Schneier on Security

Page 501

Another Liars and Outliers Review

I was reviewed in Science:

Thus it helps to have a lucid and informative account such as Bruce Schneier’s Liars and Outliers. The book provides an interesting and entertaining summary of the state of play of research on human social behavior, with a special emphasis on trust and trustworthiness.

[…]

Free from preoccupations and personal attachments to any of the scientific disciplines working on the topic, he has compiled a well-structured overview of what research can tell us about how trust and trustworthiness accumulate (although some academic readers may find their publications presented in an unexpected context). This he enlivens by adding real-life experiences on how to build trust and keep trustworthiness alive.

I am amused by the parenthetical comment.

Tags: books, Liars and Outliers, trust

Posted on October 13, 2012 at 7:28 AM • View Comments

Friday Squid Blogging: Squid Car

A squid art car.

As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered.

Tags: squid

Posted on October 12, 2012 at 4:17 PM • View Comments

"Ask Nicely" Doesn't Work as a Security Mechanism

Apple’s map application shows more of Taiwan than Google Maps:

The Taiwanese government/military, like many others around the world, requests that satellite imagery providers, such as Google Maps, blur out certain sensitive military installations. Unfortunately, Apple apparently didn’t get that memo.

[…]

According to reports the Taiwanese defence ministry hasn’t filed a formal request with Apple yet but thought it would be a great idea to splash this across the media and bring everyone’s attention to the story. Obviously it would terribly embarrassing if some unscrupulous person read the story and then found various uncensored military installations around Taiwan and posted photos of them.

Photos at the link.

Tags: Apple, geolocation, Google, Taiwan

Posted on October 11, 2012 at 7:03 AM • View Comments

The Insecurity of Networks

Not computer networks, networks in general:

Findings so far suggest that networks of networks pose risks of catastrophic danger that can exceed the risks in isolated systems. A seemingly benign disruption can generate rippling negative effects. Those effects can cost millions of dollars, or even billions, when stock markets crash, half of India loses power or an Icelandic volcano spews ash into the sky, shutting down air travel and overwhelming hotels and rental car companies. In other cases, failure within a network of networks can mean the difference between a minor disease outbreak or a pandemic, a foiled terrorist attack or one that kills thousands of people.

Understanding these life-and-death scenarios means abandoning some well-established ideas developed from single-network studies. Scientists now know that networks of networks don’t always behave the way single networks do. In the wake of this insight, a revolution is under way. Researchers from various fields are rushing to figure out how networks link up and to identify the consequences of those connections.

[…]

Efforts by Havlin and colleagues have yielded other tips for designing better systems. Selectively choosing which nodes in one network to keep independent from the second network can prevent “poof” moments. Looking back to the blackout in Italy, the researchers found that they could defend the system by decoupling just four communications servers. “Here, we have some hope to make a system more robust,” Havlin says.

This promise is what piques the interest of governments and other agencies with money to fund deeper explorations of network-of-networks problems. It’s probably what attracted the attention of the Defense Threat Reduction Agency in the first place. Others outside the United States are also onboard. The European Union is spending millions of euros on Multiplex, putting together an all-star network science team to create a solid theoretical foundation for interacting networks. And an Italian-funded project, called Crisis Lab, will receive 9 million euros over three years to evaluate risk in real-world crises, with a focus on interdependencies among power grids, telecommunications systems and other critical infrastructures.

Eventually, Dueñas-Osorio envisions that a set of guidelines will emerge not just for how to simulate and study networks of networks, but also for how to best link networks up to begin with. The United States, along with other countries, have rules for designing independent systems, he notes. There are minimum requirements for constructing buildings and bridges. But no one says how networks of networks should come together.

It’s a pretty good primer of current research into the risks involved in networked systems, both natural and artificial.

Tags: network security

Posted on October 10, 2012 at 8:18 AM • View Comments

This is a fascinating story of a CIA burglar, who worked for the CIA until he tried to work against the CIA. The fact that he stole code books and keys from foreign embassies makes it extra interesting, and the complete disregard for the Constitution at the end makes it extra scary.

Tags: CIA, espionage, intelligence, theft

Posted on October 9, 2012 at 6:31 AM • View Comments

New Developments in Captchas

In the never-ending arms race between systems to prove that you’re a human and computers that can fake it, here’s a captcha that tests whether you have human feelings.

