Re: Printers betray document secrets
R.A. Hettinga wrote: http://news.bbc.co.uk/2/low/technology/3753886.stm US scientists have discovered that every desktop printer has a signature style that it invisibly leaves on all the documents it produces. I don't think this is new - I'm pretty sure it was published about 6 or 7 years back as a technique. iang - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: Financial identity is *dangerous*? (was re: Fake companies, real money)
Hi John, John Kelsey wrote: Today, most of what I'm trying to defend myself from online is done as either a kind of hobby (most viruses), or as fairly low-end scams that probably net the criminals reasonable amounts of money, but probably don't make them rich. Imagine a world where there are a few hundred million dollars in untraceable assets waiting to be stolen, but only on Windows XP boxes with the latest patches, firewalls and scanners installed, and reasonable security settings. IMO, that's a world where every day is day zero. All bugs are shallow, given enough qualified eyeballs, and with that kind of money on the table, there would be plenty of eyeballs looking. We are way way past that point in security, phishing is happening on an industrial scale, and the virus, phish and spam people are united, or at least working together. Internet payment systems are being DDOS/extorted on a regular basis, and hack attempts are routine. We literally already have that world. And once it's done, several thousand early adopters are out thousands of dollars each. This isn't much of an advertisement for the payment system. It's anonymous and based on bearer instruments, so there's no way to run the fraudulent transactions back. The money's gone, and the attackers are richer, and the next, more demanding round of attacks has been capitalized. Again, we're well past that point. There have been hundreds and hundreds of payment systems out there, and maybe order of a thousand have failed by now, mostly due to business reasons. Some simply due to hacks and attacks, but it is rare, because: What happens is that beyond a certain threshold, the payment system delivers valuable payments. At that point, it starts getting attacked. If those attacks are survived, then it moves on to the next phase. Which would be more attacks of a different nature... (In fact, one seems to have failed in the last few days - EvoCash - and another is on the watch list for failure - DMT/Alta. Both of them suffered from business style attacks it seemed, rather than what we would call security hacks.) The notion that suddenly it's all over isn't what happens. It's a trickle, then it builds up to a flood. Some small hacks come in, and people either look at them or they don't. Those that are diligent and keep an eye on these things respond. Those that don't go out of business. There are more dead payment systems than people on this list, I'd guess, we do have plenty of experience in this. In practice, we've also seen what happens when money that gets stolen can't be traced or stopped. Even though not bearer, systems like e-gold are plenty anon enough, and they don't easily reverse. I doubt bearer systems would necessarily face a problem because of users losing their bearer tokens (but there are plenty of other problems out there like the rather hard insider theft problem). They also have to be able to do something about it. What would you tell a reasonably bright computer programmer with no particular expertise in security about how to keep a bearer asset as valuable as his car stored securely on a networked computer? If you can't give him an answer that will really work in a world where these bearer assets are common, you're just not going to get a widespread bearer payment system working, for the same reason that there's probably nobody jogging with an iPod through random the streets of Sadr City, no matter how careful they're being. When we get to that point, we will have an answer for him. I can assert that with a fair degree of confidence, because a) we can't ever get to that point until we have an answer, and b) we already have the answer, and have had it for a decade: store it on a trusted machine. Just say no to Windows XP. It's easy, especially when he's storing a bearer bond worth a car. iang - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: New IBM Thinkpad includes biometrics
On Wed, 13 Oct 2004, Anton Stiglic wrote: http://www.theregister.co.uk/2004/10/05/biometric_thinkpad_t42/ I wonder how well it can counter the attacks discussed by researchers in the last few years. Like reactivating a fingerprint authentication by breathing on the sensor's surface containing residue fat traces of the finger, or placing a bag of water. Or the jelly finger trick. The biometric authentication might very well make the laptop less secure than password-based authentication. --Anton The company I'm currently associated with (United Forensics) is currently working on this very question - I'll let everyone know when we have an answer. -- Yours, J.A. Terranson [EMAIL PROTECTED] 0xBD4A95BF An ill wind is stalking while evil stars whir and all the gold apples go bad to the core S. Plath, Temper of Time - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
[ISN] 2-Fingerprint Border ID System Called Inadequate
