As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered.
I have a new book. It’s Carry On: Sound Advice from Schneier on Security, and it’s my second collection of essays. This book covers my writings from March 2008 to June 2013. (My first collection of essays, Schneier on Security, covered my writings from April 2002 to February 2008.)
There’s nothing in this book that hasn’t been published before, and nothing you can’t get free off my website. But if you’re looking for my recent writings in a convenient-to-carry hardcover-book format, this is the book for you.
I’m also happy with the cover.
Unfortunately, the paper book isn’t due in stores — either online or brick-and-mortar — until 12/27, which makes it a pretty lousy Christmas gift, though Amazon and B&N both claim it’ll be in stock there on December 16. And if you don’t mind waiting until after the new year, I will sell you a signed copy of the book here.
Suggestions for a title of my third collection of essays, to be published in five-ish years, are appreciated.
Telepathwords is a pretty clever research project that tries to evaluate password strength. It’s different from normal strength meters, and I think better.
Telepathwords tries to predict the next character of your passwords by using knowledge of:
- common passwords, such as those made public as a result of security breaches
- common phrases, such as those that appear frequently on web pages or in common search queries
- common password-selection behaviors, such as the use of sequences of adjacent keys
Password-strength evaluators have generally been pretty poor, regularly assessing weak passwords as strong (and vice versa). I like seeing new research in this area.
Here’s a new biometric I know nothing about:
The wristband relies on authenticating identity by matching the overall shape of the user’s heartwave (captured via an electrocardiogram sensor). Unlike other biotech authentication methods — like fingerprint scanning and iris-/facial-recognition tech — the system doesn’t require the user to authenticate every time they want to unlock something. Because it’s a wearable device, the system sustains authentication so long as the wearer keeps the wristband on.
Some apps are being distributed with secret Bitcoin-mining software embedded in them. Coins found are sent back to the app owners, of course.
And to make it legal, it’s part of the end-user license agreement (EULA):
COMPUTER CALCULATIONS, SECURITY: as part of downloading a Mutual Public, your computer may do mathematical calculations for our affiliated networks to confirm transactions and increase security. Any rewards or fees collected by WBT or our affiliates are the sole property of WBT and our affiliates.
This is a great example of why EULAs are bad. The stunt that resulted in 7,500 people giving Gamestation.co.uk their immortal souls a few years ago was funny, but hijacking users’ computers for profit is actually bad.
It’s not new, though. People have been explaining how to evade airport security for years.
Back in 2006, I — and others — explained how to print your own boarding pass and evade the photo-ID check, a trick that still seems to work. In 2008, I demonstrated carrying two large bottles of liquid through airport security. Here’s a paper about stabbing people with stuff you can take through airport security. And here’s a German video of someone building a bomb out of components he snuck through a full-body scanner. There’s lots more if you start poking around the Internet.
So, what’s the moral here? It’s not like the terrorists don’t know about these tricks. They’re no surprise to the TSA, either. If airport security is so porous, why aren’t there more terrorist attacks? Why aren’t the terrorists using these, and other, techniques to attack planes every month?
I think the answer is simple: airplane terrorism isn’t a big risk. There are very few actual terrorists, and plots are much more difficult to execute than the tactics of the attack itself. It’s the same reason why I don’t care very much about the various TSA mistakes that are regularly reported.
As more and more media outlets from all over the world continue to report on the Snowden documents, it’s harder and harder to keep track of what has been released. The EFF, ACLU, and Cryptome are all trying.
None of them is complete, I believe. Please post additions in the comments, and I will do my best to feed the information back to the compilers.
EDITED TO ADD (12/5): Wikipedia also has an exhaustive list.
One of the things I do is expert witness work in patent litigations. Often, it’s defending companies against patent trolls. One of the patents I have worked on for several defendants is owned by a company called TQP Development. The patent owner claims that it covers SSL and RC4, which it does not. The patent owner claims that the patent is novel, which it is not. Despite this, TQP has managed to make $45 million off the patent, almost entirely as a result of private settlements. One company, Newegg, fought and lost — although they’re planning to appeal. The story is here.
