Network Security
FW: CRYPTO-GRAM, March 15, 2004
- From: Howell, Paul
- Date: Mon Mar 15 06:53:03 2004
> -----Original Message-----
> From: crypto-gram-return-74-grue=merit.edu@chaparraltree.com
> [mailto:crypto-gram-return-74-grue=merit.edu@chaparraltree.com] On Behalf Of Bruce Schneier
> Sent: Monday, March 15, 2004 2:15 AM
> To: crypto-gram@chaparraltree.com
> Subject: CRYPTO-GRAM, March 15, 2004
>
>
> CRYPTO-GRAM
>
> March 15, 2004
>
> by Bruce Schneier
> Founder and CTO
> Counterpane Internet Security, Inc.
> schneier@counterpane.com
> <http://www.schneier.com>
> <http://www.counterpane.com>
>
>
> A free monthly newsletter providing summaries, analyses, insights, and
> commentaries on security: computer and otherwise.
>
> Back issues are available at
> <http://www.schneier.com/crypto-gram.html>. To subscribe, visit
> <http://www.schneier.com/crypto-gram.html> or send a blank message to
> crypto-gram-subscribe@chaparraltree.com.
>
> Crypto-Gram is also available as an RSS feed:
> <http://www.schneier.com/crypto-gram-rss.xml>
>
>
> ** *** ***** ******* *********** *************
>
> In this issue:
> Microsoft Source Code Leak
> A Social Engineering Virus
> News
> Counterpane News
> Port Knocking
> Crypto-Gram Reprints
> Security Notes from All Over: USPTO
> Password Safe Version 2.0
> The Doghouse: Symbiot Security
> "I am Not a Terrorist" Cards
> Security Risks of Centralization
> Comments from Readers
>
>
> ** *** ***** ******* *********** *************
>
> Microsoft Source Code Leak
>
>
>
> On 13 February, it became known that Windows 2000 and Windows NT source
> code was circulating on the Internet. Microsoft soon confirmed the
> leak, saying that "incomplete portions of Windows 2000 and NT 4.0
> source code was illegally made available on the Internet." Microsoft
> downplayed the loss, and said it represented approximately 15% of
> Windows source code. The leak was soon traced to a Microsoft partner,
> Mainsoft. The Windows NT code that was leaked consisted of all of NT
> 4.0 Service Pack 3 -- more than 27,000 files. The Windows 2000 code
> only contained select portions of the source code, but did include the
> PKI module.
>
> I am stunned that Microsoft didn't immediately know exactly who leaked
> the code. There are easy techniques to give each version of the
> Microsoft source code files a unique watermark, such that any copy can
> be traced back to its source. The fact that they didn't bother doing
> this says a lot about their own internal security.
>
> It is interesting to speculate who might make use of the code. The
> obvious group are hackers, who could pore through the code looking for
> vulnerabilities to exploit. These could be hackers working on their
> own, in the employ of spammers, or maybe as part of organized crime. I
> believe that there will be some of this, but not that much. It's not
> as if Microsoft vulnerabilities are hard to find, and that people need
> the source code in order to find them.
>
> Another possible group are companies writing compatible software. I
> doubt there's much use here. It's just not worth the money for a team
> of programmers to pore through the source code looking for hidden
> system calls and programming tricks, especially since there's no
> guarantee that those tricks will still work in the next revision of the
> software.
>
> A third group are attorneys looking for lawsuits. It has long been
> rumored that Windows contains shortcuts that only Microsoft software
> has access to, and that are denied to competing products. It might be
> worth it for an attorney to hire a team of programmers to look for a
> smoking gun, code that specifically helps Microsoft Office or hinders
> StarOffice, for example. But even so, my guess is that it's too risky
> a gamble.
>
> National intelligence organizations are a fourth group that might be
> interested in the code. It's certainly possible, but I believe that
> any intelligence organization worth its salt that wants a copy of the
> code already has it.
>
> Microsoft's reaction demonstrates that they've thought about this,
> too. According to an Information Week article, "Microsoft said
> Wednesday that it has sent warning letters to people who've illegally
> downloaded Windows source code." If you only think about the hacker
> threat, this is an extraordinarily dumb move. The code is already out
> there. It's public. There's no taking it back. Any bad guys who want
> the code now have it, and won't be deterred by any lawyer letter. The
> only thing Microsoft's lawyers are doing is preventing any good guys
> from looking at the code, and maybe finding vulnerabilities that
> Microsoft can then fix.
>
> But if you realize that Microsoft's primary fear is probably other
> attorneys, then their move makes sense. They want to limit the number
> of good guys that can access the code, because they're afraid of what
> might be found.
>
> A company that truly understands data security would respond by
> admitting and trying to fix the security breach that caused the leak,
> and by proactively poring over the released code to quickly patch as
> many of the inevitable bugs as possible. They would realize that the
> hackers have the code and might use it, and not prevent the good guys
> from helping defend themselves.
>
> I even think they would have gotten better PR by doing that than they
> did by calling in the lawyers.
>
>
> <http://www.informationweek.com/story/showArticle.jhtml?articleID=17701340>
> or <http://tinyurl.com/3a2w3>
> <http://www.winnetmag.com/windowspaulthurrott/Article/ArticleID/41788/windowspaulthurrott_41788.html>
> or <http://tinyurl.com/26kca>
> <http://www.cnn.com/2004/TECH/internet/02/13/microsoft.code.ap/>
> <http://news.com.com/2100-7349_3-5158496.html>
>
> Report that Mainsoft is the source of the leak:
> <http://www.eweek.com/article2/0,4149,1526831,00.asp>
>
>
> ** *** ***** ******* *********** *************
>
> A Social Engineering Virus
>
>
>
> Years ago I talked about the rise of semantic attacks: computer attacks
> that target the user instead of semantics in the computer
> software. One obvious example of this is malicious e-mails that try to
> entice the user to click on the attachment. They've been around for a
> while, and they continue to get better. This is one I recently
> received. (The attachment is the Bagle.J virus.) Although it still
> has some grammatical errors that seem to be the hallmark of this sort
> of thing--are any virus spreaders competent English writers?--it's very
> convincing:
>
> Dear user, the management of DOMAIN.COM mailing system wants to let you
> know that,
>
> Some of our clients complained about the spam (negative e-mail content)
> outgoing from your e-mail account. Probably, you have been infected by
> a proxy-relay Trojan server. In order to keep your computer safe,
> follow the instructions.
>
> Please, read the attach for further details.
>
> Attached file protected with the password for security reasons.
> Password is 64003.
>
> The Management,
> The DOMAIN.COM team
> http://www.DOMAIN.COM
>
> [Attachment called "message.zip"]
>
>
> My essay on semantic attacks:
> <http://www.schneier.com/crypto-gram-0010.html#1>
>
>
> ** *** ***** ******* *********** *************
>
>
> News
>
>
>
> Very good article about the mathematics behind Rijndael, the Advanced
> Encryption Standard. <http://research.sun.com/people/slandau/maa1.pdf>
>
> Here's an obvious twist on the "bad guys smuggle a bomb on an airplane"
> story. The bad guys smuggle the bomb on in parts, one at a time,
> through security, and then assemble the device on board. I am reminded
> of the MIT group that managed to win millions at casinos by counting
> cards in blackjack. The casinos knew how to spot card counters, but
> the group divided the tasks up among several people, such that none of
> them individually was suspicious. This tactic of distributing an
> attack works in several different security domains, and can be very
> difficult to prevent.
> <http://observer.guardian.co.uk/international/story/0,6903,1143524,00.html>
> or <http://tinyurl.com/2jqdg>
>
> Honeypots in wireless networks.
> <http://www.securityfocus.com/infocus/1761>
>
> Exploit code for a recent ASN.1 vulnerability is available:
> <http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci950665,00.html>
> or <http://tinyurl.com/2ssku>
>
> Ben Cohen of Ben & Jerry's Ice Cream has launched "The Computer Ate My
> Vote" campaign, to lobby for increased security in electronic voting
> machines. <http://www.wired.com/news/business/0,1367,62294,00.html>
>
> The German police are using SMS to distribute information on missing
> persons and fugitives. Presumably the next step will be pictures.
> <http://www.siliconvalley.com/mld/siliconvalley/news/7965775.htm>
>
> There are now automated tools for Bluetooth hacking. This means that
> it'll increasingly be done by people with less skill, and fewer ethics.
> <http://www.silicon.com/networks/mobile/0,39024665,39118440,00.htm>
>
> Opinion on the futility of anti-spam laws:
> <http://www.silicon.com/research/specialreports/protectingid/0,3800002220,39118479,00.htm>
> or <http://tinyurl.com/37ccq>
>
> Meanwhile, AOL, EarthLink, Microsoft, and Yahoo have filed separate
> suits against spammers in the US, under the CAN-SPAM law. They're
> working together to build their case:
> <http://www.internetretailer.com/dailyNews.asp?id=11500>
> <http://seattlepi.nwsource.com/business/127114_spam18.html>
> <http://www.pcworld.com/news/article/0%2Caid%2C112212%2Cpg%2C1%2C00.asp>
> or <http://tinyurl.com/2t63a>
>
> A movie industry group is suing a company that sells DVD-copying
> software:
> <http://www.siliconvalley.com/mld/siliconvalley/news/editorial/7950558.htm>
> or <http://tinyurl.com/3aphr>
> <http://news.zdnet.co.uk/business/legal/0,39020651,39146323,00.htm>
> <http://www.usatoday.com/tech/world/2004-02-16-canada-music-swamps_x.htm>
> or <http://tinyurl.com/23lj5>
>
> Sad story of the aftermath of identity theft.
> <http://msnbc.msn.com/id/4264051/>
>
> Low-tech credit-card scam. Restaurant workers steal credit card
> numbers from patrons, and then pass them to others who manufacture fake
> credit cards.
> <http://www.mercurynews.com/mld/mercurynews/news/local/7988627.htm>
>
> The courts have ruled that JetBlue did not violate any laws when it
> gave passenger information to U.S. defense contractors. This doesn't
> surprise me. It was a violation of trust, to be sure, but not of law.
> <http://www.usatoday.com/tech/news/techpolicy/2004-02-20-jetblue-privacy_x.htm>
> or <http://tinyurl.com/35axx>
>
> "If hundreds of thousands of people are still blindly clicking on
> attachments in their email, is there any hope of mitigating the threat
> of hundreds of thousands of compromised systems with open backdoors?"
> <http://www.securityfocus.com/columnists/221>
>
> More evidence that technology has made photographs unreliable as
> evidence of truth. Someone doctored a photo of John Kerry at an
> anti-war rally to add Jane Fonda.
> <http://sfgate.com/cgi-bin/article.cgi?f=/c/a/2004/02/20/MNG4S54RGO1.DTL>
> or <http://tinyurl.com/2p9vp>
>
> The Department of Homeland Security's (DHS) Protected Critical
> Infrastructure Information (PCII) program causes security problems. By
> allowing corporations to submit details about security vulnerabilities
> and keep that information secret from the public, it can be used to
> hide negligence or criminal behavior.
> <http://www.securityfocus.com/news/8090>
>
> Another idea for Web surfing privacy:
> <http://zdnet.com.com/2100-1104_2-5164413.html>
>
> There's a new lobbying group in the U.S.: the Cyber Security Industry
> Alliance (CSIA) was formed by eleven security companies.
> <http://www.washingtonpost.com/wp-dyn/articles/A3455-2004Feb24.html>
>
> Patching is still much too difficult, and too many network owners still
> don't do it.
> <http://news.zdnet.co.uk/internet/security/0,39020375,39147340,00.htm>
>
> More cyber-terrorism fear mongering:
> <http://www.latimes.com/technology/la-na-cyber24feb25,1,7457295.story>
>
> Risks of using hotel networks:
> <http://edition.cnn.com/2004/TRAVEL/02/25/biz.trav.security>
>
> Freeware password recovery utilities for Windows:
> <http://freehost14.websamba.com/nirsoft/utils/index.html>
>
> Interesting IDS research:
> <http://www.gcn.com/vol1_no1/daily-updates/25155-1.html>
>
> Another commentary on the open-source vs. closed-source
> security debate. <http://www.theregister.co.uk/content/55/36029.html>
>
> Some companies are trying to limit their liability in the event that
> your personal information gets stolen.
> <http://www.washingtonpost.com/wp-dyn/articles/A31874-2004Mar4.html?referrer%3Demail>
> or <http://tinyurl.com/2rbuc>
>
> How anonymous cell phones used by terrorists were tracked by
> police: <http://www.iht.com/articles/508783.html>
> <http://www.theregister.co.uk/content/28/36060.html>
>
>
> ** *** ***** ******* *********** *************
>
> Counterpane News
>
>
>
> NEW: Crypto-Gram now has an RSS feed:
> <http://www.schneier.com/crypto-gram-rss.xml>
> Anyone who's having trouble getting Crypto-Gram through a spam filter
> might want to consider this option.
>
> Schneier's essay on security and terrorism appeared in the March issue
> of Wired:
> <http://www.schneier.com/essay-wired.html>
>
> Schneier is speaking at PC Forum on March 22nd in Scottsdale.
> <http://www.edventure.com/pcforum/index.cfm>
>
> Schneier is speaking, and will be signing books, at Stacy's Bookstore
> in San Francisco.
>
> Another "Beyond Fear" review:
> <http://www.nwfusion.com/newsletters/sec/2004/0216sec1.html>
>
>
> ** *** ***** ******* *********** *************
>
> Port Knocking
>
>
>
> Port knocking is a clever new computer security trick. It's a way to
> configure a system so that only systems who know the "secret knock" can
> access a certain port. For example, you could build a port-knocking
> defensive system that would not accept any SSH connections (port 22)
> unless it detected connection attempts to closed ports 1026, 1027,
> 1029, 1034, 1026, 1044, and 1035 in that sequence within five seconds,
> then listened on port 22 for a connection within ten seconds.
> Otherwise, the system would completely ignore port 22.
>
> It's a clever idea, and one that could easily be built into VPN systems
> and the like. Network administrators could create unique knocks for
> their networks -- family keys, really -- and only give them to
> authorized users. It's no substitute for good access control, but it's
> a nice addition. And it's an addition that's invisible to those who
> don't know about it.
>
>
> <http://www.linuxjournal.com/article.php?sid=6811>
> <http://www.portknocking.org/>
>
>
> ** *** ***** ******* *********** *************
>
> Crypto-Gram Reprints
>
>
>
> Crypto-Gram is currently in its seventh year of publication. Back
> issues cover a variety of security-related topics, and can all be found
> on <http://www.schneier.com/crypto-gram.html>. These are a selection
> of articles that appeared in this calendar month in other years.
>
> Practical Cryptography:
> <http://www.schneier.com/crypto-gram-0303.html#1>
>
> SSL flaw:
> <http://www.schneier.com/crypto-gram-0303.html#3>
>
> SSL patent infringement:
> <http://www.schneier.com/crypto-gram-0303.html#8>
>
> SNMP vulnerabilities:
> <http://www.schneier.com./crypto-gram-0203.html#1>
>
> Bernstein's factoring breakthrough?
> <http://www.schneier.com./crypto-gram-0203.html#6>
>
> Richard Clarke on 9/11's Lessons
> <http://www.schneier.com./crypto-gram-0203.html#7>
>
> Security patch treadmill:
> <http://www.schneier.com/crypto-gram-0103.html#1>
>
> Insurance and the future of network security:
> <http://www.schneier.com/crypto-gram-0103.html#3>
>
> The "death" of IDSs: <http://www.schneier.com/crypto-gram-0103.html#9>
>
> 802.11 security: <http://www.schneier.com/crypto-gram-0103.html#10>
>
> Software complexity and security:
> <http://www.schneier.com/crypto-gram-0003.html#SoftwareComplexityandSecurity>
>
> Why the worst cryptography is in systems that pass initial
> cryptanalysis: <http://www.schneier.com/crypto-gram-9903.html#initial>
>
>
> ** *** ***** ******* *********** *************
>
> Security Notes from All Over: USPTO
>
>
>
> The ricin patent is no longer available from the U.S. Patent Office
> website.
>
> In October 1962, the U.S. Patent Office granted patent 3,060,165
> regarding the use of ricin as a biological weapon. Published patents
> are, of course, publicly available. That's the whole point of the
> patent process.
>
> All U.S. patents are available from the USPTO website. As the site
> says: "full-text since 1976, full-page images since 1790."
>
> However, this particular patent is no longer in the database. Search
> for it, and you'll get a "Patent not found" image.
>
> <http://patft.uspto.gov/netacgi/nph-Parser?Sect1=PTO1&Sect2=HITOFF&d=PALL&p=1&u=/netahtml/srchnum.htm&r=1&f=G&l=50&s1=3,060,165.WKU.&OS=PN/3,060,165&RS=PN/3,060,165>
> or <http://tinyurl.com/38vbt>
>
> The obvious reason for its removal is fear that it would fall into the
> wrong hands. But the patent is still available in foreign databases,
> so this seems like a rather pointless exercise. You can still get the
> patent from the European Patent Office. The German Patent Office also
> has a version.
>
> More and more, we're seeing the U.S. government take public information
> and try to hide it. Sometimes there are pretty obvious reasons why,
> like this one. Sometimes there are no obvious reasons why, and
> terrorism looks like an excuse. There's resilient security in
> openness, and brittle security in secrecy.
>
>
> European Patent Office copy:
> <http://v3.espacenet.com/textdoc?DB=EPODOC&IDX=US3060165>
>
> German Patent Office:
> <http://depatisnet.dpma.de/>
> Search for it manually: pick a language, choose beginner's search and
> enter the patent number without commas.
>
>
> ** *** ***** ******* *********** *************
>
> Password Safe Version 2.0
>
>
>
> The new version of Password Safe is ready for download.
>
> For those of you who don't know, Password Safe is my free Windows
> password-storage utility. The problem Password Safe addresses is that
> anyone who uses the Web regularly needs too many passwords, and it's
> impossible to remember them all. The solution is a small program that
> secures all of your passwords using one passphrase. Password Safe is
> easy to use, and isn't bogged down by lots of unnecessary
> features. Simplicity equals security. The website has details on
> what's new in Version 2.0.
>
> Password Safe is an open-source project at SourceForge, and is run by
> Rony Shapiro. Thank you to him and to all the other programmers who
> worked on the project. And we're still looking for people willing to
> translate the program to Mac or Palm OS.
>
>
> Project's homepage:
> <http://passwordsafe.sourceforge.net/>
>
> URL for this release:
> <https://sourceforge.net/project/showfiles.php?group_id=41019&package_id=33169&release_id=217889>
> or <http://tinyurl.com/2qnc3>
> Note that most users will want to download the bin.zip file, not the
> bin.src file.
>
> Release notes:
> <https://sourceforge.net/project/shownotes.php?release_id=217889>
>
> Linux version of Password Safe: <http://www.semanticgap.com/myps/>
>
>
> ** *** ***** ******* *********** *************
>
> The Doghouse: Symbiot Security
>
>
>
> Symbiot Security claims to have a product that identifies attackers,
> and then attacks back. Kind of scary, especially since many attacking
> computers are victims themselves and there are all sorts of ways to
> disguise the origin of an attack.
>
> I know that vigilante justice is emotionally satisfying, but it's
> unbecoming of a civilized society. This kind of thing could certainly
> get the user sued, and may be illegal. It certainly is immoral.
>
> <http://www.symbiot.com>
>
> My essay on "strike back" technologies:
> <http://www.schneier.com/crypto-gram-0212.html#1>
>
>
> ** *** ***** ******* *********** *************
>
> "I am Not a Terrorist" Cards
>
>
>
> Journalist and entrepreneur Steve Brill is developing a voluntary,
> fingerprint-based ID card with a background check attached. The
> company is called Verified Identity Card, Inc., and the card is called
> a V-ID.
>
> The idea is for people who are not on a set of government watch lists
> to be able to subscribe to the service (or for organizations to buy it
> for their employees, customers, etc.), and then get faster treatment at
> security checkpoints around the country. Guards would be able to
> divide people into two categories: more-trusted people with a card and
> less-trusted people without a card -- and concentrate their screening
> resources on the less-trusted category.
>
> This topic has so many facets that it's hard to keep them
> straight. There are actually two parallel systems here. The two
> systems use the same card and the same infrastructure, but the security
> analysis is different. The first is an outsourced corporate ID. I
> think this is a fine idea, and a pretty good business model. Better
> security at a cheaper cost -- how could you not like that?
>
> The second system is essentially a voluntary national ID card. This is
> the system I want to talk about in this essay. It's a bad idea, both
> as a security countermeasure and as social policy. It's bad for
> complicated reasons. There's the question of whether the system will
> actually work -- whether the identity card would reduce the risk of
> terrorism. There's the question of whether the two categories of
> people -- cardholders and everyone else -- is a useful categorization,
> and why the government would trust a private company with the terrorist
> watch list. (Brill has presented this system as a solution to the
> problem of innocent people with names similar or identical to that of
> people on the terrorist watch list.) There's the question of whether
> we as a nation want a system that divides people based on whether they
> can afford a card. And there's the larger question of what in the
> world identity has to do with security.
>
> First, let's look at how the system works.
>
> Any American can apply for a card. When you do, your name is compared
> against certain lists: "presence on any government watch list,
> citizenship or legal immigrant status, and the absence of any
> significant, relevant criminal record." As long as your name isn't on
> one of those lists, you are eligible for a card.
>
> (It is not at all clear whether Brill will have access to the terrorist
> watch lists. He has said that the law mandates that he have
> access. He has said that the law mandates that he be able to pass
> names to the government, who will give a "yes or no" response. He has
> said all sorts of things, but the proof will be in the deployment. I'm
> not at all convinced that, at the end of the day, he will have any
> ability to check names against the list.)
>
> To ensure that you are who you say you are, the system uses information
> from the Choicepoint database (Choicepoint is a for-profit company that
> does background checks) to construct a series of questions that only
> you can answer. "Which of these five banks did you get a loan
> from?" "Which of these addresses did you live at once?" You have to
> apply in person, and answer these questions on computer in front of a
> proctor. If you can answer these questions, the system assumes that
> you're not an imposter.
>
> Assuming everything checks out, the proctor records the fingerprints
> (some number of them) of the person and he is issued a V-ID card. This
> is a card that has information about the person; maybe a picture, maybe
> the fingerprint information, and definitely an identification number.
>
> (Presumably the outsourced ID system is similar, with some added
> requirement about the corporation deciding who gets the card, and some
> corporate logo on the card itself. But corporate cards can be used in
> the general system, something Brill hopes will bootstrap that
> system. I'm not sure, though, about what happens when a person on a
> company's payroll is determined to be on a terrorist watch
> list. Presumably the card will work as a corporate ID, but not as a
> national ID.)
>
> Security checkpoints that accept the card have some kind of reader
> device. This device may or may not have the complete database of
> fingerprints. The list of valid cards is definitely updated daily, as
> people get on to (or off, I suppose) the various government lists. It
> has a fingerprint reader and a slot for the card, and some kind of
> visual indicator to let the guards know that the cardholder is okay.
>
> This card is meant to be multi-use. Brill envisions that airports,
> government buildings, stadiums, national monuments, and office
> buildings will screen entrants. People with a card can go into a
> special lane at any of these locations, verify their fingerprint, and
> go through security with less hassle. People without the card would
> have to go through the "unverified" lane, and presumably be more
> extensively screened.
>
> That's how the system is supposed to work. Let's look at how likely it
> is to actually work.
>
> The system hasn't been fully designed yet, but it looks as if the
> fingerprint will be used to authenticate the cardholder, not identify
> him. That's a good thing. I also assume that any data on the card
> will be well-protected. There are, of course, many ways to defeat
> fingerprint readers, but having a guard watch the person put his finger
> on the reader is the best way to ensure its proper use. My worries are
> not about how the system is used, but in the registration and the
> administration of the back-end database.
>
> It certainly would be possible to get a card in a fake name, just as it
> is possible to get any other kind of ID card -- including a passport --
> in a fake name. While the V-ID system won't deliberately issue cards
> to people who should not have them, it will be designed to make it easy
> for people to get cards. The Choicepoint questions are a clever idea,
> but the database was developed to be secure against a very different
> sort of attacker. Someone needs to do a lot of thinking about the
> Choicepoint database as it relates to this new kind of attacker.
>
> Trusted people within Choicepoint and V-ID are, of course, a potential
> problem. Several of the 9/11 terrorists had real Virginia driver's
> licenses in fake names, issued by dishonest state employees. This
> system will not be immune to that sort of problem, although I'm sure
> the creators will take pains to minimize the risk.
>
> I worry about the back-end system. Somewhere there will be a computer
> that generates the questions, matches identity information with
> government databases, and generally administers the system. The
> fingerprint database will be stored somewhere, possibly on every
> reader. These databases would be vulnerable to attack, from insiders
> and outsiders.
>
> One counter-argument to this analysis is that most people won't be able
> to subvert the system, either by defeating the card or the fingerprint
> reader or the back-end database, or by manipulating the system into
> giving them a card in a false name. Most people will either get a card
> (or not) honestly, and use the system correctly. And while a few might
> be able to successfully attack the system, that's no reason to throw it
> out entirely. But the whole point of the system is to work in the face
> of a dedicated and well-funded adversary. Even the argument that most
> terrorists are stupid misses the point. It doesn't matter whether or
> not average people can subvert the system; we want security systems
> that protect us against smart people, especially smart terrorists.
>
> The system is designed to be decentralized, so that someone cannot be
> tracked through the use of the card. It is an open question as to
> whether law enforcement could force the company to change that design
> and use the system to track people. The infrastructure is all there to
> do that: software on the reader and a communications system between the
> readers and some central point. Brill has said that it would be
> impossible, but from his description of the system, that's clearly not
> true. He has also said that this couldn't happen because it would be a
> violation of the contract the V-ID company has with its customers,
> which makes no sense to me.
>
> My primary security concerns surrounding this system stem from what
> it's trying to do. In his writings and speaking, Brill is very careful
> to explain that these are not "trusted traveler cards." He calls them
> "verified identity cards." But the only purpose of his card is to
> divide people into two lines -- a fast line and a slow line, a "search
> less" line and a "search more" line, or whatever. (Each security
> checkpoint that uses the card would develop its own procedures.) This
> division only makes sense if it's based on a degree of trust. If you
> didn't believe that people with the card were more trusted, you
> wouldn't let them go in the fast lane. Here's an example: if I
> designed a card that verified a person's dental hygiene, you wouldn't
> divide people into two security lines based on that card, because you
> know that people with good dental hygiene aren't more trusted than
> people without. On the other hand, it would be valid to use that card
> to divide people into dental service lines based on the assumption that
> the people with good dental hygiene would be able to be treated
> faster. Brill's plan is that people who have the card get a more
> lenient security treatment than people without. Call it what you will,
> but it means that people with the card are more trusted than people
> without.
>
> The reality is that the existence of the card creates a third, and very
> dangerous, category: bad guys with the card. Timothy McVeigh would
> have been able to get one of these cards. The DC sniper and the
> Unabomber would have been able to get this card. Any terrorist mole
> who hasn't done anything yet and is being saved for something big would
> be able to get this card. Some of the 9/11 terrorists would have been
> able to get this card. These are people who are deemed trustworthy by
> the system even though they are not.
>
> And even worse, the system lets terrorists test the system
> beforehand. Imagine you're in a terrorist cell. Twelve of you apply
> for the card, but only four of you get it. Those four not only have a
> card that lets them go through the easy line at security checkpoints;
> they also know that they're not on any terrorist watch lists. Which
> four do you think will be going on the mission? By "pre-approving"
> trust, you're building a system that is easier to exploit.
>
> Moreover, any break in the system is much more serious because it has
> so many applications. The company's literature considers it a problem
> that "Americans now need several identification/security cards." But
> that is actually a security feature. If a terrorist can subvert the
> V-ID system, he can use it to gain access to any facility that uses the
> system. It's a large single point of failure. Contrast that with a
> company ID, which only grants access to a company's
> facilities. Subverting that system would only allow the attacker
> access to those facilities, and nothing else.
>
> This brings up another fundamental question: Why should any security
> checkpoint accept a V-ID card? This system costs money to install in
> airports, sports stadiums, etc. -- they have to buy the card readers --
> so there needs to be some benefit. The claimed benefit is customer
> service; people with the card can get better treatment. Airlines have
> long recognized the problem of forcing their best customers to wait in
> long security lines, and have implemented special lines for first-class
> passengers and high-tier frequent fliers. But for the owner of a
> sports stadium, a person with a V-ID card isn't a higher-tier customer,
> he's just a customer who paid for a V-ID card. What benefit does it
> give to the stadium to separate people on that basis? The only one I
> can think of is liability: by using the V-ID system, they receive some
> kind of shielding from liability issues if someone with the card does
> something nasty.
>
> This is a big deal, and one that is very important to
> Verified Identity
> Card's business. The company wants to be a voluntary
> national ID card,
> but it doesn't want to accept any liability for being one.
> This is why
> they try very hard not to call people with the card "trusted" in any
> way. But why would a business accept the card if, when
> someone with a
> card caused a problem, the business was liable? The business trusted
> the card and the company backing it to tell it who is trusted and who
> is not. The reason businesses accept government-issued
> identification
> is that the courts consider it a reasonable check. A liquor store
> owner can stand up in court and say: "He had a driver's
> license." What
> does "he had a V-ID card" mean, unless the V-ID company is willing to
> accept liability?
>
> From their point of view, I think the V-ID company is smart not to
> want to accept liability. The company is 100% correct when they say
> that a person with a card isn't more trusted than a person without a
> card, even though by saying so they are exposing the huge
> hole in their
> business model. If a building's management decides that it
> is going to
> run people through a metal detector, it makes no sense for
> them to only
> screen people without a V-ID card. If an airport wants to implement
> "extra" screening procedures on a few passengers, it makes no
> sense for
> them to make that decision based on whether or not a passenger has a
> V-ID card. Terrorists come in all shapes and sizes, and the
> last thing
> we want is a terrorist with a V-ID card to be able to operate with
> impunity.
>
> Security is always a trade-off. The question to ask is not
> "Does this
> system make us safer?" Otherwise we'd all be wearing
> bulletproof vests
> and locking ourselves in our bedrooms. The question to ask is: "Is
> this system worth the trade-offs?" The V-ID system has some pretty
> serious trade-offs. The system collects a fingerprint database on
> everyone who applies for the card -- a database that can be used and
> abused by anyone with access, legitimate or illegitimate.
>
> The system creates a social division of haves and have-nots
> based on an
> ability to pay for the card. The system puts an infrastructure in
> place for surveillance; even though the proposed system takes
> pains to
> ensure that no information is collected about how people use
> the card,
> it's not unreasonable to assume that this kind of data
> collection might
> be added in the future. And it's expensive. The cost of the system
> won't just be borne by those willing to pay for preferential
> treatment;
> infrastructure costs will be passed on to all consumers somehow.
>
> And what do we get for those costs? We get a security system with
> built-in flaws. We get a system that divides people into two
> categories that don't correlate very well with how dangerous they
> are. We get a system that's a single point of failure, and one that
> terrorists can use to their advantage. We get a system that collects
> data on all users, innocent or not, with all the potential security
> problems that can cause.
>
> And we get a system that concentrates security resources on
> terrorism,
> when the more serious problems are criminal. On 24 July
> 1998, Russell
> Weston Jr. walked into the U.S. Capitol and started shooting, killing
> two. Despite being known to the Secret Service and having been
> investigated previously, he was not a "terrorist" threat. He would
> likely have been able to get a V-ID card.
>
> Identification has minimal security value, but it does have some. On
> the other hand, freedom, privacy, and liberty are all values we
> cherish, and they are the values that give our country its greatest
> security. Citizens have rightly refused a national ID card because
> they realize that the costs are simply not worth the security. A
> system that issues ID cards to only those wealthy enough to
> afford them
> is even worse.
>
> Brill said that he doesn't believe in democratizing security, that it
> doesn't make sense to apply the same security scrutiny to
> everyone. I
> think that, at core, is the problem here. He thinks that he
> should be
> able to get into a building without waiting in line because
> he is more
> trustworthy. But by building a system that allows him to do so, we
> run the risk of infringing on the rights of convicted felons
> who have
> already paid their debt to society. We move from an "innocent until
> proven guilty" society to a "treat some people as guilty,
> just in case"
> one. It's a dangerous road to travel.
>
>
> Press release:
> <http://www.prnewswire.com/cgi-bin/stories.pl?ACCT=SVBIZINK3.story&STORY=/www/story/10-23-2003/0002042658&EDATE=THU+Oct+23+2003,+09:05+AM> or
> <http://tinyurl.com/s1nt>
>
> News articles: <http://209.157.64.200/focus/f-news/1006499/posts>
> <http://www.wired.com/news/business/0,1367,60965,00.html>
>
>
> ** *** ***** ******* *********** *************
>
> Security Risks of Centralization
>
>
>
> In discussions with Brill, he regularly said things like: "It's
> obviously better to do something than nothing." Actually, it's not
> obvious. Replacing several decentralized security systems with a
> single centralized security system can actually reduce the overall
> security, even though the new system is more secure than the systems
> being replaced.
>
> An example will make this clear. I'll postulate piles of
> money secured
> by individual systems. The systems are characterized by the cost to
> break them. A $100 pile of money secured by a $200 system is secure,
> since it's not worth the cost to break. A $100 pile of money secured
> by a $50 system is insecure, since an attacker can make $50 profit by
> breaking the security and stealing the money.
>
> Here's my example. There are 10 $100 piles, each secured by
> individual
> $200 security systems. They're all secure. There are
> another 10 $100
> piles, each secured by individual $50 systems. They're all insecure.
>
> Clearly something must be done.
>
> One suggestion is to replace all the individual security systems by a
> single centralized system. The new system is much better
> than the ones
> being replaced; it's a $500 system.
>
> Unfortunately, the new system won't provide more security. Under the
> old systems, 10 piles of money could be stolen at a cost of $50 per
> pile; an attacker would realize a total profit of $500.
> Under the new
> system, we have 20 $100 piles all secured by a single $500
> system. An
> attacker now has an incentive to break that more-secure system, since
> he can steal $2000 by spending $500 -- a profit of $1500.
>
> The problem is centralization. When individual security systems are
> combined in one centralized system, the incentive to break that new
> system is generally higher. Even though the centralized
> system may be
> harder to break than any of the individual systems, if it is
> easier to
> break than ALL of the individual systems, it may result in less
> security overall.
>
> There is a security benefit to decentralized security.
>
>
> ** *** ***** ******* *********** *************
>
> Comments from Readers
>
>
>
> From: "Ryan Malayter" <rmalayter@bai.org>
> Subject: Identification and Security
>
> I agree IDs are easy to forge, and don't offer any real
> assurance as to
> the identity or intent of those being screened, for the reasons you
> mention.
>
> However, I always assumed that the authorities knew this, and
> identification checks were designed to do something else: allow
> security officers to study the behavior of those while being screened.
>
> I knew a guy who used to check IDs at a bar in college, and he was
> almost unbeatable. Some of the fakes were very good. Some were even
> real state-issued IDs obtained with false documents. He could still
> spot most of the would-be underage patrons, though, because of their
> behavior while they handed him the ID. Sweaty palms, looking at the
> ground, an overconfident smile, or an inane "cover conversation" gave
> many of the kids away.
>
> Even a well-trained terrorist would have a hard time not
> showing *any* signs of anxiety while his ID was being checked by a
> uniformed security official. Unfortunately, I suspect many TSA
> employees have little or no training in identifying this type of
> behavior. In the bar example, such training was obtained
> only through
> years of observation and experience.
>
> Of course, this "behavioral observation" is certainly an error-prone
> process, but it could be very useful for identifying a pool of people
> who might need further screening. Is it too much to hope that
> providing a forum for such "behavior study" is the real
> reason for the
> proliferation of ID checkpoints in our post-9/11 society, and
> not some
> mass delusion on the part of security officials?
>
>
>
> From: DV Henkel-Wallace <gumby@henkel-wallace.org>
> Subject: Identification and Security
>
> ID checks are more useless and pernicious than you state. In most
> cases you don't need a false ID -- a legitimate ID will do.
> These "ID
> checks" at hospitals, government buildings, trade shows (!) and the
> like usually don't even involve any check to see if you're on
> any list
> of any sort.
>
> They merely check to see that you are carrying a document that looks
> like legitimate identification. I've successfully used my
> now-obsolete
> Price Club card, my National Shooting Club photo ID (a handwritten
> document, although it _is_ laminated) and the like to get into office
> buildings. And why not? The "check" doesn't verify anything
> about me
> anyway.
>
> What this DOES accomplish is 1) keep homeless people out of
> courthouses, 2) keep those who wish to be anonymous from leaving a
> message for their senator and 3) build a culture that accepts
> a routine
> request for "Your papers, please."
>
> Personally, I don't consider any of those useful
> accomplishments. But
> perhaps I'm in the minority.
>
>
>
> From: "Bruce Ediger" <eballen1@qwest.net>
> Subject: The Economics of Spam
>
> Hi. I read your Feb 15th "Crypto-Gram" newsletter with some
> interest,
> in particular your "Economics of Spam" article.
>
> I like that you treated spamming as an economic fact, but I think you
> missed two points:
>
> 1. Of course Gates would decide that someone should pay for
> e-mails. That's the only way that Microsoft can turn e-mail into a
> profit center. They already have plans in progress to put copy
> protection (DRM) on all Windows boxes, so Gates probably figures that
> the DRM infrastructure could have a second use in e-mail. Imposing a
> fee structure and copy protection on e-mails also allows them to
> overthrow the current open standard SMTP transport of e-mail. Gates
> has a keen awareness that commodity protocols get copied very rapidly.
>
> 2. The profitability of spam as advertising depends on very
> weak market
> forces on that form of advertising. Spam has the unique
> property that
> each and every recipient helps pay for the advertising (on-line time,
> CPU cycles, disk space, etc) *before* the spam victim gets a
> chance to
> decide to buy the advertised product or not. This differs completely
> from any other form of advertising except telemarketing and
> junk-faxing. Billboards, radio and TV spots, magazine and newspaper
> ads, and direct mailings all require the advertiser to bear
> 100% of the
> ad's costs. Of course, the small percentage that decide to buy the
> advertised product end up paying for the advertising, but the key
> aspect of buyer's choice remains. A conventional ad has to
> not offend
> almost all potential buyers. Otherwise, the Invisible Hand
> spanks the
> people who make the advertised product. The Invisible Hand of the
> Marketplace only weakly affects spammers, as some or most of the ad's
> cost has already been borne by the advertised-to.
>
>
>
> From: Ralf Holzer <rholzer@cmu.edu>
> Subject: US-VISIT Exemptions and Error Rates
>
> You repeatedly mentioned that all but 27 countries are subject to the
> fingerprinting and photographing measures (US-VISIT) now in effect at
> most American ports of entry. I just wanted to point out that these
> exemptions are mostly for tourists. I am a graduate student from
> Germany with an F-1 visa and I have to go through the same
> fingerprinting and photographing procedures. Tourists from
> Germany and
> other European countries are only exempt because all European
> passports
> will be required to have biometric identification in order to be able
> to enter the U.S. beginning this fall.
>
> A fellow student from a country requiring special
> registration has told
> me that he now has several different profiles registered with
> US-VISIT,
> because the system keeps falsely identifying his fingerprint. The
> immigration officer seemed to be clueless about how to correct
> this. Such a high error rate really makes me wonder about the
> effectiveness of US-VISIT.
>
>
>
> From: rfleming@cultdeadcow.com
> Subject: Supermarket Club Card Databases
>
> About a week ago, some junk mail arrived at my home from Albertson's
> supermarket, announcing the creation of their new club card. The ad
> copy declares: "The labor dispute has been tough on
> everyone. But one
> thing we know for sure -- the day it's over, you're going to
> save like
> never before. Great low prices and extra special values will be
> yours... with the new Albertsons Sav-on Preferred Savings
> Card. Sign up
> today!"
>
> It got me thinking. Safeway and Ralph's (the other two supermarkets
> affected by the strike) already have club cards. And one
> thing THEY now
> know for sure is which of their customers are willing to cross picket
> lines to buy groceries, and which aren't.
>
> In other words, the purchase patterns contained in the Safeway and
> Ralph's club card databases could be EASILY mined for individual
> customers' sympathies to organized labor.
>
> Think about that. The next time somebody applies for a job at his
> neighborhood Safeway or Ralph's, should he expect them to check his
> 2003-2004 shopping habits for hints that he might be pro- or
> antiunion?
> And what's keeping the supermarkets from offering this data to other
> employers, or even the custodians of the Total Information Awareness
> program?
>
>
> ** *** ***** ******* *********** *************
>
> CRYPTO-GRAM is a free monthly newsletter providing summaries,
> analyses,
> insights, and commentaries on security: computer and otherwise. Back
> issues are available on <http://www.schneier.com/crypto-gram.html>.
>
> To subscribe, visit
> <http://www.schneier.com/crypto-gram.html> or send
> a blank
> message to
> crypto-gram-subscribe@chaparraltree.com. To
> unsubscribe, visit <http://www.schneier.com/crypto-gram-faq.html>.
>
> Comments on CRYPTO-GRAM should be sent to
> schneier@counterpane.com. Permission to print comments is assumed
> unless otherwise stated. Comments may be edited for length
> and clarity.
>
> Please feel free to forward CRYPTO-GRAM to colleagues and friends who
> will find it valuable. Permission is granted to reprint CRYPTO-GRAM,
> as long as it is reprinted in its entirety.
>
> CRYPTO-GRAM is written by Bruce Schneier. Schneier is the author of
> the best sellers "Beyond Fear," "Secrets and Lies," and "Applied
> Cryptography," and an inventor of the Blowfish and Twofish
> algorithms. He is founder and CTO of Counterpane Internet Security
> Inc., and is a member of the Advisory Board of the Electronic Privacy
> Information Center (EPIC). He is a frequent writer and lecturer on
> security topics. See <http://www.schneier.com>.
>
> Counterpane Internet Security, Inc. is the world leader in Managed
> Security Monitoring. Counterpane's expert security analysts protect
> networks for Fortune 1000 companies world-wide. See
> <http://www.counterpane.com>.
>
> Copyright (c) 2004 by Bruce Schneier.
>
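The cost-to-break model from the "Security Risks of Centralization" section of the forwarded newsletter, worked through as an added example. This is not code from Crypto-Gram or its author; the `Pile`, `attacker_profit`, `centralize` and `breakeven_central_cost` names are my own, and the figures are constructed from the essay's numbers (ten $100 piles behind $200 systems, ten behind $50 systems, replaced by one $500 system). It generalizes the essay's single case: given any set of piles it reports the attacker's profit before and after centralization, and the break cost a single system would need just to match the decentralized arrangement.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Pile:
    """A pile of money guarded by a security system that the essay characterises
    by one number only: what it costs an attacker to break it."""
    value: int       # dollars behind the system
    break_cost: int  # dollars the attacker must spend to defeat it


def attacker_profit(piles: List[Pile]) -> int:
    """A rational attacker breaks exactly the systems whose contents exceed the
    cost of breaking them and leaves the rest alone. The total profit is the
    essay's measure of how insecure the arrangement is (0 means secure)."""
    return sum(p.value - p.break_cost for p in piles if p.value > p.break_cost)


def centralize(piles: List[Pile], break_cost: int) -> List[Pile]:
    """Replace every individual system with one system guarding all the money."""
    return [Pile(value=sum(p.value for p in piles), break_cost=break_cost)]


def breakeven_central_cost(piles: List[Pile]) -> int:
    """Smallest break cost a single centralized system needs so that the
    attacker's profit is no higher than under the systems it replaces.
    The centralized attacker's profit is max(0, total_value - cost), so the
    threshold is total_value - decentralized_profit."""
    return sum(p.value for p in piles) - attacker_profit(piles)


def compare(piles: List[Pile], central_cost: int) -> Tuple[int, int]:
    """Attacker profit before and after centralization."""
    return attacker_profit(piles), attacker_profit(centralize(piles, central_cost))


# Constructed from the essay's figures (hypothetical names, my own):
# ten $100 piles behind $200 systems, ten $100 piles behind $50 systems,
# all to be replaced by a single $500 system.
ESSAY_PILES = [Pile(100, 200)] * 10 + [Pile(100, 50)] * 10
ESSAY_CENTRAL_COST = 500


if __name__ == "__main__":
    before, after = compare(ESSAY_PILES, ESSAY_CENTRAL_COST)
    # Only the ten $50 systems are worth breaking: 10 * ($100 - $50) = $500
    print(f"decentralized: attacker profit ${before}")
    # One $500 system in front of $2000: $2000 - $500 = $1500
    print(f"centralized ($500 system): attacker profit ${after}")
    # A central system must cost at least $1500 to break just to match the status quo
    print(f"break-even central cost: ${breakeven_central_cost(ESSAY_PILES)}")
```

The break-even figure is the check a practitioner would want before consolidating: a replacement system is only a net gain if its cost to break exceeds the total value it now guards minus whatever an attacker could already extract from the separate systems, not merely if it is stronger than any one of them.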
------------------------------------------------------------------------
To unsubscribe from netsec, send mail to majordomo@merit.edu
with a body consisting of the words "unsubscribe netsec" --
without the quotes. For more help, send a message to majordomo@merit.edu
with the word "help" as the body.
------------------------------------------------------------------------