bruce_schneier

Bruce Schneier on phishing

From Bruce Schneier’s “Phishing“:

Phishing, for those of you who have been away from the Internet for the past few years, is when an attacker sends you an e-mail falsely claiming to be a legitimate business in order to trick you into giving away your account info — passwords, mostly. When this is done by hacking DNS, it’s called pharming. …

In general, two Internet trends affect all forms of identity theft. The widespread availability of personal information has made it easier for a thief to get his hands on it. At the same time, the rise of electronic authentication and online transactions — you don’t have to walk into a bank, or even use a bank card, in order to withdraw money now — has made that personal information much more valuable. …

The newest variant, called “spear phishing,” involves individually targeted and personalized e-mail messages that are even harder to detect. …

It’s not that financial institutions suffer no losses. Because of something called Regulation E, they already pay most of the direct costs of identity theft. But the costs in time, stress, and hassle are entirely borne by the victims. And in one in four cases, the victims have not been able to completely restore their good name.

In economics, this is known as an externality: It’s an effect of a business decision that is not borne by the person or organization making the decision. Financial institutions have no incentive to reduce those costs of identity theft because they don’t bear them. …

If there’s one general precept of security policy that is universally true, it is that security works best when the entity that is in the best position to mitigate the risk is responsible for that risk.

Bruce Schneier on phishing Read More »

Bruce Schneier on what we should do

From Bruce Schneier’s “Searching Bags in Subways“:

Final note: I often get comments along the lines of “Stop criticizing stuff; tell us what we should do.” My answer is always the same. Counterterrorism is most effective when it doesn’t make arbitrary assumptions about the terrorists’ plans. Stop searching bags on the subways, and spend the money on 1) intelligence and investigation — stopping the terrorists regardless of what their plans are, and 2) emergency response — lessening the impact of a terrorist attack, regardless of what the plans are. Countermeasures that defend against particular targets, or assume particular tactics, or cause the terrorists to make insignificant modifications in their plans, or that surveil the entire population looking for the few terrorists, are largely not worth it.

Bruce Schneier on what we should do Read More »

Trusted Computing: security for whom? from whom?

From Bruce Schneier’s “Trusted Computing Best Practices“:

The language [in the Trusted Computing Group’s best practices document] has too much wiggle room for companies to break interoperability under the guise of security: “Furthermore, implementations and deployments of TCG specifications should not introduce any new interoperability obstacles that are not for the purpose of security.”

That sounds good, but what does “security” mean in that context? Security of the user against malicious code? Security of big media against people copying music and videos? Security of software vendors against competition? The big problem with TCG [Trusted Computing Group] technology is that it can be used to further all three of these “security” goals, and this document is where “security” should be better defined.

Trusted Computing: security for whom? from whom? Read More »

Thieves use Bluetooth to find laptops in cars

From “Phone pirates in seek and steal mission“:

MOBILE phone technology is being used by thieves to seek out and steal laptops locked in cars in Cambridgeshire.

Up-to-date mobiles often have Bluetooth technology, which allows other compatible devices, including laptops, to link up and exchange information, and log on to the internet.

But thieves in Cambridge have cottoned on to an alternative use for the function, using it as a scanner which will let them know if another Bluetooth device is locked in a car boot.

Det Sgt Al Funge, from Cambridge’s crime investigation unit, said: “There have been a number of instances of this new technology being used to identify cars which have valuable electronics, including laptops, inside.

Thieves use Bluetooth to find laptops in cars Read More »

Water that uniquely identifies its owner

From SmartWater Technology:

SmartWater Security Systems are forensic coding systems which can be applied in several ways:

SmartWater Tracer

An aqueous based solution with a unique forensic code.

SmartWater Tracer uniquely codes your property, whilst being virtually invisible to the naked eye, glows under UV light and is practically impossible to remove entirely. Tracer is used in commercial businesses, schools, hospitals and other organisations. Tracer is also used in our Home Coding System so that you can use it safely on jewellery and other sentimental items.

SmartWater Instant

Forensic Coding combined with microdot technology.

SmartWater has been designed to protect household property and motor vehicles. Each bottle of SmartWater solution contains a unique forensic code, which is assigned to a household or vehicle.

An additional feature of SmartWater Instant is the inclusion of tiny micro-dot particles which enable Police to quickly identify the true owner of the property.

SmartWater SuperLabel

Forensic Coding is embedded into the adhesive of tamper resistant labels – combines effective asset management with the protection of Tracer.

