APWG in Pittsburgh and Fraud in Japan

The Anti-Phishing Working Group is having one of its periodic member meetings, this time in Pittsburgh. Probably I shouldn’t report too much detail, but I’ll say that interesting things are going on worldwide that may spread to other countries. For example, in Japan it seems that fake programming sites are more popular than phishing. Also, if I heard correctly, most phishing in the Japanese language originates from phishers in Japan. This would make sense, since it’s very hard for foreigners to write well enough to pretend to be Japanese. So that one probably won’t spread too widely, but the fake programming scam could.

My favorite is the history attack. World War II ended on 15 August 1945 in Japan, so a timeline of that war can get a lot of hits on a war’s end link in August of any year. Who would have known history could be so popular?

Meanwhile, during Carnival in Brazil, nobody reports malware, so there’s a dip in measurements... Then, and for the rest of the year, sophisticated personalized social engineering attacks seem to be popular in Brazil.

-jsq

Fear of Flying and Fear of Terrorism

Here’s a good way to think about it:

…jet travel is safe enough that when someone suffers from fear of flying, he is asked to seek treatment. Flight attendants don’t grab the microphone and say, "We have someone on board who is afraid to fly. This means we are all in great danger." Yet in regard to terrorism, the most frightened voters are being allowed to dictate security policy. Unless you are personally anxious, you are considered unrealistic in the face of the terrorist threat, and politicians feel forced to be "strong on security," meaning that they must appeal to fear rather than to courage, patience, and trust. Therefore, it is up to each individual to nurture those qualities at home and spread their influence to others. Security is a quality of consciousness and always has been. Now is the time when personal security needs to come forward to counter mass insecurity.

How to Feel Safe and Secure (Part 2), Deepak Chopra, Huffington Post, September 28, 2007 | 03:21 PM (EST)

Or, as Bruce Schneier keeps saying, "refuse to be terrorized."

-jsq

Common Sense Lacking for Big Perils such as Georgia Hurricane or Worst-Case Worm

Why it’s not good to depend on common sense for really big perils:
The models these companies created differed from peril to peril, but they all had one thing in common: they accepted that the past was an imperfect guide to the future. No hurricane has hit the coast of Georgia, for instance, since detailed records have been kept. And so if you relied solely on the past, you would predict that no hurricane ever will hit the Georgia coast. But that makes no sense: the coastline above, in South Carolina, and below, in Florida, has been ravaged by storms. "You are dealing with a physical process," says Robert Muir-Wood, the chief scientist for R.M.S. "There is no physical reason why Georgia has not been hit. Georgia’s just been lucky." To evaluate the threat to a Georgia beach house, you need to see through Georgia’s luck. To do this, the R.M.S. modeler creates a history that never happened: he uses what he knows about actual hurricanes, plus what he knows about the forces that create and fuel hurricanes, to invent a 100,000-year history of hurricanes. Real history serves as a guide: it enables him to see, for instance, that the odds of big hurricanes making landfall north of Cape Hatteras are far below the odds of them striking south of Cape Hatteras. It allows him to assign different odds to different stretches of coastline without making the random distinctions that actual hurricanes have made in the last 100 years. Generate a few hundred thousand hurricanes, and you generate not only dozens of massive hurricanes that hit Georgia but also a few that hit, say, Rhode Island.

In Nature’s Casino, By Michael Lewis, New York Times, August 26, 2007

And of course a hurricane did hit the Georgia coast before detailed records were kept, in 1898. The article notes that before Hurricane Andrew, insurers believed that a Florida hurricane would cost at most a few billion. The actual cost was more like $15.5 billion, predicted only by one woman: Karen Clark, founder of A.I.R.

Sure, the Georgia coast doesn’t have any single concentration of wealth like Miami. But it does have a swath of wealth that could be taken down by a single storm. And it has complacent owners who think it can’t ever happen, just as people in Thailand didn’t believe Smith Dharmasaroja before the 2004 tsunami.

Meanwhile, on the Internet, the few insurers of Internet business continuity are winging it, and most companies have no insurance at all, even though online crime is becoming increasingly sophisticated and is leveraging the global reach of the Internet, and the possibility of a global worm that could cause $100 billion in damage is still out there.
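As an added sketch of the modeling argument above (my own illustration, not code or figures from the article or R.M.S.), the simulation below assigns each stretch of coast an assumed annual landfall rate, shows that a blank 100-year Georgia record is roughly a coin flip under a one-per-150-years hazard, and then recovers that rate from a synthetic 100,000-year history. All rates are constructed assumptions.

```python
import math
import random

# Constructed annual landfall rates per coastal segment (one landfall per N
# years on average). Assumed values for this example only, not figures from
# R.M.S. or the article.
SEGMENT_RATES = {
    "Florida": 1 / 8,
    "Georgia": 1 / 150,
    "South Carolina": 1 / 25,
    "North of Cape Hatteras": 1 / 60,
}

def p_zero_hits(rate, years):
    """Chance that a segment with annual rate `rate` shows no landfall in
    `years` years under a Poisson process. A high value means a blank
    record says little about the underlying hazard."""
    return math.exp(-rate * years)

def poisson(rng, lam):
    """Knuth's Poisson sampler; adequate for the small rates used here."""
    threshold, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p < threshold:
            return k
        k += 1

def synthetic_history(rates, years, seed=0):
    """Simulate `years` seasons and return total landfalls per segment:
    the 'history that never happened', built from assumed physical rates
    rather than from the short observed record."""
    rng = random.Random(seed)
    hits = {name: 0 for name in rates}
    for _ in range(years):
        for name, rate in rates.items():
            hits[name] += poisson(rng, rate)
    return hits

def blank_century_fraction(rate, centuries, seed=1):
    """Fraction of simulated 100-year records that contain no landfall."""
    rng = random.Random(seed)
    blank = sum(1 for _ in range(centuries)
                if sum(poisson(rng, rate) for _ in range(100)) == 0)
    return blank / centuries

if __name__ == "__main__":
    georgia = SEGMENT_RATES["Georgia"]
    print(f"P(no Georgia landfall in 100 years) = {p_zero_hits(georgia, 100):.2f}")
    print("100,000-year synthetic history:", synthetic_history(SEGMENT_RATES, 100_000))
    print("blank Georgia centuries:", blank_century_fraction(georgia, 400))
```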

-jsq

Mortgage Confusopoly Disintermediated

Adam Shostack finds a company disintermediating the other half of the house buying confusopoly, mortgages:
SmartHippo today launched the public beta version of the first ever web site that allows individuals to use the power of a community to save money and make better decisions when shopping for rates on financial products and services.

“The lending industry is in a state of transformation,” said George Favvas, President of SmartHippo, “and consumers are demanding more control and transparency in their dealings with banks and mortgage companies.”

SmartHippo allows any individual to post information and feedback on the rate they received, and to compare rates with other members of the community with similar profiles. This lessens the chance of consumers with the same lending and risk profile getting different rates on the same loan, which can happen currently.

SmartHippo.com Launches World’s First Community Comparison Shopping Site for Financial Services at TechCrunch40 Event; Founding Participating Banks Include QuickenLoans and Bank of Internet, PRWeb, 17 Sept 2007

This is different from companies like LendingTree that already facilitate getting multiple bids for mortgages in that SmartHippo lets mortgage customers comment on their experiences. Participatory, if you will.

-jsq

DRM: The Secret that Can’t be Kept

Cory Doctorow on why DRM can never work:
It’s great for email, but it can never work for movies, TV shows or music, because in the case of “copy protection” the receiver is also the person that the system is meant to guard itself against.

Say I sell you an encrypted DVD: the encryption on the DVD is supposed to stop you (the DVD’s owner) from copying it. In order to do that, it tries to stop you from decrypting the DVD.

Except it has to let you decrypt the DVD some of the time. If you can’t decrypt the DVD, you can’t watch it. If you can’t watch it, you won’t buy it. So your DVD player is entrusted with the keys necessary to decrypt the DVD, and the film’s creator must trust that your DVD player is so well-designed that no one will ever be able to work out the key.

Pushing the impossible, by Cory Doctorow, Guardian Unlimited, Tuesday September 4 2007

So as long as you can keep a secret from yourself, DRM will work….

-jsq

Web Panopticons: China and U.S.

Fergie points out a university project investigating censorship:

The "Great Firewall of China," used by the government of the People’s Republic of China to block users from reaching content it finds objectionable, is actually a "panopticon" that encourages self-censorship through the perception that users are being watched, rather than a true firewall, according to researchers at UC Davis and the University of New Mexico.

The researchers are developing an automated tool, called ConceptDoppler, to act as a weather report on changes in Internet censorship in China. ConceptDoppler uses mathematical techniques to cluster words by meaning and identify keywords that are likely to be blacklisted.

University Researchers Analyze China’s Internet Censorship System, News Report, Government Technology News, Sep 11, 2007

So the Great Firewall of China watches what users are doing by actively intercepting their traffic. Meanwhile, back in the U.S. of A., how about a passive web panopticon?


Mounties Admit Making Up Online Piracy Costs

Hey, if you don’t have any research, why not just pick some number off the net? Police agencies do:
However blogger Michael Geist thought there was something fishy about the figure and asked for the sources behind the Royal Mounted Police’s $30 billion claim.

The letter came back from red-faced coppers confessing that they made up the figure based on what they had read on the Internet.

The RCMP did not conduct any independent research on the scope or impact of counterfeiting in Canada, but rather merely searched a couple news stories.

Canadian coppers admit making up piracy figures, $30 billion figure simply plucked from bottom, By Nick Farrell, The Inquirer, Wednesday 19 September 2007, 08:52

I like the punchline:
Soon they’ll try solving their cases by looking to see who did it on Wikipedia.
And will they change their motto to “we always make up our scam?”

-jsq

What It Will Take to Win

IT and Internet security people and companies act mostly as an aftermarket. Meanwhile, the black hats are a well-integrated economy of coders, bot herders, and entrepreneurs. This is what it will take for the white hats to win:
It can seem overwhelming for security people, who are typically housed in a separate organization, to begin to engage with software developers and architects to implement secure coding practices in an enterprise. While the security team may know that there are security vulnerabilities in the systems, they have to be able to articulate the specific issues and communicate some ideas on resolutions. This can be a daunting task, especially if the security team does not have a prior working relationship with the development staff and understand their environment.

The task seems daunting also because there are so many developers compared to security people. I am here to tell you though that you don’t have to win over every last developer to make some major improvements. In my experience a small percentage of developers write the majority of code that actually goes live. The lead developers (who may be buried deep in the org charts) are the ones you need to engage; in many cases they really don’t want to write insecure code, they just lack the knowledge of how to build better. Once you have a relationship (i.e. that you are not just there to audit and report on them, but are there to help *build* more secure code) it is surprisingly easy to get security improvements into a system, especially if the design is well thought out and clearly articulated. You don’t have to get the proverbial stardotstar, each and every developer, on board to make positive improvements; it can be incremental. See some more specific ideas on phasing security in the SDLC here. In the meantime, with security budgets increasing 20% a year, use some of that money to take your top developers out to lunch.

Secure Coding – Getting Buy In, Gunnar Peterson, 1Raindrop, 17 Sep 2007

The start of what it will take.

-jsq

Online Crime Pays

Why Internet security professionals are losing:

Today, few malware developers use their own code. They write it for the same reason commercial software developers do: to sell it for a healthy profit. If you’ve ever bought anything online, buying from them may be disconcertingly familiar. If you want to break into a computer or steal credit card numbers, you can buy the necessary software online, just like almost anything else. More than that, you can find user-friendly, point-and-click attack applications that have been pre-tested and reviewed by experts, and read through customer feedback before making your purchase.

You might even be able to buy technical support or get a money-back guarantee. Some developers offer their malware through a software-as-a-service model. If you prefer an even more hands-off approach, you can simply buy pre-screened credit card numbers and identity information itself, or sign a services agreement with someone who will do the dirty work for you. As in many other industries, money has given rise to professionalism.

Online crime and malware development has become a full-blown and extremely profitable commercial enterprise that in many ways mirrors the legitimate software market. "We’re in a world where these guys might as well just incorporate," says David Parry, Trend Micro’s Global Director of Security Education. "There’s certainly more money in the cybercrime market than the antivirus market. The internet security industry is a drop in the bucket; we’re talking about hundreds of billions of dollars."

Computer crime is slicker than you think, By David Raikow, CRN, 16 August 2007 08:04AM

Makes you wonder how long until traditional security companies get bought out by newly-IPOed offshore malware corps.

-jsq

Quantitative >= Qualitative

See Pete Lindstrom’s Spire Security Viewpoint for empirical evidence that mechanical quantitative diagnosis is almost always at least as good as clinical qualitative diagnosis.

There is still plenty of room for qualitative decision-making in arenas where there aren’t enough facts, or the facts haven’t been quantified, or there’s no baseline, or there’s no mechanical method yet. But where those things are available, it’s better to use them. You’ll still need qualitative judgement for cases where the algorithm is right but didn’t take into account unfortunate side effects, for instance. Even then, you’ve got a better chance of knowing what you’re doing.

-jsq