July 15, 2001
by Bruce Schneier
A free monthly newsletter providing summaries, analyses, insights, and commentaries on computer security and cryptography.
Back issues are available at <http://www.schneier.com/crypto-gram.html>. To subscribe or unsubscribe, see below.
Copyright (c) 2001 by Counterpane Internet Security, Inc.
In this issue:
Phone Hacking: The Next Generation
The phone network and the Internet are converging. That's good news for smart telephones, new telephony services, and customer convenience, and bad news for security. If you think that phone hacking is bad now, take a gander at what's coming.
During the last fifteen years or so, there has been a trend toward intelligent telephone networking. We've seen ISDN. We've seen SS7. We've seen IN (Intelligent Networking). These protocols are responsible for all the cool telephony features we've come to know and love: call forwarding, call following, local number portability, caller ID, etc. These features work fine, but are limited because they are all controlled by the phone company. If you want to initiate caller ID, you need to get the phone company involved. If you want your business calls forwarded to your home after 5:00 PM, you need to turn that on and off every day.
On the corporate side, we've seen Computer Telephony Integration (CTI), which didn't work very well because it was so big and clunky. It might be fine if you're a huge call center, but it just wasn't cost-effective for your average business. Development cycles were long, and service creation horrendously expensive; usage was rare.
But along came the Internet, and everything changed. The notion of intelligent endpoints (computers) and a dumb network (routers) turns the telephony model upside down. There are several consortiums and standards bodies working on bringing the Internet model to the telephone network, and allowing Internet-based control of telephone switching. The idea is to turn the telephone network into a giant networking resource that people outside the telephone network can control and manage. The benefit to the enterprise is more features and control: cost savings, better sales and marketing, improved customer service, etc.
The Parlay Group is a major player in this space. A consortium of software, hardware, and telephony companies, they are creating a specification and API to enable phone-system control from outside the secure telco network. This API will allow software to do such things as reroute calls, get notified of call attempts, retrieve the location of mobile users, and more. Even access to telco billing systems is planned. The idea is that computer applications can have integrated telephone components.
Even more fundamentally, all the switching protocols will interoperate at multiple points. Switches, gatekeepers, proxies, and call control agents will all be components of the new telephony control system. Control can be distributed or centralized, depending on the application.
Meanwhile, the IETF is defining the Session Initiation Protocol (SIP) for Voice over IP (VoIP) and more. This protocol will allow a user to define complicated ways to redirect calls: between 9 AM and 5 PM ring my office number, between 5 and 6 PM call my cell phone, after 6 PM call my home phone, and if my mother calls at any time, send her directly to voice mail. The protocol even includes a programming language, so a user can write a program to handle phone calls to match his own needs. While these features are nominally controlled by the user, the programs are stored in the telco network, and a DNS-like service is used to handle the profile and call forwarding. SIP is becoming a big thing; it's currently being used for VoIP telephony, will control calls in 3G wireless networks, and is being envisaged for all sorts of other uses like Instant Messaging.
The big idea here is to leverage the development techniques of the Web to services for telephony. New services are essential, because all the carriers have cut their collective throats on per-minute long-distance rates. Premium services are seen by many as the only source of meaningful revenue in the future. This means that telephony, which has heretofore been slow and methodical and reliable, will become as freewheeling as the Internet.
I am terrified at the security implications of these services. Sure, the Parlay spec says that communication between the Parlay client and Parlay server in the telco network is encrypted, and authentication will be enforced, but I don't believe for a minute that this will remain unhacked. SIP contains security provisions, but I don't trust them.
It's not the details of the protocols. It doesn't matter how many bits the key is, or what authentication protocol they employ: we've learned from experience that all systems like this are hackable. The worry is that these protocols open a huge hole into the telephone system. The problem is that these telephony control systems will sit on top of insecure operating systems. They will be hacked, and then things will get ugly.
