Essays in the Category "Computer and Information Security"

Page 3 of 30

Cryptography after the Aliens Land

  • Bruce Schneier
  • IEEE Security & Privacy
  • September/October 2018

Quantum computing is a new way of computing—one that could allow humankind to perform computations that are simply impossible using today’s computing technologies. It allows for very fast searching, something that would break some of the encryption algorithms we use today. And it allows us to easily factor large numbers, something that would break the RSA cryptosystem for any key length.

This is why cryptographers are hard at work designing and analyzing “quantum-resistant” public-key algorithms. Currently, quantum computing is too nascent for cryptographers to be sure of what is secure and what isn’t. But even assuming aliens have developed the technology to its full potential, quantum computing doesn’t spell the end of the world for cryptography. Symmetric cryptography is easy to make quantum-resistant, and we’re working on quantum-resistant public-key algorithms. If public-key cryptography ends up being a temporary anomaly based on our mathematical knowledge and computational ability, we’ll still survive. And if some inconceivable alien technology can break all of cryptography, we still can have secrecy based on information theory—albeit with significant loss of capability…

Why the FBI Wants You to Reboot Your Router — and Why That Won’t Be Enough Next Time

The security threats will keep getting worse.

  • Bruce Schneier
  • The Washington Post
  • June 6, 2018

On May 25, the FBI asked us all to reboot our routers. The story behind this request is one of sophisticated malware and unsophisticated home-network security, and it’s a harbinger of the sorts of pervasive threats — from nation-states, criminals and hackers — that we should expect in coming years.

VPNFilter is a sophisticated piece of malware that infects mostly older home and small-office routers made by Linksys, MikroTik, Netgear, QNAP and TP-Link. (For a list of specific models, click here.) It’s an impressive piece of work. It can eavesdrop on traffic passing through the router — specifically, log-in credentials and SCADA traffic, which is a networking protocol that controls power plants, chemical plants and industrial systems — attack other targets on the Internet and destructively “kill” its infected device. It is one of a very few pieces of malware that can survive a reboot, even though that’s what the FBI has requested. It has a number of other capabilities, and it can be remotely updated to provide still others. More than 500,000 routers in at least 54 countries have been infected since 2016…

What "Efail" Tells Us About Email Vulnerabilities and Disclosure

  • Bruce Schneier
  • Lawfare
  • May 24, 2018

Last week, researchers disclosed vulnerabilities in a large number of encrypted email clients: specifically, those that use OpenPGP and S/MIME, including Thunderbird and AppleMail. These are serious vulnerabilities: An attacker who can alter mail sent to a vulnerable client can trick that client into sending a copy of the plaintext to a web server controlled by that attacker. The story of these vulnerabilities and the tale of how they were disclosed illustrate some important lessons about security vulnerabilities in general and email security in particular…

Banning Chinese Phones Won't Fix Security Problems with Our Electronic Supply Chain

The real issue is overall trust.

  • Bruce Schneier
  • The Washington Post
  • May 8, 2018

Earlier this month, the Pentagon stopped selling phones made by the Chinese companies ZTE and Huawei on military bases because they might be used to spy on their users.

It’s a legitimate fear, and perhaps a prudent action. But it’s just one instance of the much larger issue of securing our supply chains.

All of our computerized systems are deeply international, and we have no choice but to trust the companies and governments that touch those systems. And while we can ban a few specific products, services or companies, no country can isolate itself from potential foreign interference…

Artificial Intelligence and the Attack/Defense Balance

  • Bruce Schneier
  • IEEE Security & Privacy
  • March/April 2018

Artificial intelligence technologies have the potential to upend the longstanding advantage that attack has over defense on the Internet. This has to do with the relative strengths and weaknesses of people and computers, how those all interplay in Internet security, and where AI technologies might change things.

You can divide Internet security tasks into two sets: what humans do well and what computers do well. Traditionally, computers excel at speed, scale, and scope. They can launch attacks in milliseconds and infect millions of computers. They can scan computer code to look for particular kinds of vulnerabilities, and data packets to identify particular kinds of attacks…

Can Consumers' Online Data Be Protected?

