Friday Squid Blogging: Squid Nebula

A nebula that looks like a squid.

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

Posted on August 1, 2014 at 4:15 PM • 51 Comments

Comments

Name (required) • August 4, 2014 12:04 AM

@Anura - Bruce can decrypt a Family-size box of Alphabits before breakfast without licking the salt off first. Doesn't that tell you how zoned-out your question is? On your knees.

Benni • August 4, 2014 12:12 AM

Now DER SPIEGEL is getting its grip on the Israeli secret service:

http://www.spiegel.de/international/world/israel-intelligence-eavesdropped-on-phone-calls-by-john-kerry-a-984246.html

"Wiretapped: Israel Eavesdropped on John Kerry in Mideast Talks"
SPIEGEL has learned from reliable sources that Israeli intelligence eavesdropped on US Secretary of State John Kerry during Middle East peace negotiations. In addition to the Israelis, at least one other intelligence service also listened in as Kerry mediated last year between Israel, the Palestinians and the Arab states, several intelligence service sources told SPIEGEL. Revelations of the eavesdropping could further damage already tense relations between the US government and Israel.

Interesting:
http://www.spiegel.de/politik/deutschland/merkels-handy-bundesregierung-erwog-harte-konsequenzen-a-984162.html

After noting that Merkel's mobile was tapped, the government discussed the following measures:

- summon the ambassador,
- trying to get a no-attack declaration of the US government,
- trying to get a no spy agreement

Additionally, they thought of stopping consultations with American government employees for several weeks.

The question whether the free trade agreement between the EU and Germany which is now in discussion should be abandoned was answered by: unlikely, but security of electronic communications should be put on the agenda.

Additionally they wanted to give the 5000 most important German lawmakers cryptophones.

Then they thought about filing a lawsuit against US at the prosecutor general, which they did several months afterwards.

And then they even thought about questioning Edward Snowden. They thought that this would only be possible in Russia because of security reasons.

Stephen Morley • August 4, 2014 1:00 AM

I've always thought the Social Share Privacy widget used on this blog is a nice idea, but the need to click twice is a little annoying and confusing to visitors unfamiliar with the widget. It tempts regular visitors to use the option to permanently enable certain buttons, which leaves them no better off with regards to tracking by those social networks.

Last week's entry about AddThis using canvas fingerprinting to track visitors finally pushed me to create an alternative:

http://code.stephenmorley.org/javascript/social-sharing-that-respects-visitor-privacy/

This code ignores the official sharing buttons altogether, instead taking advantage of the fact that each social network has a sharing URL that can be used instead. The fully standalone version is 1201 bytes.

Anonymous Coward • August 4, 2014 5:17 AM

The first letters of the warning at the top of the TrueCrypt page spell out "If I want to use NSA" in Latin.

The page in spirit:

"Warning: If I want to use NSA

Use bitlocker. Here's how to install it."

Matija • August 4, 2014 6:20 AM

Anonymization technologies such as Tor, with the addition of randomization mechanisms and/or principles in organizing/drawing scientific work inside a predefined network of institutions, have great potential in minimising conflicts of interest between clients (usually corporations) and researchers (scientific institutions, accredited labs etc.). Even payment could be processed this way.

What do you think, Bruce?

AlanS • August 4, 2014 8:51 AM

Stewart Baker has a go at Bruce on the Volokh Conspiracy for quotes in an NPR story which he claims contradict earlier statements on the usefulness of crypto. Baker's argument is rather weak given that it hinges on a few short quotes from a piece Bruce didn't author contrasted with other quotes taken out of context to misrepresent the argument. Another example of someone who claims to live in the "real world" latching onto almost anything to put the focus on Snowden, his "journalist allies" and "defenders" in order to distract attention from what his pals in the executive and the TLAs are up to behind the curtain.

Clive Robinson • August 4, 2014 10:19 AM

@ Alan S,

Stewart Baker is an ass at the best of times, and even more so now, in that he has taken as evidence something that has already been debunked (the time line) and tossed in the trash, something he could have found out with a simple web search.

I guess Mr Baker is not the technical sophisticate he pretends to be but a second rate pen pushing ex Gov Service empire builder, with a monumental ego chip on his shoulder.

As for the quote about crypto beating the IC, that has been around one way or another for quite a while before 9/11, and probably long before the US administration felt the need to create AQ (in order to be able to prosecute OBL in his absence).

Further it is also more importantly one of the first things Ed Snowden said long before Bruce got involved....

So Mr Baker is either deliberately stirring it up for reasons not yet clear or he is useless at doing basic web based research. And I would not rule out both; after all, Bruce's known political leanings make him an outsider to Mr Baker and his other beltway cronies / bandits and thus the enemy on the Dubya "with us or against us" metric which the current administration still appears to be running on.

Why the Wash Po house journalists did not fact check the story before publishing it tells a lot about how far the Wash Po has sunk from reputable journalism. In fact I'd be tempted to write to the editor and ask who slipped him a brown envelope to print this Baker nonsense.

mj12 • August 4, 2014 11:05 AM

@Freezer
I have just run a crude scan (looped ss -ntup; ss is a utility similar to netstat) on one of my machines and haven't noticed anything suspicious.

Jabo • August 4, 2014 11:59 AM

Firefox - "committed to you, your privacy and an open Web" Yeah, right....
Back to Opera.

Jacob • August 4, 2014 1:48 PM

Some tidbits from various news site reports and public articles re the mini-war between Israel and Hamas in Gaza:

Israel could not pinpoint the whereabouts of Hamas leaders, due to the following reasons:
- They moved underground while ditching their cellphones
- Use landline telephones (I speculate using an isolated PBX) and written-note messengers to pass orders to the field units.

Israel tried the following locator trick: calling from a Gaza number to next of kin, informing him that the targeted Hamas official has died - hoping that the kin would call to verify and thus get a trace.
Didn't work, with Hamas interior ministry publishing a warning against such a trick.

I speculate that the biggest problem of relying upon messengers to pass instructions to field units was that in a fast-changing battle environment, coupled with multiple ceasefires coming in rapid succession, some units were "outside the loop" and continued to attack during a ceasefire.
The Hamas spokesman alluded to that fact, saying that they could not contact the group who snatched officer Goldin, thus resulting in close to 200 deaths and many hundreds wounded in Rafah due to the "Hannibal directive" that followed said abduction.

Nick P • August 4, 2014 5:38 PM

Researchers extract audio from video *imagery*

http://newsoffice.mit.edu/2014/algorithm-recovers-speech-from-vibrations-0804

The researchers essentially convert visible vibration of objects into sound that caused it. This has implications for surveillance and counter-surveillance. Now, one can't merely turn off the audio to prevent such recording. Also, one might be identified merely because they spoke during video. If this capability gets accurate, then it may also be integrated into mass collection and analysis programs for cross-referencing. Facebook already did stuff like that with their image recognition feature, including profiling non-users in photographs.

Matija • August 5, 2014 2:59 AM

@Nick P

The principle is old, very old. That's how a laser tapping device works (AKA laser microphone) when you point it at a vibrating object like a window (glass).

Jacob • August 5, 2014 6:59 AM

@ Matija

Laser interferometer and this video acquisition are 2 different things - the first is active, and since it is normally IR in order not to draw attention, I guess that it cannot penetrate a glass window, thus can only hit a window of an outside-facing room.
The video is completely passive, and I guess that with a medium zoom lens one can tap any conversation (with appropriate objects near by) in the line of sight - be it internal room or even an open environment.

Clive Robinson • August 5, 2014 8:39 AM

@ Matija,

As Jacob has pointed out there is quite a difference between active laser based systems and passive camera based systems.

Whilst a video signal has plenty of bandwidth to carry multiple audio signals, the frame rate is usually below the usual speech audio signal frequencies (0.3 kHz-2.5 kHz), which would normally indicate it would not be a practical system from the ordinary signals side of things. Which is why most engineers would not consider it even if they knew about laser microphones.

I suspect that this may not have been practical even a few years ago as ADCs and the following DSPs would have either been unavailable or unaffordable.

I guess it's a case of if you blink technology passes you by :-)

Deriu • August 5, 2014 10:32 AM

http://www.cso.com.au/article/550995/firefox_gains_chrome-like_malicious_file_defences/?utm_source=www.cso.com.au&utm_medium=top_multi_promo

"At the moment, Firefox has no way of dealing with files that fall outside its local block and allow lists, however this will change in Firefox 32 and onwards, at least for Windows. In Firefox 32 on Windows, when files don’t have a known good publisher the browser will query Google’s Safe Browsing API with “download metadata” that’s similar to what Chrome uses in its check."

This better be an opt-in service. If my browser dials up Google every time I download a file, I'm not going to be a happy bunny...

mj12 • August 5, 2014 11:34 AM

@Deriu

It does already, by default, albeit not for file downloads but for site visits. Lurk up "Safebrowsing".

Deriu • August 5, 2014 1:15 PM

Wow, they slipped this one past me! I can see why some people might find this feature useful, but the fact that Google is receiving a live feed of my browsing history without Mozilla even asking users for permission through a simple prompt is an absolute joke. As far as I see it, this is much, much worse than the brouhaha about Canonical and Amazon (https://www.eff.org/deeplinks/2012/10/privacy-ubuntu-1210-amazon-ads-and-data-leaks). Goodbye Firefox!

Benni • August 5, 2014 1:34 PM

Funny twitter account of someone who posts internal documents about the government spyware FinFisher (http://en.wikipedia.org/wiki/FinFisher):

https://twitter.com/gammagrouppr

Documents are, for example:

- Cyber solutions for the fight against crime (17 pages)
  https://netzpolitik.org/wp-upload/FF_SolutionBrosch%C3%BCre_RZ_web.pdf
- FinSpy 3.00 – User Manual – 2011-06-05, from Stephan Oelkers (127 pages)
  https://netzpolitik.org/wp-upload/0F28548C.pdf
- FinSpyPC 4.51 (HotFix for 4.50) Release Notes – 2014-04-14 (14 pages)
  https://netzpolitik.org/wp-upload/FinSpyPC.4.51.ReleaseNotes.pdf
- FinSpyMobile 4.51 Release Notes – 2014-04-14 (15 pages)
  https://netzpolitik.org/wp-upload/Release-Notes-FinSpy-Mobile-4.51.pdf

Microsoft Excel:

- FinFisher Price list 2014 – 2013-12-16 (updated: 2014-01-24)
  https://netzpolitik.org/wp-upload/FinFisher_Price_list_2014_v20131216.xltx
- FinFisher Products Extended Antivirus Test (Anti-Virus Results FinSpy PC 4.51) – 2014-04-04
  https://netzpolitik.org/wp-upload/Anti-Virus-Results-FinSpy-PC-4.51.xlsm
- Device Tests FinSpyMobile 4.51 – 2006-09-16 (updated: 2014-04-15)
  https://netzpolitik.org/wp-upload/Device-Tests-FinSpyMobile4.51.xlsx

Oh vey • August 5, 2014 1:44 PM

"Google is receiving a live feed of my browsing history"

If you are using FF this statement is categorically untrue. Google will only see your data if and when you try to visit a site that the database considers malicious and then the only data Google sees is whatever cookies are on your machine at that time. Now, if a person is practicing safe browsing habits and using other features of FF then the actual data Google will ever see is minimal. Now, I concur that Google seeing anything at all is less than ideal. But the sky isn't falling. As security holes go this is a small one.

BJP • August 5, 2014 2:21 PM

Throwing this out for everyone's amusement.

Mozilla Firefox bug 345345: https://bugzilla.mozilla.org/show_bug.cgi?id=345345

Those ephemeral "session" cookies you thought were only stored in-memory and expired when your browser closed? Since at least 2006 or so Firefox likes to save them on disk in case the session restore functionality decides Firefox crashed and elects to resume your session, logging you back into sites you thought you were long out of, using your old cookies.

Clive Robinson • August 5, 2014 4:28 PM

@ Bruce,

Another one to add to your list of tech-&-human nature,

http://www.itproportal.com/2014/08/01/drone-stuffed-cannabis-crashes-outside-maximum-security-prison/

Oh, the same site has an article about hacking aircraft avionics that will be presented at Black Hat; from the way it's written we've heard this before, so it's probably best to wait until after the presentation. However I expect it will be "standing room only" as MH370 has been mentioned by some commentators.

Clive Robinson • August 5, 2014 4:54 PM

Off topic:

Speaking of Black Hat... Did you buy a new car this year?

Did you consider what's under the hood?

Is it lots of horses or is it just a pownie?

If it's an Infiniti Q50 you might be hacked off to know it's possibly the easiest to be hacked, according to some researchers,

http://www.darkreading.com/vulnerabilities---threats/advanced-threats/the-worlds-most-hackable-cars/d/d-id/1297753

All jokes aside, it appears auto manufacturers are starting to take these vulnerability issues on board. Now if only the IoT and smart meter evangelists would take note. Oh, and let's not forget the medical implant and other medical device manufacturers: do you really want your heart to be twitching to the beat of a drive-by hacker...

Benni • August 5, 2014 5:03 PM

What makes the NSA a bit sympathetic is that there is not only Snowden, but others who release documents crafted in August 2013, long after Snowden left Hawaii...

http://www.spiegel.de/politik/ausland/edward-snowden-zweiter-whistleblower-gibt-us-geheimnisse-preis-a-984651.html

Interestingly, if you fly to the US:
https://firstlook.org/theintercept/article/2014/08/05/watch-commander/

According to the documents, the government does much more than simply stop watchlisted people at airports. It also covertly collects and analyzes a wide range of personal information about those individuals –including facial images, fingerprints, and iris scans.

DTI’s efforts in Boston and Chicago are part of a broader push to obtain biometric information on the more than one million people targeted in its secret database. This includes hundreds of thousands of people who are not watchlisted.

Note that "—more than 40 percent are described by the government as having “no recognized terrorist group affiliation.” That category—280,000 people—dwarfs the number of watchlisted people suspected of ties to al Qaeda, Hamas, and Hezbollah combined."

Mike the goat • August 5, 2014 8:59 PM

Hey guys - just a 'ping' - have had a death in the family and been away from work and computers for a week or so. To add insult to injury our landlord appears to not have been paying their bank and we've been asked to leave, so we are in the middle of moving ourselves about five miles down the road. I just wanted to check in and assure everyone that I am still alive and the CIA hasn't taken me out (yet ;-)..

Wael • August 5, 2014 9:14 PM

@Mike the goat,
Sorry to hear that bud. We're all heading there...
Glad you're ok. I should expect you to be horn equipped for the next few days then...

Benni • August 6, 2014 9:11 AM

More from FinFisher:
https://netzpolitik.org/2014/gamma-finfisher-twitter-account-veroeffentlicht-interne-dokumente-ueber-weltweit-eingesetzten-staatstrojaner/

The site of the malware developers was hacked, and the hackers have put a torrent of this online. netzpolitik.org says the data would show attacks on people in Bahrain and other things but I have not downloaded it yet.

If you want in-depth information on a government malware (note that the German authorities have bought some of the malwares from this company) then the link above is the way to go. The text is German, but it contains the download links for the data.

I think this is great news. Similar companies like Vupen should be hacked too....

Gerard van Vooren • August 7, 2014 12:20 AM

About the *very disturbing* news of the Gamma / FinFisher hack.

If this news is true, then I would like to repeat that these guys are selling software for which an ordinary user, if they used it, could face 35 years behind bars. Yet governments use this kind of tools on a daily professional basis.

They are selling Big Brother.

And they sell it to a selected few.

Another *very annoying* thing is that commonly used software is seemingly on such a level of security that it is not existing.

Benni • August 7, 2014 12:41 AM

In this article on Russia:

http://www.spiegel.de/politik/ausland/russland-putins-propaganda-wird-dreister-und-funktioniert-a-984074.html

DER SPIEGEL writes that

"the reality is: The Russian intercontinental missile SS-18 consists of parts where over 2/3 come from Ukraine. The turbines of the transport aeroplane AN-124 and the Russian army helicopters come from the Ukrainian city Saporischja and 90% of the machines from which Russia creates material for its army are bought from western countries."

Der Spiegel has the largest fact checking department of a newspaper worldwide, with over 50 full time fact checkers going over each article before it gets published.

In order to determine that 2/3 of the parts of an intercontinental missile come from Ukraine, you need to know how many parts this rocket consists of and who delivers which parts. Similarly, in order to know how many percent of the machines that build Russian army gear come from the west you need to have detailed insight into how these things are produced.

I hereby ask DER SPIEGEL: if it has blueprints and instructions on how Russian intercontinental missiles, army helicopters, and Russian army gear are made, please release all this to Wikileaks for immediate publication.

Blueprints of intercontinental missiles should be completely open source.

Since only if everyone can build them, they will get banned.

Benni • August 7, 2014 5:44 AM

Snowden's permission to stay in Russia was extended to three years. He can even travel abroad for no longer than three months:

http://rt.com/news/178680-snowden-stay-russia-residence/

The question is whether he can travel to Germany with that.

Snowden really should say hello on German ground to the friends at the NSA investigation commission of the German parliament.

Nick P • August 7, 2014 7:08 AM

@ Benni

They already said they'd grab him the moment he stepped on German soil. It was even more astonishing that they talked about the benefit of his information for Germany and them turning him over for prosecution in same story. I think you posted that. So, with that said, he should never enter Germany if he wants to be free.

Jan Doggen • August 7, 2014 8:30 AM

Hey, I suddenly notice that the comment option on the blog has a 'fill in the blank' antispam measure. The first word that came to mind for filling in there was 'steroids', but that would probably not get this comment through the filter...

Benni • August 7, 2014 8:44 AM

@Nick_P
Regarding Snowden:
"They already said they'd grab him the moment he stepped on German soil."

At the moment, this would not be legal. Snowden is, according to the German police, not on the wanted list in Germany.

The German government instead sent further questions regarding the letter of the US government which wanted an extradition. The German government said that the information provided by the US is, until now, not sufficient to provide reasons for an extradition. German law forbids extradition for political crimes. For Snowden, extradition from Germany is completely off the table.

The problem would be illegal kidnapping by CIA. But for a short stay for a hearing in parliament, there would not be any danger of this.


Benni • August 7, 2014 8:46 AM

Funny article http://goo.gl/it68lr on the backdoor of 2 billion Android, BlackBerry and iPhone mobiles, where an attacker can remotely do man in the middle, collect the conversations, and manipulate the software and the settings of the phone with $1000 of equipment, and all remotely.

(Setting the mic on and starting a transmission must be a really wanted feature for our NSA friends. Especially since with access on this level, it is questionable whether encryption cards like those in these Merkel phones are still of use, as long as they are using BlackBerry, iOS or Android. It may be that they simply remotely install a surveillance software with this method which can capture the content that the mic receives and sends this afterwards to the listening station, bypassing the card that encrypts the communication to the mobile provider. Perhaps this is why German NSA agents claimed in a German tabloid that these crypto cards in the BlackBerries of German parliamentarians do not affect their work.)

Incredulous • August 7, 2014 8:47 AM

Re: Firefox

The only way to know what your computer is up to is to sniff your connection. If you are not sniffing your connection you have no reason to think that all sorts of information is not being leaked. Do you load software, add-ons, antivirus? Do you have a smart phone? If you are not checking it is absurd to think you know where they are connecting. Skype? Crap, I removed it when I found it talking all over Eastern Europe when I thought it was idle.

You could put an outbound firewall on your system but I've never found one that is usable. The one I tried appeared to be leaking more data than the system it was supposedly protecting.

The firefox/google connection was one of the first things I sniffed. But it is hardly a secret. There is plenty of information on removing google from firefox, which I do, although it appears to revert occasionally with updates. The answer: sniff sniff sniff.

I wrote a network monitor which runs all the time, consolidating and storing the information in a big data database. It pays particular attention to every dns query. It can also search for specific triggers and then initiate active responses like iptables updates and scans of suspicious systems connecting to mine. Since it runs off a database I can break scans down and do them over long periods, obfuscating my response. It also helps to change your ip address daily, if you can.
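As an added illustration of the kind of always-on DNS-query monitor Incredulous describes (this is example code written for this page, not his monitor), the block below parses a few constructed log lines, counts queries per registered domain and records the first time an unexpected domain was contacted, which is the sort of trigger an active response could hang off. The one-line log format, the expected-domain list and the "last two labels" grouping are assumptions made for the example; it runs over any host's log in that format, not just a browser's.

```python
"""Minimal DNS-query log monitor over constructed sample lines."""
from collections import Counter
from datetime import datetime

# Constructed sample lines (not real traffic) in a simple
# "timestamp client qname" format; real resolver logs differ (assumption).
SAMPLE_LOG = """\
2014-08-07T08:47:01 192.168.1.10 addons.mozilla.org
2014-08-07T08:47:02 192.168.1.10 safebrowsing.google.com
2014-08-07T08:47:05 192.168.1.10 www.example.org
2014-08-07T08:47:09 192.168.1.10 safebrowsing.google.com
2014-08-07T08:48:30 192.168.1.10 telemetry.vendor.example
2014-08-07T08:49:00 192.168.1.10 safebrowsing.google.com
"""

# Domains the operator expects this host to contact (assumed for the example).
EXPECTED_SUFFIXES = ("mozilla.org", "example.org")


def parse_line(line):
    """Split one log line into (timestamp, client, normalised qname)."""
    ts, client, qname = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"), client, qname.lower().rstrip(".")


def registered_domain(qname):
    """Crude grouping by the last two labels (no public-suffix list)."""
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def is_expected(qname):
    return any(qname == s or qname.endswith("." + s) for s in EXPECTED_SUFFIXES)


def analyse(log_text):
    """Count queries per registered domain and record the first sighting
    of every domain; unexpected first sightings are the trigger events."""
    counts = Counter()
    first_seen = {}
    unexpected = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, qname = parse_line(line)
        dom = registered_domain(qname)
        counts[dom] += 1
        if dom not in first_seen:
            first_seen[dom] = ts
            if not is_expected(qname):
                unexpected.append((ts, client, qname))
    return {"counts": counts, "first_seen": first_seen, "unexpected": unexpected}


def report(log_text):
    """Human-readable summary: per-domain counts plus unexpected sightings."""
    res = analyse(log_text)
    lines = [f"{dom}: {n} queries" for dom, n in res["counts"].most_common()]
    for ts, client, qname in res["unexpected"]:
        lines.append(f"UNEXPECTED {ts.isoformat()} {client} -> {qname}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Storing the raw rows in a database, as the comment describes, would let the same `analyse` step run over arbitrary windows; the `unexpected` list is what you would feed to a response hook such as a firewall rule update.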

Benni • August 7, 2014 8:56 AM

Every mobile phone gets, upon connection, a temporary mobile subscriber identity (TMSI). This identifies the phone together with the so called location area (LA). According to the GSM standard, the TMSI and the LA are used to initiate the connection. Whenever an SMS is sent, the provider must first find the LA of the phone. This information is transmitted by the phone to the provider and saved in the visitor location register. To the stations in the LA of the phone, the provider broadcasts the TMSI and then the phone answers in order to identify itself to the provider and to receive the SMS. This connection process is not encrypted (that was likely a brilliant idea of the hard working GCHQ/NSA/BND spies). Moreover, in the GSM standard we can find the following funny specification: http://goo.gl/CYN8Cd
"The SMS Relay Layer shall discard the message without further processing if any of the following is true:
MSG_NUMBER field is set to a value other than 1
NUM_MSGS field is set to a value other than 1
NUM_FIELDS field is set to zero"
This means that an SMS can be sent such that it is discarded by the phone and the user is not notified. However, the SMS is received nevertheless, and a secret service or a police force can use this to determine the location area from which the phone connected to the provider without the user being notified.
In a new answer, http://goo.gl/h5ZRJj, the German government wrote, on the question whether they use WLAN catchers, that information on this is classified. So one unfortunately has to assume they indeed use these devices. However, in the same reply, the government revealed that the German domestic intelligence service "Bundesamt für Verfassungsschutz" used the SMS method described above for locating mobile phone users in 52.978 cases just in the first six months of 2014. Apart from the fact that they apparently think Germany is full of terrorists, it is disturbing that one cannot really determine whether one is under such kind of surveillance. There is, however, an information freedom law in Germany http://goo.gl/dvyys9 and in fact some people had success http://goo.gl/T2HsJv in getting their file from the intelligence service based on that law.
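To make the quoted discard rule concrete, here is an added example (written for this page, not taken from the comment or from any standard's reference code) that models the relay-layer check over a constructed batch of messages and shows the one phone-side indicator the comment's "cannot really determine" remark points at: counting how many messages were silently dropped in a sliding window. It assumes a simplified message carrying only the three fields the excerpt names, and it assumes the phone exposes discard events to software at all, which real basebands may not.

```python
"""Model of the quoted SMS relay-layer discard rule plus a phone-side burst indicator."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class SmsRelayMessage:
    """Simplified relay-layer message: only the fields the quoted rule checks (assumption)."""
    received_at: datetime
    msg_number: int   # MSG_NUMBER
    num_msgs: int     # NUM_MSGS
    num_fields: int   # NUM_FIELDS
    text: str = ""


def relay_layer_accepts(msg):
    """Apply the discard rule quoted in the comment: if any of the three
    conditions holds, the relay layer discards the message without further
    processing, so the user is never notified."""
    if msg.msg_number != 1:
        return False
    if msg.num_msgs != 1:
        return False
    if msg.num_fields == 0:
        return False
    return True


def process(messages):
    """Split a batch into what reaches the user and what is silently dropped."""
    delivered, discarded = [], []
    for msg in messages:
        (delivered if relay_layer_accepts(msg) else discarded).append(msg)
    return delivered, discarded


def max_discards_in_window(discarded, window=timedelta(hours=1)):
    """Largest number of silently discarded messages inside any sliding
    window of the given length (assumes discard events are visible)."""
    times = sorted(m.received_at for m in discarded)
    best, start = 0, 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def burst_suspected(discarded, window=timedelta(hours=1), threshold=3):
    """Flag when silent discards cluster more tightly than normal traffic would."""
    return max_discards_in_window(discarded, window) >= threshold


# Constructed sample batch (not captured traffic): two ordinary texts and
# three messages that each trip one clause of the discard rule within ten minutes.
T0 = datetime(2014, 8, 7, 8, 0)
SAMPLE_BATCH = [
    SmsRelayMessage(T0, 1, 1, 1, "hello"),
    SmsRelayMessage(T0 + timedelta(minutes=2), 1, 1, 0),       # NUM_FIELDS = 0
    SmsRelayMessage(T0 + timedelta(minutes=5), 2, 1, 1, "x"),  # MSG_NUMBER != 1
    SmsRelayMessage(T0 + timedelta(minutes=9), 1, 3, 1, "x"),  # NUM_MSGS != 1
    SmsRelayMessage(T0 + timedelta(hours=3), 1, 1, 1, "see you"),
]


def analyse_sample():
    """Return (delivered count, discarded count, burst flag) for the sample batch."""
    delivered, discarded = process(SAMPLE_BATCH)
    return len(delivered), len(discarded), burst_suspected(discarded)


if __name__ == "__main__":
    print(analyse_sample())  # (2, 3, True)
```

The threshold and window are tuning knobs; the point of the example is that the discard happens below the user interface, so any indicator has to come from the layer that sees the message before it is dropped.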

Nick P • August 7, 2014 10:28 AM

@ Benni

CIA is a huge risk because they mainly do it at (or through) airports. A previous story showed a rendition plane was waiting in Germany for Snowden where he would've had to go to turn himself in. Unless Germany officially rejects extradition (unconditionally) and provides security, then Snowden is still at risk if he shows up.

Scared • August 7, 2014 1:10 PM

TSA Checkpoints Vulnerable to Hacks Through Backdoors
http://www.businessweek.com/articles/2014-08-07/tsa-checkpoints-vulnerable-to-hacks-through-backdoors#r=hpt-ls

The Transportation Security Administration, that guardian of airports for whom we have all shed shoes, jackets, and loose change, has a worrisome safety issue of its own, according to a cyber researcher for Qualys.

Two devices that may be used at airport and other security checkpoints have “backdoors”—usernames and passwords hard-coded into the equipment that a hacker could use to get into the machines, says Billy Rios, in findings he discussed yesterday at the Black Hat security conference in Las Vegas.

The time-tracking system, made by Kronos, had two back doors via hardcoded usernames and passwords. Worse, Rios found about 6,000 of the devices connected to the Internet, including one at San Francisco International Airport—which Rios says he worked with the Department of Homeland Security to get taken offline.

Ross Feinstein, a spokesman for TSA, says the agency has a rigorous certification and accreditation process for technology: “This process ensures information technology security risks are identified and mitigation plans put in place, as necessary. A majority of the equipment we utilize is not available for sale commercially or to any other entity.”

Benni • August 8, 2014 10:53 AM

Now Germany has sent a note to all foreign embassies in Germany:

http://www.spiegel.de/politik/deutschland/spionage-bundesregierung-aufdeckung-aller-agenten-in-deutschland-a-985199.html

This comes after SPIEGEL revealed that there are 200 NSA spies working undercover in Germany. Germany's domestic secret service has asked for a list of all NSA spies in Germany before, and it did not get any answer from the US.

Now the foreign ministry of Germany has sent an official note to all foreign embassies that they should give a list of all secret service personnel to the German foreign ministry.

That is typically German. In future, before a spy will be allowed to deploy his radar bugs in Germany, he will have to sign some paper, getting accredited as an official NSA spy in Germany. Just so that everything is in order.....
