Blog: June 2016 Archives

Interview with an NSA Hacker

Peter Maas interviewed the former NSA official who wrote the infamous "I Hunt Sysadmins" memo.

It's interesting, but I wanted to hear less of Peter Maas -- I already know his views -- and more from the NSA hacker.

Posted on June 29, 2016 at 6:29 AM123 Comments

Security Analysis of TSA PreCheck

Interesting research: Mark G. Stewart and John Mueller, "Risk-based passenger screening: risk and economic assessment of TSA PreCheck increased security at reduced cost?"

Executive Summary: The Transportation Security Administration's PreCheck program is risk-based screening that allows passengers assessed as low risk to be directed to expedited, or PreCheck, screening. We begin by modelling the overall system of aviation security by considering all layers of security designed to deter or disrupt a terrorist plot to down an airliner with a passenger-borne bomb. Our analysis suggests that these measures reduce the risk of such an attack by at least 98%. Assuming that the accuracy of Secure Flight may be less than 100% when identifying low and high risk passengers, we then assess the effect of enhanced and expedited (or regular and PreCheck) screening on deterrence and disruption rates. We also evaluate programs that randomly redirect passengers from the PreCheck to the regular lines (random exclusion) and ones that redirect some passengers from regular to PreCheck lines (managed inclusion). We find that, if 50% of passengers are cleared for PreCheck, the additional risk reduction (benefit) due to PreCheck is 0.021% for attacks by lone wolves, and 0.056% for ones by terrorist organisations. If 75% of passengers rather than 50% go through PreCheck, these numbers are 0.017% and 0.044%, still providing a benefit in risk reduction. Under most realistic combinations of parameter values PreCheck actually increases risk reduction, perhaps up to 1%, while under the worst assumptions, it lowers risk reduction only by some 0.1%. Extensive sensitivity analyses suggests that, overall, PreCheck is most likely to have an increase in overall benefit.

The report also finds that adding random exclusion and managed inclusion to the PreCheck program has little effect on the risk reducing capability of PreCheck one way or the other. For example, if 10% of non-PreCheck passengers are randomly sent to the PreCheck line, the program still is delivers a benefit in risk reduction, and provides an additional savings for TSA of $11 million per year by reducing screening costs -- while at the same time improving security outcomes.

There are also other co-benefits, and these are very substantial. Reducing checkpoint queuing times improves in the passenger experience, which would lead to higher airline revenues, can exceed several billion dollars per year. TSA PreCheck thus seems likely to bring considerable efficiencies to the screening process and great benefits to passengers, airports, and airlines while actually enhancing security a bit.

Posted on June 28, 2016 at 2:10 PM31 Comments

Facebook Using Physical Location to Suggest Friends

This could go badly:

"People You May Know are people on Facebook that you might know," a Facebook spokesperson said. "We show you people based on mutual friends, work and education information, networks you're part of, contacts you've imported and many other factors."

One of those factors is smartphone location. A Facebook spokesperson said though that shared location alone would not result in a friend suggestion, saying that the two parents must have had something else in common, such as overlapping networks.

"Location information by itself doesn't indicate that two people might be friends," said the Facebook spokesperson. "That's why location is only one of the factors we use to suggest people you may know."

The article goes on to describe situations where you don't want Facebook to do this: Alcoholics Anonymous meetings, singles bars, some Tinder dates, and so on. But this is part of Facebook's aggressive use of location data in many of its services.

BoingBoing post.

EDITED TO ADD: Facebook backtracks.

Posted on June 28, 2016 at 6:56 AM34 Comments

Crowdsourcing a Database of Hotel Rooms

There's an app that allows people to submit photographs of hotel rooms around the world into a centralized database. The idea is that photographs of victims of human trafficking are often taken in hotel rooms, and the database will help law enforcement find the traffickers.

I can't speak to the efficacy of the database -- in particular, the false positives -- but it's an interesting crowdsourced approach to the problem.

Posted on June 27, 2016 at 6:05 AM44 Comments

Friday Squid Blogging: Bioluminescence as Camouflage

Interesting:

There is one feature of the squid that is not transparent and which could act as a signal to prey ­ the eyes. However, the squid has a developed protection here as well. The large eyes of the squid are camouflaged with bioluminescence.