Think about the possibilities for a minute. Denial-of-service attacks are a breeze: just reroute all calls to a person elsewhere. Or reroute all calls to a popular phone-sex service to another person. Or maybe just eavesdrop: set up a three-way conference bridge whenever someone receives a phone call. Remember the Trojan program that quietly made the modem dial Moldavia; this kind of system would make that hack a lot easier. And don't you think all of those hackers who chat on IRC would much rather take over a PBX and set up a conference call? You don't need me to think up the possibilities; there are lots and lots of them, none of them good.
One of the biggest backward steps is the re-merging of the control and voice channels. Switch and PBX hacking used to be very easy when signaling was done in-band. SS7 is an out-of-band signaling system, which separated the voice from the telephone control and made "beeping into the receiver" hacking impossible. These new IP telephony systems rebuild that old, vulnerable model.
It gets worse. The FCC is mandating that cell phone companies pinpoint phone locations to within 50-100 meters (for use with 911 calls). The carriers plan to use this information to create new data services based on location. The location information will also be available through services like Parlay for third parties to use. Imagine the security implications of that information getting into unauthorized hands. What if someone correlated a person's cell phone with his online identity? Could he pinpoint locations of desktop computers on the Internet? (This is actually a serious issue for 911 services. Unless one can somehow manage location information for endpoints, there's no hope of fielding a reasonable life-critical communications system based on the Internet.)
And think about reliability. The one thing about the telephone system is that it just works. That reliability is very hard to engineer using Internet protocols. As the phone system starts to look more and more like the Internet, it will become as reliable as the Internet. This means that it will forever be in beta. This means there will be software incompatibilities, upgrade problems, and random weird errors. This means that it will fail, catastrophically, once in a while.
Telephone hacking is not new. There have been decades of allegations and investigations into Las Vegas crime syndicates surreptitiously rerouting escort-service phone numbers, and the automatic telephone exchange was invented in the late 1800s by someone convinced that operators were rerouting his calls to rival businesses. Before the Internet, the phone network was the primary focus of hackers.
But it's a hard network to hack. Telephony is still a controlled closed universe. The protocols are often proprietary, access is limited, and information is scarce. You need to speak SS7, have the right physical connections, etc. There is nominally no interconnect to the TCP/IP Internet. Even with knowledge, it is the limited physical access that provides the most constraint. Voice and control are on separate channels. None of this provides absolute security, but it helps keep the number of hackers down.
The Internet, on the other hand, is much easier to hack. It's public. It's available. Anyone can connect a computer up to the Internet. Anyone can download boatloads of hacking tools. Anyone can become a script kiddie.
What we're seeing is another example of the tension between functionality and security. Opening the network is a good thing from the perspective of creating innovative new services, speeding up development cycles, adding value to data and voice. Yet when we do this, we open up the potential for the bad things as well. It's impossible to get the one without the other.
Soon the phone network will become just like the Internet. Putting control of telephony networks on the Internet means anyone can hack chicago.switch.uswest.net. These protocols will turn control over to both authorized and unauthorized Internet control. If you think phone phreaking was bad, just wait until anyone can do it.
Standards and companies active in this area:
Steve Bass and John Ladwig both helped with this article.
Those of you who have subscribed recently might have missed these essays from back issues.
The Future of Crypto-Hacking:
Full Disclosure and the CIA:
Security Risks of Unicode:
Security is a people problem:
The NSA has released a bunch of guides to help DoD organizations secure Windows 2000.
I'm not sure what to make of this one. Robert Hanssen, the FBI agent accused of spying for the Russians, wanted to retire into a job with Invicta Networks. (Invicta Networks is the company run by Soviet KGB defector Viktor Sheymov that I talked about last month.) Is Invicta Networks a government front? For which government? This is just plain weird.
Rental car companies use GPS features in their cars to spy on renters.
Insiders are a serious security concern.
I have long wondered about the security of various online competitions. Here is a Coca Cola competition that has been hacked.
Negligence causes security problems. (Does this surprise anyone?)
