Bruce Schneier


Schneier on Security

A blog covering security and security technology.

Making Fake ATMs Using 3D Printers

One group stole $400K.

Posted on September 28, 2011 at 6:03 AM. 21 Comments.


Problems with Mac OS X Lion Passwords

Seems like some dumb mistakes.

News article.

Posted on September 27, 2011 at 7:12 AM. 18 Comments.


Tor Arms Race

Iran blocks Tor, and Tor releases a workaround on the same day.

How did the filter work technically? Tor tries to make its traffic look like a web browser talking to an https web server, but if you look carefully enough you can tell some differences. In this case, the characteristic of Tor's SSL handshake they looked at was the expiry time for our SSL session certificates: we rotate the session certificates every two hours, whereas normal SSL certificates you get from a certificate authority typically last a year or more. The fix was to simply write a larger expiration time on the certificates, so our certs have more plausible expiry times.
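To make the fingerprint concrete, here is an added example, not code from the post or from the Tor project: it pulls notBefore/notAfter out of a DER-encoded certificate with a minimal ASN.1 walker and scores the lifetime the way a filter keyed on expiry would. The certificate builder (`toy_certificate`), the thresholds in `classify_lifetime` and all other names are assumptions made for the demonstration; the constructed certificate carries no real signature or key.

```python
import datetime as dt

# ASN.1 tags used below
UTCTIME, GENERALIZEDTIME, SEQUENCE, INTEGER, OID, BITSTRING = 0x17, 0x18, 0x30, 0x02, 0x06, 0x03


def der_len(n: int) -> bytes:
    """DER length octets, short or long form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_len(len(body)) + body


def der_time(t: dt.datetime) -> bytes:
    """X.509 rule: UTCTime for years before 2050, GeneralizedTime from 2050 on."""
    if t.year < 2050:
        return tlv(UTCTIME, t.strftime("%y%m%d%H%M%SZ").encode("ascii"))
    return tlv(GENERALIZEDTIME, t.strftime("%Y%m%d%H%M%SZ").encode("ascii"))


def toy_certificate(not_before: dt.datetime, not_after: dt.datetime) -> bytes:
    """Constructed, unsigned Certificate skeleton (assumption: only the
    TBSCertificate field order matters for the parser below)."""
    tbs = tlv(SEQUENCE,
              tlv(0xA0, tlv(INTEGER, b"\x02"))                                   # version [0] v3
              + tlv(INTEGER, b"\x01")                                            # serialNumber
              + tlv(SEQUENCE, tlv(OID, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))  # sha256WithRSAEncryption
              + tlv(SEQUENCE, b"")                                               # issuer (empty Name)
              + tlv(SEQUENCE, der_time(not_before) + der_time(not_after))        # validity
              + tlv(SEQUENCE, b"")                                               # subject (empty Name)
              + tlv(SEQUENCE, b""))                                              # subjectPublicKeyInfo (placeholder)
    return tlv(SEQUENCE, tbs + tlv(SEQUENCE, b"") + tlv(BITSTRING, b"\x00"))


def read_tlv(buf: bytes, off: int):
    """Decode one TLV at buf[off]; returns (tag, value, offset after it)."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, buf[off:off + length], off + length


def children(value: bytes):
    """Iterate the TLVs directly inside a constructed value."""
    off = 0
    while off < len(value):
        tag, body, off = read_tlv(value, off)
        yield tag, body


def parse_time(tag: int, body: bytes) -> dt.datetime:
    fmt = "%y%m%d%H%M%SZ" if tag == UTCTIME else "%Y%m%d%H%M%SZ"
    return dt.datetime.strptime(body.decode("ascii"), fmt).replace(tzinfo=dt.timezone.utc)


def validity_period(cert_der: bytes):
    """Find Validity inside TBSCertificate: the first SEQUENCE whose first
    element is a time type. Returns (notBefore, notAfter) as aware datetimes."""
    _, cert_body, _ = read_tlv(cert_der, 0)
    _, tbs_body = next(children(cert_body))
    for tag, body in children(tbs_body):
        if tag == SEQUENCE and body and body[0] in (UTCTIME, GENERALIZEDTIME):
            (t1, b1), (t2, b2) = children(body)
            return parse_time(t1, b1), parse_time(t2, b2)
    raise ValueError("no Validity field found")


def lifetime_hours(cert_der: bytes) -> float:
    not_before, not_after = validity_period(cert_der)
    return (not_after - not_before).total_seconds() / 3600


def classify_lifetime(hours: float) -> str:
    """Assumed thresholds for the 2011 landscape the post describes: public-CA
    leaf certificates typically ran a year or more, so an hours-long lifetime
    is exactly the outlier a filter can key on."""
    if hours < 24:
        return "anomalous: hours-long lifetime, unlike any public CA certificate"
    if hours < 24 * 90:
        return "short: under 90 days"
    return "plausible: CA-like lifetime"


if __name__ == "__main__":
    t0 = dt.datetime(2011, 9, 26, 12, 0, 0)
    for hours in (2, 24 * 365):
        cert = toy_certificate(t0, t0 + dt.timedelta(hours=hours))
        print(f"{lifetime_hours(cert):>10.1f} h -> {classify_lifetime(lifetime_hours(cert))}")
```

The point for anyone building protocol mimicry is the same check run from the other side: before shipping, measure every field a passive observer can read (here the validity window) against the population you are trying to blend into, because a two-hour certificate is distinguishable without breaking any cryptography.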

Posted on September 26, 2011 at 6:41 AM. 15 Comments.


Friday Squid Blogging: Sex Life of Deep-Sea Squid

There's evidence of indiscriminate fertilization in deep-sea squid. They mate with any other squid they encounter, male or female.

This unusual behaviour, they said, may be explained by the fact the squid is boosting its chances of successfully passing on its genes in the challenging environment it lives in.

In the Royal Society paper the team writes: "In the deep, dark habitat where O. deletron lives, potential mates are few and far between.

"We suggest that same-sex mating behaviour by O. deletron is part of a reproductive strategy that maximises success by inducing males to indiscriminately and swiftly inseminate every [squid] that they encounter."

Basically, they can't tell males from females in the dark waters, so it just makes sense to mate with everybody.

The press is reporting this as homosexuality or bisexuality, but it's not. It's indiscriminate fertilization. PZ Myers explains.

Posted on September 23, 2011 at 4:28 PM. 28 Comments.


Man-in-the-Middle Attack Against SSL 3.0/TLS 1.0

It's the Browser Exploit Against SSL/TLS Tool, or BEAST:

The tool is based on a blockwise-adaptive chosen-plaintext attack, a man-in-the-middle approach that injects segments of plain text sent by the target's browser into the encrypted request stream to determine the shared key. The code can be injected into the user's browser through JavaScript associated with a malicious advertisement distributed through a Web ad service or an IFRAME in a linkjacked site, ad, or other scripted elements on a webpage.

Using the known text blocks, BEAST can then use information collected to decrypt the target's AES-encrypted requests, including encrypted cookies, and then hijack the no-longer secure connection. That decryption happens slowly, however; BEAST currently needs sessions of at least a half-hour to break cookies using keys over 1,000 characters long.

The attack, according to Duong, is capable of intercepting sessions with PayPal and other services that still use TLS 1.0, which would be most secure sites, since follow-on versions of TLS aren't yet supported in most browsers or Web server implementations.

While Rizzo and Duong believe BEAST is the first attack against SSL 3.0 that decrypts HTTPS requests, the vulnerability that BEAST exploits is well-known; BT chief security technology officer Bruce Schneier and UC Berkeley's David Wagner pointed out in a 1999 analysis of SSL 3.0 that "SSL will provide a lot of known plain-text to the eavesdropper, but there seems to be no better alternative." And TLS's vulnerability to man-in-the-middle attacks was made public in 2009. The IETF's TLS Working Group published a fix for the problem, but the fix is unsupported by SSL.

Another article.
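The mechanism the article only gestures at is the chained CBC IV of SSL 3.0/TLS 1.0: the IV for record n+1 is the last ciphertext block of record n, which is already on the wire. The following is an added illustration, not code from the post or from Rizzo and Duong. It uses a constructed toy block cipher to show why that is a chosen-plaintext problem: with a predictable IV, one injected block confirms or refutes a guess for one earlier plaintext block, and the same test fails once each record gets its own unpredictable IV, which is the per-record IV fix the IETF adopted in TLS 1.1. The cipher, key, record contents and every function name are assumptions for the demonstration.

```python
import hashlib
import os

BLOCK = 16  # bytes; the AES block size the article's cookie attack works on


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    """Constructed 4-round Feistel 'cipher' with a SHA-256 round function.
    Deterministic and invertible, which is all CBC needs here; NOT secure."""
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for rnd in range(4):
        f = hashlib.sha256(key + bytes([rnd]) + right).digest()[:BLOCK // 2]
        left, right = right, xor(left, f)
    return left + right


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Textbook CBC without padding; plaintext must be block-aligned."""
    if len(plaintext) % BLOCK:
        raise ValueError("plaintext must be a multiple of the block size")
    out, prev = [], iv
    for i in range(0, len(plaintext), BLOCK):
        prev = toy_block_encrypt(key, xor(plaintext[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


class ChainedIvSession:
    """SSL 3.0 / TLS 1.0 behaviour: the IV for record n+1 is the last
    ciphertext block of record n, which any network observer has seen."""

    def __init__(self, key: bytes, initial_iv: bytes):
        self.key, self._next_iv = key, initial_iv

    def send(self, plaintext: bytes) -> bytes:
        ct = cbc_encrypt(self.key, self._next_iv, plaintext)
        self._next_iv = ct[-BLOCK:]
        return ct


class ExplicitIvSession:
    """TLS 1.1+ behaviour: a fresh random IV per record. It travels in the
    clear, but is only chosen after the plaintext, so it cannot be predicted."""

    def __init__(self, key: bytes):
        self.key = key

    def send(self, plaintext: bytes) -> bytes:
        iv = os.urandom(BLOCK)
        return cbc_encrypt(self.key, iv, plaintext)  # iv would be prepended on the wire


def guess_matches(session, predicted_iv: bytes, prev_block: bytes,
                  target_block: bytes, guess: bytes):
    """The blockwise test in the chosen-plaintext position: inject one block
    built from the guess and the IV the observer expects. When the IV really
    was predictable, the first ciphertext block equals target_block exactly
    when guess is the plaintext behind it. Returns (matched, ciphertext)."""
    chosen = xor(xor(guess, prev_block), predicted_iv)
    ct = session.send(chosen)
    return ct[:BLOCK] == target_block, ct


def demo() -> dict:
    """Constructed scenario: one record carries a 16-byte secret cookie block."""
    key = b"constructed-key!"
    secret = b"SID=9f31c0ffee42"        # the 16-byte block to be confirmed
    request = b"GET / HTTP/1.1\r\n" + secret
    results = {}

    # TLS 1.0 style session: chaining makes the next IV public knowledge.
    victim = ChainedIvSession(key, initial_iv=b"\x00" * BLOCK)
    ct = victim.send(request)
    c1, c2 = ct[:BLOCK], ct[BLOCK:2 * BLOCK]    # c2 = E(secret XOR c1)
    wrong, ct_w = guess_matches(victim, c2, c1, c2, b"SID=000000000000")
    right, _ = guess_matches(victim, ct_w[-BLOCK:], c1, c2, secret)
    results["chained_wrong_guess"] = wrong
    results["chained_right_guess"] = right

    # TLS 1.1+ style session: the same test with a predicted IV fails even
    # for the correct guess, because the real IV is drawn after the plaintext.
    patched = ExplicitIvSession(key)
    ct = patched.send(request)
    c1, c2 = ct[:BLOCK], ct[BLOCK:2 * BLOCK]
    results["explicit_iv_right_guess"], _ = guess_matches(patched, c2, c1, c2, secret)
    return results


if __name__ == "__main__":
    for name, matched in demo().items():
        print(f"{name}: {matched}")
```

The defensive reading is that CBC is only as good as the unpredictability of its IV: a block cipher that is a perfect permutation still leaks equality of plaintext blocks the moment the attacker can choose what gets XORed with a known value, which is why the 2009-era IETF fix moved the IV into each record.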

Posted on September 23, 2011 at 1:37 PM. 27 Comments.


Three Emerging Cyber Threats

On Monday I participated in a panel at the Information Systems Forum in Berlin. The moderator asked us what the top three emerging threats were in cyberspace. I went last, and decided to focus on the top three threats that are not criminal:

  1. The Rise of Big Data. By this I mean industries that trade on our data. These include traditional credit bureaus and data brokers, but also data-collection companies like Facebook and Google. They're collecting more and more data about everyone, often without their knowledge and explicit consent, and selling it far and wide: to both other corporate users and to government. Big data is becoming a powerful industry, resisting any calls to regulate its behavior.

  2. Ill-Conceived Regulations from Law Enforcement. We're seeing increasing calls to regulate cyberspace in the mistaken belief that this will fight crime. I'm thinking about data retention laws, Internet kill switches, and calls to eliminate anonymity. None of these will work, and they'll all make us less safe.

  3. The Cyberwar Arms Race. I'm not worried about cyberwar, but I am worried about the proliferation of cyber weapons. Arms races are fundamentally destabilizing, especially when their development can be so easily hidden. I worry about cyberweapons being triggered by accident, cyberweapons getting into the wrong hands and being triggered on purpose, and the inability to reliably trace a cyberweapon leading to increased distrust. Plus, arms races are expensive.

That's my list, and they all have the potential to be more dangerous than cybercriminals.

Posted on September 23, 2011 at 6:53 AM. 29 Comments.


An Interesting Software Liability Proposal

This proposal is worth thinking about.

Clause 1. If you deliver software with complete and buildable source code and a license that allows disabling any functionality or code by the licensee, then your liability is limited to a refund.

This clause addresses how to avoid liability: license your users to inspect and chop off any and all bits of your software they do not trust or do not want to run, and make it practical for them to do so.

The word disabling is chosen very carefully. This clause grants no permission to change or modify how the program works, only to disable the parts of it that the licensee does not want. There is also no requirement that the licensee actually look at the source code, only that it was received.

All other copyrights are still yours to control, and your license can contain any language and restriction you care to include, leaving the situation unchanged with respect to hardware locking, confidentiality, secrets, software piracy, magic numbers, etc. Free and open source software is obviously covered by this clause, and it does not change its legal situation in any way.

Clause 2. In any other case, you are liable for whatever damage your software causes when used normally.

If you do not want to accept the information sharing in Clause 1, you would fall under Clause 2 and have to live with normal product liability, just as manufacturers of cars, blenders, chainsaws, and hot coffee do.

Posted on September 23, 2011 at 5:22 AM. 54 Comments.


U.S.-Australia Cyberwar Treaty

The long-standing ANZUS military treaty now includes cyberspace attacks:

According to Reuters, the decision was made in discussions between the two countries this week. The extension of the treaty would mean that a cyber-attack on either country would be considered an attack on both.

Exactly what this means in practice is less clear: practically every government with a connection to the Internet is subject to pretty much constant attack, and both Australia and America regularly accuse China and North Korea of playing host to many such attacks (China just as regularly denies any government involvement in Internet-borne attacks).

According to Reuters, it's the first time any non-NATO defense pact has extended to the Internet. US Defence Secretary Leon Panetta is quoted as saying "cyber is the battlefield of the future."

Posted on September 22, 2011 at 7:09 AM. 27 Comments.


Shifting Risk Instead of Reducing Risk

Risks of teen driving:

For more than a decade, California and other states have kept their newest teen drivers on a tight leash, restricting the hours when they can get behind the wheel and whom they can bring along as passengers. Public officials were confident that their get-tough policies were saving lives.

Now, though, a nationwide analysis of crash data suggests that the restrictions may have backfired: While the number of fatal crashes among 16- and 17-year-old drivers has fallen, deadly accidents among 18-to-19-year-olds have risen by an almost equal amount. In effect, experts say, the programs that dole out driving privileges in stages, however well-intentioned, have merely shifted the ranks of inexperienced drivers from younger to older teens.

Posted on September 21, 2011 at 6:58 AM. 57 Comments.


Complex Electronic Banking Fraud in Malaysia

The interesting thing about this attack is how it abuses a variety of different security systems.

Investigations revealed that the syndicate members had managed to retrieve personal particulars including the usernames, passwords from an online banking kiosk at a bank in Petaling Jaya and even obtained the transaction authorisation code (TAC) which is sent out by the bank to the registered handphones of online banking users to execute cash transfers from their victims' accounts.

Federal CCID director, Commissioner Datuk Syed Ismail Syed Azizan told a press conference today that the syndicate had skimmed the personal online details of those who had used the kiosk by secretly attaching a thumbdrive with a spy software which downloaded and stored the usernames and passwords when the bank customers logged into their online accounts.

He said the syndicate members would discreetly remove the thumbdrive and later downloaded the confidential information into their computer from where they logged on to user accounts to find out the registered handphone numbers of the bank customers.

Then, using fake MyKad, police report or authorisation letters from the target customers, the crooks would report the handphones lost and applied for new SIM cards from the unsuspecting telecommunications companies.

"This new tactic is a combination of phishing and hijacking SIM cards. Obviously when a new SIM card is issued, the one used by the victim will be cancelled and this will raise their suspicions," Syed Ismail said.

"To counter this, a syndicate member on the pretext of being a telco staff, will call up their victims a day ahead to inform them that they will face interruptions in their mobilephone services for about two hours.

It is during these two hours that the syndicate would get the new SIM card and obtain the TAC numbers with which they can transfer all available cash in his victim's account to another account of an accomplice. The biggest single loss was RM50,000," he said.

MyKad is the Malaysian national ID card.

The criminals use a fake card to get a new cell phone SIM, which they then use to authenticate a fraudulent bank transfer made with stolen credentials.
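Because the fraud needs the SIM reissue and the TAC-authorised transfer to happen within a short window, that timing is something a bank can look for. Here is an added example, not from the article or from any bank or telco, of the correlation: replay a merged feed of bank audit events and telco SIM-change notifications, hold TAC-authorised transfers that follow a SIM reissue within a cooldown, and escalate when the same credentials were recently used at a shared kiosk. The log format, field names, windows and function names are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Assumed policy knobs: hold TAC-authorised transfers this long after a SIM
# reissue, and treat a recent shared-kiosk login as an aggravating factor.
SIM_CHANGE_COOLDOWN = timedelta(hours=48)
KIOSK_LOOKBACK = timedelta(days=30)


@dataclass
class Event:
    ts: datetime
    customer: str
    kind: str              # "sim_reissued" | "login" | "transfer"
    attrs: Dict[str, str]


@dataclass
class Alert:
    ts: datetime
    customer: str
    amount: int
    since_sim_change: timedelta
    kiosk_exposure: bool


@dataclass
class CustomerState:
    last_sim_reissue: Optional[datetime] = None
    last_kiosk_login: Optional[datetime] = None


def parse_event(line: str) -> Event:
    """Constructed line format: '<iso timestamp> cust=<id> <kind> key=value ...'."""
    ts, cust, kind, *rest = line.split()
    attrs = dict(kv.split("=", 1) for kv in rest)
    return Event(datetime.fromisoformat(ts), cust.split("=", 1)[1], kind, attrs)


def detect(lines: List[str]) -> List[Alert]:
    """Replay events in time order; alert on a TAC-authorised transfer that
    lands inside the cooldown after that customer's SIM was reissued."""
    state: Dict[str, CustomerState] = {}
    alerts: List[Alert] = []
    events = sorted((parse_event(l) for l in lines if l.strip()), key=lambda e: e.ts)
    for ev in events:
        st = state.setdefault(ev.customer, CustomerState())
        if ev.kind == "sim_reissued":
            st.last_sim_reissue = ev.ts
        elif ev.kind == "login" and ev.attrs.get("origin") == "kiosk":
            st.last_kiosk_login = ev.ts
        elif ev.kind == "transfer" and ev.attrs.get("auth") == "tac":
            if st.last_sim_reissue is None:
                continue
            gap = ev.ts - st.last_sim_reissue
            if gap <= SIM_CHANGE_COOLDOWN:
                kiosk = (st.last_kiosk_login is not None
                         and ev.ts - st.last_kiosk_login <= KIOSK_LOOKBACK)
                alerts.append(Alert(ev.ts, ev.customer, int(ev.attrs.get("amount", "0")), gap, kiosk))
    return alerts


# Constructed sample feed: bank audit log merged with a telco SIM-change feed.
SAMPLE_LOG = [
    "2011-09-01T08:00:00 cust=C3003 sim_reissued channel=online",
    "2011-09-10T09:15:00 cust=C1001 login origin=kiosk branch=PJ",
    "2011-09-15T09:00:00 cust=C3003 transfer auth=tac amount=1200 to=ACC-Z",   # 14 days after reissue: outside cooldown
    "2011-09-15T11:02:00 cust=C1001 sim_reissued channel=counter",
    "2011-09-15T12:10:00 cust=C1001 transfer auth=tac amount=50000 to=ACC-X",  # 68 minutes after reissue: hold
    "2011-09-15T12:20:00 cust=C2002 transfer auth=tac amount=300 to=ACC-Y",    # no SIM change on file
]


def run_sample() -> List[Alert]:
    return detect(SAMPLE_LOG)


if __name__ == "__main__":
    for a in run_sample():
        flag = " (recent kiosk login)" if a.kiosk_exposure else ""
        print(f"HOLD {a.customer}: RM{a.amount} TAC transfer {a.since_sim_change} after SIM reissue{flag}")
```

The detection only works if the bank actually learns about SIM reissues, which is the cross-system gap the syndicate exploited: the telco issued the SIM, the bank trusted the phone number, and neither saw the other's half of the story.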

Posted on September 20, 2011 at 6:36 AM. 30 Comments.


Pretty Creepy Type of Cyberstalking

Luis "Guicho" Mijangos, "sextortionist."

Posted on September 19, 2011 at 1:35 PM. 18 Comments.


The Effectiveness of Plagiarism Detection Software

As you'd expect, it's not very good:

But this measure [Turnitin] captures only the most flagrant form of plagiarism, where passages are copied from one document and pasted unchanged into another. Just as shoplifters slip the goods they steal under coats or into pocketbooks, most plagiarists tinker with the passages they copy before claiming them as their own. In other words, they cloak their thefts by scrambling the passages and right-clicking on words to find synonyms. This isn't writing; it is copying, cloaking and pasting; and it's plagiarism.

Kerry Segrave is a right-clicker, changing "cellar of store" to "basement of shop." Similarly, he changes goods to items, articles to goods, accomplice to confederate, neighborhood to area, and women to females. He is also a scrambler, changing "accidentally fallen" to "fallen accidentally;" "only with" to "with only;" and, "Leon and Klein," to "Klein and Leon." And, he scrambles phrases within sentences; in other words, the phrases of his sentences are sometimes scrambled.

[...]

Turnitin offers another product called WriteCheck that allows students to "check [their] work against the same database as Turnitin." I signed up and submitted the early pages of Shoplifting. WriteCheck matched many of Shoplifting's phrases to those of the New York Times articles in its library of student papers. Remember, I submitted them as a student paper to help Turnitin find them; now WriteCheck has them too! WriteCheck warned me that "a significant amount of this paper is unoriginal" and advised me to revise it. After a few hours of right-clicking and scrambling, I resubmitted it and WriteCheck said it was okay, being cleansed of easily recognizable plagiarism.

Turnitin is playing both sides of the fence, helping instructors identify plagiarists while helping plagiarists avoid detection. It is akin to selling security systems to stores while allowing shoplifters to test whether putting tagged goods into bags lined with aluminum thwarts the detectors.

Posted on September 19, 2011 at 6:35 AM. 35 Comments.



Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.
