Entries Tagged "theft"

Page 17 of 22

Driver's License Printer Stolen and Recovered

A specialized printer used to print Missouri driver’s licenses was stolen and recovered.

It’s a funny story, actually. Turns out the thief couldn’t get access to the software needed to run the printer; a lockout on the control computer apparently thwarted him. When he called tech support, they tipped off the Secret Service.

On the one hand, this probably won’t deter a more sophisticated thief. On the other hand, you can make pretty good forgeries with off-the-shelf equipment.

Posted on October 31, 2007 at 6:11 AM

Light and Crime

A New Yorker article on light pollution has a paragraph on light and crime:

Much so-called security lighting is designed with little thought for how eyes—or criminals—operate. Marcus Felson, a professor at the School of Criminal Justice at Rutgers University, has concluded that lighting is effective in preventing crime mainly if it enables people to notice criminal activity as it’s taking place, and if it doesn’t help criminals to see what they’re doing. Bright, unshielded floodlights—one of the most common types of outdoor security lighting in the country—often fail on both counts, as do all-night lights installed on isolated structures or on parts of buildings that can’t be observed by passersby (such as back doors). A burglar who is forced to use a flashlight, or whose movement triggers a security light controlled by an infrared motion sensor, is much more likely to be spotted than one whose presence is masked by the blinding glare of a poorly placed metal halide “wall pack.” In the early seventies, the public-school system in San Antonio, Texas, began leaving many of its school buildings, parking lots, and other property dark at night and found that the no-lights policy not only reduced energy costs but also dramatically cut vandalism.

Posted on September 12, 2007 at 6:23 AM

How to Get Free Food at a Fast-Food Drive-In

It’s easy. Find a fast-food restaurant with two drive-through windows: one where you order and pay, and the other where you receive your food. This won’t work at the more-common U.S. configuration: a microphone where you order, and a single window where you both pay for and receive your food. The video demonstrates the attack at a McDonald’s in—I assume—France.

Wait until there is someone behind you and someone in front of you. Don’t order anything at the first window. Tell the clerk that you forgot your money and didn’t order anything. Then drive to the second window, and take the food that the person behind you ordered.

It’s a clever exploit. Basically, it’s a synchronization attack. By exploiting the limited information flow between the two windows, you can insert yourself into the pay-receive queue.

It’s relatively easy to fix. The restaurant could give the customer a numbered token upon ordering and paying, which he would redeem at the next window for his food. Or the second window could demand to see the receipt. Or the two windows could talk to each other more, maybe by putting information about the car and driver into the computer. But, of course, these security solutions reduce the system’s optimization.

So if not a lot of people do this, the vulnerability will remain open.
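The synchronization flaw and the numbered-token fix described above, modeled as an added example that is not part of the original post. The class names, car labels and orders are constructed for illustration.

```python
import secrets
from collections import deque

class ImplicitOrderShop:
    """Current design: window 2 assumes cars arrive in the order they paid."""
    def __init__(self):
        self.ready = deque()              # orders in payment order, no owner check

    def pay(self, car, order):
        if order is not None:             # a car that orders nothing leaves no record
            self.ready.append(order)
        return None                       # nothing ties the car to its order

    def pickup(self, car, token):
        # Whoever is at the window receives the oldest prepared order.
        return self.ready.popleft() if self.ready else None

class TokenShop:
    """Fix from the text: a numbered token issued at payment, redeemed at pickup."""
    def __init__(self):
        self.ready = {}                   # token -> order

    def pay(self, car, order):
        if order is None:
            return None
        token = secrets.token_hex(4)      # unguessable, single-use
        self.ready[token] = order
        return token

    def pickup(self, car, token):
        return self.ready.pop(token, None)  # no valid token, no food

def serve_lane(shop, lane):
    """lane: (car, order) pairs in physical order; returns what each car receives."""
    tokens = [(car, shop.pay(car, order)) for car, order in lane]
    return {car: shop.pickup(car, token) for car, token in tokens}

# Constructed lane: car B pays for nothing but still drives to window 2.
LANE = [("A", "burger"), ("B", None), ("C", "salad")]

if __name__ == "__main__":
    print(serve_lane(ImplicitOrderShop(), LANE))  # B walks off with C's order
    print(serve_lane(TokenShop(), LANE))          # B gets nothing, C is served
```

The token adds one extra check per car at the second window, which is the throughput cost the post refers to.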

EDITED TO ADD (9/20): The video has been removed from YouTube. It’s available here.

Posted on September 10, 2007 at 6:27 AM

Thieves Steal Drug-Sniffing Dog

Okay; this is clever:

Rex IV, a highly trained Belgian Malinois sheepdog with a string of drug hauls behind him, was checked on to a flight from Mexico City this week with seven other police dogs bound for an operation in the northern state of Sinaloa.

But when the dogs arrived at Mazatlan airport, Sinaloa, their police handlers discovered a small black mongrel puppy inside Rex IV’s cage, with the sniffer dog nowhere to be seen.

Whatever drug lord ordered that hit probably saved himself a whole lot of grief.

EDITED TO ADD (8/29): The dog was found in a park:

Working on a tip, federal police found Rex IV—a highly trained Belgian Malinois sheepdog with a string of drug hauls to its name—tied to a tree in a park in the gritty Iztapalapa neighborhood, a Public Security Ministry spokesman said.

“When they realized the police were onto them, they abandoned him in a park,” the spokesman told Reuters, adding that the dog’s identity was confirmed by scanning an embedded electronic chip.

Why didn’t they just slit the dog’s throat? I take it back: not so clever.

Posted on August 29, 2007 at 6:59 AM

Transporting a $1.9M Rare Coin

Excellent story of security by obscurity:

Feigenbaum put the dime, encased in a 3-inch-square block of plastic, in his pocket and, accompanied by a security guard, drove in an ordinary sedan directly to San Jose airport to catch the red-eye to Newark.

The overnight flight, he said, was the only way to make sure the dime would be in New York by the time the buyer’s bank opened in the morning. People who pay $1.9 million for dimes do not like to be kept waiting for them.

Feigenbaum had purchased a coach ticket, to avoid suspicion, but found himself upgraded to first class. That was a worry, because people in flip-flops, T-shirts and grubby jeans do not regularly ride in first class. But it would have been more suspicious to decline a free upgrade. So Feigenbaum forced himself to sit in first class, where he found himself to be the only passenger in flip-flops.

He was too nervous to sleep, he said. He did not watch the in-flight movie, which was “Firehouse Dog.” He turned down a Reuben sandwich and sensibly declined all offers of alcoholic beverages.

Shortly after boarding the plane, he transferred the dime from his pants pocket to his briefcase.

“I was worried that the dime might fall out of my pocket while I was sitting down,” Feigenbaum said.

All across the country, Feigenbaum kept checking to make sure the dime was safe by reaching into his briefcase to feel for it. Feigenbaum did not actually take the dime out of his briefcase, as it is suspicious to stare at dimes.

This isn’t the first time security through obscurity was employed to transport a very small and very valuable object. From Beyond Fear, pp 211-212:

At 3,106 carats, a little under a pound and a half, the Cullinan Diamond was the largest uncut diamond ever discovered. It was extracted from the earth at the Premier Mine, near Pretoria, South Africa, in 1905. Appreciating the literal enormity of the find, the Transvaal government bought the diamond as a gift for King Edward VII. Transporting the stone to England was a huge security problem, of course, and there was much debate on how best to do it. Detectives were sent from London to guard it on its journey. News leaked that a certain steamer was carrying it, and the presence of the detectives confirmed this. But the diamond on that steamer was a fake. Only a few people knew of the real plan; they packed the Cullinan in a small box, stuck a three-shilling stamp on it, and sent it to England anonymously by unregistered parcel post.

Like all security measures, security by obscurity has its place. I wrote a lot more about the general concepts in this 2002 essay.

Posted on July 30, 2007 at 4:30 PM

Silly Home Security

Fogshield:

Ask anybody who’s made money robbing houses, and they’ll tell you straight up: you can get away with a lot of loot in the 10 minutes before the cops come.

But the crooks won’t find their way out of the foyer if you hit ’em with the FogSHIELD—an add-on to your home security system that releases a blinding blanket of fog to stop thieves in their tracks. When an intruder triggers the alarm, water mixes in the FogSHIELD’s glycol canister to generate enough dry, non-toxic fog to cover 2,000 square feet in less than 15 seconds. It dissipates 45 minutes later, leaving your furniture unsullied and your electronics intact.

The website appears not to be a joke.

EDITED TO ADD (6/23): In the comments, a lot of people have taken me to task for calling this security silly. I stand by my statement: not because it’s not effective, but because it’s not a good trade-off. I can certainly imagine scenarios where filling your house with vision-impairing fog is just the thing to foil a would-be burglar, but it seems awfully specific a countermeasure to me.

Home security—like all security, really—is a combination of protection, detection, and response. Locks and bars are the protection system, and the alarm is the detection/response system. Fogshield is a protection system: after the locks and bars have failed, Fogshield 1) makes it harder for the burglar to navigate around the house, and 2) potentially delays him until the response system (police or whomever) arrives.

But it has problems as a protection system. For one, false alarms are way worse than before. It’s one thing to have a loud bell annoy the neighbors until you turn it off; it’s another to fill your house with fog in less than 15 seconds (plus the cost to replace the canister).

This whole thing feels real “movie-plot threat” to me: great special effect in a movie, but not really a good security trade-off for home use. An alarm system is going to make an average burglar go to the house next door instead, and a dedicated burglar isn’t going to be deterred by this.

Posted on June 21, 2007 at 6:55 AM

Bush's Watch Stolen?

Watch this video very carefully; it’s President Bush working the crowds in Albania. At 0.50 minutes into the clip, Bush has a watch. At 1.04 minutes into the clip, he had a watch.

The U.S. is denying that his watch was stolen:

Photographs showed Bush, surrounded by five bodyguards, putting his hands behind his back so one of the bodyguards could remove his watch.

I simply don’t see that in the video. Bush’s arm is out in front of him during the entire nine seconds between those stills.

Another denial:

An Albanian bodyguard who accompanied Bush in the town told The Associated Press he had seen one of his U.S. colleagues close to Bush bend down and pick up the watch.

That’s certainly possible; it may have fallen off.

But possibly the pickpocket of the century. (Although would anyone actually be stupid enough to try? There must be a zillion easier-to-steal watches in that crowd, many of them nicer than Bush’s.)

EDITED TO ADD (6/12): This article says that he wears a $50 Timex. It also has some more odd denials.

EDITED TO ADD (6/13): In this video, from another angle, it seems clear that Bush removes the watch himself.

Posted on June 12, 2007 at 10:52 AM

Tactics, Targets, and Objectives

If you encounter an aggressive lion, stare him down. But not a leopard; avoid his gaze at all costs. In both cases, back away slowly; don’t run. If you stumble on a pack of hyenas, run and climb a tree; hyenas can’t climb trees. But don’t do that if you’re being chased by an elephant; he’ll just knock the tree down. Stand still until he forgets about you.

I spent the last few days on safari in a South African game park, and this was just some of the security advice we were all given. What’s interesting about this advice is how well-defined it is. The defenses might not be terribly effective—you still might get eaten, gored or trampled—but they’re your best hope. Doing something else isn’t advised, because animals do the same things over and over again. These are security countermeasures against specific tactics.

Lions and leopards learn tactics that work for them, and I was taught tactics to defend myself. Humans are intelligent, and that means we are more adaptable than animals. But we’re also, generally speaking, lazy and stupid; and, like a lion or hyena, we will repeat tactics that work. Pickpockets use the same tricks over and over again. So do phishers, and school shooters. If improvised explosive devices didn’t work often enough, Iraqi insurgents would do something else.

So security against people generally focuses on tactics as well.

A friend of mine recently asked me where she should hide her jewelry in her apartment, so that burglars wouldn’t find it. Burglars tend to look in the same places all the time—dresser tops, night tables, dresser drawers, bathroom counters—so hiding valuables somewhere else is more likely to be effective, especially against a burglar who is pressed for time. Leave decoy cash and jewelry in an obvious place so a burglar will think he’s found your stash and then leave. Again, there’s no guarantee of success, but it’s your best hope.

The key to these countermeasures is to find the pattern: the common attack tactic that is worth defending against. That takes data. A single instance of an attack that didn’t work—liquid bombs, shoe bombs—or one instance that did—9/11—is not a pattern. Implementing defensive tactics against them is the same as my safari guide saying: “We’ve only ever heard of one tourist encountering a lion. He stared it down and survived. Another tourist tried the same thing with a leopard, and he got eaten. So when you see a lion….” The advice I was given was based on thousands of years of collective wisdom from people encountering African animals again and again.

Compare this with the Transportation Security Administration’s approach. With every unique threat, TSA implements a countermeasure with no basis to say that it helps, or that the threat will ever recur.

Furthermore, human attackers can adapt more quickly than lions. A lion won’t learn that he should ignore people who stare him down, and eat them anyway. But people will learn. Burglars now know the common “secret” places people hide their valuables—the toilet, cereal boxes, the refrigerator and freezer, the medicine cabinet, under the bed—and look there. I told my friend to find a different secret place, and to put decoy valuables in a more obvious place.

This is the arms race of security. Common attack tactics result in common countermeasures. Eventually, those countermeasures will be evaded and new attack tactics developed. These, in turn, require new countermeasures. You can easily see this in the constant arms race that is credit card fraud, ATM fraud or automobile theft.

The result of these tactic-specific security countermeasures is to make the attacker go elsewhere. For the most part, the attacker doesn’t particularly care about the target. Lions don’t care who or what they eat; to a lion, you’re just a conveniently packaged bag of protein. Burglars don’t care which house they rob, and terrorists don’t care who they kill. If your countermeasure makes the lion attack an impala instead of you, or if your burglar alarm makes the burglar rob the house next door instead of yours, that’s a win for you.

Tactics matter less if the attacker is after you personally. If, for example, you have a priceless painting hanging in your living room and the burglar knows it, he’s not going to rob the house next door instead—even if you have a burglar alarm. He’s going to figure out how to defeat your system. Or he’ll stop you at gunpoint and force you to open the door. Or he’ll pose as an air-conditioner repairman. What matters is the target, and a good attacker will consider a variety of tactics to reach his target.

This approach requires a different kind of countermeasure, but it’s still well-understood in the security world. For people, it’s what alarm companies, insurance companies and bodyguards specialize in. President Bush needs a different level of protection against targeted attacks than Bill Gates does, and I need a different level of protection than either of them. It would be foolish of me to hire bodyguards in case someone was targeting me for robbery or kidnapping. Yes, I would be more secure, but it’s not a good security trade-off.

Al-Qaida terrorism is different yet again. The goal is to terrorize. It doesn’t care about the target, but it doesn’t have any pattern of tactic, either. Given that, the best way to spend our counterterrorism dollar is on intelligence, investigation and emergency response. And to refuse to be terrorized.

These measures are effective because they don’t assume any particular tactic, and they don’t assume any particular target. We should only apply specific countermeasures when the cost-benefit ratio makes sense (reinforcing airplane cockpit doors) or when a specific tactic is repeatedly observed (lions attacking people who don’t stare them down). Otherwise, general countermeasures are far more effective a defense.

This essay originally appeared on Wired.com.

EDITED TO ADD (6/14): Learning behavior in tigers.

Posted on May 31, 2007 at 6:11 AM


Sidebar photo of Bruce Schneier by Joe MacInnis.