Re: funsec Digest, Vol 2, Issue 9

[Fred Cohen <fred.cohen () all net>]

Since there is no unsubscribe link - please unsubscribe me.

FC

On Oct 5, 2005, at 10:00 AM, funsec-request () linuxbox org wrote:

> Send funsec mailing list submissions to
>     funsec () linuxbox org
>
> To subscribe or unsubscribe via the World Wide Web, visit
>     https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
> or, via email, send a message with subject or body 'help' to
>     funsec-request () linuxbox org
>
> You can reach the person managing the list at
>     funsec-owner () linuxbox org
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of funsec digest..."
>
>
> Today's Topics:
>
>    1. Re: Nordea Sweden shuts Internet banking due to targeted
>       phishing  (Valdis.Kletnieks () vt edu)
>    2. Re: Book: "Spychips" Sees an RFID Conspiracy
>       (Fergie (Paul Ferguson))
>    3. Re: Nordea Sweden shuts Internet banking due to targeted
>       phishing (Dan Kaminsky)
>    4. Re: Nordea Sweden shuts Internet banking due to targeted
>       phishing  (Valdis.Kletnieks () vt edu)
>    5. Re: Nordea Sweden shuts Internet banking due to targeted
>       phishing (Craig Webster)
>    6. Re: Book: "Spychips" Sees an RFID Conspiracy (Craig Webster)
>    7. Re: Nordea Sweden shuts Internet banking due to targeted
>       phishing (Florian Weimer)
>    8. RE: Book: "Spychips" Sees an RFID Conspiracy (Discini, Sonny)
>    9. FTC sues company over spyware (Fergie (Paul Ferguson))
>   10. UK: Tsunami relief hacking case opens (Fergie (Paul Ferguson))
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Wed, 05 Oct 2005 11:01:53 -0400
> From: Valdis.Kletnieks () vt edu
> Subject: Re: [funsec] Nordea Sweden shuts Internet banking due to
>     targeted    phishing
> To: Drsolly <drsollyp () drsolly com>
> Cc: funsec () linuxbox org
> Message-ID: <200510051501.j95F1r3K005289 () turing-police cc vt edu>
> Content-Type: text/plain; charset="us-ascii"
>
> On Wed, 05 Oct 2005 15:48:32 BST, Drsolly said:
>
> > On Wed, 5 Oct 2005, Dan Kaminsky wrote:
> >
> >
> > > > Banks could fix the phishing problem if they had the incentive.  
> > > > It isn't
> > > > bad enough yet to make them want to fix it.
> > > Once we move to phishers with rootkits, it's kind of game over.
> > > Majority of hosts are infected with spyware, ya know.
> >
> > You won't be able to rootkit the credit-card sized gizmo.
>
> You don't have to, if you can MITM the transaction.  Wait for the  
> user to hit
> the bank, read the challenge, snarf the gizmo's reply code as the  
> user enters it.
> Then submit your *own* transaction, and then submit the user's  
> transaction. That
> then complains about the code having been used already - but the  
> damage is done.
> -------------- next part --------------
> A non-text attachment was scrubbed...
> Name: not available
> Type: application/pgp-signature
> Size: 226 bytes
> Desc: not available
> Url : http://linuxbox.org/pipermail/funsec/attachments/20051005/ 
> ad2ef3e9/attachment-0001.pgp
>
> ------------------------------
>
> Message: 2
> Date: Wed, 5 Oct 2005 15:01:37 GMT
> From: "Fergie (Paul Ferguson)" <fergdawg () netzero net>
> Subject: Re: [funsec] Book: "Spychips" Sees an RFID Conspiracy
> To: dan () doxpara com
> Cc: funsec () linuxbox org
> Message-ID: <20051005.080141.55.64702 () webmail11 lax untd com>
> Content-Type: text/plain
>
> Like what?
>
> - ferg
>
>
> -- Dan Kaminsky <dan () doxpara com> wrote:
>
> RFID has much bigger problems than privacy.
>
> --Dan
>
> --
> "Fergie", a.k.a. Paul Ferguson
>  Engineering Architecture for the Internet
>  fergdawg () netzero net or fergdawg () sbcglobal net
>  ferg's tech blog: http://fergdawg.blogspot.com/
>
>
>
> ------------------------------
>
> Message: 3
> Date: Wed, 05 Oct 2005 08:02:44 -0700
> From: Dan Kaminsky <dan () doxpara com>
> Subject: Re: [funsec] Nordea Sweden shuts Internet banking due to
>     targeted    phishing
