Schneier on Security

Blog

Page 46

Friday Squid Blogging: Squid Sculpture in Massachusetts Building

Great blow-up sculpture.

Blog moderation policy.

Tags: squid

Posted on November 1, 2024 at 5:04 PM •

Roger Grimes on Prioritizing Cybersecurity Advice

This is a good point:

Part of the problem is that we are constantly handed lists…list of required controls…list of things we are being asked to fix or improve…lists of new projects…lists of threats, and so on, that are not ranked for risks. For example, we are often given a cybersecurity guideline (e.g., PCI-DSS, HIPAA, SOX, NIST, etc.) with hundreds of recommendations. They are all great recommendations, which if followed, will reduce risk in your environment.

What they do not tell you is which of the recommended things will have the most impact on best reducing risk in your environment. They do not tell you that one, two or three of these things…among the hundreds that have been given to you, will reduce more risk than all the others.

[…]

The solution?

Here is one big one: Do not use or rely on un-risk-ranked lists. Require any list of controls, threats, defenses, solutions to be risk-ranked according to how much actual risk they will reduce in the current environment if implemented.

[…]

This specific CISA document has at least 21 main recommendations, many of which lead to two or more other more specific recommendations. Overall, it has several dozen recommendations, each of which individually will likely take weeks to months to fulfill in any environment if not already accomplished. Any person following this document is…rightly…going to be expected to evaluate and implement all those recommendations. And doing so will absolutely reduce risk.

The catch is: There are two recommendations that WILL DO MORE THAN ALL THE REST ADDED TOGETHER TO REDUCE CYBERSECURITY RISK most efficiently: patching and using multifactor authentication (MFA). Patching is listed third. MFA is listed eighth. And there is nothing to indicate their ability to significantly reduce cybersecurity risk as compared to the other recommendations. Two of these things are not like the other, but how is anyone reading the document supposed to know that patching and using MFA really matter more than all the rest?

Tags: cybersecurity, patching, two-factor authentication

Posted on October 31, 2024 at 11:43 AM • View Comments

Tracking World Leaders Using Strava

Way back in 2018, people noticed that you could find secret military bases using data published by the Strava fitness app. Soldiers and other military personal were using them to track their runs, and you could look at the public data and find places where there should be no people running.

Six years later, the problem remains. Le Monde has reported that the same Strava data can be used to track the movements of world leaders. They don’t wear the tracking device, but many of their bodyguards do.

Tags: data privacy, tracking

Posted on October 31, 2024 at 11:16 AM • View Comments

Simson Garfinkel on Spooky Cryptographic Action at a Distance

Excellent read. One example:

Consider the case of basic public key cryptography, in which a person’s public and private key are created together in a single operation. These two keys are entangled, not with quantum physics, but with math.

When I create a virtual machine server in the Amazon cloud, I am prompted for an RSA public key that will be used to control access to the machine. Typically, I create the public and private keypair on my laptop and upload the public key to Amazon, which bakes my public key into the server’s administrator account. My laptop and that remove server are thus entangled, in that the only way to log into the server is using the key on my laptop. And because that administrator account can do anything to that server—read the sensitivity data, hack the web server to install malware on people who visit its web pages, or anything else I might care to do—the private key on my laptop represents a security risk for that server.

Here’s why it’s impossible to evaluate a server and know if it is secure: as long that private key exists on my laptop, that server has a vulnerability. But if I delete that private key, the vulnerability goes away. By deleting the data, I have removed a security risk from the server and its security has increased. This is true entanglement! And it is spooky: not a single bit has changed on the server, yet it is more secure.

Read it all.

Tags: cryptography, quantum cryptography

Posted on October 30, 2024 at 10:48 AM • View Comments

Law Enforcement Deanonymizes Tor Users

The German police have successfully deanonymized at least four Tor users. It appears they watch known Tor relays and known suspects, and use timing analysis to figure out who is using what relay.

Tor has written about this.

Hacker News thread.

Tags: de-anonymization, law enforcement, Tor

Posted on October 29, 2024 at 7:02 AM • View Comments

Criminals Are Blowing up ATMs in Germany

It’s low tech, but effective.

Why Germany? It has more ATMs than other European countries, and—if I read the article right—they have more money in them.

EDITED TO ADD (11/14): Blog readers commented that countries like the Netherlands have laws requiring ATMs to have better security features. One that I thought particularly clever is a small “glue explosion” inside the safe that’s triggered when the ATM safe is breached. The glue renders the currency worthless.

Tags: ATMs, banking, bombs, theft

Posted on October 28, 2024 at 12:12 PM • View Comments

Friday Squid Blogging: Giant Squid Found on Spanish Beach

A giant squid has washed up on a beach in Northern Spain.

Blog moderation policy.

Tags: squid

Posted on October 25, 2024 at 5:01 PM •

Watermark for LLM-Generated Text

Researchers at Google have developed a watermark for LLM-generated text. The basics are pretty obvious: the LLM chooses between tokens partly based on a cryptographic key, and someone with knowledge of the key can detect those choices. What makes this hard is (1) how much text is required for the watermark to work, and (2) how robust the watermark is to post-generation editing. Google’s version looks pretty good: it’s detectable in text as small as 200 tokens.

Tags: academic papers, AI, cryptography, Google, identification, LLM

Posted on October 25, 2024 at 9:56 AM • View Comments

Are Automatic License Plate Scanners Constitutional?

An advocacy groups is filing a Fourth Amendment challenge against automatic license plate readers.

“The City of Norfolk, Virginia, has installed a network of cameras that make it functionally impossible for people to drive anywhere without having their movements tracked, photographed, and stored in an AI-assisted database that enables the warrantless surveillance of their every move. This civil rights lawsuit seeks to end this dragnet surveillance program,” the lawsuit notes. “In Norfolk, no one can escape the government’s 172 unblinking eyes,” it continues, referring to the 172 Flock cameras currently operational in Norfolk. The Fourth Amendment protects against unreasonable searches and seizures and has been ruled in many cases to protect against warrantless government surveillance, and the lawsuit specifically says Norfolk’s installation violates that.”

Tags: cars, courts, privacy, scanners, searches, surveillance

Posted on October 23, 2024 at 2:16 PM • View Comments

No, the Chinese Have Not Broken Modern Encryption Systems with a Quantum Computer

The headline is pretty scary: “China’s Quantum Computer Scientists Crack Military-Grade Encryption.”

No, it’s not true.

This debunking saved me the trouble of writing one. It all seems to have come from this news article, which wasn’t bad but was taken wildly out of proportion.

Cryptography is safe, and will be for a long time

EDITED TO ADD (11/3): Really good explainer from Dan Goodin.

Tags: China, encryption, quantum computing

Posted on October 22, 2024 at 7:03 AM • View Comments

← Earlier Entries Later Entries →

Sidebar photo of Bruce Schneier by Joe MacInnis.