<?xml version="1.0" encoding="UTF-8"?>
<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns="http://purl.org/rss/1.0/" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:syn="http://purl.org/rss/1.0/modules/syndication/" xmlns:admin="http://webns.net/mvcb/">
  <channel rdf:about="http://blog.gmane.org/gmane.law.cryptography.uk">
    <title>gmane.law.cryptography.uk</title>
    <link>http://blog.gmane.org/gmane.law.cryptography.uk</link>
    <description/>
    <syn:updatePeriod>hourly</syn:updatePeriod>
    <syn:updateFrequency>1</syn:updateFrequency>
    <syn:updateBase>1901-01-01T00:00+00:00</syn:updateBase>
    <items>
      <rdf:Seq>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.law.cryptography.uk/23075"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.law.cryptography.uk/23070"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.law.cryptography.uk/23028"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.law.cryptography.uk/23027"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.law.cryptography.uk/23021"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.law.cryptography.uk/23019"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.law.cryptography.uk/23014"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.law.cryptography.uk/23002"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.law.cryptography.uk/22996"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.law.cryptography.uk/22987"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.law.cryptography.uk/22986"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.law.cryptography.uk/22985"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.law.cryptography.uk/22974"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.law.cryptography.uk/22973"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.law.cryptography.uk/22970"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.law.cryptography.uk/22966"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.law.cryptography.uk/22964"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.law.cryptography.uk/22960"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.law.cryptography.uk/22934"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.law.cryptography.uk/22922"/>
      </rdf:Seq>
    </items>
    <image rdf:resource="http://gmane.org/img/gmane-25t.png"/>
    <textinput rdf:resource=""/>
  </channel>
  <image rdf:about="http://gmane.org/img/gmane-25t.png">
    <title>Gmane</title>
    <url>http://gmane.org/img/gmane-25t.png</url>
    <link>http://gmane.org</link>
  </image>
  <item rdf:about="http://comments.gmane.org/gmane.law.cryptography.uk/23075">
    <title>Apologies for the previous top post.</title>
    <link>http://comments.gmane.org/gmane.law.cryptography.uk/23075</link>
    <description>&lt;pre&gt;D.
&lt;/pre&gt;</description>
    <dc:creator>David Biggins</dc:creator>
    <dc:date>2013-05-19T19:50:53</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.law.cryptography.uk/23070">
    <title>BBC Moneybox - contactless hiccups</title>
    <link>http://comments.gmane.org/gmane.law.cryptography.uk/23070</link>
    <description>&lt;pre&gt;        "Some Marks and Spencer customers have told the BBC of cases
        where the chain's contactless payment terminals have taken money
        from cards other than the ones intended for payment.

        "Cards are supposed to be within about 4cm of the front of the
        contactless terminal to work.

        "But some customers say payments have been taken from cards
        while in purses and wallets at much greater distances.

http://www.bbc.co.uk/news/business-22545804
&lt;/pre&gt;</description>
    <dc:creator>Roland Perry</dc:creator>
    <dc:date>2013-05-18T10:34:55</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.law.cryptography.uk/23028">
    <title>BBC News - 'Fresh proposals' planned over cyber-monitoring</title>
    <link>http://comments.gmane.org/gmane.law.cryptography.uk/23028</link>
    <description>&lt;pre&gt;
http://www.bbc.co.uk/news/uk-politics-22449209

You have to wonder at the people the BBC talks to:

Yeah.  You mean "IPv6 would be a good idea", I think.

ian

&lt;/pre&gt;</description>
    <dc:creator>Ian Batten</dc:creator>
    <dc:date>2013-05-08T12:42:56</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.law.cryptography.uk/23027">
    <title>practical homomorphic encryption (allegedly)</title>
    <link>http://comments.gmane.org/gmane.law.cryptography.uk/23027</link>
    <description>&lt;pre&gt;Have received a link to the following article:

IBM takes a big new step in cryptography: practical homomorphic encryption

http://nakedsecurity.sophos.com/2013/05/05/ibm-takes-big-new-step-in-cryptography/

by Paul Ducklin on May 5, 2013

IBM just released an open source software package called HELib.