Instead of your run-of-the-mill alphanumeric gibberish, or random selection of words, the Civil Rights Captcha presents you with a short blurb about a Civil Rights violation and asks you how you feel about it. Ostensibly robots (and trolls) won’t make it through because they’ll remark that a human rights activist’s murder makes them feel “aroused” instead of “upset.” And bots will still have to make it past standard Captcha hurdles before they can even pick one of the choices.

The easy way to attack this system is to create a library with all the correct answers.

How soon before Deckard has to come to our house to administer a test?

Tags: captchas

Posted on October 8, 2012 at 8:12 AM • View Comments

Friday Squid Blogging: Giant Squid Engraving from the 1870s

Neat book illustration.

As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered.

Tags: squid

Posted on October 5, 2012 at 4:38 PM • View Comments

When Will We See Collisions for SHA-1?

On a NIST-sponsored hash function mailing list, Jesse Walker (from Intel; also a member of the Skein team) did some back-of-the-envelope calculations to estimate how long it will be before we see a practical collision attack against SHA-1. I’m reprinting his analysis here, so it reaches a broader audience.

According to E-BASH, the cost of one block of a SHA-1 operation on already deployed commodity microprocessors is about 2¹⁴ cycles. If Stevens’ attack of 2⁶⁰ SHA-1 operations serves as the baseline, then finding a collision costs about 2¹⁴ * 2⁶⁰ ~ 2⁷⁴ cycles.

A core today provides about 2³¹ cycles/sec; the state of the art is 8 = 2³ cores per processor for a total of 2³ * 2³¹ = 2³⁴ cycles/sec. A server typically has 4 processors, increasing the total to 2² * 2³⁴ = 2³⁶ cycles/sec. Since there are about 2²⁵ sec/year, this means one server delivers about 2²⁵ * 2³⁶ = 2⁶¹ cycles per year, which we can call a “server year.”

There is ample evidence that Moore’s law will continue through the mid 2020s. Hence the number of doublings in processor power we can expect between now and 2021 is:

3/1.5 = 2 times by 2015 (3 = 2015 – 2012)

6/1.5 = 4 times by 2018 (6 = 2018 – 2012)

9/1.5 = 6 times by 2021 (9 = 2021 – 2012)

So a commodity server year should be about:

2⁶¹ cycles/year in 2012

2² * 2⁶¹ = 2⁶³ cycles/year by 2015

2⁴ * 2⁶¹ = 2⁶⁵ cycles/year by 2018

2⁶ * 2⁶¹ = 2⁶⁷ cycles/year by 2021

Therefore, on commodity hardware, Stevens’ attack should cost approximately:

2⁷⁴ / 2⁶¹ = 2¹³ server years in 2012

2⁷⁴ / 2⁶³ = 2¹¹ server years by 2015

2⁷⁴ / 2⁶⁵ = 2⁹ server years by 2018

2⁷⁴ / 2⁶⁷ = 2⁷ server years by 2021

Today Amazon rents compute time on commodity servers for about $0.04 / hour ~ $350 /year. Assume compute rental fees remain fixed while server capacity keeps pace with Moore’s law. Then, since log₂(350) ~ 8.4 the cost of the attack will be approximately:

2¹³ * 2^8.4 = 2^21.4 ~ $2.77M in 2012

2¹¹ * 2^8.4 = 2^19.4 ~ $700K by 2015

2⁹ * 2^8.4 = 2^17.4 ~ $173K by 2018

2⁷ * 2^8.4 = 2^15.4 ~ $43K by 2021

A collision attack is therefore well within the range of what an organized crime syndicate can practically budget by 2018, and a university research project by 2021.

Since this argument only takes into account commodity hardware and not instruction set improvements (e.g., ARM 8 specifies a SHA-1 instruction), other commodity computing devices with even greater processing power (e.g., GPUs), and custom hardware, the need to transition from SHA-1 for collision resistance functions is probably more urgent than this back-of-the-envelope analysis suggests.

Any increase in the number of cores per CPU, or the number of CPUs per server, also affects these calculations. Also, any improvements in cryptanalysis will further reduce the complexity of this attack.

The point is that we in the community need to start the migration away from SHA-1 and to SHA-2/SHA-3 now.

Tags: cryptanalysis, cryptography, hashes, NIST, SHA-1

Posted on October 5, 2012 at 1:24 PM • View Comments

Maps Showing Spread of ZeroAccess Botnet

The folks at F-Secure have plotted ZeroAccess infections across the U.S. and across Europe. It’s interesting to see, but I’m curious to see the data normalized to the number of computers on the Internet.

Tags: botnets, F-Secure, Internet, malware

Posted on October 5, 2012 at 7:44 AM • View Comments