October 2011 Archives

Cell Phone Surveillance System

I was not surprised that police forces are buying this system, but at its capabilities.

Britain's largest police force is operating covert surveillance technology that can masquerade as a mobile phone network, transmitting a signal that allows authorities to shut off phones remotely, intercept communications and gather data about thousands of users in a targeted area.

The surveillance system has been procured by the Metropolitan police from Leeds-based company Datong plc, which counts the US Secret Service, the Ministry of Defence and regimes in the Middle East among its customers. Strictly classified under government protocol as "Listed X", it can emit a signal over an area of up to an estimated 10 sq km, forcing hundreds of mobile phones per minute to release their unique IMSI and IMEI identity codes, which can be used to track a person's movements in real time.

[...]


Datong's website says its products are designed to provide law enforcement, military, security agencies and special forces with the means to "gather early intelligence in order to identify and anticipate threat and illegal activity before it can be deployed".

The company's systems, showcased at the DSEi arms fair in east London last month, allow authorities to intercept SMS messages and phone calls by secretly duping mobile phones within range into operating on a false network, where they can be subjected to "intelligent denial of service". This function is designed to cut off a phone used as a trigger for an explosive device.

A transceiver around the size of a suitcase can be placed in a vehicle or at another static location and operated remotely by officers wirelessly. Datong also offers clandestine portable transceivers with "covered antennae options available". Datong sells its products to nearly 40 countries around the world, including in Eastern Europe, South America, the Middle East and Asia Pacific.

Company website.

Posted on October 31, 2011 at 12:29 PM45 Comments

Another ATM Theft Tactic

This brazen tactic is from Malaysia. Robbers sabotage the machines, and then report the damage to the bank. When the banks send repair technicians to open and repair the machines, the robbers take the money at gunpoint.

It's hardly a technology-related attack. But from what I know about ATMs, the security of the money safe inside the machine is separate from the security of the rest of the machine. So it seems that the repair technicians might be given access to only the machine but not the safe inside.

Posted on October 31, 2011 at 8:18 AM24 Comments

Friday Squid Blogging: Video of Kid Eating Squid

It's hard to tell if he likes it.


As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

Posted on October 28, 2011 at 4:25 PM31 Comments

Full Extent of the Attack that Compromised RSA in March

Brian Krebs has done the analysis; it's something like 760 companies that were compromised.

Among the more interesting names on the list are Abbott Labs, the Alabama Supercomputer Network, Charles Schwabb & Co., Cisco Systems, eBay, the European Space Agency, Facebook, Freddie Mac, Google, the General Services Administration, the Inter-American Development Bank, IBM, Intel Corp., the Internal Revenue Service (IRS), the Massachusetts Institute of Technology, Motorola Inc., Northrop Grumman, Novell, Perot Systems, PriceWaterhouseCoopers LLP, Research in Motion (RIM) Ltd., Seagate Technology, Thomson Financial, Unisys Corp., USAA, Verisign, VMWare, Wachovia Corp., and Wells Fargo & Co.

News article.

Posted on October 28, 2011 at 3:21 PM14 Comments

Secret Codes in Bacteria

Neat:

Researchers have invented a new form of secret messaging using bacteria that make glowing proteins only under certain conditions. In addition to being useful to spies, the new technique could also allow companies to encode secret identifiers into crops, seeds, or other living commodities.

[...]

The new scheme replaces the fuse with seven colonies of Escherichia coli bacteria, each given a gene for a different fluorescent protein. When, and only when, these genes are turned on do the bacteria make these proteins and light up. The colors, including yellow, green, and red, vary based on which gene is expressed. All are clearly visibly different to the naked eye. With their colorful bacterial colonies in hand, the researchers then created a code using pairs of different colored bacteria. Having seven colors gave them 49 combinations, which they used to encode the 26 different letters and 23 alphanumeric symbols such as "@" and "$." They wrote a message by simply blotting pairs of colored bacteria in rows. To "print" the message, the researchers transferred the bacteria onto a plate containing agar, a bacterial growth medium, into which they pressed a sheet of nitrocellulose "paper" that immobilizes the bacteria.

