[Nolug] Fwd: CRYPTO-GRAM, January 15, 2014

From: Joey Kelly <joey_at_joeykelly.net>
Date: Wed, 15 Jan 2014 09:50:47 -0600
Message-ID: <52D6AE57.9000000@joeykelly.net>

You'll want to at least skim through this one.

--Joey

-------- Original Message --------
Subject: CRYPTO-GRAM, January 15, 2014
Date: Wed, 15 Jan 2014 01:52:54 -0600
From: Bruce Schneier <schneier@schneier.com>
To: joey@joeykelly.net
CC: Crypto-Gram Mailing List <crypto-gram@schneier.com>

           CRYPTO-GRAM

         January 15, 2014

         by Bruce Schneier
       CTO, Co3 Systems, Inc.
       schneier@schneier.com
      http://www.schneier.com

A free monthly newsletter providing summaries, analyses, insights, and
commentaries on security: computer and otherwise.

For back issues, or to subscribe, visit
<http://www.schneier.com/crypto-gram.html>.

You can read this issue on the web at
<http://www.schneier.com/crypto-gram-1401.html>. These same essays and
news items appear in the "Schneier on Security" blog at
<http://www.schneier.com/blog>, along with a lively and intelligent
comment section. An RSS feed is available.

** *** ***** ******* *********** *************

In this issue:
     How the NSA Threatens National Security
     NSA Exploit of the Day
     Tor User Identified by FBI
     News
     Security Risks of Embedded Systems
     Schneier News
     Schneier News: I've Joined Co3 Systems
     Twitter Users: Please Make Sure You're Following the Right Feed

** *** ***** ******* *********** *************

     How the NSA Threatens National Security

Secret NSA eavesdropping is still in the news. Details about once secret
programs continue to leak. The Director of National Intelligence has
recently declassified additional information, and the President's Review
Group has just released its report and recommendations.

With all this going on, it's easy to become inured to the breadth and
depth of the NSA's activities. But through the disclosures, we've
learned an enormous amount about the agency's capabilities, how it is
failing to protect us, and what we need to do to regain security in the
Information Age.

First and foremost, the surveillance state is robust. It is robust
politically, legally, and technically. I can name three different NSA
programs to collect Gmail user data. These programs are based on three
different technical eavesdropping capabilities. They rely on three
different legal authorities. They involve collaborations with three
different companies. And this is just Gmail. The same is true for cell
phone call records, Internet chats, cell-phone location data.

Second, the NSA continues to lie about its capabilities. It hides behind
tortured interpretations of words like "collect," "incidentally,"
"target," and "directed." It cloaks programs in multiple code names to
obscure their full extent and capabilities. Officials testify that a
particular surveillance activity is not done under one particular
program or authority, conveniently omitting that it is done under some
other program or authority.

Third, US government surveillance is not just about the NSA. The Snowden
documents have given us extraordinary details about the NSA's
activities, but we now know that the CIA, NRO, FBI, DEA, and local
police all engage in ubiquitous surveillance using the same sorts of
eavesdropping tools, and that they regularly share information with each
other.

The NSA's collect-everything mentality is largely a hold-over from the
Cold War, when a voyeuristic interest in the Soviet Union was the norm.
Still, it is unclear how effective targeted surveillance against "enemy"
countries really is. Even when we learn actual secrets, as we did
regarding Syria's use of chemical weapons earlier this year, we often
can't do anything with the information.

Ubiquitous surveillance should have died with the fall of Communism, but
it got a new -- and even more dangerous -- life with the intelligence
community's post-9/11 "never again" terrorism mission. This quixotic
goal of preventing something from happening forces us to try to know
everything that does happen. This pushes the NSA to eavesdrop on online
gaming worlds and on every cell phone in the world. But it's a fool's
errand; there are simply too many ways to communicate.

We have no evidence that any of this surveillance makes us safer. NSA
Director General Keith Alexander responded to these stories in June by
claiming that he disrupted 54 terrorist plots. In October, he revised
that number downward to 13, and then to "one or two." At this point, the
only "plot" prevented was that of a San Diego man sending $8,500 to
support a Somali militant group. We have been repeatedly told that these
surveillance programs would have been able to stop 9/11, yet the NSA
didn't detect the Boston bombings -- even though one of the two
terrorists was on the watch list and the other had a sloppy social media
trail. Bulk collection of data and metadata is an ineffective
counterterrorism tool.

Not only is ubiquitous surveillance ineffective, it is extraordinarily
costly. I don't mean just the budgets, which will continue to skyrocket.
Or the diplomatic costs, as country after country learns of our
surveillance programs against their citizens. I'm also talking about the
cost to our society. It breaks so much of what our society has built. It
breaks our political systems, as Congress is unable to provide any
meaningful oversight and citizens are kept in the dark about what
government does. It breaks our legal systems, as laws are ignored or
reinterpreted, and people are unable to challenge government actions in
court. It breaks our commercial systems, as US computer products and
services are no longer trusted worldwide. It breaks our technical
systems, as the very protocols of the Internet become untrusted. And it
breaks our social systems; the loss of privacy, freedom, and liberty is
much more damaging to our society than the occasional act of random
violence.

