Bruce Schneier
Schneier on Security
A blog covering security and security technology.

Casino Hack

Nice hack:

Using insider knowledge the two hacked into software that controlled remote betting machines on live roulette wheels, the report said.

I'd like to know how they got caught.

EDITED TO ADD (4/17): They got their math wrong:

However, the scheme came unstuck after an alert cashier noticed a winning slip for £600 for a £10 bet at odds of 35-1. The casino launched an investigation that unearthed a string of other suspicious bets, traced back to Ashley and Bhagat, IT contractors working at the casino at the time of the scam.

Posted on March 17, 2010 at 6:33 AM • 28 Comments

Secret Questions

Interesting research:

Analysing our data for security, though, shows that essentially all human-generated names provide poor resistance to guessing. For an attacker looking to make three guesses per personal knowledge question (for example, because this triggers an account lock-down), none of the name distributions we looked at gave more than 8 bits of effective security except for full names. That is, about at least 1 in 256 guesses would be successful, and 1 in 84 accounts compromised. For an attacker who can make more than 3 guesses and wants to break into 50% of available accounts, no distributions gave more than about 12 bits of effective security. The actual values vary in some interesting ways: South Korean names are much easier to guess than American ones, female first names are harder than male ones, pet names are slightly harder than human names, and names are getting harder to guess over time.

I've written about this problem.

Posted on March 16, 2010 at 6:44 AM • 57 Comments

USB Combination Lock

Here's a promotional security product designed by someone who knows nothing about security. The USB drive is "protected" by a combination lock. There are only two dials, so there are only 100 possible combinations.
And when the drive is "locked" and the connector is retracted, the contacts are still accessible. Maybe it should be given away by companies that sell security theater.

Posted on March 15, 2010 at 1:59 PM • 52 Comments

Typosquatting

"Measuring the Perpetrators and Funders of Typosquatting," by Tyler Moore and Benjamin Edelman:

Abstract. We describe a method for identifying "typosquatting", the intentional registration of misspellings of popular website addresses. We estimate that at least 938 000 typosquatting domains target the top 3 264 .com sites, and we crawl more than 285 000 of these domains to analyze their revenue sources. We find that 80% are supported by pay-per-click ads often advertising the correctly spelled domain and its competitors. Another 20% include static redirection to other sites. We present an automated technique that uncovered 75 otherwise legitimate websites which benefited from direct links from thousands of misspellings of competing websites. Using regression analysis, we find that websites in categories with higher pay-per-click ad prices face more typosquatting registrations, indicating that ad platforms such as Google AdWords exacerbate typosquatting. However, our investigations also confirm the feasibility of significantly reducing typosquatting. We find that typosquatting is highly concentrated: Of typo domains showing Google ads, 63% use one of five advertising IDs, and some large name servers host typosquatting domains as much as four times as often as the web as a whole.

The paper appeared at the Financial Cryptography conference this year.

Posted on March 15, 2010 at 6:13 AM • 40 Comments

Friday Squid Blogging: Cipherlopods

This makes no sense to me, even though -- I suppose -- it's a squid cryptography joke.

Posted on March 12, 2010 at 4:21 PM • 16 Comments

Another Schneier Interview

This one on simple-talk.com.

Posted on March 12, 2010 at 1:19 PM • 1 Comment

Why DRM Doesn't Work

Funny comic.
Posted on March 12, 2010 at 11:31 AM • 30 Comments

More Hollow Coins

A hollowed-out U.S. nickel can hold a microSD card. Pound and euro coins are also available. I blogged about this about a year ago as well.

Posted on March 12, 2010 at 6:58 AM • 36 Comments

Wikibooks Cryptography Textbook

Over at Wikibooks, they're trying to write an open source cryptography textbook.

Posted on March 11, 2010 at 12:26 PM • 23 Comments

Wanted: Trust Detector

It's good to dream:

IARPA's five-year plan aims to design experiments that can measure trust with high certainty -- a tricky proposition for a psychological study. Developing such experimental protocols could prove very useful for assessing levels of trust within one-on-one talks, or even during group interactions.

IARPA is the Intelligence Advanced Research Projects Activity, the U.S. intelligence community's answer to DARPA.

Posted on March 11, 2010 at 6:17 AM • 44 Comments

Nose Biometrics

Since they are hard to conceal, the study says, noses would work well for identification in covert surveillance.

Posted on March 10, 2010 at 1:47 PM • 42 Comments

The Limits of Identity Cards

Good legal paper on the limits of identity cards: Stephen Mason and Nick Bohm, "Identity and its Verification," in Computer Law & Security Review, Volume 26, Number 1, Jan 2010.

Those faced with the problem of how to verify a person's identity would be well advised to ask themselves the question, 'Identity with what?' An enquirer equipped with the answer to this question is in a position to tackle, on a rational basis, the task of deciding what evidence will be useful for the purpose. Without the answer to the question, the verification of identity becomes a sadly familiar exercise in blind compliance with arbitrary rules.

Posted on March 10, 2010 at 7:09 AM • 51 Comments
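The Secret Questions post above quotes "bits of effective security" for a three-guess attacker and for an attacker who wants half of all accounts. The following is an added example, not code from the paper or from this blog, that makes those numbers concrete: it takes a list of answers, builds the answer-popularity distribution, and computes the two guessing metrics the figures are stated in (the beta-success-rate, i.e. the fraction of accounts broken with the beta most popular answers, and the alpha-work-factor, i.e. the number of guesses needed to break a fraction alpha of accounts). Each is converted to bits by comparing with a uniform distribution of the same strength; under that conversion 8 bits with three guesses is a 1-in-256 chance per guess and roughly one account in 85 compromised, the figures in the quote. The conversion formulas, the function names and the Zipf-shaped sample are assumptions made for this example; the name counts are constructed, not real data.

```python
"""Effective security of a personal-knowledge-question answer distribution.

Added example (not the paper's or the blog's code). Metric definitions and the
bits conversion are assumptions for this example; sample data is constructed.
"""
import math
from collections import Counter
from typing import Iterable, List


def answer_distribution(answers: Iterable[str]) -> List[float]:
    """Probability of each distinct answer (case-folded), most common first."""
    counts = Counter(a.strip().lower() for a in answers)
    total = sum(counts.values())
    return sorted((c / total for c in counts.values()), reverse=True)


def beta_success_rate(probs: List[float], beta: int) -> float:
    """lambda_beta: fraction of accounts an optimal attacker breaks with beta
    guesses per account (it simply tries the beta most popular answers)."""
    return sum(probs[:beta])


def alpha_work_factor(probs: List[float], alpha: float) -> int:
    """mu_alpha: number of most-popular-first guesses needed before a fraction
    alpha of all accounts has been broken."""
    covered = 0.0
    for guesses, p in enumerate(probs, start=1):
        covered += p
        if covered >= alpha:
            return guesses
    return len(probs)


def effective_bits_beta(probs: List[float], beta: int) -> float:
    """Bits for the beta-guess attacker (assumed conversion): a uniform
    distribution over 2^k answers gives lambda_beta = beta / 2^k, so
    k = log2(beta / lambda_beta)."""
    return math.log2(beta / beta_success_rate(probs, beta))


def effective_bits_alpha(probs: List[float], alpha: float) -> float:
    """Bits for the alpha-work attacker (assumed conversion): a uniform
    distribution over 2^k answers needs alpha * 2^k guesses, so
    k = log2(mu_alpha / alpha)."""
    return math.log2(alpha_work_factor(probs, alpha) / alpha)


def zipf_answers(n_distinct: int, n_accounts: int, s: float = 1.0) -> List[str]:
    """Constructed sample: answers for n_accounts users drawn deterministically
    from a Zipf-like popularity curve over n_distinct names (name_1 most common).
    Real name distributions are roughly this shape, which is why a few guesses
    cover so many accounts."""
    weights = [1.0 / (rank ** s) for rank in range(1, n_distinct + 1)]
    z = sum(weights)
    answers = []
    for rank, w in enumerate(weights, start=1):
        answers.extend([f"name_{rank}"] * round(n_accounts * w / z))
    return answers


def summarize(answers: Iterable[str], beta: int = 3, alpha: float = 0.5) -> dict:
    """Both metrics, in raw form and in bits, for one answer population."""
    probs = answer_distribution(answers)
    return {
        "distinct": len(probs),
        "lambda_beta": beta_success_rate(probs, beta),
        "bits_beta": effective_bits_beta(probs, beta),
        "mu_alpha": alpha_work_factor(probs, alpha),
        "bits_alpha": effective_bits_alpha(probs, alpha),
    }


if __name__ == "__main__":
    # 256 equally likely answers: the uniform baseline scores exactly 8 bits.
    print(summarize(str(i) for i in range(256)))
    # A Zipf-shaped population of 1000 names scores far lower than its
    # 10-bit nominal size, which is the quoted result in miniature.
    print(summarize(zipf_answers(1000, 10000)))
```

The lock-out attacker and the bulk attacker are scored separately because a distribution can be tolerable against one and hopeless against the other: a handful of very common answers hurts the three-guess figure, while a long flat tail of rare answers is what makes the 50%-of-accounts figure hard to reach.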
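The Typosquatting post above is about domains that are deliberate misspellings of popular sites. Finding them for a given target starts with enumerating the misspellings a typist is likely to produce. The following is an added example, not the method or code of Moore and Edelman's paper or of this blog: it generates candidate typo domains for one target in the usual single-keystroke classes (dropped character, swapped neighbours, doubled character, adjacent-key substitution, and the missing dot after "www") and classifies an observed domain by which class produces it. The QWERTY row layout, the choice of typo classes, the function names and the sample domains are assumptions for this example; nothing here performs DNS or WHOIS lookups, which is the step that would follow on the candidate list.

```python
"""Enumerate the misspellings a typosquatter might register for a domain.

Added example (not the paper's or the blog's code). Keyboard layout, typo
classes and sample inputs are assumptions for this example; no network I/O.
"""
from typing import Dict, Optional, Set

# Assumed QWERTY rows, used for "fat-finger" substitutions of horizontal neighbours.
_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]


def _neighbors(ch: str) -> Set[str]:
    """Keys immediately left and right of ch on the assumed layout."""
    for row in _ROWS:
        i = row.find(ch)
        if i >= 0:
            return {row[j] for j in (i - 1, i + 1) if 0 <= j < len(row)}
    return set()


def typo_candidates(domain: str) -> Dict[str, Set[str]]:
    """Map each typo class to the candidate domains it yields for a two-part
    name like 'example.com'. Only the label is mutated; the suffix stays fixed,
    since squatters target the name people type, not the TLD."""
    domain = domain.lower().strip()
    label, dot, suffix = domain.partition(".")
    if not dot or len(label) < 2:
        raise ValueError("expected a two-part name such as example.com")

    raw: Dict[str, Set[str]] = {
        k: set() for k in ("omission", "transposition", "repetition", "substitution", "www")
    }
    for i, ch in enumerate(label):
        # Dropped character: "exmple"
        raw["omission"].add(label[:i] + label[i + 1:])
        # Doubled character: "exaample"
        raw["repetition"].add(label[:i] + ch + label[i:])
        # Adjacent key hit instead: "wxample", "rxample"
        for n in _neighbors(ch):
            raw["substitution"].add(label[:i] + n + label[i + 1:])
        # Two neighbouring characters swapped: "exmaple" (skip equal pairs)
        if i + 1 < len(label) and label[i] != label[i + 1]:
            raw["transposition"].add(label[:i] + label[i + 1] + label[i] + label[i + 2:])
    # Dot after www dropped: "wwwexample.com"
    raw["www"].add("www" + label)

    return {k: {f"{c}.{suffix}" for c in v if c != label} for k, v in raw.items()}


def all_candidates(domain: str) -> Set[str]:
    """Flat set of every candidate across all classes."""
    return set().union(*typo_candidates(domain).values())


def classify(observed: str, target: str) -> Optional[str]:
    """Name of the typo class that turns target into observed, or None if the
    observed domain is not a one-keystroke misspelling of the target."""
    observed = observed.lower().strip()
    for cls, cands in typo_candidates(target).items():
        if observed in cands:
            return cls
    return None


if __name__ == "__main__":
    # Constructed sample of observed registrations to test against one target.
    observed = ["exmaple.com", "examplle.com", "wwwexample.com", "exampel.com", "google.com"]
    for d in observed:
        print(f"{d:20s} -> {classify(d, 'example.com')}")
```

In practice the candidate list is fed to a registration check (DNS resolution or zone-file lookups) and the resolving names are then crawled for ads or redirects, which is the revenue analysis the abstract describes; the generator above only supplies the first step, and for long labels the substitution class dominates the candidate count.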
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.