technology

Why airport security fails constantly

From Bruce Schneier’s “Airport Passenger Screening” (Crypto-Gram Newsletter: 15 April 2006):

It seems like every time someone tests airport security, airport security fails. In tests between November 2001 and February 2002, screeners missed 70 percent of knives, 30 percent of guns, and 60 percent of (fake) bombs. And recently, testers were able to smuggle bomb-making parts through airport security in 21 of 21 attempts. …

The failure to detect bomb-making parts is easier to understand. Break up something into small enough parts, and it’s going to slip past the screeners pretty easily. The explosive material won’t show up on the metal detector, and the associated electronics can look benign when disassembled. This isn’t even a new problem. It’s widely believed that the Chechen women who blew up the two Russian planes in August 2004 probably smuggled their bombs aboard the planes in pieces. …

Airport screeners have a difficult job, primarily because the human brain isn’t naturally adapted to the task. We’re wired for visual pattern matching, and are great at picking out something we know to look for — for example, a lion in a sea of tall grass.

But we’re much less adept at detecting random exceptions in uniform data. Faced with an endless stream of identical objects, the brain quickly concludes that everything is identical and there’s no point in paying attention. By the time the exception comes around, the brain simply doesn’t notice it. This psychological phenomenon isn’t just a problem in airport screening: It’s been identified in inspections of all kinds, and is why casinos move their dealers around so often. The tasks are simply mind-numbing.

Why airport security fails constantly Read More »

L.A. police using drones to spy on citizens

From Zachary Slobig’s “Police launch eye-in-the-sky technology above Los Angeles” (AFP: 17 June 2006):

Police launched the future of law enforcement into the smoggy Los Angeles sky in the form of a drone aircraft, bringing technology most commonly associated with combat zones to urban policing.

The unmanned aerial vehicle, which looks like a child’s remote control toy and weighs about five pounds (2.3 kilograms), is a prototype being tested by the Los Angeles County Sheriff’s Department. …

“This technology could be used to find missing children, search for lost hikers, or survey a fire zone,” said Commander Sid Heal, head of the Technology Exploration Project of the Los Angeles County Sheriff’s Department. “The ideal outcome for us is when this technology becomes instrumental in saving lives.”

The SkySeer would also be a helpful tool to nab burglary suspects on rooftops and to chase down suspects fleeing on foot. The drone comes equipped with low-light and infrared capabilities and can fly at speeds up to 30 miles (48 kilometers) per hour for 70 minutes. …

A small camera capable of tilt and pan operations is fixed to the underside of the drone which sends the video directly to a laptop command station. Once launched, the craft is set to fly autonomously with global positioning system (GPS) coordinates and a fixed flight pattern.

As technology improves, the drone will be outfitted with zoom capabilities. For now, the craft simply flies lower to hone in on its target. …

“The plane is virtually silent and invisible,” said Heal. “It will give us a vertical perspective that we have never had.”

The Los Angeles Sheriff’s Department operates a fleet of 18 helicopters, priced between three and five million dollars each. The SkySeer will cost between 25,000 and 30,000 dollars.

L.A. police using drones to spy on citizens Read More »

4 ways to eavesdrop on telephone calls

From Bruce Schneier’s “VOIP Encryption” (Crypto-Gram Newsletter: 15 April 2006):

There are basically four ways to eavesdrop on a telephone call.

One, you can listen in on another phone extension. This is the method preferred by siblings everywhere. If you have the right access, it’s the easiest. While it doesn’t work for cell phones, cordless phones are vulnerable to a variant of this attack: A radio receiver set to the right frequency can act as another extension.

Two, you can attach some eavesdropping equipment to the wire with a pair of alligator clips. It takes some expertise, but you can do it anywhere along the phone line’s path — even outside the home. This used to be the way the police eavesdropped on your phone line. These days it’s probably most often used by criminals. This method doesn’t work for cell phones, either.