The HE stands for homomorphic encryption.

Although it doesn't sound terribly sexy or impressive, HELib is actually 
an interesting and important milestone in cryptography.

HE is also a surprisingly relevant topic right now, with our 
ever-increasing attraction to cloud computing.

&amp;lt;more in the article&amp;gt;

Peter



&lt;/pre&gt;</description>
    <dc:creator>Peter Tomlinson</dc:creator>
    <dc:date>2013-05-08T09:56:36</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.law.cryptography.uk/23021">
    <title>FAQ on UK law</title>
    <link>http://comments.gmane.org/gmane.law.cryptography.uk/23021</link>
    <description>&lt;pre&gt;Dear List,

Is there an FAQ anywhere on the state of UK law as it relates to the
development of cryptography and software that uses cryptography?

I've read the Crypto Law Survey:

http://www.cryptolaw.org

and the rules surrounding domestic use are very clear.

What is much less clear is the question of "export".  Does, for example,
hosting a piece of software like PuTTY or ssh or gnupg on a UK-based
website count as "export"? What about providing support for such software?
 Unlike the Americans, who seem to have specific regulations for Open
Source Software, I can't see anything comparable in UK law.  There was a
flurry of activity around this in the late 1990s, and things seem to have
cooled down since, but clarity still seems to be lacking!

Nicholas
&lt;/pre&gt;</description>
    <dc:creator>Nicholas Cole</dc:creator>
    <dc:date>2013-05-07T09:43:42</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.law.cryptography.uk/23019">
    <title>Best practice for federated authentication and authorisation?</title>
    <link>http://comments.gmane.org/gmane.law.cryptography.uk/23019</link>
    <description>&lt;pre&gt;I'm currently looking for some sort of definition of best practice for
implementing federated authentication and authorisation systems, but
struggling to find much.

What I'm looking at is an application that uses Gmail/Facebook/Twitter
etc. for authentication via a bespoke intermediate ("cloud-based")
registration service and then does access control by verifying claims
with another bespoke cloud-based system.

Can anyone point me to any documents that discuss best practice for
implementation of such a system?  I'm thinking that handling all
transactions over HTTPS really isn't sufficient for this and that they
should all be at least time-stamped, digitally signed and use both
client and server certificates for HTTPS, but if I'm being overly
paranoid, or not paranoid enough, it would be useful to know :)

Thanks,
James


&lt;/pre&gt;</description>
    <dc:creator>James Fidell</dc:creator>
    <dc:date>2013-05-02T10:19:15</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.law.cryptography.uk/23014">
    <title>Phone hacking: the telco angle</title>
    <link>http://comments.gmane.org/gmane.law.cryptography.uk/23014</link>
    <description>&lt;pre&gt;I recently revisited parts of the phone hacking coverage (mainly
related to the activities of NotW), and it seems that this was never
framed as a security failure at the mobile phone operators who ran the
network and provisioned the attacked services.

Is there any explanation for this?


&lt;/pre&gt;</description>
    <dc:creator>Florian Weimer</dc:creator>
    <dc:date>2013-05-01T14:43:26</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.law.cryptography.uk/23002">
    <title>3D Secure / Verified By Visa</title>
    <link>http://comments.gmane.org/gmane.law.cryptography.uk/23002</link>
    <description>&lt;pre&gt;Does anyone know more about how it currently works than Wikipedia and Murdoch and Anderson 2010 [1] and high-level descriptions for application writers [2]?

Originally, it took you to an iFrame which prompted you for a password you had previously agreed with the issuer.  Later, for me at least (Lloyds TSB) it instead put up the Verified by Visa or its Mastercard equivalent logo, said it was authenticating, and then immediately succeeded.  I assumed, without checking, that it had dropped a random cookie which the issuer regarded as sufficient proof the card hadn't been stolen.   Not ideal, but better than nothing, and avoids having to type the password.

