Schneier on Security
A blog covering security and security technology.
August 2006 Archives
This is interesting:
A paper license tag, a salad and stories that didn't make sense pricked the suspicions of a state trooper who stopped the car of a wanted fugitive polygamist in Las Vegas.
This is behavioral profiling done right, and it reminds me of the Diana Dean story. (Here's another example of behavioral profiling done right, and here is an article by Malcolm Gladwell on profiling and generalizations.)
Behavioral profiling is tough to do well. It requires intelligent and well-trained officers. Done badly, it quickly defaults to racial profiling. But done well, it'll do far more to keep us safe than object profiling (e.g., banning liquids on aircraft).
Ross Anderson's Security Engineering is a great book. And I'm not saying that because I wrote the foreword. Since it was published in 2001, I have regularly recommended it to engineers interested in security.
None of this is news. What is news is that you can download the book, free and legally.
"The Dread Pirate Bin Laden" argues that, legally, terrorists should be treated as pirates under international law:
More than 2,000 years ago, Marcus Tullius Cicero defined pirates in Roman law as hostis humani generis, "enemies of the human race." From that day until now, pirates have held a unique status in the law as international criminals subject to universal jurisdiction—meaning that they may be captured wherever they are found, by any person who finds them. The ongoing war against pirates is the only known example of state vs. nonstate conflict until the advent of the war on terror, and its history is long and notable. More important, there are enormous potential benefits of applying this legal definition to contemporary terrorism.
Ross Anderson recognized the parallels between terrorism and piracy back in 2001.
Details are emerging:
What pisses me off most is the second item. By arresting the conspirators early, the police squandered the chance to learn more about the network and arrest more of them -- and to present a less flimsy case. There have been many news reports detailing how the U.S. pressured the UK government to make the arrests sooner, possibly out of political motivations. (And then Scotland Yard got annoyed at the U.S. leaking plot details to the press, hampering their case.)
My initial comments on the arrest are here. I still think that all of the new airline security measures are an overreaction (This essay makes the same point, as well as describing a 1995 terrorist plot that was remarkably similar in both materials and modus operandi -- and didn't result in a complete ban on liquids.)
As I said on a radio interview a couple of weeks ago: "We ban guns and knives, and the terrorists use box cutters. We ban box cutters and corkscrews, and they hide explosives in their shoes. We screen shoes, and the terrorists use liquids. We ban liquids, and the terrorist will use something else. It's not a fair game, because the terrorists get to see our security measures before they plan their attack." And it's not a game we can win. So let's stop playing, and play a game we actually can win. The real lesson of the London arrests is that investigation and intelligence work.
EDITED TO ADD (8/29): Seems this URL is unavailable in the U.K. See the comments for ways to bypass the block.
Get your nominations in.
The "Stupid Security Awards" aim to highlight the absurdities of the security industry. Privacy International's director, Simon Davies, said his group had taken the initiative because of "innumerable" security initiatives around the world that had absolutely no genuine security benefit. The awards were first staged in 2003 and attracted over 5,000 nominations. This will be the second competition in the series.
This is a surreal story about a guy who accidentally drops his iPod into an airplane toilet, prompting a full-scale terror alert. Overreaction at its worst.
USBDumper (article is in French; here's the software) is a cute little utility that silently copies the contents of an inserted USB drive onto the PC. The idea is that you install this piece of software on your computer, or on a public PC, and then you collect the files -- some of them personal and confidential -- from anyone who plugs their USB drive into that computer. (This blog post talks about a version that downloads a disk image, allowing someone to recover deleted files as well.)
No big deal to anyone who worries about computer security for a living, but probably a rude shock to salespeople, conference presenters, file sharers, and many others who regularly plug their USB drives into strange PCs.
EDITED TO ADD (10/24): USBDumper 2.2 has been released. The webpage includes a number of other useful utilities.
Kobi Alexander fled the United States ten days ago. He was tracked down in Sri Lanka via a Skype call:
According to the report, Alexander was located after making a one-minute call via the online telephone Skype service. The call, made from the Sri Lankan capital Colombo, alerted intelligence agencies to his presence in the country.
Ars Technica explains:
The fugitive former CEO may have been convinced that using Skype made him safe from tracking, but he -- and everyone else that believes VoIP is inherently more secure than a landline -- was wrong. Tracking anonymous peer-to-peer VoIP traffic over the Internet is possible (PDF). In fact, it can be done even if the parties have taken some steps to disguise the traffic.
Let this be a warning to all of you who thought Skype was anonymous.
On Aug. 16, two men were escorted off a plane headed for Manchester, England, because some passengers thought they looked either Asian or Middle Eastern, might have been talking Arabic, wore leather jackets, and looked at their watches -- and the passengers refused to fly with them on board. The men were questioned for several hours and then released.
On Aug. 15, an entire airport terminal was evacuated because someone's cosmetics triggered a false positive for explosives. The same day, a Muslim man was removed from an airplane in Denver for reciting prayers. The Transportation Security Administration decided that the flight crew overreacted, but he still had to spend the night in Denver before flying home the next day. The next day, a Port of Seattle terminal was evacuated because a couple of dogs gave a false alarm for explosives.
On Aug. 19, a plane made an emergency landing in Tampa, Florida, after the crew became suspicious because two of the lavatory doors were locked. The plane was searched, but nothing was found. Meanwhile, a man who tampered with a bathroom smoke detector on a flight to San Antonio was cleared of terrorism, but only after having his house searched.
