Schneier on Security
A blog covering security and security technology.
« When Will We See Collisions for SHA-1? |
| New Developments in Captchas »
October 5, 2012
Friday Squid Blogging: Giant Squid Engraving from the 1870s
Neat book illustration.
As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.
Posted on October 5, 2012 at 4:38 PM
• 33 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
@ Ty Sarna
Step One: Want a shuttle, descrepit obsolete death trap that it is...
Ty Sama beat me to the Space Shuttle piece. Nice quip from mcb. Feynman's observations, rather the wisdom behind them, is still relevant today.
Nice summary of how patent system got where it is
I also re-upped on my academic papers. A few were crypto related (AND useful ;). An authenticated broadcasting system with good attributes comes to mind. If anyone wants, I'll post links to a few interesting articles. They're mostly ACM & IEEE, although some are freely available.
(I'm also considering making an offsite version with a large list. Spamming the site with 100+ links seems quite unreasonable, hence ain't happening.)
@ Nick P,
Speaking of your "beat me to" comment ;-)
I don't know it you've seen this,
Basicaly around this time last year there was a report from an "Illinois Fusion Center" that critical infrastructure had been destroyed by the Russians by stealing credentials to a SCADA system. A. well known SCADA "expert" released the Fusion Center Report on his blog site and it went mainstream news shortly there after.
Well it turned out to be not true and the DHS pointed the finger at the Fusion Center and so on as the blaim game started.
However even after that the DHS still reported it as factual to the politicos and even claimed it as a success...
Whilst it proves two principles "Garbage in Garbage out" and "One mans Garbage is another mans gold" it needs to be remembered that the US War Hawks want to treat "Cyber-Sabotage" as an act of war.
So we have the kafkaesque situation of a water pump burning out unexpectedly, an IT Tec spotting an IP address from Russia in the SCADA access logs from five months previously, a third person reporting it to a fusion center and then others pushing various buttonss, thankfully they missed the old Ronnie "Ray Gun" button for "Bomb the Commies"...
Well I guess "there's always next time"...
First off a nice little synopsis of the issues of keeping data secure from Business Week,
It's not saying anything many of us already know, but it's usefull to point less ITSec informed managers etc to as it's kind of got the "seal of approval" that well known business publications have for those sorts of people.
If the middle managers and above still don't grock it then point them over to,
Where they can see what various security concious Gov organisations are trying to combat APT issues.
Over on Brian Krebbs site there is an interesting article on why it's not just the fact that there is a zero day attack on a piece of software you use that should affect your choices but more importantly if it is being used to perform exploits,
Put simply the discovery of a zero day is like the discovery of any other bug, it's been there unknown since the software release and now it's known you have to chose what you are going to do about it. The point is if it's not effecting you then you can in theory carry on using the software, the fly in the ointment is if an exploit is developed for the zero day. Now the probability of that is actually more related to the popularity of the software you use, which leads to some odd looking advise. That is you have the choice of two web browsers MS IE and some other package. They both have current zero days that have been advised, do you do nothing or do you switch from one browser to another? Well the advise is if you normaly use the popular browser MS IE you would be advised to switch but if you use another browser that is not as popular you probably don't need to switch...
Now an interesting story on trust in base metal and why there is more gold in repositories than there should be...
Basicaly people are puting tungstan inside of gold bars as it's sufficiently similar for the bar to "pass the usual tests". The real question is do people realy want to know bearing in mind the effect it could have on the global economy in it's current precarious state...
Whilst I can understand the idea behind a "gold standard" I've always thought that it was unwise to use a single metal and that it should be based on a raft of finite precious resources. This is due partly to the problems with supply and demand on a single finite resource such as gold that is also used for industrial and other uses and partly due to such issuess of fraud as in this case. At the end of the day "wealth" is derived from "the application of work to raw resources to produce goods of value". Thus the alternative to finite raw resources is of course to use energy as the base standard as this is directly related to what we consider "work" in the abstract sense. However although there is only so much energy in the universe from the point of view of humans it's effectivly a continuously renewable resource as long as the sun shines so more accuratly reflects the vaguries of fiscal inflation etc.
