Blog: September 2014 Archives

NSA Patents Available for License

There's a new article on NSA's Technology Transfer Program, a 1990s-era program to license NSA patents to private industry. I was pretty dismissive about the offerings in the article, but I didn't find anything interesting in the catalog. Does anyone see something I missed?

My guess is that the good stuff remains classified, and isn't "transferred" to anyone.

Slashdot thread.

Posted on September 29, 2014 at 6:02 AM32 Comments

Friday Squid Blogging: Squid Fishing Moves North in California

Warmer waters are moving squid fishing up the California coast.

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

Posted on September 26, 2014 at 4:28 PM162 Comments

Medical Records Theft and Fraud

There's a Reuters article on new types of fraud using stolen medical records. I don't know how much of this is real and how much is hype, but I'm certain that criminals are looking for new ways to monetize stolen data.

Posted on September 26, 2014 at 12:44 PM14 Comments

Security Trade-offs of Cloud Backup

This is a good essay on the security trade-offs with cloud backup:

iCloud backups have not eliminated this problem, but they have made it far less common. This is, like almost everything in tech, a trade-off:

  • Your data is far safer from irretrievable loss if it is synced/backed up, regularly, to a cloud-based service.

  • Your data is more at risk of being stolen if it is synced/backed up, regularly, to a cloud-based service.

Ideally, the companies that provide such services minimize the risk of your account being hijacked while maximizing the simplicity and ease of setting it up and using it. But clearly these two goals are in conflict. There's no way around the fact that the proper balance is somewhere in between maximal security and minimal complexity.

Further, I would wager heavily that there are thousands and thousands more people who have been traumatized by irretrievable data loss (who would have been saved if they'd had cloud-based backups) than those who have been victimized by having their cloud-based accounts hijacked (who would have been saved if they had only stored their data locally on their devices).

It is thus, in my opinion, terribly irresponsible to advise people to blindly not trust Apple (or Google, or Dropbox, or Microsoft, etc.) with "any of your data" without emphasizing, clearly and adamantly, that by only storing their data on-device, they greatly increase the risk of losing everything.

It's true. For most people, the risk of data loss is greater than the risk of data theft.

Posted on September 25, 2014 at 2:17 PM80 Comments

Nasty Vulnerability found in Bash

It's a big and nasty one.

Inevitably we're going to see articles pointing at this and at Heartbleed and claim a trend in vulnerabilities in open-source software. If anyone has any actual data other than these two instances and the natural human tendency to generalize, I'd like to see it.

Posted on September 25, 2014 at 10:31 AM93 Comments

Detecting Robot Handwriting

Interesting article on the arms race between creating robot "handwriting" that looks human, and detecting text that has been written by a robot. Robots will continue to get better, and will eventually fool all of us.

Posted on September 24, 2014 at 7:12 AM26 Comments

Lesson in Successful Disaster Planning

I found the story of the Federal Reserve on 9/11 to be fascinating. It seems they just flipped a switch on all their Y2K preparations, and it worked.

Posted on September 23, 2014 at 1:09 PM44 Comments

Security for Vehicle-to-Vehicle Communications

The National Highway Traffic Safety Administration (NHTSA) has released a report titled "Vehicle-to-Vehicle Communications: Readiness of V2V Technology for Application." It's very long, and mostly not interesting to me, but there are security concerns sprinkled throughout: both authentication to ensure that all the communications are accurate and can't be spoofed, and privacy to ensure that the communications can't be used to track cars. It's nice to see this sort of thing thought about in the beginning, when the system is first being designed, and not tacked on at the end.

Posted on September 22, 2014 at 6:03 AM21 Comments

Friday Squid Blogging: Colossal Squid Dissected in New Zealand

Months after it was found in August, scientists have dissected a colossal squid. There's even video.

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

Posted on September 19, 2014 at 4:29 PM113 Comments

iOS 8 Security

Apple claims that they can no longer unlock iPhones, even if the police show up with a warrant. Of course they still have access to everything in iCloud, but it's a start.

EDITED TO ADD (9/19): Android is doing the same thing.

EDITED TO ADD (9/23): Good analysis of iOS 8 and iCloud security.

Posted on September 19, 2014 at 12:54 PM46 Comments

Fake Cell Phone Towers Across the US

Earlier this month, there were a bunch of stories about fake cell phone towers discovered around the US. These seem to be IMSI catchers, like Harris Corporation's Stingray, and are used to capture location information and potentially phone calls, text messages, and smart-phone Internet traffic. A couple of days ago, the Washington Post ran a story about fake cell phone towers in politically interesting places around Washington DC. In both cases, researchers used security software that's part of CryptoPhone from the German company GSMK. And in both cases, we don't know who is running these fake cell phone towers. Is it the US government? A foreign government? Multiple foreign governments? Criminals?

This is the problem with building an infrastructure of surveillance: you can't regulate who gets to use it. The FBI has been protecting Stingray like it's an enormous secret, but it's not a secret anymore. We are all vulnerable to everyone because the NSA wanted us to be vulnerable to them.

We have one infrastructure. We can't choose a world where the US gets to spy and the Chinese don't. We get to choose a world where everyone can spy, or a world where no one can spy. We can be secure from everyone, or vulnerable to anyone. And I'm tired of us choosing surveillance over security.

Posted on September 19, 2014 at 6:11 AM80 Comments

The Full Story of Yahoo's Fight Against PRISM

In 2008, Yahoo fought the NSA to avoid becoming part of the PRISM program. It eventually lost the court battle, and at one point was threatened with a $250,000 a day fine if it continued to resist. I am continually amazed at the extent of the government coercion.

Posted on September 18, 2014 at 7:13 AM49 Comments

Identifying Dread Pirate Roberts

According to court documents, Dread Pirate Roberts was identified because a CAPTCHA service used on the Silk Road login page leaked the users' true location.

