Re: VoIP and phishing
> "mis" == mis <[EMAIL PROTECTED]> writes:

mis> does anyone know if [real-]time ANI from
mis> toll free services is still unspoofable?

No, in general it is not unspoofable. But you probably need the gateway into the PSTN to use SS7 and IMT trunks; and that probably means a CLEC license in the US, or similar elsewhere. That presumably means more substantial civil and criminal penalties for spoofing with criminal intent, not to mention the potential loss of the operating license for doing so. So although it is certainly doable, it'll be expensive and likely beyond the means of small-time players.

In short, if you have direct SS7 access, there isn't much you cannot do to screw over other providers and their customers. Hence all of the rules and regs for getting such access.

-JimC

--
James H. Cloos, Jr. <[EMAIL PROTECTED]>

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: VoIP and phishing
On Thu, Apr 27, 2006 at 01:12:43PM -0700, [EMAIL PROTECTED] wrote:
> so if you are counting on the calling party being who they say they are,
> or even within your company, based on callerid, don't.
>
> does anyone know if time ANI from toll free services is still unspoofable?

make that "real-time ANI"
Re: VoIP and phishing
| the other point that should be made about voip is that callerid is
| trivial to spoof.
|
| so if you are counting on the calling party being who they say they
| are, or even within your company, based on callerid, don't.
|
| i predict a round of targeted attacks on help desks and customer
| service, as well as more general scams with callerid set to (say)
| "Visa Security".

To open a trouble ticket with IT where I work, you go to a Web page; or, if you have problems using the network, you can use the phone. When the phone is replaced by one that uses VoIP, just how will one report network outages? I can't wait.

| does anyone know if time ANI from toll free services is still
| unspoofable?

The last I heard, it was fairly easy to *suppress* ANI (using games that redirected calls the network saw as going to toll-free numbers), but still difficult to *spoof* it. Since ANI drives Telco billing - unlike Caller ID, which is simply delivered to customers - the Telcos have an interest in making it difficult to fake. On the other hand, LD revenues have been falling for years, so the funding to attack LD fraud has probably been falling, too - given how many people now have "all you can eat" plans, there's less and less reason to worry about them stealing.

| some of my clients have been receiving targeted phishes recently that
| correctly name their bank and property address and claim to be about
| their mortgage. this is information obtainable from public records.

I probably get an offer to refinance my mortgage every other week or so. The letters cite real information about me and my mortgage: They know its size, or at least they know the amount at the time I took out the mortgage. In low-income areas, there's a long history of fraudulent refinancing - claiming you are getting a better loan for the person but really getting him deeper and deeper in the hole while you pocket various fees. I wouldn't want to bet that all the come-on letters I receive are legitimate!

The only difference between some of this stuff and phishing is the medium used.

-- Jerry
Re: VoIP and phishing
the other point that should be made about voip is that callerid is trivial to spoof.

so if you are counting on the calling party being who they say they are, or even within your company, based on callerid, don't.

i predict a round of targeted attacks on help desks and customer service, as well as more general scams with callerid set to (say) "Visa Security".

does anyone know if time ANI from toll free services is still unspoofable?

some of my clients have been receiving targeted phishes recently that correctly name their bank and property address and claim to be about their mortgage. this is information obtainable from public records.

On Thu, Apr 27, 2006 at 12:07:20PM -0400, [EMAIL PROTECTED] wrote:
> From Computerworld:
>
> New phishing scam model leverages VoIP
> Novelty of dialing a phone number lures in the unwary
> News Story by Cara Garretson
>
> APRIL 26, 2006
> [...]
>
> -- Jerry
VoIP and phishing
From Computerworld:

New phishing scam model leverages VoIP
Novelty of dialing a phone number lures in the unwary
News Story by Cara Garretson

APRIL 26, 2006 (NETWORK WORLD) - Small businesses and consumers aren't the only ones enjoying the cost savings of switching to voice over IP (VoIP). According to messaging security company Cloudmark Inc., phishers have begun using the technology to help them steal personal and financial information over the phone.

