November 2011 Archives

Full Disclosure in Biology

The debate over full disclosure in computer security has been going on for the better part of two decades now. The stakes are much higher in biology:

The virus is an H5N1 avian influenza strain that has been genetically altered and is now easily transmissible between ferrets, the animals that most closely mimic the human response to flu. Scientists believe it's likely that the pathogen, if it emerged in nature or were released, would trigger an influenza pandemic, quite possibly with many millions of deaths.

In a 17th floor office in the same building, virologist Ron Fouchier of Erasmus Medical Center calmly explains why his team created what he says is "probably one of the most dangerous viruses you can make"­and why he wants to publish a paper describing how they did it. Fouchier is also bracing for a media storm. After he talked to ScienceInsider yesterday, he had an appointment with an institutional press officer to chart a communication strategy.

Of course, there's value to the research:

"These studies are very important," says biodefense and flu expert Michael Osterholm, director of the Center for Infectious Disease Research and Policy at the University of Minnesota, Twin Cities. The researchers "have the full support of the influenza community," Osterholm says, because there are potential benefits for public health. For instance, the results show that those downplaying the risks of an H5N1 pandemic should think again, he says.

Knowing the exact mutations that make the virus transmissible also enables scientists to look for them in the field and take more aggressive control measures when one or more show up, adds Fouchier. The study also enables researchers to test whether H5N1 vaccines and antiviral drugs would work against the new strain.

And we know how badly this sort of security works:

Osterholm says he can't discuss details of the papers because he's an NSABB member. But he says it should be possible to omit certain key details from controversial papers and make them available to people who really need to know. "We don't want to give bad guys a road map on how to make bad bugs really bad," he says.

Posted on November 30, 2011 at 12:28 PM34 Comments

Bad CIA Operational Security

I have no idea if this story about CIA spies in Lebanon is true, and it will almost certainly never be confirmed or denied:

But others inside the American intelligence community say sloppy "tradecraft" -- the method of covert operations -- by the CIA is also to blame for the disruption of the vital spy networks.

In Beirut, two Hezbollah double agents pretended to go to work for the CIA. Hezbollah then learned of the restaurant where multiple CIA officers were meeting with several agents, according to the four current and former officials briefed on the case. The CIA used the codeword "PIZZA" when discussing where to meet with the agents, according to U.S. officials. Two former officials describe the location as a Beirut Pizza Hut. A current US official denied that CIA officers met their agents at Pizza Hut.

Posted on November 30, 2011 at 6:57 AM18 Comments

Security Systems as a Marker for High-Value Targets

If something is protected by heavy security, it's obviously worth stealing. Here's an example from the insect world:

Maize plants, like many others, protect themselves with poisons. They pump their roots with highly toxic insecticides called BXDs, which deters hungry mandibles. But these toxins don’t come free. The plant needs energy to act as its own pharmacist, so it distributes the poison to the areas that deserve the greatest fortification -- its crown roots.

Maize seedlings grow roots either from the embryo itself (embryonic roots), or from the growing stem (crown roots). Christelle Robert found that the crown roots are especially important. They contain the most nutrients, and their loss matters more to the seedlings. As such, they receive the greatest investment of BXDs; they contain five times more of one particularly toxic compound called DIMBOA.

So, if plant-eating insects want to nibble on the most nutritious roots, they also swallow the highest amount of poison. Instead, they target the more lightly defended embryonic roots, which are less valuable to the plant. But the Western corn rootworm ignores these rules of engagement.

The larva of this beetle eats the roots of maize, corn and other cereals and it’s a significant pest that can ravage entire crops. Its success stems from its ability to turn maize’s defence against it. Robert found that the rootworm, unlike other insects, ignore the embryonic roots and head straight for the crown ones.

When Robert gave rootworms a mutant plant that couldn’t produce BXDs, it lost its interest in the crown roots. Rather than being deterred by the plant’s poisons, the rootworm actually uses them to track down the most nutritious meals.

The rootworms are immune to the poison, of course. Otherwise the trick wouldn't work.

