ICANN Email List Archives

[gnso-ff-pdp-may08]



Re: [gnso-ff-pdp-may08] Choke points

  • To: fastflux@xxxxxxxx
  • Subject: Re: [gnso-ff-pdp-may08] Choke points
  • From: Joe St Sauver <joe@xxxxxxxxxxxxxxxxxx>
  • Date: Thu, 7 Aug 2008 18:38:48 -0700

Hi George,

#Would it be fair to say that a combination of factors are going to be
#needed, rather than just one? 

For fastflux? Or for spam and phishing and all the rest of it? When it
comes to spam and phishing, sure, a combination of approaches is
definitely needed, and people *are* using that sort of blended approach
today.

But when it comes to fastflux, well, what would go into that stew? So
far I think there are only a VERY limited selection of ingredients 
available.

#> Whois may be concealed by a whois privacy service, or be completely bogus,
#> or stolen, etc., yes. Another interesting google search:
#>
#>   bullet proof domain name registration
#
#This is where things can be done. For example, once a domain is caught
#to be conducting illegal activity (say via a privacy service), that's
#when one can blacklist that privacy service from registering a domain
#again (unless they cough up the real details of the responsible
#parties). Ultimately, the privacy service is the registrant, if they
#can't identify another responsible party.

Because whois is off topic for this list, feel free to drop me a line
off list to talk about this if you like...

#As for fake/bogus WHOIS, as you mentioned below, that doesn't require
#a "fast flux" policy --- domains can already be taken down for fake
#WHOIS without creating a separate policy.

Again, because this involves whois, please feel free to contact me offlist
for that topic.

#Right, and ultimately with user-generated content, the attackers can
#always infect MySpace pages, Facebook apps, Yahoo Geocities pages,
#etc. You don't see them being taken down, though. A lot of spam comes
#from Gmail, Hotmail, Yahoo, etc. as their captchas have all been
#broken, but those domains don't get taken down --- i.e. some level of
#"crime" is deemed to be acceptable.

More accurately, those operations all respond to their abuse reports
with alacrity; I see absolutely no indication that some level of crime 
is tolerated at any of those sites. 

#> Let's assume that the CBL is probably the best currently available
#> listing of bot'd hosts, typically listing in excess of 5,000,000 dotted
#> quads at any given time.
#
#How would ISP blocking of those hosts (or blocking through a browser)
#cut down on the problem? 

It wouldn't. The CBL has bot'd hosts that are associated with spam, but
there are HUGE numbers of botted hosts that can no longer emit spam (and
thus end up on the PBL), but which CAN be used for things like hosting
fast flux pages, or doing fast flux DNS.

Some may attempt to extend the "block port 25 to fix direct-to-MX spam"
fix, but unlike port 25 traffic, web traffic can be on any arbitrary
port (e.g., www.example.com:80 is typical, but a bad guy/bad gal could
just as easily run a web server (or a reverse proxy pointing to a web
server) on any arbitrary port on a botted host, e.g.
http://www.example.com:7890 )

#(i.e. moving the solutions to the "edge" not something central) 

Edge solutions suffer from deployment issues: e.g., millions of ISPs
can individually block example.com, or one registrar can deal with
that domain. I know which seems more scalable to me...

#What's the false positive rate for those lists, 

Very very low, which is why hundreds of millions of users are protected
by them.

#and how quickly do they remove an innocent black listed entry?

On the CBL? I don't run that blocklist, so I can't speak first hand, but
my understanding is that anyone can request that an IP be removed if it 
was mis-listed, or if it was properly listed but the spam problem's been
addressed.

When you first think about it, that may seem crazy, but you need to 
understand that if an address is delisted and then begins to spew spam 
again, it will just get relisted (e.g., see http://cbl.abuseat.org/faq.html 
under "I delisted my IP, but it keeps getting relisted again. Why??")

I'd also encourage you to write to cbl@xxxxxxxxxxxxxxx for questions about
that blocklist not covered by their FAQ. 

#> But keep in mind that many ISPs do NOT block http servers hosted in
#> user space, so the point may be somewhat moot.
#
#If it's a way to become a best practice (like port 25 blocking has
#become), and is cheaper to implement with less collateral damage, then
#I don't think it's something that should be discounted. 

To block http traffic you basically need to either do deep packet inspection
or you need to block ALL server traffic because of http's ability to be run
on arbitrary ports other than port 80/443.

#It's not something that ICANN can force upon ISPs, but they can use the bully
#pulpit to make some noise (or those who are most damaged, banks, etc.,
#can push for legislation or work with ISPs to fix the problem). If the
#NY attorney general can scare ISPs to stop access to Usenet binaries
#in the fight against child porn, one can probably find the right
#levers and buttons to push to get them to block port 80 too (where
#there's likely very little collateral damage).

Discouraging Usenet is a little like having the entire Dallas Cowboys
front line blitz an octogenarian; it's just not a very difficult target,
I'm afraid.

Many ISPs have long hungered for a plausible excuse to shed Usenet because
of the network traffic and disk space requirements involved (and of course
there are now 3rd party Usenet service providers who can absorb the reportedly
small number of remaining customers who want something beyond an 
Internet-as-web-instant-messaging-and-maybe-email experience). 

#> #Ok, say I give you my bank account number and password for
#> #realbank.com, but that realbank.com is protected by a 2nd factor, e.g.
#> #a password sent by SMS to my cell phone,
#>
#> Some folks have tried this approach. At least one successful attack has
#> been demonstrated as being able to overcome it:
#
#Right, I'm not saying any solution is going to be 100% effective. But,
#if it cuts down the problem substantially, raising the bar high on
#those who are able to defeat it, it means that they should do it (and
#might be more cost effective, etc.).

The tough part is that some of these vulnerabilities come with potentially
large costs for even single-user failures. If failures were akin to
captcha failures, and failure just meant, "Comment spam, again..." that
would be one thing, but two factor auth solutions, in particular, are
usually used to protect things of uniquely high value, such as
brokerage accounts, bank accounts, etc.

#> Hardware crypto tokens are nice, but are not a perfect solution for a
#> few reasons. See, for example:
#
#Right, not trying for a "perfect" solution, but one that is efficient,
#makes it much harder for attackers. A MITM attack is probably going to
#take a lot more sophistication than just somewhere one has a
#username/password to get access. Make it harder than just something
#point-and-click that a script kiddie can do.

I'm not so sure. Assume we're talking about the hardware crypto fobs
that work by generating a periodically changing "random-looking" 
number. Because of clock sync issues and number entry delays (some
people don't type very fast) the random-looking number doesn't change 
"constantly," it only changes every so many seconds. So, if I'm 
watching you enter your passwords, whether that's on the wire, on the 
desktop, or via a surreptitiously installed video camera pointed at 
your keyboard, I can get both your secret password and the hardware 
token password, and I should have at least a short period of time 
when that hardware token password will continue to be live...

And we all know that there are LOTS of pieces of malware that are 
targeted on sniffing traffic, including things like Bancos which date
from the summer of 2003. 

#> Money is normally extracted from compromised accounts by "cashiers,"
#> who perform that service in exchange for a flat fee, or more typically
#> a share of the funds extracted. See for example the discussion in
#> "An Inquiry Into the Nature and Causes of the Wealth of Internet
#> Miscreants," http://www.icir.org/vern/papers/miscreant-wealth.ccs07.pdf
#> at page two, right hand column near the bottom.
#
#They didn't really give much detail:
#
#"After purchasing credentials, the fraudster may employ the services
#of a "cashier," a miscreant who specializes in the conversion of financial
#credentials into funds. To perform their task, the cashiers may work
#with a "confirmer," a miscreant who poses as the sender in a money
#transfer using a stolen account."

It gets relatively small coverage in most carding discussions because it
is a comparatively straightforward process, but if you'd like a more
detailed treatment, see Byron Acohido and Jon Swartz's book, "Zero Day
Threat: The Shocking Truth of How Banks and Credit Bureaus Help Cyber
Crooks Steal Your Money and Identity," available from all the usual
booksellers. 

Oh, and another excellent discussion of the carding environment is 
"The Economy of Phishing: A Survey of The Operations of the Phishing
Market," http://www.firstmonday.org/issues/issue10_9/abad/

#One would think that there's not a huge supply of these people taking
#the risk of getting caught. Why aren't they getting caught? (i.e. the
#real money has to move out of the victim's account to someone else's
#account, and the money has to end up somewhere.....keep following the
#money)

The money may go from electrons to currency via an ATM in South America
or Eastern Europe. Unless you're a cop trailing the cashier, or you're
staking out the particular money machine they happen to use, or they
smile for the camera on the machine (assuming there is a camera on the
machine!), I think it would be hard to catch the person cashing out in
flagrante delicto, so to speak. 

And there are a million other scams...

#Hmmm, why is there any need for a "day old bread" list at all? Just
#download the entire zone file (from 6 days ago), 

Zone files are nominally only available to those who've signed a zone
file data access agreement.

#and if you see a
#domain name that wasn't in it, treat it differently, quarantine it,
#penalize it, etc. that'll capture nearly everything (except for a few
#cases where a registrant of an old domain eliminated their nameservers
#for a day)

There's also the mechanical issues -- DOB can be queried by anything
from anywhere, requiring no local zone storage or parsing, unlike the
download-the-zone-files-yourself approach. 

#Right, not looking for a perfect solution, just trying to whittle
#things down, taking out various attack vectors. E.g. if a bank had a 6
#day window to notice a newly registered fake8ank.com ("8" added as a
#typo for "b" or to look alike), that would give them a big window to
#stop an attack before it even started (if the DNS wouldn't resolve for
#a certain number of days after the creation date). Registrars, humans,
#brand monitoring agencies are pretty good at picking up lists of names
#to complain about, once they get published in the zone files (they
#just need a few days to work with registrars to get them shut down
#before things start).

There are indeed folks who specialize in identifying look-alike domains
and getting those domains taken down.

Unfortunately, a multiday window is often far too long to effectively
block a phishing domain, and that's why there is a push within the
antiphishing community to implement accelerated takedown procedures.

And then there's the issue of scalability, again. It takes a phisher
what, a minute, a few seconds, less than that?, to automatically
create a look alike domain. It takes a domain monitoring company how
long to convince each registrar to take down each domain it is 
reporting?

#> Sanitizing potentially dangerous email constructs with something like
#> Procmail Email Sanitizer (see
#> http://www.impsec.org/email-tools/procmail-security.html ) can be
#> very helpful, but note that by the time you're doing so, many HTML
#> formatted messages are NOT going to look very pretty.
#
#If that's the price to pay, I think that a lot of folks would be
#willing to pay the price of "not pretty" HTML messages if those emails
#are a lot more secure. If all banks could be made 100% safe by
#painting them purple and green, that would become the new "black".

Actually, people seem to really like HTML email because they can look
at externally observable characteristics (the message's "letterhead" 
if you will) for reassurance that it is the "real deal" and not a fake.

Someone good at cloning the look and feel of a site, and who has a
spell checker and a native English speaker on hand to make sure the
usage is correct, is a huge fraction of the way toward success in
convincing naive users that the mail they've received *must* be real.

Oh, and there's INCREDIBLE resistance to returning to plain text
email from most folks.

#> While some users enjoy extremely accurate spam filtering, others make
#> do with a somewhat leakier umbrella, shall we say, and there's the
#> constant tension between false positives and false negatives.
#
#And some folks will give up their passwords if someone calls them up
#on the telephone pretending to be a banker. We can't protect everyone
#from their own stupidity.

But neither can we expect every individual user to devote their lives to
developing technical expertise about combatting spam, phishing, malware,
etc. There are some tasks of that sort that should be handled by the
user's service provider. 

#> Actually, it pretty much is. Hate to say, and sure have looked at a lot
#> of other options (as my commentary above may illustrate), but for fastflux,
#> you really DO need registrar/registry cooperation.
#
#I think they're part of the solution, but not the only part.

Love to hear more about the other parts when it comes to going after 
fastflux!

#> #Why does it work? The attacker then creates 10,000 new domains, and
#> #the process starts all over again.
#>
#> Processes which scale well are highly desirable. :-)
#
#Indeed, that's what we're all trying to do. So, suppose .info, .com,
#etc. say, as an experiment, that freshly created domains don't resolve
#at all in the first 6 days. That scales well. What % of attacks would
#that stop? Collateral damage is arguably minimal, as most folks don't
#do much in those first few days (take a look at the number of parked
#domains at GoDaddy, for example).

I'd argue "virtually none." With the exception of some look alike domains
that might be targeted by brand monitoring services, all the rest of the
domains would just sit there aging. At the end of six days, the miscreants
would map them to IP's and begin to abuse them, the same as before, except
for a six day delay. 

#As long as folks are able to register and resolve domains faster than
#registrars are able to take them down, then this issue would continue
#to exist, unless there's a "cost" introduced that breaks that cycle.

I'm not sure the bad guys can outdo the good guys on that one, but we'd
have to wait and see I suppose, and of course the bad guys should be 
paying the cost of the domain each time, while the good guys would be
paying nothing. 

#> #why isn't every ISP using it instead, or why isn't every user opting
#> #into it.
#>
#> One cannot use what doesn't exist (as an ISP); user's don't have the
#> knowledge and technical ability to do so.
#
#Free market, there's an opportunity. Certainly ISPs subscribe to spam
#block lists, one would think it's not a huge technical leap to
#anti-phishing blacklist (and to some extent already done via OpenDNS,
#etc; 

But you gloss over the multiway relationship that may be involved... for
example, warez d00d A uses fastflux to host his software, and attempts to
encourage potential purchaser B to come and visit that site by spamming
advertisements at B and millions of other folks; software publisher, C,
or law enforcement agency D, needs to convince ISP E to interfere with
A and B's potential transaction... and then there's party F(1)...F(n)
with compromised machines which A has been exploiting, and all the
B(2)...B(n)'s who've been spammed, and all the other E's who need to
also take action, etc.

If you diagram it, it quickly comes to look like a New Yorker Magazine
cartoon science blackboard with arrows going all over the place. 

#I can block all .ru, .br, .badistan DNS from resolving with a
#click).

I generally discourage people from blocking all of Kerblechistan (or
whatever) on a country by country basis because in most cases countries
are not the right unit of analysis. Autonomous systems on the other hand,
I would not rule out -- if you route it, you're responsible for it.

#> #Or if the system is "perfect", why aren't those who are making reports
#> #willing to provide a huge bond against liability should they take down
#> #a legitimate site by mistake?
#>
#> For the same reason that "Good Samaritan" laws are needed in most states
#> to shelter public spirited individuals against malicious lawsuits or
#> unforeseeable misadventures in non-cyber situations.
#
#I don't think that's a good enough answer. If I'm Google and I'm
#registry operator goes above the wishes of the registrar, and shuts
#down the domain "by mistake", someone's gotta pay.

Safeguards for the googles of the world have already been treated 
previously. See, for example:

http://forum.icann.org/lists/gnso-ff-pdp-may08/msg00360.html

#"60 percent of the top 100 most popular Web sites  have either hosted
#or been involved in malicious activity in the first half of 2008."

But they're not fast fluxing on broadband hosts across diverse ASNs.

#> Only a fraction of all losses are reported. The IC3 report, in particular,
#> substantially over-represents auction related fraud for reasons they
#> acknowledge and discuss, e.g., see page 40 of "A Succinct Cyber
#
#Some folks have an incentive to overstate the problem, though. Some
#real stats from Australia:
#
# http://www.australianit.news.com.au/story/0,24897,23984660-15306,00.html
#
#"Chris Hamilton, chief executive of the Australian Payments Clearing
#Association - which runs the Eftpos network - said he was puzzled by
#the ABS figure of $1billion.
#
#According to its figures, fraud on locally issued cards reached $111.5
#million last year.
#
#"I would have assumed that nearly all instances of card fraud that
#come to the attention of the individual consumer would be reported to
#their financial institution," he said.

At the risk of disconcerting some of my antiphishing and anti-carding
colleagues, phishing and card fraud is relatively trivial in dollar 
volume compared to intellectual property theft. 

It's a sheer matter of trade volume, and the relatively low levels of
interdiction occurring on sometimes-perceived-as-"harmless" counterfeit
goods like knock off clothing and trademark infringing watches.

#And now that you mentioned above where the big losses are coming from,
#i.e. are sites like Pirate Bay, which have been online for years (and
#have fought things through the courts) susceptible to being shut down
#by some central authority if they decide to start using fast flux to
#have resilient hosting?

It is really sad, but fastflux is typically needed only for the worst
of the worst. All the rest of it can get traditional hosting somewhere
in the world...

#> Because there isn't, that's why some registrars get hammered with court
#> orders currently -- but THAT's an unwieldy and expensive process if
#> there ever was one.
#
#The price we pay in a civilized society when *private parties* want to
#settle disputes.

Or when *law enforcement agencies* are trying to enforce the criminal laws
that civilized society has passed and charged them with enforcing. :-)

Of course, when the government finds that the existing enforcement
mechanisms are too cumbersome, it often resorts to the other arrow
it carries in its quiver, new regulations to make its work more
tractable.

#I'm sure they do jump out and most become "obvious" -- there should be
#no worries about posting a "bond" for those cases. And, there's
#already a policy for takedown on bad WHOIS (or just needs to be
#enforced).

Again, happy to talk about whois with you off-list.

#"Criminal" is in the eye of the beholder. 

Already covered that one, too. Criminal behavior isn't subjective,
like the right amount of salt to add to a dish, it's objective for 
a given geographical locale. See the discussion at:

http://forum.icann.org/lists/gnso-ff-pdp-may08/msg00261.html

#Private enforcement and interpretation of public laws is a very
#dangerous and slippery slope (leads to vigilantism).

Industry self-policing need not involve vigilantism, and it is a well 
established principle of U.S. law that if one becomes aware of material 
information relating to a serious crime, one has an affirmative obligation 
to share that with the authorities under the misprision of felony doctrine. 
By way of a comparatively recent computer-related example, see for example

http://www.usdoj.gov/usao/ct/Press2007/20070927-1.html

But again, I would urge you to take this off list because I suspect
that this is yet another area that has scoping issues.

Regards,

Joe

Disclaimer: all opinions strictly my own
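The time-window weakness Joe describes for clock-based hardware fobs, worked through as an added example that is not part of the original message: it computes RFC 6238 time-based codes, shows how long a single observed code stays acceptable to a verifier that only checks a skew window, and shows the one-time-use tracking (RFC 6238 section 5.2) that closes the replay gap. The 30-second step, 6-digit codes, one step of tolerated skew and the RFC 4226 test secret are assumptions, not values from the thread.

```python
import hashlib
import hmac
import struct

# Assumed parameters (RFC 6238 defaults): 30-second steps, 6-digit codes,
# and a verifier that tolerates one step of clock skew either way.
STEP_SECONDS = 30
DIGITS = 6
SKEW_STEPS = 1


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HMAC-SHA1 one-time password for a given counter value."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: int, step: int = STEP_SECONDS) -> str:
    """Time-based code: the value the fob displays at Unix time `now`."""
    return hotp(secret, now // step)


def live_window_seconds(step: int = STEP_SECONDS, skew: int = SKEW_STEPS) -> int:
    """Longest time one observed code can stay acceptable to a verifier that
    checks +/- `skew` steps around the current one but keeps no state."""
    return step * (2 * skew + 1)


def naive_verify(secret, code, now, step=STEP_SECONDS, skew=SKEW_STEPS) -> bool:
    """Stateless check: any code within the skew window is accepted, so a code
    seen on the wire or over the shoulder remains usable for the window."""
    current = now // step
    return any(hmac.compare_digest(hotp(secret, s), code)
               for s in range(current - skew, current + skew + 1))


class ReplayResistantVerifier:
    """Same window check, but remembers the highest step already redeemed
    so a captured code cannot be accepted a second time."""

    def __init__(self, secret, step=STEP_SECONDS, skew=SKEW_STEPS):
        self.secret, self.step, self.skew = secret, step, skew
        self.last_step = -1  # per-user state; in practice stored server-side

    def verify(self, code: str, now: int) -> bool:
        current = now // self.step
        for s in range(current - self.skew, current + self.skew + 1):
            if s <= self.last_step:
                continue  # this step (or an older one) was already redeemed
            if hmac.compare_digest(hotp(self.secret, s), code):
                self.last_step = s
                return True
        return False


def demo():
    """Constructed scenario: RFC 4226 test secret, a real login at t=59, and an
    observer replaying the same code 16 seconds later."""
    secret = b"12345678901234567890"
    code = totp(secret, 59)                        # "287082", shown t=30..59
    naive_login = naive_verify(secret, code, 59)
    naive_replay = naive_verify(secret, code, 75)  # still inside the window
    verifier = ReplayResistantVerifier(secret)
    tracked_login = verifier.verify(code, 59)
    tracked_replay = verifier.verify(code, 75)     # rejected: step already used
    next_code_ok = verifier.verify(totp(secret, 89), 89)
    return code, naive_login, naive_replay, tracked_login, tracked_replay, next_code_ok
```

Note that one-time-use tracking only stops reuse of the same code; a code captured and submitted before the legitimate user's own request still wins, so the step window itself is the residual exposure.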