This morning, I used my credit card for a transaction in my wife's name, because my wife's card had been declined [3].   It was a non-trivial amount of money to a website I have never used before, but which Sue uses regularly for small transactions.  This transaction was probably two orders of magnitude greater than any previous one.   Our credit cards are separate accounts.   I was using her web browser while logged in to her account.   My card went straight through, without asking for a 3DS password.  

To which I say, huh?  What state is there in a random user account on an OSX machine which allows it to assert that it's me?  What are 3DS checking?

ian

[1] http://www.cl.cam.ac.uk/~rja14/Papers/fc10vbvsecurecode.pdf

[2] http://www.web-merchant.co.uk/3dsecure.asp

[3]  Itself an interesting point.  We suspect that as we use my card for making large online purchases, I've built up a history of doing "that sort of thing", while Sue hasn't.  Alternatively, if you do a lot of transactions of size x with a merchant, a transaction of size 100x might scream "insider fraud with stored credentials", while a first-time transaction of the same size doesn't raise the same concern.  

&lt;/pre&gt;</description>
    <dc:creator>Ian Batten</dc:creator>
    <dc:date>2013-04-17T10:18:15</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.law.cryptography.uk/22996">
    <title>‘Secretbook’ Lets You Encode Hidden Messages in Your Facebook Pics</title>
    <link>http://comments.gmane.org/gmane.law.cryptography.uk/22996</link>
    <description>&lt;pre&gt;http://www.wired.com/dangerroom/2013/04/secretbook/

Facebook is a place where you can share pictures of cute animals and fun
activities. Now there’s a browser extension that lets you encode those
images with secret, hard-to-detect messages.

That’s the idea behind
Secretbook&amp;lt;https://chrome.google.com/webstore/detail/secretbook/plglafijddgpenmohgiemalpcfgjjbph&amp;gt;,
a browser extension released this week by 21-year-old Oxford University
computer science student and former Google intern Owen Campbell-Moore. With
the extension, anyone — you, your sister, a terrorist — could share
messages hidden in JPEG images uploaded to
Facebook&amp;lt;http://www.wired.com/magazine/2013/04/facebookqa/&amp;gt; without
the prying eyes of the company, the government or anyone else noticing or
figuring out what the messages say. The only way to unlock them is through
a password you create.

“The goal of this research was to demonstrate that JPEG steganography can
be performed on social media where it has previously been impossible,”
Campbell-Moore tells Danger Room. He says he spent about two months spread
out over the last year working on the extension as a research project for
the university.

[…]

It wasn’t easy developing the extension. “Many tools for steganography in
JPEGs have existed in the past although they have always required that the
images are transmitted exactly as they are,” Campbell-Moore says.

This could be a single pixel changed to a different color, and then
repeated over several images, spelling out a message — which you can’t see,
unless you have the translation key, and know which pixel to look for. But
when you upload an image to Facebook, the image is automatically
recompressed, which can lower the image quality. If you’ve encoded a secret
message in the image, Facebook will garble
it&amp;lt;http://www.owencampbellmoore.com/blog/2013/04/hide-secret-messages-in-facebook-photos-using-this-new-chrome-extension/&amp;gt;.
Facebook competitor Google+ doesn’t do this, so you can share encoded
messages &amp;lt;http://www.greatplay.net/essays/steganography-in-social-media&amp;gt; there
without needing an app for it.


[continues…]
&lt;/pre&gt;</description>
    <dc:creator>Owen Blacker</dc:creator>
    <dc:date>2013-04-10T13:16:42</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.law.cryptography.uk/22987">
    <title>BBC News - Anti-cyber threat centre launched</title>
    <link>http://comments.gmane.org/gmane.law.cryptography.uk/22987</link>
    <description>&lt;pre&gt;
http://www.bbc.co.uk/news/uk-21945702

I'm really sceptical about this sort of story.  Incredible (in every sense) claims are made as to the cost of cyber-crime, but there doesn't seem to be any evidence for it.  

