December 2013 Archives

More about the NSA's Tailored Access Operations Unit

Der Spiegel has a good article on the NSA's Tailored Access Operations unit: basically, its hackers.

"Getting the ungettable" is the NSA's own description of its duties. "It is not about the quantity produced but the quality of intelligence that is important," one former TAO chief wrote, describing her work in a document. The paper seen by SPIEGEL quotes the former unit head stating that TAO has contributed "some of the most significant intelligence our country has ever seen." The unit, it goes on, has "access to our very hardest targets."

Defining the future of her unit at the time, she wrote that TAO "needs to continue to grow and must lay the foundation for integrated Computer Network Operations," and that it must "support Computer Network Attacks as an integrated part of military operations." To succeed in this, she wrote, TAO would have to acquire "pervasive, persistent access on the global network." An internal description of TAO's responsibilities makes clear that aggressive attacks are an explicit part of the unit's tasks. In other words, the NSA's hackers have been given a government mandate for their work. During the middle part of the last decade, the special unit succeeded in gaining access to 258 targets in 89 countries -- nearly everywhere in the world. In 2010, it conducted 279 operations worldwide.

[...]

Certainly, few if any other divisions within the agency are growing as quickly as TAO. There are now TAO units in Wahiawa, Hawaii; Fort Gordon, Georgia; at the NSA's outpost at Buckley Air Force Base, near Denver, Colorado; at its headquarters in Fort Meade; and, of course, in San Antonio.

The article also has more details on how QUANTUM -- particularly, QUANTUMINSERT -- works.

Until just a few years ago, NSA agents relied on the same methods employed by cyber criminals to conduct these implants on computers. They sent targeted attack emails disguised as spam containing links directing users to virus-infected websites. With sufficient knowledge of an Internet browser's security holes -- Microsoft's Internet Explorer, for example, is especially popular with the NSA hackers -- all that is needed to plant NSA malware on a person's computer is for that individual to open a website that has been specially crafted to compromise the user's computer. Spamming has one key drawback though: It doesn't work very often.

Nevertheless, TAO has dramatically improved the tools at its disposal. It maintains a sophisticated toolbox known internally by the name "QUANTUMTHEORY." "Certain QUANTUM missions have a success rate of as high as 80%, where spam is less than 1%," one internal NSA presentation states.

A comprehensive internal presentation titled "QUANTUM CAPABILITIES," which SPIEGEL has viewed, lists virtually every popular Internet service provider as a target, including Facebook, Yahoo, Twitter and YouTube. "NSA QUANTUM has the greatest success against Yahoo, Facebook and static IP addresses," it states. The presentation also notes that the NSA has been unable to employ this method to target users of Google services. Apparently, that can only be done by Britain's GCHQ intelligence service, which has acquired QUANTUM tools from the NSA.

A favored tool of intelligence service hackers is "QUANTUMINSERT."

[...]

Once TAO teams have gathered sufficient data on their targets' habits, they can shift into attack mode, programming the QUANTUM systems to perform this work in a largely automated way. If a data packet featuring the email address or cookie of a target passes through a cable or router monitored by the NSA, the system sounds the alarm. It determines what website the target person is trying to access and then activates one of the intelligence service's covert servers, known by the codename FOXACID.

This NSA server coerces the user into connecting to NSA covert systems rather than the intended sites. In the case of Belgacom engineers, instead of reaching the LinkedIn page they were actually trying to visit, they were also directed to FOXACID servers housed on NSA networks. Undetected by the user, the manipulated page transferred malware already custom tailored to match security holes on the target person's computer.

The technique can literally be a race between servers, one that is described in internal intelligence agency jargon with phrases like: "Wait for client to initiate new connection," "Shoot!" and "Hope to beat server-to-client response." Like any competition, at times the covert network's surveillance tools are "too slow to win the race." Often enough, though, they are effective. Implants with QUANTUMINSERT, especially when used in conjunction with LinkedIn, now have a success rate of over 50 percent, according to one internal document.