On Aug. 16, a woman suffered a panic attack and became violent on a flight from London to Washington, so the plane was escorted to the Boston airport by fighter jets. "The woman was carrying hand cream and matches but was not a terrorist threat," said the TSA spokesman after the incident.
And on Aug. 18, a plane flying from London to Egypt made an emergency landing in Italy when someone found a bomb threat scrawled on an air sickness bag. Nothing was found on the plane, and no one knows how long the note was on board.
I'd like everyone to take a deep breath and listen for a minute.
The point of terrorism is to cause terror, sometimes to further a political goal and sometimes out of sheer hatred. The people terrorists kill are not the targets; they are collateral damage. And blowing up planes, trains, markets or buses is not the goal; those are just tactics. The real targets of terrorism are the rest of us: the billions of us who are not killed but are terrorized because of the killing. The real point of terrorism is not the act itself, but our reaction to the act.
And we're doing exactly what the terrorists want.
We're all a little jumpy after the recent arrest of 23 terror suspects in Great Britain. The men were reportedly plotting a liquid-explosive attack on airplanes, and both the press and politicians have been trumpeting the story ever since.
In truth, it's doubtful that their plan would have succeeded; chemists have been debunking the idea since it became public. Certainly the suspects were a long way off from trying: None had bought airline tickets, and some didn't even have passports.
Regardless of the threat, from the would-be bombers' perspective, the explosives and planes were merely tactics. Their goal was to cause terror, and in that they've succeeded.
Imagine for a moment what would have happened if they had blown up 10 planes. There would be canceled flights, chaos at airports, bans on carry-on luggage, world leaders talking tough new security measures, political posturing and all sorts of false alarms as jittery people panicked. To a lesser degree, that's basically what's happening right now.
Our politicians help the terrorists every time they use fear as a campaign tactic. The press helps every time it writes scare stories about the plot and the threat. And if we're terrified, and we share that fear, we help. All of these actions intensify and repeat the terrorists' actions, and increase the effects of their terror.
(I am not saying that the politicians and press are terrorists, or that they share any of the blame for terrorist attacks. I'm not that stupid. But the subject of terrorism is more complex than it appears, and understanding its various causes and effects are vital for understanding how to best deal with it.)
The implausible plots and false alarms actually hurt us in two ways. Not only do they increase the level of fear, but they also waste time and resources that could be better spent fighting the real threats and increasing actual security. I'll bet the terrorists are laughing at us.
Another thought experiment: Imagine for a moment that the British government arrested the 23 suspects without fanfare. Imagine that the TSA and its European counterparts didn't engage in pointless airline-security measures like banning liquids. And imagine that the press didn't write about it endlessly, and that the politicians didn't use the event to remind us all how scared we should be. If we'd reacted that way, then the terrorists would have truly failed.
It's time we calm down and fight terror with antiterror. This does not mean that we simply roll over and accept terrorism. There are things our government can and should do to fight terrorism, most of them involving intelligence and investigation -- and not focusing on specific plots.
But our job is to remain steadfast in the face of terror, to refuse to be terrorized. Our job is to not panic every time two Muslims stand together checking their watches. There are approximately 1 billion Muslims in the world, a large percentage of them not Arab, and about 320 million Arabs in the Middle East, the overwhelming majority of them not terrorists. Our job is to think critically and rationally, and to ignore the cacophony of other interests trying to use terrorism to advance political careers or increase a television show's viewership.
The surest defense against terrorism is to refuse to be terrorized. Our job is to recognize that terrorism is just one of the risks we face, and not a particularly common one at that. And our job is to fight those politicians who use fear as an excuse to take away our liberties and promote security theater that wastes money and doesn't make us any safer.
This essay originally appeared on Wired.com.
EDITED TO ADD (3/24): Here's another incident.
EDITED TO ADD (3/29): There have been many more incidents since I wrote this -- all false alarms. I've stopped keeping a list.
Interesting paper: "You are what you say: privacy risks of public mentions," Proceedings of the 29th Annual International ACM SIGIR Conference on Research and Development in Information Retrieval, 2006.
Unfortunately, the paper is only available to ACM members.
EDITED TO ADD (8/24): Paper is here.
TrackMeNot runs in Firefox as a low-priority background process that periodically issues randomized search-queries to popular search engines, e.g., AOL, Yahoo!, Google, and MSN. It hides users' actual search trails in a cloud of indistinguishable 'ghost' queries, making it difficult, if not impossible, to aggregate such data into accurate or identifying user profiles. TrackMeNot integrates into the Firefox 'Tools' menu and includes a variety of user-configurable options.
Let's count the ways this doesn't work.
One, it doesn't hide your searches. If the government wants to know who's been searching on "al Qaeda recruitment centers," it won't matter that you've made ten thousand other searches as well -- you'll be targeted.
Two, it's too easy to spot. There are only 1,673 search terms in the program's dictionary. Here, as a random example, are the program's "G" words:
gag, gagged, gagging, gags, gas, gaseous, gases, gassed, gasses, gassing, gen, generate, generated, generates, generating, gens, gig, gigs, gillion, gillions, glass, glasses, glitch, glitched, glitches, glitching, glob, globed, globing, globs, glue, glues, gnarlier, gnarliest, gnarly, gobble, gobbled, gobbles, gobbling, golden, goldener, goldenest, gonk, gonked, gonking, gonks, gonzo, gopher, gophers, gorp, gorps, gotcha, gotchas, gribble, gribbles, grind, grinding, grinds, grok, grokked, grokking, groks, ground, grovel, groveled, groveling, grovelled, grovelling, grovels, grue, grues, grunge, grunges, gun, gunned, gunning, guns, guru, gurus
The program's authors claim that this list is temporary, and that there will eventually be a TrackMeNot server with an ever-changing word list. Of course, that list can be monitored by any analysis program -- as could any queries to that server.
