Bruce Schneier

Schneier on Security

A blog covering security and security technology.

May 2006 Archives

Common Passwords

From a list of 100,000 passwords for a German dating site, we learn that 123456 works 1.4% of the time and that 2.5% of all passwords begin with 1234.

Interesting.

Posted on May 31, 2006 at 02:17 PM


UK Report on July 7th Terrorist Bombings

About the Intelligence and Security Committee:

Parliamentary oversight of SIS, GCHQ and the Security Service is provided by the Intelligence and Security Committee (ISC), established by the Intelligence Services Act 1994. The Committee examines the expenditure, administration and policy of the three Agencies. It operates within the ‘ring of secrecy’ and has wide access to the range of Agency activities and to highly classified information. Its cross-party membership of nine from both Houses is appointed by the Prime Minister after consultation with the Leader of the Opposition. The Committee is required to report annually to the Prime Minister on its work. These reports, after any deletions of sensitive material, are placed before Parliament by the Prime Minister. The Committee also provides ad hoc reports to the Prime Minister from time to time. The Chairman of the Intelligence and Security Committee is the Right Honourable Paul Murphy. The Committee is supported by a Clerk and secretariat in the Cabinet Office and can employ an investigator to pursue specific matters in greater detail.

They have released the "Intelligence and Security Committee Report into the London Terrorist Attacks on 7 July 2005," and the UK government has issued a response.

Posted on May 31, 2006 at 11:19 AM


Data Mining Software from IBM

In the long term, corporate data mining efforts are more of a privacy risk than government data mining efforts. And here's an off-the-shelf product from IBM:

IBM Entity Analytic Solutions (EAS) is unique identity disambiguation software that provides public sector organizations or commercial enterprises with the ability to recognize and mitigate the incidence of fraud, threat and risk. This IBM EAS offering provides insight on demand, and in context, on "who is who," "who knows who," and "anonymously."

This industry-leading, patented technology enables enterprise-wide identity insight, full attribution and self-correction in real time, and scales to process hundreds of millions of entities -- all while accumulating context about those identities. It is the only software in the market that provides in-context information regarding non-obvious and obvious relationships that may exist between identities and can do it anonymously to enhance privacy of information.

For most businesses and government agencies, it is important to figure out when a person is using more than one identity package (that is, name, address, phone number, social insurance number and other such personal attributes) intentionally or unintentionally. Identity resolution software can help determine when two or more different looking identity packages are describing the same person, even if the data is inconsistent. For example, by comparing names, addresses, phone numbers, social insurance numbers and other personal information across different records, this software might reveal that three customers calling themselves Tom R., Thomas Rogers, and T. Rogers are really just the same person.

It may also be useful for organizations to know with whom such a person associates. Relationship resolution software can process resolved identity data to find out whether people have worked for some of the same companies, for example. This would be useful to an organization that tracks down terrorists, but it can also help businesses such as banks, for example, to see whether the Hope Smith who just applied for a loan is related to Rock Smith, the account holder with a sterling credit rating.

Posted on May 31, 2006 at 06:52 AM


Trusting Windows

The security risks of Windows' hidden features.

Posted on May 30, 2006 at 03:43 PM


Solzhenitsyn Quote on Data and Privacy

As every man goes through life he fills in a number of forms for the record, each containing a number of questions... There are thus hundreds of little threads radiating from every man, millions of threads in all. If these threads were suddenly to become visible, the whole sky would look like a spider's web, and if they materialized as rubber bands, buses, trams and even people would all lose the ability to move, and the wind would be unable to carry torn-up newspapers or autumn leaves along the streets of the city. They are not visible, they are not material, but every man is constantly aware of their existence.... Each man, permanently aware of his own invisible threads, naturally develops a respect for the people who manipulate the threads.

     --Alexander Solzhenitsyn, Cancer Ward, 1968.


Posted on May 30, 2006 at 10:55 AM


Report from the Future: UK National Identity Register News

From Charlie Stross: "A report on the state of the National Identity Register, May 2016".

Posted on May 30, 2006 at 05:31 AM


Aircraft Locator a "Terrorist's Dream"

The movie plots keep coming and coming. Here's my nomination for dumb movie plot of this week:

Skies 'now terrorist's dream'

Australia's proposed new aviation tracking system would make it easier for terrorists to locate aircraft, aviation campaigner Dick Smith said today.

Mr Smith said a plan by Airservices Australia to replace radar tracking of planes with the Automatic Dependent Surveillance Broadcast (ADS-B) system would allow terrorists to track every aircraft in the sky.

"Government policy using conventional radar makes it almost impossible for a terrorist or a criminal to locate the position and identity of an aircraft," Mr Smith said.

"With ADS ­ B it's the opposite because all you need to track every aircraft is a small, non-directional aerial, worth $5."

Under the present system, a terrorist can locate the position of an aircraft by looking up. And if a terrorist is smart enough to perform this intelligence-gathering exercise near an airport, he can locate the position of aircraft that are low to the ground, and easier to shoot at with missiles. Why are we worrying about telling terrorists where all the high-altitude hard-to-hit planes are?

Now I can invent a movie plot that has the terrorists needing to shoot down a particular plane because this or that famous personage is on it, but that's a bit much.

Posted on May 29, 2006 at 12:00 PM


TrueCrypt

On-the-fly encryption with plausible deniability.

Posted on May 29, 2006 at 07:32 AM


Friday Squid Blogging: Ask the Giant Squid

Seems that this has been going on for years.

Posted on May 26, 2006 at 04:44 PM


A Robotic Bill of Rights

Asimov's Three Laws of Robotics are a security device, protecting humans from robots:

1) A robot may not harm a human being, or, through inaction, allow a human being to come to harm.

2) A robot must obey the orders given to it by human beings, except where such orders would conflict with the First Law.

3) A robot must protect its own existence, as long as such protection does not conflict with the First or Second Law.

In an interesting blog post, Greg London wonders if we also need explicit limitations on those laws: a Robotic Bill of Rights. Here are his suggestions:

First amendment: A robot will act as an agent representing its owner's best interests.

Second amendment: A robot will not hide the execution of any order from its owner.

Third amendment: A robot will not perform any order that would be against its owner's standing orders.

Fourth amendment: The robot's standing orders can only be overridden by the robot's owner.

Fifth amendment: A robot's execution of any of its orders can be halted by the robot's owner.

Sixth amendment: Any standing orders in a robot can be overridden by the robot's owner.

Seventh amendment: A robot will not perform any order issued by anyone other than its owner without explicitly informing its owner of the order, the effects the order would have, and who issued the order, and then getting the owner's permission to execute the order.

I haven't thought enough about this to know if these seven amendments are both necessary and sufficient, but it's a fascinating topic of discussion.

Posted on May 26, 2006 at 12:17 PM


Dangers of Reporting a Computer Vulnerability

This essay makes the case that there is no way to safely report a computer vulnerability.

The first reason is that whenever you do something “unnecessary”, such as reporting a vulnerability, police wonder why, and how you found out. Police also wonder if you found one vulnerability, could you have found more and not reported them? Who did you disclose that information to? Did you get into the web site, and do anything there that you shouldn’t have? It’s normal for the police to think that way. They have to. Unfortunately, it makes it very uninteresting to report any problems.

A typical difficulty encountered by vulnerability researchers is that administrators or programmers often deny that a problem is exploitable or is of any consequence, and request a proof. This got Eric McCarty in trouble -- the proof is automatically a proof that you breached the law, and can be used to prosecute you! Thankfully, the administrators of the web site believed our report without trapping us by requesting a proof in the form of an exploit and fixed it in record time. We could have been in trouble if we had believed that a request for a proof was an authorization to perform penetration testing. I believe that I would have requested a signed authorization before doing it, but it is easy to imagine a well-meaning student being not as cautious (or I could have forgotten to request the written authorization, or they could have refused to provide it…). Because the vulnerability was fixed in record time, it also protected us from being accused of the subsequent break-in, which happened after the vulnerability was fixed, and therefore had to use some other means. If there had been an overlap in time, we could have become suspects.

Interesting essay, and interesting comments. And here's an article on the essay.

Remember, full disclosure is the best tool we have to improve security. It's an old argument, and I wrote about it way back in 2001. If people can't report security vulnerabilities, then vendors won't fix them.

EDITED TO ADD (5/26): Robert Lemos on "Ethics and the Eric McCarty Case."

Posted on May 26, 2006 at 07:35 AM


The Ultimate Net Monitoring Tool

You too can spy on the Internet, just like the NSA.

(And while we're on the topic, you really should read about the equipment the NSA installed at the AT&T switches. Wow.)

Posted on May 25, 2006 at 02:21 PM


Cheating on Tests

"How to Cheat Good."

Edit > Paste Special > Unformatted Text

This is my Number 1 piece of advice, even if it is numbered eight. When you copy things from the web into Word, ignoring #3 above, don't just "Edit > Paste" it into your document. When I am reading a document in black, Times New Roman, 12pt, and it suddenly changes to blue, Helvetica, 10pt (yes, really), I'm going to guess that something odd may be going on. This seems to happen in about 1% of student work turned in, and periodically makes me feel like becoming a hermit.

Posted on May 25, 2006 at 12:26 PM


Winkler on NSA Spying

Ira Winkler on why the NSA spying hurts security.

Posted on May 25, 2006 at 08:30 AM


Movie Clip Mistaken for Al Qaeda Video

Oops:

Reuters quoted a Pentagon official, Dan Devlin, as saying, "What we have seen is that any video game that comes out... (al Qaeda will) modify it and change the game for their needs."

The influential committee, chaired by Rep. Peter Hoekstra (R-MI), watched footage of animated combat in which characters depicted as Islamic insurgents killed U.S. troops in battle. The video began with the voice of a male narrator saying, "I was just a boy when the infidels came to my village in Blackhawk helicopters..."

Several GP readers immediately noticed that the voice-over was actually lifted from Team America: World Police, an outrageous 2004 satirical film produced by the creators of the popular South Park comedy series. At about the same time, gamers involved in the online Battlefield 2 community were pointing out the video footage shown to Congress was not a mod of BF2 at all, but standard game footage from EA's Special Forces BF2 add-on module, a retail product widely available in the United States and elsewhere.

Posted on May 24, 2006 at 02:14 PM


Counterfeit Electronics as a Terrorist Tool

Winning my award for dumb movie-plot threat of the week, here's someone who thinks that counterfeit electronics are a terrorist tool:

Counterfeit Electronics as Weapons of Mass Disruption?

Some customers may consider knockoff clothing and watches to be good values, but counterfeit electronics can be devastating. What would happen, then, if some criminal element bent on wreaking havoc and inducing public panic were to intentionally introduce such a bogus product into the electronics supply chain -- malfunctioning printed-circuit boards in a critical air-traffic-control system, say, or faulty parts into automobile braking systems? Even the suggestion that such an act had occurred might set off a wave of recalls and might ground suspect systems.

Gadzooks.

EDITED TO ADD (6/2): Here's another article:

"Many attacks of this kind would have two components. One would alter the process control system to produce a defective product. The other would alter the quality control system so that the defect wouldn't easily be detected," Borg says. "Imagine, say, a life-saving drug being produced and distributed with the wrong level of active ingredients. This could gradually result in large numbers of deaths or disabilities. Yet it might take months before someone figured out what was going on." The result, he says, would be panic, people afraid to visit hospitals and health services facing huge lawsuits.

Deadly scenarios could occur in industry, too. Online outlaws might change key specifications at a car factory, Borg says, causing a car to "burst into flames after it had been driven for a certain number of weeks". Apart from people being injured or killed, the car maker would collapse. "People would stop buying cars." A few such attacks, run simultaneously, would send economies crashing. Populations would be in turmoil. At the click of a mouse, the terrorists would have won.

Posted on May 24, 2006 at 11:57 AM


The Problems with Data Mining

Great op-ed in The New York Times on why the NSA's data mining efforts won't work, by Jonathan Farley, math professor at Harvard.

The simplest reason is that we're all connected. Not in the Haight-Ashbury/Timothy Leary/late-period Beatles kind of way, but in the sense of the Kevin Bacon game. The sociologist Stanley Milgram made this clear in the 1960's when he took pairs of people unknown to each other, separated by a continent, and asked one of the pair to send a package to the other -- but only by passing the package to a person he knew, who could then send the package only to someone he knew, and so on. On average, it took only six mailings -- the famous six degrees of separation -- for the package to reach its intended destination.

Looked at this way, President Bush is only a few steps away from Osama bin Laden (in the 1970's he ran a company partly financed by the American representative for one of the Qaeda leader's brothers). And terrorist hermits like the Unabomber are connected to only a very few people. So much for finding the guilty by association.

A second problem with the spy agency's apparent methodology lies in the way terrorist groups operate and what scientists call the "strength of weak ties." As the military scientist Robert Spulak has described it to me, you might not see your college roommate for 10 years, but if he were to call you up and ask to stay in your apartment, you'd let him. This is the principle under which sleeper cells operate: there is no communication for years. Thus for the most dangerous threats, the links between nodes that the agency is looking for simply might not exist.

(This, by him, is also worth reading.)

Posted on May 24, 2006 at 07:44 AM


El Al Doesn't Trust the TSA

They want to do security themselves at Newark Airport, as they already do at four other U.S. airports.

No other airline has such an arrangement with U.S. officials, authorities acknowledged. At the four other airports, El Al has installed its own security software at bomb-detection machines, which authorities said is more sensitive than that used by American carriers.

Posted on May 23, 2006 at 03:30 PM


Spammers Win One

Blue Security was an Israeli company that fought spam with spam:

Eran Reshef had an idea in the battle against spam e-mail that seemed to be working: he fought spam with spam. Today, he'll give up the fight.

Reshef's Silicon Valley company, Blue Security Inc., simply asked the spammers to stop sending junk e-mail to his clients. But because those sort of requests tend to be ignored, Blue Security took them to a new level: it bombarded the spammers with requests from all 522,000 of its customers at the same time.

That led to a flood of Internet traffic so heavy that it disrupted the spammers' ability to send e-mails to other victims -- a crippling effect that caused a handful of known spammers to comply with the requests.

Then, earlier this month, a Russia-based spammer counterattacked, Reshef said. Using tens of thousands of hijacked computers, the spammer flooded Blue Security with so much Internet traffic that it blocked legitimate visitors from going to Bluesecurity.com, as well as to other Web sites. The spammer also sent another message: Cease operations or Blue Security customers will soon find themselves targeted with virus-filled attacks.

Last week Blue Security gave up:

Wednesday, Blue Security said it had to give up because it couldn't sustain the fight against spammers. "Several leading spammers viewed [us] as a strategic threat to their spam business," Eran Reshef, Blue Security chief executive wrote in the message posted to the company's site.

"After recovering from the attack, we determined that once we reactivated the Blue Community, spammers would resume their attacks. We cannot take the responsibility for an ever-escalating cyber war through our continued operations.

"As much as it saddens us, we believe this is the responsible thing to do," said Reshef, who did not respond to an e-mail requesting additional comment. Later Wednesday, a spokesman said that the company would not be making any additional statements beyond the message on its site.

Another news article. And Marcus Ranum on Blue Security's idea.

Posted on May 23, 2006 at 12:58 PM


Smart Profiling from the DHS

About time:

Here's how it works: Select TSA employees will be trained to identify suspicious individuals who raise red flags by exhibiting unusual or anxious behavior, which can be as simple as changes in mannerisms, excessive sweating on a cool day, or changes in the pitch of a person's voice. Racial or ethnic factors are not a criterion for singling out people, TSA officials say. Those who are identified as suspicious will be examined more thoroughly; for some, the agency will bring in local police to conduct face-to-face interviews and perhaps run the person's name against national criminal databases and determine whether any threat exists. If such inquiries turn up other issues countries with terrorist connections, police officers can pursue the questioning or alert Federal counterterrorism agents. And of course the full retinue of baggage x-rays, magnetometers and other checks for weapons will continue.

Posted on May 23, 2006 at 06:20 AM


Diebold Doesn't Get It

This quote sums up nicely why Diebold should not be trusted to secure election machines:

David Bear, a spokesman for Diebold Election Systems, said the potential risk existed because the company's technicians had intentionally built the machines in such a way that election officials would be able to update their systems in years ahead.

"For there to be a problem here, you're basically assuming a premise where you have some evil and nefarious election officials who would sneak in and introduce a piece of software," he said. "I don't believe these evil elections people exist."

If you can't get the threat model right, you can't hope to secure the system.

Posted on May 22, 2006 at 03:22 PM


Coast Guard Solicits Hollywood to Help with Movie Plot Threats

Really:

Trying to avoid a failure of imagination in its uncharted new role, the agency has even called in screenwriters from Hollywood to help sketch terrorism situations.

"The biggest change is that the Coast Guard has gone from being an organization that ran when the bell went off to being a cop on the beat at all times," said Capt. Peter V. Neffenger, who recently gave up command of the port here for a position in Washington and who consulted with the screenwriters.

Anyone who's watched Hollywood's output in recent years knows that screenwriters aren't the most creative bunch of people on the planet. And anyway, they can have all of these ideas for free.

Posted on May 22, 2006 at 07:49 AM


Friday Squid Blogging: 1866 Parisienne Squid Fad

Started by Victor Hugo:

Hugo turned away from social/political issues in his next novel, Les Travailleurs de la Mer (Toilers of the Sea), published in 1866. Nonetheless, the book was well received, perhaps due to the previous success of Les Misérables. Dedicated to the channel island of Guernsey where he spent 15 years of exile, Hugo's depiction of Man's battle with the sea and the horrible creatures lurking beneath its depths spawned an unusual fad in Paris: Squids. From squid dishes and exhibitions, to squid hats and parties, Parisiennes became fascinated by these unusual sea creatures, which at the time were still considered by many to be mythical.

Posted on May 19, 2006 at 04:09 PM


The Value of Privacy

Last week, revelation of yet another NSA surveillance effort against the American people has rekindled the privacy debate. Those in favor of these programs have trotted out the same rhetorical question we hear every time privacy advocates oppose ID checks, video cameras, massive databases, data mining, and other wholesale surveillance measures: "If you aren't doing anything wrong, what do you have to hide?"

Some clever answers: "If I'm not doing anything wrong, then you have no cause to watch me." "Because the government gets to define what's wrong, and they keep changing the definition." "Because you might do something wrong with my information." My problem with quips like these -- as right as they are -- is that they accept the premise that privacy is about hiding a wrong. It's not. Privacy is an inherent human right, and a requirement for maintaining the human condition with dignity and respect.

Two proverbs say it best: Quis custodiet custodes ipsos? ("Who watches the watchers?") and "Absolute power corrupts absolutely."

Cardinal Richelieu understood the value of surveillance when he famously said, "If one would give me six lines written by the hand of the most honest man, I would find something in them to have him hanged." Watch someone long enough, and you'll find something to arrest -- or just blackmail -- with. Privacy is important because without it, surveillance information will be abused: to peep, to sell to marketers and to spy on political enemies -- whoever they happen to be at the time.

Privacy protects us from abuses by those in power, even if we're doing nothing wrong at the time of surveillance.

We do nothing wrong when we make love or go to the bathroom. We are not deliberately hiding anything when we seek out private places for reflection or conversation. We keep private journals, sing in the privacy of the shower, and write letters to secret lovers and then burn them. Privacy is a basic human need.

A future in which privacy would face constant assault was so alien to the framers of the Constitution that it never occurred to them to call out privacy as an explicit right. Privacy was inherent to the nobility of their being and their cause. Of course being watched in your own home was unreasonable. Watching at all was an act so unseemly as to be inconceivable among gentlemen in their day. You watched convicted criminals, not free citizens. You ruled your own home. It's intrinsic to the concept of liberty.

For if we are observed in all matters, we are constantly under threat of correction, judgment, criticism, even plagiarism of our own uniqueness. We become children, fettered under watchful eyes, constantly fearful that -- either now or in the uncertain future -- patterns we leave behind will be brought back to implicate us, by whatever authority has now become focused upon our once-private and innocent acts. We lose our individuality, because everything we do is observable and recordable.

How many of us have paused during conversation in the past four-and-a-half years, suddenly aware that we might be eavesdropped on? Probably it was a phone conversation, although maybe it was an e-mail or instant-message exchange or a conversation in a public place. Maybe the topic was terrorism, or politics, or Islam. We stop suddenly, momentarily afraid that our words might be taken out of context, then we laugh at our paranoia and go on. But our demeanor has changed, and our words are subtly altered.

This is the loss of freedom we face when our privacy is taken from us. This is life in former East Germany, or life in Saddam Hussein's Iraq. And it's our future as we allow an ever-intrusive eye into our personal, private lives.

Too many wrongly characterize the debate as "security versus privacy." The real choice is liberty versus control. Tyranny, whether it arises under threat of foreign physical attack or under constant domestic authoritative scrutiny, is still tyranny. Liberty requires security without intrusion, security plus privacy. Widespread police surveillance is the very definition of a police state. And that's why we should champion privacy even when we have nothing to hide.

A version of this essay originally appeared on Wired.com.

EDITED TO ADD (5/24): Daniel Solove comments.

Posted on May 19, 2006 at 12:00 PM


U.S. Government Sensitive but Unclassified Information

New report from the GAO: "GAO-06-385 - The Federal Government Needs to Establish Policies and Processes for Sharing Terrorism-Related and Sensitive but Unclassified Information," March 2006:

Federal agencies report using 56 different sensitive but unclassified designations (16 of which belong to one agency) to protect sensitive information--from law or drug enforcement information to controlled nuclear information--and agencies that account for a large percentage of the homeland security budget reported using most of these designations. There are no governmentwide policies or procedures that describe the basis on which agencies should use most of these sensitive but unclassified designations, explain what the different designations mean across agencies, or ensure that they will be used consistently from one agency to another. In this absence, each agency determines what designations to apply to the sensitive but unclassified information it develops or shares. For example, one agency uses the Protected Critical Infrastructure Information designation, which has statutorily prescribed criteria for applying, sharing and protecting the information, whereas 13 agencies designate information For Official Use Only, which does not have similarly prescribed criteria. Sometimes agencies used different labels and handling requirements for similar information and, conversely, similar labels and requirements for very different kinds of information. More than half of the agencies reported encountering challenges in sharing such information. For example, DHS said that sensitive but unclassified information disseminated to its state and local partners had, on occasion, been posted to public Internet sites or otherwise compromised, potentially revealing possible vulnerabilities to business competitors.

Here's the list:

Table 2: Sensitive but Unclassified Designations in Use at Selected Federal Agencies

Designation: Agencies using designation

1. Applied Technology: *Department of Energy (DOE)
2. Attorney-Client Privilege: Department of Commerce (Commerce), *DOE
3. Business Confidential: *DOE
4. Budgetary Information: Environmental Protection Agency (EPA)
5. Census Confidential: Commerce
6. Confidential Information Protection and Statistical Efficiency Act Information (CIPSEA): Social Security Administration (SSA)
7. Computer Security Act Sensitive Information (CSASI): Department of Health and Human Services (HHS)
8. Confidential: Department of Labor
9. Confidential Business Information (CBI): Commerce, EPA
10. Contractor Access Restricted Information (CARI): HHS
11. Copyrighted Information: *DOE
12. Critical Energy Infrastructure Information (CEII): Federal Energy Regulatory Commission (FERC)
13. Critical Infrastructure Information: Office of Personnel Management (OPM)
14. DEA Sensitive: Department of Justice (DOJ)
15. DOD Unclassified Controlled Nuclear Information: Department of Defense (DOD)
16. Draft: EPA
17. Export Controlled Information: *DOE
18. For Official Use Only (FOUO): Commerce, DOD, Department of Education, EPA, General Services Administration, HHS, DHS, Department of Housing and Urban Development (HUD), DOJ, Labor, OPM, SSA, and the Department of Transportation (DOT)
19. For Official Use Only -- Law Enforcement Sensitive: DOD
20. Freedom of Information Act (FOIA): EPA
21. Government Confidential Commercial Information: *DOE
22. High-Temperature Superconductivity Pilot Center Information: *DOE
23. In Confidence: *DOE
24. Intellectual Property: *DOE
25. Law Enforcement Sensitive: Commerce, EPA, DHS, DOJ, HHS, Labor, OPM
26. Law Enforcement Sensitive/Sensitive: DOJ
27. Limited Distribution Information: DOD
28. Limited Official Use (LOU): DHS, DOJ, Department of Treasury
29. Medical records: EPA
30. Non-Public Information: FERC
31. Not Available National Technical Information Service: Commerce
32. Official Use Only (OUO): DOE, SSA, Treasury
33. Operations Security Protected Information (OSPI): HHS
34. Patent Sensitive Information: *DOE
35. Predecisional Draft: *DOE
36. Privacy Act Information: *DOE, EPA
37. Privacy Act Protected Information (PAPI): HHS
38. Proprietary Information: *DOE, DOJ
39. Protected Battery Information: *DOE
40. Protected Critical Infrastructure Information (PCII): DHS
41. Safeguards Information: Nuclear Regulatory Commission (NRC)
42. Select Agent Sensitive Information (SASI): HHS
43. Sensitive But Unclassified (SBU): Commerce, HHS, NASA, National Science Foundation (NSF), Department of State, U.S. Agency for International Development (USAID)
44. Sensitive Drinking Water Related Information (SDWRI): EPA
45. Sensitive Information: DOD, U.S. Postal Service (USPS)
46. Sensitive Instruction: SSA
47. Sensitive Internal Use: *DOE
48. Sensitive Unclassified Non-Safeguards Information: NRC
49. Sensitive Nuclear Technology: *DOE
50. Sensitive Security Information (SSI): DHS, DOT, U.S. Department of Agriculture (USDA)
51. Sensitive Water Vulnerability Assessment Information: EPA
52. Small Business Innovative Research Information: *DOE
53. Technical Information: DOD
54. Trade Sensitive Information: Commerce
55. Unclassified Controlled Nuclear Information (UCNI): DOE
56. Unclassified National Security-Related: *DOE

I've already written about SSI (Sensitive Security Information).

Posted on May 19, 2006 at 07:52 AM | 20 Comments


How to Get Through Identity Theft

Really good advice, step by step.

Posted on May 18, 2006 at 01:46 PM | 30 Comments


NIST on Security Logs

The National Institute of Standards and Technology has released a document detailing how federal agencies should manage security logs: NIST Special Publication 800-92: Guide to Computer Security Log Management.

Posted on May 18, 2006 at 08:34 AM | 13 Comments


Bundesamt für Sicherheit in der Informationstechnik

The Bundesamt für Sicherheit in der Informationstechnik, or Federal Office for Information Security, or BSI, is Germany's equivalent of the NSA. They have an English-language website that has a number of English-language security publications.

Posted on May 17, 2006 at 12:21 PM | 19 Comments


Online Student Exams

I'm sure this is a good idea, but I wonder when the first case of cheating-by-rootkit will occur.

Posted on May 17, 2006 at 07:06 AM | 32 Comments


Economics and Information Security

I would like to bring your attention to two conferences. The Workshop on Economics and Information Security (WEIS) is now in its fifth year. The next one will be held on June 26-28 in Cambridge (England, not Massachusetts). The paper selections have been announced, and it looks like a great conference.

The Workshop on the Economics of Securing the Information Infrastructure (WESII) will be held on October 23-24 in Washington, DC. This is a new workshop, and papers are still being solicited.

WEIS is currently my favorite security conference. I think that economics has a lot to teach computer security, and it is very interesting to get economists, lawyers, and computer security experts in the same room talking about issues.

I am on the program committee for both WEIS and WESII.

Posted on May 16, 2006 at 03:10 PM | 8 Comments


Trading Privacy for Convenience

Does this surprise anyone?

While privacy remains a major concern for people around the world, a majority of consumers would share personal data if they knew the information was securely protected and if sharing it would make their lives easier, according to Unisys' Global Study on the Public's Perceptions about Identity Management.

Posted on May 16, 2006 at 06:23 AM | 47 Comments


Digital Notarization

Public-key cryptography for digital notarization in Pennsylvania. And a commentary.

Posted on May 15, 2006 at 03:44 PM | 29 Comments


Movie-Plot Threat Contest: Second Status Report

On April 1, I announced my (possibly First) Movie-Plot Threat Contest (update here).

The submission deadline was the end of April, and I had hoped to have picked winners by now. But there are just too many entrants to wade through.

I'll announce winners by the next Crypto-Gram; that's June 15.

Promise.

(If any of you want to suggest a winner, please list your choices here.)

Posted on May 15, 2006 at 01:06 PM | 33 Comments


Reconceptualizing National Intelligence

From the Federation of American Scientists:

A new study published by the CIA Center for the Study of Intelligence calls for a fundamental reconceptualization of the process of intelligence analysis in order to overcome the "pathologies" that have rendered it increasingly dysfunctional.

"Curing Analytic Pathologies" (pdf) by Jeffrey R. Cooper has been available up to now in limited circulation in hard copy only. Like several other recent studies critical of U.S. intelligence, it was withheld from the CIA web site. It has now been published on the Federation of American Scientists web site.

It's an interesting report. Unfortunately, the PDF on the website is scanned, so it's hard to copy and paste sections into this blog.

Posted on May 15, 2006 at 07:21 AM | 14 Comments


NSA Eavesdropping

This is the line that's done best for me on the radio: "The NSA would like to remind everyone to call their mothers this Sunday. They need to calibrate their system."

Posted on May 13, 2006 at 12:59 PM | 24 Comments


Friday Squid Blogging: Squid Hat

Knit yourself a squid hat. At least one person did, and then took pictures.

Here's a cat in a squid hat.

Posted on May 12, 2006 at 03:55 PM | 7 Comments


"The TSA's Constitution-Free Zone"

Interesting first-person account of someone on the U.S. Terrorist Watch List:

To sum up, if you run afoul of the nation's "national security" apparatus, you're completely on your own. There are no firm rules, no case law, no real appeals processes, no normal array of Constitutional rights, no lawyers to help, and generally none of the other things that we as American citizens expect to be able to fall back on when we've been (justly or unjustly) identified by the government as wrong-doers.

Posted on May 12, 2006 at 01:38 PM | 42 Comments


Thief Disguises Himself as Security Guard

Another in our series on the security problems of trusting people in uniform:

A thief disguised as a security guard Tuesday duped the unsuspecting staff of a top Italian art gallery into giving him more than 200,000 euros ($253,100), local media reported.

The thief showed up Tuesday morning at the Pitti Palace, a grandiose renaissance construction in central Florence and one of Italy's best known museums, wearing the same uniform used by employees of the security firm which every day collects the institution's takings.

After the cashier staff gave him three bags full of money, he signed a receipt and calmly walked out.

Posted on May 12, 2006 at 06:10 AM | 23 Comments


Major Vulnerability Found in Diebold Election Machines

This is a big deal:

Elections officials in several states are scrambling to understand and limit the risk from a "dangerous" security hole found in Diebold Election Systems Inc.'s ATM-like touch-screen voting machines.

The hole is considered more worrisome than most security problems discovered on modern voting machines, such as weak encryption, easily pickable locks and use of the same, weak password nationwide.

Armed with a little basic knowledge of Diebold voting systems and a standard component available at any computer store, someone with a minute or two of access to a Diebold touch screen could load virtually any software into the machine and disable it, redistribute votes or alter its performance in myriad ways.

"This one is worse than any of the others I've seen. It's more fundamental," said Douglas Jones, a University of Iowa computer scientist and veteran voting-system examiner for the state of Iowa.

"In the other ones, we've been arguing about the security of the locks on the front door," Jones said. "Now we find that there's no back door. This is the kind of thing where if the states don't get out in front of the hackers, there's a real threat."

This newspaper is withholding some details of the vulnerability at the request of several elections officials and scientists, partly because exploiting it is so simple and the tools for doing so are widely available.

[...]

Scientists said Diebold appeared to have opened the hole by making it as easy as possible to upgrade the software inside its machines. The result, said Iowa's Jones, is a violation of federal voting system rules.

"All of us who have heard the technical details of this are really shocked. It defies reason that anyone who works with security would tolerate this design," he said.

The immediate solution to this problem isn't a patch. What that article refers to is election officials ensuring that they are running the "trusted" build of the software done at the federal labs and stored at the NSRL, just in case someone installed something bad in the meantime.
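What "ensuring they are running the trusted build" looks like in practice is an integrity check of every file on the machine against hashes of the certified build. The following is an added example and not Diebold's, the test labs' or NSRL's code; the manifest format, the file contents and the temp-directory "machine image" are all constructed so the script runs offline, and a real deployment would take the manifest from the reference set and verify its signature before trusting it.

```python
"""Verify an installed software tree against a known-good hash manifest.

Added example: the trusted build below is a constructed stand-in, the
manifest is derived from it so the demo is self-contained, and the machine
image is written to a temp directory with one tampered file, one
uncertified extra file and one deleted file.
"""
import hashlib
import os
import tempfile

# Constructed stand-in for the certified build. A real manifest ships as
# hashes only, produced by the test lab, never as the bytes themselves.
TRUSTED_BUILD = {
    "bin/ballotstation.exe": b"certified ballot software v4.6.4\n",
    "bin/bootloader.bin": b"certified bootloader image\n",
    "etc/config.ini": b"[election]\nmode=production\n",
}


def sha256_file(path, chunk=1 << 16):
    """Hash a file in chunks so large firmware images need not fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(files):
    """Path -> SHA-256 hex digest, the form a reference data set distributes."""
    return {p: hashlib.sha256(data).hexdigest() for p, data in files.items()}


def verify_tree(root, manifest):
    """Compare every file under root against the manifest.

    Returns four sorted lists: files matching the trusted build, files whose
    content differs, files not in the manifest at all (an "upgrade" nobody
    certified), and manifest entries with no file on disk.
    """
    result = {"ok": [], "modified": [], "unknown": [], "missing": []}
    seen = set()
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            seen.add(rel)
            expected = manifest.get(rel)
            if expected is None:
                result["unknown"].append(rel)
            elif sha256_file(full) == expected:
                result["ok"].append(rel)
            else:
                result["modified"].append(rel)
    result["missing"] = list(set(manifest) - seen)
    for k in result:
        result[k].sort()
    return result


def make_demo_tree():
    """Write a constructed machine image and return its directory."""
    root = tempfile.mkdtemp(prefix="votemachine-")
    on_disk = dict(TRUSTED_BUILD)
    on_disk["bin/ballotstation.exe"] = b"modified ballot software\n"      # tampered
    on_disk["bin/extra_patch.bin"] = b"loaded from a memory card\n"       # uncertified
    del on_disk["etc/config.ini"]                                         # deleted
    for rel, data in on_disk.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
    return root


def run_demo():
    """Build the constructed image and verify it against the trusted manifest."""
    return verify_tree(make_demo_tree(), build_manifest(TRUSTED_BUILD))


if __name__ == "__main__":
    for status, files in run_demo().items():
        print(f"{status:9s} {files}")
```

The check has to run from outside the suspect software: a machine that has already had "virtually any software" loaded into it can lie about its own hashes, so the tree is hashed after booting from trusted media, and an "unknown" file is as serious a finding as a "modified" one, because it is exactly what an uncertified upgrade looks like.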

This article compares the security of electronic voting machines with the security of electronic slot machines. (My essay on the security of elections and voting machines.)

EDITED TO ADD (5/11): The redacted report is available.

Posted on May 11, 2006 at 01:08 PM | 92 Comments


NSA Creating Massive Phone-Call Database

There's other NSA news today: USA Today is reporting that the NSA is collecting a massive traffic-analysis database on Americans' phone calls. This looks like yet another piece of Echelon technology turned against Americans.

The NSA's domestic program, as described by sources, is far more expansive than what the White House has acknowledged. Last year, Bush said he had authorized the NSA to eavesdrop — without warrants — on international calls and international e-mails of people suspected of having links to terrorists when one party to the communication is in the USA. Warrants have also not been used in the NSA's efforts to create a national call database.

[...]

The government is collecting "external" data on domestic phone calls but is not intercepting "internals," a term for the actual content of the communication, according to a U.S. intelligence official familiar with the program. This kind of data collection from phone companies is not uncommon; it's been done before, though never on this large a scale, the official said. The data are used for "social network analysis," the official said, meaning to study how terrorist networks contact each other and how they are tied together.

Note that this database does not just contain phone calls that either originate or terminate outside the U.S. This database is mostly domestic calls: calls we all make every day.
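The official's distinction between "externals" and "internals" understates what the externals alone give away. The following is an added example, not anything from USA Today or the NSA: the call detail records and the numbers are constructed, and the script builds the "social network analysis" the article mentions (who talks to whom, who the hubs are, who called a sensitive number, and which calls follow which within minutes) using nothing but caller, callee, time and duration.

```python
"""Social network analysis over call records ("externals") only.

Added example with constructed call detail records for fictional numbers:
(caller, callee, start time, duration in seconds). No call content appears
anywhere; everything below is inferred from metadata.
"""
from collections import Counter, defaultdict
from datetime import datetime

CDRS = [
    ("555-0100", "555-0101", "2006-05-01T09:00", 120),
    ("555-0100", "555-0102", "2006-05-01T09:05", 60),
    ("555-0101", "555-0103", "2006-05-01T09:10", 30),
    ("555-0102", "555-0103", "2006-05-01T09:12", 45),
    ("555-0103", "555-0104", "2006-05-01T09:13", 600),
    ("555-0104", "555-0105", "2006-05-01T10:00", 30),
    ("555-0100", "555-0101", "2006-05-01T11:00", 30),
    ("555-0105", "555-0199", "2006-05-01T12:00", 900),  # 0199: a fictional clinic hotline
    ("555-0101", "555-0100", "2006-05-01T13:00", 20),
]


def build_graph(cdrs):
    """Undirected contact graph: number -> Counter(peer -> number of calls)."""
    g = defaultdict(Counter)
    for caller, callee, _, _ in cdrs:
        g[caller][callee] += 1
        g[callee][caller] += 1
    return g


def contacts(g, n):
    """"Who is who": everyone n has exchanged calls with."""
    return sorted(g[n])


def two_hop(g, n):
    """"Who knows who": numbers two calls away from n, excluding n and its direct contacts."""
    direct = set(g[n])
    second = set()
    for peer in direct:
        second.update(g[peer])
    return sorted(second - direct - {n})


def shared_contacts(g, a, b):
    """Numbers that both a and b talk to: the link that ties two people together."""
    return sorted(set(g[a]) & set(g[b]))


def hubs(g, k=1):
    """Numbers with the most distinct contacts, the nodes an analyst looks at first."""
    return sorted(g, key=lambda n: (-len(g[n]), n))[:k]


def callers_of(cdrs, number):
    """Everyone who dialled a given number (a clinic, a lawyer, a reporter)."""
    return sorted({caller for caller, callee, _, _ in cdrs if callee == number})


def _ts(s):
    return datetime.fromisoformat(s)


def cascade(cdrs, seed, window_s):
    """Follow the calls each callee places within window_s seconds of being
    called, starting from one seed record. "A calls B, B calls C, C calls D,
    all within minutes" is visible with no content at all."""
    chain = [seed]
    frontier = [seed]
    while frontier:
        nxt = []
        for _, callee, t, _ in frontier:
            for rec in cdrs:
                if rec[0] == callee and rec not in chain:
                    dt = (_ts(rec[2]) - _ts(t)).total_seconds()
                    if 0 <= dt <= window_s:
                        chain.append(rec)
                        nxt.append(rec)
        frontier = nxt
    return [(c, d) for c, d, _, _ in chain]


if __name__ == "__main__":
    g = build_graph(CDRS)
    print("hub:", hubs(g))
    print("two hops from 555-0100:", two_hop(g, "555-0100"))
    print("called the hotline:", callers_of(CDRS, "555-0199"))
    print("cascade from first call:", cascade(CDRS, CDRS[0], 900))
```

On nine records the script already names the most connected number, the path from 555-0100 to the person who phoned the clinic, and a chain of three calls placed within thirteen minutes; with a carrier's full call database the same queries run over everyone, which is why "we only collect externals" is not the reassurance it is offered as.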

AT&T, Verizon, and BellSouth are all providing this information to the NSA. Only Qwest has refused.

According to sources familiar with the events, Qwest's CEO at the time, Joe Nacchio, was deeply troubled by the NSA's assertion that Qwest didn't need a court order — or approval under FISA — to proceed. Adding to the tension, Qwest was unclear about who, exactly, would have access to its customers' information and how that information might be used.

Financial implications were also a concern, the sources said. Carriers that illegally divulge calling information can be subjected to heavy fines. The NSA was asking Qwest to turn over millions of records. The fines, in the aggregate, could have been substantial.

The NSA told Qwest that other government agencies, including the FBI, CIA and DEA, also might have access to the database, the sources said. As a matter of practice, the NSA regularly shares its information — known as "product" in intelligence circles — with other intelligence groups. Even so, Qwest's lawyers were troubled by the expansiveness of the NSA request, the sources said.

The NSA, which needed Qwest's participation to completely cover the country, pushed back hard.

Trying to put pressure on Qwest, NSA representatives pointedly told Qwest that it was the lone holdout among the big telecommunications companies. It also tried appealing to Qwest's patriotic side: In one meeting, an NSA representative suggested that Qwest's refusal to contribute to the database could compromise national security, one person recalled.

In addition, the agency suggested that Qwest's foot-dragging might affect its ability to get future classified work with the government. Like other big telecommunications companies, Qwest already had classified contracts and hoped to get more.

Unable to get comfortable with what NSA was proposing, Qwest's lawyers asked NSA to take its proposal to the FISA court. According to the sources, the agency refused.

We should also assume that the cellphone companies received the same pressure, and probably caved.

This is important to every American, not just those with something to hide. Matthew Yglesias explains why:

It's important to link this up to the broader chain. One thing the Bush administration says it can do with this meta-data is to start tapping your calls and listening in, without getting a warrant from anyone. Having listened in on your calls, the administration asserts that if it doesn't like what it hears, it has the authority to detain you indefinitely without trial or charges, torture you until you confess or implicate others, extradite you to a Third World country to be tortured, ship you to a secret prison facility in Eastern Europe, or all of the above. If, having kidnapped and tortured you, the administration determines you were innocent after all, you'll be dumped without papers somewhere in Albania left to fend for yourself.

Judicial oversight is a security system, and unchecked military and police power is a security threat.

Another analysis here.

EDITED TO ADD (5/11): Orin Kerr on the legality of the program. Updated here.

Posted on May 11, 2006 at 10:40 AM | 79 Comments


Computer Problems at the NSA

Interesting:

Computers are integral to everything NSA does, yet it is not uncommon for the agency's unstable computer system to freeze for hours, unlike the previous system, which had a backup mechanism that enabled analysts to continue their work, said Matthew Aid, a former NSA analyst and congressional intelligence staff member.

When the agency's communications lines become overloaded, the Groundbreaker system has been known to deliver garbled intelligence reports, Aid said. Some analysts and managers have said their productivity is half of what it used to be because the new system requires them to perform many more steps to accomplish what a few keystrokes used to, he said. They also report being locked out of their computers without warning.

Similarly, agency linguists say the number of conversation segments they can translate in a day has dropped significantly under Groundbreaker, according to another former NSA employee.

Under Groundbreaker, employees get new computers every three years on a rotating schedule, so some analysts always have computers as much as three years older than their colleagues', often with incompatible software, the former employee said.

As a result of compatibility problems, e-mail attachments can get lost in the system. An internal incident report, obtained by The Sun, states that when an employee inquired about what had happened to missing attachments, the Eagle Alliance administrator said only that "they must have fallen out."

Posted on May 11, 2006 at 07:31 AM | 22 Comments


RFID Hacking

Five stories from Wired.

In related news, IBM thinks it has a solution to the RFID privacy problem:

The so-called Clipped Tag has a notched antenna that consumers can tear off, much like the end of a ketchup packet. Removing this panel drastically reduces the readable range of the device, from about 30 feet to less than 2 inches, according to IBM.

Posted on May 10, 2006 at 01:02 PM | 38 Comments


When "Off" Doesn't Mean Off

According to the specs of the new Nintendo Wii (their new game machine), "Wii can communicate with the Internet even when the power is turned off." Nintendo accentuates the positive: "This WiiConnect24 service delivers a new surprise or game update, even if users do not play with Wii," while ignoring the possibility that Nintendo can deactivate a game if they choose to do so, or that someone else can deliver a different -- not so wanted -- surprise.

We all know that, but what's interesting here is that Nintendo is changing the meaning of the word "off." We are all conditioned to believe that "off" means off, and therefore safe. But in Nintendo's case, "off" really means something like "on standby." If users expect the Nintendo Wii to be truly off, they need to pull the power plug -- assuming there isn't a battery foiling that tactic. Maybe they need to pull both the power plug and the Ethernet cable. Unless they have a wireless network at home.

Maybe there is no way to turn the Nintendo Wii off.

There's a serious security problem here, made worse by a bad user interface. "Off" should mean off.

Posted on May 10, 2006 at 06:45 AM | 103 Comments


Security Risks of Airline Passenger Data

Reporter finds an old British Airways boarding pass, and proceeds to use it to find everything else about the person:

We logged on to the BA website, bought a ticket in Broer's name and then, using the frequent flyer number on his boarding pass stub, without typing in a password, were given full access to all his personal details - including his passport number, the date it expired, his nationality (he is Dutch, living in the UK) and his date of birth. The system even allowed us to change the information.

Using this information and surfing publicly available databases, we were able - within 15 minutes - to find out where Broer lived, who lived there with him, where he worked, which universities he had attended and even how much his house was worth when he bought it two years ago. (This was particularly easy given his unusual name, but it would have been possible even if his name had been John Smith. We now had his date of birth and passport number, so we would have known exactly which John Smith.)

Notice the economic pressures:

"The problem here is that a commercial organisation is being given the task of collecting data on behalf of a foreign government, for which it gets no financial reward, and which offers no business benefit in return," says Laurie. "Naturally, in such a case, they will seek to minimise their costs, which they do by handing the problem off to the passengers themselves. This has the neat side-effect of also handing off liability for data errors."
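The BA website failure described above is a missing authentication and authorization check: a frequent-flyer number printed on a discarded stub was treated as proof of identity for both reading and changing the record. The following is an added example and not British Airways' code; the passenger records, numbers and passwords are all invented. It puts the identifier-only lookup next to a version that requires a password the stub does not carry, ties the session to the record it may read, masks the passport number on display, and refuses to let a web session rewrite identity fields at all.

```python
"""Identifier-only lookup beside an authenticated, owner-checked lookup.

Added example with constructed passenger records. The vulnerable functions
reproduce the behaviour the article describes; the hardened ones show the
checks that were missing.
"""
import hashlib
import hmac
import secrets


def _hash(pw, salt, n=50_000):
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, n)


_SALT_A, _SALT_B = b"salt-a-16bytes!!", b"salt-b-16bytes!!"
# Constructed records keyed by frequent-flyer number; every value is invented.
PASSENGERS = {
    "FF10234567": {"name": "A. Traveller", "nationality": "NL", "dob": "1971-03-14",
                   "passport_no": "NL1234567", "passport_expiry": "2012-09-30",
                   "salt": _SALT_A, "pw_hash": _hash("correct horse battery staple", _SALT_A)},
    "FF20000000": {"name": "B. Other", "nationality": "GB", "dob": "1980-01-02",
                   "passport_no": "GB7654321", "passport_expiry": "2010-01-01",
                   "salt": _SALT_B, "pw_hash": _hash("another password", _SALT_B)},
}
SESSIONS = {}   # token -> frequent-flyer number of the authenticated customer
PUBLIC_FIELDS = ("name", "nationality", "dob", "passport_no", "passport_expiry")
IDENTITY_FIELDS = ("name", "dob", "passport_no", "passport_expiry", "nationality")


# --- the failure mode the article describes ---------------------------------
def lookup_vulnerable(ff_number):
    """The number printed on the boarding-pass stub is the only 'credential'."""
    rec = PASSENGERS[ff_number]
    return {k: rec[k] for k in PUBLIC_FIELDS}


def update_vulnerable(ff_number, field, value):
    """Same defect on write: anyone holding the stub can rewrite the passport."""
    PASSENGERS[ff_number][field] = value


# --- the hardened version -----------------------------------------------------
def login(ff_number, password):
    """Authenticate with a secret the stub does not carry. Returns a token or None."""
    rec = PASSENGERS.get(ff_number)
    if rec is None:
        _hash(password, b"dummy-salt------")   # same work whether or not the account exists
        return None
    if not hmac.compare_digest(_hash(password, rec["salt"]), rec["pw_hash"]):
        return None
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = ff_number
    return token


def _owner(token, ff_number):
    """Object-level authorization: the session must belong to the record requested."""
    if SESSIONS.get(token) != ff_number:
        raise PermissionError("not your record")
    return PASSENGERS[ff_number]


def lookup_hardened(token, ff_number):
    """Owner-only read, with the passport number masked for display."""
    rec = _owner(token, ff_number)
    view = {k: rec[k] for k in PUBLIC_FIELDS}
    pn = rec["passport_no"]
    view["passport_no"] = "*" * (len(pn) - 4) + pn[-4:]
    return view


def update_hardened(token, ff_number, field, value):
    """Owner-only write; identity fields are not editable from a web session."""
    rec = _owner(token, ff_number)
    if field in IDENTITY_FIELDS:
        raise PermissionError("identity data changes require document re-verification")
    rec[field] = value


def denied(fn, *args):
    """True if the call is refused with PermissionError (used to show the checks firing)."""
    try:
        fn(*args)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    print("stub only:", lookup_vulnerable("FF10234567"))          # full passport, no password
    tok = login("FF10234567", "correct horse battery staple")
    print("own record:", lookup_hardened(tok, "FF10234567"))      # masked passport
    print("other record refused:", denied(lookup_hardened, tok, "FF20000000"))
```

The point of the comparison is that the frequent-flyer number is public in the same sense the article's quote about economics implies: it is printed on something the passenger is expected to throw away, so it can only ever be a lookup key, never a credential, and the read and the write both need a separate proof that the caller owns the record.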

Posted on May 09, 2006 at 01:17 PM | 27 Comments


The Ultimate Terrorist Threat: Flying Robot Drones

This one really pegs the movie-plot threat hype-meter:

The technology for remote-controlled light aircraft is now highly advanced, widely available -- and, experts say, virtually unstoppable.

Models with a wingspan of five metres (16 feet), capable of carrying up to 50 kilograms (110 pounds), remain undetectable by radar.

And thanks to satellite positioning systems, they can now be programmed to hit targets some distance away with just a few metres (yards) short of pinpoint accuracy.

Security services the world over have been considering the problem for several years, but no one has yet come up with a solution.

[...]

Armed militant groups have already tried to use unmanned aircraft, according to a number of studies by institutions including the Center for Nonproliferation studies in Monterey, California, and the Center for Arms Control, Energy and Environmental Studies in Moscow.

In August 2002, for example, the Colombian military reported finding nine small remote-controlled planes at a base it had taken from the Revolutionary Armed Forces of Colombia (FARC).

On April 11, 2005 the Lebanese Shiite militia group, Hezbollah, flew a pilotless drone over Israeli territory, on what it called a "surveillance" mission. The Israeli military confirmed this and responded by flying warplanes over southern Lebanon.

Remote-control planes are not hard to get hold of, according to Jean-Christian Delessert, who runs a specialist model airplane shop near Geneva.

"Putting together a large-scale model is not difficult -- all you need is a few materials and a decent electronics technician," says Delessert.

In his view, "if terrorists get hold of that, it will be impossible to do anything about it. We did some tests with a friend who works at a military radar base: they never detected us... if the radar picks anything up, it thinks it is a flock of birds and automatically wipes it."

Posted on May 09, 2006 at 07:36 AM | 64 Comments


Shell Suspends Chip & Pin in the UK

According to the BBC:

Petrol giant Shell has suspended chip-and-pin payments in 600 UK petrol stations after more than £1m was siphoned out of customers' accounts.

This is just sad:

"These Pin pads are supposed to be tamper resistant, they are supposed to shut down, so that has obviously failed," said Apacs spokeswoman Sandra Quinn.

She said Apacs was confident the problem was specific to Shell and not a systemic issue.

A Shell spokeswoman said: "Shell's chip-and-pin solution is fully accredited and complies with all relevant industry standards.

That spokesperson simply can't conceive of the fact that those "relevant industry standards" were written by those trying to sell the technology, and might possibly not be enough to ensure security.

And this is just after APACS (that's the Association for Payment Clearing Services, by the way) reported that chip-and-pin technology reduced fraud by 13%.

Good commentary here. See also this article. Here's a chip-and-pin FAQ from February.

EDITED TO ADD (5/8): Arrests have been made. And details emerge:

The scam works by criminals implanting devices into chip and pin machines which can copy a bank card's magneti