Another article discusses the various tools TAO has at its disposal.

A document viewed by SPIEGEL resembling a product catalog reveals that an NSA division called ANT has burrowed its way into nearly all the security architecture made by the major players in the industry -- including American global market leader Cisco and its Chinese competitor Huawei, but also producers of mass-market goods, such as US computer-maker Dell.

[...]

In the case of Juniper, the name of this particular digital lock pick is "FEEDTROUGH." This malware burrows into Juniper firewalls and makes it possible to smuggle other NSA programs into mainframe computers. Thanks to FEEDTROUGH, these implants can, by design, even survive "across reboots and software upgrades." In this way, US government spies can secure themselves a permanent presence in computer networks. The catalog states that FEEDTROUGH "has been deployed on many target platforms."

[...]

Another program attacks the firmware in hard drives manufactured by Western Digital, Seagate, Maxtor and Samsung, all of which, with the exception of the latter, are American companies. Here, too, it appears the US intelligence agency is compromising the technology and products of American companies.

[...]

There is no information in the documents seen by SPIEGEL to suggest that the companies whose products are mentioned in the catalog provided any support to the NSA or even had any knowledge of the intelligence solutions.

The German version of the article had a couple of pages from the 50-page catalog of tools; they're now on Cryptome. Leaksource has the whole TOP SECRET catalog; there's a lot of really specific information here about individual NSA TAO ANT devices. (We don't know what "ANT" stands for. Der Spiegel speculates that it "stands for Advanced or Access Network Technology.") For example:

(TS//SI//REL) SOUFFLETROUGH is a BIOS persistence implant for Juniper SSG 500 and SSG 300 series firewalls. It persists DNT's BANANAGLEE software implant. SOUFFLETROUGH also has an advanced persistent back-door capability.

And NIGHTSTAND:

(TS//SI//REL) An active 802.11 wireless exploitation and injection tool for payload/exploit delivery into otherwise denied target space. NIGHTSTAND is typically used in operations where wired access to the target is not possible.

NIGHTSTAND can work from as far away as eight miles, and "the attack is undetectable by the user."

One more:

(TS//SI//REL) DROPOUTJEEP is a software implant for Apple iPhone that utilizes modular mission applications to provide specific SIGNIT functionality. This functionality includes the ability to remotely push/pull files from the device, SMS retrieval, contact list retrieval, voicemail, geolocation, hot mic, camera capture, cell tower location, etc. Command, control, and data exfiltration can occur over SMS messaging or a GPRS data connection. All communications with the implant will be covert and encrypted.

(TS//SI//REL) The initial release of DROPOUTJEEP will focus on installing the implant via close access methods. A remote installation capabilitiy will be pursued for a future release.

There's lots more in the source document. And note that this catalog is from 2008; presumably, TAO's capabilities have improved significantly in the past five years.

And -- back to the first article -- TAO can install many of the hardware implants when a target orders new equipment through the mail:

If a target person, agency or company orders a new computer or related accessories, for example, TAO can divert the shipping delivery to its own secret workshops. The NSA calls this method interdiction. At these so-called "load stations," agents carefully open the package in order to load malware onto the electronics, or even install hardware components that can provide backdoor access for the intelligence agencies. All subsequent steps can then be conducted from the comfort of a remote computer.

These minor disruptions in the parcel shipping business rank among the "most productive operations" conducted by the NSA hackers, one top secret document relates in enthusiastic terms. This method, the presentation continues, allows TAO to obtain access to networks "around the world."

They can install the software implants using techniques like QUANTUM and FOXACID.

Related is this list of NSA attack tools. And here is another article on TAO from October.

Remember, this is not just about the NSA. The NSA shares these tools with the FBI's black bag teams for domestic surveillance, and presumably with the CIA and DEA as well. Other countries are going to have similar bags of tricks, depending on their sophistication and budgets. And today's secret NSA programs are tomorrow's PhD theses, and the next day's criminal hacking tools. Even if you trust the NSA to only spy on "enemies," consider this an advance warning of what we have to secure ourselves against in the future.

