
Buying the pharm

This is some rambling, and it has nothing to do with pill-pushing spam. Rather, it’s about a new kind of attack called “pharming.”

The background principles are these. There is a hierarchy of servers out on the internet (the Domain Name System, or DNS) which translate domain names (like flashesofpanic.com) into numerical addresses. This process is called “resolving” a domain name, and your system asks one of these servers to “resolve” a name whenever you use a domain. (There are intricate caching rules, which I won’t get into now, since they’re not relevant.)

By now we’ve all heard of “phishing,” where various black-hats send us email pretending to be from banks we don’t have accounts at, trying to fool us into going to websites which look like those of the banks and filling in (“confirming”) our personal data and account information, which they can then use for several avenues of fraud. Phishing can be combated by education: once a user understands that you can’t trust everything you see in e-mail, it becomes pretty simple to recognize the ruses used by the phishermen, because the scam depends on your following a link the attacker chose.

Pharming takes this to the next level. Instead of trying to fool you into going to a site which is not that of the financial institution, they “poison” the DNS servers such that when you “resolve” the domain name of the bank, you are sent to their website instead. You typed www.mybank.com yourself, your browser shows www.mybank.com, but the numerical IP address behind it belongs to the attacker. Nothing in the address bar gives this away, so it is nearly impossible to recognize this kind of scam.

Nearly. But not completely. This is where digital certificates come in. Certificates have a dual role. First, they carry the site’s public key, one half of the asymmetric key pair used to set up an encrypted conversation between your browser and the server, which is their most widely known use. They’re what puts the padlock in your browser window and assures you that your credit-card number is encrypted as it passes over the wild, wild internet on the way from your browser to the site. But they are also signed, by a certificate authority, and the signature binds that key to a particular domain name; the browser checks that the name in the certificate matches the name you asked for. If I tried to serve a certificate claiming I was ebay.com here on this site, your browser would pop up all kinds of warning flags, because the name wouldn’t match.

Likewise, if I serve a “self-signed certificate” as the site’s certificate, as I might when providing secure webmail, your browser will pop up a different error. It will say, sure, the certificate matches the domain name, but nobody vouches for it. (Actually, it will say something like, “The certificate wasn’t issued by a recognized authority,” or “No trust path could be established,” but those all mean the same thing to geeks.)
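The two warnings described above (name mismatch versus no trust path) can be reproduced offline with the OpenSSL command line. This is an added example, not code from the original post: it builds a throwaway “Demo CA”, a certificate for www.mybank.com signed by it, and a self-signed certificate for the same name, then runs the same checks a browser does. The names www.mybank.com, www.ebay.com and “Demo CA” are made up for the demo, and the script assumes OpenSSL 1.1.1 or later (for -addext and -verify_hostname).

```shell
#!/bin/sh
# Added example, not from the original post. Assumes OpenSSL >= 1.1.1.
# Everything is written to a scratch directory and removed on exit.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

make_certs() {
  # A private "signing authority" that will vouch for exactly one site.
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" \
    -subj "/CN=Demo CA" >/dev/null 2>&1

  # A certificate for www.mybank.com signed by that CA: this is the
  # "trust path" a browser looks for behind the padlock.
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$WORK/bank.key" -out "$WORK/bank.csr" \
    -subj "/CN=www.mybank.com" >/dev/null 2>&1
  printf 'subjectAltName=DNS:www.mybank.com\n' > "$WORK/bank.ext"
  openssl x509 -req -days 30 -in "$WORK/bank.csr" \
    -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
    -extfile "$WORK/bank.ext" -out "$WORK/bank.pem" >/dev/null 2>&1

  # A self-signed certificate for the same name: the name matches,
  # but nobody vouches for it (the webmail case in the post).
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -keyout "$WORK/self.key" -out "$WORK/self.pem" \
    -subj "/CN=www.mybank.com" \
    -addext "subjectAltName=DNS:www.mybank.com" >/dev/null 2>&1
}

# check_cert CERT HOSTNAME
# Prints "ok" when the chain leads to our CA and the name matches,
# "untrusted" when no trust path exists, "mismatch" when the chain is
# fine but the certificate is for a different name, "other" otherwise.
check_cert() {
  out=$(openssl verify -CAfile "$WORK/ca.pem" \
          -verify_hostname "$2" "$1" 2>&1) && { echo ok; return 0; }
  case "$out" in
    # message wording differs between OpenSSL 1.1.1 and 3.x
    *"self signed"*|*"self-signed"*|*"unable to get local issuer"*) echo untrusted ;;
    *"Hostname mismatch"*|*"hostname mismatch"*) echo mismatch ;;
    *) echo other ;;
  esac
}

make_certs
echo "bank cert, asked for www.mybank.com: $(check_cert "$WORK/bank.pem" www.mybank.com)"
echo "bank cert, asked for www.ebay.com:   $(check_cert "$WORK/bank.pem" www.ebay.com)"
echo "self-signed, asked for www.mybank.com: $(check_cert "$WORK/self.pem" www.mybank.com)"
```

The second line is the ebay.com case from the post: the chain verifies, but the name does not. The third is the webmail case: the name matches, but the certificate is not in any trust path, which is exactly the warning a pharmed user would see if the attacker’s server presented its own certificate for www.mybank.com.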

Which leads to an uncomfortable place. To guard effectively against pharming, we should be conditioning users to pay attention to those warning messages from their browser, not tune them out. That probably means not using self-signed certificates for webmail or SSL email. But that, in turn, would require us to cough up $300 to a certificate authority which doesn’t actually do much other than a cursory verification of our paperwork stating that we are who we say we are.

My paranoia and my New England flintiness are in conflict here.

Now Playing: Welcome To The Occupation from Document by R.E.M.

Comments

“…they “poison” the DNS servers such that when you “resolve” the domain name of the bank, you are sent to their website instead.”

Yikes!! I recently got an email from “Paypal” that asked me to do just what you describe, confirm my information. I am savvy enough to know that no authentic bank or such would ask me to send my info over email. I was also wary enough to not follow the link in the email to “www.paypal.com.” But I think I did soon after closing the email type www.paypal.com into my browser, and go to what looked like Paypal’s homepage. I can’t remember if I logged in or not.

Excuse my ignorance of what a “DNS server” actually is, but are these scams so sophisticated as to take control of your browser, sending you to their site instead of the real site, even if you haven’t followed a link?

If so, that’s rather scary.

Thanks for the informative post.
