Author Archive

Schneier on Security: Identifying Dread Pirate Roberts

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

According to court documents, Dread Pirate Roberts was identified because a CAPTCHA service used on the Silk Road login page leaked the users’ true location.

Schneier on Security: Tracking People From their Cellphones with an SS7 Vulnerability

What’s interesting about this story is not that the cell phone system can track your location worldwide. That makes sense; the system has to know where you are. What’s interesting about this story is that anyone can do it. Cyber-weapons arms manufacturers are selling the capability to governments worldwide, and hackers have demonstrated the capability.

Schneier on Security: Two New Snowden Stories

New Zealand is spying on its citizens. Edward Snowden weighs in personally.

The NSA and GCHQ are mapping the entire Internet, including hacking into Deutsche Telekom.

Schneier on Security: Security of the SHA Family of Hash Functions

Good article on the insecurity of SHA-1 and the need to replace it sooner rather than later.

Schneier on Security: Friday Squid Blogging: 200-Pound Squid Found in Gulf of Mexico

A 200-pound dead giant squid was found near the coast of Matagorda, Texas. This is only the third giant squid ever found in the Gulf of Mexico.

As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered.

Schneier on Security: The Concerted Effort to Remove Data Collection Restrictions

Since the beginning, data privacy regulation focused on collection, storage, and use. You can see it in the OECD Privacy Framework from 1980 (see also this proposed update).

Recently, there has been a concerted effort to focus all potential regulation on data use, completely ignoring data collection. Microsoft’s Craig Mundie argues this. So does the PCAST report. And the World Economic Forum. This is a lobbying effort by US business. My guess is that the companies are much more worried about collection restrictions than use restrictions. They believe that they can slowly change use restrictions once they have the data, but that it’s harder to change collection restrictions and get the data in the first place.

We need to regulate collection as well as use. In a new essay, Chris Hoofnagle explains why.

Schneier on Security: Tabnapping: A New Phishing Attack

Aza Raskin describes a new phishing attack: taking over a background tab in a browser to trick people into entering their login credentials. Clever.

Schneier on Security: WikiLeaks Spy Files

WikiLeaks has organized the trove of documents about corporations aiding government surveillance around the world. It’s worth wandering around through all this material.

Schneier on Security: Safeplug Security Analysis

Good security analysis of Safeplug, which is basically Tor in a box. Short answer: not yet.

Schneier on Security: Wi-Fi Jammer

A device called Cyborg Unplugged can be configured to prevent any Wi-Fi connection:

Oliver notes on the product’s website that its so-called “All Out Mode” — which prevents surveillance devices from connecting to any Wi-Fi network in the area — is likely illegal, and he advises against its use. Nevertheless, we can imagine activists slipping these little devices into public areas and wreaking a bit of havoc.

Schneier on Security: iPhone Payment Security

Apple is including some sort of automatic credit-card payment system with the iPhone 6. They’re using some security feature of the phone and system to negotiate a cheaper transaction fee.

Basically, there are two kinds of credit card transactions: card present, and card not present. The former is cheaper because there’s less risk of fraud. The article says that Apple has negotiated the card-present rate for its iPhone payment system (even though the card is not present). Presumably, this is because of some other security features that reduce the risk of fraud.

Not a lot of detail here, but interesting nonetheless.

Schneier on Security: Friday Squid Blogging: Book by One Squid-Obsessed Person About Another

Preparing the Ghost: An Essay Concerning the Giant Squid and Its First Photographer, by Matthew Gavin Frank.

As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered.

Schneier on Security: Security of Password Managers

At USENIX Security this year there were two papers studying the security of password managers:

It’s interesting work, especially because it looks at security problems in something that is supposed to improve security.

I’ve long recommended a password manager to solve the very real problem that any password that can be easily remembered is vulnerable to a dictionary attack. The world got a visceral reminder of this earlier this week, when hackers posted iCloud photos from celebrity accounts. The attack didn’t exploit a flaw in iCloud; the attack exploited weak passwords.

Security is often a trade-off with convenience, and most password managers automatically fill in passwords on browser pages. This turns out to be a difficult thing to do securely, and opens up the password managers to attack.

My own password manager, PasswordSafe, wasn’t mentioned in either of these papers. I specifically designed it not to automatically fill. I specifically designed it to be stand-alone. The fast way to transfer a password from PasswordSafe to a browser page is using the operating system’s cut-and-paste commands.

I still recommend using a password manager, simply because it allows you to choose longer and stronger passwords. And for the few passwords you should remember, my scheme for generating them is here.

Schneier on Security: JackPair Encrypted Phone Add-On

JackPair is a clever device that encrypts your voice between your headset and the audio jack. The crypto looks competent, and the design looks well-thought-out. I’d use it.

