RE: Oh, the irony. (Was Re: CRIME NIPC DAILY REPORT: 18 APRIL,2002)

From: James Wilcox (jim_wilcox@private)
Date: Thu Apr 18 2002 - 09:16:24 PDT


    Jere,
    
    Whatever you might think of Peter Tippett (I think he is mostly on), you
    might find this of interest (at the risk of copy violation, I have excerpted
    and provided the URL to the entire article):
    
    
    I would argue that the likelihood of success of sniffing somewhere between
    your home or office and an e-commerce Web server is incredibly low, perhaps
    as low as 10^-6 (meaning the likelihood of success would be one in 100,000
    sniffing attempts).
    
    ... Moore's Law tells us that processors are perhaps three times faster, and
    disk drives perhaps two times faster. Bandwidth has also increased; today's
    OC192 pipes are more than 60 times faster than OC3. Translation: As
    difficult as sniffing was three years ago, it's 20 to 30 times more
    difficult today.
    
    Of course, other factors further reduce the vulnerability, including the
    problem of identifying which fiber to sniff and the fragmentation of
    transmitted packets.
    Now, what about the threat rate? We read lots of news reports about this and
    that Web site losing thousands of credit card numbers to a database cracker,
    but have you ever once heard about a cracker obtaining such information by
    sniffing the public Internet? ...it hasn't happened.
    
    In 2000, less than half of the credit card numbers traveling across the
    Internet were encrypted at all. For the other half, more than 70% of
    browsers in North America and Western Europe only support 40-bit encryption.
    Most B2B sites still use private (unencrypted) lines or 56-bit DES. All of
    this is to demonstrate that the threat is lower than low. In fact, it
    appears to be zero.
    
    So, when we consider all these factors together, here's what our risk
    equation looks like: The risk of credit card fraud by sniffing the public
    Internet has a very low vulnerability multiplied by a threat rate near zero
    multiplied by a very small cost. When you extrapolate this out to the
    millions of people transmitting credit card numbers over the 'Net, the risk
    is darn near zero. In fact, I would argue that it's not even in the top
    1,000 real risks worth worrying about.
    
    -- Peter Tippett
    
    http://www.infosecuritymag.com/articles/may01/columns_executive_view.shtml
    
    James R. Wilcox, CISSP
    Regional Manager
    SecureInfo Corporation
    503 799-8438
    503 244-8827  fax
    TESS Support (888) 753-8377
    james.wilcox@private
    www.secureinfo.com
    
    -----Original Message-----
    From: owner-crime@/var/spool/majordomo/lists/crime
    [mailto:owner-crime@/var/spool/majordomo/lists/crime]On Behalf Of Jere
    Retzer
    Sent: Wednesday, April 17, 2002 10:01 PM
    To: crime@private; steve@private
    Subject: Re: Oh, the irony. (Was Re: CRIME NIPC DAILY REPORT: 18 APRIL,2002)
    
    Question -- have there been any documented cases of weak encryption leading
    to significant exploits? I don't mean to belittle the need for encryption
    but I don't see significant exploits actually happening. Maybe the right
    attitude is to say if we did not keep up that we would be seeing exploits.
    
    >>> Steve Beattie <steve@private> 04/17/02 19:34 PM >>>
    On Wed, Apr 17, 2002 at 07:34:19AM -0700, George Heuston wrote:
    > SSL keys coming up short.  More than 15 percent of the Secure Sockets
    > Layer (SSL) servers in the US are using short RSA keys that are in
    > danger of being compromised with off-the-shelf products and computing
    > resources available to individuals in most medium-size businesses. SSL
    > is the de facto standard protocol used to encrypt data going to and
    > from Web sites, typically for financial transactions on e-commerce
    > sites. If the RSA key is compromised, an attacker is able to impersonate
    > the Web site and decrypt traffic intercepted to or from the site.
    > (Eweek, 15 Apr)
    >
    > WWU Comment: The significance of this issue lies in the potential for
    > individuals with semi-sophisticated capabilities who have access to
    > readily-available resources to take advantage of lesser security key
    > implementations of widely used security products.  The stature of SSL
    > as the de facto standard offers a false sense of security when using
    > the lesser security key implementation in the same manner that fire
    > walls and intrusion detection systems that are poorly configured fail
    > to provide adequate protection.
    
    It is with great humor that I read this blurb from NIPC, especially
    their additional comment. The whole idea of the US federal government
    complaining that too many people are using weak encryption when the US
    government has been one of the strongest impediments to adopting strong
    encryption through its ITAR restrictions (crypto is a munition!) is
    just laughable. Alas, Phil Zimmermann wasn't laughing when he was being
    threatened with years in jail for distributing PGP.
    
    Of course, using strong crypto only buys you transport security. Given
    the depressing state of host security, using SSL to most websites is
    like using an armored car to transport your money to a bank made out of
    a cardboard box.
    
    --
    Steve Beattie                               Don't trust programmers?
    <steve@private>                         Complete StackGuard distro at
    http://NxNW.org/~steve/                            immunix.org
    http://www.personaltelco.net -- overthrowing QWest, one block at a time.
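The NIPC blurb quoted above talks about SSL servers with "short RSA keys" but gives no way to find them; the following is an added example, not code from anyone in this thread, of how a defender audits RSA modulus size from a DER-encoded PKCS#1 RSAPublicKey. It assumes a 2048-bit policy floor (the blurb does not say what counts as short) and constructs synthetic keys inline, so it runs offline with no crypto library.

```python
# Added example (not from the thread): audit an RSA public key's modulus size
# from a DER-encoded PKCS#1 RSAPublicKey. The sample keys are constructed
# inline with a synthetic modulus of the wanted bit length (not real keypairs);
# only the size check matters here. The 2048-bit minimum is an assumed policy.

def _der_len(n: int) -> bytes:
    """Encode a DER length in short form (<128) or long form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _der_int(value: int) -> bytes:
    """Encode a non-negative INTEGER; prepend 0x00 if the top bit is set."""
    body = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return b"\x02" + _der_len(len(body)) + body

def make_rsa_public_key_der(modulus_bits: int, exponent: int = 65537) -> bytes:
    """Build RSAPublicKey ::= SEQUENCE { modulus, publicExponent } (constructed)."""
    n = (1 << (modulus_bits - 1)) | 1  # top bit set so bit_length() == modulus_bits
    body = _der_int(n) + _der_int(exponent)
    return b"\x30" + _der_len(len(body)) + body

def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the DER TLV starting at pos."""
    tag = buf[pos]
    ln = buf[pos + 1]
    pos += 2
    if ln & 0x80:  # long-form length: low 7 bits give the byte count
        nbytes = ln & 0x7F
        ln = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + ln], pos + ln

def rsa_modulus_bits(der: bytes) -> int:
    """Parse the outer SEQUENCE and return the bit length of the first INTEGER."""
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a SEQUENCE")
    tag, modulus, _ = _read_tlv(seq, 0)
    if tag != 0x02:
        raise ValueError("modulus is not an INTEGER")
    return int.from_bytes(modulus, "big").bit_length()

def audit_key(der: bytes, minimum_bits: int = 2048) -> dict:
    """Flag a key whose modulus falls below the (assumed) policy minimum."""
    bits = rsa_modulus_bits(der)
    return {"bits": bits, "weak": bits < minimum_bits}
```

In practice the DER blob would come from the server certificate's SubjectPublicKeyInfo rather than a constructed key; the size check is the same.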
    