
Subject: [CSL]: CRYPTO-GRAM, June 15, 2006
From: J Armitage <[log in to unmask]>
Reply-To: Interdisciplinary academic study of Cyber Society <[log in to unmask]>
Date: Thu, 15 Jun 2006 12:00:51 +0100
Content-Type: text/plain
Parts/Attachments: text/plain (943 lines)

-----Original Message-----
From: Bruce Schneier [mailto:[log in to unmask]]
Sent: 15 June 2006 08:08
To: [log in to unmask]
Subject: CRYPTO-GRAM, June 15, 2006

                  CRYPTO-GRAM

                 June 15, 2006

               by Bruce Schneier
                Founder and CTO
       Counterpane Internet Security, Inc.
            [log in to unmask]
             http://www.schneier.com
            http://www.counterpane.com


A free monthly newsletter providing summaries, analyses, insights, and
commentaries on security: computer and otherwise.

For back issues, or to subscribe, visit
<http://www.schneier.com/crypto-gram.html>.

You can read this issue on the web at
<http://www.schneier.com/crypto-gram-0606.html>. These same essays appear
in the "Schneier on Security" blog:
<http://www.schneier.com/blog>. An RSS feed is available.


** *** ***** ******* *********** *************

In this issue:
      The Value of Privacy
      Movie-Plot Threat Contest Winner
      Crypto-Gram Reprints
      Diebold Doesn't Understand the Security Threat
      News
      Hacking Computers Over USB
      The Doghouse: KRYPTO 2.0
      Counterpane News
      Aligning Interest with Capability
      Comments from Readers


** *** ***** ******* *********** *************

      The Value of Privacy



Last month, revelation of yet another NSA surveillance effort against the
American people rekindled the privacy debate. Those in favor of these
programs have trotted out the same rhetorical question we hear every time
privacy advocates oppose ID checks, video cameras, massive databases, data
mining, and other wholesale surveillance measures: "If you aren't doing
anything wrong, what do you have to hide?"

Some clever answers: "If I'm not doing anything wrong, then you have no
cause to watch me." "Because the government gets to define what's wrong, and
they keep changing the definition." "Because you might do something wrong
with my information." My problem with quips like these
-- as right as they are -- is that they accept the premise that privacy is
about hiding a wrong. It's not. Privacy is an inherent human right, and a
requirement for maintaining the human condition with dignity and respect.

Two proverbs say it best: "Quis custodiet ipsos custodes?" ("Who watches the
watchers?") and "Absolute power corrupts absolutely."

Cardinal Richelieu understood the value of surveillance when he famously
said, "If one would give me six lines written by the hand of the most honest
man, I would find something in them to have him hanged." Watch someone long
enough, and you'll find something to arrest
-- or just blackmail -- him with. Privacy is important because without it,
surveillance information will be abused: to peep, to sell to marketers, and
to spy on political enemies -- whoever they happen to be at the time.

Privacy protects us from abuses by those in power, even if we're doing
nothing wrong at the time of surveillance.

We do nothing wrong when we make love or go to the bathroom. We are not
deliberately hiding anything when we seek out private places for reflection
or conversation. We keep private journals, sing in the privacy of the
shower, and write letters to secret lovers and then burn them. Privacy is a
basic human need.

A future in which privacy would face constant assault was so alien to the
framers of the Constitution that it never occurred to them to call out
privacy as an explicit right. Privacy was inherent to the nobility of their
being and their cause. Of course being watched in your own home was
unreasonable. Watching at all was an act so unseemly as to be inconceivable
among gentlemen in their day. You watched convicted criminals, not free
citizens. You ruled your own home. It's intrinsic to the concept of liberty.

For if we are observed in all matters, we are constantly under threat of
correction, judgment, criticism, even plagiarism of our own uniqueness. We
become children, fettered under watchful eyes, constantly fearful that --
either now or in the uncertain future -- patterns we leave behind will be
brought back to implicate us, by whatever authority has now become focused
upon our once-private and innocent acts. We lose our individuality, because
everything we do is observable and recordable.

How many of us have paused during conversations in the past four-and-a-half
years, suddenly aware that we might be eavesdropped on?
Probably it was a phone conversation, although maybe it was an e-mail or
instant message exchange or a conversation in a public place. Maybe the
topic was terrorism, or politics, or Islam. We stop suddenly, momentarily
afraid that our words might be taken out of context, then we laugh at our
paranoia and go on. But our demeanor has changed, and our words are subtly
altered.

This is the loss of freedom we face when our privacy is taken from us.
This was life in the former East Germany, or life in Saddam Hussein's Iraq.
And it's our future as we allow an ever-intrusive eye into our personal,
private lives.

Too many wrongly characterize the debate as "security versus privacy."
The real choice is liberty versus control. Tyranny, whether it arises under
threat of foreign physical attack or under constant domestic authoritative
scrutiny, is still tyranny. Liberty requires security without intrusion,
security plus privacy. Widespread police surveillance is the very definition
of a police state. And that's why we should champion privacy even when we
have nothing to hide.

A version of this essay originally appeared on Wired.com.
http://www.wired.com/news/columns/0,70886-0.html

Daniel Solove comments:
http://www.concurringopinions.com/archives/2006/05/is_there_a_good.html
or http://tinyurl.com/nmj3u


** *** ***** ******* *********** *************

      Movie-Plot Threat Contest Winner



I can tell you one thing, you guys are really imaginative. The
response to my Movie-Plot Threat Contest was more than I could imagine:
892 comments. I printed them all out -- 195 pages, double sided -- and
spiral bound them, so I could read them more easily. The cover read:
"The Big Book of Terrorist Plots." I tried not to wave it around too
much in airports.

I almost didn't want to pick a winner, because the real point is the
enormous list of them all. And because it's hard to choose. But after
careful deliberation, the winning entry is by Tom Grant. Although
planes filled with explosives are already a cliché, destroying the Grand
Coulee Dam is inspired. Here it is:

"Mission: Terrorize Americans. Neutralize American economy, make
America feel completely vulnerable, and all Americans unsafe.

"Scene 1: A rented van drives from Spokane, WA, to a remote setting in
Idaho and loads up with shoulder-mounted rocket launchers and a couple
of people dressed in fatigues.

"Scene 2: Terrorists dressed in 'delivery man' garb take over the UPS
cargo depot at the Spokane, WA, airport. A van full of explosives is
unloaded at the depot.

"Scene 3: Terrorists dressed in 'delivery man' garb take over the UPS
cargo depot at the Kamloops, BC, airport. A van full of explosives is
unloaded at the depot.

"Scene 4: A van with mercenaries drives through the Idaho forests en
route to an unknown destination. Receives cell communiqué that
locations Alpha and Bravo are secured.

"Scene 5: UPS cargo plane lands in Kamloops and is met at the depot by
terrorists who overtake the plane and its crew. Explosives are loaded
aboard the aircraft. The same scene plays out in Spokane moments
later, and that plane is loaded with explosives. Two pilots board
each of the cargo planes and ask for takeoff instructions as night
falls across the West.

"Scene 6: Two cargo jets go airborne from two separate locations. A
van with four terrorists arrives at its destination, parked on an
overlook ridge just after nightfall. They use infrared glasses to scope
the target. The camera pans down and away from the van, exposing the
target. Grand Coulee Dam. The cell phone rings and notification comes
to the leader that 'Nighthawks alpha and bravo have launched.'

"Scene 7: Two radar operators in separate locations note with alarm
that UPS cargo jets they have been tracking have dropped off the radar
and may have crashed. Aboard each craft the pilots have turned off
navigational radios and are flying on 'manual' at low altitude. One
heading South, one heading North.

"Scene 8: Planes are closing in on the 'target' and the rocket
launcher crew goes to work. With precision they strike lookout and
defense positions on the dam, then target the office structures
below. As they finish, a cargo jet approaches from the North at high
velocity, slamming into the back side of the dam just above the
waterline and exploding, shuddering the earth. A large portion of the
center-top of the dam is missing. Within seconds a cargo plane coming
from the South slams into the front face of the dam, closer to the
base, and explodes in a blinding flash, shuddering the earth. In
moments, the dam begins to fail, and a final volley from four rocket
launchers on the hill above helps break open the face of the dam. The
40-mile-long Lake Roosevelt begins to pour down the Columbia River
Valley, uncontrolled. No warning is given to the dams downriver, other
than the generation at G.C. is now offline.

"Scene 9: Through the night, the surging wall of water roars down the
Columbia waterway, overtopping dam after dam and gaining momentum (and
huge amounts of water) along the way. The cities of Wenatchee and
Kennewick are inundated and largely swept away. A van of renegades
retreats to Northern Idaho to hide.

"Scene 10: As day breaks in the West, there is no power from Seattle
to Los Angeles. The Western power grid has failed. Commerce has ground
to a halt west of the Rocky Mountains. Water is sweeping down the
Columbia River gorge, threatening to overtop Bonneville dam and wipe
out the large metro area of Portland, OR.

"Scene 11: Bin Laden releases a video on Al Jazeera that claims
victory over the Americans.

"Scene 12: Pandemonium, as water sweeps into a panicked Portland,
Oregon, washing all away in its path, and surging water well up the
Willamette valley.

"Scene 13: Washington situation room...little input is coming in from
the West. Some military bases have emergency power and sat phones, and
are reporting that the devastation of the dam infrastructure is
complete. Seven major and five minor dams have been destroyed.
Re-powering the West coast will take months, as connections from the
Eastern grid will have to be made through the New Mexico Mountains.

"Scene 14: Worst U.S. market crash in history. America's GNP drops
from the top of the charts to 20th worldwide. Exports and imports cease
on the West coast. Martial law fails to control mass exodus from
Seattle, San Francisco, and L.A. as millions flee to the east. Gas
shortages and vigilante mentality take their toll on the panicked
populace. The West is 'wild' once more. The East is overrun with
millions seeking homes and employment."

Congratulations, Tom. I'm still trying to figure out what you win.

Contest rules and all entries:
http://www.schneier.com/blog/archives/2006/04/announcing_movi.html

Update, including selection criteria:
http://www.schneier.com/blog/archives/2006/04/movie_plot_thre.html

Winning entry:
http://www.schneier.com/blog/archives/2006/04/announcing_movi.html#c54905


** *** ***** ******* *********** *************

      Crypto-Gram Reprints



Crypto-Gram is currently in its ninth year of publication. Back issues
cover a variety of security-related topics, and can all be found on
<http://www.schneier.com/crypto-gram-back.html>. These are a selection
of articles that appeared in this calendar month in other years.

Internet Attack Trends:
http://www.schneier.com/crypto-gram-0506.html#1

U.S. Medical Privacy Law Gutted:
http://www.schneier.com/crypto-gram-0506.html#9

Breaking Iranian Codes:
http://www.schneier.com/crypto-gram-0406.html#1

The Witty Worm:
http://www.schneier.com/crypto-gram-0406.html#9

The Risks Of Cyberterrorism:
http://www.schneier.com/crypto-gram-0306.html#1

Fixing Intelligence Failures:
http://www.schneier.com./crypto-gram-0206.html#1

Honeypots and the Honeynet Project:
http://www.schneier.com/crypto-gram-0106.html#1

Microsoft SOAP:
http://www.schneier.com/crypto-gram-0006.html#SOAP

The Data Encryption Standard (DES):
http://www.schneier.com/crypto-gram-0006.html#DES

The internationalization of cryptography policy:
http://www.schneier.com/crypto-gram-9906.html#policy
and products:
http://www.schneier.com/crypto-gram-9906.html#products

The new breeds of viruses, worms, and other malware:
http://www.schneier.com/crypto-gram-9906.html#viruses

Timing attacks, power analysis, and other "side-channel" attacks
against cryptosystems:
http://www.schneier.com/crypto-gram-9806.html#side


** *** ***** ******* *********** *************

      Diebold Doesn't Understand the Security Threat



This quote sums up nicely why Diebold should not be trusted to secure
election machines:

"David Bear, a spokesman for Diebold Election Systems, said the
potential risk existed because the company's technicians had
intentionally built the machines in such a way that election officials
would be able to update their systems in years ahead.

"'For there to be a problem here, you're basically assuming a premise
where you have some evil and nefarious election officials who would
sneak in and introduce a piece of software,' he said. 'I don't believe
these evil elections people exist.'"

If you can't get the threat model right, you can't hope to secure the
system.

http://www.nytimes.com/2006/05/12/us/12vote.html?ex=1305086400&en=5b3554a76aad524a&ei=5090&partner=rssuserland&emc=rss or http://tinyurl.com/q7p4s


** *** ***** ******* *********** *************

      News



Consumers are willing to trade privacy for convenience:
http://www.computerworld.com.au/pp.php?id=42605808&eid=-180

Two conferences:
The Workshop on Economics and Information Security, on June 26-28 in
Cambridge (England, not Massachusetts).
http://weis2006.econinfosec.org/
The Workshop on the Economics of Securing the Information
Infrastructure, on October 23-24 in Washington, DC.
http://wesii.econinfosec.org/
WEIS is currently my favorite security conference. I think that
economics has a lot to teach computer security, and it is very
interesting to get economists, lawyers, and computer security experts
in the same room talking about issues.

Online student exams. I'm sure this is a good idea, but I wonder when
the first case of cheating-by-rootkit will occur.
http://news.bbc.co.uk/go/rss/-/1/hi/scotland/4962806.stm

Bundesamt für Sicherheit in der Informationstechnik, or Federal Office
for Information Security, or BSI, is Germany's equivalent of the
NSA. They have an English-language website that has a number of
English-language security publications.
http://www.bsi.bund.de/english/publications/index.htm

The National Institute of Standards and Technology has released a
document detailing how federal agencies should manage security
logs: NIST Special Publication 800-92: Guide to Computer Security Log
Management.
http://csrc.nist.gov/publications/drafts/DRAFT-SP800-92.pdf

Really good advice, step by step, on how to survive identity theft:
http://www.consumerist.com/consumer/top/how-to-get-through-having-your-identity-stolen-171194.php or http://tinyurl.com/hqksb

A new report from the GAO: GAO-06-385 -- "The Federal Government Needs
to Establish Policies and Processes for Sharing Terrorism-Related and
Sensitive but Unclassified Information," March 2006, lists 56 different
sensitive but unclassified security designations.
http://www.gao.gov/htext/d06385.html
The list is here:
http://www.schneier.com/blog/archives/2006/05/us_government_s.html
I've already written about SSI (Sensitive Security Information).
http://www.schneier.com/blog/archives/2005/03/sensitive_secur.html

The U.S. Coast Guard solicits Hollywood screenwriters to help them with
movie-plot threats. No, really.
http://www.signonsandiego.com/uniontrib/20060520/news_1n20ships.html
Anyone who's watched Hollywood's output in recent years knows that
screenwriters aren't the most creative bunch of people on the planet.

Smart profiling from the DHS and the TSA: "Select TSA employees will be
trained to identify suspicious individuals who raise red flags by
exhibiting unusual or anxious behavior, which can be as simple as
changes in mannerisms, excessive sweating on a cool day, or changes in
the pitch of a person's voice." About time.
http://www.time.com/time/nation/article/0,8599,1195330,00.html

Russian spammers have been attacking the company Blue Security, and
Blue Security has given up.
http://www.washingtonpost.com/wp-dyn/content/article/2006/05/16/AR2006051601873.html or http://tinyurl.com/kbrwc
http://www.techweb.com/headlines_week/showArticle.jhtml?articleId=187900260 or http://tinyurl.com/p9fb5
http://news.bbc.co.uk/2/hi/technology/4990622.stm
Marcus Ranum on Blue Security's idea:
http://www.ranum.com/security/computer_security/editorials/bluesecurity/index.html or http://tinyurl.com/qrhcf

El Al doesn't trust the TSA, and wants to do security themselves:
http://www.haaretz.com/hasen/spages/714988.html

Great op-ed on why data mining won't find terrorists:
http://www.nytimes.com/2006/05/16/opinion/16farley.html?ex=1305432000&en=64f96c12ae69c068&ei=5088&partner=rssnyt&emc=rss or http://tinyurl.com/nod9s
The author is Jonathan Farley, math professor at Harvard
http://www.math.buffalo.edu/mad/PEEPS/farley_jonathan.html

Winning my award for dumb movie-plot threat of the month, here's
someone who thinks that counterfeit electronics are a terrorist tool.
http://spectrum.ieee.org/may06/3423/boguf4
http://www.cyberdefenseagency.com/news-20060531.php

First runner up for dumb movie-plot threat of the month, here's someone
who thinks that a public aviation tracking system is a "terrorist's dream."
http://dailytelegraph.news.com.au/story/0,20281,19000724-5001028,00.html or http://tinyurl.com/rkytk
Under the present system, a terrorist can locate the position of an
aircraft by looking up. And if a terrorist is smart enough to perform
this intelligence-gathering exercise near an airport, he can locate the
position of aircraft that are low to the ground, and easier to shoot at
with missiles. Why are we worrying about telling terrorists where all
the high-altitude hard-to-hit planes are? Of course, I can invent a
movie plot that has the terrorists needing to shoot down a particular
plane because this or that famous personage is on it, but that's a bit
much.

A clip from the movie "Team America: World Police," was mistaken for an
al Qaeda video at a Congressional committee. Oops.
http://gamepolitics.livejournal.com/285129.html

Ira Winkler on why NSA spying hurts security:
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9000515 or http://tinyurl.com/nkbam

How to cheat at writing papers for class:
http://alex.halavais.net/?p=1427

You too can spy on the Internet, just like the NSA.
http://www.wired.com/news/technology/0,70914-0.html
(And while we're on the topic, you really should read about the
equipment the NSA installed at the AT&T switches. Wow.)
http://blog.wired.com/27BStroke6/att_klein_wired.pdf

This essay makes the case that there is no way to safely report a computer
vulnerability. Whatever you do opens you up to prosecution.
http://www.cerias.purdue.edu/weblogs/pmeunier/policies-law/post-38
Robert Lemos on "Ethics and the Eric McCarty Case."
http://www.robertlemos.com/2006/04/26/ethics-and-the-eric-mccarty-case/
or http://tinyurl.com/s8vyt

A robotic bill of rights:
http://www.schneier.com/blog/archives/2006/05/a_robotic_bill.html

TrueCrypt: On-the-fly encryption with plausible deniability:
http://www.truecrypt.org/

From Charlie Stross: "A report on the state of the National Identity
Register, May 2016." Note the date; it's fiction.
http://www.antipope.org/charlie/blog-static/2006/05/17/#id-card-3

Great quote by Alexander Solzhenitsyn (1968) on data and privacy: "As
every man goes through life he fills in a number of forms for the
record, each containing a number of questions... There are thus
hundreds of little threads radiating from every man, millions of
threads in all. If these threads were suddenly to become visible, the
whole sky would look like a spider's web, and if they materialized as
rubber bands, buses, trams and even people would all lose the ability
to move, and the wind would be unable to carry torn-up newspapers or
autumn leaves along the streets of the city. They are not visible, they
are not material, but every man is constantly aware of their
existence.... Each man, permanently aware of his own invisible threads,
naturally develops a respect for the people who manipulate the threads."

In the long term, corporate data mining efforts are more of a privacy
risk than government data mining efforts. And here's an off-the-shelf
product from IBM:
http://www-306.ibm.com/common/ssi/fcgi-bin/ssialias?subtype=ca&infotype=an&appname=iSource&supplier=649&letternum=ENUSA06-0519 or http://tinyurl.com/q29er

The UK Intelligence and Security Committee has issued a report on the
July 7 terrorist bombings in London:
http://www.cabinetoffice.gov.uk/publications/reports/intelligence/isc_7july_report.pdf or http://tinyurl.com/hazzn
The UK government has issued a response:
http://www.cabinetoffice.gov.uk/publications/reports/intelligence/govres_7july.pdf or http://tinyurl.com/j8q5x
About the Intelligence and Security Committee:
http://www.cabinetoffice.gov.uk/intelligence/index.asp

From a list of 100,000 passwords for a German dating site, we learn
that "123456" works 1.4% of the time and that 2.5% of all passwords
begin with "1234." Interesting.
http://www.heise.de/newsticker/meldung/73396

Bank defends its bad security by saying that everyone else does it, too.
http://blogs.zdnet.com/Ou/?p=226

Interesting essay about how EU law would treat the NSA's collection of
everyone's phone records.
http://www.concurringopinions.com/archives/2006/05/the_nsa_phone_c.html
or http://tinyurl.com/mpv6d

Animated political cartoon on NSA eavesdropping. And a song, too.
http://www.newsday.com/news/opinion/ny-wh-nsawiretapping,0,1906650.flash or http://tinyurl.com/rg57v

You can audit "Welcome to Practical Aspects of Modern Cryptography":
University of Washington, Winter 2006, by Josh Benaloh, Brian
LaMacchia, and John Manferdelli. The course materials and videos of
the lectures are online.
http://www.cs.washington.edu/education/courses/csep590/06wi/
http://www.cs.washington.edu/education/courses/csep590/06wi/lectures/

Fascinating interview with a debit card scammer. Moral: securing this
system isn't going to be easy.
http://smallworldpodcast.com/?p=391

And some comments from a fake ID salesman, in case you thought
hard-to-forge national ID cards would solve the problem:
http://www.cbsnews.com/stories/2006/06/02/ap/national/mainD8I07PHG0.shtml or http://tinyurl.com/rafve

"How to Avoid Going to Jail under 18 U.S.C. Section 1001 for Lying to
Government Agents."
http://library.findlaw.com/2004/May/11/147945.html

Nice article discussing the hype, and reality, over the threat of
homebrew chemical weapons.
http://www.theregister.co.uk/2006/06/04/chemical_bioterror_analysis/

Just hide this gadget in someone's car or briefcase -- or maybe sew it
into his coat -- and then track his every move using GPS. You have to
recover the device to play it back, but presumably the next generation
will be queryable remotely.
http://www.thinkgeek.com/gadgets/security/8212/?cpg=cj

The U.S. government is asking ISPs to save personal data about you, in
case they need access to it.
http://www.latimes.com/technology/la-fi-internet2jun02,0,622125.story?coll=la-home-headlines or http://tinyurl.com/zpzvz
Note that the Justice Department invoked two of the Four Horsemen of
the Internet Apocalypse: child pornographers and terrorists. If they
can figure out how to work kidnappers and drug dealers in, they can
probably do anything they want.

From "Assassination in the United States: An Operational Study of
Recent Assassins, Attackers, and Near-Lethal Approachers," (a 1999
article published in the "Journal of Forensic Sciences"): "Few
attackers or near-lethal approachers possessed the cunning or the
bravado of assassins in popular movies or novels. The reality of
American assassination is much more mundane, more banal than
assassinations depicted on the screen. Neither monsters nor martyrs,
recent American assassins, attackers, and near-lethal approachers
engaged in pre-incident patterns of thinking and behaviour." The quote
is from the last page. The whole thing is interesting reading.
http://www.secretservice.gov/ntac/ntac_jfs.pdf

Interesting law review article by Helen Nissenbaum: "Privacy as
Contextual Integrity."
http://crypto.stanford.edu/portia/papers/RevnissenbaumDTP31.pdf

New directions in chemical warfare: chemicals that make enemy soldiers
sexually irresistible to each other, attract swarms of enraged wasps,
or cause "severe and lasting halitosis":
http://www.newscientist.com/article.ns?id=mg18524823.800
Technology always gets better; it never gets worse. There will be a
time, probably in our lifetimes, when weapons like these will be real.

NSA surveillance cartoon:
http://www.ibiblio.org/Dave/Dr-Fun/df200605/df20060517.jpg

Interesting paper on the security of contactless smartcards:
http://www.chi-publishing.com/samples/ISB0903HH.pdf

Wireless surveillance camera detector:
http://www.brickhousesecurity.com/dd9000.html

Great article comparing the barrier Israel is erecting to protect
itself from the West Bank with the hypothetical barrier the U.S. would
build to protect itself from Mexico: "No wonder the [Israeli] fence is
considered a good deal by those living on its western side. But
applying this model to the U.S.-Mexico border will not be easy. U.S.
citizens will find it hard to justify such tough measures when their
only goal is to stop people coming in for work -- rather than
preventing them from trying to commit murder. And the cost will be more
important. It's much easier to open your wallet when someone is
threatening to blow up your local cafe."
http://www.slate.com/id/2143104/

$1M VoIP scam:
http://www.networkingpipeline.com/news/188702745

NIST has just published "Recommendation for Random Number Generation
Using Deterministic Random Bit Generators."
http://csrc.nist.gov/publications/nistpubs/index.html

The NSA is combing through MySpace:
http://www.newscientisttech.com/article/mg19025556.200-pentagon-sets-its-sights-on-social-networking-websites.html or http://tinyurl.com/fk3z6


** *** ***** ******* *********** *************

      Hacking Computers Over USB



I've previously written about the risks of small portable computing
devices; how more and more data can be stored on them, and then lost or
stolen. But there's another risk: if an attacker can convince you to
plug his USB device into your computer, he can take it over. From CSO
Magazine:

"Plug an iPod or USB stick into a PC running Windows and the device can
literally take over the machine and search for confidential documents,
copy them back to the iPod or USB's internal storage, and hide them as
"deleted" files. Alternatively, the device can simply plant spyware, or
even compromise the operating system. Two features that make this
possible are the Windows AutoRun facility and the ability of
peripherals to use something called direct memory access (DMA). The
first attack vector you can and should plug; the second vector is the
result of a design flaw that's likely to be with us for many years to
come."

The article has the details, but basically you can configure a file on
your USB device to automatically run when it's plugged into a
computer. That file can, of course, do anything you want it to.

Recently I've been seeing more and more written about this attack. The
Spring 2006 issue of 2600 Magazine, for example, contains a short
article called "iPod Sneakiness" (unfortunately, not online). The
author suggests that you can innocently ask someone at an Internet cafe
if you can plug your iPod into his computer to power it up -- and then
steal his passwords and critical files.

And here is an account of someone who used this trick in a penetration test:

"We figured we would try something different by baiting the same
employees that were on high alert. We gathered all the worthless vendor
giveaway thumb drives collected over the years and imprinted them with
our own special piece of software. I had one of my guys write a Trojan
that, when run, would collect passwords, logins and machine-specific
information from the user's computer, and then email the findings back
to us.

"The next hurdle we had was getting the USB drives in the hands of the
credit union's internal users. I made my way to the credit union at
about 6 a.m. to make sure no employees saw us. I then proceeded to
scatter the drives in the parking lot, smoking areas, and other areas
employees frequented.

"Once I seeded the USB drives, I decided to grab some coffee and watch
the employees show up for work. Surveillance of the facility was worth
the time involved. It was really amusing to watch the reaction of the
employees who found a USB drive. You know they plugged them into their
computers the minute they got to their desks.

"I immediately called my guy that wrote the Trojan and asked if
anything was received at his end. Slowly but surely info was being
mailed back to him. I would have loved to be on the inside of the
building watching as people started plugging the USB drives in,
scouring through the planted image files, then unknowingly running our
piece of software."

There is a partial defense. From the first article:

"AutoRun is just a bad idea. People putting CD-ROMs or USB drives into
their computers usually want to see what's on the media, not have
programs automatically run. Fortunately you can turn AutoRun off. A
simple manual approach is to hold down the "Shift" key when a disk or
USB storage device is inserted into the computer. A better way is to
disable the feature entirely by editing the Windows Registry. There are
many instructions for doing this online (just search for 'disable
autorun') or you can download and use Microsoft's TweakUI program,
which is part of the Windows XP PowerToys download. With Windows XP you
can also disable AutoRun for CDs by right-clicking on the CD drive icon
in the Windows explorer, choosing the AutoPlay tab, and then selecting
'Take no action' for each kind of disk that's listed. Unfortunately,
disabling AutoPlay for CDs won't always disable AutoPlay for USB
devices, so the registry hack is the safest course of action."

In the 1990s, the Macintosh operating system had this feature, which
was removed after a virus made use of it in 1998. Microsoft needs to
remove this feature as well.

But it's only a partial defense. In the penetration test, they didn't
use AutoRun. They just created a sufficiently enticing file, and the
people who found the USB drives manually invoked the executable.
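One way to apply the registry approach the quoted article recommends, written here as an added example rather than code from the article or from either of the sources it quotes: a PowerShell script that sets the Explorer policy value NoDriveTypeAutoRun to 0xFF in both the machine and the current-user hive, and a check that reads the value back so an administrator can confirm the setting took. The key path and value name are the standard Windows Explorer policy locations and are this example's assumption; the article itself names no key.

```powershell
# Added example (not from the article): disable Windows AutoRun/AutoPlay via the
# NoDriveTypeAutoRun policy value and verify the result afterwards.
# The key paths and value name below are the standard Explorer policy locations;
# the article only says "edit the Windows Registry", so treat them as this
# example's assumption. Run from an elevated PowerShell session on Windows.

$PolicyPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',  # machine-wide
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'   # current user
)
$ValueName = 'NoDriveTypeAutoRun'
# Bit mask with one bit per drive type; 0xFF sets every bit, so AutoRun is
# disabled for removable drives, CD-ROMs, network drives and everything else.
$AllDrives = 0xFF

function Get-AutoRunState {
    # Report, per hive, the current value and whether it disables every drive type.
    foreach ($path in $PolicyPaths) {
        $current = $null
        if (Test-Path $path) {
            $current = (Get-ItemProperty -Path $path -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
        }
        $disabled = ($null -ne $current) -and (($current -band $AllDrives) -eq $AllDrives)
        $display  = if ($null -eq $current) { 'not set (AutoRun enabled by default)' } else { '0x{0:X2}' -f $current }
        [pscustomobject]@{
            Hive     = $path.Split(':')[0]
            Value    = $display
            Disabled = $disabled
        }
    }
}

function Disable-AutoRun {
    # Create the policy key if it is missing, then write the REG_DWORD value.
    foreach ($path in $PolicyPaths) {
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
        Set-ItemProperty -Path $path -Name $ValueName -Value $AllDrives -Type DWord
    }
}

Write-Host 'Before:'
Get-AutoRunState | Format-Table -AutoSize
Disable-AutoRun
Write-Host 'After:'
Get-AutoRunState | Format-Table -AutoSize
```

The "Before" and "After" tables show whether each hive now disables AutoRun for every drive type; a value that is present but lower than 0xFF still leaves some drive types enabled, which is why the check masks against the full bit pattern rather than testing for any non-zero value. As the text above points out, this blocks only the automatic launch: it does nothing for a user who opens a found drive and runs an executable by hand, so it belongs alongside removable-media controls and user awareness rather than in place of them.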

http://www.csoonline.com/read/050106/ipods.html
http://www.darkreading.com/document.asp?doc_id=95556&WT.svl=column1_1
http://www.darkreading.com/boards/message.asp?msg_id=134658

My previous essay:
http://www.schneier.com/blog/archives/2005/07/risks_of_losing.html


** *** ***** ******* *********** *************

      The Doghouse: KRYPTO 2.0



The website is hysterical:

"Proof of the Krypto security !
Which would be, if one would try one of Krypto coded file unauthorized
to decode.
A coded file with the length of 18033 indications has therefore
according to computation, 256 bits highly 18033 indications =
6,184355814363201353319227173630k+43427
file possibilities. Each file possibility has exactly 18033 indications
byte.
Multiplied by the number of file possibilities then need results in the
memory.
Those are then: 1,1152248840041161000440562362208e+43432 byte.
Those are then: 1,038634110245961789082788150963h+43423 Giga byte data
quantity.
That is a number with 43424 places.
I can surely maintain as much memory place give it in the whole world
not never.
And the head problem now is, which is now the correctly decoded file.
Who it does not know can only say there. That does not know so exactly !
They can code naturally naturally also still successively several
times, even up to
the infinity."

Machine translated (on the website; not by me) from German into
English. My head hurts just trying to read that.

http://kryptochef.net/index2e.htm


** *** ***** ******* *********** *************

      Counterpane News



Schneier is speaking at the FIRST Conference in Baltimore on June 30:
http://www.first.org/conference/2006/

Interview with Bruce Schneier:
http://www.sevendaysvt.com/features/2006/tales-from-the-cryptographer.html

Counterpane announced two pretty cool service agreements:
http://www.counterpane.com/pr-20060605.html

Network World wrote about Counterpane at the Gartner Security Conference:
http://www.networkworld.com/news/2006/060506-gartner-security.html


** *** ***** ******* *********** *************

      Aligning Interest with Capability



Have you ever been to a retail store and seen this sign on the
register: "Your purchase free if you don't get a receipt"? You almost
certainly didn't see it in an expensive or high-end store. You saw it
in a convenience store, or a fast-food restaurant, or maybe a liquor
store. That sign is a security device, and a clever one at that. And
it illustrates a very important rule about security: it works best when
you align interests with capability.

If you're a store owner, one of your security worries is employee
theft. Your employees handle cash all day, and dishonest ones will
pocket some of it for themselves. The history of the cash register is
mostly a history of preventing this kind of theft. Early cash
registers were just boxes with a bell attached. The bell rang when an
employee opened the box, alerting the store owner -- who was presumably
elsewhere in the store -- that an employee was handling money.

The register tape was an important development in security against
employee theft. Every transaction is recorded in write-only media, in
such a way that it's impossible to insert or delete transactions. It's
an audit trail. Using that audit trail, the store owner can count the
cash in the drawer, and compare the amount with the register tape. Any
discrepancies can be docked from the employee's paycheck.

If you're a dishonest employee, you have to keep transactions off the
register. If someone hands you money for an item and walks out, you
can pocket that money without anyone being the wiser. And, in fact,
that's how employees steal cash in retail stores.

What can the store owner do? He can stand there and watch the
employee, of course. But that's not very efficient; the whole point of
having employees is so that the store owner can do other things. The
customer is standing there anyway, but the customer doesn't care one
way or another about a receipt.

So here's what the employer does: he hires the customer. By putting up
a sign saying "Your purchase free if you don't get a receipt," the
employer is getting the customer to guard the employee. The customer
makes sure the employee gives him a receipt, and employee theft is
reduced accordingly.

There is a general rule in security to align interest with
capability. The customer has the capability of watching the employee;
the sign gives him the interest.

In Beyond Fear, I wrote about ATM fraud; you can see the same mechanism
at work:

"When ATM cardholders in the US complained about phantom withdrawals
from their accounts, the courts generally held that the banks had to
prove fraud. Hence, the banks' agenda was to improve security and keep
fraud low, because they paid the costs of any fraud. In the UK, the
reverse was true: The courts generally sided with the banks and assumed
that any attempts to repudiate withdrawals were cardholder fraud, and
the cardholder had to prove otherwise. This caused the banks to have
the opposite agenda; they didn't care about improving security, because
they were content to blame the problems on the customers and send them
to jail for complaining. The result was that in the US, the banks
improved ATM security to forestall additional losses -- most of the fraud
actually was not the cardholder's fault -- while in the UK, the banks
did nothing."

The banks had the capability to improve security. In the US, they also
had the interest. But in the UK, only the customer had the
interest. It wasn't until the UK courts reversed themselves and
aligned interest with capability that ATM security improved.

Computer security is no different. For years I have argued in favor of
software liabilities. Software vendors are in the best position to
improve software security; they have the capability. But,
unfortunately, they don't have much interest. Features, schedule, and
profitability are far more important. Software liabilities will change
that. They'll align interest with capability, and they'll improve
software security.

One last story. In Italy, tax fraud used to be a national hobby. (It
may still be; I don't know.) The government was tired of retail stores
not reporting sales and paying taxes, so they passed a law regulating
the customers. Any customer having just purchased an item and stopped
within a certain distance of a retail store, had to produce a receipt
or they would be fined. Just as in the "Your purchase free if you
don't get a receipt" story, the law turned the customers into tax
inspectors. They demanded receipts from merchants, which in turn
forced the merchants to create a paper audit trail for the purchase and
pay the required tax.

This was a great idea, but it didn't work very well. Customers,
especially tourists, didn't like to be stopped by police. People
started demanding that the police prove they just purchased the
item. Threatening people with fines if they didn't guard merchants
wasn't as effective an enticement as offering people a reward if they
didn't get a receipt.

Interest must be aligned with capability, but you need to be careful
how you generate interest.

This essay originally appeared on Wired.com.
http://www.wired.com/news/columns/0,71032-0.html


** *** ***** ******* *********** *************

      Comments from Readers



There are hundreds of comments -- many of them interesting -- on these
topics on my blog. Search for the story you want to comment on, and
join in.

http://www.schneier.com/blog


** *** ***** ******* *********** *************

CRYPTO-GRAM is a free monthly newsletter providing summaries, analyses,
insights, and commentaries on security: computer and otherwise. You
can subscribe, unsubscribe, or change your address on the Web at
<http://www.schneier.com/crypto-gram.html>. Back issues are also
available at that URL.

Comments on CRYPTO-GRAM should be sent to
[log in to unmask] Permission to print comments is assumed
unless otherwise stated. Comments may be edited for length and clarity.

Please feel free to forward CRYPTO-GRAM to colleagues and friends who
will find it valuable. Permission is granted to reprint CRYPTO-GRAM,
as long as it is reprinted in its entirety.

CRYPTO-GRAM is written by Bruce Schneier. Schneier is the author of
the best sellers "Beyond Fear," "Secrets and Lies," and "Applied
Cryptography," and an inventor of the Blowfish and Twofish
algorithms. He is founder and CTO of Counterpane Internet Security
Inc., and is a member of the Advisory Board of the Electronic Privacy
Information Center (EPIC). He is a frequent writer and lecturer on
security topics. See <http://www.schneier.com>.

Counterpane is the world's leading protector of networked information -
the inventor of outsourced security monitoring and the foremost
authority on effective mitigation of emerging IT threats. Counterpane
protects networks for Fortune 1000 companies and governments
world-wide. See <http://www.counterpane.com>.

Crypto-Gram is a personal newsletter. Opinions expressed are not
necessarily those of Counterpane Internet Security, Inc.

Copyright (c) 2006 by Bruce Schneier.

************************************************************************************
Distributed through Cyber-Society-Live [CSL]: CSL is a moderated discussion
list made up of people who are interested in the interdisciplinary academic
study of Cyber Society in all its manifestations. To join the list please visit:
http://www.jiscmail.ac.uk/lists/cyber-society-live.html
*************************************************************************************
