Saturday, June 18, 2005

New Crypto-Gram Newsletter

“In this issue:
  • 2005 Internet Attack Trends
  • Stupid People Buy Fake Concert Tickets

    Only an idiot would buy a printout from a scalper, because there's no way to verify that he will only sell it once. This is probably obvious to anyone reading this, but it turns out that it's not obvious to everyone.

  • Backscatter X-Ray Technology

    Backscatter X-ray technology is a method of using X rays to see inside objects. The science is complicated, but the upshot is that you can see people naked.

  • Crypto-Gram Reprints
  • Insider Attacks
  • Accuracy of Commercial Data Brokers

    From the press release: "100% of the eleven participants in the study discovered errors in background check reports provided by ChoicePoint. The majority of participants found errors in even the most basic biographical information: name, social security number, address and phone number (in 67% of Acxiom reports, 73% of ChoicePoint reports). Moreover, over 40% of participants did not receive their reports from Acxiom -- and the ones who did had to wait an average of three months from the time they requested their information until they received it."

  • News
  • Eric Schmidt on Secrecy and Security

    "Schmidt: Transparency is not necessarily the only way you achieve security. For example, part of the encryption algorithms are not typically made available to the open source community, because you don't want people discovering flaws in the encryption."

    Actually, he's wrong. Everything about an encryption algorithm should always be made available to everyone.

  • U.S. Medical Privacy Law Gutted

    The civil penalties have long been viewed as irrelevant by the healthcare industry. Now the criminal penalties have been gutted. The Justice Department has ruled that the criminal penalties apply to insurers, doctors, hospitals, and other providers -- but not necessarily their employees or outsiders who steal personal health data. This means that if an employee mishandles personal data, he cannot be prosecuted under HIPAA unless his boss told him to do it. And the provider cannot be prosecuted unless it is official organization policy.

  • Risks of Cell Phones on Airplanes
  • Billions Wasted on Anti-Terrorism Security

    "Among the problems:

    "Radiation monitors at ports and borders that cannot differentiate between radiation emitted by a nuclear bomb and naturally occurring radiation from everyday material like cat litter or ceramic tile.

    "Air-monitoring equipment in major cities that is only marginally effective because not enough detectors were deployed and were sometimes not properly calibrated or installed. They also do not produce results for up to 36 hours -- long after a biological attack would potentially infect thousands of people.

    "Passenger-screening equipment at airports that auditors have found is no more likely than before federal screeners took over to detect whether someone is trying to carry a weapon or a bomb aboard a plane.

    "Postal Service machines that test only a small percentage of mail and look for anthrax but no other biological agents."

    The Washington Post had a series of articles. The first lists some more problems:

    "The contract to hire airport passenger screeners grew to $741 million from $104 million in less than a year. The screeners are failing to detect weapons at roughly the same rate as shortly after the attacks.

    "The contract for airport bomb-detection machines ballooned to at least $1.2 billion from $508 million over 18 months. The machines have been hampered by high false-alarm rates.

    "A contract for a computer network called US-VISIT to screen foreign visitors could cost taxpayers $10 billion. It relies on outdated technology that puts the project at risk.

    "Radiation-detection machines worth a total of a half-billion dollars deployed to screen trucks and cargo containers at ports and borders have trouble distinguishing between highly enriched uranium and common household products. The problem has prompted costly plans to replace the machines."

  • Counterpane News
  • Attack on the Bluetooth Pairing Process

    According to the Bluetooth specification, PINs can be up to 128 bits long. Unfortunately, most manufacturers have standardized on a four decimal-digit PIN. This attack can crack that 4-digit PIN in less than 0.3 sec on an old Pentium III 450 MHz computer, and in 0.06 sec on a Pentium IV 3 GHz HT computer.

    And it's not just the PIN; the entire protocol was badly designed.

    At first glance, this attack isn't a big deal. It only works if you can eavesdrop on the pairing process. Pairing is something that occurs rarely, and generally in the safety of your home or office. But the authors have figured out how to force a pair of Bluetooth devices to repeat the pairing process, allowing them to eavesdrop on it. They pretend to be one of the two devices, and send a message to the other claiming to have forgotten the link key. This prompts the other device to discard the key, and the two then begin a new pairing session.

    Taken together, this is an impressive result. I can't be sure, but I believe it would allow an attacker to take control of someone's Bluetooth devices. Certainly it allows an attacker to eavesdrop on someone's Bluetooth network.

    Combined with the long-range Bluetooth "sniper rifle," Bluetooth has a serious security problem.

  • Password Safe 2.11
  • Public Disclosure of Personal Data Loss
  • Holding Computer Files Hostage
  • White Powder Anthrax Hoaxes
  • Comments from Readers

http://www.schneier.com/crypto-gram-0506.html
