Analyzing Reshipping Mule Scams

Interesting paper: "Drops for Stuff: An Analysis of Reshipping Mule Scams." From a blog post:

A cybercriminal (called operator) recruits unsuspecting citizens with the promise of a rewarding work-from-home job. This job involves receiving packages at home and having to re-ship them to a different address, provided by the operator. By accepting the job, people unknowingly become part of a criminal operation: the packages that they receive at their home contain stolen goods, and the shipping destinations are often overseas, typically in Russia. These shipping agents are commonly known as reshipping mules (or drops for stuff in the underground community).

[...]

Studying the management of the mules led us to some surprising findings. When applying for the job, people are usually required to send the operator copies of their ID cards and passport. After they are hired, mules are promised to be paid at the end of their first month of employment. However, from our data it is clear that mules are usually never paid. After their first month expires, they are never contacted back by the operator, who just moves on and hires new mules. In other words, the mules become victims of this scam themselves, by never seeing a penny. Moreover, because they sent copies of their documents to the criminals, mules can potentially become victims of identity theft.

Posted on November 4, 2015 at 1:54 PM

$1M Bounty for iPhone Hack

I don't know whether to believe this story. Supposedly the startup Zerodium paid someone $1M for an iOS 9.1 and 9.2b hack.

Bekrar and Zerodium, as well as its predecessor VUPEN, have a different business model. They offer higher rewards than what tech companies usually pay out, and keep the vulnerabilities secret, revealing them only to certain government customers, such as the NSA.

I know startups like publicity, but certainly an exploit like this is more valuable if it's not talked about.

So this might be real, or it might be a PR stunt. But companies selling exploits to governments is certainly real.

Another news article.

Posted on November 3, 2015 at 2:31 PM

Australia Is Testing Virtual Passports

Australia is going to be the first country to have virtual passports. Presumably, the passport data will be in the cloud somewhere, and you'll access it with an app or a URL or maybe just the passport number.

On the one hand, all a passport needs to be is a pointer into a government database with all the relevant information and biometrics. On the other hand, not all countries have access into all databases. When I enter the US with my US passport, I'm sure no one really needs the paper document -- it's all on the officers' computers. But when I enter a random country, they don't have access to the US government database; they need the physical object.

Australia is trialing this with New Zealand. Presumably both countries will have access into each other's databases.

Posted on November 3, 2015 at 6:20 AM

The Rise of Political Doxing

Last week, CIA director John O. Brennan became the latest victim of what's become a popular way to embarrass and harass people on the Internet. A hacker allegedly broke into his AOL account and published e-mails and documents found inside, many of them personal and sensitive.

It's called doxing -- sometimes doxxing -- from the word "documents." It emerged in the 1990s as a hacker revenge tactic, and has since been used as a tool to harass and intimidate people, primarily women, on the Internet. Someone would threaten a woman with physical harm, or try to incite others to harm her, and publish her personal information as a way of saying "I know a lot about you -- like where you live and work." Victims of doxing talk about the fear that this tactic instills. It's very effective, by which I mean that it's horrible.

Brennan's doxing was slightly different. Here, the attacker had a more political motive. He wasn't out to intimidate Brennan; he simply wanted to embarrass him. His personal papers were dumped indiscriminately, fodder for an eager press. This doxing was a political act, and we're seeing this kind of thing more and more.

Last year, the government of North Korea did this to Sony. Hackers the FBI believes were working for North Korea broke into the company's networks, stole a huge amount of corporate data, and published it. This included unreleased movies, financial information, company plans, and personal e-mails. The reputational damage to the company was enormous; the company estimated the cost at $41 million.

In July, hackers stole and published sensitive documents from the cyberweapons arms manufacturer Hacking Team. That same month, different hackers did the same thing to the infidelity website Ashley Madison. In 2014, hackers broke into the iCloud accounts of over 100 celebrities and published personal photographs, most containing some nudity. In 2013, Edward Snowden doxed the NSA.

These aren't the first instances of politically motivated doxing, but there's a clear trend. As people realize what an effective attack this can be, and how an individual can use the tactic to do considerable damage to powerful people and institutions, we're going to see a lot more of it.

On the Internet, attack is easier than defense. We're living in a world where a sufficiently skilled and motivated attacker will circumvent network security. Even worse, most Internet security assumes it needs to defend against an opportunistic attacker who will attack the weakest network in order to get -- for example -- a pile of credit card numbers. The notion of a targeted attacker, who wants Sony or Ashley Madison or John Brennan because of what they stand for, is still new. And it's even harder to defend against.

What this means is that we're going to see more political doxing in the future, against both people and institutions. It's going to be a factor in elections. It's going to be a factor in anti-corporate activism. More people will find their personal information exposed to the world: politicians, corporate executives, celebrities, divisive and outspoken individuals.

Of course they won't all be doxed, but some of them will. Some of them will be doxed directly, like Brennan. Some of them will be inadvertent victims of a doxing attack aimed at a company where their information is stored, like those celebrities with iPhone accounts and every customer of Ashley Madison. Regardless of the method, lots of people will have to face the publication of personal correspondence, documents, and information they would rather be private.

In the end, doxing is a tactic that the powerless can effectively use against the powerful. It can be used for whistleblowing. It can be used as a vehicle for social change. And it can be used to embarrass, harass, and intimidate. Its popularity will rise and fall on this effectiveness, especially in a world where prosecuting the doxers is so difficult.

There's no good solution for this right now. We all have the right to privacy, and we should be free from doxing. But we're not, and those of us who are in the public eye have no choice but to rethink our online data shadows.

This essay previously appeared on Vice Motherboard.

EDITED TO ADD: Slashdot thread.

Posted on November 2, 2015 at 6:47 AM

Friday Squid Blogging: Baby Giant Squid Found

First ever examples of a baby giant squid have been found.

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

Posted on October 30, 2015 at 4:08 PM

The Onion on the State of IT Security

"China Unable To Recruit Hackers Fast Enough To Keep Up With Vulnerabilities In U.S. Security Systems." It's only funny because it's true.

Posted on October 30, 2015 at 2:35 PM

Weaknesses in the PLAID Protocol

In 2009, the Australian government released the Protocol for Lightweight Authentication of Identity (PLAID). It was recently analyzed (the original paper is from 2014, but was just updated), and it's a security disaster. Matt Green wrote a good blog post back in 2014 that explains the problems.

Slashdot thread. Reddit thread.

Posted on October 30, 2015 at 6:40 AM

Flash Drive Lock

This device is clever: it's a three-digit combination lock that prevents a USB drive from being read. It's not going to keep out anyone serious, but it is a great solution for the sort of casual security that most people need.

Posted on October 29, 2015 at 1:38 PM

Tracking Connected Vehicles

Researchers have shown that it is both easy and cheap to surveil connected vehicles.

The second link talks about various anonymization techniques, none of which I am optimistic about.

Posted on October 29, 2015 at 6:33 AM

Why Is the NSA Moving Away from Elliptic Curve Cryptography?

In August, I wrote about the NSA's plans to move to quantum-resistant algorithms for its own cryptographic needs.

Cryptographers Neal Koblitz and Alfred Menezes just published a long paper speculating as to the government's real motives for doing this. They range from some new cryptanalysis of ECC to a political need after the DUAL_EC_PRNG disaster -- to the stated reason of quantum computing fears.

Read the whole paper. (Feel free to skip over the math if it gets too hard, but keep going until the end.)

Posted on October 28, 2015 at 2:11 PM

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Resilient Systems, Inc.