I'm really happy to see Jacob Appelbaum's byline on the Der Spiegel stories; it's good to have someone of his technical ability reading and understanding the documents.

Slashdot thread. Hacker News thread. MetaFilter thread. Ars Technica article. Wired article. Article on Appelbaum's talk at 30c3.

EDITED TO ADD: Here's Appelbaum's talk. And three BoingBoing posts.

Posted on December 31, 2013 at 7:31 AM140 Comments

Joseph Stiglitz on Trust

Joseph Stiglitz has an excellent essay on the value of trust, and the lack of it in today's society.

Trust is what makes contracts, plans and everyday transactions possible; it facilitates the democratic process, from voting to law creation, and is necessary for social stability. It is essential for our lives. It is trust, more than money, that makes the world go round.

At the end, he discusses a bit about the security mechanisms necessary to restore it:

I suspect there is only one way to really get trust back. We need to pass strong regulations, embodying norms of good behavior, and appoint bold regulators to enforce them. We did just that after the roaring ’20s crashed; our efforts since 2007 have been sputtering and incomplete. Firms also need to do better than skirt the edges of regulations. We need higher norms for what constitutes acceptable behavior, like those embodied in the United Nations’ Guiding Principles on Business and Human Rights. But we also need regulations to enforce these norms ­ a new version of trust but verify. No rules will be strong enough to prevent every abuse, yet good, strong regulations can stop the worst of it.

This, of course, is what my book Liars and Outliers is about.

Posted on December 30, 2013 at 9:55 AM53 Comments

Friday Squid Blogging: Kim Jong Un Tours Frozen Squid Factory

Frozen squid makes him happy.

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

Posted on December 27, 2013 at 4:14 PM93 Comments

Operation Vula

"Talking to Vula" is the story of a 1980s secret communications channel between black South African leaders and others living in exile in the UK. The system used encrypted text encoded into DTMF "touch tones" and transmitted from pay phones.

Our next project was one that led to the breakthrough we had been waiting for. We had received a request, as members of the Technical Committee, to find a way for activists to contact each other safely in an urban environment. Ronnie had seen a paging device that could be used between users of walkie-talkies. A numeric keypad was attached to the front of each radio set and when a particular number was pressed a light would flash on the remote set that corresponded to the number. The recipient of the paging signal could then respond to the caller using a pre-determined frequency so that the other users would not know about it.

Since the numbers on the keypad actually generated the same tones as those of a touch-tone telephone it occurred to us that instead of merely having a flashing light at the recipient`s end you could have a number appear corresponding to the number pressed on the keypad. If you could have one number appear you could have all numbers appear and in this way send a coded message. If the enemy was monitoring the airwaves all they would hear was a series of tones that would mean nothing.

Taking this a step further we realised that if you could send the tones by radio then they could also be sent by telephone, especially as the tones were intended for use on telephone systems. Ronnie put together a little microphone device that - when held on the earpiece of the receiving telephone - could display whatever number was pressed at the sending end. Using touch-tone telephones or separate tone pads as used for telephone banking services two people could send each other coded messages over the telephone. This could be done from public telephones, thus ensuring the safety of the users.

To avoid having to key in the numbers while in a telephone booth the tones could be recorded on a tape recorder at home and then played into the telephone. Similarly, at the receiving end, the tones could be recorded on a tape recorder and then decoded later. Messages could even be sent to an answering machine and picked up from an answering machine if left as the outgoing message.

We gave a few of these devices, disguised as electronic calculators, to activists to take back to South Africa. They were not immensely successful as the coding still had to be done by hand and that remained the chief factor discouraging people from communicating.

The next step was an attempt to marry the tone communication system with computer encryption. Ronnie got one of the boffins at the polytechnic to construct a device that produced the telephone tones at very high speed. This was attached to a computer that did the encryption. The computer, through the device, output the encrypted message as a series of tones and these could be saved on a cassette tape recorder that could be taken to a public telephone. This seemed to solve the problem of underground communications as everything could be done from public telephones and the encryption was done by computer.