Underneath the eyes of the squid are silvery patches of cells called photophores. These provide under surface bioluminescence which adds to the camouflage. The cells leak put light in multiple directions that effectively make the squid invisible when viewed from above. The resultant glowing blur makes the eyes of the glass squid less conspicuous to predator approaching from a variety of angles.

Research paper.

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

Posted on June 24, 2016 at 4:39 PM177 Comments

Using Social Media to Discover Hidden Wealth

Stories of burglars using social media to figure out who's on vacation are old hat. Now financial investigators are using social media to find hidden wealth.

Posted on June 24, 2016 at 6:29 AM10 Comments

Comparing Messaging Apps

Micah Lee has a nice comparison among Signal, WhatsApp, and Allo.

In this article, I'm going to compare WhatsApp, Signal, and Allo from a privacy perspective.

While all three apps use the same secure-messaging protocol, they differ on exactly what information is encrypted, what metadata is collected, and what, precisely, is stored in the cloud ­- and therefore available, in theory at least, to government snoops and wily hackers.

In the end, I'm going to advocate you use Signal whenever you can -­ which actually may not end up being as often as you would like.

EDITED TO ADD (6/25): Don't use Telegram.

Posted on June 23, 2016 at 6:54 AM89 Comments

Fraudsters are Buying IPv4 Addresses

IPv4 addresses are valuable, so criminals are figuring out how to buy or steal them.

Hence criminals' interest in ways to land themselves IP addresses, some of which were detailed this week by ARIN's senior director of global registry knowledge, Leslie Nobile, at the North American Network Operators Group's NANOG 67 conference.

Nobile explained that criminals look for dormant ARIN records and try to establish themselves as the rightful administrator. ARIN has 30,556 legacy network records, she said, but a validated point of contact for only 54 per cent of those networks. The remaining ~14,000 networks are ripe for targeting by hijackers who Nobile said are only interested in establishing legitimacy with ARIN so they can find a buyer for unused IPv4 addresses possessed by dormant legacy networks.

Criminals do so by finding dormant ARIN records and Whois data to see if there is a valid contact, then ascertaining if IPv4 allocations are currently routed. If the assigned addresses are dark and no active administrator exists, hijackers can revive dormant domain names or even re-register the names of defunct companies in order to establish a position as legitimate administrators of an address space. If all goes well, the hijackers end up with addresses to sell.

Video presentation here.

Posted on June 22, 2016 at 1:15 PM12 Comments

Situational Awareness and Crime Prevention

Ronald V. Clarke argues for more situational awareness in crime prevention. Turns out if you make crime harder, it goes down. And this has profound policy implications.

Whatever the benefits for Criminology, the real benefits of a greater focus on crime than criminality would be for crime policy. The fundamental attribution error is the main impediment to formulating a broader set of policies to control crime. Nearly everyone believes that the best way to control crime is to prevent people from developing into criminals in the first place or, failing that, to use the criminal justice system to deter or rehabilitate them. This has led directly to overuse of the system at vast human and economic cost.

Hardly anyone recognizes--whether politicians, public intellectuals, government policy makers, police or social workers--that focusing on the offender is dealing with only half the problem. We need also to deal with the many and varied ways in which society inadvertently creates the opportunities for crime that motivated offenders exploit by (i) manufacturing crime-prone goods, (ii) practicing poor management in many spheres of everyday life, (iii) permitting poor layout and design of places, (iv) neglecting the security of the vast numbers of electronic systems that regulate our everyday lives and, (v) enacting laws with unintended benefits for crime.

Situational prevention has accumulated dozens of successes in chipping away at some of the problems created by these conditions, which attests to the principles formulated so many years ago in Home Office research. Much more surprising, however, is that the same thing has been happening in every sector of modern life without any assistance from governments or academics. I am referring to the security measures that hundreds, perhaps thousands, of private and public organizations have been taking in the past 2-3 decades to protect themselves from crime.

Posted on June 21, 2016 at 12:16 PM31 Comments

Security Behavior of Pro-ISIS Groups on Social Media

Interesting:

Since the team had tracked these groups daily, researchers could observe the tactics that pro-ISIS groups use to evade authorities. They found that 15 percent of groups changed their names during the study period, and 7 percent flipped their visibility from public to members only. Another 4 percent underwent what the researchers called reincarnation. That means the group disappeared completely but popped up later under a new name and earned more than 60 percent of its original followers back.

