Schneier on Security

A blog covering security and security technology.

Open Source Laptop Tracking Service

Adeona. Looks good.

Posted on July 24, 2008 at 11:59 AM • 17 Comments • View Blog Reactions

Anti-Terrorism Stupidity at Yankee Stadium

They're confiscating sunscreen at Yankee Stadium:

The team contends that sunscreen has long been on the list of stadium contraband, but there is no mention of it on the Yankee Web site.

Four weeks ago, Stadium officials decided that sunscreen of all sizes and varieties would not be permitted, a security supervisor told The Post before last night's game.

"There have been a lot of complaints," he said. "We tell them to apply once and then throw it out."

For fans who bring babies or young children to cheer on the home team, the guard had suggested they "beg" to take the sunblock in.

Seeing the giant bag full of confiscated sunscreen Saturday, one steaming Yankee fan asked whether he could take one of the tubes and apply it before heading into the park.

"Absolutely not," the guard told him. "What if you get a rash? You might sue the Yankees."

Next, I suppose, is confiscating liquids at pools.

We've collectively lost our minds.

This story has a happy ending, though. A day after The New York Post published this story, Yankee Stadium reversed its ban. Now, if only the Post had that same effect on airport security.

Posted on July 24, 2008 at 6:50 AM • 35 Comments • View Blog Reactions

Information Security and Liabilities

In my fourth column for the Guardian last Thursday, I talk about information security and liabilities:

Last summer, the House of Lords Science and Technology Committee issued a report on "Personal Internet Security." I was invited to give testimony for that report, and one of my recommendations was that software vendors be held liable when they are at fault. Their final report included that recommendation. The government rejected the recommendations in that report last autumn, and last week the committee issued a report on their follow-up inquiry, which still recommends software liabilities.

Good for them.

I'm not implying that liabilities are easy, or that all the liability for security vulnerabilities should fall on the vendor. But the courts are good at partial liability. Any automobile liability suit has many potential responsible parties: the car, the driver, the road, the weather, possibly another driver and another car, and so on. Similarly, a computer failure has several parties who may be partially responsible: the software vendor, the computer vendor, the network vendor, the user, possibly another hacker, and so on. But we're never going to get there until we start. Software liability is the market force that will incentivise companies to improve their software quality – and everyone's security.

Posted on July 23, 2008 at 3:09 PM • 52 Comments • View Blog Reactions

Speed Cameras Record Every Car

In this article about British speed cameras, and a trick to avoid them that does not work, is this sentence:

As vehicles pass between the entry and exit camera points their number plates are digitally recorded, whether speeding or not.

Without knowing more, I can guarantee that those records are kept forever.

Posted on July 23, 2008 at 5:32 AM • 64 Comments • View Blog Reactions

Washington DC Metro Farecard Hack

Clever:

Thieves took a legitimate paper Farecard with $40 in value, sliced the card's magnetic strip into four lengthwise pieces, and then reattached one piece each to four separate defunct paper Farecards. The thieves then took the doctored Farecards to a Farecard machine and added fare, typically a nickel. By doing so, the doctored Farecard would go into the machine and a legitimate Farecard with the new value, $40.05, would come out.

My guess is that the thieves were caught not through some fancy technology, but because they had to monetize their attack. They sold farecards on the street for half face value.

Posted on July 22, 2008 at 12:29 PM • 27 Comments • View Blog Reactions

The Case of the Stolen Blackberry and the Awesome Chinese Hacking Skills

A high-level British government employee had his Blackberry stolen by Chinese intelligence:

The aide, a senior Downing Street adviser who was with the prime minister on a trip to China earlier this year, had his BlackBerry phone stolen after being picked up by a Chinese woman who had approached him in a Shanghai hotel disco.

The aide agreed to return to his hotel with the woman. He reported the BlackBerry missing the next morning.

That can't look good on your annual employee review.

But it's this part of the article that has me confused:

Experts say that even if the aide’s device did not contain anything top secret, it might enable a hostile intelligence service to hack into the Downing Street server, potentially gaining access to No 10’s e-mail traffic and text messages.

Um, what? I assume the IT department just turned off the guy's password. Was this nonsense peddled to the press by the UK government, or is some "expert" trying to sell us something? The article doesn't say.