Lots more operational details in the article.

Posted on December 26, 2013 at 6:44 AM43 Comments

NSA Spying: Whom Do You Believe?

On Friday, Reuters reported that RSA entered into a secret contract to make DUAL_EC_PRNG the default random number generator in the BSAFE toolkit. DUA_EC_PRNG is now known to have been backdoored by the NSA.

Yesterday, RSA denied it:

Recent press coverage has asserted that RSA entered into a “secret contract” with the NSA to incorporate a known flawed random number generator into its BSAFE encryption libraries. We categorically deny this allegation.

[...]

We made the decision to use Dual EC DRBG as the default in BSAFE toolkits in 2004, in the context of an industry-wide effort to develop newer, stronger methods of encryption. At that time, the NSA had a trusted role in the community-wide effort to strengthen, not weaken, encryption.

We know from both Mark Klein and Edward Snowden -- and pretty much everything else about the NSA -- that the NSA directly taps the trunk lines of AT&T (and pretty much every other telcom carrier). On Friday, AT&T denied that:

In its statement, AT&T sought to push back against the notion that it provides the government with such access. "We do not allow any government agency to connect directly to our network to gather, review or retrieve our customers’ information," said Watts.

I've written before about how the NSA has corroded our trust in the Internet and communications technologies. The debates over these companies' statements, and about exactly how they are using and abusing individual words to lie while claiming they are not lying, is a manifestation of that.

Me again:

This sort of thing can destroy our country. Trust is essential in our society. And if we can't trust either our government or the corporations that have intimate access into so much of our lives, society suffers. Study after study demonstrates the value of living in a high-trust society and the costs of living in a low-trust one.

Rebuilding trust is not easy, as anyone who has betrayed or been betrayed by a friend or lover knows, but the path involves transparency, oversight and accountability. Transparency first involves coming clean. Not a little bit at a time, not only when you have to, but complete disclosure about everything. Then it involves continuing disclosure. No more secret rulings by secret courts about secret laws. No more secret programs whose costs and benefits remain hidden.

Oversight involves meaningful constraints on the NSA, the FBI and others. This will be a combination of things: a court system that acts as a third-party advocate for the rule of law rather than a rubber-stamp organization, a legislature that understands what these organizations are doing and regularly debates requests for increased power, and vibrant public-sector watchdog groups that analyze and debate the government's actions.

Accountability means that those who break the law, lie to Congress or deceive the American people are held accountable. The NSA has gone rogue, and while it's probably not possible to prosecute people for what they did under the enormous veil of secrecy it currently enjoys, we need to make it clear that this behavior will not be tolerated in the future. Accountability also means voting, which means voters need to know what our leaders are doing in our name.

This is the only way we can restore trust. A market economy doesn't work unless consumers can make intelligent buying decisions based on accurate product information. That's why we have agencies like the FDA, truth-in-packaging laws and prohibitions against false advertising.

We no longer know whom to trust. This is the greatest damage the NSA has done to the Internet, and will be the hardest to fix.

EDITED TO ADD (12/23): The requested removal of an NSA employee from an IETF group co-chairmanship is another manifestation of this mistrust.

Posted on December 23, 2013 at 6:26 AM75 Comments

Yes, I'm Leaving BT

The Register reported that I am leaving BT at the end of the year. It quoted BT as saying:

We hired Bruce because of his thought leadership in security and as part of our acquisition of Counterpane. We have agreed to part ways as we felt our relationship had run its course and come to a natural end. It has nothing to do with his recent blogs. We hired Bruce because of his thought leadership in security, not because we agree with everything he says. In fact, it's his ability to challenge our assumptions that made him especially valuable to BT.

Yes, it's true. And contrary to rumors, this has nothing to do with the NSA or GCHQ. No, BT wasn't always happy with my writings on the topic, but it knew that I am an independent thinker and didn't try to muzzle me in any way. I'm just ready to leave. I spent seven years at BT, and seven years at Counterpane Internet Security, Inc., before BT bought us. It's past time for something new.

