Schneier on Security: Tagged New Zealand

Entries Tagged "New Zealand"

Page 1 of 1

New Zealand's XKEYSCORE Use

The Intercept and the New Zealand Herald have reported that New Zealand spied on communications about the World Trade Organization director-general candidates. I’m not sure why this is news; it seems like a perfectly reasonable national intelligence target. More interesting to me is that the Intercept published the XKEYSCORE rules. It’s interesting to see how primitive the keyword targeting is, and how broadly it collects e-mails.

The second really important point is that Edward Snowden’s name is mentioned nowhere in the stories. Given how scrupulous the Intercept is about identifying him as the source of his NSA documents, I have to conclude that this is from another leaker. For a while, I have believed that there are at least three leakers inside the Five Eyes intelligence community, plus another CIA leaker. What I have called Leaker #2 has previously revealed XKEYSCORE rules. Whether this new disclosure is from Leaker #2 or a new Leaker #5, I have no idea. I hope someone is keeping a list.

Posted on March 26, 2015 at 9:46 AM • View Comments

Two New Snowden Stories

New Zealand is spying on its citizens. Edward Snowden weighs in personally.

The NSA and GCHQ are mapping the entire Internet, including hacking into Deutsche Telekom and other companies.

EDITED TO ADD (9/18): Marcy Wheeler comments on the second story, noting that the NSA uses this capability to map MAC addresses.

Posted on September 15, 2014 at 2:25 PM • View Comments

U.S. Exports Terrorism Fears

To New Zealand:

United States Secretary of Homeland Security Janet Napolitano has warned the New Zealand Government about the latest terrorist threat known as “body bombers.”

[…]

“Do we have specific credible evidence of a [body bomb] threat today? I would not say that we do, however, the importance is that we all lean forward.”

Why the headline of this article is “NZ warned over ‘body bombers,'” and not “Napolitano admits ‘no credible evidence’ of body bomber threat” is beyond me.

Posted on May 15, 2012 at 6:17 AM • View Comments

Hijacking in New Zealand

There are a couple of interesting things about the hijacking in New Zealand two weeks ago. First, it was a traditional hijacking. Remember after 9/11 when people said that the era of airplane hijacking was over, that it would no longer be possible to hijack an airplane and demand a ransom or demand passage to some exotic location? Turns out that’s just not true; there still can be traditional non-terrorist hijackings.

And even more interesting, the media coverage reflected that. Read the links above. They’re calm and reasoned. There’s no mention of the T-word. We’re not all cautioned that we’re going to die. If anything, they’re recommending that everyone not overreact.

Refreshing, really.

EDITED TO ADD (2/25): And this:

Mr Williamson today said the idea behind anything involving transport was “safety at reasonable cost”.

He said the Government needed to weigh up the cost of x-ray screening every passenger on a small plane against the risk of such an attempted hijacking happening again.

“I just think it’s over the top, sledgehammer to crack a nut stuff and my advice to the Cabinet this morning is just make sure you’re very careful. . .to consider what the costs are.”

Posted on February 20, 2008 at 7:26 AM • View Comments

Continuing Battles in the War on the Unexpected

A suitcase in New Zealand.

An American photographing all 50 state capitols.

Maybe this would be a good idea.

Posted on January 25, 2008 at 6:03 AM • View Comments

New Zealand Espionage History

This is fascinating:

Among the personal papers bequeathed to the nation by former Prime Minister David Lange is a numbered copy of a top secret report from the organisation that runs the ‘spy domes’ at Waihopai and Tangimoana. It provides an unprecedented insight into how espionage was conducted 20 years ago.

[…]

Much of the GCSB’s work involved translating and analysing communications intercepted by other agencies, “most of the raw traffic used … (coming) from GCHQ/NSA sources”, the British and US signals intelligence agencies.

Its report says “reporting on items of intelligence derived from South Pacific telex messages on satellite communications links was accelerated during the year.

“A total of 171 reports were published, covering the Solomons, Fiji, Tonga and international organisations operating in the Pacific. The raw traffic for this reporting provided by NSA the US National Security Agency).”

The GCSB also produced 238 intelligence reports on Japanese diplomatic cables, using “raw traffic from GCHQ/NSA sources”. This was down from the previous year: “The Japanese government implementation of a new high grade cypher system seriously reduced the bureau’s output.” For French government communications, the GCSB “relied heavily on (British) GCHQ acquisition and forwarding of French Pacific satellite intercept”.

