Cat nabbing

Intriguing column by Danny Westneat in the Seattle Times

The unsettling thing about living in a surveillance society isn’t just that you’re being watched. It’s that you have no idea.

That’s what struck me about a story told last week by a border agent at a meeting of 200 San Juan Islanders. He was there to explain why the federal government is doing citizenship checks on domestic ferry runs. But near the end, while trying to convince the skeptical audience that the point is to root out terrorists, not fish for wrongdoing among the citizenry, deputy chief Joe Giuliano let loose with a tale straight out of “Dr. Strangelove.”

It turns out the feds have been monitoring Interstate 5 for nuclear “dirty bombs.” They do it with radiation detectors so sensitive it led to the following incident.

“Vehicle goes by at 70 miles per hour,” Giuliano told the crowd. “Agent is in the median, a good 80 feet away from the traffic. Signal went off and identified an isotope [in the passing car].”

The agent raced after the car, pulling it over not far from the monitoring spot (near the Bow-Edison exit, 18 miles south of Bellingham). The agent questioned the driver, then did a cursory search of the car, Giuliano said.

Did he find a nuke?

“Turned out to be a cat with cancer that had undergone a radiological treatment three days earlier,” Giuliano said.

He added: “That’s the type of technology we have that’s going on in the background. You don’t see it. If I hadn’t told you about it, you’d never know it was there.”

So you thought encrypting data on government laptops would make them safe?

Think again. Ed Felten has made an interesting discovery:

Today eight colleagues and I are releasing a significant new research result. We show that disk encryption, the standard approach to protecting sensitive data on laptops, can be defeated by relatively simple methods. We demonstrate our methods by using them to defeat three popular disk encryption products: BitLocker, which comes with Windows Vista; FileVault, which comes with MacOS X; and dm-crypt, which is used with Linux. The research team includes J. Alex Halderman, Seth D. Schoen, Nadia Heninger, William Clarkson, William Paul, Joseph A. Calandrino, Ariel J. Feldman, Jacob Appelbaum, and Edward W. Felten.

Our site has links to the paper, an explanatory video, and other materials.

The root of the problem lies in an unexpected property of today’s DRAM memories. DRAMs are the main memory chips used to store data while the system is running. Virtually everybody, including experts, will tell you that DRAM contents are lost when you turn off the power. But this isn’t so. Our research shows that data in DRAM actually fades out gradually over a period of seconds to minutes, enabling an attacker to read the full contents of memory by cutting power and then rebooting into a malicious operating system.

Interestingly, if you cool the DRAM chips, for example by spraying inverted cans of “canned air” dusting spray on them, the chips will retain their contents for much longer. At these temperatures (around -50 °C) you can remove the chips from the computer and let them sit on the table for ten minutes or more, without appreciable loss of data. Cool the chips in liquid nitrogen (-196 °C) and they hold their state for hours at least, without any power. Just put the chips back into a machine and you can read out their contents.

This is deadly for disk encryption products because they rely on keeping master decryption keys in DRAM…

Bet this won’t stop Gordon Brown & Co confidently asserting that our data are safe in their laptops.

VOIP baffles spooks

From The Register

The head of the UK government’s secret electronic spying and codebreaking agency, GCHQ, has said that his organisation’s ability to intercept conversations and messages is seriously undermined by internet-protocol (IP) communications. The digital spook’s comments may come as a blow to British and European politicians who have sworn to eradicate terrorism from the internet.

The revelations came as part of the annual parliamentary oversight report into the doings of the UK intelligence community, which was released today. The report is compiled by the specially-vetted MPs and lords of the Intelligence and Security Committee (ISC), who are allowed to review secret data and grill important mandarins from the shadowier parts of Whitehall…

Don’t expect UK privacy law reform

Just because the government has been shown to be disgracefully casual in its handling of confidential personal data doesn’t mean that the Brown administration is proposing to do anything radical about it. That’s not just an uninformed, cynical take on what’s happening. It’s also the view of Rosemary Jay, Head of the Information Law team at Pinsent Masons (the law firm that publishes OUT-LAW.COM).

Germans are planning to eavesdrop on Skype

Interesting documents on Wikileaks. Basically, it seems that the Bavarian authorities have been looking for contractors to install Trojans on target machines which run Skype. Slashdot explains:

The first document is a communication by the Ministry of Justice to the prosecutors office, about the cost splitting for Skype interception. The second document presents the offer made by Digitask, the German company secretly developing Skype interception, and holds information on pricing and license model, high-level technology descriptions and other detail. The document is of global importance because Skype is used by tens or hundreds of millions of people daily to communicate voice calls and Skype (owned by Ebay, Inc) promotes these calls as being encrypted and secure. The technology includes interception boxes, key forwarding trojans and anonymous proxies to hide police communications.