Since we learned that the NSA has surreptitiously weakened Internet security so it could more easily eavesdrop, we’ve been wondering if it’s done anything to antivirus products. Given that it engages in offensive cyberattacks — and launches cyberweapons like Stuxnet and Flame — it’s reasonable to assume that it’s asked antivirus companies to ignore its malware. (We know that antivirus companies have previously done this for corporate malware.)
My guess is that the NSA has not done this, nor has any other government intelligence or law enforcement agency. My reasoning is that antivirus is a very international industry, and while a government might get its own companies to play along, it would not be able to influence international companies. So while the NSA could certainly pressure McAfee or Symantec — both Silicon Valley companies — to ignore NSA malware, it could not similarly pressure Kaspersky Labs (Russian), F-Secure (Finnish), or AVAST (Czech). And the governments of Russia, Finland, and the Czech Republic will have comparable problems.
Even so, I joined a group of security experts to ask antivirus companies explicitly if they were ignoring malware at the behest of a government. Understanding that the companies could certainly lie, this is the response so far: no one has admitted to doing so.
Up until this moment, only a handful of the vendors have replied ESET, F-Secure, Norman Shark, Kaspersky, Panda and Trend Micro. All of the responding companies have confirmed the detection of state sponsored malware, e.g. R2D2 and FinFisher. Furthermore, they claim they have never received a request to not detect malware. And if they were asked by any government to do so in the future, they said they would not comply. All the aforementioned companies believe there is no such thing as harmless malware.
Stuxnet is not really one weapon, but two. The vast majority of the attention has been paid to Stuxnet’s smaller and simpler attack routine — the one that changes the speeds of the rotors in a centrifuge, which is used to enrich uranium. But the second and “forgotten” routine is about an order of magnitude more complex and stealthy. It qualifies as a nightmare for those who understand industrial control system security. And strangely, this more sophisticated attack came first. The simpler, more familiar routine followed only years later — and was discovered in comparatively short order.
Stuxnet also provided a useful blueprint to future attackers by highlighting the royal road to infiltration of hard targets. Rather than trying to infiltrate directly by crawling through 15 firewalls, three data diodes, and an intrusion detection system, the attackers acted indirectly by infecting soft targets with legitimate access to ground zero: contractors. However seriously these contractors took their cybersecurity, it certainly was not on par with the protections at the Natanz fuel-enrichment facility. Getting the malware on the contractors’ mobile devices and USB sticks proved good enough, as sooner or later they physically carried those on-site and connected them to Natanz’s most critical systems, unchallenged by any guards.
Any follow-up attacker will explore this infiltration method when thinking about hitting hard targets. The sober reality is that at a global scale, pretty much every single industrial or military facility that uses industrial control systems at some scale is dependent on its network of contractors, many of which are very good at narrowly defined engineering tasks, but lousy at cybersecurity. While experts in industrial control system security had discussed the insider threat for many years, insiders who unwittingly helped deploy a cyberweapon had been completely off the radar. Until Stuxnet.
And while Stuxnet was clearly the work of a nation-state — requiring vast resources and considerable intelligence — future attacks on industrial control and other so-called “cyber-physical” systems may not be. Stuxnet was particularly costly because of the attackers’ self-imposed constraints. Damage was to be disguised as reliability problems. I estimate that well over 50 percent of Stuxnet’s development cost went into efforts to hide the attack, with the bulk of that cost dedicated to the overpressure attack which represents the ultimate in disguise — at the cost of having to build a fully-functional mockup IR-1 centrifuge cascade operating with real uranium hexafluoride. Stuxnet-inspired attackers will not necessarily place the same emphasis on disguise; they may want victims to know that they are under cyberattack and perhaps even want to publicly claim credit for it.
Safeplug is an easy-to-use Tor appliance. I like that it can also act as a Tor exit node.
EDITED TO ADD: I know nothing about this appliance, nor do I endorse it. In fact, I would like it to be independently audited before we start trusting it. But it’s a fascinating proof-of-concept of encapsulating security so that normal Internet users can use it.
This is a long article about the FBI’s Data Intercept Technology Unit (DITU), which is basically its own internal NSA.
