Schneier on Security
A blog covering security and security technology.
« xkcd on PGP |
| Prison Escape »
March 15, 2013
Friday Squid Blogging: WTF, Evolution?
WTF, Evolution? is a great blog, and they finally mentioned squid.
Posted on March 15, 2013 at 4:10 PM
• 45 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
1. About a year ago I called into a beltway radio program (can't recall if it was NPR or...) when they had a TSA guy on the show. I referenced you during my explanation that TSA is security theater and that there were more nefarious issues, such as conflicts of interest in the products being sold to TSA. The guy responded by saying that he too read your blog regularly... and then used some skillfully adept dodge to avoid the issue altogether. Anyway, after that, for some reason, whenever I tried to call into that station number again (maybe once a week for a month, when I heard a good story worth commenting on) I would get sent to a line that would ring for a certain amount of time and then drop the call. This was much different behavior than before I made that comment on air. (you would get line busy signals, operators, etc) Take that as you will, just an interesting thought for the friday squid.
just learned there is such a thing as SWATting after reading this article by Krebs himself.
Brazilian junior doctor caught clocking on at hospital for senior colleagues with collection of six fake silicone fingers
You beat me to it :-)
I first read about it on the UK's Daily Mail website that has a notoriety rating that puts it in a league of it's own. It indicated it had got the story from the UK's Telegraph another paper with a high notoriety rating due to the behaviour of it's owners.
Because of the pictures shown in the DM article I was (and still am) suspicious so I was attempting to track down a less notorious source to check it's veracity before posting...
However what amazes me about the online newspaper sites is the number of people saying "how do you make the fingers"...
It's something I discovered when I was quite young over fourty years ago so it's not difficult to do (red wax from Edam Cheese as the mold, light penetrating oil as mold release and rubber solution glue to make the fake skin from the wax mold).
But I'm guessing a few of the queries are not from the curious but from "wanabies" who want to get past their own "checkin clock" or other biometric security measure.
just learned there is such a thing as SWATting
Yes it's a rather nasty and very dangerous activity. As far as I'm aware it first started in Russia and spread outwards via their criminals to other countries where weaknesses in the telecoms system alow the misrepresentation to work.
Put simply it's a dangerous step up from a bomb hoax call in.
What the hoaxer does is call the local police from what appears to be the victims phone number and say's basicaly armed intruders are in the house doing something nasty to another member of the household. The police will try and verify it but if not they will err on the side of caution and provide an armed response.
Which can easily escalate into shots being fired and innocent people getting hurt or killed. Usually at the very least the person being SWATed will be handcuffed and dragged away by the police to face a fairly rough interegation.
We usually don't hear to much about it because often the people being SWATed are those who are also engaged in criminal activity.
The weakness in the telephone network is that it's fairly easy (and no I'm not going to say how) to make a phone call and have a false phone ID to show up as the Caller ID. If this is the correct number for the person being SWATed then it makes it all the more believable to the police officers...
What's up with the alarmist/defeatist tone in your Wired OpEd? It doesn't sound quite like you. Did the editors ruin a subtle yet incisive argument? Did they catch you on a bad day? Or have you had some sort of gloomy epiphany?
The bad guys always get the first shot and the good guys have always played catch up. Providing security has always been a dynamic undertaking, never a static accomplishment. If we apply defense in depth, overlapping many complimentary solutions, we can detect and delay attackers/defectors. If our defenses are resilient, simple, and ductile they'll fail with grace and warning. We tend to the wounded, spread our losses, prepare a new set of defensive layers, and make a counter-attack if necessary.
Like you point out, there are many more of us than there are them. Be of stout heart and good cheer. We only lose if we give up.
Great story, great headline, and this has to be the quote of the week: "He said the supermarkets had beefed up security in response [...]"
@wired article/Michael Brady
...and I’m not sure how many decades we have left.
thanks for the clarification. Also, it is fairly easy to spoof a phone number-especially from the internet. I wont say how as well :D.
Back to the topic, have there been any SWATs you have heard of where innocent victims have been hurt thus far? It seems very likely, not with trigger happy police in some countries.
Today I'm dealing with and APT/RAT problem that has me perplexed. But, I at least have some new observably data. Seems the NIC interface does some cloning (and I assume is the source of the APT) and usually "borrows" the first and last two octets to produce a new MAC address. Don't have enough information yet to establish a causal link but I can tell you that I went from an absolutely pristine build (verified media, drivers, and sources) to a now suspect system. My suspicion lies somewhere within my ISP's network or between my ISP and some NAP.
