Friday Squid Blogging: Sperm Whale Eats Squid

A post-mortem of a stranded sperm whale shows that he had recently eaten squid.

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

Posted on July 22, 2016 at 4:14 PM105 Comments

Cyberweapons vs. Nuclear Weapons

Good essay pointing out the absurdity of comparing cyberweapons with nuclear weapons.

On the surface, the analogy is compelling. Like nuclear weapons, the most powerful cyberweapons -- malware capable of permanently damaging critical infrastructure and other key assets of society -- are potentially catastrophically destructive, have short delivery times across vast distances, and are nearly impossible to defend against. Moreover, only the most technically competent of states appear capable of wielding cyberweapons to strategic effect right now, creating the temporary illusion of an exclusive cyber club. To some leaders who matured during the nuclear age, these tempting similarities and the pressing nature of the strategic cyberthreat provide firm justification to use nuclear deterrence strategies in cyberspace. Indeed, Cold War-style cyberdeterrence is one of the foundational cornerstones of the 2015 U.S. Department of Defense Cyber Strategy.

However, dive a little deeper and the analogy becomes decidedly less convincing. At the present time, strategic cyberweapons simply do not share the three main deterrent characteristics of nuclear weapons: the sheer destructiveness of a single weapon, the assuredness of that destruction, and a broad debate over the use of such weapons.

Posted on July 22, 2016 at 11:08 AM20 Comments

DARPA Document: "On Countering Strategic Deception"

Old, but interesting. The document was published by DARPA in 1973, and approved for release in 2007. It examines the role of deception on strategic warning systems, and possible actions to protect from strategic foreign deception.

Posted on July 21, 2016 at 9:54 AM8 Comments

Detecting Spoofed Messages Using Clock Skew

Two researchers are working on a system to detect spoofed messages sent to automobiles by fingerprinting the clock skew of the various computer components within the car, and then detecting when those skews are off. It's a clever system, with applications outside of automobiles (and isn't new).

To perform that fingerprinting, they use a weird characteristic of all computers: tiny timing errors known as "clock skew." Taking advantage of the fact that those errors are different in every computerĀ­ -- including every computer inside a carĀ­ -- the researchers were able to assign a fingerprint to each ECU based on its specific clock skew. The CIDS' device then uses those fingerprints to differentiate between the ECUs, and to spot when one ECU impersonates another, like when a hacker corrupts the vehicle's radio system to spoof messages that are meant to come from a brake pedal or steering system.

Paper: "Fingerprinting Electronic Control Units for Vehicle Intrusion Detection," by Kyong-Tak Cho and Kang G. Shin.

Abstract: As more software modules and external interfaces are getting added on vehicles, new attacks and vulnerabilities are emerging. Researchers have demonstrated how to compromise in-vehicle Electronic Control Units (ECUs) and control the vehicle maneuver. To counter these vulnerabilities, various types of defense mechanisms have been proposed, but they have not been able to meet the need of strong protection for safety-critical ECUs against in-vehicle network attacks. To mitigate this deficiency, we propose an anomaly-based intrusion detection system (IDS), called Clock-based IDS (CIDS). It measures and then exploits the intervals of periodic in-vehicle messages for fingerprinting ECUs. The thus-derived fingerprints are then used for constructing a baseline of ECUs' clock behaviors with the Recursive Least Squares (RLS) algorithm. Based on this baseline, CIDS uses Cumulative Sum (CUSUM) to detect any abnormal shifts in the identification errors -- a clear sign of intrusion. This allows quick identification of in-vehicle network intrusions with a low false-positive rate of 0.055%. Unlike state-of-the-art IDSs, if an attack is detected, CIDS's fingerprinting of ECUs also facilitates a rootcause analysis; identifying which ECU mounted the attack. Our experiments on a CAN bus prototype and on real vehicles have shown CIDS to be able to detect a wide range of in-vehicle network attacks.

Posted on July 20, 2016 at 7:26 AM33 Comments

Stealing Money from ISPs Through Premium Rate Calls

I think the best hacks are the ones that are obvious once they're explained, but no one has thought of them before. Here's an example:

Instagram ($2000), Google ($0) and Microsoft ($500) were vulnerable to direct money theft via premium phone number calls. They all offer services to supply users with a token via a computer-voiced phone call, but neglected to properly verify whether supplied phone numbers were legitimate, non-premium numbers. This allowed a dedicated attacker to steal thousands of EUR/USD/GBP/... . Microsoft was exceptionally vulnerable to mass exploitation by supporting virtually unlimited concurrent calls to one premium number. The vulnerabilities were submitted to the respective Bug Bounty programs and properly resolved.

News articles. Slashdot threads.

Posted on July 19, 2016 at 6:21 AM13 Comments

Futuristic Cyberattack Scenario

This is a piece of near-future fiction about a cyberattack on New York, including hacking of cars, the water system, hospitals, elevators, and the power grid. Although it is definitely a movie-plot attack, all the individual pieces are plausible and will certainly happen individually and separately.

Worth reading -- it's probably the best example of this sort of thing to date.

Posted on July 18, 2016 at 6:27 AM40 Comments

Friday Squid Blogging: Stuffed Squid with Chard and Potatoes

Looks like a tasty recipe.

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

Posted on July 15, 2016 at 9:16 PM257 Comments

Security Effectiveness of the Israeli West Bank Barrier

Interesting analysis:

Abstract: Objectives -- Informed by situational crime prevention (SCP) this study evaluates the effectiveness of the "West Bank Barrier" that the Israeli government began to construct in 2002 in order to prevent suicide bombing attacks.

Methods -- Drawing on crime wave models of past SCP research, the study uses a time series of terrorist attacks and fatalities and their location in respect to the Barrier, which was constructed in different sections over different periods of time, between 1999 and 2011.

Results -- The Barrier together with associated security activities was effective in preventing suicide bombings and other attacks and fatalities with little if any apparent displacement. Changes in terrorist behavior likely resulted from the construction of the Barrier, not from other external factors or events.

Conclusions -- In some locations, terrorists adapted to changed circumstances by committing more opportunistic attacks that require less planning. Fatalities and attacks were also reduced on the Palestinian side of the Barrier, producing an expected "diffusion of benefits" though the amount of reduction was considerably more than in past SCP studies. The defensive roles of the Barrier and offensive opportunities it presents, are identified as possible explanations. The study highlights the importance of SCP in crime and counter-terrorism policy.

Unfortunately, the whole paper is behind a paywall.

Note: This is not a political analysis of the net positive and negative effects of the wall, just a security analysis. Of course any full analysis needs to take the geopolitics into account. The comment section is not the place for this broader discussion.

Posted on July 14, 2016 at 5:58 AM71 Comments

Visiting a Website against the Owner's Wishes Is Now a Federal Crime

While we're on the subject of terrible 9th Circuit Court rulings:

The U.S. Court of Appeals for the 9th Circuit has handed down a very important decision on the Computer Fraud and Abuse Act.... Its reasoning appears to be very broad. If I'm reading it correctly, it says that if you tell people not to visit your website, and they do it anyway knowing you disapprove, they're committing a federal crime of accessing your computer without authorization.

Posted on July 13, 2016 at 2:10 PM63 Comments

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Resilient, an IBM Company.