And finally, these systems are susceptible to abuse. This is not just a
hypothetical problem. Recent history illustrates many episodes where
this information was, or would have been, abused: Hoover and his FBI
spying, McCarthy, Martin Luther King Jr. and the civil rights movement,
anti-war Vietnam protesters, and -- more recently -- the Occupy
movement. Outside the US, there are even more extreme examples. Building
the surveillance state makes it too easy for people and organizations to
slip over the line into abuse.

It's not just domestic abuse we have to worry about; it's the rest of
the world, too. The more we choose to eavesdrop on the Internet and
other communications technologies, the less we are secure from
eavesdropping by others. Our choice isn't between a digital world where
the NSA can eavesdrop and one where the NSA is prevented from
eavesdropping; it's between a digital world that is vulnerable to all
attackers, and one that is secure for all users.

Fixing this problem is going to be hard. We are long past the point
where simple legal interventions can help. The bill in Congress to limit
NSA surveillance won't actually do much to limit NSA surveillance. Maybe
the NSA will figure out an interpretation of the law that will allow it
to do what it wants anyway. Maybe it'll do it another way, using another
justification. Maybe the FBI will do it and give it a copy. And when
asked, it'll lie about it.

NSA-level surveillance is like the Maginot Line was in the years before
World War II: ineffective and wasteful. We need to openly disclose what
surveillance we have been doing, and the known insecurities that make it
possible. We need to work toward security, even if other countries like
China continue to use the Internet as a giant surveillance platform. We
need to build a coalition of free-world nations dedicated to a secure
global Internet, and we need to continually push back against bad actors
-- both state and non-state -- that work against that goal.

Securing the Internet requires both laws and technology. It requires
Internet technology that secures data wherever it is and however it
travels. It requires broad laws that put security ahead of both domestic
and international surveillance. It requires additional technology to
enforce those laws, and a worldwide enforcement regime to deal with bad
actors. It's not easy, and has all the problems that other international
issues have: nuclear, chemical, and biological weapon non-proliferation;
small arms trafficking; human trafficking; money laundering;
intellectual property. Global information security and anti-surveillance
needs to join those difficult global problems, so we can start making
progress.

The President's Review Group recommendations are largely positive, but
they don't go nearly far enough. We need to recognize that security is
more important than surveillance, and work towards that goal.

This essay previously appeared on TheAtlantic.com.
http://www.theatlantic.com/technology/archive/2014/01/how-the-nsa-threatens-national-security/282822/
or http://tinyurl.com/ok4vydn

Newish Snowden revelations:
http://www.nytimes.com/2013/12/21/world/nsa-dragnet-included-allies-aid-groups-and-business-elite.html
or http://tinyurl.com/or8lz4e
http://www.theguardian.com/uk-news/2013/dec/20/gchq-targeted-aid-agencies-german-government-eu-commissioner
or http://tinyurl.com/pcmqpgm
http://www.spiegel.de/international/world/snowden-documents-show-gchq-targeted-european-and-german-politicians-a-940135.html
or http://tinyurl.com/oxcv5ko

Recent DNI declassifications:
http://www.theguardian.com/world/2013/dec/21/national-intelligence-bush-era-nsa-documents
or http://tinyurl.com/lxufd23
http://icontherecord.tumblr.com/post/70683717031/dni-announces-the-declassification-of-the
or http://tinyurl.com/mqqu9jg

President's Review Group report:
http://www.whitehouse.gov/sites/default/files/docs/2013-12-12_rg_final_report.pdf
or http://tinyurl.com/lj4azsg
http://www.nytimes.com/2013/12/20/opinion/protecting-citizens-and-their-privacy.html
or http://tinyurl.com/nfjnrub

The three different GMail collection programs:
http://www.washingtonpost.com/investigations/us-intelligence-mining-data-from-nine-us-internet-companies-in-broad-secret-program/2013/06/06/3a0c0da8-cebf-11e2-8845-d970ccb04497_story.html
or http://tinyurl.com/mm3ttqt
http://www.washingtonpost.com/world/national-security/nsa-collects-millions-of-e-mail-address-books-globally/2013/10/14/8e58b5be-34f9-11e3-80c6-7e6dd8d22d8f_story.html
or http://tinyurl.com/kn8ld96
http://www.washingtonpost.com/world/national-security/nsa-infiltrates-links-to-yahoo-google-data-centers-worldwide-snowden-documents-say/2013/10/30/e51d661e-4166-11e3-8b74-d89d714ca4dd_story.html
or http://tinyurl.com/jwzxh77

Cell-phone location data collection:
http://www.washingtonpost.com/world/national-security/nsa-tracking-cellphone-locations-worldwide-snowden-documents-show/2013/12/04/5492873a-5cf2-11e3-bc56-c6ca94801fac_story.html
or http://tinyurl.com/nu4h5s9
http://www.washingtonpost.com/blogs/the-switch/wp/2013/12/10/new-documents-show-how-the-nsa-infers-relationships-based-on-mobile-location-data/
or http://tinyurl.com/opjhjko