It carries out its own signals intelligence operations and is trying to collect huge amounts of email and Internet data from U.S. companies — an operation that the NSA once conducted, was reprimanded for, and says it abandoned.
The unit works closely with the “big three” U.S. telecommunications companies — AT&T, Verizon, and Sprint — to ensure its ability to intercept the telephone and Internet communications of its domestic targets, as well as the NSA’s ability to intercept electronic communications transiting through the United States on fiber-optic cables.
After Prism was disclosed in the Washington Post and the Guardian, some technology company executives claimed they knew nothing about a collection program run by the NSA. And that may have been true. The companies would likely have interacted only with officials from the DITU and others in the FBI and the Justice Department, said sources who have worked with the unit to implement surveillance orders.
Recently, the DITU has helped construct data-filtering software that the FBI wants telecom carriers and Internet service providers to install on their networks so that the government can collect large volumes of data about emails and Internet traffic.
The software, known as a port reader, makes copies of emails as they flow through a network. Then, in practically an instant, the port reader dissects them, removing only the metadata that has been approved by a court.
The FBI has built metadata collection systems before. In the late 1990s, it deployed the Carnivore system, which the DITU helped manage, to pull header information out of emails. But the FBI today is after much more than just traditional metadata — who sent a message and who received it. The FBI wants as many as 13 individual fields of information, according to the industry representative. The data include the route a message took over a network, Internet protocol addresses, and port numbers, which are used to handle different kinds of incoming and outgoing communications. Those last two pieces of information can reveal where a computer is physically located — perhaps along with its user — as well as what types of applications and operating system it’s running. That information could be useful for government hackers who want to install spyware on a suspect’s computer — a secret task that the DITU also helps carry out.
Some federal prosecutors have gone to court to compel port reader adoption, the industry representative said. If a company failed to comply with a court order, it could be held in contempt.
It’s not clear how many companies have installed the port reader, but at least two firms are pushing back, arguing that because it captures an entire email, including content, the government needs a warrant to get the information. The government counters that the emails are only copied for a fraction of a second and that no content is passed along to the government, only metadata. The port reader is designed also to collect information about the size of communications packets and traffic flows, which can help analysts better understand how communications are moving on a network. It’s unclear whether this data is considered metadata or content; it appears to fall within a legal gray zone, experts said.
The Operational Technology Division also specializes in so-called black-bag jobs to install surveillance equipment, as well as computer hacking, referred to on the website as “covert entry/search capability,” which is carried out under law enforcement and intelligence warrants.
But having the DITU act as a conduit provides a useful public relations benefit: Technology companies can claim — correctly — that they do not provide any information about their customers directly to the NSA, because they give it to the DITU, which in turn passes it to the NSA.
There is an enormous amount of information in the article, which exposes yet another piece of the vast US government surveillance infrastructure. It’s good to read that “at least two” companies are fighting at least a part of this. Any legislation aimed at restoring security and trust in US Internet companies needs to address the whole problem, and not just a piece of it.
Google recently announced that it would start including individual users’ names and photos in some ads. This means that if you rate some product positively, your friends may see ads for that product with your name and photo attached—without your knowledge or consent. Meanwhile, Facebook is eliminating a feature that allowed people to retain some portions of their anonymity on its website.
These changes come on the heels of Google’s move to explore replacing tracking cookies with something that users have even less control over. Microsoft is doing something similar by developing its own tracking technology.
It shouldn’t come as a surprise that big technology companies are tracking us on the Internet even more aggressively than before.
If these features don’t sound particularly beneficial to you, it’s because you’re not the customer of any of these companies. You’re the product, and you’re being improved for their actual customers: their advertisers.
This is nothing new. For years, these sites and others have systematically improved their “product” by reducing user privacy. This excellent infographic, for example, illustrates how Facebook has done so over the years.
The “Do Not Track” law serves as a sterling example of how bad things are. When it was proposed, it was supposed to give users the right to demand that Internet companies not track them. Internet companies fought hard against the law, and when it was passed, they fought to ensure that it didn’t have any benefit to users. Right now, complying is entirely voluntary, meaning that no Internet company has to follow the law. If a company does, because it wants the PR benefit of seeming to take user privacy seriously, it can still track its users.