Paper, behind a paywall.

Posted on November 29, 2011 at 2:13 PM16 Comments

Shopper Surveillance Using Cell Phones

Electronic surveillance is becoming so easy that even marketers can do it:

The cellphone tracking technology, called Footpath, is made by Path Intelligence Ltd., a Portsmouth, U.K.-based company. It uses sensors placed throughout the mall to detect signals from mobile phones and track their path around the mall. The sensors cannot gather phone numbers or other identifying data, or intercept or log data about calls or SMS messages, the company says.

EDITED TO ADD (12/14): Two malls have shelved the system for now.

Posted on November 29, 2011 at 7:01 AM38 Comments

Spider Webs Contain Ant Poison

Shichang Zhang, Teck Hui Koh, Wee Khee Seah, Yee Hing Lai, Mark A. Elgar, and Daiqin Li (2011), "A Novel Property of Spider Silk: Chemical Defence Against Ants," Proceedings of the Royal Society B: Biological Sciences (full text is behind a paywall).

Abstract: Spider webs are made of silk, the properties of which ensure remarkable efficiency at capturing prey. However, remaining on, or near, the web exposes the resident spiders to many potential predators, such as ants. Surprisingly, ants are rarely reported foraging on the webs of orb-weaving spiders, despite the formidable capacity of ants to subdue prey and repel enemies, the diversity and abundance of orb-web spiders, and the nutritional value of the web and resident spider. We explain this paradox by reporting a novel property of the silk produced by the orb-web spider Nephila antipodiana (Walckenaer). These spiders deposit on the silk a pyrrolidine alkaloid (2-pyrrolidinone) that provides protection from ant invasion. Furthermore, the ontogenetic change in the production of 2-pyrrolidinone suggests that this compound represents an adaptive response to the threat of natural enemies, rather than a simple by-product of silk synthesis: while 2-pyrrolidinone occurs on the silk threads produced by adult and large juvenile spiders, it is absent on threads produced by small juvenile spiders, whose threads are sufficiently thin to be inaccessible to ants.

Posted on November 28, 2011 at 12:55 PM11 Comments

The DHS Partners with Major League Soccer to Promote Fear

It seems to be harder and harder to keep people scared:

The Department’s "If You See Something, Say Something™" partnership with the MLS Cup will feature a "If You See Something, Say Something™" graphic that will aired on the video board during the MLS Cup championship game in Carson City, Calif. Safety messaging will also be printed on the back of MLS Cup credentials for staff, players, and volunteers and in game day programs distributed to fans. Throughout the MLS season "If You See Something, Say Something™" campaign graphics appeared on video boards and on the MLS website, and the "If You See Something, Say Something™" Public Service Announcement was read at games.

Will there also be "If You See Something, Say Something™" Day, with Janet Napolitano bobbleheads given to all the kids?

This kind of thing only serves to ratchet up fear, and doesn't make us any safer. I've written about this before.

Posted on November 28, 2011 at 7:26 AM39 Comments

Friday Squid Blogging: Cephalopod Art Conference

There was an interdisciplinary cephalopod art conference earlier this year, in Minneapolis. Videos of the conference are available online.

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

Posted on November 25, 2011 at 4:27 PM22 Comments

Android Malware

The Android platform is where the malware action is:

What happens when anyone can develop and publish an application to the Android Market? A 472% increase in Android malware samples since July 2011. These days, it seems all you need is a developer account, that is relatively easy to anonymize, pay $25 and you can post your applications.

[...]

In addition to an increase in the volume, the attackers continue to become more sophisticated in the malware they write. For instance, in the early spring, we began seeing Android malware that was capable of leveraging one of several platform vulnerabilities that allowed malware to gain root access on the device, in the background, and then install additional packages to the device to extend the functionality of the malware. Today, just about every piece of malware that is released contains this capability, simply because the vulnerabilities remain prevalent in nearly 90% of Android devices being carried around today.

