Re: Question on the state of the security industry (second half not necessarily on topic)
I recently had the same trouble with the Centers for Disease Control (CDC), who were calling around to follow up on infant influenza inoculations given last fall. Ultimately, they wanted me to provide authorization to them to receive HIPAA-protected patient records from my son's pediatrician, and I couldn't figure out how to get them to definitively persuade me that they were really the CDC, who I was willing to be so authorized. Such research MAY be appropriate, and in this case, I'm a believer in the flu shots, and am generally supportive. But, while I could (and had to) identify myself to them (it was a random-number dial canvass), they had no way, short of giving me an 800 number to call (with obvious trust bootstrap problems with that), to get past it. Eventually, I found enough information on the CDC websites (assuming that DNS wasn't hacked, that my ISP wasn't redirecting my http queries to a Russian web site, and that the CDC site hadn't been hacked) to cooperate (talked with 2 supervisors, 5 follow-up canvassers, etc.)

This is a problem that "real life" has. This sort of problem has been around since telephones came into existence (I didn't think to check the caller-id on the call, presuming it would point me to a call center located somewhere on the planet). We cope. And when the annoyance gets too bad, we kvetch, pass laws, and file lawsuits. Isn't that pretty much what's happening, now?

Thought-control countries present separate problems (whether that's the Patriot Act or the Chinese censorship of SMS messages). For them, we have to rely on the Internet to route around censorship. And facilitate alternate routes (silent ones?) when the routers are own3d by the censors. (sorry - cross-over to another thread).

Ed

>>> Dave Howe <[EMAIL PROTECTED]> 7/3/2004 8:22:56 PM >>>
> Joseph Ashwood wrote:
> > I am continually asked about spam, and I personally treat phishing as a
> > subset of it, but I have seen virtually no interest in correcting the
> > problem. I have personally been told I don't even know how many times that
> > phishing "is not an issue."
>
> Well if nothing else, it is impossible for my bank to send me anything I would believe via email now.
>
> To take this even slightly more on-topic - does anyone here have a bank capable of authenticating themselves to you when they ring you? I have had four phone calls from my bank this year, all of which start out by asking me to identify myself to them. When I point out that they must know who I am - as they just phoned me - and that I have no way of knowing who they are, they are completely lost (probably takes them away from the little paper script pinned to their desk)

- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Use cash machines as little as possible
http://www.thisislondon.com/news/business/articles/timid80044?source=
http://www.thisismoney.com/20040704/nm80044.html

ONE of Britain's biggest banks is asking customers to use cash machines as little as possible to help combat soaring card fraud. ... snip ..

Anne & Lynn Wheeler
http://www.garlic.com/~lynn/
Using crypto against Phishing, Spoofing and Spamming...
Following some of our discussions on this list, I tried to think more seriously on how crypto could be used for the basic current security threats of spoofing, phishing and spamming. Preliminary write-ups of the results are available in the following (or from my homepage):

# Protecting (even) Naïve Web Users, or: Preventing Spoofing and Establishing Credentials of Web Sites, at http://www.cs.biu.ac.il/~herzbea/Papers/ecommerce/trusted%20credentials%20area.PDF

# Controlling Spam by Secure Internet Content Selection, at http://www.cs.biu.ac.il/~herzbea/Papers/ecommerce/spam.pdf

I believe many of you will find some interest in (criticizing?) the new ideas and proposals, and I'll be very grateful for any feedback; the works already benefited a lot from some discussions on this list, including some of you who asked me essentially to `write up your ideas`.

I am also very interested in working with potential implementors; I am already working on implementations with students, but, additional and potentially more experienced developers may help us turn some of these ideas into reality.

BTW, I'm already using the anti-spamming mechanism (trusted logo and credentials area) we developed for Mozilla, and it works great; I hope we'll feel soon confident enough with the code so we'll be able to put it in the public domain. Experienced Mozilla developers who will be willing to help test and evaluate the code are invited to contact me.

--
Best regards,
Amir Herzberg
Associate Professor, Computer Science Dept., Bar Ilan University
http://AmirHerzberg.com (information and lectures in cryptography & security)
Re: Question on the state of the security industry
[EMAIL PROTECTED] wrote:
> I shared the gist of the question with a leader of the Anti-Phishing Working Group, Peter Cassidy.

Thanks Dan, and thanks Peter, ... I think we have that situation. For the first time we are facing a real, difficult security problem. And the security experts have shot their wad.

--- Part One (just addressing Part one in this email)

> I think the reason that, to date, the security community has been largely silent on phishing is that this sort of attack was considered a confidence scheme that was only potent against dim-wits - and we all know how sympathetic the IT security/cryptography community is to those with less than powerful intellects.

OK. It could well be that the community has an inbuilt bias against protecting those that aren't able to protect themselves. If so, this would be cognitive dissonance on a community scale: in this case, SSL, CAs, browsers are all set up to meet the goal of "totally secure by default." Yet, we know there aren't any secure systems, this is Adi Shamir's 1st law. http://www.financialcryptography.com/mt/archives/000147.html

Ignoring attacks on dimwits is one way to meet that goal, comfortably. But, let's go back to the goal. Why has it been set? Because it's been widely recognised and assumed that the user is not capable of dealing with their own security. In fact, in its lifetime over the last decade, browsers have migrated from a "ternary security rating" presented to the user, to wit, the old 40 bit crypto security, to a "binary security rating," confirming the basic principle that users don't know and don't care, and thus the secure browsing model has to do all the security for the user. Further, they've been protected from the infamous half-way house of self-signed certs, presumably because they are too dim-witted to recognise when they need less or more security against the evil and pervasive MITM. http://www.iang.org/ssl/mallory_wolf.html

Who is thus a dimwit. And, in order to bring it together with Adi's 1st law, we ignore attacks on dimwits (or in more technical terms, we assume that those attacks are outside the security model). (A further piece of evidence for this is a recent policy debate conducted by Frank Hecker of Mozilla, which confirmed that the default build and root list for distribution of Mozilla is designed for users who could not make security choices for themselves.) So, I think you're right.

> Also, it is true, it was considered a
> sub-set of SPAM.

And? If we characterise phishing as a sub-set of spam, does this mean we simply pass the buck to anti-spam vendors? Or is this just another way of cataloging the problem in a convenient box so we can ignore it? (Not that I'm disagreeing with the observation, just curious as to where it leads...)

> The reliance on broadcast spam as a vehicle for consumer data recruitment is remaining but the payload is changing and, I think, in that advance is room for important contributions by the IT security/cryptography community. In a classic phishing scenario, the mark gets a bogus e-mail, believes it and surrenders his consumer data and then gets a big surprise on his next bank statement. What is emerging is the use of spam to spread trojans to plant key-loggers to intercept consumer data or, in the future, to silently mine it from the consumer's PC. Some of this malware is surprisingly clever. One of the APWG committeemen has been watching the development of trojans that arrive as seemingly random blobs of ASCII that decrypt themselves with a one-time key embedded in the message - they all go singing straight past anti-virus.

This is actually much more serious, and I've noticed that the media has picked up on this, but the security community remains characteristically silent.

> What is happening now is that we are getting much more complex attacks - and viruses are being deployed for commercial theft rather than spyware - information theft - or ego proofs.

This feels like the nightmare scenario, but I suppose it's ok because it only happens to dimwits? (On another note, as this is a cryptography list, I'd encourage Peter and Dan to report on the nature of the crypto used in the trojans!)

> Since phishing, when successful, can return real money the approaches will become ever more sophisticated, relying far less on deception and more on subterfuge.

I agree this is to be expected. Once a revenue stream is earnt, we can expect that money to be invested back into areas that are fruitful. So we can expect much more and more complex and difficult attacks. I.e., it's only just starting.

--- Part Two

iang
Re: Question on the state of the security industry (second half not necessarily on topic)
Joseph Ashwood wrote:
> I am continually asked about spam, and I personally treat phishing as a subset of it, but I have seen virtually no interest in correcting the problem. I have personally been told I don't even know how many times that phishing "is not an issue."

Well if nothing else, it is impossible for my bank to send me anything I would believe via email now.

To take this even slightly more on-topic - does anyone here have a bank capable of authenticating themselves to you when they ring you? I have had four phone calls from my bank this year, all of which start out by asking me to identify myself to them. When I point out that they must know who I am - as they just phoned me - and that I have no way of knowing who they are, they are completely lost (probably takes them away from the little paper script pinned to their desk)
md5 cracking for short texts
These folks have a service that will find the text that hashed to an MD5 if the text is less than or equal to 8 characters in length and matches [0-9a-z]+

http://passcracking.com/

--
Perry E. Metzger [EMAIL PROTECTED]
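As an added example (mine, not part of Perry's post or the service's own code): this Python sizes the search space the post describes, [0-9a-z] up to 8 characters, estimates how long one pass over that space takes at an assumed hash rate, and shows why a per-value random salt puts even a very short text outside what a precomputed lookup service can match. The hash rate and the sample string are constructed assumptions.

```python
import hashlib
import os
import re

# Character class and length limit exactly as stated in the post.
CHARSET = "0123456789abcdefghijklmnopqrstuvwxyz"
MAX_LEN = 8
SEARCHABLE = re.compile(r"[0-9a-z]{1,%d}" % MAX_LEN)


def searchable_space_size(max_len: int = MAX_LEN) -> int:
    """Number of strings of length 1..max_len over CHARSET, i.e. sum of 36**k."""
    return sum(len(CHARSET) ** k for k in range(1, max_len + 1))


def hours_to_exhaust(hashes_per_second: float, max_len: int = MAX_LEN) -> float:
    """Wall-clock hours to hash the whole space once at the given rate.
    The rate is an assumption supplied by the caller, not a measurement."""
    return searchable_space_size(max_len) / hashes_per_second / 3600.0


def in_searchable_class(text: str) -> bool:
    """True if an unsalted MD5 of `text` lies inside the space such a
    service can cover exhaustively (lowercase alphanumerics, 1..8 chars)."""
    return SEARCHABLE.fullmatch(text) is not None


def md5_hex(text: str) -> str:
    """Plain MD5 of the text: deterministic, so any precomputed table applies."""
    return hashlib.md5(text.encode("ascii")).hexdigest()


def salted_md5_hex(text: str, salt: bytes) -> str:
    """MD5 over salt||text. With a fresh random salt per value, a table built
    from hash(text) alone no longer matches, however short the text is."""
    return hashlib.md5(salt + text.encode("ascii")).hexdigest()


if __name__ == "__main__":
    print("searchable strings:", searchable_space_size())  # 2901713047668
    print("hours at 1e6 MD5/s (assumed rate):", round(hours_to_exhaust(1e6), 1))
    sample = "abc123"  # constructed sample value inside the searchable class
    print(sample, "in class:", in_searchable_class(sample), md5_hex(sample))
    s1, s2 = os.urandom(8), os.urandom(8)
    print("salted digests differ:", salted_md5_hex(sample, s1) != salted_md5_hex(sample, s2))
```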
Re: US Court says no privacy in wiretap law
William Allen Simpson wrote:
> Switches, routers, and any intermediate computers are fair game for warrantless wiretaps.

It seems privacy and free speech are becoming lost concepts worldwide. This just came out today: http://www.taipeitimes.com/News/worldbiz/archives/2004/07/03/2003177559

So not only does China mercilessly filter the Internet for their residents (several weeks ago, they blocked access to Wikipedia), now they also filter SMSs. North Korea chose not to bother altogether, and after introducing cell phone service a year and a half ago, recently shut it down completely for "fear of too much foreign influence". I need not say international calls were blocked, both inbound and outbound, during the period the network was operational.

Is there nothing that can be done about any of this? Do we just stand by, watching some of our most important human rights go to shit? This sets my blood boiling like very few other things.

Caustically embittered,
Ivan.