--- begin forwarded text Date: Tue, 19 Oct 2004 21:40:22 -0500 (CDT) From: InfoSec News [EMAIL PROTECTED] To: [EMAIL PROTECTED] Subject: [ISN] 2-Fingerprint Border ID System Called Inadequate Reply-To: [EMAIL PROTECTED] List-Id: InfoSec News isn.attrition.org List-Archive: http://www.attrition.org/pipermail/isn List-Post: mailto:[EMAIL PROTECTED] List-Help: mailto:[EMAIL PROTECTED] List-Subscribe: http://www.attrition.org/mailman/listinfo/isn, mailto:[EMAIL PROTECTED] Sender: [EMAIL PROTECTED] http://www.washingtonpost.com/wp-dyn/articles/A43276-2004Oct18.html By Robert O'Harrow and Jr. Scott Higham Washington Post Staff Writers October 19, 2004 Terrorists who alter their fingerprints have about an even chance of slipping past U.S. border watch-list checks because the government is using a two-fingerprint system instead of one that relies on all 10 prints, a lawmaker said in a letter he made public yesterday to Homeland Security Secretary Tom Ridge. Rep. Jim Turner (D-Tex.) wrote that a study by researchers at Stanford University concluded the two-finger system is no more than 53 percent effective in matching fingerprints with poor image quality against the government's biometric terrorist watch-list. Turner said the system falls far short of keeping the country secure. It's going to be a coin toss as to whether we can identify terrorists, Turner, the ranking member of the House Select Committee on Homeland Security, said in an interview yesterday. It's a 50-50 chance, and that's not good enough. Turner's Oct. 15 letter comes as government officials supervising the burgeoning border security system, known as US-VISIT, have been touting their use of fingerprints for identifying people crossing the border and checking them against watch lists of suspected terrorists. The US-VISIT program aims to create a virtual border using computer networks, databases, fingerprints and other biometric identifiers. The program requires foreign visitors to register their names before traveling to the United States and have their fingerprints checked when they arrive and depart. Officials estimate the system could cost up to $10 billion and take a decade to build. The border security program is relying on technology first developed for a program at the former Immigration and Naturalization Service called IDENT. Government officials have known for years that IDENT did not work well with the identification system used by the Justice Department, a 10-fingerprint system called the Integrated Automated Fingerprint Identification System. That system is known for producing good results, even with poor-quality fingerprint images, Turner's letter said. But homeland security officials have told Congress they decided to use the IDENT system for the first phase of US-VISIT as a way to quickly improve security at the borders, and move to a 10-fingerprint system later. It was a logistical issue we had to deal with, said Robert A. Mocny, deputy director of US-VISIT. It will get better. . . . It's a matter of what we can do right now. Turner's letter said the Department of Homeland Security ignored numerous warnings from the government's top biometric scientists that the two-fingerprint system could not accurately perform watch list searches and the ten-fingerprint system was far preferable. The letter quotes Stanford researcher Lawrence M. Wein, who said his study found that at best, with a software fix, the two-finger system would properly identify only about three of four people. Two weeks ago, Wein told the Homeland Security Committee that the implications of our findings are disturbing. Turner accused homeland security officials of failing to be more forthcoming about the limitations of their approach. Turner asked Ridge to direct homeland security officials to preserve all documents and electronic communications relating to their decision on fingerprints. I understand your desire to deploy biometric screening at our borders as quickly as possible, Turner said in his letter. But more than three years after the 9/11 attacks, we have invested more than $700 million in an entry-exit system that cannot reliably do what the Department so often said it would: Use a biometric watch-list to keep known terrorists out of the country. A spokesman for the Republican-controlled Homeland Security Committee, Ken Johnson, said the release of Turner's letter was driven by election-year politics. Johnson acknowledged that there are some concerns with the current system, but he said US-VISIT continues to evolve. In a perfect world, where money is not an issue, and people wouldn't mind spending countless hours or days at the border, the 10-fingerprint system would be preferable. But that's not reality, Johnson said. They're playing politics with some very sensitive issues. _ Open Source Vulnerability Database (OSVDB) Everything is Vulnerable - http://www.osvdb.org/ --- end forwarded
[ISN] Worldwide Phishing Attacks May Stem from Few Sources
--- begin forwarded text Date: Wed, 20 Oct 2004 01:41:32 -0500 (CDT) From: InfoSec News [EMAIL PROTECTED] To: [EMAIL PROTECTED] Subject: [ISN] Worldwide Phishing Attacks May Stem from Few Sources Reply-To: [EMAIL PROTECTED] List-Id: InfoSec News isn.attrition.org List-Archive: http://www.attrition.org/pipermail/isn List-Post: mailto:[EMAIL PROTECTED] List-Help: mailto:[EMAIL PROTECTED] List-Subscribe: http://www.attrition.org/mailman/listinfo/isn, mailto:[EMAIL PROTECTED] Sender: [EMAIL PROTECTED] http://www.eweek.com/article2/0,1759,1679953,00.asp By Dennis Fisher October 19, 2004 Research from an e-mail security provider suggests that a handful of people are responsible for the vast majority of the phishing attacks on the Internet and the perpetrators are using a rotating series of zombie networks to launch them. Researchers at CipherTrust Inc. analyzed more than four million e-mails collected from the company's customers during the first two weeks of October and found that nearly a third of all of the zombie machines sending the phishing messages are based in the United States. That's twice as many as the 16 percent that are found in South Korea. However, these findings do not mean that these attacks are originating from inside these countries. The global nature of the Internet allows attackers anywhere in the world to compromise machines in any location. In fact, many experts believe that the majority of phishers are in some way connected to