I believe that smart phones are going to become the primary platform of attack for cybercriminals in the coming years. As the phones become more integrated into people's lives -- smart phone banking, electronic wallets -- they're simply going to become the most valuable device for criminals to go after. And I don't believe the iPhone will be more secure because of Apple's rigid policies for the app store.

EDITED TO ADD (11/26): This article is a good debunking of the data I quoted above. And also this:

"A virus of the traditional kind is possible, but not probable. The barriers to spreading such a program from phone to phone are large and difficult enough to traverse when you have legitimate access to the phone, but this isn't Independence Day, a virus that might work on one device won't magically spread to the other."

DiBona is right. While some malware and viruses have tried to make use of Bluetooth and Wi-Fi radios to hop from device to device, it simply doesn't happen the way security companies want you to think it does.

Of course he's right. Malware on portable devices isn't going to look or act the same way as malware on traditional computers. It isn't going to spread from phone to phone. I'm more worried about Trojans, either on legitimate or illegitimate apps, malware embedded in webpages, fake updates, and so on. A lot of this will involve social engineering the user, but I don't see that as much of a problem.

But I do see mobile devices as the new target of choice. And I worry much more about privacy violations. Your phone knows your location. Your phone knows who you talk to and -- with a recorder -- what you say. And when your phone becomes your digital wallet, your phone is going to know a lot more intimate things about you. All of this will be useful to both criminals and marketers, and we're going to see all sorts of illegal and quasi-legal ways both of those groups will go after that information.

And securing those devices is going to be hard, because we don't have the same low-level access to these devices we have with computers.

Anti-virus companies are using FUD to sell their products, but there are real risks here. And the time to start figuring out how to solve them is now.

Posted on November 25, 2011 at 6:06 AM55 Comments

Hack Against SCADA System

A hack against a SCADA system controlling a water pump in Illinois destroyed the pump.

We know absolutely nothing here about the attack or the attacker's motivations. Was it on purpose? An accident? A fluke?

EDITED TO ADD (12/1): Despite all sorts of allegations that the Russians hacked the water pump, it turns out that it was all a misunderstanding:

Within a week of the report’s release, DHS bluntly contradicted the memo, saying that it could find no evidence that a hack occurred. In truth, the water pump simply burned out, as pumps are wont to do, and a government-funded intelligence center incorrectly linked the failure to an internet connection from a Russian IP address months earlier.

The end of the article makes the most important point, I think:

Joe Weiss says he’s shocked that a report like this was put out without any of the information in it being investigated and corroborated first.

"If you can't trust the information coming from a fusion center, what is the purpose of having the fusion center sending anything out? That’s common sense," he said. "When you read what’s in that [report] that is a really, really scary letter. How could DHS not have put something out saying they got this [information but] it’s preliminary?"

Asked if the fusion center is investigating how information that was uncorroborated and was based on false assumptions got into a distributed report, spokeswoman Bond said an investigation of that sort is the responsibility of DHS and the other agencies who compiled the report. The center’s focus, she said, was on how Weiss received a copy of the report that he should never have received.

"We're very concerned about the leak of controlled information," Bond said. "Our internal review is looking at how did this information get passed along, confidential or controlled information, get disseminated and put into the hands of users that are not approved to receive that information. That’s number one."

Notice that the problem isn't that a non-existent threat was over hyped in a report circulated in secret, but that the report became public. Never mind that if the report hadn't become public, the report would have never been revealed as erroneous. How many other reports like this are being used to justify policies that are as erroneous as the data that supports them?

Posted on November 21, 2011 at 6:57 AM42 Comments

Friday Squid Blogging: Squid Camouflage

Some squid can switch their camouflage instantly.

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

Posted on November 18, 2011 at 4:41 PM35 Comments

A Link between Altruism and Fairness

I write a lot about altruism, fairness, and cooperation in my new book (out in February!), and this sort of thing interests me a lot:

In a new study, researchers had 15-month old babies watch movies of a person distributing crackers or milk to two others, either evenly or unevenly. Babies look at things longer when they're surprised, so measuring looking time can be used to gain insight into what babies expect to happen. In the study, the infants looked longer when the person in the video distributed the foods unevenly, suggesting surprise, and perhaps even an early perception of fairness.

