August 31, 2004

Hayek says "Buy Dinar"

Here's a fascinating article about speculators snarfing up the Dinar unit in Iraq, in the hope that Iraq stabilises and recovers! Of course, Iraq could collapse and burn, in which case so do these speculators' holdings.

Thus, we have an indicator. If the best guess of what people on the ground in Iraq think is stabilisation, the price of old dinar goes up. If collapse is imminent, watch it crash. This is what prices are for, said F.A. Hayek.

Dinar Brokers Boom in Iraq Chaos
By Joanna Glasner

02:00 AM Aug. 17, 2004 PT

From the safety of a computer terminal halfway around the world from battle-weary Baghdad, Bill Burbank is betting that political and economic stability will reign in Iraq some day in the not-too-distant future.

He has a lot riding on that hypothesis. Since October, when Iraq began circulating a new currency to replace its old bills, most of which contained images of Saddam Hussein, Burbank has spent close to $200,000 buying up new Iraqi dinar bills. Through a website based in Alpharetta, Georgia, the day trader and former Navy Seal runs a side business selling the new currency to the public.

"It's just so cheap at a tenth of a penny (per dinar)," he said. "If it just goes to a penny you make a thousand percent. I think there's not too much downside in owning the currency and just holding."

While most are betting far more modest sums on the hopes of economic recovery in Iraq, droves of investors are following a similar logic in buying up dinars. In response, a host of websites have cropped up to cash in on demand, most selling the currency at a steep markup.

Enter the phrase "buy dinar" into a search engine, and the results contain more than a dozen online outlets, most based in the United States, that are willing to sell freshly minted bills. Rates range from about $1,000 to $1,300 for 1 million dinar.

Brokers' prices don't reflect Iraq Central Bank's published exchange rate, because street prices for dinar are usually substantially lower, according to Burbank. Demand for dinars surged in the run up to the June 30 handover of power from the U.S.-led Coalition Provisional Authority to the Iraqi interim government, said Marshall Donnerbauer, owner of the website Investindinar.com. During that period, he was selling around $20,000 worth of dinar a day. In the weeks following the handover, sales slowed to about $5,000 a day.

Donnerbauer says his biggest customers are U.S. soldiers and employees of Kellogg Brown & Root, a subsidiary of the contracting firm Halliburton that has a large workforce in Iraq.

"They are over there seeing the growth and believe that Iraq will be much better in the future," he said.

Still, no one's calling the dinar a risk-free investment. Given that the Iraqi dinar is not yet traded on major global currency exchanges, there's no guarantee that buyers of the bills will be able to easily sell them.

"This is an extremely speculative investment -- there's no question about that," said Richard Lyons, a finance professor at the University of California at Berkeley's Haas School of Business.

History does provide examples of economies and currencies rebounding in the wake of turmoil, such as Kuwait and the Kuwaiti dinar following the 1991 Gulf War and Germany and the Deutschmark following World War II.

However, Lyons noted, history is also replete with examples of currencies whose value deteriorated sharply in the wake of conflict. One case close to dinar investors' hearts is Iraq itself, which saw its currency's value fall apart following the 1991 Gulf War as international sanctions took effect and Saddam maintained his hold on power.

According to several online dinar sellers, the typical investors spend $1,000 or $2,000 to acquire Iraqi currency. In most cases, investors say they want a large enough holding to make a tidy profit if the currency soars, but not enough to bankrupt them if the dinar declines.

"I always advise people: 'Don't invest more than you can afford to lose,'" said Christine Anderson, operations manager for New-Iraqi-Dinar.com, which sells a million Dinars for $1,240.

In weighing whether buying dinars is a sensible move, Lyons believes investors need to consider political factors more than economic ones. Simply stated, if one believes the current chaos engulfing Iraq will eventually be replaced by a stable, effective government, then the dinar ought to be a good buy. If turmoil continues, even the vast reserves of oil under Iraq's sands probably won't be enough to prop up the dinar.

Another factor prospective buyers should consider, Lyons said, is whether the Iraqi government is likely to increase the money supply to pay for things it can't otherwise afford. If a vast quantity of new dinars enters the economy, it would devalue the existing stock.

Burbank, for his part, is exploring the possibility of adding the Iraqi dinar to one of several established, private networks for forex, or foreign currency trading. If people had a single place to both buy and sell dinars, he believes they'd be more comfortable investing in the currency.

Of course, such an idea has its drawbacks as well, at least for websites that sell dinars. If investors could buy the currency from an established bank or trading exchange, most of the upstart online dinar brokers would likely be out of business.

© Copyright 2004, Lycos, Inc. All Rights Reserved.
http://www.wired.com/news/business/0,1367,64565,00.html

Posted by iang at 05:44 AM | Comments (0) | TrackBack

Phishing Kits

James Sherwood of ZDNet reports: "Some Web sites are now offering surfers the chance to download free 'phishing kits' containing all the graphics, Web code and text required to construct the kind of bogus Web sites used in Internet phishing scams."



So you want to be a cybercrook...
Published: August 19, 2004, 3:24 PM PDT
By James Sherwood
ZDNet UK

Some Web sites are now offering surfers the chance to download free "phishing kits" containing all the graphics, Web code and text required to construct the kind of bogus Web sites used in Internet phishing scams.

According to security firm Sophos, the kits allow users to design sites that have the same look and feel as legitimate online banking sites that can then be used to defraud unsuspecting users by getting them to reveal the details of their financial accounts.

"By putting the necessary tools in the hands of amateurs, it's likely that the number of attacks will continue to rise," said Graham Cluley, senior technology consultant at Sophos.

Sophos warned that many of the kits also contain spamming software that enables potential fraudsters to send out thousands of phishing e-mails with direct links to their do-it-yourself fraud sites.

"The emergence of these 'build your own phish' kits means that anyone can now mimic bona fide banking Web sites and convince customers to disclose sensitive information such as passwords," Cluley said.

Many online banking Web sites now carry messages urging users not to open any e-mail that they suspect may be fraudulent and to telephone their bank for further information if they do receive suspicious e-mail.

Phishing has become such a problem that there are now several online antiphishing guides to educate users about the con artists' common tricks.

James Sherwood of ZDNet UK reported from London

Posted by iang at 05:12 AM | Comments (0) | TrackBack

August 27, 2004

Privatising Cash

Trends in the physical cash world - notes and coins issued by central banks - indicate that the CBs are moving to privatise the distribution and handling of cash float. The Federal Reserve has announced that it will no longer willingly (read: cheaply) take in surplus cash and ship it out on demand.

This makes a lot of sense, and what's more, it echoes the experiences of the DGC world, where back in 2000, the first independent market makers sprang into life and captured the bulk of the retail trading in digital gold, leaving the issuers with the much more core job of looking after the tech, governing the issue and only doing occasional big movements of digital and metal.

I draw your attention to one aspect: if the CBs are getting out of the heavy end of carting cash around, I wonder if they are also posturing to get out of issuance altogether? It's not inconceivable - it's been permitted in NZ for a decade or more (and thus, is a plausible play for Australia as well), and the Federal Reserve has permitted all sorts of crazy experiments to go along. The Bank of England has been mildly supportive of the idea as well.

Who knows, check back in another decade.



Cash handling changes on the way

by Ann All, editor * 13 August 2004

The Federal Reserve is poised to make some policy changes that will force many financial institutions to change the way they think about money.

In an effort to reduce its cash handling costs, the Fed has announced its intent to introduce a custodial inventory program which will encourage FIs to hold currency in their vaults rather than shipping it to the Fed.

In 2006, it also plans to begin imposing fees on depository institutions that deposit currency and order currency from Reserve Banks within the same week, a practice it calls cross shipping.

Morris Menasche, managing director of the Americas for Transoft International, a provider of cash management software and consulting services, said the proposed changes "will force practically every financial institution to look at its downstream supply of cash and figure out how they can consume more of their cash inventories."

"The Fed is saying 'enough is enough,'" said Bob Blacketer, director of consulting for Carreker Corporation, another provider of currency management software and consulting services. "It wants to get out of currency handling operations and focus more on policy making and risk management."

World view

The Fed's position is far from unique, Blacketer said. Central banks around the world are adopting a more privatized view of cash handling.

In Australia, the Reserve Bank has virtually exited the role of depository and distributor, leaving commercial banks fully accountable for cash on their balance sheets. As a result, three of the country's leading banks formed a shared utility called Cash Services Australia to provide currency transportation services for FIs.

In the United Kingdom, the Bank of England adopted a Note Circulation Scheme in which verified and sorted notes are segregated to specified NCS inventories, with banks receiving credit for balances placed in the NCS.

As a result, most British FIs began outsourcing cash handling operations or formed joint ventures with other FIs. Only one of Britain's largest banks continues to perform cash handling in-house, Blacketer said.

During 2002, U.S. Reserve Banks processed 34.2 billion notes at a total cost of approximately $342 million, according to the Fed. The number included 19.4 billion $5 through $20 bills -- nearly 6.7 billion of which were followed or preceded by orders of the same denomination by the same institution in the same business week.

Most cross shipping, "probably 75 to 80 percent," occurs at the nation's 100 largest depository institutions, Blacketer said.

Based on the 2002 data, the Fed estimates that it could avoid currency processing costs of up to $35 million a year by cutting down on cross shipping of $5 to $20 notes, the only denominations that would be initially included in the new policy.

The plan

The Fed's plan includes two parts. First, FIs will be allowed to transfer $5, $10 and $20 bills that they might otherwise cross-ship into custodial inventories. The currency will be owned by a Reserve Bank -- even though it will remain at an FI's facility.

The second part is a proposed penalty of $5 to $6 for each bundle of cross-shipped currency in the $5 to $20 denominations. FIs would not pay a penalty for the first 1,000 cross-shipped bundles in a particular zone or sub-zone each quarter.

According to the Fed, the exemption will limit the impact of the cross-shipping policy on institutions which may not be able to justify investments in sorting equipment, and will help FIs deal with unanticipated customer demands for cash.

To become eligible to hold a custodial inventory, an FI must commit to recirculating a significant amount of currency. Participating FIs also must have facilities large enough to segregate the currency from their own cash.

It's possible, said Blacketer, that some large banks with well developed cash handling infrastructures may be able to provide cash processing services for smaller FIs and other customers -- much as they have provided check processing services for years.

"Instead of a loss leader, they could break even or even make a small profit with their cash handling operations by providing cash products and services for customers like retailers, ISOs and credit unions," he said.

But Menasche said it may be difficult to eke profitability out of cash handling operations -- particularly if transportation costs are included.

"More than anything else, this is a logistics issue," he said. "It's easy to underestimate the costs of transporting cash. They could end up transporting the same cash three or four times."

The good news for cash management software providers like Transoft, Menasche said, is that the proposed changes are driving an increased interest in their products.

"Our decision support tools can help financial institutions assess cash processing and transportation costs, and show them when it may be cheaper to send cash back to the Fed and pay a penalty," he said. "If they allow those decisions to become subjective and decentralized, they could get into serious trouble."

The ATM effect

The tremendous growth of ATMs, from 200,000 machines in 1998 to some 370,000 machines today, has helped drive the increased demand for fit currency.

The Fed's proposed policy change could unduly impact FIs' ATM networks, particularly non-branch machines, according to Amy Dronzek, national manager of Cash Vault Services for KeyBank.

"Most cross shipping of currency in our industry results from the need for currency fit enough for automation, such as for ATMs. Large scale need for this type of currency requires automated fitness processing to be cost effective, historically proven more cost effective in a centralized versus a decentralized environment," Dronzek wrote in a letter submitted to the Fed.

Some FIs will have to invest in more currency sorting equipment to support their ATM networks, Dronzek wrote. The alternative will likely be paying higher fees to ATM service personnel.

"If the armored courier companies obtain currency from depository institutions, then they will increase ATM service fees for the additional handling of the currency that will be required," Dronzek wrote, "as Federal Reserve currency is viewed as 100 percent accurate due to the state-of-the-art, high-speed currency sorting equipment which many depository institutions will be unable to afford."

In KeyBank's comment letter, Dronzek urges the Fed to exempt ATMs from the new policy.

For more info on the Fed's proposal: http://www.federalreserve.gov/boarddocs/press/other/2003/20031008/attachment.pdf
And to read comments on the proposal: http://www.federalreserve.gov/generalinfo/foia/ProposedRegs.cfm
(posted under Federal Reserve Bank Currency Recirculation Policy)

"Enable depository institutions the opportunity for limited cross-shipping activity to support their ATM networks using a separate endpoint or other delimiter," she wrote. "This will minimize impact to the consumer by allowing institutions the opportunity to maintain existing ATM networks, especially those that are remote."

In its comment letter, Huntington Bank raised the possibility that "using recirculated money that does not meet strict fitness levels could cause ATM downtime or additional costs for emergency cash transportation."

Alternative approaches

Some FIs would like to see the Fed adopt an alternative approach.

In a comment letter, Greg Smith, a senior vice president at SunTrust Bank, encouraged the Fed to approach cash processing "in a similar fashion to check clearing and electronic payments types by helping to create a processing utility among the banks and armored carriers that would act as an intermediary between depository institutions and the Federal Reserve."

Jim Roemer, senior vice president of Cash Services for U.S. Bank, said in his letter that U.S. Bank is involved in discussions with other FIs to explore the idea of establishing a "cash clearing house," similar to Cash Services Australia.

"In order for the cash clearing house concept to be successful, the participating depository institutions will require some level of cooperation from the Federal Reserve," Roemer wrote.

In its comment letter, Wells Fargo also signals its intent to "proceed with the creation of a non-profit organization in conjunction with other financial institutions."

The Fed began a pilot of the custodial inventory program earlier this month, with 14 pilot sites and 10 participating depository institutions. According to a Fed spokesperson, the pilot program will run for six months, however "the clock will not begin until the last pilot is set up," likely in September.

Copyright 2004 NetWorld Alliance LLC. All rights reserved.

Posted by iang at 02:14 PM | Comments (1) | TrackBack

August 26, 2004

Paranoia Goes Better With Coke

Most threats are mundane and well known. Some are just plain silly. Then, there are some that slice through the over-paranoid security systems and make them look daft. Here's one. Is it a threat? You be the judge.

Paranoia Goes Better With Coke
Associated Press 09:57 AM Jul. 02, 2004 PT

There's a new security threat at some of the nation's military bases - and it looks uncannily like a can of Coke. Specially rigged Coke cans, part of a summer promotion, contain cell phones and global positioning chips. That has officials at some installations worried the cans could be used to eavesdrop, and they are instituting protective measures.

Coca-Cola says such concerns are nothing but fizz.

Mart Martin, a Coca-Cola spokesman, said no one would mistake one of the winning cans from the company's "Unexpected Summer" promotion for a regular Coke. "The can is dramatically different looking," he said. The cans have a recessed panel on the outside and a big red button. "It's very clear that there's a cell phone device."

Winners activate it by pushing the button, which can only call Coke's prize center, he said. Data from the GPS device can only be received by Coke's prize center. Prizes include cash, a home entertainment center and an SUV.

"It cannot be an eavesdropping device," he said.

Nonetheless, military bases, including the U.S. Army Armor Center at Fort Knox, Kentucky, are asking soldiers to examine their Coke cans before bringing them in to classified meetings.

"We're asking people to open the cans and not bring it in if there's a GPS in it," said Master Sgt. Jerry Meredith, a Fort Knox spokesman. "It's not like we're examining cans at the store. It's a pretty commonsense thing."

Sue Murphy, a spokeswoman for Wright-Patterson Air Force Base in Dayton, Ohio, said personal electronic devices aren't permitted in some buildings and conference rooms on base.

"We've taken measures to make sure everyone's aware of this contest and to make sure devices are cleared before they're taken in" to restricted areas, she said. "In the remote possibility a can were found in one of these areas, we'd make sure the can wasn't activated, try to return it to its original owner and ask that they activate it at home," she said. "It's just another measure we have to take to keep everyone out here safe and secure."

The Marine Corps said all personnel had been advised of the cans and to keep them away from secure areas.

Paul Saffo, research director at The Institute for the Future, a technology research firm, compared the concern about the Coke cans to when the Central Intelligence Agency banned Furbies, the stuffed toys that could repeat phrases.

"There are things generals should stay up late at night worrying about," he said. "A talking Coke can isn't one of them."

But Bruce Don, a senior analyst at the Rand Corp., said the military's concern is rational and appropriate.

"There's a lot of reason to worry about how that technology could be taken advantage of by a third party without Coke's knowledge," he said. "I wouldn't worry if one was in my refrigerator, but if you had a sensitive discussion or location, it's not inconceivable the thing could be used for something it was not designed for."

Martin said Thursday the world's largest soft drink maker has received phone calls inquiring about the promotion from Hill Air Force Base in Ogden, Utah, and from a military base in Anchorage, Alaska. The callers did not mention any concerns, and Coke has not been contacted by the bases in Ohio and Kentucky, Martin said.

Asked if Coke would curtail the promotional campaign because of the security issues raised, Martin said, "No. There's no reason to."

© Copyright 2004, Lycos, Inc. All Rights Reserved.
http://www.wired.com/news/technology/0,1282,64078,00.html

Posted by iang at 04:58 AM | Comments (0) | TrackBack

August 25, 2004

Using PGP with an USB smartcard token

The financial cryptographer's decade old dream of token-based security is inching closer. The ideal is a custom configured iPaq or palmPilot with only the secure application on it.

Although lacking a display, here's a cost effective compromise - a USB "keyfob" token that generates your PGP keys and keeps them safe inside the internal smart card. Edwin Woudt wrote up how to hook up a USB token with PGP Inc's current (paid) product, using tokens from OpenFortress.

Hint to the GPG guys - how cool is this?

Posted by iang at 08:56 AM | Comments (9) | TrackBack

August 24, 2004

An Overview of Steganography for the Computer Forensics Examiner

A pretty good review of steganography. The taxonomy and references look good, and the explanations and examples are easy to understand: there are innocent looking pictures, and the maps that are hidden in them.

The only thing that dampened the scientific credibility was the conclusion that because we can't find any steganography (references well supplied and well analysed!) that doesn't mean there isn't any! As the author drifts off into law enforcement wet dreams, his grip on reality diminishes: "Steganography will not be found if it is not being looked for." Nonsense. It'll be found when it does some damage, and the correct posture is to ignore it, until found, along with all the MITM attacks, alien abductions, snipers in the street, and other things that go bump in the night.

Still, aside from that one little blemish, it's a good resource that refers to a lot of good stego programs for making and for searching.

http://www.garykessler.net/library/fsc_stego.html

Posted by iang at 06:46 PM | Comments (1) | TrackBack

August 15, 2004

SHA0 is cracked

According to the below post, SHA-0 has been cracked. The researchers crunched their way through lots of data and lots of cycles and finally found some text that hashes to the same value. And people at Crypto 2004 in Santa Barbara are reporting the fall of many older message digests such as MD5 as well.

A brief explanation: SHA-0 is one of a big class of message digest algorithms that has a particular magical property: it gives you a big number that is one-to-one with a document. So take any document and hash it with a message digest, and you get this big number, reliably. Here's one for the dollar contract my company issues: SHA#e3b445c2a6d82df81ef46b54d386da23ce8f3775. It's big, but small enough to post or send around in email [0].

Notwithstanding last week's result, you can't find a document that also hashes to that number, so software and people can reliably say, oh, yes, that's the Systemics PSD dollar. In short, message digests make wonderful digital identifiers, and also digital signatures, and we use them bountifully in Ricardo [1].

So if SHA-0 has been cracked, it might be a big deal. Is our digital infrastructure at risk? Yes, it's a big deal, but no, there is little risk. Here's why.

In cryptographic terms, this is a big deal. When the NSA designed SHA back in the early 90s, it was designed to be strong. Then, as the standards process plodded along, the NSA came out with a correction. It seems as though a flaw had been discovered, but they didn't say what that flaw was.

So we ended up with SHA-0, the suspect one, and SHA-1, the replacement. Of course, cryptographers spent years analysing the tiny differences, and about 6 years ago it all became clear (don't ask me, ask them). And now, those flaws have been exploited by the crack and by the machines. So now we know it can be done to SHA-0.

Luckily, we all use the replacement, SHA-1, but this will also fall in time. Once again, it is lucky that there is a new generation coming online: SHA-256, SHA-512 and the like.

But as a practical matter, this is not a big issue. When we as financial cryptographers build systems based on long term persistence of hashes, we weave the hash and its document into a system. This is called entanglement, whereby the hash and the document are verified over time and usage [2]. We use the software to lay a trail, as it were, and if someone were to turn up with a bogus document but a matching hash, there would be all sorts of other trip wires to catch any simplistic usage.

Also, bear in mind that the two documents that hashed to the same value are pretty useless. It took Antoine Joux and his team 80,000 CPU hours to do it, even then. So in cryptography terms, this is a milestone in knowledge, not a risk: For practical purposes, any message digest still fits the bill, as long as it is designed into a comprehensive system that provides backup by entanglement [3].



Addendums:
Also see SHA0 crack paper. Especially, at Crypto, Wang, Feng, Lai, Yu announced a fast crack: Collisions for Hash Functions MD4, MD5, HAVAL-128 and RIPEMD. This reportedly also improves Joux, et al's result by 1000 on SHA-0, see Greg Rose's comment posted below.

Ed Felten reported a rumour that SHA-1 had already suffered the same fate, but this appeared to be unfounded: so far, nothing but suggestions that SHA-1 looks shaky.

Also, Eric Rescorla gets more technical with the risks to systems, and agrees that this is big news but not big risks.

More links:
http://www.theregister.com/2004/08/19/hash_crypto/
http://www.certainkey.com/news/?12
http://eprint.iacr.org/2004/146
http://www.md5crk.com/sha0col/
http://www.tcs.hut.fi/~mjos/md5/
http://www.freedom-to-tinker.com/archives/000662.html
http://www.iacr.org/conferences/crypto2004/rump.html

http://www.computerworld.com/securitytopics/security/story/0,,95343,00.html?SKC=security-95343



[0] And it is in SHA-1 ...
[1] To see how message digests make a fine digital signature, see The Ricardian Contract which as an aside also carries a private-key signature as well.
[2] Maniatis and Baker, Secure History Preservation through Timeline Entanglement
[3] MD5 is the old favourite, which was first attacked in Dobbertin's 1996 paper (and here) and now seems to be trashed in the Wang, Feng, Lai, Yu paper Collisions for Hash Functions MD4, MD5, HAVAL-128 and RIPEMD.


-------- Original Message --------
Subject: Joux found a collision for SHA-0 !
Date: Fri, 13 Aug 2004 15:32:29 +0200
From: Pascal Junod
Organization: EPFL - LASEC
To: cryptography@metzdowd.com

Hi !

This has appeared on a French mailing-list related to crypto. The results of
Joux improve on those of Chen and Biham which will be presented next week at
CRYPTO'04.

Enjoy !

<quote>

Thursday 12th, August 2004

We are glad to announce that we found a collision for SHA-0.

First message (2048 bits represented in hex):
a766a602 b65cffe7 73bcf258 26b322b3 d01b1a97 2684ef53 3e3b4b7f 53fe3762
24c08e47 e959b2bc 3b519880 b9286568 247d110f 70f5c5e2 b4590ca3 f55f52fe
effd4c8f e68de835 329e603c c51e7f02 545410d1 671d108d f5a4000d cf20a439
4949d72c d14fbb03 45cf3a29 5dcda89f 998f8755 2c9a58b1 bdc38483 5e477185
f96e68be bb0025d2 d2b69edf 21724198 f688b41d eb9b4913 fbe696b5 457ab399
21e1d759 1f89de84 57e8613c 6c9e3b24 2879d4d8 783b2d9c a9935ea5 26a729c0
6edfc501 37e69330 be976012 cc5dfe1c 14c4c68b d1db3ecb 24438a59 a09b5db4
35563e0d 8bdf572f 77b53065 cef31f32 dc9dbaa0 4146261e 9994bd5c d0758e3d

Second message:
a766a602 b65cffe7 73bcf258 26b322b1 d01b1ad7 2684ef51 be3b4b7f d3fe3762
a4c08e45 e959b2fc 3b519880 39286528 a47d110d 70f5c5e0 34590ce3 755f52fc
6ffd4c8d 668de875 329e603e 451e7f02 d45410d1 e71d108d f5a4000d cf20a439
4949d72c d14fbb01 45cf3a69 5dcda89d 198f8755 ac9a58b1 3dc38481 5e4771c5
796e68fe bb0025d0 52b69edd a17241d8 7688b41f 6b9b4911 7be696f5 c57ab399
a1e1d719 9f89de86 57e8613c ec9e3b26 a879d498 783b2d9e 29935ea7 a6a72980
6edfc503 37e69330 3e976010 4c5dfe5c 14c4c689 51db3ecb a4438a59 209b5db4
35563e0d 8bdf572f 77b53065 cef31f30 dc9dbae0 4146261c 1994bd5c 50758e3d

Common hash value (can be found using for example "openssl sha file.bin"
after creating a binary file containing any of the messages)
c9f160777d4086fe8095fba58b7e20c228a4006b

This was done by using a generalization of the attack presented at Crypto'98
by Chabaud and Joux. This generalization takes advantage of the iterative
structure of SHA-0. We also used the "neutral bit" technique of Biham and
Chen (To be presented at Crypto'2004).

The computation was performed on TERA NOVA (a 256 Intel-Itanium2 system
developed by BULL SA, installed in the CEA DAM open laboratory
TERA TECH). It required approximately 80 000 CPU hours.
The complexity of the attack was about 2^51.

We would like to thank CEA DAM, CAPS Entreprise and BULL SA for
their strong support to break this challenge.

Antoine Joux(*) (DCSSI Crypto Lab)
Patrick Carribault (Bull SA)
Christophe Lemuet, William Jalby
(Université de Versailles/Saint-Quentin en Yvelines)

(*) The theoretical cryptanalysis was developed by this author.
The three other authors ported and optimized the attack on the TERA NOVA
supercomputer, using CAPS Entreprise tools.

$ diff fic1.bin fic2.bin
Binary files fic1.bin and fic2.bin differ

$ openssl sha fic1.bin
SHA(fic1.bin)= c9f160777d4086fe8095fba58b7e20c228a4006b

$ openssl sha fic2.bin
SHA(fic2.bin)= c9f160777d4086fe8095fba58b7e20c228a4006b

</quote>

--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
* Pascal Junod http://crypto.junod.info *
* Security and Cryptography Laboratory (LASEC) *
* Swiss Federal Institute of Technology (EPFL), CH-1015 Lausanne *
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Posted by iang at 11:04 AM | Comments (4) | TrackBack
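
The terminal session in the quoted announcement can be re-checked without the original files. The following is an added example, not part of the announcement or of this blog: it rebuilds both files from the hexdump listings and hashes them with a small SHA-0 routine, then compares against SHA-1 from Python's hashlib. It assumes the dump was taken on a little-endian host and that `openssl sha` in that session computed SHA-0; the function names are this example's own.

```python
import hashlib
import struct

# The two listings from the announcement, copied verbatim from the page.
FIC1_DUMP = """
0000000 66a7 02a6 5cb6 e7ff bc73 58f2 b326 b322
0000010 1bd0 971a 8426 53ef 3b3e 7f4b fe53 6237
0000020 c024 478e 59e9 bcb2 513b 8098 28b9 6865
0000030 7d24 0f11 f570 e2c5 59b4 a30c 5ff5 fe52
0000040 fdef 8f4c 8de6 35e8 9e32 3c60 1ec5 027f
0000050 5454 d110 1d67 8d10 a4f5 0d00 20cf 39a4
0000060 4949 2cd7 4fd1 03bb cf45 293a cd5d 9fa8
0000070 8f99 5587 9a2c b158 c3bd 8384 475e 8571
0000080 6ef9 be68 00bb d225 b6d2 df9e 7221 9841
0000090 88f6 1db4 9beb 1349 e6fb b596 7a45 99b3
00000a0 e121 59d7 891f 84de e857 3c61 9e6c 243b
00000b0 7928 d8d4 3b78 9c2d 93a9 a55e a726 c029
00000c0 df6e 01c5 e637 3093 97be 1260 5dcc 1cfe
00000d0 c414 8bc6 dbd1 cb3e 4324 598a 9ba0 b45d
00000e0 5635 0d3e df8b 2f57 b577 6530 f3ce 321f
00000f0 9ddc a0ba 4641 1e26 9499 5cbd 75d0 3d8e
"""
FIC2_DUMP = """
0000000 66a7 02a6 5cb6 e7ff bc73 58f2 b326 b122
0000010 1bd0 d71a 8426 51ef 3bbe 7f4b fed3 6237
0000020 c0a4 458e 59e9 fcb2 513b 8098 2839 2865
0000030 7da4 0d11 f570 e0c5 5934 e30c 5f75 fc52
0000040 fd6f 8d4c 8d66 75e8 9e32 3e60 1e45 027f
0000050 54d4 d110 1de7 8d10 a4f5 0d00 20cf 39a4
0000060 4949 2cd7 4fd1 01bb cf45 693a cd5d 9da8
0000070 8f19 5587 9aac b158 c33d 8184 475e c571
0000080 6e79 fe68 00bb d025 b652 dd9e 72a1 d841
0000090 8876 1fb4 9b6b 1149 e67b f596 7ac5 99b3
00000a0 e1a1 19d7 899f 86de e857 3c61 9eec 263b
00000b0 79a8 98d4 3b78 9e2d 9329 a75e a7a6 8029
00000c0 df6e 03c5 e637 3093 973e 1060 5d4c 5cfe
00000d0 c414 89c6 db51 cb3e 43a4 598a 9b20 b45d
00000e0 5635 0d3e df8b 2f57 b577 6530 f3ce 301f
00000f0 9ddc e0ba 4641 1c26 9419 5cbd 7550 3d8e
"""

def parse_hexdump(dump):
    """Rebuild the file from default `hexdump` output. Each group is a 16-bit
    word in host order; a little-endian host is assumed (an assumption of this
    example), so "66a7" stands for the bytes a7 66."""
    data = bytearray()
    for line in dump.strip().splitlines():
        for word in line.split()[1:]:  # field 0 is the offset column
            data += bytes.fromhex(word)[::-1]
    return bytes(data)

def rol(x, n):
    """Rotate a 32-bit value left by n bits."""
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF

def sha0(msg, sha1_rotate=False):
    """SHA-0. With sha1_rotate=True the message schedule gains the one-bit
    rotation that is the only difference between SHA-0 and SHA-1."""
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0]
    pad = b"\x80" + b"\x00" * ((55 - len(msg)) % 64)
    msg = msg + pad + struct.pack(">Q", 8 * len(msg))
    for off in range(0, len(msg), 64):
        w = list(struct.unpack(">16I", msg[off:off + 64]))
        for t in range(16, 80):
            x = w[t - 3] ^ w[t - 8] ^ w[t - 14] ^ w[t - 16]
            w.append(rol(x, 1) if sha1_rotate else x)
        a, b, c, d, e = h
        for t in range(80):
            if t < 20:
                f, k = (b & c) | (~b & d), 0x5A827999
            elif t < 40:
                f, k = b ^ c ^ d, 0x6ED9EBA1
            elif t < 60:
                f, k = (b & c) | (b & d) | (c & d), 0x8F1BBCDC
            else:
                f, k = b ^ c ^ d, 0xCA62C1D6
            tmp = (rol(a, 5) + f + e + k + w[t]) & 0xFFFFFFFF
            a, b, c, d, e = tmp, a, rol(b, 30), c, d
        h = [(x + y) & 0xFFFFFFFF for x, y in zip(h, (a, b, c, d, e))]
    return struct.pack(">5I", *h).hex()

def check_collision():
    """Return (files_differ, SHA-0 digests, SHA-1 digests) for the two dumps."""
    m1, m2 = parse_hexdump(FIC1_DUMP), parse_hexdump(FIC2_DUMP)
    return (m1 != m2,
            (sha0(m1), sha0(m2)),
            (hashlib.sha1(m1).hexdigest(), hashlib.sha1(m2).hexdigest()))

if __name__ == "__main__":
    differ, s0, s1 = check_collision()
    print("files differ:", differ)
    print("SHA-0:", *s0)
    print("SHA-1:", *s1)
```

The same pair does not collide under SHA-1, which is why a digest comparison is only as strong as the hash function behind it.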

August 13, 2004

How much to crack a PIN code entry device?

All forms of security are about cost/benefit and risk analysis. But people have trouble with the notion that something is only secure up to a certain point [1]. So suppliers often pretend that their product is totally secure, which leads to interesting schisms between the security department and the marketing department.

Secrecy is one essential tool in covering up the yawning gulf between the public's need to believe in absolute security, and the supplier's need to deliver a real product. Quite often, anything to do with security is kept secret. This is claimed to deliver more protection, but that protection, known as "security by obscurity," can lead to a false sense of security.

In my experience, another effect often occurs: Institutional cognitive dissonance surrounding the myth of absolute security leads to security paralysis. Not only is the system secure, by fiat, but any attempt to point out the flaws is treated somewhere between an affront and a crime. Then, when the break occurs, regardless of the many unheeded warnings, widespread shock spreads rapidly as beliefs are shattered.

Anyway, getting to the point: banks and other FIs rarely reveal how much security is built in, using real numbers. Below, the article reveals a dollar number for an attack on a PIN Entry Device (PED). For those in a hurry, skip down to the emboldened sections, halfway down.

[1] addendum: This article, Getting Naked for Big Brother, amply makes this point.



Original URL: http://www.theregister.co.uk/2004/07/21/atm_keypad_security/
The ATM keypad as security portcullis
By Kevin Poulsen, SecurityFocus (klp at securityfocus.com)
Published Wednesday 21st July 2004 09:38 GMT

Behold the modern automated teller machine, a tiny mechanical fortress in a world of soft targets. But even with all those video cameras, audit trails, and steel reinforced cash vaults, wily thieves armed with social engineering techniques and street technology are still making bank. Now the financial industry is working to close one more chink in the ATM's armor: the humble PIN pad.

Last year Visa International formally launched a 50-point security certification process for "PIN entry devices" (PEDs) on ATMs that accept Visa. The review is exhaustive: an independent laboratory opens up the PED and probes its innards; it examines the manufacturing process that produced the device; and it attacks the PED as an adversary might, monitoring it, for example, to ensure that no one can identify which buttons are being pressed by sound or electromagnetic emission. "If we are testing a product that is essentially compliant, we typically figure it's about a four week process," says Ken Kolstad, director of operations at California-based InfoGard, one of three certification labs approved by Visa International worldwide.

If that seems like a lot of trouble over a numeric keypad, you haven't cracked open an ATM lately. The modern PED is a physically and logically self contained tamper-resistant unit that encrypts a PIN within milliseconds of its entry, and within centimeters of the customer's fingertips. The plaintext PIN never leaves the unit, never travels over the bank network, isn't even available to the ATM's processor: malicious code running on a fully compromised Windows-based ATM machine might be able to access the cash dispenser and spit out twenties, but in theory it couldn't obtain a customer's unencrypted ATM code.

The credit card companies have played a large role in advancing the state of this obscure art. In addition to Visa's certification program, MasterCard has set a 1 April, 2005 deadline for ATMs that accept its card to switch their PIN encryption from DES to the more secure Triple DES algorithm (some large networks negotiated a more lenient deadline of December 2005). But despite these efforts, the financial sector continues to suffer massive losses to increasingly sophisticated ATM fraud artists, who take home some $50m a year in the U.S. alone, according to estimates by the Electronic Funds Transfer Association (EFTA). To make these mega withdrawals, swindlers have developed a variety of methods for cloning or stealing victims' ATM and credit cards.

Some techniques are low-tech. In one scam that Visa says is on the rise, a thief inserts a specially-constructed sleeve in an ATM's card reader that physically captures the customer's card. The con artist then lingers near the machine and watches as the frustrated cardholder tries to get his card back by entering his PIN. When the customer walks away, the crook removes the sleeve with the card in it, and makes a withdrawal.

At the more sophisticated end, police in Hong Kong and Brazil have found ATMs affixed with a hidden magstripe reader attached to the mouth of the machine's real reader, expertly designed to look like part of the machine. The rogue reader skims each customer's card as it slides in. To get the PIN for the card, swindlers have used a wireless pinhole camera hidden in a pamphlet holder and trained on the PED, or attached fake PIN pads affixed over the real thing that store the keystrokes without interfering with the ATM's normal operation. "They'll create a phony card later and use that PIN," says Kurt Helwig, executive director of the EFTA. "They're getting pretty sophisticated on the hardware side, which is where the problem has been."

Solenoid fingers

Visa's certification requirements try to address that hardware assisted fraud. Under the company's standards, each PED must provide "a means to deter the visual observation of PIN values as they are being entered by the cardholder". And the devices must be sufficiently resistant to physical penetration so that opening one up and bugging it would either cause obvious external damage, cost a thief at least $25,000, or require that the crook take the PIN pad home with him for at least 10 hours to carry out the modification.

"There are some mechanisms in place that help protect against some of these attacks... but there's no absolute security," says InfoGard's Kolstad. "We're doing the best we can to protect against it."

That balancing approach - accounting for the costs of cracking security, instead of aspiring to be unbreakable - runs the length and breadth of Visa's PED security standards. Under one requirement, any electronics utilizing the encryption key must be confined to a single integrated circuit with a geometry of one micron or less, or be encased in Stycast epoxy. Another requirement posits an attacker with a stolen PED, a cloned ATM card, and knowledge of the cyphertext PIN for that card. To be compliant, the PED must contain some mechanism to prevent this notional villain from brute forcing the PIN with an array of computer-controlled solenoid fingers programmed to try all possible codes while monitoring the output of the PED for the known cyphertext.

"In fact, these things are quite reasonable," says Hansup Kwon, CEO of Tranax Technologies, an ATM company that submitted three PEDs for approval to InfoGard. Before its PIN pads could be certified, Tranax had to change the design of the keycaps to eliminate nooks and crannies in which someone might hide a device capable of intercepting a cardholder's keystrokes. "We had to make the keypad completely visible from the outside, so if somebody attacks in between, it's complete visible," says Kwon.

Where Visa went wrong, Kwon says, is in setting an unrealistic timetable for certification. When Visa launched the independent testing program last November, it set a 1 July deadline: any ATMs rolling into service after that date would have to have laboratory certified PIN pads, or they simply couldn't accept Visa cards.

That put equipment makers in a tight spot, says Kwon. "It's almost a six months long process... If you make any design modification, it takes a minimum of three months or more to implement these changes," he says. "So there was not enough time to implement these things to meet the Visa deadline."

Visa International's official position is that they gave manufacturers plenty of time - 1 July saw 31 manufacturers with 105 PIN pads listed on the company's webpage of approved PEDs. But in late June, with the deadline less than a week away, Visa suddenly dropped the certification deadline altogether. "I think what we realized was that it was important to work with the other industry players," says spokesperson Sabine Middlemass.

Visa says it's now working with rival MasterCard to develop an industry wide standard before setting a new deadline for mandatory compliance. In the meantime, the company is encouraging vendors to submit their PIN pads for certification under the old requirements anyway, voluntarily, for the sake of security.

Copyright © 2004, SecurityFocus (http://www.securityfocus.com/)

Posted by iang at 06:20 AM | Comments (1) | TrackBack

August 12, 2004

crypto wars - NSA the victor

Here's a long but worthwhile article full of clues as to how the NSA benefitted in the aftermath of the crypto wars of the 1990s [1]. In brief, there has been little impact on their operations, and massive net mining flags the few encrypted packets out there for further traffic analysis. On the whole, good stuff, for them.

It's pretty obvious that the NSA won the crypto wars, even if the net won some of the battles. Open source warriors managed to force the hugely uncrackable 128 bits and 1024 bits into open international distribution, but simply failed to deploy it in any significant numbers [2]. In some senses, we won the right to fight, and then went home feeling mighty chuffed with ourselves.

Director of NSA shifts to new path
Hayden makes changes to keep up with technology; 'He's had to move the culture'

By Scott Shane, Baltimore Sun National Staff, August 8, 2004

Last year, long before CIA Director George J. Tenet resigned in advance of a series of damning reports on intelligence failures before the Sept. 11, 2001, attacks, the chief of an even larger spy agency was quietly asked to extend his term.

Lt. Gen. Michael V. Hayden, director of the National Security Agency, was asked by Tenet and Defense Secretary Donald H. Rumsfeld to stay on as director until at least September 2005. The 6 1/2 -year term will make the three-star Air Force general by far the longest-serving NSA boss in the agency's 52-year history.

Hayden's survival amid the harsh assessment of pre-Sept. 11 intelligence may reflect his ability to turn around the gargantuan eavesdropping agency in an era of shifting technology and threats.

Even as stateless terrorists have replaced Soviet missile bases as the agency's prime target, so the boom in cell phones, the Internet and the spread of fiber-optic cable and computerized encryption have forced it to reinvent eavesdropping technology.

"The whole ballgame of where and how you collect signals intelligence changed," says Charles G. Boyd, a retired Air Force general who was executive director of the Hart-Rudman Commission on national security in the late 1990s and now heads Business Executives for National Security.

"And that's where [Hayden] has moved this institution. To do that, he's not only changed technologies and processes. He's had to move the culture itself, and that's very difficult to do."

Boyd knows Hayden well from their Air Force service and has followed his work at NSA closely. "As a manager of change and a manager of intelligence overall, I think Mike Hayden is the best we have," he says.

Agency changes

Matthew M. Aid, a respected intelligence historian in Washington who is writing a book on the NSA, says the changes under Hayden appear to be producing results.

"The al-Qaida operatives who are being tracked down and caught - that's largely the result of signals intelligence," which is spy lingo for the intercept of phone calls, e-mail and other messages that is NSA's turf, Aid says. "NSA is flush with cash. It's hiring thousands of new people. It's clearly an agency that's going places."

Some NSA veterans complain that Hayden "brought in corporate types who gave him Harvard Business School models" that "don't work for an intelligence agency," Aid says.

But the people at the CIA, the White House, the State Department and the Pentagon who receive NSA's reports see a difference, he says: NSA "has a lot more respect from intelligence consumers than it had when Hayden arrived in 1999."

The changes at NSA have been wrenching, with large numbers of veterans taking early retirement and contractors brought in to handle much of the agency's retooling. More than 22 percent of the agency's civilian work force has been hired since 2000, with more than 1,300 new employees expected to come on board this year, agency officials say.

Aid estimates that 25,000 civilian and military employees work on NSA's sprawling Fort Meade campus off the Baltimore-Washington Parkway, although the exact number is classified. At least an additional 10,000 eavesdroppers are scattered elsewhere in the United States and around the world, he says.

Many agency old-timers aren't happy, says retiree Mike Levin, who worked at the agency from 1947 to 1993. "I have a very negative view of General Hayden. Before he had a chance to know what was going on, he announced he was going to clean the place out," Levin says.

But others say the NSA was in need of radical surgery well before the Sept. 11 attacks.

"NSA was set up to monitor an enormous country, the Soviet Union, that didn't go anywhere," says James Bamford, author of two books on the agency. "It was never set up to follow individual terrorists around the world using phone cards, disposable cell phones and e-mail."

Of Hayden, Bamford says, "I think he's done about as good a job as anyone could do given the limitations."

In fact, the author says, the cerebral 59-year-old intelligence veteran, a Bulgarian linguist early in his career, might emerge as a candidate for the post of national intelligence director proposed by the Sept. 11 commission.

Keeping up

When Hayden arrived in March 1999, the agency was by all accounts hurting. Its budget had been cut by about a third since the height of the Cold War, but it had to devise new intercept systems to keep up with what Hayden calls "the greatest revolution in communications since Gutenberg discovered movable type."

The shift of international communications traffic from satellites and microwave links to hard-to-tap fiber-optic cables posed a major challenge. Encryption described by NSA officials as impossible to break was spreading. National magazine stories on the secret agency began to ask: Is the NSA going deaf?

Then, in January 2000, a huge computer crash took the agency offline for days, dramatizing the need for an updated infrastructure.

Russian linguists were in oversupply, while there was an extreme shortage of speakers of Arabic and other languages more relevant to terrorism. Older employees who had mastered radio and microwave intercepts were not so adept at monitoring cellular networks and the Internet.

After Sept. 11, 2001 - when most of NSA was evacuated for fear it might be the hijackers' next target - it became obvious that the agency would be permitted to expand. But Hayden decided to go forward the next month with a final early-retirement program, watching 765 employees leave even as the agency geared up to hire.

"It was not because anyone was dumb, incompetent, lazy or calcified or anything else," Hayden said in an interview last week in his whisper-quiet office at the top of one of NSA's massive glass towers at Fort Meade. "It was just a work force that historically did not change over very much. ... So if we were going to get new skills, we were going to have to get new people."

The old Soviet target, Hayden said, was "exceptionally slow-moving, oligarchic and technologically inferior," and what NSA was then interested in was "big things. You wanted to know where their nuclear missile submarines were. You wanted to know about Soviet forces in Germany - were they in garrison or in the field? You wanted to know if there were bombers at Arctic staging bases."

By contrast, he said, "in the current war, you're looking for infinitely more granular information. You want to know where this human being is. And it's not good enough to say he's in Afghanistan. In terms of our current ops [operations] tempo, it's not even good enough to know what city. You have to know what building he's in."

Rather than the special communications systems used by foreign militaries, "al-Qaida rides on the global [commercial] communications structure." To listen in, "you're putting yourself into their communication pattern. If your pattern doesn't match their pattern ... you don't hear."

Technology revolution

Given the dire assessments a few years ago, it is notable that Hayden says the communications revolution has on the whole been a plus, not a minus, for the NSA.

The NSA director declines to elaborate. But interviews with outside experts suggest that the agency has managed to overcome the challenges posed by fiber-optic cable and encryption.

"My opinion is that at this point, those are little more than a speed bump to NSA," says Steve Uhrig, president of SWS Security, a Harford County firm that builds eavesdropping and counter-eavesdropping systems for U.S. and foreign police agencies. "They have a virtually unlimited budget, and they can put amazing resources to work on a problem."

Several sources who regularly speak with NSA officials say they believe Uhrig is right. Although they do not know the details, they say the agency has almost certainly managed to tap fiber cables on a large-scale basis, making access to the information inside less of a problem than its overwhelming volume.

The NSA has also found a silver lining to the use of encrypted e-mail: Even if a particular message cannot be read, the very use of encryption can flag it for NSA's attention. By tracking the relatively few Internet users in a certain country or region who take such security measures, NSA analysts might be able to sketch a picture of a terrorist network.

Information 'in motion'

And by focusing their electronic tricks on messages as they are first typed on a computer or when they are read on the other end - what security experts call "information at rest" - NSA technical experts might be able to bypass otherwise-unbreakable encryption used when the information is "in motion."

Meanwhile, the popularity of e-mail and particularly of cell phones has worked to the NSA's advantage in the battle against terrorism.

The NSA's computers can track and sort huge volumes of e-mail far more easily than they can manage telephone intercepts, because text is consistently represented in digital code.

And cell phones - as handy for terrorist plotters as for everyone else - provide not just an eavesdropping target but also a way to physically track the user.

Uhrig, who has installed cellular intercept systems in several countries, says that as cell phones have proliferated, the "cells" served by a tower or other antenna have correspondingly grown smaller. "A big hotel may have a cell for every other floor. Every big office building is its own cell," he says.

Easier tracking

By following a switched-on cell phone as it shifts from cell to cell, "you can watch the person move," Uhrig says. "You can tell the direction he's moving. If he's moving slow, he's walking. If he's moving fast, he's in a car. The tracking is sometimes of much more interest than the contents of a call."

But Hayden will say nothing about reports in the news media and from outside specialists that NSA telephone intercepts led to the recent series of arrests of suspected terrorists in Pakistan. Confirming the agencies' victories would only warn future targets to take precautions against eavesdropping.

The most devastating such loss in recent years came in 1998, when al-Qaida leader Osama bin Laden stopped using the satellite phone the NSA had used for years to track him and his plans.

Whether he was tipped off by press reports - as the Sept. 11 commission has claimed - or by the United States' cruise missile attack on his camp in Afghanistan remains unclear.

"This is the most fragile of all intelligence disciplines," Hayden said. "We would not want many of our successes broadcast."

Copyright © 2004, The Baltimore Sun

[1] Original article over on Cryptome.org
[2] "How effective is open source crypto?"

Posted by iang at 05:25 AM | Comments (1) | TrackBack

August 11, 2004

Cellphones on aircraft

Ever since the BA crash in the early 90s, when an engine failed on takeoff, and the pilots shut down the wrong one from instrument confusion, mobile phones have been banned on British aircraft, and other countries more or less followed suit. Cell phones (mobiles, as they are called in many countries) were blamed initially, and as some say, it's guilty until proven innocent in air safety.

Now there is talk of allowing them again [1] [2]. They should never have been banned in the first place. Here's why.

(As a security engineer, it's often instructive to reverse-engineer the security decisions of other people's systems. Security is like economics: we don't get to try out our hypotheses except in real life. So we have to practice where we can. Here is a security-based analysis on whether it's safe to fly and dial.)

In security, we need a valid threat. Imagined threats are a waste of time and money. Once we identify and validate the threat (normally, by the damage it does) we create a regime to protect against it. Then, we conduct some sort of test to show that the protection works. Otherwise, we are again wasting our time and money. We would be negligent, as it were, because we are wasting the client's money, and potentially worse if we get it wrong.

Now consider pocket phones. It's pretty easy to see they are an imagined threat - there is no validated case [3]. But skip that part and consider the protection - banning mobile phones.

Does it work? Hell no. If you have a 747 full of people, what is the statistical likelihood of people leaving their phone on accidentally? Quite significant, really. Enough that there is going to be a continual, ever present threat of transmissions. Inescapably, mobile phones are on when the plane takes off and lands - through sheer accidental activity.

In real safety systems, asking people not to do it is stupid. If it has to be stopped, it has to be stopped proactively. Which means one of three things:

  • the planes have to be made invulnerable to the phones, or
  • the plane operators have to install minicells to detect phones and alert aircrew to the danger, or
  • the planes are not vulnerable to cellular phones in the first place.

If planes are vulnerable, then the operators have to respond. As they haven't responded, we can easily conclude that the planes are not vulnerable. If it turns out that they are vulnerable, then instead of the warnings being justified as some might have it, we have a different situation:

The operators would be negligent. Grossly and criminally, probably, as if a plane were to go down through cell phone interference, saying "but we said 'turn it off'" simply doesn't cut the mustard.

So, presumably, planes are not vulnerable to cell phones.

PS: so why did operators ban phones? Two reasons that I know of. In the US, there were complaints that the fast moving phones were confusing the cells. Also, the imminent roll-out of in-flight phones in many airlines was known to be a dead duck if passengers could use their cellphones...

[1] To talk or not to talk, Rob Bamforth
http://www.theregister.co.uk/2004/08/09/in_flight_comms/
[2] Miracles and Wonders By Alan Cabal
http://www.nypress.com/17/30/news&columns/AlanCabal.cfm
[3] This extraordinarily flawed security analysis leaves one gaping... but it does show that if a cellphone is blasting away 30cm from flight deck equipment, there might be a problem.
http://www.caa.co.uk/docs/33/FOD200317web.pdf

Posted by iang at 05:05 AM | Comments (1) | TrackBack

August 10, 2004

Kerckhoffs' 6 principles from 1883

Auguste Kerckhoffs, a Dutch cryptographer who taught in France in the latter part of the 19th century, wrote an influential article that expounded basic principles of a communications security system [1]. Kerckhoffs' 6 basic principles are:

  1. The system must be practically, if not mathematically, indecipherable;
  2. It must not be required to be secret, and it must be able to fall into the hands of the enemy without inconvenience;
  3. Its key must be communicable and retainable without the help of written notes, and changeable or modifiable at the will of the correspondents;
  4. It must be compatible with the means of communication;
  5. It must be portable, and its usage and function must not require the concourse of several people;
  6. Finally, it is necessary, given the circumstances that command its application, that the system be easy to use, requiring neither mental strain nor the knowledge of a long series of rules to observe.

This list was derived from the translation from the original French [2], also one on Wikipedia [3], and slightly updated for modern times (point 4).

Principle 2 is often referred to as Kerckhoffs' law, and also known as Shannon's maxim: "the enemy knows the system [4]." I guess cryptographers think that makes it more important, but I can't see it myself; there are plenty of systems around that fail on the other principles, and plenty of systems around that deliver security through obscurity.

Like any set of principles, knowing them is a given. It's knowing when to break them that distinguishes [5].

[1] Auguste Kerckhoffs, "La cryptographie militaire ('Military Cryptography')," Journal des sciences militaires, vol. IX, pp. 5-38, Jan. 1883, pp. 161-191, Feb. 1883.
[2] fabien a. p. petitcolas's site includes the original French article as well.
http://www.petitcolas.net/fabien/kerckhoffs/index.html#english
[3] http://en.wikipedia.org/wiki/Auguste_Kerckhoffs
[4] http://en.wikipedia.org/wiki/Kerckhoffs'_law
[5] See for example Leo Marks' use of written keys on silk as described in "Between Silk and Cyanide". Steve Bellovin summarised this on 9th September 2004, which might be in the cryptography archives by tomorrow.

Posted by iang at 05:21 AM | Comments (4) | TrackBack

August 09, 2004

DoCoMo releases first 3G mobile wallet phone

Japan's NTT DoCoMo (writes "Mobile Pipeline News") will release Saturday (Aug. 7) what it calls the first 3G phone that is capable of serving as a "mobile wallet" for making purchases and for conducting ATM withdrawals and credit card transactions [1].

The company said its F900iC uses a smart card to work with its FeliCa mobile wallet service. That service enables users to use the phone's near-field wireless technology to make credit card purchases and conduct other transactions.

For security, the smart card functions can be locked using either a password or fingerprint sensor, the company said in a statement. In addition, the smart card function can be locked remotely using other phones.

The phone also sports a built-in 1.28 megapixel camera and a 2.4-inch high-resolution color LCD. It also has a built-in miniSD memory card slot.

The device works with DoCoMo's 3G service, although the electronic wallet also requires a subscription to the company's consumer i-mode service.

[1] Warning - the URL for the article generates some form of popup:
URL: http://www.commsdesign.com/showArticle.jhtml?articleID=26806340
[2] Here is a better article:
Japanese get first mobile wallets

Posted by iang at 06:35 PM | Comments (1) | TrackBack

FCC votes to tap Internet calls

In the US, the FCC has voted to enforce CALEA - wiretap rules - on VoIP operators [1] [2]. These businesses (like Vonage) provide Internet calls to their switches and then onto the public network. They are fantastically successful, because they deliver good service for cheap, something so implausible for the fixed wire competitors (like Sprint, AT&T and the baby bells) that it must be against FCC rules.

VoIP (voice over IP) operators are of course ideally placed to listen to the calls, something that is currently only done under subpoena. CALEA will force them to provide high performance infrastructure to enable massive monitoring.

This could presage a new phase in crypto deployment. Obviously, direct PC to PC comms cannot be covered by such rules, and equally obviously, people will prefer to talk privately. Products like Skype and the rough predecessors PGPPhone and SpeakFreely will get a boost.

IMHO, the FCC will do more damage to the eavesdroppers' objectives than they realise. The FCC has been one of the agencies at the forefront of letting the Internet develop without overbearing regulation, knowing that they can't help, but they can certainly hinder. Perhaps they do realise?

[1] Wiretap law would apply to broadband
[2] FCC approves taps on broadband and VoIP

Posted by iang at 04:09 AM | Comments (1) | TrackBack

August 04, 2004

When is a phish not a phish?

When it's a class action payout! Yep, PayPal got into a mess when it had to mail out notifications to many users announcing a class action payout and encouraging them to ... you guessed it, click on the link and register their details.

http://www.internetnews.com/bus-news/article.php/3390191

August 3, 2004
Mass Action on PayPal Settlement Site
By Susan Kuchinskas

An awful lot of people want a piece of PayPal. They overwhelmed a site offering a minimum of $50 to anyone with an account, the result of a class action suit.

The site went live in late July, after the United States District Court for the Northern District of California in San Jose approved a $9.25 million settlement in a class action suit alleging that the online payment platform owned by eBay unreasonably restricted, froze or closed customer accounts.

Under the terms of the settlement, anyone who had a PayPal account from October 1, 1999 to January 31, 2004 can receive up to $50 by filing a short form; those who went through PayPal's dispute resolution process or want to claim a higher damage award fill out a longer form and receive a portion of the $5.92 million left after the attorneys are paid.

Although claims must be submitted online, the site at times was unavailable or extremely slow, and some e-mails requesting information bounced.

A notice on the index page reads, "The website is experiencing delays and other problems due to an extremely high volume of traffic." Noting that the deadline for submitting claims isn't until October 23, it advises people to check back in a week or so.

Aside from the sheer volume of hits on the site, there were other glitches: The online form refuses to accept e-mail addresses that contain hyphens or multiple periods, and some people were unable to print the required certification form, which must be mailed.

"The PayPal settlement site is being hosted by a company hired by the plaintiffs' side of the agreement," said a PayPal spokesperson. "They are aware of the issues with this site and have been working to get them fixed. We've done everything on our end to assist with that, but ultimately it's their site."

While some claimants had difficulty using the site, others worried about whether they should even click on the link in the PayPal e-mail. Internet users are right to be wary of e-mails purporting to be from PayPal. It's been one of the top victims of phishing schemes.

Phishers try to lure the unsuspecting to phony sites that mimic those of reputable companies. Once there, they're asked to input credit card, Social Security and bank account numbers that the fraudsters then exploit.

Most e-mail users receive a relentless barrage of fake PayPal requests to "Update your account immediately!" So, when present and former PayPal account holders received notice last Friday that the company was ready to pay up, it might have seemed a little dodgy.

The link in the e-mail read "paypal.com," but it redirected surfers to the somewhat spam-sounding settlement4onlinepayments.com. That site is hosted by a company with the suspiciously generic-sounding moniker "The Garden City Group."

It's for real, said A.J. De Bartolomeo, one of the lead attorneys in the suit. "This Web site is the official and only official Web site," she said.

De Bartolomeo, a principal in the San Francisco law firm of Girard Gibbs & De Bartolomeo, said all elements of the settlement site and notification e-mails were carefully considered in light of the phishing problem.

Regarding the settlement site's URL, "We realized that using PayPal in the actual Web address might make people think it was a scam," she said. "So we tried to do something that was descriptive. It's an online payment service, and this is the settlement for it."

On the other hand, PayPal sent out the notification e-mails, rather than a third party, she said, because "an e-mail notice from a third party would look a lot like a spoof." Including a link to PayPal's site, which redirected surfers to the Garden City site, she added, "seemed the best way to have the highest legitimacy possible for people who are, for a lot of reasons, suspicious. No notice program is ever perfect," she said.

According to the June Phishing Attack Trends Report from the Anti-Phishing Working Group, Tumbleweed Communications and Websense, in that month there were 1,422 new, unique phishing attacks, a 19 percent increase over the 1,197 attacks reported in May.

Girard Gibbs & De Bartolomeo has several other class action suits against technology companies in the works. It recently filed a class action against Apple Computer on behalf of iPod owners whose batteries have died or lost their ability to hold a charge.

De Bartolomeo said that so far, response to the PayPal settlement has been about what she expected. A judgment won by the firm against MCI for overcharging, in which claims could be filed via paper, the Internet or the telephone, garnered an 8 percent claim rate, while a recent settlement with Hyundai Motor Co. for overstating the horsepower of vehicles drew a whopping 23 percent of eligible claimants. De Bartolomeo said it's too early to tell whether the ability to file claims online combined with widespread consumer Internet use might up the average claim rate.

The PayPal settlement will be a good test.

Posted by iang at 01:11 PM | Comments (0) | TrackBack
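An added example, not part of the article or the original post: a mail-side audit that compares the name a link shows with the site its href points to and with the site the reader finally lands on. The sample e-mail, the `/settlement` path and the redirect table are constructed from the article's description, and `site()` is a simplification that keeps only the last two DNS labels.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: the link reads "paypal.com", points at PayPal, and PayPal
# redirects to the settlement site. The /settlement path is a placeholder.
SAMPLE_HTML = '<p>File your claim at <a href="https://www.paypal.com/settlement">paypal.com</a></p>'
# Stands in for following HTTP 3xx responses, so the example runs offline.
SAMPLE_REDIRECTS = {"https://www.paypal.com/settlement": "http://www.settlement4onlinepayments.com/"}

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def site(url_or_host):
    """Last two DNS labels, lower-cased. Simplification: no public suffix list."""
    host = urlsplit(url_or_host if "//" in url_or_host else "//" + url_or_host).hostname or ""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def landing(url, redirects, max_hops=5):
    """Follow the redirect table to the final URL, bounded to avoid loops."""
    for _ in range(max_hops):
        if url not in redirects:
            break
        url = redirects[url]
    return url

def audit_links(html, redirects):
    """Per link: does the shown name match the href site, and the landing site?"""
    collector = LinkCollector()
    collector.feed(html)
    report = []
    for href, text in collector.links:
        final = landing(href, redirects)
        report.append({"shown": site(text), "href": site(href), "lands_on": site(final),
                       "text_matches_href": site(text) == site(href),
                       "text_matches_landing": site(text) == site(final)})
    return report
```

On the constructed notice the text-versus-href check passes, yet the landing site differs from the name shown, which is the same observation a recipient makes after clicking a spoofed link.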

Professional email snooping

The Register article below, "America - a nation of corporate email snoops", reports on the trend in email snooping by US corporates. I'll spare you the trouble of reading it: 44% of large companies pay someone to monitor email, and 38% regularly audit the content.

In the search for the eavesdropper, it was always clear that this was a real threat. A small one, but a real one. Unfortunately, the entire crypto industry got distracted by protecting against another threat, the MITM, which was too difficult and obscure to be real. Consequently, the net community fielded systems that didn't really work because of their grossly costly rollouts, and eavesdropping wasn't covered in any real sense (1% of servers use SSL, and 2% of email is encrypted, after a decade of trying).

Since the dawn of Internet crypto time, we've now gone from eavesdropping as a small threat to a potentially large threat. What is really worrying is not so much the corporate eavesdropping, but that we are on the verge of seeing massive ISP-based eavesdropping. All to be reported with a shrug and smile. All because Internet security experts are convinced that the MITM is a threat.



America - a nation of corporate email snoops

By John Leyden
Published Tuesday 27th July 2004 17:16 GMT

Forget Big Brother, US conglomerates are paying low-tech snoopers to read workers' emails.

According to research from Forrester Consulting, 44 per cent of large US companies (20,000 workers and above) pay someone to monitor the firm's outgoing mail, with 38 per cent regularly auditing email content. According to the study - reported without question in the mainstream press - companies' motivation was mostly due to fears that employees were leaking confidential memos.

Proof, were it needed, that your own staff are the biggest security risk. If the study is to be believed, the dystopian visions of films such as Brazil and George Orwell's 1984 are an everyday reality of today's corporate America. Yes, that's right: "privacy officers" are scouring your email looking for incriminating snippets among the flirtatious email, jokes exchanged between mates and the small amount of work-related stuff you might send during the course of the day.

Scary stuff. And we're asked to believe they are often doing this with little recourse to technology. Even scarier.

Paranoid Android

Joking aside, the 44 per cent figure on corporate snoops struck us as very high. So we got in touch with Forrester asking it to justify its conclusions. Forrester directed our enquiries towards Proofpoint, the email filtering firm which sponsored the research. Forrester Consulting, the custom research arm of Forrester Research, did the leg work for the survey but it was Proofpoint which wrote up the final report.

So how does Proofpoint explain its findings on email monitoring? It's all to do with complying with external regulations.

A wide variety of external regulations applying to email are driving the monitoring trend, according to Keith Crosley, director of corporate communications at Proofpoint. He cited US regulations such as HIPAA (which regulates the handling of personal health information) and Gramm-Leach-Bliley (which regulates the handling of private personal and financial information) as examples.

"It's because of these concerns that companies employ staff to monitor outbound email. Technology solutions for detecting confidential information or for detecting other breaches of email policy or external regulations have, to date, not been particularly effective or popular so the best recourse that companies have has been to have human beings monitor email," he said.

Proofpoint's angle here is that its anti-spam technology can be used as a way of ensuring that outbound emails comply with government regulations. "We believe that companies will, over time, turn to technology to help enforce their internal policies," said Crosley.

The (email) Conversation

If low-tech snooping is currently so widespread, could Proofpoint name a company which is paying someone specifically to check emails? We'd welcome the chance to have a chat to a modern day Harry Caul (the lead character played by Gene Hackman in 70s classic The Conversation) but sadly we're out of luck.

"We have come into contact with numerous companies that employ staff (even full time staff) to monitor or audit outbound email, but I don't have a company name that you could use," said Crosley. "Because of this 'anecdotal' information, I can say that the results of the survey didn't really surprise us. But as you might imagine, most companies are not willing to talk openly about the use of these sorts of techniques even though they are completely legal in the US."

"To people not familiar with this issue, however, the number does seem astonishing. But our findings on other points are not out of line with other recent email related research. In a somewhat similar survey conducted by the ePolicy Institute, which found that about 60 per cent of companies use some sort of technology to monitor incoming and outgoing email."

Readers can review Proofpoint's survey here. ®


Posted by iang at 06:55 AM | Comments (3) | TrackBack