Bruce Schneier

 
 

Schneier on Security

A blog covering security and security technology.

Jury Says it's Okay to Record the TSA

The Seattle man who refused to show ID to the TSA and recorded the whole incident has been cleared of all charges:

[The jury] returned not guilty verdicts for charges that included concealing his identity, refusing to obey a lawful order, trespassing, and disorderly conduct.

Papers, Please! says the acquittal proves what TSA critics have said all along: That checkpoint staff have no police powers, that contrary to TSA claims, passengers have the right to fly without providing ID, and yes, passengers are free to video record checkpoints as long as images on screening monitors aren't captured.

"Annoying the TSA is not a crime," the blog post states. "Photography is not a crime. You have the right to fly without ID, and to photograph, film, and record what happens."

And a recent Dilbert is about the TSA.

Posted on January 31, 2011 at 6:56 AM45 Comments


Trojan Steals Credit Card Numbers

It's only a proof of concept, but it's scary nonetheless. It's a Trojan for Android phones that looks for credit-card numbers, either typed or spoken, and relays them back to its controller.

Software released for Android devices has to request permissions for each system function it accesses—with apps commonly requesting access to the network, phone call functionality, internal and external storage devices, and miscellaneous hardware functions such as the backlight, LED, or microphone. These requests are grouped into categories and presented to the user at the point of installation—helping to minimise the chance of a Trojan slipping by.

Soundminer takes a novel approach to these restrictions, by only requesting access to 'Phone calls,' to read phone state and identity, 'Your personal information,' to read contact data, and 'Hardware controls' to record audio—none of which will ring alarm bells if the app is marketed as a voice recording tool.

Research paper here. YouTube demo. Another blog post. Research paper; section 7.2 describes some defenses, but I'm not really impressed by any of them.

Posted on January 29, 2011 at 7:45 AM25 Comments


Domodedovo Airport Bombing

I haven't written anything about the suicide bombing at Moscow's Domodedovo Airport because I didn't think there was anything to say. The bomber was outside the security checkpoint, in the area where family and friends wait for arriving passengers. From a security perspective, the bombing had nothing to do with airport security. He could have just as easily been in a movie theater, stadium, shopping mall, market, or anywhere else lots of people are crowded together with limited exits. The large death and injury toll indicates the bomber chose his location well.

I've often written that security measures that are only effective if the implementers guess the plot correctly are largely wastes of money -- at best they would have forced this bomber to choose another target -- and that our best security investments are intelligence, investigation, and emergency response. This latest terrorist attack underscores that even more. "Critics say" that the TSA couldn't have detected this sort of attack. Of course; the TSA can't be everywhere. And that's precisely the point.

Many reporters asked me about the likely U.S. reaction. I don't know; it could range from "Moscow is a long way off and that doesn't concern us" to "Oh my god we're all going to die!" The worry, of course, is that we will need to "do something," even though there is no "something" that should be done.

I was interviewed by the Esquire politics blog about this. I'm not terribly happy with the interview; I was rushed and sloppy on the phone.

Posted on January 28, 2011 at 3:15 PM31 Comments


$100 to Put a Bomb on an Airplane

An undercover TSA agent successfully bribed JetBlue ticket agent to check a suitcase under a random passenger's name and put it on an airplane.

As with a lot of these tests, I'm not that worried because it's not a reliable enough tactic to build a plot around. But untrustworthy airline personnel -- or easily bribeable airline personal -- could be used in a smarter and less risky plot.

Posted on January 28, 2011 at 1:40 PM34 Comments


Whitelisting vs. Blacklisting

The whitelist/blacklist debate is far older than computers, and it's instructive to recall what works where. Physical security works generally on a whitelist model: if you have a key, you can open the door; if you know the combination, you can open the lock. We do it this way not because it's easier -- although it is generally much easier to make a list of people who should be allowed through your office door than a list of people who shouldn't--but because it's a security system that can be implemented automatically, without people.

To find blacklists in the real world, you have to start looking at environments where almost everyone is allowed. Casinos are a good example: everyone can come in and gamble except those few specifically listed in the casino's black book or the more general Griffin book. Some retail stores have the same model -- a Google search on "banned from Wal-Mart" results in 1.5 million hits, including Megan Fox -- although you have to wonder about enforcement. Does Wal-Mart have the same sort of security manpower as casinos?