Suppose it's true that shadowy gangs are extorting money from British companies.  How are the payments made?  Large amounts of cash dropped by trees?   Bogus invoicing for invisible services? Direct transfer to numbered accounts in opaque offshore banks?   Have you tried getting significant amounts of money out of a company without triggering attention from your bank (obligated under money-laundering regulations to report suspicious activity), your auditors (terrified of being the next Arthur Andersen) and the taxman (for obvious reasons)?  It simply doesn't stand examination that there could be a significant flow of money out of businesses without it being noticed by someone, and that someone would have far more incentive to report it than to keep quiet.

We're reduced to the "but everyone is sworn to secrecy and no-one breaks their oath" stuff of conspiracy theorists to explain how all this money is disappearing out of the UK economy in a completely frictionless manner.  Why, for example, hasn't there been a case of a company being accused of tax fraud (transferring large sums of money offshore) and then turning out to be, or claiming to be, the victim of extortion?  Why has no company had their accounts queried because of large cash payments?  Why aren't the FSA worrying about this?   Cyber-crime gets almost no mention in the FSA Policy Guide on financial crime [1], and the section on it (section 6.8 on page 20) is all about insider risks.

What about the claim of large off-the-books losses?  Well, there's a vague suggestion of that:


Translation: they bid for a contract with a total contract value of £800m and lost to a foreign company.  Well, there's a million and one reasons why that could happen, starting with your price being too high or your delivery schedule being too slow, and ending with your salesman committing some terrible faux-pas over dinner.  It's impossible to ascribe one explanation, but obviously "it was shadowy hackers that lost us the business" is a very easy excuse for everyone involved.

I don't for a second deny that there is _risk_ associated with cyber-crime.  But the question is, is that risk proportional to the money, time and emotional capital expended on it?  Would the typical company be better off worrying about putting better locks on its warehouse doors and making sure they have a decent policy of random searches of cars leaving the premises?  And once we're into a world of "there are shadowy gangs committing shadowy crimes who have to be paid off in a shadowy way", isn't a serious risk that financial controllers become party to the IT function in the business siphoning money off and then disappearing ("we need to pay this gang in Faraway-istan, or is it Faraway-ia, £1m in cash or they'll bankrupt us, yes, of course I'm volunteering to deliver the cash").

ob.ukcrypto: this all smacks of the high days of crypto-wars, in which government presented "evidence" of arrival of the four horsemen of the apocalypse in order to justify the controls they wanted to impose.  

ian

[1] http://www.fsa.gov.uk/pubs/policy/ps11_15.pdf&lt;/pre&gt;</description>
    <dc:creator>Ian Batten</dc:creator>
    <dc:date>2013-03-27T08:35:09</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.law.cryptography.uk/22986">
    <title>Organisational Standards for Cyber Security: Government’s Call for Evidence</title>
    <link>http://comments.gmane.org/gmane.law.cryptography.uk/22986</link>
    <description>&lt;pre&gt; From IAAC via BCS:

Organisational Standards for Cyber Security: Government’s Call for Evidence

The government intends to select and endorse an organisational standard 
that best meets the requirements for effective cyber risk management. 
There are currently various relevant standards and guidance which can be 
confusing for organisations, businesses and companies that want to 
improve their cyber security.

BIS and Cabinet Office are therefore calling for bodies and groups of 
organisations to submit their evidence in support of their preferred 
cyber security standard.     Expressions of interest are requested 
before 8 April (as shown on the website).  BIS and Cabinet Office can 
then rationalise the submissions i.e. if a number of bodies want to 
submit on ISO27001 then we can invite them to get-together and put 
forward 1 submission between them.

Full details of the call for evidence is at 
https://www.gov.uk/government/consultations/cyber-security-organisational-standards-call-for-evidence

** end quote **

Peter Tomlinson



&lt;/pre&gt;</description>
    <dc:creator>Peter Tomlinson</dc:creator>
    <dc:date>2013-03-26T10:16:20</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.law.cryptography.uk/22985">
    <title>Biggest Fake Conference in Computer Science</title>
    <link>http://comments.gmane.org/gmane.law.cryptography.uk/22985</link>
    <description>&lt;pre&gt;Biggest Fake Conference in Computer Science


I graduated from University of Florida (UFL) and am currently 
running a computer firm in Florida. I have attended WORLDCOMP 
conference (see http://sites.google.com/site/worlddump1 for 
details) in 2010. Except for a few keynote speeches and 
presentations, the conference was very disappointing due to a 
large number of poor quality papers and cancellation of some 
sessions. I was instantly suspicious of this conference. 