> To: Drsolly <drsollyp () drsolly com>
> Cc: funsec () linuxbox org
> Message-ID: <4343EB14.5050303 () doxpara com>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
> Drsolly wrote:
>
> > On Wed, 5 Oct 2005, Dan Kaminsky wrote:
> >
> >
> >
> > > > Banks could fix the phishing problem if they had the incentive.  
> > > > It isn't
> > > > bad enough yet to make them want to fix it.
> > > Once we move to phishers with rootkits, it's kind of game over.
> > > Majority of hosts are infected with spyware, ya know.
> >
> > You won't be able to rootkit the credit-card sized gizmo.
> Credit card sized gizmo has an insufficient UI.
>
> --Dan
>
>
>
> ------------------------------
>
> Message: 4
> Date: Wed, 05 Oct 2005 11:07:53 -0400
> From: Valdis.Kletnieks () vt edu
> Subject: Re: [funsec] Nordea Sweden shuts Internet banking due to
>     targeted    phishing
> To: Craig Webster <craig () xeriom net>
> Cc: funsec () linuxbox org, Blue Boar <BlueBoar () thievco com>
> Message-ID: <200510051507.j95F7rok005706 () turing-police cc vt edu>
> Content-Type: text/plain; charset="us-ascii"
>
> On Wed, 05 Oct 2005 15:14:25 BST, Craig Webster said:
>
>
> > This is only true so long as clients actually care about security  
> > and don't
> > think "oh it'll never happen to me; I'll stick with my current  
> > bank because
> > it's less hastle."
>
> And a lot of people managed to miss a point that Schneier keeps  
> making: Security
> is about *tradeoffs*.
>
> I do business with a bank that's somewhat underclued in the e- 
> security area,
> and admitted it when I went to talk to them about it.  However,  
> they'd have to
> be a *lot* more unclued than they are before their lack of clue on  
> this one
> thing outweighed the benefits of my having done most of my banking  
> there for
> the last 15 years - everything from them having more ATMs in the  
> places I need
> them on a daily basis (and avoid a $2.50 charge each time) to the  
> fact that in
> the last decade, none of the other banks with a presence around  
> here has made a
> better offer for my business. Cheapest, most convenient, *and* most  
> helpful -
> it's gonna take a lot to make me move. :)
>
> And defence in depth helps here too - my bank is a bit weak on the  
> e-security side,
> but they've called me several times when they've spotted an  
> anomalous transaction
> (turned out each time I'd done something truly oddball compared to  
> my usual
> business pattern - but they did in fact notice the oddness..)
> -------------- next part --------------
> A non-text attachment was scrubbed...
> Name: not available
> Type: application/pgp-signature
> Size: 226 bytes
> Desc: not available
> Url : http://linuxbox.org/pipermail/funsec/attachments/ 
> 20051005/6b233d94/attachment-0001.pgp
>
> ------------------------------
>
> Message: 5
> Date: Wed, 5 Oct 2005 16:14:15 +0100
> From: Craig Webster <craig () xeriom net>
> Subject: Re: [funsec] Nordea Sweden shuts Internet banking due to
>     targeted    phishing
> To: Valdis.Kletnieks () vt edu
> Cc: funsec () linuxbox org, Blue Boar <BlueBoar () thievco com>
> Message-ID: <20051005151415.GI12270 () xeriom net>
> Content-Type: text/plain; charset=us-ascii
>
> Hi,
>
> > Cheapest, most convenient, *and* most helpful -
> > it's gonna take a lot to make me move. :)
>
> <argh>
> It'd take very little to make me move and as far as I'm aware my bank
> has fairly tight security and I haven't seen even one phishing scam
> relating to it. Nice and secure, ATMs everywhere, cheap, evil little
> sods that charge me at every possible opportunity, screw up basic  
> things
> like changing the date on a standing order, enjoy being as  
> unhelpful as
> possible when it comes to direct debits, lock me out of telephone
> banking for giving the correct password and look down their noses  
> at me
> whenever I go into the branch.
>
> Can you tell that I love my bank? And yet, as far as I'm aware they're
