Re: Secure phones from VectroTel?

2006-05-24 Thread mis
another contender (or could-be contender):

http://www.cryptophone.de/products/CPG10/index.html

(open source and built by people like rop gonggrijp and barry wels)

On Tue, May 23, 2006 at 01:45:15PM -0400, John Ioannidis wrote:
> On Tue, May 23, 2006 at 11:19:38AM -0400, Perry E. Metzger wrote:
> >
> > Following the links from a /. story about a secure(?) mobile phone
> > VectroTel in Switzerland is selling, I came across the fact that this
> > firm sells a full line of encrypted phones.
> >
> > http://www.vectrotel.ch/
> >
>
> Too little, too late.  What are they doing, running a V.32bis modem
> over the GSM analog channel? That would account for the worse voice
> quality and the delays in the spec.
>
> A friend showed me yesterday his EVDO-enabled, WinCE handheld, which
> he was using to make phone calls over Skype (not that Skype is secure,
> but that's another story).
>
> /ji
-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: VoIP and phishing

2006-04-27 Thread mis
the other point that should be made about voip is that
callerid is trivial to spoof.

so if you are counting on the calling party being who they say they are,
or even within your company, based on callerid, don't.

i predict a round of targeted attacks on help desks and customer
service, as well as more general scams with callerid set to (say)
Visa Security.

does anyone know if time ANI from toll free services is still unspoofable?

some of my clients have been receiving targeted phishes recently that correctly
name their bank and property address and claim to be about their mortgage.
this is information obtainable from public records.



On Thu, Apr 27, 2006 at 12:07:20PM -0400, [EMAIL PROTECTED] wrote:
> From Computerworld:
>
>
> New phishing scam model leverages VoIP
> Novelty of dialing a phone number lures in the unwary
>   News Story by Cara Garretson
>
> APRIL 26, 2006
> (NETWORK WORLD) - Small businesses and consumers aren't the only ones
> enjoying the cost savings of switching to voice over IP
> (VoIP). According to messaging security company Cloudmark Inc., phishers
> have begun using the technology to help them steal personal and
> financial information over the phone.
>
> Earlier this month, San Francisco-based Cloudmark trapped an e-mailed
> phishing attack in its security filters that appeared to come from a
> small bank in a big city and directed recipients to verify their account
> information by dialing a certain phone number. The Cloudmark user who
> received the e-mail and alerted the company knew it was a phishing scam
> because he's not a customer of this bank.
>
> Usually phishing scams are e-mail messages that direct unwitting
> recipients to a Web site where they're tricked into giving up their
> personal or financial information. But because much of the public is
> learning not to visit the Web sites these messages try to direct them
> to, phishers believe asking recipients to dial a phone number instead is
> novel enough that people will do it, says Adam O'Donnell, senior
> research scientist at Cloudmark.
>
> And that's where VoIP comes in. By simply acquiring a VoIP account,
> associating it with a phone number and backing it up with an interactive
> voice-recognition system and free PBX software running on a cheap PC,
> phishers can build phone systems that appear as elaborate as those used
> by banks, O'Donnell says. They're leveraging the same economies that
> make VoIP attractive for small businesses, he says.
>
> Cloudmark has no proof that the phishing e-mail it snagged was using a
> VoIP system, but O'Donnell says it's the only way that staging such an
> attack could make economic sense for the phisher.
>
> The company expects to see more of this new form of phishing. Once a
> phished e-mail with a phone number is identified, Cloudmark's security
> network can filter inbound e-mail messages and block those that contain
> the number, says O'Donnell.
>
>   -- Jerry
>


Re: VoIP and phishing

2006-04-27 Thread mis
On Thu, Apr 27, 2006 at 01:12:43PM -0700, [EMAIL PROTECTED] wrote:

> so if you are counting on the calling party being who they say they are,
> or even within your company, based on callerid, don't.
>
> does anyone know if time ANI from toll free services is still unspoofable?

make that real-time ANI



Re: Not everyone knows about strong crypto...

2006-04-19 Thread mis
and a second data point, not everyone in the mafia chooses good passphrases;

a few years ago the government got a black bag warrant (once and a
renewal) to install some still undescribed keystroke monitoring
technology on nicky scarfo jr's pc, to find out the pgp key of a
spreadsheet of a smalltime mafioso whose hard drive they'd already
taken a copy of.

it turned out to be his father's federal prison number.


On Wed, Apr 19, 2006 at 11:10:49AM -0400, Perry E. Metzger wrote:
 
> It seems not everyone has gotten the message that monoalphabetic
> substitution was broken many hundreds of years ago. Excerpt:
>
>   The recently arrested boss of bosses of the Sicilian Mafia, Bernardo
>   Provenzano, wrote notes using an encryption scheme similar to the one
>   used by Julius Caesar more than 2,000 years ago, according to a
>   biography of Italy's most wanted man.
>
> http://dsc.discovery.com/news/briefs/20060417/mafiaboss_tec.html?source=rss
>
> --
> Perry E. Metzger  [EMAIL PROTECTED]
>
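Perry's point that monoalphabetic substitution has been broken for centuries, shown concretely as an added example (this is not code from the thread or from anyone quoted in it): a ciphertext-only attacker tries all 26 Caesar shifts and picks the one whose output has English-like letter frequencies. The English frequency table is the standard published approximation; the sample note is constructed for the demonstration, and shift 3 is used only because it is the shift traditionally attributed to Caesar.

```python
# Added example (not from the list thread): recovering a Caesar shift from
# ciphertext alone by chi-squared comparison against English letter frequencies.
import string

# Standard approximate English single-letter frequencies, in percent.
ENGLISH_FREQ = {
    'a': 8.167, 'b': 1.492, 'c': 2.782, 'd': 4.253, 'e': 12.702, 'f': 2.228,
    'g': 2.015, 'h': 6.094, 'i': 6.966, 'j': 0.153, 'k': 0.772, 'l': 4.025,
    'm': 2.406, 'n': 6.749, 'o': 7.507, 'p': 1.929, 'q': 0.095, 'r': 5.987,
    's': 6.327, 't': 9.056, 'u': 2.758, 'v': 0.978, 'w': 2.360, 'x': 0.150,
    'y': 1.974, 'z': 0.074,
}

def caesar_shift(text: str, shift: int) -> str:
    """Shift every ASCII letter by `shift` positions (mod 26), preserving case
    and leaving non-letters untouched. A negative shift decrypts."""
    out = []
    for ch in text:
        if ch.isascii() and ch.isalpha():
            base = ord('A') if ch.isupper() else ord('a')
            out.append(chr(base + (ord(ch) - base + shift) % 26))
        else:
            out.append(ch)
    return ''.join(out)

def chi_squared(text: str) -> float:
    """Chi-squared distance between the letter distribution of `text` and
    English. Lower means more English-like; empty input scores infinity."""
    letters = [c.lower() for c in text if c.isascii() and c.isalpha()]
    n = len(letters)
    if n == 0:
        return float('inf')
    score = 0.0
    for letter in string.ascii_lowercase:
        observed = letters.count(letter)
        expected = n * ENGLISH_FREQ[letter] / 100.0
        score += (observed - expected) ** 2 / expected
    return score

def recover_shift(ciphertext: str) -> int:
    """The entire 'key search' for a Caesar cipher: 26 candidates, scored by
    how English-like their decryption looks."""
    return min(range(26), key=lambda s: chi_squared(caesar_shift(ciphertext, -s)))

def break_caesar(ciphertext: str) -> str:
    """Recover the shift and return the plaintext."""
    return caesar_shift(ciphertext, -recover_shift(ciphertext))

# Constructed sample: an invented English note enciphered with shift 3.
SAMPLE_PLAINTEXT = ("Meet the courier at the usual place on Thursday and bring "
                    "the ledger with the monthly accounts")
SAMPLE_CIPHERTEXT = caesar_shift(SAMPLE_PLAINTEXT, 3)

if __name__ == "__main__":
    print("ciphertext:     ", SAMPLE_CIPHERTEXT)
    print("recovered shift:", recover_shift(SAMPLE_CIPHERTEXT))
    print("plaintext:      ", break_caesar(SAMPLE_CIPHERTEXT))
```

The same frequency scoring extends to any monoalphabetic substitution: the key space is larger (26! keys rather than 26), but each ciphertext letter still maps to exactly one plaintext letter, so letter and digram frequencies leak the mapping and no passphrase strength can help.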


Re: NY Times reports: Documents show link between AT&T and NSA

2006-04-13 Thread mis
in this case, poorly chosen example.

it's hard to not print documents used by the technician(s) to install
splitters in the fibers and specify the details of wiring in and between
various racks and cabinets.

On Thu, Apr 13, 2006 at 08:04:07PM +0200, lorenzo wrote:
> On 4/13/06, Perry E. Metzger [EMAIL PROTECTED] wrote:
> > http://www.nytimes.com/2006/04/13/us/nationalspecial3/13nsa.html
> [...]
> > Now Mr. Klein and a few company documents he saved have emerged as key
> > elements in a class-action lawsuit filed against AT&T on Jan. 31 by a
> > civil liberties group, the Electronic Frontier Foundation. The suit
> > accuses the company of helping the security agency invade its customers'
> > privacy.
>
> Am I wrong or if we were living in a DRM- or Trusted Computing- World,
> those documents probably would be unreadable, if they were digital
> documents? Also they could have prevented printing of the documents,
> and so on.
>
> Of course, the human is still the weaker ring, but this is not of much
> help in such cases.
>
> --
> :lorenzo grespan
> GPG Key fingerprint = 5372 1B49 9E61 747C FB9A  4DAE 5D2A A9A0 74B4 8F1A
>


Re: [Clips] Banks Seek Better Online-Security Tools

2005-12-06 Thread mis
please, can people tell us about what their country's liability
framework is, as they understand it, and where the onus of proof is
for what sorts of transactions?

this is one of the few areas where consumers have some actual
protection in the us.

due to ross anderson, i have heard about the uk.  has this been harmonized
in the eu?

many other countries are a mystery to me.

it would seem to me even in countries with pro-bank/anti-consumer stances
the risk could be limited by putting few eggs in that basket, rather than
giving up on using baskets entirely.

as an offering from left field, here's a pretty good paper about
fraud and identity in .au and .nz
http://www.aic.gov.au/conferences/other/smith_russell/2003-09-identity.html


On Mon, Dec 05, 2005 at 07:09:33PM +0100, Jonathan Thornburg wrote:
> I would never use online banking, and I advise all my friends and
> colleagues (particularly those who _aren't_ computer-security-geeks)
> to avoid it.
>
>
> On Sun, Dec 04, 2005 at 05:51:11PM -0500, [EMAIL PROTECTED] wrote:
> > I've been using online banking for many years, both US and Germany.
> > The German PIN/TAN system is reasonably secure,
> > being an effective one-time pad distributed through out of band channel
>
> Ahh, but how do you know that the transaction actually sent to the
> bank is the same as the one you thought you authorized with that OTP?
> If your computer (or web browser) has been cracked, you can't trust
> _anything_ it displays.  There are already viruses in the wild
> attacking German online banking this way:
>   http://www.bsi.bund.de/av/vb/pwsteal_e.htm
>
>
> I also don't trust RSAsafe or other such 2-factor authentication
> gadgets, for the same reason.
>
> [I don't particularly trust buying things online with a credit card,
> either, but there my liability is limited to 50 Euros or so, and the
> credit card companies actually put a modicum of effort into watching
> for suspicious transactions, so I'm willing to buy (a few) things online.]
>
> ciao,
>
> --
> -- Jonathan Thornburg [EMAIL PROTECTED]
>    Max-Planck-Institut fuer Gravitationsphysik (Albert-Einstein-Institut),
>    Golm, Germany, Old Europe    http://www.aei.mpg.de/~jthorn/home.html
>    Washing one's hands of the conflict between the powerful and the
>    powerless means to side with the powerful, not to be neutral.
>      -- quote by Freire / poster by Oxfam
>


Re: [Clips] Banks Seek Better Online-Security Tools

2005-12-05 Thread mis
On Mon, Dec 05, 2005 at 09:24:04AM +0000, Ian G wrote:
> [EMAIL PROTECTED] wrote:
>
> > it seems to me the question is how much liability do i expose myself to by
> > doing this, in return for what savings and convenience.
>
> That part I agree with, but this part:
>
> > i don't keep a lot of money in banks (why would anyone?)  -- most of
> > the assets are in (e.g.)  brokerage accounts.  at most  i'm exposing
> > a month of payroll check to an attacker briefly until it pays some
> > bill or is transferred to another asset account.
>
> George's story - watching my Ameritrade account get phished out in 3 minutes
> https://www.financialcryptography.com/mt/archives/000515.html
>
> Seems like a hopeful categorisation!
>
> iang

okay, i read this story from 7/2005 reporting an incident in 5/2005.  the short
form of it is:

the bad guys changed the associated bank account,
then they placed orders to sell everything at market prices.
at some point they changed the email address to a hotmail account (if they'd
done this first he would have gotten less notice)
for some unexplained reason he received confirmations of the trades at the old
email address.
actual cash didn't get transferred at least because of the 3 day settlement time
for the trades.

the rest was dealing with law enforcement and customer service punes who
wouldn't tell him anything for privacy reasons.

well, i have lots of nit-picking questions, about the actual incident
and about the general point.

about the actual incident:
maybe his password was phished, maybe it was malware,
maybe it was password reuse and some other account was phished.
how was the bofa account set up?  (the fraudster's destination account)
in these days of patriot act know your customer? (or was it someone's
phished account also used just for transit?)

why didn't they just do the wire transfer early, and leave him with a
giant margin balance to be paid from the proceeds at settlement?


about the general point:

the main thing online access changes (compared with phone access, or written
instructions) is the velocity.
most sensible institutions provide change of account status notifications
by both email and postal mail (to both the old and the new addresses).
some sensible institutions put brakes on removing money from the system,
certainly for new accounts and (as i recommend to my clients) after an
account change reflecting identity or control.

aside from the time and energy drain of identity theft, what is the
financial liability for consumers if your us-based brokerage account
is phished resulting in a fraudulent funds transfer?  does anyone know 
if there is any uniform protection (such as reg e would cover for interbank
funds transfers?)

i insert the weasel-words consumers and us-based because
of bofa's behavior in the joe lopez malware case, where they
are trying to claim he is a business not a consumer, and that
they are without fault in wire transferring his funds to latvia.

slightly off-topic:
remember abraham abdallah, the brooklyn busboy who assumed the
identity of a large number of the fortune 200 richest?  made goldman
sachs signature guaranteed stamps and opened accounts in their number?
had 800 fraudulent credit cards and 2 blank cards when he was
arrested?  (hey kids!  collect 'em all!).  my point is only that this is
possible without my participating.  as jerry leichter reminded me,
the fact that there are these facilities available means a bad guy can
use them even if i do not, unless i can not only opt out but forbid anyone
else from subsequently opting in, the moral equivalent of cutting your debit
card in half and returning it to the bank (rather than just destroying
the PIN).


even more off-topic:
i'm surprised that the people on this list don't feel as if they have enough
personal connections that at least they could figure out what happened to them
as *some* financial institution.  doesn't anyone else ask, as a basis for imputing
trust  exactly who did that {protocol, architecture, code} review as a basis for
imputing trust?  maybe i'm delusional, but i give fidelity some residual credit
for having adam shostack there, even some years ago, and there are some firms
i'd use because i've been there enough to see their level of care.






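The two brakes the post above recommends (notify both the old and the new contact address on any change of identity or control, and hold outbound transfers for new accounts and for a window after such a change), written out as an added example. This is not code from the thread or from any institution named in it; the hold windows (30 days for new accounts, 10 days after a control change), the field names, and the replayed takeover sequence (payout account changed, then email changed, then an attempt to move money) are all constructed for the demonstration.

```python
# Added example (not from the list thread): a toy policy engine for the
# velocity brakes and dual-address notifications described in the post.
# All thresholds, field names and sample events are assumptions made here.
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional

NEW_ACCOUNT_HOLD = timedelta(days=30)      # assumed policy value
CONTROL_CHANGE_HOLD = timedelta(days=10)   # assumed policy value

# Profile fields whose change affects who controls the account or where
# its money goes. Changing any of them restarts the post-change hold.
CONTROL_FIELDS = {"email", "postal_address", "linked_bank_account", "password"}

@dataclass
class Notification:
    channel: str   # "email" or "postal"
    address: str
    message: str

@dataclass
class Account:
    account_id: str
    opened_at: datetime
    email: str
    postal_address: str
    linked_bank_account: str = ""
    last_control_change: Optional[datetime] = None
    outbox: List[Notification] = field(default_factory=list)

    def change_contact(self, field_name: str, new_value: str, when: datetime) -> None:
        """Apply a profile change. For control fields, notify the OLD email and
        OLD postal address (captured before the change is applied) and, when a
        contact address itself changes, the new address too."""
        if field_name in CONTROL_FIELDS:
            self.last_control_change = when
            msg = f"{field_name} changed on account {self.account_id} at {when:%Y-%m-%d %H:%M}"
            # Telling the old addresses first means a hijacker cannot silence
            # the owner by switching contact details before moving money.
            self.outbox.append(Notification("email", self.email, msg))
            self.outbox.append(Notification("postal", self.postal_address, msg))
            if field_name == "email":
                self.outbox.append(Notification("email", new_value, msg))
            elif field_name == "postal_address":
                self.outbox.append(Notification("postal", new_value, msg))
        setattr(self, field_name, new_value)

def evaluate_outbound_transfer(acct: Account, when: datetime) -> str:
    """Return 'allow' or a 'hold: ...' reason. The hold is the brake on velocity:
    money cannot leave during the window after opening or after a control change."""
    if when - acct.opened_at < NEW_ACCOUNT_HOLD:
        return f"hold: account newer than {NEW_ACCOUNT_HOLD.days} days"
    if (acct.last_control_change is not None
            and when - acct.last_control_change < CONTROL_CHANGE_HOLD):
        return f"hold: control change within last {CONTROL_CHANGE_HOLD.days} days"
    return "allow"

def replay_hijack_scenario() -> dict:
    """Constructed replay of the takeover pattern summarised in the post:
    change the payout account, change the email, then try to move money."""
    t0 = datetime(2005, 1, 1, 9, 0)
    acct = Account("demo-001", opened_at=t0, email="owner@example.com",
                   postal_address="1 Main St, Anytown")
    day = t0 + timedelta(days=120)   # well past the new-account hold
    before = evaluate_outbound_transfer(acct, day)
    acct.change_contact("linked_bank_account", "attacker-bank-9999", day)
    acct.change_contact("email", "new-mailbox@example.net", day + timedelta(hours=1))
    during = evaluate_outbound_transfer(acct, day + timedelta(hours=2))
    after = evaluate_outbound_transfer(acct, day + timedelta(days=11))
    old_email_notices = [n for n in acct.outbox if n.address == "owner@example.com"]
    postal_notices = [n for n in acct.outbox if n.channel == "postal"]
    return {
        "before_changes": before,
        "during_hold": during,
        "after_hold": after,
        "old_email_notices": len(old_email_notices),
        "postal_notices": len(postal_notices),
    }

if __name__ == "__main__":
    for key, value in replay_hijack_scenario().items():
        print(f"{key}: {value}")
```

The design point is ordering: the old address is captured and notified before the change is written, and the transfer decision depends only on timestamps the attacker cannot rewrite, so even a complete credential compromise still leaves the owner a notification and a window in which to act.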


Re: [Clips] Banks Seek Better Online-Security Tools

2005-12-04 Thread mis
dan, maybe you should just keep less money in the bank.

i use online banking and financial services of almost every kind
(except bill presentment, because i like paper bills).  i cannot do
without it.

it seems to me the question is how much liability do i expose myself to by
doing this, in return for what savings and convenience.  

i don't keep a lot of money in banks (why would anyone?)  -- most of
the assets are in (e.g.)  brokerage accounts.  at most  i'm exposing
a month of payroll check to an attacker briefly until it pays some
bill or is transferred to another asset account.  

(the lack of payment planning tools is my biggest beef with bill
paying systems... it's so stupid that they don't show you the future
running balances based on already arranged scheduled payments and
regular withdrawals).

i have a slightly too elaborate drip-feed system set up, with direct
deposit of the paycheck into an account which pays (as scheduled
payments) my fixed bills automatically every month and makes minimum
credit card payments too, so i don't often pay nuisance fees.  (my
utilities have been switched to average payment plans, or more
recently to bill to credit cards so they fit into this plan).

i haven't written more than a few paper checks in years.  i just add the
payee to the online system and have the bank do it.  the online system
has paid around 200 bills so far this year. 

so i save on time, on postage, on the float (since the banks do ach
transfers to the larger payees which often post in 2-3 days), on
nuisance and finance charges, and on the phone, complaining about
problems posting paper checks.

i would notice a fraudulent transfer on my online banking long before
i would notice a fraudulent paper check written against the same account.

not only do i use online banking, i use aggregation systems which scrape
screens for most of my accounts and display recent transactions,
current balances, etc.  

i think i've tried almost all of these.
fidelity's full view seems among the best of the group (they use
yodlee for the scraping but manage their own password store).
(while dan is surveying, i'll ask if anyone is using gnucash for this).

i find this extremely helpful in managing diversification across
several accounts, and in noticing such details such as both sides of
payments or transfers between institutions or charges on infrequently
used credit card accounts.

an interesting question regarding aggregation was whether i should let
them use the information they scraped to decide what to offer me.  (so
far they haven't offered me a free toaster to entice me to move assets
to them.  according to an informant, they don't use the information
for poaching.)

On Fri, Dec 02, 2005 at 11:05:29PM -0500, [EMAIL PROTECTED] wrote:
 
> You know, I'd wonder how many people on this
> list use or have used online banking.
>
> To start the ball rolling, I have not and won't.
>
> --dan
>
>
> Cryptography is nothing more than a mathematical framework for
> discussing the implications of various paranoid delusions.
> -- Don Alvarez
>


Re: Digital Water Marks Thieves

2005-02-22 Thread mis
at the risk of being accused of being humor impaired:

the particles are ignorant.  it's the police officers that need to
know to look for the taggants.  civilians could look, but might not
have access to the semantic content in the database.

this is similar, i think, to the taggants that are embedded in industrial
explosives to indicate the explosive batch number (to try to trace the
pre-bang chain of custody).

google for taggants if this interests you particularly.




On Wed, Feb 16, 2005 at 10:36:33PM -0600, Matt Crawford wrote:
 
> On Feb 15, 2005, at 12:40, R.A. Hettinga wrote:
>
> > Instant, is a property-marking fluid that, when
> > brushed on items like office equipment or motorcycles, tags them with
> > millions of tiny fragments, each etched with a unique SIN (SmartWater
> > identification number) that is registered with the owner's details on a
> > national police database and is invisible until illuminated by police
> > officers using ultraviolet light.
>
> That's amazing!  How do the tiny particles know that it's not a
> civilian illuminating them with ultraviolet light?
>
> And how does Wired reporter Robert Andrews fail to ask that question?
>
>