Over on Gunner Peterson's site there are a couple of posts of interest one being his series of articles on Android developmentt the other being about Googel's release of OAuth 2,
Gunner makes the important point about OAuth having to be used with TLS but also several other points about why care should be used by developers of both client side and server side software.
Speaking of Authentication and it's problems over at the UKs CambLabs there is more on the storing of plaintext passwords, this time by the UKs Companies House which is actually quite worrying (see the comments section as to why),
Some of you might have heard that "53 Universities" were hacked and thousands of personaly sensitive details were released. Well whilst some of it might be true other bits are not,
There are a couple of underlying issues as to why this happens. The first is the race to be first on the Internet to comment, this has several advantages financial advantages for the news organisation. The second is that we are nolonger constrained by immutable news publication. That is it's very easy to change the historic record at the press of a button. Some people are honest about this and mark up what they have edited and why but others just make changes without comment, which in my view is dishonest behaviour.
In my view the more people who try to be human and not perfect and thus admit their mistakes and correct them then the easier it is for the rest of society to do the same. As was once observed "perfection is for deities, and even they aren't perfect" or more simply "to err is human". As for me I've occasionaly said "The only time I open my mouth is to change feet" :-)
New show on TV (in US) called Elementary. It's a rehash of Sherlock Holmes. Interesting part is Holmes' New York apartment has lots of book shelves filled with books. One scene has the main characters talking in front of several books by Bruce Schneier. Coincidence? I think not!
@ Clive Robinson re posts
It doesn't seem wise for the US to warmonger against Russia. Soviet capabilities were the main inspiration for the High Robustness standards in INFOSEC. They still have plenty of engineers, they have more spies here than during Cold War (source FBI), & they're hackers are world-class. I say we hold off on bullying a semi-superpower until our critical assets are protected with High Robustness solutions. Unfortunately, the Mayan apocalypse is more likely to happen than that. ;)
Nice article. I noticed they're taking a page out of my book by keeping it simple, in a safe language, & avoiding complex formats like XML. Great work. This caught my eye too:
"Cottingham, who is now with Foresight Consulting, says a combination of the agency's now-automated patching process and whitelisting has basically stopped most APT-type attacks from escalating. "We found 200 threats and passed them over to DSD," he said."
So, advanced attacks are defeated by regular patching & whitelisting? I wish the bar was so low for being considered advanced in my hacking heyday.
Re: Dark Reading
He has interesting points. Part of the problem is the insistence to keep rolling with the momentum of web everything done in web browsers. It's way too much complexity. That's one reason the security considerations spec was around 70 pages long. However, plenty of it could be condensed to something easier for average developer to mentally absorb.
I noticed they're taking a page out of my book by keeping it simple
What book would that be, Nick P? Do you have a title or an ISBN number? Perhaps I will take a gander at it when I have some "free" time...
American expression not to be taken literally. I evangelize certain practices in IT circles (blogs, etc.). Patent and copyright issues have kept me from publishing most of my stuff formally. Although, there has been so much good work in past few years that they're likely to independently invent or surpass much of what I came up with previously. The independent inventions are already coming in areas of assurance bootstrapping, virtualization-empowered security, browser security, TCB minimization, simpler formats, semi-invisible formal methods, and others. In some cases, I posted abstracts of similar approaches on this site or in other public places before them or in similar time frame. A few were based on ongoing discussions with Clive, RobertT and others.
I've honestly been overwhelmed with the amount of useful stuff researchers have been devising. I've been ignoring credit & self-promotion for the past year in favor of brainstorming every useful permutation I can think of with these things. I've been looking for ways to shortcut to huge assurance boosts with only moderately increasing work. I have made some progress. Sitting on them, though, until I see a way to get developers or admins to put them into practice. They can be as bad as users when it comes to using inferior products because they're "cool", standard or some other risk-increasing nonsense.
(Full PDF spec, XML-based protocols, & "everything" over HTTP technology through complex client/servers are recent examples. BYOD & Android are looking to be my next headache.)
