Author Topic: Some thoughts I wanted to share with you all  (Read 20982 times)
Melih
« on: June 10, 2006, 05:03:18 PM »

The New Dawn: Security is not Trust
Despite talk about encryption and security on the Internet, we are still falling short of true identity trust assurance every time we go online. Why? Our current attempts at encryption only encrypt our communications, but don't check who is on the receiving end, giving users a false sense of security. After all, what is the point of encrypting something for someone you have not authenticated? For all we know, we could be encrypting and securing information for the fraudster on the other end.
Through real-world examples of fraud, phishing and finally trust, I will outline what steps are necessary to move the Internet from merely encrypted messaging to a secure environment with established trust between user and e-merchant and back again. This article will outline why some tools work and some don't, as well as what actions must be taken to prepare us for the next Internet revolution, the next threat and, hopefully, an age of trust.


Not all Animals - or Internet Padlocks - are created Equal!
It's a fact of life: we look different, we act different, and we feel different! And that is why browser providers like MS, Mozilla Firefox, Opera and KDE want to change the way their browsers look, feel and interact with the end user. Yet their security padlocks seem to remain unchanged, providing us with an icon of trust and security that may not only be outdated, but may be a wolf in sheep's clothing.
Today, not all Secure Sockets Layers (SSLs) - padlocks to the general user - are created equal, and some are even being used as tools in today's phishing attacks. However, it is hard to tell a secure lock from a non-secure lock when they all look the same. This growing online inconsistency is making it more important that our end users be able to identify a true authenticated site and that browsers work with trusted Certification Authorities to ensure that the padlocks are doing what they promise.
But the good news is: All is about to change! We are about to have a more trusted indicator in the browsers! http://news.com.com/Browsers+to+get+sturdier+padlocks/2100-1029_3-5989633.html

thanks
Melih
« Last Edit: November 25, 2007, 11:22:19 AM by Melih »

panic
« Reply #1 on: June 10, 2006, 05:26:31 PM »

Hey Melih,

The new padlock icon in IE7 is embedded within the application. How hard do you think it would be for someone to extract the unsafe padlock icon from the executable and replace it with a copy of the safe padlock icon? Then, the browser would show the safe icon regardless of the authentication level of the site.

Would it be better to have the safe and unsafe icons as separate image files that could be verified somehow each and every time they are due to be displayed by the browser?

What do you think?

Ewen :-)
 (WCF3)

As your mums would say, "If you can't play nice with all the other kiddies, go home".
All users are asked to please read and abide by the  Comodo Forum Policy.
If you don't like it, don't use the forum.
Melih
« Reply #2 on: June 10, 2006, 05:34:47 PM »

Quote
Hey Melih,

The new padlock icon in IE7 is embedded within the application. How hard do you think it would be for someone to extract the unsafe padlock icon from the executable and replace it with a copy of the safe padlock icon? Then, the browser would show the safe icon regardless of the authentication level of the site.

Would it be better to have the safe and unsafe icons as separate image files that could be verified somehow each and every time they are due to be displayed by the browser?

What do you think?

Ewen :-)
 (WCF3)

I really haven't analysed how IE7 handles this, Ewen, sorry :-( But if it is as easy as you suggest, then we should alert the IE guys to it. They are a great bunch of guys who are very serious about security and user experience.

Melih

panic
« Reply #3 on: June 10, 2006, 05:38:12 PM »

Quote
I really haven't analysed how IE7 handles this, Ewen, sorry :-( But if it is as easy as you suggest, then we should alert the IE guys to it. They are a great bunch of guys who are very serious about security and user experience.

Melih


I'm pretty sure that they are embedded icons but I'd love to be wrong. The bit I wrote about swapping the icons around was just off the top of my head, but it would certainly be easy enough to do, wouldn't it, and it would achieve the objective of misleading the user.

Ewen :-)
Melih
« Reply #4 on: June 10, 2006, 05:44:48 PM »

Quote
I'm pretty sure that they are embedded icons but I'd love to be wrong. The bit I wrote about swapping the icons around was just off the top of my head, but it would certainly be easy enough to do, wouldn't it, and it would achieve the objective of misleading the user.

Ewen :-)


OK, let's take a look at the threat model.
Today phishing takes place using SSL (there were 461 phishing attacks using SSL according to Netcraft). So the threat model does not require the phisher to introduce any client code into the victim's machine. In the method you are suggesting, there is a need for client code. So while it is possible to do what you are suggesting (based on the assumptions you make), it's not the current model that fraudsters/phishers use. But that does not mean that they won't in the future!

Melih
panic
« Reply #5 on: June 10, 2006, 06:00:15 PM »

Quote
OK, let's take a look at the threat model.
Today phishing takes place using SSL (there were 461 phishing attacks using SSL according to Netcraft). So the threat model does not require the phisher to introduce any client code into the victim's machine. In the method you are suggesting, there is a need for client code. So while it is possible to do what you are suggesting (based on the assumptions you make), it's not the current model that fraudsters/phishers use. But that does not mean that they won't in the future!

Melih


Yeah, I wasn't thinking in terms of just SSL attacks. If someone could manipulate the browser, then any site could give the appearance of safety, and most users really only concern themselves with the appearance.

e
Melih
« Reply #6 on: June 11, 2006, 01:15:02 AM »

Quote
Yeah, I wasn't thinking in terms of just SSL attacks. If someone could manipulate the browser, then any site could give the appearance of safety, and most users really only concern themselves with the appearance.

e


Yes, there is no protection, afaik, against code modifying the appearance.

Melih
1nf3s73d
« Reply #7 on: July 18, 2006, 01:09:24 PM »

I understand what panic is saying...
I used to love Hotbar,
a skin change for bland IE5 & 6.
Now picture a Hotbar (or some other company) skin alteration
for IE7 / Opera / Mozilla.
From what I used to understand, Hotbar is / was a key logger.
Now picture phishers paying Hotbar or someone else for rights to SSL locks or what have you.
I don't know how to put it, but it could be... bad... really, really bad news for many...
I haven't seen skins for IE7 but I have seen them for Opera and Firefox.

you're 'bout as ate up as a soup sandwich in the middle of the ocean dur'n a tsunami...
kail
« Reply #8 on: July 18, 2006, 02:51:29 PM »

Quote
Yes, there is no protection, afaik, against code modifying the appearance.

Melih

But... if the phishermen (?) can find the icon in memory and change it, then logic dictates that someone else must also be able to find it & detect if it has been changed or not. Right?

Vista Business x32+SP2 with CIS 3.12 & Firefox 3.5 & Becky! 2.52
__
A positive and polite attitude may not solve all your problems, but it will annoy enough people to make it worth the effort.
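The detection idea raised in Ewen's first reply (verify the icons each time they are due to be displayed) and in kail's reply above (if the icon can be found and changed, it can also be found and checked) amounts to a resource-integrity check: pin a known-good digest of each UI asset at build time and refuse to draw a padlock at all when any asset no longer matches. The following is an added, illustrative example and not code from Comodo, IE7 or any browser; the icon bytes are constructed stand-ins, and the names `build_manifest`, `verify_assets` and `icon_to_display` are hypothetical.

```python
"""Resource-integrity check for browser UI assets (illustrative, added example)."""
import hashlib
import hmac
from typing import Dict, Mapping

# Constructed sample assets: stand-ins for the "safe" and "unsafe" padlock
# icons. Real icons would be image bytes loaded from the application's
# resource section; the content here is arbitrary and only needs to differ.
PADLOCK_SAFE = b"\x89PNG-stand-in:padlock-safe-v1"
PADLOCK_UNSAFE = b"\x89PNG-stand-in:padlock-unsafe-v1"


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest of a resource blob."""
    return hashlib.sha256(data).hexdigest()


def build_manifest(assets: Mapping[str, bytes]) -> Dict[str, str]:
    """Pin known-good digests. Assumed to run at build time on trusted input
    and to be shipped in a form the attacker cannot rewrite (e.g. signed)."""
    return {name: sha256_hex(blob) for name, blob in assets.items()}


def verify_assets(manifest: Mapping[str, str],
                  assets: Mapping[str, bytes]) -> Dict[str, bool]:
    """Return name -> True if the asset matches its pinned digest.
    A missing asset counts as tampered; comparison is constant-time."""
    results: Dict[str, bool] = {}
    for name, expected in manifest.items():
        blob = assets.get(name)
        if blob is None:
            results[name] = False
            continue
        results[name] = hmac.compare_digest(sha256_hex(blob), expected)
    return results


def icon_to_display(manifest: Mapping[str, str],
                    assets: Mapping[str, bytes],
                    authenticated: bool) -> str:
    """Pick the icon the UI would draw. If any padlock asset fails
    verification, draw no padlock at all, so a swapped icon cannot be used
    to fake a 'safe' state; the failure is reported rather than hidden."""
    status = verify_assets(manifest, assets)
    if not all(status.values()):
        tampered = sorted(n for n, ok in status.items() if not ok)
        return "no-padlock (integrity failure: " + ", ".join(tampered) + ")"
    return "padlock-safe" if authenticated else "padlock-unsafe"


def demo() -> Dict[str, str]:
    """Intact asset set versus one where the safe icon was copied over the
    unsafe slot (the swap described in the thread)."""
    trusted = {"padlock-safe": PADLOCK_SAFE, "padlock-unsafe": PADLOCK_UNSAFE}
    manifest = build_manifest(trusted)
    swapped = {**trusted, "padlock-unsafe": PADLOCK_SAFE}
    return {
        "intact_unauth": icon_to_display(manifest, trusted, authenticated=False),
        "intact_auth": icon_to_display(manifest, trusted, authenticated=True),
        "swapped_unauth": icon_to_display(manifest, swapped, authenticated=False),
    }


if __name__ == "__main__":
    for case, shown in demo().items():
        print(case, "->", shown)
```

The caveat Melih gives later in the thread still applies: a check that runs inside the same process can be patched by the same code that patches the icon, so the digest list and the checker are only as strong as whatever protects them (a code-signed binary verified by the OS, or a component outside the browser process). The check raises the bar from "replace one resource" to "also defeat the verifier", which is the point kail is making.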
Melih
« Reply #9 on: July 18, 2006, 06:49:06 PM »

Quote
But... if the phishermen (?) can find the icon in memory and change it, then logic dictates that someone else must also be able to find it & detect if it has been changed or not. Right?

Even under this scenario a phisher can no longer just benefit from sending emails; he/she now has to introduce code into people's machines on top of the email.

Melih
kail
« Reply #10 on: July 18, 2006, 07:35:33 PM »

Quote
Even under this scenario a phisher can no longer just benefit from sending emails; he/she now has to introduce code into people's machines on top of the email.

So, are they targeting certain email clients (like Outlook/Outlook Express) & browsers (when web mail is used perhaps) and trying to exploit vulnerabilities or is it something else?
Melih
« Reply #11 on: July 18, 2006, 07:40:30 PM »

Quote
So, are they targeting certain email clients (like Outlook/Outlook Express) & browsers (when web mail is used perhaps) and trying to exploit vulnerabilities or is it something else?

They do social engineering attacks whereby they send an email pretending to be a bank and when user clicks on that link they go to a website that looks like a bank. And on this site, you are asked to part with your username and password etc. Now the phisher has all the info to logon to your bank and merrily transfer monies.

Melih
andyman35
« Reply #12 on: August 16, 2006, 10:44:33 AM »

Quote
I really haven't analysed how IE7 handles this, Ewen, sorry :-( But if it is as easy as you suggest, then we should alert the IE guys to it. They are a great bunch of guys who are very serious about security and user experience.

Melih


I'll be sticking with Opera for the foreseeable ;)
Melih
« Reply #13 on: August 16, 2006, 01:14:21 PM »

Quote
I'll be sticking with Opera for the foreseeable ;)

I like Opera too! They have a good bunch of developers who develop some cool technology! They are very forward looking.
(Actually we just recruited one of their good guys to help Comodo with Product management :-) )

Melih
comicfan2000
« Reply #14 on: September 23, 2006, 06:20:42 PM »

While I am not as security enlightened as most of you, I would think that in order to securely make others' mistakes safe (cough, IE), and since the browsers can be manipulated, perhaps a security measure that would install/attach to your browser, a sort of guard run from the PC that would detect changes/falsehoods in the browser if a manipulation was trying to take place, and stop it or notify the user, sort of a lock-down option or restart safety measure. Would this in fact help with SSL as well? Not too sure about that. Yet another hare-brained idea by yours truly.

 Cheers,

 Paul