Even DHS Blindly Accepts Invalid SSL Certificates

Via Forbes:

On page 37, DHS instructs analysts to accept invalid SSL certificates forever without verification. Although invalid SSL warnings often appear in benign situations, they can also signal a man-in-the-middle attack. Not a good practice for the security conscious.

I think that’s grounds for termination by incompetence for whoever was behind that. DHS phishing attack, anyone? I’d expect better practices from a local library branch.

That said, it’s yet more proof that SSL as a form of identity verification just doesn’t work in practice. The identity guarantee only exists if the client refuses a certificate it can’t validate; a policy that tells the analyst to click through the warning keeps the encryption but hands the identity check to whoever is on the other end of the connection, attacker included.
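What “accept the invalid certificate” does to a connection is easier to see in code. The following is an added example, not anything from Forbes, the DHS document or this post: a Go program that mints a self-signed certificate for the made-up host bank.example, serves it on a loopback socket, and records how four client policies treat it. The hostname, the policy names and every helper function are this example’s own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSignedCert mints a throwaway certificate for host (constructed test data). No trust store
// vouches for it, which is what triggers the browser warning; a man in the middle presents the same.
func selfSignedCert(host string) (tls.Certificate, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: host},
		DNSNames: []string{host}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, leaf, err
}

// handshake serves serverCert on loopback and returns the client's handshake result under clientCfg.
// Only the client's verdict matters: it is the side that honours or ignores the warning.
func handshake(serverCert tls.Certificate, clientCfg *tls.Config) error {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return err
	}
	defer ln.Close()
	done := make(chan struct{})
	go func() { // server side: accept one connection and run its half of the handshake
		defer close(done)
		if conn, err := ln.Accept(); err == nil {
			defer conn.Close()
			_ = conn.SetDeadline(time.Now().Add(5 * time.Second))
			_ = tls.Server(conn, &tls.Config{Certificates: []tls.Certificate{serverCert}}).Handshake()
		}
	}()
	conn, err := net.Dial("tcp", ln.Addr().String())
	if err != nil {
		return err
	}
	_ = conn.SetDeadline(time.Now().Add(5 * time.Second))
	err = tls.Client(conn, clientCfg).Handshake()
	conn.Close()
	<-done
	return err
}

// classify turns the handshake result into the verdict a user would see.
func classify(err error) string {
	var unknownCA x509.UnknownAuthorityError
	var wrongName x509.HostnameError
	switch {
	case err == nil:
		return "accepted"
	case errors.As(err, &unknownCA):
		return "rejected: untrusted issuer"
	case errors.As(err, &wrongName):
		return "rejected: name mismatch"
	}
	return "rejected: " + err.Error()
}

// demo runs four client policies against one self-signed server; host and policy names are this example's own.
func demo() (map[string]string, error) {
	const host = "bank.example"
	serverCert, leaf, err := selfSignedCert(host)
	if err != nil {
		return nil, err
	}
	pinned := x509.NewCertPool() // a trust store holding only the one vetted certificate
	pinned.AddCert(leaf)
	policies := map[string]*tls.Config{
		"accept-anything":   {InsecureSkipVerify: true},                     // the DHS instruction: no identity check at all
		"system-roots":      {ServerName: host},                             // browser default: public roots do not vouch for it
		"pinned-right-name": {ServerName: host, RootCAs: pinned},            // vetted exception: this certificate, this name
		"pinned-wrong-name": {ServerName: "login." + host, RootCAs: pinned}, // the same vetted certificate offered for another site
	}
	out := make(map[string]string, len(policies))
	for name, cfg := range policies {
		out[name] = classify(handshake(serverCert, cfg))
	}
	return out, nil
}

func main() {
	results, err := demo()
	if err != nil {
		panic(err)
	}
	fmt.Println(results)
}
```

The first policy is the DHS instruction: with verification switched off the client accepts this certificate and, just as readily, one forged by an attacker between analyst and server, so the “encrypted” session protects nothing. The last two show what a defensible exception looks like instead: pin the specific certificate an operator has vetted, and still refuse it when it turns up for a different name.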

How To Be More Secure With Your Data & Identity

It’s amazing how on a daily basis there’s a story about someone’s identity or data being stolen, personal info being misused, or just getting screwed via the Internet. Most of the time it’s due to a complete lack of standards regarding how people treat their digital property and identity. It’s the electronic equivalent of leaving your home and not locking the door. Anyone can come in and take what they want.

Googlefox Redux

Yes, it’s another Google/Firefox blog post. This time in response to a CNet blog post regarding Google’s relationship with Mozilla. It makes a few interesting points, but quite a bit of it is silly or outdated. It was edited at some point late this morning or early afternoon from its original form (as it mentions).

While Apple also gets a nice chunk of change from Google for the search bar in its Safari browser, Apple has enough other sources of revenue that it can easily walk away from Google’s cash.

Yes, Google provides a great sum of cash. But indirectly. The real money machine is the search box and the start page. Right now they are hooked up to Google per an agreement (which I haven’t seen in any way, shape or form). In the future that money machine may be hooked up to something else. Will it? I don’t have a clue. Don’t forget that $19,776,193 in expenses against $66,840,850 in revenue leaves quite a bit of cash in the war chest, and that’s only for 2006. 2007 is rapidly approaching its end. There was a 2005 at some point in the past. With the mobile landscape just warming up (new potential for partnerships/revenue streams), there’s opportunity. Google is lucrative, no question about it, but it’s not the only means of survival. Yahoo is already used for some parts of the world. That relationship could be expanded in the future.

Fact: Users who enter keywords or misspelled URLs into the Firefox 2.0 location bar will essentially be running a Google “I’m Feeling Lucky” search. That is, they will be taken to the first result for a Google search query for those terms.

I believe Netscape had this feature about a decade ago, but with a different partner. Not really news here. Back then I believe you paid for that, now it’s about your rank in Google’s search results. I personally think the Google method is much more neutral.

Fact: In addition to the Google cash flowing to Mozilla, a number of Google engineers spend significant amounts of time working on Firefox. This includes Ben Goodger, the lead developer for the browser. Yes, other companies pay developers to work on Firefox, but none throw as many overall corporate resources at the browser.

Fact: This statement quotes things from 2005. I don’t think Ben has been very (if at all) involved with Firefox in the past year. The other reference, to Darin Fisher, is also inaccurate since he hasn’t been very active (if at all) in the past year or so either. There’s a reason why all those links are to 2005 stories. By the way, the Mozilla Corporation throws way more resources at Firefox than Google does.

This begs the question: why doesn’t Firefox adopt the features of AdBlock Plus and CustomizeGoogle? While the terms of Google’s contract with Mozilla are not public, even if Mozilla were contractually free to include anti-Google-tracking features, it would not be a wise move, business-wise. After all, it is not too smart to anger the company that provides more than 85 percent of your financing.

It would not prove too smart to take the first step towards moving the web to a pay-per-site model. Firefox forced the IE development team out of retirement. If Firefox removed advertising, there would be strong pressure on Microsoft to do the same. Microsoft relies on ads for several of its properties, including MSN. Does anyone want to see the web as a subscription model? I’m pretty sure the answer is no all around. More and more sites have moved away from that, such as the NY Times. While some users will block ads regardless of technology, most won’t know how, or won’t bother, and so keep providing the revenue that keeps the majority of internet content free. Firefox is about the open web. Payments for every page you visit isn’t anyone’s definition of “open”. Mozilla thus far has played things pretty neutral. Adblock Plus is treated like any other extension. It’s not shunned or hidden.

This brings us to a really interesting dilemma. Google has a well-known flaw in one of its Web sites that can be (ab)used by phishers and malicious hackers. Google refuses to fix the flaw, as it believes that it is not a problem. Google also operates the Firefox phishing blacklist. Will Google add one of its own domains to the phishing blacklist? Of course not!

Is this a Google issue? Or a company/organization/person issue? I’m not aware of any entity that is immune to this. I can’t even think of a company that hasn’t been down this road before. IIRC Microsoft disagreed with security researchers on flaws more than once. Google shouldn’t have to add one of its own domains to the phishing blacklist. It has the immediate ability to report the problem internally and shut down the offending problem. For the record, Google’s even willing to notify webmasters of certain problems. If you’re a webmaster, you should be signed up.

Google’s SafeBrowsing is mentioned several times as well. For the record there is a documented method for blacklist providers to use (and yes, you can bundle it as an extension). Thus far, there’s not much on the landscape of free blacklists. The only one I’m aware of is PhishTank.

So there you have it, nothing has changed, Google hasn’t taken over. Nothing to see here. IF Google were to stage a takeover, I’ll be sure to blog about it. Just keep an eye on this blog. Thus far I haven’t seen any evidence of it.

For the record, there was a bug fix committed today by someone at Google (not sure if it was Google backed, or just done by a Google employee). “Fix the incorrect function prototypes of SSL handshake callbacks”. And no, that doesn’t mean Google took over encryption.

96.66% Fell For Phishing

Kiplinger has a great story on phishing and security. The bottom line: while progress has been made there’s still a long way to go. Here was a very concerning piece:

When researchers at Harvard University and the Massachusetts Institute of Technology studied the anti-fraud image system used by Bank of America, they found that 58 out of 60 users still logged on to a phony Web site that did not display the images that the users had selected.

I doubt any anti-phishing protection was enabled on those browsers. Not sure if it would have helped or not. Regardless it’s still a concern. Users didn’t pay attention to the images they selected. I guess it’s human nature to ignore things we don’t think are important.

[Hat tip: The Consumerist]

Norton 360

An interesting review of Norton 360 was posted by CNet. Overall the review was very positive, they seem to like it. Interesting to me was:

We also found that Norton 360 is optimized for Internet Explorer only, and not Firefox and Opera browsers. It could be said that Symantec realizes that Internet Explorer users need more protection, but it would be nice to use the antiphishing feature in Norton 360 on Firefox or Opera. Of the three super suites, only McAfee supports Firefox; none support Opera.

I’d be curious to know if support is planned through an extension or not. They could potentially leverage existing infrastructure to do the job quite nicely. I’m not sure if anyone has used this functionality to date. As far as I’m aware nobody has. Not even PhishTank.

I’m still not sure if Norton 360 is really a product I’d be interested in. I use Norton AV, and despite a few small things, it’s a pretty solid product. I’m not really sure I see the added stuff in 360 as something beneficial. But I still have a little while on my subscription for the year, so I don’t have to decide just yet.

Phishing Unit Testing And Other Phishy Things

Seeing these results is pretty cool. I hope someone has/will come up with a way to have a test like this running periodically (at least weekly, if not daily or multiple times a day) which does an analysis on Phishing sites and how many are being blocked. I’d presume Google and other data services would have some interest in this. It could be as simple as an extension for browsers (yes IE too) which reads a feed and visits each site, and reports the results to a web service. Running in a confined environment (virtual machine, or dedicated box) free of tampering. I think the real advantage would be to see how effectiveness varies over time as phishers become more sophisticated.

Take spammers, for example. At first spam was pretty simple; now they are using animated GIFs, sophisticated techniques to poison Bayesian analysis, botnets, etc. I presume over time we’ll see the exact same thing with phishing attacks. I doubt it’s going to get any better. On the positive side of things, this is still in its infancy, so we can start learning now and be more aggressive than people were about the spam problem, which got way out of hand before everyone realized it was really something to worry about.

I’d ultimately like to see just percentages of different anti-phishing blacklists/software updated frequently, so we can keep a running tally. Perhaps it would be a good indicator of when phishing tactics require a software or methodology update. I think overall everyone would benefit from some industry collaboration rather than competition. The problem with phishing is to be effective your research must be good. To do good research you need to cast a wide net, and capture only one species of phish while not letting any dolphins get stuck in the net (sorry, couldn’t resist).
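A minimal version of the running tally described above, added here as an example and not part of the original post or of any vendor’s tooling: a Go program that scores two constructed blocklists against a constructed feed. The feed URLs, the rule shape (host suffix plus path prefix) and all names are assumptions for the example; a real harness would pull the feed from a live source and visit the pages from a sandbox, as the post suggests.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Entry is one blocklist rule: Host matches itself and any subdomain of it, Path is a prefix,
// and an empty Path covers the whole host. The shape is this example's assumption, not a vendor format.
type (
	Entry     struct{ Host, Path string }
	Blocklist []Entry
)

// canonicalize reduces a URL to the (host, path) the rules are keyed on. Scheme, port, query and
// fragment are dropped and the host is lower-cased, so the cheap rewrites that dodge an exact-string
// list (capitalisation, a tracking parameter, an #anchor) do not help the phisher.
func canonicalize(raw string) (host, path string, err error) {
	if !strings.Contains(raw, "://") {
		raw = "http://" + raw // feeds often carry bare hostnames
	}
	u, err := url.Parse(raw)
	if err != nil {
		return "", "", err
	}
	host = strings.ToLower(u.Hostname())
	if host == "" {
		return "", "", fmt.Errorf("no host in %q", raw)
	}
	if path = u.Path; path == "" {
		path = "/"
	}
	return host, path, nil
}

// Matches reports whether the rule covers the canonical (host, path).
func (e Entry) Matches(host, path string) bool {
	hostHit := host == e.Host || strings.HasSuffix(host, "."+e.Host)
	return hostHit && strings.HasPrefix(path, e.Path)
}

// Blocks is the lookup a browser makes before rendering the page. An unparseable URL is
// reported as not blocked; a real harness would log it rather than silently skip it.
func (b Blocklist) Blocks(raw string) bool {
	host, path, err := canonicalize(raw)
	if err != nil {
		return false
	}
	for _, e := range b {
		if e.Matches(host, path) {
			return true
		}
	}
	return false
}

// Tally is one run's score for one list: the percentage the post wants to track over time.
type Tally struct{ Total, Blocked int }

// Evaluate scores every list against the same feed so the numbers are comparable.
func Evaluate(feed []string, lists map[string]Blocklist) map[string]Tally {
	out := make(map[string]Tally, len(lists))
	for name, list := range lists {
		t := Tally{Total: len(feed)}
		for _, raw := range feed {
			if list.Blocks(raw) {
				t.Blocked++
			}
		}
		out[name] = t
	}
	return out
}

// Constructed feed: four phishing URLs (two on one host with a rotated path) and one benign
// URL that must not count. None of these hosts is real.
var sampleFeed = []string{
	"http://login.bank.example.attacker.example/auth/index.php",
	"http://login.bank.example.attacker.example/auth/verify.php",
	"http://www.bank-verify.example/Update/?session=42",
	"http://203.0.113.7/~u/paypal/",
	"https://Cdn.Example/assets/logo.png",
}

// Two constructed lists covering the same campaigns at different granularity.
var sampleLists = map[string]Blocklist{
	"exact-url": {
		{Host: "login.bank.example.attacker.example", Path: "/auth/index.php"},
		{Host: "www.bank-verify.example", Path: "/Update/"},
		{Host: "203.0.113.7", Path: "/~u/paypal/"},
	},
	"host-only": {{Host: "attacker.example"}, {Host: "bank-verify.example"}, {Host: "203.0.113.7"}},
}

func main() {
	for name, t := range Evaluate(sampleFeed, sampleLists) {
		fmt.Printf("%-9s blocked %d/%d (%.0f%%)\n", name, t.Blocked, t.Total, 100*float64(t.Blocked)/float64(t.Total))
	}
}
```

The exact-URL list scores 3 of 5 because the phisher only had to change a file name to slip past it; the host-level list scores 4 of 5 and never touches the benign URL. The caveat on that second list is the one a harness must watch for: a suffix rule on a shared-hosting or public-suffix domain would block everyone under it, which is why real lists key on the registered domain and keep an exception list rather than matching arbitrary suffixes.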

I’d be curious to know what others think of such testing, and efforts (from general users, as well as anti-phishing/spam vendors). Is the war against spam effective? Should the same techniques be used? Is it time for coalition building? Should we each go in alone? How do you monitor changes in techniques used by phishing?

I know Google is pretty serious about keeping up with the data in a very timely manner, and from what I can tell, most other vendors are as well. But I wonder how industry-wide statistics could further benefit. Perhaps simply the competition of trying to have a higher average score. Perhaps simply the detection of changes in techniques (noted by everyone’s collective decline in detection rate).

I’d love to hear what others think of Phishing protection. It’s a rather interesting topic that many don’t give too much thought to, but it really is an important part of how browsers make the internet safer.

Is phishing the new spam?

I’m almost convinced now that the majority of stuff SpamAssassin misses isn’t really spam, but phishing messages. I think it’s time for SpamAssassin to start considering detecting it. Perhaps take a look at mscott’s good work for Mozilla Thunderbird.

Odds are lots of that detection stuff will also detect spam slipping through by other means.
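As an illustration of the kind of check a mail client can run with no blacklist at all, here is an added example in Go (these are this example’s own rules, not SpamAssassin’s or Thunderbird’s code): it scans an HTML message for anchors whose target is a bare IP address, or whose visible text names one host while the href quietly goes to another. The sample message and every name in it are constructed.

```go
package main

import (
	"fmt"
	"net"
	"net/url"
	"regexp"
	"strings"
)

// Reasons a link is flagged. Both are this example's heuristics, not any product's implementation.
const (
	ReasonIPLiteral = "ip-literal-target"    // href points at a bare IP address instead of a name
	ReasonMismatch  = "text-target-mismatch" // visible text names one host, href goes to another
)

// Finding is one suspicious anchor: where it really goes, what it showed, and why it was flagged.
type Finding struct {
	Href, Text, Reason string
}

var (
	anchorRE   = regexp.MustCompile(`(?is)<a\s[^>]*?href\s*=\s*["']([^"']+)["'][^>]*>(.*?)</a>`)
	tagRE      = regexp.MustCompile(`<[^>]+>`)
	hostLikeRE = regexp.MustCompile(`(?i)^(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})(?:[/:?#].*)?$`)
)

// hrefHost is the lower-cased host a link really goes to, or "" for mailto:, relative or broken links.
func hrefHost(href string) string {
	u, err := url.Parse(strings.TrimSpace(href))
	if err != nil {
		return ""
	}
	return strings.ToLower(u.Hostname())
}

// textHost is the host named by the visible text when that text is itself a URL or hostname,
// which is the lure phishers rely on ("https://www.paypal.com/login" as the clickable words).
func textHost(text string) string {
	m := hostLikeRE.FindStringSubmatch(strings.TrimSpace(text))
	if m == nil {
		return ""
	}
	return strings.ToLower(m[1])
}

// ScanHTML returns one Finding per suspicious anchor in an HTML mail body.
func ScanHTML(body string) []Finding {
	var out []Finding
	for _, m := range anchorRE.FindAllStringSubmatch(body, -1) {
		href, text := m[1], strings.TrimSpace(tagRE.ReplaceAllString(m[2], ""))
		target := hrefHost(href)
		if target == "" {
			continue // nothing to compare against
		}
		if net.ParseIP(target) != nil {
			out = append(out, Finding{href, text, ReasonIPLiteral})
		} else if shown := textHost(text); shown != "" && shown != target {
			out = append(out, Finding{href, text, ReasonMismatch})
		}
	}
	return out
}

// sampleMail is a constructed message: two classic phishing links, one ordinary link,
// and one whose text and target agree. No host in it is real.
const sampleMail = `<p>Dear customer, your account was limited. Please verify:</p>
<a href="http://203.0.113.7/~u/paypal/">https://www.paypal.com/login</a><br>
<a href="http://bank.example.attacker.example/auth">http://bank.example/</a><br>
<a href="https://bank.example/help"><b>Help</b> center</a><br>
<a href="https://bank.example/settings">bank.example/settings</a>`

func main() {
	for _, f := range ScanHTML(sampleMail) {
		fmt.Printf("%-22s text=%q href=%q\n", f.Reason, f.Text, f.Href)
	}
}
```

Run against the sample, the first two anchors are flagged and the other two pass. The practitioner’s caveat is that the mismatch rule fires on legitimate mail too (newsletters that route every link through a tracking host, for instance), so in a filter like SpamAssassin it belongs as a scored rule contributing to a threshold, not as a hard reject.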