March 15, 2007
A free monthly newsletter providing summaries, analyses, insights, and commentaries on security: computer and otherwise.
For back issues, or to subscribe, visit <http://www.schneier.com/crypto-gram.html>.
You can read this issue on the web at <http://www.schneier.com/crypto-gram-0703.html>. These same essays appear in the "Schneier on Security" blog: <http://www.schneier.com/blog>. An RSS feed is available.
In this issue:
- CYA Security
- U.S Terrorism Arrests/Convictions Significantly Overstated
- Movie Plot Threat in Vancouver
- The Doghouse: Onboard Threat Detection System
- Private Police Forces
- BT Counterpane News
- The Doghouse: Sniffex
- Drive-By Pharming
- Cloning RFID Chips Made by HID
- Comments from Readers
Since 9/11, we've spent hundreds of billions of dollars defending ourselves from terrorist attacks. Stories about the ineffectiveness of many of these security measures are common, but less so are discussions of *why* they are so ineffective. In short: much of our country's counterterrorism security spending is not designed to protect us from the terrorists, but instead to protect our public officials from criticism when another attack occurs.
Boston, January 31: As part of a guerilla marketing campaign, a series of amateur-looking blinking signs depicting characters from Aqua Teen Hunger Force, a show on the Cartoon Network, were placed on bridges, near a medical center, underneath an interstate highway, and in other crowded public places.
Police mistook these signs for bombs and shut down parts of the city, eventually spending over $1M sorting it out. Authorities blasted the stunt as a terrorist hoax, while others ridiculed the Boston authorities for overreacting. Almost no one looked beyond the finger pointing and jeering to discuss exactly why the Boston authorities overreacted so badly. They overreacted because the signs were weird.
If someone left a backpack full of explosives in a crowded movie theater, or detonated a truck bomb in the middle of a tunnel, no one would demand to know why the police hadn't noticed it beforehand. But if a weird device with blinking lights and wires turned out to be a bomb -- what every movie bomb looks like -- there would be inquiries and demands for resignations. It took the police two weeks to notice the Mooninite blinkies, but once they did, they overreacted because their jobs were at stake.
This is "Cover Your Ass" security, and unfortunately it's very common.
Airplane security seems to forever be looking backwards. Pre-9/11, it was bombs, guns, and knives. Then it was small blades and box cutters. Richard Reid tried to blow up a plane, and suddenly we all have to take off our shoes. And after last summer's liquid plot, we're stuck with a series of nonsensical bans on liquids and gels.
Once you think about this in terms of CYA, it starts to make sense. The TSA wants to be sure that if there's another airplane terrorist attack, it's not held responsible for letting it slip through. One year ago, no one could blame the TSA for not detecting liquids. But since everything seems obvious in hindsight, it's basic job preservation to defend against what the terrorists tried last time.
We saw this kind of CYA security when Boston and New York randomly checked bags on the subways after the London bombing, or when buildings started sprouting concrete barriers after the Oklahoma City bombing. We also see it in ineffective attempts to detect nuclear bombs; authorities employ CYA security against the media-driven threat so they can say "we tried."
At the same time, we're ignoring threat possibilities that don't make the news as much -- against chemical plants, for example. But if there were ever an attack, that would change quickly.
CYA also explains the TSA's inability to take anyone off the no-fly list, no matter how innocent. No one is willing to risk his career on removing someone from the no-fly list who might -- no matter how remote the possibility -- turn out to be the next terrorist mastermind.
Another form of CYA security is the overly specific countermeasures we see during big events like the Olympics and the Oscars, or in protecting small towns. In all those cases, those in charge of the specific security don't dare return the money with a message "use this for more effective general countermeasures." If they were wrong and something happened, they'd lose their jobs.
And finally, we're seeing CYA security on the national level, from our politicians. We might be better off as a nation funding intelligence gathering and Arabic translators, but it's a better re-election strategy to fund something visible but ineffective, like a national ID card or a wall between the U.S. and Mexico.
Securing our nation from threats that are weird, threats that either happened before or captured the media's imagination, and overly specific threats are all examples of CYA security. It happens not because the authorities involved -- the Boston police, the TSA, and so on -- are not competent, or not doing their job. It happens because there isn't sufficient national oversight, planning, and coordination.
People and organizations respond to incentives. We can't expect the Boston police, the TSA, the guy who runs security for the Oscars, or local public officials to balance their own security needs against the security of the nation. They're all going to respond to the particular incentives imposed from above. What we need is a coherent antiterrorism policy at the national level: one based on real threat assessments, instead of fear-mongering, re-election strategies, or pork-barrel politics.
