Re: Citibank e-mail looks phishy
James A. Donald [EMAIL PROTECTED] writes:

Before computers, people had a lot of procedures that they routinely and ritualistically followed to prevent fraud, faithfully following the required procedures without ever thinking much about why things were done that way. It seems that some time during the seventeenth and early eighteenth century, various captains of finance laid down the law "It shall be done thus", so very firmly that for the next few hundred years, no one deviated. But right now, we are inventing things, and we have not yet figured out how to do stuff right. Further, the tools available do not really fit the task at hand, so it is unsurprising if people keep using them upside down and backwards.

I'm not sure this is the problem -- the problem may be a lack of object lessons to provide negative reinforcement. Every twenty years or so, a major accounting firm implodes in a scandal. In the 1980s it was Laventhal and Horvath. A few years ago it was Andersen. At intervals, the institutional memory of what can go wrong vanishes, someone pushes the edge, and it takes a bit of blood in the streets for people to remember why they were supposed to follow the rules. (By the way, this is a good reason why people should oppose the reduction of individual liability for partners in accounting firms -- it is an important check on accounting scandals.)

At intervals, there are also major explosions in other parts of finance. For example, does everyone remember how Barings melted down because of lax controls? There have been failures of this sort at intervals in trading operations -- Askin detonated even though it had correct models of the CMO market, because the market remained irrational longer than it could remain liquid. Twenty years later, the memory forgotten, Long Term Capital Management had a similar problem. I think that failures of this sort are, for good or ill, part of the natural order of things.

Unless there are object lessons around, people forget the reason for the controls. Right now, the systems technologies in use are too new for there to have been major failures, so many people in management do not understand why the technical people have pushed for certain kinds of controls. I suspect the failure of a major bank as a result of deep penetration of their systems, or some similar failure, will be rather educational for the ones that remain. Unfortunately it will also cause a lot of damage, but I'm not sure there is any way to help this.

Some folks have said perhaps this is a failure of regulation, but I don't know that regulation can be made better. It is difficult for regulators to understand all the intricacies of the operations of every firm they watch, and it is difficult in some cases for them to remain at arm's length from the people they regulate, since regulation agencies depend on people with intimate knowledge of a given industry, who are inevitably previous insiders. There is also, inevitably, far more lobbying by a regulated industry than by third parties, because the regulated have a far greater incentive to shape the regulations than outsiders do and thus spend more time and money on it. Ultimately, I think we're going to have to see the collapse of a major banking institution before this is dealt with.

Perry

- The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: Citibank e-mail looks phishy
Here's another one... United Airlines sent out email to UA flyers directing them to 2006elitechoice.com for frequent flyer benefits. 2006elitechoice.com is registered to Srirangapatna Chandrashekar of Grey Direct, Chicago. There are no indications on united.com of any connection to 2006elitechoice.com. Querying United about this yields an emailed reply from usa.net telling you that it's legit and not to worry.

Apparently this is legit, but the whole thing is less credible than many phishing scams.

Peter.
Re: Citibank e-mail looks phishy
I think "Citibank aims at foot and lets loose with both barrels, then reloads and shoots a second time" would be a better title. This is a really scary example of what Perry once referred to as banks actively training users to become future victims of phishing attacks. What's even worse is that Citibank uses such a profusion of marketing-driven, vaguely bank-related domain names (e.g. accountonline.com, although this now seems to have been shut down) that the email could just as easily have directed users to random bank-sounding name.com without raising too much suspicion. Any half-awake phisher will immediately send out an identical email sending people to some other vaguely correct-looking URL and asking for the same information.

Leichter, Jerry wrote:

They screw things up in other ways, too. If you have an ATT Universal card, you're actually serviced by Citibank these days. To get to your account on line, you go to www.universalcard.com, which very nicely accepts https connections, using a Verisign cert. Unfortunately, the cert is for www.citibank.com or some such address. (Of course, then it promptly redirects you to something on accountonline.com.)

Before computers, people had a lot of procedures that they routinely and ritualistically followed to prevent fraud, faithfully following the required procedures without ever thinking much about why things were done that way. It seems that some time during the seventeenth and early eighteenth century, various captains of finance laid down the law "It shall be done thus", so very firmly that for the next few hundred years, no one deviated. But right now, we are inventing things, and we have not yet figured out how to do stuff right. Further, the tools available do not really fit the task at hand, so it is unsurprising if people keep using them upside down and backwards.

I imagine that when our ancestors first figured out how to flake stones to form really sharp blades (and a well-flaked blade will cut like broken glass) there were lots of people cutting their fingers off, despite the experts telling them how to correctly handle blades, until eventually the next genius figured out how to connect a sharp stone blade to a wooden handle. It then became a lot easier for the wise woman to say "hold a knife by the handle except when handing it over, and don't run with a knife."
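The www.universalcard.com observation above (a certificate naming one host presented on another) is exactly the condition that TLS hostname verification exists to catch, and it is the check a browser or a monitoring script should run before trusting the padlock. The following is an added example, not code from the thread or from any of the institutions discussed: it implements RFC 6125-style matching of a certificate's DNS names against the hostname the client actually connected to, using the dictionary shape that Python's ssl.SSLSocket.getpeercert() returns. The three certificates are constructed sample data; the first mirrors the mismatch described in the thread.

```python
"""Check whether a TLS certificate actually names the host that was requested.

Added example, not taken from the mailing list thread.  Matching rules follow
RFC 6125: exact DNS-name match (case-insensitive, trailing dot ignored), a
single wildcard only as the whole left-most label covering exactly one label,
subjectAltName DNS entries take precedence, and the subject commonName is only
a fallback when the certificate carries no DNS SANs at all.
"""
from __future__ import annotations


def name_matches(pattern: str, hostname: str) -> bool:
    """Match one certificate DNS name (possibly a wildcard) against a hostname."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # The wildcard must be the entire left-most label and must not appear in a
    # name with fewer than three labels, so "*.com" never matches anything.
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    if any("*" in label for label in p_labels[1:]):
        return False
    # The wildcard covers exactly one label: "*.example.com" does not match
    # "example.com" or "a.b.example.com".
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def certificate_dns_names(cert: dict) -> list[str]:
    """Names a certificate is valid for, read from the getpeercert() layout:
    DNS SANs if present, otherwise the subject commonName."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [
        value
        for rdn in cert.get("subject", ())
        for key, value in rdn
        if key == "commonName"
    ]


def certificate_matches(cert: dict, hostname: str) -> bool:
    """True if any name the certificate is valid for matches the requested host."""
    return any(name_matches(name, hostname) for name in certificate_dns_names(cert))


def explain(cert: dict, hostname: str) -> str:
    """One-line verdict of the kind a monitoring check would log."""
    names = ", ".join(certificate_dns_names(cert)) or "<no DNS names>"
    verdict = "OK" if certificate_matches(cert, hostname) else "MISMATCH"
    return f"{verdict}: requested {hostname}, certificate names [{names}]"


# Constructed sample certificates in the getpeercert() layout (not real certs).
# CERT_CITIBANK mirrors the thread: a certificate naming www.citibank.com
# presented to a client that connected to www.universalcard.com.
CERT_CITIBANK = {
    "subject": ((("commonName", "www.citibank.com"),),),
    "subjectAltName": (("DNS", "www.citibank.com"), ("DNS", "citibank.com")),
}
CERT_WILDCARD = {
    "subject": ((("commonName", "*.example.com"),),),
    "subjectAltName": (("DNS", "*.example.com"),),
}
CERT_CN_ONLY = {
    # Legacy certificate with no SAN extension; the CN is the only name.
    "subject": ((("countryName", "US"),), (("commonName", "legacy.example.net"),)),
}

if __name__ == "__main__":
    print(explain(CERT_CITIBANK, "www.universalcard.com"))
    print(explain(CERT_CITIBANK, "www.citibank.com"))
    print(explain(CERT_WILDCARD, "login.example.com"))
    print(explain(CERT_WILDCARD, "deep.login.example.com"))
    print(explain(CERT_CN_ONLY, "legacy.example.net"))
```

To run the same check against a live server, pass the dictionary returned by `ssl.SSLSocket.getpeercert()` (after a handshake with a context that has `check_hostname` enabled, the library already performs this verification; the standalone matcher is useful for auditing certificates collected out of band, or for explaining to a user why a site that "has a Verisign cert" still fails).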
NIST releases a security guide for managers
http://csrc.nist.gov/publications/nistpubs/800-100/sp800-100.pdf

This guide is specifically written for top-level security/info management (CSOs, CIOs etc). It addresses the requirements of various security policies and laws, such as the Clinger-Cohen Act (CCA) and FISMA.

--
Saqib Ali, CISSP, ISSAP
http://www.full-disk-encryption.net