More from the Shootout at the E-COM Corral


The First Virtual press release triggered a storm of e-mail on the issue of keystroke capture and the security of sending encrypted credit card numbers across the Internet. First Virtual has collected a number of these e-mail messages and posted them at

http://www.fv.com/ccdanger/e-mail.html

The following are two selections from the Cypherpunks mailing list that we at Netsurfer Focus found to be most pertinent and cogent.



From: "Simon McAuliffe" <sai@comp.vuw.ac.nz>
Date: Wed, 31 Jan 1996 11:54:29 +1300
Subject: Re: Apology and clarification

For those that are sick of this thread (as I am), I apologize in
advance for throwing another log on the fire.  I just can't help
trying to get through...

Nathaniel Borenstein <nsb@nsb.fv.com> writes:

> First of all, I believe that I owe the cypherpunk community an
> apology for an error in judgement on my part.  The message that I
[...]
> Our approach combines the following four known problems into a
> fatal attack:
>
>   1) Consumer machines are insecure and easily compromised.
>   2) Keyboard sniffers are easy to write.
>   3) Credit card numbers are self-identifying (they have check digits)
>      and can easily be extracted from a huge stream of input data.
>   4) Once intercepted, small amounts of information (e.g. a cc #)
>      may be distributed completely tracelessly over the Internet.
>
> When you put all four of these together, you have an attack that
> IS new, in the sense that nobody we know of has ever mentioned it
> before, and which could in fact be used by a single criminal, with
> only a few weeks of programming, to tracelessly steal MILLIONS of
> credit cards, if software-encrypted credit-card schemes ever caught
> on.

You're right, the four problems you mention are known and have been
for a long time, and have also been used in attacks.  What you don't
seem to understand is that the overall attack from the combination of
these isn't new either.

In many ways a credit card number, name and expiry date form a
password.  It's a password that the bank accepts to allow money
transfers in much the same way as a computer accepts a password to
allow information transfers.

On this very list (amongst other places), there has been discussion
of trojans and viruses for grabbing passwords, and of methods of
determining what is a password and what isn't a password.  In the
same way you can decide if a number is a credit card number, there
are heuristics you can use to determine if a user is entering a
password, though often it may require more than just monitoring
keystrokes.  To collect expiry dates and names for credit cards,
monitoring additional side information may also be useful.  So I
see no fundamental difference between the two, credit card numbers
_are_ passwords.

I myself have used precisely this technique many years ago, as I'm
sure many others here have, to demonstrate security problems.  The
only difference is the heuristic for determining what constitutes a
password in the domain you're snooping.

What's more, the methods in existence before your post can be and
have been built in viruses which are considerably more prolific than
a trojan.  Not only is your attack not new, it is less powerful than
some similar attacks that predated yours.

Implying credit card numbers are more valuable than passwords is
dubious.  There are organisations that could lose millions of dollars
if their password security was compromised, but it's hard to say the
same for credit cards.  In this country, although I don't know about
yours, I'm not even liable if somebody steals my credit card and uses
it.  I would consider a "credit card password" as a lesser commodity
than a password for giving access to an entire computer system.

[...]
> So here's the factual claim, to be proven or disproven:  One good
> programmer, in less than a month, can write a program that will
> spread itself around the net, collect an unlimited number of credit
> card numbers, and get them back to the program's author by
> non-traceable mechanisms.  Does anyone on this list doubt that
> this is true?  If so, I'd like to know the flaw in my thinking, --
> I am *not* too proud to withdraw any claims that aren't true.  If
> not, I think it's worth noting that this fact was previously
> completely unknown to the bankers and businessmen who are putting
> large sums of money at risk on the net.  The only way to get the
> message to those communities is with a very visible public
> announcement of the kind you saw yesterday.

Of course this is a threat, I don't think _anybody_ will deny that,
but this is not a new threat.  True, the attack may not have been
known to businesspeople and bankers, but there are many other areas
of security they also know nothing about.  Trying to claim an old
invention as your own just looks like hype, PR and lies, not to
mention showing a lack of knowledge which could do the reverse from
what you set out to achieve.

It is certainly a Good Thing for the public to know about the
potential for various types of snooping, but surely it could be done
in some way which doesn't make it look like you invented it.  I
don't think anybody here objects to the attack itself, but rather
the claims you made about it and the way you communicated it.

---
E-mail: sai@comp.vuw.ac.nz/sai@kauri.vuw.ac.nz     +64 4 233 9427
PGP Fingerprint: 65 5B B4 6C CB 6A 65 F1  01 91 B9 FE 34 23 99 D3
PGP Key by mail, finger or from http://www.vuw.ac.nz/~sai/pgp-key.html
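The check-digit property that the quoted message relies on (point 3 of the four) is the same property a defender uses to find card numbers in data that should never carry them, such as application logs, tickets or outbound mail. The following Python scanner is an added example, not code from either post or from First Virtual: it flags 13 to 19 digit runs that pass the Luhn test and masks them before a log line is stored. The candidate regex, the length limits and the sample log lines are constructed for this example; production DLP engines add per-brand prefix rules on top of this.

```python
import re

# Constructed candidate pattern: 13-19 digits, optionally separated by single
# spaces or dashes, not embedded in a longer digit run.
CANDIDATE_RE = re.compile(r"(?<![\d-])(?:\d[ -]?){12,18}\d(?![\d-])")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string satisfies the Luhn check-digit test."""
    if not digits.isdigit() or len(digits) < 13:
        return False
    total = 0
    # Walk from the rightmost digit and double every second digit.
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9  # same as summing the two digits of the product
        total += d
    return total % 10 == 0


def _digits_only(run: str) -> str:
    return re.sub(r"[ -]", "", run)


def find_pans(text: str) -> list:
    """Return the Luhn-valid card-number-like runs in text, digits only."""
    found = []
    for m in CANDIDATE_RE.finditer(text):
        digits = _digits_only(m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def redact_pans(text: str) -> str:
    """Mask every Luhn-valid PAN in text, keeping only the last four digits."""
    def mask(m: "re.Match") -> str:
        digits = _digits_only(m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            return "*" * (len(digits) - 4) + digits[-4:]
        return m.group(0)  # Luhn-invalid runs (order ids, phone numbers) stay
    return CANDIDATE_RE.sub(mask, text)


# Constructed sample log: two well-known Luhn-valid test numbers, one 16-digit
# order id that fails the check, and one number with a wrong check digit.
SAMPLE = (
    "2026-01-31 11:54:29 checkout user=alice card=4111111111111111 exp=12/27\n"
    "2026-01-31 11:55:02 checkout user=bob card=4242-4242-4242-4242 exp=03/28\n"
    "2026-01-31 11:55:40 order 7900000000000000 total=49.90 card=4111111111111112\n"
)
```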




From: vin@shore.net (Vin McLellan)
Date: Wed, 31 Jan 1996 05:12:03 -0500
Subject: Re: The FV Problem = A Press Problem

   Mr. Borenstein's press release ("FV's position on Merc article")
was egregiously self-serving and embarrassingly over-inflated.

   Yet, First Virtual's CC-focused keyboard sniffer ("...a program
which completely undermines the security of every known credit card
encryption mechanism for Internet commerce") and his postulated widespread
stealth attack on unprotected consumer PCs highlighted an obvious -- but
oft forgotten, at least in non-CompSec circles -- vulnerability.

   An encrypted link is only as secure as the CPUs at either end.  Not
an unimportant consideration as we plunge into Internet commerce; and
surely a valid point for one vendor to make, if it suggests unrecognized
risks in a competitor's scheme for consumer purchases and payments.

   Borenstein is handling his inevitable mugging in C'punks with zest
and considerable aplomb; even including an apology for submitting his
sensationalistic attack on crypto-based competitors to this List.  Before
folks leap from FV's text to damning the San Jose Mercury News' articles by
Simson Garfinkel, however, they should pause and read or maybe re-read
Garfinkel's three articles.

   Mr. Garfinkel is probably the single most technically-literate
journalist writing about computer security for mainstream (or trade press)
media.  His Mercury News article is precisely focused on FV's initiative in
developing this demo program (a trojan screen saver) and the campaign by
the Southern California company to use the demo to illustrate a relatively
unguarded aspect of Netscape's SSL-protected credit card transactions,
which have been widely touted as the be-all of Network Commerce.

   It was, as Garfinkel bluntly put it: "a direct attack against the
security promised by Netscape Communication Corp.'s popular Netscape
Navigator..."

   Mr. Borenstein later expressed his regret that Garfinkel had cast
the story as a competitive attack, but IMNSHO Garfinkel was right on
target: the FV campaign was a targeted bombardment of their most prominent
competitor.  And a campaign it was -- well deserving media attention.

   FV apparently carted their demo code and attack model back and
forth across the country. FV gave presentations to NIST, NSA, the US
Treasury, and the White House, according to Garfinkel.

   The only silly comment in Garfinkel's article was a direct quote
from FV's Borenstein: "One of the things we've heard from people inside
government were comments along the line, 'We thought only NSA knew how to
do this....'"

   (And if a world-class CompSec/UNIX expert like Garfinkel wasn't
chuckling when he wrote that -- and expecting knowledgeable readers to
giggle and grin when they read it --  I'll stew and eat my beaver hat!)

   The Merc's quotes from independent security experts -- commenting
on FV's attack model -- were notably dry and balanced.  Yes, the attack and
threat vectors were real -- but, noted the American Banker's Association's
Kawika Daguio: "It is a classic attack."

   "I've seen it, and I've seen things like it before," said Mr.
Daguio.  Nothing new. Matt Bishop, the UC prof, also sounded less than awed
by FV's creativity: "There is no reason why one could not write a program
to monitor keystrokes, look for numbers which look like credit card
numbers, and send them out over the Internet," in an unobtrusive way, to a
thief elsewhere.

   (Prof. Bishop might have had more to say, had he been told it took
a FV programmer a _month_ to write a keyboard sniffer optimized for credit
card data;-)

   As a newcomer to this List, I have the impression that C'punks are
a little jaded when it comes to mass-market CompSec and ComSec threats --
and perhaps a little rabid when it comes to anyone rash enough to suggest
that the first mass-market crypto product (in the hands of naive consumers,
with unprotected PCs and poor CompSec habits) may have dangerous procedural
vulnerabilities.   A little perspective, guys!

   Crypto from an insecure base has risks that deserve to be
highlighted; and credit card numbers are uniquely negotiable passwords.
FV is scare-mongering, sure -- but that's combat marketing.  Mr.
Borenstein's press release posted in C'punks was chumming with raw bloody
beef -- and that was just dumb -- but it was striking how blithely many
folks here acknowledged (and immediately dismissed) the threat he
described.

   Nothing wrong with FV trying to slow the bandwagon of a major
competitor by drawing attention to vulnerabilities or potential
vulnerabilities of their technology in a mass market.  This happens a lot
-- although most corporate perpetrators try to hide their hand a lot more
than FV did, and they generally sound a lot less self-righteous -- but a
little brawling is not a bad thing, particularly in IS security.  (Some
markets, like firewalls, desperately need a little more competitive
clarity.)

   On the other hand, Mr. Borenstein's hyper-inflated presentation of
First Virtual's case all but begged for the C'punk lynch mob that has
followed him down through several threads on this List.  If he didn't
expect the reception he got, he should fire his PR advisor and get someone
who knows how to write without the purple prose and napalm.

   Simson Garfinkel and the Mercury News are getting a bad rap from
folks caught up in the mob chasing Mr. Borenstein.  Read the three
articles.  The on-line version has a headline that is a bit overwrought
("Program shows ease of stealing credit information") but overall, it's a
credible, savvy, and amusing piece of journalism about FV.   Quite
professional, I'd say.

   Suerte,

         _Vin

    Vin McLellan +The Privacy Guild+  <vin@shore.net>
 53 Nichols St., Chelsea, Ma. 02150 USA Tel: (617) 884-5548