Earlier this month, San Francisco-based Cloudmark trapped an e-mailed phishing attack in its security filters that appeared to come from a small bank in a big city and directed recipients to verify their account information by dialing a certain phone number. The Cloudmark user who received the e-mail and alerted the company knew it was a phishing scam because he's not a customer of this bank.

Usually phishing scams are e-mail messages that direct unwitting recipients to a Web site where they're tricked into giving up their personal or financial information. But because much of the public is learning not to visit the Web sites these messages try to direct them to, phishers believe asking recipients to dial a phone number instead is novel enough that people will do it, says Adam O'Donnell, senior research scientist at Cloudmark.

And that's where VoIP comes in. By simply acquiring a VoIP account, associating it with a phone number and backing it up with an interactive voice-recognition system and free PBX software running on a cheap PC, phishers can build phone systems that appear as elaborate as those used by banks, O'Donnell says. "They're leveraging the same economies that make VoIP attractive for small businesses," he says.

Cloudmark has no proof that the phishing e-mail it snagged was using a VoIP system, but O'Donnell says it's the only way that staging such an attack could make economic sense for the phisher.

The company expects to see more of this new form of phishing. Once a phished e-mail with a phone number is identified, Cloudmark's security network can filter inbound e-mail messages and block those that contain the number, says O'Donnell.

-- Jerry
Latest Da Vinci mystery: judge's own secret code
Latest Da Vinci mystery: judge's own secret code
Thu Apr 27, 2006 8:11 AM ET
By Peter Graff

LONDON (Reuters) - Three weeks after a British court passed judgment in the copyright case involving Dan Brown's bestseller "The Da Vinci Code," a lawyer has uncovered what may be a secret message buried in the text of the ruling.

Lawyer Dan Tench noticed some letters in the judgment had been italicized, and it suddenly dawned on him that they spelled a phrase that included the name of the judge: "Smith code."

Justice Peter Smith, who during the trial displayed a sense of humor unusual in the rarefied world of bewigged barristers and ancient tradition, appears to have embraced the mysterious world of codes and conspiracy that run through the novel.

"I thought it was a mistake, that there were some stray letters that had been italicized because the word processor had gone wrong," Tench told Reuters.

Tench initially told The Times newspaper that apparently random letters in the judge's ruling appeared in italics. Wouldn't it be clever if the judge had embedded a secret message in the text? The Times ran a jokey item.

"And then I got an e-mail from the judge," said Tench. He said Smith told him to look back at the first paragraphs.

The italicized letters scattered throughout the judgment spell out: "smithcodeJaeiextostpsacgreamqwfkadpmqz." Those in the first paragraphs spell out "smith code." But what does the rest mean?

The novel, and upcoming movie starring Tom Hanks, are about a secret code that reveals ancient mysteries about Jesus Christ.

Smith, who ruled that author Brown had not plagiarized his hugely popular thriller from another book, "The Holy Blood and the Holy Grail," has so far not given any clues to his own mystery code.

For now, the judge is not speaking. His clerk said he is refusing interviews. She would not confirm whether there truly was a secret mystery embedded in his judgment. But she did confirm that he is, generally speaking, a humorous type of person.
Re: History and definition of the term 'principal'?
tmcghan quoted:

  SDSI's active agents (principals) are keys: specifically, the private keys that sign statements. We identify a principal with the corresponding verification (public) key...

Calling a key a "principal" (and saying that a key "speaks") is just a poetic language used in SDSI/SPKI. The goal was to eliminate liability by using keys as syntactic elements - a digital signature reduced to mathematics. This did not, however, turn out to be a real-world model because someone must have allowed the software to use that key or, at least, turned the computer on (even if by a cron job).

Usually (but not always consistently) cryptography's use of "principal" is not what the dictionary says. Here, principal conveys the idea of "owning or operating". In this sense, SDSI is somewhat right -- the private key seems to operate the signature -- but fails to recognize that, ultimately, the key by itself cannot operate (or own) anything. Being responsible for an account, or creating keys or passwords, is within the idea of "owning or operating".

