Re: Question on the state of the security industry (second half not necessarily on topic)

2004-07-09 Thread Matt Blaze
On Jul 3, 2004, at 14:22, Dave Howe wrote:
Well if nothing else, it is impossible for my bank to send me anything 
I would believe via email now

To take this even slightly more on-topic - does anyone here have a 
bank capable of authenticating themselves to you when they ring you?
I have had four phone calls from my bank this year, all of which start 
out by asking me to identify myself to them. When I point out that 
they must know who I am - as they just phoned me - and that I have no 
way of knowing who they are, they are completely lost (probably takes 
them away from the little paper script pinned to their desk)

Last month I had a rather good experience with American Express
in this regard.  I recently moved and had ordered something
to be shipped to my new address (this was before I changed my
billing address with AMEX).  Apparently the merchant had Amex
verify the transaction, and so AMEX called me.
Naturally, I asked how I was supposed to know it was really them
calling.  Without missing a beat, the caller invited me to hang
up and call back the number on the back of my card, which I did.
After the usual exchange of information to establish my identity,
I was transferred to the right department, and ended up speaking with
the same person who had originally called me(!).
After confirming the validity of the transaction in question, I
asked how many people are as suspicious as I was in asking for
confirmation that it's really AMEX calling.  He said not many,
but a significant enough number that they're ready to handle it
routinely when it happens (he also congratulated me for my
diligence).
It's nice that they have a procedure for this, but it's still a
mixed success for security against the theft of sensitive personal
information.  People like me (us?) remain the exception rather
than the rule, and while it's comforting that the standard procedures
accommodate us, the vast majority of people appear to happily give any
information requested to whoever calls them.  And when banks and
credit card issuers make calls requesting sensitive information
as part of their routine operations, they're training their customers
to engage in exactly the same behavior that they should be trying to
discourage.
Perhaps a better procedure would be to always simply ask the customer
to call back the known, trusted contact number (e.g., as printed on
the card), and never ask for any personal or sensitive information
in an unsolicited call.  They could widely advertise that this is
always the procedure and ask customers to be alert for any caller
who deviates from it.
-matt
-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: Question on the state of the security industry (second half not necessarily on topic)

2004-07-08 Thread Steven M. Bellovin
In message [EMAIL PROTECTED], Jason Holt writes:


[...]

I had the same question about the NSA when some friends were interviewing
there.  Apparently investigators will just show up at your house and want to
know all sorts of things about your friends, who you may or may not know to be
in the process of looking for work there.

As I understand it, the investigators don't even carry NSA badges; they're DSS
or private investigators.

In all seriousness, background investigations have been outsourced...

I had a similar experience a few years ago.  I was supposed to visit
the --- agency.  Someone I had *not* been dealing with called to ask
for my social security number and birthdate.  I declined, on the
grounds that I had no idea who he was.  "But if I'm not legitimate, how
do I know you're going to visit tomorrow?"  My reply was "you're from
--- and you don't think people can learn things they're not supposed
to know?"

He was livid -- "if you don't tell me, you can't visit."  I told him
that that was fine with me, and he should get my usual contact to call
me.  "But he's unavailable today!"  I indicated that I was still
unconcerned -- and 10 minutes later, this unavailable person called
me...

On the other hand, when my broker called last week and asked for some 
confidential info, he was very understanding and co-operative when I 
declined to give out that information over the phone when he had called 
me.  So it's not completely hopeless.


--Steve Bellovin, http://www.research.att.com/~smb




Re: Question on the state of the security industry (second half not necessarily on topic)

2004-07-04 Thread Ed Reed
I recently had the same trouble with the Centers for Disease Control
(CDC) - who were calling around to follow up on infant influenza
inoculations given last fall.

Ultimately, they wanted me to provide authorization to them to receive
HIPAA protected patient records from my son's pediatrician, and I
couldn't figure out how to get them to definitively persuade me that
they were really the CDC, whom I was willing to so authorize.

Such research MAY be appropriate, and in this case, I'm a believer in
the flu shots, and am generally supportive.

But, while I could (and had to) identify myself to them (it was
a random-number dial canvass), they had no way, short of giving
me an 800 number to call (with obvious trust bootstrap problems
with that) to get past it.

Eventually, I found enough information on the CDC websites
(assuming that DNS wasn't hacked, that my ISP wasn't redirecting
my http queries to a Russian web site, and that the CDC site
hadn't been hacked) to cooperate (talked with 2 supervisors,
5 follow-up canvassers, etc.)

This is a problem that real life has.  This sort of problem has
been around since telephones came into existence (I didn't think
to check the caller-id on the call, presuming it would point me
to a call center located somewhere on the planet).

We cope.  And when the annoyance gets too bad, we kvetch,
pass laws, and file law suits.  Isn't that pretty much what's
happening, now?

Thought-control countries present separate problems (whether
that's the Patriot Act or the Chinese censorship of SMS messages).