In any case, every twelve seconds -- exactly -- the program picks a random pair of words and sends it to either AOL, Yahoo, MSN, or Google. My guess is that your searches contain more than two words, you don't send them out in precise twelve-second intervals, and you favor one search engine over the others.
Three, some of the program's searches are worse than yours. The dictionary includes:
HIV, atomic, bomb, bible, bibles, bombing, bombs, boxes, choke, choked, chokes, choking, chain, crackers, empire, evil, erotics, erotices, fingers, knobs, kicking, harier, hamster, hairs, legal, letterbomb, letterbombs, mailbomb, mailbombing, mailbombs, rapes, raping, rape, raper, rapist, virgin, warez, warezes, whack, whacked, whacker, whacking, whackers, whacks, pistols
Does anyone reall think that searches on "erotic rape," "mailbombing bibles," and "choking virgins" will make their legitimate searches less noteworthy?
And four, it wastes a whole lot of bandwidth. A query every twelve seconds translates into 2,400 queries a day, assuming an eight-hour workday. A typical Google response is about 25K, so we're talking 60 megabytes of additional traffic daily. Imagine if everyone in the company used it.
I suppose this kind of thing would stop someone who has a paper printout of your searches and is looking through them manually, but it's not going to hamper computer analysis very much. Or anyone who isn't lazy. But it wouldn't be hard for a computer profiling program to ignore these searches.
Imagine a cop pulls you over for speeding. As he approaches, you realize you left your wallet at home. Without your driver's license, you could be in a lot of trouble. When he approaches, you roll down your window and shout. "Hello Officer! I don't have insurance on this vehicle! This car is stolen! I have weed in my glovebox! I don't have my driver's license! I just hit an old lady minutes ago! I've been running stop lights all morning! I have a dead body in my trunk! This car doesn't pass the emissions tests! I'm not allowed to drive because I am under house arrest! My gas tank runs on the blood of children!" You stop to catch a breath, confident you have supplied so much information to the cop that you can't possibly be caught for not having your license now.
Yes, data mining is a signal-to-noise problem. But artificial noise like this isn't going to help much. If I were going to improve on this idea, I would make the plugin watch the user's search patterns. I would make it send queries only to the search engines the user does, only when he is actually online doing things. I would randomize the timing. (There's a comment to that effect in the code, so presumably this will be fixed in a later version of the program.) And I would make it monitor the web pages the user looks at, and send queries based on keywords it finds on those pages. And I would make it send queries in the form the user tends to use, whether it be single words, pairs of words, or whatever.
But honestly, I don't know that I would use it even then. The way serious people protect their web-searching privacy is through anonymization. Use Tor for serious web anonymization. Or Black Box Search for simple anonymous searching (here's a Greasemonkey extension that does that automatically.) And set your browser to delete search engine cookies regularly.
I've met users, and they're not fluent in security. They might be fluent in spreadsheets, eBay, or sending jokes over e-mail, but they're not technologists, let alone security people. Of course, they're making all sorts of security mistakes. I too have tried educating users, and I agree that it's largely futile.
Part of the problem is generational. We've seen this with all sorts of technologies: electricity, telephones, microwave ovens, VCRs, video games. Older generations approach newfangled technologies with trepidation, distrust and confusion, while the children who grew up with them understand them intuitively.
But while the don't-get-it generation will die off eventually, we won't suddenly enter an era of unprecedented computer security. Technology moves too fast these days; there's no time for any generation to become fluent in anything.
Earlier this year, researchers ran an experiment in London's financial district. Someone stood on a street corner and handed out CDs, saying they were a "special Valentine's Day promotion." Many people, some working at sensitive bank workstations, ran the program on the CDs on their work computers. The program was benign -- all it did was alert some computer on the Internet that it was running -- but it could just have easily been malicious. The researchers concluded that users don't care about security. That's simply not true. Users care about security -- they just don't understand it.
I don't see a failure of education; I see a failure of technology. It shouldn't have been possible for those users to run that CD, or for a random program stuffed into a banking computer to "phone home" across the Internet.
The real problem is that computers don't work well. The industry has convinced everyone that people need a computer to survive, and at the same time it's made computers so complicated that only an expert can maintain them.
If I try to repair my home heating system, I'm likely to break all sorts of safety rules. I have no experience in that sort of thing, and honestly, there's no point in trying to educate me. But the heating system works fine without my having to learn anything about it. I know how to set my thermostat and to call a professional if anything goes wrong.
Punishment isn't something you do instead of education; it's a form of education -- a very primal form of education best suited to children and animals (and experts aren't so sure about children). I say we stop punishing people for failures of technology, and demand that computer companies market secure hardware and software.
This originally appeared in the April 2006 issue of Information Security Magazine, as the second part of a point/counterpoint with Marcus Ranum. You can read Marcus's essay here, if you are a subscriber. (Subscriptions are free to "qualified" people.)
EDITED TO ADD (9/11): Here's Marcus's half.
Not a bad list:
10. ChoicePoint data spill
EDITED TO ADD (8/22): Daniel Solove comments.