Cyber-attack on Estonia may not have come from Russia

Bah! Looks as though those of us who suspected Vladimir Putin of testing cyberwarfare techniques on plucky little Estonia were wrong. At any rate, this ArsTechnica report says that the DDoS attacks were the work of a single disaffected individual.

Last May, the web sites of a number of high-ranking Estonian politicians and businesses were attacked over a period of several weeks. At the time, relations between Russia and Estonia were chillier than usual, due in part to the Estonian government’s plans to move a World War II-era memorial known as the Bronze Soldier (pictured below at its original location) away from the center of the city and into a cemetery. The country’s plan was controversial, and led to protests that were often led by the country’s ethnic Russian minority. When the cyberattacks occurred, Estonia claimed that Russia was either directly or indirectly involved—an allegation that the Russian government denied. Almost a year later, the Russian government appears to have been telling the truth about its involvement (or lack thereof) in the attacks against Estonia. As InfoWorld reports, an Estonian youth has been arrested for the attacks, and current evidence suggests he was acting independently—prosecutors in Estonia have stated they have no other suspects. Because the attacks were botnet-driven and launched from servers all over the globe, however, it’s impossible to state definitively that only a single individual was involved…

Charles Arthur has a rueful post on this too.

Has AT&T lost its marbles?

Tim Wu has an intriguing piece in Slate Magazine in which he ponders the implications of AT&T’s announcement that it is seriously considering plans to examine all the traffic it carries for potential violations of U.S. intellectual property laws. (A similar idea is about to be foisted on UK ISPs by Gordon Broon & Co.)

“No one knows exactly what AT&T is proposing to build”, he writes. “But if the company means what it says, we’re looking at the beginnings of a private police state. That may sound like hyperbole, but what else do you call a system designed to monitor millions of people’s Internet consumption? That’s not just Orwellian; that’s Orwell.”

That’s just the civil libertarian aspect of the idea. The interesting thing is that the commercial downsides could be catastrophic — for AT&T.

The most serious problems for AT&T may be legal. Since the beginnings of the phone system, carriers have always wanted to avoid liability for what happens on their lines, be it a bank robbery or someone’s divorce. Hence the grand bargain of common carriage: The Bell company carried all conversations equally, and in exchange bore no liability for what people used the phone for. Fair deal.

AT&T’s new strategy reverses that position and exposes it to so much potential liability that adopting it would arguably violate AT&T’s fiduciary duty to its shareholders. Today, in its daily Internet operations, AT&T is shielded by a federal law that provides a powerful immunity to copyright infringement. The Bells know the law well: They wrote and pushed it through Congress in 1998, collectively spending six years and millions of dollars in lobbying fees to make sure there would be no liability for “Transitory Digital Network Communications”—content AT&T carries over the Internet. And that’s why the recording industry sued Napster and Grokster, not AT&T or Verizon, when the great music wars began in the early 2000s.

Here’s the kicker: To maintain that immunity, AT&T must transmit data “without selection of the material by the service provider” and “without modification of its content.” Once AT&T gets in the business of picking and choosing what content travels over its network, while the law is not entirely clear, it runs a serious risk of losing its all-important immunity. An Internet provider voluntarily giving up copyright immunity is like an astronaut on the moon taking off his space suit. As the world’s largest gatekeeper, AT&T would immediately become the world’s largest target for copyright infringement lawsuits….

Tim Wu is a great commentator on this stuff, and this is an especially good piece.

How not to get eaten by a lion

Intriguing essay by Bruce Schneier, with extrapolations from his experience on safari to Homeland Security…

If you encounter an aggressive lion, stare him down. But not a leopard; avoid his gaze at all costs. In both cases, back away slowly; don’t run. If you stumble on a pack of hyenas, run and climb a tree; hyenas can’t climb trees. But don’t do that if you’re being chased by an elephant; he’ll just knock the tree down. Stand still until he forgets about you.

I spent the last few days on safari in a South African game park, and this was just some of the security advice we were all given. What’s interesting about this advice is how well-defined it is. The defenses might not be terribly effective — you still might get eaten, gored or trampled — but they’re your best hope. Doing something else isn’t advised, because animals do the same things over and over again. These are security countermeasures against specific tactics.

Lions and leopards learn tactics that work for them, and I was taught tactics to defend myself. Humans are intelligent, and that means we are more adaptable than animals. But we’re also, generally speaking, lazy and stupid; and, like a lion or hyena, we will repeat tactics that work. Pickpockets use the same tricks over and over again. So do phishers, and school shooters. If improvised explosive devices didn’t work often enough, Iraqi insurgents would do something else.

So security against people generally focuses on tactics as well.

