Tuesday, February 21, 2006

Crime: The Real Internet Security Problem - Google Video

The talk on Internet Crime I gave at Google is available on Google video.

Internet crime is a serious problem, real money is being stolen. The Nigerian letters/419 advance fee frauds are comical until you find out about the victims who lost their life savings.

The main Internet Crime threat at the moment is phishing. This is theft of access credentials through a social engineering attack. There are three main approaches to stopping phishing:

  1. Stop attacks in progress: this is what we do in the takedown service. When a phishing attack is detected we try to get it shut down by the ISP as soon as possible. This does not drive the gangs out of business but it does limit their profits and it does encourage them to choose other targets.
  2. Disrupt the social engineering attack: Email allows the phishing gangs to plausibly send email that purports to come from any trusted brand they choose. Secure Internet Letterhead provides a trustworthy method of identifying content as from the trusted source. So an email will show the trusted Bizybank logo if and only if it is signed by a party authenticated as being Bizybank.
  3. Use theft proof tokens: In the long term we will all be using OTP or smartcard technology to log in to our bank account.
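The "if and only if" rule behind the Secure Letterhead item above, worked through as an added example (this is not code from the talk or from any Letterhead implementation): the logo is looked up from the authenticated identity, never taken from the message, and it is shown only when the signature verifies under the key registered for the claimed brand. The registry stands in for the CA step, and Ed25519 is an assumed choice of signature scheme.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Brand is what a CA has vouched for: the key of the party authenticated as
// this brand and the logo belonging to that identity (never taken from mail).
type Brand struct {
	Key  ed25519.PublicKey
	Logo string
}

// Registry stands in for the certificate/CA step (constructed for this demo).
type Registry map[string]Brand

// SignedMail: claimed brand, body, and a signature over both by the sender.
type SignedMail struct {
	ClaimedBrand string
	Body         string
	Signature    []byte
}

func signingInput(brand, body string) []byte { return []byte(brand + "\n" + body) }

// Sign is used by whoever holds priv: the real brand or an impostor.
func Sign(priv ed25519.PrivateKey, brand, body string) SignedMail {
	return SignedMail{brand, body, ed25519.Sign(priv, signingInput(brand, body))}
}

// Letterhead returns the logo to render, or "" unless the signature verifies
// under the key registered for the claimed brand (the "if and only if").
func Letterhead(reg Registry, m SignedMail) string {
	b, ok := reg[m.ClaimedBrand]
	if !ok || !ed25519.Verify(b.Key, signingInput(m.ClaimedBrand, m.Body), m.Signature) {
		return ""
	}
	return b.Logo
}

func main() {
	bankPub, bankPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	reg := Registry{"Bizybank": {Key: bankPub, Logo: "bizybank-logo.png"}}
	body := "Your statement is ready."
	fmt.Printf("signed by Bizybank:     %q\n", Letterhead(reg, Sign(bankPriv, "Bizybank", body)))
	fmt.Printf("signed by someone else: %q\n", Letterhead(reg, Sign(otherPriv, "Bizybank", body)))
}
```

A message that claims the brand but is signed by anyone else, a tampered body, or a brand with no registry entry all render with no logo at all.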

The main thrust of the talk was on the Secure Letterhead concept which I am presenting at NIST and at the W3C workshop. Unfortunately this talk was before the Infocard launch, which is a pity because Infocard uses the letterhead concepts.

It is important to attack the problem using all these approaches. They are not exclusive. Stopping attacks in progress is all that we can do without completing a major infrastructure build-out. Disrupting the social engineering attack is essential if we are going to restore trust in the Web and email. Theft proof credentials such as OATH are the long term solution but deployment will take time.

It is equally important to maintain pressure on the tool providers, botnets and dumps markets. Break up the trading sites, shut down as many bots as possible, prosecute the tool providers as well as the tool users. The two engines of Internet crime are botnets and spam. Both can be significantly reduced at little cost.

If every WiFi box and cable modem were required to have a reverse firewall built in to limit outbound attack traffic, the volume of spam and DDoS attacks from botnets would diminish significantly.

Another powerful technique would be to require ISPs to filter out executable content in emails by default. There is no real need to use email to distribute executable code: most programs are much too big to fit in email anyway, and the people who are able to do it securely can easily circumvent simple blocking techniques. 99% of Internet users do not need this very risky feature, and the fact that it is enabled for them by default creates a problem for all of us.