Here's a story about a Microsoft IIS vulnerability, a patch that many people have not bothered installing, and a hacker tool that exploits the vulnerability. Often the tools are made public, and are used by thousands of script kiddies world-wide. At this time, it seems that the hacker tools are being held closer to the vest because they are so valuable.
How the FBI investigates computer crime:
Parody: "Terms used in the disciplines of Cryptography, IT Security and Risk Analysis."
Excellent three-part series on developing good security habits:
NIST has released a new FIPS 140 standard. This has been the de facto standard for cryptographic modules, and is evoked for other crypto hardware devices. There aren't many changes in the new FIPS 140-2, but there are some.
Comparing computer viruses with biological viruses:
Terrorists are using encryption!!! This is a terrible story, one-sided and full of hyperbole. But it plays well as FBI propaganda. Remember kids, cryptography is for criminals. Big Brother is your friend. What I particularly like is the way key escrow is proposed as the solution when steganography is described as the problem. Geez.
Big Brother is Tampa's friend. During the recent Super Bowl in Tampa, Florida, the city installed video cameras that watched everybody coming into the stadium. Then, the faces were compared to an archive of wanted criminal suspects, looking for a match. (The system matched nineteen people, all wanted for minor offenses. No one was arrested.) Tampa liked the system so much they're making it permanent.
Time for some good news. The EU is funding a project to build an intelligent agent that executes actions in compliance with European standard privacy legislation.
Article on NSA's Cryptologic Museum:
Eli Lilly leaks 600 names of Prozac users. I wonder what the "computer programming error" was -- using "To:" instead of "Bcc:" in an e-mail?
Outlook Redemption is a developer tool specifically designed to let Outlook applications evade the Outlook security patches and built-in features of Outlook 2000 that warn users when applications send mail on their behalf, read their address book, and so forth. This can't possibly be a good idea.
This story is interesting because it shows how easy it is to track someone trying to be anonymous on the Internet, especially someone who doesn't understand how the Internet works.
Yet another scary hacking tool. Sure, there's a patch available. But what percentage of users actually have installed the patch? Anyone care to take a guess?
Trojan horse that is a spam tool; it sends bulk e-mail without the user's knowledge.
Having a firewall set up on your system doesn't do you much good if you don't monitor it for abnormal behavior.
An argument for anonymity: From "The Economist": "Scientists and engineers at Xerox's Palo Alto Research Center (PARC), for instance, were discouraged from searching an online database of patents maintained by IBM. Xerox feared that if IBM tracked the pattern of inquiries made by its engineers at PARC, the computer giant could build a fairly accurate profile of the kind of research under way in the Palo Alto laboratories."
Top 10 security mistakes. Not a bad list, actually. The main problem is that some of these mistakes are not fixable. At least, it's not realistic to expect them to be fixed.
You have to love the irony of this story. "A U.S. government website devoted to helping businesses keep sensitive information private instead revealed confidential information about American firms." Honestly, I don't think the so-called Safe Harbor idea is going to work long-term. As soon as European governments realize that private information is being leaked, they are going to demand the same controls on non-collection that they subject their own companies to.
Malware of the future will be worse.
Counterpane Internet Security News
Some time ago I talked about various cool things going on at Counterpane that I couldn't talk about. One was the reseller agreement with Exodus, which I mentioned last month. The other is our VAR program. This is a big deal. A whole bunch of security VARs and resellers have signed up to resell Counterpane's Managed Security Monitoring service.
Alliance between Counterpane and Cigital:
Schneier is speaking at the 3rd Annual CERT Conference in Omaha on 6 August:
A video interview with Bruce Schneier is on silicon.com:
(Note: This essay advocates something that my company, Counterpane Internet Security, is selling. If this will offend you, please do not read this. I have announced my bias. You are forewarned.)
You have a safe in a dilapidated building, and you need to secure it. What's the first thing you do? Inventory the safe? Assess the security of the building? Install better locks on the doors and bars on the windows? Probably not. The first thing you do, as quickly as possible, is alarm the safe. Once the safe is being monitored, you can then afford the time and attention needed to inventory the stock, analyze the environment, and improve the security. Without monitoring, you're vulnerable until your security is perfect. If you monitor first, you're immediately more secure.