Cheers,
Ed Gerck
Re: History and definition of the term 'principal'?
I was manager of development for Project Athena beginning in 1985. Amongst our projects was Kerberos, and, as you know, it was a direct implementation of Needham-Schroeder. Schroeder had been Jerome Saltzer's Ph.D. student and Saltzer was the MIT faculty member in charge of the technical side of Athena, and to whom I reported.

The word "principal" was solidly in place from the moment the Kerberos work began, and comes directly from the work of Saltzer and Schroeder. At least as early as 1975 the term "principal" was in use in their work; see [1] for my own earliest reference. I suspect it was in place at Project MAC and might thus have some lineage with Multics, but now I am speculating.

Needham is sadly gone, but Schroeder and Saltzer are still with us. If it is worth my pursuit of the matter I'll make the time for it, but I now forget why this was asked. If it is curiosity, perhaps the canoe is now far enough upriver. If it is a patent claim or the like and one needs to find the exact wet spot in the ground that the river starts, well, let me know.

--dan

[1] Proceedings of the IEEE. Vol. 63, No. 9 (September 1975), pp. 1278-1308; Manuscript received October 11, 1974; revised April 17, 1975. Copyright 1975 by J. H. Saltzer. The authors are with Project MAC and the Department of Electrical Engineering and Computer Science, Massachusetts Institute of Technology, Cambridge, Mass. 02139.
Judge Hints at Code in 'Da Vinci' Ruling
http://www.helenair.com/articles/2006/04/26/ap/strange/d8h7t2f8n.txt
http://www.helenair.com/articles/2006/04/26/ap/strange/d8h7s6805.prt

Judge Hints at Code in 'Da Vinci' Ruling
By JENNIFER QUINN

LONDON - The judge who presided at the "Da Vinci Code" copyright infringement trial has put a code of his own into his ruling, and he said Wednesday he would "probably" confirm it to the person who breaks it.

Since Judge Peter Smith delivered his ruling April 7, lawyers in London and New York began noticing odd italicizations in the 71-page document. In the weeks afterward, would-be code-breakers got to work on deciphering Smith's code.

"I can't discuss the judgment," Smith said in a brief conversation with The Associated Press, "but I don't see why a judgment should not be a matter of fun."

Italics are placed in strange spots: The first is found in the first paragraph of the 360-paragraph document. The letter "s" in the word "claimants" is italicized. In the next paragraph, "claimant" is spelled with an italicized "m," and so on. The italicized letters in the first seven paragraphs spell out "Smithy code," playing on the judge's name.

Lawyer Dan Tench, with the London firm Olswang, said he noticed the code when he spotted the striking italicized script in an online copy of the judgment.

"To encrypt a message in this manner, in a High Court judgment no less? It's out there," Tench said. "I think he was getting into the spirit of the thing. It doesn't take away from the validity of the judgment. He was just having a bit of fun."

Smith was arguably the highlight of the trial, with his acerbic questions and witty observations making the sometimes dry testimony more lively.

Though Smith on Wednesday refused to discuss the judgment or acknowledge outright that he'd inserted a secret code in its pages, he said: "They don't look like typos, do they?"

When asked if someone would break the code, Smith said: "I don't know. It's not a difficult thing to do."

And when asked if he would confirm a correct guess to an aspiring code-breaker, he said, "Probably."

Tench said the judge teasingly remarked that the code is a mixture of the italicized font code found in the book "The Holy Blood and the Holy Grail" - whose authors were suing Dan Brown's publisher, Random House, for copyright infringement - and the code found in Brown's "The Da Vinci Code."

Authors Michael Baigent and Richard Leigh had sued Random House Inc., claiming Brown's best-selling novel "appropriated the architecture" of their 1982 nonfiction book, "The Holy Blood and the Holy Grail." Both books explore theories that Jesus married Mary Magdalene, the couple had a child and the bloodline survives, ideas dismissed by most historians and theologians.

"The Da Vinci Code" has sold more than 40 million copies - including 12 million hardcovers in the United States - since its release in March 2003. It came out in paperback in the United States earlier this year, and quickly sold more than 500,000 copies. An initial print run of 5 million has already been raised to 6 million.

Since the judgment was handed down three weeks ago, Tench said it took several weeks - and several watchful eyes - to catch the code. Now, London and New York attorneys are scrambling to solve it.

