Schneier on Security
A blog covering security and security technology.
November 9, 2012
Friday Squid Blogging: Squid Ink as a Condiment
Burger King introduces a black burger with ketchup that includes squid ink. Only in Japan, of course.
As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.
Posted on November 9, 2012 at 4:16 PM
Of course, squid ink has also been a traditional ingredient in Italian cuisine.
Also "Nero di seppia" is a typical Italian pasta (and rice) condiment. And... it's squid ink. Tastes marvellous.
Black rice and squid (made with squid ink) is a very common recipe here in Spain. We really don't have much in common with Japanese cuisine, but octopus, squid, clams, scallops and many other "shellfish" are delicacies in my country.
Squid ink is a self-defense mechanism used by squids to confuse light-aware predators. And we have them on video camera. That's why Bruce loves squids.
Fairy wrens use passwords to detect cuckoos. Unfortunately for the wren, this only works after the cuckoo chick has killed the wren's own progeny.
On a similar note, I was surprised at the early account of password cracking in Lord Dunsany's 1926 fantasy novel The Charwoman's Shadow. In an attempt to unlock a magical box, the hero recovers part of the command by social engineering, then continues searching by brute force.
This happened almost a month ago (though the update was pretty funny, props). It gets into the "security by obscurity" issue. Personally, if someone has to put considerable effort into figuring out how a particular system works, it is more secure (In My Opinion!). It depends on what type of security; in the case of algorithms I can see the other side. From a manufacturing/full configuration standpoint I'd much rather cover peeping eyes. Since we live in the "internet era", one may be wise as to who we give access to our creations.
These issues would be bad enough for any application, they seem quite damning for an antivirus. I have to wonder if the problems are specific to Sophos or reflect the entire state of the industry. We already knew that antiviruses were not terribly useful, we have to wonder if they make the attack surface larger than that of the naked OS.
"Personally, if someone has to put considerable effort into figuring out how a particular system works, it is more secure (In My Opinion!)"
There's a few people on this blog, myself included, that like obfuscation as an additional security measure. The value of the obfuscation depends on the implementation if it's a widely disseminated product. I think there's less value in obscurity here. Let me explain.
In the early days, software companies of all sorts made the exact same claim for their Windows software. They, along with IT mags, showed how much more difficult assembler was to understand & said it would make attackers jobs that much harder. That was the theory.
What they didn't understand was that attackers were usually assembler experts. They could piece together what code was doing quite well. Many potential attack spots are also pretty easy to spot, even with tools, because they involved manipulating a buffer or string. Their tools also let them step through the running program or pause it during critical moments to analyze its internal state. The end result of all of this was hundreds of vulnerabilities, virus and worms for those applications.
We already have an exemplar[y failure] from obfuscated "secure" talk: Skype. They're a very sneaky outfit, but passed review by a cryptographer. They then applied an insane amount of code obfuscation for their comms protocols. Some hackers (link below) peeled it all away like an onion, layer by layer, until they had captured the essence of the original. The end result was basic flaws in the crypto & remote code execution vulnerabilities. Using an open protocol like SSL/TLS with peer reviewed customization might have prevented some of these problems.
I think my best contribution came after when I noted that their model of skype behavior doesn't match the description in the independent review of its crypto. Either I made a mistake or Skype did a public review to increase trust, then secretly swapped the crypto out for something that allowed remote code execution. Then, they obfuscated it to make detection harder. See why I prefer open protocol implementation?
Weird, would like to try it though.
We already knew that antiviruses were not terribly useful, we have to wonder if they make the attack surface larger than that of the naked OS
Yes and no, it depends on how the user and OS supplier have set it up but as a general case I would assume it would increase the attack surface unless the user took some very specific measure.
I wonder how much of this stuff is true. If it is, McAfee made quite a transition in life since running one of big AV brands.
See why I prefer open proto imp?
The McAfee story's kind of weird... the "plugging" bit... yikes. Going off the freaky stories that make you go hmmm: http://www.telegraph.co.uk/news/worldnews/...
The picture speaks for itself, HOME-SEC I guess you could call it. I thought Nat. gas but still being investigated.
In another "those in glass houses should not throw rocks first" article, various TLAs speak out that as for cyber-defense the US (read all Western nations as well) have not yet put their toes on the start line, let alone started to move in the race.
Actually the article makes interesting reading from the technical side as well as the political, because it shows some of the things that need to happen to get an effective defence up and running.
One major point being speed of response to attack: currently systems detect an intrusion attempt and log it in some way, then at some later point a human looks at the log and then might pass it on... In the same time, if it is an attack, many more hosts will have been attacked, probably successfully. Thus ways of eliminating part of the human issue from the loop would be desirable simply because it makes the response time window shorter. However, with all automated systems you do have to watch for DoS attacks, be they designed or just a function of delays and complexity.
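The comment above describes shortening the detect-to-respond window by taking the human out of the loop while still guarding against the automation becoming its own denial of service. The following Python is an added illustration of that trade-off, not code from the article or from any commenter: it parses a handful of constructed sshd-style log lines, auto-blocks a source after a burst of failures, but refuses to block an assumed management range and caps the number of automatic blocks so that a flood of attacker-chosen source addresses escalates to a human instead of filling the firewall. The addresses, the allowlist range and the thresholds are all assumptions chosen for the example.

```python
"""Automated intrusion response with guards against self-inflicted DoS.

Added example. All log lines, addresses and thresholds below are constructed.
"""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Syslog-style sshd failure line (constructed format, not a real system's log).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: Failed password for (?P<user>\S+) "
    r"from (?P<src>\S+) port \d+ ssh2$"
)

# Assumed management network that must never be auto-blocked (an automated
# blocker that can lock out the operators is itself a DoS vector).
ALLOWLIST = [ipaddress.ip_network("10.0.0.0/8")]
THRESHOLD = 5                      # failures per source within WINDOW
WINDOW = timedelta(seconds=60)
MAX_ACTIVE_BLOCKS = 1              # tiny on purpose so the cap is visible below


def _fail(ts, user, src, port):
    """Build one constructed failure line."""
    return f"{ts} sshd[{port}]: Failed password for {user} from {src} port {port} ssh2"


# Constructed sample log: three bursts of five failures, plus one unrelated line.
SAMPLE_LOG = (
    [_fail(f"2012-11-09T16:00:{i:02d}", "root", "203.0.113.5", 40000 + i) for i in range(1, 6)]
    + [_fail(f"2012-11-09T16:00:{i:02d}", "root", "10.0.0.7", 50000 + i) for i in range(6, 11)]
    + [_fail(f"2012-11-09T16:00:{i:02d}", "admin", "198.51.100.9", 60000 + i) for i in range(11, 16)]
    + ["2012-11-09T16:00:16 sshd[70016]: Accepted publickey for alice from 10.0.0.3 port 50100 ssh2"]
)


def parse_line(line):
    """Return (timestamp, user, source address) or None for lines we ignore."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return datetime.fromisoformat(m["ts"]), m["user"], ipaddress.ip_address(m["src"])


def is_allowlisted(src):
    return any(src in net for net in ALLOWLIST)


def respond(lines, threshold=THRESHOLD, window=WINDOW, max_blocks=MAX_ACTIVE_BLOCKS):
    """Replay log lines and decide, per source, block / escalate / skip.

    Returns (blocked, escalated, skipped): sources blocked automatically,
    sources that crossed the threshold but were handed to a human because the
    block cap was reached, and allowlisted sources that were never blocked.
    """
    recent = defaultdict(deque)   # per-source sliding window of failure times
    blocked, escalated, skipped = [], [], []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, _user, src = parsed
        if src in blocked:
            continue                              # already handled
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:           # expire old failures
            q.popleft()
        if len(q) < threshold:
            continue
        if is_allowlisted(src):
            if src not in skipped:
                skipped.append(src)               # never lock out operators
        elif len(blocked) >= max_blocks:
            if src not in escalated:
                escalated.append(src)             # cap reached: human decides
        else:
            blocked.append(src)                   # automatic response
    return blocked, escalated, skipped


if __name__ == "__main__":
    b, e, s = respond(SAMPLE_LOG)
    print("blocked:", [str(a) for a in b])
    print("escalated:", [str(a) for a in e])
    print("allowlisted, skipped:", [str(a) for a in s])
```

The cap is what stops an attacker from turning the responder against its owner: a burst from spoofed or rented addresses can exhaust the automatic budget, but beyond that point the system degrades to the old log-and-wait mode rather than adding unbounded firewall rules.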
What do you do if a $3.5 Billion device doesn't work? If you're DHS you recommend spending another $3.1 Billion.....
Dr. Tara O'Toole, the department's undersecretary for science and technology, doubts that the so-called Generation 3 version of BioWatch could be relied on to detect anthrax, smallpox, plague or other deadly germs in the event of a biological attack, scientists familiar with the matter said.
O'Toole is also concerned that the cost of the upgrade — $3.1 billion for the initial five years — would divert money from measures she considers more beneficial, such as establishing computer links between hospitals, large HMOs and public health agencies to speed the distribution of medicine after an attack, the scientists said.
Her reservations notwithstanding, enthusiasm for Generation 3 has persisted within the Homeland Security Department. On March 29, the department's chief medical officer, Dr. Alexander Garza, told a House subcommittee that deploying Generation 3 would be "imperative to saving lives."
In New York, the prototypes repeatedly generated false readings, prompting officials there to demand their removal.
The tests in Utah and Washington found that the automated units could detect a pathogen only if exposed to concentrations far exceeding the levels that can sicken or kill.
"What do you do if a $3.5 Billion device doesn't work? If you're DHS you recommend spending another $3.1 Billion....."
It's ridiculous. Hard to be surprised at the amount of tax evasion & expatriation going on in US when looking at gov't waste numbers like that. INFOSEC wise, you'd be surprised how much security I could give SCADA, cross-domain, etc. for that much money. Our industry won't see it, though.
"The McAfee story's kind of weird"
So is the mysterious death of the founder of Webroot software. It's dated, but I suspect Mkultra'd. He showed all the signs for an intelligent person.
Devs cook up 'leakproof' all-Tor untrackable platform Whonix? You'll never find out, The Man
By John Leyden | 11.13.2012
"Developers are brewing an anonymous general purpose computing platform, dubbed Whonix.
Whonix is designed to ensure that applications (such as Flash, Java, etc.) can only connect through Tor. The design goal, at least, is that direct connections (leaks) ought to be impossible. "This is the only way we know of that can reliably protect your anonymity from client application vulnerabilities and IP/DNS and protocol leaks," the developers explain.
The main goal is to prevent the determination of users' IP address and location. Not even malware that has buried deep into machines can access IP address information. In this way, Whonix aims to be safer than Tor anonymity software alone.
Whonix can be used in conjunction with VPN technology - routing networks through isolated remote computer networks - for even greater security.
The technology is better described as a design approach or platform than as an operating system. In one example, the implementation of anonymity is provided around Tor on two virtual machines using VirtualBox and Debian GNU/Linux. Whonix can be installed on every computer capable of running VirtualBox (virtualisation software), so it supports Windows, OS X, Linux, BSD and Solaris. Running the technology on physically separate machines (a Whonix gateway and a Whonix workstation) would also work, and might provide greater security, say the devs.
The technology is currently only at an Alpha stage of early development, making it suitable for use only for the computing equivalent of test pilots.
In a post to a full disclosure mailing list last week, the main developer behind the project explains its goal and requests help from other members of the development community.
More details on the emerging computing platform can be found in a development Wiki here. The developers are pretty open about the tradeoff in using their technology (more complex set-up, potentially slower) as well as the anonymity advantages of their approach.
Paul Ducklin, head of technology in Asia Pacific for Sophos, said the approach followed by Whonix is different from the Live CDs associated with more traditional anonymity systems. This brings advantages as well as some drawbacks.
"Whonix is different from most existing 'all-in-one anonymity' systems inasmuch as the lead developer decided not to stick to the idea of a Live CD but to go with a set of virtual machines that don't need to fit on a CD or to boot from one," Ducklin explained.
"This allows much greater functionality and easier security updating."
The main disadvantage is that Whonix is more complex than comparable systems.
"The safety and security of your Whonix environment is dependent on the safety and security of your host OS, of the virtualisation software and of its configuration," Ducklin told El Reg. "The anonymity system then becomes, at worst, no more secure than the host itself. So you just took one problem (guest anonymity) and made it two problems (guest anonymity and host security).
"Whonix's size also makes its internal surface area larger than is strictly necessary. That in turn brings its own risks."
Ducklin added that there are many "tricks and traps of anonymity online", many covered by the Whonix developer. He added that users would be well advised to review these before placing their faith in Whonix (or any other approach) to shield their identity online."
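The quoted article's central claim is that the workstation side of Whonix has no route to the outside world except through the gateway, so an application-level leak (a plugin doing its own DNS lookup, a client opening a direct socket) has nowhere to go. The Python below is an added illustration of that policy, not Whonix's own code or configuration: a minimal packet-filter evaluator that runs a few constructed outbound flows through a default-allow "leaky" policy and through a gateway-only policy. The gateway address 10.152.152.10 and the proxy ports 9050 and 9040 are assumptions for the example; the specifics of a real deployment come from the project's documentation.

```python
"""Egress policy evaluator: default-allow versus gateway-only.

Added example, not Whonix's configuration. Addresses, ports and flows are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Assumed internal address of the gateway VM and the proxy ports it exposes.
GATEWAY = ipaddress.ip_network("10.152.152.10/32")
PROXY_PORTS = (9050, 9040)   # assumed SOCKS and transparent-proxy ports


@dataclass(frozen=True)
class Flow:
    """One outbound connection attempt as seen at the workstation's interface."""
    proto: str                     # "tcp" or "udp"
    dst: ipaddress.IPv4Address
    dport: int
    label: str                     # what the application was trying to do


@dataclass(frozen=True)
class Rule:
    """A stateless filter rule; None fields match anything."""
    action: str                    # "allow" or "drop"
    proto: Optional[str] = None
    dst: Optional[ipaddress.IPv4Network] = None
    dport: Optional[int] = None

    def matches(self, f: Flow) -> bool:
        return (
            (self.proto is None or self.proto == f.proto)
            and (self.dst is None or f.dst in self.dst)
            and (self.dport is None or self.dport == f.dport)
        )


def evaluate(rules, flow, default="allow"):
    """First-match evaluation, as a simple firewall would do."""
    for r in rules:
        if r.matches(flow):
            return r.action
    return default


# Weak setting: a stock OS with no egress filtering. Whatever an app does, leaves.
LEAKY_POLICY = []

# Gateway-only setting: the only thing the workstation may talk to is the
# gateway's proxy ports, over TCP. Everything else, including UDP/DNS, is dropped.
ISOLATED_POLICY = [
    Rule("allow", "tcp", GATEWAY, p) for p in PROXY_PORTS
] + [Rule("drop")]


# Constructed flows: a plugin doing its own DNS, a client opening a direct TCP
# connection, a raw UDP socket, and the intended path via the gateway's SOCKS port.
SAMPLE_FLOWS = [
    Flow("udp", ipaddress.ip_address("198.51.100.53"), 53, "plugin DNS lookup"),
    Flow("tcp", ipaddress.ip_address("198.51.100.80"), 443, "direct HTTPS"),
    Flow("udp", ipaddress.ip_address("198.51.100.99"), 12345, "raw UDP from applet"),
    Flow("tcp", ipaddress.ip_address("10.152.152.10"), 9050, "SOCKS via gateway"),
]


def leaks(rules, flows, default="allow"):
    """Return labels of flows the policy lets out that do NOT go to the gateway."""
    return [
        f.label for f in flows
        if evaluate(rules, f, default) == "allow" and f.dst not in GATEWAY
    ]


def allowed(rules, flows, default="allow"):
    """Return labels of all flows the policy permits."""
    return [f.label for f in flows if evaluate(rules, f, default) == "allow"]


if __name__ == "__main__":
    print("leaky policy lets out:", leaks(LEAKY_POLICY, SAMPLE_FLOWS))
    print("isolated policy lets out:", leaks(ISOLATED_POLICY, SAMPLE_FLOWS))
    print("isolated policy permits:", allowed(ISOLATED_POLICY, SAMPLE_FLOWS))
```

The point Ducklin makes still applies to this model: the rules are only as good as the thing enforcing them, so the host and the virtualisation layer that keep the workstation on the gateway-only network become part of the trusted base.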
The closed nature of Skype and the fact that it's impossible to know if the bad guys (or the cops and spooks) are listening in is why I don't have it installed on my PC.
The fact that it's not only closed but protected so heavily against cracking/reverse engineering, and therefore it's impossible to know how having Skype installed and running increases the attack surface, is even more reason not to use it.
The closed nature of Microsoft Windows and the fact that it's impossible to know if the bad guys (or the cops and spooks) are listening in is why I don't have it installed on my PC.
The fact that it's not only closed but protected so heavily against cracking/reverse engineering, and therefore it's impossible to know how having Microsoft Windows installed and running increases the attack surface, is even more reason not to use it.
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.