Network security has this backwards. Companies see monitoring as something to do after they have their security products in place. First they develop a security policy. Then they do a vulnerability analysis. Then they install a firewall, and maybe an intrusion detection system. And finally they think about monitoring. Rationally, this makes no sense.
Monitoring should be the first step in any network security plan. It's something that a network administrator can do today to provide immediate value. Policy analysis and vulnerability assessments take time, and don't actually improve a network's security until they're acted upon. Installing security products improves security, but only if they are installed correctly and in the right places. How does a CIO know what products to install, and whether they are actually working -- in the actual corporate environment, not as they worked in the lab? The only way he can know is to monitor. Monitoring ensures that security products are working properly.
This kind of thinking is especially important in dynamic environments like company networks. The network changes every day: new applications, new servers, new vulnerabilities. A CIO can go to sleep one night confident that his network is secure, and can wake up the following morning to read about a major vulnerability in the newspaper. Suddenly his network is wide open, even though nothing changed. A CIO can reconfigure his network to increase productivity, or add a new network service, or simply upgrade a software package, and suddenly the security of his environment is completely different. Networks are extremely complex -- nonlinear and tightly coupled -- and it's impossible to predict how different subsystems interact. How does he know the security ramifications of what he does? The only way is to monitor security.
It's specious logic for a CIO to decide to wait until his network is stable, he understands his security, and all his patches are up to date. It'll never happen. Monitoring's best value is when a network is in flux -- as all large networks always are -- due to internal and external factors. Monitoring provides immediate security in a way that a vulnerability assessment can never provide, in a way that dropping a firewall into a network can never provide. Monitoring provides dynamic security in a way that a random product can never provide. And as security products are added into a network -- firewalls, IDSs, specialized security devices -- monitoring only gets better.
In engineering, control theory is based on the concept of monitoring. An engineer might want to be able to tune his factory: "How can I control this plastic film extruder to ensure a uniform thickness of plastic?" This is a real question, and a complicated one. The plastics extruder might have a dozen different dials controlling things like temperature, pressure, and speed. You can adjust the amount and force of the air being blown, the amount of plastic bead material in the machine, or how rapidly the film is pulled out of the machine. All of these controls affect the thickness of the plastic; but what you really want is to turn a single dial that says "4 mil plastic." But since each dial affects the others, can even cause time-dependent feedback loops, it's not nearly as simple as that. So what do you do? You monitor the system, not just at the output but internally. Then, based on what you've observed, you establish feedback loops to create a closed-loop system (I am i
Security is no different. Monitoring is what gives companies a window into their security. Did you install a firewall? An IDS? Why? Did it increase security or not? Did you configure it right? Did you install it at the right place in your network? How do you know? Monitoring is how you know. Monitoring is the only way you can really know. And once you know, you can start making changes. If you make changes without monitoring, you're just guessing.
Monitoring is the feedback loop that makes all the other network security activities more effective. It's how you determine where to install security devices, and whether or not they're doing any good. It's how you know if your security devices are configured correctly. It's how you ensure that your security doesn't degrade over time. And it needs to be done first.
Comments from Readers
From: Hal Lockhart <hal.lockhartentegrity.com>
In recent years, I have become convinced that one of the biggest obstacles to information security is incorrect reasoning based on false analogies. Don't get me wrong. I think analogies are great, I use them all the time to explain technical concepts to laymen. The problem comes when you try to design solutions from the analogy rather than the technology. A familiar, non-computer example is when people who don't understand the math try to argue about relativity. Closer to home, I have seen many people who put their Web server with private key outside the firewall. "I don't want to let somebody inside my wall until I check their credentials," they say. They are thinking about a guy with a crowbar, not computers sending and receiving messages.
