Friday Squid Blogging: Beached Firefly Squid

Pretty photo of firefly squid beached along a coast. I've written about firefly squid before.

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

Posted on September 21, 2012 at 4:30 PM • 30 Comments

Comments

NaoSeptember 22, 2012 2:40 AM

Hey Bruce, have you heard of the Liar Game? I think there's both an anime and a manga, but it's all about games that involve trust & deception and most rounds of the Liar Game play out just about like that crazy video of Split or Steal you showed us quite a while back.

kashmarekSeptember 22, 2012 7:59 AM

On that HotMail/OutLook password thing, doesn't it beg the question about a more insidious lower level problem at Microsoft. I mean, these things use Micorsoft PassPort, er, Live ID, don't they? How about their encryption system? What else may be impacted by this?

Nick PSeptember 22, 2012 11:37 AM

@ Bruce Schneier

A federal judge just ruled we have no constitutional right to secret ballots and struck down a local attempt to keep them so. If others follow, this will suck for voting, but might make the voting cryptosystems easier, eh? I'd rather have the safe voting, myself.

http://www.denverpost.com/breakingnews/...

I think they should find some good precedents and fight back in a higher court. Precedents, not the Constitution itself, are key to them winning on this one.

Clive RobinsonSeptember 22, 2012 2:24 PM

OFF Topic:

With further regard to passwords...

An article from The Atlantic on a possible fix,

http://www.theatlantic.com/technology/archive/...

The author does not appear to have thought the title of the article through (with regards "how to fix it"), as they run through several of the newer "bio-passwords" and then say,

Are any of these approaches a panacea? Nope. Not even close And as it stands, we've not yet nailed down how many of these ideas measure up quantitatively.

The real solution to "the main" problem with passwords, as I've indicated before, is not to have them sent down the wire or be stored in any way on a server. The "human rememberable" entropy is way too low to be of any use these days.

And as was noted the other day those who run public facing servers don't want to be wasting there performance on endless iterations of hashs etc. Nor do they want the liability of storing the passwords (not that they appear to realise it ;)

The current front runner to solve these problems is Stanfords "Secure Remote Password" (SRP) system,

http://srp.stanford.edu/

It's not perfect (nothing ever is) but it shifts the problem from the server end to the client end where it realy should be.

M.V.September 23, 2012 11:10 AM

@Clive
It's not perfect (nothing ever is) but it shifts the problem from the server end to the client end where it realy should be.

IMO it doesn't shift the problem to the client. It is still possible to perform a dictionary attack on a stolen (user,salt,verifier) database. And that has been quite common in recent times.

Actually i think that problem is unsolvable for any authentication system based only on a password.

Clive RobinsonSeptember 23, 2012 12:04 PM

@ M.V.,

IMO it doesn't shift the problem to the client. It i still possible to perform a dictionary attack on a stolen (user,salt,verifier) database

Whilst it is possible to do a dictionary attack (hence my comment about it not being perfect), the "verifier" is supposed to make it a whole lot harder than it would be otherwise.

To be honest I don"t know what the solution is to "low human entropy" when even supposed "high TRNG entropy" (think 1024bit PK certs) are getting busted in various ways (poor RNG use/design etc).

I definattly don't think these various "Bio-passwords" using various individuals charecteristics are any good be they direct biometrics such as face hand geometry or "muscle memory" / "monkey brain" systems such as the "guitar hero" interface etc.

SRP has the virtue of (supposadly) seperating out "low human entropy" from the network etc making sniffing / MITM worthless as in effect it's high entropy there (and in the verifier). Whilst SRP may not be the solution splitting out the low entropy is definatly a good idea, if we still require "something you know" to be a factor.

DanielSeptember 23, 2012 12:19 PM

I actually think that MS updating the tooltip on their password is a good thing. The real issue isn't the security of the password; the real issue is what we trust to the security of "the cloud."

When you sign into g-mail if you scroll to the bottom of the page you will see that google prints the IP from which you logged on to the account. When they first started doing this it annoyed me because I didn't like the fact Google was tracking me in that way. Then I realized that Google was doing it in any event and now they were being honest about it.

