the global reach of the Internet, and the possibility of a global worm that could cause $100 billion damage still being out there.
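The modeler's method in the quoted passage, an invented history generated from pooled physical knowledge rather than from one coastline segment's own record, can be reproduced in miniature. The Python below is an added example, not code from this post, from the New York Times article or from R.M.S.; the landfall counts, coastline lengths and exposure values in it are constructed for illustration only. It compares a naive model, in which Georgia's zero recorded landfalls become a zero hazard, with a pooled model that apportions the regional landfall rate by coastline length, then estimates a 30-year hit probability and an expected annual loss for Georgia under each.

```python
"""Toy catastrophe model: 'seeing through Georgia's luck' with a synthetic history.
Added example, not from the post or the article; all numbers are constructed."""
import math
import random

RECORD_YEARS = 100
# Constructed 100-year landfall record. Georgia shows no hit, as in the article.
OBSERVED_HITS = {"Florida": 14, "Georgia": 0, "South_Carolina": 5}
# Constructed coastline lengths (km), used as the physical exposure weight.
COAST_KM = {"Florida": 2000, "Georgia": 160, "South_Carolina": 300}
# Constructed insured value at risk per segment, in billions of dollars.
EXPOSURE_BN = {"Florida": 400.0, "Georgia": 30.0, "South_Carolina": 60.0}


def naive_annual_rates(observed=OBSERVED_HITS, years=RECORD_YEARS):
    """Empirical model: each segment's future rate is exactly its past rate.
    A segment with no recorded hit gets rate 0, i.e. 'it can never happen'."""
    return {seg: hits / years for seg, hits in observed.items()}


def physical_annual_rates(observed=OBSERVED_HITS, years=RECORD_YEARS,
                          coast_km=COAST_KM):
    """Pooled model: one regional landfall rate, spread over the segments by
    coastline length, so a physically exposed segment keeps a non-zero hazard
    even when the short record happens to show no hit there."""
    regional_rate = sum(observed.values()) / years
    total_km = sum(coast_km.values())
    return {seg: regional_rate * km / total_km for seg, km in coast_km.items()}


def poisson(lam, rng):
    """Knuth's method for a Poisson draw with small mean (random has no poisson())."""
    threshold = math.exp(-lam)
    count, product = 0, 1.0
    while True:
        product *= rng.random()
        if product <= threshold:
            return count
        count += 1


def synthetic_history(rates, years, rng):
    """One invented history: yearly landfall counts per segment drawn from the rates."""
    return {seg: [poisson(rate, rng) for _ in range(years)]
            for seg, rate in rates.items()}


def simulated_hit_probability(rates, segment, horizon_years,
                              n_histories=10000, seed=7):
    """Fraction of invented histories in which the segment is hit at least once."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(n_histories):
        history = synthetic_history(rates, horizon_years, rng)
        if any(history[segment]):
            hits += 1
    return hits / n_histories


def analytic_hit_probability(rate, horizon_years):
    """Closed form for a Poisson process: P(at least one event in T years)."""
    return 1.0 - math.exp(-rate * horizon_years)


def expected_annual_loss(rates, exposure=EXPOSURE_BN):
    """Pure premium per segment: hazard rate times value at risk (billions/yr)."""
    return {seg: rates[seg] * exposure[seg] for seg in rates}


if __name__ == "__main__":
    models = (("naive", naive_annual_rates()), ("physical", physical_annual_rates()))
    for name, rates in models:
        p = simulated_hit_probability(rates, "Georgia", horizon_years=30)
        eal = expected_annual_loss(rates)["Georgia"]
        print(f"{name:8s} model: P(Georgia hit in 30 yrs) = {p:.3f}, "
              f"expected loss = ${eal:.3f}bn/yr")
```

Under the naive model the Georgia hit probability and the pure premium are exactly zero, which is the "it can't ever happen" position the post criticizes; under the pooled model the simulated probability lands close to the closed-form value of about 0.31 and the premium is non-zero. The same loop applies to the worm scenario in the paragraph above if the segments are classes of Internet-exposed businesses and the pooled rate is estimated from incidents observed anywhere rather than at any one company.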

-jsq

September 25, 2007

DRM: The Secret that Can't be Kept

Cory Doctorow on why DRM can never work:
It's great for email, but it can never work for movies, TV shows or music, because in the case of "copy protection" the receiver is also the person that the system is meant to guard itself against.

Say I sell you an encrypted DVD: the encryption on the DVD is supposed to stop you (the DVD's owner) from copying it. In order to do that, it tries to stop you from decrypting the DVD.

Except it has to let you decrypt the DVD some of the time. If you can't decrypt the DVD, you can't watch it. If you can't watch it, you won't buy it. So your DVD player is entrusted with the keys necessary to decrypt the DVD, and the film's creator must trust that your DVD player is so well-designed that no one will ever be able to work out the key.

Pushing the impossible, by Cory Doctorow, Guardian Unlimited, Tuesday September 4 2007

So as long as you can keep a secret from yourself, DRM will work....

-jsq