Three, you can eavesdrop at the telephone switch. Modern phone equipment includes the ability for someone to listen in this way. Currently, this is the preferred police method. It works for both land lines and cell phones. You need the right access, but if you can get it, this is probably the most comfortable way to eavesdrop on a particular person.

Four, you can tap the main trunk lines, eavesdrop on the microwave or satellite phone links, etc. It’s hard to eavesdrop on one particular person this way, but it’s easy to listen in on a large chunk of telephone calls. This is the sort of big-budget surveillance that organizations like the National Security Agency do best. They’ve even been known to use submarines to tap undersea phone cables.

4 ways to eavesdrop on telephone calls Read More »

Employees willingly installed CDs handed to them by strangers

From Will Sturgeon’s “Proof: Employees don’t care about security” (silicon.com: 16 February 2006):

CDs were handed out to commuters as they entered the City by employees of IT skills specialist The Training Camp and recipients were told the disks contained a special Valentine’s Day promotion.

However, the CDs contained nothing more than code which informed The Training Camp how many of the recipients had tried to open the CD. Among those who were duped were employees of a major retail bank and two global insurers.

The CD packaging even contained a clear warning about installing third-party software and acting in breach of company acceptable-use policies — but that didn’t deter many individuals who showed little regard for the security of their PC and their company.

Employees willingly installed CDs handed to them by strangers Read More »

A new way to steal from ATMs: blow ’em up

From Bruce Schneier’s “News” (Crypto-Gram Newsletter: 15 March 2006):

In the Netherlands, criminals are stealing money from ATM machines by blowing them up. First, they drill a hole in an ATM and fill it with some sort of gas. Then, they ignite the gas — from a safe distance — and clean up the money that flies all over the place after the ATM explodes. Sounds crazy, but apparently there has been an increase in this type of attack recently. The banks’ countermeasure is to install air vents so that gas can’t build up inside the ATMs.

A new way to steal from ATMs: blow ’em up Read More »

Microsoft’s BitLocker could be used for DRM

From Bruce Schneier’s “Microsoft’s BitLocker” (Crypto-Gram Newsletter: 15 May 2006):

BitLocker is not a DRM system. However, it is straightforward to turn it into a DRM system. Simply give programs the ability to require that files be stored only on BitLocker-enabled drives, and then only be transferable to other BitLocker-enabled drives. How easy this would be to implement, and how hard it would be to subvert, depends on the details of the system.

Microsoft’s BitLocker could be used for DRM Read More »

THE answer to “if you’re not doing anything wrong, why resist surveillance?”

From Bruce Schneier’s “The Eternal Value of Privacy” (Wired News: 18 May 2006):

The most common retort against privacy advocates — by those in favor of ID checks, cameras, databases, data mining and other wholesale surveillance measures — is this line: “If you aren’t doing anything wrong, what do you have to hide?”

Some clever answers: “If I’m not doing anything wrong, then you have no cause to watch me.” “Because the government gets to define what’s wrong, and they keep changing the definition.” “Because you might do something wrong with my information.” My problem with quips like these — as right as they are — is that they accept the premise that privacy is about hiding a wrong. It’s not. Privacy is an inherent human right, and a requirement for maintaining the human condition with dignity and respect.

Two proverbs say it best: Quis custodiet custodes ipsos? (“Who watches the watchers?”) and “Absolute power corrupts absolutely.”

Cardinal Richelieu understood the value of surveillance when he famously said, “If one would give me six lines written by the hand of the most honest man, I would find something in them to have him hanged.” Watch someone long enough, and you’ll find something to arrest — or just blackmail — with. Privacy is important because without it, surveillance information will be abused: to peep, to sell to marketers and to spy on political enemies — whoever they happen to be at the time.

THE answer to “if you’re not doing anything wrong, why resist surveillance?” Read More »

Exploits used for corporate espionage

From Ryan Naraine’s “Microsoft Confirms Excel Zero-Day Attack Under Way” (eWeek: 16 June 2006):

Microsoft June 15 confirmed that a new, undocumented flaw in its widely used Excel spreadsheet program was being used in an attack against an unnamed target.

