security

Graveyard shifts and torpedo coffins

From Atul Gawande’s “Final Cut: Medical arrogance and the decline of the autopsy” (The New Yorker: 19 March 2001):

… in the nineteenth century … [some doctors] waited until burial and then robbed the graves, either personally or through accomplices, an activity that continued into the twentieth century. To deter such autopsies, some families would post nighttime guards at the grave site – hence the term “graveyard shift.” Others placed heavy stones on the coffins. In 1878, one company in Columbus, Ohio, even sold “torpedo coffins,” equipped with pipe bombs designed to blow up if they were tampered with.


Bots on campus!

From Lisa Vaas’ “Are Campuses Flooded with Zombified Student PCs?” (eWeek: 22 October 2007):

Rather, bot herders have sophisticated technology in place that can detect how fast a bot’s connection is. If that connection changes over time – if, say, a student is poking around at her parent’s house with dial-up all summer and then comes back to school and the campus network’s zippy broadband – the herder detects the increased bandwidth, and that zombie PC suddenly becomes a much more useful tool for sending spam or engaging in other nefarious activities, as pointed out by SecureWorks Director of Development Wayne Haber …

“The more significant factor is to take a machine that was the only system, or one of two to three, on a home network, and to move it to an environment of hundreds or thousands of machines on a network in different states of being patched and of running security software,” [Craig Schmugar, threat research manager for McAfee’s Avert Labs] said. “The new students coming in, there’s a greater chance of having new computers, and those might not have firewalls. It’s a more diverse network environment, with a greater opportunity for machines to be attacked. Maybe not successfully, but at least there’s more traffic thrown at machines.”

Another helpful thing about campuses, of course, is that they have loads of systems left on around the clock in their labs. Universities also have the added stickiness of trying to administer security policies for a constantly shifting population, with visiting scholars coming and going and a variable range of access rights necessary for staff and students.


How to open a physicist’s briefcase

From John D. Barrow and John K. Webb’s "Inconstant Constants: Do the inner workings of nature change with time?" (Scientific American: 23 May 2005):

One ratio of particular interest combines the velocity of light, c, the electric charge on a single electron, e, Planck’s constant, h, and the so-called vacuum permittivity, ε₀. This famous quantity … called the fine-structure constant, was first introduced in 1916 by Arnold Sommerfeld, a pioneer in applying the theory of quantum mechanics to electromagnetism. It quantifies the relativistic (c) and quantum (h) qualities of electromagnetic (e) interactions involving charged particles in empty space (ε₀). Measured to be equal to 1/137.03599976, or approximately 1/137, has endowed the number 137 with a legendary status among physicists (it usually opens the combination locks on their briefcases).


How to delete stuck files on Amazon’s S3

I use Amazon’s S3 (Simple Storage Service) to back up files, and I also use OmniGraffle, a diagramming program, on my Mac. This is a letter I sent to OmniGraffle recently that explains a problem with the interaction of OmniGraffle and S3.

Start letter:

OmniGraffle (OG) is a great app, but it has a serious, showstopping incompatibility with Amazon’s S3 (Simple Storage Service).

S3 is an online backup service run by Amazon. Lots & lots of people use it, with more moving to it all the time. You can find out more about S3 here:

http://en.wikipedia.org/wiki/Amazon_S3

I created some documents in OmniGraffle and uploaded them to S3. When I tried to perform another backup, the command-line S3 app I was using crashed. I tried another. Crashed. I tried Interarchy, a GUI app, but while it appeared to work, in reality it simply silently failed. After much trial and error, I finally determined that it was a particular file generated by OG that was causing the problems. But I had no idea how to fix things.

After searching on the Amazon S3 forums, it turns out others are experiencing the exact same problem. I found two entries discussing how an invisible character in the name of the Icon file located in a .graffle folder was causing the crash. Here are those two entries:

http://developer.amazonwebservices.com/connect/thread.jspa?messageID=63273

http://developer.amazonwebservices.com/connect/thread.jspa?messageID=45488

Eventually, after over an hour of trying various combinations with the help of a friend, I was able to delete the offending file using this command.

./s3cmd.rb -v delete "granneclientele:clientele/images/omnigraffle/audacity-toolbar-tools.graffle/Icon"$'\r'

I show that command to you not because I expect you’ll understand it, but because it demonstrates that this is a bear of a problem that many of your customers will be unable to solve on their own. As more of your customers use S3, they’re going to run into this issue.

I understand this all may sound confusing, so please do not hesitate to call or email me for further details.

/End letter

An OmniGraffle support person wrote me back, saying that this issue had been fixed in version 4.2 of the software.
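As an added example (not part of the original letter and not s3cmd code), this Python sketch shows one way to find object keys that carry invisible characters, such as the trailing carriage return in the command above, and to print them in bash's $'...' quoting so they can be handed to a command-line client. The key names are constructed sample data and the function names are hypothetical.

```python
import unicodedata

# Characters for which bash's $'...' quoting has a short escape.
NAMED_ESCAPES = {"\r": "\\r", "\n": "\\n", "\t": "\\t", "\\": "\\\\", "'": "\\'"}

# Constructed sample keys, standing in for a bucket listing.
SAMPLE_KEYS = [
    "backup/diagrams/toolbar.graffle/Icon\r",      # trailing carriage return
    "backup/diagrams/toolbar.graffle/data.plist",  # clean
    "backup/notes/todo\u200b.txt",                 # zero width space
    "backup/photos/it's-fine.jpg",                 # visible apostrophe only
]


def is_hidden(ch):
    """True for control (Cc) and format (Cf) characters, which display as nothing."""
    return unicodedata.category(ch) in ("Cc", "Cf")


def ansi_c_quote(key):
    """Return key in bash $'...' form with every hidden character spelled out."""
    parts = []
    for ch in key:
        if ch in NAMED_ESCAPES:
            parts.append(NAMED_ESCAPES[ch])
        elif is_hidden(ch):
            # Emit the UTF-8 bytes as \xHH so the escape also works in older bash.
            parts.extend("\\x%02x" % b for b in ch.encode("utf-8"))
        else:
            parts.append(ch)
    return "$'" + "".join(parts) + "'"


def find_hidden_keys(keys):
    """Return (quoted_key, [(index, character_name), ...]) for each suspicious key."""
    findings = []
    for key in keys:
        hits = [
            (i, unicodedata.name(ch, "U+%04X" % ord(ch)))
            for i, ch in enumerate(key)
            if is_hidden(ch)
        ]
        if hits:
            findings.append((ansi_c_quote(key), hits))
    return findings


if __name__ == "__main__":
    for quoted, hits in find_hidden_keys(SAMPLE_KEYS):
        print(quoted, hits)
```

Running the check on file names before upload catches the problem while the file can still be renamed locally.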


Notes on getting into well-guarded events using social engineering

From Bruce Schneier’s “How to Crash the Oscars” (7 March 2006):

If you want to crash the glitziest party of all, the Oscars, here’s a tip from a professional: Show up at the theater, dressed as a chef carrying a live lobster, looking really concerned. …

“The most important technique is confidence,” he said. “Part of it is being dressed the part, looking the part, and acting the part and then lying to get in the door.”

The biggest hole in the elaborate Oscars security plan, Mamlet said, is that while everyone from stagehands to reporters have to wear official credentials, the celebrities and movie executives attending the event do not.

“If you really act like a celebrity, the security guards will worry that they will get into trouble for not recognizing you,” Mamlet said.

From Bruce Schneier’s “Social Engineering Notes” (15 May 2007):

This is a fantastic story of a major prank pulled off at the Super Bowl this year. Basically, five people smuggled more than a quarter of a ton of material into Dolphin Stadium in order to display their secret message on TV.

Given all the security, it’s amazing how easy it was for them to become part of the security perimeter with all that random stuff. But to those of us who follow this thing, it shouldn’t be. His observations are spot on:

1. Wear a suit.
2. Wear a Bluetooth headset.
3. Pretend to be talking loudly to someone on the other line.
4. Carry a clipboard.
5. Be white.


Out now: Microsoft Vista for IT Security Professionals

Microsoft Vista for IT Security Professionals is designed for the professional system administrators who need to securely deploy Microsoft Vista in their networks. Readers will not only learn about the new security features of Vista, but they will learn how to safely integrate Vista with their existing wired and wireless network infrastructure and safely deploy with their existing applications and databases. The book begins with a discussion of Microsoft’s Trustworthy Computing Initiative and Vista’s development cycle, which was like none other in Microsoft’s history. Expert authors will separate the hype from the reality of Vista’s preparedness to withstand the 24 x 7 attacks it will face from malicious attackers as the world’s #1 desktop operating system. The book has a companion CD which contains hundreds of working scripts and utilities to help administrators secure their environments.

This book is written for intermediate to advanced System administrators managing Microsoft networks who are deploying Microsoft’s new flagship desktop operating system: Vista. This book is appropriate for system administrators managing small networks of fewer than 10 machines up to enterprise-class networks with tens of thousands of systems. This book is also appropriate for readers preparing for the Microsoft exam MCDST 70-620.

I contributed two appendices to this book:

  • Appendix A: Microsoft Vista: The International Community
  • Appendix B: Changes to the Vista EULA

Appendix A, “Microsoft Vista: The International Community”, was about Microsoft’s legal troubles in Europe and Asia, and the changes the company had to make to Vista to accommodate those governments. Appendix B, “Changes to the Vista EULA”, explained that the EULA in Vista is even worse than that found in XP, which was worse than any previous EULA. In other words, Vista has a problematic EULA that users need to know about before they buy the OS.

Read excerpts: Front Matter (350 KB PDF) and Chapter 1: Microsoft Vista: An Overview (760 KB PDF). You can flip through the entire book, although you’re limited to the total number of pages you can view (but it’s a pretty high number, like 50 or so).


3 problems with electronic voting

From Avi Rubin’s “Voting: Low-Tech Is the Answer” (Business Week: 30 October 2006):

Unfortunately, there are three problems with electronic voting that have nothing to do with whether or not the system works as intended. They are transparency, recovery, and audit. …

Electronic voting is not transparent – it is not even translucent. There is no way to observe the counting of the votes publicly, and you can’t even tell if the votes are being recorded correctly. …

Now, what do we do if something goes very wrong during the election? What happens if the equipment fails or there is a power outage?

Let’s compare electronic voting machines to paper ballots. If an e-voting machine crashes, it is possible that the memory cards containing the votes could be corrupted. Something as unexpected as someone spilling coffee on the machine could cause it to fail.

There are dozens of ways one could imagine that an electronic voting machine could be rendered a paperweight. Imagine, for example, a widespread power outage on Election Day. How do you continue the election? What can you do to recover votes already cast? …

I don’t feel very good about the only copies of all of the votes in a precinct existing in electronic form on flash memory cards. … If we have paper ballots and the power goes out, we can get some flashlights and continue voting.

Electronic voting is vulnerable to all sorts of problems, many of which cannot be anticipated. For example, in Maryland’s September primary, voting systems were delivered to the precincts in Montgomery County without the smart cards needed to activate the votes. As a result, the polls opened hours late, and thousands of voters were affected.

There was no quick and easy recovery mechanism. It is true that the problem was due to human error, but that does not change the fact that there was no way to recover. Paper ballot systems are much less fragile and can withstand many of the unexpected problems that might arise on Election Day. …

Finally, and I believe most seriously, there is no way to independently audit a fully electronic voting system. While it is true that many of the machines keep multiple copies of the votes, these copies are not independent. If the machines are rigged, or if they suffer from unknown software bugs …, the election results might not reflect the votes that were cast, despite all of the copies of the votes being identical.

On the other hand, electronic counting of paper ballots can be audited by manually counting the paper and comparing the results to the electronic tally. It is imperative, in fact, that every software-based system be audited in a manner that is independent from the data that are the subject of the audit.


Microsoft executive sets self up for hubristic fall

From Scott M. Fulton, III’s “Allchin Suggests Vista Won’t Need Antivirus” (BetaNews: 9 November 2006):

During a telephone conference with reporters yesterday, outgoing Microsoft co-president Jim Allchin, while touting the new security features of Windows Vista, which was released to manufacturing yesterday, told a reporter that the system’s new lockdown features are so capable and thorough that he was comfortable with his own seven-year-old son using Vista without antivirus software installed.


Take over a computer network with an iPod or USB stick

From Bruce Schneier’s “Hacking Computers Over USB” (Crypto-Gram: 15 June 2005):

From CSO Magazine:

“Plug an iPod or USB stick into a PC running Windows and the device can literally take over the machine and search for confidential documents, copy them back to the iPod or USB’s internal storage, and hide them as “deleted” files. Alternatively, the device can simply plant spyware, or even compromise the operating system. Two features that make this possible are the Windows AutoRun facility and the ability of peripherals to use something called direct memory access (DMA). The first attack vector you can and should plug; the second vector is the result of a design flaw that’s likely to be with us for many years to come.” …

Recently I’ve been seeing more and more written about this attack. The Spring 2006 issue of 2600 Magazine, for example, contains a short article called “iPod Sneakiness” (unfortunately, not online). The author suggests that you can innocently ask someone at an Internet cafe if you can plug your iPod into his computer to power it up — and then steal his passwords and critical files.

And about someone who used this trick in a penetration test:

“We figured we would try something different by baiting the same employees that were on high alert. We gathered all the worthless vendor giveaway thumb drives collected over the years and imprinted them with our own special piece of software. I had one of my guys write a Trojan that, when run, would collect passwords, logins and machine-specific information from the user’s computer, and then email the findings back to us.

“The next hurdle we had was getting the USB drives in the hands of the credit union’s internal users. I made my way to the credit union at about 6 a.m. to make sure no employees saw us. I then proceeded to scatter the drives in the parking lot, smoking areas, and other areas employees frequented.

“Once I seeded the USB drives, I decided to grab some coffee and watch the employees show up for work. Surveillance of the facility was worth the time involved. It was really amusing to watch the reaction of the employees who found a USB drive. You know they plugged them into their computers the minute they got to their desks.

“I immediately called my guy that wrote the Trojan and asked if anything was received at his end. Slowly but surely info was being mailed back to him. I would have loved to be on the inside of the building watching as people started plugging the USB drives in, scouring through the planted image files, then unknowingly running our piece of software.”


Spimes, objects trackable in space and time

From Bruce Sterling’s “Viridian Note 00459: Emerging Technology 2006” (The Viridian Design Movement: March 2006):

When it comes to remote technical eventualities, you don’t want to freeze the language too early. Instead, you need some empirical evidence on the ground, some working prototypes, something commercial, governmental, academic or military…. Otherwise you are trying to freeze an emergent technology into the shape of today’s verbal descriptions. This prejudices people. It is bad attention economics. It limits their ability to find and understand the intrinsic advantages of the technology. …

If you look at today’s potent, influential computer technologies, say, Google, you’ve got something that looks Artificially Intelligent by the visionary standards of the 1960s. Google seems to “know” most everything about you and me, big brother: Google is like Colossus the Forbin Project. But Google is not designed or presented as a thinking machine. Google is not like Ask Jeeves or Microsoft Bob, which horribly pretend to think, and wouldn’t fool a five-year-old child. Google is a search engine. It’s a linking, ranking and sorting machine. …

Even if there’s like, Boolean logic going on here, this machine has got nothing to do with any actual thinking. This machine is clearly a big card shuffler. It’s a linker, a stacker and a sorter. …

In the past, they just didn’t get certain things. For instance:

1. the digital devices people carry around with them, such as laptops, media players, camera phones, PDAs.
2. wireless and wired local and global networks that serve people in various locations as they and their objects and possessions move about the world.
3. the global Internet and its socially-generated knowledge and Web-based, on-demand social applications.

This is a new technosocial substrate. It’s not about intelligence, yet it can change our relationship with physical objects in the three-dimensional physical world. Not because it’s inside some box trying to be smart, but because it’s right out in the world with us, in our hands and pockets and laps, linking and tracking and ranking and sorting.

Doing this work, in, I think, six important ways:

1. with interactive chips, objects can be labelled with unique identity – electronic barcoding or arphids, a tag that you can mark, sort, rank and shuffle.
2. with local and precise positioning systems – geolocative systems, sorting out where you are and where things are.
3. with powerful search engines – auto-googling objects, more sorting and shuffling.
4. with cradle to cradle recycling – sustainability, transparent production, sorting and shuffling the garbage.

Then there are two other new factors in the mix.

5. 3d virtual models of objects – virtual design – cad-cam, having things present as virtual objects in the network before they become physical objects.
6. rapid prototyping of objects – fabjects, blobjects, the ability to digitally manufacture real-world objects directly or almost directly from the digital plans.

If objects had these six qualities, then people would interact with objects in an unprecedented way, a way so strange and different that we’d think about it better if this class of object had its own name. I call an object like this a “spime,” because an object like this is trackable in space and time. …

“Spimes are manufactured objects whose informational support is so overwhelmingly extensive and rich that they are regarded as material instantiations of an immaterial system. Spimes begin and end as data. They’re virtual objects first and actual objects second.” …

“The primary advantage of an Internet of Things is that I no longer inventory my possessions inside my own head. They’re inventoried through an automagical inventory voodoo, work done far beneath my notice by a host of machines. So I no longer bother to remember where I put things. Or where I found them. Or how much they cost. And so forth. I just ask. Then I am told with instant real-time accuracy. …

It’s [spimes] turning into what Julian Bleecker calls a “Theory Object,” which is an idea which is not just a mental idea or a word, but a cloud of associated commentary and data, that can be passed around from mouse to mouse, and linked-to. Every time I go to an event like this, the word “spime” grows as a Theory Object. A Theory Object is a concept that’s accreting attention, and generating visible, searchable, rankable, trackable trails of attention. …


Russian bot herders behind massive increase in spam

From Ryan Naraine’s “‘Pump-and-Dump’ Spam Surge Linked to Russian Bot Herders” (eWeek: 16 November 2006):

The recent surge in e-mail spam hawking penny stocks and penis enlargement pills is the handiwork of Russian hackers running a botnet powered by tens of thousands of hijacked computers.

Internet security researchers and law enforcement authorities have traced the operation to a well-organized hacking gang controlling a 70,000-strong peer-to-peer botnet seeded with the SpamThru Trojan. …

For starters, the Trojan comes with its own anti-virus scanner – a pirated copy of Kaspersky’s security software – that removes competing malware files from the hijacked machine. Once a Windows machine is infected, it becomes a peer in a peer-to-peer botnet controlled by a central server. If the control server is disabled by botnet hunters, the spammer simply has to control a single peer to retain control of all the bots and send instructions on the location of a new control server.

The bots are segmented into different server ports, determined by the variant of the Trojan installed, and further segmented into peer groups of no more than 512 bots. This allows the hackers to keep the overhead involved in exchanging information about other peers to a minimum, Stewart explained.

… the attackers are meticulous about keeping statistics on bot infections around the world.

For example, the SpamThru controller keeps statistics on the country of origin of all bots in the botnet. In all, computers in 166 countries are part of the botnet, with the United States accounting for more than half of the infections.

The botnet stats tracker even logs the version of Windows the infected client is running, down to the service pack level. One chart commandeered by Stewart showed that Windows XP SP2 … machines dominate the makeup of the botnet, a clear sign that the latest version of Microsoft’s operating system is falling prey to attacks.

Another sign of the complexity of the operation, Stewart found, was a database hacking component that signaled the ability of the spammers to target its pump-and-dump scams to victims most likely to be associated with stock trading.

Stewart said about 20 small investment and financial news sites have been breached for the express purpose of downloading user databases with e-mail addresses matched to names and other site registration data. On the bot herder’s control server, Stewart found a MySQL database dump of e-mail addresses associated with an online shop. …

The SpamThru spammer also controls lists of millions of e-mail addresses harvested from the hard drives of computers already in the botnet. …

“It’s a very enterprising operation and it’s interesting that they’re only doing pump-and-dump and penis enlargement spam. That’s probably because those are the most lucrative,” he added.

Even the spam messages come with a unique component. The messages are both text- and image-based and a lot of effort has been put into evading spam filters. For example, each SpamThru client works as its own spam engine, downloading a template containing the spam and random phrases to use as hash-busters, random “from” names, and a list of several hundred e-mail addresses to send to.

Stewart discovered that the image files in the templates are modified with every e-mail message sent, allowing the spammer to change the width and height. The image-based spam also includes random pixels at the bottom, specifically to defeat anti-spam technologies that reject mail based on a static image.

All SpamThru bots – the botnet controls about 73,000 infected clients – are also capable of using a list of proxy servers maintained by the controller to evade blacklisting of the bot IP addresses by anti-spam services. Stewart said this allows the Trojan to act as a “massive distributed engine for sending spam,” without the cost of maintaining static servers.

With a botnet of this size, the group is theoretically capable of sending a billion spam e-mails in a single day.


Bad passwords for SSH

From Christian Seifert’s “Analyzing malicious SSH login attempts” (SecurityFocus: 11 September 2006):

First, we analyzed the login names that were used on the login attempts. During the sample period, there were 2741 unique account names ranging from common first names, system account names, and common accounts to short alphabetical strings captured by the system logger. Of those, the 15 account names used most often are shown in Table 1. This table shows accounts that usually exist on a system (root, mysql), accounts that are likely to exist on a system (guest, test), as well as common first names (paul). Then Figure 1 shows the distribution of valid and invalid account names that were used.

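| Account Name | Number of login attempts |
|---|---|
| root | 1049 |
| admin | 97 |
| test | 87 |
| guest | 40 |
| mysql | 31 |
| info | 30 |
| oracle | 27 |
| postgres | 27 |
| testing | 27 |
| webmaster | 27 |
| paul | 25 |
| web | 24 |
| user | 23 |
| tester | 22 |
| pgsql | 21 |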

Table 1. Top 15 account names among 2741 attempts.

Next, we looked at the passwords used in the login attempts. The attackers tried a range of passwords with most of the account names. In total during our analysis, they attempted to access 2741 different accounts and used 3649 different passwords. Not all passwords were used with all accounts. The passwords ranged from account names, account names with number sequences, number sequences, and keyboard sequences (like ‘qwerty’). There were a few more complex passwords used with seemingly random letter and number sequences or common substitution passwords (like r00t or c@t@lin).

Table 2 shows the top 15 passwords used in malicious login attempts.

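| Password | Number of login attempts |
|---|---|
| 123456 | 331 |
| Password | 106 |
| Admin | 47 |
| Test | 46 |
| 111111 | 36 |
| 12345 | 34 |
| administrator | 28 |
| Linux | 23 |
| Root | 22 |
| test123 | 22 |
| 1234 | 21 |
| 123 | 20 |
| Mysql | 19 |
| Apache | 18 |
| Master | 18 |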

Table 2. Top 15 passwords attempted.
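The password classes the excerpt lists, turned into a screening check that could run when a password is set; this is an added example, not code from the SecurityFocus article. The keyboard layout, the substitution map and the function names are assumptions, and the sample credentials are constructed.

```python
import re

# Account names from Table 1 and passwords from Table 2 of the excerpt above.
TABLE1_ACCOUNTS = {
    "root", "admin", "test", "guest", "mysql", "info", "oracle", "postgres",
    "testing", "webmaster", "paul", "web", "user", "tester", "pgsql",
}
TABLE2_PASSWORDS = {
    "123456", "password", "admin", "test", "111111", "12345", "administrator",
    "linux", "root", "test123", "1234", "123", "mysql", "apache", "master",
}

# Assumption: US QWERTY layout; only straight runs along one row are detected.
KEYBOARD_ROWS = ("1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm")

# Assumption: a small set of common look-alike substitutions (0->o, 1->i, ...).
UNDO_SUBSTITUTION = str.maketrans("01345@$", "oieasas")


def is_keyboard_run(text, min_len=4):
    """True if text is a left-to-right or right-to-left run along one keyboard row."""
    if len(text) < min_len:
        return False
    return any(text in row or text in row[::-1] for row in KEYBOARD_ROWS)


def classify(password, account=None):
    """Return the guessable class a password falls into, or None if none matches."""
    p = password.lower()
    names = set(TABLE1_ACCOUNTS)
    if account:
        names.add(account.lower())

    if p in names:
        return "account name"
    m = re.fullmatch(r"([a-z]+)(\d+)", p)
    if m and m.group(1) in names:
        return "account name + digits"
    if p.isascii() and p.isdigit():
        return "number sequence"
    if is_keyboard_run(p):
        return "keyboard sequence"
    if p.translate(UNDO_SUBSTITUTION) in names:
        return "substituted account name"
    if p in TABLE2_PASSWORDS:
        return "listed in Table 2"
    return None


def audit(credentials):
    """Return [(account, reason)] for every (account, password) pair that is guessable."""
    findings = []
    for account, password in credentials:
        reason = classify(password, account)
        if reason is not None:
            findings.append((account, reason))
    return findings


# Constructed sample credentials, not taken from the article.
SAMPLE_CREDENTIALS = [
    ("catalin", "c@t@lin"),
    ("deploy", "deploy2006"),
    ("backup", "Tr7!vq-Lm2#x"),
    ("oracle", "qwerty"),
]

if __name__ == "__main__":
    for account, reason in audit(SAMPLE_CREDENTIALS):
        print(account, "->", reason)
```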


My reply to those “You sent a virus to me!” emails

On Saturday 17 April 2004, I received the following email from someone I didn’t know:

> Hello,
>
> I am not sure who you are but our security detected a Netsky virus in an
> email that you sent. Whether a personal message or a spam, please pay
> attention to the fact that you are spreading viruses and have your systems
> checked. Also, when a virus is detected the message does not get through so
> we have no idea who you are or the nature of your message.

My reply

I really wouldn’t bother sending these messages out, or you will find yourself with a full-time job.

Virtually every modern virus spoofs the email address of the sender. In other words, the virus scans the infected computer for email addresses, and then picks one for the TO field and one for the FROM field. Someone that has both of our email addresses on their computer is infected, and the virus chose your email address for TO and my email address for FROM. That is the extent of it. Unfortunately, we have no way of knowing who really is infected, so emailing the person who appears to have sent the email is a complete waste of your time.

Finally, I could not be infected, as I do not use Windows. I use Linux, which is impervious to the glut of viruses and worms that infect Microsoft’s poorly-coded operating system.


Imagining a future of warring balloons

From Tom Reiss’s “Imagining the Worst: How a literary genre anticipated the modern world” (The New Yorker [28 November 2005]: 108):

… the first mini-boom in invasion fiction began in the seventeen-eighties, when the French developed the hot-air balloon. Soon, French poems and plays were depicting hot-air-propelled flying armies destined for England, and an American poem from 1784 warned, “At sea let the British their neighbors defy– / The French shall have frigates to traverse the sky. … If the English should venture to sea with their fleet, / A host of balloons in a trice they shall meet.” A German story published in 1810, and set in the twenty-first century, describes human populations living in deep underground shelters, with shops and churches, while balloon warfare between Europeans and invading Asian armies rages in the skies above.


The escape of Mr. Flitcraft

From Claudia Roth Pierpont’s “Tough Guy: The mystery of Dashiell Hammett” (The New Yorker [11 February 2002]: 70):

There is one section of “The Maltese Falcon” that could not be filmed, and for many readers it is the most important story Hammett ever told. A dreamlike interruption in events, it is a parable that Spade relates to Brigid about a man called Flitcraft, dutiful husband and father of two, who was nearly hit by a falling beam while walking to lunch one day. Instead of going back to work, Flitcraft disappeared. “He went like that,” Spade says, in what may be Hammett’s most unexpected and beautiful phrase, “like a fist when you open your hand.” His narrow escape had taught this sane and orderly man that life is neither orderly nor sane, that all our human patterns are merely imposed, and he went away in order to fall in step with life. He was not unkind; the love he bore his family “was not of the sort that would make absence painful,” and he left plenty of money behind. He travelled for a while, Spade relates, but he ended up living in a city near the one he’d fled, selling cars and playing golf, with a second wife hardly different from the first. The moral: one can attempt to adjust one’s life to falling beams but will readjust as soon as the shock wears off.


A prison completely run by the inmates

From Mica Rosenberg’s “Guatemala forces end 10-year prisoner rule at jail” (The Washington Post: 25 September 2006):

Guatemalan security forces took over a jail run for over 10 years by inmates who built their own town on prison grounds complete with restaurants, churches and hard-drug laboratories.

Seven prisoners died when 3,000 police and soldiers firing automatic weapons stormed the Pavon prison just after dawn on Monday.

Corrupt guards would only patrol the prison’s perimeter and run the administration section while an “order committee” of hardened inmates controlled the rest. They smuggled in food, drink and luxury goods.

“The people who live here live better than all of us on the outside. They’ve even got pubs,” said soldier Tomas Hernandez, 25.

Pet dogs, including a whining puppy, roamed the deserted prison grounds after the raid. One inmate kept a spider monkey captive, national prison officials said.

But with army helicopters clattering overhead, police backed up by armored cars transferred Pavon’s 1,600 inhabitants to another prison, ending their lives of ease.

The inmates who died were killed in a shootout at the two-story wooden chalet of a convicted Colombian drug trafficker known as “El Loco,” or “The Madman.”

Blood was splattered on the house’s walls and floor. The Colombian had a widescreen television and high-speed Internet.

Pavon was one of the worst prisons in Guatemala’s penitentiary system, where common criminals, rival “mara” street gangs and drug traffickers often battle for control.

Police had not been into Pavon, on the edge of the town of Fraijanes, since 1996.

It was originally built for 800 inmates as a farm prison where prisoners could grow their own food. But the prison population grew over time and inmates began to construct their own homes on the grounds.

Guards let prisoners bring in whatever they wanted and inmates set up laboratories to produce cocaine, crack and liquor inside Pavon. …

Inmates extorted and kidnapped victims on the outside by giving orders via cell phone. …

They also killed Luis Alfonso Zepeda, a convicted murderer who headed the “order committee.”

Zepeda earned around $25,000 a month from extortion, renting out prison grounds to other inmates and drug trafficking, police said.

His son Samuel lived illegally inside the prison to help run the crime empire, even though he was never sent there by a court. …

Inmates ran at least two churches, one Catholic and the other Evangelical, and restaurants serving typical fare like stews and tortillas.

Stores controlled by the prisoners sold soft drinks and potato chips brought in from the outside.


The real solution to identity theft: bank liability

From Bruce Schneier’s “Mitigating Identity Theft” (Crypto-Gram: 15 April 2005):

The very term “identity theft” is an oxymoron. Identity is not a possession that can be acquired or lost; it’s not a thing at all. …

The real crime here is fraud; more specifically, impersonation leading to fraud. Impersonation is an ancient crime, but the rise of information-based credentials gives it a modern spin. A criminal impersonates a victim online and steals money from his account. He impersonates a victim in order to deceive financial institutions into granting credit to the criminal in the victim’s name. …

The crime involves two very separate issues. The first is the privacy of personal data. Personal privacy is important for many reasons, one of which is impersonation and fraud. As more information about us is collected, correlated, and sold, it becomes easier for criminals to get their hands on the data they need to commit fraud. …

The second issue is the ease with which a criminal can use personal data to commit fraud. …

Proposed fixes tend to concentrate on the first issue — making personal data harder to steal — whereas the real problem is the second. If we’re ever going to manage the risks and effects of electronic impersonation, we must concentrate on preventing and detecting fraudulent transactions.

… That leaves only one reasonable answer: financial institutions need to be liable for fraudulent transactions. They need to be liable for sending erroneous information to credit bureaus based on fraudulent transactions.

… The bank must be made responsible, regardless of what the user does.

If you think this won’t work, look at credit cards. Credit card companies are liable for all but the first $50 of fraudulent transactions. They’re not hurting for business; and they’re not drowning in fraud, either. They’ve developed and fielded an array of security technologies designed to detect and prevent fraudulent transactions.


Two-factor authentication: the good & the bad

From Bruce Schneier’s “More on Two-Factor Authentication” (Crypto-Gram: 15 April 2005):

Passwords just don’t work anymore. As computers have gotten faster, password guessing has gotten easier. Ever-more-complicated passwords are required to evade password-guessing software. At the same time, there’s an upper limit to how complex a password users can be expected to remember. About five years ago, these two lines crossed: It is no longer reasonable to expect users to have passwords that can’t be guessed. For anything that requires reasonable security, the era of passwords is over.

Two-factor authentication solves this problem. It works against passive attacks: eavesdropping and password guessing. It protects against users choosing weak passwords, telling their passwords to their colleagues or writing their passwords on pieces of paper taped to their monitors. For an organization trying to improve access control for its employees, two-factor authentication is a great idea. Microsoft is integrating two-factor authentication into its operating system, another great idea.

What two-factor authentication won’t do is prevent identity theft and fraud. It’ll prevent certain tactics of identity theft and fraud, but criminals simply will switch tactics. We’re already seeing fraud tactics that completely ignore two-factor authentication. As banks roll out two-factor authentication, criminals simply will switch to these new tactics.

One way to think about this is that two-factor authentication solves security problems involving authentication. The current wave of attacks against financial systems are not exploiting vulnerabilities in the authentication system, so two-factor authentication doesn’t help.


The HOLLYWOOD sign as multi-user access-control system

From Bruce Schneier’s “Hollywood Sign Security” (Crypto-Gram: 15 January 2005):

In Los Angeles, the “HOLLYWOOD” sign is protected by a fence and a locked gate. Because several different agencies need access to the sign for various purposes, the chain locking the gate is formed by several locks linked together. Each of the agencies has the key to its own lock, and not the key to any of the others. Of course, anyone who can open one of the locks can open the gate.

This is a nice example of a multiple-user access-control system. It’s simple, and it works. You can also make it as complicated as you want, with different locks in parallel and in series.
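The chained-padlock scheme above, modelled as an added example (not code from Schneier's article or from this blog). The agency names are constructed, and reading "series" as links of one chain where any lock opens it and "parallel" as separate closures that must all be opened is an assumption of this sketch.

```python
from itertools import combinations

# Policy tree (constructed model, not from the article):
#   "name"            -> a padlock opened by the key called name
#   ("any", [nodes])  -> links of one chain: opening ANY link frees the chain
#   ("all", [nodes])  -> separate closures on the gate: ALL must be opened

def opens(policy, keys):
    """Return True if the set of held keys is enough to open the gate."""
    if isinstance(policy, str):
        return policy in keys
    kind, children = policy
    results = (opens(child, keys) for child in children)
    return any(results) if kind == "any" else all(results)

def all_keys(policy):
    """Collect every key name that appears anywhere in the policy."""
    if isinstance(policy, str):
        return {policy}
    return set().union(*(all_keys(child) for child in policy[1]))

def minimal_key_sets(policy):
    """Enumerate the smallest key combinations that open the gate."""
    keys = sorted(all_keys(policy))
    found = []
    for size in range(1, len(keys) + 1):
        for combo in combinations(keys, size):
            held = frozenset(combo)
            # Skip supersets of a combination already known to work.
            if opens(policy, held) and not any(m <= held for m in found):
                found.append(held)
    return found

def revoke(chain, key):
    """Cut one agency's lock out of a chain; no other agency is re-keyed."""
    kind, children = chain
    if kind != "any":
        raise ValueError("dropping a lock from an 'all' closure weakens it")
    return (kind, [child for child in children if child != key])

# Constructed agencies: one chain of four locks, as on the sign's gate.
SIGN_GATE = ("any", ["parks", "fire", "police", "telecom"])
# A stricter variant: two chains, and both must be opened.
DUAL_CONTROL = ("all", [("any", ["parks", "fire"]),
                        ("any", ["police", "telecom"])])

if __name__ == "__main__":
    print(minimal_key_sets(SIGN_GATE))     # every single key is sufficient
    print(minimal_key_sets(DUAL_CONTROL))  # one key from each chain
```

The single-chain result makes the cost of the design explicit: every agency's key is a complete credential on its own, so the gate is only as well protected as the least careful key holder.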


When people feel secure, they’re easier targets

From Bruce Schneier’s “Burglars and ‘Feeling Secure’” (Crypto-Gram: 15 January 2005):

This quote is from “Confessions of a Master Jewel Thief,” by Bill Mason (Villard, 2003): “Nothing works more in a thief’s favor than people feeling secure. That’s why places that are heavily alarmed and guarded can sometimes be the easiest targets. The single most important factor in security — more than locks, alarms, sensors, or armed guards — is attitude. A building protected by nothing more than a cheap combination lock but inhabited by people who are alert and risk-aware is much safer than one with the world’s most sophisticated alarm system whose tenants assume they’re living in an impregnable fortress.”

The author, a burglar, found that luxury condos were an excellent target. Although they had much more security technology than other buildings, they were vulnerable because no one believed a thief could get through the lobby.
