Schneier on Security
A blog covering security and security technology.
« Liars and Outliers Cover |
| Interview with Me »
August 12, 2011
Friday Squid Blogging: Giant Squid Painted on Canal Narrowboat
As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.
Posted on August 12, 2011 at 4:28 PM
• 49 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
If that boat had better security, there wouldn't be a squid on it.
Lio (newspaper comic strip) has been doing a squid theme this week.
Death of the Password
On a laptop near you, security systems based on our mothers' maiden names are not very secure. Today, we look at some of the ideas people are coming up with to either boost password security, or replace it with something better.
Markus Jakobsson - security researcher and the author of Crimeware: Understanding new Attacks and Defenses.
Jason Perlow - Senior Technology Editor at ZDNet
Type of off-topic. Faking news broadcasts and even repling stuff 5+ years ago.
Intersting were things are going, maybe instead of information overload, information dispartence
Clive Robinson -- can you please contact me.
Hackers break into Subaru Outback via text message.
Title pretty much sums it up - via creation of a temp GSM network similar to the hacker plane mentioned here not too long ago.
Lets hope these and the OnStar system don't have wildcard commands built into them - chaos waiting to happen - like a hacker trying to remote stop all the cars in a major city or the like.
Hopefully my email has reached you if data roaming is working OK.
Hopefully my email has reached you if data roaming is working OK, as I go from wave to wave...
I'm on hols near the Royal Sovereign Light House in the English channel 8)
I've now got my feet back on the beach in the UK so should hopefly be back on the usual IP address range.
crowdsourced crime fighting with Facebook:
Not quite the level of Stasi monitoring, since they are presenting crime footage/photos. However, it wouldn't surprise me if they eventually show a faked clip with someone's face digitally inserted -- we have ways of finding the enemies of the state.
I wish our street artists were as talented in Atlanta. They only seem to excel in writing their street names in those bubbly letters. Or Pictures of their favorite rap artist.
Since we're talking about street artists and security, half of the train cars have graffiti on them, at least around here. Every few years, the news likes to scare everyone into thinking they the terrists gonna blow up one of the tanker cars carrying some form of ammonia or chlorine and kill half the city or something. If this was really a threat, isn't the fact that some street punk has enough time to spray paint half of a box car proof enough that:
1. We can't stop anyone from getting close to critical rail cargo.
2. The authorities and rail lines just don't think the threat is credible enough to lock down the thousands of miles of railroads in this country.
Gabriel: The important thing is: 1) it is a threat, and 2) there's nothing they can do about the threat.
Which is pretty much true about just about every type of threat - with the possible exception of diverting asteroids to hit a target on earth. :-)
XKCD on passwords:
"Through 20 years of effort, we've successfully trained everyone to use passwords that are hard for humans to remember, but easy for computers to guess."
@Richard: unless NASA gets some priorities from the government or someone elsE takes up the slack (not private industry, they don't care about big rocks in space, unless they can make lots of money), I don't think we will be deflecting any near earth asteroids anytime soon. That's assuming we want to put something large near that asteroid to move it, such as a big rocket with fuel, vs a smaller nuke, which has a number of risks.
But yes, it's a question of risk vs damage. Asteroid is not a high risk, but we have the capability of developing technology to protect us. And the potential damage is catastrophic, up to total extinction of the human race in the worst case. Train cars? I'll presume not many people really want to try that, and even if you have enough chemicals to wipe out a city, they won't disperse over that many people
But, it all goes to show how much hype gets made over the improbable, when there are more credible risks to guard against. And as Bruce mentioned, good intelligence can give you a lead on who is training to conduct such an attack, which is the best investment.
Here's another industry just now realizing that computer security is important:
Yeah, I'm sure some of the people here probably realized as soon as OnStar was announced that hooking up a cellular radio to a car's CAN bus might not be the most brilliant of ideas. Now there's an actual attack available. Very interesting.
Wi-Fi Security: Cracking WPA With CPUs, GPUs, And The Cloud
"The current distributed offerings might not offer impressive performance, but their speed isn't what worries us. It's their low price tag. Moxie Marlinspike, a hacker, runs a service called WPACracker, which can be used to crack the four-way handshake capture of WPA-PSK using 400 CPU clusters on Amazon's EC2 cloud. This scaling allows you to crunch through a 135 million word dictionary specifically created for WPA passwords in under 20 minutes. Even though that's ~112 500 passwords per second (equivalent to a single GeForce GTX 590), you only have to pay $17."
Yeah - and probably leave a record of what you did on Amazon's machines.
Interestingly, though, WPA seems pretty secure based on their tests - meaning unless some sort of cluster or multiple GPU systems are used any password over 6 characters, especially if it includes special characters, is likely uncrackable in any reasonable time frame.