For them, we have to rely on the Internet to route around censorship.
And facilitate alternate routes (silent ones?) when the routers are
own3d by the censors. (sorry - cross-over to another thread).

Ed

 Dave Howe [EMAIL PROTECTED] 7/3/2004 8:22:56 PM 
Joseph Ashwood wrote:
 I am continually asked about spam, and I personally treat phishing as a
 subset of it, but I have seen virtually no interest in correcting the
 problem. I have personally been told I don't even know how many times that
 phishing is not an issue.
Well if nothing else, it is impossible for my bank to send me anything I
would believe via email now

To take this even slightly more on-topic - does anyone here have a bank
capable of authenticating themselves to you when they ring you?
I have had four phone calls from my bank this year, all of which start
out by asking me to identify myself to them. When I point out that they
must know who I am - as they just phoned me - and that I have no way of
knowing who they are, they are completely lost (probably takes them away
from the little paper script pinned to their desk)



Re: Question on the state of the security industry (second half not necessarily on topic)

2004-07-01 Thread Joseph Ashwood
- Original Message - 
From: Ian Grigg [EMAIL PROTECTED]
Subject: Question on the state of the security industry


 Here's my question - is anyone in the security
 field of any sort of repute being asked about
 phishing, consulted about solutions, contracted
 to build?  Anything?

I am continually asked about spam, and I personally treat phishing as a
subset of it, but I have seen virtually no interest in correcting the
problem. I have personally been told I don't even know how many times that
phishing is not an issue.

I personally know it's an issue because between my accounts I receive ~3-5
phishing attempts/day, and the scams apparently account for a major portion
of the GNP of many small countries.

 Or, are security professionals as a body being
 totally ignored in the first major financial
 attack that belongs totally to the Internet?

 What I'm thinking of here is Scott's warning of
 last year:

Subject: Re: Maybe It's Snake Oil All the Way Down
At 08:32 PM 5/31/03 -0400, Scott wrote:
...
When I drill down on the many pontifications made by computer
security and cryptography experts all I find is given wisdom.  Maybe
the reason that folks roll their own is because as far as they can see
that's what everyone does.  Roll your own then whip out your dick and
start swinging around just like the experts.

 I think we have that situation.  For the first
 time we are facing a real, difficult security
 problem.  And the security experts have shot
 their wad.

 Comments?

In large part that's the way it looks to me as well. We have an effectively
impotent security community, because all the solutions we've ever made
either didn't work, or worked too well. We basically have two types of
security solutions: the ones that are referred to as "That doesn't work, we
had it and it did everything it shouldn't have" and those that result in "I
don't think it works, but I can't be sure because we were never attacked."
The SSL/TLS protocol is an example of this second type, I am unaware of any
blackhats that bother attacking SSL/TLS because they simply assume it is
impenetrable. At the same time we have the situation where Windows is
continually not because it is less secure than the others, but because it is
_believed_ to be less secure than the others, so the Windows security is
clearly of the first type. The biggest problem I've seen is that we're
dealing with generally undereducated people as far as security goes. We
need to start selling that we facilitate a business process, and that
because of this all you will see are the failures, the successes are almost
always invisible.

Also as with all business processes, there is never a final state, it must
be often reanalyzed and revised. This puts us in a rather strange situation,
where something that I have always offered becomes important, we become an
outsourced analyst, almost an auditor situation. To build this properly the
security model that is constructed needs to be built to include emergency
thresholds and revision timeframes. By supporting the security process as a
business process it allows the concepts to more easily permeate the CXO
offices, which means that you are far more likely to make more money, build
a long term client, and create a strong security location.

To make the point clearer, I have ended up with clients that were previously
with better known cryptanalysts, including some worldwide names. These
clients have been told by their previous consultants that their security is
good, but their consultant never told them that it needs reanalysis, they
never encouraged the creation of a business process around it, it was always
"Ask me when you have questions." I did not poach these clients, they left
their previous consultants, and found me through referrals. These
relationships are extremely profitable for me, for many reasons; I actually
cost less than their prior consultants, but I make more, because everything
is done quickly, efficiently, and effectively.

This security process builds stronger security, and while I admit I am still
rarely asked about phishing, and even rarer is my advice listened to, my
clients are rarely successfully hacked, and have lower than average losses.

Our biggest problem is that we view the security process as distinct from
business processes. I truly wish I could make the Sarbanes-Oxley 2002
(http://news.findlaw.com/hdocs/docs/gwbush/sarbanesoxley072302.pdf) act
required reading for every security consultant, because it demonstrates very
much that proper security consulting is actually a business process.

Getting back to the topic, by doing this we can help them move from the
dick swinging phase to a best practices security infrastructure used
accurately and appropriately. We also need to start putting our money where
our mouth is, I've seen too many security consultants whose primary job
was to sell the add-on services available from their employer, instead we
need to follow