Saturday, June 18, 2005

New Crypto-Gram Newsletter

“In this issue:
  • 2005 Internet Attack Trends
  • Stupid People Buy Fake Concert Tickets

    Only an idiot would buy a printout from a scalper, because there's no way to verify that he will only sell it once. This is probably obvious to anyone reading this, but it turns out that it's not obvious to everyone.

  • Backscatter X-Ray Technology

    Backscatter X-ray technology is a method of using X rays to see inside objects. The science is complicated, but the upshot is that you can see people naked.

  • Crypto-Gram Reprints
  • Insider Attacks
  • Accuracy of Commercial Data Brokers

    From the press release: "100% of the eleven participants in the study discovered errors in background check reports provided by ChoicePoint. The majority of participants found errors in even the most basic biographical information: name, social security number, address and phone number (in 67% of Acxiom reports, 73% of ChoicePoint reports). Moreover, over 40% of participants did not receive their reports from Acxiom -- and the ones who did had to wait an average of three months from the time they requested their information until they received it."

  • News
  • Eric Schmidt on Secrecy and Security

    "Schmidt: Transparency is not necessarily the only way you achieve security. For example, part of the encryption algorithms are not typically made available to the open source community, because you don't want people discovering flaws in the encryption."

    Actually, he's wrong. Everything about an encryption algorithm should always be made available to everyone.

  • U.S. Medical Privacy Law Gutted

    The civil penalties have long been viewed as irrelevant by the healthcare industry. Now the criminal penalties have been gutted. The Justice Department has ruled that the criminal penalties apply to insurers, doctors, hospitals, and other providers -- but not necessarily their employees or outsiders who steal personal health data. This means that if an employee mishandles personal data, he cannot be prosecuted under HIPAA unless his boss told him to do it. And the provider cannot be prosecuted unless it is official organization policy.

  • Risks of Cell Phones on Airplanes
  • Billions Wasted on Anti-Terrorism Security

    "Among the problems:

    "Radiation monitors at ports and borders that cannot differentiate between radiation emitted by a nuclear bomb and naturally occurring radiation from everyday material like cat litter or ceramic tile.

    "Air-monitoring equipment in major cities that is only marginally effective because not enough detectors were deployed and were sometimes not properly calibrated or installed. They also do not produce results for up to 36 hours -- long after a biological attack would potentially infect thousands of people.

    "Passenger-screening equipment at airports that auditors have found is no more likely than before federal screeners took over to detect whether someone is trying to carry a weapon or a bomb aboard a plane.

    "Postal Service machines that test only a small percentage of mail and look for anthrax but no other biological agents."

    The Washington Post had a series of articles. The first lists some more problems:

    "The contract to hire airport passenger screeners grew to $741 million from $104 million in less than a year. The screeners are failing to detect weapons at roughly the same rate as shortly after the attacks.

    "The contract for airport bomb-detection machines ballooned to at least $1.2 billion from $508 million over 18 months. The machines have been hampered by high false-alarm rates.

    "A contract for a computer network called US-VISIT to screen foreign visitors could cost taxpayers $10 billion. It relies on outdated technology that puts the project at risk.

    "Radiation-detection machines worth a total of a half-billion dollars deployed to screen trucks and cargo containers at ports and borders have trouble distinguishing between highly enriched uranium and common household products. The problem has prompted costly plans to replace the machines."

  • Counterpane News
  • Attack on the Bluetooth Pairing Process

    According to the Bluetooth specification, PINs can be up to 128 bits long. Unfortunately, most manufacturers have standardized on a four decimal-digit PIN. This attack can crack that 4-digit PIN in less than 0.3 sec on an old Pentium III 450MHz computer, and in 0.06 sec on a Pentium IV 3GHz HT computer.

    And it's not just the PIN; the entire protocol was badly designed.

    At first glance, this attack isn't a big deal. It only works if you can eavesdrop on the pairing process. Pairing is something that occurs rarely, and generally in the safety of your home or office. But the authors have figured out how to force a pair of Bluetooth devices to repeat the pairing process, allowing them to eavesdrop on it. They pretend to be one of the two devices, and send a message to the other claiming to have forgotten the link key. This prompts the other device to discard the key, and the two then begin a new pairing session.

    Taken together, this is an impressive result. I can't be sure, but I believe it would allow an attacker to take control of someone's Bluetooth devices. Certainly it allows an attacker to eavesdrop on someone's Bluetooth network.

    Combined with the long-range Bluetooth "sniper rifle," Bluetooth has a serious security problem.

  • Password Safe 2.11
  • Public Disclosure of Personal Data Loss
  • Holding Computer Files Hostage
  • White Powder Anthrax Hoaxes
  • Comments from Readers”
http://www.schneier.com/crypto-gram-0506.html

Encrypted Lockbox Aims to Clean Up Password Clutter

According to Schneier's PasswordSafe documentation, users normally write their passwords on pieces of paper, leaving accounts vulnerable to thieves or internal snoops.

In some cases, users work around the confusion by choosing the same password for different applications, which presents a bigger risk if that password gets hijacked.

PasswordSafe uses the popular Blowfish encryption algorithm and appeals to users with a simple, user-friendly interface.

“Bruce Schneier's PasswordSafe lockbox, which provides a free utility for users to encrypt and manage multiple passwords on a computer, is ready for a new phase of open-source development.

The celebrated cryptographer, who is credited with designing or co-designing several widely used encryption algorithms, announced the release of Version 2.1 of the database utility as a full-fledged open-source project at SourceForge.

In a blog entry, Schneier said the project is now being managed by Rony Shapiro, a British programmer specializing in network security.

Schneier, who is founder and chief technology officer of Counterpane Internet Security Inc., said the tool is perfect for Web users who struggle to remember all their usernames and passwords.

"I have long advocated writing them all down on a piece of paper and putting it in your wallet, [but] I designed PasswordSafe as another solution," he explained.

He said the tool offers "security through simplicity" by encrypting all of a user's passwords using a single passphrase. …”

Schneier on Security

Currently, Password Safe is an open source project at SourceForge, and is run by Rony Shapiro. Thank you to him and to all the other programmers who worked on the project.

Note that my Password Safe is not the same as this, this, this, or this PasswordSafe. (I should have picked a more obscure name for the program.)

It is the same as this, for the PocketPC.

http://www.schneier.com/blog/archives/2005/06/password_safe.html

http://www.eweek.com/article2/0,1759,1828954,00.asp?kc=ewnws061705dtx1k0000599

Friday, June 17, 2005

Contrary Brin: Networks and Netwar

“This week I'd like to point attention to an interesting article by one of the smartest guys in Santa Monica, California. David Ronfeldt works for the Rand Corporation, the original 'think tank' which ponders many imponderables for the more far-seeing (and currently beleaguered) parts of the federal government. It has been posted on RAND's website at
http://www.rand.org/publications/RP/RP1169/.

This paper -- written in 2002 and now a chapter in a new book (Environmentalism and the Technologies of Tomorrow, Island Press, 2005) -- speculates about the future of the environmental movement as a function of its increasing use of network forms of organization and related strategies and technologies attuned to the information age. The paper does so by nesting the movement's potential in a theoretical framework about social evolution.

This framework holds that people have developed four major forms for organizing their societies: first tribes, then hierarchical institutions, then markets, and now networks. The emergence of a new, network-based realm augurs a major rebalancing in relations among government, market, and civil-society actors. In the near term (years), there will be continuing episodes of social conflict as some environmental groups press their case, often by using netwar and swarming strategies. …”