Author Archive

Schneier on Security: New Snowden Documents Show GCHQ Paying Cable & Wireless for Access

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

A new story based on the Snowden documents and published in the German newspaper Süddeutsche Zeitung shows how the GCHQ worked with Cable & Wireless — acquired by Vodafone in 2012 — to eavesdrop on Internet and telecommunications traffic. New documents on the page, and here.

Ars Technica article. Slashdot thread.

Schneier on Security: FBI Agents Pose as Repairmen to Bypass Warrant Process

This is a creepy story. The FBI wanted access to a hotel guest’s room without a warrant. So agents broke his Internet connection, and then posed as Internet technicians to gain access to his hotel room without a warrant.

From the motion to suppress:

The next time you call for assistance because the internet service in your home is not working, the “technician” who comes to your door may actually be an undercover government agent. He will have secretly disconnected the service, knowing that you will naturally call for help and — when he shows up at your door, impersonating a technician — let him in. He will walk through each room of your house, claiming to diagnose the problem. Actually, he will be videotaping everything (and everyone) inside. He will have no reason to suspect you have broken the law, much less probable cause to obtain a search warrant. But that makes no difference, because by letting him in, you will have “consented” to an intrusive search of your home.

Basically, the agents snooped around the hotel room, and gathered evidence that they submitted to a magistrate to get a warrant. Of course, they never told the judge that they had engineered the whole outage and planted the fake technicians.

More coverage of the case here.

This feels like an important case to me. We constantly allow repair technicians into our homes to fix this or that technological thingy. If we can’t be sure they are not government agents in disguise, then we’ve lost quite a lot of our freedom and liberty.

Schneier on Security: Regin: Another Military-Grade Malware

Regin is another military-grade surveillance malware (tech details from Symantec and Kaspersky). It seems to have been in operation between 2008 and 2011. The Intercept has linked it to NSA/GCHQ operations, although I am still skeptical of the NSA/GCHQ hacking Belgian cryptographer Jean-Jacques Quisquater.

Schneier on Security: The Security Underpinnings of Cryptography

Nice article on some of the security assumptions we rely on in cryptographic algorithms.

Schneier on Security: New Kryptos Clue

Jim Sanborn has given the world another clue to the fourth cyphertext in his Kryptos sculpture at the CIA headquarters.

Older posts on Kryptos.

Schneier on Security: Friday Squid Blogging: Cephalopod Cognition

Tales of cephalopod behavior, including octopuses, squid, cuttlefish and nautiluses.

Cephalopod Cognition, published by Cambridge University Press, is currently available in hardcover, and the paperback edition will be available next week.

Schneier on Security: Pre-Snowden Debate About NSA Call-Records Collection Program

Reuters is reporting that in 2009, several senior NSA officials objected to the NSA call-records collection program.

The now-retired NSA official, a longtime code-breaker who rose to top management, had just learned in 2009 about the top secret program that was created shortly after the Sept. 11, 2001, attacks. He says he argued to then-NSA Director Keith Alexander that storing the calling records of nearly every American fundamentally changed the character of the agency, which is supposed to eavesdrop on foreigners, not Americans.

Hacker News thread.

Schneier on Security: Citadel Malware Steals Password Manager Master Passwords

Citadel is the first piece of malware I know of that specifically steals master passwords from password managers. Note that my own Password Safe is a target.

Schneier on Security: A New Free CA

Announcing Let’s Encrypt, a new free certificate authority. This is a joint project of EFF, Mozilla, Cisco, Akamai, and the University of Michigan.

This is an absolutely fantastic idea.

The anchor for any TLS-protected communication is a public-key certificate which demonstrates that the server you’re actually talking to is the server you intended to talk to. For many server operators, getting even a basic server certificate is just too much of a hassle. The application process can be confusing. It usually costs money. It’s tricky to install correctly. It’s a pain to update.

Let’s Encrypt is a new free certificate authority, built on a foundation of cooperation and openness, that lets everyone be up and running with basic server certificates for their domains through a simple one-click process.