NSA lying:
http://www.theatlantic.com/politics/archive/2013/12/new-evidence-that-the-head-of-the-nsa-misled-us/282365/
or http://tinyurl.com/kjyd43o

NSA redefining words:
https://www.eff.org/deeplinks/2013/06/director-national-intelligences-word-games-explained-how-government-deceived
or http://tinyurl.com/ma7dk5j
http://www.newyorker.com/online/blogs/closeread/2013/12/how-to-tell-when-the-nsa-is-lying.html
or http://tinyurl.com/ly4eewu

NSA hiding behind particular programs:
http://www.theatlantic.com/politics/archive/2013/12/how-americans-were-deceived-about-cell-phone-location-data/282239/
or http://tinyurl.com/q5mt8j7

All the Snowden documents released so far:
https://www.eff.org/nsa-spying/nsadocs
https://www.aclu.org/nsa-documents-released-public-june-2013
http://cryptome.org/2013/11/snowden-tally.htm
http://www.mindmeister.com/326632176/nsa-css
http://www.tedgioia.com/nsa_facts.html

Other law-enforcement organizations that engage in national surveillance:
http://online.wsj.com/news/article_email/SB10001424052702303559504579198370113163530-lMyQjAxMTAzMDEwNDExNDQyWj
or http://tinyurl.com/q434yn7
http://arstechnica.com/tech-policy/2013/12/new-us-spy-satellite-features-world-devouring-octopus/
or http://tinyurl.com/no7yzbx
http://www.foreignpolicy.com/articles/2013/11/21/the_obscure_fbi_team_that_does_the_nsa_dirty_work
or http://tinyurl.com/mozzoyp
http://www.nytimes.com/2013/09/02/us/drug-agents-use-vast-phone-trove-eclipsing-nsas.html
or http://tinyurl.com/k2qd45z
http://www.usatoday.com/story/news/nation/2013/12/08/cellphone-data-spying-nsa-police/3902809/
or http://tinyurl.com/mxdftt8

Sharing of intelligence information between organizations:
http://www.reuters.com/article/2013/08/05/us-dea-sod-idUSBRE97409R20130805
or http://tinyurl.com/kbsc4k9
http://www.reuters.com/article/2013/08/07/us-dea-irs-idUSBRE9761AZ20130807
or http://tinyurl.com/modr5rz

The limitations of intelligence:
https://www.schneier.com/blog/archives/2013/09/the_limitations.html

The NSA's Quixotic goal:
https://www.schneier.com/blog/archives/2013/11/dan_geer_explai.html

NSA spying on online gaming worlds:
http://www.nytimes.com/2013/12/10/world/spies-dragnet-reaches-a-playing-field-of-elves-and-trolls.html
or http://tinyurl.com/mee2ubn

No evidence that NSA bulk surveillance makes us safer:
http://www.theguardian.com/commentisfree/2013/oct/08/nsa-bulk-metadata-surveillance-intelligence
or http://tinyurl.com/pt7v3eb

Alexander's 54 terrorist plots:
http://usnews.nbcnews.com/_news/2013/06/27/19175466-nsa-chief-says-surveillance-programs-helped-foil-54-plots
or http://tinyurl.com/m2tldhc

Alexander's 13 terrorist plots:
http://www.salon.com/2013/10/02/nsa_director_admits_to_misleading_public_on_terror_plots/
or http://tinyurl.com/m459sa6

Alexander's one remaining plot:
http://www.huffingtonpost.com/2013/10/23/nsa-attacks-thwarted_n_4148811.html
or http://tinyurl.com/mc3ccda

Arguments that NSA surveillance could have stopped 9/11:
http://www.washingtonpost.com/blogs/the-switch/wp/2013/10/30/heres-why-nsa-officials-never-seem-to-stop-talking-about-911/
or http://tinyurl.com/myk6s9u

Boston bombers:
http://www.reuters.com/article/2013/04/24/us-usa-explosions-boston-suspect-idUSBRE93N06720130424
or http://tinyurl.com/kk7vrwb
http://storify.com/MacleansMag/the-social-media-trail-of-tsarnaev-brothers
or http://tinyurl.com/klvz899

NSA surveillance is ineffective:
http://www.cnn.com/2013/12/30/opinion/bergen-nsa-surveillance-september-11/index.html
or http://tinyurl.com/kjvk3sr

U.S. intelligence budgets:
http://articles.washingtonpost.com/2013-08-29/world/41709796_1_intelligence-community-intelligence-spending-national-intelligence-program
or http://tinyurl.com/ov35q5q

Lack of Congressional oversight:
https://www.youtube.com/watch?v=JPnfgUkcvOk
http://www.theguardian.com/commentisfree/2013/oct/25/nsa-no-congress-oversight
or http://tinyurl.com/p8ctswu

NSA's lawbreaking:
https://www.aclu.org/national-security/nsa-collating-data-americans-facebook-gps-tax-other-records
or http://tinyurl.com/mqs3mwf
http://www.theguardian.com/commentisfree/2013/oct/16/nsa-fbi-endrun-weak-oversight
or http://tinyurl.com/kp3t92s
http://www.nationalreview.com/corner/356159/sensenbrenner-nsa-surveillance-abuse-patriot-act-john-fund
or http://tinyurl.com/l5deldt
http://www.theatlantic.com/politics/archive/2013/07/mission-creep-when-everything-is-terrorism/277844/
or http://tinyurl.com/l2ddac9

