Phishing, pharming, spyware, viruses, spam and spear phishing are only some of the threats that banks and we, the ordinary people, face!
Money is the easily usable, convertible, valuable material we all own (well, some of us have more than others, and they should learn to let the human race benefit from it by being good citizens and contributing to our good charities.. sorry, couldn’t resist), and money is what the majority of the above attacks are used for, by fraudsters and now by organized crime! In the 90s organized crime was stealing credit card slips from restaurants where people paid with their credit cards. This is like “ambushing” your credit card. Just like you would, if you were the head of an organized crime group, identify the weakest point in your victim’s transaction or action and ambush him there. That’s how convoys used to get ambushed in the old days by bandits who identified the most vulnerable point. It’s not that easy to steal credit card information or your bank details by coming and taking them from you physically (even though I am sure this happens frequently with pickpockets etc). We now have a new vulnerable point, because we exchange our “valuable information”, whether credit cards or banking, online, and this is where the “bandits” (organized crime) are sitting and waiting to ambush us! The Internet removed the need for “proximity”: a person in Eastern Europe is as close to you as your next door neighbour as far as the Internet is concerned. We are all connected to the same net. Unlike the good old days, when you could only be ambushed by local bandits or fraudsters, now, thanks to the Internet, the doors are wide open to any and every bandit from around the world! Don’t get me wrong, I love the Internet and it’s an amazing tool for the human race, but we should understand its vulnerabilities and fix them. So why is this the weakest point then? Well, for one, the number of people who can ambush you has grown exponentially from your local bandit to the bandits of the world! Secondly, there is literally a non-existent level of authentication of who and what you are dealing with.
Now a good chunk of us use the Internet for many reasons, including banking. Let’s be honest, it’s darn easier to click and get a financial transaction done than to go to your local branch! So organized crime, knowing that this is the weakest link, and knowing that the ROI on their fraud is getting better and better as we all slowly move onto the Internet, is investing in new tools and creating more sophisticated attacks and ambushes for us all! It’s all well and good for us to enter a challenge when our bank presents one to us so that we can verify ourselves, but what is there to say that we are entering this challenge on the “legitimate bank site”? We don’t know. Some have even suggested that we let users choose a graphic only they know, so that it can be presented to them when they log in to the site. But hang on a minute, doesn’t the bank have to identify the user before it can show that specific graphic? And what is there to stop a Man In the Middle from luring you to his website, pretending to be your bank, asking for your username, giving that username to the bank in the background so that the bank displays the graphic that “you chose”, and then showing that graphic to you? This is a simple MIM attack which does not take much programming! The problem we still all face is our “inability” to verify what we see on the Internet! That is the problem we must solve. Showing the end user a graphic they have chosen in order to validate the website is flawed. We must add “Authentication” to the “Content” we rely upon!
Melih
People keep asking me:
“Is AV dead? Is HIPS the ultimate solution? Are we going to need to have chips surgically implanted in our…”
Okay, let’s not degenerate this in the first fifty words. I’d like to start with some facts about the state of software security for PCs.
1. The world does not protect itself against Zero Day attacks. The majority thinks it does, but reality begs to differ.
2. People buy AV products because they don’t know any better. Ignorance is bliss, but not in security. Security checks have been bumped up since 9/11 – enough said.
3. People are lazy, myself leading that pack. We want things done, but we don’t want to lift a finger. It’s 2007, so we shouldn’t have to!
Let me expand on these points.
1. The world does not protect itself against Zero Day attacks.
Our primary protection is the use of software products called AV (antivirus). These products essentially create a signature for the malware, which functions much like a mug shot does for a criminal, but only after the crime has been committed. In PCland, AV can never be used as protection against Zero Day attacks because the virus signature (a.k.a. the mug shot) has not been created yet; hence, no protection. In an ideal, if not idiotic, world, virii authors would be kind enough to submit their malware to AV vendors, wait for them to create signatures and update their AV users, and then release their malware to the public so that we could catch zero day attacks. We can expect that about as much as we can expect the criminal to go to the police and say “hey, I’m going to commit a crime”, and the police to prevent the crime. My point: we just don’t protect ourselves against Zero Day attacks.
2. People buy AV products because they don’t know any better.
People buy a lot of AV, so it must be the best protection available, right? Wrong. This is not a good argument. People buy a lot of cigarettes, too. This is not to discredit AV; it does what it was designed to do, but it just isn’t enough by itself. Fraudsters and their toys are a force to be reckoned with, and AV alone isn’t up to the fight.
3. People are lazy.
Look around you: we built washing machines because we got tired of hauling our laundry and the washboard to the river and back. We built dishwashers so husbands wouldn’t have to wash dishes (and spot on, I say!). From cars to nappies, humans demand easy-to-use, painless solutions that give us more time for ourselves and deliver the desired outcome with minimal effort. We want the same from our internet security. We can clap our hands and turn on a lamp, so we should be able to “plug and protect” our PCs just as easily.
The future, from my point of view.
Our houses have doors, burglar alarms and insurance. Well, most do, at least. If you don’t have a door, a burglar can walk in and steal your PC; thus, the door prevents the burglar from entering.
But Melih, doors can be kicked in!
Yes, they can, so continuing to get stronger doors isn’t much of a solution. This is why we should never rely on just one layer of security. The door to the house isn’t enough, so we install a burglar alarm. If he can get in, at least we can detect him – prevention plus detection, two layers. Let’s say he cuts your electric wires or manages to turn off the burglar alarm in another way (They make it look so easy on TV, don’t they?). He walks away with not only your computer, but your priceless stamp collection, too. This is why we have insurance, to recover the value of stolen items. Thus, insurance is the cure, the third layer in our layered approach. Stacking up these layers, in order, to protect the PCs in our homes, we have:
1. A door for prevention
2. A burglar alarm for detection, and
3. Insurance for the cure.
I thought you were going to tell us how to secure our PCs, not our homes, Melih!
I just did. The layered approach can be just as easily applied to our PCs. We use AV as our main source of defense, but is AV prevention? No, it’s detection, the veritable burglar alarm for a PC, but it must have the malware signature – the burglar’s mug shot – or it won’t sound the alarm. A new burglar, however, has a free pass, and no alarm goes off. This, my friends, is the infamous Zero Day attack, which our AV allows to happen. Now relax, AV devotees. I’m not saying AV is crap; I’m just pointing out its weaknesses, so calm down. With AV, our PC “house” has a burglar alarm but no door. Ridiculous, right? But that’s how it is! Some of us employ Firewalls too, but that’s also a form of detection, with a little prevention thrown in, if it’s a decent Firewall that doesn’t leak. If a firewall does leak, it lets the burglar (malware) take something out of the house or, in firewallspeak, make a call to the Internet with your sensitive information. A good firewall sounds an alarm in the form of a popup when this happens, and a really good firewall gives you advice on what to do next. You need both the AV and the firewall to detect someone coming in and things going out. So now our PC house has a decent burglar alarm (detection), but no door. Yikes!
Dude, where’s my door?
This is where we are challenged and need to change the model altogether. We are backwards when it comes to our default settings, but we can overcome this. Today, it’s fair to say that PCs are running with the “default: allow” function, which means they are allowing everything to run and hoping to catch the bad stuff before it executes. It’s more of a swinging gate than a door, and can’t really provide the prevention we seek.
So we should run with the “deny all” function and only allow the good stuff, right?
Bingo. With the “default: allow” in place, we operate on a system of “blacklisting”, blocking only the things that we know ahead of time are destructive. By reversing that and only granting entry to those names on the “whitelist”, we save ourselves the hassle of trying to figure out who’s good and who’s bad. If you aren’t on the list, you’re not coming in, period. Thus, we have a door, it’s solid, and it’s locked.
But Melih, who wants to deal with all the popups asking us if we trust ‘this or that’?
Frankly, no one, but why are we making the assumption that the whitelist database will be limited? It is feasible to create a very cogent whitelist security layer which will be virtually noise-free for the average user, and that is exactly what we are doing.
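The “default: allow” (blacklist) versus “default: deny” (whitelist) door described above, as an added example that is not code from the original post or from Comodo. The sample “executables”, hashes and program names are constructed for illustration; programs are identified by the SHA-256 of their bytes rather than by file name, which is why a tampered copy of a trusted program is also turned away.

```python
import hashlib

# Constructed stand-ins for real files on disk (hypothetical names and bytes).
SAMPLES = {
    "notepad.exe": b"MZ\x90\x00 hypothetical benign editor",
    "banker.exe":  b"MZ\x90\x00 hypothetical known password stealer",
    "newworm.exe": b"MZ\x90\x00 hypothetical never-seen-before sample",
}

def fingerprint(image: bytes) -> str:
    """Identify a program by the SHA-256 of its bytes, not by its file name."""
    return hashlib.sha256(image).hexdigest()

# The AV "mug shot" list (blacklist) and the approved list (whitelist).
KNOWN_BAD = {fingerprint(SAMPLES["banker.exe"])}
KNOWN_GOOD = {fingerprint(SAMPLES["notepad.exe"])}

def decide(image: bytes, mode: str, interactive: bool = False) -> str:
    """Return 'allow', 'block' or 'prompt' for a program about to execute.

    mode == "default-allow": blacklisting, run everything not known bad.
    mode == "default-deny":  whitelisting, run only what is known good;
                             unknown programs are blocked, or handed to the
                             user as a prompt when interactive=True.
    """
    h = fingerprint(image)
    if h in KNOWN_BAD:
        return "block"                       # both modes stop a known mug shot
    if mode == "default-allow":
        return "allow"                       # the swinging gate: unknown = in
    if mode == "default-deny":
        if h in KNOWN_GOOD:
            return "allow"
        return "prompt" if interactive else "block"   # the locked door
    raise ValueError(f"unknown mode {mode!r}")

def run_all(mode: str, interactive: bool = False) -> dict:
    """Decision for every sample under one policy mode."""
    return {name: decide(img, mode, interactive) for name, img in SAMPLES.items()}

def prompt_count(mode: str) -> int:
    """The 'popup noise' a user would see: prompts over all samples."""
    return sum(1 for v in run_all(mode, interactive=True).values() if v == "prompt")

if __name__ == "__main__":
    for mode in ("default-allow", "default-deny"):
        print(mode, run_all(mode), "prompts:", prompt_count(mode))
    # A trojaned copy of a whitelisted program: same name, different bytes.
    tampered = SAMPLES["notepad.exe"] + b"\x00 injected payload"
    print("tampered notepad.exe under default-deny:", decide(tampered, "default-deny"))
```

The never-seen-before sample is the zero day of the post: it walks through the blacklist and is stopped by the whitelist, and the only prompt the user sees is for that one unknown program.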
The days of going to bed without locking the front door are long past. PC security is, or should be, just as important as the security of our homes and personal belongings. We deserve to live our lives without the constant worry of burglary and vandalism, and only a layered approach will give us that peace of mind in regard to our computers.
Melih’s prediction: prevention will become the first line of defense!
thank you
Melih
What is a firewall?
Let’s start with the Webopedia definition:
(fīr´wâl) (n.) A system designed to prevent unauthorized access to or from a private network. Firewalls can be implemented in both hardware and software, or a combination of both. Firewalls are frequently used to prevent unauthorized Internet users from accessing private networks connected to the Internet, especially intranets. All messages entering or leaving the intranet pass through the firewall, which examines each message and blocks those that do not meet the specified security criteria.
There are several types of firewall techniques:
• Packet filter: Looks at each packet entering or leaving the network and accepts or rejects it based on user-defined rules. Packet filtering is fairly effective and transparent to users, but it is difficult to configure. In addition, it is susceptible to IP spoofing.
• Application gateway: Applies security mechanisms to specific applications, such as FTP and Telnet servers. This is very effective, but can impose a performance degradation.
• Circuit-level gateway: Applies security mechanisms when a TCP or UDP connection is established. Once the connection has been made, packets can flow between the hosts without further checking.
• Proxy server: Intercepts all messages entering and leaving the network. The proxy server effectively hides the true network addresses.
In practice, many firewalls use two or more of these techniques in concert.
A firewall is considered a first line of defense in protecting private information. For greater security, data can be encrypted.
http://www.webopedia.com/TERM/f/firewall.html
Eh? What? Who?
I hear you; we need someone to explain what the heck a firewall is, but in layman’s terms.
First of all, there are two kinds of firewalls: the ones we all use on our PCs (known as Personal Firewalls or Desktop Firewalls) and the others that are hardware based, in your router or deployed by enterprises in their operations (these cost a lot of money to buy, up to thousands of dollars). Both are integral to the everyday maintenance and security of a PC.
So why have two?
Because there are two things that a firewall does.
First, it acts as a prevention tool, and makes you invisible on the Internet. Imagine the Internet as a highway (literally) with houses scattered all around it. Each one will have its own number, as well as doors, windows, etc. Each house represents a computer connected to the Internet. Now, wouldn’t it be cool to have “invisible paint” that I can paint my house with on this highway, so that people can’t see me? Yup, that’s one function of a firewall. It makes you invisible on the Internet highway so that hackers don’t know where you are and can’t hack into your machine. Hackers are like the nasties on this highway, who go knocking on your door to see if anyone is in, and even try to open the door to see if they can get into your house. After all, in the virtual world, hackers get into your house (your PC) and take over, because you have much less visibility into what’s happening in your PC than in your house!
Yes, but the firewalls in our routers have some firewall functionality to stop hackers from getting in to your PC, don’t they?
Yes sir, you are right. Some hardware firewalls do have this functionality. That is why PC firewalls have evolved to offer the second functionality, “detection”.
Huh?
Okay, let me think . . . got it! Making yourself invisible only protects you against one type of threat. There are numerous others. Think of them like this:
1. The hacker throws a hand bomb through a window he manages to open.
2. The hacker puts a nasty bomb in your shopping bag without you realizing it. You take the shopping bag home.
3. The hacker drops a package at your front door and you open it.
4. The hacker gives you a really nice present that you will be proud to display as a piece of furniture. It looks a bit like a Trojan Horse, but you like it.
Protecting your PC against these attacks is tough, because they are not thoroughly understood. The idea is to prevent your stuff from being stolen, right? So how do you do that in the PC world? Let’s serve this up in the “real world”. It looks something like this.
You are a shoplifter and you go to a retail outlet and identify some nice clothes to steal. You are wearing a huge coat so that you can put some of these clothes on in the dressing room and simply walk out with them. Good plan so far. OK, you go pick 5 items, go to the dressing room, and put them on. You feel like smiling, but don’t! You will give yourself away. Just walk towards the door as if nothing has happened. DO NOT WHISTLE! You are making it too obvious. Just walk normally. OK, great, almost there. Keep going…
BEEP…BEEP…BEEP … OOOHHHH NOOOO!!!!
You forgot to remove the tags! Oh well, try telling the police this was just an experiment to show how PC firewalls work, and see if they buy it. No, we can’t visit you in jail.
Tags? What tags? Those electronic tags on the clothes I stole?
BINGO!
This is a tag alert system. It stops valuables from being stolen. If something is taken out of the shop without authorization, it sounds the alarm. Well, this is what your firewall does. It stops thieves from stealing, literally. If you have somehow managed to get malware on your system and that malware is trying to call home and steal information from you, the firewall will warn you. This is why your firewall must not “leak”; otherwise, malware will be stealing stuff out of your machine without your firewall alerting you. A leaky firewall is like a tag that doesn’t work: the shoplifter will take it out of the store without sounding any alarm!
There are many ways to get something nasty into your house, and guess what? In the virtual world it’s even easier! It’s easier because not many people understand “what is what”. What may look like an email or something else innocuous could spell disaster for your PC. Having both firewalls in place gives you both prevention and detection, so a hacker is outsmarted, both coming and going.
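The two jobs of a personal firewall described in this post, prevention (the “invisible paint”) and detection (the “tag alarm”), as an added simulation that is not code from the original post or from any Comodo product. The traffic, addresses (RFC 5737 documentation ranges) and program names are constructed; “drop” means the packet is discarded with no reply at all, which is what makes a host look empty to a scanner, as opposed to “reject”, which answers with a TCP reset or ICMP unreachable.

```python
from dataclasses import dataclass, field
from typing import List, Optional

@dataclass
class Packet:
    direction: str                 # "in" or "out"
    remote_ip: str
    remote_port: int
    app: Optional[str] = None      # process owning the local socket, None if nobody listens
    solicited: bool = False        # True when this answers a connection the PC opened

@dataclass
class PersonalFirewall:
    trusted_apps: set              # programs allowed to talk to the Internet
    leaky: bool = False            # a leaky firewall inspects inbound traffic only
    alerts: List[str] = field(default_factory=list)

    def inbound(self, p: Packet) -> str:
        """Prevention: anything we did not ask for is dropped silently.

        No reply of any kind goes back (no RST, no ICMP), so a scanner
        knocking on the door cannot tell this house from an empty lot."""
        return "accept" if p.solicited else "drop"

    def outbound(self, p: Packet) -> str:
        """Detection: the tag alarm on whatever tries to leave the house."""
        if self.leaky:
            return "allow"          # nothing checks what leaves: the tag that doesn't work
        if p.app in self.trusted_apps:
            return "allow"
        self.alerts.append(f"{p.app or '<unknown>'} -> {p.remote_ip}:{p.remote_port}")
        return "prompt"             # the popup asking you what to do next

    def handle(self, p: Packet) -> str:
        return self.inbound(p) if p.direction == "in" else self.outbound(p)

# Constructed traffic: a scan probe, a reply to our own web request, the
# browser itself, and a hypothetical malware sample phoning home.
TRAFFIC = [
    Packet("in", "198.51.100.7", 445),                                    # unsolicited probe
    Packet("in", "203.0.113.10", 443, app="browser.exe", solicited=True),  # reply to our HTTPS
    Packet("out", "203.0.113.10", 443, app="browser.exe"),                 # trusted program
    Packet("out", "198.51.100.9", 6667, app="invoice.exe"),                # unknown program
]

def run(fw: PersonalFirewall) -> list:
    """Verdict for each packet in TRAFFIC, in order."""
    return [fw.handle(p) for p in TRAFFIC]

if __name__ == "__main__":
    decent = PersonalFirewall(trusted_apps={"browser.exe"})
    print("decent firewall:", run(decent), "alerts:", decent.alerts)
    leaky = PersonalFirewall(trusted_apps={"browser.exe"}, leaky=True)
    print("leaky firewall: ", run(leaky), "alerts:", leaky.alerts)
```

With the decent firewall the probe gets nothing back and the unknown program triggers a prompt; with the leaky one the same program walks out of the store with the goods and no alarm sounds.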
Now I hope I have been able to give you a good security briefing with this article. If you take nothing else away from this,
“Put tags on your stuff, or it’s going out the door, people!”
Melih
http://www.theregister.co.uk/2007/05/17/take-away_scam/
Interesting read, and one we should learn from.
In the online world, before paying, we must verify the legitimacy of the site!
This must be a basic rule we should all follow, for a healthier Internet and a healthier pocket!
Melih
http://www.darkreading.com/document.asp?doc_id=116685&WT.svl=news2_1
“The attackers used an army of bots from around the globe to hammer the servers with bogus and abnormally large DNS requests — partially formed DNS messages of over 350 bytes each, according to a report from the ISC. The majority of the traffic came from nodes in Seoul (61 percent of the attack traffic) and Beijing (18 percent). Another 13 percent originated from nodes in San Francisco and another 7 percent elsewhere, according to ISC numbers”
Security cannot be optional! Charging end users for basic security makes it less than optional!
Security MUST be available to everyone for free! Otherwise we are creating an army of bots that could turn against us!!
Melih
Hi Everyone
http://www.comodogroup.com/products/comodo_security.html
A bit of self-promotion, but it does truly help end users. The more sites verified by Comodo, the better for end users.
Your help is greatly appreciated.
Melih
Oil Wars and CPU power! 
What the hell has oil got to do with CPU power?
Well, they are somewhat related. One is the enabler for the physical world (oil) and you have people fighting over it, and the other is the enabler for the virtual world and you have people (well, malware, spammers and hackers) fighting for it.
Just like oil is the key component that enables the majority of our lives, from transportation to heating etc, CPU power is the one that enables our online world. Without CPU power there would be no online world! So who is fighting for that CPU then? We can see who is fighting for oil,
but who is fighting for the CPU? Nope, I am not talking about Intel or AMD. They are not fighting for CPU power, they are fighting for market share to sell CPUs. But there are more sinister forces who are fighting for CPU power, forces that without CPU power would be utterly useless. CPU is the food they need to survive. They trick you and your programs into letting them in to get some CPU power! With that CPU power, they get more powerful and continue to exist and expand/spread.
(ok, ok.. enough suspense.).
It is the malware, it is the malware providers, it is the spammers, it is the hackers, it is the script kiddie that wants to have access to and control of the CPU power you have! Computer software is made of instructions (things that instruct the PC to do things like display text, run algorithms etc.). These instructions get “executed” in the CPU (e.g. Intel/AMD etc). Whether the code/instructions have good intentions or bad intentions, they get executed in the CPU. So a bad guy who wants to do bad things will go after your CPU power. Let me give you an example: a spammer who wants to send lots of spam to millions of people writes some nasty code that he distributes to take over unsuspecting victims’ machines and turn them into zombies. Cos the spammer does not want to send all the spam from his machine! And why should he? It’s easy enough and less risky for him to take over your machine and send his spam through your machine. You see, your CPU is able to do a lot of good and bad things; it’s very powerful and its control is totally up for grabs! It can send millions of spam messages, it can launch attacks on other websites and take them down, it can harbour malware and act as a distribution point, and oh, btw, it can also do word processing!
The question is: How do you get that control back!? How can you make sure you have control of your own CPU!?
Melih
The New Dawn: Security is not Trust
Despite talk about encryption and security on the Internet, we are still falling short of true identity trust assurance every time we go online. Why? Our current attempts at encryption only encrypt our communications, but don’t check who is on the receiving end, thus giving users a false sense of security. After all, what is the point of encrypting something for someone you have not authenticated? For all we know, we could be encrypting and securing information for the fraudster on the other end.
Through real world examples of fraud, phishing and finally trust, I will outline what steps are necessary to move the Internet from merely encrypted messaging to a secure environment with established trust between user and e-merchant and back again. This article will outline why some tools work and some don’t, as well as what actions must be taken to prepare us for the next Internet revolution, the next threat and, hopefully, an age of trust.
Not all Animals – or Internet Padlocks – are created Equal!
It’s a fact of life, we look different, we act different, and we feel different! And that is why browser providers like MS, Mozilla Firefox, Opera and KDE want to change the way their browsers look, feel and interact with the end user. Yet, their security padlocks seem to remain unchanged, providing us with an icon of trust and security that may not only be outdated, but may be a wolf in sheep’s clothing.
Today, not all Secure Sockets Layer (SSL) certificates – padlocks to the general user – are created equal, and some are even being used as tools in today’s phishing attacks. However, it is hard to tell a secure lock from a non-secure lock when they all look the same. This growing online inconsistency makes it more important that our end users be able to identify a truly authenticated site, and that browsers work with trusted Certification Authorities to ensure that the padlocks are doing what they promise.
But the good news is: All is about to change! We are about to have a more trusted indicator in the browsers! http://news.com.com/Browsers+to+get+sturdier+padlocks/2100-1029_3-5989633.html .
thanks
Melih
Well, now that we have a website www.cabforum.org, everyone knows the new standard we have been working on to improve SSL.
I thought I should write a note or two to clarify a few issues and make a few statements.
1) Where the hell did this CAB forum come from?
Well, in April 05, I thought the time had come to bring together the people in the industry and own up to the problems that existed so that they could be resolved. One morning, I rang our competitor Verisign’s folks and asked them if they would be in. They said np. Then we held the first meeting of this forum in a hotel near Wall Street in NY, hosted by Comodo.
What do you mean, why did I do that? The same reason why I chose to give away a free firewall and free AV. I believe that by bringing the industry together we could create a vehicle to help resolve “trust threats”.
2) What had to be done: The problem was, people who had root keys could issue certs willy-nilly. There were no standards to follow or rules to abide by. That’s why some CAs were issuing unvetted certs. So stage one was to set a standard and get everyone to agree that unless they complied with it, their root would be kicked out of the root programme.
Of course, then the question was: where do you draw the line for this standard? It was, and still is, difficult to figure out. It was important to have really good validation but still be inclusive. Stage one is a good starting point; however, we need to continue making progress and make EV accessible to every legitimate entity that needs it. Identity assurance is a key component in any commerce, and especially so for e-commerce.
3) Why did we have to come up with a new GUI and not simply fix the yellow padlock? Well, that’s a tough one. I don’t think it’s fair on the browser guys. Let me explain: there was no standard when the browser guys included the root keys of certain CAs, so under what circumstances can they turn around and say, OK, we are kicking your root out now? On what basis? There was no standard in the first place! So that would, imo, leave a huge liability for the browser guys. Also, it would take a lot longer to get the standard to take effect, as there are already multi-year certs out there on the old SSL. And a few other reasons that I can’t remember (yes, old age!).
4) Is this a way for CAs to make more money? Well, yes. But that was not the intended consequence at the beginning. It was merely trying to address a problem, which turned out to be a new product that actually costs more money to implement due to its high standard requirements. (Come on guys, give me a break, will you? We give all desktop security for free!! Let us make money somewhere, will you? (:SHY) )
More will follow as I get more questions/thoughts……
Melih
The point being raised in this news article is that people mostly use AV, and anti-spyware has yet to penetrate the market.
One of the major reasons why anti-spyware products come as a separate product is that vendors are looking for ways to charge extra for them. At Comodo we decided to turn our AV engine into one that also catches spyware, hence we called it CAVS (Comodo Anti Virus/Spyware). Hence I believe our strategy is right and will help fight malware better, cos the majority of people still think just AV will be enough and don’t bother with anti-spyware.
Read the article and let me know your thoughts please.
Thanks
Melih