This is impressive:
A fraudster contacts an AT&T service rep and says he works at a pizza parlor and that the phone is having trouble. Until things get fixed, he requests that all incoming calls be forwarded to another number, which he provides.
Those of us who know security have been telling people not to trust incoming phone calls -- that you should call the company if you are going to divulge personal information to them. Seems like that advice isn't foolproof.
The problem is the phone company, of course. They're forwarding calls based on an unauthenticated request. AT&T doesn't really want to talk about details:
He was reluctant to discuss the steps AT&T has taken to improve its call-forwarding system so this sort of thing doesn't happen again. What, for example, is to prevent someone from convincing AT&T to forward all calls to a local flower store or some other business that takes orders by phone?
It seems to me that AT&T would solve this problem more quickly if it were liable. Shouldn't a pizza customer who has been scammed be allowed to sue AT&T? After all, the phone company didn't route the customer's calls properly. Does the credit card company have a basis for a suit? Certainly the pizza parlor does, but the effects of AT&T's sloppy authentication are much greater than a few missed pizza orders.
In Australia, criminals are posing as census takers and harvesting personal data for fraudulent purposes.
EDITED TO ADD (8/21): I didn't notice that this link is from 2001. Sorry about missing that, but it actually makes the story more interesting. This is the sort of identity-theft tactic that I would have expected to see this year, as criminals have gotten more and more sophisticated. It surprises me that they were doing this five years ago as well.
A fisherman snags a rare catch in the Santa Barbara Channel, a tentacle belonging to a giant squid.
I've long been a fan of behavioral profiling, as opposed to racial profiling. The U.S. has been testing such a program. While there are legitimate fears that this could end up being racial profiling in disguise, I think this kind of thing is the right idea. (Although I am less impressed with this kind of thing.)
EDITED TO ADD (8/18): Funny cartoon on profiling.
There's a moral here. Profiling is something we all do, and we do it because -- for the most part -- it works. But when you're dealing with an intelligent adversary, as opposed to the cat, you invite that adversary to deliberately try to subvert your profiling system. The effectiveness of any profiling system is directly related to how likely it will be subverted.
From the TSA's web page on prohibited items:
We encourage everyone to pack gel-filled bras in their checked baggage.
Everyone? Do I have to as well? Where should I go buy one?
EDITED TO ADD (8/21): Language Log makes a serious comment.
Back in the 1980s, Yosemite National Park was having a serious problem with bears: They would wander into campgrounds and break into the garbage bins. This put both bears and people at risk. So the Park Service started installing armored garbage cans that were tricky to open -- you had to swing a latch, align two bits of handle, that sort of thing. But it turns out it's actually quite tricky to get the design of these cans just right. Make it too complex and people can't get them open to put away their garbage in the first place. Said one park ranger, "There is considerable overlap between the intelligence of the smartest bears and the dumbest tourists."
It's a tough balance to strike. People are smart, but they're impatient and unwilling to spend a lot of time solving the problem. Bears are dumb, but they're tenacious and are willing to spend hours solving the problem. Given those two constraints, creating a trash can that can both work for people and not work for bears is not easy.
I was interviewed by Martin McKeay.
The Science of Fingerprints: Classification and Uses, FBI, 1963. Introduction by J. Edgar Hoover.
You can buy a real copy here.
A futile attempt to improve the security of Japan's hanko identification system.
Last year, New York City implemented a program of random bag searches in the subways. It was a silly idea, and I wrote about it then. Recently the U.S. Court of Appeals for the 2nd Circuit upheld the program. Daniel Solove wrote about the ruling:
The 2nd Circuit panel concluded that the program was "reasonable" under the 4th Amendment's special needs doctrine. Under the special needs doctrine, if there are exceptional circumstances that make the warrant and probable cause requirements unnecessary, then the search should be analyzed in terms of whether it is "reasonable." Reasonableness is determined by balancing privacy against the government 's need. The problem with the 2nd Circuit decision is that under its reasoning, nearly any search, no matter how intrusive into privacy, would be justified. This is because of the way it assesses the government's side of the balance. When the government's interest is preventing the detonation of a bomb on a crowded subway, with the potential of mass casualties, it is hard for anything to survive when balanced against it.
Really interesting analysis of the chemistry involved in the alleged UK terrorist plot:
Based on the claims in the media, it sounds like the idea was to mix H2O2 (hydrogen peroxide, but not the low test kind you get at the pharmacy), H2SO4 (sulfuric acid, of necessity very concentrated for it to work at all), and acetone (known to people worldwide as nail polish remover), to make acetone peroxides. You first have to mix the H2O2 and H2SO4 to get a powerful oxidizer, and then you use it on acetone to get the peroxides, which are indeed explosive.
Read the whole thing.
EDITED TO ADD (8/16): More speculation.
EDITED TO ADD (8/17): Even more speculation.
Department of Homeland Security, Office of the Inspector General, "Review of CBP Actions Taken to Intercept Suspected Terrorists at U.S. Ports of Entry," OIG-06-43, June 2006.
Results in Brief:
CBP has improved information sharing capabilities within the organization to smooth the flow of arriving passengers and increase the effectiveness of limited resources at POEs. Earlier, officers at POEs possessed limited information to help them resolve the identities of individuals mistakenly matched to the terrorist watch list, but a current initiative aims to provide supervisors at POEs with much more information to help them positively identify and clear individuals with names similar to those in the terrorist database. CBP procedures are highly prescriptive and withhold from supervisors the authority to make timely and informed decisions regarding the admissibility of individuals who they could quickly confirm are not the suspected terrorist.
