Some thoughts I wanted to share with you all

The New Dawn: Security is not Trust
Despite talk about encryption and security on the Internet, we are still falling short of true identity trust assurance every time we go online. Why? Our current attempts of encryption only encrypt our communications, but don’t check who is on the receiver. Thus giving users a false sense of security. After all, what is the point of encrypting something for someone you have not authenticated? For all we know we could be encrypting and securing information for the fraudster on the other end.
Through real world examples of fraud, phishing and finally trust, I will outline what steps are necessary to move the Internet from merely encrypted messaging to a secure environment with established trust between user and emerchant and back again. This article will outline why some tools work and some don’t, as well as what actions must be taken to prepare us for the next Internet revolution, the next threat and hopefully an age of trust

Not all Animals – or Internet Padlocks - are created Equal!
It’s a fact of life, we look different, we act different, and we feel different! And that is why browser providers like MS, Mozilla Firefox, Opera and KDE want to change the way their browsers look, feel and interact with the end user. Yet, their security padlocks seem to remain unchanged, providing us with an icon of trust and security that may not only be outdated, but may be a wolf in sheep’s clothing.
Today, not all Secure Sockets Layers (SSLs) – padlocks to the general user - are created equal, and some are even being used as tools in today’s phishing attacks. However, it is hard to tell a secure lock from a non-secure lock when they all look the same. This growing online inconsistency is making it more important that our end users be able to identify a true authenticated site and that browsers work with trusted Certification Authorities to ensure that the padlocks are doing what they promise.
But the good news is: All is about to change! We are about to have a more trusted indicator in the browsers! http://news.com.com/Browsers+to+get+sturdier+padlocks/2100-1029_3-5989633.html .

thanks
Melih

Hey Melih,

The new padlock icon in IE7 is embedded within the application. How hard do you think it would be for someone to extract the unsafe padlock icon from the executable and replace it with a copy of the safe padlock icon? Then, the browser would show the safe icon regardless of the authentication level of the site.

Would it be better to have the safe and unsafe icons as separate image files that could be verified somehow each and every time they are due to be displayed by the browser?

What do you think?

Ewen
(WCF3)

I really haven’t analysed how IE7 handle this Ewen, sorry But if it is as easy as you suggest, then we should alert IE guys to it. They are great bunch of guys who are very serious about security and user experience.

Melih

I’m pretty sure that they are embedded icons but I’d love to be wrong. The bit I wrote about swapping the icons around was just off the top of my head, but it would certainly be easy enough to do, wouldn’t it, and it would achieve the objective of misleading the user.

Ewen

ok lets take a look at the threat model.
today phishing takes place using SSL (there were 461 phishing attacks using SSL according to netcraft). So the threat model does not require the phisher to introduce any client code into the victim’s machine. In the method you are suggesting, there is a need for a client code. So while it is possible to do what you are suggesting (based on the assumptions you make) its not the current model that fraudsters/phishers use. But that does not mean that they won’t in the future!

Melih

Yeah, I wasn’t thinking in terms of just SSL attacks. If someone could manipulate the browser, then any site could give the appearance of safety, and most users really only concern themselves with the appearance.

e

Yes, there is no protection, afaik, against code modiying the appearance.

Melih

I understand what panic is saying…
I use to love hot bar
a skin change for bland IE5&6
now picture hot bar (or some other company)skin alteration
for IE7 / opera / mozilla
from what I used to understand hot bar is / was a key logger
now picture phishers paying hot bar or someone else rights for ssl locks or what have you
I don’t know how to put it but could be…bad… really really bad news for many…
I haven’t seen skins for IE7 but I have seen them for opera and firefox

But… if the phishermen (?) can find the icon in memory and change it. Then logic dictates, that someone else must also be able to find it & detect if it has been changed or not. Right?

Even under this scenerio a phisher no longer can just benefit from sending emails, he/she now has to introduce a code into people’s machine on top of the email.

Melih

Even under this scenerio a phisher no longer can just benefit from sending emails, he/she now has to introduce a code into people's machine on top of the email.

