$26 Software Is Used to Breach Key Weapons in Iraq; Iranian Backing Suspected
DECEMBER 17, 2009
By SIOBHAN GORMAN, YOCHI J. DREAZEN and AUGUST COLE
WASHINGTON — Militants in Iraq have used $26 off-the-shelf software to intercept live video feeds from U.S. Predator drones, potentially providing them with information they need to evade or monitor U.S. military operations.
Senior defense and intelligence officials said Iranian-backed insurgents intercepted the video feeds by taking advantage of an unprotected communications link in some of the remotely flown planes’ systems. Shiite fighters in Iraq used software programs such as SkyGrabber — available for as little as $25.95 on the Internet — to regularly capture drone video feeds, according to a person familiar with reports on the matter.
U.S. officials say there is no evidence that militants were able to take control of the drones or otherwise interfere with their flights. Still, the intercepts could give America’s enemies battlefield advantages by removing the element of surprise from certain missions and making it easier for insurgents to determine which roads and buildings are under U.S. surveillance.
The drone intercepts mark the emergence of a shadow cyber war within the U.S.-led conflicts overseas. They also point to a potentially serious vulnerability in Washington’s growing network of unmanned drones, which have become the American weapon of choice in both Afghanistan and Pakistan.
The Obama administration has come to rely heavily on the unmanned drones because they allow the U.S. to safely monitor and stalk insurgent targets in areas where sending American troops would be either politically untenable or too risky.
The stolen video feeds also indicate that U.S. adversaries continue to find simple ways of counteracting sophisticated American military technologies.
U.S. military personnel in Iraq discovered the problem late last year when they apprehended a Shiite militant whose laptop contained files of intercepted drone video feeds. In July, the U.S. military found pirated drone video feeds on other militant laptops, leading some officials to conclude that militant groups trained and funded by Iran were regularly intercepting feeds.
In the summer 2009 incident, the military found “days and days and hours and hours of proof” that the feeds were being intercepted and shared with multiple extremist groups, the person said. “It is part of their kit now.”
A senior defense official said that James Clapper, the Pentagon’s intelligence chief, assessed the Iraq intercepts at the direction of Defense Secretary Robert Gates and concluded they represented a shortcoming in the security of the drone network.
“There did appear to be a vulnerability,” the defense official said. “There’s been no harm done to troops or missions compromised as a result of it, but there’s an issue that we can take care of and we’re doing so.”
Senior military and intelligence officials said the U.S. was working to encrypt all of its drone video feeds from Iraq, Afghanistan and Pakistan, but said it wasn’t yet clear if the problem had been completely resolved.
Photo (U.S. Air Force): U.S. enemies in Iraq and Afghanistan have used off-the-shelf programs to intercept video feeds from Predator unmanned aircraft.
Some of the most detailed evidence of intercepted feeds has been discovered in Iraq, but adversaries have also intercepted drone video feeds in Afghanistan, according to people briefed on the matter. These intercept techniques could be employed in other locations where the U.S. is using pilotless planes, such as Pakistan, Yemen and Somalia, they said.
The Pentagon is deploying record numbers of drones to Afghanistan as part of the Obama administration’s troop surge there. Lt. Gen. David Deptula, who oversees the Air Force’s unmanned aviation program, said some of the drones would employ a sophisticated new camera system called “Gorgon Stare,” which allows a single aerial vehicle to transmit back at least 10 separate video feeds simultaneously.
Gen. Deptula, speaking to reporters Wednesday, said there were inherent risks to using drones since they are remotely controlled and need to send and receive video and other data over great distances. “Those kinds of things are subject to listening and exploitation,” he said, adding the military was trying to solve the problems by better encrypting the drones’ feeds.
The potential drone vulnerability lies in an unencrypted downlink between the unmanned craft and ground control. The U.S. government has known about the flaw since the U.S. campaign in Bosnia in the 1990s, current and former officials said. But the Pentagon assumed local adversaries wouldn’t know how to exploit it, the officials said.
Last December, U.S. military personnel in Iraq discovered copies of Predator drone feeds on a laptop belonging to a Shiite militant, according to a person familiar with reports on the matter. “There was evidence this was not a one-time deal,” this person said. The U.S. accuses Iran of providing weapons, money and training to Shiite fighters in Iraq, a charge that Tehran has long denied.
The militants use programs such as SkyGrabber, from Russian company SkySoftware. Andrew Solonikov, one of the software’s developers, said he was unaware that his software could be used to intercept drone feeds. “It was developed to intercept music, photos, video, programs and other content that other users download from the Internet — no military data or other commercial data, only free legal content,” he said by email from Russia.
Officials stepped up efforts to prevent insurgents from intercepting video feeds after the July incident. The difficulty, officials said, is that adding encryption to a network that is more than a decade old involves more than placing a new piece of equipment on individual drones. Instead, many components of the network linking the drones to their operators in the U.S., Afghanistan or Pakistan have to be upgraded to handle the changes. Additional concerns remain about the vulnerability of the communications signals to electronic jamming, though there’s no evidence that has occurred, said people familiar with reports on the matter.
Predator drones are built by General Atomics Aeronautical Systems Inc. of San Diego. Some of its communications technology is proprietary, so widely used encryption systems aren’t readily compatible, said people familiar with the matter.
In an email, a spokeswoman said that for security reasons, the company couldn’t comment on “specific data link capabilities and limitations.”
Fixing the security gap would have caused delays, according to current and former military officials. It would have added to the Predator’s price. Some officials worried that adding encryption would make it harder to quickly share time-sensitive data within the U.S. military, and with allies.
“There’s a balance between pragmatics and sophistication,” said Mike Wynne, Air Force Secretary from 2005 to 2008.
The Air Force has staked its future on unmanned aerial vehicles. Drones account for 36% of the planes in the service’s proposed 2010 budget.
Today, the Air Force is buying hundreds of Reaper drones, a newer model, whose video feeds could be intercepted in much the same way as with the Predators, according to people familiar with the matter. A Reaper costs between $10 million and $12 million each and is faster and better armed than the Predator. General Atomics expects the Air Force to buy as many as 375 Reapers.
Yes, security lapses like this are unfortunately all too common. It is easy to see why there’s a need for hardware-based encryption here. How much would it really cost to add an ASIC with something at least of the level of 256-bit Twofish, or AES, etc.? While the tactical value of the drone video may decay pretty quickly, perhaps we don’t want any random folks reviewing an entire day’s video feed in, say, 10 years.
It’s high time that folks consider any public venue to be “compromisable”, whether wireless or wired (copper, fiber, etc.). If many businesses require the use of strong crypto (often via VPN) from your laptop back to the company office before you can even browse to an intranet https-secured site, perhaps this should be a clue for standards in other places, too.
From: Bruce Schneier<schneier@schneier.com>
Date: Mon, Dec 14, 2009 at 22:41
Subject: CRYPTO-GRAM, December 15, 2009
To: CRYPTO-GRAM-LIST@listserv.modwest.com
In this issue:
Terrorists Targeting High-Profile Events
Eric Schmidt on Privacy
News
A Taxonomy of Social Networking Data
The Psychology of Being Scammed
Schneier News
Reacting to Security Vulnerabilities
** *** ***** ******* *********** *************
Terrorists Targeting High-Profile Events
In an AP story on increased security at major football (the American variety) events, this sentence struck me: “‘High-profile events are something that terrorist groups would love to interrupt somehow,’ said Anthony Mangione, chief of U.S. Immigration and Customs Enforcement’s Miami office.”
This is certainly the conventional wisdom, but is there any actual evidence that it’s true? The 9/11 terrorists could have easily chosen a different date and a major event — sporting or other — to target, but they didn’t. The London and Madrid train bombers could have just as easily chosen more high-profile events to bomb, but they didn’t. The Mumbai terrorists chose an ordinary day and ordinary targets. Aum Shinrikyo chose an ordinary day and ordinary train lines. Timothy McVeigh chose the ordinary Oklahoma City Federal Building. Irish terrorists chose, and Palestinian terrorists continue to choose, ordinary targets. Some of this can be attributed to the fact that ordinary targets are easier targets, but not a lot of it.
The only examples that come to mind of terrorists choosing high-profile events or targets are the idiot wannabe terrorists who would have been incapable of doing anything unless egged on by a government informant. Hardly convincing evidence.
Yes, I’ve seen the movie Black Sunday. But is there any reason to believe that terrorists want to target these sorts of events other than us projecting our own fears and prejudices onto the terrorists’ motives?
I think judgment matters. If you have something that you don’t want anyone to know, maybe you shouldn’t be doing it in the first place. If you really need that kind of privacy, the reality is that search engines — including Google — do retain this information for some time and it’s important, for example, that we are all subject in the United States to the Patriot Act and it is possible that all that information could be made available to the authorities.
This, from 2006, is my response:
Privacy protects us from abuses by those in power, even if we’re doing nothing wrong at the time of surveillance.
We do nothing wrong when we make love or go to the bathroom. We are not deliberately hiding anything when we seek out private places for reflection or conversation. We keep private journals, sing in the privacy of the shower, and write letters to secret lovers and then burn them. Privacy is a basic human need.
[...]
For if we are observed in all matters, we are constantly under threat of correction, judgment, criticism, even plagiarism of our own uniqueness. We become children, fettered under watchful eyes, constantly fearful that — either now or in the uncertain future — patterns we leave behind will be brought back to implicate us, by whatever authority has now become focused upon our once-private and innocent acts. We lose our individuality, because everything we do is observable and recordable.
[...]
This is the loss of freedom we face when our privacy is taken from us. This is life in former East Germany, or life in Saddam Hussein’s Iraq. And it’s our future as we allow an ever-intrusive eye into our personal, private lives.
Too many wrongly characterize the debate as “security versus privacy.” The real choice is liberty versus control. Tyranny, whether it arises under threat of foreign physical attack or under constant domestic authoritative scrutiny, is still tyranny. Liberty requires security without intrusion, security plus privacy. Widespread police surveillance is the very definition of a police state. And that’s why we should champion privacy even when we have nothing to hide.
Interesting research on public reactions to terrorist threats. Not that it’s surprising: Fear makes people deferential, docile, and distrustful, and both politicians and marketers have learned to take advantage of this. http://www.schneier.com/blog/archives/2009/11/public_reaction.html
Jennifer Merolla and Elizabeth Zechmeister have written a book, Democracy at Risk: How Terrorist Threats Affect the Public. I haven’t read it yet. http://www.amazon.com/gp/product/0226520552/counterpane/
A study in the British Journal of Criminology makes the point that drink-spiking date-raping is basically an urban legend. The hypothesis is that perpetuating the fear of drug-based rape allows parents and friends to warn young women off excessive drinking without criticizing their personal choices. The fake bogeyman lets people avoid talking about the real issues. http://www.schneier.com/blog/archives/2009/11/a_useful_side-e.html
Norbt (no robot) is a low-security web application to encrypt web pages. You can create and encrypt a webpage. The key is an answer to a question; anyone who knows the answer can see the page. I’m not sure this is very useful. https://norbt.com/
Wikileaks has published pager intercepts from New York on 9/11. It’s disturbing to realize that someone, possibly not even a government, was routinely intercepting most (all?) of the pager data in lower Manhattan as far back as 2001. Who was doing it? For what purpose? That, we don’t know. http://www.schneier.com/blog/archives/2009/11/leaked_911_text.html
This research centers on looking at the radio characteristics of individual RFID chips and creating a “fingerprint.” It makes sense; fingerprinting individual radios based on their transmission characteristics is as old as WW II. But while the research centers on using this as an anti-counterfeiting measure, I think it would much more likely be used as an identification and surveillance tool. Even if the communication is fully encrypted, this technology could be used to uniquely identify the chip. http://dailyheadlines.uark.edu/16260.htm
At the Internet Governance Forum in Sharm El Sheikh this week, there was a conversation on social networking data. Someone made the point that there are several different types of data, and it would be useful to separate them. This is my taxonomy of social networking data.
1. Service data. Service data is the data you need to give to a social networking site in order to use it. It might include your legal name, your age, and your credit card number.
2. Disclosed data. This is what you post on your own pages: blog entries, photographs, messages, comments, and so on.
3. Entrusted data. This is what you post on other people’s pages. It’s basically the same stuff as disclosed data, but the difference is that you don’t have control over the data — someone else does.
4. Incidental data. Incidental data is data the other people post about you. Again, it’s basically the same stuff as disclosed data, but the difference is that 1) you don’t have control over it, and 2) you didn’t create it in the first place.
5. Behavioral data. This is data that the site collects about your habits by recording what you do and who you do it with.
Different social networking sites give users different rights for each data type. Some are always private, some can be made private, and some are always public. Some can be edited or deleted — I know one site that allows entrusted data to be edited or deleted within a 24-hour period — and some cannot. Some can be viewed and some cannot.
And people *should* have different rights with respect to each data type. It’s clear that people should be allowed to change and delete their disclosed data. It’s less clear what rights they have for their entrusted data. And far less clear for their incidental data. If you post pictures of a party with me in them, can I demand you remove those pictures — or at least blur out my face? And what about behavioral data? It’s often a critical part of a social networking site’s business model. We often don’t mind if they use it to target advertisements, but are probably less sanguine about them selling it to third parties.
As we continue our conversations about what sorts of fundamental rights people have with respect to their data, this taxonomy will be useful.
This is a very interesting paper: “Understanding scam victims: seven principles for systems security,” by Frank Stajano and Paul Wilson. Paul Wilson produces and stars in the British television show The Real Hustle, which does hidden camera demonstrations of con games. (There’s no DVD of the show available, but there are bits of it on YouTube.) Frank Stajano is at the Computer Laboratory of the University of Cambridge.
The paper describes a dozen different con scenarios — entertaining in itself — and then lists and explains six general psychological principles that con artists use:
1. The distraction principle. While you are distracted by what retains your interest, hustlers can do anything to you and you won’t notice.
2. The social compliance principle. Society trains people not to question authority. Hustlers exploit this “suspension of suspiciousness” to make you do what they want.
3. The herd principle. Even suspicious marks will let their guard down when everyone next to them appears to share the same risks. Safety in numbers? Not if they’re all conspiring against you.
4. The dishonesty principle. Anything illegal you do will be used against you by the fraudster, making it harder for you to seek help once you realize you’ve been had.
5. The deception principle. Things and people are not what they seem. Hustlers know how to manipulate you to make you believe that they are.
6. The need and greed principle. Your needs and desires make you vulnerable. Once hustlers know what you really want, they can easily manipulate you.
Last month, researchers found a security flaw in the SSL protocol, which is used to protect sensitive web data. The protocol is used for online commerce, webmail, and social networking sites. Basically, hackers could hijack an SSL session and execute commands without the knowledge of either the client or the server. The list of affected products is enormous.
If this sounds serious to you, you’re right. It is serious. Given that, what should you do now? Should you not use SSL until it’s fixed, and only pay for internet purchases over the phone? Should you download some kind of protection? Should you take some other remedial action? What?
If you read the IT press regularly, you’ll see this sort of question again and again. The answer for this particular vulnerability, as for pretty much any other vulnerability you read about, is the same: do nothing. That’s right, nothing. Don’t panic. Don’t change your behavior. Ignore the problem, and let the vendors figure it out.
There are several reasons for this. One, it’s hard to figure out which vulnerabilities are serious and which are not. Vulnerabilities such as this happen multiple times a month. They affect different software, different operating systems, and different web protocols. The press either mentions them or not, somewhat randomly; just because it’s in the news doesn’t mean it’s serious.
Two, it’s hard to figure out if there’s anything you can do. Many vulnerabilities affect operating systems or Internet protocols. The only sure fix would be to avoid using your computer. Some vulnerabilities have surprising consequences. The SSL vulnerability mentioned above could be used to hack Twitter. Did you expect that? I sure didn’t.
Three, the odds of a particular vulnerability affecting you are small. There are a lot of fish in the Internet, and you’re just one of billions.
Four, often you can’t do anything. These vulnerabilities affect clients and servers, individuals and corporations. A lot of your data isn’t under your direct control — it’s on your web-based email servers, in some corporate database, or in a cloud computing application. If a vulnerability affects the computers running Facebook, for example, your data is at risk, whether you log in to Facebook or not.
It’s much smarter to have a reasonable set of default security practices and continue doing them. This includes:
1. Install an antivirus program if you run Windows, and configure it to update daily. It doesn’t matter which one you use; they’re all about the same. For Windows, I like the free version of AVG Internet Security. Apple Mac and Linux users can ignore this, as virus writers target the operating system with the largest market share.
2. Configure your OS and network router properly. Microsoft’s operating systems come with a lot of security enabled by default; this is good. But have someone who knows what they’re doing check the configuration of your router, too.
3. Turn on automatic software updates. This is the mechanism by which your software patches itself in the background, without you having to do anything. Make sure it’s turned on for your computer, OS, security software, and any applications that have the option. Yes, you have to do it for everything, as they often have separate mechanisms.
4. Show common sense regarding the Internet. This might be the hardest thing, and the most important. Know when an email is real, and when you shouldn’t click on the link. Know when a website is suspicious. Know when something is amiss.
5. Perform regular backups. This is vital. If you’re infected with something, you may have to reinstall your operating system and applications. Good backups ensure you don’t lose your data — documents, photographs, music — if that becomes necessary.
That’s basically it. I could give a longer list of safe computing practices, but this short one is likely to keep you safe. After that, trust the vendors. They spent all last month scrambling to fix the SSL vulnerability, and they’ll spend all this month scrambling to fix whatever new vulnerabilities are discovered. Let that be their problem.
Since 1998, CRYPTO-GRAM has been a free monthly newsletter providing summaries, analyses, insights, and commentaries on security: computer and otherwise. You can subscribe, unsubscribe, or change your address on the Web at <http://www.schneier.com/crypto-gram.html>. Back issues are also available at that URL.
Please feel free to forward CRYPTO-GRAM, in whole or in part, to colleagues and friends who will find it valuable. Permission is also granted to reprint CRYPTO-GRAM, as long as it is reprinted in its entirety.
CRYPTO-GRAM is written by Bruce Schneier. Schneier is the author of the best sellers “Schneier on Security,” “Beyond Fear,” “Secrets and Lies,” and “Applied Cryptography,” and an inventor of the Blowfish, Twofish, Threefish, Helix, Phelix, and Skein algorithms. He is the Chief Security Technology Officer of BT BCSG, and is on the Board of Directors of the Electronic Privacy Information Center (EPIC). He is a frequent writer and lecturer on security topics. See <http://www.schneier.com>.
Crypto-Gram is a personal newsletter. Opinions expressed are not necessarily those of BT.
Alas, this is going to be a challenging Tech week, I can tell. All I can report for now is that the current revision of Acronis Trueimage Home 2010 (version number 13.0.6053) doesn’t seem to work well with my TrueCrypt’d boot partition setup, under Windows 7 x64 [Version 6.1.7600].
Back to the drawing board – I’d really like to upgrade from DriveImage XML at some point [ahem] but at least it works!
My simple solution, for detachable external storage (i.e. it shouldn’t fry from the same power surge, if not cabled up in any way at the time of the electrical havoc . . .)
Some of these models require a port-multiplier eSATA / eSAS type port, but usually include at least a software-RAID sort of PCIe card with the package – check to make sure, or you’ll only get one drive showing up instead of 4 or more . . .
If I were to go with the more expensive option (still relatively affordable, above – compared to a true NAS, etc.) I might consider some of the 1 terabyte or > “Green” SATA drives. This is due to me wanting to have a good backup locally (c.f. Acronis) as well as remotely (expect an article this coming week on more discoveries here). Yes, having been around the corporate world, I tend to back up like an OCD person washes hands – once you’ve been bitten, you understand the data is worth a lot more than the hardware.
The ability to configure selected volumes as ‘system favorite volumes’. This is useful, for example, when you have volumes that need to be mounted before system and application services start and before users start logging on. It is also useful when there are network-shared folders located on a TrueCrypt volume and you need to ensure that the network shares will be restored by the system each time it is restarted. For more information, see the chapter ‘Main Program Window’, section ‘Program Menu’, subsection ‘Volumes -> Save Currently Mounted Volumes as Favorite’ in the documentation. (Windows)
Improvements and bug fixes:
‘Favorite’ volumes residing within partitions or dynamic volumes will no longer be affected by changes in disk device numbers, which may occur, e.g., when a drive is removed or added. (Windows)
Many other minor improvements and bug fixes. (Windows, Mac OS X, and Linux)
In this issue:
Eighth Anniversary of 9/11
Skein News
Real-World Access Control
News
File Deletion
On London’s Surveillance Cameras
Robert Sawyer’s Alibis
Schneier News
Stealing 130 Million Credit Card Numbers
“The Cult of Schneier”
Comments from Readers
** *** ***** ******* *********** *************
Eighth Anniversary of 9/11
On September 30, 2001, I published a special issue of Crypto-Gram discussing the terrorist attacks. I wrote about the novelty of the attacks, airplane security, diagnosing intelligence failures, the potential of regulating cryptography — because it could be used by the terrorists — and protecting privacy and liberty. Much of what I wrote is still relevant today.
Skein is one of the 14 SHA-3 candidates chosen by NIST to advance to the second round. As part of the process, NIST allowed the algorithm designers to implement small “tweaks” to their algorithms. We’ve tweaked the rotation constants of Skein.
The revised Skein paper contains the new rotation constants, as well as information about how we chose them and why we changed them, the results of some new cryptanalysis, plus new IVs and test vectors.
Tweaks were due today, September 15. Now the SHA-3 process moves into the second round. According to NIST’s timeline, they’ll choose a set of final round candidate algorithms in 2010, and then a single hash algorithm in 2012. Between now and then, it’s up to all of us to evaluate the algorithms and let NIST know what we want. Cryptanalysis is important, of course, but so is performance.
The second-round algorithms are: BLAKE, Blue Midnight Wish, CubeHash, ECHO, Fugue, Grøstl, Hamsi, JH, Keccak, Luffa, Shabal, SHAvite-3, SIMD, and Skein. You can find details on all of them, as well as the current state of their cryptanalysis, at the SHA-3 Zoo.
In other news, we’re making Skein shirts available to the public. Those of you who attended the First Hash Function Candidate Conference in Leuven, Belgium, earlier this year might have noticed the stylish black Skein polo shirts worn by the Skein team. Anyone who wants one is welcome to buy it, at cost. All orders must be received before 1 October, and then we’ll have all the shirts made in one batch.
Access control is difficult in an organizational setting. On one hand, every employee needs enough access to do his job. On the other hand, every time you give an employee more access, there’s more risk: he could abuse that access, or lose information he has access to, or be socially engineered into giving that access to a malfeasant. So a smart, risk-conscious organization will give each employee the exact level of access he needs to do his job, and no more.
Over the years, there’s been a lot of work put into role-based access control. But despite the large number of academic papers and high-profile security products, most organizations don’t implement it — at all — with the predictable security problems as a result.
Regularly we read stories of employees abusing their database access-control privileges for personal reasons: medical records, tax records, passport records, police records. NSA eavesdroppers spy on their wives and girlfriends. Departing employees take corporate secrets
A spectacular access control failure occurred in the UK in 2007. An employee of Her Majesty’s Revenue & Customs had to send a couple of thousand sample records from a database on all children in the country to the National Audit Office. But it was easier for him to copy the entire database of 25 million people onto a couple of discs and put it in the mail than it was to select out just the records needed. Unfortunately, the discs got lost in the mail and the story was a huge embarrassment for the government.
Eric Johnson at Dartmouth’s Tuck School of Business has been studying the problem, and his results won’t startle anyone who has thought about it at all. RBAC is very hard to implement correctly. Organizations generally don’t even know who has what role. The employee doesn’t know, the boss doesn’t know — and these days the employee might have more than one boss — and senior management certainly doesn’t know. There’s a reason RBAC came out of the military; in that world, command structures are simple and well-defined.
Even worse, employees’ roles change all the time — Johnson chronicled one business group of 3,000 people that made 1,000 role changes in just three months — and it’s often not obvious what information an employee needs until he actually needs it. And information simply isn’t that granular. Just as it’s much easier to give someone access to an entire file cabinet than to only the particular files he needs, it’s much easier to give someone access to an entire database than only the particular records he needs.
This means that organizations either over-entitle or under-entitle employees. But since getting the job done is more important than anything else, organizations tend to over-entitle. Johnson estimates that 50 percent to 90 percent of employees are over-entitled in large organizations. In the uncommon instance where an employee needs access to something he normally doesn’t have, there’s generally some process for him to get it. And access is almost never revoked once it’s been granted. In large formal organizations, Johnson was able to predict how long an employee had worked there based on how much access he had.
Clearly, organizations can do better. Johnson’s current work involves building access-control systems with easy self-escalation, audit to make sure that power isn’t abused, violation penalties (Intel, for example, issues “speeding tickets” to violators), and compliance rewards. His goal is to implement incentives and controls that manage access without making people too risk-averse.
In the end, a perfect access control system just isn’t possible; organizations are simply too chaotic for it to work. And any good system will allow a certain number of access control violations, if they’re made in good faith by people just trying to do their jobs. The “speeding ticket” analogy is better than it looks: we post limits of 55 miles per hour, but generally don’t start ticketing people unless they’re going over 70.
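The access-control pattern Johnson describes above (self-escalation that is always logged, an audit over the log, and a “speeding ticket” threshold that sits above the posted limit) as an added illustration; this is constructed example code, not Johnson’s system or anything from Crypto-Gram, and the roles, users and day-numbered timeline are made up. It also adds a stale-grant check, since the text notes access is almost never revoked once granted.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Grant:
    user: str
    resource: str
    granted_at: int   # day number on a constructed timeline
    reason: str       # justification supplied when the user self-escalated


class AccessModel:
    """Roles give baseline access; everything else is self-escalated and logged."""

    def __init__(self, roles, user_roles):
        self.roles = {r: set(res) for r, res in roles.items()}
        self.user_roles = {u: set(rs) for u, rs in user_roles.items()}
        self.grants = []   # escalated grants; nothing here is ever auto-revoked
        self.log = []      # (day, user, resource, kind) for the auditor

    def role_allows(self, user, resource):
        return any(resource in self.roles[r] for r in self.user_roles.get(user, ()))

    def grant_allows(self, user, resource):
        return any(g.user == user and g.resource == resource for g in self.grants)

    def request(self, user, resource, day, reason=""):
        """Never block the job, but record how the access was obtained."""
        if self.role_allows(user, resource):
            kind = "role"
        elif self.grant_allows(user, resource):
            kind = "grant"
        else:
            if not reason:
                raise ValueError("self-escalation requires a justification")
            self.grants.append(Grant(user, resource, day, reason))
            kind = "escalation"
        self.log.append((day, user, resource, kind))
        return kind


def escalations_per_user(model, since_day):
    counts = defaultdict(int)
    for day, user, _, kind in model.log:
        if kind == "escalation" and day >= since_day:
            counts[user] += 1
    return dict(counts)


def speeding_tickets(model, since_day, posted_limit, ticket_at):
    """The posted limit is policy; tickets go only to users above the higher threshold."""
    assert ticket_at >= posted_limit, "enforcement threshold must not be below policy"
    return {u: n for u, n in escalations_per_user(model, since_day).items() if n > ticket_at}


def stale_grants(model, today, max_idle_days):
    """Escalated grants not exercised recently: revocation candidates for the review that
    otherwise never happens."""
    last_use = {}
    for day, user, resource, kind in model.log:
        if kind in ("grant", "escalation"):
            key = (user, resource)
            last_use[key] = max(last_use.get(key, 0), day)
    return [g for g in model.grants
            if today - last_use[(g.user, g.resource)] > max_idle_days]


def build_sample():
    """Constructed scenario: two analysts, one of whom escalates far more than the other."""
    m = AccessModel(roles={"analyst": {"reports"}, "payroll": {"salaries"}},
                    user_roles={"alice": {"analyst"}, "bob": {"analyst"}})
    m.request("alice", "reports", 1)                              # covered by her role
    m.request("alice", "salaries", 2, reason="audit ticket 17")   # one-off escalation
    m.request("alice", "salaries", 3)                             # reuses the grant
    for day, res in enumerate(["r1", "r2", "r3", "r4", "r5"], start=1):
        m.request("bob", res, day, reason="needed for project")   # five escalations
    m.request("bob", "r1", 95)                                    # only r1 is still in use
    return m


if __name__ == "__main__":
    model = build_sample()
    print("escalations:", escalations_per_user(model, 0))
    print("ticketed (limit 2, ticket at >4):", speeding_tickets(model, 0, 2, 4))
    print("stale grants at day 100:", [(g.user, g.resource) for g in stale_grants(model, 100, 30)])
```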
The sorts of crimes we’ve been seeing perpetrated against individuals are starting to be perpetrated against small businesses. The problem will get much worse, and the security externalities mean that the banks care much less. http://www.schneier.com/blog/archives/2009/08/small_business.html
There is a movement in the U.K. to replace the pint glasses in pubs with plastic because too many of them are being used as weapons. I don’t think this will go anywhere, but the sheer idiocy is impressive. Reminds me of the call to ban pointy knives. That recommendation also came out of the UK. What’s going on over there? http://www.schneier.com/blog/archives/2009/08/banning_beer_gl.html
Hacking swine flu: “So it takes about 25 kilobits — 3.2 Kbytes — of data to code for a virus that has a non-trivial chance of killing a human. This is more efficient than a computer virus, such as MyDoom, which rings in at around 22 Kbytes. It’s humbling that I could be killed by 3.2 Kbytes of genetic data. Then again, with 850 Mbytes of data in my genome, there’s bound to be an exploit or two.” http://www.bunniestudios.com/blog/?p=353
Nils Gilman’s lecture on the global illicit economy. Malware is one of Nils Gilman’s examples, at about the nine-minute mark. http://video.google.com/videoplay?docid=3173247273890946684#
The seven rules of the illicit global economy (he seems to use “illicit” and “deviant” interchangeably in the talk):
1. Perfectly legitimate forms of demand can produce perfectly deviant forms of supply.
2. Uneven global regulatory structures create arbitrage opportunities for deviant entrepreneurs.
3. Pathways for legitimate globalization are always also pathways for deviant globalization.
4. Once a deviant industry professionalizes, crackdowns merely promote innovation.
5. States themselves undermine the distinction between legitimate and deviant economics.
6. Unchecked, deviant entrepreneurs will overtake the legitimate economy.
7. Deviant globalization presents an existential challenge to state legitimacy.
File deletion is all about control. This used to not be an issue. Your data was on your computer, and you decided when and how to delete a file. You could use the delete function if you didn’t care about whether the file could be recovered or not, and a file erase program — I use BCWipe for Windows — if you wanted to ensure no one could ever recover the file.
As we move more of our data onto cloud computing platforms such as Gmail and Facebook, and closed proprietary platforms such as the Kindle and the iPhone, deleting data is much harder.
You have to trust that these companies will delete your data when you ask them to, but they’re generally not interested in doing so. Sites like these are more likely to make your data inaccessible than they are to physically delete it. Facebook is a known culprit: actually deleting your data from its servers requires a complicated procedure that may or may not work. And even if you do manage to delete your data, copies are certain to remain in the companies’ backup systems. Gmail explicitly says this in its privacy notice.
Online backups, SMS messages, photos on photo sharing sites, smartphone applications that store your data in the network: you have no idea what really happens when you delete pieces of data or your entire account, because you’re not in control of the computers that are storing the data.
This notion of control also explains how Amazon was able to delete a book that people had previously purchased on their Kindle e-book readers. The legalities are debatable, but Amazon had the technical ability to delete the file because it controls all Kindles. It has designed the Kindle so that it determines when to update the software, whether people are allowed to buy Kindle books, and when to turn off people’s Kindles entirely.
Vanish is a research project by Roxana Geambasu and colleagues at the University of Washington. They designed a prototype system that automatically deletes data after a set time interval. So you can send an e-mail, create a Google Doc, post an update to Facebook, or upload a photo to Flickr, all designed to disappear after a set period of time. And after it disappears, no one — not anyone who downloaded the data, not the site that hosted the data, not anyone who intercepted the data in transit, not even you — will be able to read it. If the police arrive at Facebook or Google or Flickr with a warrant, they won’t be able to read it.
The details are complicated, but Vanish breaks the data’s decryption key into a bunch of pieces and scatters them around the web using a peer-to-peer network. Then it uses the natural turnover in these networks — machines constantly join and leave — to make the data disappear. Unlike previous programs that supported file deletion, this one doesn’t require you to trust any company, organization, or website. It just happens.
Of course, Vanish doesn’t prevent the recipient of an e-mail or the reader of a Facebook page from copying the data and pasting it into another file, just as Kindle’s deletion feature doesn’t prevent people from copying a book’s files and saving them on their computers. Vanish is just a prototype at this point, and it only works if all the people who read your Facebook entries or view your Flickr pictures have it installed on their computers as well; but it’s a good demonstration of how control affects file deletion. And while it’s a step in the right direction, it’s also new and therefore deserves further security analysis before being adopted on a wide scale.
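The mechanism described above, as an added example that is not Vanish’s own code: the data key is split into threshold shares over a prime field (Shamir’s scheme, used here as one way to do the splitting), the shares are scattered across a simulated peer-to-peer store, and nodes leaving the network take their shares with them until fewer than the threshold remain and recovery fails. The SHA-256 keystream cipher, the share counts and the churn model are constructed stand-ins.

```python
import hashlib
import os
import random

# Added example, not Vanish's code: Shamir threshold secret sharing over a
# prime field plus a constructed simulation of DHT churn.
P = 2**521 - 1  # Mersenne prime; every coefficient and share lives in GF(P)


def split_key(key: int, n: int, k: int):
    """Split `key` into n shares such that any k of them reconstruct it."""
    assert 0 <= key < P and 1 <= k <= n < P
    rng = random.SystemRandom()
    coeffs = [key] + [rng.randrange(P) for _ in range(k - 1)]
    shares = {}
    for x in range(1, n + 1):
        y = 0
        for c in reversed(coeffs):  # Horner evaluation of the polynomial at x
            y = (y * x + c) % P
        shares[x] = y
    return shares


def recover_key(shares: dict, k: int):
    """Lagrange-interpolate the constant term from any k shares; None if too few."""
    if len(shares) < k:
        return None
    pts = list(shares.items())[:k]
    secret = 0
    for i, (xi, yi) in enumerate(pts):
        num, den = 1, 1
        for j, (xj, _) in enumerate(pts):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        secret = (secret + yi * num * pow(den, -1, P)) % P
    return secret


def keystream_xor(key: int, data: bytes) -> bytes:
    """Toy stream cipher (SHA-256 in counter mode) standing in for a real cipher."""
    out = bytearray()
    kb = key.to_bytes(66, "big")
    for off in range(0, len(data), 32):
        ks = hashlib.sha256(kb + off.to_bytes(8, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)


def vanish_demo(message: bytes, n=10, k=7, nodes_leaving=4):
    """Encrypt, scatter shares, simulate churn, then attempt recovery.
    Returns (plaintext read before churn, plaintext read after churn or None)."""
    key = int.from_bytes(os.urandom(32), "big")
    ciphertext = keystream_xor(key, message)
    dht = split_key(key, n, k)  # constructed stand-in for the peer-to-peer store
    # Before churn: anyone with the ciphertext and the store reads the data.
    before = keystream_xor(recover_key(dht, k), ciphertext)
    # Churn: nodes holding shares leave and take their shares with them.
    for x in random.sample(sorted(dht), nodes_leaving):
        del dht[x]
    remaining = recover_key(dht, k)
    after = None if remaining is None else keystream_xor(remaining, ciphertext)
    return before, after
```

With the default parameters four of ten shares are lost against a threshold of seven, so the same ciphertext that was readable a moment earlier can no longer be decrypted by anyone, the sender included.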
We’ve lost the control of data on some of the computers we own, and we’ve lost control of our data in the cloud. We’re not going to stop using Facebook and Twitter just because they’re not going to delete our data when we ask them to, and we’re not going to stop using Kindles and iPhones because they may delete our data when we don’t want them to. But we need to take back control of data in the cloud, and projects like Vanish show us how we can.
Now we need something that will protect our data when a large corporation decides to delete it.
A recent report has concluded that London’s surveillance cameras have solved one crime per thousand cameras per year.
I haven’t seen the report, but I know it’s hard to figure out when a crime has been “solved” by a surveillance camera. To me, the crime has to have been unsolvable without the cameras. Repeatedly I see pro-camera lobbyists pointing to the surveillance-camera images that identified the 7/7 London Transport bombers, but it is obvious that they would have been identified even without the cameras.
And it would really help my understanding of the report’s per-crime cost-to-detect of £20,000 (I assume it is calculated from £200 million for the cameras times 1 in 1000 cameras used to solve a crime per year divided by ten years) if I knew what sorts of crimes the cameras “solved.” If the £200 million solved 10,000 murders, it might very well be a good security trade-off. But my guess is that most of the crimes were of a much lower level.
Back in 2002, science fiction author Robert J. Sawyer wrote an essay about the trade-off between privacy and security. I’ve never forgotten the first sentence: “Whenever I visit a tourist attraction that has a guest register, I always sign it. After all, you never know when you’ll need an alibi.”
Since I read that, whenever I see a tourist attraction with a guest register, I do the same thing. I sign “Robert J. Sawyer, Toronto, ON” — because you never know when he’ll need an alibi.
Here’s a video of a talk, “The Future of the Security Industry,” I gave at an OWASP meeting in August in Minneapolis. http://vimeo.com/6495257
** *** ***** ******* *********** *************
Stealing 130 Million Credit Card Numbers
Someone has been charged with stealing 130 million credit card numbers.
Yes, it’s a lot, but that’s the sort of quantities credit card numbers come in. They come by the millions, in large database files. Even if you only want ten, you have to steal millions. I’m sure every one of us has a credit card in our wallet whose number has been stolen. It’ll probably never be used for fraudulent purposes, but it’s in some stolen database somewhere.
Years ago, when giving advice on how to avoid identity theft, I would tell people to shred their trash. Today, that advice is completely obsolete. No one steals credit card numbers one by one out of the trash when they can be stolen by the millions from merchant databases.
If there’s actually a cult out there, I want to hear about it. In an essay by that name, John Viega writes about the dangers of relying on Applied Cryptography to design cryptosystems:
But, after many years of evaluating the security of software systems, I’m incredibly down on using the book that made Bruce famous when designing the cryptographic aspects of a system. In fact, I can safely say I have never seen a secure system come out the other end, when that is the primary source for the crypto design. And I don’t mean that people forget about the buffer overflows. I mean, the crypto is crappy.
My rule for software development teams is simple: Don’t use Applied Cryptography in your system design. It’s fine and fun to read it, just don’t build from it.
[...]
The book talks about the fundamental building blocks of cryptography, but there is no guidance on things like putting together all the pieces to create a secure, authenticated connection between two parties.
Plus, in the nearly 13 years since the book was last revised, our understanding of cryptography has changed greatly. There are things in it that were thought to be true at the time that turned out to be very false….
I agree. And, to his credit, Viega points out that I agree:
But in the introduction to Bruce Schneier’s book, Practical Cryptography, he himself says that the world is filled with broken systems built from his earlier book. In fact, he wrote Practical Cryptography in hopes of rectifying the problem.
This is all true.
Designing a cryptosystem is hard. Just as you wouldn’t give a person — even a doctor — a brain-surgery instruction manual and then expect him to operate on live patients, you shouldn’t give an engineer a cryptography book and then expect him to design and implement a cryptosystem. The patient is unlikely to survive, and the cryptosystem is unlikely to be secure.
Even worse, security doesn’t provide immediate feedback. A dead patient on the operating table tells the doctor that maybe he doesn’t understand brain surgery just because he read a book, but an insecure cryptosystem works just fine. It’s not until someone takes the time to break it that the engineer might realize that he didn’t do as good a job as he thought. Remember: Anyone can design a security system that he himself cannot break. Even the experts regularly get it wrong. The odds that an amateur will get it right are extremely low.
For those who are interested, a second edition of Practical Cryptography will be published in early 2010, renamed Cryptography Engineering and featuring a third author: Tadayoshi Kohno.
Since 1998, CRYPTO-GRAM has been a free monthly newsletter providing summaries, analyses, insights, and commentaries on security: computer and otherwise. You can subscribe, unsubscribe, or change your address on the Web at <http://www.schneier.com/crypto-gram.html>. Back issues are also available at that URL.
Please feel free to forward CRYPTO-GRAM, in whole or in part, to colleagues and friends who will find it valuable. Permission is also granted to reprint CRYPTO-GRAM, as long as it is reprinted in its entirety.
CRYPTO-GRAM is written by Bruce Schneier. Schneier is the author of the best sellers “Schneier on Security,” “Beyond Fear,” “Secrets and Lies,” and “Applied Cryptography,” and an inventor of the Blowfish, Twofish, Threefish, Helix, Phelix, and Skein algorithms. He is the Chief Security Technology Officer of BT BCSG, and is on the Board of Directors of the Electronic Privacy Information Center (EPIC). He is a frequent writer and lecturer on security topics. See <http://www.schneier.com>.
Crypto-Gram is a personal newsletter. Opinions expressed are not necessarily those of BT.
I’ve been looking at various cameras and systems to do a bit of home monitoring while I’m away, based on motion and audio detection.
I’ve broken this new project down into two sections: Hardware and Software.
The Hardware:
I settled on one “good” camera for now, where it is fairly close to the computer; the Logitech QuickCam Orbit AF will cover the office, and a couple of storage closets off of that room. I have used this model before at a business, and while not perfect, it’s pretty good. Made for desktop use, it does include a reasonable built-in microphone. The drawbacks: it’s USB only, which typically limits the max length to about 16 feet from the computer (per USB spec). It’s not designed to be “stealthy” in any way, and since it was not originally designed for security work, it doesn’t work well in very low / no light.
I chose the Orbit based on experience (prior 1.3 megapixel model), as well as reviews. Frankly, most of the IP “security” cameras just don’t look very good to me, either in performance or within a semi-reasonable price. I am sure there are going to be some negatives with the “do it yourself” route I’ve chosen, as well. The Orbit AF has Pan / Tilt / Zoom (PTZ) and pretty good optics for its class. The PTZ can also be set to automatic tracking, and has a wide field of view for both panning left/right and tilting up and down.
I am planning to extend one other Orbit AF (and hopefully two) to nearby rooms using a USB-over-Cat5 type extender. We’ll have to see how that goes, as there is sure to be a performance penalty in there, since we are not at USB 2.0 speeds (unless you want to plunk down a ton of money). Luckily, I can repurpose the extender if it doesn’t work out well. Wireless USB just looked too short range and not quite ready for the data speeds we’d be looking at, based on some net research. Fall back plan – investigate other USB extension types.
I also chose a small, fixed-focus model: the Linksys WVC54GCA Webcam 640×480 802.11G Wireless Internet Camera, and a review of same. We are definitely stepping down in “camera” level / capability here, but the point was to gain wireless access to cover a small, somewhat distant room (not attractive to run Cat5 to). Since I was only looking at about an eight foot room depth there, I really wasn’t concerned with super high resolution or the limit of fixed focus / no automatic PTZ.
I would dearly love for someone to come out with something akin to an Orbit (camera wise) that sported a gigabit copper ethernet port. While I don’t have good figures, I can’t imagine the incremental cost per port is much of an upcharge in moving from 10/100 up to 10/100/1000 gauging by current 5 port consumer desktop switch cost for those two types.
For the wireless side of this new “dreamcam”, please integrate something recent such as draft 802.11n – and of course make sure, as with most modern net cams, that we can flash it to a new firmware, which would include the “final” spec, due in November I believe. I do not mind hooking up a camera via Ethernet or USB to flash it; I’ve never met anyone who really trusted a flash process over wireless.
This could potentially just have a small wall power converter if you wanted to run it wireless. I think USB availability would not really be needed if there was a gig-E port there, but that’s just me.
In fairness, I am not expecting the maturity of a serious network security camera setup, like an Axis. I’m pretty sure it would both have cost less, and been a lot easier to have a professional friend hook me up. But since I’m comfortable with packet analysis and writing code, I took this as a learning challenge as well.
To go with the wireless, I opted to step up to N. My old “b” wireless just wasn’t quite up to what I was looking for here, so I went with another “D” product, the D-Link DGL-4500 Xtreme N Selectable Dual Band Draft 802.11n Router. It wasn’t the least expensive option, but the reviews were pretty good, and it has wireless range and speed, as well as QoS tagging on the LAN and WAN side, and integrated gigabit ports. Goodbye, extra switch at the office desk. There were no reasonable APs anymore, so I’ll put the older D-Link DSL-2540B into bridge mode and let the newer system route.
The Software:
Important considerations for me were compatibility with Windows 7 (x64 Ultimate, 6.1.7600 RTM) as well as the ability to record to local disk, and to upload to either an off-site location, or to stream if (rarely) needed.
I quickly learned that there was no Santa Claus with the Orbit’s bundled software. Not that I really expected to get that lucky. Third-party time.
After a bit of navigation through this thread I was not overjoyed yet. Time to utilize the Google-Fu . . . ah, yes, here’s a likely candidate.
I’ve downloaded the software from http://www.webcamxp.com/ - specifically, Webcam 7 Pro; while it’s “beta” compared to their established product line, it looks stable so far. They again were a smart software company; they allow a limited use (one camera) system for FREE; not a trial, but ongoing. And a standard tiered software expense based on how much or little you need beyond that.
Since I was looking for more than one, they had a solution there too: 21 days free on the premier product, no other limits. Check! Confidence in their own product’s ability to sell itself is always a good sign.
So far, it looks great. I’ve been testing it out under VMWare workstation 6.5.3, guest OS is Win7 64 bit Pro. (I know the host OS is Ult, but I don’t need that in every VM). Good feature set, even without hooking a cam to it yet.
These screenshots are from an older version of the software; I think the new version is even better, from what I’ve been able to tell so far.
They have a detailed list of supported cameras at http://www.webcamxp.com/ipcams.aspx as well, and they were prompt in replying to my pre-sales email:
“Hello, webcam 7 is intended for such purposes, however Logitech drivers aren’t much suitable to use more than one of those cameras at the same time. If you use only one sphere then there is no problem (drivers 11.5 suggested to be able to use all available resolutions). The Logitech camera is not in the IP camera list because it’s not a network camera. Only the network cameras are listed; all USB cameras with a WDM driver are natively supported. Btw I have one of those AF cameras as well as the older models too, it’s really one of the best USB cameras available, but the problem with USB cameras is always where you don’t want the camera near the computer. Regards”
I understand this, and generally expect I’m probably not going to plop 6 cameras on there at 2 megapixel, hah. Understandable. I don’t really need that level of resolution for my purposes, so we’ll experiment with the software; there’s a ton of options there, but it seems to be laid out well so it’s not a problem if you don’t want to go into the heavy details.
Between the new toys of Software and Hardware, this will not only be useful but a good learning experience. UPS should be arriving with goodies on Thursday, so we’ll see how it goes, and I’ll post as I progress. Cheers!
A friend is affiliated with this company; they have experience from home systems to a Federal Reserve Bank and Las Vegas casinos; I expect the new branch company will do tremendous business.
One thing many neglect: a true benefit of running your hard disks as FDE / Full Disk Encryption is that when you are done, there should be nothing to erase; the data is useless without your high-quality key.
Excerpt:
We discussed the importance of backing up the data stored on your computer’s hard drive in a previous story. But what happens if your computer is lost or stolen? Notebooks are particularly vulnerable. A thoroughly executed back-up plan will alleviate data loss, but do you want strangers perusing the highly personal information you’ve stored on that machine? We didn’t think so; that’s why we put together this guide to keeping your electronic data secure.
First, we’ll take you through the process of encrypting the data on your hard drive, so that you can use passwords to control who can see it. And since no computer lasts forever, we’ll show you how to scrub your hard drive so that no one will ever be able to retrieve anything from it when you decide it’s time to put it out to pasture.
Of course, I’ve enjoyed watching many a hard drive scrub, and then sleep with the fishes. Commercial hard drive shredding is a fun day at the office.
RT @securitypro2009: PHPSecInfo – Security Information About PHP Environment | Web … http://bit.ly/NYyHb
PHP Security Consortium (PHPSC) is an international group of PHP experts dedicated to promoting secure programming practices within the PHP community. Members of the PHPSC seek to educate PHP developers about security through a variety of resources, including documentation, tools, and standards. You can read the PHP Security Guide they have published.