Here's a sophisticated credit card fraud ring that intercepted credit card authorization calls in Phuket, Thailand.
The fraudsters loaded this data onto MP3 players, which they sent to accomplices in neighbouring Malaysia. Cloned credit cards were manufactured in Malaysia and sent back to Thailand, where they were used to fraudulently purchase goods and services.
It's 2006 and those merchant terminals still don't encrypt their communications?
Good essay on "faux disclosure": disclosing a vulnerability without really disclosing it.
You've probably heard of full disclosure, the security philosophy that calls for making public all details of vulnerabilities. It has been the subject of debates among researchers, vendors, and security firms. But the story that grabbed most of the headlines at the Black Hat Briefings in Las Vegas last week was based on a different type of disclosure. For lack of a better name, I'll call it faux disclosure. Here's why.
Full disclosure is the only thing that forces vendors to fix security problems. The further we move away from full disclosure, the less incentive vendors have to fix problems and the more at-risk we all are.
The Guardian has the story:
One of Britain's biggest high street banks has left millions of online bank accounts exposed to potential fraud because of a glaring security loophole, the Guardian has learned.
Sounds pretty bad.
But look at this:
The flaw, which is not being detailed by the Guardian, revolves around the way HSBC customers access their web-based banking service. Criminals using so-called "keyloggers" - readily available gadgets or viruses which record every keystroke made on a target computer - can easily deduce the data needed to gain unfettered access to accounts in just a few attempts.
So, the "scandalous" flaw is that an attacker who already has a keylogger installed on someone's computer can break into his HSBC account. Seems to me if an attacker has a keylogger installed on someone's computer, then he's got all sorts of security issues.
If this is the biggest flaw in HSBC's login authentication system, I think they're doing pretty good.
Hours-long waits in the security line. Ridiculous prohibitions on what you can carry onboard. Last week's foiling of a major terrorist plot and the subsequent airport security graphically illustrates the difference between effective security and security theater.
None of the airplane security measures implemented because of 9/11 -- no-fly lists, secondary screening, prohibitions against pocket knives and corkscrews -- had anything to do with last week's arrests. And they wouldn't have prevented the planned attacks, had the terrorists not been arrested. A national ID card wouldn't have made a difference, either.
Instead, the arrests are a victory for old-fashioned intelligence and investigation. Details are still secret, but police in at least two countries were watching the terrorists for a long time. They followed leads, figured out who was talking to whom, and slowly pieced together both the network and the plot.
The new airplane security measures focus on that plot, because authorities believe they have not captured everyone involved. It's reasonable to assume that a few lone plotters, knowing their compatriots are in jail and fearing their own arrest, would try to finish the job on their own. The authorities are not being public with the details -- much of the "explosive liquid" story doesn't hang together -- but the excessive security measures seem prudent.
But only temporarily. Banning box cutters since 9/11, or taking off our shoes since Richard Reid, has not made us any safer. And a long-term prohibition against liquid carry-ons won't make us safer, either. It's not just that there are ways around the rules, it's that focusing on tactics is a losing proposition.
It's easy to defend against what the terrorists planned last time, but it's shortsighted. If we spend billions fielding liquid-analysis machines in airports and the terrorists use solid explosives, we've wasted our money. If they target shopping malls, we've wasted our money. Focusing on tactics simply forces the terrorists to make a minor modification in their plans. There are too many targets -- stadiums, schools, theaters, churches, the long line of densely packed people before airport security -- and too many ways to kill people.
Security measures that require us to guess correctly don't work, because invariably we will guess wrong. It's not security, it's security theater: measures designed to make us feel safer but not actually safer.
Airport security is the last line of defense, and not a very good one at that. Sure, it'll catch the sloppy and the stupid -- and that's a good enough reason not to do away with it entirely -- but it won't catch a well-planned plot. We can't keep weapons out of prisons; we can't possibly keep them off airplanes.
The goal of a terrorist is to cause terror. Last week's arrests demonstrate how real security doesn't focus on possible terrorist tactics, but on the terrorists themselves. It's a victory for intelligence and investigation, and a dramatic demonstration of how investments in these areas pay off.
And if you want to know what you can do to help? Don't be terrorized. They terrorize more of us if they kill some of us, but the dead are beside the point. If we give in to fear, the terrorists achieve their goal even if they were arrested. If we refuse to be terrorized, then they lose -- even if their attacks succeed.
This op ed appeared today in the Minneapolis Star-Tribune.
EDITED TO ADD (8/12): Another Dr. Fun squid cartoon.
EDITED TOADD (8/12): and another.
About a quarter of the way down on this page, you'll find a scan of a 1970s Superman comic in which a hacker kid breaks into the Fortress of Solitude's computer system, using what looks to be a TRS-80 Model III. Superman's password was "Kal-El": his Kryptonian name.
Department of Homeland Security, Office of the Inspector General, "Enhanced Security Controls Needed For US-VISIT's System Using RFID Technology (Redacted)," OIG-06-39, June 2006.
From the Executive Summary:
We audited the Department of Homeland Security (DHS) and select organizational components' security programs to evaluate the effectiveness of controls implemented on Radio Frequency Identification (RFID) systems. Systems employing RFID technology include a tag and reader on the front end and an application and database on the back end.