Really: if you tell a “Do Not Track”-enabled company that you don’t want to be tracked, it will stop showing you personalized ads. But your activity will be tracked — and your personal information collected, sold and used — just like everyone else’s. It’s best to think of it as a “track me in secret” law.
Of course, people don’t think of it that way. Most people aren’t fully aware of how much of their data is collected by these sites. And, as the “Do Not Track” story illustrates, Internet companies are doing their best to keep it that way.
The result is a world where our most intimate personal details are collected and stored. I used to say that Google has a more intimate picture of what I’m thinking of than my wife does. But that’s not far enough: Google has a more intimate picture than I do. The company knows exactly what I am thinking about, how much I am thinking about it, and when I stop thinking about it: all from my Google searches. And it remembers all of that forever.
As the Edward Snowden revelations continue to expose the full extent of the National Security Agency’s eavesdropping on the Internet, it has become increasingly obvious how much of that has been enabled by the corporate world’s existing eavesdropping on the Internet.
The public/private surveillance partnership is fraying, but it’s largely alive and well. The NSA didn’t build its eavesdropping system from scratch; it got itself a copy of what the corporate world was already collecting.
There are a lot of reasons why Internet surveillance is so prevalent and pervasive.
One, users like free things, and don’t realize how much value they’re giving away to get it. We know that “free” is a special price that confuses peoples’ thinking.
Google’s 2013 third quarter profits were nearly $3 billion; that profit is the difference between how much our privacy is worth and the cost of the services we receive in exchange for it.
Two, Internet companies deliberately make privacy not salient. When you log onto Facebook, you don’t think about how much personal information you’re revealing to the company; you’re chatting with your friends. When you wake up in the morning, you don’t think about how you’re going to allow a bunch of companies to track you throughout the day; you just put your cell phone in your pocket.
And three, the Internet’s winner-takes-all market means that privacy-preserving alternatives have trouble getting off the ground. How many of you know that there is a Google alternative called DuckDuckGo that doesn’t track you? Or that you can use cut-out sites to anonymize your Google queries? I have opted out of Facebook, and I know it affects my social life.
There are two types of changes that need to happen in order to fix this. First, there’s the market change. We need to become actual customers of these sites so we can use purchasing power to force them to take our privacy seriously. But that’s not enough. Because of the market failures surrounding privacy, a second change is needed. We need government regulations that protect our privacy by limiting what these sites can do with our data.
Surveillance is the business model of the Internet — Al Gore recently called it a “stalker economy.: All major websites run on advertising, and the more personal and targeted that advertising is, the more revenue the site gets for it. As long as we users remain the product, there is minimal incentive for these companies to provide any real privacy.
This essay previously appeared on CNN.com.
Renesys is reporting that Internet traffic is being manipulatively rerouted, presumably for eavesdropping purposes. The attacks exploit flaws in the Border Gateway Protocol (BGP). Ars Technica has a good article explaining the details.
The odds that the NSA is not doing this sort of thing are basically zero, but I’m sure that their activities are going to be harder to discover.
Nicholas Weaver has a great essay explaining how the NSA’s QUANTUM packet injection system works, what we know it does, what else it can possibly do, and how to defend against it. Remember that while QUANTUM is an NSA program, other countries engage in these sorts of attacks as well. By securing the Internet against QUANTUM, we protect ourselves against any government or criminal use of these sorts of techniques.
My talk at the IETF Vancouver meeting on NSA and surveillance. I’m the first speaker after the administrivia.
The US government sets up secure tents for the president and other officials to deal with classified material while traveling abroad.
Even when Obama travels to allied nations, aides quickly set up the security tent — which has opaque sides and noise-making devices inside — in a room near his hotel suite. When the president needs to read a classified document or have a sensitive conversation, he ducks into the tent to shield himself from secret video cameras and listening devices.
Following a several-hundred-page classified manual, the rooms are lined with foil and soundproofed. An interior location, preferably with no windows, is recommended.