Sadly, though, there might not be a solution. All the money is in fear-mongering, re-election strategies, and pork-barrel politics. And, like so many things, security follows the money.
Searching bags in subways:
More CYA security:
This essay originally appeared on Wired.com.
It's called "splash-and-grab," and it's a new way to rob convenience stores. (Okay; it's not really new. It was used on the TV show "The Shield" in 2005. But it's back in the news.) Two guys walk into a store, and one comes up to the counter with a cup of hot coffee or cocoa. He pays for it, and when the clerk opens the cash drawer, he throws the coffee in the clerk's face. The other one grabs the cash drawer, and they both run.
Crimes never change, but tactics do. This tactic is new; someone just invented it. But now that it's in the news, copycats are repeating the trick. There have been at least 19 such robberies in Delaware, Pennsylvania and New Jersey. (Some arrests have been made since then.)
Here's another example: On Nov. 24, 1971, someone with the alias Dan Cooper invented a new way to hijack an aircraft. Claiming he had a bomb, he forced a plane to land and then exchanged the passengers and flight attendants for $200,000 and four parachutes. (I leave it as exercise for the reader to explain why asking for more than one parachute is critical to the plan's success.) Taking off again, he told the pilots to fly to 10,000 feet. He then lowered the plane's back stairs and parachuted away. He was never caught, and the FBI still doesn't know who he is or whether he survived.
After this story hit the press, there was an epidemic of copycat attacks. In 31 hijackings the following year, half of the hijackers demanded parachutes. It got so bad that the FAA required Boeing to install a special latch -- the Cooper Vane -- on the back staircases of its 727s so they couldn't be lowered in the air.
The internet is filled with copycats. Green-card lawyers invented spam; now everyone does it. Other people invented phishing, pharming, spear phishing. The virus, the worm, the Trojan: It's hard to believe that these ubiquitous internet attack tactics were, until comparatively recently, tactics that no one had thought of.
Most attackers are copycats. They aren't clever enough to invent a new way to rob a convenience store, use the web to steal money, or hijack an airplane. They try the same attacks again and again, or read about a new attack in the newspaper and decide they can try it, too.
In combating threats, it makes sense to focus on copycats when there is a population of people already willing to commit the crime, who will migrate to a new tactic once it has been demonstrated to be successful. In instances where there aren't many attacks or attackers, and they're smarter -- al-Qaeda-style terrorism comes to mind -- focusing on copycats is less effective because the bad guys will respond by modifying their attacks accordingly.
Compare that to suicide bombings in Israel, which are mostly copycat attacks. The authorities basically know what a suicide bombing looks like, and do a pretty good job defending against the particular tactics they tend to see again and again. It's still an arms race, but there is a lot of security gained by defending against copycats.
But even so, it's important to understand which aspect of the crime will be adopted by copycats. Splash-and-grab crimes have nothing to do with convenience stores; copycats can target any store where hot coffee is easily available and there is only one clerk on duty. And the tactic doesn't necessarily need coffee; one copycat used bleach. The new idea is to throw something painful and damaging in a clerk's face, grab the valuables and run.
Similarly, when a suicide bomber blows up a restaurant in Israel, the authorities don't automatically assume the copycats will attack other restaurants. They focus on the particulars of the bomb, the triggering mechanism and the way the bomber arrived at his target. Those are the tactics that copycats will repeat. The next target may be a theater or a hotel or any other crowded location.
The lesson for counterterrorism in America: Stay flexible. We're not threatened by a bunch of copycats, so we're best off expending effort on security measures that will work regardless of the tactics or the targets: intelligence, investigation and emergency response. By focusing too much on specifics -- what the terrorists did last time -- we're wasting valuable resources that could be used to keep us safer.
Dan Cooper and the Cooper Vane:
This essay originally appeared on Wired.com.
Blog entry URL:
A new report (long, but at least read the Executive Summary) from the U.S. Department of Justice's Inspector General says, basically, that all the U.S. terrorism statistics since 9/11 -- arrests, convictions, and so on -- have been grossly inflated.
The report gives a series of reasons why the statistics were so bad. Here's one: "The number of terrorism-related convictions was overstated because the FBI initially coded the investigative cases as terrorism-related when the cases were opened, but did not recode cases when no link to terrorism was established."
And here's an example of a problem: "For example, Operation Tarmac was a worksite enforcement operation launched in November 2001 at the nation's airports. During this operation, Department and other federal agents went into regional airports and checked the immigration papers of airport workers. The agents then arrested any individuals who used falsified documents, such as social security numbers, drivers' licenses, and other identification documents, to gain employment. EOUSA officials told us they believe these defendants are properly coded under the anti-terrorism program activity. We do not agree that law enforcement efforts such as these should be counted as "anti-terrorism" unless the subject or target is reasonably linked to terrorist activity."