  • Bruce Schneier
  • CQ Researcher
  • February 9, 2018

This essay appeared as half of a point/counterpoint with Priscilla Regan, in a CQ Researcher report on Privacy and the Internet.

Con

Everything online is hackable. This is true for Equifax’s data and the federal Office of Personal Management’s data, which was hacked in 2015. If information is on a computer connected to the internet, it is vulnerable.

But just because everything is hackable doesn’t mean everything will be hacked. The difference between the two is complex, and filled with defensive technologies, security best practices, consumer awareness, the motivation and skill of the hacker and the desirability of the data. The risks will be different if an attacker is a criminal who just wants credit-card details — and doesn’t care where he gets them from — or the Chinese military looking for specific data from a specific place…

The New Way Your Computer Can Be Attacked

Unprecedented computer-chip vulnerabilities exposed this month paint a grim picture of the future of cybersecurity.

  • Bruce Schneier
  • The Atlantic
  • January 22, 2018

Portuguese translation

On January 3, the world learned about a series of major security vulnerabilities in modern microprocessors. Called Spectre and Meltdown, these vulnerabilities were discovered by several different researchers last summer, disclosed to the microprocessors’ manufacturers, and patched—at least to the extent possible.

This news isn’t really any different from the usual endless stream of security vulnerabilities and patches, but it’s also a harbinger of the sorts of security problems we’re going to be seeing in the coming years. These are vulnerabilities in computer hardware, not software. They affect virtually all high-end microprocessors produced in the last 20 years. Patching them requires large-scale coordination across the industry, and in some cases drastically affects the performance of the computers. And sometimes patching isn’t possible; the vulnerability will remain until the computer is discarded…

The Security of Pretty Much Every Computer on the Planet Has Just Gotten a Lot Worse

  • Bruce Schneier
  • CNN
  • January 5, 2018

The security of pretty much every computer on the planet has just gotten a lot worse, and the only real solution—which,of course, is not a solution—is to throw them all away and buy new ones that may be available in a few years.

On Wednesday, researchers announced a series of major security vulnerabilities in the microprocessors at the heart of the world’s computers for the past 15 to 20 years. They’ve been named Spectre and Meltdown, and they operate by manipulating different ways processors optimize performance by rearranging the order of instructions or performing different instructions in parallel. An attacker who controls one process on a system can use the vulnerabilities to steal secrets from elsewhere on the computer…

Testimony Before the House Subcommittee on Digital Commerce and Consumer Protection

  • Bruce Schneier
  • November 1, 2017

Testimony and Statement for the Record of Bruce Schneier
Fellow and Lecturer, Belfer Center for Science and International Affairs, Harvard Kennedy School

Fellow, Berkman Center for Internet and Society at Harvard Law School

Hearing on “Securing Consumers’ Credit Data in the Age of Digital Commerce”

Before the

Subcommittee on Digital Commerce and Consumer Protection
Committee on Energy and Commerce
United States House of Representatives

1 November 2017
2125 Rayburn House Office Building

Washington, DC 20515

Mister Chairman and Members of the Committee, thank you for the opportunity to testify today concerning the security of credit data. My name is Bruce Schneier, and I am a security technologist. For over 30 years I have studied the technologies of security and privacy. I have authored 13 books on these subjects, including …

Don't Waste Your Breath Complaining to Equifax about Data Breach

  • Bruce Schneier
  • CNN
  • September 11, 2017

Last Thursday, Equifax reported a data breach that affects 143 million US customers, about 44% of the population. It’s an extremely serious breach; hackers got access to full names, Social Security numbers, birth dates, addresses, driver’s license numbers — exactly the sort of information criminals can use to impersonate victims to banks, credit card companies, insurance companies, and other businesses vulnerable to fraud.

Many sites posted guides to protecting yourself now that it’s happened. But if you want to prevent this kind of thing from happening again, your only solution is government regulation (as …

Sidebar photo of Bruce Schneier by Joe MacInnis.