Crypto-Gram

December 15, 2016

by Bruce Schneier
CTO, Resilient, an IBM Company
schneier@schneier.com
https://www.schneier.com

A free monthly newsletter providing summaries, analyses, insights, and commentaries on security: computer and otherwise.

For back issues, or to subscribe, visit <https://www.schneier.com/crypto-gram.html>.

You can read this issue on the web at <https://www.schneier.com/crypto-gram/archives/2016/…>. These same essays and news items appear in the “Schneier on Security” blog at <http://www.schneier.com/>, along with a lively and intelligent comment section. An RSS feed is available.

In this issue:

My Priorities for the Next Four Years

Like many, I was surprised and shocked by the election of Donald Trump as president. I believe his ideas, temperament, and inexperience represent a grave threat to our country and world. Suddenly, all the things I had planned to work on seemed trivial in comparison. Although Internet security and privacy are not the most important policy areas at risk, I believe he—and, more importantly, his cabinet, administration, and Congress—will have devastating effects in that area, both in the US and around the world.

The election was so close that I’ve come to see the result as a bad roll of the dice. A few minor tweaks here and there—a more enthusiastic Sanders endorsement, one fewer of Comey’s announcements, slightly less Russian involvement—and the country would be preparing for a Clinton presidency and discussing a very different social narrative. That alternative narrative would stress business as usual, and continue to obscure the deep social problems in our society. Those problems won’t go away on their own, and in this alternative future they would continue to fester under the surface, getting steadily worse. This election exposed those problems for everyone to see.

I spent the last month both coming to terms with this reality, and thinking about the future. Here is my new agenda for the next four years:

One, fight the fights. There will be more government surveillance and more corporate surveillance. I expect legislative and judicial battles along several lines: a renewed call from the FBI for backdoors into encryption, more leeway for government hacking without a warrant, no controls on corporate surveillance, and more secret government demands for that corporate data. I expect other countries to follow our lead. (The UK is already more extreme than us.) And if there’s a major terrorist attack under Trump’s watch, it’ll be open season on our liberties. We may lose a lot of these battles, but we need to lose as few as possible and as little of our existing liberties as possible.

Two, prepare for those fights. Much of the next four years will be reactive, but we can prepare somewhat. The more we can convince corporate America to delete their saved archives of surveillance data and to store only what they need for as long as they need it, the safer we’ll all be. We need to convince Internet giants like Google and Facebook to change their business models away from surveillance capitalism. It’s a hard sell, but maybe we can nibble around the edges. Similarly, we need to keep pushing the truism that privacy and security are not antagonistic, but rather are essential for each other.

Three, lay the groundwork for a better future. No matter how bad the next four years get, I don’t believe that a Trump administration will permanently end privacy, freedom, and liberty in the US. I don’t believe that it portends a radical change in our democracy. (Or if it does, we have bigger problems than a free and secure Internet.) It’s true that some of Trump’s institutional changes might take decades to undo. Even so, I am confident—optimistic even—that the US will eventually come around; and when that time comes, we need good ideas in place for people to come around to. This means proposals for non-surveillance-based Internet business models, research into effective law enforcement that preserves privacy, intelligent limits on how corporations can collect and exploit our data, and so on.

And four, continue to solve the actual problems. The serious security issues around cybercrime, cyber-espionage, cyberwar, the Internet of Things, algorithmic decision making, foreign interference in our elections, and so on aren’t going to disappear for four years while we’re busy fighting the excesses of Trump. We need to continue to work towards a more secure digital future. And to the extent that cybersecurity for our military networks and critical infrastructure allies with cybersecurity for everyone, we’ll probably have an ally in Trump.

Those are my four areas. Under a Clinton administration, my list would have looked much the same. Trump’s election just means the threats will be much greater, and the battles a lot harder to win. It’s more than I can possibly do on my own, and I am therefore substantially increasing my annual philanthropy to support organizations like EPIC, EFF, ACLU, and Access Now in continuing their work in these areas.

My agenda is necessarily focused entirely on my particular areas of concern. The risks of a Trump presidency are far more pernicious, but this is where I have expertise and influence.

Right now, we have a defeated majority. Many are scared, and many are motivated—and few of those are applying their motivation constructively. We need to harness that fear and energy to start fixing our society now, instead of waiting four or even eight years, at which point the problems would be worse and the solutions more extreme. I am choosing to proceed as if this were cowpox, not smallpox: fighting the more benign disease today will be much easier than subjecting ourselves to its more virulent form in the future. It’s going to be hard keeping the intensity up for the next four years, but we need to get to work. Let’s use Trump’s victory as the wake-up call and opportunity that it is.