The researchers compared these behaviors in the pro-ISIS groups to the behaviors of other social groups made up of protestors or social activists (the entire project began in 2013 with a focus on predicting periods of social unrest). The pro-ISIS groups employed more of these strategies, presumably because the groups were under more pressure to evolve as authorities sought to shut them down.

Research paper.

Posted on June 21, 2016 at 6:01 AM15 Comments

CIA Director John Brennan Pretends Foreign Cryptography Doesn't Exist

Last week, CIA director John Brennan told a Senate committee that there wasn't any strong cryptography outside of the US.

CIA director John Brennan told US senators they shouldn't worry about mandatory encryption backdoors hurting American businesses.

And that's because, according to Brennan, there's no one else for people to turn to: if they don't want to use US-based technology because it's been forced to use weakened cryptography, they'll be out of luck because non-American solutions are simply "theoretical."

Here's the quote:

"US companies dominate the international market as far as encryption technologies that are available through these various apps, and I think we will continue to dominate them," Brennan said.

"So although you are right that there's the theoretical ability of foreign companies to have those encryption capabilities available to others, I do believe that this country and its private sector are integral to addressing these issues."

Is he actually lying there? I suppose it is possible that he's simply that ignorant. Strong foreign cryptography hasn't been "theoretical" for decades. And earlier this year, I released a survey of foreign cryptography products, listing 546 non-theoretical products from 54 countries outside the US.

I know Sen. Wyden knows about my survey. I hope he asks Brennan about it.

Slashdot thread. HackerNews thread.

EDITED TO ADD (6/22): Herb Lin comments.

Posted on June 20, 2016 at 12:24 PM89 Comments

Nude Photos as Loan Collateral

The New York Times is reporting that some women in China are being forced to supply nude photos of themselves as collateral for getting a loan. Aside from the awfulness of this practice, it's really bad collateral because it's impossible to ever get it back.

Posted on June 20, 2016 at 6:01 AM27 Comments

Friday Squid Blogging: Not Finding a Giant Squid on Google Earth

The Internet is buzzing -- at least, my little corner of the Internet -- about finding a 120-meter-long giant squid on Google Earth. It's a false alarm.

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

Posted on June 17, 2016 at 4:05 PM212 Comments

Computer Science Education Is Security Education

This essay argues that teaching computer science at the K-12 level is a matter of national security.

I think the argument is even broader. Computers, networks, and algorithms are at the heart of all of our complex social and political issues. We need broader literacy for all sorts of political and social reasons.

Posted on June 17, 2016 at 6:33 AM28 Comments

Apple's Differential Privacy

At the Apple Worldwide Developers Conference earlier this week, Apple talked about something called "differential privacy." We know very little about the details, but it seems to be an anonymization technique designed to collect user data without revealing personal information.

What we know about anonymization is that it's much harder than people think, and it's likely that this technique will be full of privacy vulnerabilities. (See, for example, the excellent work of Latanya Sweeney.) As expected, security experts are skeptical. Here's Matt Green trying to figure it out.

So while I applaud Apple for trying to improve privacy within its business models, I would like some more transparency and some more public scrutiny.

EDITED TO ADD (6/17): Adam Shostack comments. And more commentary from Tom's Guide.

EDITED TO ADD (6/17): Here's a slide deck on privacy from the WWDC.

Posted on June 16, 2016 at 9:30 PM15 Comments

Infecting Systems by Typosquatting Programming Language Libraries

Typosquatting is an old trick of registering a domain name a typo away from a popular domain name and using it for various nefarious purposes. Nikolai Philipp Tschacher just published a bachelor's thesis where he does the same trick with the names of popular code libraries, and tricks 17,000 computers into running arbitrary code.

Ars Technica article.

Posted on June 15, 2016 at 6:47 AM23 Comments

Russians Hacking DNC Computers

The Washington Post is reporting that Russian hackers penetrated the network of the Democratic National Committee and stole opposition research on Donald Trump. The evidence is from CrowdStrike:

The firm identified two separate hacker groups, both working for the Russian government, that had infiltrated the network, said Dmitri Alperovitch, CrowdStrike co-founder and chief technology officer. The firm had analyzed other breaches by both groups over the last two years.

