Merit Network

Discussion Communities: Merit Network Email List Archives

Network Security

FW: CRYPTO-GRAM, February 15, 2004

  • From: Howell, Paul
  • Date: Sun Feb 15 11:04:19 2004


-----Original Message-----
From: crypto-gram-return-73-grue=merit.edu@chaparraltree.com
[mailto:crypto-gram-return-73-grue=merit.edu@chaparraltree.com] On Behalf Of
Bruce Schneier
Sent: Sunday, February 15, 2004 5:32 AM
To: crypto-gram@chaparraltree.com
Subject: CRYPTO-GRAM, February 15, 2004


                  CRYPTO-GRAM

               February 15, 2004

               by Bruce Schneier
                Founder and CTO
       Counterpane Internet Security, Inc.
            schneier@counterpane.com
            <http://www.schneier.com>
           <http://www.counterpane.com>


A free monthly newsletter providing summaries, analyses, insights, and 
commentaries on security: computer and otherwise.

Back issues are available at 
<http://www.schneier.com/crypto-gram.html>.  To subscribe, visit 
<http://www.schneier.com/crypto-gram.html> or send a blank message to 
crypto-gram-subscribe@chaparraltree.com.


** *** ***** ******* *********** *************

In this issue:
      Towards Universal Surveillance
      The Politicization of Security
      News
      Counterpane News
      Book News
      Identification and Security
      Crypto-Gram Reprints
      The Doghouse: E-mail Readers
      The Economics of Spam
      Comments from Readers


** *** ***** ******* *********** *************

         Toward Universal Surveillance



Last month the Supreme Court let stand the Justice Department's right 
to secretly arrest non-citizen residents.  Combined with the 
government's power to designate foreign prisoners of war as "enemy 
combatants" in order to ignore international treaties regulating their 
incarceration, and their power to indefinitely detain U.S. citizens 
without charge or access to an attorney, the United States is looking 
more and more like a police state.

Since 9/11, the Justice Department has asked for, and largely received, 
additional powers that allow it to perform an unprecedented amount of 
surveillance of American citizens and visitors.  The USA PATRIOT Act, 
passed in haste after 9/11, started the ball rolling.  In December, a 
provision slipped into an appropriations bill allowing the FBI to 
obtain personal financial information from banks, insurance companies, 
travel agencies, real estate agents, stockbrokers, the U.S. Postal 
Service, jewelry stores, casinos, and car dealerships without a warrant 
-- because they're all construed as financial institutions.  Starting 
this year, the U.S. government is photographing and fingerprinting 
foreign visitors into this country from all but 27 other countries.

The litany continues.  CAPPS-II, the government's vast computerized 
system for probing the backgrounds of all passengers boarding flights, 
will be fielded this year.  Total Information Awareness, a program that 
would link diverse databases and allow the FBI to collate information 
on all Americans, was halted at the federal level after a huge public 
outcry, but is continuing at a state level with federal funding.  Over 
New Year's, the FBI collected the names of 260,000 people staying at 
Las Vegas hotels.  More and more, at every level of society, the "Big 
Brother is Watching You" style of total surveillance is slowly becoming 
a reality.

Security is a trade-off.  It makes no sense to ask whether a particular 
security system is effective or not -- otherwise you'd all be wearing 
bulletproof vests and staying immured in your home.  The proper 
question to ask is whether the trade-off is worth it.  Is the level of 
security gained worth the costs, whether in money, in liberties, in 
privacy, or in convenience?

This is a personal decision, and one greatly influenced by the 
situation.  For most of us, bulletproof vests are not worth the cost 
and inconvenience.  For some of us, home burglar alarm systems 
are.  And most of us lock our doors at night.

Terrorism is no different.  We need to weigh each security 
countermeasure.  Is the additional security against the risks worth the 
costs?  Are there smarter things we can be spending our money on?  How 
does the risk of terrorism compare with the risks in other aspects of 
our lives: automobile accidents, domestic violence, industrial 
pollution, and so on?  Are there costs that are just too expensive for 
us to bear?

Unfortunately, it's rare to hear this level of informed debate.  Few 
people remind us how minor the terrorist threat really is.  Rarely do 
we discuss how little identification has to do with security, and how 
broad surveillance of everyone doesn't really prevent terrorism.   And 
where's the debate about what's more important: the freedoms and 
liberties that have made America great or some temporary security?

Instead, the DOJ (fueled by a strong police mentality inside the 
Administration) is directing our nation's political changes in response 
to 9/11.  And it's making trade-offs from its own subjective 
perspective: trade-offs that benefit it even if they are to the 
detriment of others.

From the point of view of the DOJ, judicial oversight is unnecessary 
and unwarranted; doing away with it is a better trade-off.  They think 
collecting information on everyone is a good idea, because they are 
less concerned with the loss of privacy and liberty.  Expensive 
surveillance and data mining systems are a good trade-off for them 
because more budget means even more power.  And from their perspective, 
secrecy is better than openness; if the police are absolutely 
trustworthy, then there's nothing to be gained from a public process.

If you put the police in charge of security, the trade-offs they make 
result in measures that resemble a police state.

This is wrong.  The trade-offs are larger than the FBI or the 
DOJ.  Just as a company would never put a single department in charge 
of its own budget, someone above the narrow perspective of the DOJ 
needs to be balancing the country's needs and making decisions about 
these security trade-offs.

The laws limiting police power were put in place to protect us from 
police abuse.  Privacy protects us from threats by government, 
corporations, and individuals.  And the greatest strength of our nation 
comes from our freedoms, our openness, our liberties, and our system of 
justice.  Ben Franklin once said: "Those who would give up essential 
liberty for temporary safety deserve neither liberty nor 
safety."  Since 9/11 Americans have squandered an enormous amount of 
liberty, and we didn't even get any temporary safety in return.


This essay originally appeared on CNet:
<http://news.com.com/2010-1028-5150325.html>


** *** ***** ******* *********** *************

         The Politicization of Security



Since 9/11, security has become an important political issue.  The Bush 
administration has seized on terrorism as a means to justify its 
policies.  Bush is running for re-election on a "strong on security" 
platform.  The Democrats are attacking the administration's record on 
security.  Congress has voted on, and will continue to vote on, 
security countermeasures.  And the FBI and the Justice Department are 
implementing others, even without Congressional approval.

In the last issue of Crypto-Gram I published a couple of security 
essays that had a political component.  I was surprised by the number 
of e-mails I received from people accusing me of bashing Bush (or 
worse).  American politics may be getting vitriolic, but I think it's 
worth stepping back and looking at the political security landscape.

I believe that the Bush administration is using the fear of terrorism 
as a political tool.  That being said, I'm not sure a Democrat would do 
anything different in Bush's place.  Fear is a powerful motivator, and 
it takes strong ethics to resist the temptation to abuse it.  I believe 
the real problem with America's national security policy is that the 
police are in charge; that's far more important than which party is in 
office.

Some of the Democratic candidates for president have been 
more rational about security, but none have discussed security in terms 
of trade-offs.  On the Republican side, I've read some criticisms of 
Bush's heavy-handed security policies.  Certainly the traditional 
Republican ideals of personal liberty and less government intervention 
are in line with smart security.  And have the people who accuse me of 
hating Republicans forgotten that the Clipper Chip initiative was 
spearheaded by the Clinton administration?

The Republicans don't have a monopoly on reducing civil liberties in 
the United States.

Rational security is not the sole purview of any political 
party.  Fighting stupid security does not have to be partisan.  Bush's 
White House has done more to damage American national security than 
they have done to improve it.  That's not an indictment of the entire 
Republican party; it's a statement about the current President, his 
Attorney General, and the Secretary of the Department of Homeland 
Security.  It's a statement about the current political climate, where 
the police -- and I use this term to encompass the FBI, the Justice 
Department, the military, and everyone else involved in enforcing order 
-- and their interests are put ahead of the interests of the 
people.  My personal politics on non-security issues are not relevant.


** *** ***** ******* *********** *************

                      News



Good article on outsourcing computer security:
<http://www.computerworld.com/networkingtopics/networking/story/0,10801,89100,00.html>
or <http://tinyurl.com/22ybs>

Another e-mail scam.  This one uses people's fear of terror, and a 
month-old Microsoft vulnerability that obscures true URLs.
<http://www.cnn.com/2004/TECH/internet/01/26/email.scam/index.html>

Hacking in Congress.  Looks like some Republican staffers hacked a 
bunch of Democratic computers and accessed confidential files for about 
a year, sometimes leaking them to the press.
<http://www.boston.com/news/nation/articles/2004/01/22/infiltration_of_files_seen_as_extensive/>
or <http://tinyurl.com/25pny>
<http://www4.law.cornell.edu/uscode/18/1030.html>
I've read various people asking why this isn't Watergate-II.  Watergate 
was such a big deal because the direction came directly from the 
President.  Since then, all politicians have learned not to leave that 
kind of evidence lying around.  There are always sufficient underlings 
available to take the fall when this kind of thing comes to light.  And 
if you think about it, that is itself a security countermeasure.

Interesting computer-related theft from an Israeli bank.  Someone 
installed a wireless networking device on a computer rack in the bank, 
and then used it to gain surreptitious access into the system.  I think 
this sort of thing is a harbinger of computer crime to come.
<http://www.math.org.il/post-office.html>
<http://www.math.org.il/post-office2.html>

Cheating during a security drill at a nuclear plant.  This is the best 
quote: "I understand the perception, but the fact is there was nothing 
wrong with what occurred," said Burleson, the Wackenhut executive. "If 
we had lost the exercise, it wouldn't have been an issue because they 
expected us to lose the exercise."
<http://www.sunherald.com/mld/sunherald/news/nation/7807680.htm>

Regularly I see estimates about the costs of worms and viruses, and 
they are invariably complete fabrications.  This is the most egregious 
estimate yet: according to the BBC, MyDoom cost $26.1 billion.  I 
wonder which anti-virus company made up that ludicrous number.
<http://news.bbc.co.uk/1/hi/technology/3449931.stm>

Trend Micro estimates $55 billion from all viruses in 2003:
<http://news.com.com/2102-7349_3-5142144.html>
Does anyone believe these numbers anymore?

NIST's Computer Incident Handling Guide:
<http://csrc.nist.gov/publications/nistpubs/800-61/sp800-61.pdf>

Security through obscurity in public schools:
<http://www.washingtonpost.com/wp-dyn/articles/A7022-2004Feb2.html>

A study finds vulnerabilities in computerized voting machines:
<http://www.wired.com/news/print/0,1294,62109,00.html>
<http://tn01.com/usatoday/sbct.cgi?s=906902457&i=932220&m=1&d=5392237>
RABA's report: <http://www.raba.com/press/TA_Report_AccuVote.pdf>
<http://www.epic.org/privacy/voting/mdvote1.04.pdf>

More problems with electronic voting machines:
<http://verifiedvoting.org/article_text.asp?articleid=997>

Good list of resources on the economics of privacy:
<http://www.heinz.cmu.edu/~acquisti/economics-privacy.htm>

An interesting international border security story.  Great quote: "The 
next time you're asked to perform a semi-striptease at an airport X-ray 
point (shoes, jacket, belt, wallet), consider the law of diminishing 
returns.  We're probably now at the point where the world could double 
its investment in air-travel controls for no appreciable gain, except 
to those in the business of providing security services."
<http://globeandmail.ca/servlet/story/RTGAM.20040129.wlethome0129/BNStory/Front/>
or <http://tinyurl.com/3h4kx>

Five million names on U.S. terrorism watch list:
<http://www.canoe.ca/NewsStand/TorontoSun/News/2004/01/20/318488.html>

"Biometrics won't catch disposable terrorists."  Isn't that a good turn 
of phrase?
<http://www.benadorassociates.com/article/1336>

Security outsourcing and how to make it successful.  (Counterpane is 
mentioned.)
<http://www.computerworld.com/networkingtopics/networking/story/0,10801,89100,00.html>
or <http://tinyurl.com/2tkj6>

Amusing security stories.  People are still the weakest link.
<http://www.computerworld.com/printthis/2004/0,4814,88303,00.html>

Only 10% of spam is compliant with the new U.S. law.  I'm surprised 
it's so high. <http://www.eweek.com/article2/0,4149,1441763,00.asp>

Last month I wrote about the jammers used by Musharraf to prevent 
bombings.  This article says that the U.S. is using the same technology 
in Iraq.
<http://seattletimes.nwsource.com/html/nationworld/2001847947_jammers31.html>
or <http://tinyurl.com/ytqb9>

Interesting article on the August blackout on the East Coast, and how a 
previously unknown software vulnerability contributed:
<http://www.securityfocus.com/news/8016>

The GAO has released a very interesting report on the CAPPS-2 airline 
passenger screening program.  According to the report, the 
Transportation Security Administration has failed to address Congress's 
concerns about the program, including whether it will comply with the 
Privacy Act. <http://www.epic.org/privacy/airtravel/gao-capps-rpt.pdf>
EPIC's passenger profiling page:
My essay on airline profiling: <http://www.schneier.com/essay-profiles.html>


** *** ***** ******* *********** *************

                Counterpane News



RSA 2004, 23-27 February 2004, Moscone Center, San Francisco, CA.
Counterpane is exhibiting.  Come by our booth #1227 to see what 
Counterpane can do to help secure your networks.  Contact us in advance 
at 888-710-8175 if you'd like to set up a meeting with us.  Schneier is 
moderating the Cryptographer's Panel on Tuesday at 11:00.  Schneier is 
giving a talk on security titled "What Works, What Doesn't, and Why" on 
Tuesday at 5:15.
<http://www.rsaconference.com/>

Counterpane announces its 2003 performance:
<http://www.counterpane.com/pr-20040129.html>

Counterpane monitors Northeast Utilities:
<http://www.counterpane.com/pr-20040121.html>

Counterpane's monitoring service has been nominated for an award for 
Best Security Service from SC Magazine.  Anyone can vote, although you 
have to give them your personal information.
<http://www.scawards.com/voting/rta_products.asp?Cat_ID=19>


** *** ***** ******* *********** *************

               "Beyond Fear" News



Another review of "Beyond Fear":
<http://www.newsobserver.com/front/story/3257833p-2912749c.html>

"'Beyond Fear' is a tour de force, stuffed with more ideas than I have 
room to talk about here.  It is a timely contribution to our national 
debate."

And another review: <http://www.theregister.co.uk/content/55/35499.html>

"Beyond Fear" website:
<http://www.schneier.com/bf.html>


** *** ***** ******* *********** *************

           Identification and Security



In recent years there has been an increased use of identification 
checks as a security measure.  Airlines always demand photo IDs, and 
hotels increasingly do so.  They're often required for admittance into 
government buildings, and sometimes even hospitals.  Everywhere, it 
seems, someone is checking IDs.  The ostensible reason is that ID 
checks make us all safer, but that's just not so.  In most cases, 
identification has very little to do with security.

Let's debunk the myths one by one.  First, verifying that someone has a 
photo ID is a completely useless security measure.  All the 9/11 
terrorists had photo IDs.  Some of the IDs were real.  Some were 
fake.  Some were real IDs in fake names, bought from a crooked DMV 
employee in Virginia for $1,000 each.  Fake driver's licenses for all 
fifty states, good enough to fool anyone who isn't paying close 
attention, are available on the Internet.  Or if you don't want to buy 
IDs online, just ask any teenager where to get a fake ID.

Harder-to-forge IDs only help marginally, because the problem is not 
making sure the ID is valid.  This is the second myth of ID checks: 
that identification combined with profiling can be an indicator of 
intention.

Our goal is to somehow identify the few bad guys scattered in the sea 
of good guys.  In an ideal world, what we'd want is some kind of ID 
that denotes intention.  We'd want all terrorists to carry a card that 
says "evildoer" and everyone else to carry a card that said "honest 
person who won't try to hijack or blow up anything."  Then, security 
would be easy.  We'd just look at people's IDs and, if they were 
evildoers, we wouldn't let them on the airplane or into the building.

This is, of course, ridiculous, so we rely on identity as a 
substitute.  In theory, if we know who you are, and if we have enough 
information about you, we can somehow predict whether you're likely to 
be an evildoer.  This is the basis behind CAPPS-2, the government's new 
airline passenger profiling system.  People are divided into two 
categories based on various criteria: the traveler's address, credit 
history, and police and tax records; flight origin and destination; 
whether the ticket was purchased by cash, check, or credit card; 
whether the ticket is one way or round trip; whether the traveler is 
alone or with a larger party; how frequently the traveler flies; and 
how long before departure the ticket was purchased.

Profiling has two very dangerous failure modes.  The first one is 
obvious.  The intent of profiling is to divide people into two 
categories: people who may be evildoers and need to be screened more 
carefully, and people who are less likely to be evildoers and can be 
screened less carefully.  But any such system will create a third, and 
very dangerous, category: evildoers who don't fit the profile.

Oklahoma City bomber Timothy McVeigh, DC sniper John Allen Muhammad, 
and many of the 9/11 terrorists had no previous links to 
terrorism.  The Unabomber taught mathematics at Berkeley.  The 
Palestinians have demonstrated that they can recruit suicide bombers 
with no previous record of anti-Israeli activities.  Even the 9/11 
hijackers went out of their way to establish a normal-looking profile: 
frequent-flier numbers, a history of first-class travel, 
etc.  Evildoers can also engage in identity theft, and steal the 
identity -- and profile -- of an honest person.  Profiling can actually 
result in less security by giving certain people an easy way to skirt 
security.

There's another, even more dangerous, failure mode for these systems: 
honest people who fit the evildoer profile.  Because actual evildoers 
are so rare, almost everyone who fits the profile will turn out to be a 
false alarm.  This not only wastes investigative resources that might 
be better spent elsewhere, but it causes grave harm to those innocents 
who fit the profile.  Whether it's something as simple as "driving 
while black" or "flying while Arab," or something more complicated like 
taking scuba lessons or protesting the current administration, 
profiling harms society because it causes us all to live in fear...not 
from the evildoers, but from the police.

Security is a trade-off; we have to weigh the security we get against 
the price we pay for it.  Better trade-offs are to spend money on 
intelligence and analysis, investigation, and making ourselves less of 
a pariah on the world stage.  And to spend money on the other, 
non-terrorist, security issues that affect far more Americans every year.

Identification and profiling don't provide very good security, and they 
do so at an enormous cost.  Dropping ID checks completely, and engaging 
in random screening where appropriate, is a far better security 
trade-off.  People who know they're being watched, and that their 
innocent actions can result in police scrutiny, are people who become 
scared to step out of line.  They know that they can be put on a "bad 
list" at any time.  People living in this kind of society are not free, 
despite any illusionary security they receive.  It's contrary to all 
the ideals that went into founding the United States.


This essay originally appeared in the San Francisco Chronicle:
<http://www.sfgate.com/cgi-bin/article.cgi?file=/chronicle/archive/2004/02/03/EDGSI4M3171.DTL>
or <http://tinyurl.com/yvbnz>



** *** ***** ******* *********** *************

             Crypto-Gram Reprints



Crypto-Gram is currently in its seventh year of publication.  Back 
issues cover a variety of security-related topics, and can all be found 
on <http://www.schneier.com/crypto-gram.html>.  These are a selection 
of articles that appeared in this calendar month in other years.

Militaries and Cyber-War: <http://www.schneier.com/crypto-gram-0301.html#1>

The RMAC Authentication Mode:
<http://www.schneier.com/crypto-gram-0301.html#7>

Microsoft and "Trustworthy Computing":
<http://www.schneier.com./crypto-gram-0202.html#1>

Judging Microsoft: <http://www.schneier.com./crypto-gram-0202.html#2>

Hard-drive-embedded copy protection:
<http://www.schneier.com/crypto-gram-0102.html#1>

A semantic attack on URLs: <http://www.schneier.com/crypto-gram-0102.html#7>

E-mail filter idiocy: <http://www.schneier.com/crypto-gram-0102.html#8>

Air gaps:
<http://www.schneier.com/crypto-gram-0102.html#9>

Internet voting vs. large-value e-commerce:
<http://www.schneier.com/crypto-gram-0102.html#10>

Distributed denial-of-service attacks:
<http://www.schneier.com/crypto-gram-0002.html#DistributedDenial-of-ServiceAttacks>
or <http://tinyurl.com/2vep4>

Recognizing crypto snake-oil:
<http://www.schneier.com/crypto-gram-9902.html#snakeoil>


** *** ***** ******* *********** *************

     The Doghouse:  E-mail Readers




Security vulnerabilities aren't like the weather; they don't just 
happen.  They are the result of mistakes: mistakes in the code, 
mistakes in design, or mistakes in specification.  MyDoom spread across 
the Internet because of an enormous vulnerability in e-mail software: 
users are allowed to execute arbitrary e-mail attachments.

This is a bug.  I know it's generally called a feature, but it's 
not.  It's a design flaw.  It's a huge security vulnerability.  And I 
think it's high time we started calling it that.

Most people have no need to execute e-mail attachments.  Some do -- I 
receive software updates in e-mail pretty regularly -- but most do 
not.  Why can't this "feature" be turned off by default?  Or turn it 
off for everyone; I'm willing to accept a URL to a webpage where I can 
download the software updates I need.

I don't think the solution is to educate users.  This is a case where 
overall security is determined by the stupidest user.  If 1,000 people 
in your corporate network know enough not to click on the attachment 
and only one does not, you're still infected.

Microsoft isn't alone in the doghouse on this one.  I use Eudora, and 
that e-mail program also allows the user, by default, to execute e-mail 
attachments.  I don't know about other e-mail programs, but I assume 
that others have the same security vulnerability.


** *** ***** ******* *********** *************

             The Economics of Spam



Last month Bill Gates talked about spam at the World Economic 
Forum.  He said, "Two years from now, spam will be solved."

He listed three technologies he claims will solve spam.  The first is 
based on positively identifying the sender of any e-mail.  The second 
involves a computational puzzle, something that a computer must do for 
each message that becomes prohibitively expensive for any bulk 
mailing.  The third involves forcing the sender to pay for 
e-mail.  Gates feels that this is the most promising technology to kill 
spam once and for all.

Spam is an interesting problem, because it's an economic one.  Spam is 
prevalent because -- as bizarre as it may seem -- it is profitable.  If 
spam were not profitable, it wouldn't be done.

Gates is right that the best way to deal with the problem is to change 
the economics.  If spammers had to pay money for each message, as paper 
bulk mailers do, they would spam a lot less.  They would only spam 
interesting and effective messages.  Because spam is nearly free, even 
messages with marginal rates of return are profitable.

Today, accounts that spam are shut down pretty quickly.  Or, at least, 
large ISPs block e-mail from those addresses.  In retaliation, spammers 
are more likely to use stolen accounts to send spam, and to change 
those accounts regularly.  Spammers are also willing to pay for hacker 
exploits in order to more efficiently break into systems.

This means that anti-spam security that relies on positive 
identification isn't likely to work.  It'll mean that more spam will 
rely on stolen accounts.  It'll change the tactics of spammers, but not 
the amount of spam.  E-mail recipients could decide to only accept mail 
from people they already know -- so-called white lists -- but those 
solutions are available and effective today.  But most people want to 
get e-mail from people they don't expect to get e-mail from, so most 
people don't use white lists.  Enforcing strong identification won't 
make this issue any different.

Computational puzzles are an interesting idea, and one that has been 
talked about in the security community for a while.  The basic idea is 
that Alice sends Bob an e-mail.  Bob's computer responds with a 
mathematical puzzle for Alice's computer to solve.  Alice's computer 
does so and sends the result to Bob's computer, which in turn delivers 
the mail to Bob.

You can see how this deals with spam.  Alice's computer has no trouble 
solving the puzzle, but it takes time.  If Alice's computer has to 
solve millions of these a day, it won't be able to.  So spam is reduced.

It's an economic solution; it makes the sending of e-mail more 
expensive.  Spammers will respond by breaking into a lot more accounts 
and sending a lot less spam out of each of them.  My guess is that no real 
spam reduction will result.
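
The puzzle exchange described above, as an added example (not part of the original newsletter): a hashcash-style challenge and response in Python, followed by the arithmetic behind the objection that spammers would spread the work across more compromised machines.  The SHA-256 leading-zero puzzle, the difficulty setting, the hash rates, and every function and class name here are assumptions chosen for illustration.

```python
import hashlib
import math
import secrets

DIFFICULTY_BITS = 12  # assumed demo value; expected work is about 2**12 hashes


def leading_zero_bits(digest: bytes) -> int:
    """Count the leading zero bits of a hash digest."""
    value = int.from_bytes(digest, "big")
    return len(digest) * 8 - value.bit_length()


def pow_hash(chal: str, counter: int) -> bytes:
    """Hash of the challenge string combined with a candidate answer."""
    return hashlib.sha256(f"{chal}:{counter}".encode()).digest()


class Recipient:
    """Bob's mail server: issues one puzzle per incoming message."""

    def __init__(self, bits: int = DIFFICULTY_BITS):
        self.bits = bits
        self.pending = {}  # challenge -> digest of the message it was issued for

    def challenge(self, sender: str, message: bytes) -> str:
        # Fresh randomness, so answers cannot be precomputed or shared
        # between messages.
        nonce = secrets.token_hex(16)
        digest = hashlib.sha256(message).hexdigest()
        chal = f"{sender}:{digest}:{nonce}"
        self.pending[chal] = digest
        return chal

    def deliver(self, chal: str, counter: int, message: bytes) -> bool:
        # pop() makes every challenge single-use: a solved puzzle cannot be
        # replayed to deliver a second message.
        expected = self.pending.pop(chal, None)
        if expected is None:
            return False
        if hashlib.sha256(message).hexdigest() != expected:
            return False  # the work was done for a different message body
        # Verification costs Bob a single hash.
        return leading_zero_bits(pow_hash(chal, counter)) >= self.bits


def solve(chal: str, bits: int) -> int:
    """Alice's side: brute-force search, about 2**bits hashes on average."""
    counter = 0
    while leading_zero_bits(pow_hash(chal, counter)) < bits:
        counter += 1
    return counter


def messages_per_day(hashes_per_second: float, bits: int) -> float:
    """Expected number of puzzles one machine can solve in 24 hours."""
    return hashes_per_second * 86400 / 2 ** bits


def machines_needed(daily_volume: int, hashes_per_second: float, bits: int) -> int:
    """Machines a bulk sender must control to keep up a given daily volume."""
    return math.ceil(daily_volume / messages_per_day(hashes_per_second, bits))


if __name__ == "__main__":
    bob = Recipient()
    mail = b"Lunch on Friday?"  # constructed sample message
    chal = bob.challenge("alice@example.org", mail)   # Bob -> Alice
    answer = solve(chal, bob.bits)                    # Alice does the work
    print("delivered:", bob.deliver(chal, answer, mail))   # Alice -> Bob
    print("replayed: ", bob.deliver(chal, answer, mail))

    # Assumed figures: 2**20 hashes per second per machine, 20-bit puzzles.
    rate, bits = 2 ** 20, 20
    print("one machine, messages/day:", messages_per_day(rate, bits))
    print("machines for 10M messages/day:",
          machines_needed(10_000_000, rate, bits))
```

With these assumed figures a legitimate sender pays about one second per message, while a ten-million-message run needs roughly a hundred machines rather than one, which is the shift toward compromised accounts that the paragraph above predicts.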

Gates's third solution is the direct economic solution: charge for 
e-mail.  This one has also been talked about a lot in the security 
community.  It is also a very difficult one to implement.  Overlaying a 
fee structure on top of the existing e-mail system will be 
complicated.  It will have to deal with the fact that spam comes from 
every country, and not just the economically sophisticated ones.  The 
best solution is for fees to be collected close to the sender -- so 
spam doesn't clog the network -- but the easiest solution is for fees 
to be collected by the recipient.  And we'll all have to get beyond the 
expectation that e-mail is free.

But this solution won't necessarily solve the problem of spammers 
breaking into other people's accounts, either.  You'd have to add some 
additional controls inside the network: how much e-mail a person can 
send in a day, maximum charges that can be accrued, that sort of 
thing.  Again, extremely difficult to implement in practice.  But at 
least it's thinking along the right lines.

In general, I think that Gates is being overly optimistic.  Some of 
these ideas are promising, but most of the anti-spam ideas are more 
likely to change the tactics of spammers than reduce the overall rate 
of spam.  What's interesting to me is that his optimism comes largely 
from ignoring the problem of insecure computers on the Internet, 
primarily insecure Windows computers on the Internet.

Right now the best solution is a spam filter.  I use one, and I get 
almost no spam.  There are a few false positives, but I find those when 
I clean out the filter every week.

Now I just have to convince a bunch of filters that Crypto-Gram is not 
spam.


Gates's talk: <http://www.nytimes.com/cnet/CNET_2100-1028_3-5147491.html>
<http://www.eweek.com/article2/0,4149,1457701,00.asp>


** *** ***** ******* *********** *************

               Comments from Readers



From: Mark Moss <MMoss@reptron.com>
Subject: President Musharraf and Signal Jammers

I have some experience in military radio jammers, and I find the story 
of Pakistani security jamming a bomb detonator signal very 
unlikely.  We had two possible methods to jam a field radio (voice 
signals, and usually some version of AM).  One was to obviously jam 
whatever frequencies the enemy might be using, with a much stronger 
signal than the radio transmitters you wanted to block.  This took a 
lot of power, and it invited countermeasures -- from changing the 
channel to destroying the jamming transmitter -- so it's not very 
effective and is apt to get you killed.

So the usual approach was to listen to the enemy communications and try 
to interfere with them so subtly that they don't realize it is 
jamming.  E.g., an officer is trying to call in an artillery strike on 
your forces.  Just when he gives the coordinates, you hit a button to 
transmit a short burst of "static."  Static is pretty common with these 
radios, so they'll think it's just too bad that it happened to block a 
critical number and ask for it to be repeated.  Pop some static into 
the "say again" response also, and continue to sow confusion without 
making it too obvious.  If you can imitate voices sufficiently well, 
you might even inject a few words here and there.  Meanwhile, your 
buddy calls up the troops being targeted to see if they can move or 
eliminate the enemy observer.

The subtle approach obviously won't work to block a detonator.  It's a 
one-time transmission, exact time unknown, and nothing is going to 
detect it before it's too late.  Assuming the detonation signal is 
coded so random noise and transmissions on the right channel won't set 
off the bomb, you could block it by overt jamming.  Continuously 
transmit noise on all possible channels at a sufficiently high power 
level to drown out the detonator.  It might take a truck with a big 
generator trailer, but it's possible.

But what if instead of a complex circuit to receive and detect one 
particular code sequence, the terrorist or assassin just uses a simple 
circuit that will trigger whenever the RF power at one frequency 
exceeds a threshold?  Then if he knows you will be jamming, he doesn't 
even have to stick around with the detonator; he just sets the 
threshold quite high and your jamming will detonate it.



From: "John Faulkner" <J.Faulkner@etc.unsw.edu.au>
Subject: President Musharraf and Signal Jammers

There is no mystery about the jamming device used to protect Musharraf's 
convoy from the recent assassination attempt and thus no point in 
keeping it secret.  It was a jammer for GSM mobile phones (cell phones 
to North Americans); these jammers are in use worldwide by government 
security agencies following the almost universal adoption of the GSM 
standard.

The bomb itself seems to have been five 50kg packages of explosive 
positioned to bring down the central part of the bridge and linked by a 
central control device, probably a GSM modem or modem-phone.  It cannot 
have been a trivial or quick exercise to put this in place.  The police 
who were assigned to guard the bridge have explained their absence as 
due to the bad weather.

The use of a mobile phone suggests al-Qaeda or one of their 
allies.  The truck bomb used by Jemaah Islamiah in their attack on the 
Sari nightclub in Bali, Indonesia, in 2002 was triggered by a mobile 
phone.  This is the most notorious example but there have been similar 
incidents throughout Asia.

Mobiles are a good choice for an intending bomber.  They are readily 
available and are inconspicuous in use.  The supporting infrastructure 
is already in place.  The triggering transmission is lost in the vast 
number of innocent messages.  Using a pre-paid SIM card in the phone 
would render its user untraceable.

GSM modems are readily available and are widely used for industrial 
process control.  Every vending machine in Australia is fitted with 
one, for example.  They are password protected and are addressable by 
SMS (text messages).  They can usually switch a connected device on or 
off immediately, or at any time using their inbuilt 
calendar/clock.  They can use their RS-232 port for serial data input 
and output.

If obtaining a GSM modem leaves too much of a paper trail, a 
modem-phone could be used instead like the one used in the Bali 
bomb.  The model reportedly used on this occasion is one that has an 
inbuilt modem that responds to Hayes (AT) commands and has an RS-232 
port.  It is a popular model and readily available.

GSM signals are, however, readily susceptible to jamming because, like 
other forms of digital radio, a certain signal-to-noise threshold must 
be achieved.  GSM mobiles sample the nearest base station's signals to 
check that they are above this threshold.  If they are not, then the 
mobile shuts down.  In operation, a jammer would transmit an 
interfering signal within the control channel.  This lowers the 
signal-to-noise ratio for any GSM mobile within a small radius around 
the jammer.  The mobile then shuts down temporarily.

When the vehicle carrying the jammer has passed by, the GSM mobile in 
the bomb would reconnect with the base station and download any waiting 
SMS messages.  In this case, the message would be the command to 
explode, but now received too late to do any harm to the target.  This 
is why the bomb exploded some seconds after the convoy had passed.

Mobile phone networks in the U.S. make use of a hotch-potch of older 
technology and WCDMA with a little GSM penetration.  This does not make 
the U.S. immune from such an attack.  On the contrary, this mixture of 
technologies makes it just that more difficult to use protective measures.

In particular, WCDMA is well-known for its strong immunity to jamming 
and this seems to be the technology chosen to replace the older analog 
system in the U.S. and the technology that will be imposed on Iraq by 
the U.S.  The existence of GSM jammers is an example of the benefits 
of a global standard.  For a known vulnerability, there is a known 
response and jammers were available as soon as the first GSM mobile 
appeared.



From: <alexcole@verizon.net>
Subject: President Musharraf and Signal Jammers

Another possible explanation on the Musharraf story -- Pakistani 
security officials may have found and disabled the bomb through human 
intelligence channels and published the story in an attempt to preserve 
the life of their source.



From: "WJK" <wjk@corvetsys.com>
Subject: New Credit Card Scam

I could just slap you (OK I will cut you some slack)....  Why did you 
not reveal a counter-measure to this kind of credit card attack?  The 
"victim" could play along with the scammer and provide false 
information for the digits on the back of the credit card.

After hanging up, the "victim" can call their credit card company and 
alert the fraud branch to be on the look out for this card.  At the 
same time, to be safe, another card could be issued.

The upside of this is that the fraud could be caught by the next 
merchant and ended much sooner.  Instead, with no positive action the 
scam continues and merchants and card holder are harmed.  Anyone 
"in-the-know" could be a good influence on catching these thieves, and 
they are thieves.



From: "Clive Robinson" <crob235@hotmail.com>
Subject: Diverting Aircraft and National Intelligence

I live and work in London and the "Cancellation of the flights by the 
FBI" was very newsworthy in the UK and was covered repeatedly by the 
BBC on television.  (It was only later pointed out that it was BA that 
had made the decision not to fly on the advice of the UK government 
based on information provided by the FBI.)

On one news item, the presenter specifically asked the reporter at 
Heathrow Airport if "The cancellation had anything to do with the BA 
pilots saying no to sky marshals."  The reply was a simple "I don't 
know" but was said in a very doubtful voice.

On another program the presenter actually asked a UK politician if the 
"U.S. were crying wolf"; the reply was unsurprisingly not very 
convincing, especially when he tried to explain that the threat had 
been that a woman was going to swallow a bomb before boarding the flight.

A view that has been voiced more than once is that the terrorists know 
how to "jerk the FBI's strings" and deliberately provide misleading 
intelligence that causes the FBI to make a "knee jerk reaction."  The 
view is each canceled flight is yet another propaganda victory for the 
terrorists, in the information war.  Although the latter observation is 
true, I doubt the former, since providing any intelligence to the 
opposition is dangerous for the terrorist, as it provides a link no 
matter how tenuous, back to them.

On speaking socially to a friend in France, he said that the French 
take was different.  Apparently a French reporter had noted that no 
U.S. aircraft had been affected and that there was no credible evidence 
of any threat.  Apparently the reporter then indicated that perhaps the 
U.S. was trying to start economic warfare on Europe by making non-U.S. 
airlines appear at risk, and therefore make business travelers switch 
to U.S. carriers.  On trying to make light of it with him, my friend 
stopped me and pointed out that the U.S. had just been very silly over 
steel and bananas and now BSE.

I get the feeling that in Britain support for the U.S. "war on terror" 
was at best marginal even amongst politicians.  However the news that a 
man boarded an aircraft in the U.S. with five rounds of live ammunition 
in his pocket and was only detected in the UK has probably diminished 
the view to the point that it is now "U.S. security is incompetent and 
ineffectual."

In the rest of Europe the view is decidedly less friendly, in that they 
see the war as being run by an "unelected incompetent trying to buy 
America out of a recession."

The BA pilots saying no to sky marshals appears to be based on two 
fairly sensible grounds,

1: A gun that would be safe to use on an aircraft would be of too low a 
power to be effective against somebody wearing a stab-proof vest 
(these, by the way, being made of Kevlar and ceramic, do not show up on 
a lot of metal detectors and X-ray equipment).  Therefore a gun is only 
a threat to passengers and crew, and the terrorists know this already.

2: Division of responsibility.  Under international law the pilot is 
responsible for the aircraft and the passengers.  A sky marshal would be 
unlikely to have the training to understand fully what behavior would 
endanger the aircraft and would in an emergency be very unlikely to 
defer to the pilot's judgment, even if they had the time to ask.

Also a UK politician (who should have known better) tried to make a 
joke out of "Sky Marshals" whilst political point scoring.  He said 
that there was too much jargon coming from the U.S.  The inference was 
however that the "Texas Rangers would be shooting from the hip" on all 
U.S.-bound aircraft.

Overall, I think that the U.S. security measures have had a very bad 
effect on the credibility of the U.S. outside of the U.S., and that 
this is actually detrimental to the U.S. overall.  Perhaps it is time 
for the three letter agencies to reassess the way they are currently 
doing things, before the damage is too great.



From: Steve Loughran <steve_loughran@hpl.hp.com>
Subject: Diverting Aircraft and National Intelligence

The goal of terrorism is to spread terror, usually in the (mistaken) 
belief that this will force your opponent to change some aspect of 
their behavior.  While physical acts of terrorism are the core way to 
achieve this, if terror can be spread without actually going to any 
risk, then all the better.

The IRA used to do this here in the UK; there was one period in 1993 
when they started attacking bits of road infrastructure (like the 
Staples Corner M1/North Circular junction in North London).  After a 
few of these, sometimes they would phone up a news source, give their 
identification keywords and name a few popular motorway 
intersections.  The end result was transport chaos, as the police 
essentially shut down the main road backbone of the country.  The IRA 
didn't plant the bombs, but there was no way of knowing that without 
checking.  And so the country had its roads shut down at no risk 
whatsoever to the active IRA members.  Terrorism without effort or 
risk: all you need is a payphone and knowledge of the expected 
behaviors of the security forces.  Best yet, because the feigned 
attacks can be achieved without loss of life, it does not incur any 
moral doubts by your supporters (in this case, anyone in the U.S. who 
donated money to "the cause," the population of Crossmaglen, County 
Armagh, etc.).

Which brings me to the airlines.  If all you need to do to bring 
high-profile disruption is to have the government intercept a phone 
call that names a flight, or a city and a key word "dirty-bomb," then 
all you need to do is make such phone calls in a way that strives for 
"interception."  Or you predict what criteria passenger profiling will 
be using, and buy one-way tickets under suspicious names -- with no 
intention of turning up at all.

I am not sure al-Qaeda have adopted such tactics yet -- perhaps a 
belief in the glory of martyrdom has obscured their minds to the joy of 
survival -- but given how massively the orange-alert governments are 
being seen to overreact, I would expect them to pick up the technique.



From: Mike Stay <staym@clear.net.nz>
Subject: Cryptogram: MS Word Forms Password

Eric Thompson of AccessData wrote a program more than ten years ago to 
reverse that particular hash on MS Word files; Microsoft never changed 
that protection.  There's almost identical functionality in Excel, with 
the same weakness.  I wrote almost all the rest of the password 
crackers found at 
<http://www.accessdata.com/Product00_Overview.htm#Modules>.  Of the 50 
listed there, more than half work exactly the same way as the attack 
described on SecurityFocus; if you overwrite a few bytes with a hex 
editor, the password protection is gone, and can be restored just as 
easily.



From: Paul Schumacher <psch@optonline.net>
Subject: Security can be Terrorism's Best Ally

Having worked in Psyops (psychological warfare) in the Army many years 
ago, I learned about the tactical use of psychology.  One of my 
programs was about land crabs, and how they stripped the flesh from the 
bones of shipwrecked sailors too weak to crawl up off the beach.  The 
night this was delivered to a battalion of Marines on the 
land-crab-infested beaches of Vieques, none of them got much sleep.

The point is that the real target of terrorism is the mind of the 
victim, not their body or property.  Like a perverse form of jujitsu, 
the very security we put in place to protect us from terror attacks can 
be used as a key part of the attack.

For example, airports have dogs and devices for detecting the chemical 
emissions from explosives.  If I took a small perfume sprayer and 
filled it with nitrobenzene (used in firearm bore cleaning solvents) 
and sprayed people's luggage with it as they awaited security 
screening, the airport would soon be shut down due to the threat 
perceived by security.  Or if I sprayed the seats in the airport's 
lounge or restaurant, the bomb-sniffing dogs would become butt-sniffing 
dogs, to the major embarrassment of security.  This last, while 
humorous, would go a long way toward discrediting the security force.

With both of these, I have both terrorized and inconvenienced the 
public.  They have been kept from a timely departure, and reminded that 
they are vulnerable to terrorism.  I have taken from the credibility of 
the security force by having them react, appropriately, to a situation 
that was a threat, but to the general public was not.  How were they to 
know that my spray was just a physically harmless terror attack, and 
not a mask to cover a real attack?  I have successfully attacked and 
terrorized the minds of everyone involved.



From: Tim Goudy <packrat42@earthlink.net>
Subject: Voting booths and Camera phones

In the January 15th issue one of your readers, Andrew Odlyzko, stated 
that "The voting booth does provide some security against bribery and 
coercion, but only as long as we can stop camera phones from being used 
in them!" The implication is that camera-equipped cell phones will 
increase the risk of bribery and coercion by allowing the briber and/or 
coercer a means of verifying that a vote has been cast in accordance 
with their wishes.  This is not, in fact, a significant risk.

Consider a hypothetical situation: Alice is going to her polling place 
to vote.  On the way, she is approached by Bob, who wishes to bribe her 
to vote for a particular candidate.  Alice is to send Bob an image of 
the completed ballot via her camera phone in order to verify that she 
has completed her part of the scheme.  Inside the privacy of the voting 
booth, Alice marks her ballot as Bob has specified, photographs it, and 
sends Bob the image.  Alice then approaches a poll worker and says 
"Excuse me, but I've mismarked my ballot.  I need another one, please." 
Alice then proceeds to vote for the candidate of her choice and also 
collect her bribe money from Bob.  The risk of Bob discovering this is 
minimal, since there is no way to link Alice to a particular vote once 
it is cast.


** *** ***** ******* *********** *************

CRYPTO-GRAM is a free monthly newsletter providing summaries, analyses, 
insights, and commentaries on security: computer and otherwise.  Back 
issues are available on <http://www.schneier.com/crypto-gram.html>.

To subscribe, visit <http://www.schneier.com/crypto-gram.html> or send 
a blank message to crypto-gram-subscribe@chaparraltree.com.  To 
unsubscribe, visit <http://www.schneier.com/crypto-gram-faq.html>.

Comments on CRYPTO-GRAM should be sent to 
schneier@counterpane.com.  Permission to print comments is assumed 
unless otherwise stated.  Comments may be edited for length and clarity.

Please feel free to forward CRYPTO-GRAM to colleagues and friends who 
will find it valuable.  Permission is granted to reprint CRYPTO-GRAM, 
as long as it is reprinted in its entirety.

CRYPTO-GRAM is written by Bruce Schneier.  Schneier is the author of 
the best sellers "Beyond Fear," "Secrets and Lies," and "Applied 
Cryptography," and an inventor of the Blowfish and Twofish 
algorithms.  He is founder and CTO of Counterpane Internet Security 
Inc., and is a member of the Advisory Board of the Electronic Privacy 
Information Center (EPIC).  He is a frequent writer and lecturer on 
security topics.  See <http://www.schneier.com>.

Counterpane Internet Security, Inc. is the world leader in Managed 
Security Monitoring.  Counterpane's expert security analysts protect 
networks for Fortune 1000 companies world-wide.  See 
<http://www.counterpane.com>.

Copyright (c) 2004 by Bruce Schneier.