National borders certainly have that kind of manpower, and Marcus is correct to point to passport control as a system with both a whitelist and a blacklist. There are people who are allowed in with minimal fuss, people who are summarily arrested with as minimal a fuss as possible, and people in the middle who receive some amount of fussing. Airport security works the same way: the no-fly list is a blacklist, and people with redress numbers are on the whitelist.

Computer networks share characteristics with your office and Wal-Mart: sometimes you only want a few people to have access, and sometimes you want almost everybody to have access. And you see whitelists and blacklists at work in computer networks. Access control is whitelisting: if you know the password, or have the token or biometric, you get access. Antivirus is blacklisting: everything coming into your computer from the Internet is assumed to be safe unless it appears on a list of bad stuff. On computers, unlike the real world, it takes no extra manpower to implement a blacklist -- the software can do it largely for free.

Traditionally, execution control has been based on a blacklist. Computers are so complicated and applications so varied that it just doesn't make sense to limit users to a specific set of applications. The exception is constrained environments, such as computers in hotel lobbies and airline club lounges. On those, you're often limited to an Internet browser and a few common business applications.

Lately, we're seeing more whitelisting on closed computing platforms. The iPhone works on a whitelist: if you want a program to run on the phone, you need to get it approved by Apple and put in the iPhone store. Your Wii game machine works the same way. This is done primarily because the manufacturers want to control the economic environment, but it's being sold partly as a security measure. But in this case, more security equals less liberty; do you really want your computing options limited by Apple, Microsoft, Google, Facebook, or whoever controls the particular system you're using?

Turns out that many people do. Apple's control over its apps hasn't seemed to hurt iPhone sales, and Facebook's control over its apps hasn't seemed to affect Facebook's user numbers. And honestly, quite a few of us would have had an easier time over the Christmas holidays if we could have implemented a whitelist on the computers of our less-technical relatives.

For these two reasons, I think the whitelist model will continue to make inroads into our general purpose computers. And those of us who want control over our own environments will fight back -- perhaps with a whitelist we maintain personally, but more probably with a blacklist.

This essay previously appeared in Information Security as the first half of a point-counterpoint with Marcus Ranum. You can read Marcus's half there as well.

Posted on January 28, 2011 at 5:02 AM47 Comments


Security Theater, Illustrated

Security theater, illustrated.

Posted on January 27, 2011 at 1:11 PM38 Comments


U.S. Strategy to Prevent Leaks is Leaked

As the article says, it doesn't get any more ironic than that.

More importantly, it demonstrates how hard it is to keep secrets in the age of the Internet.

Me:

I think the government is learning what the music and movie industries were forced to learn years ago: it's easy to copy and distribute digital files. That's what's different between the 1970s and today. Amassing and releasing that many documents was hard in the paper and photocopier era; it's trivial in the Internet era. And just as the music and movie industries are going to have to change their business models for the Internet era, governments are going to have to change their secrecy models. I don't know what those new models will be, but they will be different.

The more I think about it, the more I see this as yet another example of the Internet making information available. It's done that to the music and movie industry. It's done that to corporations and other organizations. And it's doing that to government as well. This is the world we live in; the sooner the U.S. government realizes its secrecy paradigm has irrevocably changed, the sooner it will figure out how to thrive in this new paradigm.

Shutting WikiLeaks down won't stop government secrets from leaking any more than shutting Napster down stopped illegal filesharing.

EDITED TO ADD (1/27): The story turned out to be too good to be true; it's been retracted.

Posted on January 27, 2011 at 6:22 AM40 Comments


Security Theater in the Theater

This is a bit surreal:

Additional steps are needed to prepare Broadway theaters in New York City for a potential WMD attack or other crisis, a New York state legislature subcommittee said yesterday.

[...]

Broadway district personnel did not know "what to do in case of an emergency as well as the unique problems that a theater workplace poses in the event of a fire or evacuation," according to the report, which drew on interviews with theater employees following the attempted bombing.

"Taking the May 1, 2010, car bomb as an example, theater employees expressed how unprepared they were in dealing with the situation," the report reads. "They were given misinformation, and they were directed to exit through portals they did not even know existed, indicating their lack of knowledge of the building they work in and exit routes. In the event of another attack, the same issues would arise."

Posted on January 26, 2011 at 1:42 PM39 Comments


Unsecured IP Security Cameras

It's amazing how many security cameras are on the Internet, accessible by anyone.

And it's not just for viewing; a lot of these cameras can be reprogrammed by anyone.

