1996-02-05 - Re: FV’s blatant double standards

Header Data

From: John Pettitt <jpp@software.net>
To: nit@chron.com
Message Hash: 953e058372efd3433be6367eca6dee0a320fce37ea05680393b2481329ac7754
Message ID: <2.2.32.19960205213944.0109c138@mail.software.net>
Reply To: N/A
UTC Datetime: 1996-02-05 22:22:28 UTC
Raw Date: Tue, 6 Feb 1996 06:22:28 +0800

Raw message

From: John Pettitt <jpp@software.net>
Date: Tue, 6 Feb 1996 06:22:28 +0800
To: nit@chron.com
Subject: Re: FV's blatant double standards
Message-ID: <2.2.32.19960205213944.0109c138@mail.software.net>
MIME-Version: 1.0
Content-Type: text/plain


At 09:26 AM 2/4/96 -0500, Simson L. Garfinkel wrote:
>At 8:18 AM 1/31/96, Rishab Aiyer Ghosh wrote:
>>FV demonstrated, through it's "card sharp" or whatever, that
>>real-time transactions are vulnerable to sniffers on the recipient's
>>own machine. Of course. We all knew that. But the mistake is to
>>assume that FV isn't _equally_ vulnerable to that threat. If you
>>can write a trojan that will somehow get privileged access to my
>>machine, trap my keystrokes, and identify my credit card number,
>>you can certainly write one that will, sitting on my machine:
>>    "intercept the user's electronic mail, read the confirmation
>>    message from First Virtual's computers, and send out a fraudulent
>>    reply"
>>(to quote from Simson's article). Simson further quotes FV's Lee
>>Stein: "A single user can be targeted, Stein said, but ''it is very
>>difficult. . . . There are too many packets moving . . . to too many
>>different machines.''" - which is of course equally true for real-time
>>Netscape transactions.
>
>Oh, I think that such a program can be written. However, it would be much
>harder to get right, considering all of the different ways that people read
>e-mail.
>
>
The code looks something like this:

1) hook into the winsock and look for an FV message in the web data stream,
save the ID.

2) now look for an approve/deny/fraud, when you see one you know that the
user uses 
an IP connection for mail and web.

3) Forward the ID to an anon box.

4) Look for outbound FV messages with 'fraud' or 'deny' and change to 'approve'.

Clearly this will miss AOL, CI$ etc al but thats not important.

The issue is not FV noticing the error, they will, it's how long it takes
 and how much you can steal in the interim.

There is a Helen Keller quote I'm rather fond of which starts:
 "Security is mostly a superstition ..."

  *If the machine is not secure all bets are off*

The most likly failure vector for this attack is that so few people use FV :-)







John Pettitt, jpp@software.net
VP Engineering, CyberSource Corporation, 415 473 3065
 "Technology is a way of organizing the universe so that man
  doesn't have to experience it." - Max Frisch






Thread