organized crime groups in Russia or Eastern Europe and that most such attacks begin there. The most surprising conclusion of the research is that the attackers sending out the phishing messages are using zombie networks of only about 1,000 PCs. That's a pretty small bot network for the volume of stuff that these guys are doing, said Dmitri Alperovitch, the research engineer at Atlanta-based CipherTrust Inc. who conducted the study. But the trick is that they rotate to a different set of compromised machines each day. They don't keep going to the same ones each time. Crackers for years have been accumulating large networks of machines compromised with small programs that give them the ability to control the PCs remotely. They routinely sell or trade access to the networks to others in the cracker underground and the PCs typically are used either for launching DDoS (distributed denial of service attacks). But as authorities began cracking down on spammers in recent years, the spammers have begun relying on these networks to send out their messages, too. Now, phishers have gotten into the game. Alperovitch said that there are fewer than five operators in control of the zombie networks that he identified in his research. And, even though they're generating thousands of fraudulent e-mails every day, their output was still a tiny fraction.less than one percent--of the four million messages CipherTrust examined. Phishers seem to be concentrating their efforts on a few high-profile targets, as well. In the sample CipherTrust looked at, 54 percent of the phishing messages used CitiGroup's Citibank name to entice recipients. Another 13 percent use Citigroup Global Markets Inc.'s Smith Barney's brand and eBay Inc. is the victim in about four percent of the scams. _ Open Source Vulnerability Database (OSVDB) Everything is Vulnerable - http://www.osvdb.org/ --- end forwarded text -- - R. A. Hettinga mailto: [EMAIL PROTECTED] The Internet Bearer Underwriting Corporation http://www.ibuc.com/ 44 Farquhar Street, Boston, MA 02131 USA ... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience. -- Edward Gibbon, 'Decline and Fall of the Roman Empire' - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: Financial identity is *dangerous*? (was re: Fake companies, real money)
-- On 19 Oct 2004 at 21:30, Ian Grigg wrote: (In fact, one seems to have failed in the last few days - EvoCash - and another is on the watch list for failure - DMT/Alta. Both of them suffered from business style attacks it seemed, rather than what we would call security hacks.) To clarify, EvoCash was subjected to DDoS attacks, and persistent attack upon its reputation, both of these seemingly originating from the operator of a ponzi scheme, presumably for the purposes of extortion. we already have the answer, and have had it for a decade: store it on a trusted machine. Just say no to Windows XP. It's easy, especially when he's storing a bearer bond worth a car. What machine, attached to a network, using a web browser, and sending and receiving mail, would you trust? --digsig James A. Donald 6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG hrZ6lTrAZYICXnGqF8vLx7tZ1wcjKkoF7d/jKJbF 4WFPME/Dy9Losvs1g9ZsxwxI0oIYThq0dwJCNpLX9 - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: Printers betray document secrets
At 05:23 PM 10/18/2004, R.A. Hettinga wrote: http://news.bbc.co.uk/2/low/technology/3753886.stm It turns out that their techniques aren't all that useful. Changing laser printer cartridges changes the results. You might find that two documents were printed by the same printer, but it doesn't give you the options for tracking it down that manual typewriters did. And the differences don't identify a specific printer in a way that can be tracked, e.g. identifying a serial number that could be looked up from warranty records. It's not clear that they work at all with inkjet printers, and changing ink cartridges is even more common than changing laser printer cartridges. If you're sloppy, you've probably got a bunch of partly-used cartridges around, so even if you want to print out a bunch of ransom notes or whatever, you don't even have to go to Kinko's to get them to be different. If printer makers want to build in watermarking to make everything they print traceable, the way many of them check for documents that look like money and don't print them, they could hide patterns that survive cartridge changes (would you notice a few inverted pixels on a 600x600dpi printout?) But even then, inkjet printers are dirt cheap; when they're on sale, they're essentially a free enclosure in a box of overpriced printer cartridges, so even of the printer wants to rat out the user and it's not easy to change the serial number PROM, you can just replace the printer. Bill Stewart [EMAIL PROTECTED] - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: Printers betray document secrets
At 10:44 PM -0700 10/20/04, Bill Stewart wrote: At 05:23 PM 10/18/2004, R.A. Hettinga wrote: http://news.bbc.co.uk/2/low/technology/3753886.stm It's not clear that they work at all with inkjet printers, and changing ink cartridges is even more common than changing laser printer cartridges. If you're sloppy, you've probably got a bunch of partly-used cartridges around, so even if you want to print out a bunch of ransom notes or whatever, you don't even have to go to Kinko's to get them to be different. If you're really concerned about this, buy a cheap inkjet, use it for your purposes, then destroy it. -- -- Marshall Marshall Clow Idio Software mailto:[EMAIL PROTECTED] It is by caffeine alone I set my mind in motion. It is by the beans of Java that thoughts acquire speed, the hands acquire shaking, the shaking becomes a warning. It is by caffeine alone I set my mind in motion. - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Article on Echelon on Techworld...