Current Congressional bills:
https://www.aclu.org/blog/national-security/usa-freedom-act-real-spying-reform
or http://tinyurl.com/mzjlyns
https://www.eff.org/deeplinks/2013/11/floor-not-ceiling-supporting-usa-freedom-act-step-towards-less-surveillance
or http://tinyurl.com/mvqew8f

Transparency and oversight:
https://www.schneier.com/essay-447.html
https://www.schneier.com/essay-435.html

Security is more important than surveillance:
http://www.schneier.com/essay-452.html

** *** ***** ******* *********** *************

     NSA Exploit of the Day

One of the top secret NSA documents published by Der Spiegel is a
50-page catalog of "implants" from the NSA's Tailored Access Group.
Because the individual implants are so varied and we saw so many at
once, most of them were never discussed in the security community.
(Also, the pages were images, which makes them harder to index and
search.) To rectify this, I am publishing an exploit a day on my blog.

In the blog comments, feel free to discuss how the exploit works, how we
might detect it, how it has probably been improved since the catalog
entry in 2008, and so on.

"DEITYBOUNCE provides software application persistence on Dell PowerEdge
servers by exploiting the motherboard BIOS and utilizing System
Management Mode (SMM) to gain periodic execution while the Operating
System loads."
https://www.schneier.com/blog/archives/2014/01/nsa_exploit_of.html

"IRONCHEF provides access persistence to target systems by exploiting
the motherboard BIOS and utilizing System Management Mode (SMM) to
communicate with a hardware implant that provides two-way RF
communication." It works on the HP Proliant 380DL G5 server.
https://www.schneier.com/blog/archives/2014/01/nsa_exploit_of_1.html

"FEEDTROUGH is a persistence technique for two software implants, DNT's
BANANAGLEE and CES's ZESTYLEAK used against Juniper Netscreen firewalls."
https://www.schneier.com/blog/archives/2014/01/feedtrough_nsa.html

"GOURMETTROUGH is a user configurable implant for certain Juniper
firewalls. It persists DNT's BANANAGLEE implant across reboots and OS
upgrades. For some platforms, it supports a minimal implant with
beaconing for OS's unsupported by BANANAGLEE."
https://www.schneier.com/blog/archives/2014/01/gourmettrough_n.html

"The HALLUXWATER Persistence Back Door implant is installed on a target
Huawei Eudemon firewall as a boot ROM upgrade. When the target reboots,
the PBD installer software will find the needed patch points and install
the back door in the inbound packet processing routine."
https://www.schneier.com/blog/archives/2014/01/halluxwater_nsa.html

"JETPLOW is a firmware persistence implant for Cisco PIX Series and ASA
(Adaptive Security Appliance) firewalls. It persists DNT's BANANAGLEE
software implant. JETPLOW also has a persistent back-door capability."
https://www.schneier.com/blog/archives/2014/01/jetplow_nsa_exp.html

"SOUFFLETROUGH is a BIOS persistence implant for Juniper SSG 500 and SSG
300 firewalls. It persists DNT's BANANAGLEE software implant.
SOUFFLETROUGH also has an advanced persistent back-door capability."
https://www.schneier.com/blog/archives/2014/01/souffletrough_n.html

"HEADWATER is a Persistent Backdoor (PDB) software implant for selected
Huawei routers. The implant will enable covert functions to be remotely
executed within the router via an Internet connection."
https://www.schneier.com/blog/archives/2014/01/headwater_nsa_e.html

"SCHOOLMONTANA provides persistence for DNT implants. The DNT implant
will survive an upgrade or replacement of the operating system --
including physically replacing the router's compact flash card."
https://www.schneier.com/blog/archives/2014/01/schoolmontana_n.html

A U.S. government employee e-mailed me, asking me not to post these on
my blog. The government has a weird policy that exposed secrets are
still secret, and government employees without clearances are prohibited
from reading the classified paragraphs. I've heard this before.
Basically, before exposure only people with a TOP SECRET clearance could
read these paragraphs. After exposure, only people without any
clearance at all can read these paragraphs. No, it doesn't make any sense.

** *** ***** ******* *********** *************

     Tor User Identified by FBI

Eldo Kim sent an e-mail bomb threat to Harvard so he could skip a final
exam. (It's just a coincidence that I was on the Harvard campus that
day.) Even though he used an anonymous account and Tor, the FBI
identified him. Reading the criminal complaint, it seems that the FBI
got itself a list of Harvard users that accessed the Tor network, and
went through them one by one to find the one who sent the threat.

This is one of the problems of using a rare security tool. The very
thing that gives you plausible deniability also makes you the most
likely suspect. The FBI didn't have to break Tor; they just used
conventional police mechanisms to get Kim to confess.

