Schneier on Security
A blog covering security and security technology.
October 2011 Archives
I was not surprised that police forces are buying this system, but at its capabilities.
Britain's largest police force is operating covert surveillance technology that can masquerade as a mobile phone network, transmitting a signal that allows authorities to shut off phones remotely, intercept communications and gather data about thousands of users in a targeted area.
This brazen tactic is from Malaysia. Robbers sabotage the machines, and then report the damage to the bank. When the banks send repair technicians to open and repair the machines, the robbers take the money at gunpoint.
It's hardly a technology-related attack. But from what I know about ATMs, the security of the money safe inside the machine is separate from the security of the rest of the machine. So it seems that the repair technicians might be given access to only the machine but not the safe inside.
It's hard to tell if he likes it.
Brian Krebs has done the analysis; it's something like 760 companies that were compromised.
Among the more interesting names on the list are Abbott Labs, the Alabama Supercomputer Network, Charles Schwabb & Co., Cisco Systems, eBay, the European Space Agency, Facebook, Freddie Mac, Google, the General Services Administration, the Inter-American Development Bank, IBM, Intel Corp., the Internal Revenue Service (IRS), the Massachusetts Institute of Technology, Motorola Inc., Northrop Grumman, Novell, Perot Systems, PriceWaterhouseCoopers LLP, Research in Motion (RIM) Ltd., Seagate Technology, Thomson Financial, Unisys Corp., USAA, Verisign, VMWare, Wachovia Corp., and Wells Fargo & Co.
It's a good one. Be sure to read the hover-over text.
Researchers have invented a new form of secret messaging using bacteria that make glowing proteins only under certain conditions. In addition to being useful to spies, the new technique could also allow companies to encode secret identifiers into crops, seeds, or other living commodities.
EFF reports on the security of SSL:
The most interesting entry in that table is the "CA compromise" one, because those are incidents that could affect any or every secure web or email server on the Internet. In at least 248 cases, a CA chose to indicate that it had been compromised as a reason for revoking a cert. Such statements have been issued by 15 distinct CA organizations.
I don't follow historical cryptography, so all of this comes as a surprise to me. But something called the Copiale Cipher from the 18th Century has been cracked.
EDITED TO ADD (11/14): Here's the academic website.
Google releases statistics:
Google received more than 15,600 requests in the January-June period, 10 percent more than the final six months of last year. The requests in the latest period spanned more than 25,400 individual accounts worldwide - a tiny fraction of Google's more than billion users.
I'm sure they have an office full of attorneys versed in the laws of various countries.
I've been told that the Twofish encryption algorithm is mentioned in the book Abuse of Power, in the first paragraph of Chapter 3. Did the terrorists use it? Did our hero break it? I am unlikely to read it; can someone scan the page for me.
EDITED TO ADD (10/25): Google Books has it:
The line was picked up after three rings. The cell phones were encrypted using a Twofish algorithm and a 4096-bit Diffie-Hellman key exchange.
The second document in this file is the recently unclassified "Guide to Historical Cryptologic Acronyms and Abbreviations, 1940-1980," from the NSA
Note that there are still some redactions.
It's illegal for Blue Coat to sell its technology for this purpose, but there are lots of third-parties who are willing to act as middlemen:
"Blue Coat does not sell to Syria. We comply with US export laws and we do not allow our partners to sell to embargoed countries," [Blue Coat spokesman Steve] Schick told the Bureau. "In addition, we do not allow any of our resellers, regardless of their location in the world, to sell to an embargoed country, such as Syria."
Bet you anything that the Syrian Blue Coat products are registered, and that they receive all the normal code and filter updates.
EDITED TO ADD (11/14): The Wall Street Journal confirms it:
The appliances do have Blue Coat service and support contracts. The company says it has now cut off contracts for the devices.
Patent application number 2011/023240:
Communicating Information in a Social Network System about Activities from Another Domain
EDITED TO ADD (10/24): Facebook claims that, while they do collect information on non-users, they don't use it for profiling. This feels like hair-splitting to me; I get emails from Facebook with lists of friends who are already on the site.
