Schneier on Security
A blog covering security and security technology.
« Hacking BMW's Remote Keyless Entry System |
| Remote Scanning Technology »
July 13, 2012
Friday Squid Blogging: Barbecued Squid -- New Summer Favorite
In the UK, barbecued squid is in:
Sales of squid have tripled in recent months due to the growing popularity of Mediterranean food and the rise of the Dukan diet, as calamari looks set to become the barbecue hit of the summer.
Posted on July 13, 2012 at 4:53 PM
• 49 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
You said "barbecue hit". At first, I thought you wrote barbecue pit.
A glimpse into the London Olympics threat model is available courtesy of their list of banned items (PDF). The model includes not only people attempting to harm other people directly, but also disrupting other spectators' experience, and getting around the exclusive deals the Olympics have with some sponsors.
Although even with that in mind, there are a few puzzling items. Anyone have a hypothesis for what the threat from "large quantities of coins" is?
When I was little, throwing coins at the goal keeper kept us interested when the match got boring.
Is there any particular reason for using a coin, rather than just any small throwable object you may find lying around?
A bomb scare was phoned in for the Detroit-Windsor tunnel. Are there any figures on how many phoned or mailed threats actually are for explosives? When a call is made to a school it always turns out to be some kid that didn't study. But the authorities put on a big show so people FEEL safe that they are doing something.
Rolls of Coins have long been used as a Fist load, like leaded Gloves or Brass knuckles to add force to punches.
Can also be put into Sock or similar to make Flail capable of breaking bones a lot easier.
A flaw in credit card terminals has been found by german security researchers. An article now has been posted on Ars Technica. As claimed on the German site heise.de, the interesting point is that no physical access is required, one needs only to be on the same network.
Re: The Gentleman's Guide To Forum Spies,
Reminds me of David Sternlight. And perhaps of Austin O'Byrne who writes a lot in sci.crypt.
Sure, and I'd've assumed that was the reason if they'd been listed under weapons. But since they're listed as annoyances, it seems that wasn't what the Olympics organizers are wprried about.
Is the TSA running security at the London Olympics?
The account, in The Daily Mail, told of recruits repeatedly failing to spot fake bombs and grenades during X-ray training, and clearing people through security during their training without spotting hidden weapons, in one case a 9-millimeter pistol stuffed into a “test spectator’s” sock. The paper quoted one whistle-blower, whom it described as having a military background, as saying: “Some of the people on that course you would not hire to empty a dustbin. You are talking about really poorly educated, slovenly slobs.”
Petréa Mitchell: it's not all bad, they're banned vuvuzelas.
Nobody Seems To Notice and Nobody Seems To Care - Government & Stealth Malware
In Response To Slashdot Article: Former Pentagon Analyst: China Has Backdoors To 80% of Telecoms 87
How many rootkits does the US use officially or unofficially?
How much of the free but proprietary software in the US spies on you?
Which software would that be?
Visit any of the top freeware sites in the US, count the number of thousands or millions of downloads of free but proprietary software, much of it works, again on a proprietary Operating System, with files stored or in transit.
How many free but proprietary programs have you downloaded and scanned entire hard drives, flash drives, and other media? Do you realize you are giving these types of proprietary programs complete access to all of your computer's files on the basis of faith alone?
If you are an atheist, the comparison is that you believe in code you cannot see to detect and contain malware on the basis of faith! So you do believe in something invisible to you, don't you?
I'm now going to touch on a subject most anti-malware, commercial or free, developers will DELETE on most of their forums or mailing lists:
APT malware infecting and remaining in BIOS, on PCI and AGP devices, in firmware, your router (many routers are forced to place backdoors in their firmware for their government) your NIC, and many other devices.
