Phishers may not have won the game, but they're definitely trammeling their opponents' defenses, says Phishing Exposed (Syngress Publishing) author Lance James. James is the chief technology officer for Secure Science Corp., in San Diego, Calif. In this interview, he describes security failures and new anti-phishing weapons and justifies his book's exposure of vendors' security holes.
Are there any open source tools that help combat phishing?
James: Short answer, yes. WiKID Systems Inc. has an open source, two-factor authentication system that helps with aspects of phishing.
Long answer, yes and no. I believe people have written software that is supposed to help, but the rapid evolution [of phishing] requires in-depth security solutions. That has yet to be seen in the open source world. There is no silver bullet for phishing.
In Chapter 5, "The Dark Side of the Web," you mention that patches are only a cover-up for poor Web development practices. What are some examples of the latter, and what basic common-sense precautions can a user take to prevent these mistakes?
James: Follow the Comprehensive Lightweight Application Security Process or some similar framework for all operations of the software development lifecycle. If you can't build a strong foundation, no matter how much patching you do, you'll always keep doing that till the house just falls apart, eventually. Establish a security process from the beginning of your design phase.
SSL's (Secure Sockets Layer's) threat model is bad for the online banking scheme because it doesn't address proper systems of trust to people who understand what trust is. Does a home user know what an SSL fingerprint is? No, of course not. That means that SSL was approved, deciding that that wasn't important. Well, it is now with all this phishing going on, now, isn't it?
How do you tell the difference between genuine software fix-its and patches masked as malware, such as a faux Red Hat patch?
James: You don't. Trust is relative. Look at Sony and their rootkit problem. We all know Sony by name, but now we're seeing they put a rootkit in there. [In its most basic form, a rootkit aims to disguise the presence or activities of a person or process on a target host while providing surreptitious access for later re-entry.] Validation services may help, but as I said in my book, browsing the Web is blind faith.
How do you establish trust? That [requires a] combination of trust metrics, cryptography, out-of-band communication and secure robust technology.
What are some two-factor authentication methods? How feasible or practical is this kind of setup?
James: Two-factor is coming out of the gate rather slowly. Malware will defeat it, and phishers have been using malware quite a bit now. The concept of two-factor is something you have and something you know. Your ATM card and PIN code is a two-factor authentication -- and, as you might have noticed, the ATM part of your card doesn't seem to get compromised too often. The failure with that card is it usually acts as a credit card number as well.
The newer two-factor auths are designed to be moveable RSA SecurID changes, thus the session gives limited access to an attacker. The RSA SecurID token -- which is a 26 bit number that is appended to your password -- rotates every 20 seconds, all the way up to a minute optionally.
RSA is not perfect. It's a good start. But getting banks to deploy this to their customers doesn't make sense. Banks don't want to lose their customer base by adding yet another confusing thing to the already existing online banking. It's a hard sell.
In your book, you describe exploitations of vendor vulnerabilities. Though vendors were notified of the breaches, some would claim that this crosses an ethical line. How would you respond to this?
James: Well, if they have decided not to adhere to the advisories they were given, what do I do? I believe it's OK to apply pressure to a vendor to get them to do their actual job of protecting their customers. It's the same as Bugtraq; in most cases, you report it to the vendor and hope they fix it and then release it. This book publicizes the vulnerabilities. I'm sure the vendors will be fixing them, if they haven't. It's better they were notified by someone doing good, rather than finding out in a phishing attack and possibly losing some of their customer base due to lack of confidence in their security.
What are the most effective ways to defend against phishing?
James: Common sense is the answer; but it's not perfect. The standard answer is make sure you're not running Windows 98 or ME, keep your 2000/XP boxes up to date. Trust your instincts. If an e-mail feels suspicious, don't click on it. Run protective software that assists with keeping an eye on suspect e-mail. Keep your antivirus [program] up to date.
The truth of the matter is that users can't prevent [phishing], because the ones that get hit never knew what the problem was in the first place. So, the problem can't be dramatically reduced from their end.
Secondly, the attacks are getting way more sophisticated. Take a look at the recent .WMF exploit that is out there. A week goes by, and Microsoft just got a patch going. That's a week where phishers probably made a lot of money, being that it's a phisher that designed the exploit in the first place.
Demand that vendors, such as banks and e-commerce [firms], start getting smarter about phishing! They can reduce the e-mails they send that look like phishing e-mails. Something similar to eBay's MyInbox is a great start. They should audit their Web sites for content and vulnerabilities that may lend a hand to a phisher. Stop reacting. Get proactive.