"I think it has caught the particular imagination of Americans," Tench said. "To have a British, staid High Court judge encrypt a judgment in this manner, it's jolly fun."

"I'm definitely going to try to break the code," said attorney Mark Stephens, when learning of its existence.

"Judges have been known to write very sophisticated and amusing judgments," Stephens said. "This trend started long ago ... one did a judgment in rhyme, another in couplets. There has been precedent for this.

"It adds a bit of fun to what might have been a dusty text," he said.

On the Net: http://www.hmcourts-service.gov.uk/HMCSJudgments

A service of the Associated Press (AP)
Re: PGP "master keys"
Quoting "Steven M. Bellovin" <[EMAIL PROTECTED]>:

>>> What is a "master key" in this context?
>>
>> ADK, the Additional Decryption Key. An enterprise with a Managed
>> PGP Desktop installed base can set up an ADK and all messages get
>> encrypted to the ADK in addition to the recipient's key.
>
> Ah -- corporate key escrow. An overt back door for Little Brother,
> rather than a covert one for Big Brother

Yep. Nothing below board going on.

> --Steven M. Bellovin, http://www.cs.columbia.edu/~smb

-derek

--
Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
Member, MIT Student Information Processing Board (SIPB)
URL: http://web.mit.edu/warlord/ PP-ASEL-IA N1NWH
[EMAIL PROTECTED] PGP key available
Re: PGP "master keys"
On Wed, 26 Apr 2006 22:24:22 -0400, Derek Atkins <[EMAIL PROTECTED]> wrote:
> Quoting "Steven M. Bellovin" <[EMAIL PROTECTED]>:
>
>> In an article on disk encryption
>> (http://www.theregister.co.uk/2006/04/26/pgp_infosec/), the following
>> paragraph appears:
>>
>>   BitLocker has landed Redmond in some hot water over its insistence
>>   that there are no back doors for law enforcement. As its
>>   encryption code is open source, PGP says it can guarantee no back
>>   doors, but that cyber sleuths can use its master keys if
>>   necessary.
>>
>> What is a "master key" in this context?
>
> ADK, the Additional Decryption Key. An enterprise with a Managed
> PGP Desktop installed base can set up an ADK and all messages get
> encrypted to the ADK in addition to the recipient's key.

Ah -- corporate key escrow. An overt back door for Little Brother, rather than a covert one for Big Brother

--Steven M. Bellovin, http://www.cs.columbia.edu/~smb
Re: PGP "master keys"
On Wed, Apr 26, 2006 at 09:53:27PM -0400, Steven M. Bellovin wrote:
> In an article on disk encryption
> (http://www.theregister.co.uk/2006/04/26/pgp_infosec/), the following
> paragraph appears:
>
>   BitLocker has landed Redmond in some hot water over its insistence
>   that there are no back doors for law enforcement. As its
>   encryption code is open source, PGP says it can guarantee no back
>   doors, but that cyber sleuths can use its master keys if
>   necessary.
>
> What is a "master key" in this context?

It sounds rather like a misunderstanding/mangling of PGP's Additional Decryption Key feature.

David
Re: PGP "master keys"
Quoting "Steven M. Bellovin" <[EMAIL PROTECTED]>:

> In an article on disk encryption
> (http://www.theregister.co.uk/2006/04/26/pgp_infosec/), the following
> paragraph appears:
>
>   BitLocker has landed Redmond in some hot water over its insistence
>   that there are no back doors for law enforcement. As its
>   encryption code is open source, PGP says it can guarantee no back
>   doors, but that cyber sleuths can use its master keys if
>   necessary.
>
> What is a "master key" in this context?

ADK, the Additional Decryption Key. An enterprise with a Managed PGP Desktop installed base can set up an ADK and all messages get encrypted to the ADK in addition to the recipient's key.

> --Steven M. Bellovin, http://www.cs.columbia.edu/~smb

-derek

--
Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
Member, MIT Student Information Processing Board (SIPB)
URL: http://web.mit.edu/warlord/ PP-ASEL-IA N1NWH
[EMAIL PROTECTED] PGP key available