Crypto-Gram

August 15, 2014

by Bruce Schneier
CTO, Co3 Systems, Inc.
schneier@schneier.com
http://www.schneier.com

A free monthly newsletter providing summaries, analyses, insights, and commentaries on security: computer and otherwise.

For back issues, or to subscribe, visit <http://www.schneier.com/crypto-gram.html>.

You can read this issue on the web at <http://www.schneier.com/crypto-gram-1408.html>. These same essays and news items appear in the "Schneier on Security" blog at <http://www.schneier.com/blog>, along with a lively and intelligent comment section. An RSS feed is available.


In this issue:


New Snowden Interview in Wired

There's a new article on Edward Snowden in Wired. It's written by longtime NSA watcher James Bamford, who interviewed Snowden in Moscow.

There's lots of interesting stuff in the article, but I want to highlight two new revelations. One is that the NSA was responsible for a 2012 Internet blackout in Syria:

One day an intelligence officer told him that TAO -- a division of NSA hackers -- had attempted in 2012 to remotely install an exploit in one of the core routers at a major Internet service provider in Syria, which was in the midst of a prolonged civil war. This would have given the NSA access to email and other Internet traffic from much of the country. But something went wrong, and the router was bricked instead -- rendered totally inoperable. The failure of this router caused Syria to suddenly lose all connection to the Internet -- although the public didn't know that the US government was responsible....
Inside the TAO operations center, the panicked government hackers had what Snowden calls an "oh shit" moment. They raced to remotely repair the router, desperate to cover their tracks and prevent the Syrians from discovering the sophisticated infiltration software used to access the network. But because the router was bricked, they were powerless to fix the problem.
Fortunately for the NSA, the Syrians were apparently more focused on restoring the nation's Internet than on tracking down the cause of the outage. Back at TAO's operations center, the tension was broken with a joke that contained more than a little truth: "If we get caught, we can always point the finger at Israel."

The other is something called MONSTERMIND, which is an automatic strike-back system for cyberattacks.

The program, disclosed here for the first time, would automate the process of hunting for the beginnings of a foreign cyberattack. Software would constantly be on the lookout for traffic patterns indicating known or suspected attacks. When it detected an attack, MonsterMind would automatically block it from entering the country -- a "kill" in cyber terminology.
Programs like this had existed for decades, but MonsterMind software would add a unique new capability: Instead of simply detecting and killing the malware at the point of entry, MonsterMind would automatically fire back, with no human involvement.
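As an added illustration (not from the Wired article or this newsletter; MonsterMind's internals are not public), here is the generic pattern the quoted passage describes, in Python: a detector that watches flow records for a known pattern, and a response gate that applies only local, reversible blocking on its own and queues anything beyond that for a person. The flow records, IP addresses, thresholds and action names are all constructed for the example.

```python
"""Port-scan style detector over flow records with a human-in-the-loop response gate.

Added example. The flow records below are constructed, and MonsterMind's design is
not public, so this models only the generic pattern the article describes: watch
traffic for a known pattern, block at the edge, and decide who authorises
anything beyond a block.
"""
from collections import defaultdict, deque
from dataclasses import dataclass

# Constructed flow records: (timestamp_seconds, src_ip, dst_ip, dst_port, tcp_flags)
SAMPLE_FLOWS = [
    (0, "203.0.113.7", "198.51.100.10", 21, "S"),
    (2, "203.0.113.7", "198.51.100.10", 22, "S"),
    (3, "203.0.113.7", "198.51.100.10", 23, "S"),
    (4, "203.0.113.7", "198.51.100.10", 25, "S"),
    (5, "203.0.113.7", "198.51.100.10", 80, "S"),
    (6, "203.0.113.7", "198.51.100.10", 110, "S"),
    (7, "203.0.113.7", "198.51.100.10", 143, "S"),
    (8, "203.0.113.7", "198.51.100.10", 443, "S"),
    (9, "203.0.113.7", "198.51.100.10", 445, "S"),
    (10, "203.0.113.7", "198.51.100.10", 3389, "S"),
    (11, "203.0.113.7", "198.51.100.10", 8080, "S"),
    # a normal client: one established session
    (3, "192.0.2.44", "198.51.100.10", 443, "SA"),
    (4, "192.0.2.44", "198.51.100.10", 443, "A"),
    # a slow probe: same source, but spread over more than one window
    (0, "203.0.113.9", "198.51.100.10", 22, "S"),
    (200, "203.0.113.9", "198.51.100.10", 23, "S"),
    (400, "203.0.113.9", "198.51.100.10", 25, "S"),
]

WINDOW_SECONDS = 60
PORT_THRESHOLD = 10  # distinct destination ports from one source inside the window


@dataclass(frozen=True)
class Alert:
    src_ip: str
    distinct_ports: int
    window_start: int
    window_end: int


def detect_port_scans(flows, window=WINDOW_SECONDS, threshold=PORT_THRESHOLD):
    """Flag sources that SYN to >= threshold distinct ports within a sliding window."""
    recent = defaultdict(deque)  # src_ip -> deque of (ts, dst_port), oldest first
    alerts = {}
    for ts, src, _dst, port, flags in sorted(flows):
        if flags != "S":  # only connection attempts, not established traffic
            continue
        q = recent[src]
        q.append((ts, port))
        while q and q[0][0] < ts - window:  # evict records older than the window
            q.popleft()
        ports = {p for _, p in q}
        if len(ports) >= threshold and src not in alerts:
            alerts[src] = Alert(src, len(ports), q[0][0], ts)
    return list(alerts.values())


# Only actions that are local, reversible and harmless if the source was spoofed
# may run without a person approving them. (Hypothetical action names.)
AUTOMATED_ACTIONS = {"drop_inbound"}


class ResponseGate:
    """Apply low-risk actions immediately; queue everything else for an analyst."""

    def __init__(self):
        self.applied = []
        self.pending_review = []

    def request(self, action, alert, ttl_seconds=600):
        entry = (action, alert.src_ip, ttl_seconds)
        if action in AUTOMATED_ACTIONS:
            self.applied.append(entry)
            return "applied"
        # Source addresses in flow data are unauthenticated; anything that acts
        # on the apparent source needs a human to weigh the attribution first.
        self.pending_review.append(entry)
        return "queued"


def run(flows=SAMPLE_FLOWS):
    """Detect, then ask the gate for a passive block and for an active response."""
    gate = ResponseGate()
    results = []
    for alert in detect_port_scans(flows):
        results.append((alert.src_ip, gate.request("drop_inbound", alert),
                        gate.request("active_response", alert)))
    return results, gate


if __name__ == "__main__":
    summary, gate = run()
    for src, auto, manual in summary:
        print(f"{src}: drop_inbound={auto}, active_response={manual}")
    print("awaiting analyst:", gate.pending_review)
```

The gate is the point of the example: the detector is ordinary, and it is the same kind of signature matching that, as the article notes, has existed for decades. What is new in the quoted description is removing the person between "detected" and "fired back", and the gate shows where that person sits and why: the source field in flow data is whatever the sender put there, so an automated reaction against it acts on unverified attribution.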

http://www.wired.com/2014/08/edward-snowden/

Other articles on Syria:
http://www.theverge.com/2014/8/13/5998237/...
http://www.theguardian.com/world/2014/aug/13/...
http://www.nationaljournal.com/tech/...

Other articles on MONSTERMIND:
http://www.wired.com/2014/08/...
http://arstechnica.com/tech-policy/2014/08/...
http://www.popsci.com/article/technology/...
http://www.rawstory.com/rs/2014/08/13/...
http://thehill.com/policy/technology/...

And there's this 2011 photo of Snowden and former NSA Director Michael Hayden.
https://twitter.com/daveweigel/status/...


The US Intelligence Community has a Third Leaker

Ever since the Intercept published this story about the US government's Terrorist Screening Database, the press has been writing about a "second leaker." Everyone's miscounting. This is the third leaker:

Leaker #1: Edward Snowden.

Leaker #2: The person who is passing secrets to Jake Appelbaum, Laura Poitras and others in Germany: the Angela Merkel surveillance story, the TAO catalog, the X-KEYSCORE rules. My guess is that this is either an NSA employee or contractor working in Germany, or someone from German intelligence who has access to NSA documents. Snowden has said that he is not the source for the Merkel story, and Greenwald has confirmed that the Snowden documents are not the source for the X-KEYSCORE rules. I have also heard privately that the NSA knows that this is a second leaker.

Leaker #3: This new leaker, with access to a different stream of information (the NCTC is not the NSA), whom the Intercept calls "a source in the intelligence community."

https://firstlook.org/theintercept/article/2014/08/...

Article speculating on second leaker:
http://www.cnn.com/2014/08/05/politics/...

Harvard Law School professor Yochai Benkler has written an excellent law-review article on the need for a whistleblower defense.
http://benkler.org/...

Columbia Law School professor David Pozen has written another excellent article on why government leaks are, in general, a good thing:
http://harvardlawreview.org/2013/12/...


News

Brian Krebs is reporting on the risks of keyloggers on public computers in hotels:
https://krebsonsecurity.com/2014/07/...
It's actually a very hard problem to solve. The adversary can have unrestricted access to the computer, especially hotel business center computers that are often tucked away where no one else is looking. I assume that if someone has physical access to my computer, he can own it. This is doubly true if he has hardware access.

Here's some interesting research on foiling traffic analysis of cloud storage systems.
http://arxiv.org/abs/1402.5524
http://www.eurekalert.org/pub_releases/2014-07/...

Hackers stole personal information of US security clearance holders. The article says they were Chinese but offers no evidence.
http://www.nytimes.com/2014/07/10/world/asia/...
This is a big deal. If I were a government, trying to figure out who to target for blackmail, bribery, and other coercive tactics, this would be a nice database to have.

The Maryland Air National Guard needs a new facility for its cyberwar operations:
https://www.fbo.gov/index?...
Is this something we want the Maryland Air National Guard to get involved in?

Long article on a sophisticated hacking of the NASDAQ stock exchange.
http://www.businessweek.com/articles/2014-07-17/...

Here's a way to fingerprint computers remotely by having their browser draw an image. Because each computer draws the image slightly differently, this can be used to uniquely identify each computer.
https://www.schneier.com/blog/archives/2014/07/...

A group of hackers are using a vulnerability in the Nest thermostat to secure it against Nest's remote data collection.
http://www.forbes.com/sites/kashmirhill/2014/07/16/...

Security vulnerability in the Tails OS.
http://www.theverge.com/2014/7/22/5927917/...
http://fas.org/irp/doddir/dod/jp3_0.pdf

Two researchers have built a botnet using free anonymous accounts. They only collected 1,000 accounts, but there's no reason this can't scale to much larger numbers.
http://www.wired.com/2014/07/...

Russia has put out a tender on its official government procurement website for anyone who can identify Tor users. The reward of $114,000 seems pretty cheap for this capability. And we now get to debate whether 1) Russia cannot currently deanonymize Tor users, or 2) Russia can, and this is a ruse to make us think they can't.
http://www.themoscowtimes.com/news/article/...
http://therunet.com/news/...
http://www.pcworld.com/article/2458420/...
http://zakupki.gov.ru/epz/order/notice/zkk44/view/...

There was a conference on deception earlier this month. Sophie Van Der Zee has a summary of the sessions.
https://www.lightbluetouchpaper.org/2014/07/28/...

New America Foundation has a new paper on the costs of NSA surveillance: economic costs to US business, costs to US foreign policy, and costs to security.
http://oti.newamerica.net/sites/newamerica.net/...
http://www.wired.com/2014/07/...

The fundamental insecurity of USB devices.
http://www.wired.com/2014/07/usb-security/
http://theinvisiblethings.blogspot.com/2011/06/...
https://srlabs.de/blog/wp-content/uploads/2014/07/...

Here are all the NSA's patents, in one searchable database.
http://complex.foreignpolicy.com/posts/2014/07/30/...
If you find something good, tell us all in my blog.
https://www.schneier.com/blog/archives/2014/08/...

Former NSA Director Keith Alexander is patenting a variety of techniques to protect computer networks. We're supposed to believe that he developed these on his own time and they have nothing to do with the work he did at the NSA, except for the parts where they obviously did and therefore are worth $1 million per month for companies to license. No, nothing fishy here.
http://www.foreignpolicy.com/articles/2014/07/29/...
http://www.emptywheel.net/2014/07/29/...
http://www.theatlantic.com/politics/archive/2014/07/...
https://www.techdirt.com/articles/20140729/...

Network-attached storage devices made by Synology are being attacked, and their data encrypted, by ransomware that demands $350 in bitcoins (payable anonymously via Tor) for the decryption key. As of this moment, there's no patch.
http://www.cso.com.au/article/551527/...

Good essay on ubiquitous surveillance in Singapore.
http://www.foreignpolicy.com/articles/2014/07/29/...

Social-engineering a telemarketer:
https://plus.google.com/+ChrisBlasko/posts/GzCuzTyUXNq

Researchers are able to recover sound through soundproof glass by recording the vibrations of a rigid plastic bag.
http://newsoffice.mit.edu/2014/...
http://www.cnn.com/2014/08/06/tech/innovation/...
This isn't a new idea. I remember military security policies requiring people to close the window blinds to prevent someone from shining a laser on the window and recovering the sound from the vibrations. But both the camera and processing technologies are getting better.

Automatic scanning for highly stressed individuals.
https://www.schneier.com/blog/archives/2014/08/...

Clever debit card override attack.
http://www.businessinsider.com/...
Now that this trick is public, how long before stores stop accepting these authorization codes altogether? I'll bet that fixing the infrastructure will be expensive.


Over a Billion Passwords Stolen?

I've been doing way too many media interviews this month over a weird New York Times story that a Russian criminal gang has stolen over 1.2 billion passwords.

As expected, the hype is pretty high over this. But from the beginning, the story didn't make sense to me. There are obvious details missing: are the passwords in plaintext or encrypted, what sites are they for, how did they end up with a single criminal gang?

The Milwaukee company that pushed this story is Hold Security. Brian Krebs vouches for them, but I have never heard of the company before. (I was with Howard Schmidt when this story broke. He lives in Wisconsin, and he had never heard of the company before, either.) The New York Times writes that "a security expert not affiliated with Hold Security analyzed the database of stolen credentials and confirmed it was authentic," but we're not given any details. This felt more like a PR story from the company than anything real.

Also, there's a strong self-serving aspect. For a short time after the story broke, Hold Security had a webpage up that announced that the company was charging people $120 to tell them if they're in the stolen-password database. That page is currently down.

I don't know how much of this story is true, but what I was saying to reporters over the past two days is that it's evidence of how secure the Internet actually is. We're not seeing massive fraud or theft. We're not seeing massive account hijacking. A gang of Russian hackers has 1.2 billion passwords -- they've probably had most of them for a year or more -- and everything is still working normally. This sort of thing is pretty much universally true. You probably have a credit card in your wallet right now whose number has been stolen. There are zero-day vulnerabilities being discovered right now that can be used to hack your computer. Security is terrible everywhere, and it's all okay. This is a weird paradox that we're used to by now.
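The story never says whether the credentials were plaintext or hashed, and that detail decides how much a dump like this is worth. As an added example, not part of the newsletter or of any company's code, here is the hashed side of that question using only Python's standard library: salted, iterated PBKDF2 records, constant-time verification, and a login routine that quietly upgrades records stored with weaker parameters. The user table and passwords are constructed.

```python
"""Salted, iterated password storage with transparent parameter upgrades.

Added example using only the Python standard library. Records are self-describing
so the parameters can be raised later without invalidating existing accounts.
"""
import base64
import hashlib
import hmac
import os

ALGORITHM = "pbkdf2_sha256"
DEFAULT_ITERATIONS = 600_000  # OWASP's 2023 guidance for PBKDF2-HMAC-SHA256
SALT_BYTES = 16


def hash_password(password: str, iterations: int = DEFAULT_ITERATIONS) -> str:
    """Return a record of the form algorithm$iterations$salt$hash (base64 fields)."""
    salt = os.urandom(SALT_BYTES)  # fresh per record: equal passwords get different hashes
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([ALGORITHM, str(iterations),
                     base64.b64encode(salt).decode("ascii"),
                     base64.b64encode(digest).decode("ascii")])


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and parameters, then compare in constant time."""
    try:
        algorithm, iterations, salt_b64, hash_b64 = stored.split("$")
        iterations = int(iterations)
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(hash_b64, validate=True)
    except (ValueError, TypeError):
        return False  # malformed record: never treat it as a match
    if algorithm != ALGORITHM or iterations <= 0:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored: str, iterations: int = DEFAULT_ITERATIONS) -> bool:
    """True if the record was made with weaker parameters than current policy."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != ALGORITHM or not parts[1].isdigit():
        return True
    return int(parts[1]) < iterations


# Verified against when the username is unknown, so that a missing account costs
# the same time as a wrong password and does not leak which usernames exist.
DUMMY_RECORD = hash_password("not-a-real-password")


def login(users: dict, username: str, password: str) -> bool:
    """Verify a password and upgrade the stored record if its parameters are outdated."""
    stored = users.get(username)
    if stored is None:
        verify_password(password, DUMMY_RECORD)
        return False
    if not verify_password(password, stored):
        return False
    if needs_rehash(stored):
        users[username] = hash_password(password)  # we have the plaintext only now
    return True


if __name__ == "__main__":
    # Constructed user table: one record made with parameters below current policy.
    users = {"alice": hash_password("correct horse battery staple", iterations=10_000)}
    print("old record needs rehash:", needs_rehash(users["alice"]))
    print("login ok:", login(users, "alice", "correct horse battery staple"))
    print("upgraded record needs rehash:", needs_rehash(users["alice"]))
    print("wrong password:", login(users, "alice", "wrong"))
```

A dump of records like these still lets an attacker guess weak passwords offline, one record at a time, which is why the iteration count and the per-record salt matter; a dump of plaintext passwords, by contrast, is immediately usable on every site where the password was reused. That difference is what the news coverage never established.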

http://www.nytimes.com/2014/08/06/technology/...
http://www.holdsecurity.com/news/cybervors/
http://blogs.wsj.com/digits/2014/08/05/...

Brian Krebs story:
http://krebsonsecurity.com/2014/08/...

Hold Security had no web presence until the story broke:
https://www.schneier.com/blog/archives/2014/08/...

Here's an article about Hold Security from February with suspiciously similar numbers.
http://www.slate.com/blogs/future_tense/2014/02/28/...

Another skeptical take.
http://www.youarenotpayingattention.com/2014/08/08/...

If you want to change your passwords, here's my advice.
https://www.schneier.com/blog/archives/2014/03/...


Schneier News

I'm speaking at ArchCON in St. Louis on September 6:
http://www.archc0n.org/


Irrational Fear of Risks Against Our Children

There's a horrible story of a South Carolina mother arrested for letting her 9-year-old daughter play alone at a park while she was at work. The article linked to another article about a woman convicted of "contributing to the delinquency of a minor" for leaving her 4-year-old son in the car for a few minutes. That article contains some excellent commentary by the very sensible Free Range Kids blogger Lenore Skenazy:

"Listen," she said at one point. "Let's put aside for the moment that by far, the most dangerous thing you did to your child that day was put him in a car and drive someplace with him. About 300 children are injured in traffic accidents every day -- and about two die. That's a real risk. So if you truly wanted to protect your kid, you'd never drive anywhere with him. But let's put that aside. So you take him, and you get to the store where you need to run in for a minute and you're faced with a decision. Now, people will say you committed a crime because you put your kid 'at risk.' But the truth is, there's some risk to either decision you make." She stopped at this point to emphasize, as she does in much of her analysis, how shockingly rare the abduction or injury of children in non-moving, non-overheated vehicles really is. For example, she insists that statistically speaking, it would likely take 750,000 years for a child left alone in a public space to be snatched by a stranger. "So there is some risk to leaving your kid in a car," she argues. "It might not be statistically meaningful but it's not nonexistent. The problem is," she goes on, "there's some risk to every choice you make. So, say you take the kid inside with you. There's some risk you'll both be hit by a crazy driver in the parking lot. There's some risk someone in the store will go on a shooting spree and shoot your kid. There's some risk he'll slip on the ice on the sidewalk outside the store and fracture his skull. There's some risk no matter what you do. So why is one choice illegal and one is OK? Could it be because the one choice inconveniences you, makes your life a little harder, makes parenting a little harder, gives you a little less time or energy than you would have otherwise had?"
Later on in the conversation, Skenazy boils it down to this. "There's been this huge cultural shift. We now live in a society where most people believe a child can not be out of your sight for one second, where people think children need constant, total adult supervision. This shift is not rooted in fact. It's not rooted in any true change. It's imaginary. It's rooted in irrational fear."

Skenazy has some choice words about the South Carolina story as well:

But, "What if a man would've come and snatched her?" said a woman interviewed by the TV station.
To which I must ask: In broad daylight? In a crowded park? Just because something happened on Law & Order doesn't mean it's happening all the time in real life. Make "what if?" thinking the basis for an arrest and the cops can collar anyone. "You let your son play in the front yard? What if a man drove up and kidnapped him?" "You let your daughter sleep in her own room? What if a man climbed through the window?" etc.
These fears pop into our brains so easily, they seem almost real. But they're not. Our crime rate today is back to what it was when gas was 29 cents a gallon, according to The Christian Science Monitor. It may feel like kids are in constant danger, but they are as safe (if not safer) than we were when our parents let us enjoy the summer outside, on our own, without fear of being arrested.

Yes.

http://www.theatlantic.com/national/archive/2014/07/...

Woman who left her child in a car:
http://www.salon.com/2014/06/03/...

Skenazy on the woman who let her child play in the park:
http://reason.com/blog/2014/07/14/...

Skenazy's blog:
http://www.freerangekids.com/


Since 1998, CRYPTO-GRAM has been a free monthly newsletter providing summaries, analyses, insights, and commentaries on security: computer and otherwise. You can subscribe, unsubscribe, or change your address on the Web at <http://www.schneier.com/crypto-gram.html>. Back issues are also available at that URL.

Please feel free to forward CRYPTO-GRAM, in whole or in part, to colleagues and friends who will find it valuable. Permission is also granted to reprint CRYPTO-GRAM, as long as it is reprinted in its entirety.

CRYPTO-GRAM is written by Bruce Schneier. Bruce Schneier is an internationally renowned security technologist, called a "security guru" by The Economist. He is the author of 12 books -- including "Liars and Outliers: Enabling the Trust Society Needs to Survive" -- as well as hundreds of articles, essays, and academic papers. His influential newsletter "Crypto-Gram" and his blog "Schneier on Security" are read by over 250,000 people. He has testified before Congress, is a frequent guest on television and radio, has served on several government committees, and is regularly quoted in the press. Schneier is a fellow at the Berkman Center for Internet and Society at Harvard Law School, a program fellow at the New America Foundation's Open Technology Institute, a board member of the Electronic Frontier Foundation, an Advisory Board Member of the Electronic Privacy Information Center, and the Chief Technology Officer at Co3 Systems, Inc. See <http://www.schneier.com>.

Crypto-Gram is a personal newsletter. Opinions expressed are not necessarily those of Co3 Systems, Inc.

Copyright (c) 2014 by Bruce Schneier.



Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.