Schneier on Security: Blog: 2012 Archives

Blog: 2012 Archives

Terms of Service as a Security Threat

After the Instagram debacle, where it changed its terms of service to give itself greater rights over user photos and reversed itself after a user backlash, it’s worth thinking about the security threat stemming from terms of service in general.

As cloud computing becomes the norm, as Internet security becomes more feudal, these terms of service agreements define what our service providers can do, both with the data we post and with the information they gather about how we use their service. The agreements are very one-sided—most of the time, we’re not even paying customers of these providers—and can change without warning. And, of course, none of us ever read them.

Here’s one example. Prezi is a really cool presentation system. While you can run presentations locally, it’s basically cloud-based. Earlier this year, I was at a CISO Summit in Prague, and one of the roundtable discussions centered around services like Prezi. CISOs were worried that sensitive company information was leaking out of the company and being stored insecurely in the cloud. My guess is that they would have been much more worried if they read Prezi’s terms of use:

With respect to Public User Content, you hereby do and shall grant to Prezi (and its successors, assigns, and third party service providers) a worldwide, non-exclusive, perpetual, irrevocable, royalty-free, fully paid, sublicensable, and transferable license to use, reproduce, modify, create derivative works from, distribute, publicly display, publicly perform, and otherwise exploit the content on and in connection with the manufacture, sale, promotion, marketing and distribution of products sold on, or in association with, the Service, or for purposes of providing you with the Service and promoting the same, in any medium and by any means currently existing or yet to be devised.

With respect to Private User Content, you hereby do and shall grant to Prezi (and its successors, assigns, and third party service providers) a worldwide, non-exclusive, perpetual, irrevocable, royalty-free, fully paid, sublicensable, and transferable license to use, reproduce, modify, create derivative works from, distribute, publicly display, publicly perform, and otherwise exploit the content solely for purposes of providing you with the Service.

Those paragraphs sure sound like Prezi can do anything it wants, including start a competing business, with any presentation I post to its site. (Note that Prezi’s human readable—but not legally correct—terms of use document makes no mention of this.) Yes, I know Prezi doesn’t currently intend to do that, but things change, companies fail, assets get bought, and what matters in the end is what the agreement says.

I don’t mean to pick on Prezi; it’s just an example. How many other of these Trojan horses are hiding in commonly used cloud provider agreements: both from providers that companies decide to use as a matter of policy, and providers that company employees use in violation of policy, for reasons of convenience?

Tags: cloud computing, feudal security, terms of service

Posted on December 31, 2012 at 6:44 AM • 47 Comments

Friday Squid Blogging: William Gilly, Squid Researcher

Good article.

As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered.

Tags: squid

Posted on December 28, 2012 at 3:16 PM • 17 Comments

I Seem to Be a Verb

From “The Insider’s TSA Dictionary“:

Bruce Schneiered: (V, ints) When a passenger uses logic in order to confound and perplex an officer into submission. Ex: “A TSA officer took my Swiss army knife, but let my scissors go. I then asked him wouldn’t it be more dangerous if I were to make my scissors into two blades, or to go into the bathroom on the secure side and sharpen my grandmother’s walking stick with one of the scissor blades into a terror spear. Then after I pointed out that all of our bodies contain a lot more than 3.4 ounces of liquids, the TSA guy got all pissed and asked me if I wanted to fly today. I totally Schneirered [sic] his ass.”

Supposedly the site is by a former TSA employee. I have no idea if that’s true.

Tags: air travel, DHS, homeland security, TSA

Posted on December 28, 2012 at 12:34 PM • 19 Comments

Becoming a Police Informant in Exchange for a Lighter Sentence

Fascinating article.

Snitching has become so commonplace that in the past five years at least 48,895 federal convicts—one of every eight—had their prison sentences reduced in exchange for helping government investigators, a USA TODAY examination of hundreds of thousands of court cases found. The deals can chop a decade or more off of their sentences.

How often informants pay to acquire information from brokers such as Watkins is impossible to know, in part because judges routinely seal court records that could identify them. It almost certainly represents an extreme result of a system that puts strong pressure on defendants to cooperate. Still, Watkins’ case is at least the fourth such scheme to be uncovered in Atlanta alone over the past 20 years.

Those schemes are generally illegal because the people who buy information usually lie to federal agents about where they got it. They also show how staggeringly valuable good information has become— prices ran into tens of thousands of dollars, or up to $250,000 in one case, court records show.

There are all sorts of complexities and unintended consequences in this system. This is just a small part of it:

The risks are obvious. If the government rewards paid-for information, wealthy defendants could potentially buy early freedom. Because such a system further muddies the question of how informants—already widely viewed as untrustworthy —know what they claim to know, “individual cases can be undermined and the system itself is compromised,” U.S. Justice Department lawyers said in a 2010 court filing.

Plea bargaining is illegal in many countries precisely because of the perverse incentives it sets up. I talk about this more in Liars and Outliers.

