ICANN Email List Archives

[gnso-ff-pdp-may08]



Re: [gnso-ff-pdp-may08] Choke points

  • To: "gnso-ff-pdp-May08@xxxxxxxxx" <gnso-ff-pdp-May08@xxxxxxxxx>
  • Subject: Re: [gnso-ff-pdp-may08] Choke points
  • From: "George Kirikos" <fastflux@xxxxxxxx>
  • Date: Thu, 7 Aug 2008 14:28:28 -0400

Hi Mark,

Thanks for taking the time to respond and fill out the broad
brushstrokes. To identify more choke points, though, needs more and
more detail. Since the attackers already have those details and are
succeeding, to some extent, I don't think "security through obscurity"
is necessarily good, but disclosing a higher level of detail, say the
"Idiot's Guide" version, can identify solutions.

Assume I'm completely stupid (which some folks probably do!) and try to
fill in more of the steps here:

On Thu, Aug 7, 2008 at 1:02 PM, Marc Perkel <marc@xxxxxxxxxx> wrote:
> A fraud operation starts with domain name tasting. It registers fakebank.com

So, to register a domain name, they need funds. Is it from a stolen
credit card? They also need an identity (for mandatory WHOIS). Is that
WHOIS completely fake, or a stolen one, or a borrowed one of a legit
registrant?

> and establishes a FF network of virus infected or hacked web servers to
> serve web pages for fakebank.com. These web pages trick victims into giving

Ok, so one choke point is to eliminate/attack the network of virus
infected/hacked webservers. Of course, a tall task, given that no
security system is 100% secure (i.e. bugs appear in WordPress, Apache,
PHP, Perl, Windows, Linux, IIS, SQL server, MySQL, etc. from time to
time that are not the fault of a domain registrant). In the botnets,
how many are on residential ISP blocks (that conceivably block
incoming port 80, like many do for outgoing/incoming SMTP blocking)?

Can the webserver software (IIS, Apache) be adjusted or put into a
safe mode so that if example.com's server is hacked and has malware at
http://www.example.com/user/hidden/malware/gotcha.html it won't serve
up that content to a different domain, i.e. www.fakebank.com ? (i.e.
creating fewer vulnerable hosts that an attacker can find that are
usable)

> up their account numbers and passwords to their accounts on realbank.com and

Ok, say I give you my bank account number and password for
realbank.com, but that realbank.com is protected by a 2nd factor, e.g.
a password sent by SMS to my cell phone, or by that PayPal security
key ($5). Is the attack now completely thwarted, i.e. the
username/password is completely worthless to you, and once you login
with them and don't have the 2nd factor, I'm alerted (and so is the
bank) to your attack?

More basic still, how are you logging in to my account? Are you
logging in via a Russian IP address? Or using one of the botnet PCs?
Or, through my own computer that you've taken over?

> their money is stolen.

More detail here please. You have my bank account, and you're somehow
in to my account. How do you get the money from you to me? What can
the bank do to thwart that completely? (i.e. maybe this is the choke
point that is most effective, and we're wasting everyone's time trying
to implement a more complex system, a more expensive system, on a
different choke point).

Who loses the money here, the bank, or me? (i.e. if the responsibility
shifts to the bank, they might take security more seriously, or would
help cover the costs of internet improvements/safety, see below)

> In order to do this the fraud operation uses spam to drive people to the
> fakebank.com site. The spam pretends to be realbank.com but has a link in
> the message that takes the victim to fakebank.com.

Ok, when do they send out the spam, in relation to the domain
creation/registration date above? Immediately? What happens if that is
delayed for a week?

The spam "pretends" -- does this mean they are using a "from" of
realbank.com, which can be thwarted by most people through Domain Keys
email or Sender ID/SPF? Are only companies opting not to use these
email authentication methods vulnerable? Are email users opting not to
have up to date email clients vulnerable, but those using the latest
versions safe?

How does one convert that link to a visitor? i.e. educating people not
to click links can thwart this attack vector? Does having the email
client actually remove the link (by filtering the HTML/message source)
thwart the attack? (i.e. compel people to type in the link in an
email, thereby also compelling banks, etc. either not to send links,
but to send "friendly" links that people can type in, e.g.
http://www.realbank.com/ or http://www.realbank.com/1234 instead of a
50 character URL.)

Going a step further, once I've clicked that link, why does the link
even resolve? If my ISP won't resolve that link, or if my browser
won't resolve that link, does that thwart the attack? In other words,
is the problem solved by having the ISP choose not to resolve things
(i.e. a "clean" ISP that automatically filters out phishing domains,
or a clean set of nameservers like OpenDNS that actively filters out
phishing domains, or modern browsers that warn/filter out phishing
domains?)?

> These messages are easily detected by spam filtering operations. Real banks
> don't send email through bot nets. If a bank is set up properly (some are,
> others should be) then all real email from realbank.com comes from servers
> whose FCrDNS points to *.realbank.com. Thus any email not from that hostname
> is fraud and mail from it is good. There are also a lot of other indicators

If the messages are so easily detected, then that means I should never
actually see them, right? (i.e. you can leave the domain name up
forever, and no real person will visit it?)

> that make this process nearly 100% accurate. (100% on positives, so no false
> positives. Possibly a few slip through if they are very clever).
> There are two choke points. Good spam filtering can stop most all of it, and
> can report it to registrars. Generally in such a system the registrar will

Back up a little, and assume I'm dumb/crazy. Why report it to the
registrars at all? If the system is 100% accurate, I should never see
the email to begin with, it ends up in my junk mail folder, or is
rejected by my incoming mail server before it even gets to me, or is
filtered by other opt-in non-centralized systems, besides the
registrar/registry?

If the only people that are actually making reports to the
registrar/registry are automated bots, because they "perfectly detect
the spam and have eliminated the potential to be victimized", then
aren't these reports low priority? (i.e. if a phishing site gets 1000
visits from automated scanning tools, but 0 visits from real people,
then we've "won" already, right?)

> get thousands of complaints from many reporting operations. The real choke
> point is taking down the fakebank.com domain. Once that is done then the

See above (and below). That's not the only choke point.

> spam doesn't matter, the Fast Flux doesn't matter, the link becomes dead and
> the victims are protected. Taking down that domain quickly is the key to
> making this work.

Why does it work? The attacker then creates 10,000 new domains, and
the process starts all over again. But, if there's another choke
point, they don't even bother to register those domains, because the
attacks are thwarted.

In other words, when one's only tool is a hammer, you start to think
that every problem is a nail (i.e. taking down the domain quickly
being the hammer).

> So - if the registrar of the domain in question is getting thousands of
> complaints from many reporters about fakebank.com and fakebank.com is fluxing
> and it's still in the tasting period it could be shut down through
> automation within minutes of the fraud starting. If such a system were in
> place then Fast Flux would stop working for fraud, then the criminals would
> abandon its use and the problem would be solved.

Ok, suppose you have such a great system, why isn't every ISP using it
instead, or why isn't every user opting into it? Or if the system is
"perfect", why aren't those who are making reports willing to provide
a huge bond against liability should they take down a legitimate site
by mistake?

Remember, even Yahoo/McAfee classified Google as a malware site:

http://www.techcrunch.com/2008/05/11/google-is-a-malware-site-says-yahoo/

and that was only three months ago. Even the US government shut down
the California government's domain (ca.gov).

http://www.networkworld.com/community/node/20192

less than a year ago.

> And we win - and without damage to any freedoms or liberties.
>
> People - this war is winnable if we do it right. I think that we can take
> out 90%+ of fraud with 100% accuracy within 5 minutes. And that's a
> conservative guess.

We need to be cautious that we do things right, and that there is a
predictable process that has safeguards, rights and responsibilities,
and that can't be gamed. From the play/movie "A Man For All Seasons"
there was an apt quote:

"William Roper: So, now you give the Devil the benefit of law!

Sir Thomas More: Yes! What would you do? Cut a great road through the
law to get after the Devil?

William Roper: Yes, I'd cut down every law in England to do that!

Sir Thomas More: Oh? And when the last law was down, and the Devil
turned 'round on you, where would you hide, Roper, the laws all being
flat? This country is planted thick with laws, from coast to coast,
Man's laws, not God's! And if you cut them down, and you're just the
man to do it, do you really think you could stand upright in the winds
that would blow then? Yes, I'd give the Devil benefit of law, for my
own safety's sake!"

That last line is particularly important. We accept some crime in this
world as the price for not living in a police state. That being said,
though, we can still try to make sound policies that can make the
world a much better place.

When I was in grad school, I used to be a teaching assistant for
various economics classes, which was a lot of fun. One thing I learned
in particular was that by explaining things to other people in detail,
I learned more about things myself, things that I took for granted,
allowing me to look at things from a different angle/direction. Thus
my motivation, when I'm "pretending to be dumb" (maybe not pretending!
:) ) is to make us all think more of what we're perhaps "missing" or
things we automatically overlook (i.e. "That can't be done, so I won't
even mention it") or are too shy to say lest we look "stupid" -- I'll
keep asking "stupid" questions, as I don't mind pretending I look
"stupid" if it achieves the goal of a better, more well considered
policy choice.

Some folks threw out stats of $500 billion in annual losses to this
list (which I've not seen backed up yet). Other sources say less:

http://www.ic3.gov/media/2008/080403.aspx
http://www.ic3.gov/media/annualreport/2007-IC3Report.pdf

$240 million in reported losses. Even allowing for unreported crimes,
that's a lot less than $500 billion.

Suppose we actually had $500 billion in losses, then we'd have
essentially unlimited resources to fight back with (i.e. we save the
banking system $50 billion/yr, and they'd gladly pay up $1 billion to
do XYZ), and no solution should be ruled out.

Hopefully we can come up with more choke points, before we start
picking the registry/registrars as "THE" solution (there might not
even be a solution, to play Devil's Advocate; is there a possibility
we are already at the best solution today?), and IF they *are* the
solution, how to effectively pick out the malefactors from the
responsible registrants.

And then when we start talking about solutions, once all of them are
visible, we'll have to start deciding how to pick amongst them, how to
pick the winners and losers (as there are certainly going to be some
losers, whether they be false positives, or folks that costs are
imposed upon, etc.). Economics can give us a guide, e.g. there are
notions of "Pareto Optimality" for example,

http://en.wikipedia.org/wiki/Pareto_efficiency

where a state is preferable to the current one if it makes some subset
better off, while making the remaining people no worse off. Of course,
Pareto optimality is a very weak standard (indeed, the starting point
of "I get 100% of the world's resources, and everyone else gets 0%" is
Pareto optimal by definition, and can't be improved upon). But, at some
point we'll have to start weighing pros and cons of various solutions,
and hopefully that will be done with economic costs/benefits in mind
as a metric as to whether a solution is "better" than doing nothing at
all. With the possibility of "side payments", one can perhaps
directly help some of those people experiencing costs, if there are a
lot more "winners" or beneficiaries from an optimal policy choice.

Sincerely,

George Kirikos
www.LEAP.com
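The FCrDNS rule Marc Perkel describes above (real mail for realbank.com comes only from servers whose forward-confirmed reverse DNS name is under *.realbank.com, anything else is treated as fraud) as an added worked example; it is not code from either poster. realbank.com is the thread's placeholder, and the IP addresses, hostnames and DNS tables are constructed here in place of live PTR/A lookups so the check runs offline.

```python
# Forward-confirmed reverse DNS (FCrDNS) sender check. Added example; the
# domain, hostnames, and IP addresses below are constructed sample data and
# the DNS tables stand in for real PTR/A lookups so the check runs offline.
from typing import Dict, List, Optional

# Constructed "DNS": reverse (PTR) records, keyed by connecting IP.
PTR_RECORDS: Dict[str, str] = {
    "192.0.2.10": "mx1.realbank.com",             # real mail server
    "192.0.2.11": "evilrealbank.com",              # naive suffix match trap
    "198.51.100.7": "host7.residential-isp.example",  # bot on a home line
    "203.0.113.5": "mx1.realbank.com",             # PTR lies; no forward match
}
# Constructed forward (A) records, keyed by hostname.
A_RECORDS: Dict[str, List[str]] = {
    "mx1.realbank.com": ["192.0.2.10"],
    "evilrealbank.com": ["192.0.2.11"],
    "host7.residential-isp.example": ["198.51.100.7"],
}


def fcrdns_hostname(ip: str, ptr: Dict[str, str] = PTR_RECORDS,
                    a: Dict[str, List[str]] = A_RECORDS) -> Optional[str]:
    """Return the forward-confirmed hostname for ip, or None.

    The PTR name counts only if its A records include the original ip;
    a missing PTR, or one whose name does not resolve back, is unconfirmed.
    """
    name = ptr.get(ip)
    if name is None or ip not in a.get(name, []):
        return None
    return name.lower().rstrip(".")


def in_domain(hostname: str, domain: str) -> bool:
    """True if hostname is domain or a subdomain of it, compared by label
    (so 'evilrealbank.com' is not under 'realbank.com')."""
    hostname, domain = hostname.lower().rstrip("."), domain.lower().rstrip(".")
    return hostname == domain or hostname.endswith("." + domain)


def classify_sender(ip: str, claimed_domain: str) -> str:
    """Apply the rule: mail claiming claimed_domain is accepted only from a
    host whose FCrDNS name lies under that domain."""
    host = fcrdns_hostname(ip)
    if host is None:
        return "reject: no forward-confirmed rDNS"
    if not in_domain(host, claimed_domain):
        return f"reject: {host} is not under {claimed_domain}"
    return f"accept: {host}"
```

The 203.0.113.5 entry shows why the forward confirmation matters: a PTR record alone is under the control of whoever holds the IP's reverse zone, so a bare rDNS string claiming realbank.com proves nothing until it resolves back to the same address.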