EDITED TO ADD (7/22): The first commenter makes a good point, which I didn't think of. The article says that it's Chinese intelligence:

A senior official said yesterday that the incident had all the hallmarks of a suspected honeytrap by Chinese intelligence.

But Chinese intelligence would be far more likely to clone the Blackberry and then return it. Much better infomation that way. This is much more likely to be petty theft.

EDITED TO ADD (7/23): The more I think about this story, the less sense it makes. If you're a Chinese intelligence officer and you manage to get an aide to the British Prime Minister to have sex with one of your agents, you're not going to immediately burn him by stealing his Blackberry. That's just stupid.

Posted on July 22, 2008 at 10:05 AM • 39 Comments • View Blog Reactions

Scary Knife Makes for Great Newspaper Headlines

Who can not feel a little chill of fear after reading this: "Britain on alert for deadly new knife with exploding tip that freezes victims' organs."

Yes, it's real. The knife is designed for people who need to drop large animals quickly: sharks, bears, etc.

I have no idea why Britain is on alert for it, though.

EDITED TO ADD (7/24): Knife crime is rising in the UK.

Posted on July 21, 2008 at 6:12 AM • 61 Comments • View Blog Reactions

Cost/Benefit Analysis of Airline Security

This report, "Assessing the risks, costs and benefits of United States aviation security measures" by Mark Stewart and John Mueller, is excellent reading:

The United States Office of Management and Budget has recommended the use of cost-benefit assessment for all proposed federal regulations. Since 9/11 government agencies in Australia, United States, Canada, Europe and elsewhere have devoted much effort and expenditure to attempt to ensure that a 9/11 type attack involving hijacked aircraft is not repeated. This effort has come at considerable cost, running in excess of US$6 billion per year for the United States Transportation Security Administration (TSA) alone. In particular, significant expenditure has been dedicated to two aviation security measures aimed at preventing terrorists from hijacking and crashing an aircraft into buildings and other infrastructure: (i) Hardened cockpit doors and (ii) Federal Air Marshal Service. These two security measures cost the United States government and the airlines nearly $1 billion per year. This paper seeks to discover whether aviation security measures are cost-effective by considering their effectiveness, their cost and expected lives saved as a result of such expenditure. An assessment of the Federal Air Marshal Service suggests that the annual cost is $180 million per life saved. This is greatly in excess of the regulatory safety goal of $1-$10 million per life saved. As such, the air marshal program would seem to fail a cost-benefit analysis. In addition, the opportunity cost of these expenditures is considerable, and it is highly likely that far more lives would have been saved if the money had been invested instead in a wide range of more cost-effective risk mitigation programs. On the other hand, hardening of cockpit doors has an annual cost of only $800,000 per life saved, showing that this is a cost-effective security measure.

From the body:

Hardening cockpit doors has the highest risk reduction (16.67%) at lowest additional cost of $40 million. On the other hand, the Federal Air Marshal Service costs $900 million pa but reduces risk by only 1.67%. The Federal Air Marshal Service may be more cost-effective if it is able to show extra benefit over the cheaper measure of hardening cockpit doors. However, the Federal Air Marshal Service seems to have significantly less benefit which means that hardening cockpit doors is the more cost-effective measure.

Cost-benefit analysis is definitely the way to look at these security measures. It's hard for people to do, because it requires putting a dollar value on a human life -- something we can't possibly do with our own. But as a society, it is something we do again and again: when we raise or lower speed limits, when we ban a certain pesticide, when we enact building codes. Insurance companies do it all the time. We do it implicitly, because we can't talk about it explicitly. I think there is considerable value in talking about it.

(Note the table on page 5 of the report, which lists the cost per lives saved for a variety of safety and security measures.)

The final paper will eventually be published in the Journal of Transportation Security. I never even knew there was such a thing.

Posted on July 21, 2008 at 5:53 AM • 22 Comments • View Blog Reactions

Friday Squid Blogging: Researching the Reproductive Habits of Giant Squids

I sure want to know more:

Giants have very strange sexual behaviour where the male has a metre-long muscular penis that he uses a bit like a nail gun and shoots cords of sperm under the skin of the female's arms and she carries the sperm around with her until she is ready to lay her big jelly mass of a million eggs.

Posted on July 18, 2008 at 4:05 PM • 7 Comments • View Blog Reactions

Funny Radio Skit on Identity Theft

By Mitchell & Webb.