As to what comes next: answer cloudy; ask again later.

More news here. And a SlashDot and Hacker News thread.

Posted on December 20, 2013 at 2:31 PM36 Comments

Eben Moglen and I Talk about the NSA

Last week, Eben Moglen and I had a conversation about NSA surveillance. Audio and video are online.

EDITED TO ADD: The site seems to be down, so here's a YouTube link.

Posted on December 20, 2013 at 6:30 AM17 Comments

Acoustic Cryptanalysis

This is neat:

Here, we describe a new acoustic cryptanalysis key extraction attack, applicable to GnuPG's current implementation of RSA. The attack can extract full 4096-bit RSA decryption keys from laptop computers (of various models), within an hour, using the sound generated by the computer during the decryption of some chosen ciphertexts. We experimentally demonstrate that such attacks can be carried out, using either a plain mobile phone placed next to the computer, or a more sensitive microphone placed 4 meters away.

Beyond acoustics, we demonstrate that a similar low-bandwidth attack can be performed by measuring the electric potential of a computer chassis. A suitably-equipped attacker need merely touch the target computer with his bare hand, or get the required leakage information from the ground wires at the remote end of VGA, USB or Ethernet cables.

Posted on December 19, 2013 at 6:29 AM70 Comments

Tor User Identified by FBI

Eldo Kim sent an e-mail bomb threat to Harvard so he could skip a final exam. (It's just a coincidence that I was on the Harvard campus that day.) Even though he used an anonymous account and Tor, the FBI identified him. Reading the criminal complaint, it seems that the FBI got itself a list of Harvard users that accessed the Tor network, and went through them one by one to find the one who sent the threat.

This is one of the problems of using a rare security tool. The very thing that gives you plausible deniability also makes you the most likely suspect. The FBI didn't have to break Tor; they just used conventional police mechanisms to get Kim to confess.

Tor didn't break; Kim did.

Posted on December 18, 2013 at 9:59 AM99 Comments

Security Vulnerabilities of Legacy Code

An interesting research paper documents a "honeymoon effect" when it comes to software and vulnerabilities: attackers are more likely to find vulnerabilities in older and more familiar code. It's a few years old, but I haven't seen it before now. The paper is by Sandy Clark, Stefan Frei, Matt Blaze, and Jonathan Smith: "Familiarity Breeds Contempt: The Honeymoon Effect and the Role of Legacy Code in Zero-Day Vulnerabilities," Annual Computer Security Applications Conference 2010.

Abstract: Work on security vulnerabilities in software has primarily focused on three points in the software life-cycle: (1) finding and removing software defects, (2) patching or hardening software after vulnerabilities have been discovered, and (3) measuring the rate of vulnerability exploitation. This paper examines an earlier period in the software vulnerability life-cycle, starting from the release date of a version through to the disclosure of the fourth vulnerability, with a particular focus on the time from release until the very first disclosed vulnerability.

Analysis of software vulnerability data, including up to a decade of data for several versions of the most popular operating systems, server applications and user applications (both open and closed source), shows that properties extrinsic to the software play a much greater role in the rate of vulnerability discovery than do intrinsic properties such as software quality. This leads us to the observation that (at least in the first phase of a product's existence), software vulnerabilities have different properties from software defects.

We show that the length of the period after the release of a software product (or version) and before the discovery of the first vulnerability (the 'Honeymoon' period) is primarily a function of familiarity with the system. In addition, we demonstrate that legacy code resulting from code re-use is a major contributor to both the rate of vulnerability discovery and the numbers of vulnerabilities found; this has significant implications for software engineering principles and practice.

Posted on December 17, 2013 at 7:10 AM16 Comments

Attacking Online Poker Players

This story is about how at least two professional online poker players had their hotel rooms broken into and their computers infected with malware.