Russian involvement in the US election:
http://www.nytimes.com/2016/12/13/us/politics/…

Latest UK surveillance law:
http://www.wired.co.uk/article/…

Convincing surveillance companies to change their business models:
http://www.theverge.com/2016/11/10/13581314/…

Hacking and the 2016 Presidential Election

Was the 2016 presidential election hacked? It’s hard to tell. There were no obvious hacks on Election Day, but new reports have raised the question of whether voting machines were tampered with in three states that Donald Trump won: Wisconsin, Michigan and Pennsylvania.

The researchers behind these reports include voting rights lawyer John Bonifaz and J. Alex Halderman, the director of the University of Michigan Center for Computer Security and Society, both respected in the community. They have been talking with Hillary Clinton’s campaign, but their analysis is not yet public.

According to a report in New York magazine, the share of votes received by Clinton was significantly lower in precincts that used a particular type of voting machine: The magazine story suggested that Clinton had received 7 percent fewer votes in Wisconsin counties that used electronic machines, which could be hacked, than in counties that used paper ballots. That is exactly the sort of result we would expect to see if there had been some sort of voting machine hack. There are many different types of voting machines, and attacks against one type would not work against the others. So a voting anomaly correlated to machine type could be a red flag, although Trump did better across the entire Midwest than pre-election polls expected, and there are also some correlations between voting machine type and the demographics of the various precincts. Even Halderman wrote early Wednesday morning that “the most likely explanation is that the polls were systematically wrong, rather than that the election was hacked.”

What the allegations, and the ripples they’re causing on social media, really show is how fundamentally untrustworthy our hodgepodge election system is.

Accountability is a major problem for US elections. The candidates are the ones required to petition for recounts, and we throw the matter into the courts when we can’t figure it out. This all happens after an election, and because the battle lines have already been drawn, the process is intensely political. Unlike many other countries, we don’t have an independent body empowered to investigate these matters. There is no government agency empowered to verify these researchers’ claims, even if it would be merely to reassure voters that the election count was accurate.

Instead, we have a patchwork of voting systems: different rules, different machines, different standards. I’ve seen arguments that there is security in this setup—an attacker can’t broadly attack the entire country—but the downsides of this system are much more critical. National standards would significantly improve our voting process.

Further investigation of the claims raised by the researchers would help settle this particular question. Unfortunately, time is of the essence—underscoring another problem with how we conduct elections. For anything to happen, Clinton has to call for a recount and investigation. She has until Friday to do it in Wisconsin, until Monday in Pennsylvania and until next Wednesday in Michigan. I don’t expect the research team to have any better data before then. Without changes to the system, we’re telling future hackers that they can be successful as long as they’re able to hide their attacks for a few weeks until after the recount deadlines pass.

Computer forensics investigations are not easy, and they’re not quick. They require access to the machines. They involve analysis of Internet traffic. If we suspect a foreign country like Russia, the National Security Agency will analyze what they’ve intercepted from that country. This could easily take weeks, perhaps even months. And in the end, we might not even get a definitive answer. And even if we do end up with evidence that the voting machines were hacked, we don’t have rules about what to do next.

Although winning those three states would flip the election, I predict Clinton will do nothing (her campaign, after all, has reportedly been aware of the researchers’ work for nearly a week). Not because she does not believe the researchers—although she might not—but because she doesn’t want to throw the post-election process into turmoil by starting a highly politicized process whose eventual outcome will have little to do with computer forensics and a lot to do with which party has more power in the three states.

But we only have two years until the next national elections, and it’s time to start fixing things if we don’t want to be wondering the same things about hackers in 2018. The risks are real: Electronic voting machines that don’t use a paper ballot are vulnerable to hacking.

Clinton supporters are seizing on this story as their last lifeline of hope. I sympathize with them. When I wrote about vote-hacking the day after the election, I said: “Elections serve two purposes. First, and most obvious, they are how we choose a winner. But second, and equally important, they convince the loser—and all the supporters—that he or she lost.” If the election system fails to do the second, we risk undermining the legitimacy of our democratic process. Clinton’s supporters deserve to know whether this apparent statistical anomaly is the result of a hack against our election system or a spurious correlation. They deserve an election that is demonstrably fair and accurate. Our patchwork, ad hoc system means they may never feel confident in the outcome. And that will further erode the trust we have in our election systems.