"I get riled up whenever someone talks about cutting funding for research, especially NASA. It boggles my mind that we can send almost 4 Curiosity rovers per year, every year, for the cost of employing our little army of voyeuristic Freedom Fluffers."
Israeli forces have shoot down a fairly large UAV that encroched on it's airspace from the Mediterranean.
Footage of it being shot down has been released to various broadcast organisations.
What is unknown currently is where it originated however Israel have indicated they do not currently believe it originated from the Gaza strip.
The question is not so much where the UAV came from but from whom, Israel's comments apears to let Hezbula of the hook, which leaves several other nations including Israel or even the US.
Laser strikes on aircraft becoming epidemic...
It depends on what you mean as "strikes" you can purchase various battery/hand held lasers some green lasers are sufficiently powerful to be clearly seen reflecting off of buildings considerably more than a mile away on dull overcast days.
At night they can be seen reflecting atleast 2-3miles away without any augmentation.
You can easily augment the range by using a pair of binoculars where you shine the laser into one eye piece which effectivly colimates the beam. You can then look through the other eye piece and I've been told that distances of well over ten miles are possible.
That said you can augment the laser even further, because some green lasers are actually much higher power infra red laser diodes shining into a crystal that multiplies up the frequency to make it visable in the visable light spectrum. The power loss in this conversion is 15-20db.
Importantly although this infrared is not visable to the human eye it is very much visable to the IR cameras used on police / customs / military helicopters and can be used to jam some of these systems with little difficulty. Also some IR laser diodes produce significant output in the range that can also effect visable light cameras.
However most comercial aircraft once the front wheels are off of the tarmac are not effected by low powered lasers of any frequency simply because they take off and fly in such a way that the pilots eyes are shielded by the airframe. However this is not true for aircraft that are landing where the pilots eyes are more vulnerable.
The problem for helicopters doing some kind of surveillance is that when "painted" by a laser the pilot has little or no idea if it is just a hand held laser or some kind of gun sight. The pilots eyes are in danger of being partialy or fully blinded temporarily due to iris closing down in the same way as happens with the headlights on full beam of an oncoming car at night. Further as indicated the laser can also shut down the cameras thus effectivly blinding the pilot and observer, which leaves the pilot with few options the best of which is to turn away from the laser and fly out of range of a potential sniper weapon which is effectivly 2-4Km.
From a criminals point of view using a laser that can easily fit in a coat pocket that will cause a surveillance helicopter to break off is rather usefull when making a get away, especialy if they can get others to point lasers at the helicopter as well by simply phoning them up.
@ Nick P,
It doesn't seem wise for the US to warmonger against Russia
Yes Russia is still very much a super power these days, it's just that the political influence tactics have changed.
Where as it was once militaristic with high counts of bodies in uniform, guns, tanks, planes, bombs and laterly nukes that defined a super power these days the reality is economic with the high counts of raw resources you control.
Both Russia and China control vast raw resources and are activly seaking control of more in other nations, realising that these are in essence the Achilles heel of an industrialised nation. Whilst China and Russia originaly had some very limited capacity to process the raw resources they have realised that the real trick is to get the organisations with the real processing know-how from the West and East Asia to setup production on their soil where they are easier targets for industrial espionage and political take over.
The Russians under Putin have shown that they are quite able and willing to "turn the gas off" on nations they want to exert political control over, just as the Chinese have shown they will not export the likes of rare earth minerals that they have a virtual monopoly on unless companies agree to set up their research and production on Chinese soil. The Chinese have also shown just as the Russians have that they are more than capable of engineering disputes with Western companies that have built large plant in China and effectivly confiscate the plant via their courts etc.
Some Western super powers are finaly waking up to the fact that their Hi-Tec weaponss systems are now totaly reliant on parts and raw resources they have no control over that come from nations that are not dependant or tied to these Western nations that are at best 'old school' Super Powers.
Super power status is rapidly moving to those who control the supply of resources the most important of which is energy. History shows us with the likes of "water rights wars" what is happening currently in the resource supply game and what in all likely hood will happen in the future. Quite literally the Super Power game is turning into one of "power" politics.