At this point, the bacteria on the nitrocellulose paper remain invisible. But the message receiver can turn on the key genes and make the colors light up by pressing the nitrocellulose paper into an agar plate containing a chemical trigger that activates expression of the fluorescent proteins. (The proteins chosen to light up are ones the bacteria don't normally use, so unless the researchers activate them, they stay quiescent.) As long as the receiver knows which colors correspond to which characters, the message is revealed. But Walt and his colleagues added one more safeguard as well. Into some bacteria they inserted genes for resistance to particular antibiotics; the idea is that only the antibiotic-resistant bacteria are carrying the real message. If the message fell into the wrong hands, the receiver would see a mix of colors once the genes were activated and be unable to read it. But if the decoder added the right antibiotic, nonresistant bacteria and their colors die away, and the message becomes clear. The first example, reported in today's issue of the Proceedings of the National Academy of Sciences reads "this is a bioencoded message from the walt lab @ tufts university 2010."

Posted on October 27, 2011 at 12:01 PM28 Comments

The Security of SSL

EFF reports on the security of SSL:

The most interesting entry in that table is the "CA compromise" one, because those are incidents that could affect any or every secure web or email server on the Internet. In at least 248 cases, a CA chose to indicate that it had been compromised as a reason for revoking a cert. Such statements have been issued by 15 distinct CA organizations.

Posted on October 27, 2011 at 6:45 AM26 Comments

Cracking the Copiale Cipher

I don't follow historical cryptography, so all of this comes as a surprise to me. But something called the Copiale Cipher from the 18th Century has been cracked.

EDITED TO ADD (11/14): Here's the academic website.

Posted on October 26, 2011 at 6:02 AM20 Comments

Demands from Law Enforcement for Google Data

Google releases statistics:

Google received more than 15,600 requests in the January-June period, 10 percent more than the final six months of last year. The requests in the latest period spanned more than 25,400 individual accounts worldwide - a tiny fraction of Google's more than billion users.

[...]

The highest volume of government demands for user data came from the U.S. (5,950 requests, a 29 percent increase from the previous six-month stretch); India (1,739 requests, up 2 percent); France (1,300 requests, up 27 percent); Britain (1,273 requests, up 10 percent); and Germany (1,060 requests, up 38 percent).

[...]

The company usually complies with at least a portion of most government demands. Google has said that it often has little choice because it must obey laws in the countries where it operates. The alternative is to leave, as it did last year when it shifted its search engine to Hong Kong so it wouldn't have to follow mainland China's censorship requirements.

In the U.S., Google gave federal, state and other agencies what they wanted 93 percent of the time. The nearly 6,000 requests affected more than 11,000 user accounts during the January-June period.

In India, Google honored 70 percent of the 1,739 requests, which targeted more than 2,400 users, the second highest totals.

Google, which is based in Mountain View, Calif., rejected the most government demands for user information in Argentina, where 68 percent of the requests were denied. Less than 50 percent of the government requests for user data were complied with in Canada, Chile, France, Hong Kong, Mexico, the Netherlands, Russia, Turkey and South Korea.

I'm sure they have an office full of attorneys versed in the laws of various countries.

Another article.

Posted on October 26, 2011 at 5:54 AM12 Comments

Twofish Mentioned in Thriller Novel

I've been told that the Twofish encryption algorithm is mentioned in the book Abuse of Power, in the first paragraph of Chapter 3. Did the terrorists use it? Did our hero break it? I am unlikely to read it; can someone scan the page for me.

EDITED TO ADD (10/25): Google Books has it:

The line was picked up after three rings. The cell phones were encrypted using a Twofish algorithm and a 4096-bit Diffie-Hellman key exchange.

No one would be listening in.

Posted on October 25, 2011 at 12:58 PM27 Comments

NSA Acronyms

The second document in this file is the recently unclassified "Guide to Historical Cryptologic Acronyms and Abbreviations, 1940-1980," from the NSA

Note that there are still some redactions.

Posted on October 25, 2011 at 5:31 AM16 Comments

Blue Coat Products Enable Web Censorship in Syria

It's illegal for Blue Coat to sell its technology for this purpose, but there are lots of third-parties who are willing to act as middlemen:

"Blue Coat does not sell to Syria. We comply with US export laws and we do not allow our partners to sell to embargoed countries," [Blue Coat spokesman Steve] Schick told the Bureau. "In addition, we do not allow any of our resellers, regardless of their location in the world, to sell to an embargoed country, such as Syria."

However, Schick did not rule out the possibility that the equipment could have been bought via a third party re-seller, noting that Blue Coat equipment can be found on websites like eBay.

Bet you anything that the Syrian Blue Coat products are registered, and that they receive all the normal code and filter updates.

EDITED TO ADD (11/14): The Wall Street Journal confirms it:

The appliances do have Blue Coat service and support contracts. The company says it has now cut off contracts for the devices.

