Re: Citibank discloses private information to improve security
But from your point, the codeword would be in the clear as well. Respectively speaking, I don't see how either solution would solve this.

Ed Gerck wrote:

> List,
>
> In an effort to stop phishing emails, Citibank is including in a plaintext email the full name of the account holder and the last four digits of the ATM card. Not only are these personal identifiers sent in an insecure communication, such use is not authorized by the person they identify. Therefore, I believe that some points need to be made in regard to right to privacy and security expectations.
>
> It's the usual tactic of pushing the liability to the user. The account holder gets the full liability for the security procedure used by the bank.
>
> A better solution, along the same lines, would have been for Citibank to ask from their account holders when they login for Internet banking, whether they would like to set up a three- or four-character combination to be used in all emails from the bank to the account holder. This combination would not be static, because it could be changed by the user at will, and would not identify the user in any other way.
>
> Private, identifying information of customers has been used before by banks for customer login. The account holder's name, the ATM card number, the account number, and the SSN have all been used, and abandoned, for Internet banking login. Why? Because of the increased exposure creating additional risks.
>
> Now, with the unilateral disclosure by Citibank of the account holder's name as used in the account and the last four digits of the ATM number, Citibank is backtracking its own advances in user login (when they abandoned those identifiers).
>
> Of course, banks consider the ATM card their property, as well as the number they contain. However, the ATM card number is a unique personal identifier and should not be disclosed in a plaintext email without authorization.
>
> A much better solution (see above) exists, even using plaintext email -- use a codeword that is agreed beforehand with the user. This would be a win-win solution, with no additional privacy and security risk.
>
> Or is email becoming even more insecure, with our private information being more and more disclosed by those who should actually guard it, in the name of security?
>
> Cheers,
> Ed Gerck

--
Best Regards,
Lance James
Secure Science Corporation
www.securescience.com
Author of 'Phishing Exposed'
http://www.securescience.net/amazon/
Have Phishers stolen your customers' logins? Find out with DIA
https://slam.securescience.com/signup.cgi - it's free!

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: Citibank discloses private information to improve security
Suppose you choose A4RT as your codeword. The codeword has no privacy concern (it does not identify you) and is dynamic -- you can change it at will, if you suspect someone else got it.

Compare with the other two identifiers that Citibank is using. Your full name is private and static. The ATM's last-four is private and static too (unless you want the burden to change your card often).

Lance James wrote:

> But from your point, the codeword would be in the clear as well. Respectively speaking, I don't see how either solution would solve this.
>
> Ed Gerck wrote:
>
> > List,
> >
> > In an effort to stop phishing emails, Citibank is including in a plaintext email the full name of the account holder and the last four digits of the ATM card.
The Secret Passages In CIA's Backyard Draw Mystery Lovers
http://online.wsj.com/article_print/0,,SB111714148789244402,00.html

The Wall Street Journal, May 27, 2005
PAGE ONE

The Secret Passages In CIA's Backyard Draw Mystery Lovers
'Da Vinci Code' Has Many Trying to Decipher Secret Of the Kryptos Sculpture

By JOHN D. MCKINNON
Staff Reporter of THE WALL STREET JOURNAL
May 27, 2005; Page A1

LANGLEY, Va. -- The big mystery at the Central Intelligence Agency, sitting in a sunny corner of the headquarters courtyard, begins this way: EMUFPHZLRFAXYUSDJKZLDKRNSHGNFIVJ.

That's the first line of the Kryptos sculpture, a 10-foot-tall, S-shaped copper scroll perforated with 3-inch-high letters spelling out words in code. Completed 15 years ago, Kryptos, which is Greek for "hidden," at first attracted interest mainly from government code breakers who quietly deciphered the easier parts without announcing their findings publicly. Now, many mystery lovers around the world have joined members of the national-security establishment in trying to crack the rest. So far, neither amateurs nor pros have been able to do it.

The latest scramble was set off by "The Da Vinci Code," the thriller about a modern-day search for the Holy Grail. On the book's dust jacket, author Dan Brown placed clues that hint at Kryptos's significance. The main one is a set of geographic coordinates that roughly locate the sculpture. (One of the coordinates is off slightly, for reasons that Mr. Brown so far has kept secret.) A game at www.thedavincicode.com suggests that Kryptos is a clue to the subject of Mr. Brown's as-yet-unpublished next novel, "The Solomon Key."

Gary Phillips, 27 years old, a Michigan computer programmer, started researching Kryptos last year, hours after learning about its Da Vinci Code connection. "Once it pulls you in, you just can't stop thinking about it," he says. Eventually, Mr. Phillips says, he let a struggling software business go under and took a construction job so he would have more time for solving Kryptos.

[Photo: The CIA's copper Kryptos sculpture]

The quest to solve the fourth and final passage of Kryptos's message has spawned several Web sites -- including Mr. Phillips's -- as well as an online discussion group that has more than 500 members. The discussion group was founded by Gary Warzin, who heads Audiophile Systems Ltd. in Indianapolis. He became fascinated with Kryptos after visiting the CIA in 2001. But after months of trying to crack the code on his own, Mr. Warzin -- whose other hobbies include escaping from straitjackets -- decided he needed help.

Kryptos devotees are intrigued by the three passages that have been deciphered so far. They appear to offer clues to solving the sculpture's fourth passage, and possibly to locating something buried. Sculptor James Sanborn, Kryptos's creator, says he wrote or adapted all three.

The first reads, "Between subtle shading and the absence of light lies the nuance of iqlusion." Jim Gillogly, a California computer researcher believed to be the first person outside the intelligence world to solve the first three parts, came up with the translation, which includes the deliberate misspelling of the word "illusion."

The second passage, more suggestive, reads in part, "It was totally invisible. How's that possible? They used the Earth's magnetic field. The information was gathered and transmitted undergruund to an unknown location. Does Langley know about this? They should: it's buried out there somewhere." That passage is followed by geographic coordinates that suggest a location elsewhere on the CIA campus.

The third decoded passage is based on a diary entry by archaeologist Howard Carter, on the day in 1922 when he discovered the tomb of the ancient Egyptian King Tutankhamen. It reads in part, "With trembling hands I made a tiny breach in the upper left-hand corner. And then, widening the hole a little, I inserted the candle and peered in. The hot air escaping from the chamber caused the flame to flicker, but presently details of the room within emerged from the mist. Can you see anything?"

Mr. Sanborn confirms that the translations are accurate. In addition to deliberate misspellings, there are letters slightly higher than others on the same line. Other possible clues are contained in smaller parts of the work scattered around the CIA grounds. Made of red granite and sheets of copper, these are tattooed with Morse code that spells out phrases like "virtually invisible" and "t is your position." In addition, a compass needle carved onto one of the rocks is pulled off due north by a lodestone that Mr. Sanborn placed nearby.

Those poring over the puzzle these days are thought to include national-security workers as well as retirees, computer-game players and cryptogram fans. Some devotees believe Kryptos holds profound significance as a portal into the wisdom of the ancients. More typical is Jennifer Bennett, a 27-year-old puzzle aficionado who works as a poker-room supervisor near Seattle. She came across the Kryptos mystery
Re: Citibank discloses private information to improve security
On May 26, 2005, at 13:24, Ed Gerck wrote:

> A better solution, along the same lines, would have been for Citibank to ask from their account holders when they login for Internet banking, whether they would like to set up a three- or four-character combination to be used in all emails from the bank to the account holder.

Why couldn't they just use digitally signed S/MIME email? I'm sure that works just as well as signed SSL handshakes.

Oh. Answered my own question, didn't I?
Re: Citibank discloses private information to improve security
Wells Fargo reported to me some time ago that they tried using digitally signed S/MIME email messages and it did not work even for their _own employees_.

Also, in an effort to make their certs more valuable, CAs have made digitally signed messages imply too much -- much more than they warrant or can even represent. There are now all sorts of legal implications tied to PKI signatures, in my opinion largely exaggerated and casuistic. If someone forges a digitally signed Citibank message, or convincingly spoofs it, the liability might be too large to even think of it.

Using a non-signed codeword that the user has defined beforehand allows the user to have a first proof that the message is legitimate. Since the user chooses it, there is no privacy concern or liability for the bank. Of course, here trust decreases with time -- a fresh codeword is more valuable. But if the user can refresh it at will, each user will have the security that he wants.

Matt Crawford wrote:

> On May 26, 2005, at 13:24, Ed Gerck wrote:
>
> > A better solution, along the same lines, would have been for Citibank to ask from their account holders when they login for Internet banking, whether they would like to set up a three- or four-character combination to be used in all emails from the bank to the account holder.
>
> Why couldn't they just use digitally signed S/MIME email? I'm sure that works just as well as signed SSL handshakes.
>
> Oh. Answered my own question, didn't I?
Re: Citibank discloses private information to improve security
On 26 May 2005 at 11:24, Ed Gerck wrote:

> A better solution, along the same lines, would have been for Citibank to ask from their account holders when they login for Internet banking, whether they would like to set up a three- or four-character combination to be used in all emails from the bank to the account holder. This combination would not be static, because it could be changed by the user at will, and would not identify the user in any other way.

An even better solution would be if email clients silently did key continuity checking on a signature hidden in the email headers, if such a header is present, and then popped up an SSH style dialog if an accustomed key is absent or changed.

With bank web sites, experience has shown that only 0.3% of users are deterred by an invalid certificate, probably because very few users have any idea what a certificate authority is, what it does, or why they should care. (And if you have seen the experts debating what a certificate authority is and what it certifies, chances are that those few who think they know are wrong.)

Do we have any comparable experience on SSH logins? Existing SSH uses tend to be geek oriented, and do not secure stuff that is under heavy attack. Does anyone have any examples of SSH securing something that was valuable to the user, under attack, and then the key changed without warning? How then did the users react?

--
James A. Donald
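The SSH-style key continuity check James Donald sketches, as an added example (not code from any poster on this thread): a sender signs the fields a phisher would have to spoof and carries its public key plus signature in a hidden header, and the client keeps a known_hosts-like table keyed by sender address, recording the key on first sight and flagging a later message that is validly signed under a different key. The header name X-Continuity-Sig, the Ed25519 choice and the sample addresses are assumptions of this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"strings"
)

// Verdict is what the mail client would show the user, known_hosts style.
type Verdict int

const (
	Unsigned   Verdict = iota // no continuity header: the message makes no claim
	FirstSeen                 // first mail from this sender: key recorded (TOFU)
	Continuity                // verified under the key remembered for this sender
	KeyChanged                // valid signature, but not under the remembered key
	BadSig                    // header present but malformed or does not verify
)

// Mail holds the fields this example signs plus the headers carrying the signature.
type Mail struct{ From, Subject, Body string; Headers map[string]string }

const hdr = "X-Continuity-Sig" // hypothetical header name, an assumption of this example

// canonical is the byte string under signature: the fields a phisher would have to spoof.
func canonical(m Mail) []byte { return []byte(m.From + "\n" + m.Subject + "\n" + m.Body) }

// GenKey creates a sender key pair; the private half never leaves the sender.
func GenKey() ed25519.PrivateKey { _, priv, _ := ed25519.GenerateKey(rand.Reader); return priv }

// Sign adds "<base64 pubkey>:<base64 signature>" as the hidden header.
func Sign(m *Mail, priv ed25519.PrivateKey) {
	pub := priv.Public().(ed25519.PublicKey)
	sig := ed25519.Sign(priv, canonical(*m))
	m.Headers[hdr] = base64.StdEncoding.EncodeToString(pub) + ":" + base64.StdEncoding.EncodeToString(sig)
}

// Client maps each From address to the first key seen for it, like ~/.ssh/known_hosts.
type Client map[string]ed25519.PublicKey

// Check is the silent continuity test; KeyChanged is where the SSH-style dialog belongs.
func (c Client) Check(m Mail) Verdict {
	h, ok := m.Headers[hdr]
	if !ok { return Unsigned }
	parts := strings.SplitN(h, ":", 2)
	if len(parts) != 2 { return BadSig }
	pub, err1 := base64.StdEncoding.DecodeString(parts[0])
	sig, err2 := base64.StdEncoding.DecodeString(parts[1])
	if err1 != nil || err2 != nil || len(pub) != ed25519.PublicKeySize ||
		!ed25519.Verify(ed25519.PublicKey(pub), canonical(m), sig) { return BadSig }
	if old, seen := c[m.From]; seen {
		if old.Equal(ed25519.PublicKey(pub)) { return Continuity }
		return KeyChanged // same sender address, different key: warn before trusting
	}
	c[m.From] = ed25519.PublicKey(pub) // trust on first use
	return FirstSeen
}
```

Note that the first message from a sender is accepted on faith, exactly as with SSH; the scheme only detects a change after that, which is why the question of how users react to a changed-key warning matters.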
Re: Microsoft info-cards to use blind signatures?
Yes, but the other context from the related group of blog postings is Kim Cameron's (Microsoft) laws of identity [1], which this comment is made in the context of. It is relatively hard to see how one could implement an identity system meeting the stated laws without involving blind signatures of some form...

Adam

[1] http://www.identityblog.com/stories/2005/05/13/TheLawsOfIdentity.html

On Sat, May 21, 2005 at 11:17:04AM -0700, David Wagner wrote:

> > http://www.idcorner.org/index.php?p=88
> > The Identity Corner
> > Stephan Brands
> >
> > I am genuinely excited about this development, if it can be taken as an indication that Microsoft is getting serious about privacy by design for identity management. That is a big if, however: indeed, the same Microsoft researcher who came up with the patent (hello Dan!) was also responsible for Microsoft e-cash patent no. 5,768,385 that was granted in 1998 but was never pursued.
>
> What a strange criticism of Microsoft! Here is something to know about patents: many companies file patents all the time. That doesn't mean they are committing to build a product around every patent they file. The fact that Microsoft hasn't pursued patent 5,768,385 tells you essentially nothing about what they are going to do with this patent. I wouldn't take patent filings as an indicator of intent or of future business strategy.
Trojan horse attack involving many major Israeli companies, executives
Possibly the most visible Trojan attack was just exposed by the Israeli police. The Trojan was written (apparently) by an Israeli programmer, living in Europe in the last few years. It was planted in many Israeli companies, such as the major cellular companies. There were conflicting reports so far on the distribution method, and it may have used several, such as a program sent by e-mail or on CD to the company.

The scheme had three layers: the programmer; several `private investigation` companies (including the largest in Israel!); and the customers (including many high-profile Israeli companies). The victims were also many leading Israeli companies. A lot of confidential documents were disclosed (via FTP to several servers, from which the customers downloaded the documents).

This is a story worth a movie, really, since there is also a personal and media issue here... This whole thing was discovered not by any of the victim companies, but by a different victim: a well-known couple who wrote a `psychology-thriller`. The wife is the more well known; she is the host of an extremely popular (and controversial) talk-radio show, consulting listeners on different personal problems. This couple were apparently targeted by the Trojan for personal reasons; the programmer is their ex-son-in-law...

See more info e.g. at http://www.haaretz.com/hasen/spages/581790.html

--
Best regards,
Amir Herzberg
Associate Professor
Department of Computer Science
Bar Ilan University
http://AmirHerzberg.com
New: see my Hall Of Shame of Unprotected Login pages: http://AmirHerzberg.com/shame.html