A friend of mine recently asked me where she should hide her jewelry in her apartment, so that burglars wouldn’t find it. Burglars tend to look in the same places all the time — dresser tops, night tables, dresser drawers, bathroom counters — so hiding valuables somewhere else is more likely to be effective, especially against a burglar who is pressed for time. Leave decoy cash and jewelry in an obvious place so a burglar will think he’s found your stash and then leave. Again, there’s no guarantee of success, but it’s your best hope.

The key to these countermeasures is to find the pattern: the common attack tactic that is worth defending against. That takes data. A single instance of an attack that didn’t work — liquid bombs, shoe bombs — or one instance that did — 9/11 — is not a pattern. Implementing defensive tactics against them is the same as my safari guide saying: “We’ve only ever heard of one tourist encountering a lion. He stared it down and survived. Another tourist tried the same thing with a leopard, and he got eaten. So when you see a lion….” The advice I was given was based on thousands of years of collective wisdom from people encountering African animals again and again.

Compare this with the Transportation Security Administration’s approach. With every unique threat, TSA implements a countermeasure with no basis to say that it helps, or that the threat will ever recur.

Furthermore, human attackers can adapt more quickly than lions. A lion won’t learn that he should ignore people who stare him down, and eat them anyway. But people will learn. Burglars now know the common “secret” places people hide their valuables — the toilet, cereal boxes, the refrigerator and freezer, the medicine cabinet, under the bed — and look there. I told my friend to find a different secret place, and to put decoy valuables in a more obvious place…

Apple sells DRM-free music. Throws in your personal data for free

Well, well. I’d been wondering about this, and now ArsTechnica confirms it:

With great power comes great responsibility, and apparently with DRM-free music comes files embedded with identifying information. Such is the situation with Apple’s new DRM-free music: songs sold without DRM still have a user’s full name and account e-mail embedded in them, which means that dropping that new DRM-free song on your favorite P2P network could come back to bite you.

We started examining the files this morning and noticed our names and e-mail addresses in the files, and we’ve found corroboration of the find at TUAW, as well. But there’s more to the story: Apple embeds your account information in all songs sold on the store, not just DRM-free songs. Previously it wasn’t much of a big deal, since no one could imagine users sharing encrypted, DRMed content. But now that DRM-free music from Apple is on the loose, the hidden data is more significant since it could theoretically be used to trace shared tunes back to the original owner. It must also be kept in mind that this kind of information could be spoofed.

Concerned users could convert selections to MP3, but there will be a generational loss in quality resulting from the transcoding. We also have to wonder: who is buying DRM-free music with the plans of slapping it up on a P2P share, anyway? It’s not like there aren’t dozens of other ways to get access to music without paying for it…

The real Web 2.0

Nick Carr has an interesting post about what’s going on under the hood, as it were. It’s started me brooding…

Web 2.0 isn’t about applications. It’s about bricks and mortar. It’s about capital assets. It’s about infrastructure.

Yesterday, Google formally announced that, in addition to building a big utility computing plant in Lenoir, it will also build one a little to the south, at a 520-acre site in Mt. Holly, South Carolina, near Charleston. The company will be reimbursed by the state for some of its building expenses, and, the governor reports, legislators have “updated the state tax code to exempt the electricity and the capital investment in equipment necessary for this kind of a facility … from sales tax,” an exemption similar to one granted manufacturers. Google expects to invest $600 million in the facility and hire a modest 200 workers to man the largely automated plant. Google may also build yet another data center in Columbia, South Carolina.

At a pork barbecue celebrating the announcement of the data center deal, Google held a question and answer session with local dignitaries, but it was characteristically closed-mouthed about the details of its operation. Asked how it uses water and electricity at its sites, Google executive Rhett Weiss said, “We’re in a highly competitive industry and, frankly, one or two little pieces of information like that in the hands of our competitors can do us considerable damage. So we can’t discuss it.”

He goes on to discuss what Microsoft is doing in the infrastructure line too.

The local paper’s account of the Google deal is hilarious. Sample:

The company hopes to open its first building by December and the second building 18 months later.

It plans to begin advertising for the leadership positions on its Web site by next week at the latest.

Chris Kerrigan, president of the Trident United Way, said Google and Alcoa donated the money from the timber sale to Links to Success, a program that tries to keep children in schools in Dorchester and Berkeley counties.

Berkeley County Supervisor Dan Davis also praised the company for writing the county a check for $4.34 million for the right to tap into the water system.

Davis said the company could have spread the payment out over 30 years if it had wanted to.

John Scarborough, the county’s director of economic development, said the company’s annual payroll in Berkeley County will be about $12 million to $15 million, much of which will be spent in the area.

He said luring Google will be a major status symbol for Berkeley County.

“It shows companies that in Berkeley County we can handle the big projects, we can handle them professionally and confidentially, and we can solve problems that need to be solved,” he said.