> the best bank for me. I don't really care about security at this
> moment in time -- I want customer service, I want access to advisors
> and I want trained staff!
> </argh>
>
> Yours,
> Craig
> --
> Craig Webster | web: http://xeriom.net/
> Xeriom.NET    | tel: +44 (0)131 516 8595
>
>
> ------------------------------
>
> Message: 6
> Date: Wed, 5 Oct 2005 16:15:52 +0100
> From: Craig Webster <craig () xeriom net>
> Subject: Re: [funsec] Book: "Spychips" Sees an RFID Conspiracy
> To: "Fergie (Paul Ferguson)" <fergdawg () netzero net>
> Cc: funsec () linuxbox org
> Message-ID: <20051005151552.GJ12270 () xeriom net>
> Content-Type: text/plain; charset=us-ascii
>
> Hi,
>
> > Like what?
>
> Well it tastes pretty bad...
>
> Craig
> --
> Craig Webster | web: http://xeriom.net/
> Xeriom.NET    | tel: +44 (0)131 516 8595
>
>
> ------------------------------
>
> Message: 7
> Date: Wed, 05 Oct 2005 17:21:08 +0200
> From: Florian Weimer <fw () deneb enyo de>
> Subject: Re: [funsec] Nordea Sweden shuts Internet banking due to
>     targeted    phishing
> To: funsec () linuxbox org
> Message-ID: <87zmpogfbv.fsf () mid deneb enyo de>
> Content-Type: text/plain; charset=us-ascii
>
> * Steven Champeon:
>
>
> > on Wed, Oct 05, 2005 at 11:34:02AM +0200, Florian Weimer wrote:
> >
> > > * Justin Mason:
> > >
> > >
> > > > - Adam Shostack's _Preserving the Internet Channel Against  
> > > > Phishers_,
> > > >   http://www.homeport.org/~adam/phishing.html , in which he gives
> > > >   4 simple steps that *will* fix the problem.
> > >
> > > What is the problem?  "Phishing" or online fraud?
> >
> > The problem is that Bank X uses Service Y to send its email.
>
> This doesn't answer my question because outsourcing your bulk mailings
> certainly isn't a security problem in itself.
>
> Maybe it's time for a little poll.  Who has heard of "PWSteal",
> "Bancos" or "ASH"?
>
>
> ------------------------------
>
> Message: 8
> Date: Wed, 5 Oct 2005 11:49:21 -0400
> From: "Discini, Sonny" <Sonny.Discini () montgomerycountymd gov>
> Subject: RE: [funsec] Book: "Spychips" Sees an RFID Conspiracy
> To: "Fergie \(Paul Ferguson\)" <fergdawg () netzero net>,
>     <funsec () linuxbox org>
> Message-ID:
>     <066F402A7185F04E8B7506F582E00E8902E29E7F () mcg-ex02 mcgov org>
> Content-Type: text/plain;    charset="us-ascii"
>
>
> Fergie Wrote:
>
> > I enjoy a good conspiracy theory as much as the next guy. ;-)
> >
> > Via Wired News:
> >
> > [snip]
> >
> > A new book by privacy advocates makes the case that
> > corporations and government agencies are in collusion to put
> > tiny radio transmitters on nearly everything we buy.
> > Companies say it's about providing thought leadership, not
> > the Mark of the Beast.
> >
> > Katherine Albrecht and Liz McIntyre hope to become the twin
> > Erin Brockoviches of RFID, by revealing the threat posed by
> > the radio tag replacements for barcode labels
> >
> > They may get their wish, if readers believe the conclusions
> > of the privacy advocates' new book, "Spychips: How Major
> > Corporations and Government Plan to Track Your Every Move with RFID".
> >
> > Albrecht and McIntyre make a staggering accusation in
> > Spychips: that Philips, Procter and Gamble, Gillette, NCR and
> > IBM are conspiring with each other and the federal government
> > to follow individual consumers everywhere, using embedded
> > radio tags planted in their clothing and belongings.
> >
> > [snip]
> >
> > http://wired-vig.wired.com/news/technology/0,1282,69068,00.html
> >
> > - ferg
>
>
>
>
> Interesting. When I opened a pack of Gillette razors the other day,
> indeed I found an RFID chip inside. I knew those bastards were up to
> something when I signed up for that shopping bonus card!  ;-)
>
>
> Sonny Discini, Senior Network Security Engineer
> Department of Technology Services
> Enterprise Infrastructure Division
> Montgomery County Government
>
>
>
>
> ------------------------------