It also partly explains what is going on with the US/Israel and Iran. Historicaly Iran is not a warlike nation in that in the past 400 years or so they have not been the attackers but the defenders. Further Iran is very resource rich, and whilst sitting on what was and may still be the worlds largest lake of oil, the export of crude oil only accounts for something like 17-20% of it's foreign income. Like several other middle eastern nations they know that the oil is a finite resource and are thus like many western nations looking for alternative energy resources to maintain their political independance and not fall into the trap of becoming a vassal nation that gets it's finite raw resources "asset stripped" by super powers. For obvious reasons it's not in the US interest to allow Iran or any other nation with raw mineral reources to gain energy independance as this removes a major form of leverage when "negotiating" for the mineral resources, now that the "point of the gun" negotiation/theft of Empire building of old is no longer seen as politicaly acceptable by the US voting citizens.
But from the Russian and Chinese view point some Hi-Tec Western Companies are not playing the game, because they are not falling into the trap of moving their research or production to their soil hence we see the rise of APT in it's various forms. Not that Russia and China are the only nations doing APT certainly most EU countries and other WASP nations are doing it as well even if passively.
When the US war hawks jump up and down about "China APT" they are either showing bias for other reasons or their ignorance (take your pick it could be both ;-).
As I've indicated in the past it is well worth thinking about the route data takes to get from the US to China much of it gets routed through other places such as Japan and Australia both of which could monitor the APT traffic passively, or in fact launch attacks that look identical to that which does come from/through China. Likewise China can monitor all APT traffic that comes through them.
Much APT return traffic is in plain text or only lightly obsficated and even where it is encrypted the keys are either known or can be fairly easily got at via various MITM and other tricks. The reason this is possible is quite simply that with APT there is no "far end" "end point security" thus symetric keys are vulnerable and PK can be either subverted or by passed.
Which means that anyone sitting in the comms path of the APT return channel can passivly see the contents that has been stolen... Which brings a loverly new twist to the phrase "Who watches the watchers...".
It is this realisation that may well have caused "the sons of Stuxnet" designers to use some of the methods they did to protect the real payload of flame and presumably other similar yet to be discovered attack vectors.
It also raises another point that I've not seen others discuss which is "traffic analysis" of the "return channel". As you know the more advanced APT uses cut outs in the return channel, many assume that this is for the traditional reason of using cut outs. However consider that the network locations for these cut outs might be selected to specificaly stear the return channel away from various segments of the Internet that are known to be monitored. Analysis of where is being avoided or specificaly included may well provide information on who the actual originator of the APT is not who it appears to be.
Thanks for the feedback. I was not concerned about the technical aspects of the activity, but the count. At 3700 a year, that is more than 10 per day, and since there is a count, they must all be documented. Really? A google search indicates this is all based on ONE FBI story. I still think security theatre is driving this as another avenue to suck money from the government for something that is not much of an issue.
(should I be surprised to be "first!" on the squid itself?)
Perusing the stacks in the Crerar Library one day, . . .
When I was in high school, chasing down an obscure math puzzle, I went to the Crerar, filled out a call slip for a century old journal, and they handed it to me . . .
Talk about love at first sight! The Crerar is a treasure.
Your numbers are wrong on Iran. It derives closer to 80% of its export revenue from petroleum.
Your numbers are wrong on Iran. It derives closer to 80% of its export revenue from petroleum
I think you've got that 80% number from Wikipedia which is very much based on out of date information sourses based on pre sanction data.
Further it is an agrigate figure for primary (crude), secondary (refined) and tertiary products, not just crude which was what I was giving.
It is important to distinquish between primary and other oil products because the other products result from industrial economic development within the country and give a good indicator of the countries economic development. Importantly Iran did not used to be a petrol producer and imported the bulk of it's petrol. Since sanctions they have started producing their own petrol in increasing quantities, but have offset this by reducing and removing subsidies which has caused inflationary preasures, the value of the Iranian currancy has devalued by a significant amount as a consiquence of the sanctions.