IMO the real problem is that people are simply too trusting when it comes to the web. I know that for a long time I was and habits die slowly. Rather than freaking out about password strength we should reevaluate what we trust to the web in the first place.

Tamara BensonSeptember 23, 2012 8:22 PM

Out of the Box INSECURITY with Tablet Setup procedures

Sorry if this was discussed elsewhere, I didn't find it.

I and a zillion others have a major problem with the Nexus 7 Tablet; I had the same problem with the IPAD.

The setup can't be escaped, but requires a connection to a wifi connection in order to be able to get to the settings on the tablets.

I have mac address filtering on the router, need the mac address to allow connection. The device isn't configured for security until you can access it, which you can't do until you put it on a network, naked.

I called Nexus support tonight and they insisted that there is NO solution: must put the device on an insecure network before I can get the mac address.

Look, that SN and the MAC address have to be linked in a database SOMEWHERE. They have to be.

Fabulously stupid problem to have in an age of security problems.

I've checked my router logs to see if it can tell me the mac address of the tablet trying to connect, but the logs are neanderthal compared to unix logs, and apparently only record dhcp connections from only KNOWN mac addresses already in the table. (Cisco E4200 works great, logs suck)

Got any suggestions for me on how to trigger some machine somewhere to accept the Nexus' attempt to connect to a wifi SSID and show me the mac address from some connect attempt logfile? I was wondering if my iphone might help, just not sure how yet.

Bottom line: I don't want to give up yet and connect the tablet to an insecure network, or disable my router security, just to determine the mac address. Not yet.

itgrrlSeptember 23, 2012 11:12 PM

@Tamara: I would disconnect your router's Internet connection, disconnect other devices, and then temporarily disable MAC filtering. Once you've got the MAC address, add it in to your filters, re-enable filtering, then reconnect your router to the Internet. Yes, it's a PiTA, but shouldn't take too long or be too onerous. We will have to continue to make such workarounds until vendors bake in a security mindset at all levels (i.e. forever). ;-)

AC2September 24, 2012 1:30 AM

@Tamara

You might as well turn off MAC filtering on the router permanently (assuming you control it). That feature doesn't offer any security benefit...

PSeptember 24, 2012 3:31 AM

@Tamara

Wouldn't wireless sniffing tools show you the MAC in ARP traffic? (Yet more proof that security tools are useful for defence and should not be restricted.)

M.V.September 24, 2012 7:54 AM

@Clive
Whilst it is possible to do a dictionary attack (hence my comment about it not being perfect), the "verifier" is supposed to make it a whole lot harder than it would be otherwise.

It is only one additional computation step compared to saltet hash to go from pw to v. Ok, it is a quite slow step (g^x in a prime based finite field), but something an accelerator may help a lot. Also i bet a dictionary based on the most used passwords is quite small.

Otherwise i agree that SRP should become the standard, it makes dictionary attacks on recorded login sessions virtually impossible.
Also it saves us from stupid WebAdmins storing unsaltet hashes or even plain text passwords.

I agree that "bio passwords" don't work. They don't scale, they can't be changed, etc etc.
Hey maybe surgeons should startoffer a password change service :-)

curtmackSeptember 24, 2012 10:33 AM

@M.V. In the US it's actually illegal to deliberately alter a part of your bio identity, especially fingerprints, since they're used for tracking criminals.

Also, the only way to destroy your fingers enough to render the prints a non-match is to cut off your fingers. Modern matching algorithms are really good at their job.

FigureitoutSeptember 24, 2012 1:27 PM

@curtmack

I think he was joking, but I'd be curious as to the specific legal code that makes it illegal to alter "bio identity" aka your body. This is similar to being a "criminal" for modifying your own property.

Sure you could cut off your fingers, but what about latex gloves? Maybe they're skin colored w/ nails painted on. :)

@Daniel
Rather than freaking out about password strength we should reevaluate what we trust to the web in the first place.