So, are they targeting certain email clients (like Outlook/Outlook Express) & browsers (when web mail is used perhaps) and trying to exploit vulnerabilities or is it something else?

They do social engineering attacks whereby they send an email pretending to be a bank and when user clicks on that link they go to a website that looks like a bank. And on this site, you are asked to part with your username and password etc. Now the phisher has all the info to logon to your bank and merrily transfer monies.

Melih

I’ll be sticking with Opera for the forseeable (:WIN)

I like Opera too! They have a good bunch of developers who develop some cool technology! They are very forward looking.
(Actually we just recruited one of their good guys to help Comodo with Product management )

Melih

While I am not as security enlightened as most of you, I would think that in order to securly make other’s mistakes safe (cough IE) and since the browsers can be manipulated, perhaps a security measure that would install\attach to your browser, a sort of guard that would be run from the pc that would detect changes\falsehoods in the browser if a manipulation was trying to take place, stop or notify user of this, sort of a lock down option or restart safety measure. Would this in fact help with SSL as well? not too sure about that. Yet another hair brained idea by yours truly.

Cheers,

Paul

Well you certainly recruited well then! Opera is a fantastic browser that doesn’t get the recognition it deserves compared to Mozilla.It’s the most secure browser of all and like you say loaded with cool technology.Tabbed browsing,as an example,which is still far better implemented than all the others. (:CLP)

Opera is really great! I’m using it for years now and when all the others are telling me what great new features there are in Firefox now I just smile and try to remember since which Opera version I’m already using that great “new” technology.
Unfortunately People often stuck to what they know (IE), no matter how often you tell them about better solutions (Opera).
And please don’t recruit too many people from Opera. Opera really shouldn’t die.

I think the only really secure way of protecting any pc is instateful packet inspection to see what that packet of data contains, and what that packet of data can and will do when received. This gives Comodo a huge responsibility to monitor all data in and out of the system, but if used effectively could be an incredibly useful tool.

It would be hard to implement, how can you predict what each packet of data will do, when received, and re-integrated into it’s whole, but it’s not impossible. You can easily use predictive formulas to monitor data as it arrives, CRC’s to show file lengths, and file name and extensions, including options for allowing and disallowing data types in and out of the pc. You can also map out what applications need network access, and anything new, or unmapped is automatically denied, or flagged as suspect. (Here we go back to management console modules again)

Not to mention reactive data filtering again by packet inspection, to show what is contained, and it’s ultimate destination. The rules could be simple and generic, and a network learning mode, would be used to better manipulate and define this rule as time went on and more traffic flowed through the firewall.

Just some random thoughts.

Encyrption is a problem in this scenerio.

Melih

Well, it’s a problem if a pc not secured by Comodo is issuing encrypted data packets, for sure. But then that being the case it’s a rogue pc, and should either become controlled, or shutdown.

This is all about the functionality of the software, not the other issues that may be seen.

Question. Is there free software to secure the clients?

Answer: Yes

Question. Is there additional cost effective components to tie that free software into an enterprise class, efficient management tool?

Answer: In development.

The rest of the issues that exist, that you may not be able to control, are… Simply in existence. You can’t do anything about them.

I’ve seen hardware come and go. 8 bit isa, 16 bit isa, 32 bit vesa local bus, IBM’s MCI architecture, token ring and the network beacons, 4 and 16 mbps, then banyan vines, and later on ethernet. They all come with different functionality, and any software developed for one won’t work well on another, drivers changes, and the software has to manage as many differing generic situations as possible. As such you can’t do everything, so you cater to the market, you cater to the largest class that you can, and you write software that is as robust as possible.

Install the clients, install the management software, install the add-on components, and configure it all to run well, efficiently, and be an easy maintainable, network.

If someone starts encrypting data packets, then turn the option off. You know what your own clients are doing, in fact, you can see who is receiving and transmitting, it would not be hard to track down where that data is going even if you don’t know what the data contains.

Cater to your strengths, not your weaknesses.