Me and my friends started a study on WORLDCOMP. 
We submitted a fake paper to WORLDCOMP 2011 and again (the 
same paper with a modified title) to WORLDCOMP 2012. This paper 
had numerous fundamental mistakes. Sample statements from 
that paper include: 

(1). Binary logic is fuzzy logic and vice versa
(2). Pascal developed fuzzy logic
(3). Object oriented languages do not exhibit any polymorphism or inheritance
(4). TCP and IP are synonyms and are part of OSI model 
(5). Distributed systems deal with only one computer
(6). Laptop is an example for a super computer
(7). Operating system is an example for computer hardware


Also, our paper did not express any conceptual meaning.  However, it 
was accepted both times without any modifications (and without 
any reviews) and we were invited to submit the final paper and a 
payment of $500+ fee to present the paper. We decided to use the 
fee for better purposes than making Prof. Hamid Arabnia (Chairman 
of WORLDCOMP) rich. After that, we received a few reminders from 
WORLDCOMP to pay the fee but we never responded. 


We MUST say that you should look at the website  
http://sites.google.com/site/worlddump1   if you have any thoughts 
to submit a paper to WORLDCOMP.  DBLP and other indexing agencies 
have stopped indexing WORLDCOMP’s proceedings since 2011 due to its fakeness. 


The status of your WORLDCOMP papers can be changed from “scientific” 
to “other” (i.e., junk or non-technical) at any time. See the comments 
http://www.mail-archive.com/tccc-FPEHb7Xf0XXUo1n7N8X6UoWGPAHP3yOg&amp;lt; at &amp;gt;public.gmane.org/msg05168.html  
of a respected researcher on this. Better not to have a paper than 
having it in WORLDCOMP and spoil the resume and peace of mind forever!


Our study revealed that WORLDCOMP is a money making business, 
using University of Georgia mask, for Prof. Hamid Arabnia. He is throwing 
out a small chunk of that money (around 20 dollars per paper published 
in WORLDCOMP’s proceedings) to his puppet who publicizes WORLDCOMP 
and also defends it at various forums, using fake/anonymous names. 
The puppet uses fake names and defames other conferences/people to 
divert traffic to WORLDCOMP. That is, the puppet does all his best 
to get a maximum number of papers published at WORLDCOMP to get more 
money into his (and Prof. Hamid Arabnia’s) pockets. 


Monte Carlo Resort (the venue of WORLDCOMP until 2012) has refused to 
provide the venue for WORLDCOMP’13 because of the fears of their image 
being tarnished due to WORLDCOMP’s fraudulent activities. 


WORLDCOMP will not be held after 2013.


The paper submission deadline for WORLDCOMP’13 was March 18 and it is 
extended to April 6 (it will be extended many times, as usual) but 
still there are no committee members, no reviewers, and there is no 
conference Chairman. The only contact details available on WORLDCOMP’s 
website is just an email address! 


What bothers us the most is that Prof. Hamid Arabnia never posted an 
apology for the damage he has done to the research community.  He is still 
trying to defend WORLDCOMP. Let us make a direct request to him: publish 
all reviews for all the papers (after blocking identifiable details) since 
2000 conference. Reveal the names and affiliations of all the reviewers 
(for each year) and how many papers each reviewer had reviewed on average. 
We also request him to look at the Open Challenge at  
http://sites.google.com/site/dumpconf


We think that it is our professional obligation to spread this message to 
alert the computer science community. Sorry for posting to multiple lists. 
Spreading the word is the only way to stop this bogus conference. 
Please forward this message to other mailing lists and people. 