Tor didn't break; Kim did.

http://usnews.nbcnews.com/_news/2013/12/17/21943608-harvard-student-tried-to-dodge-exam-with-bomb-hoax-fbi-says
or http://tinyurl.com/oud3x95
http://www.thecrimson.com/article/2013/12/17/eldo-threats-experts-sentencing/
or http://tinyurl.com/lvok7nm
http://www.wbur.org/2013/12/18/pdf-criminal-complaint-harvard-bomb-threat
or http://tinyurl.com/oe8mrsp

** *** ***** ******* *********** *************

     News

This story is about how at least two professional online poker players
had their hotel rooms broken into and their computers infected with
malware. I agree with the conclusion: "So, what's the moral of the
story? If you have a laptop that is used to move large amounts of money,
take good care of it. Lock the keyboard when you step away. Put it in a
safe when you're not around it, and encrypt the disk to prevent off-line
access. Don't surf the web with it (use another laptop/device for that,
they're relatively cheap). This advice is true whether you're a poker
pro using a laptop for gaming or a business controller in a large
company using the computer for wiring a large amount of funds." Cheap
laptops are very cheap, especially if you buy old models off the
remainder tables at big box stores. There's no reason not to have
special purpose machines.
http://www.f-secure.com/weblog/archives/00002647.html

An interesting research paper documents a "honeymoon effect" when it
comes to software and vulnerabilities: attackers are more likely to find
vulnerabilities in older and more familiar code. It's a few years old,
but I haven't seen it before now. The paper is by Sandy Clark, Stefan
Frei, Matt Blaze, and Jonathan Smith: "Familiarity Breeds Contempt: The
Honeymoon Effect and the Role of Legacy Code in Zero-Day
Vulnerabilities," Annual Computer Security Applications Conference 2010.
http://www.acsac.org/2010/openconf/modules/request.php?module=oc_program&action=view.php&a=&id=69&type=2
or http://tinyurl.com/kkypwxz

Acoustic cryptanalysis "can extract full 4096-bit RSA decryption keys
from laptop computers (of various models), within an hour, using the
sound generated by the computer during the decryption of some chosen
ciphertexts."
http://www.cs.tau.ac.il/~tromer/acoustic/

Two long blog posts on the NSA. The first is about RSA entering into a
secret agreement with the NSA to make the backdoored DUAL_EC_PRNG the
default random number generator in their BSAFE toolkit. The real story
here is how the NSA has corroded the trust on the Internet.
https://www.schneier.com/blog/archives/2013/12/nsa_spying_who.html

The second is about the NSA Tailored Access Operations (TAO) group and
their capabilities, based on new NSA top secret documents released by
Der Spiegel. Jacob Appelbaum did a great job reporting on this stuff.
https://www.schneier.com/blog/archives/2013/12/more_about_the.html
If you read nothing else from this issue of Crypto-Gram, read those two
links.

Here is the list of NSA documents from the Der Spiegel article:
https://www.schneier.com/blog/archives/2014/01/nsa_documents_f.html

Fascinating report from Citizen Lab on the use of malware in the current
Syrian conflict.
https://www.eff.org/document/quantum-surveillance-familiar-actors-and-possible-false-flags-syrian-malware-campaigns
or http://tinyurl.com/nx3vtwu
https://www.eff.org/deeplinks/2013/12/social-engineering-and-malware-syria-eff-and-citizen-labs-latest-report-digital
or http://tinyurl.com/my7dd9j
http://www.wired.com/threatlevel/2013/12/syria-report/

Amusing Christmas comic.
http://www.onthefastrack.com/?webcomic1=december-22-2013

"Talking to Vula" is the story of a 1980s secret communications channel
between black South African leaders and others living in exile in the
UK. The system used encrypted text encoded into DTMF "touch tones" and
transmitted from pay phones.
http://www.anc.org.za/show.php?id=4693

Joseph Stiglitz has an excellent essay on the value of trust, and the
lack of it in today's society.
http://opinionator.blogs.nytimes.com/2013/12/21/in-no-one-we-trust/

It has amazed me that the NSA doesn't seem to do any cost/benefit
analyses on any of its surveillance programs. This seems particularly
important for bulk surveillance programs, as they have significant costs
aside from the obvious monetary costs. In this paper, John Mueller and
Mark G. Stewart have done the analysis on one of these programs. Worth
reading.
http://politicalscience.osu.edu/faculty/jmueller/NSAshane3.pdf

Matt Blaze on TAO's methods, pointing out that targeted surveillance is
better than bulk surveillance.
http://www.theguardian.com/commentisfree/2014/jan/06/nsa-tailored-access-operations-privacy
or http://tinyurl.com/m8s74no
This is important. As scarily impressive as TAO's implant catalog is,
it's targeted. We can argue about how it should be targeted -- who
counts as a "bad guy" and who doesn't -- but it's much better than the
NSA's collecting cell phone location data on everyone on the planet. The
more we can deny the NSA the ability to do broad wholesale surveillance
on everyone, and force them to do targeted surveillance on individuals
and organizations, the safer we all are.