I saw this on /.: http://www.techworld.com/storage/news/index.cfm?NewsID=2430 -- Perry E. Metzger[EMAIL PROTECTED] - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: Financial identity is *dangerous*? (was re: Fake companies, real money)
James A. Donald wrote: we already have the answer, and have had it for a decade: store it on a trusted machine. Just say no to Windows XP. It's easy, especially when he's storing a bearer bond worth a car. What machine, attached to a network, using a web browser, and sending and receiving mail, would you trust? None. But a machine that had one purpose in life: to manage the bearer bond, that could be trusted to a reasonable degree. The trick is to stop thinking of the machine as a general purpose computer and think of it as a platform for one single application. Then secure that machine/OS/ stack/application combination. Oh, and make it small enough to fit in the pocket, put a display *and* a keypad on it, and tell the user not to lose it. iang - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: Printers betray document secrets
US scientists have discovered that every desktop printer has a signature style that it invisibly leaves on all the documents it produces. I don't think this is new - I'm pretty sure it was published about 6 or 7 years back as a technique. A couple of years ago, I was told that *every* Canon laser engine generated a unique microprint signature that could be traced back to a particular device. OEMs could buy the engine with or without the signature. If so, this has been going on, surruptitiously, for years. /r$ -- Rich Salz Chief Security Architect DataPower Technology http://www.datapower.com XS40 XML Security Gateway http://www.datapower.com/products/xs40.html XML Security Overview http://www.datapower.com/xmldev/xmlsecurity.html - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: Printers betray document secrets
| It turns out that their techniques aren't all that useful. | Changing laser printer cartridges changes the results. | You might find that two documents were printed | by the same printer, but it doesn't give you the | options for tracking it down that manual typewriters did. Actually, they say they can identify the make and model - which is about all you could do with a typewriter. Going further, in either case, means tying a particular piece of text to a particular writing instrument to which you have gained access. Changing printer cartridges will certainly work, but then again simply replac- ing the typewriter will, too. Any identification of physical objects can only work as long as the physical object isn't replaced. In practice, there's a great deal of inertia in replacing physical objects, for cost, convenience, and other reasons. So such identifications may still be useful. | And the differences don't identify a specific printer | in a way that can be tracked, e.g. identifying a serial number | that could be looked up from warranty records. A bullet can't be tied to a gun's serial number, but that doesn't make it useless to examine bullets. | It's not clear that they work at all with inkjet printers, | and changing ink cartridges is even more common than | changing laser printer cartridges. The technique is based on variations in dot pattern that ultimately come down to small variations in mechanical parts, usually the gears that drive the paper. Laser printer cartridges are deliberately designed so that (just about) all moving/wearing parts are part of the cartridge. So most variations in the results are necessarily tied to the cartridge. That's not true for ink jets. While the paper describing all this isn't yet available, from what is published I don't think they are making any claims about inkjets, just laser printers. However, they seem to believe the same general approach - look for variations due to variations in manufacture that don't produce artifacts that are visible to the naked eye, so don't need to be and hence are not controlled - would work. Whether the source of the variation would be in the ink cartridge or in the fixed mechanicals, who can say at this point. | If you're sloppy, | you've probably got a bunch of partly-used cartridges around, | so even if you want to print out a bunch of ransom notes | or whatever, you don't even have to go to Kinko's | to get them to be different. | | If printer makers want to build in watermarking to | make everything they print traceable, the way many of them | check for documents that look like money and don't print them, | they could hide patterns that survive cartridge changes | (would you notice a few inverted pixels on a 600x600dpi printout?) Actually, this would probably be noticable in certain pictures. But slight variations in pixel spacing - which is what these guys look for - is not visible. (In fact, the origin of this work seems to have been work in the opposite direction: Early laser printers had a problem with banding, due to periodic variations in paper movement causing variations in pixel spacing. The trick was to find out how much variation you could allow without visible artifacts and then get to that level cheaply. But there is still plenty of variation left for appropriate software to find.) You could probably play games with pixel sizes, too. | But even then, inkjet printers are dirt cheap; | when they're on sale, they're essentially a free enclosure | in a box of overpriced printer cartridges, | so even of the printer wants to rat out the user and | it's not easy to change the serial number PROM, | you can just replace the printer. One could say the same about most physical objects that end up being used for identification. You would think that fibers would be useless for identification, for example - you can always throw out the clothing you were wearing and buy a new tee shirt. Still ... the real world has a great deal of inertia. -- Jerry - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: Financial identity is *dangerous*? (was re: Fake companies, real money)
