Arguments against the Web’s ungovernability

From Technology Review‘s “Taming the Web“:

Nonetheless, the claim that the Internet is ungovernable by its nature is more of a hope than a fact. It rests on three widely accepted beliefs, each of which has become dogma to webheads. First, the Net is said to be too international to oversee: there will always be some place where people can set up a server and distribute whatever they want. Second, the Net is too interconnected to fence in: if a single person has something, he or she can instantly make it available to millions of others. Third, the Net is too full of hackers: any effort at control will invariably be circumvented by the world’s army of amateur tinkerers, who will then spread the workaround everywhere.

Unfortunately, current evidence suggests that two of the three arguments for the Net’s uncontrollability are simply wrong; the third, though likely to be correct, is likely to be irrelevant. In consequence, the world may well be on the path to a more orderly electronic future, one in which the Internet can and will be controlled. If so, the important question is not whether the Net can be regulated and monitored, but how and by whom. …

As Swaptor shows, the Net can be accessed from anywhere in theory, but as a practical matter, most out-of-the-way places don’t have the requisite equipment. And even if people do actually locate their services in a remote land, they can be easily discovered. …

Rather than being composed of an uncontrollable, shapeless mass of individual rebels, Gnutella-type networks have identifiable, centralized targets that can easily be challenged, shut down or sued. Obvious targets are the large backbone machines, which, according to peer-to-peer developers, can be identified by sending out multiple searches and requests. By tracking the answers and the number of hops they take between computers, it is possible not only to identify the Internet addresses of important sites but also to pinpoint their locations within the network.

Once central machines have been identified, companies and governments have a potent legal weapon against them: their Internet service providers. …

In other words, those who claim that the Net cannot be controlled because the world’s hackers will inevitably break any protection scheme are not taking into account that the Internet runs on hardware – and that this hardware is, in large part, the product of marketing decisions, not technological givens.

Security will retard innovation

From Technology Review‘s “Terror’s Server“:

Zittrain [Jonathan Zittrain, codirector of the Berkman Center for Internet and Society at Harvard Law School] concurs with Neumann [Peter Neumann, a computer scientist at SRI International, a nonprofit research institute in Menlo Park, CA] but also predicts an impending overreaction. Terrorism or no terrorism, he sees a convergence of security, legal, and business trends that will force the Internet to change, and not necessarily for the better. “Collectively speaking, there are going to be technological changes to how the Internet functions — driven either by the law or by collective action. If you look at what they are doing about spam, it has this shape to it,” Zittrain says. And while technological change might improve online security, he says, “it will make the Internet less flexible. If it’s no longer possible for two guys in a garage to write and distribute killer-app code without clearing it first with entrenched interests, we stand to lose the very processes that gave us the Web browser, instant messaging, Linux, and e-mail.”

The botnet hunters

From The Washington Post‘s “Bringing Botnets Out of the Shadows“:

Nicholas Albright’s first foray into some of the darkest alleys of the Internet came in November 2004, shortly after his father committed suicide. About a month following his father’s death, Albright discovered that online criminals had broken into his dad’s personal computer and programmed it to serve as part of a worldwide, distributed network for storing pirated software and movies. …

From that day forward, Albright poured all of his free time and pent-up anger over his father’s death into assembling “Shadowserver,” a group of individuals dedicated to battling large, remote-controlled herds of hacked personal PCs, also known as “botnets.” …

Each “bot” is a computer on which the controlling hacker has installed specialized software that allows him to commandeer many of its functions. Hackers use bots to further their online schemes or as collection points for users’ personal and financial information.

“I take my [handheld computer] everywhere so I can keep tabs on the botnets when I’m not at home,” Albright said …

On a Sunday afternoon in late February, Albright was lurking in an online channel that a bot herder uses to control a network of more than 1,400 hacked computers running Microsoft Windows software. The hacker controlling this botnet was seeding infected machines with “keyloggers,” …

Albright had already intercepted and dissected a copy of the computer worm that the attacker uses to seize control of computers — an operation that yielded the user name and password the hacker uses to run the control channel. By pretending to be just another freshly hacked bot reporting for duty, Albright passively monitors what the hackers are doing with their botnets and collects information that an Internet service provider would need to get the channel shut down.

Albright spied one infected PC reporting data about the online activities of its oblivious owner — from the detailed information flowing across the wire, it was clear that one of the infected computers belongs to a physician in Michigan.

“The botnet is running a keylogger, and I see patient data,” Albright said. …

“Anything you submit to law enforcement may help later if an investigation occurs,” he said. “Chances are, though, it will just be filed away in a database.”

Botnets are the workhorses of most online criminal enterprises today, allowing hackers to ply their trade anonymously — sending spam, sowing infected PCs with adware from companies that pay for each installation, or hosting fraudulent e-commerce and banking Web sites. …

… in the 13-month period ending in January, more than 13 million PCs around the world were infected with malicious code that turned them into bots.

… Shadowserver locates bot networks by deploying a series of “honeynets” — sensors that mimic computers with known security flaws — in an effort to lure attackers, allowing the group to capture samples of new bot programs. …

Shadowserver submits any new or undetected specimens to the major anti-virus companies. Andrews said he is constantly surprised by the sheer number of bot programs that do not get flagged as malicious by any of the programs. …

In Andrews’s experience, by far the most common reason criminals create botnets these days — other than perhaps to sell or rent them to other criminals — is to install online ad-serving software that earns the attacker a few pennies per install. …

Even after the Shadowserver crew has convinced an ISP to shut down a botmaster’s command-and-control channel, most of the bots will remain infected. Like lost sheep without a shepherd, the drones will continually try to reconnect to the hacker’s control server, unaware that it no longer exists. …

“Bot hunting can really take over your personal life, because to do this right you really have to stay on top of it — it can’t just be something you do on the weekends,” he said. “I guess it takes a special type of person to be able to sustain botnet hunting. … I don’t know anyone who pays people to do this kind of work.” …

Albright said that while federal law enforcement has recently made concerted efforts to reach out to groups like Shadowserver in hopes of building a more effective partnership, they don’t have the bodies, the technology, or the legal leeway to act directly on the information the groups provide. …

“Sadly, without more law enforcement support this will remain a chase-your-tail type game, because we won’t ever really shut these networks down until the bot master goes to jail, and his drones are cleaned.”
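The orphaned-drone behaviour described above (bots endlessly retrying a controller that no longer exists) is something a network operator can look for in its own firewall or flow logs. The following is an added example, not code from the Washington Post article or from Shadowserver: it scans a constructed firewall log for internal hosts that keep reopening connections to the same external address and port on a near-fixed timer. The log format, the addresses (documentation ranges), the port and the thresholds are all constructed for the demonstration.

```python
"""Detect orphaned bots retrying a dead command-and-control server.

Added example, not code from the Washington Post article or from Shadowserver.
Once a C&C channel is shut down, infected hosts keep reconnecting to it on a
fixed timer. In firewall or flow logs that looks like one internal host opening
connection after connection to the same external address:port at a very regular
interval. Log format, addresses, ports and thresholds are constructed.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed firewall log: "<ISO timestamp> <ALLOW|DENY> <src> -> <dst>:<port>".
# 10.0.5.23 retries the (constructed) dead C&C address every 30 seconds;
# 10.0.5.40 is ordinary web browsing; 10.0.5.61 touched the C&C only twice.
SAMPLE_LOG = """\
2006-02-26T14:00:05 DENY 10.0.5.23 -> 203.0.113.7:6667
2006-02-26T14:00:35 DENY 10.0.5.23 -> 203.0.113.7:6667
2006-02-26T14:01:05 DENY 10.0.5.23 -> 203.0.113.7:6667
2006-02-26T14:01:35 DENY 10.0.5.23 -> 203.0.113.7:6667
2006-02-26T14:02:05 DENY 10.0.5.23 -> 203.0.113.7:6667
2006-02-26T14:00:10 ALLOW 10.0.5.40 -> 198.51.100.9:80
2006-02-26T14:03:10 ALLOW 10.0.5.40 -> 198.51.100.9:443
this line is malformed and must be skipped
2006-02-26T14:00:12 DENY 10.0.5.61 -> 203.0.113.7:6667
2006-02-26T14:05:12 DENY 10.0.5.61 -> 203.0.113.7:6667
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) (?P<src>[\d.]+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_log(text):
    """Yield (timestamp, src, 'dst:port') for every well-formed line."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:  # tolerate malformed lines instead of aborting the whole scan
            continue
        yield datetime.fromisoformat(m["ts"]), m["src"], f"{m['dst']}:{m['dport']}"


def find_beaconing(text, min_attempts=4, max_spread=0.25):
    """Return {src: {dst, attempts, mean_gap_s}} for hosts that keep retrying one
    destination on a regular cadence.

    max_spread bounds the ratio of the standard deviation of the gaps between
    attempts to their mean: a bot's retry loop is nearly periodic, a person
    browsing is not.
    """
    attempts = defaultdict(list)
    for ts, src, dst in parse_log(text):
        attempts[(src, dst)].append(ts)

    flagged = {}
    for (src, dst), times in attempts.items():
        if len(times) < min_attempts:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        spread = statistics.pstdev(gaps) / mean if mean > 0 else 0.0
        if spread <= max_spread:
            flagged[src] = {"dst": dst, "attempts": len(times), "mean_gap_s": mean}
    return flagged


if __name__ == "__main__":
    for src, info in find_beaconing(SAMPLE_LOG).items():
        print(f"{src} retried {info['dst']} {info['attempts']} times, "
              f"every {info['mean_gap_s']:.0f}s: likely orphaned bot")
```

The flagged external address is the kind of detail an ISP needs in order to null-route or sinkhole the dead controller, and the flagged internal sources are the machines that still need cleaning after the channel is gone.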

John the Ripper makes password cracking easy

From Federico Biancuzzi’s “John the Ripper 1.7, by Solar Designer“:

John the Ripper 1.7 also improves on the use of MMX on x86 and starts to use AltiVec on PowerPC processors when cracking DES-based hashes (that is, both Unix crypt(3) and Windows LM hashes). To my knowledge, John 1.7 (or rather, one of the development snapshots leading to this release) is the first program to cross the 1 million Unix crypts per second (c/s) boundary on a general-purpose CPU. Currently, John 1.7 achieves up to 1.6M c/s raw performance (that is, with no matching salts) on a PowerPC G5 at 2.7 GHz (or 1.1M c/s on a 1.8 GHz) and touches 1M c/s on the fastest AMD CPUs currently available. Intel P4s reach up to 800k c/s. (A non-public development version making use of SSE also reaches 1M c/s on an Intel P4 at 3.4 and 3.6 GHz. I intend to include that code into a post-1.7 version.)

Embarrassing email story #1056

From MedZilla’s “Emails ‘gone bad’“:

Another example of embarrassing and damaging emails sent during work is an investigation that uncovered 622 emails exchanged between Arapahoe County (Colo.) Clerk and Recorder Tracy K. Baker and his Assistant Chief Deputy Leesa Sale. Of those emails, 570 were sexually explicit. That’s not the only thing Baker’s lawyers are having to explain in court. Seems the emails also revealed Baker might have misused public funds, among other things.

Bruce Schneier on what we should do

From Bruce Schneier’s “Searching Bags in Subways“:

Final note: I often get comments along the lines of “Stop criticizing stuff; tell us what we should do.” My answer is always the same. Counterterrorism is most effective when it doesn’t make arbitrary assumptions about the terrorists’ plans. Stop searching bags on the subways, and spend the money on 1) intelligence and investigation — stopping the terrorists regardless of what their plans are, and 2) emergency response — lessening the impact of a terrorist attack, regardless of what the plans are. Countermeasures that defend against particular targets, or assume particular tactics, or cause the terrorists to make insignificant modifications in their plans, or that surveil the entire population looking for the few terrorists, are largely not worth it.

Phishing by altering the bank’s server

From Computerworld‘s “Florida banks hacked in new spoofing attack“:

Three Florida banks have had their Web sites compromised by hackers in an attack that security experts are calling the first of its type.

Earlier this month, attackers were able to hack servers run by the Internet service provider that hosted the three banks’ Web sites. They then redirected traffic from the legitimate Web sites to a bogus server, designed to resemble the banking sites, according to Bob Breeden, special agent supervisor with the Florida Department of Law Enforcement’s Computer Crime Center.

Users were then asked to enter credit card numbers, PINs and other types of sensitive information, he said.

According to Breeden, the affected banks are Premier Bank, Wakulla Bank and Capital City Bank, all small, regional banks based in Florida.

This attack was similar to phishing attacks that are commonly used against online commerce sites, but in this case hackers had actually made changes to legitimate Web sites, making the scam much harder for regular users to detect.

… Though Breeden said the scam was operational for only “a matter of hours” and probably affected fewer than 20 banking customers, the technique appeared to be very effective at extracting sensitive information.

How much does stolen identity info cost?

From The New York Times‘ “Countless Dens of Uncatchable Thieves“:

In the online world, he operates under the pseudonym Zo0mer, according to American investigators, and he smugly hawks all manner of stolen consumer information alongside dozens of other peddlers at a Web site he helps manage.

“My prices are lowers then most of other vendors have and I will deliver them in real time,” reads a typically fractured Zo0mer post.

At the same forum, another user, “tabbot,” offers “any U.S. bank accounts” for sale.

“Balance from 3K and above: $40,” he writes. “Regular brokerage accounts from 3K and above: $70.”

Tabbot also offers full access to hacked accounts from credit unions. One, with a $31,000 balance, is being sold for $400. “I can try search specific info such as signature, ssn, dob, email access,” tabbot writes. “Account with an extra info will be more expensive.”

Trusted Computing: security for whom? from whom?

From Bruce Schneier’s “Trusted Computing Best Practices“:

The language [in the Trusted Computing Group’s best practices document] has too much wiggle room for companies to break interoperability under the guise of security: “Furthermore, implementations and deployments of TCG specifications should not introduce any new interoperability obstacles that are not for the purpose of security.”

That sounds good, but what does “security” mean in that context? Security of the user against malicious code? Security of big media against people copying music and videos? Security of software vendors against competition? The big problem with TCG [Trusted Computing Group] technology is that it can be used to further all three of these “security” goals, and this document is where “security” should be better defined.

Thieves use Bluetooth to find laptops in cars

From “Phone pirates in seek and steal mission“:

Mobile phone technology is being used by thieves to seek out and steal laptops locked in cars in Cambridgeshire.

Up-to-date mobiles often have Bluetooth technology, which allows other compatible devices, including laptops, to link up and exchange information, and log on to the internet.

But thieves in Cambridge have cottoned on to an alternative use for the function, using it as a scanner which will let them know if another Bluetooth device is locked in a car boot.

Det Sgt Al Funge, from Cambridge’s crime investigation unit, said: “There have been a number of instances of this new technology being used to identify cars which have valuable electronics, including laptops, inside.

Hear someone typing & know what was written

From Edward Felten’s “Acoustic Snooping on Typed Information“:

Li Zhuang, Feng Zhou, and Doug Tygar have an interesting new paper showing that if you have an audio recording of somebody typing on an ordinary computer keyboard for fifteen minutes or so, you can figure out everything they typed. The idea is that different keys tend to make slightly different sounds, and although you don’t know in advance which keys make which sounds, you can use machine learning to figure that out, assuming that the person is mostly typing English text. (Presumably it would work for other languages too.) …

The algorithm works in three basic stages. First, it isolates the sound of each individual keystroke. Second, it takes all of the recorded keystrokes and puts them into about fifty categories, where the keystrokes within each category sound very similar. Third, it uses fancy machine learning methods to recover the sequence of characters typed, under the assumption that the sequence has the statistical characteristics of English text. …

The only advantage you have is that English text has persistent regularities. For example, the two-letter sequence “th” is much more common than “rq”, and the word “the” is much more common than “xprld”. This turns out to be enough for modern machine learning methods to do the job, despite the difficulties I described in the previous paragraph. The recovered text gets about 95% of the characters right, and about 90% of the words. It’s quite readable.

Tracking terrorists with Unintended Information Revelation

From “New search engine to help thwart terrorists“:

With news that the London bombers were British citizens, radicalised on the streets of England and with squeaky-clean police records, comes the realisation that new mechanisms for hunting terrorists before they strike must be developed.

Researchers at the University of Buffalo, US, believe they have discovered a technique that will reveal information on public web sites that was not intended to be published.

The United States Federal Aviation Administration (FAA) and the National Science Foundation (NSF) are supporting the development of a new search engine based on Unintended Information Revelation (UIR), and designed for anti-terrorism applications.

UIR supposes that snippets of information – that by themselves appear to be innocent – may be linked together to reveal highly sensitive data.

… “A concept chain graph will show you what’s common between two seemingly unconnected things,” said Srihari. “With regular searches, the input is a set of key words and the search produces a ranked list of documents, any one of which could satisfy the query.

“UIR, on the other hand, is a composite query, not a keyword query. It is designed to find the best path, the best chain of associations between two or more ideas. It returns to you an evidence trail that says, ‘This is how these pieces are connected.'”
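The "best chain of associations" Srihari describes is a graph search, and the "evidence trail" is the sequence of documents that justifies each link in the chain. The following is an added example, not code from the University at Buffalo project: documents are modelled as sets of the concepts they mention, two concepts are adjacent when some document mentions both, and a query for two concepts returns the shortest chain between them with the document behind each hop. The corpus is constructed and deliberately mundane; a real UIR system would get these concept sets from entity extraction over public web pages.

```python
"""Concept chain graph search, in the spirit of the UIR description.

Added example, not code from the University at Buffalo project. Concepts are
nodes, a document linking two concepts is an edge, and the query returns the
shortest chain between two concepts plus the document justifying each hop.
The corpus below is constructed.
"""
from collections import defaultdict, deque

# Constructed corpus: document id -> concepts it mentions.
CORPUS = {
    "doc1": {"rooftop solar", "inverter", "grid feed-in"},
    "doc2": {"inverter", "battery storage"},
    "doc3": {"battery storage", "lithium", "recycling"},
    "doc4": {"recycling", "municipal waste"},
    "doc5": {"lithium", "mining permits"},
    "doc6": {"coffee roasting", "espresso"},
}


def build_index(corpus):
    """Inverted index: concept -> set of documents mentioning it."""
    index = defaultdict(set)
    for doc, concepts in corpus.items():
        for concept in concepts:
            index[concept].add(doc)
    return index


def concept_chain(corpus, start, goal):
    """Shortest chain of concepts from start to goal.

    Returns a list of (concept, document, next_concept) hops, where the
    document mentions both concepts, or None when no chain exists. Breadth-first
    search guarantees the chain is the shortest; sorted iteration makes the
    result deterministic when several chains tie.
    """
    index = build_index(corpus)
    if start not in index or goal not in index:
        return None
    parent = {start: None}  # concept -> (previous concept, linking document)
    queue = deque([start])
    while queue:
        current = queue.popleft()
        if current == goal:
            break
        for doc in sorted(index[current]):
            for nxt in sorted(corpus[doc]):
                if nxt not in parent:
                    parent[nxt] = (current, doc)
                    queue.append(nxt)
    if goal not in parent:
        return None
    trail = []
    node = goal
    while parent[node] is not None:
        prev, doc = parent[node]
        trail.append((prev, doc, node))
        node = prev
    return list(reversed(trail))


def describe(trail):
    """Render an evidence trail as 'a --[doc]--> b --[doc]--> c'."""
    if not trail:
        return "no chain found"
    parts = [trail[0][0]]
    for _, doc, nxt in trail:
        parts.append(f"--[{doc}]--> {nxt}")
    return " ".join(parts)


if __name__ == "__main__":
    print(describe(concept_chain(CORPUS, "rooftop solar", "lithium")))
    print(describe(concept_chain(CORPUS, "espresso", "lithium")))
```

The interesting property, and the reason the article treats this as sensitive, is that no single document in the corpus connects the two query concepts: the association only appears once the hops are chained.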

Unpatched Linux, 3 months; unpatched Windows, 20 minutes

From Bruce Schneier’s “Linux Security“:

I’m a big fan of the Honeynet Project … Basically, they wire computers up with sensors, put them on the Internet, and watch hackers attack them.

They just released a report about the security of Linux:

Recent data from our honeynet sensor grid reveals that the average life expectancy to compromise for an unpatched Linux system has increased from 72 hours to 3 months. …

This is much greater than that of Windows systems, which have average life expectancies on the order of a few minutes.

… That’s the real story: the hackers aren’t bothering with Linux. Two years ago, a vulnerable Linux system would be hacked in less than three days; now it takes three months.

Why? My guess is a combination of two reasons. One, Linux is that much more secure than Windows. Two, the bad guys are focusing on Windows — more bang for the buck.

Water that uniquely identifies its owner

From SmartWater Technology:

SmartWater Security Systems are forensic coding systems which can be applied in several ways:

SmartWater Tracer

An aqueous based solution with a unique forensic code.

SmartWater Tracer uniquely codes your property whilst being virtually invisible to the naked eye; it glows under UV light and is practically impossible to remove entirely. Tracer is used in commercial businesses, schools, hospitals and other organisations. Tracer is also used in our Home Coding System so that you can use it safely on jewellery and other sentimental items.

SmartWater Instant

Forensic Coding combined with microdot technology.

SmartWater has been designed to protect household property and motor vehicles. Each bottle of SmartWater solution contains a unique forensic code, which is assigned to a household or vehicle.

An additional feature of SmartWater Instant is the inclusion of tiny micro-dot particles which enable Police to quickly identify the true owner of the property.

SmartWater SuperLabel

Forensic Coding is embedded into the adhesive of tamper resistant labels, combining effective asset management with the protection of Tracer.

The SuperLabel is designed to be tamper resistant, making it extremely difficult to remove. Should the label be removed, ownership of the asset can be established from the smallest speck of adhesive, as it contains the forensic code. As with the other SmartWater products, this is also designed to glow under ultraviolet light. Your company logo can also be incorporated into the adhesive, providing quick identification of the true owner of the property.

Don’t fly where we won’t tell you not to fly

From Bruce Schneier’s “The Silliness of Secrecy“, quoting The Wall Street Journal:

Ever since Sept. 11, 2001, the federal government has advised airplane pilots against flying near 100 nuclear power plants around the country or they will be forced down by fighter jets. But pilots say there’s a hitch in the instructions: aviation security officials refuse to disclose the precise location of the plants because they consider that “SSI” — Sensitive Security Information.

“The message is: ‘please don’t fly there, but we can’t tell you where there is,'” says Melissa Rudinger of the Aircraft Owners and Pilots Association, a trade group representing 60% of American pilots.

Determined to find a way out of the Catch-22, the pilots’ group sat down with a commercial mapping company, and in a matter of days plotted the exact geographical locations of the plants from data found on the Internet and in libraries. It made the information available to its 400,000 members on its Web site — until officials from the Transportation Security Administration asked them to take the information down. “Their concern was that [terrorists] mining the Internet could use it,” Ms. Rudinger says.

Brandeis on openness in business, society, & government

From Bruce Schneier’s “Brandeis Quote on Openness“:

Louis D. Brandeis, Other People’s Money and How the Bankers Use It 92 (1914): “Publicity is justly commended as a remedy for social and industrial diseases. Sunlight is said to be the best of disinfectants; electric light the most efficient policeman.”

[Note: Also in Harper’s Weekly, Dec 20 1913]

How to fake an anthrax scare

From Bruce Schneier’s “White Powder Anthrax Hoaxes“:

Earlier this month, there was an anthrax scare at the Indonesian embassy in Australia. Someone sent them some white powder in an envelope, which was scary enough. Then it tested positive for bacillus. The building was decontaminated, and the staff was quarantined for twelve hours. By then, tests came back negative for anthrax.

A lot of thought went into this false alarm. The attackers obviously knew that their white powder would be quickly tested for the presence of a bacterium of the bacillus family (of which anthrax is a member), but that the bacillus would have to be cultured for a couple of days before a more exact identification could be made. So even without any anthrax, they managed to cause two days of terror.

… In an interesting side note, the media have revealed for the first time that 360 “white powder” incidents have taken place since 11 September 2001. This news had been suppressed by the government, which had issued D notices to the media for all such incidents. So there has been one such incident approximately every four days — an astonishing number, given Australia’s otherwise low crime rate.

Zombies from China attack Internet

From Computerworld‘s “Army of zombies invades China“:

China’s rapid Internet growth has brought with it a somewhat disturbing side effect: multiplying zombies up to no good.

Zombies, or Internet-connected computers infected by worms or viruses and under the control of a hacker, are used to launch denial-of-service (DoS) attacks, or send spam or phishing e-mails. An average of 157,000 new zombies are identified each day, and 20% of these are in China, security company CipherTrust Inc. reported this week.

… “Criminals look for a weaker link, so places like China, or anywhere behind the U.S. in terms of computer literacy, are a good target,” Stanley said.

China’s fast-growing Internet population is also an attraction, he said. As of January, there were 94 million Internet users in China, up 18% from the year before, according to the China Internet Network Information Center (CNNIC).

Global secrets are poor security

From Bruce Schneier’s “The Keys to the Sydney Subway“:

Global secrets are generally considered poor security. The problems are twofold. One, you cannot apply any granularity to the security system; someone either knows the secret or does not. And two, global secrets are brittle. They fail badly; if the secret gets out, then the bad guys have a pretty powerful secret.

This is the situation right now in Sydney, where someone stole the master key that gives access to every train in the metropolitan area, and also starts them. …

Another problem with global secrets is that it’s expensive to recover from a security failure. …

A final problem with global secrets is that it’s simply too easy to lose control of them.
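The three complaints above (no granularity, brittle failure, expensive recovery) all follow from every lock sharing one secret. The usual design answer is key diversification: a master secret that never leaves the back office, a per-train key derived from it, and credentials scoped to exactly the trains a holder needs. The following is an added example, not code from Schneier's post or from any rail operator: it models both schemes with a simple HMAC challenge-response lock and measures how many trains a single leaked key opens before and after rekeying one train. The derivation labels, the lock protocol and the train ids are constructed for the demonstration.

```python
"""Per-train keys derived from one master, versus one global key.

Added example, not code from Schneier's post or from a rail operator. With a
single global key, whoever holds it opens every train and recovering from a
loss means rekeying them all. With per-train keys derived from a master secret
that never leaves the back office, a credential can be scoped to exactly the
trains its holder needs, a leaked key opens only its own train, and that one
train can be rekeyed alone. Derivation labels, lock protocol and ids are
constructed for this demonstration.
"""
import hashlib
import hmac
import secrets
from collections import defaultdict


class TrainLock:
    """A lock that knows only its own key and authenticates by challenge-response."""

    def __init__(self, train_id, key):
        self.train_id = train_id
        self._key = key

    def challenge(self):
        return secrets.token_bytes(16)

    def verify(self, nonce, response):
        expected = hmac.new(self._key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


class Fob:
    """A holder's credential: keys for the trains this holder may start, no others."""

    def __init__(self, keys):
        self._keys = dict(keys)  # train_id -> key

    def respond(self, train_id, nonce):
        key = self._keys.get(train_id)
        if key is None:
            return None
        return hmac.new(key, nonce, hashlib.sha256).digest()


class Fleet:
    """Back office: holds the master secret, derives per-train keys, issues fobs."""

    def __init__(self, master):
        self._master = master
        self._version = defaultdict(int)  # bumped when a train is rekeyed

    def train_key(self, train_id):
        # Derivation label includes the version so a rekey yields a fresh key.
        label = f"train:{train_id}:v{self._version[train_id]}".encode()
        return hmac.new(self._master, label, hashlib.sha256).digest()

    def make_lock(self, train_id):
        return TrainLock(train_id, self.train_key(train_id))

    def issue_fob(self, train_ids):
        return Fob({t: self.train_key(t) for t in train_ids})

    def rekey(self, train_id):
        """Recover from a loss by replacing one train's key; others are untouched."""
        self._version[train_id] += 1
        return self.make_lock(train_id)


def try_open(lock, fob):
    nonce = lock.challenge()
    response = fob.respond(lock.train_id, nonce)
    return response is not None and lock.verify(nonce, response)


def blast_radius(locks, leaked_key):
    """How many of the given locks a single leaked key opens."""
    fob = Fob({lock.train_id: leaked_key for lock in locks})
    return sum(try_open(lock, fob) for lock in locks)


if __name__ == "__main__":
    trains = ["T1", "T2", "T3"]
    global_key = secrets.token_bytes(32)  # the Sydney situation: one key everywhere
    global_locks = [TrainLock(t, global_key) for t in trains]
    print("global key leaked, trains opened:", blast_radius(global_locks, global_key))

    fleet = Fleet(secrets.token_bytes(32))
    locks = {t: fleet.make_lock(t) for t in trains}
    leaked = fleet.train_key("T2")
    print("one derived key leaked, trains opened:",
          blast_radius(list(locks.values()), leaked))
    locks["T2"] = fleet.rekey("T2")
    print("after rekeying T2 alone, trains opened:",
          blast_radius(list(locks.values()), leaked))
```

Note that the master never appears in a lock or a fob, so nothing recoverable from a stolen train or key fob reveals any other train's key; the cost of a loss is bounded to one train and one rekey.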

Interesting way to acquire someone’s signature

From Simson Garfinkel’s “Absolute Identification“, chapter 3 of Database Nation:

Already, the United Parcel Service, the nation’s largest package delivery service, is also the nation’s leader in biometric piracy. For most packages, UPS requires that a signature be written to serve as proof of delivery. In 1987, UPS started scanning the pen-and-ink signatures recorded for each package delivery. These images were stored in a database and faxed to any person who called UPS’s 800 number and asked for a ‘proof of delivery’ receipt. In 1990, UPS improved its piracy technology by equipping its drivers with portable electronic computers called DIADs (Delivery Information Acquisition Devices). Each computer has a built-in bar code reader and a signature pad. When a delivery is made, the UPS driver scans the bar code on each package and then has the person receiving the delivery sign for the package. The bar code number and the handwritten signature are recorded inside the DIAD, and ultimately uploaded to the company’s databanks.

The push to make signatures available in electronic form came from UPS customers, Pat Steffen, a spokesperson for UPS, told me when I called the company to complain about the practices. Signatures are considered proof of delivery. Digitizing that proof allows UPS to manipulate it like any other digital data. The faxed proof-of-delivery certificates are sent automatically from UPS computers, she explained. It’s also possible for UPS customers to download tracking software and view the signatures directly on their personal computers.

Ironically, by making a person’s written signature widely available, UPS is helping to dilute the written signature’s very value. Once the signature is digitized, it’s easy to manipulate it further with a computer; for example, you can paste it at the bottom of a contract. UPS’s system is particularly vulnerable: any package can be tracked as long as you know the package’s airbill, and UPS issues its preprinted airbills in sequential order, for example ‘0930 8164 904,’ ‘0930 8164 913,’ and ‘0930 8164 922.’ An attacker can easily learn a company’s UPS airbill, use that airbill to obtain a comprehensive list of every delivery recipient, and then make a copy of every recipient’s signature.

UPS understands the vulnerability, but it can’t address the problem very well. A note on the company’s web site says:

UPS authorizes you to use UPS tracking systems solely to track shipments tendered by or for you to UPS for delivery and for no other purpose. Any other use of UPS tracking systems and information is strictly prohibited.

But, realistically speaking, UPS can do little to prevent this kind of attack. ‘If someone wants to go out of their way to get package numbers, it can be done. If someone wants to go out of their way to do anything, I suppose that’s possible. It is not an easy thing to do,’ said Steffen. Guessing would be harder, of course, if UPS used longer airbill numbers and didn’t issue them in a predictable sequence.
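Garfinkel's closing remark separates two properties that identifier schemes often conflate: a check digit catches transcription errors, while unpredictability is what stops someone who holds one number from walking to its neighbours. The following is an added example, not code from UPS or from Database Nation: it generates tracking numbers the sequential way and the random way, gives both a Luhn check digit, and counts how many issued numbers sit within a small distance of one known number under each scheme. The number width, the check-digit scheme and the sample values are constructed.

```python
"""Unpredictable tracking numbers with a check digit.

Added example, not code from UPS or from Database Nation. A Luhn check digit
catches typos (a usability feature, not a security one); a body drawn from a
CSPRNG makes the neighbours of a known number almost certainly unissued, which
is what defeats walking a sequence. Width, scheme and sample values are
constructed.
"""
import secrets


def luhn_check_digit(body):
    """Luhn mod-10 check digit for a string of decimal digits."""
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def is_well_formed(number):
    """True when the number is all digits and ends in a valid check digit."""
    return (number.isdigit() and len(number) > 1
            and luhn_check_digit(number[:-1]) == number[-1])


def sequential_numbers(start, count, width=12):
    """Numbers issued the predictable way: consecutive bodies plus a check digit."""
    out = []
    for i in range(count):
        body = str(start + i).zfill(width)
        out.append(body + luhn_check_digit(body))
    return out


def random_numbers(count, width=12):
    """Numbers issued the unpredictable way: CSPRNG bodies plus a check digit."""
    issued = set()
    while len(issued) < count:
        body = str(secrets.randbelow(10 ** width)).zfill(width)
        issued.add(body + luhn_check_digit(body))
    return sorted(issued)


def neighbours_issued(issued, known, radius=10):
    """Count issued numbers whose body lies within +/- radius of a known number.

    Large under a sequential scheme, effectively zero under a random one: this
    decides whether knowing one airbill leads to the others.
    """
    bodies = {int(n[:-1]) for n in issued}
    centre = int(known[:-1])
    return sum(1 for b in range(centre - radius, centre + radius + 1)
               if b != centre and b in bodies)


if __name__ == "__main__":
    seq = sequential_numbers(930816490, 100)
    rnd = random_numbers(100)
    print("sequential: issued neighbours of one known number:",
          neighbours_issued(seq, seq[50]))
    print("random:     issued neighbours of one known number:",
          neighbours_issued(rnd, rnd[50]))
```

A random body of this width leaves the space so sparse that a guessed number is almost never a real shipment, which is exactly the "longer and not predictable" change the text suggests; the check digit is kept so that call-centre typos are still caught.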