The company’s warning comes less than a month after a code-execution hole in Microsoft Word was exploited in what is described as a “super, super targeted attack” against business interests overseas.

The back-to-back zero-day attacks closely resemble each other and suggest that well-organized criminals are conducting corporate espionage using critical flaws purchased from underground hackers.

Exploits used for corporate espionage Read More »

Ways different cultures view technology

From Spare me the details (The Economist: 28 October 2004):

Genevieve Bell, an anthropologist who works for Intel, the world’s biggest semiconductor-maker, has been travelling around Asia for three years to observe how Asians use, or choose not to use, technology. She was especially struck by the differences in how westerners and Asians view their homes. Americans tended to say things like “my home is my castle” and furnish it as a self-contained playground, says Ms Bell. Asians were more likely to tell her that “my home is a place of harmony”, “grace”, “simplicity” or “humility”. These Asians recoiled from gadgets that made noises or looked showy or intrusive.

Even within western cultures, Ms Bell, who is Australian, has found startling differences in the way people view technology. When she recently opened her laptop in a café in Sydney to check her e-mail on the local wireless network, using a fast-spreading technology called Wi-Fi, she immediately got a mocking “Oi, what do you think you are, famous?” from the next table. “For Americans, adopting technology is an expression of American-ness, part of the story of modernity and progress,” says Ms Bell. For many other people, it may be just a hassle, or downright pretentious.

Ways different cultures view technology Read More »

Change the AMD K8 CPU without authentication checks

From Bruce Schneier’s Crypto-Gram Newsletter (15 August 2004):

Here’s an interesting hardware security vulnerability. Turns out that it’s possible to update the AMD K8 processor (Athlon64 or Opteron) microcode. And, get this, there’s no authentication check. So it’s possible that an attacker who has access to a machine can backdoor the CPU.

[See http://www.realworldtech.com/forums/index.cfm?action=detail&id=35446&threadid=35446&roomid=11]

Change the AMD K8 CPU without authentication checks Read More »

1st 2 questions AOL tech support asks

From Spare me the details (The Economist: 28 October 2004):

LISA HOOK, an executive at AOL, one of the biggest providers of traditional (“dial-up”) internet access, has learned amazing things by listening in on the calls to AOL’s help desk. Usually, the problem is that users cannot get online. The help desk’s first question is: “Do you have a computer?” Surprisingly often the answer is no, and the customer was trying to shove the installation CD into the stereo or TV set. The help desk’s next question is: “Do you have a second telephone line?” Again, surprisingly often the answer is no, which means that the customer cannot get on to the internet because he is on the line to the help desk. And so it goes on. …

1st 2 questions AOL tech support asks Read More »

Quick ‘n dirty explanation of onion routing

From Ann Harrison’s Onion Routing Averts Prying Eyes (Wired News: 5 August 2004):

Computer programmers are modifying a communications system, originally developed by the U.S. Naval Research Lab, to help Internet users surf the Web anonymously and shield their online activities from corporate or government eyes.

The system is based on a concept called onion routing. It works like this: Messages, or packets of information, are sent through a distributed network of randomly selected servers, or nodes, each of which knows only its predecessor and successor. Messages flowing through this network are unwrapped by a symmetric encryption key at each server that peels off one layer and reveals instructions for the next downstream node. …

The Navy is financing the development of a second-generation onion-routing system called Tor, which addresses many of the flaws in the original design and makes it easier to use. The Tor client behaves like a SOCKS proxy (a common protocol for developing secure communication services), allowing applications like Mozilla, SSH and FTP clients to talk directly to Tor and route data streams through a network of onion routers, without long delays.

Quick ‘n dirty explanation of onion routing Read More »

Unix specs vs. Windows specs

From Peter Seebach’s Standards and specs: Not by UNIX alone (IBM developerWorks: 8 March 2006):

In the past 20 years, developers for “the same” desktop platform (“whatever Microsoft ships”) have been told that the API to target is (in this order):

* DOS
* Win16
* OS/2
* Win32
* WinNT
* WinXP
* and most recently .NET.

