Home page logo
/

funsec logo funsec mailing list archives

Re: funsec Digest, Vol 2, Issue 9
From: Fred Cohen <fred.cohen () all net>
Date: Wed, 5 Oct 2005 10:02:32 -0700

Since there is no unsubscribe link - please unsubscribe me.

FC

On Oct 5, 2005, at 10:00 AM, funsec-request () linuxbox org wrote:

Send funsec mailing list submissions to
    funsec () linuxbox org

To subscribe or unsubscribe via the World Wide Web, visit
    https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
or, via email, send a message with subject or body 'help' to
    funsec-request () linuxbox org

You can reach the person managing the list at
    funsec-owner () linuxbox org

When replying, please edit your Subject line so it is more specific
than "Re: Contents of funsec digest..."


Today's Topics:

   1. Re: Nordea Sweden shuts Internet banking due to targeted
      phishing  (Valdis.Kletnieks () vt edu)
   2. Re: Book: "Spychips" Sees an RFID Conspiracy
      (Fergie (Paul Ferguson))
   3. Re: Nordea Sweden shuts Internet banking due to targeted
      phishing (Dan Kaminsky)
   4. Re: Nordea Sweden shuts Internet banking due to targeted
      phishing  (Valdis.Kletnieks () vt edu)
   5. Re: Nordea Sweden shuts Internet banking due to targeted
      phishing (Craig Webster)
   6. Re: Book: "Spychips" Sees an RFID Conspiracy (Craig Webster)
   7. Re: Nordea Sweden shuts Internet banking due to targeted
      phishing (Florian Weimer)
   8. RE: Book: "Spychips" Sees an RFID Conspiracy (Discini, Sonny)
   9. FTC sues company over spyware (Fergie (Paul Ferguson))
  10. UK: Tsunami relief hacking case opens (Fergie (Paul Ferguson))


----------------------------------------------------------------------

Message: 1
Date: Wed, 05 Oct 2005 11:01:53 -0400
From: Valdis.Kletnieks () vt edu
Subject: Re: [funsec] Nordea Sweden shuts Internet banking due to
    targeted    phishing
To: Drsolly <drsollyp () drsolly com>
Cc: funsec () linuxbox org
Message-ID: <200510051501.j95F1r3K005289 () turing-police cc vt edu>
Content-Type: text/plain; charset="us-ascii"

On Wed, 05 Oct 2005 15:48:32 BST, Drsolly said:

On Wed, 5 Oct 2005, Dan Kaminsky wrote:




Banks could fix the phishing problem if they had the incentive. It isn't
bad enough yet to make them want to fix it.


Once we move to phishers with rootkits, it's kind of game over.
Majority of hosts are infected with spyware, ya know.


You won't be able to rootkit the credit-card sized gizmo.


You don't have to, if you can MITM the transaction. Wait for the user to hit the bank, read the challenge, snarf the gizmo's reply code as the user enters it. Then submit your *own* transaction, and then submit the user's transaction. That then complains about the code having been used already - but the damage is done.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 226 bytes
Desc: not available
Url : http://linuxbox.org/pipermail/funsec/attachments/20051005/ ad2ef3e9/attachment-0001.pgp

------------------------------

Message: 2
Date: Wed, 5 Oct 2005 15:01:37 GMT
From: "Fergie (Paul Ferguson)" <fergdawg () netzero net>
Subject: Re: [funsec] Book: "Spychips" Sees an RFID Conspiracy
To: dan () doxpara com
Cc: funsec () linuxbox org
Message-ID: <20051005.080141.55.64702 () webmail11 lax untd com>
Content-Type: text/plain

Like what?

- ferg


-- Dan Kaminsky <dan () doxpara com> wrote:

RFID has much bigger problems than privacy.

--Dan

--
"Fergie", a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawg () netzero net or fergdawg () sbcglobal net
 ferg's tech blog: http://fergdawg.blogspot.com/



------------------------------

Message: 3
Date: Wed, 05 Oct 2005 08:02:44 -0700
From: Dan Kaminsky <dan () doxpara com>
Subject: Re: [funsec] Nordea Sweden shuts Internet banking due to
    targeted    phishing
To: Drsolly <drsollyp () drsolly com>
Cc: funsec () linuxbox org
Message-ID: <4343EB14.5050303 () doxpara com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Drsolly wrote:

On Wed, 5 Oct 2005, Dan Kaminsky wrote:



Banks could fix the phishing problem if they had the incentive. It isn't
bad enough yet to make them want to fix it.



Once we move to phishers with rootkits, it's kind of game over.
Majority of hosts are infected with spyware, ya know.



You won't be able to rootkit the credit-card sized gizmo.


Credit card sized gizmo has an insufficient UI.