[…]

The key principles behind Let’s Encrypt are:

  • Free: Anyone who owns a domain can get a certificate validated for that domain at zero cost.
  • Automatic: The entire enrollment process for certificates occurs painlessly during the server’s native installation or configuration process, while renewal occurs automatically in the background.
  • Secure: Let’s Encrypt will serve as a platform for implementing modern security techniques and best practices.
  • Transparent: All records of certificate issuance and revocation will be available to anyone who wishes to inspect them.
  • Open: The automated issuance and renewal protocol will be an open standard and as much of the software as possible will be open source.
  • Cooperative: Much like the underlying Internet protocols themselves, Let’s Encrypt is a joint effort to benefit the entire community, beyond the control of any one organization.

Slashdot thread. Hacker News thread.

Schneier on Security: Whatsapp Is Now End-to-End Encrypted

Whatsapp is now offering end-to-end message encryption:

Whatsapp will integrate the open-source software Textsecure, created by privacy-focused non-profit Open Whisper Systems, which scrambles messages with a cryptographic key that only the user can access and never leaves his or her device.

I don’t know the details, but the article talks about perfect forward secrecy. Moxie Marlinspike is involved, which gives me some confidence that it’s a robust implementation.

Schneier on Security: Snarky 1992 NSA Report on Academic Cryptography

The NSA recently declassified a report on the Eurocrypt ’92 conference. Honestly, I share some of the writer’s opinions on the more theoretical stuff. I know it’s important, but it’s not something I care all that much about.

Schneier on Security: The NSA’s Efforts to Ban Cryptographic Research in the 1970s

New article on the NSA’s efforts to control academic cryptographic research in the 1970s. It includes new interviews with public-key cryptography inventor Martin Hellman and then-NSA director Bobby Inman.

Schneier on Security: Friday Squid Blogging: The Story of Inventing the SQUID

The interesting story of how engineers at Ford Motor Co. invented the superconducting quantum interference device, or SQUID.

As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered.

Schneier on Security: The Return of Crypto Export Controls?

Last month, for the first time since US export restrictions on cryptography were relaxed over a decade ago, the US government has fined a company for exporting crypto software without a license.

News article.

No one knows what this means.

Schneier on Security: Pew Research Survey on Privacy Perceptions

Pew Research has released a new survey on Americans’ perceptions of privacy. The results are pretty much in line with all the other surveys on privacy I’ve read. As Cory Doctorow likes to say, we’ve reached “peak indifference to surveillance.”

Schneier on Security: ISPs Blocking TLS Encryption

It’s not happening often, but it seems that some ISPs are blocking STARTTLS messages and causing web encryption to fail. EFF has the story.

Schneier on Security: Narrowly Constructing National Surveillance Law

Orin Kerr has a new article that argues for narrowly constructing national security law:

This Essay argues that Congress should adopt a rule of narrow construction of the national security surveillance statutes. Under this interpretive rule, which the Essay calls a “rule of lenity,” ambiguity in the powers granted to the executive branch in the sections of the United States Code on national security surveillance should trigger a narrow judicial interpretation in favor of the individual and against the State. A rule of lenity would push Congress to be the primary decision maker to balance privacy and security when technology changes, limiting the rulemaking power of the secret Foreign Intelligence Surveillance Court. A rule of lenity would help restore the power over national security surveillance law to where it belongs: The People.

This is certainly not a panacea. As Jack Goldsmith rightly points out, more Congressional oversight over NSA surveillance during the last decade would have gained us more NSA surveillance. But it’s certainly better than having secret courts make the rules after only hearing one side of the argument.

Schneier on Security: Hacking Internet Voting from Wireless Routers

Good paper, and layman’s explanation.

Internet voting scares me. It gives hackers the potential to seriously disrupt our democratic processes.

