web application security lab

Archive for the 'Random Security' Category

DNSSEC + Certs As a Replacement For SSL’s Transport Security

Thursday, October 15th, 2009

I was talking with id last night, and then shopped this idea around to a couple of local OWASP guys, but now I think it’s baked enough to talk about publicly. I make no bones about the fact that I think SSL is almost entirely worthless against a determined attacker who has man in the middle access and is intent on doing harm, and not just passively listening. Passively listening is limited to people who can get access to a valid cert (through MD2/MD5 collisions, through being a CA or hacking a CA, etc… all of which have been proven possible). That’s bad enough, but add to that the fact that the visual cues tell you nothing about site authenticity (leaving EV certs out of this for the time being) and you’re left with a nearly completely broken security mechanism in the browser. You can debate this fact all you like, but what if I don’t care about site authenticity and just want transport security?

An idea we began toying around with is using DNSSEC. As with DKIM, you can publish public keys in DNS records that any mechanism wanting to use them can query. If browsers were changed to look up that record via DNSSEC, a few things become possible. Firstly, you can be assured that you are talking to the correct server once the negotiation is complete: the DNS record cannot be spoofed (thanks to DNSSEC), and the server proves it is really the one in control by demonstrating that it holds the private key matching the public key published in DNS. But wait - there’s more!
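As an added illustration (not code from the post), here is that check written out in Go: the site publishes the SHA-256 of its certificate’s public key in DNS, and the client accepts a CA-less certificate only if that record is DNSSEC-authenticated and the fingerprint matches. DNSSEC validation itself is assumed to be done by a validating resolver (the Authenticated flag stands in for its AD bit); the record layout, the SPKI hash choice and all names are my assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// DNSRecord models the proposed record: a public-key fingerprint published under the
// site's name. Authenticated stands in for the AD bit a DNSSEC-validating resolver
// sets; the validation itself is assumed done upstream and is not implemented here.
type DNSRecord struct {
	Name          string
	SPKISHA256    string // hex SHA-256 of the DER SubjectPublicKeyInfo
	Authenticated bool
}

// Hash the SubjectPublicKeyInfo, not the whole cert, so re-issuing a cert for the
// same key needs no DNS change.
func spkiFingerprint(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:])
}

// SelfSignedCert mints a cert for host with no CA involved, which is the point.
func SelfSignedCert(host string) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// PublishRecord is the site operator's side: the fingerprint the zone should carry.
func PublishRecord(host string, cert tls.Certificate) (DNSRecord, error) {
	leaf, err := x509.ParseCertificate(cert.Certificate[0])
	if err != nil {
		return DNSRecord{}, err
	}
	return DNSRecord{Name: host, SPKISHA256: spkiFingerprint(leaf), Authenticated: true}, nil
}

// VerifyAgainstDNS is the browser-side check that replaces the CA chain walk.
// A MITM cert, even a CA-signed one, fails because its key is not the one in DNS.
func VerifyAgainstDNS(rec DNSRecord, rawCerts [][]byte) error {
	if !rec.Authenticated {
		return fmt.Errorf("DNS answer for %s was not DNSSEC-authenticated; nothing to pin to", rec.Name)
	}
	if len(rawCerts) == 0 {
		return fmt.Errorf("server for %s presented no certificate", rec.Name)
	}
	leaf, err := x509.ParseCertificate(rawCerts[0])
	if err != nil {
		return err
	}
	if got := spkiFingerprint(leaf); got != rec.SPKISHA256 {
		return fmt.Errorf("key mismatch for %s: dns=%s server=%s", rec.Name, rec.SPKISHA256, got)
	}
	return nil
}

// ClientConfig wires the check into a TLS client. InsecureSkipVerify only turns
// off the CA path; VerifyPeerCertificate still runs and is the real gate.
func ClientConfig(rec DNSRecord) *tls.Config {
	return &tls.Config{
		ServerName:         rec.Name,
		InsecureSkipVerify: true,
		VerifyPeerCertificate: func(raw [][]byte, _ [][]*x509.Certificate) error {
			return VerifyAgainstDNS(rec, raw)
		},
	}
}

func main() {
	site, _ := SelfSignedCert("ha.ckers.org")
	rec, _ := PublishRecord("ha.ckers.org", site)
	mitm, _ := SelfSignedCert("ha.ckers.org") // same name, attacker's own key
	fmt.Println("genuine:", VerifyAgainstDNS(rec, site.Certificate))
	fmt.Println("mitm:", VerifyAgainstDNS(rec, mitm.Certificate))
	rec.Authenticated = false
	fmt.Println("unsigned DNS:", VerifyAgainstDNS(rec, site.Certificate))
}
```

Pointing the ClientConfig at a real server with tls.Dial is enough to try it; a self-signed cert whose key matches the record passes, and any other key, or an unsigned DNS answer, is refused.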

SSL certs cost money - but that’s because the CA’s infrastructure needs to be supported. In this model, there is no additional weight on any central authority, outside of DNS itself. So you could theoretically kiss the need for expensive certificates goodbye (sorry CAs, your time may have come!). This obviously couldn’t replace SSL certs on day one, or maybe not even for many years, but for internal applications, or for when I want to allow all you readers to ensure you are talking to this server and not another one, that suddenly becomes possible. It also becomes possible for people in 3rd world countries who cannot afford costly certificates to gain transport security in the browser.

Now you’re probably saying - how is this different from a self-signed cert? Well, leaving aside that the CAs are vulnerable, that there are dozens of them, some of foreign origin, that can create certs to MITM you, and that they suffer from collisions… there’s still one major difference. The browser intentionally throws a warning with self-signed certs, and even if it didn’t, I still can’t verify that it’s my self-signed cert and not someone else’s without a significant amount of burden placed on the user.

So now you’re probably saying, there are two single points of failure introduced here - the DNS server and the DNSSEC service itself. Why place additional security burdens on the end user? Well, I’d argue that if DNSSEC is broken, we have a much, much bigger problem on our hands than we would if even a CA got broken into. If we can secure a CA, we should be able to secure a DNSSEC service. I’m not worried about that one nearly as much as I am about the individual DNS servers themselves. However, remember that the company already relies on DNS. Let’s say they use GoDaddy and rely on them as their primary NS. We’ve already been relying on them to provide lookup security for years. The only difference is that now they’re using DNSSEC, and now we entrust them with the security of the transport.

The reason I like the idea is that it gives the domain the option to choose - pay for an SSL cert that can be MITM’d or get a free DNSSEC domain cert that can’t. I can’t stop someone from trying to make money off this idea and selling EV DNSSEC domain certs, but I see no reason we can’t make a non-extended version completely free to all. Consider this a preliminary RFC - flame away!

What Star Trek Predicts About The Future of Information Security

Friday, September 18th, 2009

I had a funny thought while talking with some folks from Intel about what the future state of information security would look like and how that relates to what our favorite nerdy show, Star Trek, has to say on the topic. This is meant to be a funny post, but there may be some truth buried in here somewhere too. Without further ado:

Physical security will always be a problem: How many times have we seen people open up random access panels on the Enterprise and start pulling out chips when something goes awry, or just start swapping them out right and left? Crawling through tubes to get past obstacles and the like… all point to the fact that even the most sophisticated military war machine of the future won’t stop some teenaged acting ensign in engineering from taking over control of the whole ship in about 35 seconds.

Organizations will focus on secure transport and network security and will still ignore drive encryption and the insider threat: I don’t really recall any times where enemies were able to intercept any meaningful communications between the Enterprise and other federation ships. That must mean they are using TLS16/SSL34.0 in the future, which is good, but for some reason any schmuck diplomat from some third world (pun intended) alien race can get any information out of the computer he wants without ever even supplying a password!

PCI doesn’t stop hackers, now or ever: They don’t use money in the future. Probably because consumers are so sick of having their credit cards stolen is my guess. I’m also guessing based on how many holes still exist; SQL injection still exists even hundreds of years in the future. So currency, and therefore the payment industry had to go. Even Quark trades in gold-pressed latinum - you don’t see the Ferengi taking plastic.

Biba and Bell-LaPadula security models will always be a good idea, but will still never be properly implemented: Seriously, the Federation is pretty lax in their whole openness. I mean, should you really let people on your ship, carrying weapons, with no or minimal escort, and allow them to use your computers, write to them, copy information off of them and so on? Balancing the prime directive and giving some industrial-revolution-era alien species access to a computer with the engine schematics to the warp core of the most advanced warship in the fleet sorta seems a little out of whack. Maybe that’s what they get for not having money in the future - no one’s worried about losing their job.

The singularity is a non-event and will end up being a wash for security: I mean, Data is pretty cool, but he is really not much more than an oddity in the show. Sure, he’s saved the Enterprise a number of times, but he’s also pretty darned hackable in the future too. He’s been compromised more than most of the other people on the show combined. This is not a good outlook. Why they didn’t bother to root-kit him, I’ll never know. But if Data is the tipping point of a potential Skynet, I’m not too worried - he plays violin and he owns a cat.

Individuals will almost completely give up on the idea of protecting their privacy: Everyone on the Enterprise is pretty happy with the idea of carrying around RFID chips on their badges all the time, even when they’re off duty and getting some R&R and T&A on Risa.

Organizations will always ignore single points of failure, even after it bites them in the ass: I can’t even tell you how many times the Enterprise has managed to damage the one and only dilithium crystal that they have on the whole ship. They know they can’t whip up a new one with the replicators, but they still don’t carry even one spare. Then they end up being stranded or having to use the sensor array to catch radiation from some exploding sun or some other retarded plan that always manages to work out exactly perfectly, but always necessitates near-death experiences in the process. Why, for all that’s holy, wouldn’t you just bite the bullet and pay to have two on board? Yes, I’m talking to you, Jean-Luc, and you too, Mr. CISO.

The iterative development model will be proven bad for security and quality exactly 1,000,000 times but will still be used in production anyway: How many times have we seen engineering making changes to the warp core while they are 200 light years from any star base or any other craft for that matter? And how many times has that gone smoothly again? No, it’s a bad idea now, and it will always be a bad idea. But then again, maybe you shouldn’t worry so much about keeping your data and integrity intact… it always manages to get fixed in an hour or so anyway, right?

Biometrics will always be used as a backup to password authentication - but both still suck: Sure, voice print recognition has been used a few times, as have hand scanners and even an iris check a few times. But the vast majority of times someone has entered a password on the show (which incidentally is almost never - giving you an idea of how lax security will be in the future) it has been by saying it out loud. Hackers must be pretty uninventive in the future, because I’m guessing digital voice recorders are pretty easy to get your hands on.

Virtualization security is an oxymoron - even in the distant future: I mean, really, how many times has the whole damned ship been taken over by some overzealous holodeck character? Whoever wrote the holodeck hypervisor really needs to be put in a room with Worf for a few hours so he can explain with his batleth what the need for true physical and logical isolation is. Why some Sherlock Holmes character should have access to main memory, I’ll never know. Too bad we aren’t smart enough in the distant future to think about hardware isolation instead of relying exclusively on dangerously faulty software.

And with that, I’ll let you go back to your regularly scheduled programming.

RFC1918 Blues

Monday, June 8th, 2009

Well, it’s been quite a week or so for me. 7 days of travel, to Las Vegas for SANS and Stockholm for the penetration testing summit. Man, I’m tired! But I promised tons of people I’d actually write out what I was talking about during my speeches, since it’s tough to cover everything in such a short presentation, with all the other things I was talking about, and now that I’m finally recovered from my jet lag, I had a chance to sit down and write it all out. For those of you who have no idea what I’m talking about, don’t worry, you’re not behind the times. You can read the whole RFC1918 issue here. I tried to make it into a blog post, but it kept getting longer and longer, so I just turned it into a whitepaper instead because it’s easier.

Without re-explaining the paper, it turns out that in certain browsers, with certain VPNs and the current architecture of most RFC1918 networks, there is a high tendency for bad things to inadvertently happen, like IP collisions. That’s annoying in the networking world (and a well known problem) but it’s dangerous in the security world (and far less understood). Anyway, I talked it over with HD Moore and Toby and some of the other guys at SANS and it turns out they had actually seen similar things happen in the past, so it’s been validated in the wild (again, inadvertently though).

Silver Bullet Metric

Friday, April 24th, 2009

No, I don’t believe there is a silver bullet. But I came up with an interesting thought exercise while I was at RSAcon that I like to call the silver bullet metric. I asked a number of notable security experts, vendors and analysts, and everyone had almost the same reaction, which is that this is worth thinking about, but a hugely complex task to complete. So I thought I’d throw it out there and let the community think about it too. Let’s take a theoretical situation where we look at any single security vendor out there and give them essentially as much money as they need to do a complete global deployment of one of their security products. So if it was an anti-virus vendor, you’d give them enough to put AV on every desktop. If it were a firewall, it would be at every endpoint, and so on. Now, the metric is a combination of two scores: a) what is the total cost of ownership, and b) by what percentage has it decreased global online fraud. Let’s take a few examples.

If you put anti-virus on every desktop in the world, would you stop viruses from existing? I think any reasonable person who understands how viruses work would say no. It will, however, make the bad guys work harder and iterate faster to get by the filters (boutique malware). So there is actually a diminishing return once you get above a certain level of deployment. On the other hand, at the very lowest end, if only a few people had anti-virus they would be pretty well protected, because the virus authors wouldn’t bother trying to figure out a way around it. Of course everyone else who doesn’t have the AV is screwed in that scenario. So the right percentage of deployment for anti-virus isn’t global; it’s somewhere in the middle in that simple example.

If we’re talking about firewalls doing proper egress filtering, that would stop some worms from propagating, but it probably wouldn’t solve enough of the problems compared to the other options out there. If we’re talking about whitelisting applications that can run on computers, that would probably solve a much bigger percentage of the problems compared to firewalls, but the total cost of ownership is through the roof - and who is going to monitor and create all those whitelists? Eesh!

But back to AV for a second - AV has a hidden benefit outside of security in that it theoretically increases the longevity of computers. So AV increases the lifetime of the computer, although the decrease in usability of the computer because of the resources being used might offset that number. Anyway, all of that factors into the total cost of ownership. Once we go through that exercise (which is probably best left for the product managers of each product line to do) you come up with a few interesting metrics. The first is the silver bullet metric, and the second is exactly what maximum level of deployment that product or service should reach before it stops being an effective tool for the money - because TCO might change depending on how widely it is deployed as well (economies of scale, diminishing returns, etc…).

I’m not at all saying I have the right answer, or that I believe there is a single best product out there, but to play the devil’s advocate, what if we did find that one product or service had the best silver bullet metric - what then? Why would we back any other technologies at that point? Anyway, it’s a fun thing to think about. Perhaps it’s just another lens through which to look at the security industry. Of course this exercise has its evil twin too - which is the types of exploits that can be performed and their own associated cost-benefit analysis.

RSACon

Thursday, April 23rd, 2009

This year’s RSAcon has been a lot of laughs. The parties were great, the people were fun, I actually learned some stuff, and took away a few new ideas for vulnerabilities. So all in all it was a great time. At one point I found myself staring face to face with a vacant Google booth. So I took it upon myself to seize the moment, especially since Google hasn’t figured out how to put computers into kiosk mode (they weren’t the only ones either, by the way - ask mubix). *sigh*


The really amusing part was when a rather dim-witted Google marketing person came over after a minute or so and asked if she could help us. Then she saw the ha.ckers.org logo, to which I said, “Don’t worry, we were just playing a practical joke on you.” To which she said, “Okay.” Okay indeed.

So you’ve seen ha.ckers.org on Google’s own machines at a security conference - where there’s so much irony it hurts. But what about you guys? Where can you get ha.ckers.org to show up in places it shouldn’t be? I’ll give out some sort of special prize for the winner - I just haven’t figured out what it is yet.

iPhone SSL Warning and Safari Phishing

Sunday, March 29th, 2009

As some of you may have noticed, there’s a lot more going on in the SSL world and a lot more to come thanks to guys like Mike Zusman, Alex Sotirov, Moxie Marlinspike and so on… Papers forthcoming, but in the meantime I thought I’d point out a pretty nasty UI issue with the iPhone, since it’s been something I’ve been meaning to post about for a while. Given the rise in mobile computing as a legitimate way to do business, I think this kind of thing is going to become more important. If an attacker can gain MITM access through a public wifi that the iPhone is using, they can intercept a page that the user normally uses and trusts somewhat, but doesn’t necessarily trust with any sensitive data (like a blog or forum that they frequently visit, for instance).

What you’re seeing is a 1×1 pixel iframe (it doesn’t need to be visible, but it’s good for testing purposes) to https://www.bofa.com/, which uses an invalid certificate. Don’t ask me why one of the largest banks on earth can’t get their certs in order - that’s just the way it is. Anyway, let’s pretend that instead of incredible sloppiness, it’s actually a MITM. The user is presented with a popup that in no way explains to them what the cert they are accepting is for. So their first instinct would be to accept it, because they aren’t going to be putting any sensitive information into the page anyway. The problem is that the cert stays with the browser session - so it will continue to work when the user does eventually surf to their bank or whatever SSL page you’ve MITM’d.

Compare that to the desktop version of Safari, where it at least tells you that it’s related to www.bofa.com. Still not the greatest visual cue, but it’s something. Incidentally, during this testing I messed around with some of the old tricks and found out that Safari still suffers from the old URL obfuscation tricks of ages past. E.g.: http://www.bofa.com@ha.ckers.org/. *sigh*

Pushing The Limits of Tech

Sunday, March 8th, 2009

Before I begin this post, let me just say, I’ve always been a huge huge fan of technology. I’ve got more insane tech than almost anyone I know (I know HD Moore, though, so I don’t win that geek war, but I’m close). And I also like to think I’ve got a firm grasp of the web, but every once in a while something strikes me as just simply stunning. Go here, and watch it - I suggest making it full screen: the new GE smart grid website. Go visit it before you read the rest of this.

I admit it, I’m amazed. It’s very very cool tech. It’s the wave of the future, and as much as I’d like to pretend I think it’s a terrible idea, I don’t. It’s just amazing. Annnnd just as I’m getting ready to set up my printer, get my camera ready, install a plugin and give it complete access to my camera… I pause, as my security brain finally wakes up from its amazement. I think we’re soon reaching an inflection point, and in many ways have just simply skipped way past it. What’s the point of the web? Is it to delight and amaze? Is it to allow better consumerism? Is it for communication? Is it to impart information? Is it to download porn? Is it all of those things?

How can we possibly secure ourselves when amazing applications are finally on the horizon that make even hardened security folks want to drop all their guards to join in the party? Am I becoming a Scrooge? “Cool tech - bah humbug!” GE’s application is a wiretapper’s dream application yet I’m compelled to join in and be amazed. *sigh* I guess I’ll just have to watch it again and pretend I don’t want to install it.

Crime and Punishment

Thursday, January 15th, 2009

This post is meant to be overly controversial, but it’s also meant to make people think. Please take that for what it’s worth. My most recent publisher said that I shouldn’t make excuses before I say something, but in this case, I think it’s warranted because it’s a little out there, but I also think it’s a topic worth discussing. Please bear with me.

Looking back in American history, there have been a few significant military losses in recent years. We could easily call Korea a loss, and Vietnam was the worst “police action” in American history. Afghanistan is a tossup, and only time will tell. However, I think there is a perception that there is no way the United States could ever have won those wars. That’s just not true.

The United States has a wide variety of unconventional weapon options and military tactics that it never used. For instance, we never ventured north of a certain line in Vietnam, but only for political reasons. We also never used nuclear or non-nuclear WMDs. The United States stockpile of biological, radiological and chemical weapons is unrivaled by any country it has ever gone to war with since WWII. But it never chose to unleash those weapons or pursue those tactics, and ultimately the US lost. But more interestingly, the US chose to lose.

I think this analogy speaks nicely to a computer security problem regarding crime in general. There is a set of options that we as computer security practitioners have at our disposal, but we also have chosen not to use them. I would say that in well over three quarters of the attacks that I am aware of, it is trivial to find the person who is responsible for them. Sure, that could change, and yes, it’s easy to frame people for crimes they did not commit, but for the moment, let’s just pretend that statistic is valid.

There are two ends of the spectrum of punishment. On one end we have capital punishment - the ultimate result. It’s pretty much a guarantee that their life of crime is concluded upon their death (barring time delay attacks which are incredibly rare). Most people don’t believe in capital punishment for any purpose other than extreme cases and still I would say there is no clear consensus about when it should be used. However, there is no debate about the finality and clear effects of capital punishment.

On the other end of the extreme we can do absolutely nothing, or worse yet, reward the attacker for their actions in some way. I would argue that more often than not the second is the option we as a security community take. When we are aware of a problem we either do nothing at all because we believe it won’t actually work against our systems, or we block the attackers, under the false premise that that will stop them. In reality it only makes them stronger because they now know how our defenses work, which they can either try to circumvent later or use as knowledge against other targets elsewhere.

Only in the most extreme cases do we actually bother to track down, locate, arrest and prosecute attackers. And even then the penalties are usually only a few years in jail. Most experts believe that jail is not an effective rehabilitation environment. While it’s admittedly unclear what the effect is on computer criminals, it’s certain that it is not an effective deterrent given how much computer crime occurs.

Now let’s imagine for a moment that we decided capital punishment was a reasonable solution to a problem, because it was an actual deterrent. I know people who care a lot more about their life than they do about jail time, so it’s not an unrealistic assumption. Let’s take a small slice of computer crime that’s considered by almost everyone to be a minor offense but also highly annoying - spam.

A few years ago a spammer was killed with a hammer. Now let’s say whether by vigilante justice or state sponsorship, once a week a spammer was killed in the same way, as a symbol to all other spammers everywhere - keep it up and you’re going to end up like this. It’s a terrible fiction I’m spinning here, I know, but I honestly believe it would reduce the amount of spam far more than the amount that was generated by the deceased spammers alone. It would actually have the effect most punishment is designed to have - it would be a deterrent. Although, admittedly it’s gruesome and unrealistic.

So on one end of the spectrum we have nothing which is what we are primarily doing now, and on the other a punishment that outweighs the crime. (Technically, we actually are doing something - we are making it less financially viable for the attack to be profitable by reducing the amount of spam that gets through, but we are a long way from succeeding, unfortunately). In the same way that the US wasn’t about to start using thermonuclear weapons in Vietnam and Korea and most likely won’t in Afghanistan either, we as a society aren’t going to start killing spammers at any rate necessary to act as a proper deterrent. Now I told you all of that so that I could get to the real meat of the matter. What is the proper proportionate response to computer crime to act as a deterrent?

There was an interesting section of a book (the title is escaping me as I write this) that described things that were off limits in a pen test. Things like rubber hose cryptanalysis are apparently not allowed during a pen test (although if anyone wants me to beat them up to see if I can get their password out of them, just let me know - I’ll give you a discount too). It’s funny but it’s also true. In the real world that is an option, just not one that many people use.

So the things that are typically off the table, that we don’t talk about as real options, are things like kidnapping loved ones, extortion, torture, and of course capital punishment. While all of these are real options, we have tied our own hands and said we aren’t allowed to use them. We also take other options off the table, like hacking into people who hack into us, DoSing them and so on. We aren’t even allowed to fight back! So the real heart of the matter is: what is the right response to a packet bound for your network that intends to do you harm? Should we keep ignoring it, or should we instead track the originator to the ends of the planet and enact a gruesome deterrent for the greater good of all humanity?

No, put your gun down, I’m not saying we should go on a spammer killing spree, although I’d be plenty happy to use my rubber hose on them every once in a while. Perhaps instead of killing people we should make it a priority to actually pursue attackers instead of defending ourselves in a reactionary manner. My friend Mike Rothman is fond of saying “REACT FASTER”, but maybe reacting isn’t enough. Maybe we as a society are missing the most important dimension of this whole thing by focusing on reacting instead of going on the offensive.

We actually pursue shoplifters and put them in handcuffs, which in terms of monetary loss can pale in comparison to a computer criminal’s potential. Shoplifting is a relatively petty crime too, yet the consequences are so severe compared to the crime itself and with the wide proliferation of modern loss prevention technology most people don’t shoplift. Maybe if more people were actually forced to face the consequences of their computer crimes all over the world, it would have the effect the laws were intended to have - which is to limit the breadth and scale of the crime itself.

Until something like that happens, I find it difficult to believe we will ever see a real decline in computer crime. I know one thing for certain - what we’re doing now isn’t working.

ToS Abuse Abuse

Tuesday, December 16th, 2008

Sorry I haven’t posted in a while. Not for lack of wanting to, but alas, the real world keeps pulling me away from the fun stuff. Maybe I’ll get a chance to post more over the holiday. No, the title of this post isn’t a typo; I actually just wanted to spend some time going over the Megan Meier cyberbullying case and what it means for the average consumer. Like most cyber law I’ve come across, it’s not good.

Basically the verdict is that any violations of ToS can earn you jail time and fines. Yup, it’s a felony. So now, let’s put some haXor filters on that decision and talk about other consequences. Firstly, let’s look at Google’s ToS:

2.3 You may not use the Services and may not accept the Terms if (a) you are not of legal age to form a binding contract with Google, or (b) you are a person barred from receiving the Services under the laws of the United States or other countries including the country in which you are resident or from which you use the Services.

So if you are under eighteen and you DO use Google, does that mean you committed a federal crime? And if so, can you be tried as an adult, or do your parents take the rap? Or does your upstream, for letting you use Google in the first place? Okay, that’s funky, but what about the fact that Google’s search engine is actually built into Firefox for domain typos? Does that mean if you typo a domain and you are underage you are committing a crime? How about those search boxes on everyone’s website that use Google? What about clicking on ads? Yah…

So, there are a few ways to force people to commit crimes, it seems. By creating a hard-to-find TOS (Google’s isn’t on their front page, I might add) and confusing language, it appears you can convict anyone of just about anything unless they really take the time to read your documents. That is, of course, unless your TOS strictly prohibits the reading of any part of your website. What about CSRF TOS abuse? Yah, you too can rickroll your friends right into the pokey. Believe it or not, I’m actually not picking on Google here. They are just one of a million websites that can get you arrested for legal minutiae. This is just a stupid law. Maybe the woman does deserve some jail time for what she did, but not for violating a TOS - which she never even read. Her, along with every other MySpace user.

Lifelock Protects You from Clickjacking

Monday, November 3rd, 2008

Well, now I’ve seen everything. Just when I didn’t think I could ever be amazed more by attempts of overselling and snake oil, I get hit with this. Apparently Lifelock now purports to protect you from clickjacking. For those of you who don’t recall, Lifelock is the service that protects your identity, except for that one time when it doesn’t. But that’s neither here nor there and water under the bridge and all that. Here’s how lifelock protects you from clickjacking…

You log into your home firewall/router and forget to log out. Then you wind up on some compromised website and someone clickjacks you (regardless of browser - I have no idea what that Lifelock comment means, no browser has patched against it) and gets you to change your DNS to use an attacker controlled DNS server. Now every page you go to is effectively man in the middle’d. But instead of taking over every page the attacker takes over Google Adwords, since that effectively XSS’s every domain, and they can monetize their own sites in the process.

Next the attacker begins to steal your credentials to your accounts, and unfortunately you aren’t super good at using unique passwords, not that it matters since they can use forgot-password and change-password functions via XMLHttpRequests and credential theft/replay. Plus, since they own pretty much every webpage you go to and you rarely patch Adobe Flash, they are now listening to your microphone through a second clickjack. Now as you give up all your sensitive info on the phone with your bank, credit card companies and more, they are right there listening via their version of Back Orifice for the web - because that’s what we’re really talking about here with clickjacking, isn’t it?

Anyway, next the attacker figures out where you work and begins to infiltrate using webmail. Soon they have access to most of your life, have installed malware in lieu of something you thought you were downloading over HTTP. Now, with their newly installed malware/keystroke logger they have access through your corporate VPN tunnel and they have access to all your online accounts work related or otherwise.

Then they begin to wire funds out of your account, attack your company, and use your machine as a child porn server since they can put your computer into the DMZ, having long ago compromised the firewall/router, running a brute force attack against it through their malware. Lastly, just for grins they compromise your Lifelock account, since you log into it from the same compromised machine, and they request to cancel it on your behalf.

So after the police come to your door to arrest you for proliferation of child pr0n (your wife leaving you for the same reason of course), and for the added charge of industrial espionage against your own company, and you realize that your bank account has been raided, and your identity has been stolen, at least you have someone to talk to over at the Lifelock helpline. Good luck getting your life put back together, I’m sure they’ll be very sympathetic with an incarcerated pervert who is awaiting trial and can only be reached at the federal holding facility, especially after you tried to cancel your account with them.

Yes, this is all just a wildly over-dramatic scenario, but so is Lifelock’s statement. In their defense, they probably meant it only as it relates to identity theft, not at all understanding any of the other possibilities relating to clickjacking, or the hacking/security world as a whole for that matter. But isn’t that the point? If you don’t get it, you probably shouldn’t pretend you protect against it in any meaningful way. Consumers might not know the difference, but a hacker does.