Schneier on Security

Page 504

The NSA and the Risk of Off-the-Shelf Devices

Interesting article on how the NSA is approaching risk in the era of cool consumer devices. There’s a discussion of the president’s network-disabled iPad, and the classified cell phone that flopped because it took so long to develop and was so clunky. Turns out that everyone wants to use iPhones.

Levine concluded, “Using commercial devices to process classified phone calls, using commercial tablets to talk over wifi—that’s major game-changer for NSA to put classified information over wifi networks, but that’s what we’re going to do.” One way that would be done, he said, was by buying capability from cell carriers that have networks of cell towers in much the way small cell providers and companies like Onstar do.

Interestingly, Levine described an agency that is being forced to adopt a more realistic and practical attitude toward risk. “It used to be that the NSA squeezed all risk out of everything,” he said. Even lower-levels of sensitivity were covered by Top Secret-level crypto. “We don’t do that now—it’s levels of risk. We say we can give you this, but can ensure only this level of risk.” Partly this came about, he suggested, because the military has an inherent understanding that nothing is without risk, and is used to seeing things in terms of tradeoffs: “With the military, everything is a risk decision. If this is the communications capability I need, I’ll have to take that risk.”

Tags: consumerization, iPhone, NSA, risks

Posted on September 20, 2012 at 6:02 AM • View Comments

Analysis of PIN Data

An analysis of 3.4 million four-digit PINs. (“1234” is the most common: 10.7% of all PINs. The top 20 PINs are 26.8% of the total. “8068” is the least common PIN—that’ll probably change now that the fact is published.)

Tags: passwords, PINs

Posted on September 19, 2012 at 12:31 PM • View Comments

Recent Developments in Password Cracking

A recent Ars Technica article made the point that password crackers are getting better, and therefore passwords are getting weaker. It’s not just computing speed; we now have many databases of actual passwords we can use to create dictionaries of common passwords, or common password-generation techniques. (Example: dictionary word plus a single digit.)

This really isn’t anything new. I wrote about it in 2007. Even so, the article has caused a bit of a stir since it was published. I didn’t blog about it then, because I was waiting for Joe Bonneau to comment. He has, in a two–part blog post that’s well worth reading.

Password cracking can be evaluated on two nearly independent axes: power (the ability to check a large number of guesses quickly and cheaply using optimized software, GPUs, FPGAs, and so on) and efficiency (the ability to generate large lists of candidate passwords accurately ranked by real-world likelihood using sophisticated models). It’s relatively simple to measure cracking power in units of hashes evaluated per second or hashes per second per unit cost. There are details to account for, like the complexity of the hash being evaluated, but this problem is generally similar to cryptographic brute force against unknown (random) keys and power is generally increasing exponentially in tune with Moore’s law. The move to hardware-based cracking has enabled well-documented orders-of-magnitude speedups.

Cracking efficiency, by contrast, is rarely measured well.

Finally, there are two basic schemes for choosing secure passwords: the Schneier scheme and the XKCD scheme.

Tags: academic papers, comics, passwords

Posted on September 19, 2012 at 4:41 AM • View Comments

Diamond Swallowing as a Ruse

It’s a known theft tactic to swallow what you’re stealing. It works for food at the supermarket, and it also can work for diamonds. Here’s a twist on that tactic:

Police say he could have swallowed the stone in an attempt to distract the diamond’s owner, Suresh de Silva, while his accomplice stole the real gem.

Mr de Silva told the BBC that the Chinese men had visited the stall twice and he believed the diamond theft occurred during the first visit and not the second one, when the man swallowed the stone.

He insisted the man was trying to swap a fake stone for the real one and only swallowed the stone when he panicked after Mr de Silva apprehended him and alerted police.

This reminds me of group pickpocket tactics against tourists: the person who steals the wallet quickly passes it to someone else, so if the victim grabs the attacker, the wallet is long gone.

Tags: pickpocketing, theft

Posted on September 17, 2012 at 7:03 AM • View Comments

Friday Squid Blogging: Giant Squid Museum

In Valdés, Spain.

As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered.

Tags: squid

Posted on September 14, 2012 at 4:15 PM • View Comments

Schneier on Security on Elementary

Two of my books can be seen in the background in CBS’ new Sherlock Holmes drama, Elementary. Copies of Schneier on Security and Secrets & Lies are prominently displayed on Sherlock Holmes’ bookshelf. You can see them in the first few minutes of the pilot episode. The show’s producers contacted me early on to ask permission to use my books, so it didn’t come as a surprise, but it’s still a bit of a thrill.
Sherlock's bookshelf

Here’s a listing of all the books visible on the bookshelf.

Tags: books, Schneier news, Schneier on Security (book), Secrets & Lies, television

Posted on September 14, 2012 at 2:20 PM • View Comments

Man-in-the-Middle Bank Fraud Attack

This sort of attack will become more common as banks require two-factor authentication:

Tatanga checks the user account details including the number of accounts, supported currency, balance/limit details. It then chooses the account from which it could steal the highest amount.

Next, it initiates a transfer.

At this point Tatanga uses a Web Inject to trick the user into believing that the bank is performing a chipTAN test. The fake instructions request that the user generate a TAN for the purpose of this “test” and enter the TAN.

Note that the attack relies on tricking the user, which isn’t very hard.

Tags: authentication, banking, man-in-the-middle attacks, two-factor authentication, web

Posted on September 14, 2012 at 11:23 AM • View Comments

UGNazi

Good article on the hacker group UGNazi.

Tags: hacking

Posted on September 14, 2012 at 6:47 AM • View Comments

Estimating the Probability of Another 9/11

This statistical research says once per decade:

Abstract: Quantities with right-skewed distributions are ubiquitous in complex social systems, including political conflict, economics and social networks, and these systems sometimes produce extremely large events. For instance, the 9/11 terrorist events produced nearly 3000 fatalities, nearly six times more than the next largest event. But, was this enormous loss of life statistically unlikely given modern terrorism’s historical record? Accurately estimating the probability of such an event is complicated by the large fluctuations in the empirical distribution’s upper tail. We present a generic statistical algorithm for making such estimates, which combines semi-parametric models of tail behavior and a non-parametric bootstrap. Applied to a global database of terrorist events, we estimate the worldwide historical probability of observing at least one 9/11-sized or larger event since 1968 to be 11-35%. These results are robust to conditioning on global variations in economic development, domestic versus international events, the type of weapon used and a truncated history that stops at 1998. We then use this procedure to make a data-driven statistical forecast of at least one similar event over the next decade.

Article about the research.

Tags: 9/11, risk assessment, risks, terrorism

Posted on September 13, 2012 at 1:20 PM • View Comments