April 24, 2006

disparity between the stupid and the clever


all of us know very well about phishing attacks, right? i just felt like listing out how clever these attacks can get and, as the title suggests, how stupid people can behave when a phishing attack is launched on them. when you combine these two factors, *bam*, you've got a multi-million dollar industry.

so first, let's take a look at how stupid people can get:

a security professor at a reputed university conducted this little experiment to see how easy it is to swindle people out of their passwords. he wanted to test the extent to which people would trust emails that came from familiar/trusted sources. so he collected a list of friends of a bunch of students from the popular 'facebook', and sent a mail to each student. this email looked as if it was forwarded by a friend of the target student and it read, "hey, check out this cool link!!" (as you all know, this is the very first sign of something fishy) followed by a link forwarded to the sender by someone else (possibly unrecognized by the target - remember this part as it plays an important role in a variant of the experiment, which is described later here).

(a little digression at this point)
a dumb idiot would directly click on the link, while we clever and alert computer literates would first place our mouse pointer over the link, take a peek at the destination, and only then click on the link, right? by doing this, most of us get the "oh so wonderful" feeling that we're being very cautious and that no one can hoodwink us, right? you couldn't be more wrong. 'cross site scripting' (XSS) attacks only need the user to roll the mouse over a malicious link posted on a 'good' site and the user's cookies get hijacked. usually, the 'good' site is a billboard or an online discussion forum, where anyone can post anything. just imagine, you're part of these discussion forums. you see a post from a member with an interesting title. you click the title to open the article (remember the title points to a page on the forum/billboard itself and so doesn't raise any questions in your head). when the page opens, there's a huuuuuuuuge picture link that spans the entire width and height of your screen, so your mouse is automatically on that link and your cookie's stolen!!

(back to the experiment)
alright then, so the emails were sent out. and people started clicking on the link. and a page opened up that said "you need to login using your university id and password". apparently, this website was created in such a way that the passwords of the people who tried to login were not stored anywhere (good professor, but who knows?). instead, it just counted the number of login attempts that were made. (it just struck me that a few people could have entered meaningless ids and passwords, but i'm sure that would have formed only a small percentage of the results, which follow). so what would be your guess at the percentage of students that fell for this well-known trick? well, the count was a whopping 71%.

"hmm . . . well that's expected. it probably looked like a legit university page, with the university logo and everything," you say? that's because i haven't yet mentioned the most important part of the experiment - the address bar of the website read something like *stealyourpassword.com*. (i'm sooooooo tempted to use upper case letters here)

that's right!! and 71 bloody percent of the students gave away their passwords. i leave the conclusion to you people.

that's not all. there was a variant of the experiment with a different set of targets (obviously). in this variant, the email sent to each student had a deliberate giveaway. remember i mentioned that the link was present as part of a mail forwarded to the sender by someone else? so now, the email received by the target said that the sender had received that email from the target in the first place. now tell me, how many people do you think would go and directly click on the link, which, in fact, sat below the from, to, subject, sent, etc. fields of the forwarded mail?? 48%. period.

i have reason to believe these students were actually computer science students. worse, they were all taking that professor's security class. i earnestly pray that's a distortion of the truth and that these students were not very familiar with security issues. in any case, no wonder the phishing industry is a multi-million dollar industry.

now, let's see how clever phishing attacks can get:

as we all know, the basic version is an email purportedly from our bank or paypal.com or whatever, asking us to login to a page that's a twin of the real bank or paypal.com homepage. once we're past the login page (even when we *clever observers* provide non-existent usernames and passwords just to check it out!!), we're asked for all the booty - our full name, address, credit card number, date of expiration, mother's maiden name, etc. (if you ask me, these guys are a bit too ambitious, don't you think? they want *everything*)

so we *acute observers* see through this prank by looking at the address bar, which is generally very close to the actual site's address but off by a character, or with a numeric '0' in place of the letter 'o', etc. - minor details which can (and do) easily go unnoticed. in fact, some sites show only the ip address and don't have a readable string, which, in my opinion, should act to the attacker's disadvantage (which apparently doesn't seem to be the case!!)
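a defender-side check for the look-alike addresses described above, added here as an example and not something from the original post: it folds the usual digit-for-letter swaps back to the letters they imitate, compares the result against a small allow-list of real login hosts, and also flags a bare ip address. the trusted hostnames and sample urls are constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# constructed allow-list of the real hostnames a user actually logs in to
TRUSTED_HOSTS = {"www.paypal.com", "www.mybank.com"}

# characters commonly swapped in for the letters they resemble
CONFUSABLES = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s"}


def normalize(host: str) -> str:
    """fold common look-alike substitutions back to the letters they imitate."""
    host = host.lower()
    for fake, real in CONFUSABLES.items():
        host = host.replace(fake, real)
    return host


def edit_distance(a: str, b: str) -> int:
    """levenshtein distance (insert/delete/substitute), iterative two-row dp."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_url(url: str) -> str:
    """return 'trusted', 'lookalike', 'bare-ip' or 'unknown' for a login url."""
    host = (urlsplit(url).hostname or "").lower()
    if host in TRUSTED_HOSTS:
        return "trusted"
    try:
        ipaddress.ip_address(host)  # a numeric host: nothing readable to check
        return "bare-ip"
    except ValueError:
        pass
    folded = normalize(host)
    for real in TRUSTED_HOSTS:
        # exact match after folding catches '0' for 'o'; a distance of 1 or 2
        # catches the "off by a character" names
        if folded == real or edit_distance(folded, real) <= 2:
            return "lookalike"
    return "unknown"


if __name__ == "__main__":
    for u in ("https://www.paypal.com/signin", "http://www.paypa1.com/signin",
              "http://www.paypai.com/", "http://192.0.2.10/login"):
        print(u, "->", classify_url(u))
```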

so here comes the second version of the attack where the address bar looks perfectly legitimate. how is this done? though the actual address bar of the browser contains the illegitimate site's address, it is hidden behind an image which shows a valid address. wouldn't you fall for that? agreed you know that no legitimate site would ask you for all the booty on one single page. but what if the attacker behaved in a slightly less greedy fashion, and is only interested in getting your password? once you supply your password, the attacker's program redirects you to the actual legitimate site and logs you in with your credentials, leaving no trace of what transpired.

some of you *astute* observers probably have a huuuuuuuge grin on your face right now, and are probably saying to yourself "i wouldn't have fallen for that. i know that these illegit sites don't show a 'lock' in the bottom right part of the browser window. yaaaaaaaaay" (lock shown in the following picture). again, you couldn't be more wrong. the attacker can put all the locks and keys he wants. he can even buy a bloody ssl certificate for a measly amount of money.



and here's the third version - the worst of them all. you buy a wireless router off ebay for your home wi-fi connection and happily use it to perform all your online banking transactions. while wi-fi connections can themselves be easily intercepted by even a novice hacker, that's not the point here. assuming that there is no eavesdropper around listening on your wi-fi network, would you feel safe? of course you would. that's exactly how the attacker wants you to feel, while he has happily obtained your bank password. "whooooooaaaaa!! how the hell did that happen?" you ask? all he has to do is create a bunch of sites that are replicas of all the major banking sites. (if you use a lesser known bank, then you're probably lucky and won't be affected.) then he buys a wireless router, flashes it so that the routing table now points to his version when you type www.<mybank>.com in your browser, and puts it up for sale on ebay for half the price. this is the router that's sitting in your house right now, directing you to his site each time you login to your bank. ha ha gotcha!!

so as you can see, you really don't need people to be stupid to wipe their accounts clean. but, stupidity is definitely a desirable and a favorable characteristic as far as the attacker is concerned.

i consider myself to be one of you 'observers'. and i admit that i would fall for the second version.

gets you thinking, huh?

it is claimed that there are 5 different gangs in the world that mastermind all phishing attacks. if any of you knows where they hire their programmers from, please let them know that i'm interested.

-w

April 02, 2006

a problem with efficient coding?

i write this in my own words. so it is quite possible that there are a few embellishments that get added (un)intentionally. however, the moral of the story is what is important here.

back in the days of ww2, the germans gained a psychological advantage over the allies (especially the british) by wreaking havoc with their 'v1 flying bombs'. it took a long time and a good number of failed attempts for the british to come up with measures to counter these 'demolition birds'. however, there was one specific battle (possibly more) where the v1s proved to be a mere annoyance and posed no real threat, in spite of their heavy destructive ability.

antwerp was a huge port in belgium and was an important german stronghold, it being the second largest harbor in all of europe. the allies captured it and drove the germans out of it, which fuelled german attempts to destroy the port and the british ships docked in it. so what do they do? send out their v1s.

the result: most of the v1s ended up destroying dutch villages (which were evacuated, fortunately) that were roughly in between the v1 launch sites and the target, antwerp. this would seem really strange considering the fact that the germans had really smart scientists and engineers. this baffled the british and american scientists as well, who studied the v1 trajectories day in and day out just to figure out what was going on. and when they eventually did figure out what was going on, it was protected as a confidential military secret.

all of us know how projectiles work - so did the german engineers. they measured the distance ('range' in projectile terminology) between the launch sites and antwerp, inclined their v1s at 45 degrees for maximum range, calculated the actual distance that the v1s would have to travel, and filled them with the required amount of fuel. this sounds like a perfect plan, doesn't it? can you think of any problems with this approach?

well, it was the inclination. the machinery available wasn't accurate enough to incline the v1s at *exactly* 45 degrees. (disparity between theory and practice!!). the error was really very minute, but the problem was that this minute error was with the angle of inclination (of all things!!), which ended up throwing the v1s completely off-track.

now comes the question - how could the germans have avoided this problem? no . . . . . not by throwing more money into developing machinery with lower error. they should have behaved in a little less miserly fashion. yes . . . . . all they needed to do was to fill in a little more fuel than they did, and this would have provided thrust for a little more time, increasing the maximum height of the projectile and in turn, increasing the range.

A (poor) illustration:



well, i'm not contending that, by doing this, the germans could have turned the war and the world would've been a different place today but . . . . . you never know!!

now, putting this into context . . . . . i learnt this fact from my (extremely knowledgeable) manager while we were pondering over why we weren't getting the results we expected, even though we were doing everything according to (the theoretical) plan. he then narrated this little story to me and said that maybe we're overlooking something, just like the germans did.

and this way, he succeeded in adding to an already long list of concerns that i need to be worried about while coding. i have this habit (which i was proud of until today) of keeping things as efficient as possible starting from the smallest modules, instead of the other approach wherein people initially just get things to work, and then go about optimizing stuff. now when i think about it, there doesn't seem to be much difference between 'being efficient' and 'putting in the exact required amount of fuel'!! :(

some people might argue that it's not the same situation with software. there are no physical conditions like wind resistance that can affect the performance, and that software runs in a perfect 'environment'. this may or may not hold depending on the issue that the software is addressing. it certainly doesn't hold when dealing with statistical and probabilistic models to solve problems, which is what i do.

what do i do?

-w