This essay previously appeared in the Washington Post.
https://www.washingtonpost.com/posteverything/wp/…

http://nymag.com/daily/intelligencer/2016/11/…
http://www.cnn.com/2016/11/22/politics/…
https://twitter.com/Nate_Cohn/status/801226924156719104

Center for Computer Security and Society:
http://security.engin.umich.edu/

Trump in the Midwest:
http://www.vox.com/2016/11/22/13721426/…

Halderman’s essay:
https://medium.com/@jhalderm/…

Green Party candidate Jill Stein is calling for a recount in the three states. I have no idea if a recount includes forensic analysis to ensure that the machines were not hacked, but I doubt it. It would be funny if it wasn’t all so horrible.

Also, here’s an article from 538.com arguing that demographics explains all the discrepancies.
https://fivethirtyeight.com/features/…

News

Mass spectrometry of the devices you carry: yet another way to collect personal data on people without their knowledge or consent.
http://www.telegraph.co.uk/science/2016/11/14/…
http://www.pnas.org/content/early/2016/11/08/1610019113

PoisonTap is an impressive hacking tool that can compromise computers via the USB port, even when they are password-protected. What’s interesting is the chain of vulnerabilities the tool exploits. No individual vulnerability is a problem, but together they create a big problem.
https://www.wired.com/2016/11/…
http://arstechnica.com/security/2016/11/…

This is impressive research. “When CSI Meets Public WiFi: Inferring Your Mobile Phone Password via WiFi Signals.”
http://www.ibtimes.co.uk/…
http://dl.acm.org/citation.cfm?id=2978397

A smartphone that secretly sends private data to China.
http://www.nytimes.com/2016/11/16/us/politics/…
On one hand, the phone secretly sends private user data to China. On the other hand, it only costs $50.

John Scott-Railton on securing the high-risk user.
https://www.johnscottrailton.com/…

Vice Motherboard has an interesting article about governments using social-media platforms for propaganda and surveillance, and the companies that are supporting this.
https://motherboard.vice.com/read/…

Surprising no one who has been following this sort of thing, headphones can be used as microphones.
https://www.wired.com/2016/11/…

Susan Landau has an excellent essay on why it’s more important than ever to have backdoor-free encryption on our computer and communications systems.
https://www.lawfareblog.com/…

The San Francisco transit system is the target of ransomware; the ticket machines were hacked. Over the next couple of years, I believe we are going to see the downside of our headlong rush to put everything on the Internet.
http://arstechnica.com/security/2016/11/…
http://www.theverge.com/2016/11/27/13758412/…
http://www.forbes.com/sites/thomasbrewster/2016/11/…
https://krebsonsecurity.com/2016/11/…
https://news.slashdot.org/story/16/11/27/1819205/…

You can rent a 400,000-computer Murai botnet and DDoS anyone you like.
http://www.bleepingcomputer.com/news/security/…
https://boingboing.net/2016/11/28/…
https://it.slashdot.org/story/16/11/27/2230215/…

Ross Anderson describes DigiTally, a secure payments system for use in areas where there is little or no network connectivity.
https://www.lightbluetouchpaper.org/2016/10/31/…

Citizen Lab has analyzed how censorship works in the Chinese chat app WeChat.
https://citizenlab.org/2016/11/…

Excellent essay pointing out that election security is a national security issue, and that we need to perform random ballot audits on every future election.
https://s.scientificamerican.com/guest-blog/…

Another essay along similar lines.
https://www.lawfareblog.com/…

There is some information about Russian political hacking this election cycle that is classified. My guess is that it has nothing to do with hacking the voting machines—the NSA was on high alert for anything, and I have it on good authority that they found nothing—but something related to either the political-organization hacking, the propaganda machines, or something else before Election Day.
http://digbysblog.blogspot.com/2016/12/…

Researchers have found that they can guess various credit-card-number security details by spreading their guesses around multiple websites so as not to trigger any alarms.
https://www.schneier.com/blog/archives/2016/12/…

Yale University Press has published a facsimile of the Voynich Manuscript.
https://www.amazon.com/dp/0300217234/?…
http://hyperallergic.com/335505/…
http://www.bibliotecapleyades.net/ciencia/…

This article outlines two different types of international phone fraud, and explains why it’s so hard to combat.
https://www.theatlantic.com/technology/archive/2016/…

There’s new malware toolkit that uses steganography to hide in images.
https://www.bleepingcomputer.com/news/security/…
https://slashdot.org/story/16/12/06/2324213/…

Le Monde and the Intercept are reporting about NSA spying in Africa, and NSA spying on in-flight mobile phone calls—both from the Snowden documents.
https://theintercept.com/2016/12/08/…
https://theintercept.com/2016/12/07/…

A fully functional four-rotor Enigma machine sold for $463,500.
http://newatlas.com/enigma-auction-record/46841/