--Dan



------------------------------

Message: 4
Date: Wed, 05 Oct 2005 11:07:53 -0400
From: Valdis.Kletnieks () vt edu
Subject: Re: [funsec] Nordea Sweden shuts Internet banking due to
    targeted    phishing
To: Craig Webster <craig () xeriom net>
Cc: funsec () linuxbox org, Blue Boar <BlueBoar () thievco com>
Message-ID: <200510051507.j95F7rok005706 () turing-police cc vt edu>
Content-Type: text/plain; charset="us-ascii"

On Wed, 05 Oct 2005 15:14:25 BST, Craig Webster said:


This is only true so long as clients actually care about security and don't think "oh it'll never happen to me; I'll stick with my current bank because
it's less hastle."


And a lot of people managed to miss a point that Schneier keeps making: Security
is about *tradeoffs*.

I do business with a bank that's somewhat underclued in the e- security area, and admitted it when I went to talk to them about it. However, they'd have to be a *lot* more unclued than they are before their lack of clue on this one thing outweighed the benefits of my having done most of my banking there for the last 15 years - everything from them having more ATMs in the places I need them on a daily basis (and avoid a $2.50 charge each time) to the fact that in the last decade, none of the other banks with a presence around here has made a better offer for my business. Cheapest, most convenient, *and* most helpful -
it's gonna take a lot to make me move. :)

And defence in depth helps here too - my bank is a bit weak on the e-security side, but they've called me several times when they've spotted an anomalous transaction (turned out each time I'd done something truly oddball compared to my usual
business pattern - but they did in fact notice the oddness..)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 226 bytes
Desc: not available
Url : http://linuxbox.org/pipermail/funsec/attachments/ 20051005/6b233d94/attachment-0001.pgp

------------------------------

Message: 5
Date: Wed, 5 Oct 2005 16:14:15 +0100
From: Craig Webster <craig () xeriom net>
Subject: Re: [funsec] Nordea Sweden shuts Internet banking due to
    targeted    phishing
To: Valdis.Kletnieks () vt edu
Cc: funsec () linuxbox org, Blue Boar <BlueBoar () thievco com>
Message-ID: <20051005151415.GI12270 () xeriom net>
Content-Type: text/plain; charset=us-ascii

Hi,

Cheapest, most convenient, *and* most helpful -
it's gonna take a lot to make me move. :)


<argh>
It'd take very little to make me move and as far as I'm aware my bank
has fairly tight security and I haven't seen even one phishing scam
relating to it. Nice and secure, ATMs everywhere, cheap, evil little
sods that charge me at every possible opportunity, screw up basic things like changing the date on a standing order, enjoy being as unhelpful as
possible when it comes to direct debits, lock me out of telephone
banking for giving the correct password and look down their noses at me
whenever I go into the branch.

Can you tell that I love my bank? And yet, as far as I'm aware they're
the best bank for me. I don't really care about security at this
moment in time -- I want customer service, I want access to advisors
and I want trained staff!
</argh>

Yours,
Craig
--
Craig Webster | web: http://xeriom.net/
Xeriom.NET    | tel: +44 (0)131 516 8595


------------------------------

Message: 6
Date: Wed, 5 Oct 2005 16:15:52 +0100
From: Craig Webster <craig () xeriom net>
Subject: Re: [funsec] Book: "Spychips" Sees an RFID Conspiracy
To: "Fergie (Paul Ferguson)" <fergdawg () netzero net>
Cc: funsec () linuxbox org
Message-ID: <20051005151552.GJ12270 () xeriom net>
Content-Type: text/plain; charset=us-ascii

Hi,

Like what?


Well it tastes pretty bad...

Craig
--
Craig Webster | web: http://xeriom.net/
Xeriom.NET    | tel: +44 (0)131 516 8595


------------------------------

Message: 7
Date: Wed, 05 Oct 2005 17:21:08 +0200
From: Florian Weimer <fw () deneb enyo de>
Subject: Re: [funsec] Nordea Sweden shuts Internet banking due to
    targeted    phishing
To: funsec () linuxbox org
Message-ID: <87zmpogfbv.fsf () mid deneb enyo de>
Content-Type: text/plain; charset=us-ascii

* Steven Champeon:


on Wed, Oct 05, 2005 at 11:34:02AM +0200, Florian Weimer wrote:

* Justin Mason:


- Adam Shostack's _Preserving the Internet Channel Against Phishers_,
  http://www.homeport.org/~adam/phishing.html , in which he gives
  4 simple steps that *will* fix the problem.


What is the problem?  "Phishing" or online fraud?


The problem is that Bank X uses Service Y to send its email.


This doesn't answer my question because outsourcing your bulk mailings
certainly isn't a security problem in itself.

Maybe it's time for a little poll.  Who has heard of "PWSteal",
"Bancos" or "ASH"?


