Crypto-Gram

January 15, 2015

by Bruce Schneier
CTO, Co3 Systems, Inc.
schneier@schneier.com
https://www.schneier.com

A free monthly newsletter providing summaries, analyses, insights, and commentaries on security: computer and otherwise.

For back issues, or to subscribe, visit <https://www.schneier.com/crypto-gram.html>.

You can read this issue on the web at <https://www.schneier.com/crypto-gram/archives/2015/...>. These same essays and news items appear in the "Schneier on Security" blog at <http://www.schneier.com/blog>, along with a lively and intelligent comment section. An RSS feed is available.


In this issue:


Lessons from the Sony Hack

Last month, a mysterious group that calls itself Guardians of Peace hacked into Sony Pictures Entertainment's computer systems and began revealing many of the Hollywood studio's best-kept secrets, from details about unreleased movies to embarrassing emails (notably some racist notes from Sony bigwigs about President Barack Obama's presumed movie-watching preferences) to the personnel data of employees, including salaries and performance reviews. The Federal Bureau of Investigation now says it has evidence that North Korea was behind the attack, and Sony Pictures pulled its planned release of "The Interview," a satire targeting that country's dictator, after the hackers made some ridiculous threats about terrorist violence.

Your reaction to the massive hacking of such a prominent company will depend on whether you're fluent in information-technology security. If you're not, you're probably wondering how in the world this could happen. If you are, you're aware that this could happen to any company (though it is still amazing that Sony made it so easy).

To understand any given episode of hacking, you need to understand who your adversary is. I've spent decades dealing with Internet hackers (as I do now at my current firm), and I've learned to separate opportunistic attacks from targeted ones.

You can characterize attackers along two axes: skill and focus. Most attacks are low-skill and low-focus -- people using common hacking tools against thousands of networks world-wide. These low-end attacks include sending spam out to millions of email addresses, hoping that someone will fall for it and click on a poisoned link. I think of them as the background radiation of the Internet.

High-skill, low-focus attacks are more serious. These include the more sophisticated attacks using newly discovered "zero-day" vulnerabilities in software, systems and networks. This is the sort of attack that affected Target, J.P. Morgan Chase and most of the other commercial networks that you've heard about in the past year or so.

But even scarier are the high-skill, high-focus attacks -- the type that hit Sony. This includes sophisticated attacks seemingly run by national intelligence agencies, using such spying tools as Regin and Flame, which many in the IT world suspect were created by the U.S.; Turla, a piece of malware that many blame on the Russian government; and a huge snooping effort called GhostNet, which spied on the Dalai Lama and Asian governments, leading many of my colleagues to blame China. (We're mostly guessing about the origins of these attacks; governments refuse to comment on such issues.) China has also been accused of trying to hack into the New York Times in 2010, and in May, Attorney General Eric Holder announced the indictment of five Chinese military officials for cyberattacks against U.S. corporations.

This category also includes private actors, including the hacker group known as Anonymous, which mounted a Sony-style attack against the Internet-security firm HBGary Federal, and the unknown hackers who stole racy celebrity photos from Apple's iCloud and posted them. If you've heard the IT-security buzz phrase "advanced persistent threat," this is it.

There is a key difference among these kinds of hacking. In the first two categories, the attacker is an opportunist. The hackers who penetrated Home Depot's networks didn't seem to care much about Home Depot; they just wanted a large database of credit-card numbers. Any large retailer would do.

But a skilled, determined attacker wants to attack a specific victim. The reasons may be political: to hurt a government or leader enmeshed in a geopolitical battle. Or ethical: to punish an industry that the hacker abhors, like big oil or big pharma. Or maybe the victim is just a company that hackers love to hate. (Sony falls into this category: It has been infuriating hackers since 2005, when the company put malicious software on its CDs in a failed attempt to prevent copying.)

Low-focus attacks are easier to defend against: If Home Depot's systems had been better protected, the hackers would have just moved on to an easier target. With attackers who are highly skilled and highly focused, however, what matters is whether a targeted company's security is superior to the attacker's skills, not just to the security measures of other companies. Often, it isn't. We're much better at such relative security than we are at absolute security.

That is why security experts aren't surprised by the Sony story. We know people who do penetration testing for a living -- real, no-holds-barred attacks that mimic a full-on assault by a dogged, expert attacker -- and we know that the expert always gets in. Against a sufficiently skilled, funded and motivated attacker, all networks are vulnerable. But good security makes many kinds of attack harder, costlier and riskier. Against attackers who aren't sufficiently skilled, good security may protect you completely.

It is hard to put a dollar value on security that is strong enough to assure you that your embarrassing emails and personnel information won't end up posted online somewhere, but Sony clearly failed here. Its security turned out to be subpar. They didn't have to leave so much information exposed. And they didn't have to be so slow detecting the breach, giving the attackers free rein to wander about and take so much stuff.

For those worried that what happened to Sony could happen to you, I have two pieces of advice. The first is for organizations: take this stuff seriously. Security is a combination of protection, detection and response. You need prevention to defend against low-focus attacks and to make targeted attacks harder. You need detection to spot the attackers who inevitably get through. And you need response to minimize the damage, restore security and manage the fallout.

The time to start is before the attack hits: Sony would have fared much better if its executives simply hadn't made racist jokes about Mr. Obama or insulted its stars -- or if their response systems had been agile enough to kick the hackers out before they grabbed everything.

My second piece of advice is for individuals. The worst invasion of privacy from the Sony hack didn't happen to the executives or the stars; it happened to the blameless random employees who were just using their company's email system. Because of that, they've had their most personal conversations -- gossip, medical conditions, love lives -- exposed. The press may not have divulged this information, but their friends and relatives peeked at it. Hundreds of personal tragedies must be unfolding right now.

This could be any of us. We have no choice but to entrust companies with our intimate conversations: on email, on Facebook, by text and so on. We have no choice but to entrust the retailers that we use with our financial details. And we have little choice but to use cloud services such as iCloud and Google Docs.

So be smart: Understand the risks. Know that your data are vulnerable. Opt out when you can. And agitate for government intervention to ensure that organizations protect your data as well as you would. Like many areas of our hyper-technical world, this isn't something markets can fix.

This essay previously appeared on the Wall Street Journal CIO Journal.
http://www.wsj.com/articles/...

FBI statement:
http://www.wsj.com/articles/...

Sony canceling The Interview:
http://www.wsj.com/articles/...

Reaction to the hack:
http://www.wsj.com/articles/...

Sony has had more than 50 security breaches in the past 15 years.
https://www.emptywheel.net/2014/12/13/...

Home Depot attack:
http://www.wsj.com/articles/...

Slashdot thread.
http://it.slashdot.org/story/14/12/19/1856234/...


Reacting to the Sony Hack

First we thought North Korea was behind the Sony cyberattacks. Then we thought it was a couple of hacker guys with an axe to grind. Now we think North Korea is behind it again, but the connection is still tenuous. There have been accusations of cyberterrorism, and even cyberwar. I've heard calls for us to strike back, with actual missiles and bombs. We're collectively pegging the hype meter, and the best thing we can do is calm down and take a deep breath.

First, this is not an act of terrorism. There has been no senseless violence. No innocents are coming home in body bags. Yes, a company is seriously embarrassed -- and financially hurt -- by all of its information leaking to the public. But posting unreleased movies online is not terrorism. It's not even close.

Nor is this an act of war. Stealing and publishing a company's proprietary information is not an act of war. We wouldn't be talking about going to war if someone snuck in and photocopied everything, and it makes equally little sense to talk about it when someone does it over the internet. The threshold of war is much, much higher, and we're not going to respond to this militarily. Over the years, North Korea has performed far more aggressive acts against US and South Korean soldiers. We didn't go to war then, and we're not going to war now.

Finally, we don't know these attacks were sanctioned by the North Korean government. The US government has made statements linking the attacks to North Korea, but hasn't officially blamed the government, nor have officials provided any evidence of the linkage. We knew about North Korea's cyberattack capabilities long before this attack, but it might not be the government at all. This wouldn't be the first time a nationalistic cyberattack was launched without government sanction. We have lots of examples of these sorts of attacks being conducted by regular hackers with nationalistic pride. Kids playing politics, I call them. This may be that, and it could also be a random hacker who just has it out for Sony.

Remember, the hackers didn't start talking about The Interview until the press did. Maybe the NSA has some secret information pinning this attack on the North Korean government, but unless the agency comes forward with the evidence, we should remain skeptical. We don't know who did this, and we may never find out. I personally think it is a disgruntled ex-employee, but I don't have any more evidence than anyone else does.

What we have is a very extreme case of hacking. By "extreme" I mean the quantity of the information stolen from Sony's networks, not the quality of the attack. The attackers seem to have been good, but no more than that. Sony made its situation worse by having substandard security.

Sony's reaction has all the markings of a company without any sort of coherent plan. Near as I can tell, every Sony executive is in full panic mode. They're certainly facing dozens of lawsuits: from shareholders, from companies who invested in those movies, from employees who had their medical and financial data exposed, from everyone who was affected. They're probably facing government fines, for leaking financial and medical information, and possibly for colluding with other studios to attack Google.

If previous major hacks are any guide, there will be multiple senior executives fired over this; everyone at Sony is probably scared for their jobs. In this sort of situation, the interests of the corporation are not the same as the interests of the people running the corporation. This might go a long way to explain some of the reactions we've seen.

Pulling The Interview was exactly the wrong thing to do, as there was no credible threat and it just emboldens the hackers. But it's the kind of response you get when you don't have a plan.

Politically motivated hacking isn't new, and the Sony hack is not unprecedented. In 2011 the hacker group Anonymous did something similar to the internet-security company HBGary Federal, exposing corporate secrets and internal emails. This sort of thing has been possible for decades, although it's gotten increasingly damaging as more corporate information goes online. It will happen again; there's no doubt about that.

But it hasn't happened very often, and that's not likely to change. Most hackers are garden-variety criminals, less interested in internal emails and corporate secrets and more interested in personal information and credit card numbers that they can monetize. Their attacks are opportunistic, and very different from the targeted attack Sony fell victim to.

When a hacker releases personal data on an individual, it's called doxing. We don't have a name for it when it happens to a company, but it's what happened to Sony. Companies need to wake up to the possibility that a whistleblower, a civic-minded hacker, or just someone who is out to embarrass them will hack their networks and publish their proprietary data. They need to recognize that their chatty private emails and their internal memos might be front-page news.

In a world where *everything* happens online, including what we think of as ephemeral conversation, everything is potentially subject to public scrutiny. Companies need to make sure their computer and network security is up to snuff, and their incident response and crisis management plans can handle this sort of thing. But they should also remember how rare this sort of attack is, and not panic.

This essay previously appeared on Vice Motherboard.
https://www.schneier.com/essays/archives/2014/12/...

The case for North Korea:
http://www.nytimes.com/2014/12/18/world/asia/...

Calling it cyberterrorism:
http://www.slate.com/articles/technology/bitwise/...

Calling it cyberwar:
https://twitter.com/newtgingrich/status/...

Other North Korea aggressions:
https://en.wikipedia.org/wiki/Axe_murder_incident
http://news.nationalpost.com/2014/07/14/...
http://en.wikipedia.org/wiki/ROKS_Cheonan_%28PCC-772%29

North Korea's cyberattack capabilities:
http://www.voanews.com/content/...
http://www.aljazeera.com/indepth/features/2011/06/...
http://www.news.com.au/technology/...

Sony's substandard security:
http://www.telegraph.co.uk/technology/sony/11274727/...
http://recode.net/2014/12/12/...
http://mashable.com/2014/12/02/sony-hack-passwords/

Lawsuits:
http://www.wired.com/2014/12/...

Sony colluding with other studios:
http://www.theverge.com/2014/12/12/7382287/...

Sony canceling The Interview:
http://www.cnn.com/2014/12/18/politics/...
http://www.vox.com/2014/12/18/7414405/...
http://www.nationalreview.com/corner/395055/...
http://www.theweek.co.uk/world-news/61845/...

HBGary Federal story:
http://arstechnica.com/tech-policy/2011/02/...

doxing:
http://www.wired.com/2014/03/doxing/

Reddit thread.
https://www.reddit.com/r/privacy/comments/2qe5fl/...


Did North Korea Really Attack Sony?

I am deeply skeptical of the FBI's announcement on December 19 that North Korea was behind last month's Sony hack. The agency's evidence is tenuous, and I have a hard time believing it. But I also have trouble believing that the US government would make the accusation this formally if officials didn't believe it.

Clues in the hackers' attack code seem to point in all directions at once. The FBI points to reused code from previous attacks associated with North Korea, as well as similarities in the networks used to launch the attacks. Korean language in the code also suggests a Korean origin, though not necessarily a North Korean one, since North Koreans use a unique dialect. However you read it, this sort of evidence is circumstantial at best. It's easy to fake, and it's even easier to interpret it incorrectly. In general, it's a situation that rapidly devolves into storytelling, where analysts pick bits and pieces of the "evidence" to suit the narrative they already have worked out in their heads.
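As an added illustration of why "reused code" is such weak evidence (this is not code from the essay, and it runs on constructed byte blobs rather than any real sample), the following Python computes a crude code-overlap score of the kind such claims rest on. It then shows that an unrelated actor who merely used the same publicly available toolkit scores identically to the "returning" attacker, and that once the known public component is subtracted, essentially no author-specific overlap remains. The toolkit, sample and payload names are assumptions made for the demonstration.

```python
# Added illustration (not from the essay): why "reused code" is weak attribution evidence.
# Every sample below is a constructed, deterministic byte blob, not real malware.
import hashlib


def blob(label: str, size: int) -> bytes:
    """Deterministic pseudo-random bytes standing in for a compiled code region."""
    out = b""
    counter = 0
    while len(out) < size:
        out += hashlib.sha256(f"{label}:{counter}".encode()).digest()
        counter += 1
    return out[:size]


def ngrams(data: bytes, n: int = 4) -> set:
    """Set of overlapping n-byte substrings; the crude 'fingerprint' used below."""
    return {data[i:i + n] for i in range(len(data) - n + 1)}


def similarity(a: bytes, b: bytes, n: int = 4) -> float:
    """Jaccard similarity of the two samples' n-gram sets (1.0 = identical content)."""
    ga, gb = ngrams(a, n), ngrams(b, n)
    if not ga and not gb:
        return 1.0
    return len(ga & gb) / len(ga | gb)


def residual_similarity(a: bytes, b: bytes, known: list, n: int = 4) -> float:
    """Same score after discarding every n-gram that also occurs in a known,
    publicly available component. What is left is the only part an analyst
    could plausibly tie to a specific author."""
    known_grams = set()
    for component in known:
        known_grams |= ngrams(component, n)
    ga = ngrams(a, n) - known_grams
    gb = ngrams(b, n) - known_grams
    if not ga and not gb:
        return 1.0
    return len(ga & gb) / len(ga | gb)


# Constructed samples (assumed names). PUBLIC_TOOLKIT stands for a routine anyone
# can download, such as a leaked wiper or packer stub; each payload stands for
# the code an individual actor actually wrote.
PUBLIC_TOOLKIT = blob("public-toolkit", 2048)
SAMPLE_OLD = PUBLIC_TOOLKIT + blob("actor-one-payload", 512)      # an earlier, attributed attack
SAMPLE_NEW = PUBLIC_TOOLKIT + blob("actor-two-payload", 512)      # the incident under investigation
SAMPLE_COPYCAT = blob("copycat-payload", 512) + PUBLIC_TOOLKIT    # unrelated actor, same toolkit
SAMPLE_UNRELATED = blob("actor-three-payload", 2560)              # shares nothing at all


def attribution_report() -> dict:
    """The scores a practitioner should compare before calling overlap 'evidence'."""
    return {
        "raw_old_vs_new": similarity(SAMPLE_OLD, SAMPLE_NEW),
        "raw_old_vs_copycat": similarity(SAMPLE_OLD, SAMPLE_COPYCAT),
        "raw_old_vs_unrelated": similarity(SAMPLE_OLD, SAMPLE_UNRELATED),
        "residual_old_vs_new": residual_similarity(SAMPLE_OLD, SAMPLE_NEW, [PUBLIC_TOOLKIT]),
    }


if __name__ == "__main__":
    for name, score in attribution_report().items():
        print(f"{name:22s} {score:.3f}")
```

The raw score between the old and new samples is high (roughly two thirds of their content is shared), but the copycat that simply reused the same public toolkit scores exactly as high, so the raw number cannot tell "same author" from "same tooling". Subtracting the known component drives the residual score to zero: nothing author-specific overlaps. Real analysts work with much richer features than byte n-grams, but the logic is the same, and the residual after removing shared public code is the only part that carries any attribution weight.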

In reality, there are several possibilities to consider:

* This is an official North Korean military operation. We know that North Korea has extensive cyberattack capabilities.

* This is the work of independent North Korean nationals. Many politically motivated hacking incidents in the past have not been government-controlled. There's nothing special or sophisticated about this hack that would indicate a government operation. In fact, reusing old attack code is a sign of a more conventional hacker being behind this.

* This is the work of hackers who had no idea that there was a North Korean connection to Sony until they read about it in the media. Sony, after all, is a company that hackers have loved to hate for a decade. The most compelling evidence for this scenario is that the explicit North Korean connection -- threats about the movie The Interview -- was only made by the hackers *after* the media picked up on the possible links between the film release and the cyberattack. There is still the very real possibility that the hackers are in it just for the lulz, and that this international geopolitical angle simply makes the whole thing funnier.

* It could have been an insider -- Sony's Snowden -- who orchestrated the breach. I doubt this theory, because an insider wouldn't need all the hacker tools that were used. I've also seen speculation that the culprit was a disgruntled ex-employee. It's possible, but that employee or ex-employee would have also had to possess the requisite hacking skills, which seems unlikely.

* The initial attack was not a North Korean government operation, but was co-opted by the government. There's no reason to believe that the hackers who initially stole the information from Sony are the same ones who threatened the company over the movie. Maybe there are several attackers working independently. Maybe the independent North Korean hackers turned their work over to the government when the job got too big to handle. Maybe the North Koreans hacked the hackers.

I'm sure there are other possibilities that I haven't thought of, and it wouldn't surprise me if what's really going on isn't even on my list. North Korea's offer to help with the investigation doesn't clear matters up at all.

Tellingly, the FBI's press release says that the bureau's conclusion is only based "in part" on these clues. This leaves open the possibility that the government has classified evidence that North Korea is behind the attack. The NSA has been trying to eavesdrop on North Korea's government communications since the Korean War, and it's reasonable to assume that its analysts are in pretty deep. The agency might have intelligence on the planning process for the hack. It might, say, have phone calls discussing the project, weekly PowerPoint status reports, or even Kim Jong Un's sign-off on the plan.

On the other hand, maybe not. I could have written the same thing about Iraq's weapons of mass destruction program in the run-up to the 2003 invasion of that country, and we all know how wrong the government was about that.

Allan Friedman, a research scientist at George Washington University's Cyber Security Policy Research Institute, told me that, from a diplomatic perspective, it's a smart strategy for the US to be overconfident in assigning blame for the cyberattacks. Beyond the politics of this particular attack, the long-term US interest is to discourage other nations from engaging in similar behavior. If the North Korean government continues denying its involvement, no matter what the truth is, and the real attackers have gone underground, then the US decision to claim omnipotent powers of attribution serves as a warning to others that they will get caught if they try something like this.

Sony also has a vested interest in the hack being the work of North Korea. The company is going to be on the receiving end of a dozen or more lawsuits -- from employees, ex-employees, investors, partners, and so on. Harvard Law professor Jonathan Zittrain opined that having this attack characterized as an act of terrorism or war, or the work of a foreign power, might earn the company some degree of immunity from these lawsuits.

I worry that this case echoes the "we have evidence -- trust us" story that the Bush administration told in the run-up to the Iraq invasion. Identifying the origin of a cyberattack is very difficult, and when it *is* possible, the process of attributing responsibility can take months. While I am confident that there will be no US military retribution because of this, I think the best response is to calm down and be skeptical of tidy explanations until more is known.

This essay originally appeared on the Atlantic.
http://www.theatlantic.com/international/archive/...

FBI's announcement:
http://www.fbi.gov/news/pressrel/press-releases/...

Good breakdown of the Sony hack:
https://www.riskbasedsecurity.com/2014/12/...

North Korea's unique dialect:
http://marcrogers.org/2014/12/18/...

Discounting North Korea:
http://www.wired.com/2014/12/...

North Korea's cyberattack capabilities:
http://www.voanews.com/content/...
http://www.aljazeera.com/indepth/features/2011/06/...
http://www.news.com.au/technology/...

Hackers love to hate Sony:
http://gizmodo.com/...

Anonymous hacking for the lulz:
http://www.theatlantic.com/technology/archive/2011/...

Inside job evidence:
http://www.infowars.com/...
http://www.networkworld.com/article/2851927/...
http://www.tomsguide.com/us/...
http://www.bbc.com/news/technology-30530361

North Korea offering to help with the investigation:
http://www.bbc.com/news/world-us-canada-30560712

Sony lawsuits:
http://www.usatoday.com/story/life/movies/2014/12/...

Zittrain comment:
http://www.wsvn.com/story/27657560/...

The US is not going to respond militarily:
http://motherboard.vice.com/read/...

We should all calm down about this:
http://motherboard.vice.com/read/...

More doubters:
http://gawker.com/...

Ed Felten on the topic:
https://freedom-to-tinker.com/blog/felten/...

Nicholas Weaver analyzes how the NSA could determine if North Korea was behind the Sony hack:
http://mashable.com/2014/12/18/...

Jack Goldsmith discusses the US government's legal and policy confusion surrounding the attack:
http://www.lawfareblog.com/2014/12/...

Interesting article by DEFCON's director of security operations:
http://www.thedailybeast.com/articles/2014/12/24/...

Slashdot thread:
http://it.slashdot.org/story/14/12/24/1757224/...

Hacker News thread:
https://news.ycombinator.com/item?id=8792778


Attributing the Sony Attack

No one has admitted taking down North Korea's Internet. It could have been an act of retaliation by the US government, but it could just as well have been an ordinary DDoS attack. The follow-on attack against Sony PlayStation definitely seems to be the work of hackers unaffiliated with a government.

Not knowing who did what isn't new. It's called the "attribution problem," and it plagues Internet security. But as governments increasingly get involved in cyberspace attacks, it has policy implications as well. Last year, I wrote:

Ordinarily, you could determine who the attacker was by the weaponry. When you saw a tank driving down your street, you knew the military was involved because only the military could afford tanks. Cyberspace is different. In cyberspace, technology is broadly spreading its capability, and everyone is using the same weaponry: hackers, criminals, politically motivated hacktivists, national spies, militaries, even the potential cyberterrorist. They are all exploiting the same vulnerabilities, using the same sort of hacking tools, engaging in the same attack tactics, and leaving the same traces behind. They all eavesdrop or steal data. They all engage in denial-of-service attacks. They all probe cyberdefences and do their best to cover their tracks.
Despite this, knowing the attacker is vitally important. As members of society, we have several different types of organizations that can defend us from an attack. We can call the police or the military. We can call on our national anti-terrorist agency and our corporate lawyers. Or we can defend ourselves with a variety of commercial products and services. Depending on the situation, all of these are reasonable choices.
The legal regime in which any defense operates depends on two things: who is attacking you and why. Unfortunately, when you are being attacked in cyberspace, the two things you often do not know are who is attacking you and why. It is not that everything can be defined as cyberwar; it is that we are increasingly seeing warlike tactics used in broader cyberconflicts. This makes defence and national cyberdefence policy difficult.

In 2007, the Israeli Air Force bombed and destroyed the al-Kibar nuclear facility in Syria. The Syrian government immediately knew who did it, because airplanes are hard to disguise. In 2010, the US and Israel jointly damaged Iran's Natanz nuclear facility. But this time they used a cyberweapon, Stuxnet, and no one knew who did it until details were leaked years later. China routinely denies its cyberespionage activities. And a 2009 cyberattack against the United States and South Korea was blamed on North Korea even though it may have originated from either London or Miami.

When it's possible to identify the origins of cyberattacks -- like forensic experts were able to do with many of the Chinese attacks against US networks -- it's as a result of months of detailed analysis and investigation. That kind of time frame doesn't help at the moment of attack, when you have to decide within milliseconds how your network is going to react and within days how your country is going to react. This, in part, explains the relative disarray within the Obama administration over what to do about North Korea. Officials in the US government and international institutions simply don't have the legal or even the conceptual framework to deal with these types of scenarios.

The blurring of lines between individual actors and national governments has been happening more and more in cyberspace. What has been called the first cyberwar, Russia vs. Estonia in 2007, was partly the work of a 20-year-old ethnic Russian living in Tallinn, and partly the work of a pro-Kremlin youth group associated with the Russian government. Many of the Chinese hackers targeting Western networks seem to be unaffiliated with the Chinese government. And in 2011, the hacker group Anonymous threatened NATO.

It's a strange future we live in when we can't tell the difference between random hackers and major governments, or when those same random hackers can credibly threaten international military organizations.

This is why people around the world should care about the Sony hack. In this future, we're going to see an even greater blurring of traditional lines between police, military, and private actions as technology broadly distributes attack capabilities across a variety of actors. This attribution difficulty is here to stay, at least for the foreseeable future.

If North Korea is responsible for the cyberattack, how is the situation different than a North Korean agent breaking into Sony's office, photocopying a lot of papers, and making them available to the public? Is Chinese corporate espionage a problem for governments to solve, or should we let corporations defend themselves? Should the National Security Agency defend US corporate networks, or only US military networks? How much should we allow organizations like the NSA to insist that we trust them without proof when they claim to have classified evidence that they don't want to disclose? How should we react to one government imposing sanctions on another based on this secret evidence? More importantly, when we don't know who is launching an attack or why, who is in charge of the response and under what legal system should those in charge operate?

We need to figure all of this out. We need national guidelines to determine when the military should get involved and when it's a police matter, as well as what sorts of proportional responses are available in each instance. We need international agreements defining what counts as cyberwar and what does not. And, most of all right now, we need to tone down all the cyberwar rhetoric. Breaking into the offices of a company and photocopying their paperwork is not an act of war, no matter who did it. Neither is doing the same thing over the Internet. Let's save the big words for when it matters.

This essay previously appeared on the Atlantic.
http://www.theatlantic.com/international/archive/...

Taking down North Korea's Internet:
http://www.washingtontimes.com/news/2014/dec/22/...
http://www.computerworld.com/article/2862652/...

Attacking Sony PlayStation:
http://www.cnet.com/news/...
http://www.bbc.co.uk/newsbeat/30306319
http://thedesk.matthewkeys.net/2015/01/...

My essay from last year:
https://www.schneier.com/essays/archives/2013/07/...

Syria attack by Israel:
http://www.newyorker.com/magazine/2012/09/17/...

Stuxnet:
http://www.wired.com/2014/11/...
http://www.nytimes.com/2012/06/01/world/middleeast/...

China denies cyberattacks:
http://www.washingtonpost.com/world/asia_pacific/...

Attributing the 2009 cyberattack:
http://www.wired.com/2009/07/brits-attack-us/

Attributing Chinese cyberattacks:
http://intelreport.mandiant.com/...
http://www.nytimes.com/2014/05/20/us/...

US policy reactions:
http://www.nytimes.com/2014/12/21/world/asia/...
http://www.nytimes.com/2014/12/24/world/asia/...
http://www.lawfareblog.com/2014/12/...

Estonian cyberattacks:
http://news.bbc.co.uk/2/hi/technology/7208511.stm
http://www.themoscowtimes.com/news/article/...

Chinese attackers unaffiliated with the government:
https://www.schneier.com/essays/archives/2008/07/...

Anonymous threatened NATO:
http://blogs.wsj.com/tech-europe/2011/06/10/...

Chinese corporate espionage:
http://www.businessweek.com/articles/2012-03-14/...

NSA defending US corporate networks:
http://www.nytimes.com/2013/08/13/us/...

Imposing government sanctions based on secret evidence:
http://www.bbc.com/news/world-asia-30670884

Cyberwar rhetoric:
https://www.schneier.com/essays/archives/2013/03/...

Jack Goldsmith responded to this essay.
http://www.lawfareblog.com/2015/01/...


News

In yet another example of what happens when you build an insecure communications infrastructure, fake cell phone towers have been found in Oslo. No one knows who has been using them to eavesdrop.
http://www.aftenposten.no/nyheter/iriks/...
http://www.aftenposten.no/nyheter/iriks/...
http://www.newsinenglish.no/2014/12/13/...
This is happening in the US, too. Remember the rule: we're all using the same infrastructure, so we can either keep it insecure so we -- and everyone else -- can use it to spy, or we can secure it so that no one can use it to spy.
https://www.schneier.com/blog/archives/2014/09/...

Kevin Poulsen has a good article up on Wired about how the FBI used a Metasploit variant to identify Tor users.
http://www.wired.com/2014/12/fbi-metasploit-tor/

Citizen Lab has a new report on a probable ISIS-launched cyberattack.
https://citizenlab.org/2014/12/...
http://bigstory.ap.org/article/...

There are security vulnerabilities in the telephone routing protocol called SS7.
http://www.washingtonpost.com/blogs/the-switch/wp/...

North Korea has been knocked off the Internet by a distributed denial-of-service (DDoS) attack. Maybe the US did it, and maybe not. This whole incident is a perfect illustration of how technology is equalizing capability. In both the original attack against Sony, and this attack against North Korea, we can't tell the difference between a couple of hackers and a government.
http://www.nytimes.com/2014/12/23/world/asia/...
http://www.washingtontimes.com/news/2014/dec/22/...
http://www.computerworld.com/article/2862652/...

Interesting article on the subconscious visual tricks used in PowerPoint to manipulate juries and affect verdicts.
http://www.wired.com/2014/12/...

This interesting article talks about the 2008 cyberattack against a Turkish oil pipeline. Kurdish separatists in Turkey claimed that they did it. The whole article is worth reading.
http://www.bloomberg.com/news/2014-12-10/...

"The Elf of the Shelf" and surveillance acceptance.
http://www.theatlantic.com/technology/archive/2014/...
https://www.policyalternatives.ca/publications/...
http://religiondispatches.org/...

On Christmas Eve, the NSA released a bunch of audit reports on illegal spying using EO 12333 from 2001 to 2013. The documents were released in response to an ACLU lawsuit.
https://www.nsa.gov/public_info/declass/...
http://www.bloomberg.com/news/2014-12-24/...
https://www.nsa.gov/public_info/_files/IOB/...
https://firstlook.org/theintercept/2014/12/26/...
Remember Edward Snowden's comment that he could eavesdrop on anybody? "I, sitting at my desk, certainly had the authorities to wiretap anyone, from you, or your accountant, to a federal judge, to even the President if I had a personal email." Lots of people have accused him of lying. Here's former NSA General Counsel Stewart Baker: "All that makes Snowden's claim about being able to wiretap anyone extremely unlikely -- and certainly not demonstrated by the latest disclosures, despite Glenn Greenwald's claims to the contrary." These documents demonstrate that Snowden is probably correct. In these documents, NSA agents target all sorts of random Americans.
https://www.techdirt.com/articles/20130609/...
http://volokh.com/2013/08/04/...

Der Spiegel published a long article today on the NSA's analysis capabilities against encrypted systems, with *a lot* of new documents from the Snowden archive. This is in conjunction with a presentation by Laura Poitras and Jake Appelbaum at the Chaos Communication Congress.
http://www.spiegel.de/international/germany/...
http://media.ccc.de/browse/congress/2014/...
https://www.youtube.com/watch?v=0SgGMj3Mf88
Matthew Green's comments on these documents:
http://blog.cryptographyengineering.com/2014/12/...

Other evidence for the Sony attacks: insiders, Russians, etc.
https://www.schneier.com/blog/archives/2014/12/...

Hacking attack causes physical damage at a German steel mill. This sort of thing is still very rare, but I fear it will become more common.
http://www.wired.com/2015/01/...

"Smart Pipe": pretty impressive surveillance-economy satire.
https://www.youtube.com/watch?...
MIT has a $4M grant to study sewage in aggregate.
http://www.bostonglobe.com/ideas/2015/01/09/...

A worldwide survey of writers affiliated with PEN shows a significant level of self-censoring because of NSA surveillance.
http://www.pen.org/sites/default/files/...
http://pen.org/global-chill
http://www.nytimes.com/2015/01/05/arts/...
https://news.ycombinator.com/item?id=8838721
http://yro.slashdot.org/story/15/01/05/1445202/...

Good information on how Internet Explorer, Chrome, and Firefox store user passwords.
http://raidersec.blogspot.com/2013/06/...

In Kyoto, taxi drivers are encouraged to loiter around convenience stores late at night. Their presence reduces crime.
http://en.rocketnews24.com/2015/01/02/...
https://news.ycombinator.com/item?id=8836428

New paper: "Attributing Cyber Attacks," by Thomas Rid and Ben Buchanan:
http://www.tandfonline.com/doi/abs/10.1080/...

The FBI has provided more evidence linking North Korea to the Sony hack:
http://www.wired.com/2015/01/...
http://fortune.com/2015/01/07/fbi-director-sony/
http://www.washingtonpost.com/world/...
http://www.nytimes.com/2015/01/08/business/...
http://justsecurity.org/18946/...
http://news.slashdot.org/story/15/01/08/0244210/...
https://news.ycombinator.com/item?id=8852884
Marc Rogers responds.
http://marcrogers.org/2015/01/07/...

The NSA admits involvement in identifying North Korea as the attacker:
https://firstlook.org/theintercept/2015/01/09/...

Sophie Van Der Zee and colleagues have a new paper on using body movement as a lie detector. This is a first research study, and the results might not be robust. But it certainly is interesting.
http://www.cl.cam.ac.uk/~rja14/Papers/...
https://www.lightbluetouchpaper.org/2015/01/04/...
http://www.theguardian.com/science/2015/jan/04/...
http://news.slashdot.org/story/15/01/06/0032220/...

This is an interesting historical use of Viking runes as a secret code. Yes, the page is all in Finnish. But scroll to the middle. There's a picture of the Stockholm city police register from 1536, about a married woman who was found with someone who was not her husband. The recording scribe "encrypted" her name and home address using runes.
http://www.jyu.fi/gammalsvenska/runkunskap.htm

The risk of unfounded Ebola fears.
http://thebulletin.org/...

In the wake of the Paris terrorist shootings, David Cameron has said that he wants to ban encryption in the UK. Here's the quote: "If I am prime minister I will make sure that it is a comprehensive piece of legislation that does not allow terrorists safe space to communicate with each other."
http://www.independent.co.uk/life-style/...
http://www.telegraph.co.uk/technology/...
http://www.bbc.com/news/uk-politics-30778424
This is similar to FBI director James Comey's remarks from last year. And it's equally stupid.
https://www.schneier.com/blog/archives/2014/10/...
https://www.schneier.com/blog/archives/2014/10/...
Cory Doctorow has a good essay on the realities of Cameron's proposal.
http://boingboing.net/2015/01/13/...

Keystroke logger disguised as a USB charger. It's called KeySweeper.
http://www.theregister.co.uk/2015/01/13/...
http://boingboing.net/2015/01/12/...
http://samy.pl/keysweeper/
http://threatpost.com/...
http://it.slashdot.org/story/15/01/13/183226/...
https://github.com/samyk/keysweeper

SnoopSnitch detects surveillance in Android phones. It's free, but requires a rooted Android device running the Qualcomm chipset to work.
http://gizmodo.com/...
https://play.google.com/store/apps/details?...

3-1-1 for Encryption:
https://medium.com/@leppert/the-3-1-1-6ca2cf805405


The Limits of Police Subterfuge

"The next time you call for assistance because the Internet service in your home is not working, the 'technician' who comes to your door may actually be an undercover government agent. He will have secretly disconnected the service, knowing that you will naturally call for help and -- when he shows up at your door, impersonating a technician -- let him in. He will walk through each room of your house, claiming to diagnose the problem. Actually, he will be videotaping everything (and everyone) inside. He will have no reason to suspect you have broken the law, much less probable cause to obtain a search warrant. But that makes no difference, because by letting him in, you will have 'consented' to an intrusive search of your home."

This chilling scenario is the first paragraph of a motion to suppress evidence gathered by the police in exactly this manner, from a hotel room. Unbelievably, this isn't a story from some totalitarian government on the other side of an ocean. This happened in the United States, and by the FBI. Eventually -- I'm sure there will be appeals -- higher U.S. courts will decide whether this sort of practice is legal. If it is, the country will slide even further into a society where the police have even more unchecked power than they already possess.

The facts are these. In June, two wealthy Macau residents stayed at Caesar's Palace in Las Vegas. The hotel suspected that they were running an illegal gambling operation out of their room. They enlisted the police and the FBI, but could not provide enough evidence for them to get a warrant. So instead they repeatedly cut the guests' Internet connection. When the guests complained to the hotel, FBI agents wearing hidden cameras and recorders pretended to be Internet repair technicians and convinced the guests to let them in. They filmed and recorded everything under the pretense of fixing the Internet, and then used the information collected from that to get an actual search warrant. To make matters even worse, they lied to the judge about how they got their evidence.

The FBI claims that their actions are no different from any conventional sting operation. For example, an undercover policeman can legitimately look around and report on what he sees when he is invited into a suspect's home under the pretext of trying to buy drugs. But there are two very important differences: one of consent, and the other of trust. The former is easier to see in this specific instance, but the latter is much more important for society.

You can't give consent to something you don't know and understand. The FBI agents did not enter the hotel room under the pretext of making an illegal bet. They entered under a false pretext, and relied on that for consent to their true mission. That makes things different. The occupants of the hotel room didn't realize who they were giving access to, and they didn't know their intentions. The FBI knew this would be a problem. According to the New York Times, "a federal prosecutor had initially warned the agents not to use trickery because of the 'consent issue.' In fact, a previous ruse by agents had failed when a person in one of the rooms refused to let them in." Claiming that a person granting an Internet technician access is consenting to a police search makes no sense, and is no different from one of those "click through" Internet license agreements that you didn't read saying one thing while meaning another. It's not consent in any meaningful sense of the term.

Far more important is the matter of trust. Trust is central to how a society functions. No one, not even the most hardened survivalists who live in backwoods log cabins, can do everything by themselves. Humans need help from each other, and most of us need a lot of help from each other. And that requires trust. Many Americans' homes, for example, are filled with systems that require outside technical expertise when they break: phone, cable, Internet, power, heat, water. Citizens need to trust each other enough to give them access to their hotel rooms, their homes, their cars, their person. Americans simply can't live any other way.

It cannot be that every time someone allows one of those technicians into our homes they are consenting to a police search. Again from the motion to suppress: "Our lives cannot be private -- and our personal relationships intimate -- if each physical connection that links our homes to the outside world doubles as a ready-made excuse for the government to conduct a secret, suspicionless, warrantless search." The resultant breakdown in trust would be catastrophic. People would not be able to get the assistance they need. Legitimate servicemen would find it much harder to do their job. Everyone would suffer.

It all comes back to the warrant. Through warrants, Americans legitimately grant the police an incredible level of access into our personal lives. This is a reasonable choice because the police need this access in order to solve crimes. But to protect ordinary citizens, the law requires the police to go before a neutral third party and convince them that they have a legitimate reason to demand that access. That neutral third party, a judge, then issues the warrant when he or she is convinced. This check on the police's power is for Americans' security, and is an important part of the Constitution.

In recent years, the FBI has been pushing the boundaries of its warrantless investigative powers in disturbing and dangerous ways. It collects phone-call records of millions of innocent people. It uses hacking tools against unknown individuals without warrants. It impersonates legitimate news sites. If the lower court sanctions this particular FBI subterfuge, the matter needs to be taken up -- and reversed -- by the Supreme Court.

This essay previously appeared in the Atlantic.
http://www.theatlantic.com/national/archive/2014/12/...

The motion to suppress:
https://ia902307.us.archive.org/34/items/...

The case:
http://arstechnica.com/tech-policy/2014/10/...

The issue:
http://www.npr.org/2014/10/29/359725475/...
http://www.nytimes.com/2014/11/01/opinion/...

My book on trust:
https://www.schneier.com/book-lo.html

FBI pushing the boundaries:
http://www.theguardian.com/world/2013/jun/06/...
http://www.wired.com/2014/10/feds-silk-road-hack-legal/
http://seattletimes.com/html/localnews/...


Leaked CIA Documents

I haven't seen much press mention of the leaked CIA documents that appeared on WikiLeaks last month.

There are three:

* The CIA review of high-value target assassination programs, classified SECRET, from 2009.

* The CIA's advice for agents going through airport security and surviving secondary screening, classified SECRET, from 2011.

* The CIA's advice for agents traveling into the Schengen area of the EU, classified SECRET, dated 2012.

These documents are more general than what we've seen from Snowden, but -- assuming they're real -- these are still national-security leaks. You'd think there would be more news about this, and more reaction from the US government.

https://wikileaks.org/cia-hvt-counterinsurgency/
https://wikileaks.org/cia-travel/


Doxing as an Attack

Those of you unfamiliar with hacker culture might need an explanation of "doxing."

The word refers to the practice of publishing personal information about people without their consent. Usually it's things like an address and phone number, but it can also be credit card details, medical information, private e-mails -- pretty much anything an assailant can get his hands on.

Doxing is not new; the term dates back to 2001 and the hacker group Anonymous. But it can be incredibly offensive. In 2014, several women were doxed by male gamers trying to intimidate them into keeping silent about sexism in computer games.

Companies can be doxed, too. In 2011, Anonymous doxed the technology firm HBGary Federal. In the past few weeks we've witnessed the ongoing doxing of Sony.

Everyone from political activists to hackers to government leaders has now learned how effective this attack is. Everyone from common individuals to corporate executives to government leaders now fears this will happen to them. And I believe this will change how we think about computing and the Internet.

This essay previously appeared on BetaBoston, which asked me about a trend for 2015.
http://betaboston.com/news/2014/12/31/...

Doxing:
https://en.wikipedia.org/wiki/Doxing

Gamergate doxing:
http://gawker.com/...
https://storify.com/DavidJCobb/...
http://www.dailydot.com/geek/...
http://arstechnica.com/tech-policy/2011/02/...

Doxing of Sony:
https://www.riskbasedsecurity.com/2014/12/...

Slashdot thread:
http://yro.slashdot.org/story/15/01/03/0537251/...


Schneier News

I'm speaking at FIC 2015 (7eme Forum International de la Cybersecurite) on January 21, in Lille, France.
https://www.forum-fic.com/2015/

I'm speaking at ICS 2015 (International Cyber Security Strategy Congress: Cyber Security and Forensic Readiness) on February 4, in Leuven, Belgium.
https://www.icss2015.eu/

I'm speaking at IT-Defense 2015 on February 5, in Leipzig, Germany.
https://www.it-defense.de/en/it-defense-2015/program/

I'll be talking with Edward Snowden (via video) at the Fourth Annual Symposium on the Future of Computation in Science and Engineering on January 23 at Harvard University.
http://computefest.seas.harvard.edu/symposium

Two interviews on the Sony hack:
http://www.wsj.com/video/...
http://www.msnbc.com/all-in/watch/...

I was interviewed on "Science for the People" on passwords:
http://www.scienceforthepeople.ca/episodes/technocreep


Attack Attribution in Cyberspace

When you're attacked by a missile, you can follow its trajectory back to where it was launched from. When you're attacked in cyberspace, figuring out who did it is much harder. The reality of international aggression in cyberspace will change how we approach defense.

Many of us in the computer-security field are skeptical of the US government's claim that it has positively identified North Korea as the perpetrator of the massive Sony hack in November 2014. The FBI's evidence is circumstantial and not very convincing. The attackers never mentioned the movie that became the centerpiece of the hack until the press did. More likely, the culprits are random hackers who have loved to hate Sony for over a decade, or possibly a disgruntled insider.

On the other hand, most people believe that the FBI would not sound so sure unless it was convinced. And President Obama would not have imposed sanctions against North Korea if he weren't convinced. This implies that there's classified evidence as well. A couple of weeks ago, I wrote for the Atlantic, "The NSA has been trying to eavesdrop on North Korea's government communications since the Korean War, and it's reasonable to assume that its analysts are in pretty deep. The agency might have intelligence on the planning process for the hack. It might, say, have phone calls discussing the project, weekly PowerPoint status reports, or even Kim Jong Un's sign-off on the plan. On the other hand, maybe not. I could have written the same thing about Iraq's weapons-of-mass-destruction program in the run-up to the 2003 invasion of that country, and we all know how wrong the government was about that."

The NSA is extremely reluctant to reveal its intelligence capabilities -- or what it refers to as "sources and methods" -- against North Korea simply to convince all of us of its conclusion, because by revealing them, it tips North Korea off to its insecurities. At the same time, we rightly have reason to be skeptical of the government's unequivocal attribution of the attack without seeing the evidence. Iraq's mythical weapons of mass destruction are only the most recent example of a major intelligence failure. American history is littered with examples of claimed secret intelligence pointing us toward aggression against other countries, only for us to learn later that the evidence was wrong.

Cyberspace exacerbates this in two ways. First, it is very difficult to attribute attacks in cyberspace. Packets don't come with return addresses, and you can never be sure that what you think is the originating computer hasn't itself been hacked. Even worse, it's hard to tell the difference between attacks carried out by a couple of lone hackers and ones where a nation-state military is responsible. When we do know who did it, it's usually because a lone hacker admitted it or because there was a months-long forensic investigation.

Second, in cyberspace, it is much easier to attack than to defend. The primary defense we have against military attacks in cyberspace is counterattack and the threat of counterattack that leads to deterrence.

What this all means is that it's in the US's best interest to claim omniscient powers of attribution. More than anything else, those in charge want to signal to other countries that they cannot get away with attacking the US: If they try something, we will know. And we will retaliate, swiftly and effectively. This is also why the US has been cagey about whether it caused North Korea's Internet outage in late December.

It can be an effective bluff, but only if you get away with it. Otherwise, you lose credibility. The FBI is already starting to equivocate, saying others might have been involved in the attack, possibly hired by North Korea. If the real attackers surface and can demonstrate that they acted independently, it will be obvious that the FBI and NSA were overconfident in their attribution. Already, the FBI has lost significant credibility.

The only way out of this, with respect to the Sony hack and any other incident of cyber-aggression in which we're expected to support retaliatory action, is for the government to be much more forthcoming about its evidence. The secrecy of the NSA's sources and methods is going to have to take a backseat to the public's right to know. And in cyberspace, we're going to have to accept the uncomfortable fact that there's a lot we don't know.

This essay previously appeared in Time.
http://time.com/3653625/...

The FBI's classified evidence:
http://www.thedailybeast.com/articles/2015/01/02/...

Attribution is difficult:
http://www.tandfonline.com/doi/full/10.1080/...

Attack is easier than defense:
http://www.v3.co.uk/v3-uk/news/2348532/...

The FBI's equivocations:
http://www.politico.com/story/2014/12/...

Did North Korea hire the hackers?
http://www.reuters.com/article/2014/12/30/...

FBI has lost credibility:
http://www.lawfareblog.com/2014/12/...
http://www.moonofalabama.org/2014/12/...


The Security of Data Deletion

Thousands of articles have called the December attack against Sony Pictures a wake-up call to industry. Regardless of whether the attacker was the North Korean government, a disgruntled former employee, or a group of random hackers, the attack showed how vulnerable a large organization can be and how devastating the publication of its private correspondence, proprietary data, and intellectual property can be.

But while companies are supposed to learn that they need to improve their security against attack, there's another equally important but much less discussed lesson here: companies should have an aggressive deletion policy.

One of the social trends of the computerization of our business and social communications tools is the loss of the ephemeral. Things we used to say in person or on the phone we now say in e-mail, by text message, or on social networking platforms. Memos we used to read and then throw away now remain in our digital archives. Big data initiatives mean that we're saving everything we can about our customers on the remote chance that it might be useful later.

Everything is now digital, and storage is cheap -- why not save it all?

Sony illustrates the reason why not. The hackers published old e-mails from company executives that caused enormous public embarrassment to the company. They published old e-mails by employees that caused less-newsworthy personal embarrassment to those employees, and these messages are resulting in class-action lawsuits against the company. They published old documents. They published everything they got their hands on.

Saving data, especially e-mail and informal chats, is a liability.

It's also a security risk: the risk of exposure. The exposure could be accidental. It could be the result of data theft, as happened to Sony. Or it could be the result of litigation. Whatever the reason, the best security against these eventualities is not to have the data in the first place.

If Sony had had an aggressive data deletion policy, much of what was leaked couldn't have been stolen and wouldn't have been published.

An organization-wide deletion policy makes sense. Customer data should be deleted as soon as it isn't immediately useful. Internal e-mails can probably be deleted after a few months, IM chats even more quickly, and other documents in one to two years. There are exceptions, of course, but they should be exceptions. Individuals should need to deliberately flag documents and correspondence for longer retention. But unless there are laws requiring an organization to save a particular type of data for a prescribed length of time, deletion should be the norm.
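As an added illustration of the schedule just described (example code written for this page, not something from the essay or from any organization's actual policy), here is a small Python evaluator that makes deletion the default and treats every form of retention as a labelled exception: an explicit retention flag set by a person, a legal hold, or customer data that is still in active use. The record kinds, the retention periods in days, the field names, and the sample inventory are all assumptions constructed for the example.

```python
"""Retention-policy evaluator: deletion is the norm, retention the explicit exception.

Hypothetical example. Record kinds, periods, and sample data are constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Default retention windows per record kind (assumed values, loosely following
# the essay's "a few months" / "even more quickly" / "one to two years").
RETENTION: Dict[str, timedelta] = {
    "email": timedelta(days=90),
    "chat": timedelta(days=30),
    "document": timedelta(days=2 * 365),
    # "customer" has no age-based window: it is kept only while in active use.
}


@dataclass(frozen=True)
class Record:
    record_id: str
    kind: str                              # "email", "chat", "document", "customer"
    created: date
    in_active_use: bool = False            # customer data: still "immediately useful"?
    retain_until: Optional[date] = None    # deliberate per-item flag for longer retention
    legal_hold: bool = False               # statutory / litigation hold: overrides everything


def decide(rec: Record, today: date) -> Tuple[str, str]:
    """Return ("delete" | "keep", reason) for one record as of `today`.

    Exceptions are checked first so that a hold or flag is never lost to the
    age rule; anything not covered by an exception falls through to deletion.
    """
    if rec.legal_hold:
        return "keep", "legal hold"
    if rec.retain_until is not None and today <= rec.retain_until:
        return "keep", "flagged for retention until %s" % rec.retain_until.isoformat()
    if rec.kind == "customer":
        if rec.in_active_use:
            return "keep", "customer data in active use"
        return "delete", "customer data no longer in use"
    if rec.kind not in RETENTION:
        # An unknown kind is a policy gap; fail closed rather than silently keep.
        raise ValueError("no retention rule for record kind %r" % rec.kind)
    limit = RETENTION[rec.kind]
    age = today - rec.created
    if age > limit:
        return "delete", "%s older than %d days" % (rec.kind, limit.days)
    return "keep", "%s within %d-day window" % (rec.kind, limit.days)


def apply_policy(records: List[Record], today: date) -> Dict[str, Tuple[str, str]]:
    """Evaluate every record; the caller actually deletes the 'delete' ones."""
    return {r.record_id: decide(r, today) for r in records}


def summarize(decisions: Dict[str, Tuple[str, str]]) -> Dict[str, int]:
    """Count keep/delete outcomes, useful as an audit line for the policy run."""
    counts = {"keep": 0, "delete": 0}
    for action, _ in decisions.values():
        counts[action] += 1
    return counts


# Constructed sample inventory, evaluated as of 2015-01-15.
TODAY = date(2015, 1, 15)
SAMPLE: List[Record] = [
    Record("m1", "email", date(2014, 6, 1)),                       # stale e-mail
    Record("m2", "email", date(2014, 12, 1)),                      # recent e-mail
    Record("m3", "email", date(2014, 1, 1), retain_until=date(2016, 1, 1)),
    Record("m4", "email", date(2014, 1, 1), legal_hold=True),
    Record("c1", "chat", date(2014, 11, 1)),                       # old IM transcript
    Record("d1", "document", date(2012, 1, 1)),                    # old document
    Record("d2", "document", date(2013, 6, 1)),                    # still inside window
    Record("u1", "customer", date(2013, 3, 1), in_active_use=False),
    Record("u2", "customer", date(2013, 3, 1), in_active_use=True),
]

if __name__ == "__main__":
    result = apply_policy(SAMPLE, TODAY)
    for rid, (action, reason) in result.items():
        print("%-3s %-6s %s" % (rid, action, reason))
    print(summarize(result))
```

The point of the structure is the order of checks: holds and deliberate flags are evaluated before the age rule, so retention always requires an explicit, attributable reason, and an unknown record kind raises rather than quietly keeping data forever.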

This has always been true, but many organizations have forgotten it in the age of big data. In the wake of the devastating leak of terabytes of sensitive Sony data, I hope we'll all remember it now.

This essay previously appeared on ArsTechnica.com, which has comments from people who strongly object to this idea.
http://arstechnica.com/security/2015/01/...

Slashdot thread:
http://it.slashdot.org/story/15/01/13/0548233/...


Since 1998, CRYPTO-GRAM has been a free monthly newsletter providing summaries, analyses, insights, and commentaries on security: computer and otherwise. You can subscribe, unsubscribe, or change your address on the Web at <https://www.schneier.com/crypto-gram.html>. Back issues are also available at that URL.

Please feel free to forward CRYPTO-GRAM, in whole or in part, to colleagues and friends who will find it valuable. Permission is also granted to reprint CRYPTO-GRAM, as long as it is reprinted in its entirety.

CRYPTO-GRAM is written by Bruce Schneier. Bruce Schneier is an internationally renowned security technologist, called a "security guru" by The Economist. He is the author of 12 books -- including "Liars and Outliers: Enabling the Trust Society Needs to Survive" -- as well as hundreds of articles, essays, and academic papers. His influential newsletter "Crypto-Gram" and his blog "Schneier on Security" are read by over 250,000 people. He has testified before Congress, is a frequent guest on television and radio, has served on several government committees, and is regularly quoted in the press. Schneier is a fellow at the Berkman Center for Internet and Society at Harvard Law School, a program fellow at the New America Foundation's Open Technology Institute, a board member of the Electronic Frontier Foundation, an Advisory Board Member of the Electronic Privacy Information Center, and the Chief Technology Officer at Co3 Systems, Inc. See <https://www.schneier.com>.

Crypto-Gram is a personal newsletter. Opinions expressed are not necessarily those of Co3 Systems, Inc.

Copyright (c) 2015 by Bruce Schneier.