I agree with the conclusion:

So, what's the moral of the story? If you have a laptop that is used to move large amounts of money, take good care of it. Lock the keyboard when you step away. Put it in a safe when you're not around it, and encrypt the disk to prevent off-line access. Don't surf the web with it (use another laptop/device for that, they're relatively cheap). This advice is true whether you're a poker pro using a laptop for gaming or a business controller in a large company using the computer for wiring a large amount of funds.

Posted on December 16, 2013 at 6:09 AM18 Comments

President Obama and the Intelligence Community

Really good article from the New Yorker.

Posted on December 13, 2013 at 1:24 PM38 Comments

World War II Anecdote about Trust and Security

This is an interesting story from World War II about trust:

Jones notes that the Germans doubted their system because they knew the British could radio false orders to the German bombers with no trouble. As Jones recalls, "In fact we did not do this, but it seemed such an easy countermeasure that the German crews thought that we might, and they therefore began to be suspicious about the instructions that they received."

The implications of this are perhaps obvious but worth stating nonetheless: a lack of trust can exist even if an adversary fails to exploit a weakness in the system. More importantly, this doubt can become a shadow adversary. According to Jones, "...it was not long before the crews found substance to their theory [that is, their doubt]." In support of this, he offers the anecdote of a German pilot who, returning to base after wandering off course, grumbled that "the British had given him a false order."

I think about this all the time with respect to our IT systems and the NSA. Even though we don't know which companies the NSA has compromised -- or by what means -- knowing that they could have compromised any of them is enough to make us mistrustful of all of them. This is going to make it hard for large companies like Google and Microsoft to get back the trust they lost. Even if they succeed in limiting government surveillance. Even if they succeed in improving their own internal security. The best they'll be able to say is: "We have secured ourselves from the NSA, except for the parts that we either don't know about or can't talk about."

Posted on December 13, 2013 at 11:20 AM32 Comments

How the NSA Tracks Mobile Phone Data

Last week the Washington Post reported on how the NSA tracks mobile phones worldwide, and this week they followed up with source documents and more detail.

Barton Gellman and Ashkan Soltani are doing some fantastic reporting on the Snowden NSA documents. I hope to be able to do the same again, once Pierre Omidyar's media venture gets up and running.

Posted on December 12, 2013 at 12:55 PM10 Comments

NSA Tracks People Using Google Cookies

The Washington Post has a detailed article on how the NSA uses cookie data to track individuals. The EFF also has a good post on this.

I have been writing and saying that surveillance is the business model of the Internet, and that government surveillance largely piggy backs on corporate capabilities. This is an example of that. The NSA doesn't need the cooperation of any Internet company to use their cookies for surveillance purposes, but they do need their capabilities. And because the Internet is largely unencrypted, they can use those capabilities for their own purposes.

Reforming the NSA is not just about government surveillance. It has to address the public-private surveillance partnership. Even as a group of large Internet companies have come together to demand government surveillance reform, they are ignoring their own surveillance activities. But you can't reform one without the other. The Free Software Foundation has written about this as well.

Little has been written about how QUANTUM interacts with cookie surveillance. QUANTUM is the NSA's program for real-time responses to passive Internet monitoring. It's what allows them to do packet injection attacks. The NSA's Tor Stinks presentation talks about a subprogram called QUANTUMCOOKIE: "forces clients to divulge stored cookies." My guess is that the NSA uses frame injection to surreptitiously force anonymous users to visit common sites like Google and Facebook and reveal their identifying cookies. Combined with the rest of their cookie surveillance activities, this can de-anonymize Tor users if they use Tor from the same browser they use for other Internet activities.

Posted on December 12, 2013 at 6:21 AM33 Comments

NSA Spying on Online Gaming Worlds

The NSA is spying on chats in World of Warcraft and other games. There's lots of information -- and a good source document. While it's fun to joke about the NSA and elves and dwarves from World of Warcraft, this kind of surveillance makes perfect sense. If, as Dan Geer has pointed out, your assigned mission is to ensure that something never happens, the only way you can be sure that something never happens is to know everything that does happen. Which puts you in the impossible position of having to eavesdrop on every possible communications channel, including online gaming worlds.