Of course, that list is from last year, and now the “stable” target that you should be developing for, if you have an eye for the future, is Vista.

It hasn’t been quite as bad in the Macintosh world, where the number of major API changes has been limited: classic single-tasking Mac OS, classic multitasking Mac OS (System 7), Carbon (System 8/9 and preview of OS X), and Cocoa (OS X), but even there, the cost of migration has been significant. At least OS X finally offers a stable UNIX API for the back-end part of programs, allowing developers to ignore the API creep except in GUI code.

By contrast, twenty-year-old UNIX utilities still compile and run. A new desktop computing API will come and everyone will have to rewrite for it, but mountains will erode away before read() and write() stop working. This is the reason that all the hassle of formal UNIX standards has had so little effect on practical UNIX software development; the core API is simple, clean, and well-designed, and there is no need to change it significantly.

… UNIX users have been switching hardware platforms since the 1970s; it’s no big deal. …

Just as there are many varieties of UNIX, there are many UNIX standards:

* Probably the oldest standard that people still refer to is AT&T’s 1985 System V Interface Definition (SVID). This standard shows up, for instance, in man pages describing the standards compliance of functions that have been in the C library “forever.”
* Meanwhile, X/Open (now the Open Group) was developing “portability guides” with names like XPG2, XPG3, and so on. XPG1 was actually released in 1995. The XPG guides are largely subsumed into newer specs, but once again, are still referred to sometimes in documentation.
* The IEEE’s POSIX standard showed up in 1990 with updates in 1992 and 1993 and a second edition in 1996. It’s still a viable standard, although it has suffered from poor accessibility. POSIX specs have names like 1003.x; for instance, 1003.1 and 1003.2, which refer to different parts of the standard, or 1003.1-1988 and 1003.1-1990, which refer to two versions of the standard.
* The fairly ominous sounding “Spec 1170” (also known as “UNIX 98” or “Single Unix Specification”) is probably the most complete specification; it is produced by the Open Group, and is effectively a descendant of the XPG series. In practice, this is “the” UNIX standard these days, although it’s a little large; this has had an impact on conformance testing.
* The Linux Standards Base is not strictly a UNIX standard, but it’s a standardization effort relevant to a very large number of developers working with code designed to run “on UNIX.” …

You can look at OS specifications in two very different ways: one is from the point of view of a developer trying to port an application, and the other is from the point of view of the user trying to interact with the system.

UNIX conveniently blurs this distinction. The primary user interface is also one of the primary development environments; therefore, UNIX specifications often cover not only the C language API, but also the shell environment and many of the core utilities shell programmers rely on. …

From the perspective of a developer who’s seen many Unix-like systems, Linux is probably mostly sort of similar to System V. The heavy focus on GNU utilities gives a sort of surreal combination of Berkeley and System V features, but if you have to guess whether Linux does something the Berkeley way or the System V way, go with System V. This is especially true of system startup; nearly all Linux systems use the System V /etc/inittab and /etc/rc.d structure, or something very close to it. …

Unix specs vs. Windows specs Read More »

AT&T’s security tv station

From Stephen Lawson & Robert McMillan’s AT&T plans CNN-syle security channel (InfoWorld: 23 June 2005):

Security experts at AT&T are about to take a page from CNN’s playbook. Within the next year they will begin delivering a video streaming service that will carry Internet security news 24 hours a day, seven days a week, according to the executive in charge of AT&T Labs.

The service, which currently goes by the code name Internet Security News Network, (ISN) is under development at AT&T Labs, but it will be offered as an additional service to the company’s customers within the next nine to 12 months, according to Hossein Eslambolchi, president of AT&T’s Global Networking Technology Services and AT&T Labs

ISN will look very much like Time Warner’s Cable News Network, except that it will be broadcast exclusively over the Internet, Eslambolchi said. “It’s like CNN,” he said. “When a new attack is spotted, we’ll be able to offer constant updates, monitoring, and advice.”

