Re: [gnso-ff-pdp-may08] Choke points

[Marc Perkel <marc@xxxxxxxxxx>]

George Kirikos wrote:
> Hi Mark,
>
> Thanks for taking the time to respond and fill out the broad
> brushstrokes. To identity more choke points, though, needs more and
> more detail. Since the attackers already have those details and are
> succeeding, to some extent, I don't think "security through obscurity"
> is necessarily good, but disclosing a higher level of detail, say the
> "Idiot's Guide" version can identify solutions.
>   
Keep in mind that the definition of "choke point" is a place where the 
process can most easily be stopped. The real chokepoint is to disable 
the domain fakebank.com at the registry. That kills that fraud scheme. 
So the faster we can take out fakebank.com the faster we shout it down.
> Assume I'm complete stupid (which some folks probably do!) and try to
> fill in more of the steps here:
>
> On Thu, Aug 7, 2008 at 1:02 PM, Marc Perkel <marc@xxxxxxxxxx> wrote:
>   
> > A fraud operation starts with domain name tasting. It registers fakebank.com
> >     
> So, to register a domain name, they need funds. Is it from a stolen
> credit card? They also need an identity (for mandatory WHOIS). Is that
> WHOIS completely fake, or a stolen one, or a borrowed one of a legit
> registrant?
>   
They have funds. If I'm stealing millions of dollars then I might invest 
$10 for a domain name. I would probably use a stolen card though so that 
the funds can't be traced to me. But that's not a barrier.
>   
> > and establishes a FF network of virus infected or hacked web servers to
> > server web pages for fakebank.com. These web pages trick victims into giving
> >     
> Ok, so one choke point is to eliminate/attack the network of virus
> infected/hacked webservers. Of course, a tall task, given that no
> security system is 100% secure (i.e. bugs appear in WordPress, Apache,
> PHP, Perl, Windows, Linux, IIS, SQL server, MySQL, etc. from time to
> time that are not the fault of a domain registrant). In the botnets,
> how many are on residential ISP blocks (that conceivably block
> incoming port 80, like many do for outgoing/incoming SMTP blocking)?
>
> Can the webserver software (IIS, Apache) be adjusted or put into a
> safe mode so that if example.com's server is hacked and has malware at
> http://www.example.com/user/hidden/malware/gotcha.html it won't serve
> up that content to a different domain, i.e. www.fakebank.com ? (i.e.
> creating fewer vulnerable hosts that an attacker can find that are
> usable)
>
>   
That would not be a choke point. That's like damming a river at the 
widest point. Some of these servers are viruses that provide web services.
> > up their account numbers and passwords to their accounts on realbank.com ant
> >     
> Ok, say I give you my bank account number and password for
> realbank.com, but that realbank.com is protected by a 2nd factor, e.g.
> a password sent by SMS to my cell phone, or to by that PayPal security
> key ($5). Is the attack now completely thwarted, i.e. the
> username/password is completely worthless to you, and once you login
> with them and don't have the 2nd factor, I'm alerted (and so is the
> bank) to your attack?
>   
Most people don't have that kind of security. So they might not be able 
to rip you off but they can rip off some "little old lady" who doesn't 
know anything about the Internet or security issues.
> More basic still, how are you logging in to my account? Are you
> logging in via a Russian IP address? Or using one of the botnet PCs?
> Or, through my own computer that you've taken over?
>   
Probably through a bot net computer acting as a proxy for your 
realbank.com server. You type in your user name and password and they 
pass that through to realbank. Or the might email your login to someone 
in Russia or Nigeria who will log in manually and transfer your money out.
>   
> > their money is stolen.
> >     
> More detail here please. You have my bank account, and you're somehow
> in to my account. How do you get the money from you to me? What can
> the bank do to thwart that completely? (i.e. maybe this is the choke
> point that is most effective, and we're wasting everyone's time trying
> to implement a more complex system, a more expensive system, on a
> different choke point).
>   
When you get a spam saying "Your paypal account is locked" and you log 
into fakebank.com and give up your user name and password - they take 
that and they log into real paypal and send your money to their account.
> Who loses the money here, the bank, or me? (i.e. if the responsibility
> shifts to the bank, they might take security more seriously, or would
> help cover the costs of internet improvements/safety, see below)
>   
Depending on the situation either the account holder loses the money or 
the bank loses it. If the bank loses it then we all lose it through 
increased fees to pay for the losses.
>   
> > In order to do this the fraud operation uses spam to drive people to the
> > fakebank.com site. The spam pretends to be realbank.com but has a link in
> > the message that takes the victim to fakebank.com.
> >     
> Ok, when do they send out the spam, in relation to the domain
> creation/registration date above? Immediately? What happens if that is
> delayed for a week?
>   
It's immediate. The faster they get it the more money they make before 
it gets shut down.
> The spam "pretends" -- does this mean they are using a "from" of
> realbank.com, which can be thwarted my most people through Domain Keys
> email or Sender ID/SPF? Are only companies opting not to use these
> email authentication methods vulnerable? Are email users opting not to
> have up to date email clients vulnerable, but those using latest
> versions are safe?