One bit (on page 2) jumped out at me:

The NMDC engaged SNORT, an open source packet-sniffing software, which runs on all FORNSAT survey packet data, to filter out WoW packets. GCHQ provided several WoW protocol parsing scripts to process the traffic and produce Warcraft metadata from all NMDC FORNSAT survey.

NMDC is the New Mission Development Center, and FORNSAT stands for Foreign Satellite Collection. MHS, which also appears in the source document, stands for -- I think -- Menwith Hill Station, a satellite eavesdropping location in the UK.

Since the Snowden documents first started being released, I have been saying that while the US has a bigger intelligence budget than the rest of the world's countries combined, agencies like the NSA are not made of magic. They're constrained by the laws of mathematics, physics, and economics -- just like everyone else. Here's an example. The NSA is using Snort -- an open source product that anyone can download and use -- because that's a more cost-effective tool than anything they can develop in-house.

Posted on December 10, 2013 at 9:08 AM66 Comments

Friday Squid Blogging: Hoax Squid-Like Creature

The weird squid-like creature floating around Bristol Harbour is a hoax.

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

Posted on December 6, 2013 at 4:33 PM118 Comments

New Book: Carry On

I have a new book. It's Carry On: Sound Advice from Schneier on Security, and it's my second collection of essays. This book covers my writings from March 2008 to June 2013. (My first collection of essays, Schneier on Security, covered my writings from April 2002 to February 2008.)

There's nothing in this book that hasn't been published before, and nothing you can't get free off my website. But if you're looking for my recent writings in a convenient-to-carry hardcover-book format, this is the book for you.

I'm also happy with the cover.

The Kindle and Nook versions are available now, and they're 50% off for some limited amount of time.

Unfortunately, the paper book isn't due in stores -- either online or brick-and-mortar -- until 12/27, which makes it a pretty lousy Christmas gift, though Amazon and B&N both claim it'll be in stock there on December 16. And if you don't mind waiting until after the new year, I will sell you a signed copy of the book here.

Suggestions for a title of my third collection of essays, to be published in five-ish years, are appreciated.

Posted on December 6, 2013 at 2:47 PM38 Comments

Telepathwords: A New Password Strength Estimator

Telepathwords is a pretty clever research project that tries to evaluate password strength. It's different from normal strength meters, and I think better.

Telepathwords tries to predict the next character of your passwords by using knowledge of:

  • common passwords, such as those made public as a result of security breaches
  • common phrases, such as those that appear frequently on web pages or in common search queries
  • common password-selection behaviors, such as the use of sequences of adjacent keys

Password-strength evaluators have generally been pretty poor, regularly assessing weak passwords as strong (and vice versa). I like seeing new research in this area.

Posted on December 6, 2013 at 6:19 AM54 Comments

Heartwave Biometric

Here's a new biometric I know nothing about:

The wristband relies on authenticating identity by matching the overall shape of the user's heartwave (captured via an electrocardiogram sensor). Unlike other biotech authentication methods -- like fingerprint scanning and iris-/facial-recognition tech -- the system doesn't require the user to authenticate every time they want to unlock something. Because it's a wearable device, the system sustains authentication so long as the wearer keeps the wristband on.

EDITED TO ADD (12/13): A more technical explanation.

Posted on December 5, 2013 at 1:16 PM29 Comments

The Problem with EULAs

Some apps are being distributed with secret Bitcoin-mining software embedded in them. Coins found are sent back to the app owners, of course.

And to make it legal, it's part of the end-user license agreement (EULA):

COMPUTER CALCULATIONS, SECURITY: as part of downloading a Mutual Public, your computer may do mathematical calculations for our affiliated networks to confirm transactions and increase security. Any rewards or fees collected by WBT or our affiliates are the sole property of WBT and our affiliates.

This is a great example of why EULAs are bad. The stunt that resulted in 7,500 people giving Gamestation.co.uk their immortal souls a few years ago was funny, but hijacking users' computers for profit is actually bad.

