Interview with Aaron Emigh
• Latest news on the crimeware and phishing fronts
• Why average users can’t always sniff out those phishy emails
• Other cybercrime that financial institutions should be worried about
• Strong authentication - is it helping? What needs to be done further

> Listen to the podcast now

Aaron Emigh is a well-known expert in information security. He is the author of the U.S. Secret Service San Francisco Electronic Crimes Task Force Report on anti-phishing technology, as well as the reports on online identity theft countermeasures and crimeware from the U.S. Department of Homeland Security. Aaron has been involved as a consultant in anti-spam and anti-phishing technologies for several years and has presented security research at numerous conferences and research forums. Most recently, he contributed several chapters to Phishing and Countermeasures, published this year by Wiley Publishing.

LINDA MCGLASSON: Aaron, can you tell our audience what’s the latest news on the crimeware and phishing fronts these days?

AARON EMIGH: I think the biggest thing that’s happening right now is the ongoing transition from purely deception-based attacks, where you’re getting an email that just pretends to be from your bank, to very sophisticated crimeware which provides all kinds of different attack vectors on a user, in which credentials can be stolen, transactions can be generated, DNS can be hijacked so that you’re going to your bank site and you actually end up somewhere else, even if you’re doing the right thing as a user, and so on. So, we’re seeing on the conventional deception attacks that they’re using blacklist-busting URLs. It’s a game of Whack-a-Mole where blacklisting, the phishing toolbars and so on are being integrated into browsers, so what’s happening is phishers are using unique subdomains for each email or for groups of emails to avoid being put on the blacklist. We’re seeing more pharming attacks, we’re seeing man-in-the-middle attacks, which will render the tokens that are used for two-factor authentication significantly less effective, for example, and we’re seeing a lot of work being done in research on wireless-based attacks, for example, attacks in which a wireless router with a default password could be reprogrammed using malicious JavaScript to point to a DNS server which would direct you, instead of to your bank site, to a site that has nothing to do with your bank, and using JavaScript only, you can actually get any user that you can lure onto a malicious website to have their DNS compromised to enable pharming. So, I think there are some interesting things happening right now, and there are even scarier attacks on the horizon.

One other thing I’d point to is what a lot of people are calling spear-phishing, which is more targeted phishing attacks. So we saw this, for example, in one case where a DSL store was broken into and its customer database was compromised. Well, once you have not only email addresses, but where those email addresses came from, you can then craft a very specific attack. So in these cases, these people were sent emails saying, there’s a problem with your order, and they were able to show real order information, and then you have to come to this website to input additional information, and then they would phish them on that website. Well, since it was a real order that they had placed, that was a very convincing token of credibility, and a lot of people got caught in that. And I think we’ll see more of these kinds of composition attacks.

LINDA MCGLASSON: What are some of the reasons that the average user or reader of emails out there can’t always sniff out those phishy emails?

AARON EMIGH: It’s an interesting question because it involves a lot of different factors. I think the first thing to say is that users don’t really understand the finer points of authentication, of knowing that they’re on the right website and so on, or that they’re looking at an email from the right party. And I would argue that users should not have to understand and can’t be expected to understand them, so I don’t think that just a reliance on educating users, on the assumption that it’s these dumb users that’s the problem, is going to be successful. I don’t think users are dumb, I just think that things are not well set up for users to easily understand things.

Simple example: if you’re in the real physical world, and you’re looking at a building that says it’s a bank, it’s pretty easy to visually tell with pretty decent reliability whether it’s really a bank. Is it a big, gleaming edifice of marble? Well, if so, it probably is. If it’s a guy on a street corner with a cardboard box, it probably isn’t a bank. And one of the problems that we have is that the online equivalent of the guy on the corner with a box can steal the bank website and look exactly the same as the bank, and the only differences are things that are very obscure to the user. They’re things like, oh, well, look for the SSL lock icon in a very particular location in the chrome. Well, it turns out users don’t know that it matters where the lock icon is. If it occurs on the page, it also gives them an increased sense of security. If it’s the favicon and it appears on the left side of the URL instead of the right side of the URL, they don’t know how to distinguish those kinds of things. A lot of our security indicia are not designed for human recognition. We have evolved over a very long period of time to make very sophisticated trust decisions in the offline world, and the online world has done a very poor job so far, and in fact the general technology arena has done a very poor job so far, of helping users to figure out what they should trust online. I think financial institutions compound the problem by employing very poor practices in a lot of their customer communication. I’m talking about things like emails from banks that contain clickable links, where the links are obfuscated, really long links that are hard for a user to understand, and they sometimes don’t even go to a domain that you’d expect for a bank. They go off to some strange domain name that looks a little bit like a phishing domain, or just like a phishing domain.

They don’t even visibly use SSL on the login screen; hard though it is for users to understand it, it’s easier if it’s generally used. And oftentimes the login screen does not use this SSL for the submitted form data with a username and password, but the user can’t see the lock when they’re actually entering the data. Users tend to learn from what they do, rather than from what they’re told, so they’ll learn a lot better from good practices being followed by a financial institution, and seeing a deviation from that on a phishing site, than they will from just being told by a financial institution what to do. So I think that’s kind of a rundown of some of the reasons that the situation is difficult for users.

LINDA MCGLASSON: Obviously phishing and crimeware are things that financial institutions are thinking constantly about. But are there other things that they should be worried about in terms of cybercrime?

AARON EMIGH: I think that in terms of cybercrime, those are very large threats. I also think that there’s a consumer perception sometimes that phishing and so on are the big problems, and we have very high number estimates there, and people should understand it’s not the largest source of losses for banks; it’s certainly dwarfed by bad credit decisions, and other forms of fraud are comparable to or greater in size, but phishing has become very big. Crimeware is very big on a number of levels. It’s very large in attacks against individuals. It’s also a very significant risk in transaction generators that get put into payment processing centers and so on, often through security holes in those types of places. There are a lot of threats in the online world, as well as the typical data theft. And simple insider compromises always need to be paid attention to also. There’s an old question: how do you make a system so secure that it would take $50 million to break in? And the answer is, well, you can’t, because you can always pay somebody on the inside $1 million and get the data. Certainly this is not a new thing to financial institutions, but it is something that sometimes people focused narrowly on cyber security don’t give full consideration to.

I would say also that phishing and other forms of cybercrime are especially scary because they’re growing very fast relative to other kinds of fraud, and because ultimately they have the potential to erode trust in online banking. Certainly people who have been stung by phishing are much less likely to continue with online banking, but also just generally some of the publicity around it has the potential to have that impact, so it’s receiving important priority consideration because it has the possibility to threaten a lot of the infrastructure that’s been built up.

LINDA MCGLASSON: And as you noted before, it’s not always the banks themselves that are the victims of the phish, but other companies, like the DSL company that you mentioned before. What can financial institutions do to mitigate some of the threats that have been coming out as of late that are posed by zero day vulnerabilities?

AARON EMIGH: Well, zero day vulnerabilities in particular are an interesting question, because there are some things that financial institutions can potentially do. Frankly, I think operating system vendors and other software vendors have in some ways more to contribute here, and that’s just because they are situated to actually respond to the attacks and to deploy technology that better addresses those attacks. Financial institutions are rightly hesitant to be providing patches or otherwise trying to get people up to date and running security technologies. And I think that’s the correct stance, because if they try to get users to install executables, then that becomes something that users are accustomed to, and they will tend to install executables more often from illegitimate sources as well. So, a true zero day vulnerability is one that there isn’t a patch for at the time it comes out. This is something that happens a fair amount, although the vast majority of the compromises occur through vulnerabilities that have already been discovered and patched, but where the users simply haven’t updated their machines.

One thing that a financial institution can potentially do against a zero day attack, or at least an attack that is relatively new, is to scan the machines of people who are contacting them. And so, for example, one technology I’m familiar with that’s in development is something called remote harm detection. I think this is something that has a very interesting future in front of it in terms of being able to figure out, at the time the user hits your website, well, have they previously visited websites that are known to distribute malware, for example. And so this is one thing that I think is a very promising direction for financial institutions to be able to do about crimeware in general.

LINDA MCGLASSON: You had mentioned before the move to stronger authentication methods at financial institutions. Do you see that as helping to further secure their customers, what would you say needs to be done further, and finally, is mutual authentication the next step?

AARON EMIGH: Yes, so I think that absolutely strong authentication can be extremely helpful. I would place a very significant caveat on that, which is you have to very carefully formulate what it is that you’re trying to protect against, and you need to do a careful evaluation of any technology that’s under consideration to ensure that it actually defends against your particular threat model. So, for example, tokens that have one-time passcodes or time-varying passcodes can be effective in preventing an aftermarket for credentials, but they are not effective against preventing an illicit action taking place quickly, because a man-in-the-middle attack can take the authentication token information and utilize it. Similarly, there are a lot of technologies on the market which rely on the user being able to make a particular determination about whether an image that’s being displayed is correct, and so on and so on. There are a lot of different variants of these. Very few, if any, of them have any solid evidence behind them that they actually work when users under realistic conditions and under attack are involved. They make a lot of assumptions about what user behavior will be, and if there’s one thing that we know about user behavior, it’s that it is not incredibly predictable, and you need to carefully study it and understand what it is going to be in realistic conditions.

LINDA MCGLASSON: What can be done more to provide better security by the companies that produce these operating systems and browsers that run all this?

AARON EMIGH: This is really interesting because I think there are a lot of things, and I would give first the caveat that these have the same requirements for user testing as any technology that a financial institution might roll out. But one thing that’s really missing right now is a trusted path, a way that users can have an assurance when they're entering information that only the intended recipient of the data can actually use it. And this is something that really should be provided at the operating system level. It could be provided potentially within a browser, but it would have a general form. There are a number of proposals, but one possible form for it is to have what is known as a secure attention sequence. When you log into a Windows computer, you have to hit Ctrl + Alt + Delete before you enter your username and password. Well, that’s done to prevent a Trojan from operating. So, when you hit Ctrl + Alt + Delete, the operating system conceptually is providing a guarantee that you’re really talking to the OS and that the user interface you’re seeing can’t be spoofed. And at that point, that’s what you’re talking to.

Well, you can actually do a similar thing over the Internet. The technical details are a little bit involved, but you can have something over the Internet where you have a guarantee that your data is going to be encrypted using the public keys of the person whose identity, or institution whose identity, is being displayed, and that is displayed from a cryptographically signed certificate. And that way only that intended recipient can actually read the data, so that’s something that can actually be done.

I mentioned earlier that a lot of the indicia that are displayed in browsers and so on are not easily intelligible to users, and I would say that a lot of the attempts here by the browser manufacturers have not been exceptionally well motivated in terms of how users really respond to them. They’ve been rolling out phishing toolbars and so on, and it looks like they don’t work exceptionally well. Security indicia that are really unspoofable and that are distinguishable by users, and again I would stress that that really needs to be proven by usability testing, would be a tremendous step forward.

LINDA MCGLASSON: You’re involved in several government organizations that are working to prevent online fraud. What are they doing?

AARON EMIGH: There’s a lot of work in this area, because online fraud is recognized as a financial issue, but also as a law enforcement issue, and as a threat to parts of the nation’s critical infrastructure. A few examples of the organizations that are out there: I’m a member of the Department of Homeland Security Identity Theft Technology Council. They have published a couple of papers on phishing and on crimeware. They are looking at this very much from the point of view of bringing together top people in academia, corporate executives, technology executives and researchers and coming up with good approaches to the technology. The Secret Service has an electronic crimes task force which looks at this as sort of a public/private partnership to have law enforcement and industry working together on electronic crimes. The FBI sponsors an organization called InfraGard, and that is dedicated to protecting the nation’s critical infrastructure, and the financial infrastructure and the Internet are part of that. So, all of these organizations are really looking to provide conduits between law enforcement and private industry so people know where to turn, and also to find the best technologies and help that come about.

The Department of Homeland Security, and its subdepartments as well, have done especially a lot of work in providing some early stage funding to promising security technologies which could help mitigate the risk. So, there’s a lot of work going on in that borderline between public and private.

LINDA MCGLASSON: Seeing how 80% of our critical infrastructure is privately owned, it’s important to protect it. What is something that keeps you up at night in regards to information security?

AARON EMIGH: One thing is, there’s sensitive information that’s being kept in all kinds of unsafe places, alright? I mean, there are all sorts of low-security sites that are filled with credit card data, Social Security numbers, employment information, all sorts of things. And it’s actually fairly remarkable that some of this information has become extremely public, and there’s an aftermarket for this information, and you can see that, for example, in the case involving Hewlett Packard’s board, which got some publicity. And it’s possible to obtain a lot of this information publicly. But also it’s accessible, often quite easily, to hackers, and once people obtain that information, it can be very difficult to right the wrong, and it’s hard to know when it’s compromised.

Another thing that keeps me up at night, strangely enough, is just the lack of trusted path. I was talking earlier about the fact that there’s just no good mechanism for providing an assurance to people about who they’re talking to online, and it’s possible to subvert that very easily in ways that are very, very difficult for all but the most expert users to discern. I was talking earlier about what’s being dubbed wireless drive-by pharming, changing your wireless router configurations and so on. There’s just a lot of possibility for problems also as different kinds of devices proliferate. You could have malware that attacks wireless routers, you could have malware that attacks cell phones. In Japan they’ve got people using cell phones as payment mechanisms. Well, that’s an area that again is very ripe for problems. I think there are plenty of things to stay up at night worrying about.

LINDA MCGLASSON: All of the insomniacs, step forward. Finally, your words of advice to those information security practitioners at financial institutions?

AARON EMIGH: The first thing I would say is educate yourself on the threat. Join organizations like the Anti-Phishing Working Group, like some of the public/private partnerships that I was talking about earlier. There’s been a lot of good academic literature as well, and I think it would be valuable to familiarize yourself with that literature. The next thing I would say is to get on top of your institution’s practices. There are, as I mentioned earlier, a lot of different kinds of poor behavior on the part of financial institutions that help make people susceptible to phishing. It’s especially complicated to make sure that good practices are followed by different vendors who may be used for marketing campaigns and so on, but this is a very important thing for financial institutions to do. The next thing I would say is, formulate your threat model. It’s not uncommon that people will go out looking for vendors when they haven’t actually specified clearly what problem it is that they’re trying to solve. It’s very hard to make an appropriate choice of technology if you’re not exactly sure what it’s supposed to do. And I would say that you need to evaluate any technology and vendor that you’re considering based on those clearly defined threat models and on user studies that show that the technology actually works, rather than just a plausible story that it might work. I would also push for the work of industry consortia like the Financial Services Technology Consortium, which are doing good work to help create sets of recommendations that are better motivated than just vendor brochures. I would also encourage you to share data. The APWG has a phishing data network, there’s FS-ISAC, there are a lot of different places that you can share data, but one of the things that can really help is that information sharing between institutions. And I would also say security can be a subtle area. It involves a lot of deep technology; it also involves a lot of user behavior. And in any particular area where you’re not yourself experienced, it can be very helpful to find people who are knowledgeable in that field and work with them.
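Editor's note: the distinction Emigh draws between one-time-passcode tokens defeating a credential aftermarket but not a real-time man-in-the-middle is easy to state and easy to misjudge when evaluating a vendor. The following is an added example, written for this page and not code from the interview or from any product it mentions, that implements the standard HOTP/TOTP algorithms (RFC 4226 / RFC 6238) and a bank-side verifier, then runs both scenarios against it. The seed, the capture time, the 30-second step, the one-step clock-skew allowance and the replay bookkeeping are all constructed assumptions for the demo.

```python
import hashlib
import hmac
import struct
import time

# Constructed demo values (assumptions for this example, not real token data).
SEED = b"demo-seed-for-otp-token-0001"
STEP = 30                       # RFC 6238 time step, seconds
DIGITS = 6
SKEW = 1                        # accept +/- one step of clock drift, as many servers do
CAPTURE_TIME = 56_666_667 * STEP  # a step-aligned instant: the victim types the code here


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: float, step: int = STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from wall-clock time."""
    return hotp(secret, int(at // step))


def server_accepts(secret: bytes, code: str, now: float, used: set) -> bool:
    """Bank-side verifier. The code must match the current step or an adjacent one
    (clock skew), and each (step, code) pair is consumed once so it cannot be replayed."""
    current = int(now // STEP)
    for delta in range(-SKEW, SKEW + 1):
        counter = current + delta
        if hmac.compare_digest(hotp(secret, counter), code):
            if (counter, code) in used:
                return False            # already redeemed: replay inside the window
            used.add((counter, code))
            return True
    return False


def aftermarket_replay(secret: bytes, captured_at: float, replay_at: float) -> bool:
    """Credential-aftermarket scenario: the OTP is harvested, sold, and used later.
    Returns whether the bank accepts it."""
    code = totp(secret, captured_at)
    return server_accepts(secret, code, replay_at, set())


def mitm_relay(secret: bytes, captured_at: float, delay_seconds: float) -> bool:
    """Man-in-the-middle scenario: the phishing site forwards the OTP to the real bank
    within seconds of the victim typing it. Returns whether the bank accepts it."""
    code = totp(secret, captured_at)
    return server_accepts(secret, code, captured_at + delay_seconds, set())


def double_submit(secret: bytes, at: float) -> tuple:
    """Same code submitted twice inside its window against one verifier state:
    the first succeeds, the second is refused as a replay."""
    used = set()
    code = totp(secret, at)
    first = server_accepts(secret, code, at + 1, used)
    second = server_accepts(secret, code, at + 2, used)
    return first, second


if __name__ == "__main__":
    print("code at capture time:", totp(SEED, CAPTURE_TIME))
    print("sold and replayed 5 min later:", aftermarket_replay(SEED, CAPTURE_TIME, CAPTURE_TIME + 300))
    print("relayed by MITM after 5 s:", mitm_relay(SEED, CAPTURE_TIME, 5))
    print("relayed by MITM after 45 s (skew window):", mitm_relay(SEED, CAPTURE_TIME, 45))
    print("relayed by MITM after 90 s:", mitm_relay(SEED, CAPTURE_TIME, 90))
    print("same code twice:", double_submit(SEED, CAPTURE_TIME))
    print("live code now:", totp(SEED, time.time()))
```

The replay five minutes later fails and the same code cannot be redeemed twice, which is exactly the aftermarket protection Emigh credits the tokens with; the relay within the step (and, because of the skew allowance, for up to a step beyond it) succeeds, which is the man-in-the-middle gap he warns the token alone does not close. An evaluator can use a harness like this to check that a proposed control actually changes the outcome of the relay case, rather than only the replay case.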

About the Author

Linda McGlasson

Managing Editor

Linda McGlasson is a seasoned writer and editor with 20 years of experience in writing for corporations, business publications and newspapers. She has worked in the Financial Services industry for more than 12 years. Most recently Linda headed information security awareness and training and the Computer Incident Response Team for Securities Industry Automation Corporation (SIAC), a subsidiary of the NYSE Group (NYX). As part of her role she developed infosec policy, developed new awareness testing and led the company's incident response team. In the last two years she's been involved with the Financial Services Information Sharing Analysis Center (FS-ISAC), editing its quarterly member newsletter and identifying speakers for member meetings.
