Updated: 24.11.2002; 13:03:11.
disLEXia
lies, laws, legal research, crime and the internet
        

Thursday, August 9, 2001

Hacked caller ID?

Two-and-a-half years ago I received an unexpected telephone call at about 2230 on my British Telecom phone. The caller was adamant that I had called him at about 2020 the same night, from my phone -- he had used "1471" when he arrived home himself, to access the CLID of the last call to his number.

But I had been out of the house until 2200, and the house had been empty. It took some effort to persuade my unknown caller that I hadn't called him earlier that evening. So the following day I asked on the BT fault reporting line how this could have happened. I was told that this sort of thing happens quite often. I may well have been in trouble if a crime had been committed at the other house that night.

BT don't advertise this failure mode at all.

Andrew Hilborne [Andrew Hilborne via risks-digest Volume 21, Issue 60]

Danish police: Safeguard Easy not broken; weak passwords (R 21 58)

This is to elaborate and correct the initial mentioning of Safeguard Easy in RISKS-21.58.

It was reported in national media - including TV - that the police had successfully broken the encryption. This, it seems, is not the case. The police have managed to find the passwords of the five encrypted computers. The information concerning the successful decryption of the five computers protected with Safeguard Easy was presented in court by chief prosecutor Poul Gade. The investigation is led by the chief of police in Holstebro, Jens Kaasgaard.

I have just interviewed Jens Kaasgaard. He says:

'To avoid misunderstandings, we haven't broken Safeguard by technically breaking down the encryption. We have located the passwords in different ways. We have done it like any hacker would have done, by trying to figure out the most probable passwords. This has paid off in five cases.'

'After doing that we entered the document parts, the hard disk of the computer. Here we found some of the files unencrypted and other files further encrypted.'

'When you use Safeguard you put a sort of shell around your data. This is the first part you need to enter. This is what is claimed to be impossible. It is impossible. We have had six private companies looking at this, and they have all failed.'

'We have used completely ordinary police investigation methods. We know precisely who has had access to the encrypted machines. Then we can start assessing probabilities and calculate upon this and set up models for how, if you were a hacker, you'd find your way into the machines. That's what we have done.'

You did this yourself? 'Yes. We did this inside the police system.'

To conclude: Be careful when you choose your password.

Bo Elkjaer [Bo Elkjaer via risks-digest Volume 21, Issue 59]

Possibility of a Warhol Worm: Complete infection in 15 minutes!

Michael Constant and I have performed a basic analysis of a possible worst-case virulence for an active worm like Code Red. By simply changing the infection strategy, a "Warhol Worm" could be developed, able to infect all vulnerable machines in 15 minutes from the moment of initial infection of a single machine!

http://www.cs.berkeley.edu/~nweaver/warhol.html

Nicholas Weaver, nweaver@cs.berkeley.edu

[And in case you have not heard, Code Red III is now operating. PGN] http://news.cnet.com/news/0-1003-200-6835996.html

["Nicholas C. Weaver" via risks-digest Volume 21, Issue 59]

Danish police break "Safeguard" encryption program in tax case

[From the cryptography mailing list. --Declan; lightly-PGN-ed for RISKS]

> Date: Tue, 7 Aug 2001 22:51:08 +0200
> From: bo.elkjaer@eb.dk
> Subject: Utimaco's Safeguard Easy broken by Danish police in tax evasion case

> The German encryption program Safeguard Easy has been broken by the Danish
> police. Today the police from the city Holstebro in Jutland presented
> evidence in court, that was provided after breaking the encryption on five
> out of sixteen computers that were seized April 25 this year.

> All 16 computers were protected with Safeguard Easy from the German
> encryption provider Utimaco. It is not known whether DES, 128-bit IDEA,
> Blowfish or Stealth was used as algorithm on the computers. All four
> algorithms are built in Safeguard Easy. Details are sparse. It is not
> known how the encryption was broken, whether it was brute forced or flaws
> in the program were exploited.

> The computers were seized from the humanitarian (left-wing) foundation
> Tvind (Humana) in connection with a case about tax evasion. Among the
> evidence provided from the encrypted computers were e-mails sent among the
> leaders of the foundation, Poul Jorgensen and Mogens Amdi Petersen,
> describing transfers of large sums of money.

> Apparently, but not confirmed, British Scotland Yard has been involved in
> breaking the encryption. The Danish police don't have the capacity to
> break encryption by themselves. Neither has the Danish civilian
> intelligence service. Routine is that cases concerning encryption are
> handed over to the Danish defence intelligence service DDIS. This
> procedure has been described earlier this year by the Danish minister of
> justice in connection with another case. DDIS denies involvement with the
> Tvind case.

> Employees and leaders at Tvind have denied handing over their passwords to
> the computers. One even wrote a public letter mocking the chief of police
> in Holstebro, describing how he changed his password weekly, and stating
> that he'd probably even forgotten his password by now. At one time, the
> police considered putting employees in custody until passwords were handed
> over.

> Bo Elkjaer, Denmark

[followed by a response]

> Date: Tue, 7 Aug 2001 16:25:03 -0700 (PDT)
> From: "Jay D. Dyson"
> Subject: Re: Utimaco's Safeguard Easy broken by Danish police in tax evasion case

> If the OS used was Windows, it's quite likely that the plaintext and/or
> passphrases were recovered in the Windows swap file. Barring OS
> considerations, it's also possible that the police put a keystroke logger
> on the system, just as the FBI here in the States did with an organized
> crime suspect.

> My gut sense is that, since only five of sixteen systems were "cracked,"
> it seems likely that it was the swap file that let the cat out of the bag.
> Even so, a flaw in the cryptosystem should be investigated and proven or
> ruled out.

> Let us not also forget that people can be pressured to divulge
> passphrases. Rubber-hose cryptanalysis isn't just a humorous concept.

> Jay D. Dyson - jdyson@treachery.net

FROM POLITECH -- Declan McCullagh's politics and technology mailing list. You may redistribute this message freely if you include this notice. To subscribe, visit http://www.politechbot.com/info/subscribe.html This message is archived at http://www.politechbot.com/

[Declan McCullagh via risks-digest Volume 21, Issue 58]

The risks of not verifying e-mail addresses

A colleague of mine recently received the following e-mail, apropos nothing:

> Date: Wed, 8 Aug 2001 16:41:07 +0530
> From: HDFC Bank Support
> To: [name elided] <[address elided]>
> Subject: " Welcome to HDFC Bank. "
>
> This is an auto-generated mail. Please do not reply to it.
> Dear Customer,
> Thank you for opening an account with us.
> We have received your account opening form and opened an account as
> per the details mentioned below.
> You can now access all your accounts from any of our branches across
> the country. To give you quick access to all your accounts with us, we
> have generated a Customer Identification Number (Customer ID No.). All
> your accounts are linked to this number, and you only need to quote
> this number to our Personal Bankers or Tellers for any help you
> may require.
> Your Customer ID No. is [number elided].
> The Account details are:
> Account Number: [number elided]
> Primary Account Holder: [name elided]
> The Welcome Letter is being sent to you separately by mail.
[snip]

They sent a real account name, account number and customer ID to a complete stranger on the basis of a new user's registration information, without first validating it in any way. The user in this case had /almost/ got his email address right - only the Top Level Domain was incorrect.

On informing the bank of their error they claimed "The information we send across to across e mail is limited hence the possibility of misuse is not possible".

The risks are obvious.

Doug Winter, CTO, Business Europe, 3 Waterhouse Square, Holborn Bars, 142 Holborn, London EC1N 2NX +44 (0)20 7961 0341 dwinter@businesseurope.com [Doug Winter via risks-digest Volume 21, Issue 60]
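A registration flow that withholds account details until the address is confirmed and the applicant also presents a code from a separate channel (the postal welcome letter the bank's mail mentions). This is an added example, not the bank's code or part of the RISKS post; the URL, the in-memory store and the postal-code mechanism are assumptions.

```python
"""Never e-mail account details to an address that has not been verified.
Hypothetical example: names, URL and in-memory store are assumptions."""
import hmac
import secrets
import time
from typing import Optional

# Hypothetical in-memory store of pending registrations, keyed by link token.
_pending: dict = {}

def register(address: str, customer_id: str, account_no: str, ttl: int = 48 * 3600) -> dict:
    """Start a registration. The returned e-mail is the ONLY thing sent to the
    still-unverified address: a confirmation link carrying no account data.
    The postal code is returned for the demo; a real system prints it into the
    paper welcome letter and never puts it in any e-mail."""
    token = secrets.token_urlsafe(24)                 # unguessable link token
    postal_code = f"{secrets.randbelow(10**8):08d}"   # one-time code for the letter
    _pending[token] = {"address": address, "customer_id": customer_id,
                       "account_no": account_no, "postal_code": postal_code,
                       "expires": time.time() + ttl}
    email = {"to": address,
             "subject": "Please confirm your e-mail address",
             "body": f"Confirm at https://bank.example/verify?token={token}"}
    # Guard: the confirmation mail must not leak what the bank in the post leaked.
    assert customer_id not in email["body"] and account_no not in email["body"]
    return {"email": email, "postal_code": postal_code}

def verify(token: str, postal_code: str) -> Optional[dict]:
    """Release details only when the link token AND the postal code match.
    A stranger who merely received the e-mail (mistyped TLD) cannot finish this.
    A real deployment also rate-limits attempts on the 8-digit code."""
    rec = _pending.get(token)
    if rec is None or time.time() > rec["expires"]:
        return None
    if not hmac.compare_digest(rec["postal_code"], postal_code):
        return None                                   # wrong code: disclose nothing
    rec = _pending.pop(token)                         # token is single-use
    return {"to": rec["address"],
            "body": f"Your Customer ID is {rec['customer_id']}; account {rec['account_no']}"}

def demo() -> bool:
    """Constructed run: a mistyped address gets the link but never the details."""
    out = register("customer@example.co", "CUST-0001", "ACC-1234")  # TLD typo as in the post
    token = out["email"]["body"].split("token=")[1]
    leaked = verify(token, "00000000")         # stranger guessing a code: None
    real = verify(token, out["postal_code"])   # applicant holding the letter: details
    return leaked is None and real is not None and "ACC-1234" in real["body"]
```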


Maximillian Dornseif, 2002.