Schneier on Security
A blog covering security and security technology.
November 2011 Archives
The virus is an H5N1 avian influenza strain that has been genetically altered and is now easily transmissible between ferrets, the animals that most closely mimic the human response to flu. Scientists believe it's likely that the pathogen, if it emerged in nature or were released, would trigger an influenza pandemic, quite possibly with many millions of deaths.
Of course, there's value to the research:
"These studies are very important," says biodefense and flu expert Michael Osterholm, director of the Center for Infectious Disease Research and Policy at the University of Minnesota, Twin Cities. The researchers "have the full support of the influenza community," Osterholm says, because there are potential benefits for public health. For instance, the results show that those downplaying the risks of an H5N1 pandemic should think again, he says.
And we know how badly this sort of security works:
Osterholm says he can't discuss details of the papers because he's an NSABB member. But he says it should be possible to omit certain key details from controversial papers and make them available to people who really need to know. "We don't want to give bad guys a road map on how to make bad bugs really bad," he says.
I have no idea if this story about CIA spies in Lebanon is true, and it will almost certainly never be confirmed or denied:
But others inside the American intelligence community say sloppy "tradecraft" -- the method of covert operations -- by the CIA is also to blame for the disruption of the vital spy networks.
If something is protected by heavy security, it's obviously worth stealing. Here's an example from the insect world:
Maize plants, like many others, protect themselves with poisons. They pump their roots with highly toxic insecticides called BXDs, which deter hungry mandibles. But these toxins don’t come free. The plant needs energy to act as its own pharmacist, so it distributes the poison to the areas that deserve the greatest fortification -- its crown roots.
The rootworms are immune to the poison, of course. Otherwise the trick wouldn't work.
Paper, behind a paywall.
The cellphone tracking technology, called Footpath, is made by Path Intelligence Ltd., a Portsmouth, U.K.-based company. It uses sensors placed throughout the mall to detect signals from mobile phones and track their path around the mall. The sensors cannot gather phone numbers or other identifying data, or intercept or log data about calls or SMS messages, the company says.
EDITED TO ADD (12/14): Two malls have shelved the system for now.
Shichang Zhang, Teck Hui Koh, Wee Khee Seah, Yee Hing Lai, Mark A. Elgar, and Daiqin Li (2011), "A Novel Property of Spider Silk: Chemical Defence Against Ants," Proceedings of the Royal Society B: Biological Sciences (full text is behind a paywall).
Abstract: Spider webs are made of silk, the properties of which ensure remarkable efficiency at capturing prey. However, remaining on, or near, the web exposes the resident spiders to many potential predators, such as ants. Surprisingly, ants are rarely reported foraging on the webs of orb-weaving spiders, despite the formidable capacity of ants to subdue prey and repel enemies, the diversity and abundance of orb-web spiders, and the nutritional value of the web and resident spider. We explain this paradox by reporting a novel property of the silk produced by the orb-web spider Nephila antipodiana (Walckenaer). These spiders deposit on the silk a pyrrolidine alkaloid (2-pyrrolidinone) that provides protection from ant invasion. Furthermore, the ontogenetic change in the production of 2-pyrrolidinone suggests that this compound represents an adaptive response to the threat of natural enemies, rather than a simple by-product of silk synthesis: while 2-pyrrolidinone occurs on the silk threads produced by adult and large juvenile spiders, it is absent on threads produced by small juvenile spiders, whose threads are sufficiently thin to be inaccessible to ants.
It seems to be harder and harder to keep people scared:
The Department’s "If You See Something, Say Something™" partnership with the MLS Cup will feature a "If You See Something, Say Something™" graphic that will be aired on the video board during the MLS Cup championship game in Carson City, Calif. Safety messaging will also be printed on the back of MLS Cup credentials for staff, players, and volunteers and in game day programs distributed to fans. Throughout the MLS season "If You See Something, Say Something™" campaign graphics appeared on video boards and on the MLS website, and the "If You See Something, Say Something™" Public Service Announcement was read at games.
Will there also be "If You See Something, Say Something™" Day, with Janet Napolitano bobbleheads given to all the kids?
There was an interdisciplinary cephalopod art conference earlier this year, in Minneapolis. Videos of the conference are available online.
As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.
The Android platform is where the malware action is:
What happens when anyone can develop and publish an application to the Android Market? A 472% increase in Android malware samples since July 2011. These days, it seems all you need is a developer account, which is relatively easy to anonymize, pay $25, and you can post your applications.
I believe that smart phones are going to become the primary platform of attack for cybercriminals in the coming years. As the phones become more integrated into people's lives -- smart phone banking, electronic wallets -- they're simply going to become the most valuable device for criminals to go after. And I don't believe the iPhone will be more secure because of Apple's rigid policies for the app store.
EDITED TO ADD (11/26): This article is a good debunking of the data I quoted above. And also this:
"A virus of the traditional kind is possible, but not probable. The barriers to spreading such a program from phone to phone are large and difficult enough to traverse when you have legitimate access to the phone, but this isn't Independence Day, a virus that might work on one device won't magically spread to the other."
Of course he's right. Malware on portable devices isn't going to look or act the same way as malware on traditional computers. It isn't going to spread from phone to phone. I'm more worried about Trojans, either on legitimate or illegitimate apps, malware embedded in webpages, fake updates, and so on. A lot of this will involve social engineering the user, but I don't see that as much of a problem.
But I do see mobile devices as the new target of choice. And I worry much more about privacy violations. Your phone knows your location. Your phone knows who you talk to and -- with a recorder -- what you say. And when your phone becomes your digital wallet, your phone is going to know a lot more intimate things about you. All of this will be useful to both criminals and marketers, and we're going to see all sorts of illegal and quasi-legal ways both of those groups will go after that information.
And securing those devices is going to be hard, because we don't have the same low-level access to these devices we have with computers.
Anti-virus companies are using FUD to sell their products, but there are real risks here. And the time to start figuring out how to solve them is now.
Dan Boneh of Stanford University is teaching a free cryptography class starting in January.
A hack against a SCADA system controlling a water pump in Illinois destroyed the pump.
We know absolutely nothing here about the attack or the attacker's motivations. Was it on purpose? An accident? A fluke?
EDITED TO ADD (12/1): Despite all sorts of allegations that the Russians hacked the water pump, it turns out that it was all a misunderstanding:
Within a week of the report’s release, DHS bluntly contradicted the memo, saying that it could find no evidence that a hack occurred. In truth, the water pump simply burned out, as pumps are wont to do, and a government-funded intelligence center incorrectly linked the failure to an internet connection from a Russian IP address months earlier.
The end of the article makes the most important point, I think:
Joe Weiss says he’s shocked that a report like this was put out without any of the information in it being investigated and corroborated first.
Notice that the problem isn't that a non-existent threat was overhyped in a report circulated in secret, but that the report became public. Never mind that if the report hadn't become public, the report would have never been revealed as erroneous. How many other reports like this are being used to justify policies that are as erroneous as the data that supports them?
As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.
I write a lot about altruism, fairness, and cooperation in my new book (out in February!), and this sort of thing interests me a lot:
In a new study, researchers had 15-month old babies watch movies of a person distributing crackers or milk to two others, either evenly or unevenly. Babies look at things longer when they're surprised, so measuring looking time can be used to gain insight into what babies expect to happen. In the study, the infants looked longer when the person in the video distributed the foods unevenly, suggesting surprise, and perhaps even an early perception of fairness.
Both psychology and neuroscience have a lot to say about these topics, and the resulting debate reads like a subset of the "Is there such a thing as free will?" debate. I think those who believe there is no free will are misdefining the term.
What does this have to do with security? Everything. It's not until we understand the natural human tendencies of fairness and altruism that we can really understand people who take advantage of those tendencies, and build systems to prevent them from taking advantage.
EDITED TO ADD (12/14): Related research with dogs.
The European Union has banned X-ray full body scanners at airports. Millimeter wave scanners are allowed as long as they conform to privacy guidelines.
Under the new EU legislation the use of security scanners is only allowed in accordance with minimum conditions such as for example that: security scanners shall not store, retain, copy, print or retrieve images; any unauthorised access and use of the image is prohibited and shall be prevented; the human reviewer analysing the image shall be in a separate location and the image shall not be linked to the screened person and others. Passengers must be informed about conditions under which the security scanner control takes place. In addition, passengers are given the right to opt out from a control with scanners and be subject to an alternative method of screening.
The researchers interviewed 52 convicted murderers, 14 of them ranked as psychopaths according to the Psychopathy Checklist-Revised, a 20-item assessment, and asked them to describe their crimes in detail. Using computer programs to analyze what the men said, the researchers found that those with psychopathic scores showed a lack of emotion, spoke in terms of cause-and-effect when describing their crimes, and focused their attention on basic needs, such as food, drink and money.
I worry about people being judged by these criteria. Psychopaths make up about 1% of the population, so even a small false-positive rate can be a significant problem.
I thought this was very interesting. His three principles are:
There's a group who charges to make social engineering calls to obtain missing personal information for identity theft.
This doesn't surprise me at all. Fraud is a business, too.
EDITED TO ADD (11/14): Blog post.
This seems like a bad vulnerability:
Researchers have demonstrated a vulnerability in the computer systems used to control facilities at federal prisons that could allow an outsider to remotely take them over, doing everything from opening and overloading cell door mechanisms to shutting down internal communications systems.
The weirdest part of the article was this last paragraph.
"You could open every cell door, and the system would be telling the control room they are all closed," Strauchs, a former CIA operations officer, told the Times. He said that he thought the greatest threat was that the system would be used to create the conditions needed for the assassination of a target prisoner.
I guess that's a threat. But the greatest threat?
EDITED TO ADD (11/14): The original paper.
It turns out that "2bon2btitq" is not a strong password.
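An added illustration of why (not from the post): the string is the initials of Hamlet's "to be or not to be that is the question" with "to" written as "2". A strength meter that counts character classes credits it with about 52 bits; an attacker who tries acronyms of well-known phrases needs a handful of guesses. The phrase list, substitution table and guess rate below are constructed for the example.

```python
"""Naive charset entropy versus the search space an attacker actually faces.

Added example, not from the post. Shows why a short acronym of a famous
phrase scores well on a character-class meter yet falls to a tiny dictionary
of phrase-derived guesses. Phrase list, substitutions and guess rate are
constructed, not measured.
"""
import math
import re

# Constructed: a few phrases an attacker would acronymize. Real wordlist
# tooling ships millions of such derivations.
KNOWN_PHRASES = [
    "to be or not to be that is the question",
    "the quick brown fox jumps over the lazy dog",
    "four score and seven years ago",
]
# Whole-word swaps commonly applied when turning a phrase into an acronym.
SUBS = {"to": "2", "for": "4", "you": "u", "are": "r"}


def naive_entropy_bits(pw):
    """Entropy if every character were drawn uniformly from the classes used."""
    size = 0
    if re.search(r"[a-z]", pw):
        size += 26
    if re.search(r"[A-Z]", pw):
        size += 26
    if re.search(r"[0-9]", pw):
        size += 10
    if re.search(r"[^a-zA-Z0-9]", pw):
        size += 33
    return len(pw) * math.log2(size) if size else 0.0


def acronym_variants(phrase):
    """Plain initials of the phrase, plus initials with the SUBS swaps applied."""
    words = phrase.split()
    plain = "".join(w[0] for w in words)
    subbed = "".join(SUBS.get(w, w[0]) for w in words)
    return {plain, subbed}


def derived_from_phrase(pw):
    """Return the known phrase the password is an acronym of, or None."""
    for phrase in KNOWN_PHRASES:
        if pw.lower() in acronym_variants(phrase):
            return phrase
    return None


def effective_bits(pw):
    """Attacker's view: a phrase-derived password costs about
    log2(phrases * variants per phrase) guesses, whatever its character mix."""
    if derived_from_phrase(pw) is not None:
        return math.log2(len(KNOWN_PHRASES) * 2)
    return naive_entropy_bits(pw)


def crack_seconds(bits, guesses_per_second=1e10):
    """Expected time to hit the password (half the space on average) at a
    constructed offline guess rate."""
    return (2 ** bits) / 2 / guesses_per_second
```

Running `effective_bits("2bon2btitq")` against `naive_entropy_bits("2bon2btitq")` shows the gap: roughly 2.6 bits against 51.7. The general lesson is that any estimator must model how the password was generated, not just which characters it contains.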
It's taken me a few years, but I've come around to this buzzword. It highlights an important characteristic of a particular sort of Internet attacker.
A conventional hacker or criminal isn't interested in any particular target. He wants a thousand credit card numbers for fraud, or to break into an account and turn it into a zombie, or whatever. Security against this sort of attacker is relative; as long as you're more secure than almost everyone else, the attackers will go after other people, not you. An APT is different; it's an attacker who -- for whatever reason -- wants to attack you. Against this sort of attacker, the absolute level of your security is what's important. It doesn't matter how secure you are compared to your peers; all that matters is whether you're secure enough to keep him out.
APT attackers are more highly motivated. They're likely to be better skilled, better funded, and more patient. They're likely to try several different avenues of attack. And they're much more likely to succeed.
This is why APT is a useful buzzword.
This security bug is just plain weird.
EDITED TO ADD (11/14): The bug has been patched.
It's a crime with finesse:
But he is actually a middle-aged or older man who has been doing this for a very long time. And he is a fading breed.
EDITED TO ADD (11/14): Pick-pockets of all kinds may be a dying breed in New York.
In the wake of Wikileaks, the Department of Defense has stepped up its game to stop leaked documents from making their way into the hands of undesirables -- be they enemy forces or concerned citizens. A new piece of software has created a way to do this by generating realistic, fake documents that phone home when they're accessed, serving the dual purpose of providing false intelligence and helping identify the culprit.
Details aside, this kind of thing falls into the general category of data tracking. It doesn't even have to be fake documents; you could imagine some sort of macro embedded into Word or pdf documents that phones home when the document is opened. (I have no idea if you actually can do it with those formats, but the concept is plausible.) This allows the owner of a document to track when, and possibly by what computer, a document is opened.
But by far the biggest drawback from this tech is the possibility of false positives. If you seed a folder full of documents with a large number of fakes, how often do you think an authorized user will accidentally double click on the wrong file? And what if they act on the false information? Sure, this will prevent hackers from blindly trusting that every document on a server is correct, but we bet it won't take much to look into the code of a document and spot the fake, either.
I'm less worried about false positives, and more concerned by how easy it is to get around this sort of thing. Detach your computer from the Internet, and the document no longer phones home. A fix is to combine the system with an encryption scheme that requires a remote key. Now the document has to phone home before it can be viewed. Of course, once someone is authorized to view the document, it would be easy to create an unprotected copy -- screen captures, if nothing else -- to forward along.
While potentially interesting, this sort of technology is not going to prevent large data leaks. But it's good to see research.
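What the server side of such a scheme looks like, as an added example that is not the DoD software described above: each seeded document carries a unique beacon token, a phone-home records which file was opened, by whom and from where, an authorized user's accidental click on a decoy is logged at low severity rather than raised as a leak (the false-positive concern in the quoted article), and in the remote-key variant the document body is stored encrypted and the key is handed out only through a logged, authorized phone-home. Registry names, tokens, principals and addresses are constructed; the counter-mode keystream is a demonstration stand-in for a real AEAD.

```python
"""Server side of a phone-home honey-document scheme (added example, not the
software the post describes). It models the post's three points: a unique
beacon per seeded document so a phone-home says which file was opened, by
whom and from where; triage that keeps an authorized user's accidental click
on a decoy (the article's false-positive worry) apart from an unauthorized
read; and the remote-key variant, where the body is stored encrypted and the
key is released only through a logged phone-home. All values are constructed.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class Beacon:
    doc_name: str
    is_decoy: bool          # True for a planted fake, False for a real file
    authorized: frozenset   # principals allowed to read this document


@dataclass
class Alert:
    severity: str           # "low" (likely mis-click) or "high" (leak indicator)
    doc_name: str
    principal: str
    source: str
    reason: str


class HoneyRegistry:
    def __init__(self, server_secret):
        self._secret = server_secret
        self._beacons = {}      # beacon token -> Beacon
        self.events = []        # every phone-home for a known token
        self.alerts = []

    def seed(self, doc_name, is_decoy, authorized):
        """Register a document; the returned token is what the file beacons."""
        token = secrets.token_hex(8)
        self._beacons[token] = Beacon(doc_name, is_decoy, frozenset(authorized))
        return token

    def _doc_key(self, token):
        # Per-document key derived from the server secret. It leaves the server
        # only through an authorized, logged phone-home, so an offline copy of
        # the sealed file stays unreadable.
        return hmac.new(self._secret, token.encode(), hashlib.sha256).digest()

    def phone_home(self, token, principal, source):
        """Log an open event; return the document key only to an authorized reader."""
        beacon = self._beacons.get(token)
        if beacon is None:
            self.alerts.append(Alert("high", "?", principal, source, "unknown beacon"))
            return None
        self.events.append((beacon.doc_name, principal, source))
        if principal in beacon.authorized:
            if beacon.is_decoy:
                # Staff do open the wrong file: keep the record, but at low
                # severity so it does not drown real indicators.
                self.alerts.append(Alert("low", beacon.doc_name, principal, source,
                                         "decoy opened by authorized user"))
            return self._doc_key(token)
        what = "decoy" if beacon.is_decoy else "real document"
        self.alerts.append(Alert("high", beacon.doc_name, principal, source,
                                 what + " opened by unauthorized party"))
        return None


def _keystream(key, nonce, length):
    # SHA-256 in counter mode, demonstration only: unauthenticated, so a real
    # deployment would use an AEAD such as AES-GCM instead.
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def seal(registry, token, plaintext):
    """Encrypt a document body under its beacon key (done once, server side)."""
    nonce = secrets.token_bytes(16)
    ks = _keystream(registry._doc_key(token), nonce, len(plaintext))
    return nonce + bytes(a ^ b for a, b in zip(plaintext, ks))


def open_document(registry, token, principal, source, sealed):
    """Viewer side: phone home first; without the key the blob stays opaque."""
    key = registry.phone_home(token, principal, source)
    if key is None:
        return None
    nonce, body = sealed[:16], sealed[16:]
    return bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body))))


def demo():
    """Constructed scenario: one real file, one decoy, three open attempts."""
    reg = HoneyRegistry(b"constructed-server-secret")
    real = reg.seed("Q4-budget.docx", is_decoy=False, authorized={"alice"})
    decoy = reg.seed("Q4-budget-FINAL.docx", is_decoy=True, authorized={"alice"})
    blob = seal(reg, real, b"real budget figures")
    results = {
        # alice reads the real file from the office network: allowed, no alert
        "real_by_alice": open_document(reg, real, "alice", "10.0.0.5", blob),
        # alice double-clicks the decoy: logged at low severity, not a leak
        "decoy_by_alice": open_document(reg, decoy, "alice", "10.0.0.5",
                                        seal(reg, decoy, b"fake figures")),
        # an unknown party opens the real file from outside: key withheld
        "real_by_unknown": open_document(reg, real, "unknown", "203.0.113.7", blob),
    }
    return reg, results
```

The registry's `alerts` list after `demo()` holds one low-severity entry (alice on the decoy) and one high-severity entry (the unknown reader on the real file), which is the triage split the article's false-positive objection asks for. The scheme still has the limits the post names: an authorized reader who has obtained the plaintext can copy it out of band, and nothing here stops that.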
Someone edited Star Trek IV, removing the whales and replacing them with giant squid.
Why does anyone think this is a good idea?
The police in Montgomery County – an area north of Houston, Texas – are the first local police in the United States to deploy a drone that can carry weapons.
I'm sure it works much better in the movies than it does in real life.
From the Journal of Strategic Studies: "Cyber War Will Not Take Place":
Abstract: For almost two decades, experts and defense establishments the world over have been predicting that cyber war is coming. But is it? This article argues in three steps that cyber war has never happened in the past, that cyber war does not take place in the present, and that it is unlikely that cyber war will occur in the future. It first outlines what would constitute cyber war: a potentially lethal, instrumental, and political act of force conducted through malicious code. The second part shows what cyber war is not, case-by-case. Not one single cyber offense on record constitutes an act of war on its own. The final part offers a more nuanced terminology to come to terms with cyber attacks. All politically motivated cyber attacks are merely sophisticated versions of three activities that are as old as warfare itself: sabotage, espionage, and subversion.
Here's another article: "The Non-Existent 'Cyber War' Is Nothing More Than A Push For More Government Control."
EDITED TO ADD (11/4): A reader complained to the publication, and they removed the paywall from the first article.
Interesting research on how parents help their children lie about their age to get onto Facebook.
One reaction to our data might be that companies should not be allowed to restrict access to children on their sites. Unfortunately, getting the parental permission required by COPPA is technologically difficult, financially costly, and ethically problematic. Sites that target children take on this challenge, but often by excluding children whose parents lack resources to pay for the service, those who lack credit cards, and those who refuse to provide extra data about their children in order to offer permission. The situation is even more complicated for children who are in abusive households, have absentee parents, or regularly experience shifts in guardianship. General-purpose sites, including communication platforms like Gmail and Skype and social media services like Facebook and Twitter, generally prefer to avoid the social, technical, economic, and free speech complications involved.
I note that the three "industry leaders" speaking at the DARPA Cyber Colloquium next week have about 75 years of government experience between them.
Powered by Movable Type. Photo at top by Per Ervland.
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.