Following the thread here, I believe it is time for like-minded, rationale, and thoughtful people to band together in a common cause. The dis-establishment of conventional power (the political classes) and the establishment or a reconstituted representative system of governance. Political parties have hijacked representative democracies world wide. In the UK parliment is nothing more than a three party version of the two party system in the US. Ironic, as it seemed the UK had the upper-hand with three parties. In the US you know it is broken--look at votes held on the floor of congress--mostly party line which tells me that the representative part of the US constitution should be re-written to say that congress either represents republicans or democrats.
"...mostly party line which tells me that the representative part of the US constitution should be re-written to say that congress either represents republicans or democrats."
Well, that would certainly defeat the purpose of the entire constitution, because single party systems become dictatorships. You are ENTIRELY wrong. It should not be changed. Of course, you could be troll who is panning for dictatorship, most likely because your party, whichever it is, can't get its way and doesn't want to compromise. Take your case to the political arena...oh, sorry, that's why you are here because the political arena is unsatisfactory to you and not getting the results you want.
Security tradeoff in organ donation:
Organ donors are not routinely tested for rabies, even if they show the signs. One reason is rabies is extremely rare, with only one to three cases a year nationwide, according to Dr. Richard Franka, the CDC's acting rabies team lead.
Also, many lifesaving organs would be lost if donors were tested for rabies. Only three or four facilities in the country are capable of testing for rabies in humans, Franka said, which means most hospitals would have to ship a potential donor's blood or tissue. It could take two days to get test results, and by then the organs would no longer be usable.
--Yeah ha. Poster by name of "Jason" posted it ~2/3 wks ago. Science > Gossip
@ Petréa Mitchell,
Organ donors are not routinely tested for rabies, even if they show the signs.
This is a subject a little close to my heart seeing as I have been given repeated transfusions of blood.
There are a number of problems due to "time windows" of testing and diseasess presenting them selves prior to donation, as well as some people not actually responding or showing a response to diseases they are carrying (Typhoid Mary types).
One of the causes of the spread of aids and certain types of hepatitis is blood transfusions. It is quite possible for the donor to be be both symptom free and unaware that they have the diseases and it can be both difficult and expensive to test every donation (part of the expense in AIDS testing in the past has been "royalties due" to the person or organisation that developed the test).
We simply cannot afford to screen for all things even if we know how to screen for them. But further some tests take longer to perform than the viability of the organs etc. Such time windows are inevitable for many many diseases.
So the question moves onto should we use organs from people when we don't know how they have died?
Contrary to the myth of omnipiscence of medical diagnoses most people who die in hospital the cause of death is actually unknown and assumed unless a detailed postmortem is carried out. The last time I enquired it was something like 40% of the population below 50 who died there was no immediatly discernible cause hence you hear such things as "Sudden Death Syndrom". In most of those cases the organs are still viable so if they are a card carrying donor what do you do esspecially as there is a desperate need for organs?
The answer is "you play the numbers game" and even in this case it looks like it paid of because three of the four recipients are still alive and symptom free...
There are also a number of questions hanging over rabies, one of which is "why don't we see more of it?". In many parts of the world it is known that rabies is carried in the local wild life like bats and other mammals but again it's symptom free in most places. Even where the bats etc are known to bite people still the number of reported cases in humans is surprisingly low.
Why is this? Is it misdiagnosis? or is it actually not very effective in it's transsmission vectors? or is there actually a high immunity to it? etc etc.
If you look at the numbers reported you have the donor sucumbing to rabies but only one of the four recipiets developing rabies (so far) so depending on how you look at it it's 2 of 5 40% or 1 of 4 25% infection rate...
@ Petréa Mitchell,
As I've indicated cross infection from donor products is something that causes me worries
On looking into the Milwaukee Protocol a while ago (out of curiosity not concern rabies is virtualy unknown in the UK) I did come across a similar case only on this occasion four recipients died,
What is becoming of concern in "Bio-Security" circles is "medical tourism" and "illicit transplant trade" and the resulting human to human transfer of pathogens.
In the UK concern is mounting about people originating from the poorer areas of Asia, specificaly India and Pakistan with a whole host of communicable diseases (treatment resistan tuberculosis being just one of many).
It is known that rabies can take upto six years to develop from a bite as it spreads slowly along the nervous tissues to the brain. And this is a significant symptom free time window. Due to a change in law in India preventing stray dogs being killed the number of people contracting rabies is steadily increasing in that part of the world and now accounts for the bigest national fraction of the 55000 known rabies deaths each year (it may be a much higher figure due to poor diagnosis and reporting methods).