Posted on December 5, 2013 at 6:58 AM25 Comments

Evading Airport Security

The news is reporting about Evan Booth, who builds weaponry out of items you can buy after airport security. It's clever stuff.

It's not new, though. People have been explaining how to evade airport security for years.

Back in 2006, I -- and others -- explained how to print your own boarding pass and evade the photo-ID check, a trick that still seems to work. In 2008, I demonstrated carrying two large bottles of liquid through airport security. Here's a paper about stabbing people with stuff you can take through airport security. And here's a German video of someone building a bomb out of components he snuck through a full-body scanner. There's lots more if you start poking around the Internet.

So, what's the moral here? It's not like the terrorists don't know about these tricks. They're no surprise to the TSA, either. If airport security is so porous, why aren't there more terrorist attacks? Why aren't the terrorists using these, and other, techniques to attack planes every month?

I think the answer is simple: airplane terrorism isn't a big risk. There are very few actual terrorists, and plots are much more difficult to execute than the tactics of the attack itself. It's the same reason why I don't care very much about the various TSA mistakes that are regularly reported.

Posted on December 4, 2013 at 6:28 AM49 Comments

Keeping Track of All the Snowden Documents

As more and more media outlets from all over the world continue to report on the Snowden documents, it's harder and harder to keep track of what has been released. The EFF, ACLU, and Cryptome are all trying.

None of them is complete, I believe. Please post additions in the comments, and I will do my best to feed the information back to the compilers.

EDITED TO ADD (12/4): Here's another compilation. And this mind map of the NSA leaks is very comprehensive.

EDITED TO ADD (12/5): Wikipedia also has an exhaustive list.

EDITED TO ADD (12/13): This is also good.

Posted on December 3, 2013 at 6:14 AM29 Comments

The TQP Patent

One of the things I do is expert witness work in patent litigations. Often, it's defending companies against patent trolls. One of the patents I have worked on for several defendants is owned by a company called TQP Development. The patent owner claims that it covers SSL and RC4, which it does not. The patent owner claims that the patent is novel, which it is not. Despite this, TQP has managed to make $45 million off the patent, almost entirely as a result of private settlements. One company, Newegg, fought and lost -- although they're planning to appeal. The story is here.

There is legislation pending in the U.S. to help stop patent trolls. Help support it.

Posted on December 2, 2013 at 12:48 PM49 Comments

How Antivirus Companies Handle State-Sponsored Malware

Since we learned that the NSA has surreptitiously weakened Internet security so it could more easily eavesdrop, we've been wondering if it's done anything to antivirus products. Given that it engages in offensive cyberattacks -- and launches cyberweapons like Stuxnet and Flame -- it's reasonable to assume that it's asked antivirus companies to ignore its malware. (We know that antivirus companies have previously done this for corporate malware.)

My guess is that the NSA has not done this, nor has any other government intelligence or law enforcement agency. My reasoning is that antivirus is a very international industry, and while a government might get its own companies to play along, it would not be able to influence international companies. So while the NSA could certainly pressure McAfee or Symantec -- both Silicon Valley companies -- to ignore NSA malware, it could not similarly pressure Kaspersky Labs (Russian), F-Secure (Finnish), or AVAST (Czech). And the governments of Russia, Finland, and the Czech Republic will have comparable problems.

Even so, I joined a group of security experts to ask antivirus companies explicitly if they were ignoring malware at the behest of a government. Understanding that the companies could certainly lie, this is the response so far: no one has admitted to doing so.

Up until this moment, only a handful of the vendors have replied ESET, F-Secure, Norman Shark, Kaspersky, Panda and Trend Micro. All of the responding companies have confirmed the detection of state sponsored malware, e.g. R2D2 and FinFisher. Furthermore, they claim they have never received a request to not detect malware. And if they were asked by any government to do so in the future, they said they would not comply. All the aforementioned companies believe there is no such thing as harmless malware.

Posted on December 2, 2013 at 6:05 AM72 Comments

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..