July 2012 Archives

Fake Irises Fool Scanners

We already know you can wear fake irises to fool a scanner into thinking you're not you, but this is the first fake iris you can use for impersonation: to fool a scanner into thinking you're someone else.

EDITED TO ADD (8/13): Paper and slides.

Also This:

Daugman says the vulnerability in question, which involves using an iterative process to relatively quickly reconstruct a workable iris image from an iris template, is a classic "hill-climbing" attack that is a known vulnerability for all biometrics."

Posted on July 31, 2012 at 11:11 AM18 Comments

Hacking Tool Disguised as a Power Strip

This is impressive:

The device has Bluetooth and Wi-Fi adapters, a cellular connection, dual Ethernet ports, and hacking and remote access tools that let security professionals test the network and call home to be remotely controlled via the cellular network. The device comes with easy-to-use scripts that cause it to boot up and then phone home for instructions.

A "text-to-bash" feature allows sending commands to the device using SMS messages. Power Pwn is preloaded with Debian 6, Metasploit, SET, Fast-Track, w3af, Kismet, Aircrack, SSLstrip, nmap, Hydra, dsniff, Scapy, Ettercap, Bluetooth/VoIP/IPv6 tools and. It really can function as a 120/240v AC outlet strip.

It was funded with DARPA money.

Posted on July 31, 2012 at 6:30 AM21 Comments

Fear-Mongering at TED

This TED talk trots out the usual fear-mongering that technology leads to terrorism. The facts are basically correct, but there are no counterbalancing facts, and the conclusions all one-sided. I'm not impressed with the speaker's crowdsourcing solution, either. Sure, crowdsourcing is a great tool for a lot of problems, but it's not the single thing that's going to protect us from technological crimes.

If I didn't know better, I would say it was a propaganda video.

Posted on July 30, 2012 at 12:40 PM32 Comments

Detroit Bomb Threats

There have been a few hoax bomb threats in Detroit recently (Windsor tunnel, US-Canada bridge, Tiger Stadium). The good news is that police learned; during the third one, they didn't close down the threatened location.

Posted on July 30, 2012 at 7:34 AM26 Comments

Criminals Using Commercial Spamflooding Services

Cybercriminals are using commercial spamflooding services to distract their victims during key moments of a cyberattack.

Clever, but in retrospect kind of obvious.

Posted on July 27, 2012 at 9:42 AM6 Comments

Police Sting Operation Yields No Mobile Phone Thefts

Police in Hastings, in the UK, outfitted mobile phones with tracking devices and left them in bars and restaurants, hoping to catch mobile phone thieves in the act. But no one stole them:

Nine premises were visited in total and officers were delighted that not one of the bait phones was 'stolen'. In fact, on nearly every occasion good hearted members of the public handed them to bar or security staff.

I'm not sure about the headline: "Operation Mobli deters mobile phone thieves in Hastings."

There are two things going on here. One, people are generally nice and will return property to its rightful owner. Two, it's hard for the average person to profit from a stolen cell phone. He already has a cell phone that's assigned to his phone number. He doesn't really know if he can sell a random phone, especially one assigned to the number of someone who had her phone stolen. Yes, professional phone thieves know what to do, but what's the odds that one of those is dining out in Hastings on a particular night?

Posted on July 26, 2012 at 6:55 AM44 Comments

Making Handcuff Keys with 3D Printers

Handcuffs pose a particular key management problem. Officers need to be able to unlock handcuffs locked by another officer, so they're all designed to be opened by a standard set of keys. This system only works if the bad guys can't get a copy of the key, and modern handcuff manufacturers go out of their way to make it hard for regular people to get copies of the key.

At the recent HOPE conference, someone made copies of these keys using a 3D printer:

In a workshop Friday at the Hackers On Planet Earth conference in New York, a German hacker and security consultant who goes by the name "Ray" demonstrated a looming problem for handcuff makers hoping to restrict the distribution of the keys that open their cuffs: With plastic copies he cheaply produced with a laser-cutter and a 3D printer, he was able to open handcuffs built by the German firm Bonowi and the English manufacturer Chubb, both of which attempt to control the distribution of their keys to keep them exclusively in the hands of authorized buyers such as law enforcement.

[...]

Unlike keys for more common handcuffs, which can be purchased (even in forms specifically designed to be concealable) from practically any survivalist or police surplus store, Bonowi's and Chubb's keys can't be acquired from commercial vendors. Ray says he bought a Chubb key from eBay, where he says they intermittently appear, and obtained the rarer Bonowi key through a source he declined to name. Then he precisely measured them with calipers and created CAD models, which he used to reproduce the keys en masse, both in plexiglass with a friend's standard laser cutter and in ABS plastic with a Repman 3D printer. Both types of tools can be found in hacker spaces around the U.S. and, in the case of 3D printers, thousands of consumers' homes.

