Introduction/Overview
The US government's Internet Fraud Complaint Center received 50,000 complaints in 2001, 75,000 in 2002 and 120,000 in 2003.
From: Verification <verify50@halifax.co.uk>
To: M.d.ryan <m.d.ryan@bham.ac.uk>
Subject: Halifax E-mail Verification: m.d.ryan@bham.ac.uk
Date: Sun, 26 Oct 2003 06:49:54 +0000
Dear Halifax Bank Member,
This email was sent by the Halifax server to verify your e-mail address. You must complete this process by clicking on the link below and entering in the small window your Halifax username and password. This is done for your protection --- because some of our members no longer have access to their email addresses and we must verify it.
To verify your e-mail address and access your bank account, click on the link below. If nothing happens when you click on the link (or if you use AOL), copy and paste the link into the address bar of your web browser.
http://halifax.co.uk:ac=AA6FDxthlNmaz7OOuYbH@ShOrTwAy.To/x66f94/?7312hL2M5ZHFzNj
The syntax http://a:b@domain.com/path means http://domain.com/path, fetched with username a and password b supplied to that server: the browser connects to domain.com, and the bank's name before the "@" is merely a username. The web site shortway.to appears to have disappeared, though it was certainly there when I received this mail.
From: "Halifax plc" <response@halifax-mail.co.uk>
Sender: "Halifax plc" <response@halifax-mail.co.uk>
To: "mdr@cs.bham.ac.uk" <M.D.Ryan@cs.bham.ac.uk>
Subject: IMPORTANT NOTICE: From Halifax and Bank of Scotland
Date: Sat, 1 Nov 2003 12:24:24 GMT
As you may have heard on the news recently a number of fraudulent emails are currently circulating in the UK encouraging bank customers to visit a website where personal card or internet security details are then requested. Please note that we would never send emails that ask you for confidential or personal security information - other than your usual sign-ins to online banking. (MDR emphasis)
If you have already received, or receive such an email in the future, please forward this to onlineemailinvestigations@hbosplc.com and then delete it immediately without responding or visiting any site it details. If you are concerned that you may have divulged any personal or security details please call our Helpdesk on 0845 602 0000.
Halifax plc. Registered In England No. 2367076. Registered Office: Trinity Road, Halifax, West Yorkshire HX1 2RG.
Bank of Scotland. The Governor and Company of the Bank of Scotland, constituted under an Act of Parliament 1695. Head Office: The Mound, Edinburgh EH1 1YZ.
Is this one real, or another fraud? (If real, why mail me, since I don't bank with Halifax.)
What a mess. Public-key Infrastructure could solve all these problems,
if only it were used [more later].
December 2003: vulnerability announcement. IE6 can be made to display a different URL in the address bar from the one actually being accessed. It is the same trick as above, but with a non-printing character (%01) placed before the "@": IE stops displaying the URL at that character, so the page appears to be at the domain shown before it. Demonstration:
http://www.zapthedingbat.com/security/ex01/vun1.htm
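Both tricks (the user:password@host syntax in the Halifax mail, and the %01 variant used against IE6) can be checked for mechanically. The following is an added example, not code from the original page: it splits the authority part of a URL the way RFC 3986 and Python's urllib do, reports the host a browser actually connects to, and lists the signs a mail filter or proxy would flag. The non-Halifax domains in the second sample URL are constructed placeholders.

```python
from urllib.parse import urlsplit, unquote

# The link from the Halifax phishing mail quoted above (copied from the page).
PHISH_URL = ("http://halifax.co.uk:ac=AA6FDxthlNmaz7OOuYbH"
             "@ShOrTwAy.To/x66f94/?7312hL2M5ZHFzNj")

# Constructed example of the %01 variant; both domains are placeholders.
IE6_STYLE_URL = "http://www.example.test%01@other.example/login"


def real_host(url):
    """Host the browser actually connects to: the part of the authority
    after the last '@' (RFC 3986), lower-cased. Whatever precedes the '@'
    is only a username sent to that host."""
    return urlsplit(url).hostname


def userinfo(url):
    """The 'user:password' part before the last '@' in the authority, or None."""
    netloc = urlsplit(url).netloc
    return netloc.rpartition("@")[0] if "@" in netloc else None


def phishing_indicators(url):
    """Reasons a mail filter or proxy would treat the link as suspicious."""
    reasons = []
    info = userinfo(url)
    if info is None:
        return reasons
    user = info.split(":", 1)[0]
    reasons.append("userinfo present: connects to %s but shows %s first"
                   % (real_host(url), user))
    if "." in user:
        # A username shaped like a domain name exists only to mislead the reader.
        reasons.append("username looks like a domain name: " + user)
    if any(ord(c) < 0x20 for c in unquote(info)):
        # The %01 trick: IE6 stopped drawing the address bar at the control byte.
        reasons.append("control character in userinfo (address-bar truncation)")
    return reasons


if __name__ == "__main__":
    for url in (PHISH_URL, IE6_STYLE_URL):
        print(real_host(url), phishing_indicators(url))
```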
Is this a bug, or a feature? If a form is secure (https) but it posts its data back insecurely, what does this mean, and how should your browser behave? It probably means the web designer doesn't understand what s/he is doing, since s/he is securing the blank form (which is unlikely to be confidential) but then passing the data (likely to be confidential) in the clear. Tim Williams: "I reported the problem twice [to the web site owners], but they never replied and never bothered to fix the problem."
How do the browsers behave?
- IE: initially, warns user about any switch between http and
https. Everyone turns this off of course. It doesn't give you any
warning after that.
- Both KDE Konqueror and Mozilla web browsers warn the user,
regardless of whether they have turned off standard warnings.
Warning. This is a secure form but it is attempting to send your data
back unencrypted. A third party may be able to intercept and view this
information. Are you sure you wish to continue?
Demo: https://hotstuff.my-place.org.uk/encrypttest.html
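One way to check a page for the "secure form, insecure post" case described above, as an added example that is not part of the original page: it resolves each form's action against the page URL and flags a https page whose form would post to http (the downgrade Konqueror and Mozilla warn about), separately from a mere scheme change. The page URL and HTML are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample: an https page with three forms.
SAMPLE_PAGE_URL = "https://example.test/encrypttest.html"
SAMPLE_HTML = """
<form action="http://example.test/cgi-bin/submit"><input name="card"></form>
<form action="/cgi-bin/submit"><input name="card"></form>
<form><input name="card"></form>
"""


class FormCollector(HTMLParser):
    """Collects the action attribute (or None) of every <form> on the page."""

    def __init__(self):
        super().__init__()
        self.actions = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "form":
            self.actions.append(dict(attrs).get("action"))


def check_forms(page_url, html):
    """Return one (resolved action URL, verdict) pair per form.
    A form on an https page whose action resolves to http sends the
    user's data in the clear even though the blank form was encrypted."""
    page_scheme = urlsplit(page_url).scheme.lower()
    parser = FormCollector()
    parser.feed(html)
    results = []
    for action in parser.actions:
        # A missing or empty action posts back to the page's own URL.
        target = urljoin(page_url, action or "")
        target_scheme = urlsplit(target).scheme.lower()
        if page_scheme == "https" and target_scheme == "http":
            verdict = "INSECURE: secure form posts its data unencrypted"
        elif page_scheme != target_scheme:
            verdict = "scheme change (http -> https): warn"
        else:
            verdict = "ok"
        results.append((target, verdict))
    return results


if __name__ == "__main__":
    for target, verdict in check_forms(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(verdict, target)
```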
Computer Security
Computer security is about protecting assets against threats, identifying and overcoming vulnerabilities, mitigating risks, and reducing the impact of attacks.
Assets are the things we want to protect. They include stored data and data in transit. Threats are the bad things that can happen to assets. They include loss of confidentiality, integrity and availability of data.
Attacks are attempts to realise threats. Vulnerabilities are weaknesses of systems which make attacks possible.
The risk of an attack is a measure of the likelihood of it occurring. The impact of an attack is a measure of how serious it would be, if it did occur. Examples (supposing occurring in 2004):
|           | Low impact                                    | High impact                                   |
| Low risk  | WEP cracking on the School's wireless network | an effective algorithm to break RSA PKI       |
| High risk | a large-scale spam attack                     | a large-scale virus attack against MS Windows |
Security engineering is about evaluating the risks and impacts of
attacks and deciding on appropriate responses (such as avoidance,
reduction, and acceptance).
Attacks and countermeasures
Draw lines to connect them appropriately. These lists are not at all
complete; find some more examples of attacks and countermeasures, and
email them to me.
Attacks:
- keycatcher
- network sniffer
- spyware
- virus/worm
- DDoS
- compromised software (with inserted back door)
- identity theft
- buffer overflow attacks
- website defacing
- spam
- phishing

Countermeasures:
- symmetric-key encryption
- public-key encryption
- secure hashes
- certificates
- firewalls
- security protocols
- IPSec
- SSH
- SSL/TLS
- intrusion detection
- DMCA
- "trusted computing"
End