One group, which CrowdStrike had dubbed Cozy Bear, had gained access last summer and was monitoring the DNC's email and chat communications, Alperovitch said.

The other, which the firm had named Fancy Bear, broke into the network in late April and targeted the opposition research files. It was this breach that set off the alarm. The hackers stole two files, Henry said. And they had access to the computers of the entire research staff -- an average of about several dozen on any given day.

This seems like standard political espionage to me. We certainly don't want it to happen, but we shouldn't be surprised when it does.

Slashdot thread.

EDITED TO ADD (6/16): From the Washington Post article, the Republicans were also hacked:

The intrusion into the DNC was one of several targeting American political organizations. The networks of presidential candidates Hillary Clinton and Donald Trump were also targeted by Russian spies, as were the computers of some Republican political action committees, U.S. officials said. But details on those cases were not available.

EDITED TO ADD (6/16): These leaks might be from this hack, or from another unrelated hack. They don't seem to be related to the Russian government at all.

EDITED TO ADD (6/12): Another view.

Posted on June 14, 2016 at 12:50 PM40 Comments

NSA Using Insecure Word Macros

There's an interesting message in the documents about Snowden that Vice magazine got out of the NSA with a FOIA request. At least in 2012, the NSA was using Word macros internally.

Posted on June 13, 2016 at 7:01 AM29 Comments

Friday Squid Blogging: Beautiful Squid Sculpture

Two years ago, I posted a photograph of a beautiful giant bronze squid sculpture by Kirk McGuire. He has a new sculpture: a squid table base. it's also beautiful.

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

Posted on June 10, 2016 at 4:38 PM198 Comments

Financial Cyber Risk Is Not Systemic Risk

This interesting essay argues that financial risks are generally not systemic risks, and instead are generally much smaller. That's certainly been our experience to date:

While systemic risk is frequently invoked as a key reason to be on guard for cyber risk, such a connection is quite tenuous. A cyber event might in extreme cases result in a systemic crisis, but to do so needs highly fortuitous timing.

From the point of view of policymaking, rather than simply asserting systemic consequences for cyber risks, it would be better if the cyber discussion were better integrated into the existing macroprudential dialogue. To us, the overall discussion of cyber and systemic risk seems to be too focused on IT considerations and not enough on economic consequences.

After all, if there are systemic consequences from cyber risk, the chain of causality will be found in the macroprudential domain.

Posted on June 10, 2016 at 12:56 PM10 Comments

1944 OSS Sabotage Manual

It makes for interesting reading.

Someone noticed that parts of it read like standard modern office procedures.

EDITED TO ADD: I originally called this a CIA manual, but the CIA had not been formed yet. And, yes, I seem to have blogged this before -- in 2010.

Posted on June 10, 2016 at 9:54 AM23 Comments

Waze Data Poisoning

People who don't want Waze routing cars through their neighborhoods are feeding it false data.

It was here that Connor learned that some Waze warriors had launched concerted campaigns to fool the app. Neighbors filed false reports of blockages, sometimes with multiple users reporting the same issue to boost their credibility. But Waze was way ahead of them.

It's not possible to fool the system for long, according to Waze officials. For one thing, the system knows if you're not actually in motion. More important, it constantly self-corrects, based on data from other drivers.

"The nature of crowdsourcing is that if you put in a fake accident, the next 10 people are going to report that it's not there," said Julie Mossler, Waze's head of communications. The company will suspend users they suspect of "tampering with the map," she said.

Posted on June 9, 2016 at 6:17 AM45 Comments

Long Article on Snowden's Attempts to Raise His Concerns Inside the NSA

Lots of details that demonstrate that Snowden did try to raise his concerns internally before going public, and that the NSA lied about this.

Posted on June 8, 2016 at 6:44 AM49 Comments

Another Side-Channel Attack on PC Encryption

New paper: "Physical Key Extraction Attacks on PCs," by Daniel Genkin, Lev Pachmanov, Itamar Pipman, Adi Shamir, and Eran Tromer. They recover keys acoustically, from the high-frequency "coil whine" from the circuits, from a distance of about ten meters.

