Schneier on Security: The NSA’s Patents

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

Here are all the NSA’s patents, in one searchable database.

If you find something good, tell us all in the comments.

Schneier on Security: The Fundamental Insecurity of USB

This is pretty impressive:

Most of us learned long ago not to run executable files from sketchy USB sticks. But old-fashioned USB hygiene can’t stop this newer flavor of infection: Even if users are aware of the potential for attacks, ensuring that their USB’s firmware hasn’t been tampered with is nearly impossible. The devices don’t have a restriction known as “code-signing,” a countermeasure that would make sure any new code added to the device has the unforgeable cryptographic signature of its manufacturer. There’s not even any trusted USB firmware to compare the code against.

The element of Nohl and Lell’s research that elevates it above the average theoretical threat is the notion that the infection can travel both from computer to USB and vice versa. Any time a USB stick is plugged into a computer, its firmware could be reprogrammed by malware on that PC, with no easy way for the USB device’s owner to detect it. And likewise, any USB device could silently infect a user’s computer.

These are exactly the sorts of attacks the NSA favors.

Schneier on Security: Debit Card Override Hack

Clever:

Parrish allegedly visited Apple Stores and tried to buy products with four different debit cards, which were all closed by his respective financial institutions. When his debit card was inevitably declined by the Apple Store, he would protest and offer to call his bank — except, he wasn’t really calling his bank.

So, the complaint says, he would offer the Apple Store employees a fake authorization code with a certain number of digits, which is normally provided by credit card issuers to create a record of the credit or debit override.

Now that this trick is public, how long before stores stop accepting these authorization codes altogether? I’ll bet that fixing the infrastructure will be expensive.

Schneier on Security: The Costs of NSA Surveillance

New America Foundation has a new paper on the costs of NSA surveillance: economic costs to US business, costs to US foreign policy, and costs to security.

News article.

Schneier on Security: Conference on Deception

There was a conference on deception earlier this month. Sophie Van Der Zee has a summary of the sessions.

Schneier on Security: Russia Paying for a Tor Break

Russia has put out a tender on its official government procurement website for anyone who can identify Tor users. The reward of $114,000 seems pretty cheap for this capability. And we now get to debate whether 1) Russia cannot currently deanonymize Tor users, or 2) Russia can, and this is a ruse to make us think they can’t.

Schneier on Security: Friday Squid Blogging: Build a Squid

An interactive animation from the Museum of New Zealand Te Papa Tongarewa.

As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered.

Schneier on Security: Building a Legal Botnet in the Cloud

Two researchers have built a botnet using free anonymous accounts. They only collected 1,000 accounts, but there’s no reason this can’t scale to much larger numbers.

Schneier on Security: Security Vulnerability in the Tails OS

I’d like more information on this.

Schneier on Security: Securing the Nest Thermostat

A group of hackers are using a vulnerability in the Nest thermostat to secure it against Nest’s remote data collection.

Schneier on Security: Fingerprinting Computers By Making Them Draw Images

Here’s a new way to identify individual computers over the Internet. The page instructs the browser to draw an image. Because each computer draws the image slightly differently, this can be used to uniquely identify each computer. This is a big deal, because there’s no way to block this right now.

Article. Hacker News thread.

EDITED TO ADD (7/22): This technique was first described in 2012. And it seems that NoScript blocks this. Privacy Badger probably blocks it, too.

EDITED TO ADD (7/23): EFF has a good post on who is using this tracking system — the White House is — and how to defend against it.

And a good story on BoingBoing.

Schneier on Security: Friday Squid Blogging: Squid Dissection

A six-hour video of a giant squid dissection from Auckland University of Technology.

As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered.

Schneier on Security: NASDAQ Hack

Long article on a sophisticated hacking of the NASDAQ stock exchange.

Schneier on Security: US National Guard is Getting Into Cyberwar

The Maryland Air National Guard needs a new facility for its cyberwar operations:

The purpose of this facility is to house a Network Warfare Group and ISR Squadron. The Cyber mission includes a set of capabilities, expertise to enable the cyber operational need for an always-on, net-speed awareness and integrated operational response with global reach. It enables operators to drive upstream in pursuit of cyber adversaries, and is informed 24/7 by intelligence and all-source information.

Is this something we want the Maryland Air National Guard to get involved in?

Schneier on Security: Hackers Steal Personal Information of US Security-Clearance Holders

The article says they were Chinese but offers no evidence:

The intrusion at the Office of Personnel Management was particularly disturbing because it oversees a system called e-QIP, in which federal employees applying for security clearances enter their most personal information, including financial data. Federal employees who have had security clearances for some time are often required to update their personal information through the website.

This is a big deal. If I were a government, trying to figure out who to target for blackmail, bribery, and other coercive tactics, this would be a nice database to have.

Schneier on Security: Security Against Traffic Analysis of Cloud Data Access

Here’s some interesting research on foiling traffic analysis of cloud storage systems.

Press release.

Schneier on Security: Risks of Keyloggers on Public Computers

Brian Krebs is reporting that:

The U.S. Secret Service is advising the hospitality industry to inspect computers made available to guests in hotel business centers, warning that crooks have been compromising hotel business center PCs with keystroke-logging malware in a bid to steal personal and financial data from guests.

