Friday Squid Blogging: Squid Season

It's squid season off the coast of Southern California.

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

Posted on December 16, 2011 at 4:24 PM • 22 Comments

Comments

JKoellnerDecember 16, 2011 4:51 PM

http://www.giantbomb.com/news/...

Interesting Q&A session regarding Microsoft XBox 360 account security. Yet another reminder to be careful with your passwords. Particularly interesting was the idea of attackers posing as violated customers for the purpose of learning and becoming more efficient with future attacks.

N28BuhmXcL18December 17, 2011 6:34 AM

I read the article on self-defense referenced in this month's Crypto-Gram:

http://www.samharris.org/blog/item/...

And I was surprised that a particular part of it drew no mention:

"Similarly, many home invasions begin with a criminal’s acting like a person in distress: A woman or a teenager might come to your door reporting an accident or some other emergency. Again, the safe move is to keep your door locked and call the police."

While this is obviously true in any given instance, it seems to me more likely that someone asking for help does, in fact, need help. Moreover, since we ourselves are likely to need the help of a stranger at some point in our lives, it seems like the safety of the entire society -- and consequently our own safety -- is best forwarded by encouraging people to help each other out, rather than to assume that a strangers asking for help are actually predators.

Bruce has written about similar subjects before, including how the advice we give to children of "don't talk to strangers" is dead wrong. On the other hand, he's also written about the asymmetry in asking for help v. being asked for help. But still: the advice that you should lock your door when someone comes begging for help strikes me as ultimately more harmful than helpful to the society at large.

Maybe the new book will shed more light on this topic....

NobodySpecialDecember 17, 2011 10:35 AM

@N28BuhmXcL18 - risk assesment = depends where you live.
If I lived in Detroit or Chicago I might lock the door. Here in rural Canada a stranger knocking on your door holding a chain saw or an axe is actual a neighbour needing help!

One neighbour walking home from the local hardware store with a 3ft long felling axe was immediately offered a ride by a complete stranger who wanted to know where he had got the axe.

MikeADecember 17, 2011 1:47 PM

Helping strangers, and the way we become hardened to those in need, is nicely illuminated in
"say what" (cut 13 on the website) from
"Striking Twelve":

http://www.groovelily.com/musicals/striking-12/

(about 2:10 in that track, but seriously, listen to the whole song, or the whole show, or buy the CD, or go see it. Not a participant, but a big fan)

Clive RobinsonDecember 18, 2011 2:49 AM

OFF Topic:

Hmm as an earlier attempt to post failed so I'm splitting the post into parts...

Part 1,

First an interesting little snipit on Reuters about Samsung and Apple (who are locking horns in court over smart phones etc). Apparently Samsung are making the chips for Apples iPad 2 and iPhone 4S in Austin Texas.

http://uk.reuters.com/article/2011/12/16/...

I wonder what was behind the idea to build the new $9Billion "logic chip" (as opposed to "memory chip") FAB in Austin, the reasons given in the Reuters artical sound more PR than Hard Business.

It is of note that Apple are still (currently) using their Chinese sub-contractor for manufacturing the actual finished items, but the question now arises for how much longer... It is no secret that various Apple prooducts are being used by frontline US troops, and there is even a co-ordinated effoort to harness the work done by US soldiers into a "Mil-store" of apps. Thus having more of the silicon made within US boarders may be the start of a series of changes, to reflect US military and political thinking about the security of COTS and other electronic items used in products in MIL use.

Another topical question that keeps comming up currently due to the "Euro Crisis" is, "Why did it all go wrong and the banking crisis start this world of hurt we currently find ourselves going through?".

The initial argument was "Derivatives", but people not unreasonably want to know why in a more meaningfull way. The usual argument is lack of transparancy and regulation of the banking industry. But although we now know that most of the banks that collapsed did so because they were involved with financial contracts where the complexity was so high it was not possible for the banks themselves let alone other see what was going wrong, the quesstion of "Why did they do it?" still remains. Was it "poor impulse control", "poor risk managment" or potentialy "to much transparency to investors"?

Well over on the Financial Cryptography blog, a suggestion has been made that complexity is the modern way banks lie to us so they can make money. That is, without that smoke and mirrors there is to much transparency to investors, and because of this the banks would not be able to create sufficient margin. And the consiquence of that is banks would not be able to exist in the way we had come to expected banks to be,

https://financialcryptography.com/mt/archives/001350.html

A similar theme but from a different viewpoint is presented over on Gunnar Peterson's 1 Raindrop blog,

http://1raindrop.typepad.com/1_raindrop/2011/12/...

