Going Through the Security Motions

The Associated Press profiles security guru Bruce Schneier. Bruce writes clearly and well, and apparently got a mention in “The Da Vinci Code”. He’s also very critical of post-9/11 overreaction: “Eventually we will all come to our senses about security,” he says. “I think it’s 10 to 20 years. A generation.” His argument: less showmanship, more cost-effectiveness. Amen.

To that I’d add consistency. Those implementing security need to apply the same level of alertness whether it’s 1 am or 1 pm. They also need to be involved in the decision making and planning process — at least enough to understand that looking under a car for a bomb is not just about going through the motions of looking under the car. (My favorite example of this is when security guards in Asia make a great song and dance of inspecting the inside and underside of an SUV, but then entirely ignore the external hard cover for the spare wheel stuck on the vehicle’s rear door.)

Security is a process, but it’s not just a procedure.

Getting Data Past Borders

Bruce Schneier uses reports that Sudan is searching all laptops being brought into the country to sound a warning: “Your privacy rights when trying to enter a country are minimal, and this kind of thing could happen anywhere… If you’re bringing a laptop across an international border, you should clean off all unnecessary files and encrypt the rest.”

Some commenters take the discussion a bit further, pointing out that this may not be enough. Officials may demand that you decrypt your files, so a better approach would be to keep your data in an unpartitioned portion of your hard drive, encrypted with something called TrueCrypt, which creates a “virtual encrypted disk” within a file (for Windows and Linux).

Others suggest that even this might not be enough, and that it may be better to use some kind of steganography (hiding data within innocent-looking data, like a photo or music file). It goes without saying that whatever you encrypt you should have backed up somewhere safe back home. Another option is not to have anything on your laptop and to download what you need once you’re in the country, but unless you have a private network you can do this on, chances are your downloads will be monitored.

This is all not as fanciful or infrequent as it sounds. One poster, Abbas Halai, said he had, on three occasions when entering the U.S., been asked to log in to his laptop and then leave the room.

Let Your Fingers Do the Remembering

Maybe I’ve missed something, but why isn’t more work dedicated to understanding the link between passwords and memory? Given that we’re supposed to remember our passwords (as opposed to writing them down on Post-it notes and sticking them somewhere prominent) why don’t we look more closely at the process whereby we remember stuff — and forget it?

Danah of apophenia wrote recently about the somewhat lame password recovery system some websites use whereby “you have to choose three questions and answer them. The problem is that they are all “What is your favorite n” where n is restaurant, band, movie, song, actor, book, drink, food, place, past-time…” As she points out, favorites tend to change over time, and if they were stable, such information is likely to be available “all over the web on their profiles for dating and social network sites.”

One commenter says Bruce Schneier has written that such password recovery systems are less secure than your password, so advises against using them. Here’s the original link, I believe: Bruce concludes that “The result is the normal security protocol (passwords) falls back to a much less secure protocol (secret questions). And the security of the entire system suffers.”

This is all a roundabout way of writing about a recent experience: one password I have to enter is actually a four digit PIN as part of a SecurID token (one of those readouts that give a different number every few minutes). Four digits I’ve used since 2000, and yet, after two weeks off, I couldn’t remember. It was only when I stopped trying to remember, that I remembered, if you know what I mean. It’s not that I had forgotten the number, it’s that I couldn’t retrieve the number from my memory. (This is getting way too existential – Ed). The way I “remembered” the PIN was to stop thinking and just type it. My fingers, if you will, remembered it better than my memory did.

I haven’t looked hard, and perhaps there’s data on this kind of thing. But this kind of memory must be way more useful than favorite colors and books and all that kind of thing, which requires thought, which in turn is vulnerable to forgetfulness, or changing habits.

Hang On, I’m Just Calling My Getaway Car

A bank in Chicago has banned use of cellphones in five of its branches, hoping to prevent the bad guys from communicating with each other during a robbery, according to UPI:

“We ban cell phone use in the lobby because you don’t know what people are doing,” Ralph Oster, a senior vice president [of the First National Bank], told the Chicago Tribune. Cell phone cameras are also a worry.

Oster said there have been holdups in which bandits were on the phone with lookouts outside while committing bank robberies.

As the piece points out, this isn’t the first such ban: West Suburban Bank, based in Lombard, Ill., barred customers wearing hats in January but has not moved to silence cell phones.

Does this make sense? Well, in some ways it does. If there’s a guy hanging around the bank on the phone, it could be that he’s coordinating his getaway car, and you would want to try to nip that kind of thing in the bud. It does happen. By stopping him (or her) from using a cellphone he may decide not to rob your bank, but the one next door instead, where cellphones aren’t banned.

However, where does it stop? Would someone texting/SMSing be told to stop? And how would a security guard, however many PhDs he has, be able to tell the difference between someone jabbing away on a cellphone and jabbing away on a PDA? How about people using handsfree devices? Are they just singing/talking to themselves?

On the other hand, isn’t there an easier way? I would have thought a cellphone blocker would be a better idea (check out this excellent Google Answer on the difference between jammers, which are illegal in the U.S. since they involve actually interfering with the signal, and blockers, which build a shield around the location to stop signals from penetrating it).

Of course, there are downsides. How many times have you been in a bank and then realized you needed to contact a friend/colleague/family member to discuss how much money you should take out/deposit/borrow? As Bruce Schneier would say, devices can be used for both good and ill and if the good outweighs the ill, as it usually does, banning is stooopid:

We don’t ban cars because bank robbers can use them to get away faster. We don’t ban cell phones because drug dealers use them to arrange sales. We don’t ban money because kidnappers use it. And finally, we don’t ban cryptography because the bad guys use it to keep their communications secret. In all of these cases, the benefit to society of having the technology is much greater than the benefit to society of controlling, crippling, or banning the technology.

The Smell of Sterile Burning

There’s a growing noise about Sony’s apparent attempt to install digital rights management software usually associated with bad guys trying to maintain control of a compromised computer: Mark’s Sysinternals Blog: Sony, Rootkits and Digital Rights Management Gone Too Far:

The entire experience was frustrating and irritating. Not only had Sony put software on my system that uses techniques commonly used by malware to mask its presence, the software is poorly written and provides no means for uninstall. Worse, most users that stumble across the cloaked files with a RKR scan will cripple their computer if they attempt the obvious step of deleting the cloaked files.

While I believe in the media industry’s right to use copy protection mechanisms to prevent illegal copying, I don’t think that we’ve found the right balance of fair use and copy protection, yet. This is a clear case of Sony taking DRM too far.

The comments below Mark Russinovich’s post reveal not only growing frustration with such clumsy attempts to control what users do with CDs they buy from legitimate sources; they may also prompt a class-action suit against the company in the U.S., since early versions of the End User License Agreement on the software may not have covered such software installation. A representative of SF-based Green Welling LLP has posted a comment asking to hear from “any California residents that have experienced this problem before the EULA was changed. We have looked at many DRM cases and Sony went too far with this particular scheme”. (The End User License Agreement originally, according to Russinovich, made “no mention of the fact that I was agreeing to have software put on my system that I couldn’t uninstall”.) Bruce Schneier asks whether Sony may have “violated the Computer Misuse Act in the UK? If this isn’t clearly in the EULA, they have exceeded their privilege on the customer’s system by installing a rootkit to hide their software.”

Sony deny that their software is malware or spyware: Their FAQ says “the protection software simply acts to prevent unlimited copying and ripping from discs featuring this protection solution. It is otherwise inactive. The software does not collect any personal information nor is it designed to be intrusive to your computer system. Also, the protection components are never installed without the consumer first accepting the End User License Agreement.”

According to eWeek, the technology has a name: ‘sterile burning’. And it’s built by a British company called First 4 Internet, whose CEO, Mathew Gilliat-Smith, is quoted as saying it’s not a rootkit but part of a copy protection system designed to balance security and ease of use for the CD buyer. First 4 Internet call it XCP for Extended Copy Protection which “aims to provide effective levels of protection against the unauthorised copying of digital audio and data files without compromising sound quality and playability. XCP helps to protect the rights of Artists and Record Labels while accommodating consumer needs for ‘fair use’ copying.” More specifically, it

protects the content of an audio disc without compromising playability or quality. By using a range of methodologies, including the construction of multiple protection layers, limiting the ROM player accessibility to the provided player software and encapsulating the Red Book audio content, XCP can be used by content owners to help protect digital content from unauthorised copying.

It was first shipped by Sony BMG in March. A new version has been developed with features which, eWeek says, “respond to many of the questions Russinovich raised in his analysis” and will be available in new Sony BMG CDs. But will it be too late by then? Who in their right mind would risk buying a Sony BMG CD?

Bruce on Phishing: It’s the Banks, Stupid

Bruce Schneier again talks sense, this time about phishing: Schneier on Security: Phishing

Financial companies have until now avoided taking on phishers in a serious way, because it’s cheaper and simpler to pay the costs of fraud. That’s unacceptable, however, because consumers who fall prey to these scams pay a price that goes beyond financial losses, in inconvenience, stress and, in some cases, blots on their credit reports that are hard to eradicate. As a result, lawmakers need to do more than create new punishments for wrongdoers — they need to create tough new incentives that will effectively force financial companies to change the status quo and improve the way they protect their customers’ assets.

(Here’s the full column at Wired, and here’s a discussion on Slashdot.)

Regular readers of this column will know this is similar to what I’ve been harping on about for a while although this is much better written and argued than anything I’ve said. Banks have got to accept responsibility for the problem, and devise solutions. To be fair, some are: My bank has finally gotten around to issuing SecurID-type number pads, and secondary authorisation for online credit card transactions.

OK, That’s Enough Bluetooth Monday Jokes

One of my favourite bands from the early 1980s, New Order, are promoting their upcoming album, Waiting for the Sirens Call, (due to be launched this coming week) via Bluetooth. They are displaying, in the words of Engadget:

digital interactive posters offering song clips, ringtones and photos that can be beamed directly to fans’ cellphones. The posters use both infrared and Bluetooth to send the data directly to phones, bypassing network charges to fans or to the band’s label, and making New Order the first group to hand out free music clips direct to cellphones.

The service is, I believe, provided by a company called Hypertag, which spells out its vision on its website: We have a vision that every advertising poster or marketing display will be tagged with a Hypertag. This will enable consumers to engage and interact with your brand. The company tried the tags out last November on London Transport posters that allowed users to get a phone number for safe travel information beamed direct to their mobile phones.

As Forrester Research points out, this innovative promotion underlines the opportunities that connected devices present; gives another (temporary) boost to the Bluetooth standard; and demonstrates that operators are continuing to struggle to drive network data traffic.

There’s an account of how well it works by Robert Price here, along with a picture. An interesting feature of this, and a reason why I don’t think this kind of thing will catch on, is in the message on the bottom of the poster: Please be vigilant when using your mobile phone in public places. For it to work via Bluetooth, you have to stand near the poster and switch Bluetooth on. Then you’ll get a message asking if you want to receive an incoming Bluetooth connection. Say yes and you get the ringtone, but you don’t need to be Bruce Schneier to figure out how this could be abused.

Bluetooth seems like a good way of doing this kind of thing, but the security implications are stronger than the commercial benefits, I believe. Set your Bluetooth to ‘always available’ at your peril.

Do Passports Plus RFID Tags Make Us Walking Targets?

RFID tags? Sinister chip or harmless piece of plastic and wire?

I’ve been on the side of the former for some time, but in the face of some objection from readers. A listener to a piece I did on the BBC World Service a few weeks back about the danger that RFID tags would give up too much information to anyone interested — shops, sleazeballs, governments, terrorists — wrote in to say:

Your correspondent seemed in danger of propagating the fiction that RFID tags can be read from a distance.

An RFID tag contains no power source. The read head, the device that interrogates the tag, actually transmits power to it to enable it in turn to transmit the information it contains. With most tags the range over which this will work is much less than a metre – in general the smaller the tag the smaller the range.

In other words when I am walking down the street it will not be possible for MI5 to determine where or when I bought the tagged pack of tomatoes I am carrying…

This prompted me to do a bit more digging, and I concluded thus in a reply I prepared at the time:

  • First off, distance is not really the issue. The reader, the machine that reads the RFID tag, could be placed anywhere — at entrances to shops, buildings, carparks, subways — to pick up information on those tags. The reader, therefore would simply pick up the information as a person passes it. In short, it’s not necessarily a question of whether MI5 is remotely trying to figure out the origin of your tomatoes from a rooftop, but that sensors placed around cities, installed for commercial, retail or government use, could easily gather this information without your knowledge.
  • Secondly, while it’s true that until recently RFID tags may only be readable by a normal reader within a few feet, many tags now can be read from further away. Others are already being developed that would be read over longer distances: Japanese manufacturer Toppan, for example, has just created an RFID chip that can be read 5 metres away. That’s across the room or street.
  • Thirdly, while it’s true that most RFID tags are passive (without a battery) some are active (with a battery inside) meaning that they can be read over much longer distances — between 100 and 300 ft (up to 100 metres) at present, I believe.
  • Fourthly, it’s quite possible to incorporate a reader with a high-gain antenna, in which case tags can be read at much greater distances; in some extreme cases, according to the online encyclopedia Wikipedia, up to several kilometres away.
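The second and fourth points above come down to the same physics: for a passive tag, the reader’s field has to deliver enough power to wake the chip, so range grows with reader power and antenna gain. The following is an added illustration of that relationship under the Friis free-space model; it is not code from this page or from any RFID vendor, it applies to far-field UHF backscatter tags (the kind the longer-range claims refer to) rather than 13.56 MHz inductive tags, and all the numeric inputs (915 MHz, 1 W reader, 6 dBi reader antenna, 2 dBi tag antenna, −15 dBm chip sensitivity) are assumed values chosen for the worked example.

```python
"""Forward-link read range of a passive UHF RFID tag (free-space Friis model).

Added illustration, not code from the page or from any vendor. The model is
an idealised upper bound: real ranges are lower because of multipath,
detuning of the tag by what it is stuck to, and the reverse (backscatter)
link, which this example ignores. All input values are assumptions.
"""
import math

C = 299_792_458.0  # speed of light, m/s


def dbm_to_w(dbm):
    """Convert a power level in dBm to watts."""
    return 10 ** ((dbm - 30) / 10)


def dbi_to_linear(dbi):
    """Convert an antenna gain in dBi to a linear ratio."""
    return 10 ** (dbi / 10)


def forward_link_range_m(freq_hz, reader_power_dbm, reader_gain_dbi,
                         tag_gain_dbi, tag_sensitivity_dbm):
    """Distance at which the power reaching the tag chip just equals its
    wake-up threshold. From Friis, P_tag = P_t * G_t * G_tag * (lambda/4*pi*r)^2,
    so r = (lambda / 4 pi) * sqrt(P_t * G_t * G_tag / P_threshold)."""
    lam = C / freq_hz
    p_t = dbm_to_w(reader_power_dbm)
    gains = dbi_to_linear(reader_gain_dbi) * dbi_to_linear(tag_gain_dbi)
    p_th = dbm_to_w(tag_sensitivity_dbm)
    return (lam / (4 * math.pi)) * math.sqrt(p_t * gains / p_th)


def range_gain_factor(gain_increase_db):
    """Factor by which range multiplies when reader antenna gain rises by
    gain_increase_db at fixed transmit power: the square root of the linear
    gain ratio (so +6 dB of gain roughly doubles the range)."""
    return math.sqrt(dbi_to_linear(gain_increase_db))


def compare_readers():
    """Two assumed reader setups against the same assumed tag:
    a handheld (100 mW, 0 dBi) and a fixed portal reader (1 W, 6 dBi)."""
    tag = dict(tag_gain_dbi=2.0, tag_sensitivity_dbm=-15.0)
    handheld = forward_link_range_m(915e6, 20.0, 0.0, **tag)
    portal = forward_link_range_m(915e6, 30.0, 6.0, **tag)
    return handheld, portal


if __name__ == "__main__":
    handheld, portal = compare_readers()
    print(f"handheld reader: {handheld:.1f} m")
    print(f"portal reader:   {portal:.1f} m")
    print(f"+6 dB antenna gain multiplies range by {range_gain_factor(6.0):.2f}")
```

The point the numbers make is the one in the bullets: a modest handheld reader reaches a metre or two, while a fixed reader with a few watts of effective radiated power reaches around ten metres in free space, and every extra 6 dB of antenna gain doubles the range again. A fixed reader at a doorway therefore does not need to be exotic to read passing tags.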

Some of these items may not be commercially available yet, but it’s shortsighted to suggest that RFID technology is not improving quickly enough to reach the point where it becomes an important social issue, including MI5’s ability to gain access to your tomatoes.

Still, there’s clearly a lot of debate about this, and I was speaking to some RFID folk in Australia who say the security concerns are too far down the track to worry about, since RFID is still too young a technology to be really deployable. Reading a tag is still too tricky, apparently, for it to work properly in a commercial setting.

With all this in mind, it’s interesting to read Bruce Schneier in today’s IHT warning in no uncertain terms of the dangers inherent in the U.S. demand that countries issue passports with RFID tags in them. He points out the absurdity of arguing that RFID tags can only be read from a few centimetres away:

Proponents of the system claim that the chips can be read only from within a distance of a few centimeters, so there is no potential for abuse. This is a spectacularly naïve claim. All wireless protocols can work at much longer ranges than specified. In tests, RFID chips have been read by receivers 20 meters away. Improvements in technology are inevitable.

Bruce’s point is that this means the passports can be read by anyone who gets even vaguely close, leaving the holder vulnerable to anyone with an interest: “It means that pickpockets, kidnappers and terrorists can easily – and surreptitiously – pick Americans or nationals of other participating countries out of a crowd.”

His conclusion is unusually forthright:

The [Bush] administration wants surreptitious access themselves. It wants to be able to identify people in crowds. It wants to surreptitiously pick out the Americans, and pick out the foreigners. It wants to do the very thing that it insists, despite demonstrations to the contrary, can’t be done.

Normally I am very careful before I ascribe such sinister motives to a government agency. Incompetence is the norm, and malevolence is much rarer. But this seems like a clear case of the Bush administration putting its own interests above the security and privacy of its citizens, and then lying about it.

I have no idea whether that bit about the Bush administration is true or not. It’s scary if it is, because it indicates that RFID is just the kind of technology we should be worried about. But for present purposes it doesn’t matter much: What matters is that we establish whether or not it’s possible to ‘snarf’ data from RFID tags in the same way Bluetooth experts have successfully shown the inherent dangers in Bluetooth-enabled phones. If someone can show that grabbing data from RFID tags at a reasonable distance is not just an academic exercise, maybe voices like Bruce’s will be heard in time to do something about it, whether it’s someone knowing my shoe size or my nationality.

Behind the Akamai DDoS Attack

A bit late (my apologies) but it’s interesting to look at the recent Distributed Denial of Service attack on Akamai, an Internet infrastructure provider.

The attack blocked nearly all access to Apple Computer, Google, Microsoft and Yahoo’s Web sites for two hours on Tuesday by bringing down Akamai’s domain name system, or DNS, servers. These servers translate domain names — www.microsoft.com — into numerical addresses. The attack was made possible by harnessing a botnet — thousands of compromised Internet-connected computers, or zombies, which are instructed to flood the DNS servers with data at the same time. This is called Distributed Denial of Service, or DDoS.
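What makes a botnet flood different from one misbehaving client is the spread of sources: no single address stands out, so a per-client rate limit never fires. The following is an added detection example written for this post, not code from the page or from Akamai. It reads query-log lines in a constructed format (Unix second, client address, queried name, record type), buckets them by second, and alerts only when the per-second rate is high and the queries come from many distinct addresses. The log format, thresholds and sample data are all assumptions; a real resolver’s log will need its own `parse_line`.

```python
"""Flag a distributed DNS query flood in query-log lines.

Added illustration, not code from the page or from Akamai. The line format
(constructed for this example) is: "<unix_second> <client_ip> <qname> <qtype>".
"""
from collections import Counter, defaultdict
import re

LINE_RE = re.compile(
    r"^(?P<ts>\d+)\s+(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<qname>\S+)\s+(?P<qtype>[A-Z]+)$"
)


def parse_line(line):
    """Return (second, src_ip, qname, qtype) or None for a malformed line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return int(m["ts"]), m["src"], m["qname"].lower(), m["qtype"]


def bucket_by_second(lines):
    """Group queries into one-second buckets: second -> list of (src, qname)."""
    buckets = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            ts, src, qname, _ = rec
            buckets[ts].append((src, qname))
    return buckets


def detect_flood(lines, rate_threshold, min_sources):
    """Return sorted (second, query_count, distinct_sources) tuples for every
    second whose query count reaches rate_threshold AND whose queries come
    from at least min_sources distinct clients. The second condition is what
    separates a distributed flood from a single chatty client, which an
    ordinary per-source rate limit already handles."""
    alerts = []
    for ts, queries in sorted(bucket_by_second(lines).items()):
        sources = {src for src, _ in queries}
        if len(queries) >= rate_threshold and len(sources) >= min_sources:
            alerts.append((ts, len(queries), len(sources)))
    return alerts


def top_targets(lines, n=3):
    """Most-queried names, to see which zone the flood is aimed at."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec:
            counts[rec[2]] += 1
    return counts.most_common(n)


def build_sample():
    """Constructed sample log: a quiet second (t=100), then a second (t=101)
    in which 40 different 'zombie' addresses each send 5 queries, then a
    second (t=102) in which one client alone sends 150 queries."""
    lines = [
        "100 192.0.2.10 example.com A",
        "100 192.0.2.11 example.net A",
        "100 192.0.2.10 example.org AAAA",
    ]
    for i in range(40):
        lines += [f"101 203.0.113.{i} example.com A"] * 5
    lines += ["102 198.51.100.7 example.com A"] * 150
    return lines


if __name__ == "__main__":
    sample = build_sample()
    print(detect_flood(sample, rate_threshold=100, min_sources=20))
    print(top_targets(sample))
```

Run as-is, only the second t=101 is reported: t=102 has an even higher query count, but it comes from one address and belongs to a per-client rule, not a botnet alert. Tune `rate_threshold` to a multiple of the server’s normal peak and `min_sources` to well above the number of clients it normally sees in a second.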

But there’s still something of a mystery here: How was the attacker able to make the DDoS attack so surgical, taking out just the main Yahoo, Google, Microsoft and Apple sites? As CXOtoday points out, Akamai is an obvious target, since “it has created the world’s largest and most widely used distributed computing platform, with more than 14,000 servers in 1,100 networks in 65 countries.”

Indeed, before Akamai admitted the nature and scale of the attack there was some skepticism that this could have been a DDoS: ComputerWorld quoted security expert Bruce Schneier as saying “My guess is that it’s some kind of an internal failure within Akamai, or maybe a targeted attack against them by someone with insider knowledge and access.”

The Ukrainian Computer Crime Research Center says it believes the attack was a demonstration of capabilities by a Russian hacker network. As evidence they point to an earlier posting by Dmitri Kramarenko, which describes a recent offer by a Russian hacker to “pull any website, say Microsoft” for not less than $80,000. The story appeared four days before the DDoS attack.

The Price Of Democracy

An interesting essay by security guru Bruce Schneier (via the brianstorms weblog) on the economics of fixing an election. Put simply: How much is it worth a party to fix an election, and so how much would they be willing to spend on doing it? Put another way, how much should the folk designing an electronic voting system assume will be spent on trying to get past the security software?

Bruce does the math and concludes “that affecting the balance of power in the House of Representatives is worth at least $100M to the party who would otherwise be losing. So when designing the security behind the software, one must assume an attacker with a $100M budget. Conclusion: The risks to electronic voting machine software are even greater than first appears.”

Scary stuff. Although much of the emphasis of such articles has been on how this might be done in established democracies (and there’s still plenty to worry about there), my worry is about how voting systems may be exported to the developing world.