But the team also say they established a link between fairness and altruism. In a second part of the experiment, the babies chose between two toys, and were then asked to share one of the toys with an experimenter. About a third of the babies were "selfish sharers": they shared the toy they hadn't chosen. Another third were "altruistic sharers": they shared their chosen toy. (The rest chose not to share. They may have been inhibited by the unfamiliarity of the experimenter, or maybe they just weren't that into sharing.)

What's interesting about the second half of the study was that by and large it was the babies who had previously been surprised by the unfair cracker and milk distribution who tended to share the preferred toy with the experimenter (the altruistic sharers). The babies who shared the rejected toy hadn't expressed much surprise over unequal distribution. This led the researchers to suggest that there's a fundamental link between altruism and a sense of equity.

Both psychology and neuroscience have a lot to say about these topics, and the resulting debate reads like a subset of the "Is there such a thing as free will?" debate. I think those who believe there is no free will are misdefining the term.

What does this have to do with security? Everything. It's not until we understand the natural human tendencies of fairness and altruism that we can really understand people who take advantage of those tendencies, and build systems to prevent them from taking advantage.

EDITED TO ADD (12/14): Related research with dogs.

Posted on November 18, 2011 at 5:50 AM49 Comments

EU Bans X-Ray Body Scanners

The European Union has banned X-ray full body scanners at airports. Millimeter wave scanners are allowed as long as they conform to privacy guidelines.

Under the new EU legislation the use of security scanners is only allowed in accordance with minimum conditions such as for example that: security scanners shall not store, retain, copy, print or retrieve images; any unauthorised access and use of the image is prohibited and shall be prevented; the human reviewer analysing the image shall be in a separate location and the image shall not be linked to the screened person and others. Passengers must be informed about conditions under which the security scanner control takes place. In addition, passengers are given the right to opt out from a control with scanners and be subject to an alternative method of screening.

Article.

Posted on November 17, 2011 at 1:13 PM31 Comments

Detecting Psychopaths by their Speech Patterns

Interesting:

The researchers interviewed 52 convicted murderers, 14 of them ranked as psychopaths according to the Psychopathy Checklist-Revised, a 20-item assessment, and asked them to describe their crimes in detail. Using computer programs to analyze what the men said, the researchers found that those with psychopathic scores showed a lack of emotion, spoke in terms of cause-and-effect when describing their crimes, and focused their attention on basic needs, such as food, drink and money.

[...]

To examine the emotional content of the murderers' speech, Hancock and his colleagues looked at a number of factors, including how frequently they described their crimes using the past tense. The use of the past tense can be an indicator of psychological detachment, and the researchers found that the psychopaths used it more than the present tense when compared with the nonpsychopaths. They also found more dysfluencies -- the "uhs" and "ums" that interrupt speech -- among psychopaths. Nearly universal in speech, dysfluencies indicate that the speaker needs some time to think about what they are saying.

I worry about people being judged by these criteria. Psychopaths make up about 1% of the population, so even a small false-positive rate can be a significant problem.

Posted on November 17, 2011 at 6:37 AM65 Comments

Sam Harris on Self-Defense

I thought this was very interesting. His three principles are:

  1. Avoid dangerous people and dangerous places.
  2. Do not defend your property.
  3. Respond immediately and escape.

Posted on November 16, 2011 at 9:17 AM85 Comments

Identity Theft Call Center

There's a group who charges to make social engineering calls to obtain missing personal information for identity theft.

This doesn't surprise me at all. Fraud is a business, too.

Posted on November 15, 2011 at 5:26 AM14 Comments

Remotely Opening Prison Doors

This seems like a bad vulnerability:

Researchers have demonstrated a vulnerability in the computer systems used to control facilities at federal prisons that could allow an outsider to remotely take them over, doing everything from opening and overloading cell door mechanisms to shutting down internal communications systems.