EDITED TO ADD (7/29): Interesting comment.

EDITED TO ADD (8/13): Comment from the presenter.

Posted on July 25, 2012 at 6:42 AM51 Comments

Implicit Passwords

This is a really interesting research paper (article here) on implicit passwords: something your unconscious mind remembers but your conscious mind doesn't know. The Slashdot post is a nice summary:

A cross-disciplinary team of US neuroscientists and cryptographers have developed a password/passkey system that removes the weakest link in any security system: the human user. It's ingenious: The system still requires that you enter a password, but at no point do you actually remember the password, meaning it can't be written down and it can't be obtained via coercion or torture -- i.e. rubber-hose cryptanalysis. The system, devised by Hristo Bojinov of Stanford University and friends from Northwestern and SRI, relies on implicit learning, a process by which you absorb new information -- but you're completely unaware that you've actually learned anything; a bit like learning to ride a bike. The process of learning the password (or cryptographic key) involves the use of a specially crafted computer game that, funnily enough, resembles Guitar Hero. Their experimental results suggest that, after a 45 minute learning session, the 30-letter password is firmly implanted in your subconscious brain. Authentication requires that you play a round of the game -- but this time, your 30-letter sequence is interspersed with other random 30-letter sequences. To pass authentication, you must reliably perform better on your sequence. Even after two weeks, it seems you are still able to recall this sequence.

The system isn't very realistic -- people aren't going to spend 45 minutes learning their passwords and a few minutes authenticating themselves -- but I really like the direction this research is going.

Posted on July 24, 2012 at 6:28 AM59 Comments

How the Norwegians Reacted to Terrorism

An antidote to the American cycle of threat, fear, and overspending in response to terrorism is this, about Norway on the first anniversary of its terrorist massacre:

And at the political level, the Prime Minister Jens Stoltenberg pledged to do everything to ensure the country's core values were not undermined.

"The Norwegian response to violence is more democracy, more openness and greater political participation," he said.

A year later it seems the prime minister has kept his word.

There have been no changes to the law to increase the powers of the police and security services, terrorism legislation remains the same and there have been no special provisions made for the trial of suspected terrorists.

On the streets of Oslo, CCTV cameras are still a comparatively rare sight and the police can only carry weapons after getting special permission.

Even the gate leading to the parliament building in the heart of Oslo remains open and unguarded.

Posted on July 23, 2012 at 6:15 AM99 Comments

Camera-Transparent Plastic

I just wrote about the coming age of invisible surveillance. Here's another step along that process.

The material is black in color and cannot be seen through with the naked eye. However, if you point a black and white camera at a sheet of Black-Ops Plastic, it becomes transparent allowing the camera to record whatever is on the other side.

What this means is you can hide a camera inside an object made of this special plastic and no one will know it is there. But the camera is free to record without having its view blocked.

The article doesn't talk about the technology.

Posted on July 19, 2012 at 6:46 AM29 Comments

Chinese Airline Rewards Crew for Resisting Hijackers

Normally, companies instruct their employees not to resist. But Hainan Airlines did the opposite:

Two safety officers and the chief purser got cash and property worth 4m yuan ($628,500; £406,200) each. The rest got assets worth 2.5m yuan each.

That's a lot of money, especially in China. I'm sure it will influence future decisions by crew, and even passengers, about resisting terrorist attacks.

Posted on July 18, 2012 at 9:27 AM27 Comments

Remote Scanning Technology

I don't know if this is real or fantasy:

Within the next year or two, the U.S. Department of Homeland Security will instantly know everything about your body, clothes, and luggage with a new laser-based molecular scanner fired from 164 feet (50 meters) away. From traces of drugs or gun powder on your clothes to what you had for breakfast to the adrenaline level in your body -- agents will be able to get any information they want without even touching you.

The meta-point is less about this particular technology, and more about the arc of technological advancements in general. All sorts of remote surveillance technologies -- facial recognition, remote fingerprint recognition, RFID/Bluetooth/cell phone tracking, license plate tracking -- are becoming possible, cheaper, smaller, more reliable, etc. It's wholesale surveillance, something I wrote about back in 2004.

We're at a unique time in the history of surveillance: the cameras are everywhere, and we can still see them. Fifteen years ago, they weren't everywhere. Fifteen years from now, they'll be so small we won't be able to see them. Similarly, all the debates we've had about national ID cards will become moot as soon as these surveillance technologies are able to recognize us without us even knowing it.