China which also has a problem with rabid dogs has likewise passed legislation with regards to dogs, however they have taken the opposite approach of restricting ownership of dogs.
Many other countries require vulnerabl domestic live stock and pets to be vacinated against rabies and some countries (Auz, NZ, UK) are now belived to be in effect rabies free (though there are issues with bats).
Currently human to human transmission of rabies (outside of transplants) is either virtualy unknown or undocumented.
But as noted there is a great deal of concern over medical tourism and the illegal or illicit organ trade. It is not unknown for people from the poorer parts of Asia such as India to sell organs and in China it has been known for condemned criminals to be organ harvested.
Some estimates put the value of a properly harvested human body up around 2.5Million USD on the illicit market. In the US there have been a number of scandals with regards funeral houses stealing bones etc from bodies sent for enbalming or cremation that end up in various implants. One case involved a famous radio journalist who when they died had cancer in their bones . It is known that in the UK which has a "bone bank" for transplants that bones have been diverted to private companies for profit.
It can only be assumed that this sort of thing is also happening in other parts of the world where the demand for transplant materials is at an all time high.
 Alistair Cooke who provided the BBC with his "letters from America" broadcast for over 50years died aged 95 of lung cancer that by the time of his death had spread to his bones, http://www.telegraph.co.uk/news/worldnews/...
Rabies is not found in Australia but a close relative called the Australian Bat lyssavirus is, which only infects bats and humans, fortunately. It's close enough to rabies that the rabies vaccine protects against it.
As to the silicone fingers, I've read that sex shops are the best place to go to buy a kit for molding, um, assorted body parts.
--I agree w/ your 2nd paragraph, and Bruce is providing a place for it. But, it needs to happen locally; humans aren't advanced enough for global (that's why we're failing so hard now). We aren't moral enough and the incentives aren't there for moral activities.
I can't think of any other solution besides cutting the cords and starting over; very personally, where humans can't act in evil ways b/c we're not total lost causes.
A bit of a tangent to the whole rabies testing:
Organ transplant list is hackable.
Money would be the obvious facilitating factor. More subtle ways exist.
My greatest fear is that someday the aliens will come, and will make the things on that site look cute and cuddly.
Rabies is not found in Australia but a close relative called the Australian Bat lyssavirus is, which only infects bats and humans,
As far as I'm aware simillar is true for NZ, in the UK there is also the occasional issue of bats crossing the channel from other european countries, it's rare but does happen (along with insects, which is one reason our honey bees are in trouble).
I've read that sex shops are the best place to go to buy a kit for molding um, assorted body parts
My reading material is (supprisingly) not that eclectic. And back when I discovered / invented the method it was ssuch a time ago that there are a couple of things to consider,
1, I don't think "sex shops" existed back then.
2, Even if they did I was considerably less than half the adult age, so would not have been alowed in.
Oh and I'm guessing that the products you've read about are probably a more recent invention...
Oh I don"t know if you know but old style modeling mold products like "plaster of paris" have a quite exothermic reaction and if you attempted to mold your finger with it it would probably "cook it off". Obligitory warning this has actually happened to a school girl in an art class . Oh and the Darwin Awards had an honourable mention for some bloke who used cement to make a body part mold and had serious surgery as a result .
It's one of the reasons with old plaster casts for broken limbs they used to put a layer of ordinary bandage etc on first to act as thermal insulation (as well as not ripping hairs out). Then the plaster bandages were applied quite slowly alowing each layer to radiate it's heat into the room.
 The refrence unsurprisingly comes from "down under" http://www.abc.net.au/science/k2/stn/q&a/notes/...
For those of you who remember back that far, I suggested that one of the targets for Stuxnet was N.Korea. And shortly there after N.Korea certainly made it clear to the world that they thought the same thing.
Well the years have ticked by S.Korea has made a very large number od unsupported allegations against the North for computer hacking and GPS jamming and a whole host of other accusations.
Well the stories from supposed defectors to the south about the North recruiting thousands of hackers has alwayss sounded very silly at best (due to the nature of N.Korea's "Internet").
Well it appears that US involvment with trying to provoke the North has stepped up a notch or two according to the North the US is commiting cyberwar against it..
Bear in mind wheen reading it the North has bassicaly said it's ready to go nuclear and certainly has the delivery system and it's reasonable to assume that they may well have a uranium based device capable of causing problems in quite a few places.
As the Chinese curse has it "may you live in interesting times" and...