Where are the commercial or free anti-malware organizations and individual's products which hash and compare in the cloud and scan for malware for these vectors? If you post on mailing lists or forums of most anti-malware organizations about this threat, one of the following actions will apply: your post will be deleted and/or moved to a hard to find or 'deleted/junk posts' forum section, someone or a team of individuals will mock you in various forms 'tin foil hat', 'conspiracy nut', and my favorite, 'where is the proof of these infections?' One only needs to search Google for these threats and they will open your malware world view to a much larger arena of malware on devices not scanned/supported by the scanners from these freeware sites. This point assumed you're using the proprietary Microsoft Windows OS. Now, let's move on to Linux.
The rootkit scanners for Linux are few and poor. If you're lucky, you'll know how to use chkrootkit (but you can use strings and other tools for analysis) and show the strings of binaries on your installation, but the results are dependent on your capability of deciphering the output and performing further analysis with various tools or in an environment such as Remnux Linux. None of these free scanners scan the earlier mentioned areas of your PC, either! Nor do they detect many of the hundreds of trojans and rootkits easily available on popular websites and the dark/deep web.
Compromised defenders of Linux will look down their nose at you (unless they are into reverse engineering malware/bad binaries, Google for this and Linux and begin a valuable education!) and respond with a similar tone, if they don't call you a noob or point to verifying/downloading packages in a signed repo/original/secure source or checking hashes, they will jump to conspiracy type labels, ignore you, lock and/or shuffle the thread, or otherwise lead you astray from learning how to examine bad binaries. The world of Linux is funny in this way, and I've been a part of it for many years. The majority of Linux users, like the Windows users, will go out of their way to lead you and say anything other than pointing you to information readily available on detailed binary file analysis.
Don't let them get you down, the information is plenty and out there, some from some well known publishers of Linux/Unix books. Search, learn, and share the information on detecting and picking through bad binaries. But this still will not touch the void of the APT malware described above which will survive any wipe of r/w media. I'm convinced, on both *nix and Windows, these pieces of APT malware are government in origin. Maybe not from the US, but most of the 'curious' malware I've come across in poisoned binaries, were written by someone with a good knowledge in English, some, I found, functioned similar to the now well known Flame malware. From my experience, either many forum/mailing list mods and malware developers/defenders are 'on the take', compromised themselves, and/or working for a government entity.
Search enough, and you'll arrive at some lone individuals who cry out their system is compromised and nothing in their attempts can shake it of some 'strange infection'. These posts receive the same behavior as I said above, but often they are lone posts which receive no answer at all, AT ALL! While other posts are quickly and kindly replied to and the 'strange infection' posts are left to age and end up in a lost pile of old threads.
If you're persistent, the usual challenge is to, "prove it or STFU" and if the thread is not attacked or locked/shuffled and you're lucky to reference some actual data, they will usually attack or ridicule you and further drive the discussion away from actual proof of APT infections.
The market is ripe for an ambitious company or individual to begin demanding companies and organizations who release firmware and design hardware to release signed and hashed packages and pour this information into the cloud, so everyone's BIOS is checked, all firmware on routers, NICs, and other devices are checked, and malware identified and knowledge reported and shared openly.
But even this will do nothing to stop backdoored firmware (often on commercial routers and other networked devices of real importance for government use - which again opens the possibility of hackers discovering these backdoors) people continue to use instead of refusing to buy hardware with proprietary firmware/software.
Many people will say, "the only safe computer is the one disconnected from any network, wireless, wired, LAN, internet, intranet" but I have seen and you can search yourself for and read about satellite, RF, temperature, TEMPEST (is it illegal in your part of the world to SHIELD your system against some of these APT attacks, especially TEMPEST? And no, it's not simply a CRT issue), power line and many other attacks which can and do strike computers which have no active network connection, some which have never had any network connection. Some individuals have complained they receive APT attacks throughout their disconnected systems and they are ridiculed and labeled as a nutter. The information exists, some people have gone so far as to scream from the rooftops online about it, but they are nutters who must have some serious problems and this technology with our systems could not be possible.