Along with Zeus, another trojan malware source now publicly available:
SpyEye Source Code Leaked
"The leak also means the tool is widely available to script kiddies, and is now being sold online for as little as $95 “for those not seasoned enough” to compile the code..."
"Clive Robinson -- can you please contact me."
Now THAT is interesting. Too bad we'll never really know what would call for a big time crypto/security guru to call upon an eccentric genius like Clive. Even if it was mundane, nobody would believe it. Well, not the kind of people who frequent blogs like these. ;)
I'm not sure if any of you have been following this "collar bomb" but they just arrested someone
I'm mentioning this case because the details of how they traced the owner of the ransom email account and physically located him are very interesting, especially for those of us who wonder about what Internet monitoring capabilities big brother really has, and exactly what information is being stored when we access the net.
RobertT: Didn't bother following this case at all, but it just occurs to me that he got the idea from a Hawaii Five-O episode last year where a member of the team had a bomb attached to him. It's a nice plan, I'll have to keep it in mind. :-)
As for the email tracking:
"Also on the note police say was an email address which was created in Chicago and then accessed only three times, all in Australia in the hours after Madeleine Pulver's initial call to police. Police say the email account was accessed on a computer in this Central Coast video store."
Well, that's pretty straightforward. They get the logs from the email provider, then track the IP back to the video store. Trivial. No great forensics capability required there, just good cooperation between Australian and US law enforcement. Try that between China and the US...
"MICK RYAN, VIDEO STORE OWNER: We had, like, seven or eight police here, detectives, including computer guys and forensics and they were pretty secretive about it all, saying it was a classified investigation, so they didn't really tell us much."
Where they confirmed the source IP and get the security camera footage. Again, basic police work and basic computer forensics.
"LISA MILLAR: The email account was also allegedly used at a library at Kincumber, north of Sydney."
"In both instances, security camera footage shows a man fitting Paul Peter's description."
Which is where he screwed up. If he'd wirelessly accessed the email from somewhere with no cameras, it would be a lot harder to get such excellent evidence.
Lesson learned: People who don't know computer security shouldn't be committing crimes that involve use of a computer.
Or as Slashdot comments on the bomber case:
RockDoctor writes "Reports indicate that a suspect has been arrested in the Australian 'collar bomb' hostage/extortion case. The allegation is that the suspect had set up a Gmail account, through which he (allegedly) planned to communicate with the extortion victims and arrange delivery of the payment. Unfortunately for him, records were kept showing the location and time the account was set up, and also for a number of accesses. This information, combined with 'CCTV footage and motor vehicle records,' allowed the police to put an identity to the suspect, and arrange for his arrest. So, if you're planning an extortion scheme, don't drive your car to the internet cafe, don't set up the account from an airport, wear anonymous clothes (like Jason Bourne does?) and do all your accesses through hacked shell accounts somewhere in Outer Mongolia. But, this being Slashdot, everyone knew that already."
Heh, heh... Snark!
So people criticized Anonymous for releasing San Francisco BART customer data as part of their hack.
So Anonymous corrected their ways by releasing info on 100 BART COPS! LOL!
Anonymous Hacks BART Police Website, Releases Personal Information of 100 Officers
"Don't F**K with Anonymous" appears to be the lesson here. :-)
Yes the Email tracking is trivial, But here we have a guy who went to considerable trouble to hide his identity, he created a Gmail account using an airport computer in Chicago, never used it again until he checked for response to a ransom request, he only ever accessed the accounts using public computers (library, video store, airport) presumably without providing any ID.
Bottom line it is not just the IP address from which email's are sent that is tracked, but rather EVERY IP address used to access a gmail account is logged, AND easily accessible (apparently without a warrant). (nothing new for you or me but did joe-public know this)
Additionally they already had a part of the guys name PaulP based on metadata relating to the computer he used to access the USB stick which contained the ransom-note.
LEO's were very quickly able to identify the stores where both the USB stick and the basball bat were purchased. And if I'm reading it correctly they have video of both purchases.
For me the speed with which this arrest happened is a wake-up call to clean up my web access signature, and add a few more degrees of separation between myself and any tainted accounts or tainted hardware.
It is easy to find faults with the any perps methods especially "after the fact" but seen the other way, he was smart enough to create a gmail account 2 months before he needed it, using a public computer. (maybe using an airport computer is not so smart)
He apparently never accessed this account using any personal computing hardware. He would probably have been better off to have used a hijacked WiFi and a cheap second hand laptop, but thats the benefit of hindsight. At least, that way, the police would not have video of the computer that was used to access the ransom email account.
I can think of hackers with much sloppier technique that have never been "discovered"
SpyEye source code NOT leaked!