The report lists the Tangimoana station’s targets in 1985-86 as “French South Pacific civil, naval and military; French Antarctic civil; Vietnamese diplomatic; North Korean diplomatic; Egyptian diplomatic; Soviet merchant and scientific research shipping; Soviet Antarctic civil. Soviet fisheries; Argentine naval; Non-Soviet Antarctic civil; East German diplomatic; Japanese diplomatic; Philippine diplomatic; South African Armed Forces; Laotian diplomatic (and) UN diplomatic.”

The station intercepted 165,174 messages from these targets, “an increase of approximately 37,000 on the 84/85 figure. Reporting on the Soviet target increased by 20% on the previous year”.

Posted on January 25, 2006 at 12:58 PM • View Comments

Scandinavian Attack Against Two-Factor Authentication

I’ve repeatedly said that two-factor authentication won’t stop phishing, because the attackers will simply modify their techniques to get around it. Here’s an example where that has happened:

Scandinavian bank Nordea was forced to shut down part of its Web banking service for 12 hours last week following a phishing attack that specifically targeted its paper-based one-time password security system.

According to press reports, the scam targeted customers that access the Nordea Sweden Web banking site using a paper-based single-use password security system.

A blog posting by Finnish security firm F-Secure says recipients of the spam e-mail were directed to bogus Web sites but were also asked to enter their account details along with the next password on their list of one-time passwords issued to them by the bank on a “scratch sheet”.

From F-Secure’s blog:

The fake mails were explaining that Nordea is introducing new security measures, which can be accessed at www.nordea-se.com or www.nordea-bank.net (fake sites hosted in South Korea).

The fake sites looked fairly real. They were asking the user for his personal number, access code and the next available scratch code. Regardless of what you entered, the site would complain about the scratch code and asked you to try the next one. In reality the bad boys were trying to collect several scratch codes for their own use.

The Register also has a story.

Two-factor authentication won’t stop identity theft, because identity theft is not an authentication problem. It’s a transaction-security problem. I’ve written about that already. Solutions need to address the transactions directly, and my guess is that they’ll be a combination of things. Some transactions will become more cumbersome. It will definitely be more cumbersome to get a new credit card. Back-end systems will be put in place to identify fraudulent transaction patterns. Look at credit card security; that’s where you’re going to find ideas for solutions to this problem.

Unfortunately, until financial institutions are liable for all the losses associated with identity theft, and not just their direct losses, we’re not going to see a lot of these solutions. I’ve written about this before as well.

We got them for credit cards because Congress mandated that the banks were liable for all but the first $50 of fraudulent transactions.

EDITED TO ADD: Here’s a related story. The Bank of New Zealand suspended Internet banking because of phishing concerns. Now there’s a company that is taking the threat seriously.

Posted on October 25, 2005 at 12:49 PM • View Comments

Terrorism False Positives

Security systems fail in two different ways. The first is the obvious one: they fail to detect, stop, catch, or whatever, the bad guys. The second is more common, and often more important: they wrongly detect, stop, catch, or whatever, an innocent person. This story is from the New Zealand Herald:

A New Zealand resident who sent $5000 to his ill uncle in India had the money frozen for nearly a month because his name matched that of several men on a terrorist watch list.

Because there are far more innocent people than guilty ones, this second type of error is far more common than the first type. Security is always a trade-off, and when you’re trading off positives and negatives, you have to look at these sorts of things.

Posted on January 8, 2005 at 8:00 AM • View Comments

Sensible Security from New Zealand

I like the way this guy thinks about security as a trade-off:

In the week United States-led forces invaded Iraq, the service was receiving a hoax bomb call every two or three hours, but not one aircraft was delayed. Security experts decided the cost of halting flights far outweighed the actual risk to those on board.

It’s a short article, and in it Mark Everitt, General Manager of the New Zealand Aviation Security Service, says that small knives should be allowed on flights, and that sky marshals should not.

Before 9/11, New Zealand domestic flights had no security at all, because there simply wasn’t anywhere to hijack a flight to.

Posted on December 3, 2004 at 10:00 AM • View Comments

Sidebar photo of Bruce Schneier by Joe MacInnis.