Posted on October 24, 2011 at 1:39 PM26 Comments

Facebook Patent to Track Users Even When They are Not Logged In to Facebook

Patent application number 2011/023240:

Communicating Information in a Social Network System about Activities from Another Domain

Abstract: In one embodiment, a method is described for tracking information about the activities of users of a social networking system while on another domain. The method includes maintaining a profile for each of one or more users of the social networking system, each profile identifying a connection to one or more other users of the social networking system and including information about the user. The method additionally includes receiving one or more communications from a third-party website having a different domain than the social network system, each message communicating an action taken by a user of the social networking system on the thirdparty website. The method additionally includes logging the actions taken on the third-party website in the social networking system, each logged action including information about the action. The method further includes correlating the logged actions with one or more advertisements presented to the one or more users on the third-party website as well as correlating the logged actions with a user of the social networking system.

Facebook denies that this is a patent for that. Although Facebook does seem to track users even when they are not logged in, as well as people who aren't even Facebook users.

EDITED TO ADD (10/24): Facebook claims that, while they do collect information on non-users, they don't use it for profiling. This feels like hair-splitting to me; I get emails from Facebook with lists of friends who are already on the site.

EDITED TO ADD (10/24): It's a patent application, not a patent.

Posted on October 24, 2011 at 6:42 AM49 Comments

Random Passwords in the Wild

Interesting analysis:

the hacktivist group Anonymous hacked into several BART servers. They leaked part of a database of users from myBART, a website which provides frequent BART riders with email updates about activities near BART stations. An interesting aspect of the leak is that 1,346 of the 2,002 accounts seem to have randomly-generated passwords-a rare opportunity to study this approach to password security.

Posted on October 20, 2011 at 6:25 AM26 Comments

New Malware: Duqu

A newly discovered piece of malware, Duqu, seems to be a precursor to the next Stuxnet-like worm and uses some of the same techniques as the original.

EDITED TO ADD (11/14): A contrarian view.

Posted on October 19, 2011 at 11:05 AM31 Comments

Discovering What Facebook Knows About You

Things are getting interesting in Europe:

Max is a 24 year old law student from Vienna with a flair for the interview and plenty of smarts about both technology and legal issues. In Europe there is a requirement that entities with data about individuals make it available to them if they request it. That's how Max ended up with a personalized CD from Facebook that he printed out on a stack of paper more than a thousand pages thick (see image below). Analysing it, he came to the conclusion that Facebook is engineered to break many of the requirements of European data protection. ...

The logical next step was a series of 22 lucid and well-reasoned complaints that he submitted to the Irish Data Protection Commissioner (Facebook states that European users have a relationship with the Irish Facebook subsidiary).

EDITED TO ADD (11/14): The 22 complaints are here

Posted on October 18, 2011 at 6:34 AM71 Comments

Friday Squid Blogging: Prehistoric Sentient Squid—Or Not

There's big news in the world of giant squid:

Researchers initially thought that this strange grouping of 45-foot-long marine reptiles had either died en masse from a poisonous plankton bloom or had become stranded in shallow water.

But recent geological analysis of the fossil site indicates that the park was deep underwater when these shonisaurs swam the prehistoric seas. So why were their bones laid in such a bizarre pattern? A new theory suggests that a 100-foot-long cephalopod arranged these bones as a self-portrait after drowning the reptiles

Here's a good debunking:

There is no direct evidence for the existence of the animal the McMenamins call "the kraken." No exceptionally preserved body, no fossilized tentacle hooks, no beak—nothing. The McMenamins’ entire case is based on peculiar inferences about the site.

Another article. And another debunking.

Posted on October 14, 2011 at 4:07 PM21 Comments

Burglars Tip Off Police About Bigger Crime

I find this fascinating:

A central California man has been arrested for possession of child pornography, thanks to a tip from burglars who robbed the man's property, authorities said.

I am reminded of the UK story of a burglar finding some military secrets on a laptop -- or perhaps a USB drive -- that he stole, and returning them with a comment that was something like: "I'm a crook; I'm not a bloody traitor."

Posted on October 14, 2011 at 12:34 PM56 Comments

Official Malware from the German Police

The Chaos Computer Club has disassembled and analyzed the Trojan used by the German police for legal intercept. In its default mode, it takes regular screenshots of the active window and sends it to the police. It encrypts data in AES Electronic Codebook mode with -- are you ready? -- a fixed key across all versions. There's no authentication built in, so it's easy to spoof. It sends data to a command-and-control server in the U.S., which is almost certainly against German law. There's code to allow the controller to install additional software onto the target machine, but that's not authenticated either, so it would be easy to fool the Trojan into installing anything.

