Friday Squid Blogging: "Squid Jiggin' Ground"
Classic song written by Arthur Scammell and performed by Hank Snow.
As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered.
For its “Top Influencers in Security You Should Be Following in 2015” blog post, TripWire asked me: “If you could have one infosec-related superpower, what would it be?” I answered:
Most superpowers are pretty lame: super strength, super speed, super sight, super stretchiness.
Teleportation would probably be the most useful given my schedule, but for subverting security systems, you can’t beat invisibility. You can bypass almost every physical security measure with invisibility, and when you trip an alarm—say, a motion sensor—the guards that respond will conclude that you’re a false alarm.
Oh, you want an “infosec” superpower. Hmmm. The ability to detect the origin of packets? The ability to bypass firewalls without a sound? The ability to mimic anyone’s biometric? Those are all too techy for me. Maybe the ability to translate my thoughts into articles and books without going through the tedious process of writing. But then, what would I do on long airplane flights? So maybe I need teleportation after all.
I have long said that driving a car is the most dangerous thing we regularly do in our lives. Turns out deaths due to automobiles are declining, while deaths due to firearms are on the rise:
Guns and cars have long been among the leading causes of non-medical deaths in the U.S. By 2015, firearm fatalities will probably exceed traffic fatalities for the first time, based on data compiled by Bloomberg.
While motor-vehicle deaths dropped 22 percent from 2005 to 2010, gun fatalities are rising again after a low point in 2000, according to the Atlanta-based Centers for Disease Control and Prevention. Shooting deaths in 2015 will probably rise to almost 33,000, and those related to autos will decline to about 32,000, based on the 10-year average trend.
There’s also this story.
An excellent idea:
311 for encryption. RSA, DSA, and ECDSA must be 3.4 ounces (100bits) or less per container; must be in 1 quart-sized, clear, plastic, zip-top bag; 1 bag per message placed in screening bin. The bag limits the total data volume each traveling message can bring.
Thousands of articles have called the December attack against Sony Pictures a wake-up call to industry. Regardless of whether the attacker was the North Korean government, a disgruntled former employee, or a group of random hackers, the attack showed how vulnerable a large organization can be and how devastating the publication of its private correspondence, proprietary data, and intellectual property can be.
But while companies are supposed to learn that they need to improve their security against attack, there’s another equally important but much less discussed lesson here: companies should have an aggressive deletion policy.
One of the social trends of the computerization of our business and social communications tools is the loss of the ephemeral. Things we used to say in person or on the phone we now say in e-mail, by text message, or on social networking platforms. Memos we used to read and then throw away now remain in our digital archives. Big data initiatives mean that we’re saving everything we can about our customers on the remote chance that it might be useful later.
Everything is now digital, and storage is cheap—why not save it all?
Sony illustrates the reason why not. The hackers published old e-mails from company executives that caused enormous public embarrassment to the company. They published old e-mails by employees that caused less-newsworthy personal embarrassment to those employees, and these messages are resulting in class-action lawsuits against the company. They published old documents. They published everything they got their hands on.
Saving data, especially e-mail and informal chats, is a liability.
It’s also a security risk: the risk of exposure. The exposure could be accidental. It could be the result of data theft, as happened to Sony. Or it could be the result of litigation. Whatever the reason, the best security against these eventualities is not to have the data in the first place.
If Sony had had an aggressive data deletion policy, much of what was leaked couldn’t have been stolen and wouldn’t have been published.
An organization-wide deletion policy makes sense. Customer data should be deleted as soon as it isn’t immediately useful. Internal e-mails can probably be deleted after a few months, IM chats even more quickly, and other documents in one to two years. There are exceptions, of course, but they should be exceptions. Individuals should need to deliberately flag documents and correspondence for longer retention. But unless there are laws requiring an organization to save a particular type of data for a prescribed length of time, deletion should be the norm.
This has always been true, but many organizations have forgotten it in the age of big data. In the wake of the devastating leak of terabytes of sensitive Sony data, I hope we’ll all remember it now.
This essay previously appeared on ArsTechnica.com, which has comments from people who strongly object to this idea.
Slashdot thread.
It’s called SnoopSnitch:
SnoopSnitch is an app for Android devices that analyses your mobile radio traffic to tell if someone is listening in on your phone conversations or tracking your location. Unlike standard antivirus apps, which are designed to combat software intrusions or steal personal info, SnoopSnitch picks up on things like fake mobile base stations or SS7 exploits. As such, it’s probably ideally suited to evading surveillance from local government agencies.
The app was written by German outfit Security Research Labs, and is available for free on the Play Store. Unfortunately, you’ll need a rooted Android device running a Qualcomm chipset to take advantage.
Download it here.
In the wake of the Paris terrorist shootings, David Cameron has said that he wants to ban encryption in the UK. Here’s the quote: “If I am prime minister I will make sure that it is a comprehensive piece of legislation that does not allow terrorists safe space to communicate with each other.”
This is similar to FBI director James Comey’s remarks from last year. And it’s equally stupid.
Cory Doctorow has a good essay on Cameron’s proposal:
For David Cameron’s proposal to work, he will need to stop Britons from installing software that comes from software creators who are out of his jurisdiction. The very best in secure communications are already free/open source projects, maintained by thousands of independent programmers around the world. They are widely available, and thanks to things like cryptographic signing, it is possible to download these packages from any server in the world (not just big ones like Github) and verify, with a very high degree of confidence, that the software you’ve downloaded hasn’t been tampered with.
Cameron is not alone here. The regime he proposes is already in place in countries like Syria, Russia, and Iran (for the record, none of these countries have had much luck with it). There are two means by which authoritarian governments have attempted to restrict the use of secure technology: by network filtering and by technology mandates.
Good essay.
Worry about Ebola (or anything) manifests physically as what’s known as a fight, flight, or freeze response. Biological systems ramp up or down to focus the body’s resources on the threat at hand. Heart rate and blood pressure increase, immune function is suppressed (after an initial burst), brain chemistry changes, and the normal functioning of the digestive system is interrupted, among other effects. Like fear itself, these changes are protective in the short term. But when they persist, the changes prompted by chronic stress—defined as stress beyond the normal hassles of life, lasting at least one to two weeks—are associated with increased risk of cardiovascular disease (the leading cause of death in America); increased likelihood and severity of clinical depression (suicide is the 10th leading cause of death in America); depressed memory formation and recall; impaired fertility; reduced bone growth; and gastrointestinal disorders.
Perhaps most insidious of all, by suppressing our immune systems, chronic stress makes us more likely to catch infectious diseases, or suffer more—or die—from diseases that a healthy immune system would be better able to control. The fear of Ebola may well have an impact on the breadth and severity of how many people get sick, or die, from influenza this flu season. (The CDC reports that, either directly or indirectly, influenza kills between 3,000 and 49,000 people per year.)
There is no question that America’s physical, economic, and social health is far more at risk from the fear of Ebola than from the virus itself.
This is an interesting historical use of Viking runes as a secret code. Yes, the page is all in Finnish. But scroll to the middle. There’s a picture of the Stockholm city police register from 1536, about a married woman who was found with someone who was not her husband. The recording scribe “encrypted” her name and home address using runes.