Primary production figures you see quoted are usually given on well head Barrels of production figures that are often very misleading as there are various types of crude oil that have vastly diferent dollar values per barrel. Thus well head barrel production figures cannot be related directly to monetary figures, and it is long known that these figures are "fudged" by both producers and economic viewers. In this respect it's a bit like trying to work out a companies profit and overhead by just observing what quantaties of raw materials/components have going in the company gate.
Further many if not all oil producers these days do not actual export well head crude but process (partialy refine) it prior to export. This process usually involves removing light gases such as LPG etc and heavy products and condensates etc. This is done for both practical reasons (ie transportation issues) and to meet the requirments of other down stream processors which gives a value added product with much higher per barrel dollar figures.
As noted some producers further refine the crude into secondary products such as natural gas, LPG,petrol, aviation fuel, fuel oil and other energy products as well as chemical industry products. Some further process into other bulk products such as fertilizer, plastic pelets used for injection moulding etc whilst others further process to finished consumer products such as plastic bags, buckets etc. At each stage the value added increases greatly and thus it's value to the dollar export value.
Further recent sanctions are currently against crude but not other products and this has caused the contributions to "visable" export figures to distort markedly (supposadly there has been a 50% reduction in crude exports). But we have reason to believe that Iran now "barters" crude products rather than trades them for "hard currancy" with a number of nations such as China as a way to sanctions bust.
Iranian crude tends to be light in the lighter products and it's gas reserves come from seperate sources to it's oil. It thus tends towards fuel oil for bulk energy production rather than road vehicle used petrol products for export. Prior to the sanctions Iran mainly imported petrol and subsidized it heavily to encorage economic growth. Since the recent sanctions Iran has started producing low grade petrol which unfortunatly has significant environmental and health impacts over and above the economic impacts.
The latest US Congresional Research Service report on Iranian Oil sanctions (by Kenneth Katzman) was published on 13th Sept is available if you wish to read it's 84 pages of US sanctions related information and it provides clues that the figures for Iran are quite different currently than they were back prior to the 2010 figures you see else where.
Such as the US Energy Industry Analysis (EIA) report on Iran, which although is reasonably readable it's analysis is based on pre 2010 information (and appears to be consistent with the CIA world fact book).
Thus the figures I gave of 17-20% for crude are based on what is thought to currently be the case in late 2012 based on the Iranian crude that is visably traded and also what is assumed to be bartered invisably. But does not include crude that is exported as a swap for crude received from adjoining nations and regions.
Last week James E Burke, former Johnson & Johnson CEO passed away. He had the helm during the "Tainted Tylenol Scare" back in 1982. I think it's interesting and relevant, because it was in many ways a security problem, and especially a problem in managing expectations. J&J handled the problem remarkably well, and managed to keep the Tylenol brand name alive, and regain trust.
Interesting article on Burke, the incident, and the response:
In my comment above to @ Nick P, I mentioned,
It is this realisation that may well have caused "the sons of Stuxnet"designers to use some of the methods they did to protect the real payload of flame and presumably other similar yet to be discovered attack vectors.
Without giving further info on the "yet to be discovered"... It is known that the C&C servers that dealt with flame were also (potentialy) used for three other sets of Malware only one of which has sofar been identified.
Those interested might want to have a look at,
The use of the same "cut-out" servers for the return channel of the C&C raises a big question of why? A sensible person would have realised that at some point one set of malware would be discovered and thus so would the C&C servers giving rise to the knowledge that there were atleast three other sets of malware by the same designers in use... This is not good tradecraft which sugests that the deployment teams are both over confident and under trained in the ways of malware hunting and Botnet be-heading.
This sugests that those involved are likley employed by a Gov Agency directly out off college/University. Why? Because although they are very knowledgable theoreticaly and might well associate with top flight cryptographers, they are not worldly wise to the cut and thrust of real world Botnet herding, detection and taking out. Thus they are not likley to have been recruited from the industry...
But as I always point out this sort of thing is a "game of smoke and mirrors" thus you have to watch out for that maze of twisty little passages of double think that can give rise to assumptions that are not of necessity valid.