("EOUSA" is the Executive Office for United States Attorneys, part of the U.S. Department of Justice.)
There's an enormous amount of detail in the report, if you want to wade through the 80 or so pages of report and another 80ish of appendices.
The idiocy of this is impressive: "A Vancouver Police computer crime investigator has warned the city that plans for a citywide wireless Internet system put the city at risk of terrorist attack during the 2010 Winter Olympic Games."
The problem? Well, the problem seems to be that terrorists might attend the Olympic games and use the Internet while they're there.
"'If you have an open wireless system across the city, as a bad guy I could sit on a bus with a laptop and do global crime,' Fenton explained. 'It would be virtually impossible to find me.'"
There's also some scary stuff about SCADA systems, and the city putting some of its own service on the Internet. Clearly this guy has thought about the risks a lot, just not with any sense. He's overestimating cyberterrorism. He's overestimating how important this one particular method of wireless Internet access is. He's overestimating how important the 2010 Winter Olympics are.
But the newspaper was happy to play along and spread the fear. The photograph accompanying the article is captioned: "Anyone with a laptop and wireless access could commit a terrorist act, police warn."
According to a new report, the FBI has lost 160 laptops, including at least ten with classified information, in the past four years. But it's not all bad news. A similar audit in 2002 found that 317 laptops were lost or stolen at the FBI over about two years. The FBI: Now losing fewer laptops!
There's a UAC security hole in Vista. What's interesting is that Microsoft is positioning this as a trade-off between security and ease-of-use. That's correct, of course, but it seems that someone made a bad decision in this regard.
Slowly, AACS -- the security in both Blu-ray and HD DVD -- has been cracked. Now, it has been cracked even further. As I have said before, what will be interesting to watch is how well HD DVD and Blu-ray recover. Both were built expecting these sorts of cracks, and both have mechanisms to recover security for future movies. It remains to be seen how well these recovery systems will work.
Was the TSA website hacked, or was it just incredibly bad webpage design and coding?
Real-world back doors: a social engineering test where the attackers entered the building through a back-door left open for smokers.
OpenSSL is now FIPS 140-2 certified. The process took five years. This is a major problem with long certification cycles; software development cycles are faster.
Is everything a bomb these days? In New Mexico, a bomb squad blew up two CD players, duct-taped to the bottoms of church pews, that played pornographic messages during Mass. This is a pretty funny high school prank and I hope the kids that did it get suitably punished. But they're not terrorists. And I have a hard time believing that the police actually thought CD players were bombs.
Meanwhile, the British Police Force blew up a tape dispenser left outside a police station in Northern Ireland.
And not to be outdone, the Dutch police mistook one of their own transmitters for a bomb. At least they didn't blow anything up.
Okay, everyone. We need some ideas, here. If we're going to think everything weird is a bomb, then the false alarms are going to kill any hope of security.
If you're having trouble identifying bombs, this quiz should help.
And here's a relevant cartoon.
The Boston police blew up a traffic counter. I'm beginning to think that something is seriously wrong with the police chain of command in Boston. Boston PD: Putting the "error" in "terror."
"Windows for Warships." I'm not sure this is a good idea.
A related article from 1998, involving Windows NT and the USS Yorktown.
There's a rumor about a software bug in the F-22 Raptor stealth fighter. It seems that the computer systems had problems flying west across the International Date Line. No word as to what operating system the computers were running.
With all the attention on foreign money laundering, we're ignoring the problem in the U.S.
Faking hardware memory access:
There's good news regarding Canada's anti-terrorism laws. First, security certificates were declared unconstitutional.
And second, the House of Commons voted against extending two provisions of a 2001 anti-terrorism law. They expired at the end of February.
Xbox 360 privilege escalation attack:
Very interesting article about Apple's DRM system, which they call "FairPlay."
The cost-effectiveness of sky marshals in Australia is being debated. I have not seen any similar cost analysis from the United States.
Fascinating article about changing generational notions of privacy:
The FBI issued illegal National Security Letters under the USA PATRIOT Act
"Digital Security and Privacy for Human Rights Defenders":
Cloning a UK RFID passport:
Nothing I haven't said before, only a demonstration of how insecure they are.
Some airport baggage handlers used their official credentials to bypass security and smuggle guns and marijuana onto an airplane. This kind of thing is inevitable. Whenever you have a system that requires trusted people -- that is, every security system -- there is the possibility that those trusted people will not behave in a trustworthy manner. But there are ways of minimizing this risk.