[...]

The researchers began their work after Strauchs was called in by a warden to investigate an incident in which all the cell doors on one prison's death row spontaneously opened. While the computers that are used for the system control and data acquisition (SCADA) systems that control prison doors and other systems in theory should not be connected to the Internet, the researchers found that there was an Internet connection associated with every prison system they surveyed. In some cases, prison staff used the same computers to browse the Internet; in others, the companies that had installed the software had put connections in place to do remote maintenance on the systems.

The weirdest part of the article was this last paragraph.

"You could open every cell door, and the system would be telling the control room they are all closed," Strauchs, a former CIA operations officer, told the Times. He said that he thought the greatest threat was that the system would be used to create the conditions needed for the assassination of a target prisoner.

I guess that's a threat. But the greatest threat?

EDITED TO ADD (11/14): The original paper.

Posted on November 14, 2011 at 7:14 AM26 Comments

Advanced Persistent Threat (APT)

It's taken me a few years, but I've come around to this buzzword. It highlights an important characteristic of a particular sort of Internet attacker.

A conventional hacker or criminal isn't interested in any particular target. He wants a thousand credit card numbers for fraud, or to break into an account and turn it into a zombie, or whatever. Security against this sort of attacker is relative; as long as you're more secure than almost everyone else, the attackers will go after other people, not you. An APT is different; it's an attacker who -- for whatever reason -- wants to attack you. Against this sort of attacker, the absolute level of your security is what's important. It doesn't matter how secure you are compared to your peers; all that matters is whether you're secure enough to keep him out.

APT attackers are more highly motivated. They're likely to be better skilled, better funded, and more patient. They're likely to try several different avenues of attack. And they're much more likely to succeed.

This is why APT is a useful buzzword.

Posted on November 9, 2011 at 1:51 PM84 Comments

Cutting Wallets Out of Drunks' Pockets on New York City Subways

It's a crime with finesse:

But he is actually a middle-aged or older man who has been doing this for a very long time. And he is a fading breed.

"It's like a lost art," the lieutenant said. "It's all old-school guys who cut the pocket. They die off." And they do not seem to be replacing themselves, he said. "It's like the TV repairman."

Lush workers date back at least to the beginning of the last century, their ilk cited in newspaper crime stories like one in The New York Times in 1922, describing "one who picks the pockets of the intoxicated. He is the old 'drunk roller' under a new name." While the term technically applies to anyone who steals from a drunken person, most police officers reserve it for a special kind of thief who uses straight-edge razors found in any hardware store.

EDITD TO ADD (11/14): Pick-pockets of all kinds may be a dying breed in New York.

Posted on November 7, 2011 at 12:43 PM34 Comments

Fake Documents that Alarm if Opened

This sort of thing seems like a decent approach, but it has a lot of practical problems:

In the wake of Wikileaks, the Department of Defense has stepped up its game to stop leaked documents from making their way into the hands of undesirables -- be they enemy forces or concerned citizens. A new piece of software has created a way to do this by generating realistic, fake documents that phone home when they're accessed, serving the dual purpose of providing false intelligence and helping identify the culprit.

Details aside, this kind of thing falls into the general category of data tracking. It doesn't even have to be fake documents; you could imagine some sort of macro embedded into Word or pdf documents that phones home when the document is opened. (I have no idea if you actually can do it with those formats, but the concept is plausible.) This allows the owner of a document to track when, and possibly by what computer, a document is opened.

But by far the biggest drawback from this tech is the possibility of false positives. If you seed a folder full of documents with a large number of fakes, how often do you think an authorized user will accidentally double click on the wrong file? And what if they act on the false information? Sure, this will prevent hackers from blindly trusting that every document on a server is correct, but we bet it won't take much to look into the code of a document and spot the fake, either.

I'm less worried about false positives, and more concerned by how easy it is to get around this sort of thing. Detach your computer from the Internet, and the document no longer phones home. A fix is to combine the system with an encryption scheme that requires a remote key. Now the document has to phone home before it can be viewed. Of course, once someone is authorized to view the document, it would be easy to create an unprotected copy -- screen captures, if nothing else -- to forward along,

While potentially interesting, this sort of technology is not going to prevent large data leaks. But it's good to see research.