AT&T’s security tv station Read More »

DIY worm kits

From Jose Nazario’s Anatomy of a worm (Computerworld: 15 September 2004):

Now imagine a world where worm attacks frequently occur because hackers and rogue developers have access to “worm kits” or development tools that provide the basic building blocks for rapid worm development.

Historically, worms were basic clones of one another that didn’t change after their original development. Simple mechanisms were used to propagate them, such as mass-mailing worms using a single subject line.

Today’s worms are more sophisticated. They have the ability to mutate after development based on knowledge of how to thwart new security processes. For instance, an early worm, Code Red, attacked only Internet Information Server servers. The Nimda worm, which came later, expanded to include at least three additional attack methodologies: mail-based attacks, file-sharing-based attacks, and attacks against the Internet Explorer Web browser.

The potential for this worm-a-day nightmare comes from several factors: the dozens of vulnerabilities that are ready to be exploited, the availability of worm source code, recycled exploits and the ease of editing existing worms.

DIY worm kits Read More »

Why Microsoft is threatened by open source

From How Microsoft played the patent card, and failed (The Register: 23 December 2004):

… the joint lead on the Samba project, Jeremy Allison …: “Microsoft has bought off and paid off every competitor it has, except open source. Every single player they could buy out, they did. That leaves Real, and FOSS. And they can’t buy us out, because you can’t buy off a social movement.”

Why Microsoft is threatened by open source Read More »

Search for Microsoft Money data files on P2P networks

From Greg Brooks’s more on DIY phishing kits hit the Net (Interesting People: 21 August 2004):

Turn on Kazaa or your p2p app of choice and search for .mny files — the data stores for Microsoft Money.

Most of these files won’t be password protected — just download, open and you’ve got a trove of personal financial data to work with. Stumble across a protected file? There are inexpensive utilities for recovering the password.

Search for Microsoft Money data files on P2P networks Read More »

Remote fingerprinting of devices connected to the Net

Anonymous Internet access is now a thing of the past. A doctoral student at the University of California has conclusively fingerprinted computer hardware remotely, allowing it to be tracked wherever it is on the Internet.

In a paper on his research, primary author and Ph.D. student Tadayoshi Kohno said: “There are now a number of powerful techniques for remote operating system fingerprinting, that is, remotely determining the operating systems of devices on the Internet. We push this idea further and introduce the notion of remote physical device fingerprinting … without the fingerprinted device’s known cooperation.”

The potential applications for Kohno’s technique are impressive. For example, “tracking, with some probability, a physical device as it connects to the Internet from different access points, counting the number of devices behind a NAT even when the devices use constant or random IP identifications, remotely probing a block of addresses to determine if the addresses correspond to virtual hosts (for example, as part of a virtual honeynet), and unanonymising anonymised network traces.” …

Another application for Kohno’s technique is to “obtain information about whether two devices on the Internet, possibly shifted in time or IP addresses, are actually the same physical device.”

The technique works by “exploiting small, microscopic deviations in device hardware: clock skews.” In practice, Kohno’s paper says, his techniques “exploit the fact that most modern TCP stacks implement the TCP timestamps option from RFC 1323 whereby, for performance purposes, each party in a TCP flow includes information about its perception of time in each outgoing packet. A fingerprinter can use the information contained within the TCP headers to estimate a device’s clock skew and thereby fingerprint a physical device.”

Kohno goes on to say: ” Our techniques report consistent measurements when the measurer is thousands of miles, multiple hops, and tens of milliseconds away from the fingerprinted device, and when the fingerprinted device is connected to the Internet from different locations and via different access technologies. Further, one can apply our passive and semi-passive techniques when the fingerprinted device is behind a NAT or firewall.”

And the paper stresses that “For all our methods, we stress that the fingerprinter does not require any modification to or cooperation from the fingerprintee.” Kohno and his team tested their techniques on many operating systems, including Windows XP and 2000, Mac OS X Panther, Red Hat and Debian Linux, FreeBSD, OpenBSD and even Windows for Pocket PCs 2002.

