yon Leveron blog

John's musings on the Interknot cowpath

Ever wonder what a bot net looks like?

Posted by John on 27th August 2010

Here you go :) Hits from around the world, within a few minutes' time, all using the exact same browser version.

Yes, obviously there’s a new vulnerability in the package they were trying to reach. It’s how the Borg work: make more Borg! (click pic to open full size)

bot net display

That URL has now been added to the “deny” statements, which’ll drop further messages from an attacker at that IP into the bit-bucket for a week, at least for my domain . . .

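What that tell looks like in code, as an added example of my own and not from the original post: a small Node.js script that parses combined-format access log lines, groups hits by User-Agent and requested path, flags any group where several distinct IPs hit within a few minutes, and renders the matching Apache 2.2 "Deny from" lines with the one-week expiry mentioned above. The log lines, the probed path and the IPs are constructed (documentation address ranges), and the four-IPs-in-five-minutes threshold is an assumption.

```javascript
// Added example (not from the original post): spot a bot-net burst in combined-format
// web server access logs. The tell is many distinct source IPs requesting the same
// path with the identical User-Agent within a few minutes. Thresholds are assumptions.

// Constructed sample log: five hosts with the same old MSIE string probe the same
// path inside four minutes; a lone hit a day earlier and two ordinary Firefox requests
// must not be swept up. All addresses are from the documentation ranges.
const SAMPLE_LOG = [
  '192.0.2.200 - - [26/Aug/2010:09:12:00 +0000] "GET /some-package/login.php HTTP/1.1" 404 512 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"',
  '192.0.2.10 - - [27/Aug/2010:09:12:01 +0000] "GET /some-package/login.php HTTP/1.1" 404 512 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"',
  '192.0.2.23 - - [27/Aug/2010:09:12:40 +0000] "GET /some-package/login.php HTTP/1.1" 404 512 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"',
  '198.51.100.40 - - [27/Aug/2010:09:13:00 +0000] "GET /index.html HTTP/1.1" 200 8192 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:1.9.2) Gecko/20100101 Firefox/3.6"',
  '203.0.113.5 - - [27/Aug/2010:09:13:15 +0000] "GET /some-package/login.php HTTP/1.1" 404 512 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"',
  '198.51.100.40 - - [27/Aug/2010:09:13:30 +0000] "GET /some-package/login.php HTTP/1.1" 404 512 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:1.9.2) Gecko/20100101 Firefox/3.6"',
  '203.0.113.77 - - [27/Aug/2010:09:14:02 +0000] "GET /some-package/login.php HTTP/1.1" 404 512 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"',
  '198.51.100.9 - - [27/Aug/2010:09:15:30 +0000] "GET /some-package/login.php HTTP/1.1" 404 512 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"',
  'this line is not in combined log format and is skipped',
];

// Apache "combined" format: ip ident user [time] "method path proto" status bytes "referer" "user-agent"
const LOG_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"$/;
const MONTHS = { Jan: 0, Feb: 1, Mar: 2, Apr: 3, May: 4, Jun: 5, Jul: 6, Aug: 7, Sep: 8, Oct: 9, Nov: 10, Dec: 11 };

// "27/Aug/2010:09:12:01 +0000" -> epoch milliseconds (UTC), or null if malformed.
function parseApacheTime(s) {
  const m = /^(\d{2})\/(\w{3})\/(\d{4}):(\d{2}):(\d{2}):(\d{2}) ([+-])(\d{2})(\d{2})$/.exec(s);
  if (!m || !(m[2] in MONTHS)) return null;
  const local = Date.UTC(+m[3], MONTHS[m[2]], +m[1], +m[4], +m[5], +m[6]);
  const offsetMs = (m[7] === '-' ? -1 : 1) * ((+m[8]) * 60 + (+m[9])) * 60000;
  return local - offsetMs;
}

// One log line -> event object, or null for anything that is not combined format.
function parseLine(line) {
  const m = LOG_RE.exec(line);
  if (!m) return null;
  const time = parseApacheTime(m[2]);
  if (time === null) return null;
  return { ip: m[1], time, method: m[3], path: m[4], status: +m[5], userAgent: m[6] };
}

// Group events by (User-Agent, path); inside each group slide a time window and
// report the window holding the most distinct IPs, if it reaches minIps.
function findBursts(lines, { windowMs = 5 * 60 * 1000, minIps = 4 } = {}) {
  const groups = new Map();
  for (const line of lines) {
    const ev = parseLine(line);
    if (!ev) continue;
    const key = ev.userAgent + '\n' + ev.path;   // UA strings cannot contain a newline
    if (!groups.has(key)) groups.set(key, []);
    groups.get(key).push(ev);
  }
  const bursts = [];
  for (const [key, events] of groups) {
    events.sort((a, b) => a.time - b.time);
    let best = null;
    for (let i = 0; i < events.length; i++) {
      const ips = new Set();
      let j = i;
      while (j < events.length && events[j].time - events[i].time <= windowMs) {
        ips.add(events[j].ip);
        j++;
      }
      if (ips.size >= minIps && (!best || ips.size > best.ips.size)) {
        best = { ips, firstSeen: events[i].time, lastSeen: events[j - 1].time };
      }
    }
    if (best) {
      const [userAgent, path] = key.split('\n');
      bursts.push({ userAgent, path, ips: [...best.ips].sort(), firstSeen: best.firstSeen, lastSeen: best.lastSeen });
    }
  }
  return bursts;
}

// Render Apache 2.2 mod_authz_host lines; the expiry lives in a comment because
// Apache does not allow trailing comments on a directive line.
function denyStatements(bursts, days = 7) {
  const lines = [];
  for (const b of bursts) {
    const expires = new Date(b.lastSeen + days * 86400000).toISOString();
    for (const ip of b.ips) {
      lines.push(`# ${ip}: burst on ${b.path}, expires ${expires}`);
      lines.push(`Deny from ${ip}`);
    }
  }
  return lines;
}

// Stand-alone run: print what was found and the deny block to paste into the config.
const found = findBursts(SAMPLE_LOG);
console.log(JSON.stringify(found, null, 2));
console.log(denyStatements(found).join('\n'));
```

Lower the window or raise minIps for busy sites; one vulnerable path being probed from four addresses in five minutes is a loud signal on a small blog but ordinary noise on a large one.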
Now playing: john lee hooker – 1 bourbon, 1 scotch, 1 beer
via FoxyTunes

Posted in Security - Crypto, Tech | No Comments »

HTTPS Everywhere: good stuff!

Posted by John on 25th July 2010

(and of course, your humble site here supports SSL as well :) )

HTTPS Everywhere

HTTPS Everywhere is in Beta!

HTTPS Everywhere is a Firefox extension produced as a collaboration between The Tor Project and the Electronic Frontier Foundation. It encrypts your communications with a number of major websites.

Many sites on the web offer some limited support for encryption over HTTPS, but make it difficult to use. For instance, they may default to unencrypted HTTP, or fill encrypted pages with links that go back to the unencrypted site.

The HTTPS Everywhere extension fixes these problems by rewriting all requests to these sites to HTTPS.


The plugin currently works for:

  • Google Search
  • Wikipedia
  • Twitter
  • Facebook
  • most of Amazon
  • GMX
  • WordPress.com blogs
  • The New York Times
  • The Washington Post
  • Paypal
  • EFF
  • Tor
  • Ixquick

(and many other sites)

Note that some of those sites still include a lot of content from third party domains that is not available over HTTPS. As always, if the browser’s lock icon is broken or carries an exclamation mark, you may remain vulnerable to some adversaries that use active attacks or traffic analysis. However, the effort required to monitor your browsing should still be usefully increased.

Answers to common questions may be on the frequently asked questions page.

You can help us test forthcoming rulesets and features by installing the development branch of the extension.

Send feedback on this project to the https-everywhere AT eff.org mailing list. You can also subscribe.

(more info at their site, linked from the pictures above, and what not!)
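Here is the rewriting step in miniature, as an added example of my own rather than the extension's code: a few rulesets modelled on the extension's XML ruleset format (target, exclusion and rule from/to), a rewriter that applies them to plain-http URLs, and an audit that reports which page resources still load over http afterwards, which is exactly the third-party mixed-content case the note above warns about. All host names and rulesets are constructed, and the wildcard semantics are a simplification, not the real EFF rulesets.

```javascript
// Added example, not the extension's own code: a simplified model of how HTTPS
// Everywhere rewrites requests. Real rulesets are XML files with <target>,
// <exclusion> and <rule from= to=> elements; the objects below mirror those
// attributes. Every host name and ruleset here is a constructed example.
const RULESETS = [
  {
    name: 'Example (constructed)',
    targets: ['example.com', '*.example.com'],
    // a path the site only serves over plain HTTP, so rewriting it would break the page
    exclusions: [/^http:\/\/www\.example\.com\/legacy\//],
    rules: [{ from: /^http:\/\/(www\.)?example\.com\//, to: 'https://www.example.com/' }],
  },
  {
    name: 'Static host (constructed)',
    targets: ['static.example.org'],
    exclusions: [],
    rules: [{ from: /^http:/, to: 'https:' }],
  },
];

// Simplified target matching: "*.example.com" matches any host under example.com.
function hostMatches(pattern, host) {
  if (pattern.startsWith('*.')) {
    const suffix = pattern.slice(1);               // ".example.com"
    return host.endsWith(suffix) && host.length > suffix.length;
  }
  return pattern === host;
}

// Rewrite one URL: find a ruleset for the host, honour its exclusions, apply the
// first matching rule. Returns the (possibly unchanged) URL plus why.
function rewriteUrl(url, rulesets = RULESETS) {
  let parsed;
  try { parsed = new URL(url); } catch (e) { return { url, rewritten: false, reason: 'unparseable' }; }
  if (parsed.protocol !== 'http:') return { url, rewritten: false, reason: 'not plain http' };
  for (const rs of rulesets) {
    if (!rs.targets.some((t) => hostMatches(t, parsed.hostname))) continue;
    if (rs.exclusions.some((re) => re.test(url))) {
      return { url, rewritten: false, reason: `excluded by ${rs.name}` };
    }
    for (const rule of rs.rules) {
      if (rule.from.test(url)) {
        return { url: url.replace(rule.from, rule.to), rewritten: true, reason: rs.name };
      }
    }
  }
  return { url, rewritten: false, reason: 'no ruleset' };
}

// Rewrite the page and everything it embeds, then list what is still plain http:
// those are the third-party or excluded resources that leave the lock icon broken.
function auditPage(pageUrl, resourceUrls, rulesets = RULESETS) {
  const page = rewriteUrl(pageUrl, rulesets);
  const resources = resourceUrls.map((u) => rewriteUrl(u, rulesets));
  const insecure = resources.filter((r) => r.url.startsWith('http:')).map((r) => r.url);
  return {
    page: page.url,
    resources,
    insecure,
    lockIntact: page.url.startsWith('https:') && insecure.length === 0,
  };
}

// Constructed page: first-party script, a static host with a ruleset, a third-party
// CDN with none, an excluded legacy image, and one resource already on https.
const SAMPLE_RESOURCES = [
  'http://www.example.com/app.js',
  'http://static.example.org/style.css',
  'http://cdn.example.net/widget.js',
  'http://www.example.com/legacy/old.gif',
  'https://www.example.com/logo.png',
];

// Stand-alone run: show the rewritten page and the resources that stayed on http.
console.log(JSON.stringify(auditPage('http://example.com/index.html', SAMPLE_RESOURCES), null, 2));
```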

Now playing: Modettes – Paint It Black
via FoxyTunes

Posted in General, Security - Crypto | No Comments »

System Encryption: BitLocker And TrueCrypt Compared

Posted by John on 6th May 2010

System Encryption: BitLocker And TrueCrypt Compared

2:00 AM – April 28, 2010 by Patrick Schmid and Achim Roos

Now that Intel offers hardware-based AES acceleration in a number of its mainstream processors, it’s time to take a look at two of the most popular system encryption tools, BitLocker and TrueCrypt, both of which are able to harness the hardware feature.

Microsoft has been shipping the BitLocker drive encryption tool with the Windows Vista and Windows 7 operating systems, but it’s only available on the two highest-end editions, Enterprise and Ultimate. Fortunately, there is a powerful alternative to BitLocker for everyone else. TrueCrypt is open source and offers even more flexibility. We decided to compare the features and performance of both solutions.

We published a comprehensive article on TrueCrypt 6.1 just over a year ago. That story looked at the process of how to encrypt a Windows system partition, and we ran benchmarks, in addition to battery runtime tests on a notebook. The conclusion was promising: TrueCrypt 6 lets you encrypt and password-protect your entire system on the fly with only minor performance and battery life penalties.

By now, there’s really no need to rehash the merits of encrypting user data, especially for the folks who handle sensitive information. Losing information to a failed drive is one thing, and it can typically be addressed, even if it’s an expensive proposition (then again, you already know you should be running regular backups, right?). But data falling into the wrong hands can be an even more dire problem for businesses.

This time around, we wanted to double-check our findings with TrueCrypt against Microsoft’s value-added BitLocker. Does it make sense to pay up for a higher-end Windows version to get this extra functionality, or will TrueCrypt do the exact same thing at no cost? Another reason to revisit encryption solutions is the availability of AES new instructions (AES-NI) in Intel’s Core i5 mainstream dual-core processors (Clarkdale) and the top-end, six-core Core i7 (Gulftown). Can BitLocker and TrueCrypt truly showcase the benefits of hardware-based AES acceleration? Let’s find out.

(catch the full article @ http://www.tomshardware.com/reviews/bitlocker-truecrypt-encryption,2587.html)

Now playing: Strontium 90 – 3 O’Clock Shot – Live
via FoxyTunes

Posted in General, Security - Crypto, Tech | No Comments »

Apply 100% of the important kernel security updates released by your Linux vendor without rebooting

Posted by John on 14th April 2010

Fascinating stuff, and free for Ubuntu! http://www.ksplice.com/

What is Ksplice Uptrack? Ksplice Uptrack is a subscription service that lets you apply 100% of the important kernel security updates released by your Linux vendor without rebooting.

How it works:

  1. Your Linux vendor releases an update.
  2. Ksplice converts the update into a rebootless update.
  3. You download and install the update seamlessly, without rebooting.
  4. These updates can be completely automated if you desire.

Now playing: Matthew Sweet – Girlfriend
via FoxyTunes

Posted in Tech | No Comments »

More cross platform crypto – javascript hashing functions

Posted by John on 31st January 2010

Posted in Security - Crypto | No Comments »

Javascript for advanced functions

Posted by John on 30th January 2010

Pretty nifty use in javascript: http://point-at-infinity.org/jsaes/

Also nice: http://point-at-infinity.org/ssss/ and http://point-at-infinity.org/seccure/ (also both crypto related . . .)

Edgar Allan Poe - crypto

N.B. I was sorely tempted to post an image relating to the futility of trying to contain crypto / ideas that was penned on flesh, in an image titled “howto-export-crypto-system-from-usa.jpg” (!)

But I resisted, as I try to keep this site friendly even to the most prudish families, etc.

Now playing: System of a Down – BYOB (Bring your own Bombs)
via FoxyTunes

Posted in Security - Crypto | No Comments »

Insurgents Hack U.S. Drones

Posted by John on 17th December 2009

Sad, really.

Insurgents Hack U.S. Drones

$26 Software Is Used to Breach Key Weapons in Iraq; Iranian Backing Suspected

DECEMBER 17, 2009

WASHINGTON — Militants in Iraq have used $26 off-the-shelf software to intercept live video feeds from U.S. Predator drones, potentially providing them with information they need to evade or monitor U.S. military operations.

Senior defense and intelligence officials said Iranian-backed insurgents intercepted the video feeds by taking advantage of an unprotected communications link in some of the remotely flown planes’ systems. Shiite fighters in Iraq used software programs such as SkyGrabber — available for as little as $25.95 on the Internet — to regularly capture drone video feeds, according to a person familiar with reports on the matter.

U.S. officials say there is no evidence that militants were able to take control of the drones or otherwise interfere with their flights. Still, the intercepts could give America’s enemies battlefield advantages by removing the element of surprise from certain missions and making it easier for insurgents to determine which roads and buildings are under U.S. surveillance.

The drone intercepts mark the emergence of a shadow cyber war within the U.S.-led conflicts overseas. They also point to a potentially serious vulnerability in Washington’s growing network of unmanned drones, which have become the American weapon of choice in both Afghanistan and Pakistan.

The Obama administration has come to rely heavily on the unmanned drones because they allow the U.S. to safely monitor and stalk insurgent targets in areas where sending American troops would be either politically untenable or too risky.

The stolen video feeds also indicate that U.S. adversaries continue to find simple ways of counteracting sophisticated American military technologies.

U.S. military personnel in Iraq discovered the problem late last year when they apprehended a Shiite militant whose laptop contained files of intercepted drone video feeds. In July, the U.S. military found pirated drone video feeds on other militant laptops, leading some officials to conclude that militant groups trained and funded by Iran were regularly intercepting feeds.

In the summer 2009 incident, the military found “days and days and hours and hours of proof” that the feeds were being intercepted and shared with multiple extremist groups, the person said. “It is part of their kit now.”

A senior defense official said that James Clapper, the Pentagon’s intelligence chief, assessed the Iraq intercepts at the direction of Defense Secretary Robert Gates and concluded they represented a shortcoming to the security of the drone network.

“There did appear to be a vulnerability,” the defense official said. “There’s been no harm done to troops or missions compromised as a result of it, but there’s an issue that we can take care of and we’re doing so.”

Senior military and intelligence officials said the U.S. was working to encrypt all of its drone video feeds from Iraq, Afghanistan and Pakistan, but said it wasn’t yet clear if the problem had been completely resolved.

U.S. enemies in Iraq and Afghanistan have used off-the-shelf programs to intercept video feeds from Predator unmanned aircraft.

Some of the most detailed evidence of intercepted feeds has been discovered in Iraq, but adversaries have also intercepted drone video feeds in Afghanistan, according to people briefed on the matter. These intercept techniques could be employed in other locations where the U.S. is using pilotless planes, such as Pakistan, Yemen and Somalia, they said.

The Pentagon is deploying record numbers of drones to Afghanistan as part of the Obama administration’s troop surge there. Lt. Gen. David Deptula, who oversees the Air Force’s unmanned aviation program, said some of the drones would employ a sophisticated new camera system called “Gorgon Stare,” which allows a single aerial vehicle to transmit back at least 10 separate video feeds simultaneously.

Gen. Deptula, speaking to reporters Wednesday, said there were inherent risks to using drones since they are remotely controlled and need to send and receive video and other data over great distances. “Those kinds of things are subject to listening and exploitation,” he said, adding the military was trying to solve the problems by better encrypting the drones’ feeds.

The potential drone vulnerability lies in an unencrypted downlink between the unmanned craft and ground control. The U.S. government has known about the flaw since the U.S. campaign in Bosnia in the 1990s, current and former officials said. But the Pentagon assumed local adversaries wouldn’t know how to exploit it, the officials said.

Last December, U.S. military personnel in Iraq discovered copies of Predator drone feeds on a laptop belonging to a Shiite militant, according to a person familiar with reports on the matter. “There was evidence this was not a one-time deal,” this person said. The U.S. accuses Iran of providing weapons, money and training to Shiite fighters in Iraq, a charge that Tehran has long denied.

The militants use programs such as SkyGrabber, from Russian company SkySoftware. Andrew Solonikov, one of the software’s developers, said he was unaware that his software could be used to intercept drone feeds. “It was developed to intercept music, photos, video, programs and other content that other users download from the Internet — no military data or other commercial data, only free legal content,” he said by email from Russia.

Officials stepped up efforts to prevent insurgents from intercepting video feeds after the July incident. The difficulty, officials said, is that adding encryption to a network that is more than a decade old involves more than placing a new piece of equipment on individual drones. Instead, many components of the network linking the drones to their operators in the U.S., Afghanistan or Pakistan have to be upgraded to handle the changes. Additional concerns remain about the vulnerability of the communications signals to electronic jamming, though there’s no evidence that has occurred, said people familiar with reports on the matter.

Predator drones are built by General Atomics Aeronautical Systems Inc. of San Diego. Some of its communications technology is proprietary, so widely used encryption systems aren’t readily compatible, said people familiar with the matter.

In an email, a spokeswoman said that for security reasons, the company couldn’t comment on “specific data link capabilities and limitations.”

Fixing the security gap would have caused delays, according to current and former military officials. It would have added to the Predator’s price. Some officials worried that adding encryption would make it harder to quickly share time-sensitive data within the U.S. military, and with allies.

“There’s a balance between pragmatics and sophistication,” said Mike Wynne, Air Force Secretary from 2005 to 2008.

The Air Force has staked its future on unmanned aerial vehicles. Drones account for 36% of the planes in the service’s proposed 2010 budget.

Today, the Air Force is buying hundreds of Reaper drones, a newer model, whose video feeds could be intercepted in much the same way as with the Predators, according to people familiar with the matter. A Reaper costs between $10 million and $12 million each and is faster and better armed than the Predator. General Atomics expects the Air Force to buy as many as 375 Reapers.

(via http://online.wsj.com/article/SB126102247889095011.html )

Yes, security lapses like this are unfortunately all too common. It is easy to see why there’s a need for hardware-based encryption here. How much would it really cost to add an ASIC running something at least at the level of 256-bit Twofish or AES? While the tactical value of the drone video may decay pretty quickly, perhaps we don’t want random folks reviewing an entire day’s video feed in, say, 10 years.

It’s high time that folks consider any public venue to be “compromisable”, whether wireless or wired (copper, fiber, etc.). If many businesses require the use of strong crypto (often via VPN) from your laptop back to the company office before you can even browse to an intranet https-secured site, perhaps this should be a clue for standards in other places, too.

Now playing: Rob Zombie – Foxy, Foxy
via FoxyTunes

Posted in Security - Crypto | 3 Comments »

CRYPTO-GRAM, December 15, 2009 [Bruce Schneier]

Posted by John on 14th December 2009

From: Bruce Schneier <schneier@schneier.com>
Date: Mon, Dec 14, 2009 at 22:41
Subject: CRYPTO-GRAM, December 15, 2009
To: CRYPTO-GRAM-LIST@listserv.modwest.com

December 15, 2009

by Bruce Schneier
Chief Security Technology Officer, BT

A free monthly newsletter providing summaries, analyses, insights, and commentaries on security: computer and otherwise.

For back issues, or to subscribe, visit <http://www.schneier.com/crypto-gram.html>.

You can read this issue on the web at <http://www.schneier.com/crypto-gram-0912.html>.  These same essays appear in the “Schneier on Security” blog: <http://www.schneier.com/blog>.  An RSS feed is available.

** *** ***** ******* *********** *************

In this issue:
Terrorists Targeting High-Profile Events
Eric Schmidt on Privacy
A Taxonomy of Social Networking Data
The Psychology of Being Scammed
Schneier News
Reacting to Security Vulnerabilities

** *** ***** ******* *********** *************

Terrorists Targeting High-Profile Events

In an AP story on increased security at major football (the American variety) events, this sentence struck me: “‘High-profile events are something that terrorist groups would love to interrupt somehow,’ said Anthony Mangione, chief of U.S. Immigration and Customs Enforcement’s Miami office.”

This is certainly the conventional wisdom, but is there any actual evidence that it’s true?  The 9/11 terrorists could have easily chosen a different date and a major event — sporting or other — to target, but they didn’t.  The London and Madrid train bombers could have just as easily chosen more high-profile events to bomb, but they didn’t.  The Mumbai terrorists chose an ordinary day and ordinary targets.  Aum Shinrikyo chose an ordinary day and ordinary train lines.  Timothy McVeigh chose the ordinary Oklahoma City Federal Building.  Irish terrorists chose, and Palestinian terrorists continue to choose, ordinary targets.  Some of this can be attributed to the fact that ordinary targets are easier targets, but not a lot of it.

The only examples that come to mind of terrorists choosing high-profile events or targets are the idiot wannabe terrorists who would have been incapable of doing anything unless egged on by a government informant. Hardly convincing evidence.

Yes, I’ve seen the movie Black Sunday.  But is there any reason to believe that terrorists want to target these sorts of events other than us projecting our own fears and prejudices onto the terrorists’ motives?

AP story:
http://www.huffingtonpost.com/2009/12/03/orange-bowl-pro-bowl-and-_n_379052.html or http://tinyurl.com/yhc9kpe

Idiot wannabe terrorists:

I wrote about protecting the World Series some years ago.

** *** ***** ******* *********** *************

Eric Schmidt on Privacy

Schmidt said:

I think judgment matters. If you have something that you don’t want anyone to know, maybe you shouldn’t be doing it in the first place. If you really need that kind of privacy, the reality is that search engines — including Google — do retain this information for some time and it’s important, for example, that we are all subject in the United States to the Patriot Act and it is possible that all that information could be made available to the

This, from 2006, is my response:

Privacy protects us from abuses by those in power, even if we’re doing nothing wrong at the time of surveillance.

We do nothing wrong when we make love or go to the bathroom. We are not deliberately hiding anything when we seek out private places for reflection or conversation. We keep private journals, sing in the privacy of the shower, and write letters to secret lovers and then burn them. Privacy is a basic human need.

For if we are observed in all matters, we are constantly under threat of correction, judgment, criticism, even plagiarism of our own uniqueness. We become children, fettered under watchful eyes, constantly fearful that — either now or in the uncertain future — patterns we leave behind will be brought back to implicate us, by whatever authority has now become focused upon our once-private and innocent acts. We lose our individuality, because everything we do is observable and recordable.

This is the loss of freedom we face when our privacy is taken from us. This is life in former East Germany, or life in Saddam Hussein’s Iraq. And it’s our future as we allow an ever-intrusive eye into our personal, private lives.

Too many wrongly characterize the debate as “security versus privacy.” The real choice is liberty versus control. Tyranny, whether it arises under threat of foreign physical attack or under constant domestic authoritative scrutiny, is still tyranny. Liberty requires security without intrusion, security plus privacy. Widespread police surveillance is the very definition of a police state. And that’s why we should champion privacy even when we have nothing to hide.

Schmidt’s remarks:

My essay on the value of privacy:

See also Daniel Solove’s “‘I’ve Got Nothing to Hide’ and Other Misunderstandings of Privacy.”

** *** ***** ******* *********** *************

Interesting research on public reactions to terrorist threats.  Not that it’s surprising: Fear makes people deferential, docile, and distrustful, and both politicians and marketers have learned to take advantage of this.
Jennifer Merolla and Elizabeth Zechmeister have written a book, Democracy at Risk: How Terrorist Threats Affect the Public.  I haven’t read it yet.

Funny image: anti-malware detection and the original Trojan Horse.

A study in the British Journal of Criminology makes the point that drink-spiking date-raping is basically an urban legend.  The hypothesis is that perpetuating the fear of drug-based rape allows parents and friends to warn young women off excessive drinking without criticizing their personal choices.  The fake bogeyman lets people avoid talking about the real issues.

Door locks that open if you tap a particular rhythm.
http://www.engadget.com/2009/11/04/secret-knock-door-lock-defends-home-from-rhythmically-impaired/ or http://tinyurl.com/yes7sy5

Neat research in “quantum ghost imaging.”  Despite its name, it has nothing to do with quantum mechanics; it’s a way to use a camera and a light source to produce images of objects that the camera cannot see.
http://www.globalsecurity.org/military/library/news/2009/11/mil-091102-afps05.htm or http://tinyurl.com/yzo22l8
http://arxiv1.library.cornell.edu/PS_cache/arxiv/pdf/0807/0807.2614v1.pdf or http://tinyurl.com/y9cxzvb

How smart are Islamic terrorists?  According to “Organizational Learning and Islamic Militancy,” written by Michael Kenney for the U.S. Department of Justice in May, not very.

Research on stabbing people with stuff you can get through airport security.
http://www.ncbi.nlm.nih.gov/pubmed/17325460?itool=EntrezSystem2.PEntrez.Pubmed.Pubmed_ResultsPanel.Pubmed_RVDocSum&ordinalpos=257 or http://tinyurl.com/ybgvnec

Denial-of-service attacks against CALEA:

Funny: career fair fail.
See the caption on the original photo for the real story.
http://www.flickr.com/photos/paperghost/776598575/in/set-72157600761788702/ or http://tinyurl.com/ykrxc8o

Al Qaeda secret code broken: maybe this is a real story, and maybe not.

Decertifying “terrorist” pilots:

Norbt (no robot) is a low-security web application to encrypt web pages.  You can create and encrypt a webpage.  The key is an answer to a question; anyone who knows the answer can see the page.  I’m not sure this is very useful.

This paper, on users rationally rejecting security advice, by Cormac Herley at Microsoft Research, sounds like me:
http://research.microsoft.com/en-us/um/people/cormac/papers/2009/SoLongAndNoThanks.pdf or http://tinyurl.com/ygwsxno
Related article on usable security:
http://cacm.acm.org/magazines/2009/11/48419-usable-security-how-to-get-it/fulltext or http://tinyurl.com/yklgwfb

If you allow players in an online world to penalize each other, you open the door to extortion.

Long, detailed, and very good story of the Mumbai terrorist attacks of last year.
http://www.vqronline.org/webexclusive/2009/11/19/motlagh-mumbai-attacks/ or http://tinyurl.com/yknrgun
My own short commentary in the aftermath of the attacks.

Wikileaks has published pager intercepts from New York on 9/11. It’s disturbing to realize that someone, possibly not even a government, was routinely intercepting most (all?) of the pager data in lower Manhattan as far back as 2001.  Who was doing it?  For what purpose?  That, we don’t know.

This 1996 interview with psychiatrist Robert DuPont was part of a Frontline program called “Nuclear Reaction.”  He’s talking about the role fear plays in the perception of nuclear power.  It’s a lot of the sorts of things I say, but particularly interesting are his comments on familiarity and how it reduces fear.
http://www.pbs.org/wgbh/pages/frontline/shows/reaction/interviews/dupont.html or http://tinyurl.com/ygxbfvz
So, among other reasons, terrorism is scary because it’s so rare.  When it’s more common — England during the Troubles, Israel today — people have a more rational reaction to it.

Long blog post of mine on cyberwarfare policy; lots of links.

This research centers on looking at the radio characteristics of individual RFID chips and creating a “fingerprint.”  It makes sense; fingerprinting individual radios based on their transmission characteristics is as old as WW II.  But while the research centers on using this as an anti-counterfeiting measure, I think it would much more likely be used as an identification and surveillance tool.  Even if the communication is fully encrypted, this technology could be used to uniquely identify the chip.

With Windows Volume Shadow Copy, it can be impossible to securely delete a file.
http://blog.szynalski.com/2009/11/23/volume-shadow-copy-system-restore/ or http://tinyurl.com/yleobxl

Sprint provides U.S. law enforcement with cell phone customer location data:

Using fake documents to get a valid U.S. passport:
No credential can be more secure than its breeder documents and issuance procedures.

Article on “Emotional epidemiology” from the New England Journal of Medicine.  It sounds familiar.

The TSA accidentally published its standard operating procedures:
It might have compromised an intelligence program:
http://politics.theatlantic.com/2009/12/did_the_tsa_compromise_an_intelligence_program.php or http://tinyurl.com/y96ngm5

No real news on Obama’s cybersecurity czar:
For the record — as the rumors circulate occasionally — I don’t want the job.

Wondermark on passwords:

U.S./Russia cyber arms control talks:

** *** ***** ******* *********** *************

A Taxonomy of Social Networking Data

At the Internet Governance Forum in Sharm El Sheikh this week, there was a conversation on social networking data.  Someone made the point that there are several different types of data, and it would be useful to separate them.  This is my taxonomy of social networking data.

1. Service data.  Service data is the data you need to give to a social networking site in order to use it.  It might include your legal name, your age, and your credit card number.

2. Disclosed data.  This is what you post on your own pages: blog entries, photographs, messages, comments, and so on.

3. Entrusted data.  This is what you post on other people’s pages.  It’s basically the same stuff as disclosed data, but the difference is that you don’t have control over the data — someone else does.

4. Incidental data.  Incidental data is data the other people post about you.  Again, it’s basically the same stuff as disclosed data, but the difference is that 1) you don’t have control over it, and 2) you didn’t create it in the first place.

5. Behavioral data.  This is data that the site collects about your habits by recording what you do and who you do it with.

Different social networking sites give users different rights for each data type.  Some are always private, some can be made private, and some are always public.  Some can be edited or deleted — I know one site that allows entrusted data to be edited or deleted within a 24-hour period — and some cannot. Some can be viewed and some cannot.

And people *should* have different rights with respect to each data type.  It’s clear that people should be allowed to change and delete their disclosed data.  It’s less clear what rights they have for their entrusted data.  And far less clear for their incidental data.  If you post pictures of a party with me in them, can I demand you remove those pictures — or at least blur out my face?  And what about behavioral data?  It’s often a critical part of a social networking site’s business model.  We often don’t mind if they use it to target advertisements, but are probably less sanguine about them selling it to third parties.

As we continue our conversations about what sorts of fundamental rights people have with respect to their data, this taxonomy will be useful.

Lots of discussion at the blog entry:

Another categorization centered on destination instead of trust level:
http://mechpoe.blogspot.com/2009/11/another-categorization-of-social.html or http://tinyurl.com/y9q5exr

** *** ***** ******* *********** *************

The Psychology of Being Scammed

This is a very interesting paper: “Understanding scam victims: seven principles for systems security,” by Frank Stajano and Paul Wilson. Paul Wilson produces and stars in the British television show The Real Hustle, which does hidden camera demonstrations of con games.  (There’s no DVD of the show available, but there are bits of it on YouTube.) Frank Stajano is at the Computer Laboratory of the University of Cambridge.

The paper describes a dozen different con scenarios — entertaining in itself — and then lists and explains six general psychological principles that con artists use:

1. The distraction principle.  While you are distracted by what retains your interest, hustlers can do anything to you and you won’t notice.

2. The social compliance principle.  Society trains people not to question authority. Hustlers exploit this “suspension of suspiciousness” to make you do what they want.

3. The herd principle. Even suspicious marks will let their guard down when everyone next to them appears to share the same risks. Safety in numbers? Not if they’re all conspiring against you.

4. The dishonesty principle. Anything illegal you do will be used against you by the fraudster, making it harder for you to seek help once you realize you’ve been had.

5. The deception principle. Things and people are not what they seem. Hustlers know how to manipulate you to make you believe that they are.

6. The need and greed principle. Your needs and desires make you vulnerable. Once hustlers know what you really want, they can easily manipulate you.

It all makes for very good reading.

The paper:

The Real Hustle:

Two previous posts on the psychology of conning and being conned.

** *** ***** ******* *********** *************

Schneier News

Interview with me conducted in Rotterdam in October.

Interview with me from Gulf News:
http://gulfnews.com/business/technology/cloud-computing-is-here-to-stay-1.532744 or http://tinyurl.com/y8jnskv

Video of the talk on “The Future of Privacy” that I gave to the Open Rights Group in early December:
http://www.openrightsgroup.org/blog/2009/Bruce-Schneier-video-and-book-giveaway or http://tinyurl.com/ya92ksc

** *** ***** ******* *********** *************

Reacting to Security Vulnerabilities

Last month, researchers found a security flaw in the SSL protocol, which is used to protect sensitive web data. The protocol is used for online commerce, webmail, and social networking sites. Basically, hackers could hijack an SSL session and execute commands without the knowledge of either the client or the server. The list of affected products is enormous.

If this sounds serious to you, you’re right. It is serious. Given that, what should you do now? Should you not use SSL until it’s fixed, and only pay for internet purchases over the phone? Should you download some kind of protection? Should you take some other remedial action? What?

If you read the IT press regularly, you’ll see this sort of question again and again. The answer for this particular vulnerability, as for pretty much any other vulnerability you read about, is the same: do nothing. That’s right, nothing. Don’t panic. Don’t change your behavior. Ignore the problem, and let the vendors figure it out.

There are several reasons for this. One, it’s hard to figure out which vulnerabilities are serious and which are not. Vulnerabilities such as this happen multiple times a month. They affect different software, different operating systems, and different web protocols. The press either mentions them or not, somewhat randomly; just because it’s in the news doesn’t mean it’s serious.

Two, it’s hard to figure out if there’s anything you can do. Many vulnerabilities affect operating systems or Internet protocols. The only sure fix would be to avoid using your computer. Some vulnerabilities have surprising consequences. The SSL vulnerability mentioned above could be used to hack Twitter. Did you expect that? I sure didn’t.

Three, the odds of a particular vulnerability affecting you are small. There are a lot of fish in the Internet, and you’re just one of billions.

Four, often you can’t do anything. These vulnerabilities affect clients and servers, individuals and corporations. A lot of your data isn’t under your direct control — it’s on your web-based email servers, in some corporate database, or in a cloud computing application. If a vulnerability affects the computers running Facebook, for example, your data is at risk, whether you log in to Facebook or not.

It’s much smarter to have a reasonable set of default security practices and continue doing them. This includes:

1. Install an antivirus program if you run Windows, and configure it to update daily. It doesn’t matter which one you use; they’re all about the same. For Windows, I like the free version of AVG Internet Security. Apple Mac and Linux users can ignore this, as virus writers target the operating system with the largest market share.

2. Configure your OS and network router properly. Microsoft’s operating systems come with a lot of security enabled by default; this is good. But have someone who knows what they’re doing check the configuration of your router, too.

3. Turn on automatic software updates. This is the mechanism by which your software patches itself in the background, without you having to do anything. Make sure it’s turned on for your computer, OS, security software, and any applications that have the option. Yes, you have to do it for everything, as they often have separate mechanisms.

4. Show common sense regarding the Internet. This might be the hardest thing, and the most important. Know when an email is real, and when you shouldn’t click on the link. Know when a website is suspicious. Know when something is amiss.

5. Perform regular backups. This is vital. If you’re infected with something, you may have to reinstall your operating system and applications. Good backups ensure you don’t lose your data — documents, photographs, music — if that becomes necessary.

That’s basically it. I could give a longer list of safe computing practices, but this short one is likely to keep you safe. After that, trust the vendors. They spent all last month scrambling to fix the SSL vulnerability, and they’ll spend all this month scrambling to fix whatever new vulnerabilities are discovered. Let that be their problem.

SSL flaw:
http://www.eweekeurope.co.uk/news/security-researchers-uncover-ssl-vulnerability-2355 or http://tinyurl.com/yge9not
http://www.linuxtoday.com/news_story.php3?ltsn=2009-11-06-008-35-NW-DV-NT or http://tinyurl.com/yb9pxsa
http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1373678,00.html or http://tinyurl.com/yhw7vhb

SSL flaw used to hack Twitter:
http://www.techworld.com.au/article/326496/ssl_flaw_could_been_used_hack_twitter or http://tinyurl.com/yevj4uv
http://www.eweek.com/c/a/Security/Researcher-Demonstrates-SSL-Vulnerability-on-Twitter-291904/ or http://tinyurl.com/yejjhkz

AVG Anti-virus:

My 2004 article on safe personal computing:

** *** ***** ******* *********** *************

Since 1998, CRYPTO-GRAM has been a free monthly newsletter providing summaries, analyses, insights, and commentaries on security: computer and otherwise.  You can subscribe, unsubscribe, or change your address on the Web at <http://www.schneier.com/crypto-gram.html>.  Back issues are also available at that URL.

Please feel free to forward CRYPTO-GRAM, in whole or in part, to colleagues and friends who will find it valuable.  Permission is also granted to reprint CRYPTO-GRAM, as long as it is reprinted in its entirety.

CRYPTO-GRAM is written by Bruce Schneier.  Schneier is the author of the best sellers “Schneier on Security,” “Beyond Fear,” “Secrets and Lies,” and “Applied Cryptography,” and an inventor of the Blowfish, Twofish, Threefish, Helix, Phelix, and Skein algorithms.  He is the Chief Security Technology Officer of BT BCSG, and is on the Board of Directors of the Electronic Privacy Information Center (EPIC).  He is a frequent writer and lecturer on security topics.  See <http://www.schneier.com>.

Crypto-Gram is a personal newsletter.  Opinions expressed are not necessarily those of BT.

Copyright (c) 2009 by Bruce Schneier.

Now playing: David Bowie – Modern Love
via FoxyTunes

Posted in Security - Crypto | No Comments »

Information Security and You . . .

Posted by John on 8th December 2009

Obviously another set of folks needs some Information Security (InfoSec) training . . .

TSA Leaks Sensitive Airport Screening Manual

By Kim Zetter, December 7, 2009, 3:12 pm

Who needs anonymous sources when the government is perfectly capable of leaking its own secrets?

Government workers preparing the release of a Transportation Security Administration manual that details airport screening procedures badly bungled their redaction of the .pdf file. Result: The full text of a document considered “sensitive security information” was inadvertently leaked.

Anyone who’s interested can read about which passengers are more likely to be targeted for secondary screening, who is exempt from screening, TSA procedures for screening foreign dignitaries and CIA-escorted passengers, and extensive instructions for calibrating Siemens walk-through metal detectors.

The 93-page document also includes sample images of DHS, CIA (see above) and congressional identification cards, with instructions on what to look for to verify an authentic pass.

The manual, titled Screening Management Standard Operating Procedure, is dated May 28, 2008. It contains this warning: “NO PART OF THIS RECORD MAY BE DISCLOSED TO PERSONS WITHOUT A ‘NEED TO KNOW.’”

Notwithstanding that disclaimer, the document appeared on FedBizOpps, a government clearinghouse that lists federal contracting opportunities for vendors. It has since been removed from the site, but not before someone grabbed it and submitted it to the whistleblower site Cryptome, where the formerly-redacted portions are highlighted in red boxes. The discovery was first made by a blogger at Wandering Aramean.

TSA spokeswoman Sterling Payne told Threat Level that the document was an “outdated version” of its operating procedures, and that the administration “took swift action when this was discovered.” She said “a full review” is underway to discover why the redacted material was not properly protected.

“TSA has many layers of security to keep the traveling public safe and to constantly adapt to evolving threats,” added Payne in an e-mail. “TSA has appropriate measures in place to effectively screen passengers at airport security checkpoints nationwide.”

The manual was posted as a redacted .pdf document, with sensitive sections blacked out. But the government apparently hasn’t learned from past redaction flubs and merely overlaid black rectangles on the sensitive text in the .pdf, instead of cutting the text itself. Anyone can uncover the hidden text by simply copying and pasting the blacked out portions into another document.

One of the redacted sections, for example, indicates that an armed law enforcement officer in or out of uniform may pass beyond the checkpoint without screening after providing a U.S. government-issued photo ID and “Notice of LEO Flying Armed Document.”

Some commercial airline pilots receive training by the U.S. Marshals Service and are allowed to carry TSA-issued firearms on planes. They can pass through without screening only after presenting “bonafide credentials and aircraft operator photo ID,” the document says.

Foreign dignitaries equivalent to cabinet rank and above, accompanying a spouse, their children under the age of 12, and a State Department escort are exempt from screening.

There are also references to a CIA program called WOMAP, the Worldwide Operational Meet and Assist Program. As part of WOMAP, foreign dignitaries and their escorts — authorized CIA representatives — are exempt from screening, provided they’re approved in advance by TSA’s Office of Intelligence.

Passengers carrying passports from Cuba, Iran, North Korea, Libya, Syria, Sudan, Afghanistan, Lebanon, Somalia, Iraq, Yemen or Algeria are to be designated for selective screening.

Although only a few portions of the document were redacted, the manual contains other tidbits that weren’t redacted, such as a thorough description of diplomatic pouches that are exempt from screening.

A. Diplomatic pouches are exempt from any form of screening. A diplomatic pouch can be a bag, pouch, or container holding diplomatic correspondence, documents, or articles. Although an individual transporting a diplomatic pouch may have diplomatic immunity, that individual and his or her nondiplomatic accessible property and checked baggage must undergo screening and all alarms must be resolved.

B. The diplomatic pouch must have visible external markings in English that state “Diplomatic Pouch” or “Diplomatic Bag”. The pouch must bear an official seal of the sending government or international organization. For example, a seal could be a lead seal attached to a tie that closes the pouch, a printed seal on the fabric of the pouch, or an ink seal impressed on a detachable tag. The pouch must be addressed to an office of the government or international organization whose seal the pouch bears. For unaccompanied pouches tendered as checked baggage, a detachable certificate will be affixed to the outside of the pouch that describes the pouch and certifies the contents as diplomatic materials. The Department of State (DOS) encourages diplomatic couriers to notify the aircraft operator that they are carrying a diplomatic pouch.

C. When a diplomatic pouch is presented by a diplomatic courier to TSA at a screening checkpoint or screening location, the STSO must check that the diplomatic courier is carrying an official or diplomatic passport and a courier document or letter on their person for identification. A courier letter must be on appropriate letterhead stationery and must bear a seal of the sending state, embassy, consulate, or international organization. The courier letter must be signed by the relevant Ambassador or Chief of Mission serving in the United States. The courier document must clearly identify the bearer and his or her status as a diplomatic courier and must contain information sufficient to identify the pouch(es), to include the number of pouches being escorted.

This is not the first time that redacted documents have leaked sensitive data.

AT&T lawyers defending their company in a spying suit made the same mistake three years ago in a redacted court filing. Confidential details discussed during a closed-door settlement hearing in a lawsuit against Facebook were revealed earlier this year when parts of the hearing transcript were insufficiently redacted. Federal prosecutors also made redaction errors in court documents they filed against two San Francisco reporters who covered the BALCO steroids story.

In 2003, the Justice Department botched the redaction of a controversial workplace diversity report, and in 2000 the New York Times inadvertently leaked the names of CIA collaborators when it published an improperly redacted CIA file on its website that documented American and British officials’ engineering of the 1953 Iranian coup.

Adobe provides extensive guidelines for properly redacting (.pdf) information in .pdfs.

Updated 5:15 p.m with comments from TSA.

(via http://www.wired.com/threatlevel/2009/12/tsa-leak)
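The copy-and-paste failure described in the article comes from how the file is built: the text-showing operator is still in the page's content stream and a filled black rectangle is merely painted on top of it. The checker below is an added example written for this post, not code from Wired, TSA or Adobe. It walks a constructed, simplified PDF content stream (not the TSA file) and reports every string that sits under a dark filled rectangle. Two assumptions are built in and marked in the code: glyph widths are approximated as half the font size (a real tool would read the font's /Widths array), and the input is an already-decompressed content stream rather than a whole PDF.

```python
import re
from dataclasses import dataclass

# Assumption: average glyph width is half the font size.  A real checker
# would read each font's /Widths array instead of using this estimate.
AVG_GLYPH_WIDTH = 0.5

# Operators that paint the current path; a dark fill over text is the
# "black box" style of redaction that leaves the text extractable.
FILL_OPS = {"f", "F", "f*", "B", "B*", "b", "b*"}

# Constructed sample content stream (not taken from the TSA document):
# the first string is drawn at (100, 700) and then a black rectangle is
# painted over it; the second string is left uncovered.
SAMPLE_CONTENT_STREAM = """
BT
/F1 12 Tf
100 700 Td
(SENSITIVE sample line) Tj
ET
0 0 0 rg
95 695 150 16 re
f
BT
/F1 12 Tf
100 650 Td
(Public sample line) Tj
ET
"""

NUMBER = r"-?(?:\d+\.?\d*|\.\d+)"
NUMBER_RE = re.compile(NUMBER)
TOKEN_RE = re.compile(
    r"\((?:\\.|[^\\)])*\)"     # literal string operand such as (text)
    r"|/[^\s/\[\]()<>]+"       # name operand such as /F1
    r"|" + NUMBER +            # numeric operand
    r"|[A-Za-z*]+"             # operator such as Tj, re, f*
)


@dataclass
class Box:
    x0: float
    y0: float
    x1: float
    y1: float

    def overlaps(self, other):
        return (self.x0 < other.x1 and self.x1 > other.x0
                and self.y0 < other.y1 and self.y1 > other.y0)


def parse_content_stream(stream):
    """Return (list of (text, Box), list of dark filled Box).

    Simplified operator walk: Td/Tm set the text position, Tj/TJ emit
    text, re builds a rectangle and a fill operator paints it with the
    current fill colour.  Paint order is deliberately ignored: the text is
    extractable whether or not the rectangle is drawn after it.
    """
    texts, dark_rects, pending, operands = [], [], [], []
    tx = ty = 0.0
    font_size = 0.0
    fill_is_dark = True          # PDF default fill colour is black
    for tok in TOKEN_RE.findall(stream):
        if tok.startswith("("):
            operands.append(("str", tok[1:-1]))
            continue
        if tok.startswith("/"):
            operands.append(("name", tok))
            continue
        if NUMBER_RE.fullmatch(tok):
            operands.append(("num", float(tok)))
            continue
        op = tok
        nums = [v for kind, v in operands if kind == "num"]
        strs = [v for kind, v in operands if kind == "str"]
        if op == "BT":
            tx = ty = 0.0
        elif op == "Tf" and nums:
            font_size = nums[-1]
        elif op in ("Td", "TD") and len(nums) >= 2:
            tx, ty = tx + nums[-2], ty + nums[-1]
        elif op == "Tm" and len(nums) >= 6:
            tx, ty = nums[-2], nums[-1]
        elif op in ("Tj", "TJ") and strs:
            text = "".join(strs)
            width = len(text) * font_size * AVG_GLYPH_WIDTH
            texts.append((text, Box(tx, ty, tx + width, ty + font_size)))
            tx += width
        elif op == "rg" and len(nums) >= 3:
            fill_is_dark = max(nums[-3:]) < 0.2
        elif op == "g" and nums:
            fill_is_dark = nums[-1] < 0.2
        elif op == "re" and len(nums) >= 4:
            x, y, w, h = nums[-4:]
            pending.append(Box(x, y, x + w, y + h))
        elif op in FILL_OPS:
            if fill_is_dark:
                dark_rects.extend(pending)
            pending = []
        elif op in ("n", "S", "s"):   # path ended without a fill
            pending = []
        operands = []
    return texts, dark_rects


def find_covered_text(stream):
    """Strings still present in the stream but hidden under a dark box,
    i.e. redacted visually only.  An empty list is the desired result."""
    texts, dark_rects = parse_content_stream(stream)
    return [text for text, box in texts
            if any(box.overlaps(r) for r in dark_rects)]


if __name__ == "__main__":
    for text in find_covered_text(SAMPLE_CONTENT_STREAM):
        print("text under a black box (not really redacted):", repr(text))
```

To run this against a real document, decompress each page's content stream with a PDF library and pass it to find_covered_text; any non-empty result means the redaction was cosmetic and the text itself has to be removed from the stream (or the page rasterized) before the file is published, which is the approach Adobe's redaction guidance takes.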

Now playing: Johnny Cash – Hurt
via FoxyTunes


Posted in General | 1 Comment »

possible relatively low cost external storage

Posted by John on 23rd November 2009

My simple solution, for detachable external storage (i.e. it shouldn’t fry from the same power surge, if not cabled up in any way at the time of the electrical havoc . . .)

eSATA USB to SATA External HDD Dock for Dual 2.5 or 3.5in Hard Drive (one of the least expensive options, to reuse some of those older SATA disks lazing about your cube-farm)

This may be a little specific, but for the user who needs potentially more than one or two drives :

Digital Tower Raid enclosures

Some of these models require a port-multiplier eSATA / eSAS type port, but usually include at least a software-RAID sort of PCIe card with the package – check to make sure, or you’ll only get one drive showing up instead of 4 or more . . .

If I were to go with the more expensive option (still relatively affordable, above – compared to a true NAS, etc.) I might consider some of the 1 terabyte or > “Green” SATA drives. This is due to me wanting to have a good backup locally (c.f. Acronis) as well as remotely (expect an article this coming week on more discoveries here). Yes, having been around the corporate world, I tend to back up like an OCD person washes hands – once you’ve been bitten, you understand the data is worth a lot more than the hardware.

Random security bit : USB PIN pad – for a little more security via smartcard access. Useful for both Windows 7 and TrueCrypt / PGP WDE, etc.

Now playing: The Hollies – He Ain’t Heavy, He’s My Brother (1969)
via FoxyTunes

Posted in Security - Crypto, Tech | No Comments »