
[Netsec] FW: CRYPTO-GRAM, May 15, 2011




-----Original Message-----
From: Bruce Schneier <schneier@SCHNEIER.COM>
Reply-To: Bruce Schneier <schneier@SCHNEIER.COM>
Date: Sat, 14 May 2011 21:04:28 -0400
To: "CRYPTO-GRAM-LIST@LISTSERV.MODWEST.COM"
<CRYPTO-GRAM-LIST@LISTSERV.MODWEST.COM>
Subject: CRYPTO-GRAM, May 15, 2011

>                  CRYPTO-GRAM
>
>                  May 15, 2011
>
>               by Bruce Schneier
>       Chief Security Technology Officer, BT
>              schneier@schneier.com
>             http://www.schneier.com
>
>
>A free monthly newsletter providing summaries, analyses, insights, and
>commentaries on security: computer and otherwise.
>
>For back issues, or to subscribe, visit
><http://www.schneier.com/crypto-gram.html>.
>
>You can read this issue on the web at
><http://www.schneier.com/crypto-gram-1105.html>.  These same essays and
>news items appear in the "Schneier on Security" blog at
><http://www.schneier.com/blog>, along with a lively comment section.  An
>RSS feed is available.
>
>
>** *** ***** ******* *********** *************
>
>In this issue:
>      Status Report: "The Dishonest Minority"
>      RFID Tags Protecting Hotel Towels
>      News
>      Hijacking the Coreflood Botnet
>      Schneier News
>      Drugging People and Then Robbing Them
>      Interviews with Me About the Sony Hack
>
>
>** *** ***** ******* *********** *************
>
>      Status Report: "The Dishonest Minority"
>
>
>
>Three months ago, I announced that I was writing a book on why security
>exists in human societies.  This is basically the book's thesis statement:
>
>     All complex systems contain parasites.  In any system of
>     cooperative behavior, an uncooperative strategy will be effective
>     -- and the system will tolerate the uncooperatives -- as long as
>     they're not too numerous or too effective. Thus, as a species
>     evolves cooperative behavior, it also evolves a dishonest minority
>     that takes advantage of the honest majority.  If individuals
>     within a species have the ability to switch strategies, the
>     dishonest minority will never be reduced to zero.  As a result,
>     the species simultaneously evolves two things: 1) security systems
>     to protect itself from this dishonest minority, and 2) deception
>     systems to successfully be parasitic.
>
>     Humans evolved along this path.  The basic mechanism can be
>     modeled simply.  It is in our collective group interest for
>     everyone to cooperate. It is in any given individual's short-term
>     self-interest not to cooperate: to defect, in game theory terms.
>     But if everyone defects, society falls apart.  To ensure
>     widespread cooperation and minimal defection, we collectively
>     implement a variety of societal security systems.
>
>     Two of these systems evolved in prehistory: morals and reputation.
>     Two others evolved as our social groups became larger and more
>     formal: laws and technical security systems.  What these security
>     systems do, effectively, is give individuals incentives to act in
>     the group interest.  But none of these systems, with the possible
>     exception of some fanciful science-fiction technologies, can ever
>     bring that dishonest minority down to zero.
>
>     In complex modern societies, many complications intrude on this
>     simple model of societal security. Decisions to cooperate or
>     defect are often made by groups of people -- governments,
>     corporations, and so on -- and there are important differences
>     because of dynamics inside and outside the groups. Much of our
>     societal security is delegated -- to the police, for example --
>     and becomes institutionalized; the dynamics of this are also
>     important.
>
>     Power struggles over who controls the mechanisms of societal
>     security are inherent: "group interest" rapidly devolves to "the
>     king's interest."  Societal security can become a tool for those
>     in power to remain in power, with the definition of "honest
>     majority" being simply the people who follow the rules.
>
>     The term "dishonest minority" is not a moral judgment; it simply
>     describes the minority who does not follow societal norms.  Since
>     many societal norms are in fact immoral, sometimes the dishonest
>     minority serves as a catalyst for social change.  Societies
>     without a reservoir of people who don't follow the rules lack an
>     important mechanism for societal evolution.  Vibrant societies
>     need a dishonest minority; if society makes its dishonest minority
>     too small, it stifles dissent as well as common crime.
>
>At this point, I have most of a first draft: 75,000 words.  The
>tentative title is still "The Dishonest Minority: Security and its Role
>in Modern Society."  I have signed a contract with Wiley to deliver a
>final manuscript in November for February 2012 publication.  Writing a
>book is a process of exploration for me, and the final book will
>certainly be a little different -- and maybe even very different -- from
>what I wrote above.  But that's where I am today.
>
>And it's why my other writings -- and the issues of Crypto-Gram --
>continue to be sparse.
>
>Lots of comments -- over 200 -- to the blog post.  Please comment there;
>I want the feedback.
>http://www.schneier.com/blog/archives/2011/02/societal_securi.html
>
>
>** *** ***** ******* *********** *************
>
>      RFID Tags Protecting Hotel Towels
>
>
>
>The stealing of hotel towels isn't a big problem in the scheme of world
>problems, but it can be expensive for hotels.  Sure, we have moral
>prohibitions against stealing -- that'll prevent most people from
>stealing the towels.  Many hotels put their name or logo on the towels.
>  That works as a reputational societal security system; most people
>don't want their friends to see obviously stolen hotel towels in their
>bathrooms.  Sometimes, though, this has the opposite effect: making
>towels and other items into souvenirs of the hotel and thus more
>desirable to steal.  It's against the law to steal hotel towels, of
>course, but with the exception of large-scale thefts, the crime will
>never be prosecuted.  (This might be different in third world countries.
>  In 2010, someone was sentenced to three months in jail for stealing
>two towels from a Nigerian hotel.)  The result is that more towels are
>stolen than hotels want.  And for expensive resort hotels, those towels
>are expensive to replace.
>
>The only thing left for hotels to do is take security into their own
>hands.  One system that has become increasingly common is to set prices
>for towels and other items -- this is particularly common with bathrobes
>-- and charge the guest for them if they disappear from the rooms.  This
>works with some things, but it's too easy for the hotel to lose track of
>how many towels a guest has in his room, especially if piles of them are
>available at the pool.
>
>A more recent system, still not widespread, is to embed washable RFID
>chips into the towels and track them that way.  The one data point I
>have for this is an anonymous Hawaii hotel that claims they've reduced
>towel theft from 4,000 a month to 750, saving $16,000 in replacement
>costs monthly.
>
>Assuming the RFID tags are relatively inexpensive and don't wear out too
>quickly, that's a pretty good security trade-off.
>
>Blog entry URL:
>http://www.schneier.com/blog/archives/2011/05/rfid_tags_prote.html
>
>Stealing hotel items:
>http://today.msnbc.msn.com/id/31046570
>
>Nigerian case:
>http://travel.usatoday.com/hotels/post/2010/09/woman-faces-jailed-for-stea
>ling-hotel-towels-at-hilton-hotel-/114364/1
>or http://tinyurl.com/3z7p98w
>
>RFID chips in towels:
>http://intransit.blogs.nytimes.com/2011/04/11/gee-how-did-that-towel-end-u
>p-in-my-suitcase/
>or http://tinyurl.com/6bp4lkr
>
>
>** *** ***** ******* *********** *************
>
>      News
>
>
>WikiLeaks cable about Chinese hacking of U.S. networks:
>http://www.schneier.com/blog/archives/2011/04/wikileaks_cable.html
>
>Increasingly, chains of evidence include software steps.  It's not just
>the RIAA suing people -- and getting it wrong -- based on automatic
>systems to detect and identify file sharers.  It's forensic programs
>used to collect and analyze data from computers and smart phones.  It's
>audit logs saved and stored by ISPs and websites.  It's location data
>from cell phones.  It's e-mails and IMs and comments posted to social
>networking sites.  It's tallies from digital voting machines.  It's
>images and meta-data from surveillance cameras.  The list goes on and
>on.  We in the security field know the risks associated with trusting
>digital data, but this evidence is routinely assumed by courts to be
>accurate.  Sergey Bratus is starting to look at this problem.  His
>paper, written with Ashlyn Lembree and Anna Shubina, is "Software on the
>Witness Stand: What Should it Take for Us to Trust it?"
>http://www.schneier.com/blog/archives/2011/04/software_as_evi.html
>
>Interesting blog post on the security costs for the $50B Air Force
>bomber program -- estimated to be $8B.  This isn't all computer
>security, but the original article specifically calls out Chinese
>computer espionage as a primary threat.
>http://taosecurity.blogspot.com/2011/04/apt-drives-up-bomber-cost.html
>
>A criminal gang is stealing truckloads of food.  It's a professional
>operation.  The group knew how wholesale foodstuff trucking worked.
>They set up a bogus trucking company.  They bid for jobs, collected the
>trailers, and disappeared.  Presumably they knew how to fence the goods,
>too.
>http://www.nytimes.com/2011/04/15/business/15bandits.html
>
>The CIA has just declassified six documents about World War I security
>techniques.  (The media is reporting they're CIA documents, but the CIA
>didn't exist before 1947.)  Lots of stuff about secret writing and
>pre-computer tradecraft.
>http://www.foia.cia.gov/CIAsOldest/Secret-writing-document-one.pdf
>http://www.foia.cia.gov/CIAsOldest/Secret-writing-document-two.pdf
>http://www.foia.cia.gov/CIAsOldest/Secret-writing-document-three.pdf
>http://www.foia.cia.gov/CIAsOldest/Secret-writing-document-four.pdf
>http://www.foia.cia.gov/CIAsOldest/Secret-writing-document-five.pdf
>http://www.foia.cia.gov/CIAsOldest/Secret-writing-document-six.pdf
>http://www.fas.org/blog/secrecy/2011/04/cia_wwi.html
>http://www.huffingtonpost.com/2011/04/19/cia-world-war-one-documents-decla
>ssified_n_851281.html
>or http://tinyurl.com/6h5e6zg
>
>Hard-drive steganography through fragmentation:
>http://www.newscientist.com/article/mg21028095.200-covert-hard-drive-fragm
>entation-embeds-a-spys-secrets.html
>or http://tinyurl.com/4xz4vc5
>http://www.sciencedirect.com/science?_ob=ArticleURL&_udi=B6V8G-51BBKRS-1&_
>user=10&_coverDate=01%2F31%2F2011&_rdoc=1&_fmt=high&_orig=gateway&_origin=
>gateway&_sort=d&_docanchor=&view=c&_acct=C000050221&_version=1&_urlVersion
>=0&_userid=10&md5=ee913861b3d05b46b905bd4d52ca9380&searchtype=a
>or http://tinyurl.com/3cyhves
>
>As I've written before, I run an open wi-fi network.  After the stories
>of people being arrested and their homes being invaded based on other
>people using their networks to download child porn, I rethought that
>position -- and decided I *still* want to run an open wireless network.
>http://arstechnica.com/tech-policy/news/2011/04/fbi-child-porn-raid-a-stro
>ng-argument-for-locking-down-wifi-networks.ars
>or http://tinyurl.com/3nvokkh
>http://www.schneier.com/blog/archives/2008/01/my_open_wireles.html
>The EFF is calling for an open wireless movement.
>https://www.eff.org/deeplinks/2011/04/open-wireless-movement
>
>It's standard sociological theory that a group experiences social
>solidarity in response to external conflict.  This paper studies the
>phenomenon in the United States after the 9/11 terrorist attacks.
>http://septembereleven2001.files.wordpress.com/2010/06/collins_2004_ritual
>s_of_solidarity.pdf
>or http://tinyurl.com/3oxwkm5
>http://onlinelibrary.wiley.com/doi/10.1111/j.1467-9558.2004.00204.x/abstra
>ct
>or http://tinyurl.com/3moz2en
>
>Good paper:  "Loving the Cyber Bomb? The Dangers of Threat Inflation in
>Cybersecurity Policy," by Jerry Brito and Tate Watkins.
>http://mercatus.org/publication/loving-cyber-bomb-dangers-threat-inflation
>-cybersecurity-policy
>or http://tinyurl.com/3dcahg3
>http://arstechnica.com/security/news/2011/04/are-we-talking-cyber-war-like
>-the-bush-admin-talked-wmds.ars
>or http://tinyurl.com/3pdmlou
>Also worth reading is an earlier paper by Sean Lawson: "Beyond Cyber
>Doom."
>http://mercatus.org/publication/beyond-cyber-doom
>
>"ReallyVirtual" tweeted the bin Laden assassination without realizing it.
>http://chirpstory.com/li/1288
>
>The Nikon image authentication has been cracked.
>http://blog.crackpassword.com/2011/04/nikon-image-authentication-system-co
>mpromised/
>or http://tinyurl.com/4yv49pw
>http://www.theregister.co.uk/2011/04/28/nikon_image_faking_hack/
>Canon's system is just as bad, by the way.
>http://www.elcomsoft.com/canon.html
>Fifteen years ago, I co-authored a paper on the problem.  The idea was
>to use a hash chain to better deal with the possibility of a secret-key
>compromise.
>http://www.schneier.com/paper-camera.html
>
>According to this article, students are no longer learning how to write
>in cursive.  And, if they are learning it, they're forgetting how.
>Certainly the ubiquity of keyboards is leading to a decrease in writing
>by hand.  Relevant to security, the article claims that this is making
>signatures easier to forge.  I'm skeptical.  Everyone has a scrawl of
>some sort; mine has been completely illegible for years.  But I don't
>see document forgery as a big risk; far bigger is the automatic
>authentication systems that don't have anything to do with traditional
>forgery.
>http://www.nytimes.com/2011/04/28/us/28cursive.html
>
>Unintended security consequences of the new Pyrex recipe: because it's
>no longer useful in cooking crack cocaine, drug makers now have to steal
>better stuff from laboratories.
>http://www.popsci.com/science/article/2011-03/gray-matter-cant-take-heat
>or http://tinyurl.com/6967a22
>
>"Operation Pumpkin":  Wouldn't it have been great if this were not a
>joke: the security contingency in place if Kate Middleton tried to run
>away just before the wedding.
>http://www.theregister.co.uk/2011/04/28/operation_pumpkin/
>
>Bin Laden's death causes spike in suspicious package reports.  It's not
>that the risk is greater, it's that the fear is greater.
>http://www.schneier.com/blog/archives/2011/05/osamas_death_ca.html
>
>Exactly how did they confirm it was bin Laden's body?
>http://www.newscientist.com/article/dn20439-osama-bin-laden-how-dna-identi
>fied-his-body.html
>or http://tinyurl.com/3vrate8
>http://www.cnn.com/2011/HEALTH/05/02/bin.laden.body.id/index.html
>
>Here's a clever Web app that locates your stolen camera by searching the
>EXIF data on public photo databases for your camera's serial number.
>http://www.stolencamerafinder.com/
>
>Forged memory: a scary development in rootkits.
>http://www.techrepublic.com/blog/security/forged-memory-fools-antimalware-
>a-new-development-in-rootkits/5443
>or http://tinyurl.com/3dpxsyk
>
>New vulnerability in online payment system: the connection between the
>merchant site and PayPal.
>http://www.newscientist.com/article/mg21028095.600-hackers-trick-goods-out
>-of-online-shopping-sites.html
>or http://tinyurl.com/3q3j4ob
>http://research.microsoft.com/pubs/145858/caas-oakland-final.pdf
>
>In online hacking, we've moved to the world of "steal everything."  As
>both data storage and data processing becomes cheaper, more and more
>data is collected and stored.  An unanticipated effect of this is that
>more and more data can be stolen and used.  As the article says, data
>minimization is the most effective security tool against this sort of
>thing.  But -- of course -- it's not in the database owner's interest to
>limit the data it collects; it's in the interests of those whom the data
>is about.
>http://www.bbc.co.uk/news/technology-13213632
>
>Medieval tally stick discovered in Germany.  Note the security built
>into this primitive contract system.  Neither side can cheat -- alter
>the notches -- because if they do, the two sides won't match.
>http://www.schneier.com/blog/archives/2011/05/medieval_tally.html
>
>"Resilience of the Internet Interconnection Ecosystem," by Richard
>Clayton -- worth reading.
>http://www.lightbluetouchpaper.org/2011/04/12/resilience-of-the-internet-i
>nterconnection-ecosystem/
>or http://tinyurl.com/69fcyql
>http://www.enisa.europa.eu/act/res/other-areas/inter-x/report/interx-repor
>t/at_download/fullReport
>or http://tinyurl.com/3kkzdmq
>http://www.enisa.europa.eu/act/res/other-areas/inter-x/report/interx-repor
>t/at_download/execSummary
>or http://tinyurl.com/3fmskr7
>
>FBI surveillance tools:
>https://www.eff.org/deeplinks/2011/04/CIPAV_Post
>
>
>** *** ***** ******* *********** *************
>
>      Hijacking the Coreflood Botnet
>
>
>
>Earlier this month, the FBI seized control of the Coreflood botnet and
>shut it down:  "According to the filing, ISC, under law enforcement
>supervision, planned to replace the servers with servers that it
>controlled, then collect the IP addresses of all infected machines
>communicating with the criminal servers, and send a remote 'stop'
>command to infected machines to disable the Coreflood malware operating
>on them."
>
>This is a big deal; it's the first time the FBI has done something like
>this.  My guess is that we're going to see a lot more of this sort of
>thing in the future; it's the obvious solution for botnets.
>
>Not that the approach is without risks:  "'Even if we could absolutely
>be sure that all of the infected Coreflood botnet machines were running
>the exact code that we reverse-engineered and convinced ourselves that
>we understood,' said Chris Palmer, technology director for the
>Electronic Frontier Foundation, 'this would still be an extremely
>sketchy action to take. It's other people's computers and you don't know
>what's going to happen for sure. You might blow up some important
>machine.'"
>
>I just don't see this argument convincing very many people.  Leaving
>Coreflood in place could blow up some important machine.  And leaving
>Coreflood in place not only puts the infected computers at risk; it puts
>the whole Internet at risk.  Minimizing the collateral damage is
>important, but this feels like a place where the interest of the
>Internet as a whole trumps the interest of those affected by shutting
>down Coreflood.
>
>The problem as I see it is the slippery slope.  Because next, the RIAA
>is going to want to remotely disable computers they feel are engaged in
>illegal file sharing.  And the FBI is going to want to remotely disable
>computers they feel are encouraging terrorism.  And so on.  It's
>important to have serious legal controls on this counterattack sort of
>defense.
>
>http://www.wired.com/threatlevel/2011/04/coreflood/
>http://baylinks.com/blogs/?p=181
>http://krebsonsecurity.com/2011/04/u-s-government-takes-down-coreflood-bot
>net/
>or http://tinyurl.com/63qupg8
>http://garwarner.blogspot.com/2011/04/bold-fbi-move-shutters-coreflood-bot
>.html
>or http://tinyurl.com/3koydsp
>
>
>** *** ***** ******* *********** *************
>
>      Schneier News
>
>
>
>Last year, I spoke at a regional TED event: TEDxPSU.  The talk is now
>on the TED website.
>http://on.ted.com/Schneier
>
>
>** *** ***** ******* *********** *************
>
>      Interviews with Me About the Sony Hack
>
>
>
>These two interviews are what I get for giving interviews when I'm in a
>bad mood. For the record, I think Sony did a terrible job with its
>customers' security. I also think that most companies do a terrible job
>with customers' security, simply because there isn't a financial
>incentive to do better. And that most of us are pretty secure, despite
>that.
>
>One of my biggest complaints with these stories is how little actual
>information we have. We often don't know if any data was actually
>stolen, only that hackers had access to it. We rarely know how the data
>was accessed: what sort of vulnerability was used by the hackers. We
>rarely know the motivations of the hackers: were they criminals, spies,
>kids, or someone else? We rarely know if the data is actually used for
>any nefarious purposes; it's generally impossible to connect a data
>breach with a corresponding fraud incident. Given all of that, it's
>impossible to say anything useful or definitive about the attack. But
>the press always wants definitive statements.
>
>
>http://m.kotaku.com/5797602/dont-blame-sony-you-cant-trust-any-networks
>http://www.20minutes.fr/article/718918/bruce-schneier-une-intrusion-inform
>atique-comme-meurtre-impossible-proteger-100
>
>
>** *** ***** ******* *********** *************
>
>      Drugging People and Then Robbing Them
>
>
>
>This is a pretty scary criminal tactic from Turkey.  Burglars dress up
>as doctors, and ring doorbells handing out pills under some pretense or
>another.  They're actually powerful sedatives, and when people take them
>they pass out, and the burglars can ransack the house.
>
>According to the article, when the police tried the same trick with
>placebos, they got an 86% compliance rate.
>
>Kind of like a real-world version of those fake anti-virus programs that
>actually contain malware.
>
>http://au.news.yahoo.com/odd/a/-/odd/9268075/police-dress-up-as-doctors-to
>-test-citizens/
>or http://tinyurl.com/3flomba
>
>
>** *** ***** ******* *********** *************
>
>Since 1998, CRYPTO-GRAM has been a free monthly newsletter providing
>summaries, analyses, insights, and commentaries on security: computer
>and otherwise.  You can subscribe, unsubscribe, or change your address
>on the Web at <http://www.schneier.com/crypto-gram.html>.  Back issues
>are also available at that URL.
>
>Please feel free to forward CRYPTO-GRAM, in whole or in part, to
>colleagues and friends who will find it valuable.  Permission is also
>granted to reprint CRYPTO-GRAM, as long as it is reprinted in its
>entirety.
>
>CRYPTO-GRAM is written by Bruce Schneier.  Schneier is the author of the
>best sellers "Schneier on Security," "Beyond Fear," "Secrets and Lies,"
>and "Applied Cryptography," and an inventor of the Blowfish, Twofish,
>Threefish, Helix, Phelix, and Skein algorithms.  He is the Chief
>Security Technology Officer of BT BCSG, and is on the Board of Directors
>of the Electronic Privacy Information Center (EPIC).  He is a frequent
>writer and lecturer on security topics.  See <http://www.schneier.com>.
>
>Crypto-Gram is a personal newsletter.  Opinions expressed are not
>necessarily those of BT.
>
>Copyright (c) 2011 by Bruce Schneier.
>
>** *** ***** ******* *********** *************
>
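The hash-chain idea mentioned in the Nikon item above ("use a hash chain to better deal with the possibility of a secret-key compromise"), shown as an added Python example. This code is not from the newsletter and is not the construction in the paper it cites; it is a simplified, hypothetical scheme of my own: each image is tagged with an HMAC under a per-image key, the camera replaces that key with its hash after use and discards the old one, each tag also covers the previous tag so the records form a chain, and the verifier (assumed to be whoever holds the initial seed, e.g. the manufacturer) re-derives every key. The seed and images are constructed sample values.

```python
import hashlib
import hmac

# Hypothetical forward-secure image-authentication scheme (illustration only,
# not the construction from the paper the newsletter links to).
TAG_LEN = 32
GENESIS_TAG = b"\x00" * TAG_LEN


def evolve_key(key: bytes) -> bytes:
    """One-way key update: key_{i+1} = H("evolve" || key_i).
    Learning key_{i+1} does not reveal key_i (preimage resistance)."""
    return hashlib.sha256(b"evolve" + key).digest()


def make_record(key: bytes, index: int, prev_tag: bytes, image: bytes) -> dict:
    """Authenticate one image under the key for this index. The tag also
    covers the previous tag, so the records form a chain that fixes order."""
    msg = index.to_bytes(4, "big") + prev_tag + image
    tag = hmac.new(key, msg, hashlib.sha256).digest()
    return {"index": index, "prev_tag": prev_tag, "image": image, "tag": tag}


class Camera:
    """Holds only the *current* key; each earlier key is erased after use."""

    def __init__(self, seed: bytes) -> None:
        self.key = seed
        self.index = 0
        self.prev_tag = GENESIS_TAG

    def capture(self, image: bytes) -> dict:
        rec = make_record(self.key, self.index, self.prev_tag, image)
        self.prev_tag = rec["tag"]
        self.key = evolve_key(self.key)  # the key just used no longer exists on the device
        self.index += 1
        return rec


def verify_log(seed: bytes, records: list) -> bool:
    """The verifier holds the initial seed and re-derives every per-image key,
    checking index, chain link and tag in order."""
    key, prev_tag = seed, GENESIS_TAG
    for i, rec in enumerate(records):
        if rec["index"] != i or rec["prev_tag"] != prev_tag:
            return False
        expected = make_record(key, i, prev_tag, rec["image"])["tag"]
        if not hmac.compare_digest(expected, rec["tag"]):
            return False
        prev_tag = rec["tag"]
        key = evolve_key(key)
    return True


def demo(seed: bytes) -> dict:
    """Constructed scenario: two honest captures, then the device is read out."""
    cam = Camera(seed)
    log = [cam.capture(b"constructed image 0"), cam.capture(b"constructed image 1")]
    leaked_key = cam.key  # attacker who dumps the camera now gets key_2 only

    # Editing stored image bytes breaks its tag.
    tampered = [dict(log[0], image=b"edited image 0"), log[1]]

    # Re-signing the first image with the leaked key fails: key_2 is not key_0,
    # and key_0 cannot be recovered from key_2 by inverting the hash.
    backdated = [make_record(leaked_key, 0, GENESIS_TAG, b"forged image 0"), log[1]]

    # Appending a new image with the leaked key *does* verify. That is the
    # limit of forward security: captures after the compromise are unprotected.
    appended = log + [make_record(leaked_key, 2, log[1]["tag"], b"forged image 2")]

    return {
        "honest": verify_log(seed, log),
        "tampered": verify_log(seed, tampered),
        "backdated": verify_log(seed, backdated),
        "appended": verify_log(seed, appended),
    }


if __name__ == "__main__":
    print(demo(b"constructed seed, not a real camera secret"))
```

The point of the chain is the asymmetry in `demo`: a key recovered from the device compromises everything signed afterwards, but nothing signed before, because the old keys were hashed forward and deleted. A single static signing key, which is what the cracked Nikon and Canon systems are reported to use, gives no such protection: one key extraction lets every past and future image be forged.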