Posted on January 26, 2011 at 6:28 AM38 Comments


Bioencryption

A group of students at the Chinese University in Hong Kong have figured out how to store data in bacteria. The article talks about how secure it is, and the students even coined the term "bioencryption," but I don't see any encryption. It's just storage.

Another article:

They have also developed a three-tier security fence to encode the data, which may come as welcome news to U.S. diplomats, who have seen their thoughts splashed over the Internet thanks to WikiLeaks.

"Bacteria can't be hacked," points out Allen Yu, another student instructor.

"All kinds of computers are vulnerable to electrical failures or data theft. But bacteria are immune from cyber attacks. You can safeguard the information."

The team have even coined a word for this field -- biocryptography -- and the encoding mechanism contains built-in checks to ensure that mutations in some bacterial cells do not corrupt the data as a whole.

Why can't bacteria be hacked? If the storage system is attached to a network, it's just as vulnerable as anything else attached to a network. And if it's disconnected from any network, then it's just as secure as anything else disconnected from a network. The problem the U.S. diplomats had was authorized access to the WikiLeaks cables by someone who decided to leak them. No cryptography helps against that.

There is cryptography in the project:

In addition we have created an encryption module with the R64 Shufflon-Specific Recombinase to further secure the information.

If the group is smart, this will be some conventional cryptography algorithm used to encrypt the data before it is stored on the bacteria.

In any case, this is fascinating and interesting work. I just don't see any new form of encryption, or anything inherently unhackable.

Posted on January 25, 2011 at 1:40 PM61 Comments


REAL-ID Implementation

According to this study, REAL-ID has not only been cheaper to implement than the states estimated, but also helpful in reducing fraud.

States are finding that implementation of the 2005 REAL ID Act is much easier and less expensive than previously thought, and is a significant factor in reducing fraud. In cases like Indiana, REAL ID has significantly improved customer satisfaction, resulting in that state receiving AAMVA’s “customer satisfaction” award of the year. This is not just a win-win for national and economic security, but a win (less expensive) -win (doable) -win (fraud reduction) -win (improved customer satisfaction) for federal and state governments as well as individuals.

Moreover, 11 states are already in full compliance, well ahead of the May 2011 deadline for the 18 benchmarks. Another eight are close behind. Some states, like Delaware and Maryland, have achieved REAL ID compliance within a year. Washington State refuses REAL ID compliance, but has already implemented the most difficult benchmarks.

Perhaps most astonishing is that from the cost numbers currently available, it looks like implementation of the 18 REAL ID benchmarks in all the states may end up costing somewhere between $350 million and $750 million, significantly less than the $1 billion projected by those still seeking to change the law.

Legal presence is being checked in all but two states, up 28 states from 2006. Only Washington and New Mexico still do not require legal presence to obtain a license, but Washington so significantly upgraded its license issuance in 2010 that the fraudulent attempts to garner licenses in that state are now significantly reduced. Every state is now checking Social Security numbers.

This might be the first government IT project ever that came in under initial cost estimates. Perhaps the reason is that the states did not want to implement REAL-ID in 2005, so they overstated the costs.

As to fraud reduction -- I'm not so sure. As the difficulty of getting a fraudulent ID increases, so does its value. I think we'll have to wait a while longer and see how criminals adapt.

Posted on January 25, 2011 at 6:16 AM41 Comments


Hacking Tamper-Evident Devices

At the Black Hat conference lasts week, Jamie Schwettmann and Eric Michaud presented some great research on hacking tamper-evident seals.

Jamie Schwettmann and Eric Michaud of i11 Industries went through a long list of tamper evident devices at the conference here and explained, step-by-step, how each seal can be circumvented with common items, such as various solvents, hypodermic needles, razors, blow driers, and in more difficult cases with the help of tools such as drills.

Tamper-evident devices may be as old as civilization, and today are used in everyday products such as aspirin containers' paper seals. The more difficult devices may be bolt locks designed to secure shipping containers, or polycarbonate locks designed to shatter if cut.

But they all share something in common: They can be removed and the anti-tampering device reassembled.

Here's their paper, and here are the slides from their presentation. (These two direct download links from GoogleDocs also work.) There was more information in the presentation than in either the paper or the PowerPoint slides. If the video ever gets online, I'll link to it in this post.

Posted on January 24, 2011 at 1:20 PM26 Comments


Powered by Movable Type. Photo at top by Geoffrey Stone.

Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.

 
Bruce Schneier