Schneier on Security
A blog covering security and security technology.
December 2008 Archives
We already knew that MD5 is a broken hash function. Now researchers have successfully forged MD5-signed certificates:
Molnar, Appelbaum, and Sotirov joined forces with the European MD5 research team in mid-2008, along with Swiss cryptographer Dag Arne Osvik. They realized that the co-construction technique could be used to simultaneously generate one normal SSL certificate and one forged certificate, which could be used to sign and vouch for any other. They purchased a signature for the legitimate certificate from an established company that was still using MD5 for signing, and then applied the legitimate signature to the forged certificate. Because the legitimate and forged certificates had the same MD5 value, the legitimate signature also marked the forged one as acceptable.
This isn't a big deal. The research is great; it's good work, and I always like to see cryptanalytic attacks used to break real-world security systems. Making that jump is often much harder than cryptographers think.
But SSL doesn't provide much in the way of security, so breaking it doesn't harm security very much. Pretty much no one ever verifies SSL certificates, so there's not much attack value in being able to forge them. And even more generally, the major risks to data on the Internet are at the endpoints -- Trojans and rootkits on users' computers, attacks against databases and servers, etc -- and not in the network.
I'm not losing a whole lot of sleep because of these attacks. But -- come on, people -- no one should be using MD5 anymore.
EDITED TO ADD (12/31): While it is true that browsers do some SSL certificate verification, when they find an invalid certificate they display a warning dialog box which everyone -- me included -- ignores. There are simply too many valid sites out there with bad certificates for that warning to mean anything. This is far too true:
If you're like me and every other user on the planet, you don't give a shit when an SSL certificate doesn't validate. Unfortunately, commons-httpclient was written by some pedantic fucknozzles who have never tried to fetch real-world webpages.
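The forgery described above works because an RSA signature covers only the hash of the certificate body: a CA that signs one body has, without knowing it, signed every other body with the same MD5 digest. The following added example (not from the post or the paper it describes) shows that directly, using the colliding 128-byte message pair published by Wang et al. in 2004 as stand-ins for the "legitimate" and "forged" certificate bodies, and a toy textbook-RSA key that is a hypothetical stand-in for the CA's key. The defender's fix is the last function: a verifier that refuses MD5 as a signature hash.

```python
"""Why one MD5 collision yields two validly signed "certificates"."""
import hashlib

# Published MD5 colliding pair (Wang et al., 2004): 128 bytes each,
# differing in six bytes, identical MD5 digest. Here they stand in
# for the to-be-signed bodies of a legitimate and a forged certificate.
COLLISION_A = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab58712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e488832571415a085125e8f7cdc99fd91dbdf280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e2b487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080a80d1ec69821bcb6a8839396f9652b6ff72a70"
)
COLLISION_B = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab50712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e4888325f1415a085125e8f7cdc99fd91dbd7280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e23487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080280d1ec69821bcb6a8839396f965ab6ff72a70"
)

# Hypothetical toy "CA key": textbook RSA built from two Mersenne primes.
# The modulus is wide enough to hold a 256-bit digest as an integer,
# but this is a teaching key, not a usable one (no padding, tiny primes).
P = (1 << 127) - 1
Q = (1 << 521) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def ca_sign(tbs: bytes, hash_name: str) -> int:
    """The CA signs hash(tbs), not tbs itself: sig = digest^D mod N."""
    digest = hashlib.new(hash_name, tbs).digest()
    return pow(int.from_bytes(digest, "big"), D, N)


def verify(tbs: bytes, sig: int, hash_name: str,
           allowed=("sha256",)) -> bool:
    """Verifier: recompute hash(tbs) and compare with sig^E mod N.

    The policy knob `allowed` is the defence: a relying party that
    refuses MD5 as a signature hash cannot be fooled by an MD5 collision,
    no matter who signed it.
    """
    if hash_name not in allowed:
        return False
    digest = hashlib.new(hash_name, tbs).digest()
    return pow(sig, E, N) == int.from_bytes(digest, "big")


def demo():
    """Returns (forged body accepted by an MD5-tolerant verifier,
                forged body accepted by a verifier that refuses MD5)."""
    # The CA only ever sees and signs the legitimate body...
    sig = ca_sign(COLLISION_A, "md5")
    # ...yet the same signature validates the forged body under MD5.
    lenient = verify(COLLISION_B, sig, "md5", allowed=("md5", "sha256"))
    # A verifier that rejects MD5 outright is not fooled.
    strict = verify(COLLISION_B, sig, "md5")
    return lenient, strict


if __name__ == "__main__":
    print("MD5  A:", md5_hex(COLLISION_A))
    print("MD5  B:", md5_hex(COLLISION_B))
    print("SHA256 equal?", sha256_hex(COLLISION_A) == sha256_hex(COLLISION_B))
    print("forged accepted (lenient, strict):", demo())
```

The real attack needed a chosen-prefix collision so that both bodies parse as well-formed certificates, which is far harder than reusing a published pair; the signature mechanics that make the forgery count, however, are exactly the ones shown here.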
From 1999. (It's a PDF.)
The NSA's software does this by measuring the amount of time the network takes to send different types of data from one computer to another and raising a red flag if something takes too long, according to the patent filing.
Alexander is a former Special Operations interrogator who worked in Iraq in 2006. His op-ed is worth reading:
I learned in Iraq that the No. 1 reason foreign fighters flocked there to fight were the abuses carried out at Abu Ghraib and Guantanamo. Our policy of torture was directly and swiftly recruiting fighters for al-Qaeda in Iraq. The large majority of suicide bombings in Iraq are still carried out by these foreigners. They are also involved in most of the attacks on U.S. and coalition forces in Iraq. It's no exaggeration to say that at least half of our losses and casualties in that country have come at the hands of foreigners who joined the fray because of our program of detainee abuse. The number of U.S. soldiers who have died because of our torture policy will never be definitively known, but it is fair to say that it is close to the number of lives lost on Sept. 11, 2001. How anyone can say that torture keeps Americans safe is beyond me -- unless you don't count American soldiers as Americans.
Also, this interview from Harper's:
In Iraq, we lived the "ticking time bomb" scenario every day. Numerous Al Qaeda members that we captured and interrogated were directly involved in coordinating suicide bombing attacks. I remember one distinct case of a Sunni imam who was caught just after having blessed suicide bombers to go on a mission. Had we gotten there just an hour earlier, we could have saved lives. Still, we knew that if we resorted to torture the short term gains would be outweighed by the long term losses. I listened time and time again to foreign fighters, and Sunni Iraqis, state that the number one reason they had decided to pick up arms and join Al Qaeda was the abuses at Abu Ghraib and the authorized torture and abuse at Guantanamo Bay. My team of interrogators knew that we would become Al Qaeda's best recruiters if we resorted to torture. Torture is counterproductive to keeping America safe and it doesn't matter if we do it or if we pass it off to another government. The result is the same. And morally, I believe, there is an even stronger argument. Torture is simply incompatible with American principles. George Washington and Abraham Lincoln both forbade their troops from torturing prisoners of war. They realized, as the recent bipartisan Senate report echoes, that this is about who we are. We cannot become our enemy in trying to defeat him.
EDITED TO ADD (1/13): Yet another interview.
From the New York Times:
Police departments across the country say that shoplifting arrests are 10 percent to 20 percent higher this year than last. The problem is probably even greater than arrest records indicate since shoplifters are often banned from stores rather than arrested.
A previous post listed the most frequently shoplifted items: small, expensive things with a long shelf life.
EDITED TO ADD (1/13): Maybe shoplifting isn't on the rise after all.
Putting it in a clear plastic baggie magically makes it safe:
Mind you, I had packed the stuff safely. It was in three separate jars: one of charcoal, one of sulphur, and one of saltpetre (potassium nitrate). Each jar was labeled: Charcoal, Sulphur, Saltpetre. I had also thoroughly wet down each powder with tap water. No ignition was possible. As a good citizen, I had packed the resulting pastes into a quart-sized "3-1-1" plastic bag, along with my shampoo and hand cream. This bag I took out of my messenger bag and put on top of my bin of belongings, turned so that the labels were easy for the TSA inspector to read.
Sad squid news.
...vandals got in by taking advantage of a temporary door, smashed windows and broke display cases containing male and female giant squids each measuring ten metres long as well as skeletons of whales, tortoises, marine birds and fossils.
Where was the security?
This is not surprising at all; when money is scarce, these sorts of things go unfunded. Perhaps the biggest surprise is that people thought the cameras were ever monitored -- generally, they're not.
"Securing Cyberspace for the 44th Presidency," by the Center for Strategic and International Studies.
Just declassified, this document -- A History of U.S. Communications Security (Volumes I and II); the David G. Boak Lectures, National Security Agency (NSA), 1973 -- is definitely worth reading. The first sections are highly redacted, but the remainder is fascinating.
Other important differences:
Every day the men and women of the Department of Homeland Security patrol more than 100,000 miles of America's borders. This territory includes airports, seaports, land borders, international mail centers, the open seas, mountains, deserts and even cyberspace. Now viewers will get an unprecedented look at the work of these men and women while they use the newest technology to safeguard our country and enforce our laws, in "Homeland Security USA," which debuts with the episode "This is Your Car on Drugs," TUESDAY, JANUARY 6 (8:00-9:00 p.m., ET) on ABC.
Sure it's propaganda, but the agency can use the image boost.
Seems that it's hard:
"There is no such thing as a voice print," he said. "It's a very very dangerous term. There is no single feature of a voice that is indelible that works like a fingerprint does."
Also Tuesday, the Senate voted to create a registry of cell phone owners to combat kidnappings and extortions in which gangs often use untraceable mobile phones to make ransom demands.
How easy is it to steal a cell phone? I'm generally not impressed with security measures, especially expensive ones, that merely result in the bad guys changing their tactics.
I'm on 60 Minutes today. If you're a new reader who has just found me from that show, welcome. Here are links to some of my previous writings about airplane security:
I also interviewed Kip Hawley last year.
This page contains all my essays and op eds.
Everyone, consider this the thread to discuss the show.
I'm particularly croggled by this quote from the CBS page:
"...it's why the TSA was created: to never forget," Hawley tells Stahl.
This quote summarizes nicely a lot about what's wrong with the TSA. They focus much too much on the specifics of the tactics that have been used, and not enough on the broad threat.
EDITED TO ADD (12/23): Here's the segment.
Ho ho ho, everyone.
At President Bush's press conferences.
Professor Nicolas Christakis, a professor of medical sociology at Harvard Medical School, told the BMJ there was "a gross over-reaction to the magnitude of the threat" posed by food allergies, and particularly nut allergies.
I'll be on 60 Minutes this Sunday. I honestly don't know how it will look; it wasn't my best interview.
EDITED TO ADD (12/23): Here's the segment.
From a reader:
I always get a giggle from reading about TSA security procedures, because of what I go through during my occasional job at an airport. I repair commercial kitchen cooking equipment -- restaurants etc. On occasion I have to go to restaurants inside a nearby airport terminal to repair equipment, sometimes needing a return trip with parts.
And people wonder why I call it all security theater?
Worth reading. One excerpt:
The problem is that NSA was never designed for what it's doing. It was designed after World War II to prevent another surprise attack from another nation-state, particularly the Soviet Union. And from 1945 or '46 until 1990 or '91, that's what its mission was. That's what every piece of equipment, that's what every person recruited to the agency, was supposed to do, practically — find out when and where and if the Russians were about to launch a nuclear attack. That's what it spent 50 years being built for. And then all of a sudden the Soviet Union is not around anymore, and NSA's got a new mission, and part of that is going after terrorists. And it's just not a good fit. They missed the first World Trade Center bombing, they missed the attack on the U.S.S. Cole, they missed the attack on the U.S. embassies in Africa, they missed 9/11. There's this string of failures because this agency was not really designed to do this. In the movies, they'd be catching terrorists all the time. But this isn't the movies, this is reality.
Also worth reading is his new book.
EDITED TO ADD (12/18): an updated version, as pointed out by Redfox in the comments.
Some Brazilian states used a computerised allocation system to levy how much timber can be logged in each area. However, logging firms attempted to subvert these controls by hiring hackers to break systems and increase the companies' allocations.
Now suppose that TSA head Kip Hawley came to you and asked you to submit voluntarily to a pat-down search the next time you travel. And suppose you knew, with complete certainty, that if you agreed to the search, this would magically give the TSA a 0.1% chance of stopping a deadly crime. You'd agree to the search, wouldn't you? Any reasonable person would accept the search to save (by assumption) at least 0.001 lives. This hypothetical TSA program is reasonable, even though it only has a 0.1% arrest rate. (I'm assuming here that an attack would cost only one life. Attacks that killed more people would justify searches with an even smaller arrest rate.)
Right. It's not just about the hit rate. It's the cost vs. benefit: cost in taxpayer money, passenger time, TSA screener attention, fundamental liberties, etc.
I have mixed feelings about this:
The NYPD wants all 1,000 Police Academy recruits trained to use M4 automatic machine guns -- which are now carried only by the 400 cops in its elite Emergency Service Unit -- in time for the holiday celebration in Times Square.
On the one hand, deploying these weapons seems like a bad idea. On the other hand, training is almost never a bad thing.
Oh, and in case you were worried:
There is no intelligence Times Square will be a target on New Year's Eve. The area will be on high alert, but has been so for every year since the millennium.
Speaking to the BBC, HMRC spokesperson Clare Merrills warned that faulty counterfeit consoles could be unsafe.
Why be rational, when you can stoke fear instead?
EDITED TO ADD (1/13): How to spot a fake Nintendo console.
Really interesting article on snipers:
It might be because there's another side to snipers and sniping after all. In particular, even though a sniper will often be personally responsible for huge numbers of deaths -- body counts in the hundreds for an individual shooter are far from unheard of -- as a class snipers kill relatively few people compared to the effects they achieve. Furthermore, when a sniper kills someone, it is almost always a person they meant to kill, not just someone standing around in the wrong place and time. These are not things that most branches of the military can say.
A reporter managed to file legal papers, transferring ownership of the Empire State Building to himself. Yes, it's a stunt:
The office of the city register, upon receipt of the phony documents prepared by the newspaper, transferred ownership of the 102-story building from Empire State Land Associates to Nelots Properties, LLC. Nelots is "stolen" spelled backward.
Still, this sort of thing has been used to commit fraud in the past, and will continue to be a source of fraud in the future. The problem is that there isn't enough integrity checking to ensure that the person who is "selling" the real estate is actually the person who owns it.
The frightening but fascinatingly cool hovering robot -- the MKV (Multiple Kill Vehicle) -- is designed to shoot down enemy ballistic missiles.
Okay, people. Now is the time to start discussing the rules of war for autonomous robots. Now, when it's still theoretical.
And a new cartoon.
I have been named as one of the 25 most influential people in the security industry.
Anyway, turning someone away at the border provides trivial security against terrorism, because terrorists are fungible. Turning away a known terrorist merely inconveniences a terrorist group, which just has to recruit someone different. The 9/11 attacks were conducted for the most part by people who had no known record of terrorism and who arrived on visas granted to them by the State Department. Biometric border security would have prevented none of them from entering.
NIST has published all 51 first-round candidates in its hash algorithm competition. (Presumably the other submissions -- we heard they received 64 -- were rejected because they weren't complete.) You can download the submission package from the NIST page. The SHA-3 Zoo is still the best source for up-to-date cryptanalysis information.
And there's news about Skein's performance. And two Java implementations. (Does anyone want to do an implementation of Threefish?) In general, the Skein website is the place to go for up-to-date Skein information.
People just don't understand security:
Mr. Somsel, in an interview Thursday, said he had done further research and was concerned that the radio signal — or the Internet instructions that would be sent, in an emergency, from utilities' central control stations to the broadcasters sending the FM signal — could be hacked into.
I wonder what she'll think when someone hacks the system?
As the first digital president, Barack Obama is learning the hard way how difficult it can be to maintain privacy in the information age. Earlier this year, his passport file was snooped by contract workers in the State Department. In October, someone at Immigration and Customs Enforcement leaked information about his aunt's immigration status. And in November, Verizon employees peeked at his cell phone records.
What these three incidents illustrate is not that computerized databases are vulnerable to hacking -- we already knew that, and anyway the perpetrators all had legitimate access to the systems they used -- but how important audit is as a security measure.
When we think about security, we commonly think about preventive measures: locks to keep burglars out of our homes, bank safes to keep thieves from our money, and airport screeners to keep guns and bombs off airplanes. We might also think of detection and response measures: alarms that go off when burglars pick our locks or dynamite open bank safes, sky marshals on airplanes who respond when a hijacker manages to sneak a gun through airport security. But audit, figuring out who did what after the fact, is often far more important than any of those other three.
Most security against crime comes from audit. Of course we use locks and alarms, but we don't wear bulletproof vests. The police provide for our safety by investigating crimes after the fact and prosecuting the guilty: that's audit.
Audit helps ensure that people don't abuse positions of trust. The cash register, for example, is basically an audit system. Cashiers have to handle the store's money. To ensure they don't skim from the till, the cash register keeps an audit trail of every transaction. The store owner can look at the register totals at the end of the day and make sure the amount of money in the register is the amount that should be there.
The same idea secures us from police abuse, too. The police have enormous power, including the ability to intrude into very intimate aspects of our life in order to solve crimes and keep the peace. This is generally a good thing, but to ensure that the police don't abuse this power, we put in place systems of audit like the warrant process.
The whole NSA warrantless eavesdropping scandal was about this. Some misleadingly painted it as allowing the government to eavesdrop on foreign terrorists, but the government always had that authority. What the government wanted was to not have to submit a warrant, even after the fact, to a secret FISA court. What they wanted was to not be subject to audit.
That would be an incredibly bad idea. Law enforcement systems that don't have good audit features designed in, or are exempt from this sort of audit-based oversight, are much more prone to abuse by those in power -- because they can abuse the system without the risk of getting caught. Audit is essential as the NSA increases its domestic spying. And large police databases, like the FBI Next Generation Identification System, need to have strong audit features built in.
For computerized database systems like that -- systems entrusted with other people's information -- audit is a very important security mechanism. Hospitals need to keep databases of very personal health information, and doctors and nurses need to be able to access that information quickly and easily. A good audit record of who accessed what when is the best way to ensure that those trusted with our medical information don't abuse that trust. It's the same with IRS records, credit reports, police databases, telephone records -- anything personal that someone might want to peek at during the course of his job.
Which brings us back to President Obama. In each of those three examples, someone in a position of trust inappropriately accessed personal information. The difference between how they played out is due to differences in audit. The State Department's audit worked best; they had alarm systems in place that alerted superiors when Obama's passport files were accessed and who accessed them. Verizon's audit mechanisms worked less well; they discovered the inappropriate account access and have narrowed the culprits down to a few people. Audit at Immigration and Customs Enforcement was far less effective; they still don't know who accessed the information.
Large databases filled with personal information, whether managed by governments or corporations, are an essential aspect of the information age. And they each need to be accessed, for legitimate purposes, by thousands or tens of thousands of people. The only way to ensure those people don't abuse the power they're entrusted with is through audit. Without it, we will simply never know who's peeking at what.
This essay first appeared on the Wall Street Journal website.
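The essay's two audit properties, "who accessed what when" and alarms when a sensitive record is touched, are easy to state and easy to get subtly wrong. The added example below (mine, not from the essay) sketches an access-audit log for a records system: every access is appended with a keyed MAC that chains to the previous entry, flagged records raise an alert on access, and a verifier reports the first entry where the chain has been edited or deleted. Actors, record names and timestamps are constructed sample data; the MAC key is a placeholder that, in a real deployment, would be held by the audit service and never by the clerks whose accesses it records. It also covers the edge case a chain alone misses: silently dropping the most recent entries, which is only caught by comparing against a head value published elsewhere.

```python
"""Hash-chained access-audit log with flagged-record alerts (added example)."""
import hashlib
import hmac
import json

GENESIS = "0" * 64  # chain anchor for the first entry


class AuditLog:
    def __init__(self, key: bytes, flagged_subjects=()):
        self._key = key                      # held by the audit system only
        self._flagged = set(flagged_subjects)
        self.entries = []                    # append-only in normal operation
        self.alerts = []                     # what a supervisor would see

    def _mac(self, entry: dict) -> str:
        body = {k: entry[k] for k in ("ts", "actor", "action", "subject", "prev")}
        data = json.dumps(body, sort_keys=True).encode()
        return hmac.new(self._key, data, hashlib.sha256).hexdigest()

    def record(self, ts: str, actor: str, action: str, subject: str) -> dict:
        """Append one access; each entry binds to the MAC of the one before it."""
        prev = self.entries[-1]["mac"] if self.entries else GENESIS
        entry = {"ts": ts, "actor": actor, "action": action,
                 "subject": subject, "prev": prev}
        entry["mac"] = self._mac(entry)
        self.entries.append(entry)
        if subject in self._flagged:  # the "alarm" on a sensitive record
            self.alerts.append(f"{ts} {actor} {action} flagged record {subject}")
        return entry

    def head(self) -> str:
        """Latest MAC; publish this out of band to detect later truncation."""
        return self.entries[-1]["mac"] if self.entries else GENESIS

    def who_accessed(self, subject: str):
        """The after-the-fact question audit exists to answer."""
        return [(e["ts"], e["actor"], e["action"])
                for e in self.entries if e["subject"] == subject]

    def verify_chain(self, expected_head: str = None) -> int:
        """Return -1 if intact, else the index of the first bad entry.

        A deleted or edited entry breaks the link to its successor. Dropping
        the *last* entries leaves a valid shorter chain, so callers that
        care about truncation must pass the head they recorded earlier; a
        mismatch is reported as index len(entries).
        """
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e["prev"] != prev or not hmac.compare_digest(e["mac"], self._mac(e)):
                return i
            prev = e["mac"]
        if expected_head is not None and not hmac.compare_digest(prev, expected_head):
            return len(self.entries)
        return -1


def build_demo_log() -> AuditLog:
    """Constructed sample traffic: three accesses, one to a flagged record."""
    log = AuditLog(key=b"placeholder-audit-key", flagged_subjects={"record-4471"})
    log.record("2008-12-01T09:14:00Z", "clerk-17", "read", "record-1002")
    log.record("2008-12-01T09:15:00Z", "clerk-22", "read", "record-4471")
    log.record("2008-12-01T09:20:00Z", "clerk-17", "update", "record-1002")
    return log


if __name__ == "__main__":
    log = build_demo_log()
    print("alerts:", log.alerts)
    print("who read record-4471:", log.who_accessed("record-4471"))
    head = log.head()
    del log.entries[1]  # the clerk tries to erase their own access
    print("first bad entry after deletion:", log.verify_chain(head))
```

The chain makes tampering detectable, not impossible: someone with the MAC key can rewrite history consistently, which is why the key and the log store belong to the auditing party rather than to the system being audited.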
This is a 2 Gig USB drive disguised as a piece of frayed cable. You'll still want to encrypt it, of course, but it is likely to be missed if your bags are searched at customs, the police raid your house, or you lose it.
The paper, "Terrorism-Related Fear and Avoidance Behavior in a Multiethnic Urban Population," is for subscribers only.
This is certainly related. As people search for health-related information on the Internet, a common result of their newfound "knowledge" is more stress and anxiety, which can manifest itself in new symptoms.
Two years ago, all it took to bypass airport security was filling out a form:
Grant was flying from Boston to San Diego on Jan. 1, 2007, when he approached an American Airlines ticket counter at Logan International Airport and flashed a badge he carries as a part-time assistant harbor master in Chatham, according to federal prosecutors.
Since then, the TSA has made changes in procedure.
At the airport, law enforcers now need advance permission to fly armed.
The Mumbai terrorists used Google Earth to help plan their attacks. This is bothering some people:
Google Earth has previously come in for criticism in India, including from the country's former president, A.P.J. Abdul Kalam.
Of course the terrorists used Google Earth. They also used boats, and ate at restaurants. Don't even get me started about the fact that they breathed air and drank water.
A Google spokeswoman said in an e-mail today that Google Earth's imagery is available through commercial and public sources. Google Earth has also been used by aid agencies for relief operations, which outweighs abusive uses, she said.
That's true for all aspects of human infrastructure. Yes, the bad guys use it: bank robbers use cars to get away, drug smugglers use radios to communicate, child pornographers use e-mail. But the good guys use it, too, and the good uses far outweigh the bad uses.
Interesting list of tourist scams:
I have only heard of this happening in Spain on the Costa del Sol, but it could happen anywhere. This scam depends on you paying a restaurant/bar bill in cash, usually with a €50 note. The waiter will take your payment, then return shortly after, apologetically telling you that the note is a fake and that you need to pay again. He will return the "fake" bill to you, and any change you're due. Of course, you gave him a REAL note, he gave you a FAKE note, and you gave him a second real note, so you paid €100 for a €50 meal. What I do now is write unobtrusively on all large notes I get, so I can challenge them if it happens to me.
I stand by what I said:
Also, my personal security guru, Bruce Schneier, says it's foolish even to worry about hotel safety, because the chances of something happening on any particular night in any particular hotel are vanishingly small. The taxi ride to the hotel is invariably more dangerous than the hotel itself.
But if you tend to stay in targeted hotels, the advice is pretty good.
So maybe this isn't an obvious tactic, and maybe large packages coming into a prison are searched more thoroughly than large packages leaving a prison -- but you'd expect prison guards to pay attention to anything large enough for a person to fit into.
At the end of his shift, the inmate climbed into a cardboard box and was taken out of prison by express courier. His whereabouts are still unknown.
I am remembering the tour of Alcatraz I took some years ago, and I think the tour guide talked about someone who tried to escape in a laundry cart. So maybe this isn't such a new idea after all.
EDITED TO ADD (12/12): He was recaptured.
EDITED TO ADD (12/13): In 1977 Nazi war criminal Herbert Kappler was smuggled out of a hospital, concealed in a large suitcase.
It's been going on for a while.
This is a nifty little device: a credit card with an onboard one-time password generator. The idea is that the user enters his PIN every time he makes an online purchase, and enters the one-time code on the screen into the webform. The article doesn't say if the code is time-based or just sequence-based, but in either case the credit card company will be able to verify it remotely.
The goal is to cut down on card-not-present credit card fraud.
The efficacy of this countermeasure depends a lot on how much these new credit cards cost versus the amount of this type of fraud that happens, but in general it seems like a really good idea. Certainly better than that three-digit code printed on the back of cards these days.
According to the article, Visa will be testing this card in 2009 in the UK.
EDITED TO ADD (12/6): Several commenters point out that banks in the Netherlands have had a similar system for years.
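The post leaves open whether the card's code is time-based or sequence-based and notes that the issuer can verify either remotely. As an added example (mine, not from the article or from Visa), here is the sequence-based variant, HOTP from RFC 4226, with both sides of the exchange: a card that shows a code only after the correct PIN, and an issuer that verifies the code against its own counter with a small look-ahead window so that codes generated but never used do not lock the customer out. The secret is the RFC's published test key; the PIN, counter window and card behaviour are assumptions for the example.

```python
"""Card-side and issuer-side HOTP (RFC 4226) for a one-time-code card."""
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                         # low nibble of last byte
    code = ((mac[offset] & 0x7F) << 24              # drop sign bit
            | mac[offset + 1] << 16
            | mac[offset + 2] << 8
            | mac[offset + 3]) % 10 ** digits
    return f"{code:0{digits}d}"


class Card:
    """The card: holds the secret and a counter that only ever goes up."""

    def __init__(self, secret: bytes, pin: str):
        self._secret, self._pin, self.counter = secret, pin, 0

    def generate(self, pin: str):
        """Wrong PIN: the display stays blank. Right PIN: show code, advance."""
        if not hmac.compare_digest(pin, self._pin):
            return None
        code = hotp(self._secret, self.counter)
        self.counter += 1
        return code


class CardIssuer:
    """The issuer: same secret, plus the last counter it accepted."""

    def __init__(self, secret: bytes, look_ahead: int = 5):
        self._secret, self.last, self.look_ahead = secret, -1, look_ahead

    def verify(self, code: str) -> bool:
        """Accept a code for any counter in (last, last + look_ahead].

        On success the issuer jumps its counter forward, so the accepted code
        and every earlier one are dead: replaying a code from a receipt or a
        sniffed form post fails, which is the whole point against
        card-not-present fraud.
        """
        for c in range(self.last + 1, self.last + 1 + self.look_ahead):
            if hmac.compare_digest(hotp(self._secret, c), code):
                self.last = c
                return True
        return False


def demo():
    """One purchase, one replay, one resync after unused codes."""
    secret = b"12345678901234567890"   # RFC 4226 test secret, not a real key
    card, issuer = Card(secret, pin="4321"), CardIssuer(secret)
    first = card.generate("4321")
    accepted = issuer.verify(first)          # genuine purchase
    replayed = issuer.verify(first)          # same code used again
    card.generate("4321")                    # customer pressed the button idly
    resynced = issuer.verify(card.generate("4321"))  # next real purchase
    return accepted, replayed, resynced


if __name__ == "__main__":
    print("accepted, replayed, resynced:", demo())
```

A time-based code (RFC 6238 TOTP) replaces the counter with a time step and the look-ahead with a few steps of clock skew; the issuer-side logic is otherwise the same, and in both cases the bank, not the merchant, holds the secret.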
EDITED TO ADD (12/4): Consensus is that it's faked.
This is the story of a woman who sent the scammers $400K:
She wiped out her husband's retirement account, mortgaged the house and took a lien out on the family car. Both were already paid for.
EDITED TO ADD (12/13): More about the story.
In this story about luggage stealing at Los Angeles International Airport, we find this interesting paragraph:
They both say there are organized rings of thieves, who identify valuables in your checked luggage by looking at the TSA x-ray screens, then communicate with baggage handlers by text or cell phone, telling them exactly what to look for.
Someone should investigate the extent to which the TSA's security measures facilitate crime.
This looks like it was a very interesting conference.
And here's a random paper on the subject.
Twitter was a vital source of information in Mumbai:
News on the Bombay attacks is breaking fast on Twitter with hundreds of people using the site to update others with first-hand accounts of the carnage.
But we simply have to be smarter than this:
In the past hour, people using Twitter reported that bombings and attacks were continuing, but none of these could be confirmed. Others gave details on different locations in which hostages were being held.
I can't stress enough: people can and will use these devices and apps in a terrorist attack, so it is imperative that officials start telling us what kind of information would be relevant from Twitter, Flickr, etc. (and, BTW, what shouldn't be spread: one Twitter user in Mumbai tweeted me that people were sending the exact location of people still in the hotels, and could tip off the terrorists) and that they begin to monitor these networks in disasters, terrorist attacks, etc.
This fear is exactly backwards. During a terrorist attack -- during any crisis situation, actually -- the one thing people can do is exchange information. It helps people, calms people, and actually reduces the thing the terrorists are trying to achieve: terror. Yes, there are specific movie-plot scenarios where certain public pronouncements might help the terrorists, but those are rare. I would much rather err on the side of more information, more openness, and more communication.
I'm still reading about the Mumbai terrorist attacks, and I expect it'll be a long time before we get a lot of the details. What we know is horrific, and my sympathy goes out to the survivors of the dead (and the injured, who often seem to get ignored as people focus on death tolls). Without discounting the awfulness of the events, I have some initial observations:
If there's any lesson in these attacks, it's not to focus too much on the specifics of the attacks. Of course, that's not the way we're programmed to think. We respond to stories, not analysis. I don't mean to be unsympathetic; this tendency is human and these deaths are really tragic. But 18 armed people intent on killing lots of innocents will be able to do just that, and last-line-of-defense countermeasures won't be able to stop them. Intelligence, investigation, and emergency response. We have to find and stop the terrorists before they attack, and deal with the aftermath of the attacks we don't stop. There really is no other way, and I hope that we don't let the tragedy lead us into unwise decisions about how to deal with terrorism.