Schneier on Security: Sophisticated Targeted Attack Via Hotel Networks

Kaspersky Labs is reporting (detailed report here, technical details here) on a sophisticated hacker group that is targeting specific individuals around the world. “Darkhotel” is the name the group and its techniques have been given.

This APT precisely drives its campaigns by spear-phishing targets with highly advanced Flash zero-day exploits that effectively evade the latest Windows and Adobe defenses, and yet they also imprecisely spread among large numbers of vague targets with peer-to-peer spreading tactics. Moreover, this crew’s most unusual characteristic is that for several years the Darkhotel APT has maintained a capability to use hotel networks to follow and hit selected targets as they travel around the world. These travelers are often top executives from a variety of industries doing business and outsourcing in the APAC region. Targets have included CEOs, senior vice presidents, sales and marketing directors and top R&D staff. This hotel network intrusion set provides the attackers with precise global scale access to high value targets. From our observations, the highest volume of offensive activity on hotel networks started in August 2010 and continued through 2013, and we are investigating some 2014 hotel network events.

Good article. This seems pretty obviously a nation-state attack. It’s anyone’s guess which country is behind it, though.

Targets in the spear-phishing attacks include high-profile executives, among them a media executive from Asia, as well as government agencies and NGOs and U.S. executives. The primary targets, however, appear to be in North Korea, Japan, and India. “All nuclear nations in Asia,” Raiu notes. “Their targeting is nuclear themed, but they also target the defense industry base in the U.S. and important executives from around the world in all sectors having to do with economic development and investments.” Recently there has been a spike in the attacks against the U.S. defense industry.

We usually infer the attackers from the target list. This one isn’t that helpful. Pakistan? China? South Korea? I’m just guessing.

Schneier on Security: Friday Squid Blogging: Dried Squid Sold in Korean Baseball Stadiums

I’m not sure why this is news, except that it makes for a startling headline. (Is the New York Times now into clickbait?) It’s not as if people are throwing squid onto the field, as Detroit hockey fans do with octopus.

As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered.

Schneier on Security: Co3 Systems Is Hiring

My company, Co3 Systems, is hiring both technical and nontechnical positions. If you live in the Boston area, click through and take a look.

Schneier on Security: Testing for Explosives in the Chicago Subway

Chicago is doing random explosives screenings at random L stops in the Chicago area. Compliance is voluntary:

Police made no arrests but one rider refused to submit to the screening and left the station without incident, Maloney said.

[…]

Passengers can decline the screening, but will not be allowed to board a train at that station. Riders can leave that station and board a train at a different station.

I have to wonder what would happen if someone who looks Arab refused to be screened. And what possible value this procedure has. Anyone who has a bomb in their bag would see the screening point well before approaching it, and be able to walk to the next stop without potentially arousing suspicion.

Schneier on Security: Why Hyping Cyber Threats is Counterproductive

Robert Lee and Thomas Rid have a new paper: “OMG Cyber! Thirteen Reasons Why Hype Makes for Bad Policy.”

Schneier on Security: How the Internet Affects National Sovereignty

Interesting paper by Melissa Hathaway: “Connected Choices: How the Internet Is Challenging Sovereign Decisions.”

Abstract: Modern societies are in the middle of a strategic, multidimensional competition for money, power, and control over all aspects of the Internet and the Internet economy. This article discusses the increasing pace of discord and the competing interests that are unfolding in the current debate concerning the control and governance of the Internet and its infrastructure. Some countries are more prepared for and committed to winning tactical battles than are others on the road to asserting themselves as an Internet power. Some are acutely aware of what is at stake; the question is whether they will be the master or the victim of these multilayered power struggles as subtle and not-so-subtle connected choices are being made. Understanding this debate requires an appreciation of the entangled economic, technical, regulatory, political, and social interests implicated by the Internet. Those states that are prepared for and understand the many facets of the Internet will likely end up on top.

Schneier on Security: Verizon Tracking Mobile Internet Use

Verizon is tracking the Internet use of its phones by surreptitiously modifying URLs. This is a good description of how it works.