This brings me to your articles on war as a metaphor for hacking, which makes me nervous for the reasons stated. I am always happy to steal good ideas from anybody, but hacking as war strikes me more as rhetoric than reality. In a war, the enemy has some identity, common characteristics, loyalty and objectives. While we would prefer to defeat the enemy, we can have confidence that if the enemy achieves some set of goals they will be willing to stop fighting.
The current state of the Internet seems a lot more like anarchy or vandalism. Attackers have no common characteristics or objectives, except the attacks themselves. In fact it appears that in most cases they have no external objective at all. Web defacements in particular seem almost exactly like spray painting graffiti on subway trains. This is a problem that was once thought to be insoluble, but was eventually reduced to acceptable levels by the combined use of technology (padlocks and special paints) and labor (cops and cleaners).
However if you insist on war as the metaphor, here are two thoughts along those lines. First, the war, if that is what it is, is surely a guerrilla war. The entities being attacked are large, visible, slow-moving and part of the power structure. They have much greater resources than the attackers, but no effective way to apply them. The attackers and few, dispersed, hidden and have few resources. But what they have is the free choice of when and where to attack.
To fight guerrillas it is necessary to a) identify them; i.e., distinguish them from civilians and b) control some resource that is essential to their survival. Given the Internet as it exists today, I don't see much hope of doing either of these. If the authorities decide to employ broadly targeted, draconian measures, they will find like the British in America and the Americans in Vietnam, that the collateral effects on innocent civilians are simply unacceptable.
My second thought about hacking as war is that the situation can be compared to that in many wars, but most especially the American Civil War. While some people were busy fighting and dying, war profiteers made fortunes selling rotten food, unserviceable uniforms and non-working weapons. With a market full of snake oil security, bug-ridden applications and vendors who are more interested in suing or prosecuting people who reveal security problems than fixing them, this seems like the kind of war we are in.
From: Bill McGonigle <billzettabyte.net>
>From: Richard Straub <firstname.lastname@example.org>
It cannot be argued that a human law created less than 300 years ago is a natural law. Copyright was established in 1710 by the Statute of Anne by the British Parliament to protect the public from the publishers.
This was an artifact of the printing press. After Gutenberg invented it a market for books developed. Before that people actually memorized and told stories. Books were way too expensive and had to be hand-copied by monks (in papal states). People decided they liked books, probably since then they could spend time on things besides memorizing stories. Once people didn't remember how to memorize stories, publishers figured out that they could make a bunch of money by creating a scarcity of stories in the books market. The Parliament put a stop to that with the copyright law by limiting the term of exclusivity, but since the capital costs of hiring a logging team, building a pulp plant and building a printing press are beyond that of ordinary citizens, a scarcity still existed, and publishers could make a fair profit.
Digital reproduction drives the scarcity towards zero since the costs of reproduction and distribution of text are extremely low. Digital copyright protection seeks to artificially enforce the scarcity. But the function of the publishers as converters of trees into books is approaching obsolescence in the post-Gutenberg era. Rich citizens can afford to commission works directly, and poor citizens can cooperate with something like the Street Performer protocol.
Neither Sophocles nor Chaucer nor Shakespeare had the benefit of copyright protection.
From: Russell Nelson <nelsoncrynwr.com>
>From: Paul Kocher <email@example.com>
Sorry, Paul, but Bruce is right. Without end-to-end encryption (in other words, directly inserted from the distributor into the person's senses without ever being available in plaintext -- using some technology that I doubt could exist or if it could, wouldn't be accepted by consumers), the hostile attacker (in other words, the user in the privacy of their home) can intercept the communications.
Okay, so the plaintext is available. Now, I take that plaintext and encrypt it. I tell everyone "Suck down a copy of this file. I'll tell you what it is later; possibly much later." How is a content "owner" to deal with that? They can't decrypt it. They don't even know it's their content. They might think they own it if I describe it vaguely, or even exactly. But how to prove it in a court of law? "Sorry, your honor, I don't really know what that file is. I got it from someone else. No, your honor, I can't give you the key. Only the encryptor has the key to it, and I didn't encrypt it."