EDITED TO ADD (10/24): It's a patent application, not a patent.
the hacktivist group Anonymous hacked into several BART servers. They leaked part of a database of users from myBART, a website which provides frequent BART riders with email updates about activities near BART stations. An interesting aspect of the leak is that 1,346 of the 2,002 accounts seem to have randomly-generated passwords-a rare opportunity to study this approach to password security.
EDITED TO ADD (11/14): A contrarian view.
Things are getting interesting in Europe:
Max is a 24 year old law student from Vienna with a flair for the interview and plenty of smarts about both technology and legal issues. In Europe there is a requirement that entities with data about individuals make it available to them if they request it. That's how Max ended up with a personalized CD from Facebook that he printed out on a stack of paper more than a thousand pages thick (see image below). Analysing it, he came to the conclusion that Facebook is engineered to break many of the requirements of European data protection. ...
EDITED TO ADD (11/14): The 22 complaints are here
There's big news in the world of giant squid:
Researchers initially thought that this strange grouping of 45-foot-long marine reptiles had either died en masse from a poisonous plankton bloom or had become stranded in shallow water.
Here's a good debunking:
There is no direct evidence for the existence of the animal the McMenamins call "the kraken." No exceptionally preserved body, no fossilized tentacle hooks, no beak—nothing. The McMenamins’ entire case is based on peculiar inferences about the site.
I find this fascinating:
A central California man has been arrested for possession of child pornography, thanks to a tip from burglars who robbed the man's property, authorities said.
I am reminded of the UK story of a burglar finding some military secrets on a laptop -- or perhaps a USB drive -- that he stole, and returning them with a comment that was something like: "I'm a crook; I'm not a bloody traitor."
Anyone have any ideas?
The Chaos Computer Club has disassembled and analyzed the Trojan used by the German police for legal intercept. In its default mode, it takes regular screenshots of the active window and sends it to the police. It encrypts data in AES Electronic Codebook mode with -- are you ready? -- a fixed key across all versions. There's no authentication built in, so it's easy to spoof. It sends data to a command-and-control server in the U.S., which is almost certainly against German law. There's code to allow the controller to install additional software onto the target machine, but that's not authenticated either, so it would be easy to fool the Trojan into installing anything.
Abstract: We report a novel attack on two CAPTCHAs that have been widely deployed on the Internet, one being Google's home design and the other acquired by Google (i.e. reCAPTCHA). With a minor change, our attack program also works well on the latest ReCAPTCHA version, which uses a new defence mechanism that was unknown to us when we designed our attack. This suggests that our attack works in a fundamental level. Our attack appears to be applicable to a whole family of text CAPTCHAs that build on top of the popular segmentation-resistant mechanism of "crowding character together" for security. Next, we propose a novel framework that guides the application of our well-tested security engineering methodology for evaluating CAPTCHA robustness, and we propose a new general principle for CAPTCHA design.
A computer virus has infected the cockpits of America’s Predator and Reaper drones, logging pilots’ every keystroke as they remotely fly missions over Afghanistan and other warzones.
EDITED TO ADD (10/13): No one told the IT department for two weeks.
Andrew W. Appel, "Security Seals on Voting Machines: A Case Study," ACM Transactions on Information and System Security, 14 (2011): 1–29.
EDITED TO ADD (10/13): XKCD makes the sam point.
To catch up with the new technologies of malfeasance, FBI director Robert Mueller traveled to Silicon Valley last November to persuade technology companies to build "backdoors" into their products. If Mueller’s wish were granted, the FBI would gain undetected real-time access to suspects’ Skype calls, Facebook chats, and other online communicationsand in "clear text," the industry lingo for unencrypted data. Backdoors, in other words, would make the Internet -- and especially its burgeoning social media sector -- "wiretappable."
