Showing posts with label InternetCrime. Show all posts

Thursday, September 30, 2010


Internet wiretapping

A story about impending U.S. legislation has hit the news in the last few days: Senator Patrick Leahy (along with ten co-sponsors that include Dianne Feinstein and my own senator, Chuck Schumer) has introduced S. 3804, the Combating Online Infringement and Counterfeits Act (link to PDF).

There’s a lot of blog outcry about it, of course, and rightly so. I’m less worried about it than many, but I do think it’s a bad idea. Here’s why:

First, we’re meant to be a democracy, different from the totalitarian states we group together with terms such as Axis of Evil and whatnot. That means that, in general, we fit our surveillance and law enforcement into the technology, rather than limiting the technology and building it specifically to enable surveillance and law enforcement. Those who say that this is only paralleling what’s in the telephone system already are missing that the telephone system grew up from a much lower-tech starting point. Wiretaps used to be literally that: wires clipped into wired systems. And it didn’t use to be easy at all.

There’s a lot about surveillance and intelligence gathering that’s hard, and it stands to reason that those tasked with doing it should want to make it easier. Keeping it hard is actually a useful check on nascent authoritarian tendencies, and the temptation for abuse. We’ve recently had court decisions, for example, declaring it a fourth-amendment violation to use GPS tracking without a warrant. These sorts of checks are important.

There’s no saying that the sort of surveillance that S. 3804 proposes will be warrantless — and the bill does specify that a court has to approve it — but we have to remember the warrantless electronic surveillance of the Bush administration, where they bypassed not only the regular courts but also the FISA court, specifically set up to deal with monitoring terrorist action. Official abuse is a real danger.

Further, this bill doesn’t even address terrorism, nor even racketeering or other such crimes. It’s aimed at copyright infringement. Not to put too fine a point on it, but that’s a ridiculous focus for such a broad and risky remedy. There are better ways to address the problem of illegal distribution of copyrighted material, and this is an attempt to shortcut things with a blunt instrument. At least, though, it’s not as bad as the insane French HADOPI law.

Apart from official abuse, though, there’s the issue of abuse by the Bad Guys themselves, who can fool with such a system in two ways:

  1. They can take advantage of the holes themselves. Any system that allows authorized intrusion implicitly allows unauthorized intrusion as well, and we should not be so naïve as to think that won’t happen. People are corruptible, security systems are compromised all the time, and if we set it up so that any Internet communication is tappable, malefactors will make their way in and tap it.
  2. They can skirt it entirely. It will only be the normal communication channels that will have their encryption compromised, allowing officials to get the unencrypted version. If what gets put on those wires is itself encrypted beforehand — if the unencrypted version is separately encrypted — we’ve gained nothing. Once requiring specialized, high-tech, expensive machines, encryption is now easy, and any ten-year-old with a copy of PGP can do it. And anyone can create a self-signed TLS certificate to secure communication with their web site. There’s nothing the service providers can do to tap into any of that.

The result will be, as often happens with these sorts of things, that private citizens and companies that are trying to abide by the law will have their privacy and liberty compromised, while the real criminals will be able to hide as easily as they do today. If passed, this law will have some effect in the area it’s intended to... but that effect will be limited, and probably short-term.

Finally, there’s the law itself: it actually seems pretty good in its inclusion of safeguards and court involvement. There are two issues I have with it:

  1. Sec. 2324(a)(2)(B) is too vague:
    [For purposes of this section, an Internet site is dedicated to infringing activities if such site is] engaged in the activities described in subparagraph (A), and when taken together, such activities are central to the activity of the Internet site or sites accessed through a specific domain name.
    Subparagraph (A) specifies that the site must be specifically designed for these activities, be marketed for these activities, or have no significant purpose other than these activities. That provides a reasonable limitation on the Internet sites that may be targeted here. But then subparagraph (B) opens it back up in a vague way, by saying that any other site might qualify if when taken together such activities are central to the site. Subparagraph (A) clearly does not include such sites as YouTube and Facebook, but subparagraph (B) arguably could. The threat of bringing such an argument to court could exert a severely chilling effect on web sites devoted to social activities and legitimate media sharing.
  2. Sec. 2324(j) provides for a public list of sites that are alleged, without any real evidence or court involvement.
    (1) IN GENERAL- The Attorney General shall maintain a public listing of domain names that, upon information and reasonable belief, the Department of Justice determines are dedicated to infringing activities but for which the Attorney General has not filed an action under this section.
    There are mechanisms to ask to be removed from the list, and for judicial review of the case only after the Justice Department refuses the petition for removal. This amounts to an unregulated blacklist of Internet sites, and strikes me as ill advised, and possibly dangerous. There will clearly be such a list held at the Justice Department; the list should not be public. Any public list must be vetted by a court, as a necessary check on law enforcement.

I plan to write to Senator Schumer with a brief version of this post, and a pointer to the full one.

Tuesday, September 28, 2010


Analyzing some spam

I got an amusing little piece of email spam this morning. Amusing, that is, from the point of view of someone who likes to figure out what the spammers are doing and what they’ve compromised in order to do it. Here’s the message, as displayed to me in gmail (I’ve inserted spaces in the URL and email addresses, so your browser won’t make them clickable):

from McDonald’s Survey Department. <survey @ mcdonalds.com>
reply-to survey @ mcdonalds.com
to
date Mon, Sep 27, 2010 at 15:01
subject McDonald’s Survey

Dear customer,


Please give us only 5 minutes of your valuable time to ask you some questions about our products . Please be aware that we will not ask you about any personal information.

In return, we will credit $90.00 to your account - just for your time.

If you want to answer our simply 8 questions , please click the link below :

http: //dyn248.ele.uri.edu/.mcdonalds.com/survey/index.html

Thank you for helping us to become better .

Sincerely, McDonald’s Survey Department.


Please do not reply to this email. This mailbox is not monitored and you will not receive a response.

Of course, the message isn’t really from anyone at mcdonalds.com, but you knew that.

The first interesting thing is the URL. As is often the case with spam URLs, they’ve tried to make it look like a legitimate URL from the company by sticking their domain name in there somewhere — in this case, it’s after the slash, and one has to know how to read URLs to understand that putting it there just makes it information that’s passed to the web server, and has nothing to do with what web server gets used.

And the web server it’s pointing us to is at uri.edu, which is what piqued my interest. This isn’t some throwaway domain, nor anything else registered by the spammer, but something residing at the University of Rhode Island. In particular, this looks like a temporary name assigned to some computer connected to U of RI’s network.

My guess is that a student machine was compromised — malware got installed on it — and the malware set up a hidden web server that’s meant to handle these requests.
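Added example (mine, not code from the post): the host-versus-path point above, made concrete. It reconstructs the spam URL without the spaces the author inserted, pulls out the host a browser would really connect to, and classifies where the impersonated domain name appears; the other sample URLs and the category names are my own constructions.

```python
from urllib.parse import urlsplit

# The URL from the spam message, with the author's defensive spaces removed.
SPAM_URL = "http://dyn248.ele.uri.edu/.mcdonalds.com/survey/index.html"
IMPERSONATED = "mcdonalds.com"


def real_host(url: str) -> str:
    """Return the host a browser would actually connect to.

    urlsplit() puts everything between '//' and the next '/' into netloc;
    .hostname then strips any user:password@ prefix and any :port suffix
    and lowercases the result, leaving the DNS name that gets resolved.
    Anything after the first '/' is just data handed to that server.
    """
    host = urlsplit(url).hostname
    if host is None:
        # A bare "dyn248.ele.uri.edu/..." without a scheme parses as all path.
        raise ValueError(f"no host in URL: {url!r}")
    return host


def is_same_site(host: str, brand: str) -> bool:
    """True if host is the brand domain itself or a subdomain of it."""
    host, brand = host.lower(), brand.lower()
    return host == brand or host.endswith("." + brand)


def brand_placement(url: str, brand: str) -> str:
    """Where the impersonated domain name appears in the URL, if at all.

    'host'      - the connection really goes to the brand (or a subdomain)
    'userinfo'  - the brand is the user:pass@ part, which the server ignores
    'lookalike' - the brand is merely a substring of an unrelated host name
    'path'      - the brand is only in the path/query/fragment, i.e. data
                  sent to some other server (the trick in this spam)
    'absent'    - it does not appear anywhere
    """
    parts = urlsplit(url)
    host = real_host(url)
    brand_l = brand.lower()
    if is_same_site(host, brand):
        return "host"
    if parts.username and brand_l in parts.username.lower():
        return "userinfo"
    if brand_l in host:
        return "lookalike"
    tail = (parts.path + parts.query + parts.fragment).lower()
    if brand_l in tail:
        return "path"
    return "absent"


if __name__ == "__main__":
    print(real_host(SPAM_URL), brand_placement(SPAM_URL, IMPERSONATED))
```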

Let’s look at where the email message really came from, by checking out the Received lines in the headers. Here are the two operative ones:

Received: from www-7419bfef271.modrsoft.com ([218.24.93.98])
	by hormel7.ieee.org (8.13.8/8.13.8/Debian-3)
	with ESMTP id o8S55UDI020590; Tue, 28 Sep 2010 01:05:32 -0400
Received: from User ([99.97.107.229]) by www-7419bfef271.modrsoft.com
	with Microsoft SMTPSVC(6.0.3790.4675); Tue, 28 Sep 2010 02:41:35 +0800

Reading bottom up, the message was submitted by an IP address in SBC Internet Services, to an IP address at Modrsoft, a legitimate service provider in China. The spammers appear to have found an open relay in Modrsoft’s network, or else Modrsoft doesn’t block port 25, and they compromised a machine there, as well.

Here’s what it looks like:

  1. A compromised computer on SBC’s network was ordered to submit the spam message.
  2. It submitted it to a compromised computer on Modrsoft’s network.
  3. That computer relayed the message to its recipients (including me).
  4. The message directs users to a clandestine web server on a compromised machine at University of Rhode Island.
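Added example, not part of the post: a small parser that reads the two Received lines above bottom-up, as the post does, and reports the relay chain and the time between hops. The header text is copied from the post; the folding of continuation lines and the "helo" label for the name the sending machine announced are my assumptions about how the two MTAs wrote the lines.

```python
import re
from email.utils import parsedate_to_datetime

# The two Received lines from the post, folded the way an MTA writes them
# (continuation lines start with whitespace).
RAW_HEADERS = """\
Received: from www-7419bfef271.modrsoft.com ([218.24.93.98])
\tby hormel7.ieee.org (8.13.8/8.13.8/Debian-3)
\twith ESMTP id o8S55UDI020590; Tue, 28 Sep 2010 01:05:32 -0400
Received: from User ([99.97.107.229]) by www-7419bfef271.modrsoft.com
\twith Microsoft SMTPSVC(6.0.3790.4675); Tue, 28 Sep 2010 02:41:35 +0800
"""

HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+"                       # name the sender announced
    r"\((?:\S+\s+)?\[(?P<ip>[\d.]+)\]\)\s+"          # optional rDNS, then the IP seen
    r"by\s+(?P<by>\S+)"                              # the MTA that wrote this line
    r".*?;\s*(?P<date>.+)$",                         # text after ';' is the timestamp
    re.DOTALL,
)


def unfold(headers: str) -> list[str]:
    """Join folded continuation lines back onto their header line."""
    lines: list[str] = []
    for line in headers.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines


def parse_hops(headers: str) -> list[dict]:
    """Return the relay chain in transit order (origin first).

    Each MTA prepends its own Received line, so the top line is the last
    hop and the bottom line the first; the list is reversed so it reads
    bottom-up, the way the post walks it.  Only the receiving MTA's own
    observation (the bracketed IP and the 'by' name) is trustworthy; the
    'from' name is whatever the sender claimed.
    """
    hops = []
    for line in unfold(headers):
        if not line.lower().startswith("received:"):
            continue
        m = HOP_RE.search(line[len("Received:"):].strip())
        if not m:
            continue
        hops.append({
            "helo": m["helo"],
            "ip": m["ip"],
            "by": m["by"],
            "time": parsedate_to_datetime(m["date"].strip()),
        })
    return list(reversed(hops))


def hop_gaps_seconds(hops: list[dict]) -> list[float]:
    """Seconds between consecutive hops, compared in UTC.

    A negative or very large gap means a relay queued the message for a
    long time or has a bad clock; either way it is worth noting when you
    are trying to work out where a message actually came from.
    """
    return [(b["time"] - a["time"]).total_seconds()
            for a, b in zip(hops, hops[1:])]


if __name__ == "__main__":
    chain = parse_hops(RAW_HEADERS)
    for hop in chain:
        print(f"{hop['ip']:>15} ({hop['helo']}) -> {hop['by']}  {hop['time']}")
    print("gaps (s):", hop_gaps_seconds(chain))
```

On these two lines the origin hop (99.97.107.229 into the Modrsoft box) is stamped about ten hours before the Modrsoft-to-ieee.org hop, which is the kind of inconsistency a trace should surface rather than hide.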

Unfortunately, the trail goes cold there: I tried to snag the web page, to see what it’s meant to do... but I can’t contact a web server at that address. The machine has been taken offline, has a new address, or has been cleaned up. In any case, it’s not serving the bad guys at the moment. That’s often true of these things: they may only work for a brief time, but they can certainly do their work in that time. They might do the dirty work directly, or redirect you to another web server that will.

Probably, visiting that web site with a susceptible browser (or user) would result in the installation of malware on the visiting computer, adding it to the zombie network. In addition, they’re offering $90 to your account for participating, so they’ll obviously be asking you to give them some sort of account information where they can deposit the money — an account they’ll actually be sucking dry as soon as they have access to it.

Too bad I didn’t get to it soon enough, to see for sure what the web page is trying to do.

Friday, August 28, 2009


Technology and fraud

Fraud has been around as long as people have. I’m convinced that back when people lived in caves, some troglodyte took another’s kill in exchange for a “spacious” cave that turned out to just be an indentation in a rock next to a swamp.

People have perpetrated fraud door-to-door, by mail, by telephone, out of an actual office, whatever. It’s even entertaining, when it’s fictionalized. We delighted to the story of “Professor” Harold Hill in The Music Man. A 10-year-old Tatum O’Neal won an Oscar playing with her father, Ryan, in Paper Moon; the same year’s The Sting won Best Picture, along with six other Academy Awards.

There’s nothing entertaining about it, though, when it’s done for real, and there’s a lot that’s the same between the snake-oil salesman in his horse-drawn wagon in the old west... and the folks selling remedies to improve one’s “love rocket” (as a recent message in my spam folder called it) on the Internet.

There’s also a lot that’s different, and those differences are what enable modern fraud to work on such a vast scale.

The huckster in the wagon had a rough job. He needed that wagon and horses, for one thing, and he had to feed and care for the horses. He rode all over, usually riding more than selling, and when he got to where he could sell he became a performer. He also sometimes became a fugitive, driven out of town with threats of tar and feathers, or worse — and hot tar is a punishment that’s far less comical than jokes make it out to be.

Moving through the years, printing brochures and other advertising material and setting up fake offices took money and required special equipment (printing presses) and access (office space). Even cheating people by telephone necessitated one-on-one phone calls, a significant investment in time, and a fixed location that was prone to being raided by the authorities.

Technology and the Internet makes this all so much easier, and that’s what has really changed. Printing stuff? You can get professional results with an inexpensive ink-jet printer. Pre-paid mobile phones are untraceable and don’t tie you into a fixed location. But most useful are email and web pages.

Constructing a brick-and-mortar business is quite a task. But a web site can be put up in minutes, and abandoned as quickly. Email can be sent out in the millions, also in minutes. Set yourself up, and sit back and wait for the clicks. You can make it semi-legitimate (by actually sending out “product” in response to purchases) or not, as you please.

Worse, though, is how easy it is not just to set up a bogus business, but to mimic a real one. Building a fake Bank of America branch to lure people in with their money would have been next to impossible 20 years ago. Putting up a fake Bank of America web site that’s hard to distinguish from the real one is trivial today. Slipping someone a fake map or fake directions to send them to your storefront used to be an idea limited to the movies. Sending a phony URL by email, or rerouting traffic from an Internet café is no big thing.

It’s even easy to set up a fake “magazine” and suck in advertising revenue. It’s amazing how many unsuspecting folks will be willing to write for free, as “interns”. Even easier is to scan the Internet for interesting items and then just republish them on your own site, without permission. Throw in a bit of “search-engine optimization” to draw people to your ’zine (SEO is big business in itself, these days), and, again, you can sit back and collect the money.

It’s a new world, but I’m not sure how “brave”.

Thursday, June 11, 2009


“Branding” for email and web sites

John Levine notes that using secure branding can be an effective way to combat phishing. “Secure” branding, in this sense, means using trusted authorities to verify the credentials of a web site or email sender, and then displaying branding information, such as a logo, in a trusted area of the application window, done in a way that would be hard to attack.

John is certainly right, in principle, but the difficulty is that principle doesn’t necessarily translate into reality, for a number of reasons.

First, I’ll note that the “extended” security certificates that newer browsers recognize and use to display additional visual cues (the “green bar” he refers to) are really what the standard certificates were originally meant to be. That is, in the beginning, Internet certificate authorities were supposed to do reasonable vetting of businesses before issuing them certificates.

We can see how well that worked: not at all. Anyone can get a certificate for any domain they own (and sometimes for ones they don’t). Beyond that, anyone can create their own certificates, and then convince users to accept them... that part is easy enough, because when a browser or email program runs across a certificate it doesn’t trust, it asks the user what to do, and most users have simply learned to say “trust it,” for reasons I’ve discussed before.

OK, so the theory is that now we have a version that gets it right, and that these extended certificates really will only be issued to properly vetted organizations. That is, paypal.com can get one, but poypol.com can not, even though it is a properly registered domain as of this writing (registered on 30 March 2009, with fake “whois” information). I’m not sure how we assure ourselves that the vetting will last, and will not fall into the “anyone who pays can get one” trap, nor how we can prevent a bad guy from tricking the system somehow. But let’s stipulate, for now, that it’s true, and that no phisher will ever get a “green bar” in the browser frame.

So let’s look at how different browsers show this. Click the image below to see it full-sized.

[Image: Browser samples]
The first three images show three browsers — Firefox, Safari, and Opera, all run on MacOS — and you can see (the red-circled bits) that they each use a different way to display the green “this has been verified” information. Firefox puts it at the beginning of the address field, Opera puts it at the end, and Safari puts it at the top right of the window, in a shade of green that barely looks green to me, actually. Personally, I think the Firefox way looks the coolest. But cool or not, the key is for it to convey crucial information, and they all do that.

Only, because each browser does it in a different way, things are open to confusion. We might think that because most users only use one browser, that wouldn’t be a problem, that each user would get used to her own browser. In practice, though, the difference does confuse the situation, because most users are less aware than we think about what the browsers do, what the cues are, and what those cues mean.

In Why Phishing Works, a study presented at CHI 2006, by Rachna Dhamija of Harvard University and two University of California colleagues, users were asked questions about what browser cues they noticed, and what the users thought they meant. They were also asked to explain what they thought they had agreed to when they clicked on security pop-ups that warned them of problems with certificates.

The results show that we cannot assume that users will understand what the computer is trying to tell them, or how. For example, some users in the study did not notice the padlock symbol — the symbol in the browser frame that tells you that you have an encrypted “SSL” connection to the server — at all. Of those who did, some didn’t understand what the padlock symbol was telling them. Some didn’t realize that there’s any difference between symbols in the browser frame (under control of the browser) and those in the web page itself (under control of the web site, good or bad). And some actually “gave more credence to padlock icons that appeared within the content of the page.”

There’s no reason to think that the “green bar” situation will be any different. The fourth image above shows a mock-up that I made of how a fake PayPal web site could, using the domain poypol.com, put a fake paypal.com green bar within the web page itself. A smart web site could even use the identification that it receives from the browser to make a browser-specific fake. It won’t fool everyone, of course, but it’s likely to fool a pretty high proportion of the users.

We’ve also seen very clever junk web sites that use scripts that pop up small, menu-less browser sub-windows positioned to cover key parts of the main window. One such site very effectively covered the address bar with its own replacement, a technique that could fool all but the most savvy users into thinking that there was a legitimate green “OK” in the trusted browser frame.

Of course, a well-designed system such as John describes will help some users, and I’m not saying that we shouldn’t do it. But it will take a lot of cooperation from software vendors, and a great deal of user education. And what I worry about is that, while we may protect some portion of the user community, we could well make things much worse for the users who don’t understand, but who get false security from their misunderstanding.

Friday, May 08, 2009


The Internet, in New Scientist, parts 5 and 6

For the next installment in my series of comments on the New Scientist magazine series “Eight things you didn’t know about the internet”, we have two for one. Actually, not really: I’m going to skip part 5, “Is the net caught in the credit crunch?”, because I have nothing to say about it, and move right on to part 6, “Where are the net’s dark corners?”, by Ben Crystall. Here, we get into the discussions of malware and other Internet crime.

There are plenty of places online that you would do well to steer clear of. A brief visit to some unsavoury websites, for instance, could leave your computer infected with worms or viruses. Then there are the “black holes” to worry about.

On the malware side, I’ve said quite a bit already about web sites and email that try to infect your computer. The malware that’s gotten the most press recently, though so far its effects have been benign, is Conficker.

Network “black holes” shouldn’t be of direct concern to you, for the most part. Visiting a particular web site might cause your browser to appear dead, but it won’t affect your online experience beyond that: you can just go to another, legitimate web site and it will work fine. It’s possible, though, for an attacker to get a black-hole site into the Domain Name System or into routing tables, causing more extensive difficulty.

You’re more vulnerable to this sort of thing if you allow your computer (or iPhone) to connect to arbitrary wireless networks, which might themselves be black holes, or which might be attacked using black-hole techniques.

Then there’s the side of the Internet that tries to hide from you: the part that supports illegal activities. There are sub-networks for those engaged in buying and selling stolen credit-card numbers, leasing time on botnets, and the like. Rob Thomas gives an excellent presentation on this, and the corresponding paper, The Underground Economy: Priceless (PDF), is a good read.

For more about Internet crime and online security, let me point to two books:

  • Secrets and Lies: Digital Security in a Networked World, by Bruce Schneier
  • The dotCrime Manifesto: How to Stop Internet Crime, by Phillip Hallam-Baker

Thursday, October 23, 2008


Spammers in court again

More catching up; today, week-old news that a U.S. district court has frozen the assets of a group of spammers and ordered them to stop their operations:

The Federal Trade Commission won a preliminary legal victory against what it called one of the largest spam gangs on the Internet, persuading a federal court in Chicago on Tuesday to freeze the group’s assets and order the spam network to shut down.

The group, which used several names but was known among spam-fighting organizations as HerbalKing, sent billions of unsolicited messages to Internet users over the last 20 months, promoting replica watches and a variety of pharmaceuticals, including weight-loss drugs and herbal pills that supposedly enhanced the male anatomy, according to the commission.

“This is pretty major. At one point these guys delivered up to one-third of all spam,” said Richard Cox, chief information officer at SpamHaus, a nonprofit antispam research group.

(Here’s the FTC’s press release on the case.)

This gang is at the forefront of spam technology, with a large zombie network, or “botnet”, and worldwide operations — the investigators cite the group’s connections to Australia, New Zealand, India, China, Russia, and Canada, in addition to the United States. The FTC worked with the FBI and with their counterparts in Australia and New Zealand (one of the principals, Lance Atkinson, is from there).

The group sells “medicine”, both real and fake, including “male enhancement” pills containing sildenafil (Viagra), hoodia remedies, and prescription drugs shipped from India. According to the Times, the FTC says that the spam operation “cleared $400,000 in Visa charges in one month alone.” Think about that: how many people out there are responding to this spam by actually buying the products? Do you wonder why there’s so much spam? Do you shake your head and say that no one pays attention to this stuff? Think again.

If things work the way the FTC would like, we’ll be seeing less spam about these things now. That seems unlikely, though, except for the briefest transition period as others take over. I agree with Trend Micro’s Paul Ferguson, quoted in USA Today: “Someone else will fill the void. While it’s great they caught these guys, the last time a major spam king was busted, the spam increased.” I don’t know that I specifically expect it to increase because of this, but there’s just too much money in spamming for one prosecution and one injunction to stop much.

Also, this isn’t a conviction, but only a temporary injunction — the order is for them to stop their operations while the court case proceeds. There’s no guarantee that it’ll end in a conviction.

Nevertheless, I will stress that it’s great they caught these guys, and it’s another case that shows that the CAN-SPAM Act of 2003 is effective, even with its flaws.

Thursday, June 19, 2008


Internet crime and the real world

We’ve heard a lot about pedophiles using the Internet to find their victims, and then arranging real-world meetings. They lure their victims by offering what the children want, promising fun, attention, friendship. They surround it all with intrigue, being a little sneaky behind one’s parents’ backs. They know how to make it appealing, even irresistible.

But it’s not just children who’re targeted by criminals who would cross the cyber/reality barrier. And to slightly geeky adults, what could be more appealing, even irresistible, than cheap iPhones?:

Trying to exploit the popularity of iPhones, four men used Craigslist to lure would-be buyers to Brooklyn and then robbed them at gunpoint, the police said on Thursday.

[...]

Lt. Garfield Brown, of the Police Department’s central robbery section in Brooklyn, said that the men used Craigslist to advertise a bulk sale of iPhones at a set price, arranged meetings with potential buyers, then robbed them of cash and other possessions.

Most of the meetings were set up in the evenings on various corners in the Flatbush area, he said.

“They were hoping that the victim would come with money to make the purchase,” he said.

The police said they have linked the suspects to at least 4 of 12 similar robberies between March 8 and June 4.

Lieutenant Brown said the men were arrested after the police noticed an advertisement on Craigslist that resembled one of the prior postings in which a buyer was lured to a meeting and then robbed. Officers posed as interested buyers and arrested the group. A loaded 9-millimeter gun was found in their car, Lieutenant Brown said.

They caught these guys using the same approach that they do for the pedophiles, only it was probably easier. One wonders about the stupidity of the criminals: I’d figure that once the police got three or four reports of the same crime, they’d be looking for it in just that way. “Hm,” they’d say, “This is the third report of a guy who answered a Craigslist ad for an iPhone in Brooklyn, and then got robbed. Let’s go have a look at Craigslist.”

So it’s a group of not-very-smart thieves, here, which tells us that the Internet is becoming a pretty routine place for launching crime — no longer a mechanism limited to clever criminals, no longer requiring any technological savoir-faire. And what got them caught was greed. If they’d pulled, say, three of these tricks and then disappeared, they might have gotten away with it. But not anticipating how easily they’d be caught if they persisted did them in.

But how does one protect oneself from this? Well, the victims fell into the greed trap too, to some extent (though the extent isn’t clear, since the article doesn’t tell us how cheap the iPhones were purported to be). The first line of defense is to be suspicious of a price that’s too low. Then if you still want to do it, bring someone with you, and meet in a public place at a reasonable hour. Look, anyone who tells you to come alone to a deserted area in the middle of the night is not selling you legitimate goods, hm?

Of course, you could do all that... and still get robbed. It’s a nasty world.