Schneier on Security
A blog covering security and security technology.
November 16, 2012
Friday Squid Blogging: Vampire Squid
Vampire squid eats marine wastes (paper and video).
As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.
Posted on November 16, 2012 at 4:30 PM
Apparently not much happened this week.
There was the incredibly stupid Skype password reset security flaw but they locked it up. They haven't actually fixed it yet, you're just no longer allowed to change your email address.
Not sure what to make of this one. http://abcnews.go.com/US/wireStory/...
Wearing a watch that contains "switches, wires and fuses," shoes that are too big, and a shirt with a built-in tourniquet will get you arrested. I agree it's odd, but is it a crime?
Dentist Jailed After Terrorist Material Found on Computer
"Manchester Evening News
November 16, 2012
A dentist has been jailed for two years for having a catalog of terrorist material on his computer.
Dr Umer Farooq, 34, was said to have an interest in manuals on explosives, guns, poisons and unarmed combat beyond that of curiosity. He pleaded guilty to 14 counts of possessing material likely to be useful in terrorism.
The Old Bailey was told this included copies of al-Qaeda magazine Inspire, the Terrorist Handbook Of Explosives, and other documents."
The tinfoil hat brigade is out in force tonight: how Anonymous prevented Karl Rove from stealing the election in Ohio (again).
I can't really make heads or tails of the explanation. It sounds like they are talking about VPN tunnels.
One of this year's Ig Nobels went to the team that demonstrated how fMRI plus poor statistical analysis can demonstrate surprising brain activity in a dead salmon.
The security angle? fMRI is what everyone's using to try to construct a magic brain scanner to detect lies or criminal intent. Unfortunately, not only is poor statistical analysis common, blood flow doesn't necessarily mean neural activity anyway. Which is why, for all the exciting announcements about allegedly detecting brain patterns relevant to security, everyone is pointing to totally different areas of the brain. And why you can feel safe dismissing all of them as junk science. (And cringe when you see the DHS or CIA throwing real money at the idea.)
Wearing a watch with 'wires, switches, and fuses' and oversized shoes definitely shouldn't be a crime, but I have to say if we are going to go through all this security screening I think the "right thing" to do is to call the bomb squad and arrest the person. After verifying that there are no explosives, interviewing the suspect, checking for terrorist connections, and so forth he should be released.
As someone who travels through airports with weird looking electronic bits occasionally this has the potential to really inconvenience me. I just think that if you aren't going to treat suspicious circumstances seriously you should shut down the TSA.
In any case, this is definitely a better response than almost shooting him like happened to the girl in Boston with the flashing lights on her shirt.
A couple of weeks ago I went on a one-day business trip (out in the morning, fly back that night). I fly a lot so I am TSA Pre (trusted traveler). Went through the Pre line. I was randomly selected for a hand swab from the "bomb detector". Which triggered. Leading to a wasted 30 minutes while they swabbed EVERYTHING. Missed
Afterwards the agent asked if I had washed my hands that morning. Or if I had used any hand lotion. I had taken a shower and put some hand lotion on before heading to the airport. Apparently the new "bomb detectors" trigger on a lot of junk and soap and hand lotion will trigger them. (Glycerin? no idea what they are checking for here.)
This has got to be the most stupid thing ever. From the conversation it appears they are close to a 100% hit rate on people they swab. All false positives.
I've been swabbed at other airports and never triggered it before. Apparently these are new units (or just badly calibrated).
Correction to above: "Missed breakfast due to the screening delay."
You thought TSA was bad. . . The EPA has a plane that flies over mass gatherings, such as sporting events, to measure background levels of radiation, and on-going levels through the event, just in case terrorists decide to detonate a dirty bomb.
Suppose you are the EPA official trying to decide whether to send your plane out to cover an event and you want to follow a rational process. How do you estimate the probability of an event that has never happened in world history?
@ Travel too much,
I've been swabbed at other airports and never triggered it before. Apparently these are new units (or just badly calibrated)
Whilst not being able to rule out poor calibration it would probably be on the bottom of my list of immediately likely problems, even if it was quite a way off certificate values.
The reason being (as I've said before ;) that of "background noise" caused by environmental issues.
In a lab clean environment it may well be possible to measure one or two molecules per cubic millimeter of "air" but when in the real world you have to ask how many molecules are going to be there for entirely innocent reasons, not suspect reasons.
I usually use nitrates as an example but the same goes for nearly all chemicals that are used in conventional explosives, that is there are way more innocent uses for them than suspect uses.
So how can you tell an innocent use of a chemical and the resulting trace amounts detected and the suspect use and the trace amounts detected?
The simple answer is if they are the same chemical then you cannot...
So as you "up the sensitivity" of the equipment eventually you end up measuring the environmental noise created by all the innocent uses...
The only way around this problem is to look for chemicals that have no innocent uses, and as the components of by far the majority of explosives are common fuels and oxidizers you expect to find in food and cosmetics, energy sources for cooking heating and vehicles, cleaning agents and most other manufactured goods...
It's the old "ok in theory not in practice" issue...
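The threshold argument in the comment above, put into numbers. This is an added illustration, not part of the original comment or of any real detector's documentation: it assumes trace readings are lognormally distributed, and the medians, spread, thresholds and the one-in-a-million base rate are constructed values chosen only to show the shape of the problem. It models the two cases the comment describes: a chemical with innocent uses (innocent and suspect readings overlap) and the limiting case where innocent and suspect hands carry the same chemical at the same levels.

```python
"""Trace-detector threshold model: lowering the alarm threshold on a
chemical that also has innocent uses mostly buys false positives.

Added example for the discussion above. All numbers below are constructed
assumptions, not measurements from any real screening equipment.
"""
import math

# Constructed parameters: (median reading, log-space spread) for innocent
# and for suspect hands, in an arbitrary concentration unit, plus the
# assumed fraction of screened travellers who are actual suspects.
INNOCENT = (1.0, 1.0)
SUSPECT = (20.0, 1.0)
BASE_RATE = 1e-6
THRESHOLDS = [100.0, 30.0, 10.0, 3.0, 1.0, 0.3]


def tail_probability(threshold, median, spread):
    """P(reading > threshold) for a lognormal reading with the given median
    and log-space standard deviation (closed form via the error function)."""
    z = (math.log(threshold) - math.log(median)) / (spread * math.sqrt(2.0))
    return 0.5 * math.erfc(z)


def evaluate(threshold, innocent, suspect, base_rate):
    """Alarm statistics at one threshold.

    Returns the false-positive rate (innocent hands that alarm), the
    true-positive rate (suspect hands that alarm), the positive predictive
    value (fraction of alarms that are real) and alarms per million screened.
    """
    fpr = tail_probability(threshold, *innocent)
    tpr = tail_probability(threshold, *suspect)
    alarm_rate = base_rate * tpr + (1.0 - base_rate) * fpr
    ppv = (base_rate * tpr / alarm_rate) if alarm_rate > 0 else 0.0
    return {
        "threshold": threshold,
        "fpr": fpr,
        "tpr": tpr,
        "ppv": ppv,
        "alarms_per_million": alarm_rate * 1_000_000,
    }


def sweep(thresholds, innocent=INNOCENT, suspect=SUSPECT, base_rate=BASE_RATE):
    """Evaluate every threshold, from least to most sensitive."""
    return [evaluate(t, innocent, suspect, base_rate) for t in thresholds]


def same_chemical(thresholds, innocent=INNOCENT, base_rate=BASE_RATE):
    """The limiting case from the comment: innocent and suspect hands carry
    the same chemical at the same levels, so no threshold separates them and
    the share of real alarms never rises above the base rate."""
    return sweep(thresholds, innocent, innocent, base_rate)


if __name__ == "__main__":
    print("threshold   FPR        TPR        PPV        alarms/million")
    for row in sweep(THRESHOLDS):
        print(f"{row['threshold']:9.1f}  {row['fpr']:.2e}  {row['tpr']:.2e}"
              f"  {row['ppv']:.2e}  {row['alarms_per_million']:12.0f}")
```

Running the sweep shows the trade the comment describes: pushing the threshold down to catch most suspect readings also alarms on nearly every innocent hand, so the fraction of alarms that mean anything collapses toward the base rate, and with identical innocent and suspect distributions it never exceeds the base rate at any threshold.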
The risks of automatic translations
"Cash or Octopus"
@blackbox: WTF? Two years because he read the wrong texts? Why is the UK still called a democracy?
It's ridiculous anyway; with some basic knowledge of chemistry, Wikipedia is more than enough to find out how to make explosives with household chemicals. Most extreme example: You can make something comparable to black powder with nothing but salt, sugar, some electricity and an oven. It's good enough for pipe bombs or even rockets.
@ Pwned on Mouseover,
Seen this yet?
With regards Stewart Barker and,
"Ralph Langner, the man who reverse-engineered Stuxnet. He wanted to compare views on cyberweapons and industrial control systems."
Well a lot of it is very silly as some of the commenters have argued and it actually shows a lot of ill thought out reasoning.
One such is the cyber attack is not like a hurricane, well yes and no.
Firstly with a hurricane you get several days warning via NOAA and son's (although there's significant issues with the ratio of satellite malfunction to launches of replacements) which probably would not be the case for a well designed cyber attack, but few if any are well planned so I guess some warning would occur (it's supposedly one of the reasons the DHS has Fusion Centers).
Secondly the damage caused by a hurricane is more like a more conventional physical attack with kinetic and chemical weapons (the wind, wind borne objects, water and salt in the water etc). But if you look a little further into storm damage it actually consists of primary storm damage and secondary damage caused by the effects of the primary damage and tertiary damage to the supply side that slows or hampers repairs again related to the primary damage. Whilst a cyber attack cannot produce primary damage of the sort a hurricane can it will produce the secondary damage and thus the tertiary damage. For instance the primary storm damage is a supply cable breaking down due to say the wind or shorting caused by flooding, in either case it throws the load onto other parts of the network and the secondary damage is the cascade failure due to lack of resilience in the system. A cyber attack would cause a cascade failure by manipulating switches and breakers, from the start of the cascade failure the results are very much the same.
Speaking of hurricanes and electricity supplies NYC and DC and other areas did not suffer as badly as they might otherwise have done if Irene in 2011 and the power losses in the 2012 heatwave had not happened. Simply because the utility companies in the area (BGE, PEPCO, etc) had had to really up their game because of these precursors to Sandy. Further due to the evacuation there were fewer secondary effects. However as was seen with the hospitals failing the way they did we can make educated guesses as to what would have happened if the people had not been evacuated, but we actually don't need to extrapolate that much, the secondary failures caused by the heatwave where there were no evacuations will actually provide a reasonable starting point (oh for those not in the DC area during the heatwave and who did not experience it first hand you might want to read http://www.wsws.org/articles/2012/jul2012/... whilst it is political it does bring across the feelings of many in DC at the time and some of what they did to alleviate their woes).
Another quite silly side story in the Stewart&Ralph chat was that of the mothballing of old coal fired power generation... Put simply mothballed plant degrades way way faster than plant that continues to operate. Further the longer it's mothballed the longer it takes to unmothball. And further more and quite importantly coal plant is the top of a supply chain, you mothball it and much of the supply chain has no reason to continue to exist and will very very quickly disappear, most likely never to return so where do you get the coal when you need to unmothball a coal plant? All in all it could easily take well more than a year to pull a mothballed coal powerplant back on line by which time it would be way too late to matter.
For those interested in "nutty professor solutions" to coal plant look to Drax near Selby in Yorkshire in the UK, for reasons of misplaced carbon reduction subsidies they are going to convert part of it to "peanut husk burning" ( http://www.guardian.co.uk/business/... ) or other biomass such as wood waste, straw etc.
I can't say much for peanut husks other than they don't have a high energy density and are far from locally sourced, as for wood and straw both would be better utilized in producing high insulation building materials. What nobody appears to have considered is just where and how the biomass is to be sourced and what secondary effects it will have. Further whilst biomass conversion works well on a small scale close to the area where the biomass is produced it is not going to work well when you look at the costs of the energy transmission to and from the plant. That is the cost in energy terms of making and fueling the trucks and other vehicles to ship the low energy density biomass to Selby and the transmission loss in the power cables to the end consumer is quite bad, then the amount of carbon dumped into the atmosphere at Selby won't be reabsorbed into the carbon cycle for a considerable period of time so potentially makes the ten year carbon footprint actually worse...
Interesting statement regarding the TSA X-Ray devices...
I myself was quite impressed upon reading the JHL assessment regarding the devices, specifically that they concluded that: 1) the machines they were given to test were not the same as those used in airports. 2) the radiation level directly outside the scanner is deadly to the TSA rep after a workday, and 3) There is no safe level of radiation exposure anyways.
None of that seemed to make it into national news, however, even though the report itself was referenced all over the place.
I'm not sure if this is an improvement:
The latest FBI terrorist plot was not made up by an FBI agent, but by a drug dealer receiving $250,000 and a green card for his effort:
Santana and Deleon are accused of telling a confidential source working for the FBI that they planned to go to Afghanistan to take part in "violent jihad," the complaint said. Santana is a permanent resident born in Mexico, authorities said, and Deleon is a permanent resident born in the Philippines.
The confidential source was paid more than $250,000 in October by the federal government and received unspecified "immigration benefits," according to a footnote in the criminal complaint. The source was previously convicted of trafficking in pseudoephedrine.
A round up of bits that might be of interest,
Firstly there is some more info on the UK Navy CPO who (allegedly) tried to sell Nuclear Sub Secrets to the Russians,
When it says about encryption programs I suspect that what is meant is "handling procedures". I doubt that the CPO would have had access to the actual encryption algorithms; they are usually embedded in custom chips that have various tamper resistant features (have a search on the Internet for "UK encryption BID equipment" if you want to know more, also search with BID replaced with "British Inter-Departmental" which is what it stands for; there are various bits of BID equipment in various crypto museums around the world (but not in Britain ;) that go back to the old "Commonwealth" days.
And NASA "do it again", they've lost another laptop this time with a load of employee PII. Finally they are "closing the barn door" and have instructed all their CIOs that all laptops must have FDE by Dec 21,
Bruce blogged about "Anonymous" supposedly mucking about with the US election, well they are more obviously digging into the Israeli Gov, Mil and related companies over Gaza,
Bruce also blogged about Cloud encryption, what some people don't realise is that about 1/3 of organisations using SaaS have either very sensitive financial data (34%) or Healthcare data (29%). Forrester have produced a report on this which you can read some of the highlights of at,
You can take it as read that this and nearly all other sensitive information in SaaS will be easily available to crackers who root various Cloud services or intermediary communications nodes (MItM etc) or even simple authentication attacks.
Speaking of reports Gov Computer News has a synopsis of a report from Verizon into IP theft from Government systems that is worth a look at,
GCN also have an interesting article about another report about "Supply Chain Poisoning/threats",
With another about the more general issue and how some organisations are dealing with it,
Like the issues to do with the sensitive information in the Cloud this is just starting to become visible on the more general radar. Whilst the only publicly known historical examples of supply chain poisoning have been for conventional Cyber-Crime targets such as putting PC computer malware on Apple products and mobile phone and WiFi/bluetooth bugs in EPOS terminal card readers used by "supermarket" and "bookshop" stores it is now accepted that communications technology used in the lower 4 layers of the ISO OSI stack are prime targets along with mobile phone and other communications networks. It is known that an Israeli supplier of such equipment has in the past left/put in "test software" that is in effect the equivalent of a back door. Likewise GSM mobile phone switches supplied by most if not all suppliers including Ericsson have all the hooks available for "Law Enforcement Monitoring" which have been misused by others (think back to Greek Olympic Games). Further Chinese suppliers of Telco switches and routers etc have fairly openly marketed software for use by Governments to perform mass surveillance on their populaces. Which although the US Gov don't mind the NSA et al doing, gives them a fit of the hives when they realise it can be done by foreign organisations and as tools for repressive governments that cause political fall out for the US Gov. Which when you see one of the reports mentioned only singles out Chinese Telcos and ignores the likes of Cisco that do exactly the same smacks strongly of hypocrisy and protectionism of markets whilst also doing a bit of US War Hawk Saber rattling.
Put bluntly all telco and other major switch / router suppliers have hooks built in to do this sort of monitoring, it's a legal requirement in the USA, Europe and most WASP and "first world" countries as well as repressive regimes the world over due to anti-terror legislation or whatever other excuse the nation concerned thinks appropriate. It even occasionally has a funny side such as the "fake Cisco" products that a US Gov supplier supposedly tried to get into US Gov networks.
As Bruce has blogged with regards the FBI and the now Ex CIA Director this sort of in-depth monitoring goes on wherever you are, it's just that the US pretends it doesn't do it to its own people in just the same way as repressive regimes do. Oh and GCN has its own take on the Petraeus Email issues,
But whilst we worry about communications network security we tend to forget the more basic infrastructures it is vitally dependent on. As those in NYC and DC have found out several times in the past year and a bit when the power goes out so does comms and many other things including food and fuel. The simple fact is the US power grid was built on the cheap in many respects and whereas other countries bury supply cables in urban and metropolitan environments the US mainly does not. Burying cables is very much more expensive than just stringing them up on poles and pylons, but three to twenty feet or more of good solid dirt provides one heck of a lot of protection to cables not just to terrestrial storms such as hurricane Sandy but also to extra-terrestrial storms due to solar prominences and other significant solar activity which is increasing in intensity just as the earth's magnetic field appears to be decreasing in a number of places thus reducing the protection of the van Allen belt and magnetosphere.
Rather than go down the bury route some people are proposing a "smartgrid" approach that will allow "self reorganisation/healing" thus hopefully reducing overloads and
@Nick P, re: the Mannequin spies
--I think that's more LOL-worthy than spooky. Can't the cameras at the entrance do what they want to do anyway? Maybe they could compliment you on that "lovely outfit" that "accentuates your curves" and since they're w/in reach a quick little tape cover or spray, or the more innocent "clothes hanger" method :)
@ Nick P,
Hmm did you see the Dr Who episodes with the "killer mannequins"?
Failing that take the robot character with the machine gun chest played by Liz Hurley in "The Spy that Shagged Me" and cross it with these creepy mannequins to get an idea of a similar threat...
What do you think happens when you take some well sealed boxes of Android tablets with some features such as the camera disabled and no instruction manuals to a village in Ethiopia where nobody speaks English or has even seen a computer and leave them there?
Well read on,
It turns out not only do the kids start to use them, but they start to learn English and get around to un-disabling the disabled features within a few months.
The moral is when it comes to human ingenuity you just can't beat a kid with a curious mind....
US GAO report into TSA complaints procedures,
GAO recommends that TSA, among other actions, establish (1) a consistent policy for receiving complaints, (2) a process to systematically analyze information on complaints from all mechanisms, and (3) a policy for informing passengers about the screening complaint processes and mechanisms to share best practices among airports. TSA concurred and is taking actions in response.
What's the betting this report effectively goes down the same chute all those TSA confiscated drinks and toothpaste tubes etc go?
And as Bruce posted about US diplomatic missions security another US GAO report that might be of interest,
You can't make up this stuff, but just in case you thought I did, here's the link to TSA's rule for bringing the latest WMDs in your carry-on luggage:
"Snow globes that appear to contain less than 3.4 ounces (approximately tennis ball size) will be permitted if the entire snow globe, including the base, is able to fit in the same one clear, plastic, quart-sized, re-sealable bag, as the passenger's other liquids, such as shampoo, toothpaste and cosmetics."
The rules have been relaxed somewhat. This brochure lists snow globes along with dynamite and hand grenades as prohibited items.
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.