One interesting thing that happened this week was a massive outbreak of absolutely the worst security-related journalism I have ever seen. What has in fact been leaked is the source code of a patching tool that cracks the security features embedded in the binaries of the SpyEye builder, allowing it to be used by other than the registered owner on their registered hardware. And although most of the articles actually say that in so many words, quoting the Damballa article, somehow they have all managed to copy each others' incorrect headlines.
The Security Week article linked by Richard Steven Hack above has at least been updated; the headline to it now reads "SpyEye Builder Patch Source Code Leaked", not "SpyEye Source Code Leaked" as it originally read at the time Richard linked to it! But most online press have thoroughly failed to correct the misinformation they have been thoughtlessly repeating.
It's a classic example of the "Internet Echo Chamber" phenomenon in full effect.
A couple of "side channel" attacks on keypad entry.
The first uses a thermal imager to not only record which keys have been pressed but give a very reliable indication of in which order for nearly a minute after the keypresses
It is a practical demonstration of ideas expressed back in 2005 and earlier by various people.
The second is a real mind blower and was presented at HotSec11. Smart phones often use touchscreen keyboards and some smartphones also have orientation sensors such as accelerometers. Now most smart phone OS's go to quite carefull lengths to ensure keypress entry only goes to the forground application, and cannot be read by other apps. Not so the accelerometers, these remain open and thus become a side channel through which the keypress's can be worked out. The researchers wrote an Android app as a demo but it has been mentioned that an iPhone is also open to this sort of attack.
@ Clive Robinson
I just found the thermal imaging independently today, but the touchscreen slipped past me. Thanks for the link. Did the W3C draft ever get implemented? It's dated originally 2004 but is still considered non-stable. Considering the editors, Android will be the first to get the feature if it's standardized. Idk what our concern level should be on that one. However, subverted apps that run in the background are a real threat using TouchLogger.
DaveK: Thanks for the clarification. I agree, most tech "journalism" sucks. But then, these days most "journalism" sucks.
RobertT: Sure, the guy took some obvious steps to distance himself from the email he was using to commit a crime with. But he totally forgot about surveillance cameras? Fail.
And all the efforts he took to distance himself from the email account were totally useless because he still left a trackable IP. Fail.
Ordinary users just don't understand the concept that EVERYTHING IS LOGGED on computers. And even stuff that isn't actually logged remains until it's overwritten or deliberately wiped. This is why forensics is still a feasible profession (despite the rise of anti-forensics.)
Had he left a trackable IP that ended up with no witness and no picture of himself or his vehicle, he'd be free today. Except he'd probably made some other mistake...
As William S. Burroughs said, "Battles are fought to be won, and this is what happens when you lose." And as I've said before, the first goal of committing a crime is to get away with it.
Another article on how the collar bomber was caught:
Collar Bomber Gets Owned By Word Metadata & USB Drive
"well he was doing this for a ransom..so really he should have just bought a new pen-drive for the job."
Agree. Another fail.
"He had a decent enough idea for extortion I suppose, just a really poor execution. Perhaps he’s been watching too many Hollywood movies where these things seem really easy and nothing even goes wrong."
Yup. As Dick Marcinko said, Murphy always comes along for the ride. If you're going to be a criminal, being really paranoid about making mistakes is a job requirement, along with knowing literally everything about the deal and doing plenty of research about every aspect of the deal. I know from experience - because I didn't. :-)
Oh, man, this is brilliant! An animated version of Anonymous hacking the BART system. You gotta watch this!
The Inevitable Taiwanese Animation of Anonymous' BART Protest
Well, it's been awhile since we've heard from those delightfully lo-fi, but possibly overplayed animators at NMA.tv. In their latest video, the comically misinformed Taiwanese news team sums up this whole messy situation in an economical minute. Nevermind the fact that BART looks more like Muni Metro here, if one were to rely on the NMA.tv as their sole source of information they'd come away thinking BART PD was made up of homeless-hunting Robocops and the transit agency has the ability to make cellphones fly right out of riders' hands. The personification of hacker group Anonymous as a lone, masked overlord watching a bank of TV screens is kind of how we pictured it though. Anyhow, enjoy:"
Anonymous takes on BART over cell phone shut down
" Except he'd probably made some other mistake..."
The more you dig the more mistakes, BUT most come back to understanding that ALL gmail accesses are logged. Without the logging of the Email read / logon IP the police have no idea where they need to look.
Driving mistake: Girl in question lives in Mosman, but email account access occurred at Avoca beach, (about 1 hrs drive north) There is only one route take between the two locations and it has plenty of cameras. The ID fragment PaulP have them a short list of cars registered to drivers named PaulPxxx (one a Range Rover) which guess what drove along the highway precisely at the expected time. (**** He drove his own personal car to commit a felony, while carrying an enabled GSM phone (I'll bet)).
Heck being a successful criminal looks to much like hard work...oh well back to more mundane matters.