We are shocked with Prof. Hamid Arabnia and his puppet’s activities 
http://worldcomp-fake-bogus.blogspot.com  Search Google using the 
keywords “worldcomp, fake” for additional links. 


Sincerely,
Peter



&lt;/pre&gt;</description>
    <dc:creator>peterhendler-revL73yDgGBWk0Htik3J/w&lt; at &gt;public.gmane.org</dc:creator>
    <dc:date>2013-03-22T20:08:50</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.law.cryptography.uk/22974">
    <title>security policy question</title>
    <link>http://comments.gmane.org/gmane.law.cryptography.uk/22974</link>
    <description>&lt;pre&gt;Hi All,

I am not sending this from my usual account as gmail seems to have hit 
various blacklists. Even though the 2 factor auth and MITM detection seems 
to be a good thing in a web-mail service. So instead I am probably going to 
be giving spamd on this OBSD box a good work out.

I am looking for a bit of advice.
I work for part of the NHS and was recently given a new version of our 
security policy to sign.
It contains the usual I will be a good citizen, take care of the datas, 
not hand out my password or transfer data onto unencrypted memory 
sticks/laptops and leave them in taxis etc.

I am generally in favor of these and usually have no problems appending my 
signature but the difference between the old and new policy is the 
following:
"I further understand that I am responsible for any transactions carried 
out under my personal password and code"

I have no confidence that it wouldn't be trivial for someone to get hold 
of my user-name and password by methods which don't involve me being 
irresponsible. 

Any advice would be very helpful before I make a nuisance of myself.

thanks
mike


&lt;/pre&gt;</description>
    <dc:creator>Root</dc:creator>
    <dc:date>2013-03-04T23:29:52</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.law.cryptography.uk/22973">
    <title>Googlegroups spam</title>
    <link>http://comments.gmane.org/gmane.law.cryptography.uk/22973</link>
    <description>&lt;pre&gt;A bit OT, but..

Suppose someone who operates a Google group adds my email address to the 
group without asking me (which is a thing Google permit). I then get 
lots of spam from the group (maybe commercial, maybe not - I don't know, 
it isn't in English letters), sent from Google.


Do I have any legal comeback against Google?


Thx,


&lt;/pre&gt;</description>
    <dc:creator>Peter Fairbrother</dc:creator>
    <dc:date>2013-02-11T17:52:50</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.law.cryptography.uk/22970">
    <title>Chip and Pin compromised at B&amp;N US</title>
    <link>http://comments.gmane.org/gmane.law.cryptography.uk/22970</link>
    <description>&lt;pre&gt;Interesting story here..


http://blog.elementps.com/element_payment_solutions/2013/01/data-breach-hits-barnes-noble.html

Anyone any knowledge of the C&amp;amp;P terminals used etc as I'm not aware of C&amp;amp;P
being 'popular' in the USA (well it's been a couple years since I was last
there and things change rapidly, so could have gained a lot of traction by
now).

&lt;/pre&gt;</description>
    <dc:creator>Martin Hepworth</dc:creator>
    <dc:date>2013-01-19T11:54:38</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.law.cryptography.uk/22966">
    <title>Elcomsoft $300 decryption tool.</title>
    <link>http://comments.gmane.org/gmane.law.cryptography.uk/22966</link>
    <description>&lt;pre&gt;http://thenextweb.com/insider/2012/12/20/this-299-tool-is-reportedly-capable-of-cracking-bitlocker-pgp-and-truecrypt-disks-in-real-time/

"This $299 tool is reportedly capable of decrypting BitLocker, PGP, and  
TrueCrypt disks in real-time"

The actual press release is at:

http://www.elcomsoft.com/PR/EFDD_121220_en.pdf

So the computer has to be turned on? Or have hibernation files lying  
around in memory?