I believe most modern computer hardware is more powerful than many of us imagine, and a lot of these systems swept from above via satellite and other attacks. Some exploits take advantage of packet radio and some of your proprietary hardware. Some exploits piggyback and unless you really know what you're doing, and even then... you won't notice it.
Back to the Windows users, a lot of them will dismiss any strange activity to, "that's just Windows!" and ignore it or format again and again only to see the same APT infected activity continue. Using older versions of sysinternals, I've observed very bizarre behavior on a few non networked systems, a mysterious chat program running which doesn't exist on the system, all communication methods monitored (bluetooth, your hard/software modems, and more), disk mirroring software running, scans running on different but specific file types, command line versions of popular Windows freeware installed on the system rather than the use of the graphical component, and more.
 In one anonymous post on pastebin, claiming to be from an intel org, it blasted the group Anonymous, with a bunch of threats and information, including that their systems are all mirrored in some remote location anyway.
 Or other government, US used in this case due to the article source and speculation vs. China. This is not to defend China, which is one messed up hell hole on several levels and we all need to push for human rights and freedom for China's people. For other, freer countries, however, the concentration camps exist but you wouldn't notice them, they originate from media, mostly your TV, and you don't even know it. As George Carlin railed about "Our Owners", "nobody seems to notice and nobody seems to care".
Try this yourself on a wide variety of internet forums and mailing lists, push for malware scanners to scan more than files, but firmware/BIOS. See what happens, I can guarantee it won't be pleasant, especially with APT cases.
So scan away, or blissfully ignore it, but we need more people like RMS in the world. Such individuals tend to be eccentric but their words ring true and clear about electronics and freedom.
I believe we're mostly pwned, whether we would like to admit it or not, blind and pwned, yet fiercely holding to misinformation, often due to lack of self discovery and education, and "nobody seems to notice and nobody seems to care".
Mr Schneier, I think you lost the plot in your last essay.
#1 bloggers don't matter, the only people that bloggers matter to are other bloggers and people making money from it, directly or indirectly
#2 to be good at security you need a personal interest in it and have fun, just like coding. It's fun and profitable. These idiots that go into it just because there's some degree involved or they think they'll make over $9/hr will never be good at it.
Just simple thoughts from someone who's been in this, not as long as you sir, but for a time.
@ So scan away
How would one scan the BIOS for malware? OS does not have total access to BIOS. In fact, the BIOS can pre-empt the OS at anytime (SMI for example). You need different technologies for that. We also don't have known signatures to scan for. Best thing to do is to treat the whole computer as a black box, and monitor all incoming and outgoing packets with separate equipment.
Your post reminds me of a joke though, I was tempted to use it, but I didn't.
So there was this mentally stressed person that went to a psychiatrist for help. He told the psychiatrist that his problem is people treating him like a deck of cards. psychiatrist told him: OK, shuffle off, I will deal with you later.
oh, you're a card!
But more to the point, how on earth *would* you scan the BIOS? Short of an electron microscope, I can't think how to be sure I had accurately read the entire thing.
@ So scan away
Microsoft is trying to address a number of common BIOS/hardware attack vectors with it's UEFI (Unified Extensible Firmware Interface) secure boot, intended to lock up tight new Windows 8 PC's. The Linux community understandably is less than amused because this will make it a lot more difficult to create dual boot systems. Then again, with most Linux vendors and private enthusiasts cooking up workarounds, it's just a matter of time before it will get hacked in pretty much the same way Sony's PS 3 was.
In a somewhat broader context, most readers on this blog are well-aware of the issues you are mentioning. Our phones are no longer phones but tracking devices you can make a call with. Hardware and software is being backdoored by vendors or on behalf of governments. Corporations and TLA's are spying on our every move, with or without the proper legal frameworks in place for it. Crime syndicates have tapped into a market that is rapidly becoming more profitable for them than other activities, and definitely less riskier. Nation states are actively developing and using APT's for espionage and sabotage purposes.