------------------------------

Message: 8
Date: Wed, 5 Oct 2005 11:49:21 -0400
From: "Discini, Sonny" <Sonny.Discini () montgomerycountymd gov>
Subject: RE: [funsec] Book: "Spychips" Sees an RFID Conspiracy
To: "Fergie \(Paul Ferguson\)" <fergdawg () netzero net>,
    <funsec () linuxbox org>
Message-ID:
    <066F402A7185F04E8B7506F582E00E8902E29E7F () mcg-ex02 mcgov org>
Content-Type: text/plain;    charset="us-ascii"


Fergie Wrote:

I enjoy a good conspiracy theory as much as the next guy. ;-)

Via Wired News:

[snip]

A new book by privacy advocates makes the case that
corporations and government agencies are in collusion to put
tiny radio transmitters on nearly everything we buy.
Companies say it's about providing thought leadership, not
the Mark of the Beast.

Katherine Albrecht and Liz McIntyre hope to become the twin
Erin Brockoviches of RFID, by revealing the threat posed by
the radio tag replacements for barcode labels

They may get their wish, if readers believe the conclusions
of the privacy advocates' new book, "Spychips: How Major
Corporations and Government Plan to Track Your Every Move with RFID".

Albrecht and McIntyre make a staggering accusation in
Spychips: that Philips, Procter and Gamble, Gillette, NCR and
IBM are conspiring with each other and the federal government
to follow individual consumers everywhere, using embedded
radio tags planted in their clothing and belongings.

[snip]

http://wired-vig.wired.com/news/technology/0,1282,69068,00.html

- ferg





Interesting. When I opened a pack of Gillette razors the other day,
indeed I found an RFID chip inside. I knew those bastards were up to
something when I signed up for that shopping bonus card!  ;-)


Sonny Discini, Senior Network Security Engineer
Department of Technology Services
Enterprise Infrastructure Division
Montgomery County Government




------------------------------

Message: 9
Date: Wed, 5 Oct 2005 16:36:37 GMT
From: "Fergie (Paul Ferguson)" <fergdawg () netzero net>
Subject: [funsec] FTC sues company over spyware
To: funsec () linuxbox org
Message-ID: <20051005.093656.55.66532 () webmail11 lax untd com>
Content-Type: text/plain

Via C|Net News:

[snip]

The Federal Trade Commission announced on Wednesday that it has sued a company it says secretly installed spyware and adware purporting to be peer-to-peer file sharing software. The company offered claims such as "Download music without fear," and "Don't let the record companies win," but in reality did things like rewriting search engine results and generating pop-up ads, the agency said.

Wednesday's announcement seems to be an effort to stave off possible enforcement-related criticism from Congress, which is holding a hearing on the topic later in the day. The defendant in the case is Odysseus Marketing of New Hampshire, whose ClientMan program is listed in Computer Associates' spyware encyclopedia.

[snip]

C|Net article:
http://news.com.com/FTC+sues+company+over+spyware/ 2110-7348_3-5889202.html

FTC announcement:
http://www.ftc.gov/opa/2005/10/odysseus.htm

- ferg


--
"Fergie", a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawg () netzero net or fergdawg () sbcglobal net
 ferg's tech blog: http://fergdawg.blogspot.com/



------------------------------

Message: 10
Date: Wed, 5 Oct 2005 16:50:46 GMT
From: "Fergie (Paul Ferguson)" <fergdawg () netzero net>
Subject: [funsec] UK: Tsunami relief hacking case opens
To: funsec () linuxbox org
Message-ID: <20051005.095124.55.66813 () webmail11 lax untd com>
Content-Type: text/plain

Here's a story with an interesting twist. Although additional
details are sketchy, it will be interesting to see what details
become available and how this case ends up.

Via The Register:

[snip]

Horseferry Road Magistrates Court has heard the first day of evidence against the East London man accused of hacking into a donations site for the tsunami appeal last December.

Daniel James Cuthbert, 28, of Whitechapel, London, is accused of breaches of Section One of the Computer Misuse Act, 1990, on the afternoon of New Year’s Eve, 2004. He had earlier pleaded not guilty.

Cuthbert is accused of attempting a directory traversal attack on the donate.bt.com site which handles credit card payments on behalf of the Disasters Emergency Committee.

Giving evidence on his own behalf, Cuthbert, at times near tears, said he had made a £30 donation to the site, after clicking on a banner advert. Because he received no final thank you or confirmation page he became concerned it may have been a phishing site, so he carried out two tests to check the security of the site.

The case continues tomorrow.

[snip]

http://www.theregister.co.uk/2005/10/05/dec_case/

- ferg


--
"Fergie", a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawg () netzero net or fergdawg () sbcglobal net
 ferg's tech blog: http://fergdawg.blogspot.com/



------------------------------

_______________________________________________
funsec mailing list
funsec () linuxbox org
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec


End of funsec Digest, Vol 2, Issue 9
************************************



-- This communication is confidential to the parties it is intended to serve --
Security Posture            securityposture.com          tel/fax
University of New Haven               unhca.com        925-454-0171
Fred Cohen & Associates                 all.net      572 Leona Drive
Security Management Partners    policygeeks.com    Livermore, CA 94550


_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault