Friday Squid Blogging: Squid Nebula
A nebula that looks like a squid.
As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered.
Page 409
The NSA's Patents
Here are all the NSA’s patents, in one searchable database.
If you find something good, tell us all in the comments.
The Fundamental Insecurity of USB
This is pretty impressive:
Most of us learned long ago not to run executable files from sketchy USB sticks. But old-fashioned USB hygiene can’t stop this newer flavor of infection: Even if users are aware of the potential for attacks, ensuring that their USB’s firmware hasn’t been tampered with is nearly impossible. The devices don’t have a restriction known as “code-signing,” a countermeasure that would make sure any new code added to the device has the unforgeable cryptographic signature of its manufacturer. There’s not even any trusted USB firmware to compare the code against.
The element of Nohl and Lell’s research that elevates it above the average theoretical threat is the notion that the infection can travel both from computer to USB and vice versa. Any time a USB stick is plugged into a computer, its firmware could be reprogrammed by malware on that PC, with no easy way for the USB device’s owner to detect it. And likewise, any USB device could silently infect a user’s computer.
These are exactly the sorts of attacks the NSA favors.
EDITED TO ADD (8/14): Good writeup. Slides from BlackHat talk.
Debit Card Override Hack
Parrish allegedly visited Apple Stores and tried to buy products with four different debit cards, which were all closed by his respective financial institutions. When his debit card was inevitably declined by the Apple Store, he would protest and offer to call his bank—except, he wasn’t really calling his bank.
So, the complaint says, he would offer the Apple Store employees a fake authorization code with a certain number of digits, which is normally provided by credit card issuers to create a record of the credit or debit override.
Now that this trick is public, how long before stores stop accepting these authorization codes altogether? I’ll be that fixing the infrastructure will be expensive.
The Costs of NSA Surveillance
New America Foundation has a new paper on the costs of NSA surveillance: economic costs to US business, costs to US foreign policy, and costs to security.
News article.
Conference on Deception
There was a conference on deception earlier this month. Sophie Van Der Zee has a summary of the sessions.
Russia Paying for a Tor Break
Russia has put out a tender on its official government procurement website for anyone who can identify Tor users. The reward of $114,000 seems pretty cheap for this capability. And we now get to debate whether 1) Russia cannot currently deaonymize Tor users, or 2) Russia can, and this is a ruse to make us think they can’t.
Friday Squid Blogging: Build a Squid
An interactive animation from the Museum of New Zealand Te Papa Tongarewa.
As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered.
Building a Legal Botnet in the Cloud
Two researchers have built a botnet using free anonymous accounts. They only collected 1,000 accounts, but there’s no reason this can’t scale to much larger numbers.
Security Vulnerability in the Tails OS
I’d like more information on this.
EDITED TO ADD (8/13): Response from Tails.
Sidebar photo of Bruce Schneier by Joe MacInnis.