Schneier on Security
A blog covering security and security technology.
October 26, 2006
Interesting article, available to subscribers only (unfortunately):
Prehistoric evidence indicates that people have always been concerned with detecting whether others have tampered with their belongings. Early human beings may have swept the ground in front of their dwellings to detect trespassers' footprints. At least 7,000 years ago, intricate stone carvings were pressed into clay to seal jars and later, writing tablets. What is the most secure way to ensure that people are not messing with your things? Roger Johnston's tests have covered everything from ancient clay seals to metal flange seals used to secure cargo containers and electronic seals used on nuclear material. He has found that high-tech, expensive seals are often no more reliable, and factors such as properly training inspectors to know what to look for are often just as important as the seal itself. Johnston has also developed some new electronic seals that are harder to defeat because they use "anti-evidence": They provide the correct passcode only when they are not tampered with, and the passcode is erased if they are interrupted.
Posted on October 26, 2006 at 7:01 AM
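A toy model of the "anti-evidence" idea quoted above, as an added example that is not from the article or from Johnston's designs: the class names, the 128-bit hex passcode, and the modelled adversary with write access to the seal's memory are all assumptions. It contrasts a seal that stores a tamper flag with one that erases a secret whose copy the inspector holds.

```python
import hmac
import secrets

class FlagSeal:
    """Conventional design: tampering stores evidence (a flag) in the seal."""
    def __init__(self):
        self.tampered = False
    def on_tamper(self):
        self.tampered = True
    def looks_intact(self):
        return not self.tampered

class AntiEvidenceSeal:
    """Anti-evidence design: arming stores a secret, tampering erases it."""
    def __init__(self):
        self.passcode = None
    def arm(self):
        self.passcode = secrets.token_hex(16)
        return self.passcode  # inspector's copy, kept away from the seal
    def on_tamper(self):
        self.passcode = None  # assumed: a benign power loss looks the same
    def looks_intact(self, expected):
        # Constant-time comparison against the inspector's recorded copy.
        return hmac.compare_digest(self.passcode or "", expected)

def attacker_cleanup(seal):
    """Constructed adversary with full write access to the seal afterwards."""
    if isinstance(seal, FlagSeal):
        seal.tampered = False                  # erase the stored evidence
    else:
        seal.passcode = secrets.token_hex(16)  # can only guess the secret

def run_scenarios():
    flag, anti = FlagSeal(), AntiEvidenceSeal()
    expected = anti.arm()
    results = {"anti_untouched": anti.looks_intact(expected)}
    for seal in (flag, anti):
        seal.on_tamper()
        attacker_cleanup(seal)
    results["flag_after_attack"] = flag.looks_intact()
    results["anti_after_attack"] = anti.looks_intact(expected)
    return results

if __name__ == "__main__":
    print(run_scenarios())
```

The flag seal passes inspection after the cleanup because the evidence lived inside the seal; the anti-evidence seal fails because the erased passcode exists only in the inspector's record.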
• 17 Comments
Well, as the man said in a previous article, "Security is paying attention." Technology can improve security, but the people using it can make all efforts useless.
I was going to read the article, but there seems to be some sort of tamper resistant seal that's keeping me out.
A better approach would be to have the electronic seal give a different passcode if tampered with; then one's opponent would not know if the seal had detected their tampering. Also, a failure of the device not related to tampering might also cause data to be erased.
Tamper-evident seals by themselves do nothing to "ensure that people are not messing with your things"--they just provide a way to detect when it happens. And, like checksums, they are only useful if you plan to act on the evidence. The seal is the easy part; what's hard is figuring out what to do when the seal is damaged.
Our elections board in Maryland fails to understand this.
"Our elections board in Maryland fails to understand this."
Yeah. My name is linked to a Wired article wherein I found this six-word-long story by David Brin:
Democracy postponed. Whence franchise? Ask Diebold...
- David Brin
Tamper-evident seals must first provide some evidence that they were actually in place.
For example, if I purchase a bottle of iced tea, before I open the bottle I should be able to tell not only if the seal has been tampered with, but that some sort of seal actually existed. Too many of the tamper-seals used on food products can be removed without leaving a trace.
Good point. Tamper resistance should indicate when it is interfered with, removed, or altered in any way. Pharma seems to have this down (many medications that have a sticky cap label/sticker leave nasty residue when removed), but I have a subconscious tendency to remove the ENTIRE plastic wrapper from my Arizona Iced Tea bottles. It's defense in depth; detection AND notification. What good is IDS if you don't tune the alerts and read the logs?
As Ray Semko says, "It's all about education, education, education." In a loud voice, of course. :-)
"Everyone have a D*I*C*E day!"
Tamper proof seals do have a weakness. I have many times opened something that had a "void if removed" sticker on it. If I completely remove the sticker and any sticky evidence, I can return the same items under a full warranty. I was thinking about ATM type PIN password security. Let's say my password is "1234". If the machine that's supposed to be checking my password ignores all wrong guesses, but immediately locks down totally (maybe a relay forces an important fuse to blow) when "1233" and "1235" are guessed, I suppose that would be a pretty good deterrent. It's sort of a compromise between an accidentally typed password and a brute force attempt.
Well, you'd better hope that typing "1235" for "1234" isn't a common failure mode, and that attackers try PINs sequentially.
> ... factors such as properly training inspectors to know what to look for are ...
I recall being told this more than a decade ago; the most important thing in the successful use of seals is simply showing inspectors what seals look like when someone has been tampering with them. All the usual tricks -- heat, cold, solvents, prying with a thin blade etc. -- leave characteristic signs which are generally pretty obvious if you know what to look for, but easily overlooked if you glance at it casually (this, of course, is actually what the opponent is hoping!).
The big problem is tamper evident seals for use by the public, for example to prevent product tampering. I wonder if the idea is not so much a faint hope that grandma will notice that a seal has been artfully tampered, but rather that when a company receives an extortion threat, trained inspectors will search the shelves for suspect items. In that case, a totally missing seal will be obvious.
Don't overlook that with product tampering labels one is usually presented with a collection of the same item to choose from on a store shelf. In this context, a single tampered or missing seal is much more likely to be noticed, even by a casual observer. The stocker also may notice. So it's, in the general case, not as difficult a problem as all that.
I still vaguely recall the events that were the principal cause for the tamper-evident product seals, at least in the U.S. These included, IIRC, a tainted analgesic (was it Tylenol?) in the late '70s, and tainted eyedrops in the early '80s. I don't recall, however, at what point in the supply chain the investigations determined that the tampering occurred. If it was early enough, then the tamper-evident seals don't really help against the historical threat.
Anyone remember the details?
> Don't overlook that with product tampering labels one is usually presented with a collection of the same item to choose from on a store shelf.
Good point. This implies that in product tampering seals, absolute uniformity of appearance will be a desirable characteristic.
> I don't recall, however, at what point in the supply chain the investigations determined that the tampering occurred.
The Tylenol murders case was never solved; someone was convicted for extortion but there was clear evidence that he was an opportunist and not the tamperer. The killer's motive was never established but seems to have been "simple" misanthropy.
However, examination of tampered items & distribution of tampered batch numbers indicated the offender had purchased the product at a small number of closely located stores, tampered with it elsewhere (likely at home), and surreptitiously returned it to several different stores.
All of the product tampering cases I have heard of are much the same, products are tampered off-site and reinserted onto store shelves. (Consequently, anti-shoplifting measures may also help to prevent tampering.) I think doing it within the factory would actually be much harder, as well as a higher risk of getting caught.
More by Roger Johnston is available at the website of the Vulnerability Assessment Team (VAT) at Argonne National Laboratory:
Roger Johnston and the VAT moved to Argonne since October 2007.