November 15, 2011

by Bruce Schneier
Chief Security Technology Officer, BT

A free monthly newsletter providing summaries, analyses, insights, and commentaries on security: computer and otherwise.

For back issues, or to subscribe, visit <>.

You can read this issue on the web at <>. These same essays and news items appear in the "Schneier on Security" blog at <>, along with a lively comment section. An RSS feed is available.

In this issue:

Advanced Persistent Threat (APT)

It's taken me a few years, but I've come around to this buzzword. It highlights an important characteristic of a particular sort of Internet attacker.

A conventional hacker or criminal isn't interested in any particular target. He wants a thousand credit card numbers for fraud, or to break into an account and turn it into a zombie, or whatever. Security against this sort of attacker is relative; as long as you're more secure than almost everyone else, the attackers will go after other people, not you. An APT is different; it's an attacker who -- for whatever reason -- wants to attack you. Against this sort of attacker, the absolute level of your security is what's important. It doesn't matter how secure you are compared to your peers; all that matters is whether you're secure enough to keep him out.

APT attackers are more highly motivated. They're likely to be better skilled, better funded, and more patient. They're likely to try several different avenues of attack. And they're much more likely to succeed.

This is why APT is a useful buzzword.


Interesting article on the criminal use of crowdsourcing.
Discovering what Facebook knows about you: interesting developments from Europe.

A newly discovered piece of malware, Duqu, seems to be a precursor to the next Stuxnet-like worm and uses some of the same techniques as the original.
A contrary view:
Interesting analysis of random passwords in the wild.
It turns out that "2bon2btitq" is not a strong password.
Google enables SSL by default for search. This is a good thing.

There's a patent application from Facebook that seems to cover tracking people even when they're not logged in to Facebook.

Blue Coat products enable web censorship in Syria. It's illegal for Blue Coat to sell its technology for this purpose, but there are lots of third parties who are willing to act as middlemen. Bet you anything that the Syrian Blue Coat products are registered, and that they receive all the normal code and filter updates.
The Wall Street Journal confirms it: "The appliances do have Blue Coat service and support contracts. The company says it has now cut off contracts for the devices."

The second document in this file is the recently unclassified "Guide to Historical Cryptologic Acronyms and Abbreviations, 1940-1980," from the NSA. Note that there are still some redactions.

The Twofish encryption algorithm is mentioned in the book "Abuse of Power."

Google releases statistics on law-enforcement demands for Google's data. I'm sure they have an office full of attorneys versed in the laws of various countries.

I don't follow historical cryptography, so all of this comes as a surprise to me. But something called the Copiale Cipher from the 18th Century has been cracked.

EFF reports on the security of SSL:

Secret codes in bacteria.
This XKCD is a good one. Be sure to read the hover-over text.

Brian Krebs has done some analysis on the attack that compromised RSA in March; it's something like 760 companies that were compromised.

I was not surprised that police forces are buying this cell phone surveillance system, but I was surprised at its capabilities.
Company website:

Two articles from The Economist on lying:
And this is the cited work:

I note that the three "industry leaders" speaking at the DARPA Cyber Colloquium next week have about 75 years of government experience among them.

Interesting research on how parents help their children lie about their age to get onto Facebook.
Media coverage:

From the "Journal of Strategic Studies": "Cyber War Will Not Take Place":

Here's another article: "The Non-Existent 'Cyber War' Is Nothing More Than A Push For More Government Control."
Weaponized UAV drones in the hands of local police:

Cutting wallets out of drunks' pockets on New York City subways: it's a crime with finesse.
Pickpockets of all kinds may be a dying breed in New York.
Unlocking any iPad2 using a Smart Cover.
The bug has been patched.

More SSL woes from Mikko Hypponen: "We found a malware sample. Which was signed. With a valid certificate. Belonging to the Government of Malaysia."
!/mikko/status/136090183857745920

There's a group who charges to make social engineering calls to obtain missing personal information for identity theft. This doesn't surprise me at all. Fraud is a business, too.

Another ATM Theft Tactic

This brazen tactic is from Malaysia. Robbers sabotage the machines, and then report the damage to the bank. When the banks send repair technicians to open and repair the machines, the robbers take the money at gunpoint.

It's hardly a technology-related attack. But from what I know about ATMs, the security of the cash safe inside the machine is separate from the security of the rest of the machine. So it seems that the repair technicians could be given access to the machine but not to the safe inside it.

Remotely Opening Prison Doors

Researchers have found a vulnerability in computer-controlled prison-door systems that allows them to be remotely opened over the Internet. This assumes that they're connected to the Internet in the first place, which some of them are.

The weirdest part of the article was this last paragraph.

"You could open every cell door, and the system would be telling
the control room they are all closed," Strauchs, a former CIA
operations officer, told the Times. He said that he thought
the greatest threat was that the system would be used to create
the conditions needed for the assassination of a target prisoner.

I guess that's a threat. But the *greatest* threat?
The original paper:

Schneier News

I'm speaking at Internetdagarna in Stockholm on November 21.

I'm speaking at The Register and Intel Live in London on November 22.

And I'm speaking at the CISO Executive Summit in Chicago on December 1.

Fake Documents that Alarm if Opened

Creating fake documents that alarm if opened seems like a decent approach to the problem of insider information theft, but it has a lot of practical problems.

In the wake of Wikileaks, the Department of Defense has stepped up
its game to stop leaked documents from making their way into the
hands of undesirables -- be they enemy forces or concerned
citizens. A new piece of software has created a way to do this by
generating realistic, fake documents that phone home when they're
accessed, serving the dual purpose of providing false intelligence
and helping identify the culprit.

Details aside, this kind of thing falls into the general category of data tracking. It doesn't even have to be fake documents; you could imagine some sort of macro embedded into Word or pdf documents that phones home when the document is opened. (I have no idea if you actually can do it with those formats, but the concept is plausible.) This allows the owner of a document to track when, and possibly by what computer, a document is opened.

But by far the biggest drawback from this tech is the possibility
of false positives. If you seed a folder full of documents with a
large number of fakes, how often do you think an authorized user
will accidentally double click on the wrong file? And what if they
act on the false information? Sure, this will prevent hackers from
blindly trusting that every document on a server is correct, but
we bet it won't take much to look into the code of a document and
spot the fake, either.

I'm less worried about false positives, and more concerned by how easy it is to get around this sort of thing. Detach your computer from the Internet, and the document no longer phones home. A fix is to combine the system with an encryption scheme that requires a remote key. Now the document *has* to phone home before it can be viewed. Of course, once someone is authorized to view the document, it would be easy to create an unprotected copy -- screen captures, if nothing else -- to forward along.
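As an added illustration (this is not the software the article describes, nor Schneier's code), here is a small Python model of the two designs just discussed: a beacon-only document, which leaves no trace when opened on an air-gapped machine, and the remote-key variant, in which the open is logged before the content can be decrypted. The server, the token layout, the URLs and the HMAC-SHA256 counter-mode cipher are my assumptions (the cipher stands in for a real AEAD such as AES-GCM); the document body is constructed sample text.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class CanaryServer:
    """Hypothetical phone-home server: issues one token per recipient, logs
    beacons, and (for the remote-key design) releases the document key."""
    master_key: bytes
    recipients: dict = field(default_factory=dict)  # token -> recipient label
    log: list = field(default_factory=list)         # (unix time, token, recipient, event)

    def issue_token(self, recipient: str) -> str:
        token = secrets.token_hex(16)
        self.recipients[token] = recipient
        return token

    def document_key(self, token: str) -> bytes:
        # Per-document key derived from the master key; nothing extra is stored.
        return hmac.new(self.master_key, b"doc-key:" + token.encode(), hashlib.sha256).digest()

    def beacon(self, token: str, source: str) -> Optional[str]:
        who = self.recipients.get(token)
        self.log.append((time.time(), token, who, f"opened from {source}"))
        return who

    def release_key(self, token: str, source: str) -> Optional[bytes]:
        who = self.recipients.get(token)
        self.log.append((time.time(), token, who, f"key requested from {source}"))
        return None if who is None else self.document_key(token)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode (assumption; stands in for AES-GCM or similar).
    blocks = [hmac.new(key, b"ks:" + nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(16)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, b"tag:" + nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, b"tag:" + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or document tampered with")
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(key, nonce, len(ciphertext))))


def make_beacon_document(server: CanaryServer, recipient: str, body: bytes) -> dict:
    token = server.issue_token(recipient)
    return {"token": token, "beacon_url": f"https://canary.example/open/{token}", "body": body}


def open_beacon_document(doc: dict, server: Optional[CanaryServer] = None, source: str = "?") -> bytes:
    # A real viewer would fetch beacon_url; here "having a server" models having
    # network access.  server=None is the air-gapped case: content still readable.
    if server is not None:
        server.beacon(doc["token"], source)
    return doc["body"]


def make_key_release_document(server: CanaryServer, recipient: str, body: bytes) -> dict:
    token = server.issue_token(recipient)
    return {"token": token, "key_url": f"https://canary.example/key/{token}",
            "sealed": seal(server.document_key(token), body)}


def open_key_release_document(doc: dict, server: Optional[CanaryServer] = None, source: str = "?") -> bytes:
    if server is None:
        raise RuntimeError("offline: no key available, document cannot be read")
    key = server.release_key(doc["token"], source)
    if key is None:
        raise RuntimeError("server refused: unknown token")
    return unseal(key, doc["sealed"])


def demo() -> dict:
    """Walk both designs through the offline-evasion case described in the text."""
    server = CanaryServer(master_key=secrets.token_bytes(32))
    body = b"CONSTRUCTED SAMPLE: fake Q3 plan, deliberately wrong figures"

    beacon_doc = make_beacon_document(server, "alice", body)
    open_beacon_document(beacon_doc)                       # air-gapped open...
    traces_after_offline_open = len(server.log)            # ...leaves no trace
    open_beacon_document(beacon_doc, server, "10.0.0.5")   # online open is logged

    keyed_doc = make_key_release_document(server, "bob", body)
    try:
        open_key_release_document(keyed_doc)               # air-gapped: unreadable
        offline_readable = True
    except RuntimeError:
        offline_readable = False
    recovered = open_key_release_document(keyed_doc, server, "10.0.0.9")

    return {"traces_after_offline_open": traces_after_offline_open,
            "beacon_logged_for": server.log[0][2],
            "offline_readable": offline_readable,
            "recovered_matches": recovered == body,
            "key_release_logged_for": server.log[-1][2],
            "events": len(server.log)}


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The model also makes the remaining weaknesses visible: the per-recipient token sits in plain view in the document, so anyone who inspects the file structure can tell it is instrumented, and once `open_key_release_document` has returned the plaintext nothing in the scheme stops the reader from copying it onward.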

While potentially interesting, this sort of technology is not going to prevent large data leaks. But it's good to see research.

Since 1998, CRYPTO-GRAM has been a free monthly newsletter providing summaries, analyses, insights, and commentaries on security: computer and otherwise. You can subscribe, unsubscribe, or change your address on the Web at <>. Back issues are also available at that URL.

Please feel free to forward CRYPTO-GRAM, in whole or in part, to colleagues and friends who will find it valuable. Permission is also granted to reprint CRYPTO-GRAM, as long as it is reprinted in its entirety.

CRYPTO-GRAM is written by Bruce Schneier. Schneier is the author of the best sellers "Schneier on Security," "Beyond Fear," "Secrets and Lies," and "Applied Cryptography," and an inventor of the Blowfish, Twofish, Threefish, Helix, Phelix, and Skein algorithms. He is the Chief Security Technology Officer of BT BCSG, and is on the Board of Directors of the Electronic Privacy Information Center (EPIC). He is a frequent writer and lecturer on security topics. See <>.

Crypto-Gram is a personal newsletter. Opinions expressed are not necessarily those of BT.

Copyright (c) 2011 by Bruce Schneier.

Sidebar photo of Bruce Schneier by Joe MacInnis.