Re: Question on the state of the security industry (second half not necessarily on topic)

2004-07-01 Thread Joseph Ashwood
- Original Message - 
From: Ian Grigg [EMAIL PROTECTED]
Subject: Question on the state of the security industry


 Here's my question - is anyone in the security
 field of any sort of repute being asked about
 phishing, consulted about solutions, contracted
 to build?  Anything?

I am continually asked about spam, and I personally treat phishing as a
subset of it, but I have seen virtually no interest in correcting the
problem. I have personally been told I don't even know how many times that
phishing is not an issue.

I personally know it's an issue because between my accounts I receive ~3-5
phishing attempts/day, and the scams apparently account for a major portion
of the GNP of many small countries.

 Or, are security professionals as a body being
 totally ignored in the first major financial
 attack that belongs totally to the Internet?

 What I'm thinking of here is Scott's warning of
 last year:

Subject: Re: Maybe It's Snake Oil All the Way Down
At 08:32 PM 5/31/03 -0400, Scott wrote:
...
When I drill down on the many pontifications made by computer
security and cryptography experts all I find is given wisdom.  Maybe
the reason that folks roll their own is because as far as they can see
that's what everyone does.  Roll your own then whip out your dick and
start swinging around just like the experts.

 I think we have that situation.  For the first
 time we are facing a real, difficult security
 problem.  And the security experts have shot
 their wad.

 Comments?

In large part that's the way it looks to me as well. We have an effectively
impotent security community, because all the solutions we've ever made
either didn't work, or worked too well. We basically have two types of
security solutions: the ones that are referred to as "That doesn't work, we
had it and it did everything it shouldn't have" and those that result in "I
don't think it works, but I can't be sure because we were never attacked."
The SSL/TLS protocol is an example of this second type, I am unaware of any
blackhats that bother attacking SSL/TLS because they simply assume it is
impenetrable. At the same time we have the situation where Windows is
continually not because it is less secure than the others, but because it is
_believed_ to be less secure than the others, so the Windows security is
clearly of the first type. The biggest problem I've seen is that we're
dealing with generally undereducated people as far as security goes. We
need to start selling that we facilitate a business process, and that
because of this all you will see are the failures; the successes are almost
always invisible.

Also as with all business processes, there is never a final state, it must
be often reanalyzed and revised. This puts us in a rather strange situation,
where something that I have always offered becomes important, we become an
outsourced analyst, almost an auditor situation. To build this properly the
security model that is constructed needs to be built to include emergency
thresholds and revision timeframes. By supporting the security process as a
business process it allows the concepts to more easily permeate the CXO
offices, which means that you are far more likely to make more money, build
a long term client, and create a strong security location.

To make the point clearer, I have ended up with clients that were previously
with better known cryptanalysts, including some worldwide names. These
clients have been told by their previous consultants that their security is
good, but their consultant never told them that it needs reanalysis, they
never encouraged the creation of a business process around it, it was always
"Ask me when you have questions." I did not poach these clients, they left
their previous consultants, and found me through referrals. These
relationships are extremely profitable for me, for many reasons; I actually
cost less than their prior consultants, but I make more, because everything
is done quickly, efficiently, and effectively.

This security process builds stronger security, and while I admit I am still
rarely asked about phishing, and even rarer is my advice listened to, my
clients are rarely successfully hacked, and have lower than average losses.

Our biggest problem is that we view the security process as distinct from
business processes. I truly wish I could make the Sarbanes-Oxley 2002
(http://news.findlaw.com/hdocs/docs/gwbush/sarbanesoxley072302.pdf) act
required reading for every security consultant, because it demonstrates very
much that proper security consulting is actually a business process.

Getting back to the topic, by doing this we can help them move from the
dick swinging phase to a best practices security infrastructure used
accurately and appropriately. We also need to start putting our money where
our mouth is, I've seen too many security consultants whose primary job
was to sell the add-on services available from their employer, instead we
need to follow 

Re: Question on the state of the security industry

2004-07-01 Thread Steve Furlong
On Wed, 2004-06-30 at 06:49, Ian Grigg wrote:

 Here's my question - is anyone in the security
 field of any sort of repute being asked about
 phishing, consulted about solutions, contracted
 to build?  Anything?

Nothing here. Spam is the main concern on people's minds, so far as I
can tell. Please note, though, that I'm not specifically a computer
security consultant but rather a broad-spectrum computer consultant who
does some security work and a private security guy who does some
computer work.

Topical anecdote: my last full-time but short-term consulting* gig was
at a bank. You know, money and stuff. Computer security in the
development shop consisted of telling the programmers to run NAV daily.
They used Outlook for email, with no filters on incoming mail that I
could track down. I did some minor testing from my home system. Didn't
send myself any viruses, but I did send a few executable attachments.
They all made it through.

* Not really consulting. They wanted a warm-body programmer, and not
only ignored the process improvement suggestions I was putatively hired
to provide, but seemed offended that I had suggestions to make at all.


-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
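Furlong's test above, turned into the check a mail gateway could have run (an added example, not code from the post): parse a message and flag attachments that are executable either by file extension or by file header, so a binary renamed to .txt is caught as well. The extension list, the magic-byte list and the sample message are constructed for the illustration.

```python
import email
import os
from email import policy
from email.message import EmailMessage

# Minimal illustrative lists, not a complete policy: extensions Windows runs
# directly, and the leading bytes of PE ("MZ") and ELF executables.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs"}
EXECUTABLE_MAGIC = (b"MZ", b"\x7fELF")


def build_sample():
    """Constructed sample: a text note, a PE file renamed to .txt, and a .exe."""
    msg = EmailMessage()
    msg["From"] = "sender@example.test"
    msg["To"] = "dev@example.test"
    msg["Subject"] = "report"
    msg.set_content("See attached.")
    msg.add_attachment("just notes", filename="notes.txt")
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 60, maintype="application",
                       subtype="octet-stream", filename="report.txt")
    msg.add_attachment(b"echo hi", maintype="application",
                       subtype="octet-stream", filename="tool.exe")
    return msg.as_bytes()


def find_executable_attachments(raw):
    """Return (filename, reason) for every attachment that looks executable."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    flagged = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        ext = os.path.splitext(name.lower())[1]
        if ext in EXECUTABLE_EXTENSIONS:
            flagged.append((name, "extension"))
        elif payload.startswith(EXECUTABLE_MAGIC):   # renamed binaries
            flagged.append((name, "magic"))
    return flagged


if __name__ == "__main__":
    for name, reason in find_executable_attachments(build_sample()):
        print(f"blocked {name!r}: executable by {reason}")
```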


[Publicity-list]: DIMACS Workshop on Mobile and Wireless Security

2004-07-01 Thread Linda Casals

*** CALL FOR PAPERS ***

DIMACS Workshop on Mobile and Wireless Security

November 3 - 5, 2004
DIMACS Center, Rutgers University, Piscataway, NJ

Organizers: 
  Bill Arbaugh, University of Maryland, [EMAIL PROTECTED] 
 
Presented under the auspices of the Special Focus on Communication
Security and Information Privacy.



The rapid growth of both voice and data wireless communications has
resulted in several serious security problems in both the voice and 
data spaces. Unfortunately, many of the early security mistakes made 
with wireless voice communications were repeated with data
communications, i.e. the use of flawed authentication and
confidentiality algorithms. For example, the standards committee for 
802.11 left many of the difficult security issues such as key
management and a robust authentication mechanism as open problems. 
This has led many organizations to use either a permanent fixed
cryptographic variable or no encryption with their wireless networks. 
Since wireless networks provide an adversary a network access point
that is beyond the physical security controls of the organization, 
security can be a problem. Similarly, attacks against WEP, the
link-layer security protocol for 802.11 networks can exploit design 
failures to successfully attack such networks. This workshop will 
focus on addressing the many outstanding issues that remain in
wireless cellular and WLAN networking such as (but not limited to):
Management and monitoring; ad-hoc trust establishment; secure roaming
between overlay networks; availability and denial of service
mitigation; and network and link layer security protocols. We will 
seek to extend work on ad hoc networking from a non-adversarial
setting, assuming a trusted environment, to a more realistic setting
in which an adversary may attempt to disrupt communication. We will
investigate a variety of approaches to securing ad hoc networks, in 
particular ways to take advantage of their inherent redundancy 
(multiple routes between nodes), replication, and new cryptographic 
schemes such as threshold cryptography.

**

Call for Participation:

Advances in wireless technology as well as several other areas are
changing the way the world does business and as a result computing is
becoming more mobile, and users are demanding continuous access to the
Internet. At the same time, the number of devices with embedded
networking technology is growing exponentially, from boxes with RFID
tags to Wi-Fi capable refrigerators, and these devices destroy the notion
of a static defensive perimeter. Furthermore, these trends make the ease of
use and management of wireless based networks more important since
naïve consumers in the future will be establishing and using
wireless networks on a scale significantly larger than today. This
workshop will focus on identifying the current and future problems in
wireless security and privacy and discuss possible solutions.

The three day workshop will be organized around a series of talks on
subjects related to mobility, wireless, and security and privacy
technologies. There will be a mix between invited talks and talks
selected from extended abstracts with plenty of discussion time
between talks.

Authors are encouraged to submit an extended abstract on any topic
related to wireless and mobile security. Example topics of interest
are Interworking security, mesh network security, sensor network
security, the privacy of RFID networks, and the security of community
networks. These topics are examples only and authors are encouraged to
submit extended abstracts on other topics related to the workshop as
long as the abstract is of a technical and research nature. Authors
are also encouraged to submit early work, and new or outlandish ideas
as the primary goal of the workshop is to allow researchers from the
networking and security communities to meet in a workshop environment
where ideas can be exchanged and discussed in an inter-disciplinary
environment.

Authors should submit a two page extended abstract in a font no less
than 11pt with reasonable margins by midnight (Eastern time) 
September 1, 2004. Submission instructions will be posted at
http://www.missl.cs.umd.edu/dimacs-workshop.

**
Registration:

Pre-registration deadline: October 27, 2004

Please see website for registration information.

*
Information on participation, registration, accommodations, and travel 
can be found at:

http://dimacs.rutgers.edu/Workshops/MobileWireless/

**PLEASE BE SURE TO PRE-REGISTER EARLY**






US Court says no privacy in wiretap law

2004-07-01 Thread William Allen Simpson
Switches, routers, and any intermediate computers are fair game for 
warrantless wiretaps.

That is, at any time (the phrase seconds or mili-seconds [sic]) that 
the transmission is not actually on a wire.

Most important, read the very nicely written dissent.  The dissenting 
judge used the correct terms, referenced RFCs, and in general knew what 
he was talking about -- unlike the 2:1 majority!

http://www.ca1.uscourts.gov/pdf.opinions/03-1383-01A.pdf
  ... Under Councilman's narrow interpretation of the Act, the 
  Government would no longer need to obtain a court-authorized wiretap 
  order to conduct such surveillance. This would effectuate a dramatic 
  change in Justice Department policy and mark a significant reduction 
  in the public's right to privacy. 

  Such a change would not, however, be limited to the interception 
  of e-mails. Under Councilman's approach, the government would be free 
  to intercept all wire and electronic communications that are in 
  temporary electronic storage without having to comply with the Wiretap 
  Act's procedural protections. That means that the Government could 
  install taps at telephone company switching stations to monitor phone 
  conversations that are temporarily stored in electronic routers 
  during transmission. 
  [page 51-52]

As this is a US Court of Appeals, it sets precedent that other courts 
will use, and directly applies to all ISPs in the NE US.
-- 
William Allen Simpson
Key fingerprint =  17 40 5E 67 15 6F 31 26  DD 0D B9 9B 6A 15 2C 32



Re: authentication and authorization (was: Question on the state of the security industry)

2004-07-01 Thread John Denker
Ian Grigg wrote:
The phishing thing has now reached the mainstream,
epidemic proportions that were feared and predicted
in this list over the last year or two. 
OK.
  For the first
time we are facing a real, difficult security
problem.  And the security experts have shot
their wad.
The object of phishing is to perpetrate so-called identity
theft, so I must begin by objecting to that concept on two
different grounds.
1) For starters, identity theft is a misnomer.  My identity
is my identity, and cannot be stolen.  The current epidemic
involves something else, namely theft of an authenticator ...
or, rather, breakage of a lame attempt at an authentication
and/or authorization scheme.  See definitions and discussions
in e.g. _Handbook of Applied Cryptography_
  http://www.cacr.math.uwaterloo.ca/hac/about/chap10.pdf
I don't know of any security experts who would think for a
moment that a reusable sixteen-digit number and nine-digit
number (i.e. credit-card and SSN) could constitute a sensible
authentication or authorization scheme.
2) Even more importantly, the whole focus on _identity_ is
pernicious.  For the vast majority of cases in which people
claim to want ID, the purpose would be better served by
something else, such as _authorization_.  For example,
when I walk into a seedy bar in a foreign country, they can
reasonably ask for proof that I am authorized to do so,
which in most cases boils down to proof of age.  They do
*not* need proof of my car-driving privileges, they do not
need my real name, they do not need my home address, and
they really, really, don't need some ID number that some
foolish bank might mistake for sufficient authorization to
withdraw large sums of money from my account.  They really,
really, reeeally don't need other information such as what
SCI clearances I hold, what third-country visas I hold, my
medical history, et cetera.  I could cite many additional
colorful examples, but you get the idea:  The more info is
linked to my ID (either by writing it on the ID card or
by linking databases via ID number) the _less_ secure
everything becomes.  Power-hungry governments and power-
hungry corporations desire such linkage, because it makes
me easier to exploit ... but any claim that such linkable
ID is needed for _security_ is diametrically untrue.
===
Returning to:
  For the first
 time we are facing a real, difficult security
 problem.  And the security experts have shot
 their wad.
I think a better description is that banks long ago
deployed a system that was laughably insecure.  (They got
away with it for years ... but that's irrelevant.)  Now
that there is widespread breakage, they act surprised, but
none of this should have come as a surprise to anybody,
expert or otherwise.
Now banks and their customers are paying the price.  As
soon as the price to the banks gets a little higher, they
will deploy a more-secure payment authorization scheme,
and the problem will go away.
(Note that I didn't say ID scheme.  I don't care who
knows my SSN and other ID numbers ... so long as they
cannot use them to steal stuff.  And as soon as there
is no value in knowing ID numbers, people will stop
phishing for them.)
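An added illustration of Denker's closing point (example code, not from his post or from any real payment system): the same purchase authorized by a reusable card number versus by a one-time code bound to payee, amount and a fresh nonce, showing that a captured code cannot be replayed or redirected. The scheme, names and message format are assumptions made for the demonstration.

```python
import hashlib
import hmac
import secrets

# Constructed illustration (not a real payment scheme): compare a reusable
# "card number" authenticator with a per-transaction authorization code.

CARD_NUMBER = "4111111111111111"       # sample value; known to anyone who phished it
CARD_SECRET = secrets.token_bytes(32)  # assumed to live only on the card and at the issuer


def static_authorize(presented_number, payee, amount):
    """Issuer check when knowing the number is all it takes: payee and amount are ignored."""
    return presented_number == CARD_NUMBER


def make_code(secret, payee, amount, nonce):
    """Cardholder side: bind the code to this payee, this amount and a fresh nonce."""
    msg = f"{payee}|{amount}|{nonce}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


class Issuer:
    """Issuer side: verify the binding and refuse any nonce redeemed before."""

    def __init__(self, secret):
        self.secret = secret
        self.redeemed = set()

    def authorize(self, payee, amount, nonce, code):
        expected = make_code(self.secret, payee, amount, nonce)
        if not hmac.compare_digest(expected, code):
            return False   # wrong secret, or payee/amount altered after the code was made
        if nonce in self.redeemed:
            return False   # genuine code replayed for a second charge
        self.redeemed.add(nonce)
        return True


def demo():
    # Static scheme: a phished number authorizes an arbitrary charge anywhere.
    static_ok = static_authorize(CARD_NUMBER, "attacker-shop", 5000)
    # Bound scheme: a code captured in transit is worthless to anyone else.
    issuer = Issuer(CARD_SECRET)
    nonce = secrets.token_hex(8)
    code = make_code(CARD_SECRET, "grocer", 42, nonce)
    genuine = issuer.authorize("grocer", 42, nonce, code)
    altered = issuer.authorize("attacker-shop", 5000, nonce, code)
    replayed = issuer.authorize("grocer", 42, nonce, code)
    return static_ok, genuine, altered, replayed
```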