Find out if you're on the "no fly" list:
Vista activation security cracked by brute force:
I'm tired of headlines like this: "New autopilot 'will make another 9/11 impossible.'" Why are people so narrowly focused? The goal isn't to protect against another 9/11. The goal is to protect against another horrific terrorist incident.
Stop focusing on the tactics, people. Look at the broad threats.
I've written about this particular countermeasure before.
Insurance and risk cartoon:
Interesting article on the difficulty of profiling terrorists:
It's almost too absurd to even write about seriously -- this plan to spot terrorists in airplane seats:
"Cameras fitted to seat-backs will record every twitch, blink, facial expression or suspicious movement before sending the data to onboard software which will check it against individual passenger profiles."
"They say that rapid eye movements, blinking excessively, licking lips or ways of stroking hair or ears are classic symptoms of somebody trying to conceal something."
"A separate microphone will hear and record even whispered remarks. Islamic suicide bombers are known to whisper texts from the Koran in the moments before they explode bombs."
"The software being developed by the scientists will be so sophisticated that it will be able to take account of nervous flyers or people with a natural twitch, helping to ensure there are no false alarms."
The only thing I can think of is that some company press release got turned into real news without a whole lot of thinking.
In Raleigh, N.C., employees of Capitol Special Police patrol apartment buildings, a bowling alley and nightclubs, stopping suspicious people, searching their cars and making arrests.
Sounds like a good thing, but Capitol Special Police isn't a police force at all -- it's a for-profit security company hired by private property owners.
This isn't unique. Private security guards outnumber real police more than 5 to 1, and increasingly act like them.
They wear uniforms, carry weapons and drive lighted patrol cars on private properties like banks and apartment complexes and in public areas like bus stations and national monuments. Sometimes they operate as ordinary citizens and can only make citizen's arrests, but in more and more states they're being granted official police powers.
This trend should greatly concern citizens. Law enforcement should be a government function, and privatizing it puts us all at risk.
Most obviously, there's the problem of agenda. Public police forces are charged with protecting the citizens of the cities and towns over which they have jurisdiction. Of course, there are instances of policemen overstepping their bounds, but these are exceptions, and the police officers and departments are ultimately responsible to the public.
Private police officers are different. They don't work for us; they work for corporations. They're focused on the priorities of their employers or the companies that hire them. They're less concerned with due process, public safety and civil rights.
Also, many of the laws that protect us from police abuse do not apply to the private sector. Constitutional safeguards that regulate police conduct, interrogation and evidence collection do not apply to private individuals. Information that is illegal for the government to collect about you can be collected by commercial data brokers, then purchased by the police.
We've all seen policemen "reading people their rights" on television cop shows. If you're detained by a private security guard, you don't have nearly as many rights.
For example, a federal law known as Section 1983 allows you to sue for civil rights violations by the police but not by private citizens. The Freedom of Information Act allows us to learn what government law enforcement is doing, but the law doesn't apply to private individuals and companies. In fact, most of your civil rights protections apply only to real police.
Training and regulation is another problem. Private security guards often receive minimal training, if any. They don't graduate from police academies. And while some states regulate these guard companies, others have no regulations at all: anyone can put on a uniform and play policeman. Abuses of power, brutality, and illegal behavior are much more common among private security guards than real police.
A horrific example of this happened in South Carolina in 1995. Ricky Coleman, an unlicensed and untrained Best Buy security guard with a violent criminal record, choked a fraud suspect to death while another security guard held him down.
This trend is larger than police. More and more of our nation's prisons are being run by for-profit corporations. The IRS has started outsourcing some back-tax collection to debt-collection companies that will take a percentage of the money recovered as their fee. And there are about 20,000 private police and military personnel in Iraq, working for the Defense Department.
Throughout most of history, specific people were charged by those in power to keep the peace, collect taxes and wage wars. Corruption and incompetence were the norm, and justice was scarce. It is for this very reason that, since the 1600s, European governments have been built around a professional civil service to both enforce the laws and protect rights.
Private security guards turn this bedrock principle of modern government on its head. Whether it's FedEx policemen in Tennessee who can request search warrants and make arrests; a privately funded surveillance helicopter in Jackson, Miss., that can bypass constitutional restrictions on aerial spying; or employees of Capitol Special Police in North Carolina who are lobbying to expand their jurisdiction beyond the specific properties they protect -- privately funded policemen are not protecting us or working in our best interests.