Detailed analysis in German. F-Secure has announced it will treat the Trojan as malware. I hope all the other anti-virus companies will do the same.

EDITED TO ADD (10/12): Another story. And some good information on the malware. Germany's Justice Minister is calling for an investigation.

Posted on October 13, 2011 at 6:03 AM40 Comments

New Attacks on CAPTCHAs

Nice research:

Abstract: We report a novel attack on two CAPTCHAs that have been widely deployed on the Internet, one being Google's home design and the other acquired by Google (i.e. reCAPTCHA). With a minor change, our attack program also works well on the latest ReCAPTCHA version, which uses a new defence mechanism that was unknown to us when we designed our attack. This suggests that our attack works in a fundamental level. Our attack appears to be applicable to a whole family of text CAPTCHAs that build on top of the popular segmentation-resistant mechanism of "crowding character together" for security. Next, we propose a novel framework that guides the application of our well-tested security engineering methodology for evaluating CAPTCHA robustness, and we propose a new general principle for CAPTCHA design.

Posted on October 12, 2011 at 6:57 AM24 Comments

U.S. Drones Have a Computer Virus

You'd think we would be more careful than this:

A computer virus has infected the cockpits of America’s Predator and Reaper drones, logging pilots’ every keystroke as they remotely fly missions over Afghanistan and other warzones.

[...]

"We keep wiping it off, and it keeps coming back," says a source familiar with the network infection, one of three that told Danger Room about the virus. "We think it’s benign. But we just don’t know."

EDITED TO ADD (10/13): No one told the IT department for two weeks.

Posted on October 10, 2011 at 6:38 AM64 Comments

Friday Squid Blogging: Hundreds of Squid Wash Up on Southern California Beaches

Humboldt squid are washing up on beaches across Southern California. Seems like it's no big deal; the squid just swam too close to shore.

Posted on October 7, 2011 at 4:51 PM26 Comments

Security Seals on Voting Machines

Related to this blog post from Wednesday, here's a paper that looks at security seals on voting machines.

Andrew W. Appel, "Security Seals on Voting Machines: A Case Study," ACM Transactions on Information and System Security, 14 (2011): 1–29.

Abstract: Tamper-evident seals are used by many states' election officials on voting machines and ballot boxes, either to protect the computer and software from fraudulent modification or to protect paper ballots from fraudulent substitution or stuffing. Physical tamper-indicating seals can usually be easily defeated, given they way they are typically made and used; and the effectiveness of seals depends on the protocol for their application and inspection. The legitimacy of our elections may therefore depend on whether a particular state's use of seals is effective to prevent, deter, or detect election fraud. This paper is a case study of the use of seals on voting machines by the State of New Jersey. I conclude that New Jersey;s protocols for the use of tamper-evident seals have been not at all effective. I conclude with a discussion of the more general problem of seals in democratic elections.

Posted on October 7, 2011 at 1:11 PM16 Comments

FBI-Sponsored Backdoors

From a review of Susan Landau's Surveillance or Security?:

To catch up with the new technologies of malfeasance, FBI director Robert Mueller traveled to Silicon Valley last November to persuade technology companies to build "backdoors" into their products. If Mueller’s wish were granted, the FBI would gain undetected real-time access to suspects’ Skype calls, Facebook chats, and other online communications­and in "clear text," the industry lingo for unencrypted data. Backdoors, in other words, would make the Internet -- and especially its burgeoning social media sector -- "wiretappable."

This is one of the cyber threats I talked about last week: insecurities deliberately created in some mistaken belief that they will stop crime. Once you build a backdoor into a product, you need to ensure that only the good guys use that backdoor, and only when they should. We'd all be much more secure if the backdoor didn't exist at all.

Posted on October 7, 2011 at 6:01 AM35 Comments

Status Report: Liars and Outliers

Last weekend, I completely reframed the book. I realized that the book isn't about security. It's about trust. I'm writing about how society induces people to behave in the group interest instead of some competing personal interest. It's obvious that society needs to do this; otherwise, it can never solve collective action problems. And as a social species, we have developed both moral systems and reputational systems that encourage people behave in the group interest. I called these systems "societal security," along with more recent developments: institutional (read "legal") systems and technological systems.

