January 2011 Archives

Jury Says it's Okay to Record the TSA

The Seattle man who refused to show ID to the TSA and recorded the whole incident has been cleared of all charges:

[The jury] returned not guilty verdicts for charges that included concealing his identity, refusing to obey a lawful order, trespassing, and disorderly conduct.

Papers, Please! says the acquittal proves what TSA critics have said all along: That checkpoint staff have no police powers, that contrary to TSA claims, passengers have the right to fly without providing ID, and yes, passengers are free to video record checkpoints as long as images on screening monitors aren't captured.

"Annoying the TSA is not a crime," the blog post states. "Photography is not a crime. You have the right to fly without ID, and to photograph, film, and record what happens."

And a recent Dilbert is about the TSA.

EDITED TO ADD (1/10): Details and links.

Posted on January 31, 2011 at 6:56 AM • 70 Comments

Trojan Steals Credit Card Numbers

It's only a proof of concept, but it's scary nonetheless. It's a Trojan for Android phones that looks for credit-card numbers, either typed or spoken, and relays them back to its controller.

Software released for Android devices has to request permissions for each system function it accesses—with apps commonly requesting access to the network, phone call functionality, internal and external storage devices, and miscellaneous hardware functions such as the backlight, LED, or microphone. These requests are grouped into categories and presented to the user at the point of installation—helping to minimise the chance of a Trojan slipping by.

Soundminer takes a novel approach to these restrictions, by only requesting access to 'Phone calls,' to read phone state and identity, 'Your personal information,' to read contact data, and 'Hardware controls' to record audio—none of which will ring alarm bells if the app is marketed as a voice recording tool.

Research paper here; section 7.2 describes some defenses, but I'm not really impressed by any of them. YouTube demo. Another blog post.
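The quoted passage makes the point that each permission Soundminer requests looks appropriate on its own; the gap is in the combination. The following is an added example (not code from the page or from the Soundminer authors) that parses a constructed AndroidManifest.xml and scores requested permissions as a set rather than category by category. The permission names are real Android constants; the category grouping and the combination rules are this example's own assumptions.

```python
"""Flag Android permission combinations that together enable data capture.

Installer prompts of the era grouped permissions into categories such as
'Phone calls', 'Your personal information' and 'Hardware controls'. Each
category by itself is unremarkable for a voice recorder, so a reviewer
needs to look at what the *combination* allows. This is the added example's
own heuristic, not an Android API.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumption: a simplified version of the installer's category grouping.
CATEGORY = {
    "android.permission.READ_PHONE_STATE": "Phone calls",
    "android.permission.READ_CONTACTS": "Your personal information",
    "android.permission.RECORD_AUDIO": "Hardware controls",
    "android.permission.INTERNET": "Network communication",
}

# Combination rules written for this example: capture capability plus the
# context needed to make the captured data useful.
COMBO_RULES = [
    ({"android.permission.RECORD_AUDIO", "android.permission.READ_PHONE_STATE"},
     "can detect an in-progress call and record it"),
    ({"android.permission.RECORD_AUDIO", "android.permission.READ_CONTACTS"},
     "can tie recorded audio to a named contact"),
]


def requested_permissions(manifest_xml):
    """Return the set of android:name values from <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    return {
        el.get(ANDROID_NS + "name")
        for el in root.iter("uses-permission")
        if el.get(ANDROID_NS + "name")
    }


def categories(perms):
    """Installer-style view: one label per category, duplicates collapsed."""
    return sorted({CATEGORY.get(p, "Other") for p in perms})


def risky_combinations(perms):
    """Combination view: every rule whose full permission set is present."""
    return [reason for needed, reason in COMBO_RULES if needed <= perms]


def assess(manifest_xml):
    perms = requested_permissions(manifest_xml)
    return {
        "categories": categories(perms),
        "flags": risky_combinations(perms),
        # No INTERNET permission only means exfiltration would need another
        # path (for example a second app); it does not make the data safe.
        "has_network": "android.permission.INTERNET" in perms,
    }


# Constructed manifest mirroring the three permissions quoted above.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="example.voicerecorder">
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
</manifest>
"""

if __name__ == "__main__":
    result = assess(SAMPLE_MANIFEST)
    print("categories shown at install:", result["categories"])
    print("network permission requested:", result["has_network"])
    for flag in result["flags"]:
        print("combination flag:", flag)
```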

Posted on January 29, 2011 at 7:45 AM • 43 Comments

Domodedovo Airport Bombing

I haven't written anything about the suicide bombing at Moscow's Domodedovo Airport because I didn't think there was anything to say. The bomber was outside the security checkpoint, in the area where family and friends wait for arriving passengers. From a security perspective, the bombing had nothing to do with airport security. He could have just as easily been in a movie theater, stadium, shopping mall, market, or anywhere else lots of people are crowded together with limited exits. The large death and injury toll indicates the bomber chose his location well.

I've often written that security measures that are only effective if the implementers guess the plot correctly are largely wastes of money -- at best they would have forced this bomber to choose another target -- and that our best security investments are intelligence, investigation, and emergency response. This latest terrorist attack underscores that even more. "Critics say" that the TSA couldn't have detected this sort of attack. Of course; the TSA can't be everywhere. And that's precisely the point.

Many reporters asked me about the likely U.S. reaction. I don't know; it could range from "Moscow is a long way off and that doesn't concern us" to "Oh my god we're all going to die!" The worry, of course, is that we will need to "do something," even though there is no "something" that should be done.

I was interviewed by the Esquire politics blog about this. I'm not terribly happy with the interview; I was rushed and sloppy on the phone.

Posted on January 28, 2011 at 3:15 PM • 33 Comments

$100 to Put a Bomb on an Airplane

An undercover TSA agent successfully bribed a JetBlue ticket agent to check a suitcase under a random passenger's name and put it on an airplane.

As with a lot of these tests, I'm not that worried because it's not a reliable enough tactic to build a plot around. But untrustworthy airline personnel -- or easily bribeable airline personnel -- could be used in a smarter and less risky plot.

Posted on January 28, 2011 at 1:40 PM • 35 Comments

Whitelisting vs. Blacklisting

The whitelist/blacklist debate is far older than computers, and it's instructive to recall what works where. Physical security works generally on a whitelist model: if you have a key, you can open the door; if you know the combination, you can open the lock. We do it this way not because it's easier -- although it is generally much easier to make a list of people who should be allowed through your office door than a list of people who shouldn't -- but because it's a security system that can be implemented automatically, without people.

To find blacklists in the real world, you have to start looking at environments where almost everyone is allowed. Casinos are a good example: everyone can come in and gamble except those few specifically listed in the casino's black book or the more general Griffin book. Some retail stores have the same model -- a Google search on "banned from Wal-Mart" results in 1.5 million hits, including Megan Fox -- although you have to wonder about enforcement. Does Wal-Mart have the same sort of security manpower as casinos?

National borders certainly have that kind of manpower, and Marcus is correct to point to passport control as a system with both a whitelist and a blacklist. There are people who are allowed in with minimal fuss, people who are summarily arrested with as minimal a fuss as possible, and people in the middle who receive some amount of fussing. Airport security works the same way: the no-fly list is a blacklist, and people with redress numbers are on the whitelist.

Computer networks share characteristics with your office and Wal-Mart: sometimes you only want a few people to have access, and sometimes you want almost everybody to have access. And you see whitelists and blacklists at work in computer networks. Access control is whitelisting: if you know the password, or have the token or biometric, you get access. Antivirus is blacklisting: everything coming into your computer from the Internet is assumed to be safe unless it appears on a list of bad stuff. On computers, unlike the real world, it takes no extra manpower to implement a blacklist -- the software can do it largely for free.

Traditionally, execution control has been based on a blacklist. Computers are so complicated and applications so varied that it just doesn't make sense to limit users to a specific set of applications. The exception is constrained environments, such as computers in hotel lobbies and airline club lounges. On those, you're often limited to an Internet browser and a few common business applications.

Lately, we're seeing more whitelisting on closed computing platforms. The iPhone works on a whitelist: if you want a program to run on the phone, you need to get it approved by Apple and put in the iPhone store. Your Wii game machine works the same way. This is done primarily because the manufacturers want to control the economic environment, but it's being sold partly as a security measure. But in this case, more security equals less liberty; do you really want your computing options limited by Apple, Microsoft, Google, Facebook, or whoever controls the particular system you're using?

Turns out that many people do. Apple's control over its apps hasn't seemed to hurt iPhone sales, and Facebook's control over its apps hasn't seemed to affect Facebook's user numbers. And honestly, quite a few of us would have had an easier time over the Christmas holidays if we could have implemented a whitelist on the computers of our less-technical relatives.

For these two reasons, I think the whitelist model will continue to make inroads into our general purpose computers. And those of us who want control over our own environments will fight back -- perhaps with a whitelist we maintain personally, but more probably with a blacklist.

This essay previously appeared in Information Security as the first half of a point-counterpoint with Marcus Ranum. You can read Marcus's half there as well.

Posted on January 28, 2011 at 5:02 AM • 52 Comments

U.S. Strategy to Prevent Leaks is Leaked

As the article says, it doesn't get any more ironic than that.

More importantly, it demonstrates how hard it is to keep secrets in the age of the Internet.

Me:

I think the government is learning what the music and movie industries were forced to learn years ago: it's easy to copy and distribute digital files. That's what's different between the 1970s and today. Amassing and releasing that many documents was hard in the paper and photocopier era; it's trivial in the Internet era. And just as the music and movie industries are going to have to change their business models for the Internet era, governments are going to have to change their secrecy models. I don't know what those new models will be, but they will be different.

The more I think about it, the more I see this as yet another example of the Internet making information available. It's done that to the music and movie industry. It's done that to corporations and other organizations. And it's doing that to government as well. This is the world we live in; the sooner the U.S. government realizes its secrecy paradigm has irrevocably changed, the sooner it will figure out how to thrive in this new paradigm.

Shutting WikiLeaks down won't stop government secrets from leaking any more than shutting Napster down stopped illegal filesharing.

EDITED TO ADD (1/27): The story turned out to be too good to be true; it's been retracted.

Posted on January 27, 2011 at 6:22 AM • 41 Comments

Security Theater in the Theater

This is a bit surreal:

Additional steps are needed to prepare Broadway theaters in New York City for a potential WMD attack or other crisis, a New York state legislature subcommittee said yesterday.

[...]

Broadway district personnel did not know "what to do in case of an emergency as well as the unique problems that a theater workplace poses in the event of a fire or evacuation," according to the report, which drew on interviews with theater employees following the attempted bombing.

"Taking the May 1, 2010, car bomb as an example, theater employees expressed how unprepared they were in dealing with the situation," the report reads. "They were given misinformation, and they were directed to exit through portals they did not even know existed, indicating their lack of knowledge of the building they work in and exit routes. In the event of another attack, the same issues would arise."

Posted on January 26, 2011 at 1:42 PM • 39 Comments

Unsecured IP Security Cameras

It's amazing how many security cameras are on the Internet, accessible by anyone.

And it's not just for viewing; a lot of these cameras can be reprogrammed by anyone.

EDITED TO ADD (2/13): This site lists Google search terms to find cameras, as does the comments section in this Slashdot story.

Posted on January 26, 2011 at 6:28 AM • 42 Comments

Bioencryption

A group of students at the Chinese University in Hong Kong have figured out how to store data in bacteria. The article talks about how secure it is, and the students even coined the term "bioencryption," but I don't see any encryption. It's just storage.

Another article:

They have also developed a three-tier security fence to encode the data, which may come as welcome news to U.S. diplomats, who have seen their thoughts splashed over the Internet thanks to WikiLeaks.

"Bacteria can't be hacked," points out Allen Yu, another student instructor.

"All kinds of computers are vulnerable to electrical failures or data theft. But bacteria are immune from cyber attacks. You can safeguard the information."

The team have even coined a word for this field -- biocryptography -- and the encoding mechanism contains built-in checks to ensure that mutations in some bacterial cells do not corrupt the data as a whole.

Why can't bacteria be hacked? If the storage system is attached to a network, it's just as vulnerable as anything else attached to a network. And if it's disconnected from any network, then it's just as secure as anything else disconnected from a network. The problem the U.S. diplomats had was authorized access to the WikiLeaks cables by someone who decided to leak them. No cryptography helps against that.

There is cryptography in the project:

In addition we have created an encryption module with the R64 Shufflon-Specific Recombinase to further secure the information.

If the group is smart, this will be some conventional cryptography algorithm used to encrypt the data before it is stored on the bacteria.

In any case, this is fascinating and interesting work. I just don't see any new form of encryption, or anything inherently unhackable.

Posted on January 25, 2011 at 1:40 PM • 62 Comments

REAL-ID Implementation

According to this study, REAL-ID has not only been cheaper to implement than the states estimated, but also helpful in reducing fraud.

States are finding that implementation of the 2005 REAL ID Act is much easier and less expensive than previously thought, and is a significant factor in reducing fraud. In cases like Indiana, REAL ID has significantly improved customer satisfaction, resulting in that state receiving AAMVA’s “customer satisfaction” award of the year. This is not just a win-win for national and economic security, but a win (less expensive) -win (doable) -win (fraud reduction) -win (improved customer satisfaction) for federal and state governments as well as individuals.

Moreover, 11 states are already in full compliance, well ahead of the May 2011 deadline for the 18 benchmarks. Another eight are close behind. Some states, like Delaware and Maryland, have achieved REAL ID compliance within a year. Washington State refuses REAL ID compliance, but has already implemented the most difficult benchmarks.

Perhaps most astonishing is that from the cost numbers currently available, it looks like implementation of the 18 REAL ID benchmarks in all the states may end up costing somewhere between $350 million and $750 million, significantly less than the $1 billion projected by those still seeking to change the law.

Legal presence is being checked in all but two states, up 28 states from 2006. Only Washington and New Mexico still do not require legal presence to obtain a license, but Washington so significantly upgraded its license issuance in 2010 that the fraudulent attempts to garner licenses in that state are now significantly reduced. Every state is now checking Social Security numbers.

This might be the first government IT project ever that came in under initial cost estimates. Perhaps the reason is that the states did not want to implement REAL-ID in 2005, so they overstated the costs.

As to fraud reduction -- I'm not so sure. As the difficulty of getting a fraudulent ID increases, so does its value. I think we'll have to wait a while longer and see how criminals adapt.

EDITED TO ADD (2/11): CATO's Jim Harper argues that this report does not show that implementing the national ID program envisioned in the national ID law is a cost-effective success. It only assesses compliance with certain DHS-invented "benchmarks" related to REAL ID, and does so in a way that skews the results.

Posted on January 25, 2011 at 6:16 AM • 42 Comments

Hacking Tamper-Evident Devices

At the Black Hat conference last week, Jamie Schwettmann and Eric Michaud presented some great research on hacking tamper-evident seals.

Jamie Schwettmann and Eric Michaud of i11 Industries went through a long list of tamper evident devices at the conference here and explained, step-by-step, how each seal can be circumvented with common items, such as various solvents, hypodermic needles, razors, blow driers, and in more difficult cases with the help of tools such as drills.

Tamper-evident devices may be as old as civilization, and today are used in everyday products such as aspirin containers' paper seals. The more difficult devices may be bolt locks designed to secure shipping containers, or polycarbonate locks designed to shatter if cut.

But they all share something in common: They can be removed and the anti-tampering device reassembled.

Here's their paper, and here are the slides from their presentation. (These two direct download links from GoogleDocs also work.) There was more information in the presentation than in either the paper or the PowerPoint slides. If the video ever gets online, I'll link to it in this post.

Posted on January 24, 2011 at 1:20 PM • 27 Comments

Brute-Force Safecracking

This safecracking robot tries every possible combination, one after another:

Combination space optimization is the key. By exploiting the mechanical tolerances of the lock and certain combination "forbidden zones", we reduced the number of possible combinations by about an order of magnitude.

Opening the safe took "just a few hours."

Along the same lines, here's a Lego robot that cracks combination locks. I wrote about another, non-Lego, brute-force combination lock cracker a few years ago. The original link is broken, but the project is here.

EDITED TO ADD (2/13): In this video, champion safecracker Jeff Sitar opens a similar safe by feel and sound in just 5 minutes and 19 seconds.

Posted on January 24, 2011 at 6:15 AM • 38 Comments

Cyberwar is Overhyped

A new report from the OECD says the threat of cyberwar has been grossly exaggerated. (Hey, that's what I said.)

There are lots of news articles.

Also worth reading is this article on cyberwar hype and how it isn't serving our national interests, with some good policy guidelines.

Posted on January 21, 2011 at 11:59 AM • 29 Comments

The Legality of the Certificate Authority Trust Model

Interesting research:

We looked at the standard legal documents issued by the certificate authorities or "CAs," including exemplar Subscriber Agreements (agreements between CAs and website operators); "Certification Practice Statements" (statements by CAs outlining their business practices); and Relying Party Agreements (purported agreements between CAs and "relying parties," such as end-users). What we found was surprising:

  • "Relying Party Agreements" purport to bind end-users to their terms despite the apparent absence of any mechanism to either affirmatively alert the end-user as to the existence of the supposed Agreements or afford the end-user an opportunity to register his or her acceptance or rejection of the Agreements' terms

  • Certification Practice Statements that suffer from the same problem (i.e. no affirmative notice to the end-user and no meaningful opportunity for acceptance or rejection of terms)

There were other issues as well. For example, the Relying Party Agreements and Certification Practice Statements set forth various obligations on the part of end-users (i.e. "relying parties") such as: the requirement that end-users make an independent determination of whether it is reasonable to trust a website offering a secure connection (isn't that the whole point of having a CA, so that the end-user doesn't have to do that?); the requirement that the end-user be familiar with the crypto software and processes used to carry out the authentication process; and the end-user's duty to indemnify and hold harmless the CA in the event of legal claims by third parties.

Paper here.

EDITED TO ADD (2/10): Matt Blaze on CAs.

Posted on January 21, 2011 at 5:31 AM • 43 Comments

Cost-Benefit Analysis of Full-Body Scanners

Research paper from Mark Stewart and John Mueller:

The Transportation Security Administration (TSA) has been deploying Advanced Imaging Technologies (AIT) that are full-body scanners to inspect a passenger's body for concealed weapons, explosives, and other prohibited items. The terrorist threat that AITs are primarily dedicated to is preventing the downing of a commercial airliner by an IED (Improvised Explosive Device) smuggled on board by a passenger. The cost of this technology will reach $1.2 billion per year by 2014. The paper develops a cost-benefit analysis of AITs for passenger screening at U.S. airports. The analysis considered threat probability, risk reduction, losses, and costs of security measures in the estimation of costs and benefits. Since there is uncertainty and variability of these parameters, three alternate probability (uncertainty) models were used to characterise risk reduction and losses. Economic losses were assumed to vary from $2-50 billion, and risk reduction from 5-10%. Monte-Carlo simulation methods were used to propagate these uncertainties in the calculation of benefits, and the minimum attack probability necessary for AITs to be cost-effective was calculated. It was found that, based on mean results, more than one attack every two years would need to originate from U.S. airports for AITs to pass a cost-benefit analysis. In other words, to be cost-effective, AITs every two years would have to disrupt more than one attack effort with body-borne explosives that otherwise would have been successful despite other security measures, terrorist incompetence and amateurishness, and the technical difficulties in setting off a bomb sufficiently destructive to down an airliner. The attack probability needs to exceed 160-330% per year to be 90% certain that AITs are cost-effective.
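The abstract's argument reduces to a break-even condition: AITs pay off only when the expected loss they avert (attack probability times risk reduction times loss) at least equals their annual cost. The following is an added illustration, not the paper's code; it uses the abstract's figures ($1.2 billion per year, losses of $2-50 billion, risk reduction of 5-10%) and assumes uniform distributions over those ranges, whereas the paper uses three alternative uncertainty models.

```python
"""Break-even attack rate for full-body scanners (AITs), after the abstract.

Added example; not from Stewart and Mueller. The only inputs are the figures
quoted in the abstract. Treating loss and risk reduction as uniformly
distributed over their stated ranges is this example's assumption.
"""
import random
import statistics

AIT_COST_PER_YEAR = 1.2e9            # dollars per year, from the abstract
LOSS_RANGE = (2e9, 50e9)             # dollars per successful attack, from the abstract
RISK_REDUCTION_RANGE = (0.05, 0.10)  # fraction of attacks AITs would stop, from the abstract


def break_even_attack_rate(cost, risk_reduction, loss):
    """Attacks per year at which expected averted loss equals the cost.

    expected benefit = rate * risk_reduction * loss
    AITs are cost-effective when that benefit is at least the annual cost,
    so the break-even rate is cost / (risk_reduction * loss).
    """
    return cost / (risk_reduction * loss)


def is_cost_effective(attack_rate, risk_reduction, loss, cost=AIT_COST_PER_YEAR):
    """True when the expected averted loss covers the annual cost."""
    return attack_rate * risk_reduction * loss >= cost


def monte_carlo(n=100_000, seed=2011):
    """Propagate uncertainty in loss and risk reduction into the break-even rate.

    Returns the break-even rate at the mean inputs, the median of the sampled
    break-even rates, and the 90th percentile: the attack rate needed to be
    90% sure AITs are cost-effective under these assumptions.
    """
    rng = random.Random(seed)
    rates = []
    for _ in range(n):
        loss = rng.uniform(*LOSS_RANGE)
        risk_reduction = rng.uniform(*RISK_REDUCTION_RANGE)
        rates.append(break_even_attack_rate(AIT_COST_PER_YEAR, risk_reduction, loss))
    rates.sort()
    return {
        "at_mean_inputs": break_even_attack_rate(
            AIT_COST_PER_YEAR,
            statistics.mean(RISK_REDUCTION_RANGE),
            statistics.mean(LOSS_RANGE),
        ),
        "median": statistics.median(rates),
        "p90": rates[int(0.9 * n)],
    }


if __name__ == "__main__":
    summary = monte_carlo()
    for key, value in summary.items():
        print(f"{key}: {value:.2f} attacks per year")
    # One attack every two years is a rate of 0.5 per year.
    print("0.5/yr at mean inputs cost-effective:",
          is_cost_effective(0.5, 0.075, 26e9))
```

With mean inputs the break-even rate is about 0.62 attacks per year, i.e. more than one every two years, and the 90th percentile lands in the low single digits per year, the same shape as the abstract's 160-330% figure.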

EDITED TO ADD (1/26): Response from one of the paper's authors.

Posted on January 20, 2011 at 1:39 PM • 39 Comments

Do Corporations Have a Right to Privacy?

This week, the U.S. Supreme Court will hear arguments about whether or not corporations have the same rights to "personal privacy" that individuals do.

This is a good analysis of the case.

I signed on to a "friend of the court" brief put together by EPIC, arguing that they do not.

More background here. And an editorial from The Washington Post.

EDITED TO ADD (1/25): Here's a much more entertaining take on the issue.

Posted on January 20, 2011 at 6:44 AM • 63 Comments

Odd Art Forger

He's not in it for the money:

Mr. Landis...has been one of the most prolific forgers American museums have encountered in years, writing, calling and presenting himself at their doors, where he tells well-concocted stories about his family's collection and donates small, expertly faked works, sometimes in honor of nonexistent relatives.

Unlike most forgers, he does not seem to be in it for the money, but for a kind of satisfaction at seeing his works accepted as authentic. He takes nothing more in return for them than an occasional lunch or a few tchotchkes from the gift shop. He turns down tax write-off forms, and it's unclear whether he has broken any laws.

EDITED TO ADD (1/23): Another article on Landis.

Posted on January 19, 2011 at 7:02 AM • 47 Comments

Movie-Plot Threats at the U.S. Capitol

This would make a great movie:

Rep. Dan Burton, R-Ind., renewed his call for the installation of an impenetrable, see-through security shield around the viewing gallery overlooking the House floor. Burton points out that, while guns and some bombs would be picked up by metal detectors, a saboteur could get into the Capitol concealing plastic explosives.

The House floor, he pointed out, is the only room where all three branches of government gather to hear the president speak, as President Obama will do when he delivers his State of the Union address on Jan. 25.

Burton introduced the legislation in the past, but it's gone nowhere. He's hoping the tragic events of Saturday could help it win more serious consideration by the Republican leadership.

"I think the risk is there," Burton told The Washington Examiner. "The threat is more now than it has ever been."

Posted on January 18, 2011 at 6:29 AM • 76 Comments

More Stuxnet News

This long New York Times article includes some interesting revelations. The article claims that Stuxnet was a joint Israeli-American project, and that its effectiveness was tested on live equipment: "Behind Dimona's barbed wire, the experts say, Israel has spun nuclear centrifuges virtually identical to Iran's at Natanz, where Iranian scientists are struggling to enrich uranium."

The worm itself now appears to have included two major components. One was designed to send Iran's nuclear centrifuges spinning wildly out of control. Another seems right out of the movies: The computer program also secretly recorded what normal operations at the nuclear plant looked like, then played those readings back to plant operators, like a pre-recorded security tape in a bank heist, so that it would appear that everything was operating normally while the centrifuges were actually tearing themselves apart.

My two previous Stuxnet posts. And an alternate theory: The Chinese did it.

EDITED TO ADD (2/12): More opinions on Stuxnet.

Posted on January 17, 2011 at 12:31 PM • 71 Comments

New Revelations in the Mahmoud al-Mabhouh Assassination

I wrote a lot last year about the assassination of Mahmoud al-Mabhouh in Dubai. There's a new article by an Israeli investigative journalist that tells the story we already knew, and adds a bunch of interesting details. Well worth reading.

Posted on January 17, 2011 at 5:47 AM • 34 Comments

Me on Airport Security

Last week, I spoke at an airport security conference hosted by EPIC: The Stripping of Freedom: A Careful Scan of TSA Security Procedures. Here's the video of my half-hour talk.

Posted on January 14, 2011 at 2:11 PM • 16 Comments

Loaded Gun Slips Past TSA

I'm not really worried about mistakes like this. Sure, a gun slips through occasionally, and a knife slips through even more often. (I'm sure the TSA doesn't catch 100% of all bombs in tests, either.) But these items are caught by the TSA often enough, and when the TSA does catch someone, they're going to call the police and totally ruin his day. A terrorist can't build a plot around succeeding.

It's things like liquids that are the real problem. Because there are no consequences to trying -- the bottle of water just gets thrown into the trash -- a terrorist can repeatedly try until he succeeds in slipping it through.

I asked then-TSA Administrator Kip Hawley about this in 2007. He didn't answer.

Posted on January 14, 2011 at 11:03 AM • 36 Comments

Surviving a Terrorist's Nuclear Attack

Interesting reading, mostly for the probable effects of a terrorist-sized nuclear bomb.

A terrorist bomb is likely to be relatively small -- possibly only a fraction of the Hiroshima bomb's explosive power -- and likely exploded at ground level. This means that the area totally destroyed by the explosion is likely to be much smaller than the area exposed to lesser damage or to fallout radiation (this nuclear weapons effects calculator from the Federation of Atomic Scientists will let you see the effect of different sized bombs burst at different heights). Because of this, Homeland Security people in the Obama Administration have been encouraging a duck-and-cover approach, followed by advice to "shelter in place" against fallout rather than trying to evacuate the area.

Posted on January 14, 2011 at 7:07 AM • 40 Comments

Stealing SIM Cards from Traffic Lights

Johannesburg installed hundreds of networked traffic lights on its streets. The lights use a cellular modem and a SIM card to communicate.

Those lights introduced a security risk I'll bet no one gave a moment's thought to: that criminals might steal the SIM cards from the traffic lights and use them to make free phone calls. But that's exactly what happened.

Aside from the theft of phone service, repairing those traffic lights is far more expensive than those components are worth.

I wrote about this general issue before:

These crimes are particularly expensive to society because the replacement cost is much higher than the thief's profit. A manhole is worth $5–$10 as scrap, but it costs $500 to replace, including labor. A thief may take $20 worth of copper from a construction site, but do $10,000 in damage in the process. And the increased threat means more money being spent on security to protect those commodities in the first place.

Security can be viewed as a tax on the honest, and these thefts demonstrate that our taxes are going up. And unlike many taxes, we don't benefit from their collection. The cost to society of retrofitting manhole covers with locks, or replacing them with less resalable alternatives, is high; but there is no benefit other than reducing theft.

These crimes are a harbinger of the future: evolutionary pressure on our society, if you will. Criminals are often referred to as social parasites, but they are an early warning system of societal changes. Unfettered by laws or moral restrictions, they can be the first to respond to changes that the rest of society will be slower to pick up on. In fact, currently there's a reprieve. Scrap metal prices are all down from last year -- copper is currently $1.62 per pound, and lead is half what Berge got -- and thefts are down too.

We've designed much of our infrastructure around the assumptions that commodities are cheap and theft is rare. We don't protect transmission lines, manhole covers, iron fences, or lead flashing on roofs. But if commodity prices really are headed for new higher stable points, society will eventually react and find alternatives for these items -- or find ways to protect them. Criminals were the first to point this out, and will continue to exploit the system until it restabilizes.

Posted on January 13, 2011 at 12:54 PM • 55 Comments

The Security Threat of Forged Law-Enforcement Credentials

Here's a U.S. Army threat assessment of forged law-enforcement credentials.

The authors bought a bunch of fake badges:

Between November 2009 and March 2010, undercover investigators were able to purchase nearly perfect counterfeit badges for all of the Department of Defense's military criminal investigative organizations to include the Army Criminal Investigation Command (Army CID), Naval Criminal Investigative Service (NCIS), Air Force Office of Special Investigations (AFOSI), and the Marine Corps Criminal Investigation Division (USMC CID). Also purchased was the badge for the Defense Criminal Investigative Service (DCIS).

Also available for purchase were counterfeit badges of 42 other federal law enforcement agencies including the Federal Bureau of Investigation (FBI), Drug Enforcement Administration (DEA), Alcohol, Tobacco and Firearms (ATF), Secret Service, and the US Marshals Service.

Of the other federal law enforcement agency badges available, the investigators found exact reproductions of the badges issued to Federal Air Marshals, Transportation Security Administration (TSA) Screeners, TSA Inspectors, and Special Agents of the TSA Office of Inspector General.

Average price: $60.

Then, they tried using them:

During the period of January to June 2010, undercover investigators utilized fraudulent badges and credentials of the DoD's military criminal investigative organizations to penetrate the security at: 6 military installations; 2 federal courthouses; and 3 state buildings in the New York and New Jersey area.

[...]

Once being granted access to the military installation or federal facility, the investigators proceeded to areas that were designated as "Restricted Area" or "Authorized Personnel Only" and were able to wander around without being challenged by employees or security personnel. On one military installation, investigators were able to go to the police station and request local background checks on several fictitious names. All that was required was displaying the fraudulent badge and credentials to a police officer working the communications desk.

The authors didn't try getting through airport security, but they mentioned a 2000 GAO report where investigators did:

The investigation found that investigators were 100% successful in penetrating 19 federal sites and 2 commercial airports by claiming to be law enforcement officers and entering the facilities unchecked by security where they could have carried weapons, listening devices, explosives, chemical/biological agents and other such materials.

Websites are listed in the report, if you want to buy your own fake badge and carry a gun onto an airplane.

I've written about this general problem before:

When faced with a badge, most people assume it's legitimate. And even if they wanted to verify the badge, there's no real way for them to do so.

The only solution, if this counts as one, is to move to real-time verification. A credit card used to be a credential; it gave the bearer certain privileges. But the problem of forged and stolen credit cards was so pervasive that the industry moved to a system where now the card is mostly a pointer to a database. Your passport, when you present it to the customs official in your home country, is basically the same thing. I'd like to be able to photograph a law-enforcement badge with my camera, send it to some police website, and get back a real-time verification -- with picture -- that the officer is legit.

Of course, that opens up an entire new set of database security issues, but I think they're more manageable than what we have now.

Posted on January 13, 2011 at 8:00 AM • 87 Comments

Attacking High-Frequency Trading Networks

Turns out you can make money by manipulating the network latency.

cPacket has developed a proof of concept showing that these side-channel attacks can be used to create tiny delays in the transmission of market data and trades. By manipulating specific trading activities by several microseconds, an attacker could gain unfair trading advantage. And because the operation occurs outside the range of monitoring technology, it would remain invisible. "We believe that such techniques pose a substantial risk of creating unfair trading, if used by the wrong people," Kay says.

It's hard to know how real this threat is. Certainly micro-traders pay attention to latency, and sometimes even place their computers physically close to exchanges so they can reduce latency. And while it would be illegal to deliberately manipulate someone else's trades, it is probably okay to place a gazillion trades at the same time which -- as a side effect -- increases latency for everyone else. My guess is that this isn't a movie-plot threat, and that traders are already trying lots of things along these lines to give themselves a small advantage over everyone else.

On the same subject, can anyone explain this?

Posted on January 12, 2011 at 6:59 AM • 59 Comments

"Homeland Security Hasn't Made Us Safer"

This will be nothing new to readers of this blog, but it's nice to read other people saying it too.

Posted on January 11, 2011 at 7:47 AM • 58 Comments

James Fallows on Political Shootings

Interesting:

So the train of logic is:

  1. anything that can be called an "assassination" is inherently political;
  2. very often the "politics" are obscure, personal, or reflecting mental disorders rather than "normal" political disagreements. But now a further step,
  3. the political tone of an era can have some bearing on violent events. The Jonestown/Ryan and Fromme/Ford shootings had no detectable source in deeper political disagreements of that era. But the anti-JFK hate-rhetoric in Dallas before his visit was so intense that for decades people debated whether the city was somehow "responsible" for the killing. (Even given that Lee Harvey Oswald was an outlier in all ways.)

Posted on January 10, 2011 at 7:04 AM • 183 Comments

Friday Squid Blogging: Biggest Squid Ever

It's an oil field:

Brazil's state-run Petrobras confirmed Wednesday that oil fields recently discovered offshore contained 8.3 billion barrels of recoverable crude and gas -- and said the biggest field was being renamed "Lula."

That nomenclature happens to be the nickname of President Luiz Inacio Lula da Silva, who steps down on Saturday after overseeing eight years of prosperity in Brazil capped by the oil discoveries.

Petrobras explained, though, that the decision to change the name of the field from Tupi to Lula came from its tradition of naming such deepwater zones after marine animals.

Lula in Portuguese means squid. The president formally added the nickname to his full name, and he is universally known as Lula in the country.

"It's not my name -- it's the name of a crustacean," Lula protested when asked whether the move was to honor him, after he bolstered Petrobras's control over the oil.

Does anyone believe that excuse?

Posted on January 7, 2011 at 4:08 PM • 21 Comments

The Social Dynamics of Terror

Good essay:

Nineteenth-century anarchists promoted what they called the "propaganda of the deed," that is, the use of violence as a symbolic action to make a larger point, such as inspiring the masses to undertake revolutionary action. In the late 1960s and early 1970s, modern terrorist organizations began to conduct operations designed to serve as terrorist theater, an undertaking greatly aided by the advent and spread of broadcast media. Examples of attacks designed to grab international media attention are the September 1972 kidnapping and murder of Israeli athletes at the Munich Olympics and the December 1975 raid on OPEC headquarters in Vienna. Aircraft hijackings followed suit, changing from relatively brief endeavors to long, drawn-out and dramatic media events often spanning multiple continents.

Today, the proliferation of 24-hour television news networks and the Internet have allowed the media to broadcast such attacks live and in their entirety. This development allowed vast numbers of people to watch live as the World Trade Center towers collapsed on Sept. 11, 2001, and as teams of gunmen ran amok in Mumbai in November 2008.

This exposure not only allows people to be informed about unfolding events, it also permits them to become secondary victims of the violence they have watched unfold before them. As the word indicates, the intent of "terrorism" is to create terror in a targeted audience, and the media allow that audience to become far larger than just those in the immediate vicinity of a terrorist attack. I am not a psychologist, but even I can understand that on 9/11, watching the second aircraft strike the South Tower, seeing people leap to their deaths from the windows of the World Trade Center Towers in order to escape the ensuing fire and then watching the towers collapse live on television had a profound impact on many people. A large portion of the United States was, in effect, victimized, as were a large number of people living abroad, judging from the statements of foreign citizens and leaders in the wake of 9/11 that "We are all Americans."

Posted on January 7, 2011 at 6:30 AM • 39 Comments

SMS of Death

This will be hard to fix:

Using only Short Message Service (SMS) communications—messages that can be sent between mobile phones—a pair of security researchers were able to force low-end phones to shut down abruptly and knock them off a cellular network. As well as text messages, the SMS protocol can be used to transmit small programs, called "binaries," that run on a phone. Network operators use these files to, for example, change the settings on a device remotely. The researchers used the same approach to attack phones. They performed their tricks on handsets made by Nokia, LG, Samsung, Motorola, Sony Ericsson, and Micromax, a popular Indian cell-phone manufacturer.

[...]

The researchers were able to create malicious SMS messages for each type of phone they studied. The messages affect the phones without any response from the user. Because feature phones are so common, Mulliner says, such an attack "could take out a large percentage of mobile communications."

To target a specific user, an attacker would need to know what kind of phone he or she uses, since each platform requires a different message. But Mulliner says that attackers could easily knock out large numbers of phones by sending a set of five SMS messages—targeted to the five most popular models—to every device on a specific network. Mulliner notes that there are Internet-based services that send SMS messages en masse either cheaply or free, making it possible for an antagonist with limited resources to carry out such an attack from anywhere in the world.

EDITED TO ADD (1/9): A response from one of the researchers.

EDITED TO ADD (1/12): Their talk is online.

Posted on January 6, 2011 at 1:13 PM • 48 Comments

Sony PS3 Security Broken

Sony used an ECDSA signature scheme to protect the PS3. Trouble is, they didn't pay sufficient attention to their random number generator.

EDITED TO ADD (1/13): More info.

Posted on January 6, 2011 at 5:52 AM • 85 Comments

Eavesdropping on GSM Calls

It's easy and cheap:

Speaking at the Chaos Computer Club (CCC) Congress in Berlin on Tuesday, a pair of researchers demonstrated a start-to-finish means of eavesdropping on encrypted GSM cellphone calls and text messages, using only four sub-$15 telephones as network "sniffers," a laptop computer, and a variety of open source software.

The encryption is lousy:

Several of the individual pieces of this GSM hack have been displayed before. The ability to decrypt GSM's 64-bit A5/1 encryption was demonstrated last year at this same event, for instance. However, network operators then responded that the difficulty of finding a specific phone, and of picking the correct encrypted radio signal out of the air, made the theoretical decryption danger minimal at best.

But:

As part of this background communication, GSM networks send out strings of identifying information, as well as essentially empty "Are you there?" messages. Empty space in these messages is filled with buffer bytes. Although a new GSM standard was put in place several years ago to turn these buffers into random bytes, they in fact remain largely identical today, under a much older standard.

This allows the researchers to predict with a high degree of probability the plain-text content of these encrypted system messages. This, combined with a two-terabyte table of precomputed encryption keys (a so-called rainbow table), allows a cracking program to discover the secret key to the session's encryption in about 20 seconds.

Did you notice that? A two-terabyte rainbow table. A few years ago, that kind of storage was largely theoretical. Now it's both cheap and portable.

Posted on January 5, 2011 at 6:20 AM • 39 Comments

Guard Towers at Walmart

This feels very creepy and police-state-like. What on earth could Walmart be worried about?

EDITED TO ADD (1/4): A reader points out that they're increasingly common in parking lots to deter automobile crimes.

Posted on January 4, 2011 at 9:34 AM • 104 Comments

Polar Bears Destroying Hidden Cameras

Watch the video.

What valuable security lessons does this teach?

EDITED TO ADD (1/3): And why aren't the polar bears destroying the hidden cameras that are filming the polar bears destroying the hidden cameras?

EDITED TO ADD (1/13): Sadly, the BBC has taken the video down on copyright grounds.

Posted on January 3, 2011 at 9:07 AM • 55 Comments

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.