Tags: courts, law enforcement, police, police informants

Posted on December 28, 2012 at 6:37 AM • 17 Comments

Breaking Hard-Disk Encryption

The newly announced ElcomSoft Forensic Disk Decryptor can decrypt BitLocker, PGP, and TrueCrypt. And it’s only $300. How does it work?

Elcomsoft Forensic Disk Decryptor acquires the necessary decryption keys by analyzing memory dumps and/or hibernation files obtained from the target PC. You’ll thus need to get a memory dump from a running PC (locked or unlocked) with encrypted volumes mounted, via a standard forensic product or via a FireWire attack. Alternatively, decryption keys can also be derived from hibernation files if a target PC is turned off.

This isn’t new. I wrote about AccessData doing the same thing in 2007:

Even so, none of this might actually matter. AccessData sells another program, Forensic Toolkit, that, among other things, scans a hard drive for every printable character string. It looks in documents, in the Registry, in e-mail, in swap files, in deleted space on the hard drive … everywhere. And it creates a dictionary from that, and feeds it into PRTK.

And PRTK breaks more than 50 percent of passwords from this dictionary alone.

It’s getting harder and harder to maintain good file security.

Tags: cryptanalysis, cryptography, encryption, full-disk encryption, PGP, side-channel attacks, TrueCrypt

Posted on December 27, 2012 at 1:02 PM • 56 Comments

Public Shaming as a Security Measure

In Liars and Outliers, I talk a lot about the more social forms of security. One of them is reputational. This post is about that squishy sociological security measure: public shaming as a way to punish bigotry (and, by extension, to reduce the incidence of bigotry).

It’s a pretty rambling post, first listing some of the public shaming sites, then trying to figure out whether they’re a good idea or not, and finally coming to the conclusion that shaming doesn’t do very much good and—in many cases—unjustly rewards the shamer.

I disagree with a lot of this. I do agree with:

I do think that shame has a role in the way we control our social norms. Shame is a powerful tool, and it’s something that we use to keep our own actions in check all the time. The source of that shame varies immensely. Maybe we are shamed before God, or our parents, or our boss.

But I disagree with the author’s insistence that “shame, ultimately, has to come from ourselves. We cannot be forced to feel shame.” While technically it’s true, operationally it’s not. Shame comes from others’ reactions to our actions. Yes, we feel it inside—but it originates from out lifelong inculcation into the norms of our social group. And throughout the history of our species, social groups have used shame to effectively punish those who violate social norms. No one wants a bad reputation.

It’s also true that we all have defenses against shame. One of them is to have an alternate social group for whom the shameful behavior is not shameful at all. Another is to simply not care what the group thinks. But none of this makes shame a less valuable tool of societal pressure.

Like all forms of security that society uses to control its members, shame is both useful and valuable. And I’m sure it is effective against bigotry. It might not be obvious how to deploy it effectively in the international and sometimes anonymous world of the Internet, but that’s another discussion entirely.

Tags: reputation, shame

Posted on December 27, 2012 at 6:21 AM • 32 Comments

Cryptography Engineering Available as an eBook

Finally, Cryptography Engineering is available as an ebook. Even better, it’s today’s deal of the day at O’Reilly: $27.50 (50% off) and no copy protection. (The discount won’t show until you add the book to your cart.)

Tags: books, Cryptography Engineering, DRM, ebooks

Posted on December 26, 2012 at 11:50 AM • 4 Comments

Hackers Use Backdoor to Break System

Industrial control system comes with a backdoor:

Although the system was password protected in general, the backdoor through the IP address apparently required no password and allowed direct access to the control system. “[Th]e published backdoor URL provided the same level of access to the company’s control system as the password-protected administrator login,” said the memo.

The security of this backdoor is secrecy. Of course, that never lasts:

Hackers broke into the industrial control system of a New Jersey air conditioning company earlier this year, using a backdoor vulnerability in the system, according to an FBI memo made public this week.

Tags: backdoors, hacking, ICS, SCADA

Posted on December 26, 2012 at 6:05 AM • 10 Comments

Peruvian Spider Species Creates Decoys

Clyclosa spiders create decoys to fool predators.

Tags: decoys, natural security

Posted on December 24, 2012 at 12:59 PM • 4 Comments

Phishing via Twitter

Interesting firsthand phishing story:

A few nights ago, I got a Twitter direct message (DM) from a friend saying that someone was saying nasty things about me, with a link. The link was a shortened (t.co) link, so it was hard to see exactly what it pointed to. I followed the link on my cell phone, and got to a website that certainly looked legit, and I was foolish enough to login. Pwnd. A few minutes later, my Twitter account was spewing tweetspam about the latest pseudo-scientific weight loss fad.

Tags: phishing, Twitter

Posted on December 24, 2012 at 6:31 AM • 25 Comments

← 2011 2013 →Calendar

Sidebar photo of Bruce Schneier by Joe MacInnis.