Remote fingerprinting of devices connected to the Net Read More »

A profile of phishers & their jobs

From Lee Gomes’s Phisher Tales: How Webs of Scammers Pull Off Internet Fraud (The Wall Street Journal: 20 June 2005):

The typical phisher, he discovered, isn’t a movie-style villain but a Romanian teenager, albeit one who belongs to a social and economic infrastructure that is both remarkably sophisticated and utterly ragtag.

If, in the early days, phishing scams were one-person operations, they have since become so complicated that, just as with medicine or law, the labor has become specialized.

Phishers with different skills will trade with each other in IRC chat rooms, says Mr. Abad. Some might have access to computers around the world that have been hijacked, and can thus be used in connection with a phishing attack. Others might design realistic “scam pages,” which are the actual emails that phishers send. …

But even if a phisher has a “full,” the real work has yet to begin. The goal of most phishers is to use the information they glean to withdraw money from your bank account. Western Union is one way. Another is making a fake ATM card using a blank credit card and a special magnetic stripe reader/writer, which is easy to purchase online.

A phisher, though, may not have the wherewithal to do either of those. He might, for instance, be stuck in a small town where the Internet is his only connection to the outside world. In that case, he’ll go into an IRC chat room and look for a “casher,” someone who can do the dirty work of actually walking up to an ATM. Cashers, says Mr. Abad, usually take a cut of the proceeds and then wire the rest back to the phisher.

Certain chat rooms are thus full of cashers looking for work. “I cash out,” advertised “CCPower” last week on an IRC channel that had 80 other people logged onto it. “Msg me for deal. 65% your share.”

The average nonphisher might wonder what would prevent a casher from simply taking the money and running. It turns out, says Mr. Abad, that phishers have a reputation-monitoring system much like eBay’s. If you rip someone off, your rating goes down. Not only that, phishers post nasty notices about you on IRC. “Sox and Bagzy are rippers,” warned a message posted last week.

Phishers, not surprisingly, are savvy about their targets. For instance, it wasn’t just a coincidence that Washington Mutual was a phisher favorite. Mr. Abad says it was widely known in the phishing underground that a flaw in the communications between the bank’s ATM machines and its mainframe computers made it especially easy to manufacture fake Washington Mutual ATM cards. The bank fixed the problem a few months ago, Mr. Abad says, and the incidence of Washington Mutual-related phishing quickly plummeted. …

Mr. Abad himself is just 23 years old, but he has spent much of the past 10 years hanging out in IRC chat rooms, encountering all manner of hackers and other colorful characters. One thing that’s different about phishers, he says, is how little they like to gab.

“Real hackers will engage in conversation,” he says. “With phishers, it’s a job.”

A profile of phishers & their jobs Read More »

Spammers causing problems to DNS

From Dennis Fisher’s Spammers’ New Tactic Upends DNS (eWeek: 10 January 2005):

One troublesome technique finding favor with spammers involves sending mass mailings in the middle of the night from a domain that has not yet been registered. After the mailings go out, the spammer registers the domain early the next morning.

By doing this, spammers hope to avoid stiff CAN-SPAM fines through minimal exposure and visibility with a given domain. The ruse, they hope, makes them more difficult to find and prosecute.

The scheme, however, has unintended consequences of its own. During the interval between mailing and registration, the SMTP servers on the recipients’ networks attempt Domain Name System look-ups on the nonexistent domain, causing delays and timeouts on the DNS servers and backups in SMTP message queues.

“Anti-spam systems have become heavily dependent on DNS for looking at all kinds of blacklists, looking at headers, all of that,” said Paul Judge, a well-known anti-spam expert and chief technology officer at CipherTrust Inc., a mail security vendor based in Atlanta. “I’ve seen systems that have to do as many as 30 DNS calls on each message. Even in large enterprises, it’s becoming very common to see a large spam load cripple the DNS infrastructure.”

Spammers causing problems to DNS Read More »