@ Clive Robinson
Bout to leave so only time for a quick thought. The second article implies most of these were from the same people making Stuxnet, which other sources say was joint US-Israeli operation. Let's put that in one paraphrased sentence: "our analysts say the team that made Stuxnet & Duqu may be behind the malware hitting banks right now."
I hope we get sources that clear the connection between the bank malware & our intelligence agencies. Otherwise, there's an implication: false flag operation. Our people hitting our banks. Cyberwar agenda, such as funding & laws, is a motive.
I'm also remembering the evidence that the bank failures leading to the Federal Reserve were staged. There were investigators at the time that had that belief. Old philosopher said Problem-Reaction-Solution is best strategy. Gotta create a public crisis & panic before a power grab. Many power grab attempts recently. It's all getting too disturbing Stateside, imho.
As some of you may know a bipartisan report has been released on the DHS's Flagship Fusion Centers as bing in effect usless at their stated job and thus a compleate waste of money, over and above their questionable and probably illegal activities (including it would appear corruption).
The UK's Daily Mail has even commented on it,
Which bearing in mind their normal editorial political leanings is very surprising.
I do however need to say as I always do about certain UK newspapers (Daily Mail, Daily Mirror, Sun and others) please treat as though it has an implicit health warning attached.
@ Nick P,
I hope we get sources that clear the connection between the bank malware & our intelligence agencies. Otherwise, there's an implication: false flag operation.
Whilst I would not rule out a "fund raiser" we have seen them before with the likes of the FBI going out and recruiting idiots to use as "terror suspects" to show that "there is a real danger out there folks".
I'm not certain that there is sufficient evidence to justify the "same developers" claim, mostly because as we saw with Stuxnet there were quite a few teams of people involved. So it is possible
that the original developers produced a framework that is now being used by other developers. It could even be that the original team were "freelancers" and individuals have sold/used the framework as the basis of other work or those buying originaly have sold it on to others.
Therefor I'm sort of sitting on the fence on the connection having any specific meaning (the code could have been stolen etc).
But yes False Flag / Fund Raiser is a very definate possability as you can not have a war against an enemy that does not exist, you have to make them exist even as a pale imitation of what you might claim is the enemy.
A thought occured to me some time ago when thinking about the Somali AQ connection, when the female student was shown to have been set up over the courier bombs. Just how diffficult would it be in that part of the world to run false flag operations...
It would appear thatt the US Gov believes that the Russias are stealing HiTec again,
Reading the article a couple of things don't sound right with the story, for instance the electronic component's that were listed in all probability may not have been designed or manufactured in the US just purchased there. Further they are not components that you could not purchase for other reasons without elaborate stories.
For US Attorney General Loretta Lynch to say that "The defendants tried to take advantage of America's free markets to steal American technologies for the Russian government," is somewhat silly. After all the esential essence of a "Free Market" is that it is unregulated and open to all with the financial resources to "purchase" the goods and services offered by others...
So my guess is there is something a lot more interesting behind the story which is not being talked about...
But I actually doubt these few people are the only ones at it for Russia and likewise I think that several other countries are doing similar things.
Fancy printing your own gun?
Have a read of a NYTimes Blog,
The important part is at the end. It would appear legaly in the US the only part that is regulated is the "lower receiver" that holds the magazine trigger assembly etc, the rest it would appear is quite legal to buy at a gun shop either local to you on the internet.
Oh and if you want to know how to build your own gun from bit from your local plumber/hardware store the article refrences a "zip gun" that you can google for and down load the plans.
Historicaly during WWII the British ran into a problem in that the traditional soldiers weapon the 0.303" Short Mag Lienfield was manufacturing intensive and was designed for use in open country not built up urban areas. There was also a glut of 9mm pistol amunition at the time (not so these days in the UK due to the law making semi and fully automatic hand guns effectivly illegal). So back then somebody came up with the idea for a "blow back weapon" that eventually became the Short Machine Gun or SMG that was also known less than effectionatly as "the plumbers delight" and was indead originaly constructed from pipe fittings. Though it later moved to castings for some of the parts.
Well you can see a modernish version you could build at home with moderate metal working skills that a 12year old could master. You can see photos of the bits without downloading the plans at,
They can also smile at FB's share price.
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.