FSTC Call for Participation: Counter-Phishing Phase I
--- begin forwarded text

Date: Wed, 02 Jun 2004 17:17:48 -0400
From: Jim Salters [EMAIL PROTECTED]
Subject: FSTC Call for Participation: Counter-Phishing Phase I
To: [EMAIL PROTECTED]

To: FSTC Members and Friends
From: Jim Salters, Director of Tech Initiatives and Project Development

We are pleased to issue this call for participation in FSTC's Counter-Phishing Phase I initiative. You can download the project prospectus at: http://fstc.org/projects/new.cfm#phishing .

The cost to financial institutions for this 5-month project is $20,000, and technology companies $15,000. These project fees are tiered by the same percentage as FSTC's membership tiers (see below). Participation commitments are requested by June 18th.

An informational conference call has been scheduled for: Wednesday June 9th, 2pm EDT, 512-225-3050, 71782#

__

Project Summary:

FSTC proposes to launch a three-phase initiative to address the problem of phishing in financial services as it affects the relationship between customer and firm. In collaboration with other industry groups, FSTC will focus on defining the unique technical and operating requirements of financial institutions (FIs) for counter-phishing measures; investigating counter-phishing technical solutions, proving and piloting solution sets enabled by technology to determine their fit against FI criteria and requirements; and clarifying the infrastructure fit, requirements, and impact of these technologies when deployed in concert with customer education, enforcement and other industry initiatives. Phase 1 will last five months.

Principal deliverables for Phase 1 comprise knowledge statements and options, recommendations, and plans for implementations, including:

* A registry of current and known future phishing threats, vulnerabilities and attack models
* A cost/impact framework for the assessment of counter-phishing options
* A taxonomy of phishing
* A comprehensive inventory of available solution sets
* The financial services operating criteria and technical requirements for counter-phishing solutions
* A compendium of proposals to pilot, test and evaluate promising solutions, with implementation, test and resource plans
* A test plan and evaluation criteria
* An executive summary and recommendations for quick-hit implementations, if any; new tools development; and design of dynamic technical monitoring and threat updating capability

__

Project Fees:

Financial Institutions:
  $20,000  Assets over $100 billion (including affiliates)
  $16,000  Assets from $50 to $99 billion (including affiliates)
  $12,000  Assets from $20 to $49 billion (including affiliates)
  $4,400   Assets under $19 billion (including affiliates)

Technology Companies:
  $15,000  Revenue/funding over $100 million
  $12,000  Revenue/funding from $50 to $99 million
  $9,000   Revenue/funding from $20 to $49 million
  $3,300   Revenue/funding under $19 million

To subscribe or unsubscribe from this elist use the subscription manager: http://ls.fstc.org/subscriber

--- end forwarded text

-- 
R. A. Hettinga mailto: [EMAIL PROTECTED]
The Internet Bearer Underwriting Corporation http://www.ibuc.com/
44 Farquhar Street, Boston, MA 02131 USA

"... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

- The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: Article on passwords in Wired News
An article on passwords and password safety, including this neat bit:

> For additional security, she then pulls out a card that has 50 scratch-off codes. Jubran uses the codes, one by one, each time she logs on or performs a transaction. Her bank, Nordea PLC, automatically sends a new card when she's about to run out.

http://www.wired.com/news/infostructure/0,1377,63670,00.html

One-time passwords (TANs) were another thing I covered in the "Why isn't the Internet secure yet, dammit!" talk I mentioned here a few days ago. From talking to assorted (non-European) banks, I haven't been able to find any that are planning to introduce these in the foreseeable future. I've also been unable to get any credible explanation as to why not; as far as I can tell it's "We're not hurting enough yet". Maybe it's just a cultural thing; certainly among European banks it seems to be a normal part of allowing customers online access to banking facilities. (If anyone from the outside-Europe banking industry can provide me with an explanation for non-use of TANs that goes beyond "We're looking into it", I'd be interested in hearing from them).

Peter.

- The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
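The scratch-off TAN card the article describes, as an added example that is not code from the post, the article or Nordea: the bank-side record keeps only hashes of the 50 codes, accepts each code once in any order, locks the card after repeated wrong codes, and reports when a fresh card should be sent. The card id, code alphabet, code length and the reissue and lock thresholds are assumptions.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
)

const (
	CardSize    = 50 // codes per scratch card, as in the article
	ReissueAt   = 5  // send the customer a new card when this many are left (assumed)
	MaxFailures = 3  // lock the card after this many wrong codes in a row (assumed)
	alphabet    = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789" // 32 symbols, no 0/O or 1/I
	codeLen     = 8
)

var ErrBadCode = errors.New("tan: unknown or already used code")
var ErrLocked = errors.New("tan: card locked after repeated failures")

// Card is the bank's record of one scratch card: code hashes only, never the codes.
type Card struct {
	ID       string
	hashes   [][32]byte
	used     []bool
	Left     int // unused codes the customer still holds
	failures int
}

// hashCode binds a code to its card so it cannot be replayed against another card.
func hashCode(id, code string) [32]byte { return sha256.Sum256([]byte(id + ":" + code)) }

// NewCard draws CardSize random codes: the plaintext list is returned once for printing, the hashed record is what the bank keeps.
func NewCard(id string) ([]string, *Card, error) {
	codes := make([]string, CardSize)
	c := &Card{ID: id, hashes: make([][32]byte, CardSize), used: make([]bool, CardSize), Left: CardSize}
	for i := range codes {
		buf := make([]byte, codeLen)
		if _, err := rand.Read(buf); err != nil {
			return nil, nil, err
		}
		for j := range buf {
			buf[j] = alphabet[buf[j]%32] // 256 is a multiple of 32, so no modulo bias
		}
		codes[i] = string(buf)
		c.hashes[i] = hashCode(id, codes[i])
	}
	return codes, c, nil
}

// Use consumes one code (any order, like scratching any panel); needNew is true once the customer should be sent a fresh card.
func (c *Card) Use(code string) (needNew bool, err error) {
	if c.failures >= MaxFailures {
		return false, ErrLocked
	}
	h := hashCode(c.ID, code)
	for i := range c.hashes {
		if !c.used[i] && subtle.ConstantTimeCompare(h[:], c.hashes[i][:]) == 1 {
			c.used[i], c.Left, c.failures = true, c.Left-1, 0
			return c.Left <= ReissueAt, nil
		}
	}
	c.failures++
	return false, ErrBadCode
}
```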
Re: A National ID
Although I am against any national ID, at least as far as terrorist identification goes (note that the Social Security Number that every American has IS a national ID card), I feel that a discussion on how to do it properly is a worthwhile endeavor.

----- Original Message -----
From: Peter Clay [EMAIL PROTECTED]
Subject: Re: A National ID

> [T]he real danger is not the cards but the database for which they are a unique key. See just about every issue of RISKS for ways in which big national databases can go wrong.

The solution then is obvious: don't have a big central database. Instead use a distributed database. I first suggested this concept some time ago on sci.crypt. It's very simple: use cryptography so we don't have to be concerned about duplication (although fraudulent acquisition of valid ID would be an issue). Issue each person a Flash RAM card; on the card is biometric information, name, birthdate, etc., a Law Enforcement Only Field, and a signature across all the information. Most importantly, DO NOT print anything resembling what we currently see as an ID card (no picture, no driver's license number, etc.); just print a name on the card for ease of card identification. At this point (assuming the cryptography is good) people can make as many copies as they'd like; it's not going to make any difference.

The Law Enforcement Only Field (which I'll call LEAF for historical reasons) serves a unique purpose: it is either a random number, or an encrypted old identity. There are several possible reasons for the old identity: undercover police, witness protection, support for pseudonyms, etc. This field allows the police and only the police to identify undercover officers, and provides traceability back through the process to identify the granting of a new identity to someone.

The most important part though is the search time required for verifying an ID. In the case of a giant central database it is O(log(n)) time; with the cryptographic ID it is O(1). This reduces the cost of the national overhead: while a database is still necessary for reissuing, and a new signing setup is required, the access requirements are reduced by several orders of magnitude. Further reduction comes from the ability of each police precinct to have their own local known database, as well as every bar/nightclub having their own banned list without the possibility of cross-corruption, because there is no direct link. This further increases the security because access to the main database can even be restricted to key personnel. This personnel access reduction will again lower the speed requirements for the central database, probably down to the point where a single Oracle server with a few Terabytes of disk space could easily handle the load (I come up with a horrible case size of about 300 Terabytes, and a minimum size of 70 gigabytes for storing only the signature and LEAF, because everything else can be reconstructed). (Sizes assume 1MB maximum data set, and DSA/ECDSA with SHA-512.)

This would also have a knock-on effect of creating a small ID customization industry, because the ID can take any form-factor within certain reasonable bounds; there is no reason that it cannot be as customizable as a cell-phone.

As for security, this would put the citizen in general control of their information, and with the minimum database size used would give the citizen complete control over their own data. The additional overhead for the current law enforcement databases would be minimal; each entry would only be expanded by the size of the signature to mark the ID card. The invasiveness for your average citizen would be minimized because there is no chance of leakage between the big central database (which could be very small) and the corner market, because the central database does not have to be online.

Now as to the level of cryptographic security that would be necessary for this. It is important to realize that the potential market for fraudulent ID of this caliber would be massive, so a multi-decade multi-trillion dollar effort to break the key is not unreasonable. This poses a risk of a magnitude that cryptanalysts really haven't dealt with. Even at the level of protecting the drivel from Shrub II, the possibility of a multi-decade, multi-trillion dollar effort is simply inconceivable, and it is important to remember that this signature has to remain secure not for a few years, or even a couple of decades; it has to remain secure for longer than the longest conceivable lifespan for a human, which means 150 years (I've rounded up from the record), which is a timeframe that we cannot even conceive of at this time. A 100 trillion dollar, 150 year effort to break the security is simply beyond our ability to predict cryptographically; with Celerons at about $35 per GHz right now, that timeframe works out to approximately 2^95 (again being generous to the attacker), and that already means that SHA-1 cannot be used simply because the workload is available to
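The signed-card scheme sketched in the post, as an added example that is not the poster's code: Ed25519 stands in for the DSA/ECDSA the post mentions, the field layout and the 32-byte random LEAF are assumptions, and the biometric template and old-identity ciphertext are constructed placeholders. It shows verification with only the issuer's public key and no database lookup, that copies of a card verify while any edited field does not, and a site-local ban list keyed by the signature alone.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha512"
	"encoding/binary"
)

// Card is the record written to the flash card. Only the name is printed on it;
// the signature, not the plastic, is what makes the card genuine.
type Card struct {
	Name      string
	BirthDate string
	Biometric []byte // hypothetical biometric template bytes
	LEAF      []byte // random, or an old identity encrypted to a law-enforcement key
	Sig       []byte
}

// encode builds a canonical length-prefixed byte string so the signature binds every
// field and no bytes can be moved between fields without invalidating it.
func encode(c *Card) []byte {
	var b bytes.Buffer
	for _, f := range [][]byte{[]byte(c.Name), []byte(c.BirthDate), c.Biometric, c.LEAF} {
		var n [4]byte
		binary.BigEndian.PutUint32(n[:], uint32(len(f)))
		b.Write(n[:])
		b.Write(f)
	}
	return b.Bytes()
}

// NewIssuer creates the issuing authority's key pair (Ed25519 here; the post names DSA/ECDSA).
func NewIssuer() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// Issue signs a record. leaf is nil for a fresh identity (random LEAF) or the encrypted old identity.
func Issue(priv ed25519.PrivateKey, name, birth string, bio, leaf []byte) (*Card, error) {
	c := &Card{Name: name, BirthDate: birth, Biometric: bio, LEAF: leaf}
	if c.LEAF == nil {
		c.LEAF = make([]byte, 32)
		if _, err := rand.Read(c.LEAF); err != nil {
			return nil, err
		}
	}
	h := sha512.Sum512(encode(c))
	c.Sig = ed25519.Sign(priv, h[:])
	return c, nil
}

// Verify needs only the issuer's public key: constant work per card, no central lookup.
func Verify(pub ed25519.PublicKey, c *Card) bool {
	h := sha512.Sum512(encode(c))
	return ed25519.Verify(pub, h[:], c.Sig)
}

// BanList is a site-local list (a bar, a precinct) keyed by signature alone: it holds
// no personal data and shares no key with any other site's list or the central database.
type BanList map[string]bool

func (b BanList) Ban(c *Card)           { b[string(c.Sig)] = true }
func (b BanList) IsBanned(c *Card) bool { return b[string(c.Sig)] }
```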
Polygraph Testing Starts at Pentagon in Chalabi Inquiry
http://www.nytimes.com/2004/06/03/politics/03CHAL.html?th=pagewanted=printposition=

The New York Times
June 3, 2004

Polygraph Testing Starts at Pentagon in Chalabi Inquiry
By DAVID JOHNSTON and JAMES RISEN

WASHINGTON, June 2 - Federal investigators have begun administering polygraph examinations to civilian employees at the Pentagon to determine who may have disclosed highly classified intelligence to Ahmad Chalabi, the Iraqi who authorities suspect turned the information over to Iran, government officials said Wednesday.

The polygraph examinations, which are being conducted by the Federal Bureau of Investigation, are focused initially on a small number of Pentagon employees who had access to the information that was compromised.

American intelligence officials have said that Mr. Chalabi informed Iran that the United States had broken the secret codes used by Iranian intelligence to transmit confidential messages to posts around the world. Mr. Chalabi has denied the charge.

On Wednesday, his lawyers made public a letter they said they had sent to Attorney General John Ashcroft and F.B.I. Director Robert S. Mueller III repeating Mr. Chalabi's denials and demanding that the Justice Department investigate the disclosure of the accusations against Mr. Chalabi. The lawyers, John J. E. Markham II and Collette C. Goodman, said in the letter, "The charges made against Dr. Chalabi - both the general and the specific ones are false." They also said, "We ask that you undertake an immediate investigation to find and hold accountable those who are responsible for these false leaks."

Officials would not identify who has taken polygraph examinations or even who has been interviewed by F.B.I. counterespionage agents. It could not be determined whether anyone has declined to submit to a polygraph test.

No one has been charged with any wrongdoing or identified as a suspect, but officials familiar with the investigation say that they are working through a list of people and are likely to interview senior Pentagon officials. The F.B.I. is looking at officials who both knew of the code-breaking operation and had dealings with Mr. Chalabi, either in Washington or Baghdad, the government officials said.

Information about code-breaking work is considered among the most confidential material in the government and is handled under tight security and with very limited access. But a wider circle of officials could have inferred from intelligence reports about Iran that the United States had access to the internal communications of Iran's spy service, intelligence officials said. That may make it difficult to identify the source of any leak.

Government officials say they started the investigation of Pentagon officials after learning that Mr. Chalabi had told the Baghdad station chief of Iran's intelligence service that the United States was reading their communications. Mr. Chalabi, American officials say, gave the information to the Iranians about six weeks ago, apparently because he wanted to ensure that his secret conversations with the Iranians were not revealed to the Americans. But the Iranian official apparently did not immediately believe Mr. Chalabi, because he sent a cable back to Tehran detailing his conversation with Mr. Chalabi, American officials said. That cable was intercepted and read by the United States, the officials said.

Mr. Chalabi and his supporters argue that the accusations against him are part of a C.I.A.-inspired campaign to discredit him. His backers have been dismayed that the Bush administration recently divorced itself from Mr. Chalabi and his group, the Iraqi National Congress. They contend that the move was instigated by the C.I.A., which they say is now wielding intercepted Iranian communications as a weapon against Mr. Chalabi.

Richard N. Perle, the former chairman of the Defense Policy Board and an influential Chalabi supporter, said Wednesday that the notion that Mr. Chalabi would compromise the American code-breaking operation "doesn't pass the laugh test." Mr. Perle said it was more plausible that the Iranians, knowing already that the United States was reading its communications, planted the damning information about Mr. Chalabi to persuade Washington to distance itself from Mr. Chalabi.

"The whole thing hinges on the idea that the Baghdad station chief of the MOIS commits one of the most amazing trade craft errors I've ever heard of," Mr. Perle said, referring to Iran's Ministry of Intelligence and Security. He said it defied belief that a seasoned intelligence operative would disclose a conversation with Mr. Chalabi using the same communications channel that he had just been warned was compromised. "You have to believe that the station chief blew a gift from the gods because of rank incompetence," Mr. Perle said. "I don't believe it, and I don't think any other serious intelligence professional would either."

Mr. Chalabi is not a focus of the inquiry, but senior law
BBN Technologies Unveils World's First Quantum Cryptography Network
http://www.prnewswire.com/cgi-bin/stories.pl?ACCT=SVBIZINK3.storySTORY=/www/story/06-03-2004/0002186418EDATE=THU+Jun+03+2004,+07:50+AM

Silicon Valley Biz Ink
June 3, 2004
Press release distributed by PR Newswire

BBN Technologies Unveils World's First Quantum Cryptography Network

Quantum Cryptography Breakthrough Delivers Absolute Security Based on Laws of Physics

CAMBRIDGE, Mass., June 3 /PRNewswire/ -- BBN Technologies announced today that it has built the world's first quantum cryptography network and is now operating it continuously beneath the streets of Cambridge, Massachusetts. Today the DARPA Quantum Network links BBN's campus to Harvard University; soon it will stretch across town to include Boston University as a third link. The Harvard University Applied Physics Department and the Boston University Photonics Center have worked in close collaboration with BBN to build the network under Defense Advanced Research Projects Agency (DARPA) sponsorship.

Information traveling over open networks such as the Internet is often encrypted to prevent unauthorized eavesdropping. Currently, complex mathematical algorithms are the most common method used to scramble (encrypt) and de-scramble (decrypt) messages that require secure transmission. Although this method can provide high levels of security, it is not infallible. In contrast, the DARPA Quantum Network introduces extremely high levels of security for Internet-based communications systems by encrypting and decrypting messages with keys created by quantum cryptography.

Quantum cryptography, invented by Charles Bennett and Gilles Brassard in the 1980s, prepares and transmits single photons of light, through either fiber optic cable or the atmosphere, to distribute cryptographic keys that are used to encrypt and decrypt messages. This method of securing information is radically different from methods based on mathematical complexity, relying instead on fundamental physical laws. Because very small (quantum) particles are changed by any observation or measurement, eavesdropping on a quantum cryptography system is always detectable.

The DARPA Quantum Network has improved on these techniques to create a highly robust, six-node network that is both extremely secure and 100% compatible with today's Internet technology. Patent-pending BBN protocols pave the way for robust quantum networks on a larger scale by providing any-to-any networking of quantum cryptography through a mesh of passive optical switches and cryptographic key relays.

"People think of quantum cryptography as a distant possibility," said Chip Elliott, a Principal Scientist at BBN and leader of its quantum engineering team, "but the DARPA Quantum Network is up and running today underneath Cambridge. BBN has built a set of high-speed, full-featured quantum cryptography systems and has woven them together into an extremely secure network."

"This kind of breakthrough is the essence of BBN," said Tad Elmer, president and CEO of BBN. "We were ahead of the technology curve with the ARPANET and the first router, and our quantum network exemplifies the same kind of forward thinking and innovation that has made BBN a technology leader for over 50 years."

About BBN Technologies

BBN Technologies was established as Bolt Beranek and Newman Inc. in 1948. From its roots as an acoustical design consulting firm, BBN grew to implement and operate the ARPANET (the forerunner of today's Internet) and develop the first network email, which established the @ sign as an icon for the digital age. Today BBN Technologies provides technical expertise and innovation to both government and commercial customers. Areas of expertise include: quantum information, speech and language processing, networking, information security, and acoustic technologies. BBN has more than 600 employees in offices across the US. For more information, visit http://www.bbn.com.

Media Contact: Joyce Kuzmin 617-873-8193 [EMAIL PROTECTED]

This release was issued through eReleases(TM). For more information, visit http://www.ereleases.com.

-- 
R. A. Hettinga mailto: [EMAIL PROTECTED]
The Internet Bearer Underwriting Corporation http://www.ibuc.com/
44 Farquhar Street,
Re: Article on passwords in Wired News
On Thu, Jun 03, 2004 at 08:14:39PM +1200, Peter Gutmann wrote:

> One-time passwords (TANs) was another thing I covered in the Why isn't the Internet secure yet, dammit! talk I mentioned here a few days ago. From talking to assorted (non-European) banks, I haven't been able to find any that

Customers hate PINs/TANs (have to carry them around, PINs typically are not alphanumeric, and fixed-length, print is low-contrast). Which is why power users have (Windows-only; for some reason I couldn't get GNUcash working, despite the right crypto libraries and a proper port punched through the firewall) HBCI software alternatives. Which are not used widely, alas.

Banks tried to push smart cards, but very half-heartedly (didn't offer free readers, which could have created critical mass). Now some folks are trying to use the existing smartcard-authenticated mobile phone infrastructure for online payments, but it has its own problems (Bluetooth/IrDA, security, fax effect, etc).

-- 
Eugen* Leitl http://leitl.org
ICBM: 48.07078, 11.61144  http://www.leitl.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE
http://moleculardevices.org http://nanomachines.net
Re: Article on passwords in Wired News
Eugen Leitl wrote:

> Banks tried to push smart cards, but very half-heartedly (didn't offer free readers, which could have created critical mass).

There was one of those net-only bank-like operations in the last days of the bubble that did offer free smart-card readers. That's what prompted me to sign up. Of course, the bubble burst and I never did get my free reader.

-- 
Roy M. Silvernail is [EMAIL PROTECTED], and you're not
"Never Forget: It's Only 1's and 0's!"
SpamAssassin-procmail-/dev/null-bliss
http://www.rant-central.com

- The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]