thewayne: (Cyranose)
This is interesting, and I hadn't considered it. I would have thought that, while I am typing this email, nothing gets sent across my WiFi connection until I hit Send. But obviously email programs, if they're web-based, save draft copies. In the case of email, I think it would be negated by using a PC-based email client, but I'm not certain about that as email server internals are terra incognita for me.

Obviously a Cat 5 cable from your computer to your internet router should defeat this, but how many people do that on a regular basis? We use laptops because of their convenience, my laptop isn't wired because the router is in the living room and my desktop is in the far corner of the kitchen. I could get a router to allow me to hard-cable, then a second router to connect to my main router, and set up a wireless bridge between them, but that seems like a lot of work (and expensive) to try to thwart an attack that is unlikely to be used against me.

There has been tech to sniff the signal from wireless keyboards and mice forever, very few such devices encrypt the signal. I've heard Apple does, but I haven't seen independent information on that. And there's tech to allow sniffing your screen display, though it has limited range. Add them all together and you can get a heck of a read as to what some people do online.

From Bruce Schneier's blog:
Keystroke Recognition from Wi-Fi Distortion

This is interesting research: "Keystroke Recognition Using WiFi Signals." Basically, the user's hand positions as they type distorts the Wi-Fi signal in predictable ways.

Abstract: Keystroke privacy is critical for ensuring the security of computer systems and the privacy of human users as what being typed could be passwords or privacy sensitive information. In this paper, we show for the first time that WiFi signals can also be exploited to recognize keystrokes. The intuition is that while typing a certain key, the hands and fingers of a user move in a unique formation and direction and thus generate a unique pattern in the time-series of Channel State Information (CSI) values, which we call CSI-waveform for that key. In this paper, we propose a WiFi signal based keystroke recognition system called WiKey. WiKey consists of two Commercial Off-The-Shelf (COTS) WiFi devices, a sender (such as a router) and a receiver (such as a laptop). The sender continuously emits signals and the receiver continuously receives signals. When a human subject types on a keyboard, WiKey recognizes the typed keys based on how the CSI values at the WiFi signal receiver end. We implemented the WiKey system using a TP-Link TL-WR1043ND WiFi router and a Lenovo X200 laptop. WiKey achieves more than 97.5% detection rate for detecting the keystroke and 96.4% recognition accuracy for classifying single keys. In real-world experiments, WiKey can recognize keystrokes in a continuously typed sentence with an accuracy of 93.5%.
thewayne: (Cyranose)
Excellent article by Bruce Schneier. "Last year, two Swiss artists programmed a Random Botnet Shopper, which every week would spend $100 in bitcoin to buy a random item from an anonymous Internet black market...all for an art project on display in Switzerland. It was a clever concept, except there was a problem. Most of the stuff the bot purchased was benign -- fake Diesel jeans, a baseball cap with a hidden camera, a stash can, a pair of Nike trainers -- but it also purchased ten ecstasy tablets and a fake Hungarian passport."

Artificial Intelligence has been getting a lot of press recently with Elon Musk and Bill Gates talking about the danger of AI running wild. They have some valid points, but I'm not too worried about it: how long does your Windows machine go without crashing? ;-) Anyway, there's no way to implement Asimov's Laws of Robotics, it's debatable if we'll ever have an AI along the likes seen in HAL or Terminator. But who knows.

But I have to wonder: what would a computer do with a fake Hungarian passport?
thewayne: (Cyranose)
The FBI is saying that the Sony hack was definitely the work of North Korea, based on evidence of NK attacks on South Korea, such as samples of the code that was preserved, encryption techniques, etc. So I guess I have to revise my previous opinion.

Bruce Schneier has an interesting editorial that appeared in the Wall Street Journal. He said that attacks should be viewed along two axes: skill and focus. Spam attacks are low focus and low skill: they blast out millions of emails knowing that someone, somewhere, will open the mail and click on a link to a poisoned web site. Malware writers are high skill, low focus. Script kiddies are low skill, but higher focus. The attackers of Target and Home Depot were high skill low focus: they didn't care who they hit, they just wanted a big enough retailer to result in a big credit card theft, which is why they don't target Bob's Pizzeria. The Sony hack? High skill, high focus. Schneier likened it unto the Anonymous attack on HBGary Federal, an internet security firm.

The FBI went on to say that 90% of corporations could not have withstood the attack. Which is not encouraging, and should greatly concern them.

The worst thing about this attack is that so much personal employee information was violated. In fact, there are two class-action lawsuits against Sony Pictures for not sufficiently safeguarding their information. The result of those will be quite interesting. But my take on this is DON'T SEND PERSONAL INFORMATION OR GOSSIP THROUGH WORK EMAIL SYSTEMS IF YOU DON'T HAVE TO! If you're going to gossip, do it face-to-face or over the phone. If you're going to send rude jokes, DON'T. Sony executives are looking like idiots for doing this, and deservedly so.

The full article:
thewayne: (Cyranose)
It was revealed that Target's internal software for detecting malware et al did its job and detected the malware that resulted in the theft of all those cards and information. Alerts were raised in India and North America. And nothing was done about it. And the alerts popped up BEFORE the stolen data was exfiltrated. If they'd acted on the alerts, it's likely that none of the data would have gotten out.

I can imagine the attorneys for Visa and Mastercard are sharpening their knives. It costs card issuers lots of money to remake cards when they've been compromised, and with this proving Target's negligence, they now have a target they can recover costs from.

In other news, Sally Beauty Supply confirmed that they were hacked. It looks like it was probably the same group that did Target, but in an interesting twist the site that was selling all the credit card and customer info was hacked and the user registration database was posted publicly online, so I'll bet international law enforcement is having a happy day today.
thewayne: (Cyranose)
Both from Bruce Schneier.

The paper purports that you can read a 4096 bit GnuPG RSA key through acoustic monitoring of the computer that's doing a decryption. It also talks about measuring the electrical potential of the actual computer chassis as a low-bandwidth attack. Strange stuff.

The other day a Harvard student emailed in multiple bomb threats to avoid taking a final exam. Idiot. He was mildly clever in that he used an anonymous email account and used Tor; his epic fail was that he used Tor within the Harvard campus network, so they could easily identify IP addresses and locations of people using Tor and at what time, so it wasn't difficult to nab him.

If he had used Tor from coffee shops off-campus, they would have had a much tougher time tracking him down.

Schneier has a great comment: "This is one of the problems of using a rare security tool. The very thing that gives you plausible deniability also makes you the most likely suspect. The FBI didn't have to break Tor; they just used conventional police mechanisms to get Kim to confess."

I think this might adversely affect his academic standing.
thewayne: (Cyranose)
The system is known as badBIOS, and it can spread from an infected computer to a clean computer with no network connection via the infected computer's speakers and microphone. Basically it's a reversion to modem technology where digital data was sent using audio coding, only in this case it's using frequencies above human hearing (I hesitate to use the term ultrasonic) to transmit the infection.

Ruiu said he arrived at the theory about badBIOS's high-frequency networking capability after observing encrypted data packets being sent to and from an infected machine that had no obvious network connection with -- but was in close proximity to -- another badBIOS-infected computer. The packets were transmitted even when one of the machines had its Wi-Fi and Bluetooth cards removed. Ruiu also disconnected the machine's power cord to rule out the possibility it was receiving signals over the electrical connection. Even then, forensic tools showed the packets continued to flow over the airgapped machine. Then, when Ruiu removed internal speaker and microphone connected to the airgapped machine, the packets suddenly stopped.

With the speakers and mic intact, Ruiu said, the isolated computer seemed to be using the high-frequency connection to maintain the integrity of the badBIOS infection as he worked to dismantle software components the malware relied on.

"The airgapped machine is acting like it's connected to the Internet," he said. "Most of the problems we were having is we were slightly disabling bits of the components of the system. It would not let us disable some things. Things kept getting fixed automatically as soon as we tried to break them. It was weird."

So now if you need an air-gapped machine, you need to yank the sound card and microphone. Oh: it can infect Windows, Mac, BSD, and Linux machines. And it's been around for around three years. The Ars Technica article is quite interesting, I recommend reading it.
thewayne: (Cyranose)
The NSA, PRISM, and trying to keep your information private and secure

This is a whole bunch of links that I've been accumulating that talk about a lot of different facets of what's been going on since Edward Snowden blew the lid off of the PRISM spying and what the NSA and federal government have been doing.

First up, my fav security guy, Bruce Schneier. In this article “How to Remain Secure Against the NSA”, Bruce talks about precautions that you can take to improve your security, while acknowledging that if the NSA et al wants information about you, there's precious little that you can do about it.

Here we have a story by a man who was Microsoft's privacy chief from 2002 to 2011 who says he no longer trusts the company since the existence of PRISM was revealed. “In the two years since leaving Microsoft, Bowden has ceased carrying a cell phone and become a staunch open source user, claiming that he no longer trusts a program unless he can see the source.”

There's only one problem with that: 99%+ of people can't read source code or really have the expertise to understand it and to also understand all of the other source code that it ties in to, as you have to evaluate every single part of the system to know whether or not it's secure. So we have to rely on others to tell us that this code is secure. Linux is probably secure, but lots of its code that relates to cryptography and communications is being reevaluated to look for back doors and a lot of the crypto code is being replaced with code that is more public and not backed by NIST.

thewayne: (Cyranose)
Bruce Schneier, as I've written many times before, is quite a practical expert on computer security. He's run an experiment recently where he bought a new computer from a big box store and configured it for no external connections: no internet, no WiFi, very carefully controlled transfers on and off it. And this article offers his opinions on how practical this is.

And that's the nut of the matter: it isn't really practical. We live in a connected society, the last time I worked on a computer in a work situation that wasn't networked was probably around 1985, and we started networking them not long after that. If you absolutely must have security, an air gap is the only way to go, but then you have to worry about the physical security of such a system and other spying techniques such as recording your keystrokes from your smart phone sitting on the same desk or an electronic technique whose name I can't remember that can read your monitor remotely.

Schneier also points out that the Iranian nuclear program that was compromised by Stuxnet was airgapped, as were the American military computers that were compromised by a worm that was believed to be Chinese in origin.
thewayne: (Cyranose)
From Bruce Schneier's blog:

Lavabit E-Mail Service Shut Down

Lavabit, the more-secure e-mail service that Edward Snowden -- among others -- used, has abruptly shut down. From the message on their homepage:

I have been forced to make a difficult decision: to become complicit in crimes against the American people or walk away from nearly ten years of hard work by shutting down Lavabit. After significant soul searching, I have decided to suspend operations. I wish that I could legally share with you the events that led to my decision. I cannot....
This experience has taught me one very important lesson: without congressional action or a strong judicial precedent, I would strongly recommend against anyone trusting their private data to a company with physical ties to the United States.

In case something happens to the homepage, the full message is recorded here.

More about the public/private surveillance partnership. And another news article.

Also yesterday, Silent Circle shut down its email service:

We see the writing the wall, and we have decided that it is best for us to shut down Silent Mail now. We have not received subpoenas, warrants, security letters, or anything else by any government, and this is why we are acting now.
More news stories.

This illustrates the difference between a business owned by a person, and a public corporation owned by shareholders. Ladar Levison can decide to shutter Lavabit -- a move that will personally cost him money -- because he believes it's the right thing to do. I applaud that decision, but it's one he's only able to make because he doesn't have to answer to public shareholders. Could you imagine what would happen if Mark Zuckerberg or Larry Page decided to shut down Facebook or Google rather than answer National Security Letters? They couldn't. They would be fired.

When the small companies can no longer operate, it's another step in the consolidation of the surveillance society.

In related news, Deutsche Telekom announced that they're moving all of their email servers in to Germany to try to avoid PRISM spying.

"Germany's leading telecom provider announced on Friday that it will only use German servers to handle any email traffic over its systems, citing privacy concerns arising from the recent PRISM leak and its 'public outrage over U.S. spy programs accessing citizens' private messages.' In a related move, DT has also announced that they will be providing email services over SSL to further secure their customers' communications. Sandro Gaycken, a professor of cyber security at Berlin's Free University, said 'This will make a big difference...Of course the NSA could still break in if they wanted to, but the mass encryption of emails would make it harder and more expensive for them to do so.'"
thewayne: (Cyranose)

Edward Snowden broke the law by releasing classified information. This isn't under debate; it's something everyone with a security clearance knows. It's written in plain English on the documents you have to sign when you get a security clearance, and it's part of the culture. The law is there for a good reason, and secrecy has an important role in military defense.

But before the Justice Department prosecutes Snowden, there are some other investigations that ought to happen.

We need to determine whether these National Security Agency programs are themselves legal. The administration has successfully barred anyone from bringing a lawsuit challenging these laws, on the grounds of national secrecy. Now that we know those arguments are without merit, it's time for those court challenges. ...

Do I think Schneier's investigations will happen? Sadly, no. I think Snowden will be pilloried and then we'll end up in an extradition tussle, not unlike Julian Assange. It'll take years, and perhaps there will be enough change in politics that such an investigation can happen.
thewayne: (Cyranose)
User passwords, particularly on Unix/Linux servers, are stored in a single file. The user name is typically stored in clear text, then the password is run through an encryption algorithm, usually with a value called a salt added to the password. But the salt is not always added, which makes passwords more vulnerable. One method of attacking such a password list is known as a dictionary attack. There are files available online that contain a BILLION passwords that have been shunted through the encryption algorithm, then it's just a matter of matching them against entries in the password file that you stole.

Ars Technica submitted a file of 16,000 passwords to three security experts, "and asked them to break them. The winner got 90% of them, the loser 62% -- in a few hours."

The attackers are now using a multiple dictionary attack. If you use a strong root word plus a designator word, you're not as strong as you thought. "Steube was able to crack "momof3g8kids" because he had "momof3g" in his 111 million dict and "8kids" in a smaller dict.
"The combinator attack got it! It's cool," he said."

Schneier goes on to suggest what appears to still be a strong password system: making up a sentence that is significant to you. It's a simple method and he explains it in the article.
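
To make the salt and combinator points above concrete from the defender's side, here is an added example (not from the Ars Technica article or Schneier's post). It checks a candidate password against a two-wordlist combination rule and shows why unsalted digests expose every user who shares a dictionary password, while salted PBKDF2 records do not match a precomputed table. The wordlists, user names, digest choice (SHA-256) and iteration count are assumptions made for the demonstration.

```python
import hashlib
import hmac
import os

# Constructed sample wordlists (assumptions, not from the article); real
# cracking dictionaries hold millions of entries.
BIG_DICT = {"momof3g", "password", "dragon", "sunshine"}
SMALL_DICT = {"8kids", "123", "2013"}
ITERATIONS = 100_000  # assumed PBKDF2 work factor for this demo


def is_combinator_weak(candidate, left=BIG_DICT, right=SMALL_DICT):
    """Policy check: reject a password that is a single dictionary word or
    one left-list word followed by one right-list word."""
    if candidate in left or candidate in right:
        return True
    return any(candidate[:i] in left and candidate[i:] in right
               for i in range(1, len(candidate)))


def unsalted_hash(password):
    """Weak storage: the same password always yields the same digest."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_hash(password, salt=None):
    """Stronger storage: random per-user salt plus a slow KDF."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify(password, salt, digest):
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(salted_hash(password, salt)[1], digest)


def audit_unsalted(records, wordlist):
    """Return users whose unsalted digest appears in a precomputed table,
    i.e. the accounts a stolen file would expose immediately."""
    table = {unsalted_hash(w): w for w in wordlist}
    return sorted(user for user, digest in records.items() if digest in table)


# Constructed password-file records: two users share one weak password.
UNSALTED_FILE = {
    "alice": unsalted_hash("password"),
    "bob": unsalted_hash("password"),
    "carol": unsalted_hash("Wq7-constructed-long-phrase"),  # not in any list
}

if __name__ == "__main__":
    print("momof3g8kids weak:", is_combinator_weak("momof3g8kids"))
    print("exposed users:", audit_unsalted(UNSALTED_FILE, BIG_DICT))
    s1, d1 = salted_hash("password")
    s2, d2 = salted_hash("password")
    print("salted digests differ:", d1 != d2, "verify:", verify("password", s1, d1))
```
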
thewayne: (Cyranose)
I picked up this interesting bit of tid from Bruce Schneier's blog, actually his LJ feed from his blog:

The term "elite panic" was coined by Caron Chess and Lee Clarke of Rutgers. From the beginning of the field in the 1950s to the present, the major sociologists of disaster -- Charles Fritz, Enrico Quarantelli, Kathleen Tierney, and Lee Clarke -- proceeding in the most cautious, methodical, and clearly attempting-to-be-politically-neutral way of social scientists, arrived via their research at this enormous confidence in human nature and deep critique of institutional authority. It’s quite remarkable.

Elites tend to believe in a venal, selfish, and essentially monstrous version of human nature, which I sometimes think is their own human nature. I mean, people don't become incredibly wealthy and powerful by being angelic, necessarily. They believe that only their power keeps the rest of us in line and that when it somehow shrinks away, our seething violence will rise to the surface -- that was very clear in Katrina. Timothy Garton Ash and Maureen Dowd and all these other people immediately jumped on the bandwagon and started writing commentaries based on the assumption that the rumors of mass violence during Katrina were true. A lot of people have never understood that the rumors were dispelled and that those things didn't actually happen; it's tragic.

But there's also an elite fear -- going back to the 19th century -- that there will be urban insurrection. It's a valid fear. I see these moments of crisis as moments of popular power and positive social change. The major example in my book is Mexico City, where the '85 earthquake prompted public disaffection with the one-party system and, therefore, the rebirth of civil society.
thewayne: (Default)
Bruce Schneier collected many links of interest on the issue. Included are some t-shirts, I wouldn't mind having a couple of them and may be placing an order.

One of the links is from a TSA officer who surveyed 20 colleagues at various airports. 17 responded, all of them do not like the procedure or the increase in abuse that they are receiving.

Representative Ron Paul has introduced a bill that says the following:


No law of the United States shall be construed to confer any immunity for a Federal employee or agency or any individual or entity that receives Federal funds, who subjects an individual to any physical contact (including contact with any clothing the individual is wearing), x-rays, or millimeter waves, or aids in the creation of or views a representation of any part of a individual's body covered by clothing as a condition for such individual to be in an airport or to fly in an aircraft. The preceding sentence shall apply even if the individual or the individual's parent, guardian, or any other individual gives consent."

A link to the bill is in Schneier's post.

And finally, an interview with a security expert who describes how airline passenger screening is handled in ISRAEL. They move a passenger through security in 25 MINUTES. SAFELY. It's a very good story, and it is based on sensible procedures. And Israeli security hasn't been breached in 8 years.


Time to contact our Congresscritters and TSA officials, actually it's past-time. You can get their addresses, both snail and email, at and
thewayne: (Default)
Bruce Schneier is an internationally-recognized expert in cryptography and computer security. He has an interesting proposal. First, you get a whole-disk encryption program and encrypt the entire disk. You create a normal key that you would remember. Then you create a massively random key: pound on the keyboard for a few minutes. Email the hash to a friend, preferably to one with whom you have a high level of privacy/protection with, your attorney or priest, for example. When you land wherever you're going, before you hit Customs, you delete your normal key, leaving only the highly random one. When they ask to inspect your laptop, you tell them truthfully that you cannot boot it as you do not have the key. Once you get through, email your friend from an internet cafe and get the key back.

A commenter said that this would not be a legal defense in England and could potentially lead to your arrest.

It occurs to me a similar technique, if you're traveling with your spouse, would be to send it to their webmail account and vice versa, assuming you do not have direct access to your spouse's account, since your spouse cannot be compelled to testify against you (at least last time I checked, I could be totally wrong).

There are those who say, well, if you have nothing to hide, why should you do something like this? I finally found a good response to that: just because I have nothing to hide doesn't give you the right to go poking around me. Privacy may not be a Constitutionally-protected right, that doesn't mean we can't get some every now and then.
thewayne: (Default)
Yep, your tax dollars hard at work.

First, TSA employee caught hoarding with $200,000 worth of stolen goods to be sold on eBay. And as of right now, you can't even demand a receipt if they seize your laptop at the border, but there is a possibility of a new bill forcing DHS to receipt seized equipment and return them in a reasonable time frame. I can find the links if anyone is interested.

"... a search of his house found a great deal of property pilfered from the un-witnessed searches that occurred after luggage had been checked, where the rightful owner was not allowed. 'Among the items seized were 66 cameras, 31 laptop computers, 20 cell phones, 17 sets of electronic games, 13 pieces of jewelry, 12 GPS devices, 11 MP3 players, eight camera lenses, six video cameras and two DVD players, the affidavit said.'"

So if you've flown through Newark in the last year or so and lost something electronic...

Second, Bruce Schneier and a reporter play games with airport security, including wearing Osama Bin Laden t-shirts, carrying books on jihad, not carrying ID, and splashing water on their face to make it look like they're sweating. TSA security's response? "Don't let it happen again."

Now don't you feel much safer?
thewayne: (Default)
His premise is that they (California) have security backwards and are arguing that the machines are secure until they're proven not to be, then a patch makes them all better until they are once-again compromised. The full story is that the Californian In Charge of Voting Machine Stuff, after having a hasty report published proving that the machines tested were riddled with bad security, decided that once the uncovered vulnerabilities are patched that the machines can once again be used.

Schneier's point is that security must be built from the ground up, not added on later. Some excellent examples from the NSA.
thewayne: (Default)
Part 1 of 5. I've read the first two, good stuff. The TSA head has a good sense of humor!

(and the Slashdot Thread)
