Interview with an NSA Hacker

Peter Maass interviewed the former NSA official who wrote the infamous "I Hunt Sysadmins" memo.

It's interesting, but I wanted to hear less of Peter Maass -- I already know his views -- and more from the NSA hacker.

Posted on June 29, 2016 at 6:29 AM • 20 Comments

Security Analysis of TSA PreCheck

Interesting research: Mark G. Stewart and John Mueller, "Risk-based passenger screening: risk and economic assessment of TSA PreCheck increased security at reduced cost?"

Executive Summary: The Transportation Security Administration's PreCheck program is risk-based screening that allows passengers assessed as low risk to be directed to expedited, or PreCheck, screening. We begin by modelling the overall system of aviation security by considering all layers of security designed to deter or disrupt a terrorist plot to down an airliner with a passenger-borne bomb. Our analysis suggests that these measures reduce the risk of such an attack by at least 98%. Assuming that the accuracy of Secure Flight may be less than 100% when identifying low and high risk passengers, we then assess the effect of enhanced and expedited (or regular and PreCheck) screening on deterrence and disruption rates. We also evaluate programs that randomly redirect passengers from the PreCheck to the regular lines (random exclusion) and ones that redirect some passengers from regular to PreCheck lines (managed inclusion). We find that, if 50% of passengers are cleared for PreCheck, the additional risk reduction (benefit) due to PreCheck is 0.021% for attacks by lone wolves, and 0.056% for ones by terrorist organisations. If 75% of passengers rather than 50% go through PreCheck, these numbers are 0.017% and 0.044%, still providing a benefit in risk reduction. Under most realistic combinations of parameter values PreCheck actually increases risk reduction, perhaps up to 1%, while under the worst assumptions, it lowers risk reduction only by some 0.1%. Extensive sensitivity analyses suggest that, overall, PreCheck is most likely to have an increase in overall benefit.

The report also finds that adding random exclusion and managed inclusion to the PreCheck program has little effect on the risk reducing capability of PreCheck one way or the other. For example, if 10% of non-PreCheck passengers are randomly sent to the PreCheck line, the program still delivers a benefit in risk reduction, and provides an additional savings for TSA of $11 million per year by reducing screening costs -- while at the same time improving security outcomes.

There are also other co-benefits, and these are very substantial. Reducing checkpoint queuing times improves the passenger experience, which would lead to higher airline revenues, can exceed several billion dollars per year. TSA PreCheck thus seems likely to bring considerable efficiencies to the screening process and great benefits to passengers, airports, and airlines while actually enhancing security a bit.

Posted on June 28, 2016 at 2:10 PM • 19 Comments

Facebook Using Physical Location to Suggest Friends

This could go badly:

"People You May Know are people on Facebook that you might know," a Facebook spokesperson said. "We show you people based on mutual friends, work and education information, networks you're part of, contacts you've imported and many other factors."

One of those factors is smartphone location. A Facebook spokesperson said though that shared location alone would not result in a friend suggestion, saying that the two parents must have had something else in common, such as overlapping networks.

"Location information by itself doesn't indicate that two people might be friends," said the Facebook spokesperson. "That's why location is only one of the factors we use to suggest people you may know."

The article goes on to describe situations where you don't want Facebook to do this: Alcoholics Anonymous meetings, singles bars, some Tinder dates, and so on. But this is part of Facebook's aggressive use of location data in many of its services.

BoingBoing post.

EDITED TO ADD: Facebook backtracks.

Posted on June 28, 2016 at 6:56 AM • 25 Comments

Crowdsourcing a Database of Hotel Rooms

There's an app that allows people to submit photographs of hotel rooms around the world into a centralized database. The idea is that photographs of victims of human trafficking are often taken in hotel rooms, and the database will help law enforcement find the traffickers.

I can't speak to the efficacy of the database -- in particular, the false positives -- but it's an interesting crowdsourced approach to the problem.

Posted on June 27, 2016 at 6:05 AM • 40 Comments

Friday Squid Blogging: Bioluminescence as Camouflage

Interesting:

There is one feature of the squid that is not transparent and which could act as a signal to prey -- the eyes. However, the squid has a developed protection here as well. The large eyes of the squid are camouflaged with bioluminescence.