Lets just say I wouldn't mind being a fly on the wall when Obama has his little chat about cyberattacks when he calls the new Chinese President. I suspect that the diplomatic tone will be a little streached to put it mildly...
The NYTime article was pretty funny, because the White House press spokesman said the opposite.
Cyberthreats featured prominently in President Obama’s congratulatory call to the new Chinese president, Xi Jinping, on Thursday.
The president used the occasion to discuss the loss of United States intellectual property from cyberattacks
Now what the White House actually said was:
Q There are some reports that the President had telephone calls with the President of China today. Do you have anything on that? And did our President bring up Chinese hacking?
MR. CARNEY: I can confirm that the President spoke with President Xi today, and we will have a fuller readout of that conversation so I don’t have any details about it. He congratulated President Xi on his new positions. And this is a very important relationship and a very important series of issues that we deal with on a regular basis with the Chinese government.
And, again, I don’t have specifics from this phone call, but I can tell you that at every level, when we engage with our counterparts in the Chinese government, we talk about all the range of issues that are important between us, all the substantial economic cooperation, security cooperation, and also the issues where we have disagreements and concerns.
This is "bureaucratese" for "no Obama didn't bring up the topic."
Also, it's not hard to be a "fly on the wall" for these sorts of things. Any major policy initiative requires a lot of discussion between different groups, and this tends to be rather loud if you know where to look on the web.
Both the US and China have tons of transcripts on their websites. It's usually pretty funny to compare what the newspapers said someone said with what they actually said.
The other thing is that Obama is a very, very busy person and so is Xi Jinping. They don't have time to discuss *anything* in much detail. I'm rather certain that the call between Xi and Obama was a "protocol" thing (i.e. it's like getting a Christmas card. The important thing is that you get one, and now what it said).
The important discussions happen at foreign ministry levels, and the really, really important discussions usually happen between interlocutors at the think tank level.
Basically, it can be impossible for two government officials to have a "real" discussion so they can often find retired officials or former officials who have the freedom to say what they actually think to each other. Most of the conferences are pretty open, and the sponsors actually like "random people" to show up.
Knowing how the government works and how to get your ideas across is pretty important.
Clive: Well the stories from supposed defectors to the south about the North recruiting thousands of hackers has alwayss sounded very silly at best (due to the nature of N.Korea's "Internet")
Well you don't have to use your own internet. You could for example, use the fact that most computers in Shanghai are unsecured, and cause a lot of mischef......
The other thing is why do you *need* thousands of hackers? You can cause a lot of damage with a dozen good ones.
Something that is interesting is that China has been talking a lot about "outside nations" and the US hasn't challenged China on this. I have the suspicion that both the Chinese and US intelligence services know that they aren't the real danger to each other, and they both have a good idea who the real danger is.
China has a very strange relationship with North Korea. Sort of like the US relationship with Pakistan.
If someone was interested in ID theft, IP theft, and other nefarious intents...not that I would ever contemplate it ...Hospitals and tax collectors are a treasure trove of information with many under-trained personnel.
Tying in to that...Expats collecting benefits like medicare/social security or reporting overseas income are such easy targets that I am surprised by the lack of theft.
On yet another tangent: A NASA employee Bo Jiang from Virginia was sent to get caught with "classified" information on the way to China.
Meet the 'Corporate Enemies of the Internet' for 2013
Paris-based Reporters Without Borders names five companies as "digital mercenaries" that have decided to sell their surveillance technology to authoritarian regimes.
by Declan McCullagh
March 11, 2013 4:01 PM PDT
HackingTeam: "Hacking Team's 'DaVinci' Remote Control System is able, the company says, to break encryption and allow law enforcement agencies to monitor encrypted files and emails (even ones encrypted with PGP), Skype, and other voice over IP or chat communication. It allows identification of the target's location and relationships. It can also remotely activate microphones and cameras on a computer and works worldwide. Hacking Team claims that its software is able to monitor hundreds of thousands of computers at once, all over the country."
From 'WarGames' to Aaron Swartz: How U.S. anti-hacking law went astray
The 1983 movie "WarGames" led to an anti-hacking law with felony penalties aimed at deterring intrusions into NORAD. Over time, it became broad and vague enough to ensnare the late Aaron Swartz.
by Declan McCullagh
March 13, 2013 4:00 AM PDT
We have got so used to "Cyber-Warefare" on this blog we tend to forget the good old fashioned espionage with fem fatals etc...
Well just to whet your appitite a 59 year old US Gov contractor and reserve Lte Col, with a secret 27year old "Chinese student" girlfriend has been arrested,
Oh apparently his contracting role is to do with cyber security, and it's his "research" outside that role that apparently sparked interest in him...