Something I missed earlier in the year but is well worth a look through is a series of articles focusing on targeted threats. Published by SearchSecurity and TechTarget in their July-August 2011 edition (Warning it's a PDF)

http://docs.media.bitpipe.com/io_24x/io_24618/...

My attention was drawn to the articles via one of the authors -- Richard Bejtlich's Tao of Security -- blog.

Speaking of targeted attacks, back to the "techie" in depth side of attack vectors on banks and associated financial organisations. I don't know if anybody has looked into this "Persistent XSS on Steroids" proof of concept code but it's almost certainly now coming to you or one of your loved ones in a new form real soon,

http://qnrq.se/...

It's written by Niklas Femerstrand who a month or so ago discovered an interesting little problem in Amex's code that had some customer security issues.

Niklas's story of how he tried to report it is a prime example of people "just not getting it",

http://qnrq.se/full-disclosure-american-express/

Clive RobinsonDecember 18, 2011 3:37 AM

OFF Topic:

Part 2.

However it's not just Amex having ITsec probs, Visa and the Romanian Banks Association have reported notifications of a possible database security breach at a European processor. Details are being kept quite currently but... you can read more at,

http://www.scmagazineuk.com/...

Naturaly one of the questions some people will ask is "Were insiders involved?". Normally we don't get to hear much if anythingg at all about insider theft of customer details etc. But over on his blog Brian Krebs has an interesting couple of posts on the subject.

The first post is on street criminal gangs in NYC using insiders for ID theft,

http://m.krebsonsecurity.com/2011/12/...

The second coincidentaly is in Romania again, where the Romanian authorities have arrested a Ukranian General and a couple of others,

http://m.krebsonsecurity.com/2011/12/...

But when you get down to it the real issue underlying all of this is access to databases and the information we put in them and why. Some of the reasons are frankly ludicrous and have the side effect of turning a database with low value to the creators (and thus often low security) into a very high value target (thus a significant security risk) for those with less than honest intentions.

Ross J. Anderson over at Cambridge labs has an example of this,

http://www.lightbluetouchpaper.org/2011/12/14/...

Unfortunatly it appears that in most cases the wrong problem (ie access) is being addressed and at best woefully inadequately. It looks simple on paper, deny access and the problem does not exist, but that is not the case in practice because autherised access is still required. Firstly is the question of "insider attacks" be they deliberate or by social engineering. But secondly it is becomming more and more obvious that outsiders will get arround any and all access controls with a little lateral thinking and persistence. Often this is by getting malware onto an authorised users client machine, thus bypassing the autherisation controls. As we know from bitter experiance all current commodity operating systems are vulnerable and non commodity OS's although more secure generaly have other issues resulting in increased costs. But even with secure OS's the problem has moved up into the intermediate application layer. The use of web browsers for "clients" means that the web browser needs to be as secure as the underlying OS, currently no commodity browser is even close.So other methods have to be considered based on the assumption that unautherised access will be made.

In part the solution is the removal of non essential data from data bases it's simple, it's effective but unfortunatly it has "business isssues" that often prevents it's use. Also in part for the data that remains, is some effective form of anonymisation to help reduce the impact of any such loss. This is because the current thinking of "encrypt the database" only works for "data at rest" not when it's in use which is where attackers are focusing, simply because it's where the data is effectively decrypted. But as we are finding out the hard way anonymising data effectivly, is at best difficult if not actually impossible with many data sets.

Unfortunatly in the UK the Government has anounced it is just going to make everybodies health records available to the "chosen few" companies supposadly for "research reasons" but in reality to bring cash into the Treasury (but no doubt certain MP's and Tory Party funds and senior civil servants will benifit as well). In order to "placate the masses" we are being assured the data will be "anonymous". But we know from previous experiance it's a "big fail" in that even relativly minor analysis against other databases starts striping of the anonymization.

Ross J. Anderson gave a presentation on the problems with health and other DBs containing significant personal and highly confidential data at a new conferance,

http://www.lightbluetouchpaper.org/2011/12/05/...

It's certainly one to keep an eye on.

Clive RobinsonDecember 18, 2011 3:42 AM

OFF Topic:

Part 3.

I know that SOPA is of concern to quite a few people in the US and it should --due to other inept laws-- also be of concern to people in the UK and Europe. The following article should be of some interest because it raises further doubts about SOPA and how it will work,

https://freedom-to-tinker.com/blog/wseltzer/stopping-sopas-anticircumvention

And Finaly this weeks "shutting of the stable door" award must go to the "Certification Authority/Browser Forum" for their ideas on how to fix SSL in browsers. They have come up with a list of "requirments" that browser software development organisations should follow,

http://www.cabforum.org/...