--Agreed, unless you have data automatically uploaded to the internet w/o your knowledge or consent (sadly I have a connection to one such way). The web will never attain its possibilities of spreading knowledge, trust, respect, etc. because of small-minded malice-filled people and blowback. If someone legitimately wants to reach out and help/connect with someone, we may instantly think "scam artist, get away". There will just be..silence and cold shoulders.

Tamara BensonSeptember 24, 2012 3:45 PM

@itgrrl
You solved my problem!
Thank you!

This Nexus 7 was a gift, and I didn't have time to figure out what would come with it. I am disappointed to see that it doesn't seem to have a terminal like app. Probably have to see what software is available for looking at the OS.
It looks and acts just like an IPAD. I'm hoping for more of a Linux experience once I find some utilities.

Thanks again!

Tamara BensonSeptember 24, 2012 3:47 PM

@AC2
Would you like to expand on that comment?
'Nothing is secure on the internet', but the mac filtering kept the new toy from connecting...

Tamara BensonSeptember 24, 2012 3:51 PM

@P
Yes, if I'd had tools ready to go last night, that would have helped. I'll get them.
Not sure which show mac addresses, ethereal/etherape/admsniff is old/tcpdump has so much info but don't recall seeing mac addresses.
Thanks! I will do my homework.

Steven HooberSeptember 24, 2012 6:55 PM

This was a little while ago, but I haven't seen ANY discussion of it outside of the city.

http://www.kansascity.com/2012/09/14/3815271/...

It is MUCH sillier than it even is reported. In very summary:

* Local well-known crazy man is informant on terrorists from 10 years ago, used to be in witness protection even, kept being too publicly crazy so that ended years ago.
* Goes into Fed building to ask FBI why he (believes he is?) under surveillance. They talk to him quite reasonably
* Apparently: At some point he says something like "do you think I have a bomb in my car?"
* Despite this being uttered to FBI agents, in the FBI counter terror office, and no one with a badge and gun panics, someone else (passer-by, admin?) calls the cops
* Local cops flip out, goes to bomb robot opening the trunk, being befuddled by tarp, etc.
* Local news also flips out, films breathlessly with helicopters, etc. Parts of downtown evacuated, etc.
* Feds take over air-space, for no apparent reason. E.g. news helicopter attempting to refuel is redirected to regional airport ATC (not airport 1 mile away) and then FBI guys decide if he can land or not.
* Meanwhile, other FBI guys are having a casual chat with the crazy man.
* So casual that when a reporter stops being in a tizzy, looks the guy up (based on non-obscured license plate) and calls his mobile phone, the guy answers and eventually indicates the FBI wants to talk to him more.
* This is reported, but ignored by everyone else, who seems happier to be in a total panic.
* No arrests are made. The cops put all the stuff back in the trunk after the robot finds no bombs, etc.

Total waste, for no good reason, and apparently all because of miscommunication, kneejerk reactions to worst-case CYA procedures, and total lack of coordination between agencies.

Reminds me of work every day.

Steven HooberSeptember 24, 2012 7:01 PM

@Tamara

On device setup. WiFi devices are cheap. I have a spare (e.g. actually unplugged when idle) I can theoretically (practically, I am too lazy mostly) set up to do things like ping devices in the area to get info, and not actually let them on the network.

When I bought a handset recently, I'll note the Verizon store had several WiFi networks. One was named something like VZ-SETUP. Only could be gotten to by the store staff with a password, and (I asked) used only for setup of devices, for much this reason I suspect. Not on the public WiFi with it's danger of arbitrary devices, not on the truly private WiFi with their own needs for internal security.

Interestingly, it does not appear in my WiFi history list now. Not sure how they did that, since I did not see the employee "forget" the network. Wonder if it's something systematic that the device OS overlay deliberately forgets the network for the same security reasons. I may be ascribing too much forethought to them, though.

Tamara BensonSeptember 24, 2012 7:53 PM

@Steve Hoober
My complaint Steve is that these expensive mobile tablets don't let me play with them, get to know them, before I am forced to put them on the internet. Live on the internet is not the default I'm looking for.

These things are powerful little computers and yet I can't find any evidence of a firewall or virus checker, or any logs to monitor.

It's instant gratification without a safety net.