The only thing we can do about it is remain vigilant, stay informed, apply security best practices and raise our voices against anything eroding our online liberties and privacy. Although anyone can significantly raise the bar for any type of wrongdoing, ultimately you have no chance against a resourceful and determined opponent. The moment this thought becomes unbearable, the only solution is to get off the grid, move out of town and go completely lo-tech. Which will still not protect you from being ratted out by someone close to you.
You normally don't expect the ABA Journal to be breaking such hot news....but....well...speechless. I guess I'll soon understand what it like to live in Britain whether I travel there or not.
@ O W and David
Been a few years since I worked on BIOS... If you are in Real mode, you are limited to 1MB of memory, and BIOS last I saw was sitting in an 8MB part. What you need to do is switch to Big Real mode, which will give you access to 4GB of address space. You still will not see the whole BIOS - if I remember correctly. Also, some of the BIOS code modules are encrypted, BIOS is also compressed and gets decompressed at some stage in the boot process. There were four segments in the BIOS: Boot Block, POST, Overlay, and Runtime. They are not all available once you boot from DOS (real mode)... But I guess you mainly care about the runtime and the SMI/SMM handlers which some stealthy operations can take place behind the OS's (and hypervisor's) back. Then there is the problem of reverse engineering. I worked in BIOS for a couple of years. Not a single person in the group understood all parts of the BIOS. You need a team of SMEs. USB SME, Memory / DDR SME, serial ports, Bluetooth, Video, PCI/AGP, ...
Very hard for one person to dump the whole BIOS and understand what is going on. If you take the black box approach, maybe that will give you a better bang for the buck ... I am talking about Legacy BIOS here, which is already sunsetting, and being replaced with EFI. That, I have not worked on.
@ WAEL & O W on BIOS
"Very hard for one person to dump the whole BIOS and understand what is going on. If you take the black box approach, maybe that will give you a better bang for the buck ..."
The Mebromi malware rootkits the BIOS. I think there was academic work on that stuff too. The results appear to be in line with your prediction. Of course, do we need to dump a BIOS out of a system? When I was looking into it, my plan was to pull the BIOS out of an update from the manufacturer's website. In light of the complexity you describe, I also doubt anyone would try to understand the whole thing, but rather find a place or modification for their injected code. (academics did that) Then, they'd want to flash it into the target system. If anything, this issue seems like one where there are possibilities to side-step around difficulties.
I'm also talking about legacy BIOS. I don't know the details of UEFI & have some trust issues with it till I know more.
@ Nick P & O W on BIOS
I was talking about someone not trusting what BIOS or other FW does on their systems, and wanting to see what was going on, as in "Is my BIOS sabotaged". If you are talking about someone trying to inject code, then they will have to do other things as you said...
"bloggers don't matter"
And yet you seem to feel the need to post comments on one...
"The Intel BIOS Implementation Test Suite (BITS) provides a bootable pre-OS environment for testing BIOSes and in particular their initialization of Intel processors, hardware, and technologies. BITS can verify your BIOS against many Intel recommendations. In addition, BITS includes Intel's official reference code as provided to BIOS, which you can use to override your BIOS's hardware initialization with a known-good configuration, and then boot an OS."
@Wael + @So Scan Away: Thanks to both for discussing issue. It is not fiction, and it does actually happen. I was also interested to read post from Nick P. I think these issues deserve more attention.
@Petréa Mitchell: My guess is that if you were to throw a lot of coins on the ground in a big crowd, it would be disruptive in that a lot of people would stop and start picking them up. Just a guess.
@ paranoia destroys ya
The axiom "Threateners Don’t Bomb and Bombers Don’t Threaten" is almost always true...
...and I'd like to see the datum - the one black swan - that proves it's not actually always true.
Canadian encryption software beats Syrian regime’s censors
There are anywhere from 25,000 to 40,000 Syrians bypassing the country’s Internet censors each day – thanks, in large part, to an ingenious piece of Canadian-made software called Psiphon.