James Donald writes: On 19 Oct 2004 at 21:30, Ian Grigg wrote: we already have the answer, and have had it for a decade: store it on a trusted machine. Just say no to Windows XP. It's easy, especially when he's storing a bearer bond worth a car. What machine, attached to a network, using a web browser, and sending and receiving mail, would you trust? I would suggest pursuing work along the lines of a Virtual Machine Monitor (VMM) like VMWare. This way you can run a legacy OS, even Windows, alongside a high security simplified OS which handles your transactions. You run your regular buggy OS as usual, then hit a function key to switch into secure mode, which enables access to your financial data. The VMM does introduces some performance overhead but for typical web browsing and email tasks it will not be significant. This seems more promising than waiting for Windows to become secure, or for everyone to switch to Linux. I believe there are a number of academic projects along these lines, for example the Terra project, http://www.stanford.edu/~talg/papers/SOSP03/abstract.html , which uses a hardware security chip to try to protect one VM's data from another. I don't know if the extra complexity buys you much in this application though. Hal Finney - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Are new passports [an] identity-theft risk?
http://worldnetdaily.com/news/printer-friendly.asp?ARTICLE_ID=41030 WorldNetDaily Thursday, October 21, 2004 YOUR PAPERS, PLEASE Are new passports identity-theft risk? Privacy advocates warn data chips can be 'seen' by anyone with reader Posted: October 21, 2004 5:00 p.m. Eastern While the U.S. State Department prepares to switch over to passports that include embedded data chips, privacy experts worry the new technology will open Americans to identity theft and fraud. New passports will be fitted with chips using RFID, or radio frequency identification, technology. Reader devices at borders and customs checkpoints will be able to read the information stored on the chip, including the person's name, address and digital photo. Kelly Shannon is a spokesperson for the State Department. She told Wired News: The reason we are doing this is that it simply makes passports more secure. It's yet another layer beyond the security features we currently use to ensure the bearer is the person who was issued the passport originally. RFID technology has been used for tracking everything from store inventory to family members visiting an amusement park. It is also used in the Digital Angel human implant that recently was approved by the FDA for storing medical information. Wired reports civil libertarians and some technologists say the passport chips are actually a boon to identity thieves, stalkers and commercial data collectors, since anyone with the proper reader can download a person's biographical information and photo from several feet away. Even if they wanted to store this info in a chip, why have a chip that can be read remotely? Barry Steinhardt, who directs the American Civil Liberty Union's Technology and Liberty program, asked Wired. Why not require the passport be brought in contact with a reader so that the passport holder would know it had been captured? Americans in the know will be wrapping their passports in aluminum foil. Last week, the government contracted with four companies to develop the chips and readers for the program. The report stated diplomats and State Department employees will be issued the new passports as early as January, while others applying for new passports will receive the new version starting in the spring. Electronic Frontier Foundation attorney Lee Tien told Wired RFID chips in passports are a privacy horror and would be even if the data were encrypted, which it isn't. If 180 countries have access to the technology for reading this thing, whether or not it is encrypted, from a security standpoint, that is a very leaky system, Tien said. Strictly from a technology standpoint, any reader system, even with security, that was so widely deployed and accessible to so many people worldwide will be subject to some very interesting compromises. An engineer and RFID expert with Intel claims there is little danger of unauthorized people reading the new passports. Roy Want told the newssite: It is actually quite hard to read RFID at a distance, saying a person's keys, bag and body interfere with the radio waves. -- - R. A. Hettinga mailto: [EMAIL PROTECTED] The Internet Bearer Underwriting Corporation http://www.ibuc.com/ 44 Farquhar Street, Boston, MA 02131 USA ... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience. -- Edward Gibbon, 'Decline and Fall of the Roman Empire' - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]