>   
Yes - they are spoofing the from address. They also use the logos and 
graphics of the real site so it looks the same. An expert like myself 
can tell the difference but most people can't. As to SPF, Domain Keys, 
etc. People like me can use that to block spam, but most of the world 
isn't using my filters. And some banks do a sloppy job of protecting 
their email. Bank of America allows third party vendors to email on 
their domain making it not easy for me to figure out what's real and 
what's fake.
Also - SPF is a totally useless technology that is actually 
counterproductive. But if you want to debate that I'll do it in a 
separate thread.
> How does one convert that link to a visitor? i.e. educating people not
> to click links can thwart this attack vector? Does having the email
> client actually remove the link (by filtering the HTML/mesage source)
> thwart the attack? (i.e. compel people to type in the link in an
> email, thereby also compelling banks, etc. either not to send links,
> but to send "friendly" links that people can type in, e.g.
> http://www.realbank.com/ or http://www.realbank.com/1234 instead of a
> 50 character URL.
>   
I think someone should create free educational videos that people must 
watch to get an email account. That would take a bite out of the 
problem. However, as they say, "There's a sucker born every minute." So 
counting on people being smart isn't a solution in itself.
> Going a step further, once I've clicked that link, why does the link
> even resolve? If my ISP won't resolve that link, or if my browser
> won't resolve that link, does that thwart the attack? In other words,
> is the problem solved by having the ISP choose not to resolve things
> (i.e. a "clean" ISP that automatically filters out phishing domains,
> or a clean set of nameservers like OpenDNS that actively filters out
> phishing domains, or modern browsers that warn/filter out phishing
> domains?)?
>   
How is the ISP going to know that fakebank.com is phishing? That 
technology doesn't exist. However - my suggestion about publishing 
registry data (some in whois) through DNS would provide the information 
that could lead to that kind of blocking. But I think it's better 
blocked at the spam level that the ISPs DNS level. Or ultimately the 
main choke point is to kill the domain at the registry level. That take 
it offline everywhere instantly. (Or near instantly)
>   
> > These messages are easily detected by spam filtering operations. eal backs
> > don't send email through bot nets. If a bank is set up properly (some are,
> > others should be) then all real email from realbank.com comes from servers
> > whose FCrDNS points to *.realbank.com. Thus any email not from that hostname
> > is fraud and mail from it is good. There are also a lot of other indicators
> >     
> If the messages are so easily detected, then that means I should never
> actually see them, right? (i.e. you can leave the domain name up
> forever, and no real person will visit it?)
>   
If I'm doing your spam filtering this wouldn't be a problem for you. but 
I have the best filter on the planet. Most of the world has poor, little 
or no filtering.
>   
> > that make this process nearly 100% accurate. (100% on positives, so no false
> > positives. Possibly a few slip through if they are very clever).
> > There are two choke points. Good spam filtering can stop most all of it, and
> > can report it to registrars. Geberally in such a system the registrar will
> >     
> Back up a little, and assume I'm dumb/crazy. Why report it to the
> registrars at all? If the system is 100% accurate, I should never see
> the email to begin with, it ends up in my junk mail folder, or is
> rejected by my incoming mail server before it even gets to me, or is
> filtered by other opt-in non-centralized systems, besides the
> registrar/registry?
>   
The spam I block works for my customers which is a very small fraction 
of the world. most of this spam gets through. But if we report it to the 
registry then they can shut it down worldwide and kill it completely.
> If the only people that are actually making reports to the
> registrar/registry are automated bots, because they "perfectly detect
> the spam and have eliminated the potential to be victimized, then
> aren't these reports low priority? (i.e. if a phishing site gets 1000
> visits from automated scanning tools, but 0 visits from real people,
> then we've "won" already, right?)
>   
I'm not reporting the bots. I'm reporting what the spam from the bots 
link to. They all limk to fakebank.com. So if we kill the domain 
fakebank.com then the fraud is stopped. If the spam gets through and 
they click on the link and fakebank.com has been disabled at the 
registry then nothing happens.
This is an important concept so everyone pay attention. Spam needs the 
victim to do something to communicate back to the spammer. So even if 
the spam gets through - and some will, if the victim can't get to the 
spammer's web site (fakebank.com) then the fraud is stopped. If the spam 
can't be stopped then the fraud can be if the communication back is stopped.
>   
> > get thousand of complains from many reporting operation. The real choke
> > point is taking down the fakebank.com domain. Once that is done then the
> >     
> See above (and below). That's not the only choke point.
>   
Actually that is the choke point because in one place you can shut them 
down worldwide.
>   
> > spam doesn't matter, the Fast Flux doesn't matter, the link becomes dead and
> > the victims are protected. Taking down that domain quickly is the key to
> > making this work.
> >     
> Why does it work? The attacker then creates 10,000 new domains, and
> the process starts all over again. But, if there's another choke
> point, they don't even bother to register those domains, because the
> attacks are thwarted.
>   
If these domains are shut down in minutes after they are used then it 
becomes useless. If someone is registering domains that fast then the 
registrar sould disallow that. I don't think that a bot net can operate 
that quickly.
