Schneier on Security
A blog covering security and security technology.
July 2011 Archives
Friday Squid Blogging: 25-foot Giant Squid Caught in Fishing Net
Bypassing the lock on luggage.
Hacking Apple Laptop Batteries
Security researcher Charlie Miller, widely known for his work on Mac OS X and Apple's iOS, has discovered an interesting method that enables him to completely disable the batteries on Apple laptops, making them permanently unusable, and perform a number of other unintended actions. The method, which involves accessing and sending instructions to the chip housed on smart batteries could also be used for more malicious purposes down the road.
As components get smarter, they also get more vulnerable.
ShareMeNot is a Firefox add-on for preventing tracking from third-party buttons (like the Facebook "Like" button or the Google "+1" button) until the user actually chooses to interact with them. That is, ShareMeNot doesn't disable/remove these buttons completely. Rather, it allows them to render on the page, but prevents the cookies from being sent until the user actually clicks on them, at which point ShareMeNot releases the cookies and the user gets the desired behavior (i.e., they can Like or +1 the page).
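The render-but-withhold-cookies policy described above, modelled as plain functions so it can be run outside a browser. This is an added example and not ShareMeNot's own source: it assumes a constructed list of button hosts identified by registrable domain, approximates "registrable domain" as the last two hostname labels (real code would consult the Public Suffix List), and builds its own request records for the demo.

```javascript
// Added example, not ShareMeNot's own code: a model of its policy as pure
// functions over request records. Assumptions: button hosts come from a
// constructed list of registrable domains; "registrable domain" is the last
// two labels of the hostname (wrong for suffixes like co.uk); request records
// below are constructed for the demo.

// Constructed list of third-party button hosts whose cookies are withheld.
const BUTTON_HOSTS = ['facebook.com', 'google.com', 'twitter.com'];

// Approximate eTLD+1 (assumption: last two labels of the hostname).
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().split('.');
  return labels.slice(-2).join('.');
}

class ShareMeNotPolicy {
  constructor(buttonHosts) {
    this.buttonHosts = new Set(buttonHosts);
    // tabId -> Set of button domains the user has clicked in that tab
    this.released = new Map();
  }

  // Decide what to do with one outgoing request.
  // request: { tabId, url, firstPartyUrl }
  decide(request) {
    const reqDomain = registrableDomain(new URL(request.url).hostname);
    const pageDomain = registrableDomain(new URL(request.firstPartyUrl).hostname);
    if (reqDomain === pageDomain) return 'allow';          // first-party request
    if (!this.buttonHosts.has(reqDomain)) return 'allow';  // not a known button host
    const clicked = this.released.get(request.tabId);
    if (clicked && clicked.has(reqDomain)) return 'allow'; // user chose to interact
    return 'strip-cookies';                                 // button renders, but anonymously
  }

  // Called when the user clicks a button served from buttonHost in tab tabId.
  userClicked(tabId, buttonHost) {
    const domain = registrableDomain(buttonHost);
    if (!this.released.has(tabId)) this.released.set(tabId, new Set());
    this.released.get(tabId).add(domain);
  }

  // Navigating the tab to a new page revokes the release.
  tabNavigated(tabId) {
    this.released.delete(tabId);
  }
}

// Remove Cookie headers from a header list of {name, value} records.
function stripCookieHeaders(headers) {
  return headers.filter(h => h.name.toLowerCase() !== 'cookie');
}

// Apply the policy to a request and return the headers that should go out.
function filterRequest(policy, request) {
  const decision = policy.decide(request);
  const headers = decision === 'strip-cookies'
    ? stripCookieHeaders(request.headers)
    : request.headers;
  return { decision, headers };
}

// Demo with a constructed request: a news page embedding a Like button.
function demo() {
  const policy = new ShareMeNotPolicy(BUTTON_HOSTS);
  const likeButton = {
    tabId: 1,
    url: 'https://www.facebook.com/plugins/like.php?href=https://news.example/story',
    firstPartyUrl: 'https://news.example/story',
    headers: [
      { name: 'Cookie', value: 'c_user=CONSTRUCTED' },
      { name: 'Accept', value: '*/*' },
    ],
  };
  const before = filterRequest(policy, likeButton); // cookies stripped
  policy.userClicked(1, 'www.facebook.com');        // the user clicks Like
  const after = filterRequest(policy, likeButton);  // cookies released
  return { before, after };
}

console.log(JSON.stringify(demo(), null, 2));
```

The two checks that matter for the privacy property are the first-party test (a user actually on facebook.com keeps working normally) and the per-tab release, which is dropped again on navigation so one click does not turn the button host back into a tracker for every later page.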
Data Privacy as a Prisoner's Dilemma
Companies would be better off if they all provided meaningful privacy protections for consumers, but privacy is a collective action problem for them: many companies would love to see the ecosystem fixed, but no one wants to put themselves at a competitive disadvantage by imposing unilateral limitations on what they can do with user data.
The solution -- and one endorsed by the essay -- is a comprehensive privacy law. That reduces the incentive to defect.
Cryptography and Wiretapping
Matt Blaze analyzes the 2010 U.S. Wiretap Report.
In 2000, government policy finally reversed course, acknowledging that encryption needed to become a critical part of security in modern networks, something that deserved to be encouraged, even if it might occasionally cause some trouble for law enforcement wiretappers. And since that time the transparent use of cryptography by everyday people (and criminals) has, in fact, exploded. Crypto software and algorithms, once categorized for arms control purposes as a "munition" alongside rocket launchers and nuclear triggers, can now be openly discussed, improved and incorporated into products and services without the end user even knowing that it's there. Virtually every cellular telephone call is today encrypted and effectively impervious to unauthorized over-the-air eavesdropping. Web transactions, for everything from commerce to social networking, are now routinely encrypted end-to-end. (A few applications, particularly email and wireline telephony, remain stubbornly unencrypted, but they are increasingly the exception rather than the rule.)
I second Matt's recommendation of Susan Landau's book: Surveillance or Security: The Risks Posed by New Wiretapping Technologies (MIT Press, 2011). It's an excellent discussion of the security and politics of wiretapping.
Ars Technica on Liabilities and Computer Security
Halderman argued that secure software tends to come from companies that have a culture of taking security seriously. But it's hard to mandate, or even to measure, "security consciousness" from outside a company. A regulatory agency can force a company to go through the motions of beefing up its security, but it's not likely to be effective unless management's heart is in it.
Duplicating Physical Keys from Photographs (Sneakey)
The access control provided by a physical lock is based on the assumption that the information content of the corresponding key is private -- that duplication should require either possession of the key or a priori knowledge of how it was cut. However, the ever-increasing capabilities and prevalence of digital imaging technologies present a fundamental challenge to this privacy assumption. Using modest imaging equipment and standard computer vision algorithms, we demonstrate the effectiveness of physical key teleduplication -- extracting a key's complete and precise bitting code at a distance via optical decoding and then cutting precise duplicates. We describe our prototype system, Sneakey, and evaluate its effectiveness, in both laboratory and real-world settings, using the most popular residential key types in the U.S.
The design of common keys actually makes this process easier. There are only ten possible positions for each pin, any single key uses only half of those positions, and the positions of adjacent pins are deliberately set far apart.
EDITED TO ADD (7/26): I seem to have written about this in 2009. Apologies.
iPhone Iris Scanning Technology
No indication about how well it works:
The smartphone-based scanner, named Mobile Offender Recognition and Information System, or MORIS, is made by BI2 Technologies in Plymouth, Massachusetts, and can be deployed by officers out on the beat or back at the station.
Revenge Effects of Too-Safe Playground Equipment
Sometimes too much security isn't good.
After observing children on playgrounds in Norway, England and Australia, Dr. Sandseter identified six categories of risky play: exploring heights, experiencing high speed, handling dangerous tools, being near dangerous elements (like water or fire), rough-and-tumble play (like wrestling), and wandering alone away from adult supervision. The most common is climbing heights.
Smuggling Drugs in Unwitting People's Car Trunks
A few miles away across the Rio Grande, the FBI determined that Chavez and Gomez were using lookouts to monitor the SENTRI Express Lane at the border. The lookouts identified "targets" -- people with regular commutes who primarily drove Ford vehicles. According to the FBI affidavit, the smugglers would follow their targets and get the vehicle identification number off the car's dashboard. Then a corrupt locksmith with access to Ford's vehicle database would make a duplicate key.
This attack works because 1) there's a database of keys available to lots of people, and 2) both the SENTRI system and the victims are predictable.
Friday Squid Blogging: Glass Squid
Is There a Hacking Epidemic?
Freakonomics asks: "Why has there been such a spike in hacking recently? Or is it merely a function of us paying closer attention and of institutions being more open about reporting security breaches?"
They posted five answers, including mine:
The apparent recent hacking epidemic is more a function of news reporting than an actual epidemic. Like shark attacks or school violence, natural fluctuations in data become press epidemics, as more reporters write about more events, and more people read about them. Just because the average person reads more articles about more events doesn't mean that there are more events -- just more articles.
Google Detects Malware in its Search Data
This is interesting:
As we work to protect our users and their information, we sometimes discover unusual patterns of activity. Recently, we found some unusual search traffic while performing routine maintenance on one of our data centers. After collaborating with security engineers at several companies that were sending this modified traffic, we determined that the computers exhibiting this behavior were infected with a particular strain of malicious software, or "malware." As a result of this discovery, today some people will see a prominent notification at the top of their Google web search results....
There's a lot that Google sees as a result of its unique and prominent position in the Internet. Some of it is going to be stuff they never considered. And while they use a lot of it to make money, it's good of them to give this one back to the Internet users.
Members of "Anonymous" Hacker Group Arrested
The police arrested sixteen suspected members of the Anonymous hacker group.
Whatever you may think of their politics, the group committed crimes and their members should be arrested and prosecuted. I just hope we don't get a media flurry about how they were some sort of cyber super criminals. Near as I can tell, they were just garden variety hackers who were lucky and caught a media wave.
EDITED TO ADD (7/19): I understand that the particular people arrested are innocent until proven guilty -- hence my use of the word "suspected" in the first sentence -- but there doesn't seem to be any question that members of the group claimed credit for criminal cyber attacks. I suppose I could have said "the group allegedly committed crimes," but that seemed overly cautious.
And yes, I agree that calling them a "group" is probably giving them more organizational credit than they have.
EDITED TO ADD (7/25): Last December, Richard Stallman wrote about the Anonymous group and their actions as a form of protest.
EDITED TO ADD (8/12): Department of Justice press release on the arrests.
Telex Anti-Censorship System
This is really clever:
Many anticensorship systems work by making an encrypted connection (called a "tunnel") from the user's computer to a trusted proxy server located outside the censor's network. This server relays requests to censored websites and returns the responses to the user over the encrypted tunnel. This approach leads to a cat-and-mouse game, where the censor attempts to discover and block the proxy servers. Users need to learn the address and login information for a proxy server somehow, and it's very difficult to broadcast this information to a large number of users without the censor also learning it.
EDITED TO ADD (8/1): Another article.
EDITED TO ADD (8/13): Another article.
British Phone Hacking Scandal
Ross Anderson discusses the technical and policy details.
EDITED TO ADD (7/18): Yet again, my preoccupation with my book is making it harder for me to write timely and lengthy blog posts. So I thank Ross for writing about this issue, so I don't have to.
Friday Squid Blogging: Giant School of Squid
Interview in Infosecurity Magazine
I think I gave this interview at the RSA Conference in February.
Degree Plans of the Future
You can now get a Master of Science in Strategic Studies in Weapons of Mass Destruction. Well, maybe you can't:
"It's not going to be open enrollment (or) traditional students," Giever said. "You worry about whether you might be teaching the wrong person this stuff."
My Next Book Title: Liars and Outliers
Thank you for all your comments and suggestions regarding my next book title. It will be:
Liars and Outliers:
We're still deciding on a cover, but it won't be any of the five from the above link. Vaguely ominous crowd scenes are not what I want.
Physical Key Escrow
This creates far more security risks than it solves:
The city council in Cedar Falls, Iowa has absolutely crossed the line. They voted 6-1 in favor of expanding the use of lock boxes on commercial property. Property owners would be forced to place the keys to their businesses in boxes outside their doors so that firefighters, in that one-in-a-million chance, would have easy access to get inside.
We in the computer security world have been here before, over ten years ago.
Interview with Evgeny Kaspersky
Insurgent Groups Exhibit Learning Curve
After analyzing reams of publicly available data on casualties from Iraq, Afghanistan, Pakistan and decades of terrorist attacks, the scientists conclude that "insurgents pretty much seemed to be following a progress curve -- or a learning curve -- that's very common in the manufacturing literature," says physicist Neil Johnson of the University of Miami in Florida and lead author of the study.
History of Stuxnet
EDITED TO ADD (7/13): Stuxnet timeline.
Friday Squid Blogging: Giant Squid Egg
Organized Crime in Ireland Evolves As Security Increases
The whole article is interesting, but here's just one bit:
The favoured quick-fix money-making exercise of the average Irish organised crime gang had, for decades, been bank robberies. But a massive investment by banks in branch security has made the traditional armed hold-up raids increasingly difficult.
Comparing al Qaeda and the IRA
Al Qaeda played all out, spent all its assets in a few years. In my dumb-ass 2005 article, I called the Al Qaeda method "real war" and the IRA's slow-perc campaign "nerf war." That was ignorance talking, boyish war-loving ignorance. I wanted more action, that was all. I saw what an easy target the London transport system made for a few amateur Al Qaeda recruits and just thought that since the IRA had several long-term sleeper teams in place in London, they could have wreaked a million times more havoc. Which was true, they could've. But could've and should've are different things, and a guerrilla group that goes all-out, does everything it can, is doomed.
Man Flies with Someone Else's Ticket and No Legal ID
Last week, I got a bunch of press calls about Olajide Oluwaseun Noibi, who flew from New York to Los Angeles using an expired ticket in someone else's name and a university ID. They all wanted to know what this says about airport security.
It says that airport security isn't perfect, and that people make mistakes. But it's not something that anyone should worry about. It's not like Noibi figured out a new hole in the airport security system, one that he was able to exploit repeatedly. He got lucky. He got real lucky. It's not something a terrorist can build a plot around.
I'm even less concerned because I've never thought the photo ID check had any value. Noibi was screened, just like any other passenger. Even the TSA blog makes this point:
In this case, TSA did not properly authenticate the passenger's documentation. That said, it's important to note that this individual received the same thorough physical screening as other passengers, including being screened by advanced imaging technology (body scanner).
Seems like the TSA is regularly downplaying the value of the photo ID check. This is from a Q&A about Secure Flight, their new system to match passengers with watch lists:
Q: This particular "layer" isn't terribly effective. If this "layer" of security can be circumvented by anyone with a printer and a word processor, this doesn't seem to be a terribly useful "layer" ... especially looking at the amount of money being expended on this particular "layer". It might be that this money could be more effectively spent on other "layers".
Yes, the answer says that they need to spend millions to ensure that terrorists with a viable plot also need a computer, but you can tell that their heart wasn't in the answer. "Checkpoints! Dogs! Air marshals! Ignore the stupid photo ID requirement."
Noibi is an embarrassment for the TSA and for the airline Virgin America, who are both supposed to catch this kind of thing. But I'm not worried about the security risk, and neither is the TSA.
Research in Secure Chips
Unsurprisingly, the U.S. military is funding research in this.
Friday Squid Blogging: Giant Squid as an Emblem for Ocean Conservation
It's a proposal.
There's a new version:
The latest TDL-4 version of the rootkit, which is used as a persistent backdoor to install other types of malware, infected 4.52 million machines in the first three months of this year, according to a detailed technical analysis published Wednesday by antivirus firm Kaspersky Lab. Almost a third of the compromised machines were located in the United States. With successful attacks on US-based PCs fetching premium fees, those behind the infections likely earned $250,000 on that demographic alone.
Article on the NSA's Menwith Hill listening station in the UK.