Posted on September 17, 2014 at 2:30 PM37 Comments

Tracking People From their Cell Phones with an SS7 Vulnerability

What's interesting about this story is not that the cell phone system can track your location worldwide. That makes sense; the system has to know where you are. What's interesting about this story is that anyone can do it. Cyber-weapons arms manufacturers are selling the capability to governments worldwide, and hackers have demonstrated the capability.

Posted on September 17, 2014 at 7:15 AM22 Comments

Two New Snowden Stories

New Zealand is spying on its citizens. Edward Snowden weighs in personally.

The NSA and GCHQ are mapping the entire Internet, including hacking into Deutsche Telekom and other companies.

EDITED TO ADD (9/18): Marcy Wheeler comments on the second story, noting that the NSA uses this capability to map MAC addresses.

Posted on September 15, 2014 at 2:25 PM36 Comments

Security of the SHA Family of Hash Functions

Good article on the insecurity of SHA-1 and the need to replace it sooner rather than later.

Posted on September 15, 2014 at 9:26 AM46 Comments

Friday Squid Blogging: 200-Pound Squid Found in Gulf of Mexico

A 200-pound dead giant squid was found near the coast of Matagorda, Texas. This is only the third giant squid ever found in the Gulf of Mexico.

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

Posted on September 12, 2014 at 4:26 PM131 Comments

The Concerted Effort to Remove Data Collection Restrictions

Since the beginning, data privacy regulation has focused on collection, storage, and use. You can see it in the OECD Privacy Framework from 1980 (see also this proposed update).

Recently, there has been concerted effort to focus all potential regulation on data use, completely ignoring data collection. Microsoft's Craig Mundie argues this. So does the PCAST report. And the World Economic Forum. This is lobbying effort by US business. My guess is that the companies are much more worried about collection restrictions than use restrictions. They believe that they can slowly change use restrictions once they have the data, but that it's harder to change collection restrictions and get the data in the first place.

We need to regulate collection as well as use. In a new essay, Chris Hoofnagle explains why.

Posted on September 12, 2014 at 6:41 AM53 Comments

Tabnapping: A New Phishing Attack

Aza Raskin describes a new phishing attack: taking over a background tab on a browser to trick people into entering in their login credentials. Clever.

EDITED TO ADD (9/12): This is not a new attack. The link above is from 2010. Here's another article from 2010.

Posted on September 11, 2014 at 6:15 AM26 Comments

WikiLeaks Spy Files

WikiLeaks has organized the trove of documents about corporations aiding government surveillance around the world. It's worth wandering around through all this material.

EDITED TO ADD (9/12): I made a mistake. WikiLeaksdidn't do the organizing; Silk did.

Posted on September 10, 2014 at 2:08 PM8 Comments

Wi-Fi Jammer

A device called Cyborg Unplugged can be configured to prevent any Wi-Fi connection:

Oliver notes on the product's website that its so-called "All Out Mode" -- which prevents surveillance devices from connecting to any Wi-Fi network in the area -- is likely illegal, and he advises against its use. Nevertheless, we can imagine activists slipping these little devices into public areas and wreaking a bit of havoc.

Posted on September 9, 2014 at 2:07 PM35 Comments

iPhone Payment Security

Apple is including some sort of automatic credit card payment system with the iPhone 6. It's using some security feature of the phone and system to negotiate a cheaper transaction fee.

Basically, there are two kinds of credit card transactions: card-present, and card-not-present. The former is cheaper because there's less risk of fraud. The article says that Apple has negotiated the card-present rate for its iPhone payment system, even though the card is not present. Presumably, this is because of some other security features that reduce the risk of fraud.

Not a lot of detail here, but interesting nonetheless.

Posted on September 8, 2014 at 7:21 AM41 Comments

Friday Squid Blogging: Book by One Squid-Obsessed Person About Another

Preparing the Ghost: An Essay Concerning the Giant Squid and Its First Photographer, by Matthew Gavin Frank.

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

Posted on September 5, 2014 at 4:06 PM222 Comments

Security of Password Managers

At USENIX Security this year, there were two papers studying the security of password managers:

It's interesting work, especially because it looks at security problems in something that is supposed to improve security.

I've long recommended a password manager to solve the very real problem that any password that can be easily remembered is vulnerable to a dictionary attack. The world got a visceral reminder of this earlier this week, when hackers posted iCloud photos from celebrity accounts. The attack didn't exploit a flaw in iCloud; the attack exploited weak passwords.

Security is often a trade-off with convenience, and most password managers automatically fill in passwords on browser pages. This turns out to be a difficult thing to do securely, and opens up password managers to attack.

My own password manager, Password Safe, wasn't mentioned in either of these papers. I specifically designed it not to automatically fill. I specifically designed it to be a standalone application. The fast way to transfer a password from Password Safe to a browser page is by using the operating system's cut and paste commands.

I still recommend using a password manager, simply because it allows you to choose longer and stronger passwords. And for the few passwords you should remember, my scheme for generating them is here.

EDITED TO ADD (9/12): The second paper was updated to include PasswordSafe. And this 2012 paper on password managers does include PasswordSafe.

Posted on September 5, 2014 at 5:18 AM91 Comments

JackPair Encrypted Phone Add-On

JackPair is a clever device encrypts your voice between your headset and the audio jack. The crypto looks competent, and the design looks well-thought-out. I'd use it.

Posted on September 3, 2014 at 6:53 AM124 Comments

Pencil-and-Paper Codes Used by Central American Criminal Gangs

No mention of how good the codes are. My guess is not very.

EDITED TO ADD (9/12): It's a simple substitution cipher.

Posted on September 1, 2014 at 9:30 AM21 Comments

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.