The endgame has only two possibilities: 1) the complete prohibition of publishing anything with random bits in it, or 2) the death of copyright. #1 is not in the cards, therefore you can count on #2. Any action taken by any content owner to stop copying is just a delaying action based on revising their business plan or implementing same. Any action NOT based on the reality of #2 is head-in-the-sand idiocy, to be whacked by knowledgeable stockholders.
Reply-To: Vladimir Katalov <firstname.lastname@example.org>
> All digital copy protection schemes can be broken, and once they
Totally agree. Unfortunately, not all the people (especially developers of DRM (or how you call it: "digital copy protection schemes") think so. Our company specializes in password recovery and decryption software; just about two weeks ago, we have released a product that decrypts protected Adobe Acrobat PDF files and e-books, removing all protections. And immediately got problems with Adobe: they did their best to close our site etc. Now the site is functional again, we don't sell the program anymore. Also, they 'closed' the hole
You can read the whole story about our battle with Adobe (and get our
From: Mike <John.Michael.Williamscomputer.org>
In your 6/15 newsletter, Ken Ayer <email@example.com> wrote in justification of the Common Criteria (CC): "Every vendor (whether of a chip, card, lab or consulting service) says it's the best, but we need a way to compare these claims... What Visa has done with the Common Criteria is to start a dialogue on how to clearly express security requirements... We are making progress, though there remains work to be done...."
This is the Fallacy of Incomplete Requirements: If we could all just get along, and write down what we REALLY want done, we could have those 'droid techies fix this annoying aberration.
We informally compare marketing/technical claims all the time, those involving the life-and-limb of ourselves and our family -- for example, automotive safety. Show me the SAE spec for "automotive security," or component-wise, cockpit-collapse security, comparable to what the CC ilk want.
Government and professional societies like SAE, IEEE, ACM, (or hybrids like CC bureaucracies) can't begin to do this. Collapse rate of a steering column? Right. Impact of a side-airbag? Right. Tire safety? Hmmm ... check the net for hearings and litigation, possibly criminal, on Ford vs. Firestone.
Safety-rating of a cockpit, a vehicle, a model, a brand? No way. The market and painful experience reject the failures (the pre-'65 Chevy Corvairs, and maybe the Ford Explorers, for examples).
What no one acknowledges is an observation I've made since entering the biz in '73. Science generally is extremely poor at detecting fraud and deception -- one doesn't get one's doctorate by proving why the big guys' ideas don't work, and you don't win tenure by winnowing out colleagues' detritus. Some of the biggest suckers for stage magic and plain old collusion have been scientists, especially government scientists.
Computer security is unique in an aspect it fails to acknowledge: it contains the notion, and realization, of hostile automata. Let's see a requirements spec for that!
CRYPTO-GRAM is a free monthly newsletter providing summaries, analyses, insights, and commentaries on computer security and cryptography.
To subscribe, visit <http://www.schneier.com/crypto-gram.html> or send a blank message to firstname.lastname@example.org. To unsubscribe, visit <http://www.schneier.com/crypto-gram-faq.html>. Back issues are available on <http://www.counterpane.com>.
Please feel free to forward CRYPTO-GRAM to colleagues and friends who will find it valuable. Permission is granted to reprint CRYPTO-GRAM, as long as it is reprinted in its entirety.
CRYPTO-GRAM is written by Bruce Schneier. Schneier is founder and CTO of Counterpane Internet Security Inc., the author of "Secrets and Lies" and "Applied Cryptography," and an inventor of the Blowfish, Twofish, and Yarrow algorithms. He served on the board of the International Association for Cryptologic Research, EPIC, and VTW. He is a frequent writer and lecturer on computer security and cryptography.
Counterpane Internet Security, Inc. is the world leader in Managed Security Monitoring. Counterpane's expert security analysts protect networks for Fortune 2000 companies world-wide.
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.