web application security lab

Anti-Phishing Legislation

Legislation is probably one of the least sexy parts of what we all work on, but I had a thought a while back that I never managed to circle back on. I used to work for a mega-company doing anti-phishing stuff (among lots of other tasks) and one day I decided to look into anti-phishing from a legal perspective. I never followed through with it, but this is a topic that I think deserves some debate, as I haven’t seen a lot of people talking about this, or sponsoring legislation I think has a snowball’s chance in hell of helping.

I was doing an interview with InformationWeek today about anti-phishing (btw, any phishers reading this, if you are interested, they would like to have an interview with you - contact me and I’ll get you in touch with them). One of the questions that was asked (and is always asked every time I talk to high level people about this) is what people can do about it. I started down the same old path I always go down, patch up, use modern browsers with anti-phishing built in, blah blah. I hated the sound of my own voice. If you were to take the average IQ of the internet population, I doubt it would be higher than 90-95 at best. There is no way people reading that article are the target segment of the Internet.

If you take that to the next logical step, the people who need this help the most are also the least likely to know how to fix those issues or keep themselves safe. Taking it one step further, there is no way for the average consumer to protect themselves. So who is it up to? To me it seems like it should be up to the people who actually do know how to fix these issues.

I’m not one of those people who is super into having laws dictate our lives, but this seems like an interesting idea. Current anti-phishing laws only apply to countries that have extradition treaties with us, and since when do phishers care about that anyway? What if we turned the law around and pointed it at the people who actually do know how to fix these issues for consumers - the ISPs? What if we made a law that said that ISPs must make a reasonable effort to subscribe to anti-phishing lists and they must shut down access to websites that have known phishing holes in them. Failure to do so could result in fines, and further, if a consumer is actually phished, the ISP is liable.

I’ve already talked to large ISPs who are using OpenDNS, but that’s not cutting it. OpenDNS only applies to sites that are linked to by hostname, and many phishing sites use only IP addresses. So yes, it would be painful for ISPs. Yes, it would cost extra. Yes, it would be annoying for researchers (maybe they have to call to get sites turned back on for them). Yes, it could cause a DoS for websites that are caught as false positives, or for virtual hosts on the same IP. All valid points, but none of them seem worth spending another billion dollars of Internet consumers’ money this year to finance the phishing market. Comments?

12 Responses to “Anti-Phishing Legislation”

  1. Kyran Says:

    Only somewhat related, but if some sort of liability was put onto ISPs and they provided sufficient blacklisting of phishing sites, would this not just forward the concepts of XSS-based phishing, where there is very little to trace back to anyone?

  2. RSnake Says:

    You still have to post the data somewhere, or you have to pull in the JavaScript include that puts the XSS on the page from somewhere and that somewhere is what you would blacklist. It’s pretty easy to see where the data is posted to/pulled from.

  3. kuza55 Says:

    Sure, you still have to put it somewhere, but you can always abuse existing infrastructure, e.g. if say someone decided to use WhiteAcid’s Community Cookie Logger to store credentials, or pastebin, or some public forum, where you know the admins aren’t active.

    And even then, considering the security of the web, you can easily just root a couple of hosts and use them; they are still legit businesses.

    And to top that off, you’re not going to be able to get all countries to sign this legislation, and practically all countries have vulnerable hosts.

    And then you also need to consider at what tier of ISP you want to do this. Are you willing to force this on mom-and-pop ISPs who may not have the resources to keep on top of it, and contact customers, etc, etc.?

    So while it’s an interesting idea, I’m against any legislation that prosecutes people who didn’t do anything wrong; it’s like blaming a person who rents out hundreds of units because one of them was a mafia front.

  4. packetwerks Says:

    I don’t think that anti-phishing legislation will do anything. There are anti-spam, DDoS, etc. laws now and only the really dumb spammers ever get caught. There are laws against stealing money from someone, so I am not sure why there needs to be an anti-phishing law. Should we make a law that walking into a bank with a mask on is illegal? No, we should just keep it illegal to rob banks.

    Everyone with a problem asks the ISPs to fix it. Spam, DDoS, kiddie porn, gambling, pirate music/movies/software, and on and on. However there’s no financial motive for the ISPs (telcos) to fix any of this. There have been stabs at legislation but the fact is that the most costly phishing (financial, etc.) isn’t their problem.

    The ISPs have in recent years started putting anti-DDoS gear in POPs to help with that problem, but that was only because one or two ISPs started to productize anti-DDoS as a service. And they now respond to DMCA notices, and look what a CF that is.

    Asking ISPs to fix phishing is like asking the Dept of Transportation to help reduce auto accidents. They can engineer roads, lights, etc. to a degree, but then it becomes more effective to build better cars and be better drivers.

    Here’s a thought: Make the customer partially responsible for getting phished. This is unfriendly to the consumer and not a good business solution but damn would it make you double check the cert, etc. before handing over your credentials.

  5. Spider Says:

    From a friend who works with a domain registration company, I’ve heard interesting tales about this sort of thing. The major phishing targets often contact the ISP when they notice the DNS update to shut down the servers, and any domain name that redirects to it. The major domain registrars attempt to screen any new domains for possible phishers as well. I’m not sure exactly what benefit a new law would bring. Most phishing sites aren’t up for very long at a single IP address. It’s like playing whack-a-mole.

  6. RSnake Says:

    @Packetwerks - I think you are confusing a few issues. The current state of legislation definitely doesn’t work because it attempts to stop people from phishing - they aren’t going to stop phishing in Romania because someone in the US tells them not to. However, with my proposal it doesn’t matter. If the US adopts the legislation, it doesn’t matter where the phishing site is located; it would not be able to be routed to anymore, thereby protecting everyone in the US. Other countries would be at risk still, but as the US is the largest target for online fraud, I think that’s a huge step in the right direction.

    Regarding your thought to screw over consumers by blaming them for their own mistakes - that’s already the way it is. That doesn’t appear to be working. I think we can safely assume telling people that they must defend themselves is a lost cause. It’s time to try something else.

    ISPs would need to become accountable for their customers, in the same way car manufacturers are accountable for faulty seatbelts. If someone gets killed they should be liable, not the poor schmuck who didn’t know his car was a hunk of garbage. There is tons of precedent for this type of law. OSHA is a great example - companies are liable for the unsafe work conditions that their employees reside in - it’s not up to the employee to know not to use a wobbly stool to change a lightbulb.

    To use your own example, it’s exactly like the DoT (let’s use a local example like CalTrans for ease of understanding). CalTrans is absolutely required to keep roads up to a certain state, and if they fail to do so, they can be held liable by the state. The consumers in this case sue the state, not CalTrans, but the effect is the same. There is precedent for this kind of thing all over the place, and it’s one of the few choke points on the Internet that could actually help the issue.

    @Kuza - to your point, yes, I already mentioned that as a hole in this proposal, but would you rather have a phishing site stay up or have a legitimate business get blacklisted until they can fix the problem? Frankly, I think it’s their duty to protect their consumers (similar to PCI compliance). Again, there’s precedent here.

    To do business with whatever consumers reside within whatever governments adopt this you would need to be in compliance. It’s not dissimilar to having to have a license to drive in a lot of ways.

  7. packetwerks Says:

    @RSnake - Having worked in the department (there were 6 of us) of a Tier-1 backbone provider that would have to comply with your legislation, let me tell you why this won’t work :-)

    If by routing you mean black-hole-route the phishing server’s IP address (given the limitations of OpenDNS as mentioned above), you will be hard pressed to find an ISP that will constantly add/remove IPs from their entire AS as the phish sites go up and down. It’s not practical. Trust me, protecting the Internet population by “nuking sites from orbit” is not practical except in very specific and grave circumstances. Every now and then the ISPs can do something nice like black-hole some owned DSL line that is being used as a DDoS control server, or black-hole a web server hosting the payload for a worm that is about to melt the Internet. But those situations are few and far between, and done with a lot of coordination.

    Basically what you are asking for is a centralized “bad phishing IP list” sort of like what the anti-spam community has. Only rather than having mail admins subscribe to this list on a server-by-server basis, you would force ISPs to make changes on a daily/hourly/minute? basis as phish sites went up and down. The same arguments would apply here that apply to the spam game:

    Who gets to add IPs to the list?
    What if the IP is the IP of a HUGE web server with thousands of vhosts on it?
    What notification will happen to let the poor web server admin know why his 10k web host customers are down?
    What if someone “frames” someone by sending phishing emails, etc. but never does anything with the accounts?
    How does someone get their IP out of the black hole?
    Who pays for the resources my ISP has to spend on this?

    Also (and I hate to use this phrase) but using the law to force ISPs into black holing IPs *doesn’t scale*. The ISP would need to hire x amount of FTE to sit there and add/remove and monitor “The Bad List”. Each time you black hole an IP from your AS you are essentially making a backbone routing change that propagates across your network. There’s room for mistakes there (oops, not a /32 but a /8). Just not worth it to the ISP.

    People have always tried to get the ISP’s to be the solution to many of the worlds security problems because when we see a crime or something we otherwise object to (DDoS, spam, etc.) we can’t legally “take those bastards down”. So we look to the top of the stack, the ISPs.

    As for “ISPs would need to become accountable for their customers”, Google for that phrase. Everyone wants the ISPs to fix everything because they have such far-reaching power. But where do you draw the line? Once ISPs start blocking phishing sites then all the anti-spammers will ask for spam-bot-zombies to be blocked, the RIAA will ask that P2P users be black holed, etc. Next thing you know the Tier-1s are acting like the nation’s Firewall or Websense admin. I’d much rather see them just let everything flow freely and keep out of it.

    So regarding the “blame the user” bit, I guess this comes down to what component failed? From the bank’s perspective the user put his/her credentials into a fake web site. The user views it as “My bank did not keep me safe. Their online banking product failed”. I don’t have the answer here as I have family members who have been phished and I have large corporate customers who are getting taken for hundreds of thousands per incident.

    CalTrans is responsible for filling pot-holes, keeping guardrails up so you don’t drive into oncoming traffic, making sure that street lights are on, etc. In the grand scheme of things they are responsible for making sure that the infrastructure that you drive on (or sit on, heh) can be used safely. It is not their job to police or otherwise enforce how you use it. Someone runs you off the road or you roll your car off a cliff on PCH, CalTrans is not the first responder or the guy that writes you the ticket.

    Good talk.

  8. RSnake Says:

    @Packetwerks - I too have worked for one of the largest telcos in the world (maybe the same one?). And trust me, I’ve thought of all of these issues. To answer your specific questions:

    There are already services that provide centralized services to do this - APWG, Cyota, MarkMonitor, Symantec’s WholeSecurity, etc… Problem solved there; it’s just a matter of everyone purchasing a feed from them. The people who get to add IPs are the people who run the websites that are being phished. BigBank.com gets to add bigbank URLs. No one else. It must be vetted by them. It’s on them to protect their customers, no one else. I wouldn’t trust some guy off the street to add things to those lists, and neither do those lists. ;) These problems have already been worked out. But at the end of the day I think anything the ISP does to reasonably protect its consumers is better than the nothing at all that they are doing now.

    But in response to your comment that telcos couldn’t really do this, I really wasn’t talking so much about large telcos as the individual BtoC ISPs. Think about if AOL alone instituted this! 5MM users protected, instantly.

    If it’s an IP with thousands of vhosts, it shouldn’t be the IP that’s added but the vhost. Easy solve.

    In the case of notifying the company that their site has been blackholed, it behooves them to keep an abuse@ email address alive and active. It’s their own fault for having bad security in the first place, if they also ignore abuse emails they really have no business having their site on the internet anyway.

    Phishing emails aren’t proof that the site is a phishing site. I’m not sure what that has to do with this anyway. I’m talking about actual phishing sites.

    You could get your site out of the blackhole in the same way sites today get themselves out of those various anti-phishing lists - they contact the owners of the lists to verify that the site has been removed and they remove the listing from the list.

    The ISP would have to pay for its own resources. This wouldn’t come out of anyone else’s budget. But this entire thing could be easily automated; I don’t think anyone’s adding CIDR blocks by hand - that really wouldn’t make any sense at all. An API would have to be created and after that it would be out of the hands of the ISPs completely - in the same way it’s out of your hands when someone adds a signature to your AV software. If it happens to block anything with a .html extension you have no one to complain to other than the people who pushed the signature out - the list owners.

    Lastly, CalTrans doesn’t police anything, you’re right. But CalTrans isn’t the police in my analogy. CalTrans is the ISP. CalTrans is being policed by the state to ensure that they abide by the rules - keeping potholes filled. If they don’t do their job (like the ISP) they are liable.

  9. packetwerks Says:

    @RSnake, it’s a small world. Email me and we’ll compare notes :-) We can see if we were on the same 4am conf call long ago.

    I guess that my big problem (and our disconnect) with this is that I don’t think that it can be done from the Tier-1 level and I don’t think that it can be done at the layer 3 (IP) level. Null routing IP addresses of servers at the Tier-1 is like being put on the TSA’s No Fly List. Once you are on, it’s hard to figure out why and even harder to get off. (Try calling the NOC :-) ) The owner of the IP that is 4 tiers down the ISP food chain will take forever to troubleshoot and escalate the issue to the ISP to even figure out what happened. I am speaking from experience.

    If you are saying that the BtoC ISPs that more or less directly own the user (ELN, AOL, Comcast, Verizon, etc.) can do it, I think that approach is more palatable, as I view the Tier-1s more as a “neutral utility” (not that they are) and the AOLs, ELNs, and Comcasts of the world as offering a much more feature-rich, competitive, invasive, customized and branded Internet experience.

    Tele2 and Perspektiv Bredband in Europe blocked AllofMp3.com because a court told them to. So I can see where this type of thing at the consumer ISP becomes common.

    I’ve done work for a large ISP with thousands of cable modem customers who runs a TippingPoint with a LOT of rules turned on and never told their customers. Tickets went way down from spyware, etc. So there’s one for your argument.

    As for the API idea, I can see a granular pushed feed of URLs sent to the subscribing ISPs (not Tier-1s) as an AV-like subscription service. I don’t however see a time in the near future where you’ll see anyone pushing null routes to a Tier-1 who does it at layer 3 automatically.

    As for CalTrans, I am referring to the Tier-1 backbone ISPs. They more or less lay down the road/fiber and let what will happen, happen. My analogy seems to have had a head-on collision with yours. :-)

    Anyways, I hope this was the debate you were looking for. I don’t like the government to get involved when it comes to anything Internet related (tubes anyone?). I think that this problem is something that the free market should attack. BtoC ISPs already use security and privacy as competitive differentiators. Anti-phishing could act as a selling point. In fact, the big targets, HSBC, Citi, etc., should co-brand with an ISP that features anti-phishing controls. The customer gets safe Internet service and the bank gets a customer who is less likely to call a week later asking why all of their money was wired to eastern Europe.

    My vote is to keep the politicians out of it. Once they pass legislation that says that ISPs are liable for phishing, they are opening a door for other people with problems (MPAA, RIAA, etc.) to hold the ISP responsible for their woes. I think that’s a topic for another time.

    Thanks.

  10. kuza55 Says:

    @RSnake

    How do you effectively block vhosts? You have to do traffic inspection to make sure an offending Host: header isn’t being sent; and that starts laying the ground work for doing traffic inspection to see what users are viewing, and extending national intel networks, and all kinds of really unpalatable stuff.

    And then you could also have SSL traffic which you couldn’t passively sniff even if you wanted to.

    And then we also have issues with wildcard DNS entries to contend with.

    So yeah, I think filtering based on vhosts is rather impractical. Unless of course I’m completely missing something, in which case I’d appreciate being enlightened.

  11. RSnake Says:

    @packetwerks - Correct, not necessarily the Tier 1s… it would probably slow down the internet substantially if you tried to do this type of filtering in those big Foundry switches. But the actual user ISPs have a lot more control and it makes more sense anyway. But as far as getting people removed, that would be up to the company in question. But yes, thank you for the debate. In the end I still feel like this is not only plausible but one of the only ways to actually substantially reduce the issues - your spyware ticket comment gives me a great deal of hope.

    @kuza55 - Yah, sorry, I wasn’t clear. This would have to be a hybrid of IP filtering (for when the phishers use IP addresses) and DNS filtering (for when they use a vhost). You can’t rely on either independently - which is why OpenDNS falls down. Case in point, the newest phishing email I got today was to this URL, which OpenDNS would have missed:

    http://0xd2.0xdb.0xf1.0x7b/.online/BankofAmericaOnlineID/cgi-bin/sso.login.controller/SignIn/

    So yah, sorry, you’re right, I wasn’t clear.
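
Editor’s note: the following is an added example, not code from the original post or from any commenter. It shows the hybrid check described in the comment above: a URL is first tested as an IP literal (including the hex-dotted, octal and dword spellings browsers accept without touching DNS, which is why a resolver-side filter like OpenDNS never sees them) and otherwise as a hostname, with parent domains matched so wildcard-DNS labels still hit. The blocklist entries are constructed sample data; the hex-dotted host in the thread decodes to 210.219.241.123, and the `.example` names and 203.0.113.0/24 range are placeholders.

```python
"""Hybrid hostname + IP blocklist check for phishing URLs (added example)."""
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample feed, standing in for what a vetted list owner (the
# phished bank, in the thread's model) would publish. Hostnames cover the
# vhost case; addresses and CIDR blocks cover raw-IP phish that a DNS-only
# filter never sees. These entries are made up for the example.
BLOCKLIST_HOSTS = {"sso.bigbank.example", "bankofamerica-secure.example"}
BLOCKLIST_NETS = [
    ipaddress.ip_network("210.219.241.123/32"),  # the thread's hex-dotted host
    ipaddress.ip_network("203.0.113.0/24"),      # documentation range, sample only
]

# One inet_aton-style component: hex (0xd2), octal (0322) or decimal (210)
_PART = re.compile(r"0[xX][0-9a-fA-F]+|0[0-7]*|[1-9][0-9]*")


def canonical_ipv4(host):
    """Return the dotted-quad form of an inet_aton-style IPv4 literal, or
    None if host is not one. Accepts hex (0xd2), octal (0322), and the
    short/dword forms (210.219.61819, 3537629563) that browsers resolve
    without ever consulting DNS."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    values = []
    for p in parts:
        if not _PART.fullmatch(p):
            return None
        if p[:2].lower() == "0x":
            values.append(int(p[2:], 16))
        elif len(p) > 1 and p[0] == "0":
            values.append(int(p, 8))
        else:
            values.append(int(p))
    head, last = values[:-1], values[-1]
    if any(v > 255 for v in head):
        return None
    width = 8 * (4 - len(head))    # inet_aton: the last part fills what is left
    if last >= 1 << width:
        return None
    n = 0
    for v in head:
        n = (n << 8) | v
    n = (n << width) | last
    return str(ipaddress.IPv4Address(n))


def classify(url):
    """Split a URL into ('ip', canonical address) or ('host', lowercased
    hostname) so the right half of a hybrid filter can be applied."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    ip = canonical_ipv4(host)
    if ip is None and ":" in host:            # bracketed IPv6 literal
        try:
            ip = str(ipaddress.IPv6Address(host))
        except ValueError:
            pass
    return ("ip", ip) if ip else ("host", host)


def is_blocked(url):
    """Hybrid check: IP literals against the address list, hostnames (and
    every parent domain, so wildcard-DNS labels still match) against the
    hostname list. Blocking by name leaves other vhosts on the IP alone."""
    kind, key = classify(url)
    if kind == "ip":
        addr = ipaddress.ip_address(key)
        return any(addr in net for net in BLOCKLIST_NETS)
    labels = key.split(".")
    return any(".".join(labels[i:]) in BLOCKLIST_HOSTS for i in range(len(labels)))


if __name__ == "__main__":
    phish = ("http://0xd2.0xdb.0xf1.0x7b/.online/BankofAmericaOnlineID"
             "/cgi-bin/sso.login.controller/SignIn/")
    print(classify(phish), is_blocked(phish))
```

The two halves land in different places in an ISP: the hostname half can be enforced at the resolver (no Host-header inspection and no TLS visibility needed, which addresses the objection raised earlier in the thread), while the IP half needs a route or ACL entry, which is exactly the part that touches other vhosts on the same address and so should be reserved for addresses that host nothing but the phish.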

  12. Carl Says:

    “Asking ISPs to fix phishing is like asking….”

    Cited as a quotable metaphor/analogy in the “Metaphor-Analogy Archive”.
    Thank you.