EDITED TO ADD (8/13): Related papers, and a video.

Posted on July 16, 2012 at 1:59 PM90 Comments

Friday Squid Blogging: Barbecued Squid -- New Summer Favorite

In the UK, barbecued squid is in:

Sales of squid have tripled in recent months due to the growing popularity of Mediterranean food and the rise of the Dukan diet, as calamari looks set to become the barbecue hit of the summer.

Posted on July 13, 2012 at 4:53 PM49 Comments

Hacking BMW's Remote Keyless Entry System

It turns out to be surprisingly easy:

The owner, who posted the video at 1addicts.com, suspects the thieves broke the glass to access the BMW's on-board diagnostics port (OBD) in the footwell of the car, then used a special device to obtain the car's unique key fob digital ID and reprogram a blank key fob to start the car. It took less than 3 minutes to accomplish the feat. (That said, despite their sophistication, the thieves were, comically, unable to thwart the surveillance cameras, though they tried.)

[...]

Jalopnik reports that BMW thieves are likely exploiting a gap in the car's internal ultrasonic sensor system to avoid tripping its alarm when they access the car.

But there's another security flaw in play. The OBD system doesn't require a password to access it and program a key fob. According to Jalopnik, this is a requirement in Europe so that non-franchised mechanics and garages can read the car's digital diagnostic data.

More details here.

Posted on July 13, 2012 at 6:51 AM30 Comments

All-or-Nothing Access Control for Mobile Phones

This paper looks at access control for mobile phones. Basically, it's all or nothing: either you have a password that protects everything, or you have no password and protect nothing. The authors argue that there should be more user choice: some applications should be available immediately without a password, and the rest should require a password. This makes a lot of sense to me. Also, if only important applications required a password, people would be more likely to choose strong passwords.

Abstract: Most mobile phones and tablets support only two access control device states: locked and unlocked. We investigated how well allornothing device access control meets the need of users by interviewing 20 participants who had both a smartphone and tablet. We find all-or-nothing device access control to be a remarkably poor fit with users' preferences. On both phones and tablets, participants wanted roughly half their applications to be available even when their device was locked and half protected by authentication. We also solicited participants' interest in new access control mechanisms designed specifically to facilitate device sharing. Fourteen participants out of 20 preferred these controls to existing security locks alone. Finally, we gauged participants' interest in using face and voice biometrics to authenticate to their mobile phone and tablets; participants were surprisingly receptive to biometrics, given that they were also aware of security and reliability limitations.

Posted on July 12, 2012 at 12:59 PM30 Comments

Dropped USB Sticks in Parking Lot as Actual Attack Vector

For years, it's been a clever trick to drop USB sticks in parking lots of unsuspecting businesses, and track how many people plug them into computers. I have long argued that the problem isn't that people are plugging the sticks in, but that the computers trust them enough to run software off of them.

This is the first time I've heard of criminals trying this trick.

Posted on July 12, 2012 at 9:47 AM31 Comments

Petition the U.S. Government to Force the TSA to Follow the Law

This is important:

In July 2011, a federal appeals court ruled that the Transportation Security Administration had to conduct a notice-and-comment rulemaking on its policy of using "Advanced Imaging Technology" for primary screening at airports. TSA was supposed to publish the policy in the Federal Register, take comments from the public, and justify its policy based on public input. The court told TSA to do all this "promptly." A year later, TSA has not even started that public process. Defying the court, the TSA has not satisfied public concerns about privacy, about costs and delays, security weaknesses, and the potential health effects of these machines. If the government is going to "body-scan" Americans at U.S. airports, President Obama should force the TSA to begin the public process the court ordered.

The petition needed 150 signatures to go "public" on Whitehouse.gov (currently at 296), and needs 25,000 to require a response from the administration. You have to register before you can sign, but it's a painless procedure. Basically, they're checking that you have a valid e-mail address.

Everyone should sign it.

Posted on July 11, 2012 at 12:39 PM79 Comments

Attacking Fences

From an article on the cocaine trade between Mexico and the U.S.:

"They erect this fence," he said, "only to go out there a few days later and discover that these guys have a catapult, and they're flinging hundred-pound bales of marijuana over to the other side." He paused and looked at me for a second. "A catapult," he repeated. "We've got the best fence money can buy, and they counter us with a 2,500-year-old technology."

Posted on July 10, 2012 at 4:33 AM65 Comments

Sensible Comments about Terrorism

Two, at least:

Is this a new trend in common sense?