The failure of privacy notices and consumer choice.
http://firstmonday.org/ojs/index.php/fm/article/view/4838/3802

Interesting story of a 1971 burglary of an FBI office.
http://www.nytimes.com/2014/01/07/us/burglars-who-took-on-fbi-abandon-shadows.html
or http://tinyurl.com/n62lf4d
http://www.nytimes.com/video/us/100000002635482/stealing-j-edgar-hoovers-secrets.html
or http://tinyurl.com/kqwjuvm
It's also a book:
http://www.amazon.com/The-Burglary-Discovery-Hoovers-Secret/dp/0307962954/
or http://tinyurl.com/mjlt3xm

** *** ***** ******* *********** *************

     Security Risks of Embedded Systems

We're at a crisis point now with regard to the security of embedded
systems, where computing is embedded into the hardware itself -- as with
the Internet of Things. These embedded computers are riddled with
vulnerabilities, and there's no good way to patch them.

It's not unlike what happened in the mid-1990s, when the insecurity of
personal computers was reaching crisis levels. Software and operating
systems were riddled with security vulnerabilities, and there was no
good way to patch them. Companies were trying to keep vulnerabilities
secret, and not releasing security updates quickly. And when updates
were released, it was hard -- if not impossible -- to get users to
install them. This has changed over the past twenty years, due to a
combination of full disclosure -- publishing vulnerabilities to force
companies to issue patches quicker -- and automatic updates: automating
the process of installing updates on users' computers. The results
aren't perfect, but they're much better than ever before.

But this time the problem is much worse, because the world is different:
All of these devices are connected to the Internet. The computers in our
routers and modems are much more powerful than the PCs of the mid-1990s,
and the Internet of Things will put computers into all sorts of consumer
devices. The industries producing these devices are even less capable of
fixing the problem than the PC and software industries were.

If we don't solve this soon, we're in for a security disaster as hackers
figure out that it's easier to hack routers than computers. At a recent
Def Con, a researcher looked at thirty home routers and broke into half
of them -- including some of the most popular and common brands.

To understand the problem, you need to understand the embedded systems
market.

Typically, these systems are powered by specialized computer chips made
by companies such as Broadcom, Qualcomm, and Marvell. These chips are
cheap, and the profit margins slim. Aside from price, the way the
manufacturers differentiate themselves from each other is by features
and bandwidth. They typically put a version of the Linux operating
system onto the chips, as well as a bunch of other open-source and
proprietary components and drivers. They do as little engineering as
possible before shipping, and there's little incentive to update their
"board support package" until absolutely necessary.

The system manufacturers -- usually original device manufacturers (ODMs)
who often don't get their brand name on the finished product -- choose a
chip based on price and features, and then build a router, server, or
whatever. They don't do a lot of engineering, either. The brand-name
company on the box may add a user interface and maybe some new features,
make sure everything works, and they're done, too.

The problem with this process is that no one entity has any incentive,
expertise, or even ability to patch the software once it's shipped. The
chip manufacturer is busy shipping the next version of the chip, and the
ODM is busy upgrading its product to work with this next chip.
Maintaining the older chips and products just isn't a priority.

And the software is old, even when the device is new. For example, one
survey of common home routers found that the software components were
four to five years older than the device. The minimum age of the Linux
operating system was four years. The minimum age of the Samba file
system software: six years. They may have had all the security patches
applied, but most likely not. No one has that job. Some of the
components are so old that they're no longer being patched. This
patching is especially important because security vulnerabilities are
found "more easily" as systems age.

To make matters worse, it's often impossible to patch the software or
upgrade the components to the latest version. Often, the complete source
code isn't available. Yes, they'll have the source code to Linux and any
other open-source components. But many of the device drivers and other
components are just "binary blobs" -- no source code at all. That's the
most pernicious part of the problem: No one can possibly patch code
that's just binary.

Even when a patch is possible, it's rarely applied. Users usually have
to manually download and install relevant patches. But since users never
get alerted about security updates, and don't have the expertise to
manually administer these devices, it doesn't happen. Sometimes the ISPs
have the ability to remotely patch routers and modems, but this is also
rare.

The result is hundreds of millions of devices that have been sitting on
the Internet, unpatched and insecure, for the last five to ten years.

Hackers are starting to notice. The DNS Changer malware attacks home
routers as well as computers. In Brazil, 4.5 million DSL routers were
compromised for purposes of financial fraud. Last month, Symantec
reported on a Linux worm that targets routers, cameras, and other
embedded devices.

This is only the beginning. All it will take is some easy-to-use hacker
tools for the script kiddies to get into the game.

And the Internet of Things will only make this problem worse, as the
Internet -- as well as our homes and bodies -- becomes flooded with new
embedded devices that will be equally poorly maintained and unpatchable.
But routers and modems pose a particular problem, because they're: (1)
between users and the Internet, so turning them off is increasingly not
an option; (2) more powerful and more general in function than other
embedded devices; (3) the one 24/7 computing device in the house, and
are a natural place for lots of new features.

We were here before with personal computers, and we fixed the problem.
But disclosing vulnerabilities in an effort to force vendors to fix the
problem won't work the same way with embedded systems. The last time,
the problem was computers, ones mostly not connected to the Internet,
and slow-spreading viruses. The scale is different today: more devices,
more vulnerability, viruses spreading faster on the Internet, and less
technical expertise on both the vendor and the user sides. Plus
vulnerabilities that are impossible to patch.