&lt;/pre&gt;</description>
    <dc:creator>Brian L Johnson</dc:creator>
    <dc:date>2012-12-21T09:48:04</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.law.cryptography.uk/22964">
    <title>Victory for the Mail! Children WILL be protected from online porn after Cameron orders sites to be blocked automatically | Mail Online</title>
    <link>http://comments.gmane.org/gmane.law.cryptography.uk/22964</link>
    <description>&lt;pre&gt;Yes, I know, reading the Daily Mail rots the brain, although in my defence I only saw this story because it was on the front page that Paxman showed at the end of last night's Newsnight.  David Cameron is trying to square the circle of the Mail's howling about online pornography and the resounding results of the recent consultation exercise:

David Cameron writes:


So, for those of us in the security community, it appears Dave is going to solve the problem of home users sharing computers and/or sharing accounts at a stroke.  All the issues associated with people using one login (or, more commonly, no logins) will be gone.  And, better, devices which don't have the concept of multiple users (such as those iPads which so few people have bought, and which have been so unpopular since their damp-squib launch) will now be locked to a single user and won't be shared around in households.  Excellent!  That's a major security issue solved at a stroke!

ian

&lt;/pre&gt;</description>
    <dc:creator>Ian Batten</dc:creator>
    <dc:date>2012-12-20T09:55:59</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.law.cryptography.uk/22960">
    <title>NSTIC (USA)</title>
    <link>http://comments.gmane.org/gmane.law.cryptography.uk/22960</link>
    <description>&lt;pre&gt;This, I'm well aware, is a UK group, but from across the pond comes news 
of NSTIC and the USA Identity Ecosystem Pilots:

http://nstic.blogs.govdelivery.com/2012/12/13/seeking-small-business-partners-to-evaluate-nstic-identity-ecosystem-pilots/

Seasons Greetings,

Peter




&lt;/pre&gt;</description>
    <dc:creator>Peter Tomlinson</dc:creator>
    <dc:date>2012-12-17T06:40:32</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.law.cryptography.uk/22934">
    <title>Transaction history of Paywave cards</title>
    <link>http://comments.gmane.org/gmane.law.cryptography.uk/22934</link>
    <description>&lt;pre&gt;Paywave cards are now accepted on London buses (in a very basic 
configuration, no daily capping, no use on the tube), as an alternative 
to Oyster.

If a ticket inspector wants to check your Oyster card on the bus to see 
if you have paid, then it contains a recent journey history (10 
transactions I think).

Do Paywave cards have any history stored on them - even as minimal as 
the time/date/amount of the most recent usage?
&lt;/pre&gt;</description>
    <dc:creator>Roland Perry</dc:creator>
    <dc:date>2012-12-14T09:06:01</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.law.cryptography.uk/22922">
    <title>Perfect Forward Secrecy: Not So Perfect, Not So Forward</title>
    <link>http://comments.gmane.org/gmane.law.cryptography.uk/22922</link>
    <description>&lt;pre&gt;Communication Data scrutiny report [1], paragraph 92 implies that Google are in a position to retrospectively decrypt SSL sessions.   

ian



[1] http://www.publications.parliament.uk/pa/jt201213/jtselect/jtdraftcomuni/79/79.pdf&lt;/pre&gt;</description>
    <dc:creator>Ian Batten</dc:creator>
    <dc:date>2012-12-11T07:20:03</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.law.cryptography.uk/22921">
    <title>BBC News - Draft Communications Bill: May says web monitoring will save lives</title>
    <link>http://comments.gmane.org/gmane.law.cryptography.uk/22921</link>
    <description>&lt;pre&gt;
http://www.bbc.co.uk/news/uk-politics-20157059


More than ten thousand lives a year being saved by urgent requests for communications data.  Impressive.  But I bet you that the vast majority are reverse DQ and location data on 999 calls, which I don't think anyone rational is attempting to prevent.

ian



&lt;/pre&gt;</description>
    <dc:creator>Ian Batten</dc:creator>
    <dc:date>2012-10-31T17:06:12</dc:date>
  </item>
  <textinput rdf:about="http://search.gmane.org/?group=$group=gmane.law.cryptography.uk">
    <title>Search Engine</title>
    <description>Search the mailing list at Gmane</description>
    <name>query</name>
    <link>http://search.gmane.org/?group=$group=gmane.law.cryptography.uk</link>
  </textinput>
</rdf:RDF>
