Re: Question on the state of the security industry

2004-07-16 Thread Ian Grigg
Anne & Lynn Wheeler wrote:
> 1)
> Intuit warns of credit card risk
> http://news.com.com/Intuit+warns+of+credit+card+risk/2100-1029_3-5269821.html
One could postulate that the need to
notify customers, as pushed by California's
legislature, is an example of a good state
intervention.
Securing those credit cards will now carry
with it the cost of carrying out all that
notification kerfuffle, and other incidental
liabilities.  This cost should easily outweigh
the cost of simple disk encryption systems.
> 2)
> Cyberattacks are soaring, countermeasures are sucking up tons of cash,
> and hardware and software vendors for the most part are sitting it out,
> *Bob Evans* says. But big customers are starting to say enough is
> enough, so the business-technology world is about to get whirled.
> http://www.informationweek.com/story/showArticle.jhtml;jsessionid=WK0LPHXYB4YSUQSNDBGCKHY?articleID=22104612
Bob Evans is obviously trying to introduce
people gently to the gathering storm.  Is
he a softie?  Or are his editors nervous?
He missed the big one:  class action suits.
The big firms are mulling over this phishing
thing, and they don't quite smell the blood
yet, but they feel it should be there.
If I was (insert choice list of 4 companies),
I'd be having very rapid contingency meetings
on this.  But I'm not so I don't care.  Will
Kamishlian raised the spectre in this fine
contextual history essay:
http://www.financialcryptography.com/mt/archives/000174.html
> ...
> i've been saying for some time that after market security is broken by
> design ... it is somewhat like after market seat belts of the 60s. for
> security to work, it has to be designed & built in from the start

I think you are too kind.  Something that wasn't
designed except as a placebo for worried execs
can't really be broken.
> some relatively recent comments about after market security:
> http://www.garlic.com/~lynn/2002h.html#39 Oh, here's an interesting paper
> http://www.garlic.com/~lynn/2002p.html#27 Secure you PC or get kicked off the net?
> http://www.garlic.com/~lynn/2003n.html#14 Poor people's OS?
iang
-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]


Re: Question on the state of the security industry

2004-07-16 Thread Anne & Lynn Wheeler

A couple of recent news stories
1)
Intuit warns of credit card risk
http://news.com.com/Intuit+warns+of+credit+card+risk/2100-1029_3-5269821.html

2)
Cyberattacks are soaring, countermeasures are sucking up tons of cash, and 
hardware and software vendors for the most part are sitting it out, *Bob 
Evans* says. But big customers are starting to say enough is enough, so the 
business-technology world is about to get whirled.
http://www.informationweek.com/story/showArticle.jhtml;jsessionid=WK0LPHXYB4YSUQSNDBGCKHY?articleID=22104612

...
i've been saying for some time that after market security is broken by 
design ... it is somewhat like after market seat belts of the 60s. for 
security to work, it has to be designed & built in from the start  some 
relatively recent comments about after market security:
http://www.garlic.com/~lynn/2002h.html#39 Oh, here's an interesting paper
http://www.garlic.com/~lynn/2002p.html#27 Secure you PC or get kicked off 
the net?
http://www.garlic.com/~lynn/2003n.html#14 Poor people's OS?

--
Anne & Lynn Wheeler
http://www.garlic.com/~lynn/



Re: Question on the state of the security industry

2004-07-13 Thread Amir Herzberg
[EMAIL PROTECTED] wrote:
> McAfee Research has proposed solutions to some of their larger customers
> and has an anti-phishing white paper:

the paper, at:
http://www.networkassociates.com/us/_tier2/products/_media/mcafee/wp_antiphishing.pdf
contains excellent review of the area and of the known, existing tools 
(anti-virus, spam-filter, ...) and good practices for users and 
corporations.

Michael, I've noted that the authors acknowledged you, so could you
forward them our proposal (at my homepage or directly at
http://www.cs.biu.ac.il/~herzbea/Papers/ecommerce/spoofing.htm)? I'd
love to hear their feedback.
--
Best regards,

Amir Herzberg
Associate Professor, Computer Science Dept., Bar Ilan University
http://amirherzberg.com (information and lectures in cryptography & 
security)



RE: Question on the state of the security industry

2004-07-12 Thread Michael_Heyman
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of Ian Grigg
> Sent: Wednesday, June 30, 2004 6:49 AM
> 
> Here's my question - is anyone in the security
> field of any sort of repute being asked about
> phishing, consulted about solutions, contracted
> to build?  Anything?
> 
McAfee Research has proposed solutions to some of their larger customers
and has an anti-phishing white paper:


Press release:


-Michael Heyman



Re: Question on the state of the security industry (second half not necessarily on topic)

2004-07-09 Thread Matt Blaze
On Jul 3, 2004, at 14:22, Dave Howe wrote:
> Well if nothing else, it is impossible for my bank to send me anything
> I would believe via email now
>
> To take this even slightly more on-topic - does anyone here have a
> bank capable of authenticating themselves to you when they ring you?
> I have had four phone calls from my bank this year, all of which start
> out by asking me to identify myself to them. When I point out that
> they must know who I am - as they just phoned me - and that I have no
> way of knowing who they are, they are completely lost (probably takes
> them away from the little paper script pinned to their desk)

Last month I had a rather good experience with American Express
in this regard.  I recently moved and had ordered something
to be shipped to my new address (this was before I changed my
billing address with AMEX).  Apparently the merchant had Amex
verify the transaction, and so AMEX called me.
Naturally, I asked how I was supposed to know it was really them
calling.  Without missing a beat, the caller invited me to hang
up and call back the number on the back of my card, which I did.
After the usual exchange of information to establish my "identity,"
I was transferred to the right department, and ended up speaking with
the same person who had originally called me(!).
After confirming the validity of the transaction in question, I
asked how many people are as suspicious as I was in asking for
confirmation that it's really AMEX calling.  He said not many,
but a significant enough number that they're ready to handle it
routinely when it happens (he also congratulated me for my
diligence).
It's nice that they have a procedure for this, but it's still a
mixed success for security against the theft of sensitive personal
information.  People like me (us?) remain the exception rather
than the rule, and while it's comforting that the standard procedures
accommodate us, the vast majority of people appear to happily give any
information requested to whoever calls them.  And when banks and
credit card issuers make calls requesting sensitive information
as part of their routine operations, they're training their customers
to engage in exactly the same behavior that they should be trying to
discourage.
Perhaps a better procedure would be to always simply ask the customer
to call back the known, trusted contact number (e.g., as printed on
the card), and never ask for any personal or sensitive information
in an unsolicited call.  They could widely advertise that this is
always the procedure and ask customers to be alert for any caller
who deviates from it.
-matt


RE: authentication and authorization (was: Question on the state of the security industry)

2004-07-08 Thread Anton Stiglic

>However, in some scenarios
>http://www.garlic.com/~lynn/2001h.html#61
>the common use of static data is so pervasive that an individual's
>information
>is found at thousands of institutions. The value of the information to the
>criminal is that the same information can be used to perpetrate fraud
>across all institutions and so the criminal value is enormous. However
>the value to each individual institution may be minimal. As a result
>there can be situations where an individual institution hasn't the
>infrastructure or the funding to provide the countermeasures necessary
>to keep the criminals away from the information (they simply don't
>have the resources to provide security proportional to the risk).
>
>The value of the static data authentication information to a criminal
>is far greater than the value of the information to the institution ...
>or the cost to the criminal to acquire the information is possibly
>orders of magnitude less than the value of the information (for
>criminal purposes).

Agreed.  This is where federated identity management becomes a tricky
problem to solve.  It is important to get something like the Liberty
Alliance right.

A solution that I like can be found here (there is also a ppt presentation
that can be found on the site):

http://middleware.internet2.edu/pki04/proceedings/cross_domain_identity.pdf


>Given such a situation  the infrastructures simply don't have
>the resources to provide the countermeasures adequate to meet
>the attacks they are going to experience (there is such a huge
>mismatch between the value of the information to the individual
>institutions and the value of the information to the criminal).

>Which results in my assertion that there has to be a drastic
>move away from the existing "static data" authentication paradigm
> because there is such a mismatch between the value
>to secure the information verses the value of attacks to
>obtain the information.

>It isn't that theory can't provide  mechanisms to protect
>the information  it that the information is spread far and
>wide and is in constant use by thousands of business processes,
>and that protection problem is analogous to the problem of
>having people  memorize a hundred different 8+character
>passwords that  change every month (which is also a shortcoming
>of the static data authenticaton paradigm).

Yes, theory is far more advanced than what is used in practice.
With zero-knowledge proofs and attribute authentication, based on
secrets stored on smart cards held by the proper owners, and the possibility
to delegate part of the computation to a server (so clients can
authenticate on low-powered devices), without revealing information
about the secret, etc...

I agree that what you call the "static data" authentication paradigm
is the cause of many problems, including identity theft.  It is
one reason why Identity Management is a hot topic these days; businesses
are losing control of all this "static data" associated with the various
systems they have, and when an employee leaves a company he often has an
active account on some system even months after his departure.
This is the de-provisioning problem.

Not too sure about the wording, however: if you take a zero-knowledge
proof to authenticate possession of an attribute, the prover will hold
some static data (some sort of secret); the only difference is that
the verifier doesn't need to know the secret, and in fact you can't
learn anything from looking at the communication link when the proof
is executed.  You can't learn anything either by modifying the protocol
from the verifier's point (malicious verifier).  But if you can steal
the secret that the prover possesses, then you can impersonate her.


--Anton 

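The point made at the end of the message above (a zero-knowledge identification transcript tells an eavesdropper or a cheating verifier nothing, yet whoever holds the prover's secret can impersonate her) in working code, as an added example that is not part of Anton's message or of any project he cites: one round of Schnorr identification over a Schnorr group. The parameters are an assumption for illustration only: a safe prime p = 2q + 1 found by a deterministic search just above 2^62 (toy-sized, not a standard parameter set) with g = 4 generating the order-q subgroup. It goes one step beyond the text: it also shows the special-soundness side, that a prover who answers two different challenges on the same commitment (nonce reuse) hands her secret to the verifier.

```python
"""Schnorr zero-knowledge identification: honest run, simulated transcript,
replay by an eavesdropper, impersonation with a stolen secret, and key
extraction from nonce reuse.  Added example with toy-sized parameters."""
import secrets

# Fixed Miller-Rabin bases: deterministic for n < 3.3e24, far above our ~2^63 moduli.
_MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_probable_prime(n: int) -> bool:
    if n < 2:
        return False
    for b in _MR_BASES:
        if n % b == 0:
            return n == b
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in _MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def make_group(bits: int = 62):
    """Assumed toy parameters: deterministic search for a safe prime p = 2q + 1 with q just
    above 2**bits.  g = 4 is a quadratic residue, so it generates the order-q subgroup."""
    q = (1 << bits) | 1
    while not (is_probable_prime(q) and is_probable_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q, 4

def keygen(group):
    """Prover's secret x and the public value y = g^x mod p that verifiers store."""
    p, q, g = group
    x = secrets.randbelow(q - 1) + 1
    return x, pow(g, x, p)

class Prover:
    """Holds the secret x; each round must use a fresh nonce r (see extract_secret)."""
    def __init__(self, group, x):
        self.p, self.q, self.g = group
        self.x = x
        self._r = None
    def commit(self):
        self._r = secrets.randbelow(self.q - 1) + 1
        return pow(self.g, self._r, self.p)
    def respond(self, c):
        return (self._r + c * self.x) % self.q

def verify(group, y, t, c, s):
    """Verifier accepts iff g^s == t * y^c (mod p).  It never learns x."""
    p, q, g = group
    return 0 < t < p and 0 <= s < q and pow(g, s, p) == t * pow(y, c, p) % p

def run_round(group, prover, y):
    """One interactive round: commitment, challenge chosen after seeing it, response."""
    t = prover.commit()
    c = secrets.randbelow(group[1])
    s = prover.respond(c)
    return verify(group, y, t, c, s), (t, c, s)

def simulate_transcript(group, y):
    """Zero-knowledge: knowing only y, pick c and s first and solve for t.  The result is
    distributed like a real transcript, so a captured transcript proves nothing about x."""
    p, q, g = group
    c, s = secrets.randbelow(q), secrets.randbelow(q)
    t = pow(g, s, p) * pow(y, -c, p) % p   # y^-c via negative exponent (Python 3.8+)
    return t, c, s

def replay(group, y, transcript):
    """Eavesdropper who captured (t, c, s) but not x re-sends (t, s) to a fresh challenge."""
    p, q, g = group
    t, c_old, s = transcript
    c_new = secrets.randbelow(q)
    while c_new == c_old:
        c_new = secrets.randbelow(q)
    return verify(group, y, t, c_new, s)

def extract_secret(group, c1, s1, c2, s2):
    """Special soundness: two responses to different challenges on the same commitment
    give x = (s1 - s2) / (c1 - c2) mod q.  This is why the nonce r must never be reused."""
    q = group[1]
    return (s1 - s2) * pow(c1 - c2, -1, q) % q

if __name__ == "__main__":
    group = make_group()
    x, y = keygen(group)
    ok, transcript = run_round(group, Prover(group, x), y)
    print("honest prover accepted:", ok)
    print("simulated transcript accepted:", verify(group, y, *simulate_transcript(group, y)))
    print("replayed transcript accepted:", replay(group, y, transcript))
    print("thief holding x accepted:", run_round(group, Prover(group, x), y)[0])
    careless = Prover(group, x)
    careless.commit()                       # one commitment, answered twice below
    c1 = secrets.randbelow(group[1])
    c2 = (c1 + 1) % group[1]
    print("x recovered from nonce reuse:",
          extract_secret(group, c1, careless.respond(c1), c2, careless.respond(c2)) == x)
```

The simulated transcript is exactly why a logged protocol run cannot be used as evidence against the prover, and the replay failure is why the verifier must pick its challenge only after seeing the commitment; the stolen-secret case is the residual risk Anton describes, which no protocol choice removes.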


Re: Question on the state of the security industry (second half not necessarily on topic)

2004-07-08 Thread Steven M. Bellovin
In message <[EMAIL PROTECTED]>, Jason Holt writes:
>

>[...]
>
>I had the same question about the NSA when some friends were interviewing
>there.  Apparently investigators will just show up at your house and want to
>know all sorts of things about your friends, who you may or may not know to be
>in the process of looking for work there.
>
>As I understand it, the investigators don't even carry NSA badges; they're DSS
>or private investigators.

In all seriousness, background investigations have been outsourced...

I had a similar experience a few years ago.  I was supposed to visit 
the --- agency.  Someone I had *not* been dealing with called to ask 
for my social security number and birthdate.  I declined, on the 
grounds that I had no idea who he was.  "But if I'm not legitimate, how 
do I know you're going to visit tomorrow?"  My reply was "you're from 
--- and you don't think people can learn things they're not supposed
to know?"

He was livid -- "if you don't tell me, you can't visit".  I told him 
that that was fine with me, and he should get my usual contact to call 
me.  "But he's unavailable today!".  I indicated that I was still 
unconcerned -- and 10 minutes later, this unavailable person called 
me...

On the other hand, when my broker called last week and asked for some 
confidential info, he was very understanding and co-operative when I 
declined to give out that information over the phone when he had called 
me.  So it's not completely hopeless.


--Steve Bellovin, http://www.research.att.com/~smb




RE: authentication and authorization (was: Question on the state of the security industry)

2004-07-08 Thread Anne & Lynn Wheeler
At 07:23 AM 7/5/2004, Anton Stiglic wrote:
> Identity has many meanings.   In a typical dictionary you will find several
> definitions for the word identity.  When we are talking about information
> systems, we usually talk about a digital identity, which has other meanings
> as well. If you are in the field of psychology, philosophy, or computer
> science, identity won't mean the same thing. One definition that relates to
> computer science that I like is the following:
> "the individual characteristics by which a thing or person is recognized or
> known".
another way of looking at it in an authentication/authorization infrastructure
is that some set of privileges are asserted ... this is typically done by
having some sort of identification associated with those privileges (like an
account number or userid). There can be some confusion whether what is being
asserted is a tag, identity or identification. if the tag being asserted, is
something like a person's name, the institution is likely just using it for a
tag to look up the set of privileges associated with that name (they may not
actually care who you are ... they want to know what privileges are associated
with the name/tag).

then there is some sort of authentication as to the binding to those set of
privileges  aka 3-factor authentication taxonomy
* something you know
* something you have
* something you are
note, in some scenarios  it is possible that knowing the account
number provides both the privilege assertion as well as the "something you
know" authentication (aka knowing the account number is sufficient
to make withdrawals).
in any case there are frequently used institutional processes that can be
characterized by assertion of privileges and authentication. The taxonomy
of those processes can be considered independent of the terms used to
label the processes (is a guard really interested in who you are or just
finding out what privileges and permissions you have).
so we have an environment with institutions and CSOs and an attitude
that the institution and the institution integrity must be protected from
outsiders (and criminal insiders)
however, with the prevalent use of "static data" and "something you know"
authentication paradigms ... there is huge amounts of static data laying
around, ripe for the harvesting ... where the criminal impersonates an
individual. so one view is that the vulnerability is the extensive use
by institutions of "static data" and "something you know" authentication,
where the individual may have little or no ability to protect the majority
of the information. The crime appears to be against the individual and
the source of the information may be totally unrelated to where the
crime actually occurs. Assuming that the source of the vulnerability
are the institutional infrastructures, some laws have been passed to
try and hold the institutions responsible for the protection of
individual information. in some scenarios, institutions are
charged with protecting individual information from the institution
itself (which sort of inverts a security officers job of protecting
institution from others).
However, in some scenarios
http://www.garlic.com/~lynn/2001h.html#61
the common use of static data is so pervasive that an individual's information
is found at thousands of institutions. The value of the information to the
criminal is that the same information can be used to perpetrate fraud
across all institutions and so the criminal value is enormous. However
the value to each individual institution may be minimal. As a result
there can be situations where an individual institution hasn't the
infrastructure or the funding to provide the countermeasures necessary
to keep the criminals away from the information (they simply don't
have the resources to provide security proportional to the risk).
The value of the static data authentication information to a criminal
is far greater than the value of the information to the institution ...
or the cost to the criminal to acquire the information is possibly
orders of magnitude less than the value of the information (for
criminal purposes).
Given such a situation  the infrastructures simply don't have
the resources to provide the countermeasures adequate to meet
the attacks they are going to experience (there is such a huge
mismatch between the value of the information to the individual
institutions and the value of the information to the criminal).
Which results in my assertion that there has to be a drastic
move away from the existing "static data" authentication paradigm
 because there is such a mismatch between the value
to secure the information verses the value of attacks to
obtain the information.
It isn't that theory can't provide  mechanisms to protect
the information  it that the information is spread far and
wide and is in constant use by thousands of business processes,
and that protection problem is analogous to the problem of
having people  memorize a hundred di

RE: authentication and authorization (was: Question on the state of the security industry)

2004-07-07 Thread Anton Stiglic
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of John Denker
Sent: 1 July 2004 14:27
To: [EMAIL PROTECTED]
Cc: Ian Grigg
Subject: Re: authentication and authorization (was: Question on the state of
the security industry)

>1) For starters, "identity theft" is a misnomer.  My identity
>is my identity, and cannot be stolen.  The current epidemic
>involves something else, namely theft of an authenticator ...

Identity has many meanings.   In a typical dictionary you will find several
definitions for the word identity.  When we are talking about information
systems, we usually talk about a digital identity, which has other meanings
as well. If you are in the field of psychology, philosophy, or computer
science, identity won't mean the same thing. One definition that relates to
computer science that I like is the following:
"the individual characteristics by which a thing or person is recognized or
known".

A digital identity is usually composed of a set of identifiers (e.g. Unix
ID, email address, X.500 DN, etc.) and other information associated to an
entity (an entity can be an individual, computer machine, service, etc.).  
"Other information" may include usage profiles, employee profiles, security
profiles, cryptographic keys, passwords, etc.

Identity can be stolen in the sense that this information can be copied,
revealed to someone, and that someone can use it in order to identify and
authenticate himself to a system and get authorization to access resources
he wouldn't normally be allowed to.

The following document has a nice diagram on the first page of appendix A:
http://www.ec3.org/Downloads/2002/id_management.pdf

I came up with a similar diagram for a presentation I recently gave, but
instead of talking about primary and secondary identifying documents I
mention primary and secondary identifying information in general, and I also
have an "identifiers" circle situated beside the bigger circle, containing
identifiers that belong to an entity but are not linkable to the entity
(talking about nyms and pseudonyms).  Recall that there are basically 3
types of authentication:  individual authentication (such as via biometrics,
where you use primary identifying information to authenticate someone),
identity authentication (where the identity may or may not be linkable to an
individual), and attribute authentication (where you need to reveal nothing
more than the possession of a certain attribute, such as can be done with
Stefan Brands' digital credentials).

--Anton
 



authentication and authorization (was: Question on the state of the security industry)

2004-07-07 Thread Nicholas Bohm
At 12:26 PM 7/1/2004, John Denker wrote:

>The object of phishing is to perpetrate so-called "identity
>theft", so I must begin by objecting to that concept on two
>different grounds.

Subsequent posters have doubted the wisdom of quibbling with the term "identity 
theft".  I think the terminology deserves some attention of its own.

There is a long-established term, "impersonation", which is wholly adequate to 
describe what is now called "identity theft".  Is this just a change of fashion?  I 
suggest that there is more to the change.

"Impersonation" as a term focuses attention on the fact that the criminal is deceiving 
someone in order to gain advantage by claiming to have some valuable characteristics 
or authorisations in fact belonging not to the criminal but to some other person.  The 
person deceived is the primary victim in contemplation when this terminology is used.

"Identity theft", by contrast, suggests that the victim is the person impersonated, 
because his or her "identity" has been "stolen".

This way of looking at things implies that the losses which arise out of the 
impersonation fall on the person impersonated, rather than on the person deceived by 
the impersonation.

"Identity theft" as a label is attractive to, for example, banks who may wish to 
suggest that losses must be carried by their customers because they failed to take 
proper care of their "identity".

I think the use of the term "identity theft" should alert us to the risk that victims 
of crime are trying to pass the blame and the loss to someone else.

Regards

Nicholas

Salkyns, Great Canfield,
Takeley, Bishop’s Stortford CM22 6SX, UK

Phone   01279 871272(+44 1279 871272)
Fax 020 7788 2198   (+44 20 7788 2198)
Mobile  07715 419728(+44 7715 419728)

PGP RSA 1024 bit public key ID: 0x08340015.  Fingerprint:
9E 15 FB 2A 54 96 24 37  98 A2 E0 D1 34 13 48 07
PGP DSS/DH 1024/3072 public key ID: 0x899DD7FF.  Fingerprint:
5248 1320 B42E 84FC 1E8B  A9E6 0912 AE66 899D D7FF  



Re: Question on the state of the security industry

2004-07-07 Thread Peter Gutmann
Steve Furlong <[EMAIL PROTECTED]> writes:

>On Wed, 2004-06-30 at 06:49, Ian Grigg wrote:
>
>> Here's my question - is anyone in the security
>> field of any sort of repute being asked about
>> phishing, consulted about solutions, contracted
>> to build?  Anything?
>
>Nothing here. Spam is the main concern on people's minds, so far as I can
>tell.

I never considered phishing to be much of an issue until about a month ago,
when I had a long discussion with someone at a security conference about a
scale and type of phishing you never really hear about much.  Not small-scale
script-kiddie stuff but large-scale phishing run as a standard commercial
business, with (literally) everything but 24-hour helpdesks (if you can read
Portuguese you may be able to find more info at http://www.nbso.nic.br/). 
Some of this I've already covered in the "Why isn't the Internet secure yet"
tutorial I mentioned a while back: Trojans that control your DNS to direct you
to fake web sites, trojans that grab copies of legit web sites from your
browser cache and render them asking you to re-validate yourself since
your session has expired, trojans that intercept data from inside your browser
before it gets to the SSL channel, etc etc.  This isn't stuff that only
newbies will fall for, these are exact copies of the real site that look and
act exactly like the real site.

This stuff is the scariest security threat I've heard of in (at least) the
last couple of years because it's almost impossible to defend against.  There
is simply no way to protect a user on a standard Windows PC from this type of
attack - even if you can afford to give each user a SecurID or crypto
challenge-response calculator, that doesn't help you much because the attacker
controls the PC. It's like having users stick their bank cards into and give
their PIN to a MafiaBank branded ATM, the only way to safely use it is to not
use it at all.

The only solution I can think of is to use the PC only as a proxy/router and
force users to do their online banking via a small terminal (not running
Windows) that talks to the PC via the USB port, but it's not really
economically viable.

Peter.



Re: Question on the state of the security industry (second half not necessarily on topic)

2004-07-07 Thread Jason Holt

On Sun, 4 Jul 2004, Ed Reed wrote:

> I recently had the same trouble with the Centers for Disease Control
> (CDC) - who were calling around to follow up on infant influenza
> inoculations given last fall.
> 
> Ultimately, they wanted me to provide authorization to them to receive
> HIPAA protected patient records from my son's pediatrician, and I 
> couldn't figure out how to get them to definitively persuade me that
> they were really the CDC, who I was willing to be so authorized.
[...]

I had the same question about the NSA when some friends were interviewing
there.  Apparently investigators will just show up at your house and want to
know all sorts of things about your friends, who you may or may not know to be
in the process of looking for work there.

As I understand it, the investigators don't even carry NSA badges; they're DSS
or private investigators.  I eventually found a phone number for the DSS, but
AFAICT there's no standard way of authenticating the agents when they show up.

Richard Bizarro had the same problem:
http://www.salon.com/people/feature/2002/02/20/bizzaro/index.html

Someone pointed out that the NSA isn't as concerned about other people
(agencies, etc.) compromising your privacy as they are about making sure
/they/ know everything about their employees.

DSS: Sir, I need to ask you some questions about John Doe.

Me: Okay, err, where's that NSA public key... windows registry... you don't 
have a certificate, I take it?

DSS: Well, I have this badge here.

Me: Hm, sorry, no.  I don't suppose you know anything about zero-knowledge
proofs...

DSS: ...

Me: Right.  Okay, look.  I'm going to randomly generate a 1024-bit -- no, 
better make that a 4096-bit integer.  We'll run it in blocks through SHA512, 
and then you can raise it to your private [mumbling].  Do you have a coin?  
On second thought, better use my own.  Lesse,  heads...

DSS: I have this gun, too.

Me: So, what do you want to know?

This was also amusing:
http://www.penny-arcade.com/view.php3?date=2004-06-25&res=l

-J



Re: Question on the state of the security industry (second half not necessarily on topic)

2004-07-04 Thread Ed Reed
I recently had the same trouble with the Centers for Disease Control
(CDC) - who were calling around to follow up on infant influenza
inoculations given last fall.

Ultimately, they wanted me to provide authorization to them to receive
HIPAA protected patient records from my son's pediatrician, and I
couldn't figure out how to get them to definitively persuade me that
they were really the CDC, who I was willing to be so authorized.

Such research MAY be appropriate, and in this case, I'm a believer in
the flu shots, and am generally supportive.

But, while I could (and had to) identify myself to them (it was
a random-number dial canvass), they had no way, short of giving
me an 800 number to call (with obvious trust bootstrap problems
with that) to get past it.

Eventually, I found enough information on the CDC websites
(assuming that DNS wasn't hacked, that my ISP wasn't redirecting
my http queries to a Russian web site, and that the CDC site
hadn't been hacked) to cooperate (talked with 2 supervisors,
5 followup canvassers, etc.)

This is a problem that "real life" has.  This sort of problem has
been around since telephones came into existence (I didn't think
to check the caller-id on the call, presuming it would point me
to a call center located somewhere on the planet).

We cope.  And when the annoyance gets too bad, we kvetch,
pass laws, and file law suits.  Isn't that pretty much what's
happening, now?

Thought-control countries present separate problems (whether
that's the Patriot Act or the Chinese censorship of SMS messages).

For them, we have to rely on the Internet to route around censorship.
And facilitate alternate routes (silent ones?) when the routers are
own3d by the censors. (sorry - cross-over to another thread).

Ed

>>> Dave Howe <[EMAIL PROTECTED]> 7/3/2004 8:22:56 PM >>>
Joseph Ashwood wrote:
> I am continually asked about spam, and I personally treat phishing as a
> subset of it, but I have seen virtually no interest in correcting the
> problem. I have personally been told I don't even know how many times that
> phishing "is not an issue."
Well if nothing else, it is impossible for my bank to send me anything I
would believe via email now

To take this even slightly more on-topic - does anyone here have a bank
capable of authenticating themselves to you when they ring you?
I have had four phone calls from my bank this year, all of which start
out by asking me to identify myself to them. When I point out that they
must know who I am - as they just phoned me - and that I have no way of
knowing who they are, they are completely lost (probably takes them away
from the little paper script pinned to their desk)



Re: Question on the state of the security industry

2004-07-04 Thread Ian Grigg
[EMAIL PROTECTED] wrote:
> I shared the gist of the question with a leader
> of the Anti-Phishing Working Group, Peter Cassidy.
Thanks Dan, and thanks Peter,
> ...
> I think we have that situation.  For the first
> time we are facing a real, difficult security
> problem.  And the security experts have shot
> their wad.
> --- Part One
(just addressing Part one in this email)
> I think the reason that, to date, the security community has
> been largely silent on phishing is that this sort of attack was
> considered a confidence scheme that was only potent against
> dim-wits - and we all know how sympathetic the IT
> security/cryptography community is to those with less than
> powerful intellects.

OK.  It could well be that the community has an
inbuilt bias against protecting those that aren't
able to protect themselves.  If so, this would be
cognitive dissonance on a community scale:  in this
case, SSL, CAs, browsers are all set up to meet
the goal of "totally secure by default."
Yet, we know there aren't any secure systems, this
is Adi Shamir's 1st law.
http://www.financialcryptography.com/mt/archives/000147.html
Ignoring attacks on dimwits is one way to meet that
goal, comfortably.
But, let's go back to the goal.  Why has it been
set?  Because it's been widely recognised and assumed
that the user is not capable of dealing with their own
security.  In fact, in its lifetime over the last decade,
browsers have migrated from a "ternary security rating"
presented to the user, to whit, the old 40 bit crypto
security, to a "binary security rating," confirming
the basic principle that users don't know and don't
care, and thus the secure browsing model has to do
all the security for the user.  Further, they've been
protected from the infamous half-way house of self-
signed certs, presumably because they are too dim-
witted to recognise when they need less or more
security against the evil and pervasive MITM.
http://www.iang.org/ssl/mallory_wolf.html
Who is thus a dimwit.  And, in order to bring it
together with Adi's 1st law, we ignore attacks
on dimwits (or in more technical terms, we assume
that those attacks are outside the security model).
(A further piece of evidence for this is a recent
policy debate conducted by Frank Hecker of Mozilla,
which confirmed that the default build and root
list for distribution of Mozilla is designed for
users who could not make security choices for
themselves.)
So, I think you're right.
> Also, it is true, it was considered a
> sub-set of SPAM.
And?  If we characterise phishing as a sub-set
of spam, does this mean we simply pass the buck
to anti-spam vendors?  Or is this just another
way of cataloging the problem in a convenient
box so we can ignore it?
(Not that I'm disagreeing with the observation,
just curious as to where it leads...)

> The reliance on broadcast spam as a vehicle for consumer data
> recruitment is remaining but the payload is changing and, I
> think, in that advance is room for important contributions by
> the IT security/cryptography community. In a classic phishing
> scenario, the mark gets a bogus e-mail, believes it and
> surrenders his consumer data and then gets a big surprise on his
> next bank statement. What is emerging is the use of spam to
> spread trojans to plant key-loggers to intercept consumer data
> or, in the future, to silently mine it from the consumer's PC.
> Some of this malware is surprisingly clever. One of the APWG
> committeemen has been watching the development of trojans that
> arrive as seemingly random blobs of ASCII that decrypt
> themselves with a one-time key embedded in the message - they
> all go singing straight past anti-virus.
This is actually much more serious, and I've
noticed that the media has picked up on this,
but the security community remains
characteristically silent.
What is happening now is that we are getting
much more complex attacks - and viruses are
being deployed for commercial theft rather
than spyware - information theft - or ego
proofs.  This feels like the nightmare
scenario, but I suppose it's ok because it
only happens to dimwits?
(On another note, as this is a cryptography
list, I'd encourage Peter and Dan to report
on the nature of the crypto used in the
trojans!)
> Since phishing, when successful, can return real money the
> approaches will become ever more sophisticated, relying far less
> on deception and more on subterfuge.
I agree this is to be expected.  Once a
revenue stream is earnt, we can expect that
money to be invested back into areas that
are fruitful.  So we can expect much more
and more complex and difficult attacks.
I.e., it's only just starting.

> --- Part Two

iang


Re: Question on the state of the security industry (second half not necessarily on topic)

2004-07-04 Thread Dave Howe
Joseph Ashwood wrote:
> I am continually asked about spam, and I personally treat phishing as a
> subset of it, but I have seen virtually no interest in correcting the
> problem. I have personally been told I don't even know how many times that
> phishing "is not an issue."
Well if nothing else, it is impossible for my bank to send me anything I 
would believe via email now

To take this even slightly more on-topic - does anyone here have a bank 
capable of authenticating themselves to you when they ring you?
I have had four phone calls from my bank this year, all of which start 
out by asking me to identify myself to them. When I point out that they 
must know who I am - as they just phoned me - and that I have no way of 
knowing who they are, they are completely lost (probably takes them away 
from the little paper script pinned to their desk)



Question on the state of the security industry

2004-07-03 Thread geer

I shared the gist of the question with a leader
of the Anti-Phishing Working Group, Peter Cassidy.

Specifically, I shared this fragment:

> Here's my question - is anyone in the security
> field of any sort of repute being asked about
> phishing, consulted about solutions, contracted
> to build?  Anything?
>
> Or, are security professionals as a body being
> totally ignored in the first major financial
> attack that belongs totally to the Internet?
>
> What I'm thinking of here is Scott's warning of
> last year:
>
>Subject: Re: Maybe It's Snake Oil All the Way Down
>At 08:32 PM 5/31/03 -0400, Scott wrote:
>...
>>When I drill down on the many pontifications made by computer
>>security and cryptography experts all I find is given wisdom.  Maybe
>>the reason that folks roll their own is because as far as they can see
>>that's what everyone does.  Roll your own then whip out your dick and
>>start swinging around just like the experts.
>
> I think we have that situation.  For the first
> time we are facing a real, difficult security
> problem.  And the security experts have shot
> their wad.


--- Part One

I think the reason that, to date, the security community has
been largely silent on phishing is that this sort of attack was
considered a confidence scheme that was only potent against
dim-wits - and we all know how sympathetic the IT
security/cryptography community is to those with less than
powerful intellects. Also, it is true, it was considered a
sub-set of SPAM.

The reliance on broadcast spam as a vehicle for consumer data
recruitment is remaining but the payload is changing and, I
think, in that advance is room for important contributions by
the IT security/cryptography community. In a classic phishing
scenario, the mark gets a bogus e-mail, believes it and
surrenders his consumer data and then gets a big surprise on his
next bank statement. What is emerging is the use of spam to
spread trojans to plant key-loggers to intercept consumer data
or, in the future, to silently mine it from the consumer's PC.
Some of this malware is surprisingly clever. One of the APWG
committeemen has been watching the development of trojans that
arrive as seemingly random blobs of ASCII that decrypt
themselves with a one-time key embedded in the message - they
all go singing straight past anti-virus.

Since phishing, when successful, can return real money the
approaches will become ever more sophisticated, relying far less
on deception and more on subterfuge.

Peter

--- Part Two


You can also tell them that the Anti-Phishing Working Group was
organized in Nov 2003 to investigate, quantify and propose
solutions (drawing from off-the-shelf technologies) to the
phishing threat. It now has 500 members from banks, ISPs,
payment processors, federal law enforcement (US, UK, Canada and
Australia) - some 300 companies and agencies in all. You'd
recognize some of the individuals involved. I am coordinating
the research effort. Among the committee chairs is Phillip
Hallam Baker who is heading up the Solutions Evaluations
subcommittee whose work is being synchronized with the FSTC and
its member banks. Description of the APWG's committee's system
follows:

The Anti-Phishing Working Group (APWG) is an industry
association focused on eliminating the identity theft and fraud
that result from the growing problem of phishing and email
spoofing. The organization provides a forum to discuss phishing
issues, to define the scope of the phishing problem in terms of
hard and soft costs, and to share information and best practices
for eliminating the problem. Where appropriate, the APWG will
also look to share this information with law enforcement.

The research and cross-disciplinary investigations into
phishing, related pre-texting scams and subterfuge schemes to
animate identity thefts and subsequent illicit transactions are
driven by seven sub-committees. Each sub-committee has its own
chairs, writes its own agenda in coordination with the APWG
executive committee and organizes its own research for
presentation to the plenary at meetings and through the APWG
members Web site: https://antiphishing.kavi.com/

Though the lion's share of the APWG is being driven by member
experts and practitioners within the committee system, the APWG
foresees many opportunities for extramural collaborations such
as the Working Group has already initialized with the Financial
Services Technology Consortium (FSTC) and others. As well, where
appropriate, the APWG will be recruiting visiting fellows and
expert practitioners to contribute research if relevant
expertise to complete it cannot be recruited from the ranks of
the APWG membership. To date, the seven standing committees to
have formed are:

- Solution Evaluation and Trial 
- Best Practices 
- Education 
- Future Threat Models and Forensics 
- Phishing Repository, Data Streams and Alerts 
- Sizing and Quantifying the Problem 
- Working with Law Enforcement

Regards

Re: authentication and authorization (was: Question on the state of the security industry)

2004-07-03 Thread Anne & Lynn Wheeler
At 12:26 PM 7/1/2004, John Denker wrote:
> The object of phishing is to perpetrate so-called "identity
> theft", so I must begin by objecting to that concept on two
> different grounds.
there are two sides of this  some amount of crime statistics call it 
ID-theft  which plausibly could be either identity or identification 
... but in general involves situation where criminal is impersonating you 
to one degree or another to perform some fraudulent action.

there has been some attempt to distinguish impersonation events between 
fraudulently extracting money from existing accounts and fraudulently 
creating new accounts in your name.

practically, objecting to the label id-theft may be like objecting to the 
label suicide bomber.

in general, the problem is using any kind of static data for 
authentication. it applies to name, birthdate, mother's maiden name, pins, 
passwords, account numbers  any kind of static data. it worked for a 
long time ... but it was based on assumption that it had characteristics of 
1) shared-secret and 2) used uniquely, different static data in different 
security domains.

the growth of electronic environments has drastically affected this in lots 
of ways (invalidating the core assumptions that were behind the use of such 
static data for authentication, it wasn't that static data didn't work ... 
but it worked well only as long as the underlying assumptions were valid):

1) drastic increase in number of different electronic environments 
requiring unique shared secrets . basic human factors making it 
impossible to process unique shared secret for every possible (scores of 
unique) environment

2) drastic increase in number of different electronic environments ... 
drastically increasing the number of places that shared secrets are being 
used ... which increases the places that shared secrets can be harvested 
(for criminal purposes)

3) drastic increase in electronic environments that contain information 
about individuals ... drastically increasing the number of places that 
personal information can be harvested (of the type that is likely to be 
used in shared-secret, static authentication information) for criminal 
purposes.

minor reference to the account based scenario  security proportional to 
risk
http://www.garlic.com/~lynn/2001h.html#61

and then there is the whole thing about frequent confusion of 
identification and authentication:
http://www.garlic.com/~lynn/aepay3.htm#mcomm (my) misc. additional comments 
on X9.59 issues.
http://www.garlic.com/~lynn/aepay7.htm#3dsecure 3D Secure Vulnerabilities? 
Photo ID's and Payment Infrastructure
http://www.garlic.com/~lynn/aadsm9.htm#pkcs12b A PKI Question: PKCS11-> PKCS12
http://www.garlic.com/~lynn/aadsm14.htm#40 The real problem that https has 
conspicuously failed to fix
http://www.garlic.com/~lynn/aadsm14.htm#41 certificates & the alternative view
http://www.garlic.com/~lynn/aadsm17.htm#13 A combined EMV and ID card
http://www.garlic.com/~lynn/aadsm17.htm#16 PKI International Consortium
http://www.garlic.com/~lynn/aepay11.htm#66 Confusing Authentication and 
Identiification?
http://www.garlic.com/~lynn/aepay11.htm#72 Account Numbers. Was: Confusing 
Authentication and Identiification? (addenda)
http://www.garlic.com/~lynn/aepay11.htm#73 Account Numbers. Was: Confusing 
Authentication and Identiification? (addenda)
http://www.garlic.com/~lynn/2003j.html#47 The Tao Of Backup: End of postings


Anne & Lynn Wheeler http://www.garlic.com/~lynn/

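Lynn's three points above (one human, many domains needing unique shared secrets; more places to harvest them; static data that is reusable wherever it is harvested) and Dave Howe's earlier question about a bank that cannot authenticate itself to the customer it rings, as an added example in Python. This is not code from any of the posters; the domain names, secrets and the HMAC-based per-domain derivation are constructed assumptions for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed scenario: one user ("alice"), two relying parties
# ("bank.example", "shop.example"). All names and secrets are assumptions.


def per_domain_key(master_secret: bytes, domain: str) -> bytes:
    """Derive a distinct shared secret per relying party from one memorised
    master secret: the human remembers one thing, yet no two domains hold the
    same secret (HMAC-SHA256 used as a simple KDF for illustration)."""
    return hmac.new(master_secret, domain.encode(), hashlib.sha256).digest()


def proof(key: bytes, label: bytes, nonce: bytes) -> bytes:
    """Keyed proof of possession over a fresh nonce; the secret itself never
    crosses the wire. The label keeps client and server proofs distinct."""
    return hmac.new(key, label + b"|" + nonce, hashlib.sha256).digest()


class Service:
    """A relying party holding one shared secret per enrolled user."""

    def __init__(self, domain: str) -> None:
        self.domain = domain
        self.verifiers = {}  # user -> shared secret

    def enrol(self, user: str, secret: bytes) -> None:
        self.verifiers[user] = secret

    # Static-data scheme: what is stored is exactly what the user presents,
    # so anything harvested anywhere is directly reusable.
    def login_static(self, user: str, presented: bytes) -> bool:
        stored = self.verifiers.get(user)
        return stored is not None and hmac.compare_digest(stored, presented)

    # Challenge-response scheme: a fresh nonce per attempt, so a captured
    # response is useless against the next challenge.
    def challenge(self) -> bytes:
        return secrets.token_bytes(16)

    def verify(self, user: str, nonce: bytes, response: bytes) -> bool:
        stored = self.verifiers.get(user)
        if stored is None:
            return False
        return hmac.compare_digest(proof(stored, b"client", nonce), response)

    def prove_to_user(self, user: str, user_nonce: bytes) -> bytes:
        """Mutual authentication: the caller proves knowledge of the shared
        secret before asking the customer for anything."""
        return proof(self.verifiers.get(user, b""), b"server", user_nonce)


def user_checks_caller(key: bytes, user_nonce: bytes, caller_proof: bytes) -> bool:
    """Customer side of the mutual step: does the caller's proof match?"""
    return hmac.compare_digest(proof(key, b"server", user_nonce), caller_proof)


def static_reuse_scenario() -> bool:
    """Same password at shop and bank: the shop's leaked record (or a phished
    copy of it) logs the attacker straight into the bank. Returns True."""
    password = b"correct-horse"
    bank, shop = Service("bank.example"), Service("shop.example")
    bank.enrol("alice", password)
    shop.enrol("alice", password)
    harvested = shop.verifiers["alice"]  # shop's database leaks
    return bank.login_static("alice", harvested)


def per_domain_scenario():
    """Per-domain secrets with challenge-response. Returns whether
    (a) the harvested shop secret works at the bank,
    (b) the legitimate user's fresh response works,
    (c) replaying that response against a new challenge works."""
    master = b"one memorised master secret"
    bank, shop = Service("bank.example"), Service("shop.example")
    bank.enrol("alice", per_domain_key(master, bank.domain))
    shop.enrol("alice", per_domain_key(master, shop.domain))
    harvested = shop.verifiers["alice"]

    nonce1 = bank.challenge()
    attacker_ok = bank.verify("alice", nonce1, proof(harvested, b"client", nonce1))

    bank_key = per_domain_key(master, bank.domain)  # user re-derives on demand
    response1 = proof(bank_key, b"client", nonce1)
    user_ok = bank.verify("alice", nonce1, response1)

    nonce2 = bank.challenge()
    replay_ok = bank.verify("alice", nonce2, response1)  # eavesdropper replays
    return attacker_ok, user_ok, replay_ok


def mutual_scenario():
    """The customer challenges whoever rings: the real bank can answer, a
    caller that merely claims to be the bank cannot."""
    master = b"one memorised master secret"
    bank = Service("bank.example")
    bank_key = per_domain_key(master, bank.domain)
    bank.enrol("alice", bank_key)
    impostor = Service("bank.example")  # same name, no secret
    impostor.enrol("alice", b"guess")
    user_nonce = secrets.token_bytes(16)
    genuine = user_checks_caller(bank_key, user_nonce, bank.prove_to_user("alice", user_nonce))
    fake = user_checks_caller(bank_key, user_nonce, impostor.prove_to_user("alice", user_nonce))
    return genuine, fake


if __name__ == "__main__":
    print("static reuse, shop breach opens bank:", static_reuse_scenario())
    print("(attacker, user, replay):", per_domain_scenario())
    print("(real bank, impostor) pass customer's challenge:", mutual_scenario())
```

The gain of the second scheme is containment, not immunity: a breach of the bank's own verifier store still lets an attacker impersonate the user at the bank, but the damage stays inside that one security domain, which is exactly the assumption Lynn says static data used to rely on.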


Re: authentication and authorization (was: Question on the state of the security industry)

2004-07-01 Thread John Denker
Ian Grigg wrote:
> The phishing thing has now reached the mainstream,
> epidemic proportions that were feared and predicted
> in this list over the last year or two.
OK.
>  For the first
time we are facing a real, difficult security
problem.  And the security experts have shot
their wad.
The object of phishing is to perpetrate so-called "identity
theft", so I must begin by objecting to that concept on two
different grounds.
1) For starters, "identity theft" is a misnomer.  My identity
is my identity, and cannot be stolen.  The current epidemic
involves something else, namely theft of an authenticator ...
or, rather, breakage of a lame attempt at an authentication
and/or authorization scheme.  See definitions and discussions
in e.g. _Handbook of Applied Cryptography_
  http://www.cacr.math.uwaterloo.ca/hac/about/chap10.pdf
I don't know of any "security experts" who would think for a
moment that a reusable sixteen-digit number and nine-digit
number (i.e. credit-card and SSN) could constitute a sensible
authentication or authorization scheme.
2) Even more importantly, the whole focus on _identity_ is
pernicious.  For the vast majority of cases in which people
claim to want ID, the purpose would be better served by
something else, such as _authorization_.  For example,
when I walk into a seedy bar in a foreign country, they can
reasonably ask for proof that I am authorized to do so,
which in most cases boils down to proof of age.  They do
*not* need proof of my car-driving privileges, they do not
need my real name, they do not need my home address, and
they really, really, don't need some "ID" number that some
foolish bank might mistake for sufficient authorization to
withdraw large sums of money from my account.  They really,
really, reeeally don't need other information such as what
SCI clearances I hold, what third-country visas I hold, my
medical history, et cetera.  I could cite many additional
colorful examples, but you get the idea:  The more info is
linked to my "ID" (either by writing it on the "ID" card or
by linking databases via "ID" number) the _less_ secure
everything becomes.  Power-hungry governments and power-
hungry corporations desire such linkage, because it makes
me easier to exploit ... but any claim that such linkable
"ID" is needed for _security_ is diametrically untrue.
===
Returning to:
>  For the first
> time we are facing a real, difficult security
> problem.  And the security experts have shot
> their wad.
I think a better description is that banks long ago
deployed a system that was laughably insecure.  (They got
away with it for years ... but that's irrelevant.)  Now
that there is widespread breakage, they act surprised, but
none of this should have come as a surprise to anybody,
expert or otherwise.
Now banks and their customers are paying the price.  As
soon as the price to the banks gets a little higher, they
will deploy a more-secure payment authorization scheme,
and the problem will go away.
(Note that I didn't say "ID" scheme.  I don't care who
knows my SSN and other "ID" numbers ... so long as they
cannot use them to steal stuff.  And as soon as there
is no value in knowing "ID" numbers, people will stop
phishing for them.)


Re: Question on the state of the security industry

2004-07-01 Thread Steve Furlong
On Wed, 2004-06-30 at 06:49, Ian Grigg wrote:

> Here's my question - is anyone in the security
> field of any sort of repute being asked about
> phishing, consulted about solutions, contracted
> to build?  Anything?

Nothing here. Spam is the main concern on people's minds, so far as I
can tell. Please note, though, that I'm not specifically a computer
security consultant but rather a broad-spectrum computer consultant who
does some security work and a private security guy who does some
computer work.

Topical anecdote: my last full-time but short-term consulting* gig was
at a bank. You know, money and stuff. Computer security in the
development shop consisted of telling the programmers to run NAV daily.
They used Outlook for email, with no filters on incoming mail that I
could track down. I did some minor testing from my home system. Didn't
send myself any viruses, but I did send a few executable attachments.
They all made it through.

* Not really consulting. They wanted a warm-body programmer, and not
only ignored the process improvement suggestions I was putatively hired
to provide, but seemed offended that I had suggestions to make at all.




Re: Question on the state of the security industry (second half not necessarily on topic)

2004-07-01 Thread Joseph Ashwood
- Original Message - 
From: "Ian Grigg" <[EMAIL PROTECTED]>
Subject: Question on the state of the security industry


> Here's my question - is anyone in the security
> field of any sort of repute being asked about
> phishing, consulted about solutions, contracted
> to build?  Anything?

I am continually asked about spam, and I personally treat phishing as a
subset of it, but I have seen virtually no interest in correcting the
problem. I have personally been told I don't even know how many times that
phishing "is not an issue."

I personally know it's an issue because between my accounts I receive ~3-5
phishing attempts/day, and the scams apparently account for a major portion
of the GNP of many small countries.

> Or, are security professionals as a body being
> totally ignored in the first major financial
> attack that belongs totally to the Internet?
>
> What I'm thinking of here is Scott's warning of
> last year:
>
>Subject: Re: Maybe It's Snake Oil All the Way Down
>At 08:32 PM 5/31/03 -0400, Scott wrote:
>...
>>When I drill down on the many pontifications made by computer
>>security and cryptography experts all I find is given wisdom.  Maybe
>>the reason that folks roll their own is because as far as they can see
>>that's what everyone does.  Roll your own then whip out your dick and
>>start swinging around just like the experts.
>
> I think we have that situation.  For the first
> time we are facing a real, difficult security
> problem.  And the security experts have shot
> their wad.
>
> Comments?

In large part that's the way it looks to me as well. We have an effectively
impotent security community, because all the "solutions" we've ever made
either didn't work, or worked too well. We basically have two types of
security solutions the ones that are referred to as "That doesn't work, we
had it and it did everything it shouldn't have" and those that result in "I
don't think it works, but I can't be sure because we were never attacked."
The SSL/TLS protocol is an example of this second type, I am unaware of any
blackhats that bother attacking SSL/TLS because they simply assume it is
impenetrable. At the same time we have the situation where Windows is
continually not because it is less secure than the others, but because it is
_believed_ to be less secure than the others, so the Windows security is
clearly of the first type. The biggest problem I've seen is that we're
dealing with generally undereducated people as far as security goes. We
need to start selling that we facilitate a business process, and that
because of this all you will see are the failures, the successes are almost
always invisible.

Also as with all business processes, there is never a final state, it must
be often reanalyzed and revised. This puts us in a rather strange situation,
where something that I have always offered becomes important, we become an
outsourced analyst, almost an auditor situation. To build this properly the
security model that is constructed needs to be built to include emergency
thresholds and revision timeframes. By supporting the security process as a
business process it allows the concepts to more easily permeate the CXO
offices, which means that you are far more likely to make more money, build
a long term client, and create a strong security location.

To make the point clearer, I have ended up with clients that were previously
with better known cryptanalysts, including some worldwide names. These
clients have been told by their previous consultants that their security is
good, but their consultant never told them that it needs reanalysis, they
never encouraged the creation of a business process around it, it was always
"Ask me when you have questions." I did not poach these clients, they left
their previous consultants, and found me through referrals. These
relationships are extremely profitable for me, for many reasons; I actually
cost less than their prior consultants, but I make more, because everything
is done quickly, efficiently, and effectively.

This security process builds stronger security, and while I admit I am still
rarely asked about phishing, and even rarer is my advice listened to, my
clients are rarely successfully hacked, and have lower than average losses.

Our biggest problem is that we view the security process as distinct from
business processes. I truly wish I could make the Sarbanes-Oxley 2002
(http://news.findlaw.com/hdocs/docs/gwbush/sarbanesoxley072302.pdf) act
required reading for every security consultant, because it demonstrates very
much that proper security consulting is actually a business process.

Getting back to the topic, by doing this we can help them move from the
"dick sw

Question on the state of the security industry

2004-06-30 Thread Ian Grigg
The phishing thing has now reached the mainstream,
epidemic proportions that were feared and predicted
in this list over the last year or two.  Many of
the "solution providers" are bailing in with ill-
thought out tools, presumably in the hope of cashing
in on a buying splurge, and hoping to turn the
result into lucrative cash flows.
In other news, Verisign just bailed in with a
service offering [1].  This is quite cunning,
as they have offered the service primarily as
a spam protection service, with a nod to phishing.
In this way they have something, a toe in the
water, but they avoid the embarrassing questions
about whatever happened to the last security
solution they sold.
Meanwhile, the security field has been deathly
silent.  (I recently had someone from the security
industry authoritatively tell me phishing wasn't
a problem  ... because the local plod said he
couldn't find any!)
Here's my question - is anyone in the security
field of any sort of repute being asked about
phishing, consulted about solutions, contracted
to build?  Anything?
Or, are security professionals as a body being
totally ignored in the first major financial
attack that belongs totally to the Internet?
What I'm thinking of here is Scott's warning of
last year:
  Subject: Re: Maybe It's Snake Oil All the Way Down
  At 08:32 PM 5/31/03 -0400, Scott wrote:
  ...
  >When I drill down on the many pontifications made by computer
  >security and cryptography experts all I find is given wisdom.  Maybe
  >the reason that folks roll their own is because as far as they can see
  >that's what everyone does.  Roll your own then whip out your dick and
  >start swinging around just like the experts.
I think we have that situation.  For the first
time we are facing a real, difficult security
problem.  And the security experts have shot
their wad.
Comments?
iang
[1] Lynn Wheeler's links below if anyone is interested:
VeriSign Joins The Fight Against Online Fraud
http://www.informationweek.com/story/showArticle.jhtml;jsessionid=25FLNINV0L5DCQSNDBCCKHQ?articleID=22102218
http://www.infoworld.com/article/04/06/28/HNverisignantiphishing_1.html
http://zdnet.com.com/2100-1105_2-5250010.html
http://news.com.com/VeriSign+unveils+e-mail+protection+service/2100-7355_3-5250010.html?part=rss&tag=5250010&subj=news.7355.5
[2] sorry, the original email I couldn't
find, but here's the snippet, routed at:
http://www.mail-archive.com/[EMAIL PROTECTED]/msg01435.html