This is one of the cyber threats I talked about last week: insecurities deliberately created in some mistaken belief that they will stop crime. Once you build a backdoor into a product, you need to ensure that only the good guys use that backdoor, and only when they should. We'd all be much more secure if the backdoor didn't exist at all.
Last weekend, I completely reframed the book. I realized that the book isn't about security. It's about trust. I'm writing about how society induces people to behave in the group interest instead of some competing personal interest. It's obvious that society needs to do this; otherwise, it can never solve collective action problems. And as a social species, we have developed both moral systems and reputational systems that encourage people behave in the group interest. I called these systems "societal security," along with more recent developments: institutional (read "legal") systems and technological systems.
That phrasing strained the definition of "security." Everything, from the Bible to your friends treating you better if you were nice to them, was a security system. In my reframing, those are all trust pressures. It's a language that's more intuitive. We already know about moral pressure, peer pressure, and legal pressure. Reputational pressure, institutional pressure, and security pressure is much less of a stretch. And it puts security back in a more sensible place. Security is a mechanism; trust is the goal.
This reframing lets me more easily talk directly about the central issues of the book: how these various pressures scale to larger societies, and how security technologies are necessary for them to scale. Trust changes focus as society scales, too. In smaller societies (a family, for example), trust is more about intention and less about actions. In larger societies, trust is all about actions. It's more like compliance. And as things scale even further, trust becomes less about people and more about systems. I don't need to trust any particular banker, as long as I trust the banking system. And as we scale up, security becomes more important.
Possibly the book's thesis statement: "Security is a set of constructed systems that extend the naturally occurring systems that humans have always used to induce trust and enable society. This extension became necessary when society began to operate at a scale and complexity where the naturally occurring mechanisms started to break down, and is more necessary as society continues to grow in scale."
So the phrase "societal security" is completely gone from the book. (Like the phrase "dishonest minority," it only exists in old blog posts.) There's more talk about the role of trust in society. There's more talk about how security, real security this time, enables trust. It felt like a major change when I embarked on it, but the fact that I did it in three days says how this framing was always there under the surface. And the fact that the book reads a lot more cleanly now says this framing is the right one.
The title remains the same: Liars and Outliers. The cover remains the same. The table of contents is the same, although some chapters have different names. The subtitle has to change, though. Candidates include:
Any other ideas?
The manuscript is still due to the publisher at the end of the month, and publication is still set for mid-February. I am enjoying writing it, but I am also looking forward to it being done.
This is both news and not news:
Indeed, the Argonne team's attack required no modification, reprogramming, or even knowledge, of the voting machine's proprietary source code. It was carried out by inserting a piece of inexpensive "alien electronics" into the machine.
It's not news because we already know that if you have access to the internals of a voting machine, you can make it do whatever you want.
It is news because it's so easy. The entire hack took two hours, start to finish. The attacker doesn't have to know how the machine works, he just needs physical access. (And we know that voting machines are routinely left unguarded, and have locks that are easily bypassed.)
I find this all so frustrating because there are a gazillion ways to hack electronic voting machines. Specific attacks get the headlines, and the voting machine companies counter with reasons why those attacks are not "valid." And in the noise and counter-noise, no one hears the general truth: these systems are insecure, and should not be used in elections.
Nice cartoon on the problems of content filtering.
October is National Cybersecurity Awareness Month, sponsored by the Department of Homeland Security. The website has some sample things you can do to celebrate, but they're all pretty boring. Surely we can do better. Post your suggestions in comments.
A great find:
In his 1956 short story, "Let's Get Together," Isaac Asimov describes security measures proposed to counter a terrorist threat:"Consider further that this news will leak out as more and more people become involved in our countermeasures and more and more people begin to guess what we're doing. Then what? The panic might do us more harm than any one TC bomb."
This Jeffreys guy sounds as if he works for the TSA.
Custom HTC firmware breaks standard permissions and allows rogue apps to access location, address book, and account info without authorization.
Powered by Movable Type. Photo at top by Per Ervland.
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.