Schneier on Security
A blog covering security and security technology.
January 18, 2013
Friday Squid Blogging: The Search for the Colossal Squid
Now that videographers have bagged a giant squid, the search turns to the colossal squid.
As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.
Posted on January 18, 2013 at 3:31 PM
I've been saying for a while I think the future of authentication is going to be more integration with the physical realm, as clearly passwords aren't cutting it. Two-factor authentication, although not perfect, seems to be the future, and something along the lines of a physical chip as your digital driver's license or passport seems the most logical conclusion (integration with said documentation is certainly not out of the question either). As such, that Google project seems like a step in the right direction.
@Sam J -- "your digital driver's license or passport"
Here it comes, back from the dead: REAL ID!
Red October via Kaspersky. Sure you all have heard. Issue for discussion.
Question: Why are files encrypted with acid cryptofiler (and according to Der Spiegel also chiasmus) targeted? Some commentators say that that is because the hack installs a keylogger which produces the keys, but in that case any encrypted files would be vulnerable. Is this evidence that both encryption systems have been broken?
"An alternative to chip and pin?"
Interesting piece. There are quite a few alternatives to chip and pin. They have varying tradeoffs. The two concerns I have with this one are (1) biometric and (2) acceptance of it.
Biometric effectiveness is often debated. Many vendors promise nearly issue-free biometric schemes that are later found to have issues. This leads many adopters to pick biometric options that have been proven in practice for years and whose technology is very mature. Finger vein recognition is still pretty new and we already have inexpensive, effective fingerprint readers.
The other issue is adoption. People often don't like using biometrics. Security experts caution against more companies having your biometric information, which can't be changed after a breach. Additionally, it's less convenient than other options and convenience is [unfortunately] quite important in this industry.
JCitizen on Krebs on Security suggested using Magneprint and PassWindow in combination. I think that's a nice idea b/c it's easy, cheap and Magneprint is already in widespread deployment. The Magneprint alone stops card cloning, saving plenty of money.
It wouldn't worry me, because I'll never have a lot to steal, but is there a risk with these things of the bad guys taking their victim to the machine, or offering the alternative of taking part of their victim to the machine?
Biometrics is firmly snake oil security. Just ask the Chaos Computer Club who broke into a cabinet member's office because they lifted his prints from a glass or the countless other groups who have found ways around it.
You're also right about storing biometric information. If it's breached and stolen, you can't exactly change your fingerprint or eye scan.
Here's a nice comedy skit by Don Friesen about password selection. It covers hints, weak passwords (anything he can remember), and an opinion on the rules for complex passwords. I think I've seen some of his points on this blog before.
In the first place, RSA already provided token-based security. They got hacked, by malware.
In the second place, hackers don't care about passwords or tokens: they use YOUR credentials. This is done using unauthorized programming generally known as malware, e.g. Black Hole, ZEUS, Citadel, etc.
Malware simply re-directs the actions of your computer -- using your credentials -- while you are logged on. The malware problem has to be addressed before there can be any meaningful discussion of passwords and security tokens.
Passwords provide adequate security -- when administered properly:
1 sign-on should allow only 3 tries and then lock the account
2 help desk limited to sending a one-time-only replacement password via e-mail
3 passwords must be at least 8 characters and contain letters, numbers, and symbols. No commonly used passwords and no dictionary words
4 failed log-ons should be reported by e-mail to the owner
5 log-on dialog should report date/time of previous log-on
Security is composed of 3 main elements:
Our biggest issue right now is we lack any kind of software audit. How can you detect an intrusion if you don't even know what is supposed to be on your computer?
UEFI could help here but it needs to be extended to checking the CRC, date, and size of every program loaded into kernel (root) mode.
Security-conscious users may want to look into switching to Linux. The switch to Ubuntu is not difficult.
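The five administrative rules listed in the comment above, worked through as an added example (this code is not from the commenter, from this blog, or from any product; the common-password and dictionary lists are constructed samples, and the `notifications` list stands in for e-mail to the account owner). It shows how the rules interact: the lockout counter resets on success, the previous log-on time is handed back to the caller so the dialog can display it, and the help-desk reset issues a random one-time password rather than a human-chosen one.

```python
import hashlib
import hmac
import re
import secrets
from datetime import datetime, timezone
from typing import List, Optional

# Constructed sample lists; a real deployment would load full breach/dictionary lists.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome"}
DICTIONARY_WORDS = {"summer", "dragon", "monkey", "football"}
MAX_ATTEMPTS = 3          # rule 1: three tries, then lock the account
PBKDF2_ROUNDS = 100_000


def check_password_policy(password: str) -> List[str]:
    """Rule 3: return every violation found (an empty list means the password passes)."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if not re.search(r"[A-Za-z]", password):
        problems.append("no letters")
    if not re.search(r"[0-9]", password):
        problems.append("no digits")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no symbols")
    lowered = password.lower()
    if lowered in COMMON_PASSWORDS:
        problems.append("commonly used password")
    # Strip digits and symbols so "Summer2013!" is still recognised as a dictionary word.
    if re.sub(r"[^a-z]", "", lowered) in DICTIONARY_WORDS:
        problems.append("based on a dictionary word")
    return problems


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class AccountStore:
    """In-memory account database; `notifications` stands in for e-mail to the account owner."""

    def __init__(self) -> None:
        self.accounts = {}
        self.notifications: List[str] = []

    def create(self, username: str, password: str) -> None:
        problems = check_password_policy(password)
        if problems:
            raise ValueError("weak password: " + ", ".join(problems))
        salt = secrets.token_bytes(16)
        self.accounts[username] = {
            "salt": salt, "hash": _hash(password, salt),
            "failed": 0, "locked": False, "last_login": None, "temp": False,
        }

    def login(self, username: str, password: str, now: Optional[datetime] = None) -> dict:
        """Returns ok/reason; on success also the previous log-on time (rule 5)."""
        now = now or datetime.now(timezone.utc)
        acct = self.accounts.get(username)
        if acct is None:
            return {"ok": False, "reason": "no such account"}
        if acct["locked"]:
            return {"ok": False, "reason": "account locked"}
        if not hmac.compare_digest(_hash(password, acct["salt"]), acct["hash"]):
            acct["failed"] += 1
            # Rule 4: every failed log-on is reported to the owner.
            self.notifications.append(f"{username}: failed log-on at {now.isoformat()}")
            if acct["failed"] >= MAX_ATTEMPTS:
                acct["locked"] = True
                self.notifications.append(f"{username}: locked after {MAX_ATTEMPTS} failures")
            return {"ok": False, "reason": "bad password"}
        previous = acct["last_login"]
        acct["failed"] = 0
        acct["last_login"] = now
        # A one-time password gets you in once; the caller must force a change.
        return {"ok": True, "previous_login": previous, "must_change": acct["temp"]}

    def helpdesk_reset(self, username: str) -> str:
        """Rule 2: the help desk issues a random one-time replacement password and unlocks
        the account. The returned string is what would be e-mailed to the owner."""
        acct = self.accounts[username]
        temp = secrets.token_urlsafe(12)
        acct["salt"] = secrets.token_bytes(16)
        acct["hash"] = _hash(temp, acct["salt"])
        acct["failed"], acct["locked"], acct["temp"] = 0, False, True
        self.notifications.append(f"{username}: one-time replacement password sent")
        return temp
```

The dictionary check deliberately strips digits and symbols before the lookup; without that step, the usual "word plus a year plus an exclamation mark" passes the letters/digits/symbols test while still being a dictionary word.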
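The comment's point about software audit ("how can you detect an intrusion if you don't even know what is supposed to be on your computer?") is the idea behind a file-integrity baseline. As an added example, not from the commenter or from any tool mentioned on this page, the following records the hash and size of every file under a directory once, then reports what was added, removed, or modified on a later pass. The demo builds its own throwaway directory tree with constructed file names and contents, so it runs offline.

```python
import hashlib
import tempfile
from pathlib import Path
from typing import Dict


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> Dict[str, dict]:
    """Known-good baseline: relative path -> {sha256, size} for every regular file under root."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            manifest[path.relative_to(root).as_posix()] = {
                "sha256": sha256_of(path),
                "size": path.stat().st_size,
            }
    return manifest


def audit(root: Path, baseline: Dict[str, dict]) -> Dict[str, list]:
    """Compare the current tree with the baseline; anything unexplained is an investigation lead."""
    current = build_manifest(root)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in set(current) & set(baseline) if current[p] != baseline[p]),
    }


def demo() -> Dict[str, list]:
    """Constructed scenario: take a baseline, then simulate a patched file, a new unknown
    file and a deleted file, and see each one show up in the audit."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "drivers").mkdir()
        (root / "drivers" / "good.sys").write_bytes(b"constructed driver bytes")
        (root / "kernel.bin").write_bytes(b"constructed kernel image")
        baseline = build_manifest(root)

        (root / "drivers" / "good.sys").write_bytes(b"constructed driver bytes + patch")
        (root / "drivers" / "unknown.sys").write_bytes(b"constructed unknown module")
        (root / "kernel.bin").unlink()
        return audit(root, baseline)
```

In practice the baseline must be stored somewhere the audited machine cannot silently rewrite (read-only media or a separate host), otherwise an intruder who can alter the files can alter the manifest too.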
@mike acker (who is not me):
Security-conscious users may want to look into switching to Linux. The switch to Ubuntu is not difficult.
As long as they don't mind running afoul of the PAMD bug a while back, for which the only advice offered on the support fora was "You're going to have to nuke the disk and re-install from scratch. Hope you have backups, and BTW: we don't support your chipset anymore".
Although I have been a Linux kernel contributor, stuff I care about runs on BSD.
Which is not to get into an OS pissing match, but to point out that in fact there is no quick+easy solution. Well, other than giving up all computers that are connected to anything, and that you didn't fully define from the gates up.
"nuke the disk and re-install"
This is a hazard every computer user faces every time he/she boots up their system.
It happened to my wife's Win7 about a year ago. The system simply announced it was in recovery mode and did she want to make a data recovery disk.
After she got done screeching at me I sent her off to work and got a thumb drive for the recovery.
First, I had to recover all her data files. In this case it was her O/S that was toast; the data came off clean.
Then I had to wait while recovery reformatted the main partition.
After that I had to re-install her products
and then her data.
Anyone running a computer used for storing valuable data has to be ready to do this.
In another case I might have had to go to her backups -- which we keep on an external hard drive --
or in a worse case I might have needed to order a replacement hard disk. On these HP systems they have you make a recovery (DVD or thumb drive) from which to reload the O/S and factory-installed software.
These notes are for our readers, really. I think most folks reading this site probably know how to recover a crashed computer. And that it can happen to any system.
the search turns to the colossal squid.
--ADD much? Why can't we enjoy (and study) our discovery a little and let "the colossal" live in peace. Everyone knows what it's like to have bright lights shined in your pupils when you're in a dark room, imagine the squid's pain around the bottom of the ocean.
Home Physical Security Question[s]:
@Clive Robinson re: this post.
--Would you have advanced knowledge of placement of [multiple] IR sensors? What about an IR for the door? On one of mine, a simple attack of wearing black reduces sense-range to half. I have this idea about audible sensors and a pebble-field-moat, would noise-canceling be an attack? Obviously, I'm going to have some other tricks up the sleeve.
--I forgot to add, of course just sensing the intrusion isn't enough. If I'm not home and someone breaks in, a sensor isn't much good unless it captures some identifying info or preferably applies some [painful] deterrent. Even better would be attachment of an identifying material so I can at least attempt to hunt down the perpetrator and let him/her feel what it's like being physically violated and have to randomly look over your shoulder.
Been looking at mega.co.nz (new site from the MegaUpload people) and I like what they are doing on security. If I am reading their info correctly, their servers never see the actual keys needed to decrypt specific data (just encrypted key blobs that can't be decrypted without other passwords/keys)
And they have opened up all their algorithms and encryption (and seem to be encouraging alternative clients to be produced thanks to their API).
Gives them deniability in terms of being held responsible for the contents of files stored on their storage (i.e. we will remove any file given its URL and key or whatever) and the open crypto makes it harder to change it in ways that make it weaker without the change being noticeable (e.g. inserting back doors for law enforcement)
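The architecture described in the comment above (server holds only ciphertext and wrapped key blobs; the key that unwraps them is derived from a password that never leaves the client) as an added toy example. This is not Mega's code or scheme and does not claim to match it: the standard library has no AES, so the stream cipher here is HMAC-SHA256 run in counter mode as a stand-in for AES-CTR, with a separate HMAC tag (encrypt-then-MAC). The `Server` and `Client` classes, file ids and sample data are all constructed; how a client authenticates to the server is left out.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Tuple


def kdf(password: str, salt: bytes) -> bytes:
    """Master key derived on the client; the password itself never leaves the client."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000, dklen=32)


def _subkeys(key: bytes) -> Tuple[bytes, bytes]:
    # Separate encryption and MAC keys derived from one 32-byte key.
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy PRF-in-counter-mode keystream (HMAC-SHA256); stands in for AES-CTR."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; output is nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before touching the ciphertext; raise on any modification."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(mac_key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("ciphertext or wrapped key has been tampered with")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


class Server:
    """Stores only opaque blobs: per-user salts, wrapped per-file keys and ciphertexts.
    It is never given a password, a master key or a file key."""

    def __init__(self) -> None:
        self.salts: Dict[str, bytes] = {}
        self.files: Dict[str, Tuple[bytes, bytes]] = {}   # file_id -> (wrapped_key, ciphertext)

    def put(self, file_id: str, wrapped_key: bytes, ciphertext: bytes) -> None:
        self.files[file_id] = (wrapped_key, ciphertext)

    def get(self, file_id: str) -> Tuple[bytes, bytes]:
        return self.files[file_id]


class Client:
    def __init__(self, server: Server, user: str, password: str) -> None:
        self.server = server
        salt = secrets.token_bytes(16)
        server.salts[user] = salt
        self.master = kdf(password, salt)

    def upload(self, file_id: str, data: bytes) -> bytes:
        file_key = secrets.token_bytes(32)           # fresh random key per file
        self.server.put(file_id, seal(self.master, file_key), seal(file_key, data))
        return file_key   # sharing a file means handing this key to the recipient out of band

    def download(self, file_id: str) -> bytes:
        wrapped_key, ciphertext = self.server.get(file_id)
        return unseal(unseal(self.master, wrapped_key), ciphertext)


def demo() -> dict:
    """Constructed scenario: upload, share by file key, server-side view, tamper detection."""
    server = Server()
    alice = Client(server, "alice", "correct horse battery staple")
    file_key = alice.upload("doc1", b"squid research notes")
    wrapped_key, ciphertext = server.get("doc1")
    tampered = bytearray(ciphertext)
    tampered[20] ^= 0x01                              # flip one byte inside the ciphertext
    try:
        unseal(file_key, bytes(tampered))
        detected = False
    except ValueError:
        detected = True
    return {
        "roundtrip": alice.download("doc1"),
        "shared_by_key": unseal(file_key, ciphertext),   # a recipient needs only the file key
        "server_sees_plaintext": b"squid" in ciphertext or b"squid" in wrapped_key,
        "tamper_detected": detected,
    }
```

The per-file key is what makes "give us the URL and the key and we will remove it" possible without the operator being able to read anything else: each file is decryptable on its own, and the master key that wraps all of them is never uploaded.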
Timothy B Lee @ Ars Technica
On the morality of file sharing:
The distinction between public and private sharing is central to Americans' thinking about the morality of file sharing. Eight in 10 Americans believe that it's OK to share copyrighted content with family members, and six in 10 extend the same logic to friends. But only a small minority of Americans—between four and 15 percent—say it's reasonable to upload copyrighted content for public consumption, post links to pirated content on Facebook, or sell unauthorized copies of copyrighted materials.
If only google could add a numerical keypad ON the developed usb dongle ...
Otherwise, it is easy for a virus to make MITM attacks.
@keypad: Indeed, and I've stated that before in other places
I'm sure some people might have seen this one, but still... Apparently the people in charge of security for nuclear plants think a sailplane flying in unrestricted airspace over a power plant can threaten a reactor.
And "For a while local 'security' officials considered shooting the glider down."
Luckily they "just" detained the pilot for 24 hours to be questioned. Question- Did anyone follow through with giving nuke plants anti-air capability on their own? Or would these morons have to phone up the Air Force? I'd like to believe any pilot scrambled to shoot down a sailplane would laugh hysterically at the thought and refuse to do anything that stupid. But then, I'd like to believe this was a free country too.
As a glider pilot I can assure everyone that the damage suffered by a power plant due to a kamikaze glider strike would be... lemme see here... carry the zero.. oh yes, NOTHING. Even if you flew one into exterior fuel ponds, it'd just make a splash and kill the pilot. I suppose you could crash it into the transformer/transmission farm that carries power away from the generator building- but that's hardly a threat to the republic. You can't really pack it with enough explosives either, because to use enough to threaten the reactor you'd mess up the weight and balance and never get off the ground.
The last time anyone used gliders in combat was WWII and it wasn't exactly an efficient tool of war (esp from the point of view of occupant survivability) compared to pretty much anything we've got now. I suppose cryogenically frozen nazis *could* be planning a mass assault on our power plants by landing assault gliders on their roofs and storming the control rooms. But I think it's vastly more likely that the people in charge of plant security are just dangerously stupid.
But it's not just plant security of course, the poor pilot got detained overnight in jail, questioned by federal agents, and apparently no one along the way stopped and said, "This is beyond F-ing stupid. He was in open, unrestricted airspace, doing what glider pilots always do and flying what's essentially an oversized paper airplane. Release this guy and fire whoever detained him in the first place."
Remember back in the day, when people used to make fun of the Soviets for their "papers please" security state? Being smugly superior about how resilient and free our society was compared to their backwards, illogical and repressive one? No, we're not as bad as they were, but it's not looking so funny anymore.
@Bruce, and the security clique, what's your take on the employee who outsourced his job? Any key lessons here?
@ Bobby re outsourcing one's own job
You must be referring to this little gem.
It's an entertaining modern instance of an old concept. You could say it's an evolution of the whole software company concept itself. Currently, you might pay a significant sum to a software "firm" to develop software. That firm hires others (i.e. developers) that produce the software for them, pays them a smaller amount of money, and pockets the difference. Now, we have individual employees figuring out they can be middlemen too.
I've toyed with variations of this scheme and there's countless versions in industry in form of "virtual" organizations. My contribution was when I got started in INFOSEC around turn of the century. I noticed "penetration tests" showing vulnerabilities in networks were popular. However, they seemed mostly interested in a list of vulnerabilities and recommendations rather than having dedicated security guys doing real security. So, my scheme was to use the emerging vulnerability scanners like Retina to do automated assessments, manually do what it couldn't do, dress it up as a report and deliver it. The tool cost low three digits, assessments started at high three digits to mid four digits. You do the profit math. ;)
I ultimately didn't do it on principle. Also, my area didn't have much of a market for it. Others copied my idea and there was tons of the stuff before you know it. Far as outsourcing, many firms have been outsourcing software development to Indian and Chinese firms for years. A one-man operation that specializes in schools told me last year he can get deliverables at $50k/yr American level for $12k/yr in India.
On the ethical side, I don't see anything inherently wrong with it either. If I pulled such a stunt, I would add a quality review step to ensure the code I received met requirements and didn't do anything fishy. I may even have coding standards that ease analysis. It's funny that his firm seems outraged at him being a profitable middleman when that's what most firms try to do anyway. They're just less profitable.
Of course, long time readers of this blog might want my thoughts on operational security side. Maybe they are thinking this already: he should never have given them remote access. You have a dedicated workstation in a physical location. You are supposed to be doing work. Yet, your computer is steadily involved in play and your work is coming from China. What an idiot.
The ideal setup for this scheme is air gap with manual review. You download the requirements from your computer onto non-company hardware. Prepare it for the outsourcer, send it over medium not corporate monitored (open wifi or 3G), and simply upload the files (or hand type them) into the workstation. This lets you do two things: not look suspicious to auditors and periodically post things from your physical location.
Adding more risk and convenience now for slackers. Create a dead drop for the code. The outsourcing firm will deposit their deliverables in a dedicated portion of the site that requires username/password and has an innocuous name (admin.domain.com.). They notify you by personal email or text to your phone. Disguise the site as something useful day to day, like a personal information manager. Even better, use it for some personal and professional things. Upon notification, connect over HTTPS, download documents from drop, quick once-over, and upload to the repository.
Tada! Slacker extraordinaire!
what's your take on the employee who outsourced his job?
Well if the story is true (and there appears to be some uncertainty on this) he's not that clever let alone competent because he got caught...
Also depending on the company he could have pulled the "twin brother" switcheroo to double his money.
Without going into the details, you do an inverse job share where instead of two employees doing one job you share yourself between two jobs (something board execs do but usually at different companies).
Essentially what you do is get a job in a department as one twin and work early hours, then slightly later get another job in another department as the second twin and work late hours.
The trick is always wear a white shirt but accessorise in different colours so one twin has a tweed jacket and blue tie, the other has a blue blazer and red tie, make the ties the clip-on type so you can swap them almost instantly and different glasses, say one large heavy "Clark Kent" style frames, the other wire frame letterbox style. Further, one has a large satchel type bag, the other a small slimline executive brief case (which can slide into the satchel and be out of sight). Then you need a "sick mother" or equivalent story to explain why you are never seen with your twin.
Combine that with outsourcing and writing trashy bodice ripper novels or magazine articles for a little extra income then you start showing your stuff ;-)
Red October malware
Whilst it does appear to go for cryptofiler systems you left out the bit that made me smile.
As I and one or two others have mentioned on this blog before, USB thumb drives / memory sticks use low write-cycle flash ROM to store files.
And because of the low number of write cycles, the manufacturers of these USB memory devices use a round robin method with memory page usage to make their "wear leveling algorithms".
As I've noted in the past (with "war on photography" and the police deleting photos on digital cameras) deleting on such solid state memory does not mean actually deleting or even overwriting the file, so a knowledgeable person can undelete the files fairly simply.
Well that's what the authors of this Red October malware appear to have done, that is the code recovers deleted files off of Flash memory and sends that as well.
So chalk another one up to you "Heard it on Bruce's Blog First".
I wonder how long it will be before Bruce's blog gets banned for subversive activities, or even conspiracy to commit a crime etc ;-)
Tails Linux version 0.16 - Fir3wall Disabling Script Waits For Expl0itation
If you’re running Tails version 0.15 or 0.16, please locate and del3te the following file each session:
The file, if run with correct permissions, will completely disable your firewall! So much for the idea that Tails always routes everything through Tor! Where this news has been posted and comments allowed, mysterious “anonymous” users have expressed their low brow intelligence leaving comments such as, “Well you need to be root to run it so it doesn’t matter, if you have root you can do anything!”
First of all, a file called “do_not_ever_run_me” shouldn’t be on a Linux system. If it should NEVER BE RUN, and that means by anyone, root or user, local or remote, it SHOULD NOT BE INCLUDED IN THE DISTRIBUTION!
Any current or future exploit which targets this file will “drop the shields” for the Tails user.
Perhaps Tails itself in its next version, 0.17, should be nicknamed, “do_not_ever_run_me”.
Another questionable decision by the Tails developers is to place the following line within the torrc file (located at /etc/tor/torrc):
## We don’t care if applications do their own DNS lookups since our Tor
## enforcement will handle it safely.
Oh, really? We don’t care? Who is we? It’s not me! As the man page for Tor states, this is set to 1 by default, yet Tails sets it for 0! So if something “leaks”, you will never know it? Each session, delete this line or comment it out so the default is 1 like it should be for a Tor session.
What else can we find in this anonymously developed distribution? I’m glad I’m not driving a car with software made by this group of developers.
I have this idea about audible sensors and a pebble-field-moat, would noise-canceling be an attack
Agh, the old "gravel crunch alarm" or even earlier "Canary squeak floor" which reputedly was used by Ming Dynasty and earlier Emperors several thousand years ago.
The idea is that it attracts the attention of a guard or guard dog and then they raise the alarm.
If it was me these days I would put vibration or pressure sensors in amongst the pebbles/gravel and tune it via DSP for the maximum sensitivity in the audio bands of interest.
As for "Noise Cancelling" in the general case it's a very hard problem, which is why it's only really available for headphones and microphones.
The issue is 'sound originates spherically from a point', and thus to cancel over an area the size of a small field requires a lot of knowledge of where a target's ears are and the ability to provide wave forms that cancel out the sound (try drawing it on graph paper to see why).
I'm not sure that I should post this as viewed even from a short distance it discriminates by sex, which could cause adverse comments from both sides.
However it can be argued that it is a social good trying to level the playing field,
Whilst I would actively encourage people to participate, I've witnessed many such schemes in science and engineering in the past and been involved with some, and unfortunately, in general they have been either counter productive or at best of negligible effect.
I thus feel that I need to explain why I think this happens not just in my own defence, but because I think we are aiming in the wrong place to resolve the issue.
I personally feel the reason for the gender imbalance in engineering is perhaps more deep rooted in societal norms than many think and thus "quick fix" schemes probably won't work.
Back in the 1940's and 50's girls were raised with the expectation of being "homemakers" and even in the 1960's classes in non-grammar schools certainly gave the indication that boys were trades people doing wood/metal working whilst the girls did "home economics" with the ideal of "The well cooked baked bean on toast for your children's tea" being the height of prudent womanhood, closely followed by the "pipe and slippers placed lovingly for the old man when he returned from a tiring day at the office" etc...
This gender bias was very clearly seen in children's toys and books that featured strongly in their early development (luckily most "tech toys" are now about as genderless as you can get).
Thankfully attitudes in education started to change in the 1970's and in the 1980's I was involved with a number of similar schemes to get girls/women to consider engineering as a viable life long vocation (oddly perhaps Maggie Thatcher helped not just as a role model but also by destroying traditional male industries such as mining and shipbuilding in her efforts to destroy unions, giving families no choice but for women to go and work in factories and light engineering).
However any improvement was against considerable resistance of the old guard in education many of whom were women themselves and considered it to be "blue collar" work not fit for well educated women (but nursing etc was...).
I had hoped in the early 1990's that we were on the road to change, however the old guard were still fighting through the next generation. One such "politically correct" complaint was, that it was the words used in engineering such as "grease nipple" and "bugs" that put women off (seriously such stuff was printed in the Times Newspaper in the UK). Actually to us "at the coal face" it appeared to be that it was more likely the lack of money, uncomfortable work conditions and discrimination from other women not the words.
Even with the significant changes in the late 90's and early 00's with the standards of pay and conditions improving dramatically women were still not that interested in engineering. At this time it was blamed on the "nerd culture" but as I knew from a number of close lady friends who worked in engineering, they did not talk about what they did socially because they felt "stigmatised" by their female contemporaries, who had chosen accountancy, law and marketing and "did things in the city" (which was and still is a horrendously sexist place to work).
And it was interesting to note that in fact when "trade wages" rose to above the equivalent of 100,000USD per annum quite a few "city women" re-trained to become plumbers, carpenters, decorators and associated trades as well as designers of homes, offices and gardens and landscapes. With a considerable contingent moving into "country skills and trades". In effect becoming their own business women in the process with many becoming employers in their own right.
Of more recent times it feels like we are actually going backwards in women's attitudes to engineering, you actually get a strong feeling it's regarded by many as not just as "unprofessional" work but something done by "social rejects", "women of a certain type" and those "despicable foreigners" in China and third world countries (yes I've actually heard these words and worse, and why socially I call myself a consultant not an engineer)...
Perhaps it is a prime example of Lexical Degradation of a needed profession by the "chattering classes" (yes even in the UK manufacturing especially in engineering still contributes considerably more to the national wealth than all the various finance sectors combined).
Thankfully though science is faring better in this respect so hopefully changed attitudes in that area will "rub off" onto engineering.
@ Moderator / Bruce,
I suspect the above (@ 8:58 PM) is "marketing blurb" being used for commercial promotional purposes.
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.