In case you forgot, here's a comprehensive list of ridiculous predictions about terrorist attacks (and an essay).

And here's the best data on U.S. terrorism deaths since 9/11.

Posted on July 9, 2012 at 12:36 PM41 Comments

Students Hack DHS Drone

A team at the University of Texas successfully spoofed the GPS and took control of a DHS drone, for about $1,000 in off-the-shelf parts. Does anyone think that the bad guys won't be able to do this?

EDITED TO ADD (7/9): It wasn't a DHS drone. It was a drone owned by the university.

Posted on July 9, 2012 at 6:02 AM25 Comments

Friday Squid Blogging: Dissecting a Squid

This was suprisingly interesting.

When a body is mysterious, you cut it open. You peel back the skin and take stock of its guts. It is the science of an arrow, the epistemology of a list. There and here and look: You tick off organs, muscles, bones. Its belly becomes fact. It glows like fluorescent lights. The air turns aseptic and your eyes, you hope, are new.

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

Posted on July 6, 2012 at 4:58 PM117 Comments

So You Want to Be a Security Expert

I regularly receive e-mail from people who want advice on how to learn more about computer security, either as a course of study in college or as an IT person considering it as a career choice.

First, know that there are many subspecialties in computer security. You can be an expert in keeping systems from being hacked, or in creating unhackable software. You can be an expert in finding security problems in software, or in networks. You can be an expert in viruses, or policies, or cryptography. There are many, many opportunities for many different skill sets. You don't have to be a coder to be a security expert.

In general, though, I have three pieces of advice to anyone who wants to learn computer security.

  • Study. Studying can take many forms. It can be classwork, either at universities or at training conferences like SANS and Offensive Security. (These are good self-starter resources.) It can be reading; there are a lot of excellent books out there -- and blogs -- that teach different aspects of computer security out there. Don't limit yourself to computer science, either. You can learn a lot by studying other areas of security, and soft sciences like economics, psychology, and sociology.
  • Do. Computer security is fundamentally a practitioner's art, and that requires practice. This means using what you've learned to configure security systems, design new security systems, and -- yes -- break existing security systems. This is why many courses have strong hands-on components; you won't learn much without it.
  • Show. It doesn't matter what you know or what you can do if you can't demonstrate it to someone who might want to hire you. This doesn't just mean sounding good in an interview. It means sounding good on mailing lists and in blog comments. You can show your expertise by making podcasts and writing your own blog. You can teach seminars at your local user group meetings. You can write papers for conferences, or books.

I am a fan of security certifications, which can often demonstrate all of these things to a potential employer quickly and easily.

I've really said nothing here that isn't also true for a gazillion other areas of study, but security also requires a particular mindset -- one I consider essential for success in this field. I'm not sure it can be taught, but it certainly can be encouraged. "This kind of thinking is not natural for most people. It's not natural for engineers. Good engineering involves thinking about how things can be made to work; the security mindset involves thinking about how things can be made to fail. It involves thinking like an attacker, an adversary or a criminal. You don't have to exploit the vulnerabilities you find, but if you don't see the world that way, you'll never notice most security problems." This is especially true if you want to design security systems and not just implement them. Remember Schneier's Law: "Any person can invent a security system so clever that she or he can't think of how to break it." The only way your designs are going to be trusted is if you've made a name for yourself breaking other people's designs.

One final word about cryptography. Modern cryptography is particularly hard to learn. In addition to everything above, it requires graduate-level knowledge in mathematics. And, as in computer security in general, your prowess is demonstrated by what you can break. The field has progressed a lot since I wrote this guide and self-study cryptanalysis course a dozen years ago, but they're not bad places to start.

This essay originally appeared on "Krebs on Security," the second in a series of answers to the question. This is the first. There will be more.

Posted on July 5, 2012 at 6:17 AM44 Comments

Commercial Espionage Virus

It's designed to steal blueprints and send them to China.

Note that although this is circumstantial evidence that the virus is from China, it is possible that the Chinese e-mail accounts that are collecting the blueprints are simply drops, and the controllers are elsewhere on the planet.

Posted on July 3, 2012 at 6:22 AM8 Comments

WEIS 2012

Last week I was at the Workshop on Economics and Information Security in Berlin. Excellent conference, as always. Ross Anderson liveblogged the event; see the comments for summaries of the talks.

On the second day, Ross and I debated -- well, discussed -- cybersecurity spending. At the first WEIS, he and I had a similar discussion: I argued that we weren't spending enough on cybersecurity, and he argued that we were spending too much. For this discussion, we reversed our positions.

Posted on July 2, 2012 at 6:20 AM11 Comments

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..