Friday, June 03, 2005

Book Review: Numbered Account


I just posted this review at Amazon.

Nick Neumann has what, at first glance, appears to be the perfect life. The former U.S. Marine just graduated from Harvard Business School and has joined the fast-paced world of Wall Street. His girlfriend is beautiful, the scion of an incredibly wealthy family. But Nick does have one problem: the unsolved murder of his father weighs heavily on his mind.

His father, murdered almost twenty years ago, worked for the secretive Swiss bank USB. And so Nick decides to follow in his footsteps: to move to Switzerland, join USB, and determine whether the trail can still be followed or whether it's gone cold.

Within days of joining USB, Nick finds himself entangled in a nightmarish conflict. The "Pasha", USB's premier client, is moving ever larger sums of money through the bank in seemingly nonsensical fashion. The DEA, investigating large-scale money transfers through USB, begins squeezing Nick for information. And an attractive vice president at the bank seems to be paying very close attention to Nick's activities.

This is Reich's first book and is, simply put, masterful. While its length (750 pages) is daunting, Reich's firsthand knowledge of the Swiss banking industry is invaluable and enlightening. I can almost guarantee that you'll be swept into this ambitious and fulfilling story: revenge and terror mixed into a near-perfect concoction.

Christopher Reich: Numbered Account
 

Thursday, June 02, 2005

Where were the Senior Managers?


I read this a couple of weeks ago. It's an AP article regarding BP, which explains the reasons for a massive explosion at their Texas City plant. The blast killed 15 workers and injured more than 170. You can read the entire thing at your leisure, but here are some telling quotes.

..."Deeply disturbing" staff errors led to the oil refinery explosion and fire that killed 15 workers, and some employees could be dismissed as a result, plant operators said Tuesday...

..."The mistakes made during the startup of this unit were surprising and deeply disturbing"...

...Supervisors and hourly workers face discipline ranging from written reprimands to dismissal, Pillari said. He declined to say how many employees would be punished...

...The BP investigation determined that fluid level in a tower was 20 times higher than it should have been. Water or nitrogen in the tower when the unit was restarted may have caused a sudden increase in pressure that forced hydrocarbon liquid and vapor into the unit's stack.

But investigators still don't know what ignited the resulting vapor cloud. Earlier theories have suggested that sparks from a running truck engine could have been to blame.

Investigators found that supervisors seemed to be absent at times during the unit startup, and crews didn't know who was in charge.

Also, any of six supervisors had a six-minute window in which they could have sounded an alarm to evacuate the area, but that alarm was never sounded, Pillari said. The decision, he said, denied other workers "the opportunity to get out of harm's way." ...


I've highlighted what I consider the key phrase. During the startup of an immensely expensive and dangerous refinery, wouldn't senior management have plenty of feet on the ground?

Sidebar: Ironically, Texas City was also the site of the worst industrial accident in U.S. history. A fire aboard a ship at the city's docks triggered an explosion that killed more than 550 people.

Supervisors were absent? Where were the refinery managers?

Crews didn't know who was in charge? Wha...? Where were the refinery managers?

Pinning this on supervisory and hourly personnel appears, at face value, to be the ultimate cop-out.

Senior management needs to define strict processes for an operation this complex and then audit those processes to ensure they are followed. This is a failure of senior management, plain and simple.

AP: BP: Personnel Failures Led to Texas Blast
 

Wednesday, June 01, 2005

Making Phishers Solve the Captcha Problem



The more I read about Bank of America's solution to the phishing problem, the more I believe it is susceptible to man-in-the-middle (MIM) attacks. The Wall Street Journal today described their new system, called SiteKey, in a bit more detail. The BofA site describes it as well.

As I understand it, if you haven't signed into SiteKey before, you will get a randomly selected challenge question. Once you've answered the challenge successfully, a secure cookie is deposited on your PC. Subsequent authentications from that PC will force you to view a pre-selected image that will confirm you're signing into Bank of America, rather than a spammer's zombie machine in Chung Li, Taiwan.

Sidebar: isn't it odd that when you go to the Bank of America site, you immediately note that the page is presented in cleartext ("http://"), not SSL ("https://")? The first step to combat phishers is to provide an SSL connection... first time, every time. Customers need to get used to expecting a secure connection on every BofA page.

Yes, their sign-in operation itself is secure. I just think it a tad bizarre that every page isn't secure as well. Just for the customer's peace of mind.


As far as I can tell, there's no way for SiteKey to distinguish a malicious, zombie PC from a user's virgin computer. The zombie PC could present a false BofA store-front to the victim and proxy login information from the user to the bank and any resulting pages and images from the bank to the victim.

Step 4 of the BofA SiteKey page even states the following:

If we don't recognize your computer:
We will ask you one of your secret SiteKey Confirmation Questions.

After you answer your question correctly, we will show you your SiteKey.


Sounds like it's completely susceptible to a man-in-the-middle: the classic phisher's false store-front.

I believe you've got to make phishers solve the captcha problem.

(Image: A Blogger Captcha)

You know captchas: they're the odd-looking images representing stretched or melted alphanumeric text that can (presumably) be read by humans, but not malicious bots.

The example at right is the kind of captcha that Google's Gmail service employs. Mail services require strong captchas to prevent spambots from signing up for their free email services for mass-spam campaigns. We need more spam like GM needs more healthcare costs.

The challenge for systems like SiteKey is to create a captcha-like problem for phishers. I think I have the seeds of just such a solution. The idea is to make a man-in-the-middle attack bloody difficult.

Educating the users to expect an "anti-fraud" checklist on the sign-in page is obviously the first order of business. This can be achieved through a snail-mail campaign or equivalent PR effort. Once customers expect the anti-fraud checklist, the next action in the campaign is to:

Squeeze the man-in-the-middle

Force the man-in-the-middle (MIM) to present information specific to both the client and the server. After the user has entered a sign-in name, the anti-fraud checklist page depicted above should appear.

The key element of the page is a GIF or JPEG image, dynamically created like a captcha, consisting of the three checklist items depicted at the top of this article.

(Image: The MIM gets squeezed by changing fonts)

Why is this checklist so difficult for a MIM to present?

Checklist item 2: In a normal situation (with no MIM involved), the bank's server should be able to deduce the client's general location through IP-address geo-mapping.

For the MIM to present the correct location data, it will have to use an IP-address-to-geographic-location mapping algorithm and deduce it on its own.

Checklist item 3: The server has non-sensitive information about the customer (e.g., a check number that recently cleared) that can be presented on the page. This is called a "shared secret" that only the customer and the bank should know.

And for the MIM to retrieve a valid shared secret, it will have to screen-scrape the third line of the checklist from the image the bank has presented.

Captcha problem: Once the MIM has accomplished numbers two and three, it now has to somehow merge the images in a way that looks consistent. But the fonts are changing, the font sizes are changing, and the colors are changing. They're selected randomly.

Without some serious artificial intelligence, the MIM is trapped having to solve a classic captcha-style problem. And I, for one, think that's a hard row to hoe for the phishers.
 

Another Phish Tale


I received another phishing email that purports to be from PayPal. Let's just make the blanket statement that you should spam filter anything that even mentions PayPal. Anyhow, the source of the message reads, in part:

Please follow the link below and login to your account<br> and renew your account information<p><b> <a target="_blank" href="http://211.189.88.200/~wcconst/www.paypal.com/us/cgi-bin/webscr=cmdxpt/cps/
clickthru2/Billing-Verification=CookieId=4801de10f2194572779a171135820269/" >https://www.paypal.com/cgi-bin/webscr?cmd=_login-run</a></b></p> <p>Sincerely,<br> Paypal customer department!</td>
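A mail-filter style check for exactly the trick in the anchor quoted above: the visible text is a PayPal URL, the href is something else. This is an added example, not part of the original post; the sample fragment is constructed from the quoted anchor, and the brand list and the benign comparison link are assumptions.

```python
"""Flag HTML anchors whose visible text is a URL that does not match the
link target (the pattern in the PayPal phish quoted above)."""
from html.parser import HTMLParser
from urllib.parse import urlparse
import ipaddress

# Brands whose domain appearing anywhere but the host is a red flag (assumed list).
BRANDS = ("paypal.com",)

# Constructed fragment reproducing the anchor from the quoted message source.
PHISH_HTML = (
    'Please follow the link below and login to your account<br> and renew your '
    'account information<p><b> <a target="_blank" href="http://211.189.88.200/'
    '~wcconst/www.paypal.com/us/cgi-bin/webscr=cmdxpt/cps/clickthru2/'
    'Billing-Verification=CookieId=4801de10f2194572779a171135820269/" >'
    'https://www.paypal.com/cgi-bin/webscr?cmd=_login-run</a></b></p>'
)
# Constructed benign message for comparison: text and target agree.
BENIGN_HTML = '<p>Help: <a href="https://www.example.com/help">https://www.example.com/help</a></p>'


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""
    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_anchors(html):
    parser = AnchorCollector()
    parser.feed(html)
    parser.close()
    return parser.anchors


def split_url(url):
    """Return (scheme, host), treating a bare 'www.x.com/...' as http."""
    if "://" not in url:
        url = "http://" + url
    parsed = urlparse(url)
    return parsed.scheme.lower(), (parsed.hostname or "").lower()


def looks_like_url(text):
    return ("://" in text or text.lower().startswith("www.")) and " " not in text


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def anchor_findings(href, text, brands=BRANDS):
    """Reasons this anchor is suspicious; an empty list means none found."""
    reasons = []
    href_scheme, href_host = split_url(href)
    if is_ip_literal(href_host):
        reasons.append("link host is a bare IP address: " + href_host)
    if looks_like_url(text):
        text_scheme, text_host = split_url(text)
        if text_host != href_host:
            reasons.append(f"displayed host {text_host} differs from link host {href_host}")
        if text_scheme == "https" and href_scheme == "http":
            reasons.append("displayed https but the link is plain http")
    for brand in brands:
        if brand in href.lower() and not (href_host == brand or href_host.endswith("." + brand)):
            reasons.append(f"brand domain {brand} appears in the URL but not as its host")
    return reasons


def scan_message(html):
    """One entry per suspicious anchor in an HTML message body."""
    findings = []
    for href, text in extract_anchors(html):
        reasons = anchor_findings(href, text)
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in scan_message(PHISH_HTML):
        print(finding["text"], "->", finding["href"])
        for reason in finding["reasons"]:
            print("  *", reason)
```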


A tracert of 211.189.88.200 yields:

9 110 ms 119 ms 113 ms unknown.Level3.net [63.215.71.10]
10 122 ms 114 ms 111 ms ge-2-0-0.0.cjr02.lax001.flagtel.com [62.216.140.77]
11 221 ms 229 ms 224 ms so-1-1-0.0.cjr04.tok002.flagtel.com [62.216.128.130]
12 261 ms 244 ms 244 ms so-0-3-0.0.ejr03.seo002.flagtel.com [62.216.128.18]
13 253 ms 248 ms 251 ms 62.216.147.82
14 249 ms 254 ms 259 ms user7.s148.samsung.co.kr [203.241.148.7]
15 244 ms 249 ms 244 ms 211.189.88.200


Hmmm... the user7 portion makes it almost appear that the next-to-last link in the chain is a typical workstation inside Samsung. Probably not the case, but interesting...
 

Mimicking is more persuasive


Interesting results from a Stanford study. A computer-generated sales agent was programmed to mimic a human prospect's facial movements in a "conversation". Sales agents that mimicked the prospect's movements (with a four second delay) were considerably more successful than agents programmed with pre-recorded facial movements:

...Researchers at Stanford University's Virtual Human Interaction Lab strapped 69 student volunteers into an immersive, 3-D virtual-reality rig, where test subjects found themselves sitting across the table from a "digital agent" -- a computer-generated man or woman -- programmed to deliver a three-minute pitch advocating a notional university security policy requiring students to carry ID whenever they're on campus.

The anthropomorphic cyberhuckster featured moving lips and blinking eyes on a head that nodded and swayed realistically. But unbeknownst to the test subjects, the head movements weren't random. In half the sessions, the computer was programmed to mimic the student's movements exactly, with a precise four-second delay; if a test subject tilted her head thoughtfully and looked up at a 15-degree angle, the computer would repeat the gesture four seconds later...

...The results, to be published in the August issue of the journal Psychological Science, were dramatic... The remaining students liked the mimicking agent more than the recorded agent, rating the former more friendly, interesting, honest and persuasive. They also paid better attention to the parroting presenter, looking away less often. Most significantly, they were more likely to come around to the mimicking agent's way of thinking on the issue of mandatory ID...


Wired: AI Seduces Stanford Students
 

The Israeli Trojan Horse Affair... and Ad Agencies


The Israeli corporate espionage affair is spreading from firm to firm like wildfire. An interesting aspect: ad agencies were reportedly infected with trojans, presumably to glean strategic marketing information on competitors.

A question for senior managers: do your ad agencies (or other partners) possess your company's strategic data? If so, your legal team should be writing infosec process into your contracts... and your infosec team should be performing due diligence on their systems.

...Tel Aviv Police District Fraud Unit investigators yesterday raided the offices of international calls carrier Bezeq International Ltd., and detained for questioning its VP marketing and a strategic researcher. The company is suspected of obtaining from private investigators business information of Golden Lines International Communication Services Ltd. by uploading a Trojan Horse into computers of ad agency Shalmor-Avnon-Amichay Young and Rubicam...


Car importer Jacob Shachar questioned in Trojan Horse affair
 

WSJ: "Nightline" needs an enemies list


The Wall Street Journal features an op-ed on Nightline's broadcast of the honor roll of American troops who died serving in the war on terror:

...Much energy has been spent on the debate over whether Saddam actually backed al Qaeda, or merely spent some of his billions purloined out of the United Nations Oil for Food relief program in supporting such folks as Palestinian suicide bombers and buying the kinds of conventional weapons used to kill the troops whose faces we just saw on "Nightline." The larger point is that nations export to our globalizing world whatever it is they specialize in. Saddam specialized in terror. His legacy includes a roster of Iraqi dead so vast that it would take weeks if not months to read the full list of names, if anybody even knew the list. That is the kind of rule, or grotesque misrule, he brought to the international table--corrosive to all, and dangerous even to the great American superpower. Which is why, after 17 failed U.N. resolutions, our troops had to go to Iraq.

Second on the list of who killed our troops would be those who abetted Saddam's regime and continue to help his successors today. Topping that list would be the Baathist regime of Syria's dictator, Bashar Assad, and the totalitarian ayatollahs of Iran--backing what is too often called an "insurgency" and would better be termed a fight for the resumption of tyranny.

Also on the list would be the corrupt and craven crew at the U.N., who hid the rebuilding of Saddam's resources, who preferred to give Saddam an 18th chance. It is important to understand that while the U.N.-approved investigation into Oil for Food, led by Paul Volcker, has focused narrowly on questions of whether anyone administering the program violated U.N. procedure, the deeper horror was the assurance of the U.N. that all was well--while Saddam skimmed billions... to buy weapons and restock the war chest [that] ...is very likely funding terror in Iraq today.... [T]wo unnamed high-ranking UN officials [are] alleged to have taken bribes from Saddam; this is a matter not only of venal and corrupt behavior among those entrusted with serving the public good, but of U.N. officials with blood on their hands...

...In thinking about the context for the past year's honor roll, however, I found there was another American president who also came to mind: Abraham Lincoln, who, as America struggled to shed its own evil of slavery, commemorated the dead at Gettysburg with a statement that holds true today. These Americans died "that government of the people, by the people, for the people, shall not perish from the earth."


Claudia Rosett: Never Forget - "Nightline" needs an enemies list
 

Corporate Espionage and Trojan Horses


Via Arik's blog, an excellent recap of the Israeli corporate espionage scandal.

* [Some] ...very prominent Israeli companies were infected by a trojan. Foreign companies may have been victims as well, but names of those were not provided.
* The trojan was targeted specifically at those companies by the perpetrator, and more specifically at key people in those companies and PR companies working for those companies.
* The trojan was targeted at Windows machines.
* The attack vector was social engineering, using e-mail and CD-ROMs sent to the victims as ‘a business proposal’.
* Data proliferated from some of the infected machines includes (but is not limited to) the ‘My Documents’ folder and screen captures.
* The stolen data was sent to “FTP servers” both out and inside Israel. The protocol used for the actual transfer was not disclosed.
* The trojan was never detected within the infiltrated companies until the police looked for it...


Saar Drimer also states, "...the police’s own computers were compromised by the very method they were investigating!"

Arik's blog: Trojan horses abound
 

Tuesday, May 31, 2005

Offshore Firms Handling US Privacy Data


In early May, I noted Northwestern Mutual's new policy of shipping customer data overseas. The announcement, made at Gartner's Outsourcing Conference, noted that offshore contractors would have access to sensitive customer data in order to facilitate greater cost savings.

Security measures?

...Beyond secure lines and dumb terminals, the company insisted that Infosys put additional physical security measures in place. A guard is posted on the floor of the Infosys facility where Northwestern Mutual's work is performed, and employees aren't allowed to take any documents or media with them after they clock out...


Offshoring Management notes, as we did, that Northwestern Mutual has not notified customers of their new data-sharing practices:

...Northwestern’s terminals are even more restrictive than the terminals of yesteryear. They do not allow users to alter, record, or print the data they see on their monitors. The Indian workers are connected to Northwestern’s servers in Milwaukee via high-speed lines. They can monitor and test the company’s applications and perform maintenance operations but they can’t record or manipulate sensitive client data. Northwestern’s CIO Barbara Piehler told TechWeb that the company came up with the plan because it was not maximizing its savings from offshoring. As part of the plan, IT service workers are not allowed to take any documents or media with them at the completion of their shift, so the company also requires its contractor, Infosys, to post guards on the floors where its sensitive applications are serviced. Northwestern does not inform its customers that their personal information is being viewed by IT workers a world away. “It’s just the way we do business now,” Ms Piehler told the publication.


Northwestern Mutual still teeters on the precipice of a major security debacle. Consider a malicious employee at the offshore firm who is able to record U.S. identity data (SSN, name, birth date, etc.) using pen and paper, secrete it on their person and then sell it.

Short of cavity searches for all of the outsourcers, identity theft from these venues is all but certain.
 

The data kidnappers


The previous post references Bruce Schneier's discussion of "data kidnapping" malware. As reported by CNN, this malicious payload encrypts files on the victim's computer and then "holds the files hostage". A ransom note is prominently displayed on the PC, which includes an email address and a demand for $200 for the decryption key.

One of the blog comments noted the history of these sorts of "data kidnappers":

On Slashdot, there was mention of the "Casino.2330" virus that existed years ago. This virus erased the FAT (file allocation table) from the disk after copying it into memory. The virus then displayed a slot machine game and invited the user to play. The user had to win the game for their FAT to be restored. See http://www.avp.ch/avpve/file/c/casino.stm.

In 1989, a mailing consisting of a floppy disk and a license was sent to 20,000 recipients. The software on the disk provided an assessment of the user's risk from HIV/AIDS. Users were encouraged to install the software. However, a hidden mechanism in the software would encrypt and hide files on the user's system after a delay had passed. The included license warned (in very small print) of "most serious consequences" for violating the license. Users were supposed to send a license fee to a PO box in Panama for "PC Cyborg Corporation." A one-off license cost $189 and a lifetime license cost $378. Those who paid the license fee would receive a "renewal software package." The originator of the software was located but was found unfit to stand trial. See the "AIDS Diskette" entry at http://www.virusbtn.com/resources/malwareDirectory/about/history.xml.

[Regarding extortion] ...There was an incident where an individual was trying to extort money from a dairy company. They had already carried out an act of product tampering against this company. The individual demanded that bank card details for an account be embedded in an image file. This image file was to be posted on a public web site. Sometime afterwards, the image file was downloaded via an anonymity proxy service. However, the anonymity service cooperated and identified the individual who had downloaded the image. See http://www.theregister.co.uk/2004/03/24/dutch_internet_blackmailer_gets/


The data kidnappers
 

Monday, May 30, 2005

Schneier on Internet attacks


Four key sentences in Bruce Schneier's latest:

Internet attacks have changed over the last couple of years. They're no longer about hackers. They're about criminals. And we should expect to see more of this sort of thing in the future.

Two-Factor Authentication won't stop Phishing


The Association for Payment Clearing Services (APACS), a banking industry organization, is putting the final touches on its plan to make online transactions "secure". Their approach uses two-factor authentication.

Two-factor authentication (TFA) utilizes the principles of "something you know" and "something you have." The classic embodiment of TFA is a SecurID card that provides a random, time-sensitive password when a PIN is entered into it. The time-sensitive password is matched up to a central server's version. If the password is used later, it won't work.

What's driving the adoption of TFA? And, more importantly, will it work?

To answer the first question, one need only read this blurb from Finextra:

BoA is currently embroiled in a legal challenge from a Miami businessman over $90,000 he says was stolen from his online banking account by Latvian cybercriminals. He says the thieves authorised a wire transfer out of his account using access details acquired by a Trojan keylogging device on his infected PC.


Under some circumstances, TFA will help repel key-loggers that capture users' sign-in names and static passwords. The crooks won't be able to save the password for later use.

But the key-logger could easily notify the bad guy or open up a session for him. The bad guy just needs to man his computer, waiting for these time-sensitive notifications. Once he has hijacked a session, he's still free to perpetrate the same kinds of criminal acts that static passwords facilitated.

Will Two-Factor Authentication Help Fight Phishing?

Bank of America has announced a system that they believe will, if not prevent, then dramatically reduce phishing:

The service will also provide customers with a way to confirm that the bank Web site they visit is legitimate. The PassMark is displayed during log in to a banking site and if the image is correct customers will know the site is genuine and that it is safe to enter passwords.


I'm not sure I see much of a benefit to these measures. In an earlier, more complete critique, I summarized some of its problems.

Basically, the new BofA measures appear susceptible to a simple man-in-the-middle attack. That is, a phishing site -- a false store-front, if you will -- can simply act as a proxy server to capture a victim's authentication data. If the BofA site presents a special image or a custom challenge, the "evil proxy" just relays that information to the victim.

The victim can't tell the difference between the proxy and the real site (after all, it looks correct!). Therefore, the victim provides the evil proxy with suitable sign-in data, the proxy relays it to the BofA site, and the phisher has now hijacked the session.

The only benefit I can deduce in BofA's new approach is time-sensitivity. That is, the hijacked session is only valid for a relatively short period of time. Thus, the phisher has to man a control computer, waiting for successful hijackings. The static sign-in ID and password is no longer quite as useful as it once was.

A longer-term approach? Customer education is paramount. I've also proposed an anti-fraud checklist that a financial institution could place on their website. This checklist would make it considerably tougher for a phisher to construct a false store-front.

That said, I don't think there are any silver bullets that can rid us of the phishing problem once and for all. The BofA approach is a baby step in the right direction, but many vulnerabilities remain.
 

Hacking phishing sites


The latest development in the war on phishing: vigilante hackers are defacing the phishers' false store-fronts. It's an interesting idea, though probably illegal in most venues. The vigilante hackers are likely using the same exploits the phishers employed.

The ironic upshot? The phisher now must consider patching any vulnerabilities on a target machine to ensure the store-front doesn't get defaced! Who'd have thunk it - phishers patching machines to remove vulnerabilities...

Call them modern Robin Hoods, hackers who use their skills to take down Web sites used in phishing scams. Several sites that at one point hosted fraudulent Web pages designed to trick users into giving out personal data have been defaced, according to Netcraft, an Internet services company in Bath, England.

The hackers replaced the phishing sites with a warning page. Netcraft has posted several screenshots of purported defaced phishing sites.

Phishing sites often are hosted on hacked Web servers. It appears the defacers used the same server weaknesses that were exploited by the phishers to remove the phishing Web sites...


News.com: Hacking Phishing Sites
 

Sunday, May 29, 2005

Phishing: How Banks can Fight Back



True to yesterday's promise, here are several suggestions for banks to more effectively combat the scourge of phishing. If you're unfamiliar with the 'phishing' concept, please refer to this primer. In short, phishing emails claim to be from a reputable financial website and encourage the victim to sign-in. The phisher puts up a false "store-front" that appears to be the real financial website and then captures the victim's sign-in data. The phisher then uses the victim's sign-in for a variety of nefarious purposes including theft of funds, identity theft, etc.

Yesterday's post discussed the pros and cons of Bank of America's new SiteKey anti-fraud measures. I gave BofA a C on their report card, primarily because their countermeasures could be spoofed by a false store-front smart enough to proxy the user's transactions.

In other words, BofA's SiteKey could be effectively defeated by a false store-front that accepted the user's log-in data, proxied it to the real site, and then presented the real site's page and images back to the user as if it were genuine.

Pictured above is how I think BofA's website should appear to the end-user. Note the topmost banner, which is a dynamically generated image. It consists of a checklist that users should read before signing in. I suspect most users would actually check this out due to its prominence on the page.

Here's how it works. The user would enter an online ID (user name) on the initial screen - there would be no password, PIN, or other truly 'secret' data entered on the first page. The screen pictured above would be the second page of the sign-in. The anti-fraud checklist on the topmost banner consists of three items. Let's review each.



1) The first line reads If your address bar does not read https://www.bankofamerica.com DO NOT SIGN IN. The address in the address bar -- the simplest anti-fraud measure -- is seldom noted on financial websites. It's the most crucial element in combating phishing. If the address bar doesn't match up... don't sign in! It's... just... that... simple.

2) The second line reads You appear to be signed in from Sandy Springs, GA USA. If that's not correct DO NOT SIGN IN. The physical location that the customer appears to be connecting from can be deduced (in most cases) from the customer's IP address. A geographic IP address location algorithm can be used to generate this sentence. This prevents a false store-front from acting as a proxy (a false store-front brokering requests to the real site would yield a different geographic location in Taiwan, Russia, etc.). A false store-front would therefore have to compute this information itself and paste it into a dynamically created image 'on the fly'. Do-able, but considerably more difficult.

3) The third line reads A recent check number that you wrote was 2046. If that's not correct DO NOT SIGN IN. A shared secret (in this case, a recent check number) is used to further authenticate the genuine site to the user. The bank will have the customer's recently cleared check numbers. The phisher won't.

Yes, a dedicated and tech-savvy phisher could construct a false store-front that proxies the initial sign-in page, grabs the resulting JPEG, looks up the geographic location from the IP address, pastes that in (while matching fonts)

But critical to this checklist is the fact that the typeface (font face) is chosen randomly. Now, the typeface will be consistent for the three items on each banner, but the typeface will vary randomly for each sign-in. Thus, if the false store-front goes to the trouble of painstakingly constructing the checklist itself, it will also have to match fonts to stick the correct location into the image.

The randomly selected typeface makes cutting and pasting text from the dynamically created image considerably -- considerably -- more difficult for the phisher! And interspersing a shared secret (the check number) ensures that the false store-front must (a) proxy the transaction, (b) compute the victim's real geographic location; and (c) match typefaces correctly in order to make the false storefront realistic.

That's quite a task.

Thus, we've turned the sign-in process into a bit of a captcha problem for phishers. I don't think this approach would be easy for the bad guys to defeat... but feel free to poke holes in this strategy, using the comments link.
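Both sides of the checklist that this post and the earlier SiteKey critique describe, as an added example (not the posts' own code or any bank's): the server builds the three lines and draws a random rendering style from the connection it actually sees, and the customer performs the three comparisons the banner asks for. The IP ranges, the customer record, the typeface list and the proxy scenario are all constructed.

```python
"""Server-side construction and customer-side review of the anti-fraud checklist."""
import ipaddress
import random

SIGN_IN_URL = "https://www.bankofamerica.com"  # the address line the post quotes

# Constructed stand-in for an IP-to-location database (documentation ranges).
GEO_RANGES = [
    (ipaddress.ip_network("198.51.100.0/24"), "Sandy Springs, GA USA"),
    (ipaddress.ip_network("203.0.113.0/24"), "Chung Li, Taiwan"),
]

# Rendering attributes drawn at random per sign-in. All three lines of one
# banner share them, so a line pasted in from elsewhere in another face stands out.
TYPEFACES = ["Georgia", "Verdana", "Courier New", "Trebuchet MS", "Palatino"]
SIZES = [14, 16, 18]
COLOURS = ["#202020", "#003366", "#4b0000"]

# Constructed customer record: (clearing date, check number) pairs.
CUSTOMER = {
    "online_id": "nneumann",
    "cleared_checks": [("2005-05-12", 2044), ("2005-05-27", 2046), ("2005-05-20", 2045)],
}


def geolocate(ip_text):
    """Map the connecting address to a place name using the constructed table."""
    ip = ipaddress.ip_address(ip_text)
    for network, place in GEO_RANGES:
        if ip in network:
            return place
    return "an unknown location"


def most_recent_check(customer):
    """The shared secret: the number of the check that cleared most recently."""
    return max(customer["cleared_checks"])[1]


def build_checklist(customer, observed_ip, rng=None):
    """Server side. The location comes from the address the bank actually sees,
    so a store-front relaying the session gets its own location printed."""
    rng = rng or random.Random()
    style = {
        "typeface": rng.choice(TYPEFACES),
        "size": rng.choice(SIZES),
        "colour": rng.choice(COLOURS),
    }
    lines = [
        f"If your address bar does not read {SIGN_IN_URL} DO NOT SIGN IN.",
        f"You appear to be signed in from {geolocate(observed_ip)}. "
        "If that's not correct DO NOT SIGN IN.",
        f"A recent check number that you wrote was {most_recent_check(customer)}. "
        "If that's not correct DO NOT SIGN IN.",
    ]
    return {"style": style, "lines": lines}


def customer_review(checklist, address_bar, my_location, my_checkbook):
    """Customer side: the three comparisons the banner asks for.
    Returns the items that fail; an empty list means it is safe to continue."""
    failures = []
    if not address_bar.startswith(SIGN_IN_URL):
        failures.append("address")
    if my_location not in checklist["lines"][1]:
        failures.append("location")
    if not any(f"was {number}." in checklist["lines"][2] for number in my_checkbook):
        failures.append("check")
    return failures


def sign_in_scenario(observed_ip, address_bar, seed=0):
    """One sign-in for the constructed customer, who sits in Sandy Springs."""
    banner = build_checklist(CUSTOMER, observed_ip, random.Random(seed))
    failures = customer_review(banner, address_bar, "Sandy Springs, GA USA", {2044, 2045, 2046})
    return banner, failures


if __name__ == "__main__":
    # Direct connection: bank sees the customer's own address.
    banner, failures = sign_in_scenario("198.51.100.23", "https://www.bankofamerica.com/login")
    print("\n".join(banner["lines"]), "\nfailures:", failures)
    # Relayed through a constructed false store-front: the bank sees the proxy's
    # address and the victim's address bar shows the proxy, so two items fail
    # even though the relayed check number is genuine.
    banner, failures = sign_in_scenario("203.0.113.9", "http://203.0.113.9/www.bankofamerica.com/")
    print("\n".join(banner["lines"]), "\nfailures:", failures)
```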
 

Defusing Nuclear Terror


Highly interesting -- and nerve-wracking -- reading from the Bulletin of the Atomic Scientists regarding the history of nuclear terror threats and the founding of the Nuclear Emergency Search Team (NEST).

...in the summer of 1972, the terrorist group Black September seized, and ultimately murdered, nine members of the Israeli Olympic team. Among those who became seriously concerned over the prospect of nuclear terrorism was James Schlesinger, then chairman of the Atomic Energy Commission (AEC). He held a series of meetings exploring whether terrorists could steal plutonium and make a bomb with it, whether they could steal a bomb, and whether the United States would be able to locate it. In 1974, while those issues were being considered and investigated, the FBI received a note demanding that $200,000 be left at a particular location in Boston or a nuclear device would be detonated somewhere in the city. This note was not part of an exercise, but the real thing (New York Times Magazine, December 14, 1980).

William Chambers, a Los Alamos nuclear physicist who was studying the detection issue, was instructed by the AEC and FBI to assemble the best team he could and head for Boston to search the city. The operation reflected its ad hoc origins. The group rented a fleet of mail vans to carry concealed equipment that could detect the emissions of a plutonium or uranium weapon. But the team found that they did not have the necessary drills to install the detectors in the vans. NEST field director Jerry Doyle recalled, "If they were counting on us to save the good folk of Boston . . . well, it was bye-bye Boston." ...


Bulletin of the Atomic Scientists: Defusing nuclear terror
 

Throw Bolton Under the Bus



Hugh Hewitt, writing in the World, exposes John McCain as a simple, publicity-seeking missile headed directly towards the 2008 primaries. That he underestimated the rage of the GOP base at his so-called "deal" is certain. Less certain is what will become of John Bolton, now that filibusters are to be used only for "exceptional" circumstances.

...great Americans can be lousy senators and terrible Republicans, and once again Mr. McCain has proven to be both. He has now done for the judicial nomination and confirmation process what he did for campaign finance reform. He brought the country George Soros and the scourge of the 527s, and with his leadership on the deal that threw at least two of George Bush's nominees under the bus in exchange for the most ambiguous of promises, the senator has once again turned his back on a core constitutional value in order to advance his own agenda...


In the old days, when the Democrats controlled both the Senate Judiciary Committee and the White House, the GOP uniformly accepted the President's judicial nominations. Now that they are in a decided minority, the Democrats have embarked on a course of wanton obstructionism. That such a course is unwise can be confirmed by one Tom Daschle, excommunicated by South Dakotans.

If the Democrats want to control judicial nominations, here's a suggestion (paraphrasing Hugh Hewitt): win some elections for a change.

Hugh Hewitt: A house on fire
 

Are you free, woman? Take this fun, easy quiz!


Picture credit: http://www.amitiesquebec-israel.org
The crew at Pow3rline points us to this exceptional shredding of Erica Jong at, of all places, the Huffington Post.

...I've never understood why women’s groups weren't out front cheering the wars against the Taliban in Afghanistan and Saddam Hussein's Iraq. Were there ever more feminist wars than these? You'd think the National Organization for Women would be egging the administration on to Saudi Arabia and Iran. But no, and for the same reason that organized feminists have refused to applaud George Bush’s historic appointments of women to positions of high office, including most recently his nomination of two women, one of them black, to appellate judgeships. Bush is a Republican. The organized feminists are Democrats. It's as simple as that.

Still, I wouldn’t think the feminist worldview could be quite SO simple as to equate the oppression of women who live under repressive and murderous regimes in the Islamic world with the condition of women in the United States. For HP bloggers and readers who have trouble telling the difference, I’ve prepared the following quiz:

1. Are you allowed to drive a car? Y/N
2. Must you be accompanied at all times in public by a male escort? Y/N
3. If you were to say "what the hell" and drive to the mall by yourself, would you be immediately surrounded by bat-wielding male police officers? Y/N
4. Could you be beaten for saying “what the hell”? Y/N
5. When you go outside on a hot summer day, can you wear shorts and a t-shirt? Y/N ...


As Frontpage Magazine points out, stoning a woman to death in Iran is not illegal; but using the wrong-sized stone is.

It should go without saying - read both articles.

Danielle Crittenden: Are you free, woman? Take this fun, easy quiz!

Banafsheh Zand-Bonazzi: Tehran's Killing Fields
 

Saturday, May 28, 2005

Bank of America takes on cyberscams: a report card


Picture credit: http://www.pbs.org
The Bank of America will be rolling out a series of anti-fraud measures to combat the wave of phishing attempts roiling cyberspace.

Let's take a look at some of their new, and hopefully improved, anti-phishing countermeasures:

When people register for SiteKey, they pick an image from a list and type in their own phrase to be associated with their account. When they enter their login name and hit the SiteKey button on the Bank of America site, that same image and phrase are displayed in response, Gupta said. This verifies that the user is in fact on the real Bank of America Web site, he said.


Let's break this down. You visit the BofA site and enter your login name. The BofA site displays your personal, pre-selected image (say, a picture of your hero, John Bolton). You examine the image and decide that it's correct, so you enter your password. *Voila* - a fraud-proof login? Or is it?

It certainly renders the typical false store-front approach more difficult. In the past, the phishers only needed to put up a welcome-and-login page, capture the credentials at login time, and redirect the victim to the proper site.

But a new, "improved" phishing storefront approach is still feasible with SiteKey. Consider the following sequence of events:

1) Phishing site presents a false store-front to victim
2) Victim enters login name at false store-front
3) Behind the scenes, false store-front visits real site, enters victim's login name at real site, and captures returned web page, SiteKey image, etc.
4) False store-front now presents victim with its captured web page and SiteKey image
5) Victim verifies image and enters password into false store-front
6) False store-front notifies crook that a valid session is active

In other words, the false store-front simply brokers a bit more of the authentication sequence transpiring between the victim and the genuine site. Put simply, this is just a minor technical challenge for the phishers.

Personal image countermeasure - Grade: C, primarily for the effort... not the effectiveness.

In another feature, SiteKey links the customer's PC to the online banking service. If the service is later accessed from a different computer, the account holder is prompted to answer one of three previously selected challenge questions... Additional PCs, such as an office computer, can be linked to the bank's Web site so a customer doesn't have to keep answering challenge questions.


There are really two ways that BofA could "tie" the customer PC to the site: via source IP addresses or via cookies. IP addresses are problematic. A customer using AOL, for instance, can appear to be coming from multiple IP addresses, all in one transaction. This is the case because AOL uses an entire bank of proxy servers to broker web traffic for its customers. So I suspect IP addresses would not be suitable for "tying" the PC to the bank.

Cookies are the more likely candidate. Once the user successfully performs a "full login" (complete with challenge/response), a cookie is delivered to the PC to speed subsequent logins.

A couple of vulnerabilities with this approach: a cross-site scripting hack could deliver the real session cookie to the phishing site. Or, more likely, a false store-front would simply broker the full authentication sequence -- including the challenge -- thereby gaining access to the account.
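An added example, not Bank of America's implementation, of the cookie-based tying the paragraphs above suggest: a device token minted after a full challenge/response login and verified on later sign-ins, with the cookie attributes that blunt the cross-site-scripting theft just mentioned. The token format, lifetime and server key are assumptions; as the post notes, none of this stops a store-front that brokers the whole sequence.

```python
import hashlib
import hmac
import secrets
import time

# Constructed server-side secret; a real deployment keeps this in a key store.
SERVER_KEY = secrets.token_bytes(32)
TOKEN_LIFETIME = 90 * 86400  # seconds a "known PC" stays known (assumption)


def issue_device_token(username, key=SERVER_KEY, now=None):
    """Mint the cookie value after a full login (password plus challenge answer).

    Format: user|issued|nonce|mac. The MAC lets the bank verify the cookie
    without storing it; the nonce makes each device's token distinct.
    """
    issued = int(time.time() if now is None else now)
    body = f"{username}|{issued}|{secrets.token_hex(8)}"
    mac = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}|{mac}"


def device_is_known(username, token, key=SERVER_KEY, now=None):
    """True only if the cookie is intact, belongs to this user and is unexpired."""
    if not token:
        return False
    parts = token.split("|")
    if len(parts) != 4:
        return False
    user, issued, nonce, mac = parts
    body = f"{user}|{issued}|{nonce}"
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    # Constant-time compare on bytes so a tampered MAC leaks no timing signal.
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return False
    if user != username or not issued.isdigit():
        return False
    current = time.time() if now is None else now
    return 0 <= current - int(issued) <= TOKEN_LIFETIME


def needs_challenge(username, token, key=SERVER_KEY, now=None):
    """Ask a challenge question unless the PC presents a valid device cookie.

    Binding to the source IP instead would fail the AOL case described above,
    where one customer's requests arrive from several proxy addresses; the
    cookie travels with the browser, so it survives that.
    """
    return not device_is_known(username, token, key, now)


def set_cookie_header(token):
    """Cookie attributes for the device token: HttpOnly keeps page script from
    reading it (the XSS case above), Secure keeps it off plaintext HTTP."""
    return f"Set-Cookie: device={token}; Secure; HttpOnly; SameSite=Strict; Path=/"


if __name__ == "__main__":
    tok = issue_device_token("alice")
    print(set_cookie_header(tok))
    print("challenge needed on next login:", needs_challenge("alice", tok))
```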

Only a truly diligent customer would likely notice that extra challenge. I'm guessing that's less than 5% of the entire customer audience. And that's the only reason I'll give this countermeasure a slightly higher grade - the extra 5% of customers who'll notice something fishy.

PC-to-site tying countermeasure - Grade: C+

In short, these are decent -- but half-hearted -- efforts at phish-fighting. I'll post some additional ideas regarding phish combat later.

Diversity in these approaches among the various financial institutions would be a good thing. With diversity, the phishers will need to build different infrastructure for each false-storefront. But build it they will, as the cyberwar between crooks and institutions continues unabated.

News.com: BofA takes on Cyberscams
 

Friday, May 27, 2005

George Galloway: Bluster and Fabrication


Picture credit: http://news.bbc.co.uk
You may remember George Galloway's testimony in front of the Senate committee investigating the UN Oil-for-Food debacle. In a manner more typical of Parliament's House of Commons, the MP went on offense, blustering, accusatory, and piercing.

For a brief, shining moment, Galloway became an icon of the mainstream media/DNC (a singular noun). The San Francisco Chronicle went so far as to label him a "media hero".

Galloway's bluster couldn't obscure the facts, however. Galloway was in front of the Senate because he ran the controversial Mariam Appeal, which raised enormous amounts of money and then (apparently) disappeared. The Mariam Appeal, according to Seixon, was the political organization set up to "protest" the Iraq sanctions.

According to the Telegraph, Saddam's precious oil-for-food vouchers included the names of intended beneficiaries. Among the parties listed: Zureikat, Galloway and "Mariam's Appeal".

And, coincidentally, "Galloway moved the financial statements and other documents of the Mariam Appeal from the UK to the Middle East".

The seedy involvement with Oil-for-Food financier Zureikat was the question before the MP on the day of his testimony. Let's listen in.


SEN. COLEMAN: So Mr. Galloway, you would have this committee believe that your designated representative from the Mariam's Appeal becomes the chair of the Mariam's Appeal, was listed in Iraqi documents as obviously doing business, oil deals with Iraq, that you never had a conversation with him in 2001 or whether he was doing oil business with Iraq.

GALLOWAY: No, I'm doing better than that. I'm telling you that I knew that he was doing a vast amount of business with Iraq... He was an extremely wealthy businessman doing very extensive business in Iraq.

Not only did I know that, but I told everyone about it. I emblazoned it in our literature, on our Web site, precisely so that people like you could not later credibly question my bonafides in that regard. So I did better than that.


Galloway, knowing full well that his website was down, told the Senate committee that he had "emblazoned" on his website that his partner in the organization had extensive business dealings with Iraq and was a donor to the campaign. Thus he most likely believed that there would be no way to check if he was lying or not.

He couldn't have been more wrong.

Using an awesome website called the Internet Archive Wayback Machine, we can look up how the Mariam Appeal website appeared throughout the past few years. I'm fairly certain that Mr. Galloway was not aware of this, for if he was, I'm not certain he would have made the statements he made...


Seixon effectively tears Galloway's testimony to shreds... in a manner reminiscent of Genghis Khan. It would appear that Galloway's ersatz indignation was as genuine as his testimony. Which is to say his statements were as valuable as a Hillary Clinton three dollar bill.

It goes without saying: read the whole thing and suckle at the teat of wisdom.

Seixon: With all due RESPECT, Mr. Galloway…
 

Thursday, May 26, 2005

My Food Pyramid



I received startling news this week that an esteemed colleague had suffered a massive heart attack on Sunday. Only in his late forties, he'd apparently tip-toed on the precipice of eternity. The ICU nurses mentioned that when he'd arrived, it appeared to be a 90% chance-of-fatality case. The chaplain was called in, perhaps to counsel his wife. It was that dire.

He'd been camping and hiking on Saturday. He felt sufficiently lousy that by Sunday, he'd cut short his trip and headed home. In front of the computer on Sunday, relaxing, he suffered a massive heart-attack. When his wife called 9-1-1, apparently the paramedics were too busy watching Deadwood or were otherwise indisposed. Somehow, the gravity of the situation escaped them. So his wife gathered him up in the car and took him to a nearby hospital.

On two fronts, he was fortunate: his home is only a few miles away and the hospital in question is highly rated for cardiac care. He received, I think, a balloon and then a stent to open up the blockage and save his life.

I saw him today to bring him some mail and reading material. He is still in an ICU room, but is mobile. He's off most of the various tubes, contraptions and machines, and is talking about getting back home over the weekend. All in all, lucky and tough.

His episode reminded me of my Dad's heart attack nearly a decade ago. Put it this way, the heart history among the males in our family is decidedly lousy. For instance, my Dad's brother has survived a couple of heart attacks, the first in his forties. I found out recently that his son, my cousin, was also rushed to the hospital for an angioplasty. He's only in his mid-forties.

After my Dad's heart attack, which he thankfully survived, I completely changed my diet. My cholesterol was in the 220 range. Prior to that my weight was around 215. I was in the mode of heavy weightlifting and the commensurate mindset of carbo loading (described in excruciating detail in an earlier blog post).

I got my weight down to 178 while continuing to work out hard. A new diet was the key. Here's a pretty typical day:

Breakfast: All-bran mixed with Ka-shi Protein Crunch Cereal
Lunch: Can of chunk light tuna (hold the mercury, please!) in salt-free tomato sauce, heated up 90 seconds in microwave
Dinner: Salmon fillet served with sliced tomatoes garnished with Tuscan seasoning (my wife brought this stuff back from Italy... delicioso, if that's Italian). Couple of apples or a pineapple for dessert.

Tangent: I was checking out of the grocery store the other day and through utter coincidence had only two items: an extra-large box of All-Bran and a giant package of toilet paper. Now that's a tad embarrassing. Maybe I should have gone through the checkout twice to have avoided the stares. Nothing to see here, folks. Nothing at all.


A lot of my friends and colleagues do make fun of me for my odd diet.

Dessert? What's that? I haven't had a real dessert since my Dad's heart attack. Seriously. Actually, I have had one. We went on a cruise a while back. In the formal dining room, the maître d' ripped the menu out of my hands and said, "no, no... you don't eat from these desserts... I make you a special dessert." I guess he talked like Poppy on Seinfeld.

He brought us a bread pudding or something like that. My wife loved it. I forced myself to eat most of it. How could I refuse?

Everyone thinks I'm highly disciplined, but I'm not. The rich foods -- cookies, chocolates, pies, cakes -- don't appeal to me at all now. Maybe it's been so long that I've avoided them, that I no longer care.

Or, more likely, it's still this overriding fear of the family heart history. Every time I look at a piece of chocolate cake, I see the dripping, unprocessed fat... the ride to the emergency room... the nurses holding me down while someone rubs the electric plates together and the surgeon yells "Clear!!". Yes, I'm a cheery dining partner.

If someone at the table gets served bread, I'll ask, "you do know that bread is the work of the devil?"

Or if someone asks me if I want some butter, I'll raise an eyebrow, "Butter? I didn't have an angiogram scheduled tomorrow..."

But now, after my colleague's episode, I'm really paranoid. I'm really going to watch what I eat now.

A bunch of us go to a fast-food restaurant from time to time. I used to order the Chicken Wrap, with no sauce and no cheese. Now I guess I'll order the Chicken Wrap, with no sauce, no cheese and no wrap.

Now my cholesterol is 170. My ratio is 2.5, which is in a very desirable range. I work out four to five times a week, twice on resistance training, twice on the heavy bag and floor-ceiling bag, with some elliptical training thrown on as an added bonus.

My food pyramid, above, breaks down the diet for you. Tomatoes are the key, you see, as the lycopene keeps your body's resistance high. I don't know if anyone else could or would want to follow this diet. I do know that it seems to be working for me. Every time you see some sweets, just imagine a bug crawling inside it. Maybe that'll cut down on the chocoholism.

On a more serious note: One thing I have learned from these events... it's easy to overlook some chest pain and try to 'gut it out'. My Dad did it. My colleague did it. It almost cost both their lives. If you're at any risk whatsoever and encounter chest pain, get it checked out, fast. Your family and friends don't want to attend a funeral. They'd rather be visiting you as you recuperate in the hospital.