I wrote about US-VISIT in 2004 and again in 2006. In that second essay, I gave a price of $15B. I have since come to not believe that data, and I don't have any better information on the price. But I still think my analysis holds. I would much rather take the money spent on US-VISIT and spend it on intelligence and investigation, the kind of security that resulted in the U.K. arrests earlier this week and is likely to actually make us safer.
A collection of 11 prison shivs confiscated over 20 years ago in New Jersey.
Think about these, and the adverse conditions they were made under, the next time you see someone's pocket knife being taken away from them at airport security. We can't keep weapons out of prisons; we can't possibly expect to keep them out of airports.
All short-haul inbound flights to Heathrow airport have been cancelled. Some flights in and out of Gatwick have been suspended.
In addition, pretty much no carry-ons are allowed:
These measures will prevent passengers from carrying hand luggage into the cabin of an aircraft with the following exceptions (which must be placed in a plastic bag):
Across the Atlantic, the TSA has announced new security rules:
Passengers are not allowed to have gels or liquids of any kind at screening points or in the cabin of any airplane.
See the TSA rules for more detail.
Given how little we know of the extent of the plot, these don't seem like ridiculous short-term measures. I'm sure glad I'm not flying anywhere this week.
EDITED TO ADD (8/10): Interesting analysis by Eric Rescorla.
The big news in professional bicycle racing is that Floyd Landis may be stripped of his Tour de France title because he tested positive for a banned performance-enhancing drug. Sidestepping the entire issue of whether professional athletes should be allowed to take performance-enhancing drugs, how dangerous those drugs are, and what constitutes a performance-enhancing drug in the first place, I'd like to talk about the security and economic issues surrounding the issue of doping in professional sports.
Drug testing is a security issue. Various sports federations around the world do their best to detect illegal doping, and players do their best to evade the tests. It's a classic security arms race: improvements in detection technologies lead to improvements in drug detection evasion, which in turn spur the development of better detection capabilities. Right now, it seems that the drugs are winning; in places, these drug tests are described as "intelligence tests": if you can't get around them, you don't deserve to play.
But unlike many security arms races, the detectors have the ability to look into the past. Last year, a laboratory tested Lance Armstrong's urine and found traces of the banned substance EPO. What's interesting is that the urine sample tested wasn't from 2005; it was from 1999. Back then, there weren't any good tests for EVO in urine. Today there are, and the lab took a frozen urine sample -- who knew that labs save urine samples from athletes? -- and tested it. He was later cleared -- the lab procedures were sloppy -- but I don't think the real ramifications of the episode were ever well understood. Testing can go back in time.
This has two major effects. One, doctors who develop new performance-enhancing drugs may know exactly what sorts of tests the anti-doping laboratories are going to run, and they can test their ability to evade drug detection beforehand. But they cannot know what sorts of tests will be developed in the future, and athletes cannot assume that just because a drug is undetectable today it will remain so years later.
Two, athletes accused of doping based on years-old urine samples have no way of defending themselves. They can't resubmit to testing; it's too late. If I were an athlete worried about these accusations, I would deposit my urine "in escrow" on a regular basis to give me some ability to contest an accusation.
The doping arms race will continue because of the incentives. It's a classic Prisoner's Dilemma. Consider two competing athletes: Alice and Bob. Both Alice and Bob have to individually decide if they are going to take drugs or not.
Imagine Alice evaluating her two options:
"If Bob doesn't take any drugs," she thinks, "then it will be in my best interest to take them. They will give me a performance edge against Bob. I have a better chance of winning.
"Similarly, if Bob takes drugs, it's also in my interest to agree to take them. At least that way Bob won't have an advantage over me.
"So even though I have no control over what Bob chooses to do, taking drugs gives me the better outcome, regardless of what his action."
Unfortunately, Bob goes through exactly the same analysis. As a result, they both take performance-enhancing drugs and neither has the advantage over the other. If they could just trust each other, they could refrain from taking the drugs and maintain the same non-advantage status -- without any legal or physical danger. But competing athletes can't trust each other, and everyone feels he has to dope -- and continues to search out newer and more undetectable drugs -- in order to compete. And the arms race continues.
Some sports are more vigilant about drug detection than others. European bicycle racing is particularly vigilant; so are the Olympics. American professional sports are far more lenient, often trying to give the appearance of vigilance while still allowing athletes to use performance-enhancing drugs. They know that their fans want to see beefy linebackers, powerful sluggers, and lightning-fast sprinters. So, with a wink and a nod, they only test for the easy stuff.
For example, look at baseball's current debate on human growth hormone: HGH. They have serious tests, and penalties, for steroid use, but everyone knows that players are now taking HGH because there is no urine test for it. There's a blood test in development, but it's still some time away from working. The way to stop HGH use is to take blood tests now and store them for future testing, but the players' union has refused to allow it and the baseball commissioner isn't pushing it.
In the end, doping is all about economics. Athletes will continue to dope because the Prisoner's Dilemma forces them to do so. Sports authorities will either improve their detection capabilities or continue to pretend to do so -- depending on their fans and their revenues. And as technology continues to improve, professional athletes will become more like deliberately designed racing cars.
This essay originally appeared on Wired.com.
Minnesota Public Radio interviewed me while wandering around Minneapolis, looking for cameras and other forms of mass surveillance.
This is interesting. Seems that a group of Sri Lankan credit card thieves collected the data off a bunch of UK chip-protected credit cards.