> In other words, when one's only tool is a hammer, you start to think
> that every problem is a nail (i.e. taking down the domain quickly
> being the hammer).
>   
The registry is the only single point where they (fakebank.com) can be 
shut down globally with a single change.
>   
> > So - if the registrar of the domain in question is getting thousands of
> > complains from many reporters about fakebank.com and fakebank.com is fluxing
> > and it's still in the tasting period it could be shut down through
> > automation within minutes of the fraud starting. If such a system were in
> > place then Fast Flux would stop working for fraud than the criminals would
> > abandon it's use and the problem would be solved.
> >     
> Ok, suppose you have such a great system, why isn't every ISP using it
> instead, or why isn't every user opting into it. Or if the system is
> "perfect", why aren't those who are making reports willing to provide
> a huge bond against liability should they take down a legitimate site
> by mistake?
>   
This system doesn't yet exist. I'm suggesting as a solution to create 
this system. ISPs don't need to do anything. This is a system that would 
involve the cooperation of filtering companies and registrars. It 
involvs registrars providing public data we need through DNS and us 
providing them with automated alters that they can run a manual and 
automated take down system to disable FF domains that are being used for 
fraud.
(FF domains not being used for fraud would not be affected because there 
wouldn't be a spam campaign driving it. So free speech is safe from this 
method.)
> Remember, even Yahoo/McAfee classified Google as a malware site:
>
> http://www.techcrunch.com/2008/05/11/google-is-a-malware-site-says-yahoo/
>   
Getting it right means building in protections so that doesn't happen. 
And that's doable.
> and that was only three months ago. Even the US government shut down
> the California government's domain (ca.gov).
>
> http://www.networkworld.com/community/node/20192
>
> less than a year ago.
>
>   
> > And we win - and without damage to and freedoms or liberties.
> >
> > People - this war is winnable if we do it right. I think that we can take
> > out 90%+ of fraud with 100% accuracy within 5 minutes. And that's a
> > conservative guess.
> >     
> We need to be cautious that we do things right, and that there is a
> predictable process that has safeguards, rights and responsibilities,
> and that can't be gamed. From the play/movie "A Man For All Seasons"
> there was an apt quote:
>
> "William Roper: So, now you give the Devil the benefit of law!
>   
I don't know what kind of detail you all want but I think that 
safegaurds wouldn't be to hard to implement. For example, if you 
excluded all domains over 1 yeal old and all domains that are paid up 1 
year in advance they you would eliminate false positives on almost all 
the important internet sites. To be caught they would have to be 
massively sending spam through bot nets, linking to a fast fluxing 
domain, pretending to be a bank, and doing a number of sins that real 
domains don't do in order to be accidentally shut down. It's not likely 
it's going to happen.
And if it does then you turn the domain back on, apologize profusely, 
and repair the flaw that caused the problem.
> Hopefully we can come up with more choke points, before we start
> picking the registry/registrars as "THE" solution (there might not
> even be a solution, to play Devil's Advocate; is there a possibility
> we are already at the best solution today?), and IF they *are* the
> solution, how to effectively pick out the malefactors from the
> responsible registrants.
>   
If anyone knows of any other single choke point other than shutting down 
fakebank.com I'm interested. I agree that we need to identify and 
evaluate choke points.
> And then when we start talking about solutions, once all of them are
> visible, we'll have to start deciding how to pick amongst them, how to
> pick the winners and losers (as there are certainly going to be some
> losers, whether they be false positives, or folks that costs are
> imposed upon, etc.). Economics can give us a guide, e.g. there are
> notions of "Pareto Optimality" for example,
>
> http://en.wikipedia.org/wiki/Pareto_efficiency
>
> where a state is preferable to the current one if it makes some subset
> better off, while making the remaining people no worse off. Of course,
> Pareto optimality is a very weak standard (indeed, the starting point
> of "I get 100% of the world's resources, and everyone else gets 0%" is
> Pareto optimal by definition, and can't be improved upon. But, at some
> point we'll have to start weighing pros and cons of various solutions,
> and hopefully that will be done with economic costs/benefits in mind
> as a metric as to whether a solution is "better" than doing nothing at
> all. With the possibility of "side payments",  one can perhaps
> directly help some of those people experiencing costs, if there are a
> lot more "winners" or beneficiaries from an optimal policy choice.
>
>   
I think if we do it right we can do it without losers. (Except of course 
for those committing fraud. I think that we can take down a huge number 
of fraud operations without taking down any good sites. It isn't going 
to get all the bad guys but it will get most of them. And I think most 
is a good start.
Also - many people think that this war isn't winnable. I think it is. 
And if you think about it you can see that this is actually doable in a 
way that doesn't have bad side effects and is not only cost effective 
but actually saves money.
But - I would like to ask for the reality standard here. Solutions that 
actually will work in the real world. So - if any ideas I come up with 
are flawed I'm willing to give it up immediately. No sense in wasting 
time on bad ideas. So if I'm wrong let me know and I'm off to work on a 
new/better idea.
Additionally if nothing we come up with actually will work then we'll 
accept failure and report the problem might not yet be solvable.