May 15, 2016

by Bruce Schneier
CTO, Resilient, an IBM Company

A free monthly newsletter providing summaries, analyses, insights, and commentaries on security: computer and otherwise.

For back issues, or to subscribe, visit <>.

You can read this issue on the web at <>. These same essays and news items appear in the "Schneier on Security" blog at <>, along with a lively and intelligent comment section. An RSS feed is available.

In this issue:

Credential Stealing as an Attack Vector

Traditional computer security concerns itself with vulnerabilities. We employ antivirus software to detect malware that exploits vulnerabilities. We have automatic patching systems to fix vulnerabilities. We debate whether the FBI should be permitted to introduce vulnerabilities in our software so it can get access to systems with a warrant. This is all important, but what's missing is a recognition that software vulnerabilities aren't the most common attack vector: credential stealing is.

The most common way hackers of all stripes, from criminals to hacktivists to foreign governments, break into networks is by stealing and using a valid credential. Basically, they steal passwords, set up man-in-the-middle attacks to piggy-back on legitimate logins, or engage in cleverer attacks to masquerade as authorized users. It's a more effective avenue of attack in many ways: it doesn't involve finding a zero-day or unpatched vulnerability, there's less chance of discovery, and it gives the attacker more flexibility in technique.

Rob Joyce, the head of the NSA's Tailored Access Operations (TAO) group -- basically the country's chief hacker -- gave a rare public talk at a conference in January. In essence, he said that zero-day vulnerabilities are overrated, and credential stealing is how he gets into networks: "A lot of people think that nation states are running their operations on zero days, but it's not that common. For big corporate networks, persistence and focus will get you in without a zero day; there are so many more vectors that are easier, less risky, and more productive."

This is true for us, and it's also true for those attacking us. It's how the Chinese hackers breached the Office of Personnel Management in 2015. The 2014 criminal attack against Target Corporation started when hackers stole the login credentials of the company's HVAC vendor. Iranian hackers stole US login credentials. And the hacktivist that broke into the cyber-arms manufacturer Hacking Team and published pretty much every proprietary document from that company used stolen credentials.

As Joyce said, stealing a valid credential and using it to access a network is easier, less risky, and ultimately more productive than using an existing vulnerability, even a zero-day.

Our notions of defense need to adapt to this change. First, organizations need to beef up their authentication systems. There are lots of tricks that help here: two-factor authentication, one-time passwords, physical tokens, smartphone-based authentication, and so on. None of these is foolproof, but they all make credential stealing harder.

Second, organizations need to invest in breach detection and -- most importantly -- incident response. Credential-stealing attacks tend to bypass traditional IT security software. But attacks are complex and multi-step. Being able to detect them in process, and to respond quickly and effectively enough to kick attackers out and restore security, is essential to resilient network security today.
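The essay's point is that a stolen credential produces a login the authentication system accepts as valid, so detection has to look at the context of the login (where it came from, when, and whether that fits the account's history) rather than at the password check itself. The following is an added example written for this issue, not code from the essay or from any product: it replays constructed authentication log lines (the log format, user names, addresses and the two-hour "impossible travel" threshold are all assumptions made for illustration) and flags successful logins that do not fit what the account has done before.

```python
"""Flag suspicious *successful* logins in an authentication log.

Constructed example: the log format, field names and the hypothetical
users/IPs below are assumptions for illustration, not any real product's
format. A stolen credential yields a login that is valid as far as the
authentication check is concerned, so the signals here deliberately
ignore whether the password was right and look only at context.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data):
# ISO timestamp, event, user, source IP, country of the source IP.
SAMPLE_LOG = """\
2016-05-01T08:02:11Z LOGIN_OK   alice 203.0.113.10  US
2016-05-01T08:05:40Z LOGIN_OK   bob   198.51.100.7  US
2016-05-02T09:12:03Z LOGIN_OK   alice 203.0.113.10  US
2016-05-03T07:55:19Z LOGIN_FAIL alice 192.0.2.44    RO
2016-05-03T07:55:31Z LOGIN_OK   alice 192.0.2.44    RO
2016-05-03T08:20:02Z LOGIN_OK   alice 203.0.113.10  US
2016-05-03T10:00:00Z LOGIN_OK   bob   198.51.100.7  US
"""

# Assumed threshold: two successful logins from different countries
# closer together than this are treated as implausible for one person.
IMPOSSIBLE_TRAVEL_WINDOW = timedelta(hours=2)


def parse_log(text):
    """Turn log lines into dicts; malformed lines are skipped rather than raising."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, event, user, ip, country = parts
        try:
            when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        except ValueError:
            continue
        events.append({"when": when, "event": event, "user": user,
                       "ip": ip, "country": country})
    return sorted(events, key=lambda e: e["when"])


def detect_suspicious_logins(events):
    """Return alerts for successful logins that do not fit the account's history.

    Two signals, both independent of whether the credential was correct:
      - new_source: a successful login from a country this user has not
        logged in from earlier in the log (the baseline is built as the
        log is replayed, so the very first login never alerts);
      - impossible_travel: a successful login from a different country than
        the user's previous successful login, closer in time than
        IMPOSSIBLE_TRAVEL_WINDOW.
    """
    seen_countries = defaultdict(set)   # user -> countries seen in OK logins
    last_ok = {}                        # user -> most recent OK login event
    alerts = []
    for e in events:
        if e["event"] != "LOGIN_OK":
            continue
        user, country = e["user"], e["country"]
        reasons = []
        if seen_countries[user] and country not in seen_countries[user]:
            reasons.append("new_source")
        prev = last_ok.get(user)
        if (prev and prev["country"] != country
                and e["when"] - prev["when"] < IMPOSSIBLE_TRAVEL_WINDOW):
            reasons.append("impossible_travel")
        if reasons:
            alerts.append({"user": user, "ip": e["ip"], "country": country,
                           "when": e["when"].isoformat(), "reasons": reasons})
        seen_countries[user].add(country)
        last_ok[user] = e
    return alerts


def run(text=SAMPLE_LOG):
    """Parse and analyse a log; returns the list of alerts."""
    return detect_suspicious_logins(parse_log(text))


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

On the constructed log this raises two alerts for alice: the login from 192.0.2.44 (a country never seen for that account) and the login back from the usual address twenty-five minutes later (two countries, too close in time). Note that the failed attempt immediately before the foreign login is not what triggers the alert; the valid login that followed it is. That is the shape of the problem the essay describes: the credential was good, and only the context gives the attacker away.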

Vulnerabilities are still critical. Fixing vulnerabilities is still vital for security, and introducing new vulnerabilities into existing systems is still a disaster. But strong authentication and robust incident response are also critical. And an organization that skimps on these will find itself unable to keep its networks secure.

This essay originally appeared on Xconomy.

Joyce's talk:

OPM breach:

Target breach:

Iranian attack:

Hacking Team attack:

Helen Nissenbaum on Regulating Data Collection and Use

NYU professor Helen Nissenbaum gave an excellent lecture at Brown University last month, where she rebutted those who think that we should not regulate data collection, only data use: something she calls "big data exceptionalism." Basically, this is the idea that collecting the "haystack" isn't the problem; it's what is done with it that is. (I discuss this same topic in "Data and Goliath," on pages 197-9.)

In her talk, she makes a very strong argument that the problem is one of domination. Contemporary political philosopher Philip Pettit has written extensively about a republican conception of liberty. He defines domination as the extent one person has the ability to interfere with the affairs of another.

Under this framework, the problem with wholesale data collection is not that it is used to curtail your freedom; the problem is that the collector has the power to curtail your freedom. Whether they use it or not, the fact that they have that power over us is itself a harm.

Shortened URLs, produced by services like and, can be brute-forced. And searching random shortened URLs yields all sorts of secret documents. Plus, many of them can be edited, and can be infected with malware.

There's a new law in Kuwait that will enforce DNA testing for everyone: citizens, expatriates, and visitors. They promise that the program "does not include genealogical implications or affects personal freedoms and privacy." I assume that "visitors" includes tourists, so presumably the entry procedure at passport control will now include a cheek swab. And there is nothing preventing the Kuwaiti government from sharing that information with any other government.

Last year, we learned about a backdoor in Juniper firewalls, one that seems to have been added into the code base. There's now some good research: "A Systematic Analysis of the Juniper Dual EC Incident," by Stephen Checkoway, Shaanan Cohney, Christina Garman, Matthew Green, Nadia Heninger, Jacob Maskiewicz, Eric Rescorla, Hovav Shacham, and Ralf-Philipp Weinmann.

GCHQ detected a potential pre-publication leak of a Harry Potter book, and alerted the publisher. Is this what British national intelligence is supposed to be doing?

The hacker who hacked Hacking Team posted a lengthy description of how he broke into the company and stole everything.

If doping weren't enough, cyclists are cheating in races by hiding tiny motors in their bicycles. There are many detection techniques.

Dilbert has a series of cartoon strips on government backdoors.

Another cartoon:

Three more cartoons that make it clear this is a security vs. surveillance debate.

Another cartoon:

Last month, there was a big news story about the BlackBerry encryption key. The news was that all BlackBerry devices share a global encryption key, and that the Canadian RCMP has a copy of it.
Stupid design, certainly, but it's not news. As the Register points out, this has been repeatedly reported on since 2010.
And note that this only holds for individual users. If your organization uses a BlackBerry Enterprise Server (BES), you have your own unique key.

Drones can graffiti walls that no person can reach. (Note that blocks ad blockers. My trick is to copy the page and then paste it into my text editor.)

Interesting research that shows that people trust robots, even when they don't inspire trust:
Our notions of trust depend on all sorts of cues that have nothing to do with actual trustworthiness. I would be interested in seeing where the robot fits in in the continuum of authority figures. Is it trusted more or less than a man in a hazmat suit? A woman in a business suit? An obviously panicky student? How do different looking robots fare?

Testimonies of Matt Blaze and Danny Weitzner on the "Going Dark" debate, both on April 19 before the House Energy and Commerce Committee. And the hearing.

In Data and Goliath, I talk about the self-censorship that comes along with broad surveillance. This interesting research documents this phenomenon in Wikipedia: "Chilling Effects: Online Surveillance and Wikipedia Use," by Jon Penney.

Interesting research outlining vulnerabilities in Samsung's SmartThings: Earlence Fernandes, Jaeyeon Jung, and Atul Prakash, "Security Analysis of Emerging Smart Home Applications":

Turns out there are two different conferences with the title International Conference on Cyber Security (ICCS 2016), one real and one fake. Richard Clayton has the story.

Julian Sanchez of CATO has two excellent posts on the Feinstein-Burr Bill that would outlaw strong encryption.
It's such a badly written bill that I wonder if it's just there to anchor us to an extreme, so we're relieved when the actual bill comes along. This is what I said in an interview: "'This is the most braindead piece of legislation I've ever seen,' Schneier -- who has just been appointed a Fellow of the Kennedy School of Government at Harvard -- told The Reg. 'The person who wrote this either has no idea how technology works or just doesn't care.'"

Forbes estimates that football player Laremy Tunsil lost $7 million in salary because of an ill-advised personal video made public.

The White House has released a report on big-data discrimination.

Dilbert on electronic voting machines:

Last year, the NSA announced its plans for transitioning to cryptography that is resistant to a quantum computer. Now, it's NIST's turn. Its just-released report talks about the importance of algorithm agility and quantum resistance. Sometime soon, it's going to have a competition for quantum-resistant public-key algorithms.

An economics professor was detained when he was spotted doing math on an airplane:

Fascinating story of Tim and Alex Foley, the children of Russian spies Donald Heathfield and Tracey Foley.

A criminal ring was arrested in Malaysia for a new type of credit card fraud:

It's a known truth that most Android vulnerabilities don't get patched. It's not Google's fault. It releases the patches, but the phone carriers don't push them down to their smartphone users. Now the Federal Communications Commission and the Federal Trade Commission are investigating, sending letters to major carriers and device makers. I think this is a good thing. This is a long-existing market failure, and a place where we need government regulation to make us all more secure.

Interesting research on hacking gesture-based security systems:

Amazon Unlimited Fraud

Amazon Unlimited is an all-you-can-read service. You pay one price and can read anything that's in the program. Amazon pays authors out of a fixed pool, on the basis of how many people read their books. More interestingly, it pays by the page. An author makes more money if someone reads his book through to page 200 than if they give up at page 50, and even more if they make it through to the end. This makes sense; it doesn't pay authors for books people download but don't read, or read the first few pages of and then decide not to read the rest.

This payment structure requires surveillance, and the Kindle does watch people as they read. The problem is that the Kindle doesn't know if the reader actually reads the book -- only what page they're on. So Kindle Unlimited records the furthest page the reader synched, and pays based on that.

This opens up the possibility for fraud. If an author can create a thousand-page book and trick the reader into reading page 1,000, he gets paid the maximum. Scam authors are doing this through a variety of tricks.

What's interesting is that while Amazon is definitely concerned about this kind of fraud, it doesn't affect its bottom line. The fixed payment pool doesn't change; just who gets how much of it does.

Schneier News

I was interviewed in the April issue of Computer.

I'm speaking remotely via Skype at ISMS Forum Spain on May 26, 2016.

I'm speaking at Infosecurity Europe in London on June 8, 2016.

I'm Writing a Book on Security

I'm writing a book on security in the highly connected Internet-of-Things world. Tentative title:

Click Here to Kill Everybody: Peril and Promise in a Hyper-Connected World

There are two underlying metaphors in the book. The first is what I have called the World-Sized Web, which is that combination of mobile, cloud, persistence, personalization, agents, cyber-physical systems, and the Internet of Things. The second is what I'm calling the "war of all against all," which is the recognition that security policy is a series of "wars" between various interests, and that any policy decision in any one of the wars affects all the others. I am not wedded to either metaphor at this point.

This is the current table of contents, with three of the chapters broken out into sub-chapters:

The World-Sized Web
The Coming Threats
    Privacy Threats
    Availability and Integrity Threats
    Threats from Software-Controlled Systems
    Threats from Interconnected Systems
    Threats from Automatic Algorithms
    Threats from Autonomous Systems
    Other Threats of New Technologies
    Catastrophic Risk
The Current Wars
    The Copyright Wars
    The Crypto Wars
    The US/EU Data Privacy Wars
    The War for Control of the Internet
    The War of Secrecy
The Coming Wars
    The War for Your Data
    The War Against Your Computers
    The War for Your Embedded Computers
    The Militarization of the Internet
    The Powerful vs. the Powerless
    The Rights of the Individual vs. the Rights of Society
The State of Security
Near-Term Solutions
Security for an Empowered World

That will change, of course. If the past is any guide, everything will change.

Current schedule is for me to finish writing this book by the end of September, and have it published at the end of April 2017. I hope to have pre-publication copies available for sale at the RSA Conference next year. As with my previous book, Norton is the publisher.

So if you notice me blogging less this summer, this is why.

And if you have any comments on the outline, leave them here.

Since 1998, CRYPTO-GRAM has been a free monthly newsletter providing summaries, analyses, insights, and commentaries on security: computer and otherwise. You can subscribe, unsubscribe, or change your address on the Web at <>. Back issues are also available at that URL.

Please feel free to forward CRYPTO-GRAM, in whole or in part, to colleagues and friends who will find it valuable. Permission is also granted to reprint CRYPTO-GRAM, as long as it is reprinted in its entirety.

CRYPTO-GRAM is written by Bruce Schneier. Bruce Schneier is an internationally renowned security technologist, called a "security guru" by The Economist. He is the author of 13 books -- including his latest, "Data and Goliath" -- as well as hundreds of articles, essays, and academic papers. His influential newsletter "Crypto-Gram" and his blog "Schneier on Security" are read by over 250,000 people. He has testified before Congress, is a frequent guest on television and radio, has served on several government committees, and is regularly quoted in the press. Schneier is a fellow at the Berkman Center for Internet and Society at Harvard Law School, a program fellow at the New America Foundation's Open Technology Institute, a board member of the Electronic Frontier Foundation, an Advisory Board Member of the Electronic Privacy Information Center, and the Chief Technology Officer at Resilient, an IBM Company. See <>.

Crypto-Gram is a personal newsletter. Opinions expressed are not necessarily those of Resilient: an IBM Company.

Copyright (c) 2016 by Bruce Schneier.

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.