Combine full function with lack of updates, add in a pernicious market
dynamic that has inhibited updates and prevented anyone else from
updating, and we have an incipient disaster in front of us. It's just a
matter of when.

We simply have to fix this. We have to put pressure on embedded system
vendors to design their systems better. We need open-source driver
software -- no more binary blobs! -- so third-party vendors and ISPs can
provide security tools and software updates for as long as the device is
in use. We need automatic update mechanisms to ensure they get installed.

The economic incentives point to large ISPs as the driver for change.
Whether they're to blame or not, the ISPs are the ones who get the
service calls for crashes. They often have to send users new hardware
because it's the only way to update a router or modem, and that can
easily cost a year's worth of profit from that customer. This problem is
only going to get worse, and more expensive. Paying the cost up front
for better embedded systems is much cheaper than paying the costs of the
resultant security disasters.

This essay originally appeared on Wired.com.
http://www.wired.com/opinion/2014/01/theres-no-good-way-to-patch-the-internet-of-things-and-thats-a-huge-problem/
or http://tinyurl.com/ngoxykw

Security vulnerabilities in routers:
https://www.defcon.org/images/defcon-18/dc-18-presentations/Heffner/DEFCON-18-Heffner-Routers.pdf
or http://tinyurl.com/mycykl7
http://www.youtube.com/watch?v=stnJiPBIM6o

Security vulnerabilities of older systems:
http://www.acsac.org/2010/openconf/modules/request.php?module=oc_program&action=view.php&a=&id=69&type=2
or http://tinyurl.com/l57yph8

Embedded malware:
http://news.cnet.com/8301-10784_3-9970972-7.html
http://nakedsecurity.sophos.com/2012/10/01/hacked-routers-brazil-vb2012/
or http://tinyurl.com/8js9jg2
http://www.symantec.com/connect/blogs/linux-worm-targeting-hidden-devices
or http://tinyurl.com/ncwl6rr
http://arstechnica.com/security/2013/11/new-linux-worm-targets-routers-cameras-internet-of-things-devices/
or http://tinyurl.com/mcv73mj

Two essays that debunk the "NSA surveillance could have stopped 9/11" myth:
http://www.cnn.com/2013/12/30/opinion/bergen-nsa-surveillance-september-11/
http://www.newyorker.com/talk/comment/2014/01/13/140113taco_talk_wright

The changing cost of surveillance:
http://ashkansoltani.org/2014/01/09/the-cost-of-surveillance/
http://www.yalelawjournal.org/the-yale-law-journal-pocket-part/constitutional-law/tiny-constables-and-the-cost-of-surveillance:-making-cents-out-of-united-states-v.-jones

** *** ***** ******* *********** *************

     Schneier News

I left BT at the end of December.
https://www.schneier.com/blog/archives/2013/12/yes_im_leaving.html

Last month, Eben Moglen and I had a conversation about NSA surveillance.
Audio and video are online.
https://www.softwarefreedom.org/events/2013/a_conversation_with_bruce_schneier/
or http://tinyurl.com/mganzed
https://www.youtube.com/watch?v=N8Sc6pUR1mA

** *** ***** ******* *********** *************

     Schneier News: I've Joined Co3 Systems

For decades, I've said that good security is a combination of
protection, detection, and response. In 1999, when I formed Counterpane
Internet Security, I focused the company on what was then the nascent
area of detection. Since then, there have been many products and
services that focus on detection, and it's a huge part of the
information security industry. Now, it's time for response. While
there are many companies that offer services to aid in incident response
-- mitigation, forensics, recovery, compliance -- there are no
comprehensive products in this area.

Well, almost none. Co3 Systems provides a coordination system for
incident response. I think of it as a social networking site for
incident response, though the company doesn't use this term. The idea
is that the system generates your incident response plan on
installation, and when something happens, automatically executes it. It
collects information about the incident, assigns and tracks tasks, and
logs everything you do. It links you with information you might need,
companies you might want to talk to, and regulations you might be
required to comply with. And it logs everything, so you can demonstrate
that you followed your response plan and thus the law -- or see how and
where you fell short.

Years ago, attacks were both less frequent and less serious, and
compliance requirements were more modest. But today, companies get
breached all the time, and regulatory requirements are complicated --
and getting more so all the time. Ad hoc incident response isn't enough
anymore. There are lots of things you need to do when you're attacked,
both to secure your network from the attackers and to secure your
company from litigation.

The problem with any emergency response plan is that you only need it in
an emergency. Emergencies are both complicated and stressful, and it's
easy for things to fall through the cracks. It's critical to have
something -- a system, a checklist, even a person -- that tracks
everything and makes sure that everything that has to get done is.

Co3 Systems is great in an emergency, but of course you really want to
have installed and configured it *before* the emergency.

It will also serve you better if you use it regularly. Co3 Systems is
designed to be valuable for all incident response, both the mundane and
the critical. The system can record and assess everything that appears
abnormal. The incident response plans it generates make it easy, and
the intelligence feeds make it useful. If Co3 Systems is already in
place, when something turns out to be a real incident, it's easy to
escalate it to the next level, and you'll be using tools you're already
familiar with.