There’s a cybersecurity fantasy role-playing game called Cryptomancer. Think computer hacking plus magic. I know nothing about it, but it feels reminiscent of Shadowrun.
http://cryptorpg.com/
https://www.reddit.com/r/RPGdesign/comments/4uwea3/…
https://forum.rpg.net/showthread.php?…
https://ageofravens.blogspot.com/2016/12/…

A new ransomware, Popcorn Time, gives users the option of infecting others in lieu of paying the ransom.
https://threatpost.com/…
https://it.slashdot.org/story/16/12/12/0457218/…
Related: a good general article on ransomware.
https://www.wired.com/2015/09/…

Hiding information in silver and carbon ink.
http://phys.org/news/…

According to a new research paper, Let’s Encrpyt is making web encryption easier.
https://arxiv.org/abs/1612.03005

In this impressive social-engineering display, a hacker convinces a cell-phone tech support person to change an account password without being verified in any way.
https://www.youtube.com/watch?v=lc7scxvKQOo

Schneier News

Last month, I testified about security and the Internet of Things at a joint hearing of the Subcommittee on Communications and Technology, and the Subcommittee on Commerce, Manufacturing, and Trade—both part of the Committee on Energy and Commerce of the US House of Representatives.

The topic was the Dyn attacks and the Internet of Things. I talked about different market failures that will affect security on the Internet of Things. One of them was this problem of emergent vulnerabilities. I worry that as we continue to connect things to the Internet, we’re going to be seeing a lot of these sorts of attacks: chains of tiny vulnerabilities that combine into a massive security risk. It’ll be hard to defend against these types of attacks. If no one product or process is to blame, no one has responsibility to fix the problem. So I gave a mostly Republican audience a pro-regulation message. They were surprisingly polite and receptive.

https://threatpost.com/…
https://yro.slashdot.org/story/16/11/16/202240/…
https://www.onthewire.io/…
http://www.dailydot.com/layer8/…
http://www.theregister.co.uk/2016/11/16/…
http://www.computerworld.com/article/3141803/…
http://www.law360.com/privacy/articles/863178/…
http://.cybersecuritylaw.us/2016/11/15/…

Here’s the video; my testimony starts around 1:10:10.
https://energycommerce.house.gov/hearings-and-votes/…

Dumb Security Survey Questions

According to a Harris poll, 39% of Americans would give up sex for a year in exchange for perfect computer security:

According to an online survey among over 2,000 U.S. adults conducted by Harris Poll on behalf of Dashlane, the leader in online identity and password management, nearly four in ten Americans (39%) would sacrifice sex for one year if it meant they never had to worry about being hacked, having their identity stolen, or their accounts breached. With a new hack or breach making news almost daily, people are constantly being reminded about the importance of secure passwords, yet some are still not following proper password protocol.

Does anyone think that this hypothetical survey question means anything? What, are they bored at Harris? Oh, I see. This is a paid survey by a computer company looking for some publicity.

Four in 10 people (41%) would rather give up their favorite food for a month than go through the password reset process for all their online accounts.

I guess it’s more fun to ask these questions than to poll the election.

https://.dashlane.com/…

Since 1998, CRYPTO-GRAM has been a free monthly newsletter providing summaries, analyses, insights, and commentaries on security: computer and otherwise. You can subscribe, unsubscribe, or change your address on the Web at <https://www.schneier.com/crypto-gram.html>. Back issues are also available at that URL.

Please feel free to forward CRYPTO-GRAM, in whole or in part, to colleagues and friends who will find it valuable. Permission is also granted to reprint CRYPTO-GRAM, as long as it is reprinted in its entirety.

CRYPTO-GRAM is written by Bruce Schneier. Bruce Schneier is an internationally renowned security technologist, called a “security guru” by The Economist. He is the author of 13 books—including his latest, “Data and Goliath”—as well as hundreds of articles, essays, and academic papers. His influential newsletter “Crypto-Gram” and his blog “Schneier on Security” are read by over 250,000 people. He has testified before Congress, is a frequent guest on television and radio, has served on several government committees, and is regularly quoted in the press. Schneier is a fellow at the Berkman Center for Internet and Society at Harvard Law School, a program fellow at the New America Foundation’s Open Technology Institute, a board member of the Electronic Frontier Foundation, an Advisory Board Member of the Electronic Privacy Information Center, and the Chief Technology Officer at Resilient, an IBM Company. See <https://www.schneier.com>.

Crypto-Gram is a personal newsletter. Opinions expressed are not necessarily those of Resilient, an IBM Company.

Copyright (c) 2016 by Bruce Schneier.

Sidebar photo of Bruce Schneier by Joe MacInnis.