Search This Blog

Wednesday, October 26, 2005

The man-in-the-middle gets caught up in ID theft

NETWORK WORLD NEWSLETTER: DAVE KEARNS ON IDENTITY MANAGEMENT
10/26/05
Today's focus: The man-in-the-middle gets caught up in ID theft

Dear security.world@gmail.com,

In this issue:

* Trying to stay one step ahead of ID thieves
* Links related to Identity Management
* Featured reader resource
_______________________________________________________________
This newsletter is sponsored by Sybase
Data Explosion

It sounds so simple: if you collect enough business information,
you'll glean valuable insights that can drive both revenue
growth and competitive advantage. Along the way, however,
companies are discovering that managing the explosive growth of
online data can prove a formidable challenge. Here's how to
assess your data management style, and maximize your
opportunities to turn online data into business opportunity.
Click here for more on taming the data explosion.
http://www.fattail.com/redir/redirect.asp?CID=118149
_______________________________________________________________
MANAGEMENT FRAMEWORKS ARE OUT - BUT WHAT'S IN?

Many vendors stopped using the term "frameworks" when they
became synonymous with endless deployment cycles. So, if
management frameworks are out, what is the alternative? Does a
series of multiple products from multiple vendors work? Will
Configuration Management Database (CMDB) emerge as the new
"framework" or "platform" for the enterprise? Click here for
more:
http://www.fattail.com/redir/redirect.asp?CID=118200
_______________________________________________________________

Today's focus: The man-in-the-middle gets caught up in ID theft

By Dave Kearns

As I mentioned in the last issue, the Federal Financial
Institutions Examination Council (FFIEC) has issued new guidance
for how financial institutions should plan to authenticate
customers' online identities by the end of next year. These
guidelines, which actually carry the force of mandates, did not
recommend specific methods of strong authentication but did
review some possibilities. Those included digital certificates,
smart cards, one-time passwords, USB plug-ins and biometric
identification methods as being more in line with the guidelines
than the simple username/password combinations currently in use.
In particular, the FFIEC believes that stronger authentication
is needed to combat so-called "phishing" attacks.

Security vendors such as RSA are quick to point to European
financial institutions as being far ahead of their U.S.
counterparts in using tools such as RSA's SecureID one-time
password-generation device. But are these really as secure as we
think they might be?

Rebecca Bace is the CEO of Infidel, a security consultancy.
She's also a venture partner with Trident Capital, specializing
in network security. She learned her trade on the front lines,
during 16 years at the National Security Agency, where she
became one of the world's leading experts on intrusion detection
and prevention. She's also a neat lady with a droll sense of
humor as I learned when we were panelists at the recent Thor
Technology Advisory Council meeting. She's just updated a
presentation she gave at the RSA Conference 2005 called
"Phishing 2.0". You can read the short article
http://www.infidel.net/phishing.php where you'll quickly find
out that so-called strong authentication can also be described
as weak security in many instances.

The problem Bace outlines is the same problem that Dan Blum,
Network World colleague and Burton Group senior vice president,
highlighted in his Weblog http://www.networkworld.com/nldsv9265
: One-time password (OTP) solutions are very susceptible to a
man-in-the-middle (MITM) attack. Simply put, someone intent on
stealing the details of your financial transaction sets up as a
proxy between the client and the financial Web site. By
capturing and replaying the client's credentials and returning
what appears to be legitimate responses the thief has,
essentially, unlimited access to the client's account.

A recent news story
http://www.theregister.co.uk/2005/10/12/outlaw_phishing/ points
out that even low-tech OTP solutions can be thwarted. Some
European banks issue booklets of one-time passwords that clients
use in order. This latest phishing scheme might be called
"Phishing 1.5" according to Bace's scale, as it directed bank
clients to a fake Web site where the client was asked to enter
the next OTP on their list, which was quickly used to login to
the real bank!

