Schneier on Security

A blog covering security and security technology.

Friday Squid Blogging: Preserving Your Giant Squid

Plastination:

For several years von Hagens and his team experimented using smaller squid, and found that the fragility of the skin needed a slower replacement process than other animal specimens.

Some 1500 litres of silicone later, the plastination of the giant cephalopods was completed in January.

Posted on March 19, 2010 at 4:47 PM • 1 Comments

Bringing Lots of Liquids on a Plane at Schiphol

This would worry me, if the liquid ban weren't already useless.

The reporter found the security flaw in the airport's duty-free shopping system. At Schiphol airport, passengers flying to countries outside the Schengan Agreement Area can buy bottles of alcohol at duty-free shops before going through security. They are then permitted to take these bottles onto flights, provided that they have the bottles sealed at the shop.

Mr Stegeman bought a bottle, emptied it and refilled it with another liquid. After that he returned to the same shop and 'bought' the refilled bottle again. The shop sealed the bottle in a bag, allowing him to take it with him through security and onto a London-bound flight. In London, he transferred planes and carried the bottle onto a flight to Washington DC.

The flaw, of course, is the assumption that bottles bought at a duty-free shop actually come from the duty-free shop.

But note that 1) it's the same airport as underwear bomber, 2) reporter is known for trying to defeat airport security, and 3) body scanners would have made no difference.

Watch the TV program here.

Posted on March 19, 2010 at 12:58 PM • 34 Comments

Security Trade-Offs and Sacred Values

Interesting research:

Psychologist Jeremy Ginges and his colleagues identified this backfire effect in studies of the Israeli-Palestinian conflict in 2007. They interviewed both Israelis and Palestinians who possessed sacred values toward key issues such as ownership over disputed territories like the West Bank or the right of Palestinian refugees to return to villages they were forced to leave—these people viewed compromise on these issues completely unacceptable. Ginges and colleagues found that individuals offered a monetary payout to compromise their values expressed more moral outrage and were more supportive of violent opposition toward the other side. Opposition decreased, however, when the other side offered to compromise on a sacred value of its own, such as Israelis formerly renouncing their right to the West Bank or Palestinians formally recognizing Israel as a state. Ginges and Scott Atran found similar evidence of this backfire effect with Indonesian madrassah students, who expressed less willingness to compromise their belief in sharia, strict Islamic law, when offered a material incentive.

[...]

After giving their opinions on Iran’s nuclear program, all participants were asked to consider one of two deals for Iranian disarmament. Half of the participants read about a deal in which the United States would reduce military aid to Israel in exchange for Iran giving up its military program. The other half of the participants read about a deal in which the United States would reduce aid to Israel and would pay Iran $40 billion. After considering the deal, all participants predicted how much the Iranian people would support the deal and how much anger they would feel toward the deal. In line with the Palestinian-Israeli and Indonesian studies, those who considered the nuclear program a sacred value expressed less support, and more anger, when the deal included money.

Posted on March 19, 2010 at 6:58 AM • 34 Comments

Disabling Cars by Remote Control

Who didn't see this coming?

More than 100 drivers in Austin, Texas found their cars disabled or the horns honking out of control, after an intruder ran amok in a web-based vehicle-immobilization system normally used to get the attention of consumers delinquent in their auto payments.

[...]

Ramos-Lopez’s account had been closed when he was terminated from Texas Auto Center in a workforce reduction last month, but he allegedly got in through another employee’s account, Garcia says. At first, the intruder targeted vehicles by searching on the names of specific customers. Then he discovered he could pull up a database of all 1,100 Auto Center customers whose cars were equipped with the device. He started going down the list in alphabetical order, vandalizing the records, disabling the cars and setting off the horns.

Posted on March 18, 2010 at 7:41 AM • 55 Comments

Casino Hack

Nice hack:

Using insider knowledge the two hacked into software that controlled remote betting machines on live roulette wheels, the report said.

The machines would print out winning betting slips regardless of the results on the wheel, Peterborough Today said.

I'd like to know how they got caught.

EDITED TO ADD (4/17): They got their math wrong:

However, the scheme came unstuck after an alert cashier noticed a winning slip for £600 for a £10 bet at odds of 35-1. The casino launched an investigation that unearthed a string of other suspicious bets, traced back to Ashley and Bhagat, IT contractors working at the casino at the time of the scam.

Posted on March 17, 2010 at 6:33 AM • 54 Comments

Secret Questions

Interesting research:

Analysing our data for security, though, shows that essentially all human-generated names provide poor resistance to guessing. For an attacker looking to make three guesses per personal knowledge question (for example, because this triggers an account lock-down), none of the name distributions we looked at gave more than 8 bits of effective security except for full names. That is, about at least 1 in 256 guesses would be successful, and 1 in 84 accounts compromised. For an attacker who can make more than 3 guesses and wants to break into 50% of available accounts, no distributions gave more than about 12 bits of effective security. The actual values vary in some interesting ways-South Korean names are much easier to guess than American ones, female first names are harder than male ones, pet names are slightly harder than human names, and names are getting harder to guess over time.

I've written about this problem.

Posted on March 16, 2010 at 6:44 AM • 60 Comments

USB Combination Lock

Here's a promotional security product designed by someone who knows nothing about security. The USB drive is "protected" by a combination lock. There are only two dials, so there are only 100 possible combinations. And when the drive is "locked" and the connector is retracted, the contact are still accessible.

Maybe it should be given away by companies that sell security theater.

Posted on March 15, 2010 at 1:59 PM • 57 Comments

Typosquatting

"Measuring the Perpetrators and Funders of Typosquatting," by Tyler Moore and Benjamin Edelman:

Abstract. We describe a method for identifying "typosquatting", the intentional registration of misspellings of popular website addresses. We estimate that at least 938 000 typosquatting domains target the top 3 264 .com sites, and we crawl more than 285 000 of these domains to analyze their revenue sources. We find that 80% are supported by pay-per-click ads often advertising the correctly spelled domain and its competitors.Another 20% include static redirection to other sites. We present an automated technique that uncovered 75 otherwise legitimate websites which benefited from direct links from thousands of misspellings of competing websites. Using regression analysis, we find that websites in categories with higher pay-per-click ad prices face more typosquatting registrations, indicating that ad platforms such as Google AdWords exacerbate typosquatting. However, our investigations also confirm the feasibility of signicantly reducing typosquatting. We find that typosquatting is highly concentrated: Of typo domains showing Google ads, 63% use one of five advertising IDs, and some large name servers host typosquatting domains as much as four times as often as the web as a whole.

The paper appeared at the Financial Cryptography conference this year.

Posted on March 15, 2010 at 6:13 AM • 41 Comments

Friday Squid Blogging: Cipherlopods

This makes no sense to me, even though -- I suppose -- it's a squid cryptography joke.

Posted on March 12, 2010 at 4:21 PM • 16 Comments

Another Schneier Interview

This one on simple-talk.com.

Posted on March 12, 2010 at 1:19 PM • 1 Comments

Why DRM Doesn't Work

Funny comic.

Posted on March 12, 2010 at 11:31 AM • 30 Comments

More Hollow Coins

A hollowed-out U.S. nickel can hold a microSD card. Pound and euro coins are also available. I blogged about this about a year ago as well.

Posted on March 12, 2010 at 6:58 AM • 36 Comments

Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.