It’s actually a very hard problem to solve. The adversary can have unrestricted access to the computer, especially hotel business center computers that are often tucked away where no one else is looking. I assume that if someone has physical access to my computer, he can own it. This is doubly true if he has hardware access.

Schneier on Security: Legal Attacks Against Tor

Last week, we learned that the NSA targets people who look for information about Tor. A few days later, the operator of a Tor exit node in Austria was found guilty as an accomplice, because someone used his computer to transmit child porn. Even more recently, Tor has been named as a defendant in a revenge-porn suit in Texas because it provides web-porn operators with privacy.

Here’s the EFF: “Seven Things You Should Know About Tor.”

EDITED TO ADD (7/16): It seems that article about Tor in Austria was wrong.

Schneier on Security: GCHQ Catalog of Exploit Tools

The latest Snowden story is a catalog of exploit tools from JTRIG (Joint Threat Research Intelligence Group), a unit of the British GCHQ, for both surveillance and propaganda. It’s a list of code names and short descriptions, such as these:

GLASSBACK: Technique of getting a target’s IP address by pretending to be a spammer and ringing them. Target does not need to answer.

MINIATURE HERO: Active skype capability. Provision of real time call records (SkypeOut and SkypetoSkype) and bidirectional instant messaging. Also contact lists.

MOUTH: Tool for collection for downloading a user’s files from Archive.org.

PHOTON TORPEDO: A technique to actively grab the IP address of MSN messenger user.

SILVER SPECTOR: Allows batch Nmap scanning over Tor.

SPRING BISHOP: Find private photographs of targets on Facebook.

ANGRY PIRATE: is a tool that will permanently disable a target’s account on their computer.

BUMPERCAR+: is an automated system developed by JTRIG CITD to support JTRIG BUMPERCAR operations. BUMPERCAR operations are used to disrupt and deny Internet-based terror videos or other materials. The technique employs the services provided by upload providers to report offensive materials.

BOMB BAY: is the capacity to increase website hits/rankings.

BURLESQUE: is the capacity to send spoofed SMS messages.

CLEAN SWEEP: Masquerade Facebook Wall Posts for individuals or entire countries.

CONCRETE DONKEY: is the capacity to scatter an audio message to a large number of telephones, or repeatedly bomb a target number with the same message.

GATEWAY: Ability to artificially increase traffic to a website.

GESTATOR: amplification of a given message, normally video, on popular multimedia websites (Youtube).

SCRAPHEAP CHALLENGE: Perfect spoofing of emails from Blackberry targets.

SUNBLOCK: Ability to deny functionality to send/receive email or view material online.

SWAMP DONKEY: is a tool that will silently locate all predefined types of file and encrypt them on a target’s machine.

UNDERPASS: Change outcome of online polls (previously known as NUBILO).

WARPATH: Mass delivery of SMS messages to support an Information Operations campaign.

HAVLOCK: Real-time website cloning techniques allowing on-the-fly alterations.

HUSK: Secure one-on-one web based dead-drop messaging platform.

There’s lots more. Go read the rest. This is a big deal, as big as the TAO catalog from December.

I would like to post the entire list. If someone has a clever way of extracting the text, or wants to retype it all, please send it to me.

EDITED TO ADD (7/16): HTML of the entire catalog is here.

Schneier on Security: Studying Network Incident Response Teams Using Anthropological Methods

This is an interesting paper: “An Anthropological Approach to Studying CSIRTs.” A researcher spent 15 months at a university’s SOC conducting “ethnographic fieldwork.” Right now it’s more about the methodology than any results, but I’ll bet the results will be fascinating.

And here’s some information about the project.

Schneier on Security: Friday Squid Blogging: This Unmanned Drone Footage Will Blow Your Mind

Neat video shot from a remote-operated vehicle.

As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered.

Schneier on Security: “Tips For Crafting A Strong Password That Really Pops”

Funny, and the inspiration for this week’s headlines. (Note that the image shows Password Safe on the screen.)

And marginally related, here’s an odd essay about using a password as a mantra for personal change.

Schneier on Security: This Leaked NSA Memo Will Restore Your Faith in Humanity

Okay, it’s a parody:

The Russian Federation is more complex. At a political level there’s a lot of grandstanding. Operationally though, we share intelligence with Russia on anyone who is a mutual target (and that, ironically, includes most of the Russian Federation). China is our main mutual target because it refuses to share the economic intelligence data it gathers about either Russia or America. All of us, however, have agreed to share intelligence data on the French.

Schneier on Security: How Google Glass Snoops Steal Your Passcode

Researchers are refining the techniques of surreptitiously videoing people as they type in their passwords.

Other hackers have shown it’s possible to perform automated over-the-shoulder password stealing. But Fu notes that older video tools had to actually see the display, which often is impossible from a distance or from indirect angles. (See UMass’s PIN-capturing footage taken by Glass in the GIF below.) His team’s video recognition software can spot passcodes even when the screen is unreadable, based on its understanding of an iPad’s geometry and the position of the user’s fingers. It maps its image of the angled iPad onto a “reference” image of the device, then looks for the abrupt down and up movements of the dark crescents that represent the fingers’ shadows.

Slashdot thread.

Schneier on Security: This Common Home Appliance Can Compromise Your Entire Security

LIFX is a smart light bulb that can be controlled with your smart phone via your home’s Wi-Fi network. Turns out that anyone within range can obtain the Wi-Fi password from the light bulb. It’s a problem with the communications protocol.