As they have no way of getting the software houses to follow it and users have no way of checking it and the well over 600 CA's can say what they want dodgy root certs are not realy going to be effected by it...

AnonDecember 18, 2011 8:50 AM

I recently learned that Firefox add-ons include not just Javascript, which is inherently unsafe, but in rare cases can also include object code. This is the case with Firesheep, which you have to manually install. I wonder how many add-ons have made it into the official add-on download page from Mozilla.

TDecember 18, 2011 10:47 AM

@Daniel

Yep, it's complete and utter bullshit. That article makes a number of assumptions about the underlying physiological and psychological nature of the human you are dealing with. (To say nothing of their training!)

Someone on the autistic spectrum will trip a number of so-called "red" flags, even when the person involved is incapable of lying. Someone with deep seated psychological problems may trip none, and truly believe they are recalling the truth, even though they are obviously lying through their teeth.

In one case, I observed an individual who would present current events accurately, while various past events were recalled dramatically distorted. In this particular case, it appears that the individual may have had an underlying issue with memory corruption during short-term memory consolidation.

If you want to tell if someone is lying, note the facts over a period of time. Keep a record. Observe the inconsistencies. Nobody is entirely perfectly truthful all the time. It's a limitation of our underlying biochemistry and the nature of how our memories are stored. But, over time, you can get an idea of who's really messed up.

This idea that you can look at someone, and tell off the cuff whether they are telling the truth or lying, is very desirable to certain folks. Some of those folks have deep pockets. That's why you see so much snake oil out there. But even polygraphs are largely worthless. Real life is rarely so simple.

A blog readerDecember 18, 2011 3:00 PM

Apparently, iPhone software crash reports have been used in efforts to find techniques for "jailbreaking" iPhone handsets. At the same time, the article says that crash reports can alert Apple into fixing software bugs. (From what one understands, with iOS5, it is possible to specify whether "diagnostic information" is sent to Apple, but there is the question as to whether this setting includes software crash reports.)

For a while, there was an iPhone app that allowed users to add a photo and information to a driver's license template. The app was removed after Senator Bob Casey (D-Penn) and the Coalition for a Secure Driver's License expressed concerns about the app facilitating the production of fraudulent IDs. (Among other things, there was claim that "National security systems depend on the trustworthiness of driver’s licenses.")

Petréa MitchellDecember 18, 2011 11:07 PM

T:

"If you want to tell if someone is lying, note the facts over a period of time. Keep a record. Observe the inconsistencies. Nobody is entirely perfectly truthful all the time."

For that matter, memories change over time. Actually, they can change quite quickly, too. There's a lot of research on how easy it is to plant false memories.

kingsnakeDecember 20, 2011 9:39 AM

kashmarek: I long ago learned never put in electronic form that which you do not wish others to know.

Clive RobinsonDecember 21, 2011 3:57 PM

@ Kingsnake,

"I long ago learned never put in electronic form that which you do not wish others to know."

It's a bit more awkward than that, sometimes you are required (by a judge etc) to reveal information, and thhese days all the talk is "electronic submission"...

This is needlessly dangerous for a number of reasons both legal and pragmatic, which is why I always advise,

"Paper, Paper, never data"

That is submit a paper copy and put a big red stamp across it that says "Copyright, under no circumstances may this document be copied or transmited in any form without prior written authorisation from the copyright holder." with a hand written issue and serial number on each page.

Aside from making the copyright of the document blatently obvious it serves two purposes,

Firstly it means they only get what you haves seen, as many document storage formats contain hidden meta-data that can be unknown to you.

Secondly and perhaps more importantly why should you make the compeling parties job any easier by giving them the ability to put the doccuments into a DB which they can then search easily or perform statistical analysis on.

Thus it goes without saying that any paper documents you submit should be in as an unfriendly to OCR font/format as possible. Which is also printed from a large single image file per page, which has been put through Ross Anderson's program for distorting images to break up hidden watermarks.

If the judge or who ever does not like it and insists on electronic format then scan the paper document into a brand new never used before computer and save each page as an image (preferably in an obscure format) with the copyright included and charge a fee for doing so.

The basic rule of thumb is to deny your adversary any advantage they might seek to gain at your expense.

One problem people are starting to see in US Courts is "Electronic Discovery" whereby an adversary seeks to effectivly bankrupt the opposition by making them pay for steadily more difficult to do presentation of documentation whilst also trying to get more information than is actually required.

The solution to this is as noted don't keep information in electronic format, and if it starts that way get into.

meDecember 25, 2011 6:17 PM

When you guys get off topic, you don't play around do you? ;)

Re: squid boats

Does not look like a good week for the squids :(

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..