All new credit cards in the UK come embedded come with RFID chips that contain different pieces of user information, in order to access the account and withdraw cash the ATMs has to verify both the magnetic strip and the RFID tag. Without this double verification the ATM will confiscate the card, and possibly even notify the police.
They're not RFID chips, they're normal smart card chips that require physical contact -- but that's not the point.
They couldn't clone the chips, so they took the information off the magnetic stripe and made non-chip cards. These cards wouldn't work in the UK, of course, so the criminals flew down to India where the ATMs only verify the magnetic stripe.
Backwards compatibility is often incompatible with security. This is a good example, and demonstrates how criminals can make use of "technological arbitrage" to leverage compatibility.
EDITED TO ADD (8/9): Facts corrected above.
AOL has released very private data about its users without their permission. While the AOL username has been changed to a random ID number, the ability to analyze all searches by a single user will often lead people to easily determine who the user is, and what they are up to. The data includes personal names, addresses, social security numbers and everything else someone might type into a search box.
This is search data for roughly 658,000 anonymized users over a three month period from March to May -- about 1/3 of 1 per cent of their total data for that period.
Anyone who wants to play NSA can start datamining for terrorists. Let us know if you find anything.
EDITED TO ADD (8/9): The New York Times:
And search by search, click by click, the identity of AOL user No. 4417749 became easier to discern. There are queries for "landscapers in Lilburn, Ga," several people with the last name Arnold and "homes sold in shadow lake subdivision gwinnett county georgia."
In case you needed a comprehensive database of malware.
Malware Distribution Project (MD:Pro) offers developers of security systems and anti-malware products a vast collection of downloadable malware from a secure and reliable source, exclusively for the purposes of analysis, testing, research and development.
This isn't free. You can subscribe at 1,250 euros for a month, or 13,500 euros a year. (There are cheaper packages with less comprehensive access.)
They claim to have a stringent vetting process, ensuring that only legitimate researchers have access to this database:
It should be noted that we are not a malware/VX distribution site, nor do we condone the public spreading and/or distribution of such information, hence we will be vetting our registrants stringently. We do appreciate that this puts a severe restriction on private (individual) malware researchers and enthusiasts with limited or no budget, but we do feel that providing free malware for public research is out of the scope of this project.
EDITED TO ADD (8/8): The hacker group Cult of the Dead Cow also has a malware repository, free and with looser access restrictions.
Terrorists can be defeated simply by not becomming terrorized -- that is, anything that enhances fear effectively gives in to them.
EDITED TO ADD (8/7): Commentary from BoingBoing.
At BlackHat last week, Brendan O'Connor warned about the dangers of insecure printers:
"Stop treating them as printers. Treat them as servers, as workstations," O'Connor said in his presentation on Thursday. Printers should be part of a company's patch program and be carefully managed, not forgotten by IT and handled by the most junior person on staff, he said.
I remember the L0pht doing work on printer vulnerabilities, and ways to attack networks via the printers, years ago. But the point is still valid and bears repeating: printers are computers, and have vulnerabilities like any other computers.
Once a printer was under his control, O'Connor said he would be able to use it to map an organization's internal network--a situation that could help stage further attacks. The breach gave him access to any of the information printed, copied or faxed from the device. He could also change the internal job counter--which can reduce, or increase, a company's bill if the device is leased, he said.
Getting copies of all printed documents is definitely a security vulnerability, but I think the biggest threat is that the printers are inside the network, and are a more-trusted launching pad for onward attacks.
One of the weaknesses in the Xerox system is an unsecured boot loader, the technology that loads the basic software on the device, O'Connor said. Other flaws lie in the device's Web interface and in the availability of services such as the Simple Network Management Protocol and Telnet, he said.
One of the reasons this is a particularly nasty problem is that people don't update their printer software. Want to bet approximately 0% of the printer's users installed that patch? And what about printers whose code can't be patched?
EDITED TO ADD (8/7): O'Connor's name corrected.
Nice article from CIO Magazine about data mining and terrorism.
It's being built in a Japanese town:
...on July 18, a group of Hakodate residents made an official announcement regarding plans to create a giant robotic squid for the city.
Not because they're annoying, but as a security measure:
Cell phones have been banned inside the five branches of the First National Bank in the Chicago area, to enhance security.
This is just plain dumb. It's easy to get around the ban: a Bluetooth earpiece is inconspicuous enough. Or a couple of earbuds that look like an iPod. Or an SMS device. It only has to work at the beginning. After all, once you start actually robbing the bank, a ban isn't going to deter you from using your cell phone.
It's on their website:
"Diebold has made the testing and certification process practically irrelevant," according to Dechert. "If you have access to these machines and you want to rig an election, anything is possible with the Diebold TS -- and it could be done without leaving a trace. All you need is a screwdriver." This model does not produce a voter verified paper trail so there is no way to check if the voter's choices are accurately reflected in the tabulation.
If this is true, this is an enormously big deal.
What do you do when you find someone else stealing bandwidth from your wireless network? I don't care, but this person does. So he "runs squid with a trivial redirector that downloads images, uses mogrify to turn them upside down and serves them out of it's local webserver." The images are hysterical. He also tries modifying all the images so they are blurry.
It was demonstrated today at the BlackHat conference.
Grunwald says it took him only two weeks to figure out how to clone the passport chip. Most of that time he spent reading the standards for e-passports that are posted on a website for the International Civil Aviation Organization, a United Nations body that developed the standard. He tested the attack on a new European Union German passport, but the method would work on any country's e-passport, since all of them will be adhering to the same ICAO standard.
