Re: Question on the state of the security industry

2004-07-16 Thread Anne Lynn Wheeler

A couple recent news stories
1)
Intuit warns of credit card risk
http://news.com.com/Intuit+warns+of+credit+card+risk/2100-1029_3-5269821.html

2)
Cyberattacks are soaring, countermeasures are sucking up tons of cash, and 
hardware and software vendors for the most part are sitting it out, *Bob 
Evans* says. But big customers are starting to say enough is enough, so the 
business-technology world is about to get whirled.
http://www.informationweek.com/story/showArticle.jhtml;jsessionid=WK0LPHXYB4YSUQSNDBGCKHY?articleID=22104612

...
I've been saying for some time that after market security is broken by 
design ... it is somewhat like after market seat belts of the 60s. for 
security to work, it has to be designed & built in from the start ... some 
relatively recent comments about after market security:
http://www.garlic.com/~lynn/2002h.html#39 Oh, here's an interesting paper
http://www.garlic.com/~lynn/2002p.html#27 Secure you PC or get kicked off 
the net?
http://www.garlic.com/~lynn/2003n.html#14 Poor people's OS?

--
Anne & Lynn Wheeler   http://www.garlic.com/~lynn/

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]


Re: Question on the state of the security industry

2004-07-13 Thread Amir Herzberg
[EMAIL PROTECTED] wrote:
> McAfee Research has proposed solutions to some of their larger customers
> and has an anti-phishing white paper:
> http://www.networkassociates.com/us/_tier2/products/_media/mcafee/wp_antiphishing.pdf

The paper, at:
http://www.networkassociates.com/us/_tier2/products/_media/mcafee/wp_antiphishing.pdf
contains an excellent review of the area and of the known, existing tools 
(anti-virus, spam-filter, ...) and good practices for users and 
corporations.

Michael, I've noted that the authors acknowledged you, so could you 
forward them our proposal (at my homepage or directly at 
http://www.cs.biu.ac.il/~herzbea/Papers/ecommerce/spoofing.htm)? I'd 
love to hear their feedback.
--
Best regards,

Amir Herzberg
Associate Professor, Computer Science Dept., Bar Ilan University
http://amirherzberg.com (information and lectures in cryptography & 
security)



RE: Question on the state of the security industry

2004-07-12 Thread Michael_Heyman
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Ian Grigg
> Sent: Wednesday, June 30, 2004 6:49 AM
>
> Here's my question - is anyone in the security
> field of any sort of repute being asked about
> phishing, consulted about solutions, contracted
> to build?  Anything?
 
McAfee Research has proposed solutions to some of their larger customers
and has an anti-phishing white paper:
http://www.networkassociates.com/us/_tier2/products/_media/mcafee/wp_antiphishing.pdf

Press release:
http://www.networkassociates.com/us/about/press/mcafee_enterprise/2004/20040315_094318.htm

-Michael Heyman



Re: Question on the state of the security industry (second half not necessarily on topic)

2004-07-09 Thread Matt Blaze
On Jul 3, 2004, at 14:22, Dave Howe wrote:
> Well if nothing else, it is impossible for my bank to send me anything 
> I would believe via email now
>
> To take this even slightly more on-topic - does anyone here have a 
> bank capable of authenticating themselves to you when they ring you?
> I have had four phone calls from my bank this year, all of which start 
> out by asking me to identify myself to them. When I point out that 
> they must know who I am - as they just phoned me - and that I have no 
> way of knowing who they are, they are completely lost (probably takes 
> them away from the little paper script pinned to their desk)

Last month I had a rather good experience with American Express
in this regard.  I recently moved and had ordered something
to be shipped to my new address (this was before I changed my
billing address with AMEX).  Apparently the merchant had Amex
verify the transaction, and so AMEX called me.
Naturally, I asked how I was supposed to know it was really them
calling.  Without missing a beat, the caller invited me to hang
up and call back the number on the back of my card, which I did.
After the usual exchange of information to establish my identity,
I was transferred to the right department, and ended up speaking with
the same person who had originally called me(!).
After confirming the validity of the transaction in question, I
asked how many people are as suspicious as I was in asking for
confirmation that it's really AMEX calling.  He said not many,
but a significant enough number that they're ready to handle it
routinely when it happens (he also congratulated me for my
diligence).
It's nice that they have a procedure for this, but it's still a
mixed success for security against the theft of sensitive personal
information.  People like me (us?) remain the exception rather
than the rule, and while it's comforting that the standard procedures
accommodate us, the vast majority of people appear to happily give any
information requested to whoever calls them.  And when banks and
credit card issuers make calls requesting sensitive information
as part of their routine operations, they're training their customers
to engage in exactly the same behavior that they should be trying to
discourage.
Perhaps a better procedure would be to always simply ask the customer
to call back the known, trusted contact number (e.g., as printed on
the card), and never ask for any personal or sensitive information
in an unsolicited call.  They could widely advertise that this is
always the procedure and ask customers to be alert for any caller
who deviates from it.
-matt


Re: Question on the state of the security industry (second half not necessarily on topic)

2004-07-08 Thread Steven M. Bellovin
In message [EMAIL PROTECTED], Jason Holt writes:

> [...]
>
> I had the same question about the NSA when some friends were interviewing
> there.  Apparently investigators will just show up at your house and want to
> know all sorts of things about your friends, who you may or may not know to be
> in the process of looking for work there.
>
> As I understand it, the investigators don't even carry NSA badges; they're DSS
> or private investigators.

In all seriousness, background investigations have been outsourced...

I had a similar experience a few years ago.  I was supposed to visit 
the --- agency.  Someone I had *not* been dealing with called to ask 
for my social security number and birthdate.  I declined, on the 
grounds that I had no idea who he was.  "But if I'm not legitimate, how 
do I know you're going to visit tomorrow?"  My reply was "you're from 
--- and you don't think people can learn things they're not supposed
to know?"

He was livid -- "if you don't tell me, you can't visit."  I told him 
that that was fine with me, and he should get my usual contact to call 
me.  "But he's unavailable today!"  I indicated that I was still 
unconcerned -- and 10 minutes later, this "unavailable" person called 
me...

On the other hand, when my broker called last week and asked for some 
confidential info, he was very understanding and co-operative when I 
declined to give out that information over the phone when he had called 
me.  So it's not completely hopeless.


--Steve Bellovin, http://www.research.att.com/~smb




Re: Question on the state of the security industry

2004-07-07 Thread Peter Gutmann
Steve Furlong [EMAIL PROTECTED] writes:

> On Wed, 2004-06-30 at 06:49, Ian Grigg wrote:
>
>> Here's my question - is anyone in the security
>> field of any sort of repute being asked about
>> phishing, consulted about solutions, contracted
>> to build?  Anything?
>
> Nothing here. Spam is the main concern on people's minds, so far as I can
> tell.

I never considered phishing to be much of an issue until about a month ago,
when I had a long discussion with someone at a security conference about a
scale and type of phishing you never really hear about much.  Not small-scale
script-kiddie stuff but large-scale phishing run as a standard commercial
business, with (literally) everything but 24-hour helpdesks (if you can read
Portuguese you may be able to find more info at http://www.nbso.nic.br/). 
Some of this I've already covered in the "Why isn't the Internet secure yet"
tutorial I mentioned a while back: Trojans that control your DNS to direct you
to fake web sites, trojans that grab copies of legit web sites from your
browser cache and render them asking you to re-validate yourself since
your session has expired, trojans that intercept data from inside your browser
before it gets to the SSL channel, etc etc.  This isn't stuff that only
newbies will fall for, these are exact copies of the real site that look and
act exactly like the real site.

This stuff is the scariest security threat I've heard of in (at least) the
last couple of years because it's almost impossible to defend against.  There
is simply no way to protect a user on a standard Windows PC from this type of
attack - even if you can afford to give each user a SecurID or crypto
challenge-response calculator, that doesn't help you much because the attacker
controls the PC. It's like having users stick their bank cards into and give
their PIN to a MafiaBank branded ATM, the only way to safely use it is to not
use it at all.

The only solution I can think of is to use the PC only as a proxy/router and
force users to do their online banking via a small terminal (not running
Windows) that talks to the PC via the USB port, but it's not really
economically viable.

Peter.

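The DNS-controlling trojans Peter describes above leave a footprint a responder can look for: on a Windows PC the cheapest way to send a bank's domain name to the attacker's server is to plant an entry in the hosts file, and the same mechanism is used to blackhole anti-virus update servers. The following is an added example, not part of the original post and not code from anyone on the list, that parses a hosts file and flags every entry that pins a watched domain, distinguishing a redirect to a foreign address from a loopback/unspecified sinkhole. The sample hosts file, the 203.0.113.45 address (from the documentation range) and the watched domain names are all constructed for the example. It assumes the hosts file is read from a clean machine over an image of the suspect disk; as Peter says, a trojan that controls the PC can also lie to any tool running on that PC.

```python
"""Flag hosts-file entries that hijack watched domains (offline triage check)."""
import ipaddress
from typing import Dict, List, Set, Tuple

# Constructed hosts file as a DNS-redirecting trojan might leave it. The
# 203.0.113.0/24 block is reserved for documentation, so no real host is named.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
# lines below were appended by the (hypothetical) trojan
203.0.113.45    www.bank.example online.bank.example
203.0.113.45    WWW.BANK.EXAMPLE.
0.0.0.0         updates.antivirus.example
"""

# Domains the user relies on resolving honestly (constructed list).
WATCHED: Set[str] = {
    "www.bank.example",
    "online.bank.example",
    "updates.antivirus.example",
}


def parse_hosts(text: str) -> List[Tuple[int, str, List[str]]]:
    """Return (line number, address, [normalised names]) for each valid entry."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                          # not a hosts entry, ignore
        # Names are case-insensitive and a trailing dot denotes the same name.
        names = [n.rstrip(".").lower() for n in fields[1:]]
        entries.append((lineno, str(addr), names))
    return entries


def find_overrides(text: str, watched: Set[str]) -> List[Dict[str, object]]:
    """Return every hosts entry that pins a watched name to some address."""
    findings = []
    for lineno, addr, names in parse_hosts(text):
        ip = ipaddress.ip_address(addr)
        # A loopback/unspecified target blackholes the name (e.g. kills AV
        # updates); anything else sends the user to the attacker's server.
        kind = "sinkhole" if (ip.is_loopback or ip.is_unspecified) else "redirect"
        for name in names:
            if name in watched:
                findings.append({"line": lineno, "name": name,
                                 "addr": addr, "kind": kind})
    return findings


if __name__ == "__main__":
    for f in find_overrides(SAMPLE_HOSTS, WATCHED):
        print(f"line {f['line']}: {f['name']} -> {f['addr']} ({f['kind']})")
```

This covers only the hosts-file variant. A trojan that changes the configured resolvers, patches the browser, or reads form data before the SSL layer (the other cases Peter lists) leaves nothing in this file, so an empty result is not a clean bill of health.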


Re: Question on the state of the security industry

2004-07-04 Thread Ian Grigg
[EMAIL PROTECTED] wrote:
> I shared the gist of the question with a leader
> of the Anti-Phishing Working Group, Peter Cassidy.

Thanks Dan, and thanks Peter,

> ...
>> I think we have that situation.  For the first
>> time we are facing a real, difficult security
>> problem.  And the security experts have shot
>> their wad. 
>
> --- Part One

(just addressing Part one in this email)

> I think the reason that, to date, the security community has
> been largely silent on phishing is that this sort of attack was
> considered a confidence scheme that was only potent against
> dim-wits - and we all know how sympathetic the IT
> security/cryptography community is to those with less than
> powerful intellects.

OK.  It could well be that the community has an
inbuilt bias against protecting those that aren't
able to protect themselves.  If so, this would be
cognitive dissonance on a community scale:  in this
case, SSL, CAs, browsers are all set up to meet
the goal of "totally secure by default".
Yet, we know there aren't any secure systems, this
is Adi Shamir's 1st law.
http://www.financialcryptography.com/mt/archives/000147.html
Ignoring attacks on dimwits is one way to meet that
goal, comfortably.
But, let's go back to the goal.  Why has it been
set?  Because it's been widely recognised and assumed
that the user is not capable of dealing with their own
security.  In fact, in its lifetime over the last decade,
browsers have migrated from a ternary security rating
presented to the user, to wit, the old 40-bit crypto
security, to a binary security rating, confirming
the basic principle that users don't know and don't
care, and thus the secure browsing model has to do
all the security for the user.  Further, they've been
protected from the infamous half-way house of self-
signed certs, presumably because they are too dim-
witted to recognise when they need less or more
security against the evil and pervasive MITM.
http://www.iang.org/ssl/mallory_wolf.html
Who is thus a dimwit.  And, in order to bring it
together with Adi's 1st law, we ignore attacks
on dimwits (or in more technical terms, we assume
that those attacks are outside the security model).
(A further piece of evidence for this is a recent
policy debate conducted by Frank Hecker of Mozilla,
which confirmed that the default build and root
list for distribution of Mozilla is designed for
users who could not make security choices for
themselves.)
So, I think you're right.
> Also, it is true, it was considered a
> sub-set of SPAM.
And?  If we characterise phishing as a sub-set
of spam, does this mean we simply pass the buck
to anti-spam vendors?  Or is this just another
way of cataloging the problem in a convenient
box so we can ignore it?
(Not that I'm disagreeing with the observation,
just curious as to where it leads...)

> The reliance on broadcast spam as a vehicle for consumer data
> recruitment is remaining but the payload is changing and, I
> think, in that advance is room for important contributions by
> the IT security/cryptography community. In a classic phishing
> scenario, the mark gets a bogus e-mail, believes it and
> surrenders his consumer data and then gets a big surprise on his
> next bank statement. What is emerging is the use of spam to
> spread trojans to plant key-loggers to intercept consumer data
> or, in the future, to silently mine it from the consumer's PC.
> Some of this malware is surprisingly clever. One of the APWG
> committeemen has been watching the development of trojans that
> arrive as seemingly random blobs of ASCII that decrypt
> themselves with a one-time key embedded in the message - they
> all go singing straight past anti-virus.
This is actually much more serious, and I've
noticed that the media has picked up on this,
but the security community remains
characteristically silent.
What is happening now is that we are getting
much more complex attacks - and viruses are
being deployed for commercial theft rather
than spyware - information theft - or ego
proofs.  This feels like the nightmare
scenario, but I suppose it's ok because it
only happens to dimwits?
(On another note, as this is a cryptography
list, I'd encourage Peter and Dan to report
on the nature of the crypto used in the
trojans!)
> Since phishing, when successful, can return real money the
> approaches will become ever more sophisticated, relying far less
> on deception and more on subterfuge.
I agree this is to be expected.  Once a
revenue stream is earnt, we can expect that
money to be invested back into areas that
are fruitful.  So we can expect much more
and more complex and difficult attacks.
I.e., it's only just starting.

> --- Part Two

iang


Re: Question on the state of the security industry (second half not necessarily on topic)

2004-07-04 Thread Ed Reed
I recently had the same trouble with the Centers for Disease Control
(CDC) - who were calling around to follow up on infant influenza
inoculations given last fall.

Ultimately, they wanted me to provide authorization to them to receive
HIPAA-protected patient records from my son's pediatrician, and I 
couldn't figure out how to get them to definitively persuade me that
they were really the CDC, who I was willing to be so authorized.

Such research MAY be appropriate, and in this case, I'm a believer in
the flu shots, and am generally supportive.

But, while I could (and had to) identify myself to them (it was
a random-number dial canvass), they had no way, short of giving
me an 800 number to call (with obvious trust bootstrap problems
with that) to get past it.

Eventually, I found enough information on the CDC websites
(assuming that DNS wasn't hacked, that my ISP wasn't redirecting
my http queries to a Russian web site, and that the CDC site
hadn't been hacked) to cooperate (talked with 2 supervisors,
5 followup canvassers, etc.)

This is a problem that real life has.  This sort of problem has
been around since telephones came into existence (I didn't think
to check the caller-id on the call, presuming it would point me
to a call center located somewhere on the planet).

We cope.  And when the annoyance gets too bad, we kvetch,
pass laws, and file law suits.  Isn't that pretty much what's
happening, now?

Thought-control countries present separate problems (whether
that's the Patriot Act or the Chinese censorship of SMS messages).

For them, we have to rely on the Internet to route around censorship.
And facilitate alternate routes (silent ones?) when the routers are
own3d by the censors. (sorry - cross-over to another thread).

Ed

>>> Dave Howe [EMAIL PROTECTED] 7/3/2004 8:22:56 PM >>>
> Joseph Ashwood wrote:
>> I am continually asked about spam, and I personally treat phishing as a
>> subset of it, but I have seen virtually no interest in correcting the
>> problem. I have personally been told I don't even know how many times that
>> phishing is not an issue.
> Well if nothing else, it is impossible for my bank to send me anything I
> would believe via email now
>
> To take this even slightly more on-topic - does anyone here have a bank
> capable of authenticating themselves to you when they ring you?
> I have had four phone calls from my bank this year, all of which start
> out by asking me to identify myself to them. When I point out that they
> must know who I am - as they just phoned me - and that I have no way of
> knowing who they are, they are completely lost (probably takes them away
> from the little paper script pinned to their desk)



Re: Question on the state of the security industry (second half not necessarily on topic)

2004-07-01 Thread Joseph Ashwood
----- Original Message -----
From: Ian Grigg [EMAIL PROTECTED]
Subject: Question on the state of the security industry


> Here's my question - is anyone in the security
> field of any sort of repute being asked about
> phishing, consulted about solutions, contracted
> to build?  Anything?

I am continually asked about spam, and I personally treat phishing as a
subset of it, but I have seen virtually no interest in correcting the
problem. I have personally been told I don't even know how many times that
phishing is not an issue.

I personally know it's an issue because between my accounts I receive ~3-5
phishing attempts/day, and the scams apparently account for a major portion
of the GNP of many small countries.

> Or, are security professionals as a body being
> totally ignored in the first major financial
> attack that belongs totally to the Internet?
>
> What I'm thinking of here is Scott's warning of
> last year:
>
> Subject: Re: Maybe It's Snake Oil All the Way Down
> At 08:32 PM 5/31/03 -0400, Scott wrote:
> ...
>> When I drill down on the many pontifications made by computer
>> security and cryptography experts all I find is given wisdom.  Maybe
>> the reason that folks roll their own is because as far as they can see
>> that's what everyone does.  Roll your own then whip out your dick and
>> start swinging around just like the experts.
>
> I think we have that situation.  For the first
> time we are facing a real, difficult security
> problem.  And the security experts have shot
> their wad.
>
> Comments?

In large part that's the way it looks to me as well. We have an effectively
impotent security community, because all the solutions we've ever made
either didn't work, or worked too well. We basically have two types of
security solutions: the ones that are referred to as "That doesn't work, we
had it and it did everything it shouldn't have" and those that result in "I
don't think it works, but I can't be sure because we were never attacked."
The SSL/TLS protocol is an example of this second type, I am unaware of any
blackhats that bother attacking SSL/TLS because they simply assume it is
impenetrable. At the same time we have the situation where Windows is
continually not because it is less secure than the others, but because it is
_believed_ to be less secure than the others, so the Windows security is
clearly of the first type. The biggest problem I've seen is that we're
dealing with generally undereducated people as far as security goes. We
need to start selling that we facilitate a business process, and that
because of this all you will see are the failures, the successes are almost
always invisible.

Also as with all business processes, there is never a final state, it must
be often reanalyzed and revised. This puts us in a rather strange situation,
where something that I have always offered becomes important, we become an
outsourced analyst, almost an auditor situation. To build this properly the
security model that is constructed needs to be built to include emergency
thresholds and revision timeframes. By supporting the security process as a
business process it allows the concepts to more easily permeate the CXO
offices, which means that you are far more likely to make more money, build
a long term client, and create a strong security location.

To make the point clearer, I have ended up with clients that were previously
with better known cryptanalysts, including some worldwide names. These
clients have been told by their previous consultants that their security is
good, but their consultant never told them that it needs reanalysis, they
never encouraged the creation of a business process around it, it was always
"Ask me when you have questions." I did not poach these clients, they left
their previous consultants, and found me through referrals. These
relationships are extremely profitable for me, for many reasons; I actually
cost less than their prior consultants, but I make more, because everything
is done quickly, efficiently, and effectively.

This security process builds stronger security, and while I admit I am still
rarely asked about phishing, and even rarer is my advice listened to, my
clients are rarely successfully hacked, and have lower than average losses.

Our biggest problem is that we view the security process as distinct from
business processes. I truly wish I could make the Sarbanes-Oxley 2002
(http://news.findlaw.com/hdocs/docs/gwbush/sarbanesoxley072302.pdf) act
required reading for every security consultant, because it demonstrates very
much that proper security consulting is actually a business process.

Getting back to the topic, by doing this we can help them move from the
"dick swinging" phase to a best practices security infrastructure used
accurately and appropriately. We also need to start putting our money where
our mouth is, I've seen too many security consultants whose primary job
was to sell the add-on services available from their employer, instead we
need to follow 

Re: Question on the state of the security industry

2004-07-01 Thread Steve Furlong
On Wed, 2004-06-30 at 06:49, Ian Grigg wrote:

> Here's my question - is anyone in the security
> field of any sort of repute being asked about
> phishing, consulted about solutions, contracted
> to build?  Anything?

Nothing here. Spam is the main concern on people's minds, so far as I
can tell. Please note, though, that I'm not specifically a computer
security consultant but rather a broad-spectrum computer consultant who
does some security work and a private security guy who does some
computer work.

Topical anecdote: my last full-time but short-term consulting* gig was
at a bank. You know, money and stuff. Computer security in the
development shop consisted of telling the programmers to run NAV daily.
They used Outlook for email, with no filters on incoming mail that I
could track down. I did some minor testing from my home system. Didn't
send myself any viruses, but I did send a few executable attachments.
They all made it through.

* Not really consulting. They wanted a warm-body programmer, and not
only ignored the process improvement suggestions I was putatively hired
to provide, but seemed offended that I had suggestions to make at all.


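Steve's anecdote above, executable attachments sailing through to a bank's development shop with nothing but a daily NAV run in the way, is the gap a content-based gateway filter closes. What follows is an added example, not code from the original post and not anything that bank ran, showing how to classify attachments by their leading bytes rather than by file extension or by the Content-Type the sender declared, so that a Windows PE file renamed report.doc is still caught. The message, the addresses and the PE stub (an MZ header whose e_lfanew field points at a PE signature, with no real code behind it) are all constructed for the example.

```python
"""Classify mail attachments by content, not by filename or declared type."""
import email
from email import policy
from email.message import EmailMessage
from typing import Dict, List

# Constructed stand-in for a Windows PE executable: an MZ header whose
# e_lfanew field (offset 0x3C) points at a "PE\0\0" signature at offset 0x40.
# It is not a real program and cannot run; it only has the shape a sniffer sees.
PE_STUB = b"MZ" + b"\x00" * 58 + (0x40).to_bytes(4, "little") + b"PE\x00\x00" + b"\x00" * 20

# Kinds that a mail gateway for a development shop should not pass through.
EXECUTABLE_KINDS = {"pe", "mz", "elf", "macho", "script"}


def sniff(data: bytes) -> str:
    """Return a coarse type for the attachment from its magic bytes."""
    if data[:2] == b"MZ":
        # PE files start with a DOS stub; the real signature sits at e_lfanew.
        if len(data) >= 0x40:
            off = int.from_bytes(data[0x3C:0x40], "little")
            if data[off:off + 4] == b"PE\x00\x00":
                return "pe"
        return "mz"  # plain DOS executable, or a truncated/odd PE
    if data[:4] == b"\x7fELF":
        return "elf"
    if data[:4] in (b"\xfe\xed\xfa\xce", b"\xfe\xed\xfa\xcf",
                    b"\xce\xfa\xed\xfe", b"\xcf\xfa\xed\xfe"):
        return "macho"
    if data[:2] == b"#!":
        return "script"
    return "other"


def scan_message(raw: bytes) -> List[Dict[str, object]]:
    """Parse an RFC 5322 message and classify every attachment by content."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    results = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        kind = sniff(data)
        results.append({
            "filename": part.get_filename() or "<unnamed>",
            "declared": part.get_content_type(),   # what the sender claims
            "kind": kind,                          # what the bytes say
            "block": kind in EXECUTABLE_KINDS,
        })
    return results


def build_sample() -> bytes:
    """Constructed message: a harmless text attachment and a renamed executable."""
    msg = EmailMessage()
    msg["From"] = "someone@example.net"          # constructed addresses
    msg["To"] = "developers@bank.example"
    msg["Subject"] = "Q2 figures"
    msg.set_content("Numbers attached, please review.")
    msg.add_attachment("just some notes\n", subtype="plain", filename="notes.txt")
    # Executable disguised as a Word document: the filename and the declared
    # Content-Type both lie; only the bytes tell the truth.
    msg.add_attachment(PE_STUB, maintype="application", subtype="msword",
                       filename="report.doc")
    return msg.as_bytes()


if __name__ == "__main__":
    for r in scan_message(build_sample()):
        verdict = "BLOCK" if r["block"] else "pass"
        print(f"{verdict:5} {r['filename']:12} declared={r['declared']} sniffed={r['kind']}")
```

Magic-byte sniffing is the floor, not the ceiling: it does nothing for an executable inside a zip or for a macro in a real Office document, so in practice the same gateway also opens archives and routes document formats to a macro scanner. What it does guarantee is that an extension rename alone, the trick Steve's test relied on, no longer gets through.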