Slashdot Mirror


User: StefanSavage

StefanSavage's activity in the archive.

Stories: 0 · Comments: 25

Comments · 25

  1. Except the avionics have not undergone that much change in quite a while. The MAX uses the same Smiths (now GE) FMC that 737s have used for well over a decade (the 2907C1). They use either the Rockwell-Collins CMU-900 or Honeywell MKIII to manage external RF-sourced messages. They all use the same TWLU for Gatelink. Yes, there are differences between the software releases (e.g., U13 for the FMS on the MAX), but most of the code in these LRUs is the same from release to release.

  2. Re:You misunderstand. on Hackers Remotely Cut a Corvette's Brakes · · Score: 1

    FWIW, we're aware of thousands of these dongles on the road today.

  3. Re:Misleading Attention Grabbers on Hackers Remotely Cut a Corvette's Brakes · · Score: 4, Informative

    Sorry, I have contrary empirical evidence. On multiple different cars we have manipulated appropriate ECUs with the effect that you can push on the brake pedal with no impact on forward velocity (see autosec.org and also the paper this post refers to). I'll personally attest that it is so and that no matter how hard you step on the pedal that nothing is happening wrt braking. I believe that Charlie and Chris also accomplished the same thing with the vehicles they addressed in the first and most recent presentations.

  4. Re:Pointless - takes too long on Visa and MasterCard Take Fight To Scammers · · Score: 1

    Actually the economics here are not favorable to the scammer. For the class of goods being discussed here, most of the affiliate programs are fairly long lived (necessary precisely because they rely on independent contractors paid on commission to advertise their wares) and, as they advertise broadly, their storefronts are well known. It's simply not difficult to keep up with the top programs in any niche. It does indeed seem to take 2-4 weeks between the generation of a complaint and the merchant account shutdown, but the loss on the account is significant. First, accounts in some niches (notably pharma) have become extremely hard to come by. If you don't have a history of high turnover, you won't get boarded in this sector and you'll need to go for third-party processing (at discount rates that can go up to 25%). Second, due to high risk, merchants can expect 10% holdback on 180 days revenue as collateral against future liabilities. Anecdotally, scammers report that this money goes out the window when they lose their account. Finally, empirically we see account replacement take a month or more and there's lost opportunity cost on missed sales. When you compare this against the cost of the test purchase... this is a huge asymmetry that does not favor the scammer.

    Finally, in the course of our studies we've placed over 800 purchases on distinct credit cards (from pharma, software, replica goods and fakeav) and we have only a small handful of fraudulent charges (almost all associated with a data breach of a large online pharmacy) so our experience does not support the theory that all of these cards are being defrauded post facto.

  5. Re:Bad. Wrong. Evil. on Visa and MasterCard Take Fight To Scammers · · Score: 2

    > In fact, even the company spokesperson admitted it's an extra-judicial process: "'It doesn't require a judge, a law-enforcement officer or even much in the way of sophisticated security capabilities. If you can purchase a product, then there's a record of it and that record points back to the merchant account getting the money,' Savage said."

    So... you might want to read more closely. As the aforementioned Savage, I can assure you that I am not a company spokesperson, but rather an academic :-) Brian's article is based on a study we completed looking at how this particular intervention is taking place.

    You are correct that none of this is being done through law enforcement. The relevant mechanism is that the card association contracts with acquiring banks stipulate that their boarded merchants may not sell goods that are illegal in their country or in the country into which they are being sold. The complaints from brand holders represent assertions that such a contract violation is taking place. The card networks investigate with the acquiring bank and, if indeed a violation of their contract terms has taken place, then they can levy the penalties in their contracts. There is nothing extra-legal here in the sense that this is straight up contract enforcement. In principle the card associations could refuse to investigate or enforce a contract violation without the brand holders suing them, but that position seems extreme, no? This kind of action happens in countless contexts, from manufacturing to real estate, without any judicial involvement unless one side contests the facts (and even then this would typically be a civil issue and not a criminal one).

  6. Hmmm... sounds familiar on Researcher Reverse-Engineers Pacemaker Transmitter To Deliver Deadly Shocks · · Score: 5, Informative

    Seems like this was demonstrated four years ago, no?

    Pacemakers and Implantable Cardiac Defibrillators: Software Radio Attacks and Zero-Power Defenses.
    D. Halperin, T.S. Heydt-Benjamin, B. Ransford, S.S. Clark, B. Defend, W. Morgan, K. Fu, T. Kohno, and W.H. Maisel.
    IEEE Symposium on Security and Privacy, May 18-21, 2008.

    See: http://www.secure-medicine.org/icd-study/icd-study.pdf

  7. Re:Any truth to this? on The Future of Hi-Tech Auto Theft · · Score: 1

    Page 7 of the linked paper.

    - Stefan

  8. Re:why is the CD player on the same network? on The Future of Hi-Tech Auto Theft · · Score: 1

    > nope.
    >
    > there is zero possibility to send out a "lock up the brakes" command from the car stereo into the CANBUS unless you rewrite the stereo's firmware first. and that is not gonna happen.

    I'd admit it is surprising, but you're wrong on this one. This is in fact one of the things we are able to do.

    - Stefan

  9. Re:Questions answered in this thread... on A New Approach To Reducing Spam: Go After Credit Processors · · Score: 1

    > Does that make it a Danish bank or a Norwegian bank?

    In this day and age it's hard to tell. You could call it a Latvian bank too (that's what we did in the paper).

  10. Re:Questions answered in this thread... on A New Approach To Reducing Spam: Go After Credit Processors · · Score: 1

    > What is the connection to Denmark? I cannot find any mention of Denmark or any Danish bank in the study?

    I suspect the connection is via DnBNord... the bank in our study was the Latvian branch, but I believe the headquarters are in Copenhagen (although as I recall the whole lot may be owned by DnB NOR in Norway).

  11. Re:Questions answered in this thread... on A New Approach To Reducing Spam: Go After Credit Processors · · Score: 2

    Reprising a previous comment:

    While the universe of banks willing to accept high-risk merchants is smaller than the total number of Visa association affiliates, it is certainly far larger than three. If you got these three banks out of the game, there would be others to replace them. However, the more important asymmetry here is not in the size of the set, but in the switching time. If a merchant (or their payment processor, more likely) starts to route transactions through a new acquiring bank, their identity will be revealed very quickly in any purchase authorization record. By contrast, the time to actually establish that new banking relationship (and get appropriate certificates from Visa, etc.) takes days. This is one of those rare cases where the defender is able to respond far more quickly than the attacker.

  12. Re:What Bank? on A New Approach To Reducing Spam: Go After Credit Processors · · Score: 1

    I suspect that the Times article is referring to DnBNord Latvia, which I think also has a Danish branch. I think they are all technically owned by DnB NOR in Norway.

    - Stefan

  13. Re:Because going to another provider wouldn't occu on A New Approach To Reducing Spam: Go After Credit Processors · · Score: 1

    > Like they wouldn't go to another provider... much like they do now if they get shut down.

    Of course they would. However, the key issue is the cost structure on each side. For us to discover the identity of the new bank being used takes a few minutes (seconds if we had direct access to VisaNet) and negligible cost (I just need to authorize a purchase from the site). There is no technical reason I'm aware of that you couldn't implement an issuer blacklist at similar time scales if you wanted to (I can think of lots of reasons it might not be a good idea to automate this, but the main point is that the time scale is short). Compare that to how much time and cost you think it takes to find a new bank willing to accept high-risk merchants. It's certainly doable; there are a number of such banks, but it's orders of magnitude more time.

  14. Re:It's the business model, stupid on A New Approach To Reducing Spam: Go After Credit Processors · · Score: 1

    > Yes it is the business model of these banks. However, they are processing through a credit network (Visa / Mastercard) and consumers' credit cards are backed by an issuing bank (think Chase, Citibank, etc). Either the credit network or the issuing bank can prevent the transaction without the cooperation of the shady acquiring bank.

    This is precisely right. We too would expect that convincing foreign banks to dump their customers would, at best, be a slow process and would be unlikely to succeed as a general approach. Moreover, it's not even clear if such activities are illegal in the jurisdiction of all these institutions (at some level these are all IP crimes after all). However, the money for these purchases is primarily from the US and thus direct interventions by domestic issuers are likely to be as effective as shutting down the acquiring institutions.

    Now a separate question is whether this makes political and economic sense as a matter of public policy. That is certainly open to debate and there are probably reasonable arguments on both sides.

  15. Re:Good idea, but... on A New Approach To Reducing Spam: Go After Credit Processors · · Score: 1

    In general, the payment tier is only an appropriate point of intervention for those activities that are monetized via direct consumer payment. So it is appropriate for things like spam-advertised goods, fake-AV, gambling, porn, etc.... things for which it is hoped that the recipient will provide a credit card number to finance the underlying advertising activity. It is not useful for scams that employ an out-of-band payment scheme (e.g., pump-and-dump) or that are fundamentally focused on theft (e.g., phishing, 519, malware vectors, etc).

  16. Re:Fight Fire with Fire on A New Approach To Reducing Spam: Go After Credit Processors · · Score: 1

    > I've never understood why not, when a computer can generate millions of spam ads for viagra, that another computer cannot generate millions of (fake) orders for the viagra.

    You can, but the processors all use standard fraud detection policies that will detect this activity and filter it out unless you do a very good job (from experience, it can be tricky making a purchase if you are not who you say you are... there is a real learning curve here). You'd need valid cards for which you have an associated name and street address that will pass an AVS check, a range of distinct e-mails (and not from public Web mail) and IP addresses. However, with enough work it would be doable... although probably in violation of Federal and State law in the US.

    - Stefan

  17. Re:95%? on A New Approach To Reducing Spam: Go After Credit Processors · · Score: 1

    > Indicating there are still other companies willing to process these transactions. The spammers will just switch to them if the 'big 3' refuse to do business with them.

    This is correct; while the universe of banks willing to accept high-risk merchants is smaller than the total number of Visa association affiliates, it is certainly far larger than three. However, the more important asymmetry here is not in the size of the set, but in the switching time. If a merchant (or their payment processor, more likely) starts to route transactions through a new acquiring bank, their identity will be revealed very quickly in any purchase authorization record. By contrast, the time to actually establish that new banking relationship (and get appropriate certificates from Visa, etc.) takes days. This is one of those rare cases where the defender is able to respond far more quickly than the attacker.

  18. Re:Attacks on Hacking a Car With Music · · Score: 5, Informative

    > In a talk, Stefan claimed to have the ability to remotely drive as well, i.e., steer/accelerate/brake.

    I'd be surprised if you're not misremembering... both because we hadn't spoken publicly about concrete remote vulnerabilities before our NAS briefing and because some of this is not true. In particular, steering is not electrically intermediated on most cars (new electric cars aside) and we've never demonstrated acceleration control (engine start/shutdown, yes... acceleration, no... although I'd be surprised if it wasn't possible).

  19. Not our claim... :-) on Researchers Claim "Effectively Perfect" Spam Blocking Discovery · · Score: 5, Informative

    As a co-author of this work, I should be clear that we never suggested that we have a perfect spam filter per se, simply a new tool that has the benefit of being orthogonal to existing techniques. For _existing_ botnets, our filters are extremely good, but the paper is also quite clear about the variety of ways that spammers might try to evade the approach.

  20. Re:Stanford's patent policy. on Designing a Patent-Incentive Program? · · Score: 1

    Sorry, but this is generally incorrect. The Bayh-Dole Act (with us since 1980) gives universities the rights to patents funded with Federal $$$. To make this situation more clear, many universities have faculty sign IP agreements explaining how such rights will be considered in various contexts. Indeed, most universities will claim patent rights on inventions made during your period of employment even if not funded by the government. Patent revenue is generally shared, but precisely how varies quite a bit among institutions. Faculty-founded startups directly based on university-patented research almost always license those patents from the university. There are pro/con arguments about whether or not this is all good policy, but this is what actually happens.

  21. Useful? We think so :-) on UCSD Biometric Vending Machine · · Score: 5, Informative

    Seriously, I suppose usefulness is in the eye of the beholder, but from my rather pragmatic standpoint the machine has one very important use: it allows me to get a coke with very little effort (while differentiating my debts from those of others). There's really nothing more to it than that. I think people are looking for something deep, or a new product category, or some groundbreaking science... move on... you won't find it here.

    This project really had two goals: make it easy to buy soft drinks from our grad student co-op and have fun building a real artifact.

    The latter part -- having fun -- is underappreciated. Really, the students had a great time putting the pieces together... they had to design and build an interface board to Vendo's control bus, they had to build a UI (that student was a ST:TNG fan so the interface mimics the screens from the series), they had to interface it to our MySQL database that holds user accounts, etc. It was a real esprit de coeur project and one in which everyone had a lot of fun. Once it was working, people started adding other components: a 2d bar code scanner (not used for soda, contrary to the article, but for candy and other goods), they added visual recognition (and there is a banana detector in the works to register purchase of bananas), there is a voice synthesizer that can say "Shame" out loud if your cash balance in the co-op goes negative, there is even a student who has been talking about door-to-door delivery using a robot, etc.

    I suspect if we had called it a "case mod", people would have understood the spirit in which it was built.

  22. Another source for the report on U.S. IT Infrastructure Highly Vulnerable · · Score: 5, Informative
  23. Primary sources... on Assessing Internet Viruses Like Human Epidemics · · Score: 5, Informative

    FWIW, readers should always understand that when they read a news story they are getting a reporter's interpretation of an interview that itself attempts to simplify a larger story. Inevitably, this means that technical details don't survive the translation. To wit, on the second page of the proposal we write:

    > While it is tempting to repurpose the epidemiological models of infectious disease in humans [29], Internet pathogens are in fact quite different--they are authored by intelligent adversaries. Consequently, traditional stochastic analyses are highly fragile tools for predicting the dynamics or limitations of future outbreaks.

    For those actually interested in what our center is planning to do, I've made the proposal and the summary available. It also gives some insight into what an NSF grant proposal looks like for those who are curious.

    - Stefan

  24. Ah... back in the day on WebCrawler Turns 10 Today · · Score: 3, Interesting

    I remember back in 1994 WebCrawler was running on three machines in the corner of Sieg Hall 433. They were rigged up so one could reboot the others via a serial line, but occasionally that machine would crash too. That was when Brian would call in and say "Hey, Webcrawler is hung. Could you go reboot it?". I'm guessing this doesn't happen much at Google...

  25. Re:When random. . . isnt'. on Study on DoS Activity In The Internet · · Score: 2

    We tried to be quite clear that the methodology we used is generally conservative and likely underestimates the total number of attacks in the Internet.

    Without widespread monitoring it's impossible to know for sure how many attacks have the address uniformity property (that the victim sees an attack with source addresses uniformly distributed across all 2^32 addresses). In addition to the targeted spoofing you mention, ingress/egress filtering and reflector attacks also have the property that the source address profile is restricted and will not generate backscatter seen by us. While one could potentially produce a more complete estimate by extrapolating from data about how often such attacks are seen at a few monitored sites, the Internet is so diverse and varied that we had little faith in the quality of results derived in that way. Instead, we preferred to produce an underestimate that we were confident in.

    Frankly, most people we've shown our data to are surprised (as we were) at the level of DoS activity we found. That the true numbers may be significantly higher still only reinforces that feeling. Undoubtedly, some people had different expectations :-)
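The conservative-estimate argument in the comment above, as an added illustration that is not the poster's code or the study's: a constructed simulation in which a monitor owning a single /8 (assumed here to be the block with first octet 10) counts the replies a victim sends to spoofed source addresses, and scales that count by 256 to estimate the whole attack. When sources are uniform over 2^32 addresses the estimate is close to the truth; when the source profile is restricted to a prefix the monitor does not own (the egress-filtering or reflector case), the monitor sees nothing and the method underestimates.

```python
import random

# Constructed scenario (not from the study): the monitor owns one /8,
# i.e. every address whose first octet is 10. A /8 is 1/256 of the 2^32 space.
MONITOR_FIRST_OCTET = 10
MONITOR_FRACTION = 1 / 256


def monitor_sees(addr):
    """True if a 32-bit address falls inside the monitored /8."""
    return (addr >> 24) == MONITOR_FIRST_OCTET


def uniform_source(rng):
    """Spoofed source drawn uniformly from all 2^32 addresses
    (the 'address uniformity' property the backscatter method relies on)."""
    return rng.getrandbits(32)


def restricted_source(rng, first_octet=192):
    """Spoofed source confined to a /8 the monitor does not own, standing in
    for what survives egress filtering or a reflector's fixed source prefix."""
    return (first_octet << 24) | rng.getrandbits(24)


def observe_backscatter(n_packets, source_fn, rng):
    """Each attack packet carries one spoofed source; the victim answers that
    address, and the answer reaches the monitor only if the address lies in
    the monitored /8. Returns the number of replies the monitor observed."""
    return sum(1 for _ in range(n_packets) if monitor_sees(source_fn(rng)))


def extrapolate(observed):
    """Scale what a 1/256 telescope saw up to the whole address space."""
    return observed / MONITOR_FRACTION


def run(n_packets=100_000, seed=1):
    """Return (estimate for a uniform-source attack, estimate for a
    restricted-source attack), both against the same true size n_packets."""
    rng = random.Random(seed)
    uni = extrapolate(observe_backscatter(n_packets, uniform_source, rng))
    res = extrapolate(observe_backscatter(n_packets, restricted_source, rng))
    return uni, res


if __name__ == "__main__":
    uni, res = run()
    print(f"true size 100000: uniform estimate {uni:.0f}, restricted estimate {res:.0f}")
```

The restricted case returning zero is the mechanism behind the comment's point: such attacks are invisible to the telescope, so the published count can only be a lower bound.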