Its primary goal, according to Psiphon’s website, is “to make available Internet content that’s otherwise censored” in places such as Syria, China and beyond. In Iran, for example, another 150,000 use Psiphon each day to access services such as Facebook, Twitter or Skype.
@ Gina Star, So Scan Away
Dang! Last post was meant for you...
It was not just the Award BIOS that had problems, I found one in the Phoenix BIOS as well many moons ago (anyone else remember 486SX's running at 50MHz?).
I suspect that Nick P might also be aware of others as well from his past comments.
Now I notice you might have briefly opened a side channel and thus leaked some infor about yourself with "paper by a colleague of mine".
As others have realised I tend to note such things..
Speaking of which @ yt are you still reading the blog? It would be nice to hear from you occasionaly if you are as I appeared to frighten you away with my observations.
@ Clive Robinson
Now I notice you might have briefly opened a side channel and thus leaked some infor about yourself with "paper by a colleague of mine
How observant of you :) No! I have not opened a side channel, although it's not difficult to find. Back to definitions:
Colleague : Noun. A fellow worker or member of a staff, department, profession, etc
He is a colleague of profession that I have known for over ten years. I asked him to chime in, but he was too busy. I have a feeling he will join one day -- trying hard to get him here ;) I will say it in a very un-British-like way: No! I don't work at McAfee, and never did :)
I also detect these things pretty fast. My specialty is patterns. I recently discovered that I use "So" a lot. So, I gotta reduce that. Speaking of work, I have eliminated one company you did not work for: Cliffs' Notes :)
Now let me think of a way to get out of this mess I got myself into after "Petréa Mitchell" and "MingoV" said their two cents...
@mbc - The axiom "Threateners Don’t Bomb and Bombers Don’t Threaten" is almost always true...
...and I'd like to see the datum - the one black swan - that proves it's not actually always true.
That axiom certainly didn't apply to the IRA campaigns where they would usually telephone a bomb threat using pre-arranged code words known to the police to allow them to quickly determine the validity of the threat.
Article from the Independent
@ Dirk Praet at July 15, 2012 12:37 PM
"The Hardware is crippled for the sake of Microsoft. Period.
Secure boot is Microsoft's attempt to maintain computer OS market share as their influences is being stripped away by the likes of Google (Android) and Apple (iOS). With HTML5 on the way, we will have WEB based applications that rival desktop versions, and run on ANY device. The OS is just a layer to get to where the real work gets done, information exchange.
AND the worst part is, secure boot doesn't actually fix the problem it pretends it solves. It can't. This is the whole DRM of DVD's and BluRay all over again. Look at how well that is working out.
DRM is broken by design."
"Richard Stallman has finally spoken out on this subject. He notes that 'if the user doesn't control the keys, then it's a kind of shackle, and that would be true no matter what system it is.' He says, 'Microsoft demands that ARM computers sold for Windows 8 be set up so that the user cannot change the keys; in other words, turn it into restricted boot.' Stallman adds that 'this is not a security feature. This is abuse of the users. I think it ought to be illegal.'""
@anon@mbc: re bombers & threats. Is this a semantic squabble? Were not the IRA calls made subsequent to planting the bombs? To me, in plain (not ITSec) English, a threat in the sense cited by "mbc" is something made or implied before an action is carried out (M-W: "an expression of intention to inflict evil, injury, or damage") In the case of the IRA calls, I think it can be argued that the action had already been carried out, albeit with a temporal delay, and that the calls were a separate action. I tend to agree with the general sense of the premise. In my personal experience, bullies tend to make threats to achieve intimidation, and mostly seem to need to work themselves up to actual physical attacks through a crescendo of rhetoric. If a non-bully believes he legitimately needs to attack, he will be more inclined to do so without warning. None of this is absolute, and YMMV, significantly.
this isn't a blog it's a message board
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.