Posted on July 18, 2008 at 1:21 PM • 18 Comments • View Blog Reactions

Midazolam as a Non-Lethal Weapon

Did you know that, in some jurisdictions, police can inject midazolam into suspects to subdue them?

"There is no research guideline. There is no validated protocol for this. There's not even a clear set of indications for when this is to be used except when people are agitated. By saying that it's done by the emergency medical personnel, they basically are trying to have it both ways. That is, they’re trying to use a medical protocol that is not validated, not for a police function, arrest and detention," Miles said.

"The decision to administer Versed is based purely on a paramedic decision, not a police decision," Slovis said.

It's up to the officer to call an ambulance and determine if a person is in a condition called excited delirium.

"I don't know if I would use the word diagnosing, but they are assessing the situation and saying, 'This person is not acting rationally. This is something I've been trained to recognize, this seems like excited delirium.' I don't view delirium in the field as a police function. It is a medical emergency. We're giving the drug Versed that's routinely used in thousands of health care settings across the country in the field by trained paramedics. I view what we're doing as the best possible medical practice to a medical emergency," Slovis said.

The biggest side effect is amnesia, which makes it harder for any defendent to defend himself in court.

Posted on July 18, 2008 at 11:28 AM • 65 Comments • View Blog Reactions

TrueCrypt's Deniable File System

Together with Tadayoshi Kohno, Steve Gribble, and three of their students at the University of Washington, I have a new paper that breaks the deniable encryption feature of TrueCrypt version 5.1a. Basically, modern operating systems leak information like mad, making deniability a very difficult requirement to satisfy.

ABSTRACT: We examine the security requirements for creating a Deniable File System (DFS), and the efficacy with which the TrueCrypt disk-encryption software meets those requirements. We find that the Windows Vista operating system itself, Microsoft Word, and Google Desktop all compromise the deniability of a TrueCrypt DFS. While staged in the context of TrueCrypt, our research highlights several fundamental challenges to the creation and use of any DFS: even when the file system may be deniable in the pure, mathematical sense, we find that the environment surrounding that file system can undermine its deniability, as well as its contents. Finally, we suggest approaches for overcoming these challenges on modern operating systems like Windows.

The students did most of the actual work. I helped with the basic ideas, and contributed the threat model. Deniability is a very hard feature to achieve.

There are several threat models against which a DFS could potentially be secure:

• One-Time Access. The attacker has a single snapshot of the disk image. An example would be when the secret police seize Alice’s computer.
• Intermittent Access. The attacker has several snapshots of the disk image, taken at different times. An example would be border guards who make a copy of Alice’s hard drive every time she enters or leaves the country.
• Regular Access. The attacker has many snapshots of the disk image, taken in short intervals. An example would be if the secret police break into Alice’s apartment every day when she is away, and make a copy of the disk each time.

Since we wrote our paper, TrueCrypt released version 6.0 of its software, which claims to have addressed many of the issues we've uncovered. In the paper, we said:

We analyzed the most current version of TrueCrypt available at the writing of the paper, version 5.1a. We shared a draft of our paper with the TrueCrypt development team in May 2008. TrueCrypt version 6.0 was released in July 2008. We have not analyzed version 6.0, but observe that TrueCrypt v6.0 does take new steps to improve TrueCrypt’s deniability properties (e.g., via the creation of deniable operating systems, which we also recommend in Section 5). We suggest that the breadth of our results for TrueCrypt v5.1a highlight the challenges to creating deniable file systems. Given these potential challenges, we encourage the users not to blindly trust the deniability of such systems. Rather, we encourage further research evaluating the deniability of such systems, as well as research on new yet light-weight methods for improving deniability.

So we cannot break the deniability feature in TrueCrypt 6.0. But, honestly, I wouldn't trust it.

There have been two news articles (and a SlashDot thread) about the paper.

One talks about a generalization to encrypted partitions. If you don't encrypt the entire drive, there is the possibility -- and it seems very probable -- that information about the encrypted partition will leak onto the unencrypted rest of the drive. Whole disk encryption is the smartest option.

Our paper will be presented at the 3rd USENIX Workshop on Hot Topics in Security (HotSec '08). I've written about deniability before.

Posted on July 18, 2008 at 6:56 AM • 62 Comments • View Blog Reactions

Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.