As for "the lady in question" she appears to be a bit of a mystery,
Any way it appears she has not be charged with anything and the two charges against the man are those nebulos all encompasing type charges...
I guess we will have to wait a while to see what actually the real case is.
Any how back to "cyber"
The "Tallinn Manual" after three years of work was published this week.
It's said to be "The rule book" on International Law Applicable to Cyber Warfare,
It's been put together by a couple of dozen experts in the field from around the globe for NATO’s Cooperative Cyber Defense Center of Excellence. Reputedly it lays the groundwork for cyberwar guidelines.
Various people have various views on it however one area of concern are "hacktervists" in effect are they civilian protestors involved in civil unrest or enemy ununiformed combatats (effectivly spies / sabbotours even though they not have direct or even indirect affiliation with an enemy countries military, law enforcment or political hierarchies.
Whilst in the west we don't have the same sort of poliiticaly orientated hacktervists as they do in Russia and China there are considerable concerns over them.
Both Chinese and Russian news outlets have made comment over the Tallinn Manual,
AND on another not unrelated note more on the two Koreas,
It would appear that things are ramping up over there. It will be interesting to see what stance the US and China take on this.
Re: Tallinin manual
International law doesn't work that way.
One basic problem with international law is that it's often hard to figure out what the law is. In domestic law, you have a legislature or sovereign say "this is the law' but for the most part international law doesn't work that way. Most of international law boils down to "custom" and a lot of disputes end up being what the custom really is. However one nice thing about international law is that unlike domestic law, what people actually do matters. If in domestic law, someone regularly violates a written law, then that doesn't invalidate the law, but in international law, if some country says "this is the law" and then violates that norm, then you can argue that this is not the law.
The Tallinn Manual has as much legal force as a blog entry. It only will start having legal force if it is considered a statement of international custom or if it becomes part of a treaty.
And there is the idea of "lawfare" which involves hiring lawyers that define the rules so that you win. One problem with "lawfare" is that it biases things toward large governments with good lawyers and it kills groups that don't have good lawyers (i.e. indigenous peoples).
One thing that doesn't make sense as a principle:
Legally, a cyberattack that sparks a fire at a military base is indistinguishable from an attack that uses an incendiary shell.
The trouble is that this clearly is not true. By custom and usage nations have applied different rules.
It would appear now is not a good time to be in South Korea.
The attacks on S.Korean banks and broadcasting organisations appears to be getting worse, with a version of malware wiping hard drives and the MBR making some analysis somewhat difficult.
However guess what some people think the attacks originate in China, others that it's False Flag attacks from S.Korea or one of their (supposed) allies, yet others think it's hacktavists, and yet others think it's script kiddies after publicity, whilst the S.Korean Military steps up it's aleert status a notch closer to a war footing with N.Korea...
In otherwords everybody is making guesses and talking as though their speculation is based on facts. Which is just the sort of wild speculation and potential false attribution more sensible heads are seriously concerned about with the idea of Cyber-warfare and going kinetic.
EVERYONE IS A VPN
Users flock to Japan student's firewall-busting thesis project
'VPN Gate,' designed by PhD student Daiyuu Nobori to circumvent government firewalls, has drawn 77,000 users in less than a week
By Jay Alabaster, IDG News Service | Security, VPN
March 13, 2013, 6:50 AM —
A man is seen through a hole in the former Berlin Wall March 4, 2013.
Image credit: REUTERS/Thomas Peter
If you're not sure about the purpose behind Daiyuu Nobori's online thesis project, perhaps the large picture of the collapse of the Berlin Wall will help.
Nobori created VPN Gate
to help individuals in countries that restrict Internet use to beat government firewalls. The service encourages members of the public to set up VPN (virtual private network) servers and offer free connections to individual users, aiming to make the technology more accessible.
"Today's VPN software is very complex. They are not easy to use. Some VPN services around the world are expensive for people in other parts of the world," Nobori said in an interview with IDG News Service.
His service maintains a public, real-time list of freely available VPN servers for users to choose from. It also offers downloadable server software to run the VPN, and a client that greatly simplifies the process of finding and connecting to one of the free servers, for the less technically inclined.
The 28 year-old doctoral student at Tsukuba University, about 30 miles northeast of Tokyo, wasn't sure what the reaction would be when he launched last Friday. He did little to advertise it outside of the home page and a few mentions on tech forums.
Five days later, the service has drawn 77,000 users and served nearly 4 terabytes of data.
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.