"New way to verify a device via PUF's. Uses variations in NAND flash manufacturing. Initial tests also showed it would be hard to fake with a subverted device due to sheer amount of data required & capacity on chip."
Interesting method, however very similar in principle to SRAM PUF's. It is a method for creating a unique signature for a NAND flash that can be used subsequently to verify the device integrity.
If I understood the technique they are altering the trip threshold for 1/0 data and mapping this analog quantity into the devices logical space. and thereby creating a map of offsets vs location.
This makes it very hard to fake because to have precise repeatable control of the manufacturing offset you would need to make a much larger device (which would not fit in the required chip area). It would also be practically impossible to systematically stress a new NAND device to match a known measured devices exact analog characteristics (even if you knew how to do this).
Oh well the PUF competition is heating-up
@the two Richards: there was another interesting lesson-to-be-learned in the "getting away with it" department earlier in the week:
IT admin cops to crippling ex-employer's network
In this case, the lesson was "Don't buy anything with your credit card in Mickey D's immediately before using their free wireless to attack your ex-employer's systems, because the odds are that you will have been the only disgruntled ex-employee to have used their credit card in that particular branch during those few minutes, and that's probably enough to convince a jury even without CCTV footage."
So you second the use of this technology and its probable effectiveness in tamper detection? If so, I might want to start factoring it into my recommendations on trusted distribution. So, how would this work? There could be MITM attacks before the first measurements. So, the best way is to have trusted (i hate that word) guys picking the chips up right at the foundry & taking them to a storage & fingerprinting site. Then, at least one trusted individual ensures the devices are kept safe & fingerprinted properly. He PGP signs the fingerprint list for each shipment and sends it to those at the other end of the supply line.
My problem is that this only detects problems with *flash*. Malicious SOC's, at least processors, might still be an issue. The method assumes there's no way to substitute those critical parts of the SOC without making the material looked tampered with. How hard is this really? I figure difficult, but for pro's with decent budget? What would that take?
@ Robert T,
"Heck being a successful criminal looks to much ike hard work...oh well back to more mundane matters."
When I was quite young and was upto "innocent mischief" (ie picking locks because I could) my father pointed out a very usefull observation,
"If you are smart enought to commit the perfect crime, you are smart enough to earn more money honestly"
And I admit every time I have thought "I wonder if I could do..." on thinking it through I find to many bases to cover to make it worthwhile to think any further.
The thing is it is not the big things that get you caught (you can see and plan for those) it's the little things which cause a "cover" to start peeling. It's those same little things that give a person in authority that "hinky feeling" that causes them to dig a little further...
@ Clive Robinson (on my fone)
I will post again that i disagree with that mantra. For one, the profit margins or hourly rates of many crimes exceed most honest work. Two, theres not competition in many crimes: just security on both sides. Finally, the entry cost and abundant opportunities make online fraud very lucrative compared to legit work.
Cc fraud regularly doubles to triples each investment. And theres howtos on the net and google gives u suppliers. Wat legit work beats that? And u dont have to be that smart to burglarize a house or infect a computer these days. Pay for the kit, pay tiny amount per install, and collect stuff for resale. Easy. Any street hustler could learn to do this. Try making a few grand for an hours work in most legit industries. Wont happen. Crime pays more & easier. Its why they stay on it and take the risks.
"So you second the use of this technology and its probable effectiveness in tamper detection? "
PUF's are all about repeatability under all conditions over the device lifetime. So it is difficult to comment, I would need to do is run what are called "Schmoo" test and see what the results revealed.
A Schmoo test measures the sensitivity of a particular test against other factors like DeviceTemp, Enclosure Temp, Supply Voltage, adjacent cell data, erase cycles, die location, temp cycling. In the end you get a multi-dimensional data set of the pass fail areas, this lets you set limits for expected changes.
All of these variables are VERY likely to have an impact on the threshold of the individual Flash Fet, used to make the PUF. However, to get around this the method most probably tries to measure Delta shifts in paired devices. i.e. two locations know to be "ones" shift by 20mV due to chip surface stress (bending). This bending stress occurs mainly because of the device packaging procedures, unfortunately for anyone trying to make a PUF the package stress relaxes with temp cycling.
Bottom line: it is a good starting basis to construct a PUF but the devil is in the details...
What does this do:
basically it makes sure that the data in the Flash remains unchanged and that the Flash (read Bios chips) were not swapped for some other program (read attack vector)
Processors and system SOC's are completely unprotected by this PUF. However it is at least three orders of magnitude more likely that the Bios will be changed than that the attacker will develop a fictionally compatible SOC and replace the original with the compromised device. So it is probably worth the effort.
Unfortunately like all anti-virus systems YOU must be in control of the system to make the method work. Any good root kit can make all anti virus programs completely ineffective by simply not giving you access to that which you think you are accessing, and there is no difference with PUF access.
Thanks for the info! :)
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.