Re: SSL stops credit card sniffing is a correlation/causality myth

2005-06-02 Thread Tom Weinstein

Ian G wrote:


But don't get me wrong - I am not saying that we should
carry out a world wide pogrom on SSL/PKI.  What I am
saying is that once we accept that listening right now
is not an issue - not a threat that is being actively
defended against - this allows us the wiggle room to
deploy that infrastructure against phishing.

Does that make sense?
 

No, not really. Until you can show me an Internet Draft for a solution 
to phishing that requires that we give up SSL, I don't see any reason to 
do so. As a consumer, I'd be very reluctant to give up SSL for credit 
card transactions because I use it all the time and it makes me feel safer.



What matters is now:  what attacks are happening
now.  Does phishing exist, and does it take a lot of
money?  What can we do about it?
 

If you don't know what we can do about phishing, why do you think that 
getting rid of SSL is a necessary first step? You seem to be putting the 
cart in front of the horse.


--
Give a man a fire and he's warm for a day, but set | Tom Weinstein
him on fire and he's warm for the rest of his life.| [EMAIL PROTECTED]



-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: SSL stops credit card sniffing is a correlation/causality myth

2005-06-02 Thread Adam Shostack
On Tue, May 31, 2005 at 06:43:56PM -0400, Perry E. Metzger wrote:
| 
| Ian G [EMAIL PROTECTED] writes:
|  Perhaps you are unaware of it because no one has chosen to make you
|  aware of it. However, sniffing is used quite frequently in cases where
|  information is not properly protected. I've personally dealt with
|  several such situations.
| 
|  This leads to a big issue.  If there are no reliable reports,
|  what are we to believe in?  Are we to believe that the
|  problem doesn't exist because there is no scientific data,
|  or are we to believe those that say I assure you it is a
|  big problem?
| [...]
|  The only way we can overcome this issue is data.
| 
| You aren't going to get it. The companies that get victimized have a
| very strong incentive not to share incident information very
| widely. However, those of us who actually make our living in the field
| generally have a pretty strong sense of what is going wrong out there.

I believe that this is changing, and that Choicepoint is the wedge.
Organizations that are under no legal obligation to report breaches
are doing so, some quite rapidly, to avoid the PR disaster that hit
Choicepoint.

That shift may lead to a change in public perceptions from breaches
are rare to the reality, which is that breaches are common.  If that
shift takes place, then companies may be more willing to share data,
and that's a good.

[...] much deleted

| Statistics and the sort of economic analysis you speak of depends on
| assumptions like statistical independence and the ability to do
| calculations. If you have no basis for calculation and statistical
| independence doesn't hold because your actors are not random processes
| but intelligent actors, the method is worthless.
| 
| In most cases, by the way, the raw cost of attempting a cost benefit
| analysis will cost far more than just implementing a safeguard. A
| couple thou for encrypting a link or buying an SSL card is a lot
| cheaper than the consulting hours, and the output of the hours would
| be an utterly worthless analysis anyway.

So, that may be the case when you're dealing with an SSL accelerator,
but there are lots of other cases, say, implementing database security
rules, or ensuring that non-transactional lookups are logged, which
are harder to argue for, take more time and energy to implement, and
may well entail not implementing customer-visible features to get them
in on budget. 

Choicepoint and Lexis Nexis seemingly, had neither.  Nor are they
representational.   We lack good data, and while there are a few
hundred folks who have the experience, chops, and savvy to help their
customers make good decisions, there are tens of thousands of
companies, many of whom choose not to pay rates for that sort of
advice, and hire an MCSE, instead.  People who slap the label best
practice on log truncation.

I think that we need to promulgate the idea that Choicepoint is
creating a shift, that it will be ok to talk about breaches, with the
intent of getting better data over time.

Adam






Re: SSL stops credit card sniffing is a correlation/causality myth

2005-06-02 Thread Ian G
Ahh-oops!  That particular reply was scrappily written
late at night and wasn't meant to be sent!  Apologies
belatedly, I'd since actually come to the conclusion
that Steve's statement was strictly correct, in that
we won't ever *see* sniffing because SSL is in place,
whereas I interpreted this incorrectly perhaps as
SSL *stopped* sniffing.  Subtle distinctions can
sometimes matter.

So please ignore the previous email, unless a cruel
and unusual punishment is demanded...

iang


On Wednesday 01 June 2005 16:24, Ian G wrote:
 On Tuesday 31 May 2005 19:38, Steven M. Bellovin wrote:
  In message [EMAIL PROTECTED], Ian G writes:
  On Tuesday 31 May 2005 02:17, Steven M. Bellovin wrote:
   In message [EMAIL PROTECTED], James A. Donald 
writes:
   --
   PKI was designed to defeat man in the middle attacks
   based on network sniffing, or DNS hijacking, which
   turned out to be less of a threat than expected.
  
   First, you mean the Web PKI, not PKI in general.
  
   The next part of this is circular reasoning.  We don't see network
   sniffing for credit card numbers *because* we have SSL.
  
  I think you meant to write that James' reasoning is
  circular, but strangely, your reasoning is at least as
  unfounded - correlation not causality.  And I think
  the evidence is pretty much against any causality,
  although this will be something that is hard to show,
  in the absence.
 
  Given the prevalence of password sniffers as early as 1993, and given
  that credit card number sniffing is technically easier -- credit card
  numbers will tend to be in a single packet, and comprise a
  self-checking string, I stand by my statement.

 Well, I'm not arguing it is technically hard.  It's just
 un-economic.  In the same sense that it is not technically
 difficult for us to get in a car and go run someone
 over;  but we still don't do it.  And we don't ban the
 roads nor insist on our butlers walking with a red
 flag in front of the car, either.  Well, not any more.

 So I stand by my statement - correlation is not causality.

   * AFAICS, a non-trivial proportion of credit
  card traffic occurs over totally unprotected
  traffic, and that has never been sniffed as far as
  anyone has ever reported.  (By this I mean lots of
  small merchants with MOTO accounts that don't
  bother to set up proper SSL servers.)
 
  Given what a small percentage of ecommerce goes to those sites, I don't
  think it's really noticeable.

 Exactly my point.  Sniffing isn't noticeable.  Neither
 in the cases we know it could happen, nor in the
 areas.  The one place where it has been noticed is
 with passwords and what we know from that experience
 is that even the slightest security works to overcome
 that threat.  SSH is overkill, compared to the passwords
 mailouts that successfully protect online password sites.

   * We know that from our experiences
  of the wireless 802.11 crypto - even though we've
  got repeated breaks and the FBI even demonstrating
  how to break it, and the majority of people don't even
  bother to turn on the crypto, there remains practically
  zero evidence that anyone is listening.
  
FBI tells you how to do it:
https://www.financialcryptography.com/mt/archives/000476.
 
  Sure -- but setting up WEP is a nuisance.  SSL (mostly) just works.

 SSH just works - and it worked directly against the
 threat you listed above (password sniffing).  But it
 has no PKI to speak of, and this discussion is about
 whether PKI protects people, because it is PKI that is
 supposed to protect against spoofing - a.k.a. phishing.

 And it is PKI that makes SSL just doesn't set up.
 Anyone who's ever had to set up an Apache web
 server for SSL has to have asked themselves the
 question ... why doesn't this just work ?

  As
  for your assertion that no one is listening, I'm not sure what kind of
  evidence you'd seek.  There's plenty of evidence that people abuse
  unprotected access points to gain connectivity.

 Simply, evidence that people are listening.  Sniffing
 by means of the wire.

 Evidence that people abuse to gain unprotected
 access is nothing to do with sniffing traffic to steal
 information.  That's theft of access, which is a fairly
 minor issue, especially as it doesn't have any
 economic damages worth speaking of.  In fact,
 many cases seem to be more accidental access
 where neighbours end up using each other's access
 points because the software doesn't know where the
 property lines are.

   Since many of
   the worm-spread pieces of spyware incorporate sniffers, I'd say that
   part of the threat model is correct.
  
  But this is totally incorrect!  The spyware installs on the
  users' machines, and thus does not need to sniff the
  wire.  The assumption of SSL is (as written up in Eric's
  fine book) that the wire is insecure and the node is
  secure, and if the node is insecure then we are sunk.
 
  I meant precisely what I said and I stand by my statement.  I'm quite
  well aware of the 

Re: SSL stops credit card sniffing is a correlation/causality myth

2005-06-02 Thread Ian G
On Thursday 02 June 2005 11:33, Birger Tödtmann wrote:
 On Wednesday, 01.06.2005, 15:23 +0100, Ian G wrote:
 [...]

  For an example of the latter, look at Netcraft.  This is
  quite serious - they are putting out a tool that totally
  bypasses PKI/SSL in securing browsing.  Is it insecure?
  Yes of course, and it leaks my data like a sieve as
  one PKI guy said.

 [...]

 What I currently fail to see is the link to SSL.  Or, to its PKI model.

That's the point.  There is no link to SSL or PKI.
The only thing in common is the objective - to
protect the user when browsing.  Secure browsing
is now being offered by centralised database sans
crypto.

 Netcraft bypasses it, but I won't use Netcraft exclusively because I'm
 happy to use the crypto in SSL.  Netcraft and Trustbar are really nice
 add-ons to improve my security *with SSL*.  So where is the point?

Sure, I think it is a piece of junk, myself.  But I
am not important, I'm not an average user.
The only thing that is important is what the user
thinks and does.

When Netcraft announced their plugin had been
ported from IE to Firefox last week, they also
revealed that they had 60,000 downloads in
hours.  That tells us a few things.

Firstly, users want protection from phishing.

Secondly, Netcraft have succeeded enough
in the IE world in creating a user base for their
solution that it easily jumped across to the
Firefox userbase and scored impressive numbers
straight away.  Which tells us that it actually
delivers something useful (which may or may
not be security).  So we cannot discount that
the centralised database concept works well
enough by some measure or other.

So now we wait to see which model wins in
protecting the user from spoofing.

iang
-- 
Advances in Financial Cryptography:
   https://www.financialcryptography.com/mt/archives/000458.html



Re: SSL stops credit card sniffing is a correlation/causality myth

2005-06-02 Thread Anne Lynn Wheeler

Adam Shostack wrote:

So, that may be the case when you're dealing with an SSL accelerator,
but there are lots of other cases, say, implementing database security
rules, or ensuring that non-transactional lookups are logged, which
are harder to argue for, take more time and energy to implement, and
may well entail not implementing customer-visible features to get them
in on budget. 


Choicepoint and Lexis Nexis seemingly, had neither.  Nor are they
representational.   We lack good data, and while there are a few
hundred folks who have the experience, chops, and savvy to help their
customers make good decisions, there are tens of thousands of
companies, many of whom choose not to pay rates for that sort of
advice, and hire an MCSE, instead.  People who slap the label best
practice on log truncation.

I think that we need to promulgate the idea that Choicepoint is
creating a shift, that it will be ok to talk about breaches, with the
intent of getting better data over time.


we got brought in to work on some word smithing for both the cal. state 
and the fed. digital signature legislation (we somewhat concentrated on 
the distinction between digital signature authentication and that human 
signature implies read, understands, agrees, approves, authorizes, etc 
 which isn't present in simple authentication).


one of the industry groups that was active in the effort had done some 
extensive surveys on driving factors behind various kinds of regulatory 
and legislative actions. with regard to privacy regulatory/legislative 
actions ... the two main driving factors were 1) identity theft and 2) 
effectively institutional (gov, commercial, etc) denial of service.




Re: SSL stops credit card sniffing is a correlation/causality myth

2005-06-01 Thread Daniel Carosone
On Tue, May 31, 2005 at 06:43:56PM -0400, Perry E. Metzger wrote:
  So we need to see a Choicepoint for listening and sniffing and so
  forth.
 
 No, we really don't.

Perhaps we do - not so much as a source of hard statistical data, but
as a source of hard pain.

People making (uninformed or ill-considered, despite our best efforts
to inform) business and risk decisions seemingly need concrete
examples to avoid.

It's depressing how much of what we actually achieve is determined by
primitive pain response reflexes - even when you're in the beneficial
position of having past insistences validated by the pain of others.

 The day to day problem of security at real financial institutions is
 the fact that humans are very poor at managing complexity, and that
 human error is extremely pervasive. I've yet to sit in a conference
 room and think oh, if I only had more statistical data, but I've
 frequently been frustrated by gross incompetence.

Amen.

--
Dan.




Re: SSL stops credit card sniffing is a correlation/causality myth

2005-06-01 Thread Perry E. Metzger

Daniel Carosone [EMAIL PROTECTED] writes:
 On Tue, May 31, 2005 at 06:43:56PM -0400, Perry E. Metzger wrote:
  So we need to see a Choicepoint for listening and sniffing and so
  forth.
 
 No, we really don't.

 Perhaps we do - not so much as a source of hard statistical data, but
 as a source of hard pain.

That might not be such a bad thing. Object lessons have a way of
whipping people in to shape. A few more heads rolling might convince
others that security isn't optional.

In the late 1960s, several major brokerage firms went under because
they didn't have their accounting systems sufficiently automated. The
people on the business side thought of I.T. as a necessary evil
rather than as the backbone of their business, and they paid the
price.

At intervals, business gets major accounting scandals, about every 20
to 40 years when people forget about the last set. I suspect
I.T. crises are similar. It has been so long since the last one
happened in the financial industry that the institutional memory of it
is now gone, so we're ripe for another.

It is my prediction that we will, in the next five years, get the
failure of a couple of international financial institutions because of
insufficient attention to systems security, again because there are a
few executives in the business who do not understand that I.T. is not
an expense that needs managing but rather the nervous system of the
company.

 People making (uninformed or ill-considered, despite our best efforts
 to inform) business and risk decisions seemingly need concrete
 examples to avoid.

Indeed.

Perry



Re: SSL stops credit card sniffing is a correlation/causality myth

2005-06-01 Thread Ian G
On Wednesday 01 June 2005 10:35, Birger Tödtmann wrote:
 On Tuesday, 31.05.2005, 18:31 +0100, Ian G wrote:
 [...]

  As an alternate hypothesis, credit cards are not
  sniffed and never will be sniffed simply because
  that is not economic.  If you can hack a database
  and lift 10,000++ credit card numbers, or simply
  buy the info from some insider, why would an
  attacker ever bother to try and sniff the wire to
  pick up one credit card number at a time?

 [...]

 And never will be...?  Not being economic today does not mean it
 couldn't be economic tomorrow.  Today it's far more economic to lift
 data-in-rest because it's fairly easy to get on an insider or break into
 the database itself.

Right, so we are agreed that listening to credit cards
is not an economic attack - regardless of the presence
of SSL.

Now, the point of this is somewhat subtle.  It is not
that you should turn off SSL.

The point is this:  you *could*
turn off SSL and it wouldn't make much difference
to actual security in the short term at least, and maybe
not even in the long term depending on the economic
shifts.

OK, so, are we agreed on that:  we *could* turn off
SSL, but that isn't the same thing as *should*?

If we've got that far we can go to the next step.

If we *could* turn off SSL then we have some breathing
space, some room to manoeuvre.  Some wiggle room.

Which means we could modify the model.  Which
means we could change the model, we could tune
the crypto or the PKI.  And in the short term, that
would not be a problem for security because there
isn't an economic attack anyway.  Right now, at
least.

OK so far?

This means that we could improve or decrease
its strength ... as our objectives suggest ... or we
could *re-purpose* SSL if this were so desired.

So we could for example use SSL and PKI to
protect from something else.  If that were an issue.

Let's assume phishing is an issue (1.2 billion
dollars of American money is the favourite number).

If we could figure out a way to change the usage
of SSL and PKI to protect against phishing, would
that be a good idea?

It wouldn't be a bad idea, would it?  How could it
be a bad idea when the infrastructure is in place,
and is not currently being used to defeat any
attack?

So, even in a stupidly aggressive worst case
scenario, if we were to turn off SSL/PKI in the process
and turn its benefit over to phishing, and discover
that it no longer protects against listening attacks
at all - remember I'm being ridiculously hypothetical
here - then as long as it did *some* benefit in
stopping phishing, that would still be a net good.

That is, there would be some phishing victims
who would thank you for saving them, and there
would *not* be any Visa merchants who would
necessarily damn your grandmother for losing
credit cards.  Not in the short term at least.

And if listening were to erupt in a frenzy in the
future it would likely be possible to turn off the
anti-phishing tasking and turn SSL/PKI back to
protecting against eavesdropping.  Perhaps as
a tradeoff between the credit card victim and
the phishing victim.

But that's just stupidly hypothetical.  The main
thing is that we can fiddle with SSL/PKI if we want
to and we can even afford to make some mistakes.

So the question then results in - could it be used
to benefit phishing?  I can point at some stuff that
says it will be.

But every time this good stuff is suggested, the
developers, cryptographers, security experts and
what have you suck air between their teeth in and
say you can't change SSL or PKI because of this
crypto blah blah reason.

My point is you can change it.  Of course you
can change it - and here's why:  it's not being
economically used over here (listening), and
right over there (phishing), there is an economic
loss waiting attention.


 However, when companies finally find some 
 countermeasures against both attack vectors, adversaries will adapt and
 recalculate the economics.  And they may very well fall back to sniffing
 for data-in-flight, just as they did (and still do sometimes now) to get
 hold of logins and passwords inside corporate networks in the 80s and
 90s.  If it's more difficult to hack into the database itself than to
 break into a small, not-so-protected system at a large network provider
 and install a sniffer there that silently collects 10,000++ credit card
 numbers over some weeks - then sniffing *is* an issue.  We have seen it,
 and we will see it again.  SSL is a very good countermeasure against
 passive eavesdropping of this kind, and a lot of data suggests that
 active attacks like MITM are seen much less frequently.


All that is absolutely true, in that we can conjecture
that if we close everything else off, then sniffing will
become economic.  That's a fair statement.

But, go and work in one of these places for a while,
or see what Perry said yesterday:

 The day to day problem of security at real financial institutions is
 the fact that humans are very poor at 

Re: SSL stops credit card sniffing is a correlation/causality myth

2005-06-01 Thread Ian G
On Tuesday 31 May 2005 23:43, Perry E. Metzger wrote:
 Ian G [EMAIL PROTECTED] writes:

Just on the narrow issue of data - I hope I've
addressed the other substantial points in the
other posts.

  The only way we can overcome this issue is data.

 You aren't going to get it. The companies that get victimized have a
 very strong incentive not to share incident information very
 widely.

On the issue of sharing data by victims, I'd strongly
recommend the paper by Schechter and Smith, FC03.
 How Much Security is Enough to Stop a Thief?
http://www.eecs.harvard.edu/~stuart/papers/fc03.pdf
I've also got a draft paper that argues the same thing
and speaks directly and contrarily to your statement:

Sharing data is part of the way towards better security.

(But I argue it from a different perspective to SS.)


 1) You have one anecdote. You really have no idea how
frequently this happens, etc.

The world for security in the USA changed dramatically
when Choicepoint hit.  Check out the data at:

http://pipeda.blogspot.com/2005/02/summaries-of-incidents-cataloged-on.html
http://www.strongauth.com/regulations/sb1386/sb1386Disclosures.html

Also, check out Adam's blog at

http://www.emergentchaos.com/

He has a whole category entitled Choicepoint for
background reading:

http://www.emergentchaos.com/archives/cat_choicepoint.html

Finally we have our data in the internal governance
and hacking breaches.  As someone said today, Amen
to that.  No more arguments, just say Choicepoint.

 2) It doesn't matter how frequently it happens, because no two
companies are identical. You can't run 100 choicepoints and see
what percentage have problems.

We all know that the attacker is active and can
change tactics.  But locksmiths still recommend
that you put a lock on your door that is a) a bit
stronger than the door and b) a bit better than your
neighbours.  Just because there are interesting
quirks and edge cases in these sciences doesn't
mean we should wipe out other aspects of our
knowledge of scientific method.

 3) If you're deciding on how to set up your firm's security, you can't
say 95% of the time no one attacks you so we won't bother, for
the same reason that you can't say if I drive my car while
slightly drunk 95% of the time I'll arrive safe, because the 95%
of the time that nothing happens doesn't matter if the cost of the
5% is so painful (like, say, death) that you can't recover from
it.

Which is true regardless of whether you are
slightly drunk or not at all or whether a few
pills had been taken or tiredness hits.

Literally, like driving when not 100% fit, the
decision maker makes a quick decision based
on what they know.  The more they know, the
better off they are.  The more data they have,
the better informed their decision.

 In particular, you don't want to be someone on whose watch a
 major breach happens. Your career is over even if it never happens
 to anyone else in the industry.

Sure.  Life's a bitch.  One can only do one's
best and hope it doesn't hit.  But have a read
of SS' paper, and if you still have the appetite,
try my draft:

http://iang.org/papers/market_for_silver_bullets.html

 Statistics and the sort of economic analysis you speak of depends on
 assumptions like statistical independence and the ability to do
 calculations. If you have no basis for calculation and statistical
 independence doesn't hold because your actors are not random processes
 but intelligent actors, the method is worthless.

No, that's way beyond what I was saying.

I was simply asserting one thing:  without data, we do
not know if an issue exists.  Without even a vaguely
measured sense of seeing it in enough cases to know
it is not an anomaly, we simply can't differentiate it
from all the other conspiracy theories, FUD sales,
government agendas, regulatory hobby horses,
history lessons written by victors, or what-have-you.

Ask any manager.  Go to him or her with a new
threat.  He or she will ask who has this happened
to?

If the answer is it used to happen all the time in
1994 ... then a manager could be forgiven for
deciding the data was stale.  If the answer is
no-one, then no matter how risky, the likely
answer is get out!  If the answer is these X
companies in the last month then you've got
some mileage.

Data is everything.

iang
-- 
Advances in Financial Cryptography:
   https://www.financialcryptography.com/mt/archives/000458.html



Re: SSL stops credit card sniffing is a correlation/causality myth

2005-06-01 Thread Ian G
Hi Birger,

Nice debate!


On Wednesday 01 June 2005 13:52, Birger Tödtmann wrote:
 On Wednesday, 01.06.2005, 12:16 +0100, Ian G wrote:
 [...]

  The point is this:  you *could*
  turn off SSL and it wouldn't make much difference
  to actual security in the short term at least, and maybe
  not even in the long term depending on the economic
  shifts.

 Which depends a bit on the scale of your could switch of.  If some
 researchers start switching it off / inventing / testing something new,
 then your favourite phisher would not care, that's right.

Right.  That's the point.  It is not a universal
and inescapable bad to fiddle with SSL/PKI.

 [...]

  But every time this good stuff is suggested, the
  developers, cryptographers, security experts and
  what have you suck air between their teeth in and
  say you can't change SSL or PKI because of this
  crypto blah blah reason.
 
  My point is you can change it.  Of course you
  can change it - and here's why:  it's not being
  economically used over here (listening), and
  right over there (phishing), there is an economic
  loss waiting attention.

 Maybe.  But there's a flip-side to that coin.  SSL and correlated
 technology helped to shift the common attack methods from sniffing (it
 was widely popular back then to install a sniffer wherever a hacker got
 his foot inside a network) towards advanced, in some sense social
 engineering attacks like phishing *because* it shifted the economics
 for the adversaries as it was more and more used to protect sensitive
 data-in-flight (and sniffing wasn't going to get him a lot of credit
 card data anymore).


OK, and that's where we get into poor use of
data.  Yes, sniffing of passwords existed back
then.  So we know that sniffing is quite possible
and on reasonable scale, plausible technically.

But the motive of sniffing back then was different.
It was for attacking boxes.  Access attack.  Not
for the purpose of theft of commercial data.  It
was a postulation that those that attacked boxes
for access would also sniff for credit cards.  But,
we think that to have been a stretch (hence the
outrageous title of this post) at least up until
recently.

Before 2004, these forces and
attackers were disconnected.  In 2004 they joined
forces.  In which case, you do now have quite a
good case that the installation of sniffers could be
used if there was nothing else worth picking up.
So at least we now have the motive cleared up,
if not the economic attack.

(Darn ... I seem to have argued your case for you ;-) )

 That this behaviour (sniffing) is a thing of the past does not mean it's
 not coming back to you if things are turned around: adversaries are
 strategically thinking people that adapt very fast to new circumstances.

Indeed.  It also doesn't mean that they will come
and attack.  Maybe it is a choice between the
attack that is happening right now and the attack
that will come back.  Or maybe the choice is
not really there, maybe we can cover both if
we put our thinking caps on?

 The discussion reminds me a bit of other popular economic issues: Many
 politicians and some economists all over the world, every year, are
 coming back to asking Can't we loosen the control on inflation a bit?
 Look, inflation is a thing of the past, we never got over 3% the last
 umpteenth years, let's trigger some employment by relaxing monetary
 discipline now.  The point is: it might work - but if not, your economy
 may end up in tiny little pieces.  It's quite a risk, because you cannot
 test it.  So the stance of many people is to be very conservative on
 things like that - and security folks are no exception.  Maybe fiddling
 with SSL is really a nice idea.  But if it fails at some point and we
 don't have a fallback infrastructure that's going to protect us from the
 sniffer-collector of the 90s, adversaries will be quite happy to bring
 them to new interesting uses then

Nice analogy!  Like all analogies it should be taken
for descriptive power, not prescription.

The point being that one should not slavishly stick
to an argument, one needs to establish principles.
One principle is that we protect where money is being
lost, over and above somewhere where someone
says it was once lost in the past.  And at least then
we'll learn the appropriate balance when we get it
wrong, which can't be much worse than now, coz
we are getting it really wrong at the moment.

(On the monetary economics analogy, if you said your
principle was to eliminate inflation, I'd say fine!  There
is an easy way to do just that, just use gold as money,
which has maintained its value throughout recorded
history, not just the last century!  The targets debate
has been echoing on for decades, and there is no
real end in sight.)

  So I would suggest that listening for credit cards will
  never ever be an economic attack.  Sniffing for random
  credit cards at the doorsteps of amazon will never ever
  be an economic attack, not because it isn't possible,

Re: SSL stops credit card sniffing is a correlation/causality myth

2005-06-01 Thread Ian G
On Tuesday 31 May 2005 19:38, Steven M. Bellovin wrote:
 In message [EMAIL PROTECTED], Ian G writes:
 On Tuesday 31 May 2005 02:17, Steven M. Bellovin wrote:
  In message [EMAIL PROTECTED], James A. Donald writes:
  --
  PKI was designed to defeat man in the middle attacks
  based on network sniffing, or DNS hijacking, which
  turned out to be less of a threat than expected.
 
  First, you mean the Web PKI, not PKI in general.
 
  The next part of this is circular reasoning.  We don't see network
  sniffing for credit card numbers *because* we have SSL.
 
 I think you meant to write that James' reasoning is
 circular, but strangely, your reasoning is at least as
 unfounded - correlation not causality.  And I think
 the evidence is pretty much against any causality,
 although this will be something that is hard to show,
 in the absence.

 Given the prevalence of password sniffers as early as 1993, and given
 that credit card number sniffing is technically easier -- credit card
 numbers will tend to be in a single packet, and comprise a
 self-checking string, I stand by my statement.


Well, I'm not arguing it is technically hard.  It's just
un-economic.  In the same sense that it is not technically
difficult for us to get in a car and go run someone
over;  but we still don't do it.  And we don't ban the
roads nor insist on our butlers walking with a red
flag in front of the car, either.  Well, not any more.

So I stand by my statement - correlation is not causality.

  * AFAICS, a non-trivial proportion of credit
 card traffic occurs over totally unprotected
 traffic, and that has never been sniffed as far as
 anyone has ever reported.  (By this I mean lots of
 small merchants with MOTO accounts that don't
 bother to set up proper SSL servers.)

 Given what a small percentage of ecommerce goes to those sites, I don't
 think it's really noticeable.


Exactly my point.  Sniffing isn't noticeable.  Neither
in the cases we know it could happen, nor in the
areas.  The one place where it has been noticed is
with passwords and what we know from that experience
is that even the slightest security works to overcome
that threat.  SSH is overkill, compared to the passwords
mailouts that successfully protect online password sites.

  * We know that from our experiences
 of the wireless 802.11 crypto - even though we've
 got repeated breaks and the FBI even demonstrating
 how to break it, and the majority of people don't even
 bother to turn on the crypto, there remains practically
 zero evidence that anyone is listening.
 
   FBI tells you how to do it:
   https://www.financialcryptography.com/mt/archives/000476.

 Sure -- but setting up WEP is a nuisance.  SSL (mostly) just works.

SSH just works - and it worked directly against the
threat you listed above (password sniffing).  But it
has no PKI to speak of, and this discussion is about
whether PKI protects people, because it is PKI that is
supposed to protect against spoofing - a.k.a. phishing.

And it is PKI that makes SSL just doesn't set up.
Anyone who's ever had to set up an Apache web
server for SSL has to have asked themselves the
question ... why doesn't this just work ?

 As 
 for your assertion that no one is listening, I'm not sure what kind of
 evidence you'd seek.  There's plenty of evidence that people abuse
 unprotected access points to gain connectivity.

Simply, evidence that people are listening.  Sniffing
by means of the wire.

Evidence that people abuse to gain unprotected
access is nothing to do with sniffing traffic to steal
information.  That's theft of access, which is a fairly
minor issue, especially as it doesn't have any
economic damages worth speaking of.  In fact,
many cases seem to be more accidental access
where neighbours end up using each other's access
points because the software doesn't know where the
property lines are.


  Since many of
  the worm-spread pieces of spyware incorporate sniffers, I'd say that
  part of the threat model is correct.
 
 But this is totally incorrect!  The spyware installs on the
 users' machines, and thus does not need to sniff the
 wire.  The assumption of SSL is (as written up in Eric's
 fine book) that the wire is insecure and the node is
 secure, and if the node is insecure then we are sunk.

 I meant precisely what I said and I stand by my statement.  I'm quite
 well aware of the difference between network sniffers and keystroke
 loggers.


OK, so maybe I am incorrectly reading this - are you
saying that spyware is being delivered that incorporates
wire sniffers?  Sniffers that listen to the ethernet traffic?

If that's the case, that is the first I've heard of it.  What
is it that these sniffers are listening for?

   Eric's book and 1.2 The Internet Threat Model
   http://iang.org/ssl/rescorla_1.html
 
 Presence of keyboard sniffing does not give us any
 evidence at all towards wire sniffing and only serves
 to further embarrass the SSL threat model.
 
  As for DNS hijacking -- that's what's 

Re: SSL stops credit card sniffing is a correlation/causality myth

2005-05-31 Thread Steven M. Bellovin
In message [EMAIL PROTECTED], Ian G writes:
On Tuesday 31 May 2005 02:17, Steven M. Bellovin wrote:
 In message [EMAIL PROTECTED], James A. Donald writes:
 --
 PKI was designed to defeat man in the middle attacks
 based on network sniffing, or DNS hijacking, which
 turned out to be less of a threat than expected.

 First, you mean the Web PKI, not PKI in general.

 The next part of this is circular reasoning.  We don't see network
 sniffing for credit card numbers *because* we have SSL.

I think you meant to write that James' reasoning is
circular, but strangely, your reasoning is at least as
unfounded - correlation not causality.  And I think
the evidence is pretty much against any causality,
although this will be something that is hard to show,
in the absence.

Given the prevalence of password sniffers as early as 1993, and given 
that credit card number sniffing is technically easier -- credit card 
numbers will tend to be in a single packet, and comprise a 
self-checking string, I stand by my statement.

 * AFAICS, a non-trivial proportion of credit
card traffic occurs over totally unprotected
traffic, and that has never been sniffed as far as
anyone has ever reported.  (By this I mean lots of
small merchants with MOTO accounts that don't
bother to set up proper SSL servers.)

Given what a small percentage of ecommerce goes to those sites, I don't 
think it's really noticeable.

 * We know that from our experiences
of the wireless 802.11 crypto - even though we've
got repeated breaks and the FBI even demonstrating
how to break it, and the majority of people don't even
bother to turn on the crypto, there remains practically
zero evidence that anyone is listening.

  FBI tells you how to do it:
  https://www.financialcryptography.com/mt/archives/000476.

Sure -- but setting up WEP is a nuisance.  SSL (mostly) just works.  As 
for your assertion that no one is listening, I'm not sure what kind of 
evidence you'd seek.  There's plenty of evidence that people abuse 
unprotected access points to gain connectivity.

As an alternate hypothesis, credit cards are not
sniffed and never will be sniffed simply because
that is not economic.  If you can hack a database
and lift 10,000++ credit card numbers, or simply
buy the info from some insider, why would an
attacker ever bother to try and sniff the wire to
pick up one credit card number at a time?

Sure -- that's certainly the easy way to do it.

And if they did, why would we care?  Better to
let a stupid thief find a way to remove himself from
a life of crime than to channel him into a really
dangerous and expensive crime like phishing,
box cracking, and purchasing identity info from
insiders.

 Since many of 
 the worm-spread pieces of spyware incorporate sniffers, I'd say that
 part of the threat model is correct.

But this is totally incorrect!  The spyware installs on the
users' machines, and thus does not need to sniff the
wire.  The assumption of SSL is (as written up in Eric's
fine book) that the wire is insecure and the node is
secure, and if the node is insecure then we are sunk.

I meant precisely what I said and I stand by my statement.  I'm quite 
well aware of the difference between network sniffers and keystroke 
loggers.

  Eric's book and 1.2 The Internet Threat Model
  http://iang.org/ssl/rescorla_1.html

Presence of keyboard sniffing does not give us any
evidence at all towards wire sniffing and only serves
to further embarrass the SSL threat model.

 As for DNS hijacking -- that's what's behind pharming attacks.  In
 other words, it's a real threat, too.

Yes, that's being tried now too.  This is I suspect the
one area where the SSL model correctly predicted
a minor threat.  But from what I can tell, server-based
DNS hijacking isn't that successful for the obvious
reasons (attacking the ISP to get to the user is a
higher risk strategy than makes sense in phishing).

They're using cache contamination attacks, among other things.

...


As perhaps further evidence of the black mark against
so-called secure browsing, phishers still have not
bothered to acquire control-of-domain certs for $30
and use them to spoof websites over SSL.

Now, that's either evidence that $30 is too much to
pay, or that users just ignore the certs and padlocks
so it is no big deal anyway.  Either way, a model
that is bypassed so disparagingly without even a
direct attack on the PKI is not exactly recommending
itself.

I agree completely that virtually no one checks certificates (or even 
knows what they are).


--Steven M. Bellovin, http://www.cs.columbia.edu/~smb



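Bellovin's remark above that a card number "comprises a self-checking string" refers to the Luhn mod-10 check digit, which is the same property a defender's DLP or IDS sensor uses to spot card numbers leaving a network in cleartext. The following is an added example, not code from the thread or from anyone quoted in it: it runs that check over a constructed cleartext checkout request and a constructed TLS flow, reports only masked values, and shows why an encrypted flow is opaque to the same passive inspection. The sample traffic, the addresses, and the 13-to-19-digit regular expression heuristic are all assumptions made for the example; the card value is a widely used test number, not a real account.

```python
import re

# Constructed sample of a checkout POST as it would appear on the wire with
# no TLS. The order id is a 16-digit string that is NOT a valid card number;
# the card field is a well-known Luhn-valid test number, not a real card.
SAMPLE_PLAINTEXT = (
    "POST /checkout HTTP/1.1\r\nHost: shop.example\r\n\r\n"
    "order=1234567890123456&name=A+Customer&card=4111-1111-1111-1111&exp=12%2F07"
)

# Constructed flow records (client, transport, payload). On a TLS flow a
# passive observer sees only opaque application-data records.
SAMPLE_FLOWS = [
    ("10.0.0.5", "http", SAMPLE_PLAINTEXT),
    ("10.0.0.6", "https", "<TLS application data, opaque to a passive observer>"),
]


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: the property that makes a PAN 'self-checking'."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit counting from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


# 13 to 19 digits, optionally separated by single spaces or dashes, and not
# embedded in a longer digit run (assumed heuristic, not a standard).
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def find_pans(text: str) -> list:
    """Return the Luhn-valid card-number candidates present in cleartext."""
    hits = []
    for m in _CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def mask(pan: str) -> str:
    """Keep only the BIN and last four so the alert itself does not leak the PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def exposed_pans(flows) -> dict:
    """Map client address to masked PANs seen in its cleartext flows."""
    report = {}
    for client, transport, payload in flows:
        if transport != "http":
            continue  # encrypted flows cannot be inspected this way
        found = find_pans(payload)
        if found:
            report.setdefault(client, []).extend(mask(p) for p in found)
    return report


if __name__ == "__main__":
    print(exposed_pans(SAMPLE_FLOWS))  # {'10.0.0.5': ['411111******1111']}
```

The order id is rejected because it fails the check digit, which is exactly why a sensor can flag card numbers with few false positives while ignoring other long numbers. The TLS flow produces nothing, which is the point both sides of the thread agree on: the transport protects data in flight, and the sensor (like any sniffer) has to look elsewhere, such as at the endpoint or the database, to see anything.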


Re: SSL stops credit card sniffing is a correlation/causality myth

2005-05-31 Thread Perry E. Metzger

Ian G [EMAIL PROTECTED] writes:
 On Tuesday 31 May 2005 02:17, Steven M. Bellovin wrote:
 The next part of this is circular reasoning.  We don't see network
 sniffing for credit card numbers *because* we have SSL.

 I think you meant to write that James' reasoning is
 circular, but strangely, your reasoning is at least as
 unfounded - correlation not causality.  And I think
 the evidence is pretty much against any causality,
 although this will be something that is hard to show,
 in the absence.

  * AFAICS, a non-trivial proportion of credit
 card traffic occurs over totally unprotected
 traffic, and that has never been sniffed as far as
 anyone has ever reported.

Perhaps you are unaware of it because no one has chosen to make you
aware of it. However, sniffing is used quite frequently in cases where
information is not properly protected. I've personally dealt with
several such situations.

Bluntly, it is obvious that SSL has been very successful in thwarting
certain kinds of interception attacks. I would expect that without it,
we'd see mass harvesting of credit card numbers at particularly
vulnerable parts of the network, such as in front of important
merchants. The fact that phishing and other attacks designed to force
people to disgorge authentication information has become popular is a
tribute to the fact that sniffing is not practical.

The bogus PKI infrastructure that SSL generally plugs in to is, of
course, a serious problem. Phishing attacks, pharming attacks and
other such stuff would be much harder if SSL weren't mostly used with
an unworkable fake PKI. (Indeed, I'd argue that PKI as envisioned is
unworkable.)  However, that doesn't make SSL any sort of failure -- it
has been an amazing success.

  * We know that from our experiences
 of the wireless 802.11 crypto - even though we've
 got repeated breaks and the FBI even demonstrating
 how to break it, and the majority of people don't even
 bother to turn on the crypto, there remains practically
 zero evidence that anyone is listening.

Where do you get that idea? Break-ins to firms over their unprotected
802.11 networks are not infrequent occurrences. Perhaps you're unaware
of whether anyone is listening in to your home network, but I suspect
there is very little that is interesting to listen in to on your home
network, so there is little incentive for anyone to break it.

 As for DNS hijacking -- that's what's behind pharming attacks.  In
 other words, it's a real threat, too.

 Yes, that's being tried now too.  This is I suspect the
 one area where the SSL model correctly predicted
 a minor threat.  But from what I can tell, server-based
 DNS hijacking isn't that successful for the obvious
 reasons

You are wrong there again.

Where are you getting your information from? Whomever your informant
is, they're not giving you accurate information.


-- 
Perry E. Metzger  [EMAIL PROTECTED]



Re: SSL stops credit card sniffing is a correlation/causality myth

2005-05-31 Thread Anne Lynn Wheeler

Steven M. Bellovin wrote:
Given the prevalence of password sniffers as early as 1993, and given 
that credit card number sniffing is technically easier -- credit card 
numbers will tend to be in a single packet, and comprise a 
self-checking string, I stand by my statement.


the major exploits have involved data-at-rest ... not data-in-flight. 
internet credit card sniffing can be easier than password sniffing, 
but that doesn't mean that the fraud cost/benefit ratio is better than 
harvesting large transaction database files. you could possibly 
conjecture password sniffing enabling compromise/exploits of 
data-at-rest ... quick in & out and may have months worth of transaction 
information all nicely organized.


to large extent SSL was used to show that internet/e-commerce wouldn't 
result in the theoretical sniffing making things worse (as opposed to 
addressing the major fraud vulnerability & threat).


internet/e-commerce did increase the threats & vulnerabilities to the 
transaction database files (data-at-rest) ... which is where the major 
threat has been. There has been a proliferation of internet merchants 
with electronic transaction database files ... where there may be 
various kinds of internet access to the databases. Even when the 
prevalent risk to these files has been from insiders ... the possibility 
of outsider compromise can still obfuscate tracking down who is actually 
responsible.




Re: SSL stops credit card sniffing is a correlation/causality myth

2005-05-31 Thread Ian G
On Tuesday 31 May 2005 21:03, Perry E. Metzger wrote:
 Ian G [EMAIL PROTECTED] writes:
  On Tuesday 31 May 2005 02:17, Steven M. Bellovin wrote:
  The next part of this is circular reasoning.  We don't see network
  sniffing for credit card numbers *because* we have SSL.
 
  I think you meant to write that James' reasoning is
  circular, but strangely, your reasoning is at least as
  unfounded - correlation not causality.  And I think
  the evidence is pretty much against any causality,
  although this will be something that is hard to show,
  in the absence.
 
   * AFAICS, a non-trivial proportion of credit
  card traffic occurs over totally unprotected
  traffic, and that has never been sniffed as far as
  anyone has ever reported.

 Perhaps you are unaware of it because no one has chosen to make you
 aware of it. However, sniffing is used quite frequently in cases where
 information is not properly protected. I've personally dealt with
 several such situations.


This leads to a big issue.  If there are no reliable reports,
what are we to believe in?  Are we to believe that the
problem doesn't exist because there is no scientific data,
or are we to believe those that say I assure you it is a
big problem?

It can't be the latter;  not because I don't believe you in
particular, but because the industry as a whole has not
the credibility to make such a statement.  Everyone who
makes such a statement is likely to be selling some
service designed to benefit from that statement, which
makes it very difficult to simply believe on the face of it.

The only way we can overcome this issue is data.  If
you have seen such situations, document them and
report them - on forums like these.  Anonymise them
suitably if you have to.

Another way of looking at this is to look at Choicepoint.
For years, we all suspected that the real problem was
the insider / node problem.  The company was where
the leaks occurred, traditionally.

But nobody had any data.  Until Choicepoint.  Now we
have data.  We know how big a problem the node is.
We now know that the problem inside the company is
massive.

So we need to see a Choicepoint for listening and
sniffing and so forth.  And we need that before we can
consider the listening threat to be economically validated.


 Bluntly, it is obvious that SSL has been very successful in thwarting
 certain kinds of interception attacks. I would expect that without it,
 we'd see mass harvesting of credit card numbers at particularly
 vulnerable parts of the network, such as in front of important
 merchants. The fact that phishing and other attacks designed to force
 people to disgorge authentication information has become popular is a
 tribute to the fact that sniffing is not practical.

And I'd expect to see massive email scanning by
now of say lawyer's email at ISPs.  But, no, very
little has occurred.

 The bogus PKI infrastructure that SSL generally plugs in to is, of
 course, a serious problem. Phishing attacks, pharming attacks and
 other such stuff would be much harder if SSL weren't mostly used with
 an unworkable fake PKI. (Indeed, I'd argue that PKI as envisioned is
 unworkable.)  However, that doesn't make SSL any sort of failure -- it
 has been an amazing success.

In this we agree.  Indeed, my thrust all along in
attacking PKI has been to get people to realise
that the PKI doesn't do nearly as much as people
think, and therefore it is OK to consider improving
it.  Especially, where it is weak and where attackers
are attacking.

Unfortunately, PKI and SSL are considered to be
sacrosanct and perfect by the community.  As these
two things working together are what protects people
from phishing (site spoofing) fixing them requires
people to recognise that the PKI isn't doing the job.

The cryptography community especially should get
out there and tell developers and browser implementors
that the reason phishing is taking place is that the
browser security model is being bypassed, and that
some tweaks are needed.

   * We know that from our experiences
  of the wireless 802.11 crypto - even though we've
  got repeated breaks and the FBI even demonstrating
  how to break it, and the majority of people don't even
  bother to turn on the crypto, there remains practically
  zero evidence that anyone is listening.

 Where do you get that idea? Break-ins to firms over their unprotected
 802.11 networks are not infrequent occurrences. Perhaps you're unaware
 of whether anyone is listening in to your home network, but I suspect
 there is very little that is interesting to listen in to on your home
 network, so there is little incentive for anyone to break it.

Can you distinguish between break-ins and sniffing
and listening attacks?  Break-ins, sure, I've seen a
few cases of that.  In each case the hackers tried to
break into an unprotected site that was accessible
over an unprotected 802.11.

My point though is that this attack is not listening.
It's an access attack.  So one must be careful 

Re: SSL stops credit card sniffing is a correlation/causality myth

2005-05-31 Thread Perry E. Metzger

Ian G [EMAIL PROTECTED] writes:
 Perhaps you are unaware of it because no one has chosen to make you
 aware of it. However, sniffing is used quite frequently in cases where
 information is not properly protected. I've personally dealt with
 several such situations.

 This leads to a big issue.  If there are no reliable reports,
 what are we to believe in?  Are we to believe that the
 problem doesn't exist because there is no scientific data,
 or are we to believe those that say I assure you it is a
 big problem?
[...]
 The only way we can overcome this issue is data.

You aren't going to get it. The companies that get victimized have a
very strong incentive not to share incident information very
widely. However, those of us who actually make our living in the field
generally have a pretty strong sense of what is going wrong out there.

 It can't be the latter;  not because I don't believe you in
 particular, but because the industry as a whole has not
 the credibility to make such a statement.  Everyone who
 makes such a statement is likely to be selling some
 service designed to benefit from that statement, which
 makes it very difficult to simply believe on the face of it.

Those who work as consultants to large organizations, or as internal
security personnel at them, tend to be fairly independent of particular
vendors. I don't have any financial reason to recommend particular
firms over others, and customers generally are in a position to judge
for themselves whether what gets recommended is a good idea or not.

 If you have seen such situations, document them and report them - on
 forums like these.  Anonymise them suitably if you have to.

Many of us actually take our contract obligations not to talk about
our customers quite seriously, and in any case, anonymous anecdotal
reports about unnamed organizations aren't really data in the
traditional sense. You worry about vendors spreading FUD -- well, why
do you assume you can trust anonymous comments not to be FUD from
vendors?

You don't really need to hear much from me or others on this sort of
thing, though. Pretty much common sense and reasoning will tell you
things like the bad guys attack the weak points etc. Experience says
if you leave a vulnerability, it will be exploited eventually, so you
try not to leave any.

All the data in the world isn't going to help you anyway. We're not
talking about what percentage of patients with melanoma respond
positively to what drug. Melanomas aren't intelligent and don't change
strategy based on what other melanomas are doing. Attack strategies
change. Attackers actively alter their behavior to match conditions.

The way real security professionals have to work is analysis and
conservatism. We assume we're dumb, we assume we'll make mistakes, we
try to put in as many checks as possible to prevent single points of
failure from causing trouble. We assume machines will be broken in to
and try to minimize the impact of that. We assume some employees will
turn bad at some point and try to have things work anyway in spite of
that.

 Another way of looking at this is to look at Choicepoint.
 For years, we all suspected that the real problem was
 the insider / node problem.  The company was where
 the leaks occurred, traditionally.

 But nobody had any data.  Until Choicepoint.  Now we
 have data.

No you don't.

1) You have one anecdote. You really have no idea how
   frequently this happens, etc. 
2) It doesn't matter how frequently it happens, because no two
   companies are identical. You can't run 100 choicepoints and see
   what percentage have problems.
3) If you're deciding on how to set up your firm's security, you can't
   say 95% of the time no one attacks you so we won't bother, for
   the same reason that you can't say if I drive my car while
   slightly drunk 95% of the time I'll arrive safe, because the 95%
   of the time that nothing happens doesn't matter if the cost of the
   5% is so painful (like, say, death) that you can't recover from
   it. In particular, you don't want to be someone on whose watch a
   major breach happens. Your career is over even if it never happens
   to anyone else in the industry.
4) Most of what you have to worry about is obvious anyway. There's
   nothing really new here. We've understood that people were the main
   problem in security systems since before computer security. Ever
   wonder why accounting controls are set up the way they are? How
   long were people separating the various roles in an accounting
   system to prevent internal collusion? That goes back long before
   computers.

 So we need to see a Choicepoint for listening and sniffing and so
 forth.

No, we really don't.

 And we need that before we can consider the listening threat to be
 economically validated.

Spoken like someone who hasn't actually worked inside the field.

Statistics and the sort of economic analysis you speak of depends on
assumptions like statistical independence and the