CRYPTO-GRAM, April 15, 2006

Bruce Schneier schneier at COUNTERPANE.COM
Fri Apr 14 23:14:09 PDT 2006


                 CRYPTO-GRAM

               April 15, 2006

              by Bruce Schneier
               Founder and CTO
      Counterpane Internet Security, Inc.
           schneier at counterpane.com
            http://www.schneier.com
           http://www.counterpane.com


A free monthly newsletter providing summaries, analyses, insights, and
commentaries on security: computer and otherwise.

For back issues, or to subscribe, visit
<http://www.schneier.com/crypto-gram.html>.

You can read this issue on the web at
<http://www.schneier.com/crypto-gram-0604.html>.  These same essays
appear in the "Schneier on Security" blog:
<http://www.schneier.com/blog>.  An RSS feed is available.


** *** ***** ******* *********** *************

In this issue:
     Movie-Plot Threat Contest
     Airport Passenger Screening
     80 Cameras for 2,400 People
     Crypto-Gram Reprints
     VOIP Encryption
     Security through Begging
     DHS Privacy and Integrity Report
     News
     KittenAuth
     Terrorism Risks of Google Earth
     New Kind of Door Lock
     Counterpane News
     Evading Copyright Through XOR
     iJacking
     Security Screening for New York Helicopters
     Comments from Readers


** *** ***** ******* *********** *************

     Movie-Plot Threat Contest



NOTE: If you have a blog, please spread the word.

For a while now, I have been writing about our penchant for "movie-plot
threats": terrorist fears based on very specific attack
scenarios.  Terrorists with crop dusters, terrorists exploding baby
carriages in subways, terrorists filling school buses with explosives
-- these are all movie-plot threats.  They're good for scaring people,
but it's just silly to build national security policy around them.

But if we're going to worry about unlikely attacks, why can't they be
exciting and innovative ones?  If Americans are going to be scared,
shouldn't they be scared of things that are really scary?  "Blowing up
the Super Bowl" is a movie plot to be sure, but it's not a very good
movie.  Let's kick this up a notch.

It is in this spirit I announce the (possibly First) Movie-Plot Threat
Contest.  Entrants are invited to submit the most unlikely, yet still
plausible, terrorist attack scenarios they can come up with.

Your goal: cause terror.  Make the American people notice.  Inflict
lasting damage on the U.S. economy.  Change the political landscape, or
the culture.  The more grandiose the goal, the better.

Assume an attacker profile on the order of 9/11: 20 to 30 unskilled
people, and about $500,000 with which to buy skills, equipment, etc.

Post your movie plots here on this blog.

Judging will be by me, swayed by popular acclaim in the blog comments
section.  The prize will be an autographed copy of Beyond Fear.  And if
I can swing it, a phone call with a real live movie producer.

Entries close at the end of the month -- April 30.

This is not an April Fool's joke, although it's in the spirit of the
season.  The purpose of this contest is absurd humor, but I hope it
also makes a point.  Terrorism is a real threat, but we're not any
safer through security measures that require us to correctly guess what
the terrorists are going to do next.

Good luck.

Post your entries, and read the others, here:
http://www.schneier.com/blog/archives/2006/04/announcing_movi.html

Movie-plot threats:
http://www.schneier.com/essay-087.html

http://www.time.com/time/nation/article/0,8599,175951,00.html
http://www.schneier.com/blog/archives/2005/10/exploding_baby.html
http://www.schneier.com/blog/archives/2006/02/school_bus_driv.html
http://www.imdb.com/title/tt0075765

There are hundreds of ideas here:
http://cockeyed.com/citizen/terror/plans/terrorwatch.html


** *** ***** ******* *********** *************

     Airport Passenger Screening



It seems like every time someone tests airport security, airport
security fails. In tests between November 2001 and February 2002,
screeners missed 70 percent of knives, 30 percent of guns, and 60
percent of (fake) bombs. And recently, testers were able to smuggle
bomb-making parts through airport security in 21 of 21 attempts. It
makes you wonder why we're all putting our laptops in a separate bin
and taking off our shoes. (Although we should all be glad that Richard
Reid wasn't the "underwear bomber.")

The failure to detect bomb-making parts is easier to understand. Break
up something into small enough parts, and it's going to slip past the
screeners pretty easily. The explosive material won't show up on the
metal detector, and the associated electronics can look benign when
disassembled. This isn't even a new problem. It's widely believed that
the Chechen women who blew up the two Russian planes in August 2004
probably smuggled their bombs aboard the planes in pieces.

But guns and knives? That surprises most people.

Airport screeners have a difficult job, primarily because the human
brain isn't naturally adapted to the task. We're wired for visual
pattern matching, and are great at picking out something we know to
look for -- for example, a lion in a sea of tall grass.

But we're much less adept at detecting random exceptions in uniform
data. Faced with an endless stream of identical objects, the brain
quickly concludes that everything is identical and there's no point in
paying attention. By the time the exception comes around, the brain
simply doesn't notice it. This psychological phenomenon isn't just a
problem in airport screening: It's been identified in inspections of
all kinds, and is why casinos move their dealers around so often. The
tasks are simply mind-numbing.

To make matters worse, the smuggler can try to exploit the system. He
can position the weapons in his baggage just so. He can try to disguise
them by adding other metal items to distract the screeners. He can
disassemble bomb parts so they look nothing like bombs. Against a bored
screener, he has the upper hand.

And, as has been pointed out again and again in essays on the
ludicrousness of post-9/11 airport security, improvised weapons are a
huge problem. A rock, a battery for a laptop, a belt, the extension
handle off a wheeled suitcase, fishing line, the bare hands of someone
who knows karate...the list goes on and on.

Technology can help. X-ray machines already randomly insert "test" bags
into the stream -- keeping screeners more alert. Computer-enhanced
displays are making it easier for screeners to find contraband items in
luggage, and eventually the computers will be able to do most of the
work. It makes sense: Computers excel at boring repetitive tasks. They
should do the quick sort, and let the screeners deal with the exceptions.

Sure, there'll be a lot of false alarms, and some bad things will still
get through. But it's better than the alternative.

And it's likely good enough. Remember the point of passenger screening.
We're not trying to catch the clever, organized, well-funded
terrorists. We're trying to catch the amateurs and the incompetent.
We're trying to catch the unstable. We're trying to catch the copycats.
These are all legitimate threats, and we're smart to defend against
them. Against the professionals, we're just trying to add enough
uncertainty into the system that they'll choose other targets instead.

The terrorists' goals have nothing to do with airplanes; their goals
are to cause terror. Blowing up an airplane is just a particular attack
designed to achieve that goal. Airplanes deserve some additional
security because they have catastrophic failure properties: If there's
even a small explosion, everyone on the plane dies. But there's a
diminishing return on investments in airplane security. If the
terrorists switch targets from airplanes to shopping malls, we haven't
really solved the problem.

What that means is that a basic cursory screening is good enough. If I
were investing in security, I would fund significant research into
computer-assisted screening equipment for both checked and carry-on
bags, but wouldn't spend a lot of money on invasive screening
procedures and secondary screening. I would much rather have
well-trained security personnel wandering around the airport, both in
and out of uniform, looking for suspicious actions.

When I travel in Europe, I never have to take my laptop out of its case
or my shoes off my feet. Those governments have had far more experience
with terrorism than the U.S. government, and they know when passenger
screening has reached the point of diminishing returns. (They also
implemented checked-baggage security measures decades before the United
States did -- again recognizing the real threat.)

And if I were investing in security, I would invest in intelligence and
investigation. The best time to combat terrorism is before the
terrorist tries to get on an airplane. The best countermeasures have
value regardless of the nature of the terrorist plot or the particular
terrorist target.

In some ways, if we're relying on airport screeners to prevent
terrorism, it's already too late. After all, we can't keep weapons out
of prisons. How can we ever hope to keep them out of airports?

http://archives.cnn.com/2002/US/03/25/airport.security/
http://www.msnbc.msn.com/id/11863165/
http://www.msnbc.msn.com/id/11878391/

A version of this essay originally appeared on Wired.com.
http://www.wired.com/news/columns/0,70470-0.html


** *** ***** ******* *********** *************

     80 Cameras for 2,400 People



The remote town of Dillingham, Alaska is probably the most watched town
in the country.  There are 80 surveillance cameras for the 2,400
people, which translates to one camera for every 30 people.

The cameras were bought, I assume, because the town couldn't think of
anything else to do with the $202,000 Homeland Security grant they
received.  (One of the problems of giving this money out based on
political agenda, rather than by where the actual threats are.)

But they got the money, and they spent it.  And now they have to
justify the expense.  Here's the movie-plot threat the Dillingham
Police Chief uses to explain why the expense was worthwhile:

"'Russia is about 800 miles that way,' he says, arm extending right.

"'Seattle is about 1,200 miles back that way.' He points behind him.

"'So if I have the math right, we're closer to Russia than we are to
Seattle.'

"Now imagine, he says: What if the bad guys, whoever they are, manage
to obtain a nuclear device in Russia, where some weapons are believed
to be poorly guarded. They put the device in a container and then hire
organized criminals, 'maybe Mafiosi,' to arrange a tramp steamer to
pick it up. The steamer drops off the container at the Dillingham
harbor, complete with forged paperwork to ship it to Seattle. The
container is picked up by a barge.

"'Ten days later,' the chief says, 'the barge pulls into the Port of
Seattle.'

"Thompson pauses for effect.

"'Phoooom,' he says, his hands blooming like a flower."

The first problem with the movie plot is that it's just plain
silly.  But the second problem, which you might have to look back to
notice, is that those 80 cameras will do nothing to stop his imagined
attack.

We are all security consumers.  We spend money, and we expect security
in return.  This expenditure was a waste of money, and as a U.S.
taxpayer, I am pissed that I'm getting such a lousy deal.

http://www.latimes.com/news/nationworld/nation/la-na-secure28mar28,0,2758659,full.story or http://tinyurl.com/ocfan


** *** ***** ******* *********** *************

     Crypto-Gram Reprints



Crypto-Gram is currently in its ninth year of publication.  Back issues
cover a variety of security-related topics, and can all be found on
<http://www.schneier.com/crypto-gram-back.html>.  These are a selection
of articles that appeared in this calendar month in other years.

Mitigating Identity Theft:
http://www.schneier.com/crypto-gram-0504.html#2

Hacking the Papal Election:
http://www.schneier.com/crypto-gram-0504.html#8

National ID Cards:
http://www.schneier.com/crypto-gram-0404.html#1

Stealing an Election:
http://www.schneier.com/crypto-gram-0404.html#4

Automated Denial-of-Service Attacks Using the U.S. Post Office:
http://www.schneier.com/crypto-gram-0304.html#1

National Crime Information Center (NCIC) Database Accuracy:
http://www.schneier.com/crypto-gram-0304.html#7

How to Think About Security:
http://www.schneier.com/crypto-gram-0204.html#1

Is 1028 Bits Enough?:
http://www.schneier.com/crypto-gram-0204.html#3

Liability and Security:
http://www.schneier.com/crypto-gram-0204.html#6

Natural Advantages of Defense: What Military History Can Teach Network
Security, Part 1
http://www.schneier.com/crypto-gram-0104.html#1

UCITA:
http://www.schneier.com/crypto-gram-0004.html#ucita

Cryptography: The Importance of Not Being Different:
http://www.schneier.com/crypto-gram-9904.html#different

Threats Against Smart Cards:
http://www.schneier.com/crypto-gram-9904.html#smartcards

Attacking Certificates with Computer Viruses:
http://www.schneier.com/crypto-gram-9904.html#certificates


** *** ***** ******* *********** *************

     VOIP Encryption



There are basically four ways to eavesdrop on a telephone call.

One, you can listen in on another phone extension. This is the method
preferred by siblings everywhere. If you have the right access, it's
the easiest. While it doesn't work for cell phones, cordless phones are
vulnerable to a variant of this attack: A radio receiver set to the
right frequency can act as another extension.

Two, you can attach some eavesdropping equipment to the wire with a
pair of alligator clips. It takes some expertise, but you can do it
anywhere along the phone line's path -- even outside the home. This
used to be the way the police eavesdropped on your phone line. These
days it's probably most often used by criminals. This method doesn't
work for cell phones, either.

Three, you can eavesdrop at the telephone switch. Modern phone
equipment includes the ability for someone to listen in this way.
Currently, this is the preferred police method. It works for both land
lines and cell phones. You need the right access, but if you can get
it, this is probably the most comfortable way to eavesdrop on a
particular person.

Four, you can tap the main trunk lines, eavesdrop on the microwave or
satellite phone links, etc. It's hard to eavesdrop on one particular
person this way, but it's easy to listen in on a large chunk of
telephone calls. This is the sort of big-budget surveillance that
organizations like the National Security Agency do best. They've even
been known to use submarines to tap undersea phone cables.

That's basically the entire threat model for traditional phone calls.
And when most people think about IP telephony -- voice over internet
protocol, or VOIP -- that's the threat model they probably have in
their heads.

Unfortunately, phone calls from your computer are fundamentally
different from phone calls from your telephone. Internet telephony's
threat model is much closer to the threat model for IP-networked
computers than the threat model for telephony.

And we already know the threat model for IP. Data packets can be
eavesdropped on *anywhere* along the transmission path. Data packets
can be intercepted in the corporate network, by the internet service
provider and along the backbone. They can be eavesdropped on by the
people or organizations that own those computers, and they can be
eavesdropped on by anyone who has successfully hacked into those
computers. They can be vacuumed up by nosy hackers, criminals,
competitors and governments.

It's comparable to threat No. 3 above, but with the scope vastly expanded.

My greatest worry is the criminal attacks. We already have seen how
clever criminals have become over the past several years at stealing
account information and personal data. I can imagine them eavesdropping
on attorneys, looking for information with which to blackmail people. I
can imagine them eavesdropping on bankers, looking for inside
information with which to make stock purchases. I can imagine them
stealing account information, hijacking telephone calls, committing
identity theft. On the business side, I can see them engaging in
industrial espionage and stealing trade secrets. In short, I can
imagine them doing all the things they could never have done with the
traditional telephone network.

This is why encryption for VOIP is so important. VOIP calls are
vulnerable to a variety of threats that traditional telephone calls are
not. Encryption is one of the essential security technologies for
computer data, and it will go a long way toward securing VOIP.

The last time this sort of thing came up, the U.S. government tried to
sell us something called "key escrow." Basically, the government likes
the idea of everyone using encryption, as long as it has a copy of the
key. This is an amazingly insecure idea for a number of reasons, mostly
boiling down to the fact that when you provide a means of access into a
security system, you greatly weaken its security.

A recent case in Greece demonstrated that perfectly: Criminals used a
cell-phone eavesdropping mechanism already in place, designed for the
police to listen in on phone calls. Had the call system been designed
to be secure in the first place, there never would have been a backdoor
for the criminals to exploit.

Fortunately, there are many VOIP-encryption products available. Skype
has built-in encryption. Phil Zimmermann is releasing Zfone, an
easy-to-use open-source product. There's even a VOIP Security Alliance.

Encryption for IP telephony is important, but it's not a panacea.
Basically, it takes care of threats No. 2 through No. 4, but not threat
No. 1. Unfortunately, that's the biggest threat: eavesdropping at the
end points. No amount of IP telephony encryption can prevent a Trojan
or worm on your computer -- or just a hacker who managed to get access
to your machine -- from eavesdropping on your phone calls, just as no
amount of SSL or e-mail encryption can prevent a Trojan on your
computer from eavesdropping -- or even modifying -- your data.

So, as always, it boils down to this: We need secure computers and
secure operating systems even more than we need secure transmission.

Why key escrow is a bad idea:
http://www.schneier.com/paper-key-escrow.html

Greek wiretapping story:
http://www.schneier.com/blog/archives/2006/02/phone_tapping_i.html

Zfone:
http://www.philzimmermann.com/EN/zfone/index.html
http://www.wired.com/news/technology/0,70524-0.html

VOIP Security Alliance:
http://www.voipsa.org/

This essay originally appeared on Wired.com.
http://www.wired.com/news/columns/1,70591-0.html


** *** ***** ******* *********** *************

     Security through Begging



From TechDirt:  "Last summer, the surprising news came out that
Japanese nuclear secrets leaked out, after a contractor was allowed to
connect his personal virus-infested computer to the network at a
nuclear power plant. The contractor had a file sharing app on his
laptop as well, and suddenly nuclear secrets were available to plenty
of kids just trying to download the latest hit single. It's only taken
about nine months for the government to come up with its suggestion on
how to prevent future leaks of this nature: begging all Japanese
citizens not to use file sharing systems -- so that the next time this
happens, there won't be anyone on the network to download such documents."

Even if their begging works, it solves the wrong problem.  Sad.

Article:
http://techdirt.com/articles/20060316/0052241.shtml

Original article:
http://www.techdirt.com/articles/20050623/0251255.shtml

Government suggestion:
http://mdn.mainichi-msn.co.jp/national/news/20060315p2a00m0na017000c.html or http://tinyurl.com/pejx2

Another article:
http://www.latimes.com/news/nationworld/world/la-fg-computer21mar21,0,5159274.story or http://tinyurl.com/fmvlb


** *** ***** ******* *********** *************

     DHS Privacy and Integrity Report



Last year, the Department of Homeland Security finally got around to
appointing its DHS Data Privacy and Integrity Advisory Committee.  It
was mostly made up of industry insiders instead of anyone with any real
privacy experience.  (Lance Hoffman from George Washington University
was the most notable exception.)

And now, we have something from that committee.  On March 7th they
published their Framework for Privacy Analysis of Programs,
Technologies, and Applications.

It's surprisingly good.

I like that it is a series of questions a program manager has to
answer: about the legal basis for the program, its efficacy against the
threat, and its effects on privacy.  I am particularly pleased that
their questions on pages 3-4 are very similar to the "five steps" I
wrote about in Beyond Fear.  I am thrilled that the document takes a
"trade-off" approach; the last question asks: "Should the program
proceed?  Do the benefits of the program...justify the costs to privacy
interests....?"

I think this is a good starting place for any technology or program
with respect to security and privacy.  And I hope the DHS actually
follows the recommendations in this report.

Committee:
http://www.dhs.gov/dhspublic/interapp/editorial/editorial_0512.xml
http://www.dhs.gov/dhspublic/interapp/editorial/editorial_0598.xml

Framework for Privacy Analysis of Programs, Technologies, and Applications:
http://www.privacilla.org/releases/DHS_Privacy_Framework.pdf

My five steps:
http://www.schneier.com/crypto-gram-0204.html#1


** *** ***** ******* *********** *************

     News



Of course RFID chips can carry viruses.  They're just little computers.
http://arstechnica.com/news.ars/post/20060315-6386.html
I thought the attack vector was interesting: a Trojan RFID attacks the
central database, rather than attacking other RFID chips
directly.  Metaphorically, it's a lot closer to biological viruses,
because it actually requires the more powerful host to be subverted,
and there's no way an infected tag can propagate directly to another
tag.  The coverage is more than a tad sensationalist, though.
http://www.computerworld.com/mobiletopics/mobile/story/0,10801,109560,00.html or http://tinyurl.com/mwz88

Movie theaters want to jam cell phones.
http://www.mobiletracker.net/archives/2006/03/15/movie-theater-jamming
http://www.csmonitor.com/2006/0324/p11s01-almo.html

Massive surveillance in an online gaming world.
http://terranova.blogs.com/terra_nova/2006/03/confessions_of_.html

Yossi Oren and Adi Shamir have written a paper describing a power
analysis attack against RFID tags.  This is great work.  From the
abstract: "Power Analysis of RFID Tags:  Compared to
standard power analysis attacks, this attack is unique in that it
requires no physical contact with the device under attack. While the
specific attack described here requires the attacker to actually
transmit data to the tag under attack, the power analysis part itself
requires only a receive antenna. This means that a variant of this
attack can be devised such that the attacker is completely passive
while it is acquiring the data, making the attack very hard to
detect."  My prediction of the industry's response: downplay the
results and pretend it's not a problem.
http://www.wisdom.weizmann.ac.il/%7Eyossio/rfid/

The 3rd Annual Nigerian E-mail Conference.  Funny.
http://j-walk.com/other/conf/index.htm

The chairman of Qantas was stopped at airport security.  She had
airplane blueprints.  Oh, and she was a woman -- which cast immediate
suspicion on her story.
http://www.aero-news.net/Community/DiscussTopic.cfm?TopicID=2648&Refresh=1

Really good article by a reporter who has been covering improvised
explosive devices in Iraq:
http://www.defensetech.org/archives/002238.html

There are some deliberately fake 300, 600, and 1000 euro notes being
made in Germany as an advertisement.  They're being passed as real:
http://www.ananova.com/news/story/sm_1760580.html
This is why security is so hard: people.

Really interesting article by Robert X. Cringely on the lack of federal
funding for security technologies.  I think his analysis is dead on.
http://www.pbs.org/cringely/pulpit/pulpit20060309.html

Australian bank fraud: I really wish this article had more details
about the crime.  Basically, a criminal ring used an authentication
failure with fax transmissions to steal (unsuccessfully, as it turned
out) $150 million Australian dollars.
http://www.smh.com.au/articles/2006/03/17/1142582520870.html

Rare outbreak of security common sense in London.  They're rejecting
passenger screening in their subways.
http://www.kablenet.com/kd.nsf/Frontpage/85C58F53F411521180257132005EF49F?OpenDocument or http://tinyurl.com/nrmpr

Who needs terrorists?  We can cause terror all by ourselves.
http://www.postgazette.com/pg/06081/674773.stm
The story is about a huge security overreaction because some worker in
a downtown building was using a pellet gun to scare pigeons.

"Terrorist with Nuke" movie plot.  It sounds like this New Scientist
writer is trying to write a novel.
http://archinect.com/news/article.php?id=35501_0_24_15_M

Enigma?  I don't know what this is, but it sure looks a lot like an
Enigma.  And it's beautiful.
http://www.tatjavanvark.nl/tvv1/pht10.html

A couple -- living together, I assume -- and engaged to be married
shared a computer.  He used Firefox to visit a bunch of dating sites,
being smart enough not to have the browser save his password.  But
Firefox did save the names of the sites it was told never to save the
password for.  She happened to stumble on this list.  The details are
left to the imagination, but they broke up.
https://bugzilla.mozilla.org/show_bug.cgi?id=330884
Most interesting bug report I've ever read.

Creative Home Engineering can make secret doors and hidden passageways
for your home.  "Pull a favorite book from your library shelf and watch
a cabinet section recess to reveal a hidden passageway.  Twist a
candlestick and your fireplace rotates, granting access to a hidden
room."  Who cares about the security properties?  I want one.
http://www.hiddenpassageway.com/

Encryption using quasars:
http://www.theinquirer.net/?article=30553
http://www.schneier.com/blog/archives/2006/03/quasar_encrypti.html

A hacker working for al Qaeda, called Irhabi 007, has been
captured.  Assuming the British authorities are to be believed, he
definitely was a terrorist.  And he used the Internet, both as a
communication tool and to break into networks.  But this does not make
him a cyberterrorist.
http://www.washingtonpost.com/wp-dyn/content/article/2006/03/25/AR2006032500020.html or http://tinyurl.com/rtlda
http://it.slashdot.org/article.pl?sid=06/03/26/0530206

The police used profiles on MySpace to identify six suspects in a
rape/robbery.
http://www.cnn.com/2006/US/03/25/my.space.ap/index.html

Chameleon weapons: you can't detect them, because they look normal:
http://www.defensetech.org/archives/002265.html

An Economic Analysis of Airport Security Screening.  The authors use
game theory to investigate the optimal screening policy, in a scenario
when there are different social groups (separated by felons, race,
religion, etc.) with different preferences for crime and/or terrorism.
http://www.econ.upenn.edu/~persico/research/Papers/airportaea11.pdf

Cubicle Farms are a Terrorism Risk
The British security service MI5 is warning business leaders that their
offices are probably badly designed against terrorist bombs.  The
common modern office consists of large rooms without internal walls,
which puts employees at greater risk in the event of terrorist bombs.
http://news.scotsman.com/index.cfm?id=419082006

I don't know if this "Internet Hash Project" is an April Fool's Day
joke, but it's funny all the same.
http://www.nethash.org/

Last month the Government Accounting Office released three new reports
on homeland security.
"Cargo Container Inspections: Preliminary Observations on the Status of
Efforts to Improve the Automated Targeting System."
http://www.gao.gov/cgi-bin/getrpt?GAO-06-591T
Highlights: http://www.gao.gov/highlights/d06591thigh.pdf
"Homeland Security: The Status of Strategic Planning in the National
Capital Region."
http://www.gao.gov/cgi-bin/getrpt?GAO-06-559T
Highlights: http://www.gao.gov/highlights/d06559thigh.pdf
"Homeland Security: Progress Continues, but Challenges Remain on
Department's Management of Information Technology."
http://www.gao.gov/cgi-bin/getrpt?GAO-06-598T
Highlights: http://www.gao.gov/highlights/d06598thigh.pdf

It's a really clever idea: bolts and latches that fasten and unfasten
in response to remote computer commands.  But the security comment is
funny: "But everything is locked down with codes, and the radio signals
are scrambled, so this is fully secured against hackers."  Clearly this
guy knows nothing about computer security.
http://www.chicagotribune.com/business/chi-0603300225mar30,1,7805363.story or http://tinyurl.com/rtoxc
http://it.slashdot.org/article.pl?sid=06/04/03/0624225

Interesting paper on phishing, and why it works.
http://www.deas.harvard.edu/~rachna/papers/why_phishing_works.pdf

Undercover investigators were able to smuggle radioactive materials
into the U.S.  It set off alarms at border checkpoints, but the
smugglers had forged import licenses from the Nuclear Regulatory
Commission, based on an image of the real document they found on the
Internet.  Unfortunately, the border agents had no way to confirm the
validity of import licenses.  I've written about this problem before,
and it's one I think will get worse in the future.  Verification
systems are often the weakest link of authentication.  Improving
authentication tokens won't improve security unless the verification
systems improve as well.
http://www-tech.mit.edu/V125/N1/long4_1.1w.html
http://www.schneier.com/blog/archives/2006/01/forged_credenti.html

Security applications of time-reversed acoustics.  I simply don't have
the science to evaluate this.
http://www.physorg.com/news12093.html

Iowa lawmakers are proposing "I'm Not the Criminal You're Looking For"
card, for victims of identity theft.  I think it's a great idea, and it
reminds me of something I wrote about in Beyond Fear:  "In Singapore,
some names are so common that the police issue
He's-not-the-guy-we're-looking-for documents exonerating innocent
people with the same names as wanted criminals."  It's not perfect.  Of
course it will be forged; all documents are forged.  But it's still a
good idea.
http://news.com.com/Iowa+proposes+ID+theft+passport/2100-7348_3-6052308.html or http://tinyurl.com/qq8dj

Good information from EPIC on the security of tax data in the IRS.
http://www.epic.org/privacy/surveillance/spotlight/0306/

A man in the UK was detained for singing along with a Clash
song.  Basically, his taxi driver turned him in.
http://today.reuters.co.uk/news/newsArticle.aspx?type=entertainmentNews&storyID=2006-04-05T134826Z_01_L05785309_RTRUKOC_0_UK-CLASH.xml or http://tinyurl.com/e6nr6
http://news.bbc.co.uk/1/hi/england/4879918.stm
I was in New York earlier this month, and I saw a sign at the entrance
to the Midtown Tunnel that said: "See something?  Say something."  The
problem with a nation of amateur spies is that it results in these
sorts of results.  "I know he's a terrorist because he's dressing funny
and he always has white wires hanging out of his pocket."  "They all
talk in a funny language and their cooking smells bad."  Amateur spies
perform amateur spying.  If everybody does it, the false alarms will
overwhelm the police.

You've all heard of the "No Fly List."  Did you know that there's a
"No-Buy List" as well?
http://www.washingtonpost.com/wp-dyn/content/article/2006/04/08/AR2006040800157.html or http://tinyurl.com/ofz2y
The list:
http://www.ustreas.gov/offices/enforcement/ofac/sdn/t11sdn.pdf

Last week the San Francisco Chronicle broke the story that Air Force
One's defenses were exposed on a public Internet site:
http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2006/04/08/MNGESI5U6C1.
DTL&hw=Air+Force+One&sn=002&sc=217 or http://tinyurl.com/pbro5
http://www.sfgate.com/cgi-bin/article.cgi?file=/c/a/2006/04/11/MNGK3I7A6
41.DTL or http://tinyurl.com/r46g7
Despite all the breathless reporting, turns out this is no big deal:
http://www.defensetech.org/archives/002315.html
The Air Force removed the document, but I'm not sure it didn't do more
harm than good.
Another news report:
http://www.upi.com/NewsTrack/view.php?StoryID=20060411-013024-5870r
Several conservative blogs criticized the Chronicle for publishing
this, because it gives the terrorists more information.  I think they
should be criticized for publishing this, because there's no story here.
Much of the document is here.
http://cryptome.org/af1-rescue.htm

Stolen military goods are being sold in the markets in Afghanistan,
including hard drives filled with classified data.
http://www.latimes.com/news/nationworld/world/la-fg-disks10apr10,0,58549
05,full.story or http://tinyurl.com/nhzgz
http://www.npr.org/templates/story/story.php?storyId=5338506

What if your vendor won't sell you a security upgrade?  Good article:
http://www.networkworld.com/columnists/2006/041006snyder.html

Really nice social engineering example. Watch an escaped convict
convince a police officer he's not that guy. Note his repeated efforts
to ensure that if he's stopped again, he can rely on the cop to vouch
for him.
http://www.salon.com/ent/video_dog/media/2006/04/10/escaped_murderer/ind
ex.html or http://tinyurl.com/nv6u2

Interesting technical details about NSA's warrantless surveillance, and
AT&T's help:
http://www.wired.com/news/technology/1,70619-0.html
http://dailykos.com/storyonly/2006/4/8/14724/28476/
http://amygdalagf.blogspot.com/2006/04/hepting-vs.html


** *** ***** ******* *********** *************

     KittenAuth



You've all seen CAPTCHAs.  Those are the distorted pictures of
letters and numbers you sometimes see on web forms.  The idea is that
it's hard for computers to identify the characters, but easy for people
to do.  The goal of CAPTCHAs is to authenticate that there's a person
sitting in front of the computer.

KittenAuth works with images.  The system shows you nine pictures of
cute little animals, and the person authenticates himself by clicking
on the three kittens.  A computer clicking at random has only a 1 in 84
chance of guessing correctly.

Of course you could increase the security by adding more images or
requiring the person to choose more images.  Another worry -- which I
didn't see mentioned -- is that the computer could simply learn a
static database.  If there are only a small fixed number of actual
kitten pictures, a person could tell the computer, once, which ones
are kittens.  From then on, whenever the computer sees one of those
images again, it knows it's a kitten, and the test no longer needs a
human at all.

Still, it's an interesting idea that warrants more research.
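
The two points above -- the 1-in-84 odds for random clicking, and the
static-database problem -- in working code.  This is an added example,
not KittenAuth's own code: the server, the image pool (short byte
strings standing in for photos), the bot, and the exact-bytes SHA-256
lookup are all assumptions made for illustration.  The bot asks a person
to label every image it hasn't seen before; once the whole pool has been
labelled, it solves every challenge unaided, which is the attack the
paragraph describes.

```python
import hashlib
import random
from fractions import Fraction
from math import comb
from typing import Dict, List, Optional


def random_guess_odds(shown: int, required: int) -> Fraction:
    """Chance that a bot clicking `required` of `shown` images at random picks
    exactly the right set: one over the number of possible subsets (C(9,3) = 84)."""
    return Fraction(1, comb(shown, required))


def image_key(image: bytes) -> str:
    """Lookup key for an image.  Exact-bytes hashing is an assumption of this
    example; a real bot would use a perceptual hash so re-encoding does not help."""
    return hashlib.sha256(image).hexdigest()


class KittenAuth:
    """Toy server in the spirit of KittenAuth.  Assumption under test: the pool
    of images is small and never changes."""

    def __init__(self, n_kittens: int, n_others: int, rng: random.Random):
        # Constructed stand-ins for image files: one unique byte string per "photo".
        self.kittens = [f"kitten-{i}.jpg".encode() for i in range(n_kittens)]
        self.others = [f"puppy-{i}.jpg".encode() for i in range(n_others)]
        self._kitten_keys = {image_key(k) for k in self.kittens}
        self.rng = rng

    def challenge(self, shown: int = 9, required: int = 3) -> List[bytes]:
        images = self.rng.sample(self.kittens, required)
        images += self.rng.sample(self.others, shown - required)
        self.rng.shuffle(images)
        return images

    def is_kitten(self, image: bytes) -> bool:
        """Ground truth; in the simulation this stands in for the human labeller."""
        return image_key(image) in self._kitten_keys

    def verify(self, images: List[bytes], picks: List[bytes]) -> bool:
        expected = {image_key(i) for i in images if self.is_kitten(i)}
        return {image_key(p) for p in picks} == expected


class LabellingBot:
    """Remembers human-supplied labels.  Each image is explained to it once."""

    def __init__(self) -> None:
        self.labels: Dict[str, bool] = {}  # image key -> is it a kitten?

    def solve(self, images: List[bytes]) -> Optional[List[bytes]]:
        if any(image_key(i) not in self.labels for i in images):
            return None  # something unfamiliar on screen: needs a person
        return [i for i in images if self.labels[image_key(i)]]

    def learn(self, images: List[bytes], is_kitten: List[bool]) -> None:
        for image, label in zip(images, is_kitten):
            self.labels[image_key(image)] = label


def run(server: KittenAuth, bot: LabellingBot, rounds: int) -> Dict[str, int]:
    """Play `rounds` challenges.  The person is consulted only when the bot sees
    an image nobody has labelled for it yet."""
    stats = {"unaided_solves": 0, "oracle_calls": 0}
    for _ in range(rounds):
        images = server.challenge()
        picks = bot.solve(images)
        if picks is None:
            bot.learn(images, [server.is_kitten(i) for i in images])
            picks = bot.solve(images)
            stats["oracle_calls"] += 1
        else:
            stats["unaided_solves"] += 1
        assert server.verify(images, picks)
    stats["known_images"] = len(bot.labels)
    return stats


def demo(n_kittens: int = 5, n_others: int = 10, rounds: int = 300, seed: int = 1) -> Dict[str, int]:
    """Small fixed pool: after a handful of human labels the bot needs no human at all."""
    return run(KittenAuth(n_kittens, n_others, random.Random(seed)), LabellingBot(), rounds)


if __name__ == "__main__":
    print("random guess, 3 of 9: 1 in", 1 / random_guess_odds(9, 3))
    print(demo())
```

The numbers to watch are "oracle_calls" against "unaided_solves": with
a pool of fifteen images the person is needed for only the first few
rounds.  Enlarging the pool raises that cost linearly, but any fixed
pool is eventually exhausted; the defence is rotating or generating
images, not adding more of the same ones.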

KittenAuth:
http://www.thepcspy.com/articles/security/the_cutest_humantest_kittenaut
h or http://tinyurl.com/o2585

CAPTCHAs:
http://en.wikipedia.org/wiki/Captcha


** *** ***** ******* *********** *************

     Terrorism Risks of Google Earth



Sometimes I wonder about "security experts."  Here's one who thinks
Google Earth is a terrorism risk because it allows people to learn the
GPS coordinates of soccer stadiums.

Basically, Klaus Dieter Matschke is worried because Google Earth
provides the location of buildings within 20 meters, whereas before
coordinates had an error range of one kilometer.  He's worried that
this information will provide terrorists with the exact target
coordinates for missile attacks.

I have no idea how anyone could print this drivel.  Anyone can attend a
football game with a GPS receiver in his pocket and get the coordinates
down to one meter.  Or buy a map.

Google Earth is not the problem; the problem is the availability of
short-range missiles on the black market.

http://www.heise.de/newsticker/meldung/71784

English blog entry on the topic:
http://www.ministryofpropaganda.co.uk/2006propaganda/20060409-googleeart
h.shtml or http://tinyurl.com/lpay3


** *** ***** ******* *********** *************

     New Kind of Door Lock



There's a new kind of door lock from the Israeli company E-Lock.  It
responds to sound.  Instead of carrying a key, you carry a small device
that makes a series of quick knocking sounds.  Just touching it to the
door causes the door to open; there's no keyhole.  The device, called a
"KnocKey," has a keypad and can be programmed to require a PIN before
operation -- for even greater security.

Clever idea, but there's the usual security hyperbole: "Since there is
no keyhole or contact point on the door, this unique mechanism offers a
significantly higher level of security than existing technology."

More accurate would be to say that the security vulnerabilities are
different from existing technology.  We know a lot about the
vulnerabilities of conventional locks, but we know very little about
the security of this system.  But don't confuse this lack of knowledge
with increased security.

http://www.elock.co.il/tech-english.asp


** *** ***** ******* *********** *************

     Counterpane News



Bruce Schneier is speaking at the Symposium on Business Information
Security, on April 21 in Minneapolis:
https://www.minneapolis.edu/sobis/files_pdf/SoBIS2006-Flyer.pdf

Bruce Schneier is speaking at CardTech/SecureTech, on May 3rd, in San
Francisco.
http://www.ctst.com/conferences/CTST06/

Bruce Schneier and Toby Weir-Jones spoke at the InfoWorld Webcast
entitled Managed Compliance Reporting: Best Practices to Streamline
Device Management & Demonstrate Compliance. Rebroadcast is available.
http://w.on24.com/r.htm?e=21082&s=1&k=9A69DBFE212400FB9B547D40A596F856&p
artnerref=CIS1 or http://tinyurl.com/lzxab

Counterpane is hiring.  Among other things, we're looking for a
database and systems analyst, a senior Java software engineer, and a
SOC intelligence officer.
http://www.counterpane.com/jobs.html


** *** ***** ******* *********** *************

     Evading Copyright Through XOR



Monolith is an open-source program that can XOR two files together to
create a third file, and -- of course -- can XOR that third file with
one of the original two to create the other original file.

The website wonders about the copyright implications of all of
this:  "Things get interesting when you apply Monolith to copyrighted
files. For example, munging two copyrighted files will produce a
completely new file that, in most cases, contains no information from
either file. In other words, the resulting Mono file is not "owned" by
the original copyright holders (if owned at all, it would be owned by
the person who did the munging). Given that the Mono file can be
combined with either of the original, copyrighted files to reconstruct
the other copyrighted file, this lack of Mono ownership may be seem
hard to believe."

The website then postulates this as a mechanism to get around copyright
law:

"What does this mean? This means that Mono files can be freely
distributed.

"So what? Mono files are useless without their corresponding Basis
files, right? And the Basis files are copyrighted too, so they cannot
be freely distributed, right? There is one more twist to this idea.
What happens when we use Basis files that are freely distributable? For
example, we could use a Basis file that is in the public domain or one
that is licensed for free distribution. Now we are getting somewhere.

"None of the aforementioned properties of Mono files change when we use
freely distributable Basis files, since the same arguments hold. Mono
files are still not copyrighted by the people who hold the copyrights
over the corresponding Element files. Now we can freely distribute Mono
files and Basis files.

"Interesting? Not really. But what you can do with these files, in the
privacy of your own home, might be interesting, depending on your
proclivities. For example, you can use the Mono files and the Basis
files to reconstruct the Element files."

Clever, but it won't hold up in court.  In general, technical hair
splitting is not an effective way to get around the law.  My guess is
that anyone who distributes that third file -- they call it a "Mono"
file -- along with instructions on how to recover the copyrighted file
is going to be found guilty of copyright violation.

The correct way to solve this problem is through law, not technology.
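
The XOR relationship the site describes, as an added example that is
not Monolith's code and not part of the original essay.  The two sample
"files" are constructed strings of equal length, and cycling a shorter
basis is this example's convention, not Monolith's file format.  It also
shows a cryptographic caveat the site's "contains no information from
either file" claim glosses over: that holds only when one input is
uniformly random (a one-time pad).  XORing two structured files is the
classic two-time pad, and crib-dragging a guessed phrase from one file
across the Mono file reads out the matching stretch of the other.

```python
from typing import Dict, List, Tuple


def munge(element: bytes, basis: bytes) -> bytes:
    """XOR `element` against `basis`, cycling the basis if it is shorter
    (cycling is this example's assumption, not Monolith's own convention)."""
    if not basis:
        raise ValueError("basis must not be empty")
    return bytes(e ^ basis[i % len(basis)] for i, e in enumerate(element))


def demunge(mono: bytes, basis: bytes) -> bytes:
    """XOR is its own inverse: Mono XOR Basis gives back the Element."""
    return munge(mono, basis)


def crib_drag(mono: bytes, crib: bytes) -> List[Tuple[int, bytes]]:
    """Two-time-pad attack on a Mono file built from two structured files.
    Slide a guessed fragment of one file across the Mono file; wherever the
    XOR yields printable text, the guess has probably exposed the other file."""
    hits = []
    for offset in range(len(mono) - len(crib) + 1):
        window = bytes(m ^ c for m, c in zip(mono[offset:offset + len(crib)], crib))
        if all(32 <= b < 127 for b in window):
            hits.append((offset, window))
    return hits


# Constructed sample "files" of equal length, standing in for two copyrighted works.
ELEMENT_A = b"the quick brown fox jumps over the lazy dog"
ELEMENT_B = b"pack my box with five dozen liquor jugs now"


def demo() -> Dict[str, object]:
    mono = munge(ELEMENT_A, ELEMENT_B)
    return {
        "mono": mono,
        # Anyone holding Mono plus either file trivially has the other.
        "a_from_mono_and_b": demunge(mono, ELEMENT_B),
        "b_from_mono_and_a": demunge(mono, ELEMENT_A),
        # An attacker holding only Mono, guessing a phrase that appears in A,
        # sees B's text at the same offset: (20, b"e dozen li") is among the hits.
        "crib_hits": crib_drag(mono, b"jumps over"),
    }


if __name__ == "__main__":
    out = demo()
    print(out["mono"].hex())
    print(out["a_from_mono_and_b"], out["b_from_mono_and_a"])
    for offset, text in out["crib_hits"]:
        print(offset, text)
```

Many offsets produce printable windows by chance, which is why crib
dragging is normally combined with a language model or a dictionary;
the point here is only that the Mono file is far from information-free
when both inputs are ordinary files.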

http://monolith.sourceforge.net/


** *** ***** ******* *********** *************

     iJacking



It's called iJacking: grabbing laptops out of their owners' hands and
then running away.  There seems to be a wave of this type of crime at
Internet cafes in San Francisco.

It's obvious why these thefts are occurring.  Laptops are valuable,
easy to steal, and easy to fence.  If we want to "solve" this problem,
we need to modify at least one of those characteristics.  Some Internet
cafes are providing locking cables for their patrons, in an attempt to
make them harder to steal.  But that will only mean that the muggers
will follow their victims out of the cafes.  Laptops will become less
valuable over time, but that really isn't a good solution.  The only
thing left is to make them harder to fence.

This isn't an easy problem.  There are a bunch of companies that make
solutions that help people recover stolen laptops.  There are programs
that "phone home" if a laptop is stolen.  There are programs that hide
a serial number on the hard drive somewhere.  There are non-removable
tags users can affix to their computers with ID information.  But until
this kind of thing becomes common, the crimes will continue.

Reminds me of the problem of bicycle thefts.

http://www.sfbg.com/40/25/news_ijacked.html


** *** ***** ******* *********** *************

     Security Screening for New York Helicopters



There's a helicopter shuttle that runs from Lower Manhattan to Kennedy
Airport.  It's basically a luxury item:  for $139 you can avoid the
drive to the airport.  But, of course, security screeners are required
for passengers, and that's causing some concern:

"At the request of U.S. Helicopter's executives, the federal
Transportation Security Administration set up a checkpoint, with X-ray
and bomb-detection machines, to screen passengers and their luggage at
the heliport.

"The security agency is spending $560,000 this year to operate the
checkpoint with a staff of eight screeners and is considering adding a
checkpoint at the heliport at the east end of 34th Street. The agency's
involvement has drawn criticism from some elected officials.

"'The bottom line here is that there are not enough screeners to go
around,' said Senator Charles E. Schumer, Democrat of New York. 'The
fact that we are taking screeners that are needed at airports to
satisfy a luxury market on the government's dime is a problem.'"

This is not a security problem; it's an economics problem.  And it's a
good illustration of the concept of "externalities."  An externality is
an effect of a decision not borne by the decision-maker.  In this
example, U.S. Helicopter made a business decision to offer this service
at a certain price.  And customers will make a decision about whether
or not the service is worth the money.  But there is more to the cost
than the $139.  The cost of that checkpoint is an externality to both
U.S. Helicopter and its customers, because the $560,000 spent on the
security checkpoint is paid for by taxpayers.  Taxpayers are
effectively subsidizing the true cost of the helicopter trip.

The only way to solve this is for the government to bill the airline
passengers for the cost of security screening.  It wouldn't be much per
ticket, maybe $15.  And it would be much less at major airports,
because the economies of scale are so much greater.

The article even points out that customers would gladly pay the extra
$15 because of another externality: the people who decide whether or
not to take the helicopter trip are not the people actually paying for it.

"Bobby Weiss, a self-employed stock trader and real estate broker who
was U.S. Helicopter's first paying customer yesterday, said he would
pay $300 for a round trip to Kennedy, and he expected most corporate
executives would, too.

"'It's $300, but so what? It goes on the expense account,' said Mr.
Weiss, adding that he had no qualms about the diversion of federal
resources to smooth the path of highfliers. 'Maybe a richer guy may
save a little time at the expense of a poorer guy who spends a little
more time in line.'"

What Mr. Weiss is saying is that the costs -- both the direct cost and
the cost of the security checkpoint -- are externalities to him, so he
really doesn't care.  Exactly.

http://www.nytimes.com/2006/02/06/nyregion/06chopper.html?ex=1296882000&
en=1e835454a0fea1c9&ei=5088&partner=rssnyt&emc=rss or
http://tinyurl.com/lebvf


** *** ***** ******* *********** *************

     Comments from Readers



There are hundreds of comments -- many of them interesting -- on these
topics on my blog.  Search for the story you want to comment on, and
join in.

http://www.schneier.com/blog


** *** ***** ******* *********** *************

CRYPTO-GRAM is a free monthly newsletter providing summaries, analyses,
insights, and commentaries on security: computer and otherwise.  You
can subscribe, unsubscribe, or change your address on the Web at
<http://www.schneier.com/crypto-gram.html>.  Back issues are also
available at that URL.

Comments on CRYPTO-GRAM should be sent to
schneier at counterpane.com.  Permission to print comments is assumed
unless otherwise stated.  Comments may be edited for length and clarity.

Please feel free to forward CRYPTO-GRAM to colleagues and friends who
will find it valuable.  Permission is granted to reprint CRYPTO-GRAM,
as long as it is reprinted in its entirety.

CRYPTO-GRAM is written by Bruce Schneier.  Schneier is the author of
the best sellers "Beyond Fear," "Secrets and Lies," and "Applied
Cryptography," and an inventor of the Blowfish and Twofish
algorithms.  He is founder and CTO of Counterpane Internet Security
Inc., and is a member of the Advisory Board of the Electronic Privacy
Information Center (EPIC).  He is a frequent writer and lecturer on
security topics.  See <http://www.schneier.com>.

Counterpane is the world's leading protector of networked information -
the inventor of outsourced security monitoring and the foremost
authority on effective mitigation of emerging IT threats. Counterpane
protects networks for Fortune 1000 companies and governments
world-wide.  See <http://www.counterpane.com>.

Crypto-Gram is a personal newsletter.  Opinions expressed are not
necessarily those of Counterpane Internet Security, Inc.

Copyright (c) 2006 by Bruce Schneier.

----- End forwarded message -----
--
Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820            http://www.ativel.com
8B29F6BE: 099D 78BA 2FD3 B014 B08A  7779 75B0 2443 8B29 F6BE