I've long been opposed (that last link is an op-ed from The International Herald-Tribune) to RFID chips in passports, although last year I -- mistakenly -- withdrew my objections based on the security measures the State Department was taking.
That's silly. I'm not opposed to chips on ID cards, I am opposed to RFID chips. My fear is surreptitious access: someone could read the chip and learn your identity without your knowledge or consent.
Sure, the State Department is implementing security measures to prevent that. But as we all know, these measures won't be perfect. And a passport has a ten-year lifetime. It's sheer folly to believe the passport security won't be hacked in that time. This hack took only two weeks!
The best way to solve a security problem is not to have it at all. If there's an RFID chip on your passport, or any of your identity cards, you have to worry about securing it. If there's no RFID chip, then the security problem is solved.
Until I hear a compelling case for why there must be an RFID chip on a passport, and why a normal smart-card chip can't do, I am opposed to the idea.
Crossposted to the ACLU blog.
To kick off his new Browser Fun blog, H.D. Moore began with "A Month of Browser Bugs":
This blog will serve as a dumping ground for browser-based security research and vulnerability disclosure. To kick off this blog, we are announcing the Month of Browser Bugs (MoBB), where we will publish a new browser hack, every day, for the entire month of July. The hacks we publish are carefully chosen to demonstrate a concept without disclosing a direct path to remote code execution. Enjoy!
Thirty-one days, and thirty-one hacks later, the blog lists exploits against all the major browsers:
My guess is that he could have gone on for another month without any problem, and possibly could produce a new browser bug a day indefinitely.
The moral here isn't that IE is less secure than the other browsers, although I certainly believe that. The moral is that coding standards are so bad that security flaws are this common.
Eric Rescorla argues that it's a waste of time to find and fix new security holes, because so many of them still remain and the software's security isn't improved. I think he has a point. (Note: this is not to say that it's a waste of time to fix the security holes found and publicly exploited by the bad guys. The question Eric tries to answer is whether or not it is worth it for the security community to find new security holes.)
Another commentary is here.
It's not happening anytime soon:
Congress agreed to pay for the development of the systems to protect the planes from such weapons, but balked at proposals to spend the billions needed to protect all 6,800 commercial U.S. airliners.
Probably for the best, actually. One, there are far more effective ways to spend that money on counterterrorism. And two, they're only effective against a particular type of missile technology:
Both BAE and Northrop systems use lasers to jam the guidance systems of incoming missiles, which lock onto the heat of an aircraft's engine.
Taking a cue from a useless American idea, the UK has announced a system of threat levels:
"Threat levels are designed to give a broad indication of the likelihood of a terrorist attack," the intelligence.gov.uk website said in a posting. "They are based on the assessment of a range of factors including current intelligence, recent events and what is known about terrorist intentions and capabilities. This information may well be incomplete and decisions about the appropriate security response are made with this in mind."
The current level is "severe":
"Severe" is the second-highest threat level, but the Web site did not say what kind of attack was likely. The assessment is roughly the same as it has been for a year.
I wrote about the stupidity of this sort of system back in 2004:
In theory, the warnings are supposed to cultivate an atmosphere of preparedness. If Americans are vigilant against the terrorist threat, then maybe the terrorists will be caught and their plots foiled. And repeated warnings brace Americans for the aftermath of another attack.
The Bush administration used this system largely as a political tool. Perhaps Tony Blair has the same idea.
Crossposted to the ACLU blog.
This computerized servomotor opens combination locks by brute forcing all the combinations. This isn't particular surprising, but it is nice to see some actually build one.
What's more interesting is the link describing how to open a common Master brand lock in about 10 minutes. The design makes those 403 possible combinations collapse to 121. It's a physical metaphor for bad cryptography.
The top three antivirus programs -- from Symantec, McAfee, and Trend Micro -- are less likely to detect new viruses and worms than less popular programs, because virus writers specifically test their work against those programs:
On Wednesday, the general manager of Australia's Computer Emergency Response Team (AusCERT), Graham Ingram, described how the threat landscape has changed -- along with the skill of malware authors.
It's interesting to watch the landscape change, as malware becomes less the province of hackers and more the province of criminals. This is one move in a continuous arms race between attacker and defender.
On the Firewall Wizards mailing list last year, Dave Piscitello made a fascinating observation. Commenting on the traditional four-step security model:
Authentication (who are you)
This model is no longer sufficient because it does not include asserting the trustworthiness of the endpoint device from which a (remote) user will authenticate and subsequently access data. Network admission and endpoint control are needed to determine that the device is free of malware (esp. key loggers) before you even accept a keystroke from a user. So let's prepend "admissibility" to your list, and come up with a 5-legged stool, or call it the Pentagon of Trust.
He's 100% right.
EDITED TO ADD (8/1): The paper is only viewable by subscribers. Here are some excerpts:
Fortunately, buffer-overflow attacks have a weakness: the intruder must know precisely what part of the computer's memory to target. In 1996, Forrest realised that these attacks could be foiled by scrambling the way a program uses a computer's memory. When you launch a program, the operating system normally allocates the same locations in a computer's random access memory (RAM) each time. Forrest wondered whether she could rewrite the operating system to force the program to use different memory locations that are picked randomly every time, thus flummoxing buffer-overflow attacks.
EDITED TO ADD (8/2): The article is online here.
Powered by Movable Type. Photo at top by Per Ervland.
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.