>
> Message: 9
> Date: Wed, 5 Oct 2005 16:36:37 GMT
> From: "Fergie (Paul Ferguson)" <fergdawg () netzero net>
> Subject: [funsec] FTC sues company over spyware
> To: funsec () linuxbox org
> Message-ID: <20051005.093656.55.66532 () webmail11 lax untd com>
> Content-Type: text/plain
>
> Via C|Net News:
>
> [snip]
>
> The Federal Trade Commission announced on Wednesday that it has  
> sued a company it says secretly installed spyware and adware  
> purporting to be peer-to-peer file sharing software. The company  
> offered claims such as "Download music without fear," and "Don't  
> let the record companies win," but in reality did things like  
> rewriting search engine results and generating pop-up ads, the  
> agency said.
>
> Wednesday's announcement seems to be an effort to stave off  
> possible enforcement-related criticism from Congress, which is  
> holding a hearing on the topic later in the day. The defendant in  
> the case is Odysseus Marketing of New Hampshire, whose ClientMan  
> program is listed in Computer Associates' spyware encyclopedia.
>
> [snip]
>
> C|Net article:
> http://news.com.com/FTC+sues+company+over+spyware/ 
> 2110-7348_3-5889202.html
>
> FTC announcement:
> http://www.ftc.gov/opa/2005/10/odysseus.htm
>
> - ferg
>
>
> --
> "Fergie", a.k.a. Paul Ferguson
>  Engineering Architecture for the Internet
>  fergdawg () netzero net or fergdawg () sbcglobal net
>  ferg's tech blog: http://fergdawg.blogspot.com/
>
>
>
> ------------------------------
>
> Message: 10
> Date: Wed, 5 Oct 2005 16:50:46 GMT
> From: "Fergie (Paul Ferguson)" <fergdawg () netzero net>
> Subject: [funsec] UK: Tsunami relief hacking case opens
> To: funsec () linuxbox org
> Message-ID: <20051005.095124.55.66813 () webmail11 lax untd com>
> Content-Type: text/plain
>
> Here's a story with an interesting twist. Although additional
> details are sketchy, it will be interesting to see what details
> become available and how this case ends up.
>
> Via The Register:
>
> [snip]
>
> Horseferry Road Magistrates Court has heard the first day of  
> evidence against the East London man accused of hacking into a  
> donations site for the tsunami appeal last December.
>
> Daniel James Cuthbert, 28, of Whitechapel, London, is accused of  
> breaches of Section One of the Computer Misuse Act, 1990, on the  
> afternoon of New Year’s Eve, 2004. He had earlier pleaded not guilty.
>
> Cuthbert is accused of attempting a directory traversal attack on  
> the donate.bt.com site which handles credit card payments on behalf  
> of the Disasters Emergency Committee.
>
> Giving evidence on his own behalf, Cuthbert, at times near tears,  
> said he had made a £30 donation to the site, after clicking on a  
> banner advert. Because he received no final thank you or  
> confirmation page he became concerned it may have been a phishing  
> site, so he carried out two tests to check the security of the site.
>
> The case continues tomorrow.
>
> [snip]
>
> http://www.theregister.co.uk/2005/10/05/dec_case/
>
> - ferg
>
>
> --
> "Fergie", a.k.a. Paul Ferguson
>  Engineering Architecture for the Internet
>  fergdawg () netzero net or fergdawg () sbcglobal net
>  ferg's tech blog: http://fergdawg.blogspot.com/
>
>
>
> ------------------------------
>
> _______________________________________________
> funsec mailing list
> funsec () linuxbox org
> https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
>
>
> End of funsec Digest, Vol 2, Issue 9
> ************************************

-- This communication is confidential to the parties it is intended  
to serve --
Security Posture            securityposture.com          tel/fax
University of New Haven               unhca.com        925-454-0171
Fred Cohen & Associates                 all.net      572 Leona Drive
Security Management Partners    policygeeks.com    Livermore, CA 94550


_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.