It’s amazing how people can be influenced by a convincing speaker who makes points with conviction, but who happens to be behind the curve in terms of technological developments. I talked to somebody recently who was of the opinion that technical attacks are how people have their identity stolen. The speaker who’d influenced her had said modern operating system security was to blame.
Had he been speaking 2 years ago, I think I’d have been on-side. But look at the situation today. Put yourself in the shoes of the “CEO” of an organised crime syndicate. Looking at the return on investment, what would you do? The choices are to perform a technical attack (on the machine or its connection to, say, a banking website) or a human attack (set up a phishing web site).
Technical attacks: you need to acquire the skills. You’re never going to break into a modern secure connection (say an SSL connection between your victim’s computer and their banking website). The cost of the computing power is too immense and it would be too slow to render anything useful. You now have to try and get some of your malicious software on to the victim’s machine. There are 2 ways: authenticated and unauthenticated. Things like worms exploit weaknesses in the operating system where certain facilities don’t require credentials. In other words, you don’t need a username/password to get your code to execute on somebody’s computer. Authenticated access – you do need a username and password to get it to execute. So you create malicious software and use some form of subterfuge to get the user to download it on to their machine and execute it. That way, they’ve already used their username and password to log on in the first place. Let’s call this scam lovebug.vbs and put it in an email titled “I Love you”, for example.
But let’s have a look at that. Is that a technical attack? No. Your computer will execute the instructions embedded into the software you run on it. The question is, how did the lovebug (or keylogger) get on to your machine in the first place? That was subterfuge, wasn’t it? That’s a human attack. It has nothing to do with operating system security. So we’re back to unauthenticated attacks again.
The thing that has got in the way of unauthenticated attacks in the past couple of years has been the personal firewall. In the case of Windows XP and Vista, this is built-in software that doesn’t permit data to enter your machine unless you initiated its download. So for example, requesting a web page would be permitted because you initiated the request, but if somebody tried to send some data to your machine it wouldn’t work because you never initiated it in the first place.
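Here is a toy model of the decision the paragraph describes (an added example, not from the original post or from any real firewall product): a connection-tracking table keyed on the local port and remote address, so that only replies to flows the machine itself started get in. The addresses, ports and the 60-second expiry are constructed for the illustration.

```python
from dataclasses import dataclass

LOCAL_HOST = "192.0.2.10"  # constructed address for the user's PC
STATE_TIMEOUT = 60         # constructed: seconds a tracked flow stays open without traffic


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class StatefulFirewall:
    """Personal firewall: inbound data is accepted only as the reply to a
    flow the local machine itself initiated."""

    def __init__(self, local_ip):
        self.local_ip = local_ip
        # (local_port, remote_ip, remote_port, proto) -> time last seen
        self.conntrack = {}

    def outbound(self, pkt, now):
        # Anything we send records the flow, so its replies are now expected.
        key = (pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.proto)
        self.conntrack[key] = now
        return "ALLOW"

    def inbound(self, pkt, now):
        # Accept only the reverse direction of a tracked, unexpired flow.
        key = (pkt.dst_port, pkt.src_ip, pkt.src_port, pkt.proto)
        seen = self.conntrack.get(key)
        if seen is not None and now - seen <= STATE_TIMEOUT:
            self.conntrack[key] = now  # refresh the entry
            return "ALLOW"
        return "DROP"


def demo():
    fw = StatefulFirewall(LOCAL_HOST)
    web = "198.51.100.7"      # constructed web server address
    stranger = "203.0.113.9"  # constructed unsolicited sender
    request = Packet(LOCAL_HOST, 51000, web, 443)      # user requests a page
    reply = Packet(web, 443, LOCAL_HOST, 51000)        # server answers that request
    unsolicited = Packet(stranger, 40000, LOCAL_HOST, 8080)  # nobody asked for this
    late_reply = Packet(web, 443, LOCAL_HOST, 51000)   # arrives after state expired
    return [fw.outbound(request, 0), fw.inbound(reply, 1),
            fw.inbound(unsolicited, 2), fw.inbound(late_reply, 500)]
```

The same rule also drops a reply spoofed from a different address, because the remote IP is part of the tracked key.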
It’s not only XP and Vista: many Linux distributions and the Mac either use built-in versions, or computer owners are going to the computer store to buy personal firewall software.
Also, security patches are released so quickly when defects are discovered that these attacks never get the stranglehold they once did.
So the next thing might be to create a dangerous ActiveX control (that’s just a fancy way of saying software) that does something not in your best interests. You put it on a website and encourage your victims to download it. Perhaps the control searches every file on your hard disk looking for the string “password”. When it finds it, the file gets copied to the fraudster’s website, where they later examine it in detail hoping to extract a useful site/user-id/password combination. Hopefully, it’s your banking website.
But how do you encourage your victims to download the control? Especially these days where the default behaviour for most browsers is not to download controls. Well, I guess you put some instructions that say something like “You will receive a warning about this control. Ignore the warning and click OK”. If anybody falls for that, it’s a human attack not a technical attack. Again, they got some software on your machine and got you to execute it.
Microsoft has recently introduced features like User Account Control (UAC), where weird stuff happens when you do something that has all the hallmarks of a dangerous activity. A dialogue box pops up, the background goes dark and you can do nothing other than answer this dialogue. Even with all this weirdness happening, there are people who will ignore the weirdness and click OK to install the software. They have usually been foxed by a clever message describing exactly what will happen and encouraging them to click OK. It’s a human attack.
The vast majority of the attacks that are performed on computers take place in the last 2 feet of the connection from the web server to the human being. The 2 feet between the screen and the user.
The classic phishing attack does this. You receive an email that says it’s from your bank. You have apparently made a large withdrawal and they encourage you to log in to your account here. In a panic you go right ahead and click here to reveal what looks like your banking website. It asks for your account number and password and so you dutifully type the secret you’d not even tell your best friend. Now the criminals have your account number and password, you are doomed. According to anti-phishing.org, 54 hours later the bogus web site will have disappeared off the face of the earth – with your money.
But that’s not a technical attack. It’s a human attack. It used subterfuge to fool a human into doing something that’s against their best interests. Why does it work? Because as humans we’ve become conditioned to 2 things. We type our passwords into web pages. We expect every web page we ever see to ask for our username in a different way. It’s a tragic weakness of the web that it allows stunning creativity. Each site likes to show off its individuality.
Compare this with the way you log in to an operating system like Windows. The Windows weakness is that the login experience is different between each version of Windows. But if you are logging in to, say, Windows XP at your employer, it doesn’t matter if you log in to your own machine, your friend’s machine or a machine on the 5th floor owned by somebody else – you will be prompted for your secret credentials in exactly the same way. Every time. Absolute consistency. So much so that if the screen looked different, if the experience was different, if it simply wasn’t “right”, you’d be suspicious that something had gone wrong.

This consistency doesn’t exist and is certainly not expected on the internet. It’s one of the reasons why a phishing site doesn’t actually have to be that faithful a reproduction of its genuine counterpart. In many cases if the brand colour is approximately right and the correct logo appears on the site somewhere, that’s good enough. So we can say it’s the lack of consistency that is the biggest aid in fooling the human being.

I was a little taken aback when this lady suggested it is this very lack of consistency that is protecting us from these attacks. She argued that if all the sites use a different technology, it makes it harder to compromise the “entire system”. But of course, she’s talking about technical attacks, not human attacks. As I said earlier, not very many criminals perform technical attacks. They can’t recruit the mind-numbingly cerebral skills required, and they can’t acquire enough computer power. They write simple software that logs keystrokes or searches your hard drive for plain text passwords and they use human attacks to try to get you to execute them. I only talked to her for about 40 minutes, on the telephone, and she left the conversation convinced the problem is technology.
I think if you look at Kim Cameron’s 7 laws of identity, and the resulting standards for the identity metasystem and the idea of using Information Cards, these technologies directly address these human attacks. 2 of the laws in particular: Consistent Experience Across Contexts and Human Integration. When the Information Card standards were developed, discussed and opened to debate, it’s amazing the range of organizations that contributed. There are the obvious candidates – IBM, Microsoft, Novell, Sun Microsystems, CA, RSA and so on. But also the less usual – Privacy International, the Enterprise Privacy Group and other privacy lobbyist organisations. And then distinguished individuals like Lawrence Lessig.