Underneath the eyes of the squid are silvery patches of cells called photophores. These provide under surface bioluminescence which adds to the camouflage. The cells leak out light in multiple directions that effectively make the squid invisible when viewed from above. The resultant glowing blur makes the eyes of the glass squid less conspicuous to predators approaching from a variety of angles.

Research paper.

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

Posted on June 24, 2016 at 4:39 PM • 151 Comments

Using Social Media to Discover Hidden Wealth

Stories of burglars using social media to figure out who's on vacation are old hat. Now financial investigators are using social media to find hidden wealth.

Posted on June 24, 2016 at 6:29 AM • 10 Comments

Comparing Messaging Apps

Micah Lee has a nice comparison among Signal, WhatsApp, and Allo.

In this article, I'm going to compare WhatsApp, Signal, and Allo from a privacy perspective.

While all three apps use the same secure-messaging protocol, they differ on exactly what information is encrypted, what metadata is collected, and what, precisely, is stored in the cloud -- and therefore available, in theory at least, to government snoops and wily hackers.

In the end, I'm going to advocate you use Signal whenever you can -- which actually may not end up being as often as you would like.

EDITED TO ADD (6/25): Don't use Telegram.

Posted on June 23, 2016 at 6:54 AM • 77 Comments

Fraudsters are Buying IPv4 Addresses

IPv4 addresses are valuable, so criminals are figuring out how to buy or steal them.

Hence criminals' interest in ways to land themselves IP addresses, some of which were detailed this week by ARIN's senior director of global registry knowledge, Leslie Nobile, at the North American Network Operators Group's NANOG 67 conference.

Nobile explained that criminals look for dormant ARIN records and try to establish themselves as the rightful administrator. ARIN has 30,556 legacy network records, she said, but a validated point of contact for only 54 per cent of those networks. The remaining ~14,000 networks are ripe for targeting by hijackers who Nobile said are only interested in establishing legitimacy with ARIN so they can find a buyer for unused IPv4 addresses possessed by dormant legacy networks.

Criminals do so by finding dormant ARIN records and Whois data to see if there is a valid contact, then ascertaining if IPv4 allocations are currently routed. If the assigned addresses are dark and no active administrator exists, hijackers can revive dormant domain names or even re-register the names of defunct companies in order to establish a position as legitimate administrators of an address space. If all goes well, the hijackers end up with addresses to sell.

Video presentation here.

Posted on June 22, 2016 at 1:15 PM • 10 Comments

Situational Awareness and Crime Prevention

Ronald V. Clarke argues for more situational awareness in crime prevention. Turns out if you make crime harder, it goes down. And this has profound policy implications.

Whatever the benefits for Criminology, the real benefits of a greater focus on crime than criminality would be for crime policy. The fundamental attribution error is the main impediment to formulating a broader set of policies to control crime. Nearly everyone believes that the best way to control crime is to prevent people from developing into criminals in the first place or, failing that, to use the criminal justice system to deter or rehabilitate them. This has led directly to overuse of the system at vast human and economic cost.

Hardly anyone recognizes--whether politicians, public intellectuals, government policy makers, police or social workers--that focusing on the offender is dealing with only half the problem. We need also to deal with the many and varied ways in which society inadvertently creates the opportunities for crime that motivated offenders exploit by (i) manufacturing crime-prone goods, (ii) practicing poor management in many spheres of everyday life, (iii) permitting poor layout and design of places, (iv) neglecting the security of the vast numbers of electronic systems that regulate our everyday lives and, (v) enacting laws with unintended benefits for crime.

Situational prevention has accumulated dozens of successes in chipping away at some of the problems created by these conditions, which attests to the principles formulated so many years ago in Home Office research. Much more surprising, however, is that the same thing has been happening in every sector of modern life without any assistance from governments or academics. I am referring to the security measures that hundreds, perhaps thousands, of private and public organizations have been taking in the past 2-3 decades to protect themselves from crime.

Posted on June 21, 2016 at 12:16 PM • 31 Comments

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Resilient, an IBM Company.