Re: Can you help develop crypto anti-spoofing/phishing tool ?

2005-02-08 Thread Ed Gerck

Amir Herzberg wrote:
> Ed Gerck responded to me:
> > Can you trust what trustbar shows you?
> This trust translates to:
> -- Trusting the TrustBar code (which is open source so can be validated
> by tech-savvy users / sys-admin)
> -- Trusting that this code was not modified (same as for any other
> aspect of your machine)
> -- Trusting the CA - well, not exactly; TrustBar allows users to specify
> for each CA whether the user is willing to display logos/names from this
> CA automatically, or wants to be asked for each new site. Only if the
> user selects `display logo/name automatically`, then he really trusts
> the CA in this regard, and still the brand (logo) of the CA appears (for
> accountability). I'll admit, though, that currently VeriSign is
> `trusted` in this respect by default (of course user can change this
> easily).
In other words, if trustbar can be verified it can be trusted.
Redundancy is useful to qualify trust in information. Trusting the trustbar
code might be hard to qualify by itself (ie, source code verification) but
redundancy helps here [1]. Trust increases if the two channels trustbar and
browser CA status [2] agree with each other. Trustbar can become a trusted
verifier after positively checking with the browser CA status.
This would also help prevent one-sided attacks on trustbar, as one would need
to attack both trustbar and browser CA status.
Cheers,
Ed Gerck
[1] This is also my solution to the famous trust paradox proposed by Ken
Thompson in his "Reflections on Trusting Trust". Trust is earned, not
given. To trust Ken's code, I would first ask two or more programmers (who
I choose) to code the same function and submit their codes to tests. If they
provide the same answers for a series of inputs, including random inputs,
I would have a qualification for trusting (or not) Ken's code. This works
even without source code. Trust is not in the thing, it's how the thing works.
[2] Mozilla already shows the signing CA name when the mouse is over the lock
symbol in SSL. This is more readily visible than clicking with the right-button
and reading the cert.
-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
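The redundancy argument in Ed Gerck's message and the comparison test sketched in footnote [1] can be turned into a small harness. The following is an added example, not code from the original post: it qualifies an opaque implementation by checking that it agrees with independently written references on a series of fixed and random inputs. The function under test (a CRC-32, with a constructed defect in crc32_suspect) and all names are assumptions chosen to keep the example self-contained.

```python
import random
import zlib
from typing import Callable, Iterable, List

Impl = Callable[[bytes], int]

def crc32_bitwise(data: bytes) -> int:
    """Reference #1 (constructed): CRC-32 computed bit by bit."""
    crc = 0xFFFFFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ (0xEDB88320 if crc & 1 else 0)
    return crc ^ 0xFFFFFFFF

def crc32_stdlib(data: bytes) -> int:
    """Reference #2: the same function from an independent code base."""
    return zlib.crc32(data) & 0xFFFFFFFF

def crc32_suspect(data: bytes) -> int:
    """Implementation whose trust is to be qualified. Constructed: it has a
    deliberate defect on inputs ending in a NUL byte, so there is something
    for the comparison to find."""
    result = crc32_bitwise(data)
    if data and data[-1] == 0x00:
        result ^= 1
    return result

def differential_test(suspect: Impl, references: Iterable[Impl],
                      inputs: Iterable[bytes]) -> List[bytes]:
    """Return every input on which the suspect disagrees with the references
    or the references disagree with each other; an empty list means the
    redundant channels agreed everywhere and the suspect is qualified."""
    refs = list(references)
    failures = []
    for x in inputs:
        ref_outputs = {r(x) for r in refs}
        if len(ref_outputs) != 1 or suspect(x) not in ref_outputs:
            failures.append(x)
    return failures

def make_inputs(seed: int = 1, n: int = 200) -> List[bytes]:
    """Fixed edge cases plus reproducible random byte strings."""
    rng = random.Random(seed)
    fixed = [b"", b"a", b"hello", b"\x00", b"abc\x00"]
    rand = [bytes(rng.randrange(256) for _ in range(rng.randrange(64)))
            for _ in range(n)]
    return fixed + rand
```

Calling differential_test(crc32_suspect, [crc32_bitwise, crc32_stdlib], make_inputs()) returns exactly the inputs whose last byte is NUL, while the same call with crc32_bitwise as the suspect returns an empty list.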


Identity thieves can lurk at Wi-Fi spots

2005-02-08 Thread R.A. Hettinga


USA Today

Identity thieves can lurk at Wi-Fi spots
By Jon Swartz, USA TODAY
SAN FRANCISCO - Coffee shop Web surfers beware: An evil twin may be lurking
near your favorite wireless hotspot.

Thieves are using wireless devices to impersonate legitimate Internet
access points to steal credit card numbers and other personal information,
security experts warn.

So-called evil-twin attacks don't require technical expertise. Anyone armed
with a wireless laptop and software widely available on the Internet can
broadcast a radio signal that overpowers the hot spot. Then, masquerading as
the real thing, they view the activities of wireless users within several
hundred feet of the hot spot.

How to avoid an 'evil twin'? Install personal firewall and security
patches. Use hot spots for Web surfing only. Enter passwords only into Web
sites that include an SSL key at bottom right. Turn off or remove wireless
card if you are not using a hot spot. Avoid hot spots where it's difficult
to tell who's connected, such as at hotels and airport clubs. If hot spot
is not working properly, assume password is compromised. Change password
and report incident to hot spot provider. Do not use insecure applications
such as e-mail and instant messaging while at hot spots.
Source: AirDefense

"It could be someone sitting next to you on a plane or in a parking lot
across the street from a coffee shop," says Jon Green, director of
technical marketing at Aruba Wireless Networks, which makes
radio-wave-scanning equipment that detects and shuts down bogus hot spots.

"Wireless networks are wide open," says Steve Lewack, director of
technology services for Columbus Regional Medical Center in Columbus, Ga.

The facility uses software and sensors to monitor 480 wireless devices used
by medical personnel at 110 access points. Last month, it stopped about 120
attempts to steal financial information from medical personnel and patients
- double the number of incidents from a few months earlier.

The recent surge in evil-twin attacks parallels phishing scams - fraudulent
e-mail messages designed to trick consumers into divulging personal
information. Though the problem is in its infancy, it has caught the
attention of some businesses heavily dependent on wireless communications.

But most consumers aren't aware of the threat, security expert Green says.

Wi-Fi, or wireless Internet, sends Web pages via radio waves. Hot spots are
an area within range of a Wi-Fi antenna.

As the technology has grown - there are now about 20,000 hot spots in the
USA, up from 12,000 a year ago - so too have security concerns. Anil
Khatod, CEO of AirDefense, a maker of software and sensors, estimates
break-ins number in the hundreds each month in the USA.

Companies employing hundreds of people with wireless laptops are especially
vulnerable to evil-twin scams. When a worker's information is filched, it
can expose a corporate network.

"It presents a serious, hidden danger to Web users," says Phil Nobles, a
wireless-security expert at Cranfield University in England who has
researched the threat. "It's hard to nab the perpetrator, and the victim
has no idea what happened."

-- 
-
R. A. Hettinga 
The Internet Bearer Underwriting Corporation 
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'



Re: link-layer encryptors for Ethernet?

2005-02-08 Thread Steven M. Bellovin
In message <[EMAIL PROTECTED]>, Russell Nelson writes:
>Steven M. Bellovin writes:
> > Are there any commercial link-layer encryptors for Ethernet available?  
> > I know that Xerox used to make them, way back when, but are there any 
> > current ones, able to deal with current speeds (and connectors)?
>
>Given the price of gigE, it's hard to say that a 100Mbps adapter is
>"current", but Intel has one with 3DES.  I recently went through my
>collection and threw out about a hundred antique (ISA / MCA) Ethernet
>cards, but I kept all the PCI ones.  With sufficient inducement I
>could go grovelling through the Intel ones to get you a part number.
>

Hmm -- I thought that the Intel encrypting NIC cards were for IPsec, 
not link encryption.

--Prof. Steven M. Bellovin, http://www.cs.columbia.edu/~smb





Re: link-layer encryptors for Ethernet?

2005-02-08 Thread Russell Nelson
Steven M. Bellovin writes:
 > Are there any commercial link-layer encryptors for Ethernet available?  
 > I know that Xerox used to make them, way back when, but are there any 
 > current ones, able to deal with current speeds (and connectors)?

Given the price of gigE, it's hard to say that a 100Mbps adapter is
"current", but Intel has one with 3DES.  I recently went through my
collection and threw out about a hundred antique (ISA / MCA) Ethernet
cards, but I kept all the PCI ones.  With sufficient inducement I
could go grovelling through the Intel ones to get you a part number.

-- 
--My blog is at angry-economist.russnelson.com  | The laws of physics cannot
Crynwr sells support for free software  | PGPok | be legislated.  Neither can
521 Pleasant Valley Rd. | +1 315-323-1241 cell  | the laws of countries.
Potsdam, NY 13676-3213  | +1 212-202-2318 VOIP  | 