Getting the Nexus setup done without it being on the internet (thanks to itgrrl!) at least gave me the time to set a password, decide whether to encrypt it and set a pw, and choose some other configurations, but the basic out of the box configuration doesn't let me check log files, do any kind of baseline of the system.
It could have come with malware for all I know. And the point is is that I don't know and without formatting it, I can't know.

Part of the setup is asking whether I have an existing google account--if you put all that info in for an existing account, where does it all go?

Teenagers blindly trust. I want some idea of what's going on. :)

FigureitoutSeptember 25, 2012 4:43 PM

@Steven Hoober
Thx for that, hilarious. I'm assuming your a LEO somewhere? I liked how the dog gave a false positive too and that trainer was like "Meh, cleaning materials, it's possible." Using falsehoods/false witnesses to violate people's space. Plus look how easy it is to cause chaos and waste! I guess a police state bordering on military state in an economic depression can be funny, hmm.....

@Tom
As much as I love to fling hate at politicians, I had a class once where we were turned into a legislature and had to come up w/ rules and pass legislation; just like you said people were excited and cooperative at the very beginning, and it all went downhill. Part of it was people couldn't take it seriously; so there's a bit of bias there. Nonetheless, it is extremely hard to convince a group of people to do something together, w/o various types of coercion.

@Doug
Speechless.

Clive RobinsonSeptember 26, 2012 4:49 AM

OFF Topic:

On the "you heard it first here" principle, Computer world has an article on Cyber-espionage on energy companies,

http://www.computerworld.com/s/article/9231596/...

It is based on information from SecureWorks on the Mirage Malware program that gets described as "very crafty" and is "designed to evade easy detection".

Whilst the atribution (all be it questionable) to the same or similar group who did the number on RSA a little while ago is of interest, the bit that interests me most is hidden further down,

All of its communications with its command and control servers are disguised to appear like the URL traffic pattern associated with Google searches

I had this idea a number of years ago and developed it into a way to actually having command and control channels that were compleate "one offs" per command that in effect could not be blocked, taken out or taken over as is now the current practice of dealing with bot type malware. Further that it would decouple the traffic flow such that "back tracing" would be very difficult.

And if you search back on this Blog you will see my ideas on how to implement the "control side" but that I also chose very deliberatly not to show how you could implement a similarly "decoupled" "back channel". The reason for that was for "espionage" and other forms of "for gain" cyber-attack the old "follow the money" rule would be broken which would otherwise leave a trail via the backchannel back to the spys / attackers.

It is interesting to note that the designers of other APT like cyber-espionage systems that have so far been found (such as flame) still use traditional style back channels with little or no "cut out" decoupling (ie use the same "dead letter drop box" over and over).

It gives rise to the question of "Why?", is it simply because such systems have not been found/ reported on or that the attackers currently either don't know how to, or don't currently need to go to such measures.

There is a (sort of) funny story about "letter drops" in essence they consist of two parts the public signaling system and the actual secret drop location. Aldrich Ames signalling system was to put a chalk mark on a post box in Washington when he had left a drop. His Russian handler on seeing a new chalk mark would go and pick up the drop. However such was the amount of drops and the fact that the chalk marks were not being removed made some locals joke the marks must be made by spies long before Aldrich was actualy suspected.

The story contains a lesson for would be spies in that you not only need to be careful about the selection of the secret drop location you also need to be just if not more so carefull with the choice and care of the public signaling system.

The problem is that with some signaling systems (think a certain popular drinks can thrown by a public refuse bin) they can have false triggers which is why you sometimes need to have a "keep alive" protocol around the secret drop site such that as the handler passes the site they will know if there is actually a drop or if the signal was a false positive or if the agent thinks that they might be being watched / suspect. That is the "keep alive" also acts like a "duress" code/key.

DavidSeptember 28, 2012 2:53 AM

http://www.guardian.co.uk/technology/2012/sep/27/...

Cory Doctorow reports
The UK banks are now outsourcing their fraud prevention to computers that can make dozens of calls all at once, around the clock, fishing (or phishing) for someone who just happened to have made an unusual purchase and is thus willing to spill all his details down the phone to get it approved.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..