I should point out that one of the vendors Bace advises is
TriCipher, whose TriCipher Armored Credential System (which I
wrote about last spring http://www.networkworld.com/nldsv9266 )
is specifically touted as preventing MITM phishing attacks. I
should also point out that she talked her venture capital firm
into investing in TriCipher because it paid attention to MITM
attacks.

You also need to be aware of MITM and its use in identity theft.
Make sure you don't have a false sense of security with whatever
strong authentication methods you might be exploring - or using.

The top 5: Today's most-read stories

1. Cisco talking IP-radio nets
http://www.networkworld.com/nldsv9712
2. How to respond to a security breach
http://www.networkworld.com/nldsv9713
3. School traps infected PCs in its web
http://www.networkworld.com/nldsv9365
4. Cartoon of the Week http://www.networkworld.com/nldsv9366
5. CTO: BellSouth lost 9 COs to Katrina
http://www.networkworld.com/nldsv9714

_______________________________________________________________
To contact: Dave Kearns

Dave Kearns is a writer and consultant in Silicon Valley. He's
written a number of books including the (sadly) now out of print
"Peter Norton's Complete Guide to Networks." His musings can be
found at Virtual Quill http://www.vquill.com/.

Kearns is the author of three Network World Newsletters: Windows
Networking Tips, Novell NetWare Tips, and Identity Management.
Comments about these newsletters should be sent to him at these

respective addresses: mailto:windows@vquill.com,
mailto:netware@vquill.com, mailto:identity@vquill.com.

Kearns provides content services to network vendors: books,
manuals, white papers, lectures and seminars, marketing,
technical marketing and support documents. Virtual Quill
provides "words to sell by..." Find out more by e-mail at
mailto:info@vquill.com
_______________________________________________________________
This newsletter is sponsored by Hitachi Data Systems
Achieve Enterprise-Class Business Continuity and Data Governance
on a Midrange Budget

Viruses, disaster recovery and regulation compliance are issues
front and center with all IT professionals. However, the
architects of the mid size platform face these concerns with
limited resources. In this Special Report: How to Achieve
Enterprise-Class Business Continuity on a Midrange Budget, learn
about strategies to confront IT challenges within your own
means.
http://www.fattail.com/redir/redirect.asp?CID=118117
_______________________________________________________________
ARCHIVE LINKS

Archive of the Identity Management newsletter:
http://www.networkworld.com/newsletters/dir/index.html
_______________________________________________________________
FEATURED READER RESOURCE

GRID TAKING SHAPE IN THE ENTERPRISE

Grid computing continues to gain ground and vendors such as IBM,
Platform Computing, Sun, SAS and Univa are launching services,
products and partnerships to support this growth. But will
challenges such as software licensing, security and bandwidth
issues hinder grid rollouts? Click here for more:

http://www.networkworld.com/news/2005/101005-grid.html
_______________________________________________________________
May We Send You a Free Print Subscription?
You've got the technology snapshot of your choice delivered
at your fingertips each day. Now, extend your knowledge by
receiving 51 FREE issues to our print publication. Apply
today at http://www.subscribenw.com/nl2

International subscribers click here:
http://nww1.com/go/circ_promo.html
_______________________________________________________________
SUBSCRIPTION SERVICES

To subscribe or unsubscribe to any Network World e-mail
newsletters, go to:
http://www.nwwsubscribe.com/Changes.aspx

To change your e-mail address, go to:
http://www.nwwsubscribe.com/ChangeMail.aspx

Subscription questions? Contact Customer Service by replying to
this message.

This message was sent to: security.world@gmail.com
Please use this address when modifying your subscription.
_______________________________________________________________

Have editorial comments? Write Jeff Caruso, Newsletter Editor,
at: mailto:jcaruso@nww.com

Inquiries to: NL Customer Service, Network World, Inc., 118
Turnpike Road, Southborough, MA 01772

For advertising information, write Kevin Normandeau, V.P. of
Online Development, at: mailto:sponsorships@nwfusion.com

Copyright Network World, Inc., 2005

No comments: