October 15, 2011
by Bruce Schneier
Chief Security Technology Officer, BT
A free monthly newsletter providing summaries, analyses, insights, and commentaries on security: computer and otherwise.
For back issues, or to subscribe, visit <http://www.schneier.com/crypto-gram.html>.
You can read this issue on the web at <http://www.schneier.com/crypto-gram-1110.html>. These same essays and news items appear in the "Schneier on Security" blog at <http://www.schneier.com/blog>, along with a lively comment section. An RSS feed is available.
In this issue:
- Three Emerging Cyber Threats
- Status Report: Liars and Outliers
- Official Malware from the German Police
- Domain-in-the-Middle Attacks
- Schneier News
- Insider Attack Against Diebold Voting Machines
- National Cybersecurity Awareness Month
Last month, I participated in a panel at the Information Systems Forum in Berlin. The moderator asked us what the top three emerging threats were in cyberspace. I went last, and decided to focus on the top three threats that are not criminal:
* The Rise of Big Data. By this I mean industries that trade on our data. These include traditional credit bureaus and data brokers, but also data-collection companies like Facebook and Google. They're collecting more and more data about everyone, often without their knowledge and explicit consent, and selling it far and wide: to both other corporate users and to government. Big data is becoming a powerful industry, resisting any calls to regulate its behavior.
* Ill-Conceived Regulations from Law Enforcement. We're seeing increasing calls to regulate cyberspace in the mistaken belief that this will fight crime. I'm thinking about data retention laws, Internet kill switches, and calls to eliminate anonymity. None of these will work, and they'll all make us less safe.
* The Cyberwar Arms Race. I'm not worried about cyberwar, but I am worried about the proliferation of cyber weapons. Arms races are fundamentally destabilizing, especially when their development can be so easily hidden. I worry about cyberweapons being triggered by accident, cyberweapons getting into the wrong hands and being triggered on purpose, and the inability to reliably trace a cyberweapon leading to increased distrust. Plus, arms races are expensive.
That's my list, and they all have the potential to be more dangerous than cybercriminals.
Internet kill switches:
Calls to eliminate anonymity:
At the beginning of the month, I completely reframed the book. I realized that the book isn't about security. It's about trust. I'm writing about how society induces people to behave in the group interest instead of some competing personal interest. It's obvious that society needs to do this; otherwise, it can never solve collective action problems. And as a social species, we have developed both moral systems and reputational systems that encourage people behave in the group interest. I called these systems "societal security," along with more recent developments: institutional (read "legal") systems and technological systems.
That phrasing strained the definition of "security." Everything, from the Bible to your friends treating you better if you were nice to them, was a security system. In my reframing, those are all trust pressures. It's a language that's more intuitive. We already know about moral pressure, peer pressure, and legal pressure. Reputational pressure, institutional pressure, and security pressure is much less of a stretch. And it puts security back in a more sensible place. Security is a mechanism; trust is the goal.
This reframing lets me more easily talk directly about the central issues of the book: how these various pressures scale to larger societies, and how security technologies are necessary for them to scale. Trust changes focus as society scales, too. In smaller societies (a family, for example), trust is more about intention and less about actions. In larger societies, trust is all about actions. It's more like compliance. And as things scale even further, trust becomes less about people and more about systems. I don't need to trust any particular banker, as long as I trust the banking system. And as we scale up, security becomes more important.
Possibly the book's thesis statement: "Security is a set of constructed systems that extend the naturally occurring systems that humans have always used to induce trust and enable society. This extension became necessary when society began to operate at a scale and complexity where the naturally occurring mechanisms started to break down, and is more necessary as society continues to grow in scale."
So the phrase "societal security" is completely gone from the book. (Like the phrase "dishonest minority," it only exists in old blog posts.) There's more talk about the role of trust in society. There's more talk about how security, real security this time, enables trust. It felt like a major change when I embarked on it, but the fact that I did it in three days says how this framing was always there under the surface. And the fact that the book reads a lot more cleanly now says this framing is the right one.
The title remains the same: "Liars and Outliers." The cover remains the same. The table of contents is the same, although some chapters have different names. The subtitle has changed to "How Security Enables the Trust that Holds Society Together."
The manuscript is still due to the publisher at the end of the month, and publication is still set for mid-February. I am enjoying writing it, but I am also looking forward to it being done.
Previous status reports:
I've already written how it is possible to detect words and phrases in encrypted VoIP calls. Turns out it's possible to detect speakers as well.
The effectiveness of plagiarism detection software. As you'd expect, it's not very good.
Luis "Guicho" Mijangos, "sextortionist." It's a pretty creepy story of cyber-stalking.
The interesting thing about this electronic banking fraud from Malaysia is how it abuses a variety of different security systems. The criminals use a fake ID card to get a new cell phone SIM, which they then use to authenticate a fraudulent bank transfer made with stolen credentials.
Interesting story of shifting risk. By raising the driving age, California just moved automobile deaths to a different age group.
The long-standing U.S.-Australia ANZUS military treaty now includes cyberspace attacks:
An interesting software liability proposal.
Man-in-the-middle attack against SSL 3.0/TLS 1.0. It's the Browser Exploit Against SSL/TLS Tool, or BEAST.
Iran blocks Tor, and Tor releases a workaround on the same day.
Problems with Mac OS X Lion passwords. Seems like some dumb mistakes.
Faking ATM fronts using 3D printers. One group stole $400K.
An analysis of extensions to the Chrome browser shows that 25% of them are insecure.
Custom HTC Android firmware breaks standard permissions and allows rogue apps to access location, address book, and account info without authorization.
Isaac Asimov on security theater:
Nice cartoon on the problems of content filtering.
Security seals on voting machines.
U.S. drones have a computer virus. You'd think we would be more careful than this.
No one bothered to tell the Air Force's IT department for two weeks:
New attacks on CAPTCHAs.
Weird World War II security puzzle.
Two California burglars tip off the police after they find child porn on CDs they stole from someone's house.
The Chaos Computer Club has disassembled and analyzed the Trojan used by the German police for legal intercept. In its default mode, it takes regular screenshots of the active window and sends it to the police. It encrypts data in AES Electronic Codebook mode with -- are you ready? -- a fixed key across all versions. There's no authentication built in, so it's easy to spoof. It sends data to a command-and-control server in the U.S., which is almost certainly against German law. There's code to allow the controller to install additional software onto the target machine, but that's not authenticated either, so it would be easy to fool the Trojan into installing anything.
F-Secure has announced it will treat the Trojan as malware. I hope all the other anti-virus companies will do the same.
EDITED TO ADD (10/12): Another story. And some good information on the malware. Germany's Justice Minister is calling for an investigation.
It's an easy attack. Register a domain that's like your target except for a typo. So it would be countrpane.com instead of counterpane.com, or mailcounterpane.com instead of mail.counterpane.com. Then, when someone mistypes an e-mail address to someone at that company and you receive it, just forward it on as if nothing happened. These are called "doppelganger domains," and they're already being used to spy on companies.
Defenses are few. I suppose you can buy up the most common typos, but there will always be ones you didn't think about -- especially if you use a lot of subdomains.
I will be speaking at the Hacker Halted conference on October 25 in Miami.
I will be speaking at the Pennsylvania I.T. and Security Conference in King of Prussia, PA, on November 2.
I will be speaking at the AISA National Conference on November 9 in Sydney.
I will be speaking at the American Society of Consultant Pharmacists Technology Summit on November 15, in Phoenix.
This is both news and not news:
Indeed, the Argonne team's attack required no modification, reprogramming, or even knowledge, of the voting machine's proprietary source code. It was carried out by inserting a piece of inexpensive "alien electronics" into the machine.
It's not news because we already know that if you have access to the internals of a voting machine, you can make it do whatever you want.
It is news because it's so easy. The entire hack took two hours, start to finish. The attacker doesn't have to know how the machine works, he just needs physical access. (And we know that voting machines are routinely left unguarded, and have locks that are easily bypassed.)
I find this all so frustrating because there are a gazillion ways to hack electronic voting machines. Specific attacks get the headlines, and the voting machine companies counter with reasons why those attacks are not "valid." And in the noise and counter-noise, no one hears the general truth: these systems are insecure, and should not be used in elections.
October is National Cybersecurity Awareness Month, sponsored by the Department of Homeland Security. The website has some sample things you can do to celebrate, but they're all pretty boring. Surely we can do better. Post your suggestions in the comments section of the blog post.
Blog entry URL:
National Cybersecurity Awareness Month:
Since 1998, CRYPTO-GRAM has been a free monthly newsletter providing summaries, analyses, insights, and commentaries on security: computer and otherwise. You can subscribe, unsubscribe, or change your address on the Web at <http://www.schneier.com/crypto-gram.html>. Back issues are also available at that URL.
Please feel free to forward CRYPTO-GRAM, in whole or in part, to colleagues and friends who will find it valuable. Permission is also granted to reprint CRYPTO-GRAM, as long as it is reprinted in its entirety.
CRYPTO-GRAM is written by Bruce Schneier. Schneier is the author of the best sellers "Schneier on Security," "Beyond Fear," "Secrets and Lies," and "Applied Cryptography," and an inventor of the Blowfish, Twofish, Threefish, Helix, Phelix, and Skein algorithms. He is the Chief Security Technology Officer of BT BCSG, and is on the Board of Directors of the Electronic Privacy Information Center (EPIC). He is a frequent writer and lecturer on security topics. See <http://www.schneier.com>.
Crypto-Gram is a personal newsletter. Opinions expressed are not necessarily those of BT.
Copyright (c) 2011 by Bruce Schneier.