This op-ed originally appeared in the "Minneapolis Star-Tribune":
When I posted this on my blog, I got a lot of negative comments from Libertarians who believe that somehow, the market makes private policemen more responsible to the public than government policemen. I'm sorry, but this is nonsense. Best Buy is going to be responsive to its customers; an apartment complex is going to be responsive to its renters. Petty criminals who prey on those businesses are an economic externality; they're not going to enter into the economic arguments. After all, people might be more likely to shop at Best Buy if their security guards save them money by keeping crime down -- who cares if they crack a few non-customer heads while doing it.
None of this is meant to imply that public police forces are magically honorable and ethical; just that the economic forces are different. So people can consider carefully which is the lesser of two evils, here's Radley Balko's paper "Overkill: The Rise of Paramilitary Police Raids in America":
And an interactive map of public police raids gone bad:
Schneier is a recipient of the 2007 EFF Pioneer Award, together with Yochai Benkler and Cory Doctorow.
PC World named Schneier the 31st most influential person on the Web:
Article on Schneier from the Hindustan Times:
As part of BT's Big Thinkers series, Esther Dyson interviewed Schneier and two other people (Risto Siilasmaa, Chairman of F-Secure Corporation; and Michael Barrett, PayPal's CISO) on network security issues.
The other interviews in the series are here.
Schneier is giving a public lecture in London on March 21:
Schneier is speaking at Temple Sharey Tefilo-Israel in South Orange, NJ on March 25th.
Schneier is speaking at NIST in Gaithersburg, MD, on April 10th:
Schneier is speaking at the Security and Liberty Forum at UNC Chapel Hill on April 14:
It's nothing more than a homeland security scam: a dowsing rod for explosives. That, and a pump-and-dump stock scam. The Sniffex site is down, but Google has a cache, and they seem to be back as Homeland Safety International. They also have a patent.
Sid Stamm, Zulfikar Ramzan, and Markus Jakobsson have developed a clever, and potentially devastating, attack against home routers, something they call "drive-by pharming."
And then the attacker basically owns the victim's web connection.
The main condition for the attack to be successful is that the attacker can guess the router password. This is surprisingly easy, since home routers come with a default password that is uniform and often never changed.
They've written proof of concept code that can successfully carry out the steps of the attack on Linksys, D-Link, and NETGEAR home routers. If users change their home broadband router passwords to something difficult to guess, they are safe from this attack.
Cisco says that 77 of its routers are vulnerable.
Blog comment: "The attack is called 'CSRF' Cross-Site Request-Forgeries. It's been documented for several years, I remember stumbling on it myself 2-3 years ago, and being very surprised that it doesn't get wider publicity -- that has luckily changed in the past year. It's not only routers, but all sorts of intranet-web applications are open to this line of attack (especially when it's standard-software, or someone has insider-knowledge; and users stay logged in for most for most of the time)."
Remember the Cisco fiasco from BlackHat 2005? Next in the stupid box is RFID-card manufacturer HID, who has prevented Chris Paget from presenting research on how to clone those cards. The ACLU presented in his place.
Won't these companies ever learn? HID won't prevent the public from learning about the vulnerability, and it will end up looking like heavy handed goons. And it's not even secret; Paget demonstrated the attack to me and others at the RSA Conference last month.
There's a difference between a security flaw and information about a security flaw; HID needs to fix the first and not worry about the second. Full disclosure benefits us all.
There are hundreds of comments -- many of them interesting -- on these topics on my blog. Search for the story you want to comment on, and join in.
CRYPTO-GRAM is a free monthly newsletter providing summaries, analyses, insights, and commentaries on security: computer and otherwise. You can subscribe, unsubscribe, or change your address on the Web at <http://www.schneier.com/crypto-gram.html>. Back issues are also available at that URL.
Please feel free to forward CRYPTO-GRAM, in whole or in part, to colleagues and friends who will find it valuable. Permission is also granted to reprint CRYPTO-GRAM, as long as it is reprinted in its entirety.
CRYPTO-GRAM is written by Bruce Schneier. Schneier is the author of the best sellers "Beyond Fear," "Secrets and Lies," and "Applied Cryptography," and an inventor of the Blowfish and Twofish algorithms. He is founder and CTO of BT Counterpane, and is a member of the Board of Directors of the Electronic Privacy Information Center (EPIC). He is a frequent writer and lecturer on security topics. See <http://www.schneier.com>.
BT Counterpane is the world's leading protector of networked information - the inventor of outsourced security monitoring and the foremost authority on effective mitigation of emerging IT threats. BT Counterpane protects networks for Fortune 1000 companies and governments world-wide. See <http://www.counterpane.com>.
Crypto-Gram is a personal newsletter. Opinions expressed are not necessarily those of BT or BT Counterpane.
Copyright (c) 2007 by Bruce Schneier.