Posted on November 7, 2011 at 6:26 AM51 Comments

Friday Squid Blogging: Star Trek IV, now with Squid

Someone edited Star Trek IV, removing the whales and replacing them with giant squid.


As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

Posted on November 4, 2011 at 4:47 PM42 Comments

Weaponized UAV Drones in the Hands of Local Police

Why does anyone think this is a good idea?

The police in Montgomery County – and area north of Houston, Texas – is the first local police in the united States to deploy a drone that can carry weapons.

[...]

He said they are designed to carry weapons for local law enforcement. "The aircraft has the capability to have a number of different systems on board. Mostly, for law enforcement, we focus on what we call less lethal systems," he said, including Tazers that can send a jolt to a criminal on the ground or a gun that fires bean bags known as a "stun baton."

"You have a stun baton where you can actually engage somebody at altitude with the aircraft. A stun baton would essentially disable a suspect," he said.

I'm sure it works much better in the movies than it does in real life.

Posted on November 4, 2011 at 5:05 AM75 Comments

Journal Article on Cyberwar

From the Journal of Strategic Studies: "Cyber War Will Not Take Place":

Abstract: For almost two decades, experts and defense establishments the world over have been predicting that cyber war is coming. But is it? This article argues in three steps that cyber war has never happened in the past, that cyber war does not take place in the present, and that it is unlikely that cyber war will occur in the future. It first outlines what would constitute cyber war: a potentially lethal, instrumental, and political act of force conducted through malicious code. The second part shows what cyber war is not, case-by-case. Not one single cyber offense on record constitutes an act of war on its own. The final part offers a more nuanced terminology to come to terms with cyber attacks. All politically motivated cyber attacks are merely sophisticated versions of three activities that are as old as warfare itself: sabotage, espionage, and subversion.

Here's another article: "The Non-Existent 'Cyber War' Is Nothing More Than A Push For More Government Control."

EDITED TO ADD (11/4): A reader complained to the publication, and they removed the paywall from the first article.

Posted on November 3, 2011 at 1:22 PM31 Comments

Underage Children on Facebook

Interesting research on how parents help their children lie about their age to get onto Facebook.

One reaction to our data might be that companies should not be allowed to restrict access to children on their sites. Unfortunately, getting the parental permission required by COPPA is technologically difficult, financially costly, and ethically problematic. Sites that target children take on this challenge, but often by excluding children whose parents lack resources to pay for the service, those who lack credit cards, and those who refuse to provide extra data about their children in order to offer permission. The situation is even more complicated for children who are in abusive households, have absentee parents, or regularly experience shifts in guardianship. General-purpose sites, including communication platforms like Gmail and Skype and social media services like Facebook and Twitter, generally prefer to avoid the social, technical, economic, and free speech complications involved.

While there is merit to thinking about how to strengthen parent permission structures, focusing on this obscures the issues that COPPA is intended to address: data privacy and online safety. COPPA predates the rise of social media. Its architects never imagined a world where people would share massive quantities of data as a central part of participation. It no longer makes sense to focus on how data are collected; we must instead question how those data are used. Furthermore, while children may be an especially vulnerable population, they are not the only vulnerable population. Most adults have little sense of how their data are being stored, shared, and sold.

COPPA is a well-intentioned piece of legislation with unintended consequences for parents, educators, and the public writ large. It has stifled innovation for sites focused on children and its implementations have made parenting more challenging. Our data clearly show that parents are concerned about privacy and online safety. Many want the government to help, but they don’t want solutions that unintentionally restrict their children’s access. Instead, they want guidance and recommendations to help them make informed decisions. Parents often want their children to learn how to be responsible digital citizens. Allowing them access is often the first step.

Here's the journal article. And some media coverage.

Posted on November 3, 2011 at 7:03 AM29 Comments

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..