Schneier on Security: Electromagnetic Weapons

Long article in IEEE Spectrum.

Schneier on Security: Pencil-and-Paper Codes Used by Central American Criminal Gangs

No mention of how good the codes are. My guess is not very.

Schneier on Security: Squid Skin Inspires Eye-Like Photodetector

Squid are color-blind, but may detect color directly through their skin. A researcher is working on a system to detect colored light the way squid do.

Schneier on Security: Cell Phone Kill Switches Mandatory in California

California passed a kill-switch law, meaning that all cell phones sold in California must have the capability to be remotely turned off. It was sold as an antitheft measure. If the phone company could remotely render a cell phone inoperative, there would be less incentive to steal one.

I worry more about the side effects: once the feature is in place, it can be used by all sorts of people for all sorts of reasons.

The law raises concerns about how the switch might be used or abused, because it also provides law enforcement with the authority to use the feature to kill phones. And any feature accessible to consumers and law enforcement could be accessible to hackers, who might use it to randomly kill phones for kicks or revenge, or to perpetrators of crimes who might — depending on how the kill switch is implemented — be able to use it to prevent someone from calling for help.

“It’s great for the consumer, but it invites a lot of mischief,” says Hanni Fakhoury, staff attorney for the Electronic Frontier Foundation, which opposes the law. “You can imagine a domestic violence situation or a stalking context where someone kills [a victim's] phone and prevents them from calling the police or reporting abuse. It will not be a surprise when you see it being used this way.”

I wrote about this in 2008, more generally:

The possibilities are endless, and very dangerous. Making this work involves building a nearly flawless hierarchical system of authority. That’s a difficult security problem even in its simplest form. Distributing that system among a variety of different devices — computers, phones, PDAs, cameras, recorders — with different firmware and manufacturers, is even more difficult. Not to mention delegating different levels of authority to various agencies, enterprises, industries and individuals, and then enforcing the necessary safeguards.

Once we go down this path — giving one device authority over other devices — the security problems start piling up. Who has the authority to limit functionality of my devices, and how do they get that authority? What prevents them from abusing that power? Do I get the ability to override their limitations? In what circumstances, and how? Can they override my override?

The law only affects California, but phone manufacturers won’t sell two different phones. So this means that all cell phones will eventually have this capability. And, of course, the procedural controls and limitations written into the California law don’t apply elsewhere.

Schneier on Security: ISIS Threatens US with Terrorism

They’re openly mocking our profiling.

But in several telephone conversations with a Reuters reporter over the past few months, Islamic State fighters had indicated that their leader, Iraqi Abu Bakr al-Baghdadi, had several surprises in store for the West.

They hinted that attacks on American interests or even U.S. soil were possible through sleeper cells in Europe and the United States.

“The West are idiots and fools. They think we are waiting for them to give us visas to go and attack them or that we will attack with our beards or even Islamic outfits,” said one.

“They think they can distinguish us these days; they are fools and more than that they don’t know we can play their game in intelligence. They infiltrated us with those who pretend to be Muslims and we have also penetrated them with those who look like them.”

I am reminded of my debate on airport profiling with Sam Harris, particularly my initial response to his writings.

Schneier on Security: Hacking Traffic Lights

New paper: “Green Lights Forever: Analyzing the Security of Traffic Infrastructure,” Branden Ghena, William Beyer, Allen Hillaker, Jonathan Pevarnek, and J. Alex Halderman.

Abstract: The safety critical nature of traffic infrastructure requires that it be secure against computer-based attacks, but this is not always the case. We investigate a networked traffic signal system currently deployed in the United States and discover a number of security flaws that exist due to systemic failures by the designers. We leverage these flaws to create attacks which gain control of the system, and we successfully demonstrate them on the deployment in coordination with authorities. Our attacks show that an adversary can control traffic infrastructure to cause disruption, degrade safety, or gain an unfair advantage. We make recommendations on how to improve existing systems and discuss the lessons learned for embedded systems security in general.

News article.

Schneier on Security: Security Flaws in Rapiscan Full-Body Scanners

Security researchers have finally gotten their hands on a Rapiscan backscatter full-body scanner. The results aren’t very good.

Website with paper and images. News articles and commentary.

Note that these machines have been replaced in US airports with millimeter wave full-body scanners.

Schneier on Security: Security by Obscurity at Healthcare.gov Site

The White House is refusing to release details about the security of healthcare.gov because it might help hackers. What this really means is that the security details would embarrass the White House.

Schneier on Security: Eavesdropping Using Smart Phone Gyroscopes

The gyroscopes are sensitive enough to pick up acoustic vibrations. It’s crude, but it works. Paper. Wired article. Hacker News thread.

Schneier on Security: The Problems with PGP

Matthew Green has a good post on what’s wrong with PGP and what should be done about it.