
GINSU: NSA Exploit of the Day

Today’s item from the NSA’s Tailored Access Operations (TAO) group implant catalog:

GINSU

(TS//SI//REL) GINSU provides software application persistence for the CNE implant, KONGUR, on target systems with the PCI bus hardware implant, BULLDOZER.

(TS//SI//REL) This technique supports any desktop PC system that contains at least one PCI connector (for BULLDOZER installation) and Microsoft Windows 9x, 2000, 2003, XP, or Vista.

(TS//SI//REL) Through interdiction, BULLDOZER is installed in the target system as a PCI bus hardware implant. After fielding, if KONGUR is removed from the system as a result of an operating system upgrade or reinstall, GINSU can be set to trigger on the next reboot of the system to restore the software implant.

Unit Cost: $0

Status: Released / Deployed. Ready for Immediate Delivery

Page, with graphics, is here. General information about TAO and the catalog is here.

In the comments, feel free to discuss how the exploit works, how we might detect it, how it has probably been improved since the catalog entry in 2008, and so on.

Posted on January 29, 2014 at 2:28 PM

Trying to Value Online Privacy

Interesting paper: “The Value of Online Privacy,” by Scott Savage and Donald M. Waldman.

Abstract: We estimate the value of online privacy with a differentiated products model of the demand for Smartphone apps. We study the apps market because it is typically necessary for the consumer to relinquish some personal information through “privacy permissions” to obtain the app and its benefits. Results show that the representative consumer is willing to make a one-time payment for each app of $2.28 to conceal their browser history, $4.05 to conceal their list of contacts, $1.19 to conceal their location, $1.75 to conceal their phone’s identification number, and $3.58 to conceal the contents of their text messages. The consumer is also willing to pay $2.12 to eliminate advertising. Valuations for concealing contact lists and text messages for “more experienced” consumers are also larger than those for “less experienced” consumers. Given the typical app in the marketplace has advertising, requires the consumer to reveal their location and their phone’s identification number, the benefit from consuming this app must be at least $5.06.

Interesting analysis, though we know that the point of sale is not the best place to capture the privacy preferences of people. There are too many other factors at play, and privacy isn’t the most salient thing going on.

Posted on January 29, 2014 at 12:26 PM

The Politics of Fear

This is very good:

…one might suppose that modern democratic states, with the lessons of history at hand, would seek to minimize fear - or at least minimize its effect on deliberative decision-making in both foreign and domestic policy.

But today the opposite is frequently true. Even democracies founded in the principles of liberty and the common good often take the path of more authoritarian states. They don’t work to minimize fear, but use it to exert control over the populace and serve the government’s principal aim: consolidating power.

[…]

However, since 9/11 leaders of both political parties in the United States have sought to consolidate power by leaning not just on the danger of a terrorist attack, but on the fact that the possible perpetrators are frightening individuals who are not like us. As President George W. Bush put it before a joint session of Congress in 2001: “They hate our freedoms: our freedom of religion, our freedom of speech, our freedom to vote and assemble and disagree with each other.” Last year President Obama brought the enemy closer to home, arguing in a speech at the National Defense University that “we face a real threat from radicalized individuals here in the United States”—radicalized individuals who were “deranged or alienated individuals - often U.S. citizens or legal residents.”

The Bush fear-peddling is usually considered the more extreme, but is it? The Obama formulation puts the “radicalized individuals” in our midst. They could be American citizens or legal residents. And the subtext is that if we want to catch them we need to start looking within. The other is among us. The pretext for the surveillance state is thus established.

Posted on January 29, 2014 at 6:24 AM

TAWDRYYARD: NSA Exploit of the Day

Back in December, Der Spiegel published a lot of information about the NSA’s Tailored Access Operations (TAO) group, including a 2008 catalog of hardware and software “implants.” Because there were so many items in the catalog, the individual items didn’t get a lot of discussion. By highlighting an individual implant every day, my goal is to fix that.

Today’s item:

TAWDRYYARD

(TS//SI//REL TO USA,FVEY) Beacon RF retro-reflector. Provides return when illuminated with radar to provide rough positional location.

(U) Capabilities
(TS//SI//REL TO USA,FVEY) TAWDRYYARD is used as a beacon, typically to assist in locating and identifying deployed RAGEMASTER units. Current design allows it to be detected and located quite easily within a 50′ radius of the radar system being used to illuminate it. TAWDRYYARD draws as 8 μA at 2.5V (20μW) allowing a standard lithium coin cell to power it for months or years. The simplicity of the design allows the form factor to be tailored for specific operational requirements. Future capabilities being considered are return of GPS coordinates and a unique target identifier and automatic processing to scan a target area for presence of TAWDRYYARDs. All components are COTS and so are non-attributable to NSA.

Concept of Operation
(TS//SI//REL TO USA,FVEY) The board generates a square wave operating at a preset frequency. This square wave is used to turn a FET (field effect transistor) on and off. When the unit is illuminated with a CW signal, the illuminating signal is amplitude-modulated (AM) with the square wave. This signal is re-radiated, where it is picked up by the radar, then processed to recover the clock signal. Typically, the fundamental is used to indicate the unit’s presence, and is simply displayed on a low frequency spectrum analyzer. TAWDRYYARD is part of the ANGRYNEIGHBOR family of radar retro-reflectors.

Unit Cost: $30

Status: End processing still in development.

Page, with graphics, is here. General information about TAO and the catalog is here.

In the comments, feel free to discuss how the exploit works, how we might detect it, how it has probably been improved since the catalog entry in 2008, and so on.

Posted on January 28, 2014 at 2:13 PM

US Privacy and Civil Liberties Oversight Board (PCLOB) Condemns NSA Mass Surveillance

Now we know why the president gave his speech on NSA surveillance last week; he wanted to get ahead of the Privacy and Civil Liberties Oversight Board.

Last week, it issued a report saying that NSA mass surveillance of Americans is illegal and should end. Both EPIC and EFF have written about this.

What frustrates me about all of this—this report, the president’s speech, and so many other things—is that they focus on the bulk collection of cell phone call records. There’s so much more bulk collection going on—phone calls, e-mails, address books, buddy lists, text messages, cell phone location data, financial documents, calendars, etc.—and we really need legislation and court opinions on it all. But because cell phone call records were the first disclosure, they’re what gets the attention.

EDITED TO ADD (1/28): I should add links to yesterday’s story that the NSA is collecting data from leaky smart phone apps.

Posted on January 28, 2014 at 12:39 PM

EU Might Raise Fines for Data Breaches

This makes a lot of sense.

Viviane Reding dismissed recent fines for Google as “pocket money” and said the firm would have had to pay $1bn under her plans for privacy failings.

Ms Reding said such punishments were necessary to ensure firms took the use of personal data seriously.

And she questioned how Google was able to take so long getting round to changing its policy.

“Is it surprising to anyone that two whole years after the case emerged, it is still unclear whether Google will amend its privacy policy or not?” she said in a speech.

Ms Reding, who is also vice-president of the European Commission, wants far tougher laws that would introduce fines of up to 5% of the global annual turnover of a company for data breaches.

If fines are intended to change corporate behavior, they need to be large enough so that avoiding them is a smarter business strategy than simply paying them.

Posted on January 28, 2014 at 6:47 AM

SPARROW II: NSA Exploit of the Day

Today’s item from the NSA’s Tailored Access Operations (TAO) group implant catalog:

SPARROW II

(TS//SI//REL) An embedded computer system running BLINDDATE tools. Sparrow II is a fully functional WLAN collection system with integrated Mini PCI slots for added functionality such as GPS and multiple Wireless Network Interface Cards.

(U//FOUO) System Specs

Processor: IBM Power PC 405GPR

Memory: 64MB (SDRAM), 16MB (FLASH)

Expansion: Mini PCI (Up to 4 devices) supports USB, Compact Flash, and 802.11 B/G

OS: Linux (2.4 Kernel)

Application SW: BLINDDATE

Battery Time: At least two hours

(TS//SI//REL) The Sparrow II is a capable option for deployment where small size, minimal weight and reduced power consumption are required. PCI devices can be connected to the Sparrow II to provide additional functionality, such as wireless command and control or a second or third 802.11 card. The Sparrow is shipped with Linux and runs the BLINDDATE software suite.

Unit Cost: $6K

Status: (S//SI//REL) Operational Restrictions exist for equipment deployment.

Page, with graphics, is here. General information about TAO and the catalog is here.

In the comments, feel free to discuss how the exploit works, how we might detect it, how it has probably been improved since the catalog entry in 2008, and so on.

Posted on January 27, 2014 at 8:06 PM

New Security Risks for Windows XP Systems

Microsoft is trying to stop supporting Windows XP. The problem is that a majority of ATMs still use that OS. And once Microsoft stops issuing security updates to XP, those machines will become increasingly vulnerable.

Although I have to ask the question: how many of those ATMs have been keeping up with their patches so far?

We have far to go with our security of embedded systems.

Posted on January 27, 2014 at 6:32 AM

PHOTOANGLO: NSA Exploit of the Day

Today’s item from the NSA’s Tailored Access Operations (TAO) group implant catalog:

PHOTOANGLO

(TS//SI//REL TO USA,FVEY) PHOTOANGLO is a joint NSA/GCHQ project to develop a new radar system to take the place of the CTX4000.

(U) Capabilities
(TS//SI//REL TO USA,FVEY) The planned capabilities for this system are:

  • Frequency range: 1 – 2 GHz, which will be later extended to 1 – 4 GHz
  • Maximum bandwidth: 450 MHz.
  • Size: Small enough to fit into a slim briefcase.
  • Weight: Less than 10 lbs.
  • Maximum Output Power: 2W
  • Output:
      • Video
      • Transmit antenna
  • Inputs:
      • External oscillator
      • Receive antenna

(U) Concept of Operation
(TS//SI//REL TO USA,FVEY) The radar unit generates an un-modulated, continuous wave (CW) signal. The oscillator is either generated internally, or externally through a signal generator or cavity oscillator. The unit amplifies the signal and sends it out to an RF connector, where it is directed to some form of transmission antenna (horn, parabolic dish, LPA, spiral). The signal illuminates the target system and is re-radiated. The receive antenna picks up the re-radiated signal and directs the signal to the receive input. The signal is amplified, filtered, and mixed with the transmit antenna. The result is a homodyne receiver in which the RF signal is mixed directly to baseband. The baseband video signal is ported to an external BNC connector. This connects to a processing system, such as NIGHTWATCH, an LFS-2, or VIEWPLATE, to process the signal and provide the intelligence.

Unit Cost: $40k (planned)

Status: Development. Planned IOC is 1st QTR FY09.

Page, with graphics, is here. General information about TAO and the catalog is here.

In the comments, feel free to discuss how the exploit works, how we might detect it, how it has probably been improved since the catalog entry in 2008, and so on.
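
The signal chain in the two concept-of-operation passages on this page (TAWDRYYARD's square-wave AM of a CW illuminator, and the homodyne mix to baseband described for PHOTOANGLO) can be followed in a small simulation. This is an added example, not code from the catalog or from this blog; the frequencies are constructed and scaled far down from real radar bands, and all function names are hypothetical. It also shows what separates a modulated reflector from a passive one in the return: a baseband tone at the clock frequency.

```python
import cmath, math, random

# Constructed, scaled-down values in Hz (assumption; real illuminators are in the GHz range)
FS, F_CW, F_CLK = 200_000, 10_000, 250

def reflected(n, depth, phase=0.7, noise=0.1, seed=1):
    """Constructed return: CW carrier whose amplitude a FET toggles at F_CLK."""
    rng = random.Random(seed)
    out = []
    for i in range(n):
        fet_on = (2 * i * F_CLK // FS) % 2 == 0          # square-wave clock
        gain = 1.0 if fet_on else 1.0 - depth
        carrier = math.cos(2 * math.pi * F_CW * i / FS + phase)
        out.append(gain * carrier + rng.gauss(0, noise))
    return out

def homodyne(rx):
    """Mix with the transmit reference (I and Q), then average one carrier
    period per output sample: low-pass plus decimation to baseband."""
    block = FS // F_CW
    env = []
    for start in range(0, len(rx) - block + 1, block):
        acc = sum(rx[i] * cmath.exp(-2j * math.pi * F_CW * i / FS)
                  for i in range(start, start + block))
        env.append(2 * abs(acc) / block)                  # magnitude drops the unknown phase
    return env, FS / block

def tone_level(x, fs, f):
    """Amplitude of the component at f Hz (single-bin DFT, mean removed)."""
    mean = sum(x) / len(x)
    acc = sum((v - mean) * cmath.exp(-2j * math.pi * f * k / fs)
              for k, v in enumerate(x))
    return 2 * abs(acc) / len(x)

def detect_clock(rx, candidates=range(50, 1001, 50), threshold=0.1):
    """Return (frequency, level) of the strongest baseband tone, or None."""
    env, fs_bb = homodyne(rx)
    level, freq = max((tone_level(env, fs_bb, f), f) for f in candidates)
    return (freq, level) if level >= threshold else None

if __name__ == "__main__":
    n = FS * 40 // 1000                                   # 40 ms capture
    print("modulated reflector:", detect_clock(reflected(n, depth=0.5)))
    print("passive reflector:  ", detect_clock(reflected(n, depth=0.0)))
```

The square wave's odd harmonics (750 Hz here) also appear in the baseband spectrum, which is why the catalog text singles out the fundamental as the presence indicator.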

Posted on January 24, 2014 at 2:09 PM

Sidebar photo of Bruce Schneier by Joe MacInnis.