Co3 Systems works either from a private cloud or on your network. I
think the cloud makes more sense; you don't want to coordinate incident
response from the network that is under attack. And it's constantly
getting better as more partner companies integrate their information
feeds and best practices. The company has launched some of these
partnerships already, and there are some major names soon to be announced.

Today I am joining Co3 Systems as its Chief Technology Officer. I've
been on the company's advisory board for about a year, and was an
informal adviser to CEO John Bruce before that. John and I worked
together at Counterpane in the early 2000s, and we both think this is a
natural extension to what we tried to build there. I also know CMO Ted
Julian from his days at @Stake. Together, we're going to build *the*
incident response product.

I'm really excited about this -- and the fact that the company
headquarters are just three T stops inbound to Harvard and the Berkman
Center makes it even more perfect.

http://www.co3sys.com
https://www.co3sys.com/news/news-releases/bruce-schneier-joins-co3-systems-cto
or http://tinyurl.com/nzhbsf4
http://www.darkreading.com/attacks-breaches/bruce-schneier-departs-bt-for-startup-co/240165137
or http://tinyurl.com/nyatozb
http://threatpost.com/bruce-schneier-joins-startup-co3-systems/103429
or http://tinyurl.com/puynhos
http://www.networkworld.com/news/2014/010614-schneier-co3-277365.html
or http://tinyurl.com/kd4f4j9
https://www.co3sys.com/blog-post/bruce-schneier-chief-technology-officer
or http://tinyurl.com/kszop9o
https://www.co3sys.com/blog-post/security-legend-bruce-schneier-joins-co3
or http://tinyurl.com/k2u3rnb
https://www.youtube.com/watch?v=c7XMWR1hD9M&sns=tw
http://threatpost.com/bruce-schneier-joins-startup-co3-systems/103429#
or http://tinyurl.com/khs2gdk

** *** ***** ******* *********** *************

     Twitter Users: Please Make Sure You're Following the Right Feed

I have an official Twitter feed of my blog; it's @schneierblog. There's
also an unofficial feed at @Bruce_Schneier. I have nothing to do with
that one.

I wouldn't mind the unofficial feed -- if people are reading my blog,
who cares -- except that it isn't working right, and hasn't been for
some time. It publishes some posts weeks late and skips others
entirely. I'm only hoping that this one will show up there.

It's also kind of annoying that @Bruce_Schneier keeps following people,
who think it's me. It's not; I never log in to Twitter and I don't
follow anyone there.

So if you want to read my blog on Twitter, please make sure you're
following @schneierblog. And if you are the person who runs the
@Bruce_Schneier account -- if anyone is even running it anymore --
please e-mail me at the address on my Contact page. I'd rather see it
fixed than shut down, but better for it to be shut down than continue in
its broken state.

@schneierblog:
http://twitter.com/schneierblog/

@Bruce_Schneier:
https://twitter.com/Bruce_Schneier

My contact page:
https://www.schneier.com/contact.html

** *** ***** ******* *********** *************

Since 1998, CRYPTO-GRAM has been a free monthly newsletter providing
summaries, analyses, insights, and commentaries on security: computer
and otherwise. You can subscribe, unsubscribe, or change your address on
the Web at <http://www.schneier.com/crypto-gram.html>. Back issues are
also available at that URL.

Please feel free to forward CRYPTO-GRAM, in whole or in part, to
colleagues and friends who will find it valuable. Permission is also
granted to reprint CRYPTO-GRAM, as long as it is reprinted in its entirety.

CRYPTO-GRAM is written by Bruce Schneier. Bruce Schneier is an
internationally renowned security technologist, called a "security guru"
by The Economist. He is the author of 12 books -- including "Liars and
Outliers: Enabling the Trust Society Needs to Survive" -- as well as
hundreds of articles, essays, and academic papers. His influential
newsletter "Crypto-Gram" and his blog "Schneier on Security" are read by
over 250,000 people. He has testified before Congress, is a frequent
guest on television and radio, has served on several government
committees, and is regularly quoted in the press. Schneier is a fellow
at the Berkman Center for Internet and Society at Harvard Law School, a
program fellow at the New America Foundation's Open Technology
Institute, a board member of the Electronic Frontier Foundation, an
Advisory Board Member of the Electronic Privacy Information Center, and
the Chief Technology Officer at Co3 Systems, Inc. See
<http://www.schneier.com>.

Crypto-Gram is a personal newsletter. Opinions expressed are not
necessarily those of Co3 Systems, Inc.

Copyright (c) 2014 by Bruce Schneier.

** *** ***** ******* *********** *************

To unsubscribe from Crypto-Gram, click this link:

https://lists.schneier.com/cgi-bin/mailman/options/crypto-gram/joey%40joeykelly.net?login-unsub=Unsubscribe

You will be e-mailed a confirmation message. Follow the instructions in
that message to confirm your removal from the list.

___________________
Nolug mailing list
nolug@nolug.org
Received on 01/15/14

This archive was generated by hypermail 2.2.0 : 02/10/14 EST