News article.

Posted on June 7, 2016 at 2:59 PM25 Comments

Hijacking the PC Update Process

There's a new report on security vulnerabilities in the PC initialization/update process, allowing someone to hijack it to install malware:

One of the major things we found was the presence of third-party update tools. Every OEM we looked at included one (or more) with their default configuration. We also noticed that Microsoft Signature Edition systems also often included OEM update tools, potentially making their distribution larger than other OEM software.

Updaters are an obvious target for a network attacker, this is a no-brainer. There have been plenty of attacks published against updaters and package management tools in the past, so we can expect OEM's to learn from this, right?

Spoiler: we broke all of them (some worse than others). Every single vendor had at least one vulnerability that could allow for a man-in-the-middle (MITM) attacker to execute arbitrary code as SYSTEM. We'd like to pat ourselves on the back for all the great bugs we found, but the reality is, it's far too easy.

News article.

Posted on June 6, 2016 at 6:10 AM51 Comments

Security and Human Behavior (SHB 2016)

Earlier this week, I was at the ninth Workshop on Security and Human Behavior, hosted at Harvard University.

SHB is a small invitational gathering of people studying various aspects of the human side of security. The fifty or so people in the room include psychologists, economists, computer security researchers, sociologists, political scientists, philosophers, political scientists, neuroscientists, lawyers, anthropologists, business school professors, and a smattering of others. It's not just an interdisciplinary event; most of the people here are individually interdisciplinary.

These are the most intellectually stimulating two days of my year; this year someone called it "Bruce's brain in conference form."

The goal is maximum interaction and discussion. We do that by putting everyone on panels. There are eight six-person panels over the course of the two days. Everyone gets to talk for ten minutes about their work, and then there's half an hour of discussion in the room. Then there are lunches, dinners, and receptions -- all designed so people meet each other and talk.

This page lists the participants and gives links to some of their work. As usual, Ross Anderson liveblogged the talks.

Here are my posts on the first, second, third, fourth, fifth, sixth, seventh, and eighth SHB workshops. Follow those links to find summaries, papers, and audio recordings of the workshops.

Posted on June 3, 2016 at 1:36 PM10 Comments

Stealth Falcon: New Malware from (Probably) the UAE

Citizen Lab has the details:

This report describes a campaign of targeted spyware attacks carried out by a sophisticated operator, which we call Stealth Falcon. The attacks have been conducted from 2012 until the present, against Emirati journalists, activists, and dissidents. We discovered this campaign when an individual purporting to be from an apparently fictitious organization called "The Right to Fight" contacted Rori Donaghy. Donaghy, a UK-based journalist and founder of the Emirates Center for Human Rights, received a spyware-laden email in November 2015, purporting to offer him a position on a human rights panel. Donaghy has written critically of the United Arab Emirates (UAE) government in the past, and had recently published a series of articles based on leaked emails involving members of the UAE government.

Circumstantial evidence suggests a link between Stealth Falcon and the UAE government. We traced digital artifacts used in this campaign to links sent from an activist's Twitter account in December 2012, a period when it appears to have been under government control. We also identified other bait content employed by this threat actor. We found 31 public tweets sent by Stealth Falcon, 30 of which were directly targeted at one of 27 victims. Of the 27 targets, 24 were obviously linked to the UAE, based on their profile information (e.g., photos, "UAE" in account name, location), and at least six targets appeared to be operated by people who were arrested, sought for arrest, or convicted in absentia by the UAE government, in relation to their Twitter activity.

The attack on Donaghy -- and the Twitter attacks -- involved a malicious URL shortening site. When a user clicks on a URL shortened by Stealth Falcon operators, the site profiles the software on a user's computer, perhaps for future exploitation, before redirecting the user to a benign website containing bait content. We queried the URL shortener with every possible short URL, and identified 402 instances of bait content which we believe were sent by Stealth Falcon, 73% of which obviously referenced UAE issues. Of these URLs, only the one sent to Donaghy definitively contained spyware. However, we were able to trace the spyware Donaghy received to a network of 67 active command and control (C2) servers, suggesting broader use of the spyware, perhaps by the same or other operators.

News story.

Posted on June 2, 2016 at 7:49 AM37 Comments

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.