The SuperLabel is designed to be tamper resistant making it extremely difficult to remove. Should the label be removed, ownership of the asset can be established from the smallest speck of adhesive, as it contains the forensic code. As with the other SmartWater products this is also designed to glow under Ultra Violet light. Your company logo can also be incorporated into the adhesive, providing quick identification of the true owner of the property.

Water that uniquely identifies its owner Read More »

Brandeis on openness in business, society, & government

From Bruce Schneier’s “Brandeis Quote on Openness“:

Louis D. Brandeis, Other People’s Money and How the Bankers Use It 92 (1914): “Publicity is justly commended as a remedy for social and industrial diseases. Sunlight is said to be the best of disinfectants; electric light the most efficient policeman.”

[Note: Also in Harper’s Weekly, Dec 20 1913]

Brandeis on openness in business, society, & government Read More »

How to fake an anthrax scare

From Bruce Schneier’s “White Powder Anthrax Hoaxes“:

Earlier this month, there was an anthrax scare at the Indonesian embassy in Australia. Someone sent them some white powder in an envelope, which was scary enough. Then it tested positive for bacillus. The building was decontaminated, and the staff was quarantined for twelve hours. By then, tests came back negative for anthrax.

A lot of thought went into this false alarm. The attackers obviously knew that their white powder would be quickly tested for the presence of a bacterium of the bacillus family (of which anthrax is a member), but that the bacillus would have to be cultured for a couple of days before a more exact identification could be made. So even without any anthrax, they managed to cause two days of terror.

… In an interesting side note, the media have revealed for the first time that 360 “white powder” incidents have taken place since 11 September 2001. This news had been suppressed by the government, which had issued D notices to the media for all such incidents. So there has been one such incident approximately every four days — an astonishing number, given Australia’s otherwise low crime rate.

How to fake an anthrax scare Read More »

How to know if you should worry

From Bruce Schneier’s “Should Terrorism be Reported in the News?” in Crypto-Gram (15 May 2005):

One of the things I routinely tell people is that if it’s in the news, don’t worry about it. By definition, “news” means that it hardly ever happens. If a risk is in the news, then it’s probably not worth worrying about. When something is no longer reported — automobile deaths, domestic violence — when it’s so common that it’s not news, then you should start worrying.

How to know if you should worry Read More »

Confidential, Secret, Top Secret … and SSI

From Bruce Schneier’s “Sensitive Security Information (SSI)” in Crypto-Gram (15 March 2005):

For decades, the U.S. government has had systems in place for dealing with military secrets. Information is classified as either Confidential, Secret, Top Secret, or one of many “compartments” of information above Top Secret. Procedures for dealing with classified information were rigid: classified topics could not be discussed on unencrypted phone lines, classified information could not be processed on insecure computers, classified documents had to be stored in locked safes, and so on. The procedures were extreme because the assumed adversary was highly motivated, well-funded, and technically adept: the Soviet Union. …

In 1993, the U.S. government created a new classification of information — Sensitive Security Information. The information under this category, as defined by a D.C. court, was limited to information related to the safety of air passengers. This was greatly expanded in 2002, when Congress deleted two words, “air” and “passengers,” and changed “safety” to “security.” Currently, there’s a lot of information covered under this umbrella. …

The rules for SSI information are much more relaxed than the rules for traditional classified information. Before someone can have access to classified information, he must get a government clearance. Before someone can have access to SSI, he simply must sign an NDA. If someone discloses classified information, he faces criminal penalties. If someone discloses SSI, he faces civil penalties.

SSI can be sent unencrypted in e-mail; a simple password-protected attachment is enough. A person can take SSI home with him, read it on an airplane, and talk about it in public places. People entrusted with SSI information shouldn’t disclose it to those unauthorized to know it, but it’s really up to the individual to make sure that doesn’t happen. It’s really more like confidential corporate information than government military secrets. …

The U.S. government really had no choice but to establish this classification level, given the kind of information they needed to work with. For example, the terrorist “watch” list is SSI. If the list falls into the wrong hands, it would be bad for national security. But think about the number of people who need access to the list. Every airline needs a copy, so they can determine if any of their passengers are on the list. That’s not just domestic airlines, but foreign airlines as well — including foreign airlines that may not agree with American foreign policy. Police departments, both within this country and abroad, need access to the list.

Confidential, Secret, Top Secret … and SSI Read More »