Re: Question on the state of the security industry (second half not necessarily on topic)
----- Original Message -----
From: Ian Grigg [EMAIL PROTECTED]
Subject: Question on the state of the security industry

> Here's my question - is anyone in the security field of any sort of repute being asked about phishing, consulted about solutions, contracted to build? Anything?

I am continually asked about spam, and I personally treat phishing as a subset of it, but I have seen virtually no interest in correcting the problem. I have personally been told I don't even know how many times that phishing is not an issue. I personally know it's an issue because between my accounts I receive ~3-5 phishing attempts/day, and the scams apparently account for a major portion of the GNP of many small countries.

> Or, are security professionals as a body being totally ignored in the first major financial attack that belongs totally to the Internet?
>
> What I'm thinking of here is Scott's warning of last year:
>
> Subject: Re: Maybe It's Snake Oil All the Way Down
>
> At 08:32 PM 5/31/03 -0400, Scott wrote:
> ...
>> When I drill down on the many pontifications made by computer security and cryptography experts all I find is given wisdom. Maybe the reason that folks roll their own is because as far as they can see that's what everyone does. Roll your own then whip out your dick and start swinging around just like the experts.
>
> I think we have that situation. For the first time we are facing a real, difficult security problem. And the security experts have shot their wad.
>
> Comments?

In large part that's the way it looks to me as well. We have an effectively impotent security community, because all the solutions we've ever made either didn't work, or worked too well. We basically have two types of security solutions: the ones that are referred to as "That doesn't work, we had it and it did everything it shouldn't have" and those that result in "I don't think it works, but I can't be sure because we were never attacked."
The SSL/TLS protocol is an example of this second type; I am unaware of any blackhats that bother attacking SSL/TLS because they simply assume it is impenetrable. At the same time we have the situation where Windows is continually not because it is less secure than the others, but because it is _believed_ to be less secure than the others, so the Windows security is clearly of the first type.

The biggest problem I've seen is that we're dealing with generally undereducated people as far as security goes. We need to start selling that we facilitate a business process, and that because of this all you will see are the failures; the successes are almost always invisible. Also, as with all business processes, there is never a final state; it must be often reanalyzed and revised. This puts us in a rather strange situation, where something that I have always offered becomes important: we become an outsourced analyst, almost an auditor situation. To build this properly the security model that is constructed needs to be built to include emergency thresholds and revision timeframes. By supporting the security process as a business process it allows the concepts to more easily permeate the CXO offices, which means that you are far more likely to make more money, build a long term client, and create a strong security location.

To make the point clearer, I have ended up with clients that were previously with better known cryptanalysts, including some worldwide names. These clients have been told by their previous consultants that their security is good, but their consultant never told them that it needs reanalysis; they never encouraged the creation of a business process around it, it was always "Ask me when you have questions." I did not poach these clients; they left their previous consultants, and found me through referrals.

These relationships are extremely profitable for me, for many reasons; I actually cost less than their prior consultants, but I make more, because everything is done quickly, efficiently, and effectively. This security process builds stronger security, and while I admit I am still rarely asked about phishing, and even rarer is my advice listened to, my clients are rarely successfully hacked, and have lower than average losses.

Our biggest problem is that we view the security process as distinct from business processes. I truly wish I could make the Sarbanes-Oxley 2002 act (http://news.findlaw.com/hdocs/docs/gwbush/sarbanesoxley072302.pdf) required reading for every security consultant, because it demonstrates very much that proper security consulting is actually a business process.

Getting back to the topic, by doing this we can help them move from the dick swinging phase to a best practices security infrastructure used accurately and appropriately. We also need to start putting our money where our mouth is; I've seen too many security consultants whose primary job was to sell the add-on services available from their employer, instead we need to follow
Re: Question on the state of the security industry
On Wed, 2004-06-30 at 06:49, Ian Grigg wrote:

> Here's my question - is anyone in the security field of any sort of repute being asked about phishing, consulted about solutions, contracted to build? Anything?

Nothing here. Spam is the main concern on people's minds, so far as I can tell. Please note, though, that I'm not specifically a computer security consultant but rather a broad-spectrum computer consultant who does some security work and a private security guy who does some computer work.

Topical anecdote: my last full-time but short-term consulting* gig was at a bank. You know, money and stuff. Computer security in the development shop consisted of telling the programmers to run NAV daily. They used Outlook for email, with no filters on incoming mail that I could track down. I did some minor testing from my home system. Didn't send myself any viruses, but I did send a few executable attachments. They all made it through.

* Not really consulting. They wanted a warm-body programmer, and not only ignored the process improvement suggestions I was putatively hired to provide, but seemed offended that I had suggestions to make at all.

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
[Publicity-list]: DIMACS Workshop on Mobile and Wireless Security
*** CALL FOR PAPERS ***

DIMACS Workshop on Mobile and Wireless Security
November 3 - 5, 2004
DIMACS Center, Rutgers University, Piscataway, NJ

Organizers: Bill Arbaugh, University of Maryland, [EMAIL PROTECTED]

Presented under the auspices of the Special Focus on Communication Security and Information Privacy.

The rapid growth of both voice and data wireless communications has resulted in several serious security problems in both the voice and data spaces. Unfortunately, many of the early security mistakes made with wireless voice communications were repeated with data communications, i.e. the use of flawed authentication and confidentiality algorithms. For example, the standards committee for 802.11 left many of the difficult security issues such as key management and a robust authentication mechanism as open problems. This has led many organizations to use either a permanent fixed cryptographic variable or no encryption with their wireless networks. Since wireless networks provide an adversary a network access point that is beyond the physical security controls of the organization, security can be a problem. Similarly, attacks against WEP, the link-layer security protocol for 802.11 networks, can exploit design failures to successfully attack such networks.

This workshop will focus on addressing the many outstanding issues that remain in wireless cellular and WLAN networking such as (but not limited to): management and monitoring; ad-hoc trust establishment; secure roaming between overlay networks; availability and denial of service mitigation; and network and link layer security protocols. We will seek to extend work on ad hoc networking from a non-adversarial setting, assuming a trusted environment, to a more realistic setting in which an adversary may attempt to disrupt communication. We will investigate a variety of approaches to securing ad hoc networks, in particular ways to take advantage of their inherent redundancy (multiple routes between nodes), replication, and new cryptographic schemes such as threshold cryptography.

** Call for Participation:

Advances in wireless technology as well as several other areas are changing the way the world does business and as a result computing is becoming more mobile, and users are demanding continuous access to the Internet. At the same time, the number of devices with embedded networking technology is growing exponentially--from boxes with RFID tags to Wi-Fi capable refrigerators since they destroy the notion of a static defensive perimeter. Furthermore, these trends make the ease of use and management of wireless based networks more important since naïve consumers in the future will be establishing and using wireless networks on a scale significantly larger than today.

This workshop will focus on identifying the current and future problems in wireless security and privacy and discuss possible solutions. The three day workshop will be organized around a series of talks on subjects related to mobility, wireless, and security and privacy technologies. There will be a mix between invited talks and talks selected from extended abstracts with plenty of discussion time between talks.

Authors are encouraged to submit an extended abstract on any topic related to wireless and mobile security. Example topics of interest are interworking security, mesh network security, sensor network security, the privacy of RFID networks, and the security of community networks. These topics are examples only and authors are encouraged to submit extended abstracts on other topics related to the workshop as long as the abstract is of a technical and research nature. Authors are also encouraged to submit early work, and new or outlandish ideas, as the primary goal of the workshop is to allow researchers from the networking and security communities to meet in a workshop environment where ideas can be exchanged and discussed in an inter-disciplinary environment.

Authors should submit a two page extended abstract in a font no less than 11pt with reasonable margins by midnight (Eastern time) September 1, 2004. Submission instructions will be posted at http://www.missl.cs.umd.edu/dimacs-workshop.

** Registration:

Pre-registration deadline: October 27, 2004
Please see website for registration information.

* Information on participation, registration, accommodations, and travel can be found at:
http://dimacs.rutgers.edu/Workshops/MobileWireless/

**PLEASE BE SURE TO PRE-REGISTER EARLY**
US Court says no privacy in wiretap law
Switches, routers, and any intermediate computers are fair game for warrantless wiretaps. That is, at any time (the phrase "seconds or mili-seconds" [sic]) that the transmission is not actually on a wire.

Most important, read the very nicely written dissent. The dissenting judge used the correct terms, referenced RFCs, and in general knew what he was talking about -- unlike the 2:1 majority!

http://www.ca1.uscourts.gov/pdf.opinions/03-1383-01A.pdf

> ... Under Councilman's narrow interpretation of the Act, the Government would no longer need to obtain a court-authorized wiretap order to conduct such surveillance. This would effectuate a dramatic change in Justice Department policy and mark a significant reduction in the public's right to privacy. Such a change would not, however, be limited to the interception of e-mails. Under Councilman's approach, the government would be free to intercept all wire and electronic communications that are in temporary electronic storage without having to comply with the Wiretap Act's procedural protections. That means that the Government could install taps at telephone company switching stations to monitor phone conversations that are temporarily stored in electronic routers during transmission. [page 51-52]

As this is a US Court of Appeals, it sets precedent that other courts will use, and directly applies to all ISPs in the NE US.

--
William Allen Simpson
Key fingerprint = 17 40 5E 67 15 6F 31 26 DD 0D B9 9B 6A 15 2C 32
Re: authentication and authorization (was: Question on the state of the security industry)
Ian Grigg wrote:

> The phishing thing has now reached the mainstream, epidemic proportions that were feared and predicted in this list over the last year or two.

OK.

> For the first time we are facing a real, difficult security problem. And the security experts have shot their wad.

The object of phishing is to perpetrate so-called identity theft, so I must begin by objecting to that concept on two different grounds.

1) For starters, "identity theft" is a misnomer. My identity is my identity, and cannot be stolen. The current epidemic involves something else, namely theft of an authenticator ... or, rather, breakage of a lame attempt at an authentication and/or authorization scheme. See definitions and discussions in e.g. _Handbook of Applied Cryptography_ http://www.cacr.math.uwaterloo.ca/hac/about/chap10.pdf

I don't know of any security experts who would think for a moment that a reusable sixteen-digit number and nine-digit number (i.e. credit-card and SSN) could constitute a sensible authentication or authorization scheme.

2) Even more importantly, the whole focus on _identity_ is pernicious. For the vast majority of cases in which people claim to want ID, the purpose would be better served by something else, such as _authorization_. For example, when I walk into a seedy bar in a foreign country, they can reasonably ask for proof that I am authorized to do so, which in most cases boils down to proof of age. They do *not* need proof of my car-driving privileges, they do not need my real name, they do not need my home address, and they really, really, don't need some ID number that some foolish bank might mistake for sufficient authorization to withdraw large sums of money from my account. They really, really, reeeally don't need other information such as what SCI clearances I hold, what third-country visas I hold, my medical history, et cetera.

I could cite many additional colorful examples, but you get the idea: The more info is linked to my ID (either by writing it on the ID card or by linking databases via ID number) the _less_ secure everything becomes. Power-hungry governments and power-hungry corporations desire such linkage, because it makes me easier to exploit ... but any claim that such linkable ID is needed for _security_ is diametrically untrue.

===

Returning to:

> For the first time we are facing a real, difficult security problem. And the security experts have shot their wad.

I think a better description is that banks long ago deployed a system that was laughably insecure. (They got away with it for years ... but that's irrelevant.) Now that there is widespread breakage, they act surprised, but none of this should have come as a surprise to anybody, expert or otherwise. Now banks and their customers are paying the price. As soon as the price to the banks gets a little higher, they will deploy a more-secure payment authorization scheme, and the problem will go away. (Note that I didn't say ID scheme. I don't care who knows my SSN and other ID numbers ... so long as they cannot use them to steal stuff. And as soon as there is no value in knowing ID numbers, people will stop phishing for them.)
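As an added illustration of the distinction the reply above draws between a reusable authenticator and a per-payment authorization (example code written for this page, not from anyone in the thread; the two toy banks, the account name, the card number and the HMAC-over-nonce scheme are constructed assumptions):

```python
import hashlib, hmac, secrets

class CardNumberBank:
    # Scheme 1: the reusable 16-digit number is the whole authenticator.
    def __init__(self, balances):
        self.balances = dict(balances)  # card number -> balance
    def pay(self, card_number, payee, amount):
        # Anyone who has seen the number once can spend from the account.
        if self.balances.get(card_number, 0) < amount:
            return False
        self.balances[card_number] -= amount
        return True

def authorize(key, acct, payee, amount, nonce):
    # Customer side: a one-time authorization bound to payee, amount and nonce.
    msg = f"{acct}|{payee}|{amount}|{nonce}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

class AuthorizationBank:
    # Scheme 2: the bank honours only a fresh tag bound to exactly this payment.
    def __init__(self, accounts):  # acct -> (balance, key shared with customer device)
        self.balances = {a: bal for a, (bal, _) in accounts.items()}
        self.keys = {a: key for a, (_, key) in accounts.items()}
        self.seen = set()  # (acct, nonce) pairs already honoured
    def pay(self, acct, payee, amount, nonce, tag):
        key = self.keys.get(acct)
        if key is None or (acct, nonce) in self.seen:
            return False  # unknown account or replayed authorization
        expected = authorize(key, acct, payee, amount, nonce)
        if not hmac.compare_digest(tag, expected):
            return False  # payee, amount or nonce differs from what was authorized
        if self.balances[acct] < amount:
            return False
        self.seen.add((acct, nonce))
        self.balances[acct] -= amount
        return True

def demo():
    # Constructed sample values; returns (number_reused, tag_ok, tag_replayed, tag_altered).
    card = "4111111111111111"
    bank1 = CardNumberBank({card: 100})
    number_reused = bank1.pay(card, "phisher", 50)  # a phished number still spends
    key = secrets.token_bytes(32)  # secret shared by customer device and bank
    bank2 = AuthorizationBank({"acct-1": (100, key)})
    nonce = secrets.token_hex(8)
    tag = authorize(key, "acct-1", "grocer", 10, nonce)
    tag_ok = bank2.pay("acct-1", "grocer", 10, nonce, tag)
    tag_replayed = bank2.pay("acct-1", "grocer", 10, nonce, tag)  # same tag again
    tag_altered = bank2.pay("acct-1", "phisher", 50, nonce + "x", tag)  # tag redirected
    return number_reused, tag_ok, tag_replayed, tag_altered
```

A captured tag is worthless to a phisher in the second scheme: replaying it fails on the nonce check and redirecting it fails on the MAC, which is the sense in which "there is no value in knowing" the number.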