That phrasing strained the definition of "security." Everything, from the Bible to your friends treating you better if you were nice to them, was a security system. In my reframing, those are all trust pressures. It's a language that's more intuitive. We already know about moral pressure, peer pressure, and legal pressure. Reputational pressure, institutional pressure, and security pressure is much less of a stretch. And it puts security back in a more sensible place. Security is a mechanism; trust is the goal.

This reframing lets me more easily talk directly about the central issues of the book: how these various pressures scale to larger societies, and how security technologies are necessary for them to scale. Trust changes focus as society scales, too. In smaller societies (a family, for example), trust is more about intention and less about actions. In larger societies, trust is all about actions. It's more like compliance. And as things scale even further, trust becomes less about people and more about systems. I don't need to trust any particular banker, as long as I trust the banking system. And as we scale up, security becomes more important.

Possibly the book's thesis statement: "Security is a set of constructed systems that extend the naturally occurring systems that humans have always used to induce trust and enable society. This extension became necessary when society began to operate at a scale and complexity where the naturally occurring mechanisms started to break down, and is more necessary as society continues to grow in scale."

So the phrase "societal security" is completely gone from the book. (Like the phrase "dishonest minority," it only exists in old blog posts.) There's more talk about the role of trust in society. There's more talk about how security, real security this time, enables trust. It felt like a major change when I embarked on it, but the fact that I did it in three days says how this framing was always there under the surface. And the fact that the book reads a lot more cleanly now says this framing is the right one.

The title remains the same: Liars and Outliers. The cover remains the same. The table of contents is the same, although some chapters have different names. The subtitle has to change, though. Candidates include:

  1. How Trust Holds Society Together -- my publisher probably won't allow me to write a book without the word "security" somewhere in the title.

  2. Security, Trust, and Society -- not punchy enough.

  3. How Security Enables the Trust that Holds Society Together -- probably too long.

  4. How Trust and Security Hold Society Together -- maybe.

Any other ideas?

The manuscript is still due to the publisher at the end of the month, and publication is still set for mid-February. I am enjoying writing it, but I am also looking forward to it being done.

Posted on October 5, 2011 at 7:38 PM189 Comments

Insider Attack Against Diebold Voting Machines

This is both news and not news:

Indeed, the Argonne team's attack required no modification, reprogramming, or even knowledge, of the voting machine's proprietary source code. It was carried out by inserting a piece of inexpensive "alien electronics" into the machine.

It's not news because we already know that if you have access to the internals of a voting machine, you can make it do whatever you want.

It is news because it's so easy. The entire hack took two hours, start to finish. The attacker doesn't have to know how the machine works, he just needs physical access. (And we know that voting machines are routinely left unguarded, and have locks that are easily bypassed.)

I find this all so frustrating because there are a gazillion ways to hack electronic voting machines. Specific attacks get the headlines, and the voting machine companies counter with reasons why those attacks are not "valid." And in the noise and counter-noise, no one hears the general truth: these systems are insecure, and should not be used in elections.

Posted on October 5, 2011 at 6:58 AM48 Comments

National Cybersecurity Awareness Month

October is National Cybersecurity Awareness Month, sponsored by the Department of Homeland Security. The website has some sample things you can do to celebrate, but they're all pretty boring. Surely we can do better. Post your suggestions in comments.

Posted on October 4, 2011 at 6:31 AM49 Comments

Isaac Asimov on Security Theater

A great find:

In his 1956 short story, "Let's Get Together," Isaac Asimov describes security measures proposed to counter a terrorist threat:

"Consider further that this news will leak out as more and more people become involved in our countermeasures and more and more people begin to guess what we're doing. Then what? The panic might do us more harm than any one TC bomb."

The Presidential Assistant said irritably, "In Heaven's name, man, what do you suggest we do, then?"

"Nothing," said Lynn. "Call their bluff. Live as we have lived and gamble that They won't dare break the stalemate for the sake of a one-bomb head start."

"Impossible!" said Jeffreys. "Completely impossible. The welfare of all of Us is very largely in my hands, and doing nothing is the one thing I cannot do. I agree with you, perhaps, that X-ray machines at sports arenas are a kind of skin-deep measure that won't be effective, but it has to be done so that people, in the aftermath, do not come to the bitter conclusion that we tossed our country away for the sake of a subtle line of reasoning that encouraged donothingism."

This Jeffreys guy sounds as if he works for the TSA.

Posted on October 3, 2011 at 1:20 PM33 Comments

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..