Schneier on Security
December 9, 2011
Friday Squid Blogging: Humboldt Squid Mystery Solved
Humboldt squid off the coast of Mexico are spawning younger and smaller than usual. El Niño is to blame. The mystery was solved by a class of biology students. (A blog of the expedition.)
As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.
Posted on December 9, 2011 at 4:30 PM
• 32 Comments
The class act at TSA again...
What's next, gun shaped tattoos, gun shaped gummy bears? I hear they have occasionally let gun shaped guns through.
I wonder if the downing of the US Stealth UAV RQ-170 is in any way connected to the reports about viruses at Creech AFB where these drones are controlled from.
It seems plausible to me that an interested party, after hearing of the lack of security there, might have put together custom-made malware to achieve this result. Perhaps this was of Stuxnet-level complexity but I suspect things might actually be a lot simpler than that.
I have not heard a lot about the abilities of the Iranian side in malware production and I am not sure how complicated a task this would be (script kiddie level, Sony rootkit level, average criminal level, or Stuxnet level). I would certainly believe such an undertaking to be within, for example, Chinese capabilities.
Iranians are claiming that their "military cyber-warfare unit" managed to take over controls of the drone and bring it down. If the Iranians have broken that encryption then this would either be based on a major break in some algorithm or a major blunder by the designers of the drone control link. Of course both these things are possible (the latter more than the former) but I am sure the designers of the drone put a lot of effort into employing all the most unbreakable encryption in this area. After all, the security of the control link is vital for the drone to be effective. This must have been tested extensively, as the threat of a take-over is obvious.
However the lack of security at the control center for these drones makes some kind of malware operation more likely. The computer security at this sort of control center is probably something that is taken for granted by the designers of the drone system. It has been reported that the drones are programmed to return to base under certain circumstances, for example loss of the pilot's control link. If somebody, through rootkits or other malware stuff, could gain access to the system responsible for uploading the drones' configurations/instructions, they would probably be able to do anything to the drones, like making one believe that it was actually based in Kashmar, Iran and should return there instead of some boring little runway in Afghanistan.
If you had asked me before these media reports about the viruses at Creech AFB, I would have said this kind of scenario was remote or impossible. The US military has a reputation for keeping better security than this. But when you see comments like the one below, a malware/rootkit operation starts to sound more plausible:
"We keep wiping it off, and it keeps coming back," says a source familiar with the network infection, one of three that told Danger Room about the virus. "We think it’s benign. But we just don’t know."
Here is some more information on this.
Of course it could also just be a simple case of operator error ("ok, which were the co-ordinates to spy on and which were the co-ordinates to land on? Well, it is a 50-50 chance of getting it right").
Or, this was a deliberate action. The old "tried but now known to be failed" Iraq nuclear option was not generating enough attention to foment war in Iran, so perhaps a new technique was employed. Of course, this device will end up in China and payment will be whatever is necessary or requested.
Closing down the USSR was dangerous to the rest of the world, as the rest of the world became the target for war to feed the military industrial complex.
Security by Obscurity?
Two would-be carjacking victims still have their car after their assailants were thwarted by an unlikely ally: The car's stick shift.
The men then jumped into the vehicle and started it up, but that's where they were foiled. They couldn't drive a stick.
Police said the two men gave up and ran north on 31st Street.
Bruce, I am frankly shocked that you buy the Creech AFB story. That was LOL worthy when I first read it on Wired.
"The computer security at this sort of control center is probably something that is taken for granted by the designers of the drone system."
For the reason that the said security regime is the responsibility of the USAF? What happened to the USAF after the cold war? Before we could maintain airspace defense and keep computers controlling ICBMs secure, but now cave men with box cutters and "Chinese hackers" (LOL) penetrate both at will?
Oops. I see that was a comment by a reader. Never mind :)
@ronnie - people stealing fixed gear bikes are even funnier
"Of course it could also just be a simple case of operator error"
Once upon a time it was accepted that "if the pilot died in the crash it was the pilot's fault it crashed". The trouble with these drones, where the pilot parks his rump X000 miles away from the plane but only ten yards from the coffee machine, is they don't conveniently die in the crash.
Which means that either they have to find something/someone else to blame or carry out a proper investigation (because the pilot/operator would cry blue murder if they tried to court-martial them without a proper investigation).
Some times "convenient technology" is not as "convenient" as some might wish ;)
I'd be more interested in the "Chrome is most secure browser" report if either a) it had come up with a different answer than Chrome; or b) it hadn't been paid for by Google. A report paid for by Google saying "Chrome is best" is just completely uninteresting.
The problem with deniable encryption is that they can just keep hitting you with the rubber hose until they are satisfied you either don't have anything more to hide or are willing to die for your cause. At this point, the attacker would be happy to oblige. The better option for deniable encryption is for the carrier to not know how many levels there are nor the key to decrypt it. The data should not get to the person who can do so until it is entirely out of reach of whoever would want to intercept it. The carrier should also not know who created the data. This isn't too far in concept from the British identity puzzle from WWII Bruce posted a few weeks ago, except much more information than a simple identification challenge.
Anyone recognise this:
dft rwj dts bxn cjj gos ydz hti cqe dhk xlk swg hfu lhx rxb csf gef qaa wqh rsl ivv hky rwu dzl jzp jmz blo dhk rtc yuf ufw nmg yvg hex vei arm mpw aly rmn opo wkx ptj ufw bcj qpd ane rni crz jur uns
I am getting similar messages to this posted daily to a comments section of a website I have some control of.
Some sort of encrypted comms?
@ Z / Intrigued,
Does the site get regularly scanned by a web robot for the likes of google?
If so it might be somebody trying to implement a "headless botnet control channel" badly, or some other method of nearly anonymised communications.
I'd better explain how it works before your eyebrow reaches the back of your head ;)
One of the major problems with botnets or anonymous communications is having their control channel taken over by the "take down squads", or one end of your comms channel being fixed and thus known to those you don't wish it to be known to (such as the Secret Police or your favourite squeeze's parents etc).
Some considerable time ago I gave some thought to the problem and realised that search engines like Google could be used very effectively.
What you do as a bot herder or anonymous correspondent is to find any of the myriad of blog sites that allow you to post a message without authenticating yourself. Randomly select one to post your control / love message and use another for the next etc.
At some point a web robot will come along and slurp your posted message up into its search engine (this usually happens before the blog admin has a chance to take the message down).
You program your bots or tell your secret squeeze not to go to an IP address or DNS-named site for their control / love message from you but to use a search engine to look for some kind of unique identifier for the message.
They then pull the message out of the search engine cache to read it. Which, as search engine requests are fairly normal traffic from any network with human-used PCs, is unlikely to attract attention.
The problem however is keeping it all covert, which is where this message fails miserably.
I originally envisaged using some form of stego and time-based human-readable identifiers, such that the message would at least look like a valid post to the blog.
Of course it could be something else entirely but it's one guess without knowing other info like the IP address it came from etc.
@ Nick P,
In my search to work out where El Reg journos were getting their "Darwin Award" style stories from I came across this little titbit,
Apparently some journos go over and above the expected just to get a story. One in particular for Mr Murdoch (of News International and Illegal Celebrity Phone Hacking fame),
The site has a weekly "digest". As above but also a "pro blog" with even more snippets of weird and wonderful news.
@Clive - thanks very interesting.
It certainly seems a possibility - does the fact that the above string (nor all the others) is not found if you search for it in Google change matters?
All posts come from the same address. I don't mind posting the IP as that's part of the T&C of posting messages.
Yes, it does get scanned by bots.
Maybe your site is just a dead drop, where both parties know the URL.
Consider adding a trivial captcha.
"Maybe your site is just a dead drop, where both parties know the URL."
It's possible. If it's actually people, then a CAPTCHA won't help. I used to post hashes of my trade secrets on a bunch of public blogs. Sometimes, I pretended it was a weird PGP signature. The idea was that they would be a free timestamping service to prove I came up with the idea first. But two-way, asynchronous communication by two parties in secret is best done with anonymous remailers & open WiFi hotspots.
@ Clive Robinson
I've been reading News of the Weird on and off for years. Hadn't checked it in a while. Glad you mentioned it. This reporter's dedication to the news was obviously a step beyond his dedication to the women in his life. Was it worth it? We can only guess.
@ Intrigued / Z,
"It certainly seems a possibility - does the fact that the above string (nor all the others) is not found if you search for it in Google change matters"
I found that as well with that set of trigrams, which is a bit odd in and of itself because Google certainly indexes other sites with pages of trigrams. hmmm
So the next couple of questions to ask are do you know anything about the IP address, like has it sent any other more normal traffic, is there any tempo to these odd messages etc.
Then some questions about your own site like what CPU it has (Intel, IBM, Sun) and is there any way an attacker would be able to find out using Nmap etc. Because it could be a possibility that somebody is trying a new or variant attack of some kind.
Conceivably the messages could be a smoke screen for some other activity or even an accidental by-product of some automated process.
Or again it might be the site operators they are testing, to find out what your threshold is before you take action of some kind, thus there may not be any meaning in the messages, only the pattern of the messages.
But getting back to the messages themselves do you think they are human or machine in origin?
That is when you look at them all are there any oddities like somebody has made a typing error such as a bigram or double space etc?
Or are they of some standard format like exactly N trigrams etc or do all trigrams in a given place start with the same initial letter etc. Which you might expect if they were generated by software.
Then when looking at the messages en masse is there any correlation between the individual posted pages?
Such as a common run of trigrams etc, what is the frequency of the individual trigrams etc etc
Usually you would expect some level of correlation in some form up to a point. If the messages had any meaning and were not encrypted then you would expect some kind of distribution to appear.
However a warning at this point: there are odd people out there who do things for the strangest of reasons that don't really make sense to them let alone anybody else... This applies even at National level, look up "Russian Number Stations" for an example.
Which means there is only a very limited mileage on investigation before your time would be better spent just blocking the IP address at the firewall etc.
But if you have time on your hands a little investigation could be viewed as an investment in learning the hows and ways of the cold war style signals analysts (read about the VENONA project). But again be rational about it, unless someone is paying you decent money to do it, or you are going to publish results that might further your career, your time is almost certainly better spent on other things such as getting to know those around you better. Reading Cliff Stoll's "Stalking the Wily Hacker" will tell you just how much of an obsession / itch this sort of thing can be and how it can turn quite rapidly into a "black hole" slurping up time and resources.
If the theory about search engines is correct then there would be a series of "identifying words" and then some "content". There are over 17 thousand three letter words possible. Strike out "the bit and dog are god" and other valid three letter words, and you're left with 14 bits of information per three letter word. That could mean up to 700 bits of command and control. Sounds reasonable.
On the other hand, I seem to be getting lots of sites that list ALL three letter words if I search for a bunch of the quoted three letter words.....
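A defender's first-pass triage of a message like the one quoted in this thread, as an added Python example that is not from the original post or from any of the commenters. It runs the checks Clive lists (format regularity, repeated trigrams, per-position letter bias, letter statistics) and the 14-bits-per-trigram payload bound from the comment above over the sample string posted earlier; the "common English letters" set and the 0.8 / 0.46 baselines are my assumptions.

```python
import math
import re
from collections import Counter

# The trigram message quoted in the thread above (copied from the post, not constructed).
SAMPLE = ("dft rwj dts bxn cjj gos ydz hti cqe dhk xlk swg hfu lhx rxb csf gef qaa "
          "wqh rsl ivv hky rwu dzl jzp jmz blo dhk rtc yuf ufw nmg yvg hex vei arm "
          "mpw aly rmn opo wkx ptj ufw bcj qpd ane rni crz jur uns")

TRIGRAM = re.compile(r"^[a-z]{3}$")
# Assumed baseline: the twelve most frequent letters of English make up roughly 80%
# of ordinary prose, but only 12/26 (about 46%) of uniformly random lowercase text.
COMMON_ENGLISH = set("etaoinshrdlu")

def format_check(msg):
    """Is the message rigidly 'exactly N lowercase trigrams'? Such regularity hints at software."""
    toks = msg.split()
    return {"count": len(toks), "malformed": [t for t in toks if not TRIGRAM.match(t)]}

def repeated_trigrams(msg):
    """Trigrams seen more than once: a first sign of a codebook or of structure."""
    return {t: n for t, n in Counter(msg.split()).items() if n > 1}

def position_profile(msg):
    """Most common letter in each of the three positions; a fixed initial letter would show here."""
    return [Counter(t[i] for t in msg.split()).most_common(1)[0] for i in range(3)]

def letter_entropy(msg):
    """Shannon entropy of the letter distribution in bits per letter (uniform a-z is log2(26), about 4.70)."""
    letters = [ch for t in msg.split() for ch in t]
    counts = Counter(letters)
    n = len(letters)
    return -sum(k / n * math.log2(k / n) for k in counts.values())

def common_letter_fraction(msg):
    """Share of letters from the common English set; plaintext sits near 0.8, random text near 0.46."""
    letters = [ch for t in msg.split() for ch in t]
    return sum(ch in COMMON_ENGLISH for ch in letters) / len(letters)

def capacity_bits(msg, bits_per_trigram=14):
    """Upper bound on payload if each trigram carries ~14 bits (log2(26**3) is about 14.1)."""
    return len(msg.split()) * bits_per_trigram

def triage(msg):
    """Summarise the checks for one message; run it over every posted message and compare summaries."""
    return {
        "format": format_check(msg),
        "repeats": repeated_trigrams(msg),
        "positions": position_profile(msg),
        "entropy_bits": round(letter_entropy(msg), 2),
        "common_fraction": round(common_letter_fraction(msg), 2),
        "max_payload_bits": capacity_bits(msg),
    }
```

On the quoted sample the format is perfectly regular, only "dhk" and "ufw" repeat, and the common-letter share sits at the random baseline rather than the English one, which is what you would expect of ciphertext or machine-generated noise rather than a typed plaintext.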
A warning is often repeated about burglars using Facebook posts to target homes. I've heard of this being tried only once. The parties involved knew their victims and had robbed them several times before without Facebook. It sounds impractical to come across a post from someone nearby announcing they are going on vacation unless you know them. Another example is the See Something ads that warn us to watch out for briefcases, but a quick search only found one incident in India using that method to conceal a device.
Any particular security risk is theoretically possible, but what is the actual reality of how often, or if, a weakness is actually exploited?
Not just in security matters, but people often state that something could happen. A counter-argument is that an asteroid has wiped out life on Earth before, so it is a more likely worry than something that only exists as speculation.
An accurate picture of any risk can help us to be safe but not paranoid.
@Clive. Thanks again. I'll do some digging.
What Makes a Rogue Trader Tick?
The rogue trader is a species of sorts within the world of finance, a special breed with certain behaviors and characteristics that are consistent through time. Gapper delves into evolutionary biology and the research of Daniel Kahneman to better understand the nature of men like Nick Leeson, Joe Jett, and Jerome Kerviel.
More serious "Industrial Control Systems" (ICS of which SCADA is just a small part) woes,
All the old silly faults of the 1970's such as hardcoded passwords are still present on modern PLC systems. Some of which appear directly accessible from the Internet...
@ Clive Robinson
I once said that the gradual increase in security of smartphones will probably resemble the troubled history of the PC. I think I should expand this claim to include ICS and other safety-critical systems that are remotely accessible in some way.
@ Nick P,
"I once said that the gradual increase in security of smartphones will probably resemble the troubled history of the PC"
There's one big difference though: "multiprocessors". Apart from major servers, multiprocessors or multicore processors are very, very recent to the field of battle.
The thing is that most "smartphones" are multicore / multiprocessor (MultiC/P) whereas PCs are only recently starting to get in on the act for various reasons (one classic being multicore chips but OS/software not multicore capable).
And MultiC/P brings with it a whole new set of problems to do with concurrency. One of which is concurrency issues can make sandbox walls invisible, and also malware invisible to AV software fairly easily.
Back in 2007 WOOT was held for the first time and Robert Watson of the UK's Cambridge Uni's Computer Research Labs presented some interesting work,
The thing is "code cutters" are generally not that hot on security hence the need for sandboxes and similar protection. It gets worse because even security conscious programmers have difficulty getting their head around simple let alone complex concurrency issues. And as you might expect concurrency as it relates to security is not exactly getting as well researched as it could and is currently a green field site for PhD seekers.
It's one of the things I'm trying to partially solve or effectively mitigate with the "Prison-v-Castle" for the obvious reason it involves not just a few MultiC/P but potentially hundreds. And thankfully the hierarchical nature of the "prisoner-trustee-guard-warden-governor" security hypervisor system does lend itself to resolution of many of the issues.
Anyway Robert Watson has some interesting work on it as part of his involvement with the TrustedBSD project, he's a director of the FreeBSD Foundation and has put some of his work into Capsicum for it. Some of which you can find on his page up on the Camb Labs server,
But also his own personal home page tucked away on his DNS named server (which is effectivly for his consulting etc),
Oh and Intel (yup I know you don't like chip errata the size of phone books ;) has some blurb on it as well,
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.