[Nolug] Fwd: CRYPTO-GRAM, March 15, 2007

From: Joey Kelly <joey_at_joeykelly.net>
Date: Thu, 15 Mar 2007 20:23:26 -0500
Message-ID: <1c0063340703151823s516fac79r1eaf7c8744825a05@mail.gmail.com>

---------- Forwarded message ----------
From: Bruce Schneier <schneier@schneier.com>
Date: Mar 15, 2007 1:56 AM
Subject: CRYPTO-GRAM, March 15, 2007
To: CRYPTO-GRAM-LIST@listserv.modwest.com

                  CRYPTO-GRAM

                 March 15, 2007

               by Bruce Schneier
                Founder and CTO
                 BT Counterpane
              schneier@schneier.com
             http://www.schneier.com
            http://www.counterpane.com

A free monthly newsletter providing summaries, analyses, insights, and
commentaries on security: computer and otherwise.

For back issues, or to subscribe, visit
<http://www.schneier.com/crypto-gram.html>.

You can read this issue on the web at
<http://www.schneier.com/crypto-gram-0703.html>. These same essays
appear in the "Schneier on Security" blog:
<http://www.schneier.com/blog>. An RSS feed is available.

** *** ***** ******* *********** *************

In this issue:
      CYA Security
      Copycats
      U.S. Terrorism Arrests/Convictions Significantly Overstated
      Movie Plot Threat in Vancouver
      News
      The Doghouse: Onboard Threat Detection System
      Private Police Forces
      BT Counterpane News
      The Doghouse: Sniffex
      Drive-By Pharming
      Cloning RFID Chips Made by HID
      Comments from Readers

** *** ***** ******* *********** *************

      CYA Security

Since 9/11, we've spent hundreds of billions of dollars defending
ourselves from terrorist attacks. Stories about the ineffectiveness of
many of these security measures are common, but less so are discussions
of *why* they are so ineffective. In short: much of our country's
counterterrorism security spending is not designed to protect us from
the terrorists, but instead to protect our public officials from
criticism when another attack occurs.

Boston, January 31: As part of a guerilla marketing campaign, a series
of amateur-looking blinking signs depicting characters from Aqua Teen
Hunger Force, a show on the Cartoon Network, were placed on bridges,
near a medical center, underneath an interstate highway, and in other
crowded public places.

Police mistook these signs for bombs and shut down parts of the city,
eventually spending over $1M sorting it out. Authorities blasted the
stunt as a terrorist hoax, while others ridiculed the Boston authorities
for overreacting. Almost no one looked beyond the finger pointing and
jeering to discuss exactly why the Boston authorities overreacted so
badly. They overreacted because the signs were weird.

If someone left a backpack full of explosives in a crowded movie
theater, or detonated a truck bomb in the middle of a tunnel, no one
would demand to know why the police hadn't noticed it beforehand. But
if a weird device with blinking lights and wires turned out to be a bomb
-- what every movie bomb looks like -- there would be inquiries and
demands for resignations. It took the police two weeks to notice the
Mooninite blinkies, but once they did, they overreacted because their
jobs were at stake.

This is "Cover Your Ass" security, and unfortunately it's very common.

Airplane security seems to forever be looking backwards. Pre-9/11, it
was bombs, guns, and knives. Then it was small blades and box cutters.
Richard Reid tried to blow up a plane, and suddenly we all have to
take off our shoes. And after last summer's liquid plot, we're stuck
with a series of nonsensical bans on liquids and gels.

Once you think about this in terms of CYA, it starts to make sense. The
TSA wants to be sure that if there's another airplane terrorist attack,
it's not held responsible for letting it slip through. One year ago, no
one could blame the TSA for not detecting liquids. But since everything
seems obvious in hindsight, it's basic job preservation to defend
against what the terrorists tried last time.

We saw this kind of CYA security when Boston and New York randomly
checked bags on the subways after the London bombing, or when buildings
started sprouting concrete barriers after the Oklahoma City bombing. We
also see it in ineffective attempts to detect nuclear bombs; authorities
employ CYA security against the media-driven threat so they can say "we
tried."

At the same time, we're ignoring threat possibilities that don't make
the news as much -- against chemical plants, for example. But if there
were ever an attack, that would change quickly.

CYA also explains the TSA's inability to take anyone off the no-fly
list, no matter how innocent. No one is willing to risk his career on
removing someone from the no-fly list who might -- no matter how remote
the possibility -- turn out to be the next terrorist mastermind.

Another form of CYA security is the overly specific countermeasures we
see during big events like the Olympics and the Oscars, or in protecting
small towns. In all those cases, those in charge of the specific
security don't dare return the money with a message "use this for more
effective general countermeasures." If they were wrong and something
happened, they'd lose their jobs.

And finally, we're seeing CYA security on the national level, from our
politicians. We might be better off as a nation funding intelligence
gathering and Arabic translators, but it's a better re-election strategy
to fund something visible but ineffective, like a national ID card or a
wall between the U.S. and Mexico.

Securing our nation from threats that are weird, threats that either
happened before or captured the media's imagination, and overly specific
threats are all examples of CYA security. It happens not because the
authorities involved -- the Boston police, the TSA, and so on -- are not
competent, or not doing their job. It happens because there isn't
sufficient national oversight, planning, and coordination.

People and organizations respond to incentives. We can't expect the
Boston police, the TSA, the guy who runs security for the Oscars, or
local public officials to balance their own security needs against the
security of the nation. They're all going to respond to the particular
incentives imposed from above. What we need is a coherent antiterrorism
policy at the national level: one based on real threat assessments,
instead of fear-mongering, re-election strategies, or pork-barrel politics.

Sadly, though, there might not be a solution. All the money is in
fear-mongering, re-election strategies, and pork-barrel politics. And,
like so many things, security follows the money.

http://www.schneier.com/blog/archives/2007/02/nonterrorist_em.html

Airplane security:
http://www.schneier.com/blog/archives/2006/08/terrorism_secur.html

Searching bags in subways:
http://www.schneier.com/blog/archives/2005/07/searching_bags.html

No-fly list:
http://www.schneier.com/essay-052.html

More CYA security:
http://entertainment.iafrica.com/news/929710.htm
http://www.news24.com/News24/Entertainment/Oscars/0,,2-1225-1569_1665860,00.html
or http://tinyurl.com/24uuuo
http://www.schneier.com/blog/archives/2005/09/major_security.html
http://www.schneier.com/blog/archives/2006/03/80_cameras_for.html
http://www.schneier.com/blog/archives/2007/01/realid_costs_an.html
http://www.slate.com/id/2143104/

Commentary:
http://www.networkworld.com/community/?q=node/11746
http://yro.slashdot.org/yro/07/02/22/214246.shtml

This essay originally appeared on Wired.com.
http://www.wired.com/news/columns/0,72774-0.html

** *** ***** ******* *********** *************

      Copycats

It's called "splash-and-grab," and it's a new way to rob convenience
stores. (Okay; it's not really new. It was used on the TV show "The
Shield" in 2005. But it's back in the news.) Two guys walk into a
store, and one comes up to the counter with a cup of hot coffee or
cocoa. He pays for it, and when the clerk opens the cash drawer, he
throws the coffee in the clerk's face. The other one grabs the cash
drawer, and they both run.

Crimes never change, but tactics do. This tactic is new; someone just
invented it. But now that it's in the news, copycats are repeating the
trick. There have been at least 19 such robberies in Delaware,
Pennsylvania and New Jersey. (Some arrests have been made since then.)

Here's another example: On Nov. 24, 1971, someone with the alias Dan
Cooper invented a new way to hijack an aircraft. Claiming he had a
bomb, he forced a plane to land and then exchanged the passengers and
flight attendants for $200,000 and four parachutes. (I leave it as an
exercise for the reader to explain why asking for more than one
parachute is critical to the plan's success.) Taking off again, he told
the pilots to fly to 10,000 feet. He then lowered the plane's back
stairs and parachuted away. He was never caught, and the FBI still
doesn't know who he is or whether he survived.

After this story hit the press, there was an epidemic of copycat
attacks. In 31 hijackings the following year, half of the hijackers
demanded parachutes. It got so bad that the FAA required Boeing to
install a special latch -- the Cooper Vane -- on the back staircases of
its 727s so they couldn't be lowered in the air.

The internet is filled with copycats. Green-card lawyers invented spam;
now everyone does it. Other people invented phishing, pharming, spear
phishing. The virus, the worm, the Trojan: It's hard to believe that
these ubiquitous internet attack tactics were, until comparatively
recently, tactics that no one had thought of.

Most attackers are copycats. They aren't clever enough to invent a new
way to rob a convenience store, use the web to steal money, or hijack an
airplane. They try the same attacks again and again, or read about a
new attack in the newspaper and decide they can try it, too.

In combating threats, it makes sense to focus on copycats when there is
a population of people already willing to commit the crime, who will
migrate to a new tactic once it has been demonstrated to be successful.
In instances where there aren't many attacks or attackers, and they're
smarter -- al-Qaeda-style terrorism comes to mind -- focusing on
copycats is less effective because the bad guys will respond by
modifying their attacks accordingly.

Compare that to suicide bombings in Israel, which are mostly copycat
attacks. The authorities basically know what a suicide bombing looks
like, and do a pretty good job defending against the particular tactics
they tend to see again and again. It's still an arms race, but there is
a lot of security gained by defending against copycats.

But even so, it's important to understand which aspect of the crime will
be adopted by copycats. Splash-and-grab crimes have nothing to do with
convenience stores; copycats can target any store where hot coffee is
easily available and there is only one clerk on duty. And the tactic
doesn't necessarily need coffee; one copycat used bleach. The new idea
is to throw something painful and damaging in a clerk's face, grab the
valuables and run.

Similarly, when a suicide bomber blows up a restaurant in Israel, the
authorities don't automatically assume the copycats will attack other
restaurants. They focus on the particulars of the bomb, the triggering
mechanism and the way the bomber arrived at his target. Those are the
tactics that copycats will repeat. The next target may be a theater or a
hotel or any other crowded location.

The lesson for counterterrorism in America: Stay flexible. We're not
threatened by a bunch of copycats, so we're best off expending effort on
security measures that will work regardless of the tactics or the
targets: intelligence, investigation and emergency response. By
focusing too much on specifics -- what the terrorists did last time --
we're wasting valuable resources that could be used to keep us safer.

http://www.philly.com/mld/inquirer/news/local/16824777.htm
http://kyw1060.com/pages/254744.php?contentType=4&contentId=340063
http://www.delawareonline.com/apps/pbcs.dll/article?AID=/20070222/NEWS/702220360/1006/NEWS
or http://tinyurl.com/2f3gyj
http://www.nbc10.com/news/11155984/detail.html?subid=10101521

Dan Cooper and the Cooper Vane:
http://www.crimelibrary.com/criminal_mind/scams/DB_Cooper/index.html
http://en.wikipedia.org/wiki/Cooper_Vane

Green-card lawyers:
http://www.wired.com/news/politics/0,1283,19098,00.html

This essay originally appeared on Wired.com.
http://www.wired.com/news/columns/0,72887-0.html

Blog entry URL:
http://www.schneier.com/blog/archives/2007/03/post.html

** *** ***** ******* *********** *************

      U.S. Terrorism Arrests/Convictions Significantly Overstated

A new report (long, but at least read the Executive Summary) from the
U.S. Department of Justice's Inspector General says, basically, that all
the U.S. terrorism statistics since 9/11 -- arrests, convictions, and so
on -- have been grossly inflated.

The report gives a series of reasons why the statistics were so bad.
Here's one: "The number of terrorism-related convictions was overstated
because the FBI initially coded the investigative cases as
terrorism-related when the cases were opened, but did not recode cases
when no link to terrorism was established."

And here's an example of a problem: "For example, Operation Tarmac was
a worksite enforcement operation launched in November 2001 at the
nation's airports. During this operation, Department and other federal
agents went into regional airports and checked the immigration papers of
airport workers. The agents then arrested any individuals who used
falsified documents, such as social security numbers, drivers' licenses,
and other identification documents, to gain employment. EOUSA officials
told us they believe these defendants are properly coded under the
anti-terrorism program activity. We do not agree that law enforcement
efforts such as these should be counted as "anti-terrorism" unless the
subject or target is reasonably linked to terrorist activity."

("EOUSA" is the Executive Office for United States Attorneys, part of
the U.S. Department of Justice.)

There's an enormous amount of detail in the report, if you want to wade
through the 80 or so pages of report and another 80ish of appendices.

http://www.usdoj.gov/oig/reports/plus/a0720/final.pdf

** *** ***** ******* *********** *************

      Movie Plot Threat in Vancouver

The idiocy of this is impressive: "A Vancouver Police computer crime
investigator has warned the city that plans for a citywide wireless
Internet system put the city at risk of terrorist attack during the 2010
Winter Olympic Games."

The problem? Well, the problem seems to be that terrorists might attend
the Olympic games and use the Internet while they're there.

"'If you have an open wireless system across the city, as a bad guy I
could sit on a bus with a laptop and do global crime,' Fenton explained.
'It would be virtually impossible to find me.'"

There's also some scary stuff about SCADA systems, and the city putting
some of its own service on the Internet. Clearly this guy has thought
about the risks a lot, just not with any sense. He's overestimating
cyberterrorism. He's overestimating how important this one particular
method of wireless Internet access is. He's overestimating how
important the 2010 Winter Olympics are.

But the newspaper was happy to play along and spread the fear. The
photograph accompanying the article is captioned: "Anyone with a laptop
and wireless access could commit a terrorist act, police warn."

http://www.canada.com/topics/news/national/story.html?id=207f6d54-68fc-40da-8ae3-dc9f057c2f54&k=25065
or http://tinyurl.com/2nmy5j

Cyberterrorism:
http://www.schneier.com/crypto-gram-0306.html#1

** *** ***** ******* *********** *************

      News

According to a new report, the FBI has lost 160 laptops, including at
least ten with classified information, in the past four years. But it's
not all bad news. A similar audit in 2002 found that 317 laptops were
lost or stolen at the FBI over about two years. The FBI: Now losing
fewer laptops!
http://www.usdoj.gov/oig/reports/FBI/index.htm
http://www.washingtonpost.com/wp-dyn/content/article/2007/02/12/AR2007021200629.html
or http://tinyurl.com/38hsvh
http://www.eweek.com/article2/0,1895,2094290,00.asp
http://arstechnica.com/news.ars/post/20070212-8821.html

There's a UAC security hole in Vista. What's interesting is that
Microsoft is positioning this as a trade-off between security and
ease-of-use. That's correct, of course, but it seems that someone made
a bad decision in this regard.
http://blogs.zdnet.com/security/?p=29&tag=nl.e589
http://theinvisiblethings.blogspot.com/2007/02/running-vista-every-day.html
or http://tinyurl.com/yo42z7

Slowly, AACS -- the security in both Blu-ray and HD DVD -- has been
cracked. Now, it has been cracked even further. As I have said before,
what will be interesting to watch is how well HD DVD and Blu-ray
recover. Both were built expecting these sorts of cracks, and both have
mechanisms to recover security for future movies. It remains to be seen
how well these recovery systems will work.
http://www.boingboing.net/2007/02/13/bluray_and_hddvd_bro.html
Previous cracks:
http://www.schneier.com/blog/archives/2006/12/aacs_cracked_1.html
http://www.schneier.com/blog/archives/2007/01/bluray_cracked.html

Was the TSA website hacked, or was it just incredibly bad webpage design
and coding?
http://blog.wired.com/27bstroke6/2007/02/homeland_securi.html
http://paranoia.dubfire.net/2007/02/tsa-has-outsourced-tsa-traveler.html
or http://tinyurl.com/ywm7qx

Real-world back doors: a social engineering test where the attackers
entered the building through a back-door left open for smokers.
http://www.theregister.com/2007/02/15/smoke_ban_hack_risk/

OpenSSL is now FIPS 140-2 certified. The process took five years. This
is a major problem with long certification cycles; software development
cycles are faster.
http://www.linux.com/article.pl?sid=07/02/08/1935232

Is everything a bomb these days? In New Mexico, a bomb squad blew up
two CD players, duct-taped to the bottoms of church pews, that played
pornographic messages during Mass. This is a pretty funny high school
prank and I hope the kids that did it get suitably punished. But
they're not terrorists. And I have a hard time believing that the
police actually thought CD players were bombs.
http://www.cnn.com/2007/US/02/22/church.foul.language.ap/index.html
Meanwhile, the British Police Force blew up a tape dispenser left
outside a police station in Northern Ireland.
http://news.bbc.co.uk/1/hi/northern_ireland/6387857.stm

And not to be outdone, the Dutch police mistook one of their own
transmitters for a bomb. At least they didn't blow anything up.
http://www.playfuls.com/news_10_14162-Dutch-Police-Seal-Off-Street-On-Taking-Own-Transmitter-For-Bomb.html
or http://tinyurl.com/2b6qn4
Okay, everyone. We need some ideas, here. If we're going to think
everything weird is a bomb, then the false alarms are going to kill any
hope of security.
http://www.schneier.com/blog/archives/2007/02/nonterrorist_em.html

If you're having trouble identifying bombs, this quiz should help.
http://www.bombornot.com
And here's a relevant cartoon.
http://www.geekculture.com/joyoftech/joyarchives/919.html

The Boston police blew up a traffic counter. I'm beginning to think
that something is seriously wrong with the police chain of command in
Boston. Boston PD: Putting the "error" in "terror."
http://www.boingboing.net/2007/02/28/boston_police_blow_u.html
http://wbztv.com/local/local_story_059122735.html
http://www3.whdh.com:80/news/articles/local/BO44642/
http://www.schneier.com/blog/archives/2007/03/boston_police_b.html

Lists of default router passwords:
http://www.phenoelit.de/dpl/dpl.html
http://www.phenoelit.de/dpl/
http://www.governmentsecurity.org/articles/DefaultLoginsandPasswordsforNetworkedDevices.php
http://www.virus.org/default-password/

"Windows for Warships." I'm not sure this is a good idea.
http://www.theregister.co.uk/2007/02/26/windows_boxes_at_sea/
A related article from 1998, involving Windows NT and the USS Yorktown.
http://www.wired.com/news/technology/0,1282,13987,00.html

There's a rumor about a software bug in the F-22 Raptor stealth fighter.
It seems that the computer systems had problems flying west across the
International Date Line. No word as to what operating system the
computers were running.
http://it.slashdot.org/article.pl?sid=07/02/25/2038217
http://www.f-16.net/index.php?name=PNphpBB2&file=viewtopic&p=91277
http://www.flightglobal.com/articles/2007/02/14/212102/pictures-navigational-software-glitch-forces-lockheed-martin-f-22-raptors-back-to-hawaii.html
or http://tinyurl.com/26p5s6
http://www.dailytech.com/article.aspx?newsid=6225

With all the attention on foreign money laundering, we're ignoring the
problem in the U.S.
http://members.forbes.com/forbes/2007/0212/096.html

Faking hardware memory access:
http://www.darkreading.com/document.asp?doc_id=118291

There's good news regarding Canada's anti-terrorism laws. First,
security certificates were declared unconstitutional.
http://www.cbc.ca/canada/story/2007/02/23/security-certificate.html
And second, the House of Commons voted against extending two provisions
of a 2001 anti-terrorism law. They expired at the end of February.
http://www.cbc.ca/canada/story/2007/02/27/terror-vote.html
http://www.thestar.com/News/article/186476

Paranoia poster:
http://digitalfury.popmartian.com/images/20070202/paranoia.jpg

Powder-sized RFID tags:
http://news.bbc.co.uk/1/hi/technology/6389581.stm
http://www.theregister.co.uk/2007/02/19/rfid_powder/

Xbox 360 privilege escalation attack:
http://www.securityfocus.com/archive/1/461489/30/0/threaded

Very interesting article about Apple's DRM system, which they call
"FairPlay."
http://www.roughlydrafted.com/RD/RDM.Tech.Q1.07/2A351C60-A4E5-4764-A083-FF8610E66A46.html
or http://tinyurl.com/229pcm

The cost-effectiveness of sky marshals in Australia is being debated. I
have not seen any similar cost analysis from the United States.
http://www.theage.com.au/news/national/skyhigh-cost-of-flying-cops/2007/02/24/1171734074064.html
or http://tinyurl.com/ywpt4t

Fascinating article about changing generational notions of privacy:
http://nymag.com/news/features/27341/

The FBI issued illegal National Security Letters under the USA PATRIOT Act
http://www.schneier.com/blog/archives/2007/03/fbi_issued_ille_1.html

"Digital Security and Privacy for Human Rights Defenders":
http://www.frontlinedefenders.org/pdfs/esecman.en.pdf

Cloning a UK RFID passport:
http://www.dailymail.co.uk/pages/live/articles/news/news.html?in_article_id=440069&in_page_id=1770
http://www.theregister.com/2007/03/06/daily_mail_passport_clone/
Nothing I haven't said before, only a demonstration of how insecure they
are.
http://www.schneier.com/blog/archives/2006/09/renew_your_pass.html

Some airport baggage handlers used their official credentials to bypass
security and smuggle guns and marijuana onto an airplane. This kind of
thing is inevitable. Whenever you have a system that requires trusted
people -- that is, every security system -- there is the possibility
that those trusted people will not behave in a trustworthy manner. But
there are ways of minimizing this risk.
http://www.cbsnews.com/stories/2007/03/08/national/main2549166.shtml

Find out if you're on the "no fly" list:
http://www.huffingtonpost.com/jim-moore/are-you-on-the-no-fly-lis_b_42443.html
or http://tinyurl.com/29ve8o

Vista activation security cracked by brute force:
http://www.theinquirer.net/default.aspx?article=37941

I'm tired of headlines like this: "New autopilot 'will make another
9/11 impossible.'" Why are people so narrowly focused? The goal isn't
to protect against another 9/11. The goal is to protect against another
horrific terrorist incident.
http://www.rinf.com/columnists/news/new-autopilot-will-make-another-911-impossible
or http://tinyurl.com/2862gm
Stop focusing on the tactics, people. Look at the broad threats.
http://www.schneier.com/blog/archives/2006/08/terrorism_secur.html
I've written about this particular countermeasure before.
http://www.schneier.com/blog/archives/2006/07/remotecontrol_a.html

Insurance and risk cartoon:
http://www.wondermark.com/d/279.html

Interesting article on the difficulty of profiling terrorists:
http://www.washingtonpost.com/wp-dyn/content/article/2007/03/11/AR2007031101618.html

** *** ***** ******* *********** *************

      The Doghouse: Onboard Threat Detection System

It's almost too absurd to even write about seriously -- this plan to
spot terrorists in airplane seats:

"Cameras fitted to seat-backs will record every twitch, blink, facial
expression or suspicious movement before sending the data to onboard
software which will check it against individual passenger profiles."

And:

"They say that rapid eye movements, blinking excessively, licking lips
or ways of stroking hair or ears are classic symptoms of somebody trying
to conceal something."

"A separate microphone will hear and record even whispered remarks.
Islamic suicide bombers are known to whisper texts from the Koran in the
moments before they explode bombs."

"The software being developed by the scientists will be so sophisticated
that it will be able to take account of nervous flyers or people with a
natural twitch, helping to ensure there are no false alarms."

The only thing I can think of is that some company press release got
turned into real news without a whole lot of thinking.

http://www.dailymail.co.uk/pages/live/articles/news/news.html?in_article_id=435342&in_page_id=1770
or http://tinyurl.com/2oqsyn

** *** ***** ******* *********** *************

      Private Police Forces

In Raleigh, N.C., employees of Capitol Special Police patrol apartment
buildings, a bowling alley and nightclubs, stopping suspicious people,
searching their cars and making arrests.

Sounds like a good thing, but Capitol Special Police isn't a police
force at all -- it's a for-profit security company hired by private
property owners.

This isn't unique. Private security guards outnumber real police more
than 5 to 1, and increasingly act like them.

They wear uniforms, carry weapons and drive lighted patrol cars on
private properties like banks and apartment complexes and in public
areas like bus stations and national monuments. Sometimes they operate
as ordinary citizens and can only make citizen's arrests, but in more
and more states they're being granted official police powers.

This trend should greatly concern citizens. Law enforcement should be a
government function, and privatizing it puts us all at risk.

Most obviously, there's the problem of agenda. Public police forces are
charged with protecting the citizens of the cities and towns over which
they have jurisdiction. Of course, there are instances of policemen
overstepping their bounds, but these are exceptions, and the police
officers and departments are ultimately responsible to the public.

Private police officers are different. They don't work for us; they work
for corporations. They're focused on the priorities of their employers
or the companies that hire them. They're less concerned with due
process, public safety and civil rights.

Also, many of the laws that protect us from police abuse do not apply to
the private sector. Constitutional safeguards that regulate police
conduct, interrogation and evidence collection do not apply to private
individuals. Information that is illegal for the government to collect
about you can be collected by commercial data brokers, then purchased by
the police.

We've all seen policemen "reading people their rights" on television cop
shows. If you're detained by a private security guard, you don't have
nearly as many rights.

For example, a federal law known as Section 1983 allows you to sue for
civil rights violations by the police but not by private citizens. The
Freedom of Information Act allows us to learn what government law
enforcement is doing, but the law doesn't apply to private individuals
and companies. In fact, most of your civil rights protections apply only
to real police.

Training and regulation are another problem. Private security guards
often receive minimal training, if any. They don't graduate from police
academies. And while some states regulate these guard companies, others
have no regulations at all: anyone can put on a uniform and play
policeman. Abuses of power, brutality, and illegal behavior are much
more common among private security guards than real police.

A horrific example of this happened in South Carolina in 1995. Ricky
Coleman, an unlicensed and untrained Best Buy security guard with a
violent criminal record, choked a fraud suspect to death while another
security guard held him down.

This trend is larger than police. More and more of our nation's prisons
are being run by for-profit corporations. The IRS has started
outsourcing some back-tax collection to debt-collection companies that
will take a percentage of the money recovered as their fee. And there
are about 20,000 private police and military personnel in Iraq, working
for the Defense Department.

Throughout most of history, specific people were charged by those in
power to keep the peace, collect taxes and wage wars. Corruption and
incompetence were the norm, and justice was scarce. It is for this very
reason that, since the 1600s, European governments have been built
around a professional civil service to both enforce the laws and protect
rights.

Private security guards turn this bedrock principle of modern government
on its head. Whether it's FedEx policemen in Tennessee who can request
search warrants and make arrests; a privately funded surveillance
helicopter in Jackson, Miss., that can bypass constitutional
restrictions on aerial spying; or employees of Capitol Special Police in
North Carolina who are lobbying to expand their jurisdiction beyond the
specific properties they protect -- privately funded policemen are not
protecting us or working in our best interests.

http://www.washingtonpost.com/wp-dyn/content/article/2007/01/01/AR2007010100665.html
or http://tinyurl.com/y26xgr
http://www.nlg-npap.org/html/research/LWprivatepolice.pdf

This op-ed originally appeared in the "Minneapolis Star-Tribune":
http://www.startribune.com/562/story/1027072.html

When I posted this on my blog, I got a lot of negative comments from
Libertarians who believe that somehow, the market makes private
policemen more responsible to the public than government policemen. I'm
sorry, but this is nonsense. Best Buy is going to be responsive to its
customers; an apartment complex is going to be responsive to its
renters. Petty criminals who prey on those businesses are an economic
externality; they're not going to enter into the economic arguments.
After all, people might be more likely to shop at Best Buy if their
security guards save them money by keeping crime down -- who cares if
they crack a few non-customer heads while doing it.

None of this is meant to imply that public police forces are magically
honorable and ethical; just that the economic forces are different. So
people can consider carefully which is the lesser of two evils, here's
Radley Balko's paper "Overkill: The Rise of Paramilitary Police Raids in
America":
http://www.cato.org/pub_display.php?pub_id=6476
And an interactive map of public police raids gone bad:
http://www.cato.org/raidmap/

** *** ***** ******* *********** *************

      BT Counterpane News

Schneier is a recipient of the 2007 EFF Pioneer Award, together with
Yochai Benkler and Cory Doctorow.
http://www.eff.org/news/archives/2007_03.php#005149

PC World named Schneier the 31st most influential person on the Web:
http://www.pcworld.com/printable/article/id,129301/printable.html

Article on Schneier from the Hindustan Times:
http://www.schneier.com/news-031.html

As part of BT's Big Thinkers series, Esther Dyson interviewed Schneier
and two other people (Risto Siilasmaa, Chairman of F-Secure Corporation;
and Michael Barrett, PayPal's CISO) on network security issues.
http://www.networked.bt.com/bigthinkers_security.php
The other interviews in the series are here.
http://www.networked.bt.com/bigthinkers.php

Schneier is giving a public lecture in London on March 21:
http://www.lse.ac.uk/collections/informationSystems/newsAndEvents/2007events/SSIT7.htm
or http://tinyurl.com/25c2ap

Schneier is speaking at Temple Sharey Tefilo-Israel in South Orange, NJ
on March 25th.

Schneier is speaking at NIST in Gaithersburg, MD, on April 10th:

Schneier is speaking at the Security and Liberty Forum at UNC Chapel
Hill on April 14:
http://www.seclibforum.org/

** *** ***** ******* *********** *************

      The Doghouse: Sniffex

It's nothing more than a homeland security scam: a dowsing rod for
explosives. That, and a pump-and-dump stock scam. The Sniffex site is
down, but Google has a cache, and they seem to be back as Homeland
Safety International. They also have a patent.

http://www.sniffex.com/
http://72.14.253.104/search?q=cache:T397Ap3BNTIJ:www.sniffex.com/+SNIFFEX&hl=en&ct=clnk&cd=1&gl=us&client=opera
or http://tinyurl.com/ysl3le
http://www.homelandsafetyintl.com/
http://patft.uspto.gov/netacgi/nph-Parser?Sect1=PTO1&Sect2=HITOFF&d=PALL&p=1&u=%2Fnetahtml%2FPTO%2Fsrchnum.htm&r=1&f=G&l=50&s1=6,344,818.PN.&OS=PN/6,344,818&RS=PN/6,344,818
http://blog.wired.com/defense/2007/02/sniffing_bomb_d.html or
http://tinyurl.com/28mg44

** *** ***** ******* *********** *************

      Drive-By Pharming

Sid Stamm, Zulfikar Ramzan, and Markus Jakobsson have developed a
clever, and potentially devastating, attack against home routers,
something they call "drive-by pharming."

First, the attacker creates a web page containing a simple piece of
malicious JavaScript code. When the page is viewed, the code makes a
login attempt into the user's home broadband router, and then attempts
to change its DNS server settings to point to an attacker-controlled DNS
server. Once the user's machine receives the updated DNS settings from
the router (after the machine is rebooted) future DNS requests are made
to and resolved by the attacker's DNS server.

And then the attacker basically owns the victim's web connection.

The main condition for the attack to be successful is that the attacker
can guess the router password. This is surprisingly easy, since home
routers come with a default password that is uniform and often never
changed.

They've written proof of concept code that can successfully carry out
the steps of the attack on Linksys, D-Link, and NETGEAR home routers.
If users change their home broadband router passwords to something
difficult to guess, they are safe from this attack.

Cisco says that 77 of its routers are vulnerable.

Note that the attack does not require the user to download any malicious
software; simply viewing a web page with the malicious JavaScript code
is enough.

http://www.symantec.com/enterprise/security_response/weblog/2007/02/driveby_pharming_how_clicking_1.html
or http://tinyurl.com/2uqwug
http://www.symantec.com/avcenter/reference/Driveby_Pharming.pdf
http://it.slashdot.org/article.pl?sid=07/02/16/1421238
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9011588&intsrc=hm_list
or http://tinyurl.com/2vy7xv

Blog comment: "The attack is called 'CSRF' Cross-Site
Request-Forgeries. It's been documented for several years, I remember
stumbling on it myself 2-3 years ago, and being very surprised that it
doesn't get wider publicity -- that has luckily changed in the past
year. It's not only routers, but all sorts of intranet-web applications
are open to this line of attack (especially when it's standard-software,
or someone has insider-knowledge; and users stay logged in for most of
the time)."
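The attack above succeeds because the router's settings page accepts any authenticated state-changing request, whatever page in the browser sent it, and because the password is a guessable factory default. The following is an added example, not code from the newsletter or from the Stamm/Ramzan/Jakobsson paper: a small Python model of a router admin endpoint that replays the malicious page's requests (guess default passwords, then post new DNS servers) against two configurations, the legacy one that accepts any logged-in request and a hardened one that checks the browser-supplied Origin header and a per-session anti-CSRF token. The router address, the attacker origin, the DNS addresses and the default-password list are all constructed for the example; the Origin header is a modern browser control that did not exist when the paper was written.

```python
"""Constructed model of a home-router admin endpoint and the drive-by pharming
request sequence. Not the newsletter's or the paper's code; all names and
addresses below are assumptions for the example."""
import hmac
import secrets

ROUTER_ORIGIN = "http://192.168.1.1"      # assumed LAN address of the router's admin UI
ATTACKER_ORIGIN = "http://evil.example"   # constructed origin of the malicious page
ATTACKER_DNS = ["203.0.113.53"]           # constructed (TEST-NET) attacker DNS address
DEFAULT_PASSWORDS = ["admin", "password", "1234", ""]  # constructed sample of factory defaults


def password_is_default(password):
    """Audit check: is the admin password still one of the known factory defaults?"""
    return password in DEFAULT_PASSWORDS


class Router:
    def __init__(self, password, csrf_protection):
        self.password = password
        self.csrf_protection = csrf_protection
        self.dns_servers = ["192.168.1.1"]   # initial setting: the router answers DNS itself
        self.sessions = {}                   # session id -> anti-CSRF token

    def login(self, request):
        """POST /login. Returns a session id on success, else None."""
        supplied = request.get("form", {}).get("password", "")
        if not hmac.compare_digest(supplied.encode(), self.password.encode()):
            return None
        sid = secrets.token_hex(16)
        self.sessions[sid] = secrets.token_hex(16)   # token for this session only
        return sid

    def csrf_token(self, sid):
        """Token embedded in the router's own settings page; a page on another
        origin cannot read it because of the browser's same-origin policy."""
        return self.sessions[sid]

    def set_dns(self, request):
        """POST /dns: the state-changing action the attack targets."""
        sid = request.get("cookie")
        if sid not in self.sessions:
            return "unauthenticated"
        if self.csrf_protection:
            # Control 1: browsers attach Origin to cross-site POSTs and the
            # sending page cannot forge it to look like the router's UI.
            if request.get("origin") != ROUTER_ORIGIN:
                return "rejected: cross-site origin"
            # Control 2: the request must carry the token from the settings page.
            token = request.get("form", {}).get("csrf", "")
            if not hmac.compare_digest(token, self.sessions[sid]):
                return "rejected: missing or wrong csrf token"
        self.dns_servers = list(request["form"]["dns"])
        return "ok"


def drive_by_attempt(router):
    """Replays what the malicious page's JavaScript does: try the factory
    defaults, then post new DNS servers. Returns a short outcome string."""
    for guess in DEFAULT_PASSWORDS:
        sid = router.login({"origin": ATTACKER_ORIGIN, "form": {"password": guess}})
        if sid is not None:
            break
    else:
        return "login failed"
    # The malicious page never sees the router's settings page, so it has no token.
    result = router.set_dns({"origin": ATTACKER_ORIGIN, "cookie": sid,
                             "form": {"dns": ATTACKER_DNS}})
    return "dns changed" if result == "ok" else result


def legitimate_change(router, password, new_dns):
    """The owner changes DNS from the router's own admin page."""
    sid = router.login({"origin": ROUTER_ORIGIN, "form": {"password": password}})
    if sid is None:
        return "login failed"
    return router.set_dns({"origin": ROUTER_ORIGIN, "cookie": sid,
                           "form": {"dns": new_dns, "csrf": router.csrf_token(sid)}})


if __name__ == "__main__":
    for label, router in [("legacy, default password", Router("admin", False)),
                          ("legacy, strong password", Router("correct-horse-battery-staple", False)),
                          ("hardened, default password", Router("admin", True))]:
        print(f"{label}: {drive_by_attempt(router)} -> dns={router.dns_servers}")
```

Running it shows the three cases the text describes: the legacy router with a default password ends up pointing at the attacker's DNS server, a non-default password alone stops the attack at the login step, and the hardened router rejects the cross-site request even when the password is still the default. The owner's own change through the admin page, which carries the token and the router's origin, still goes through.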

** *** ***** ******* *********** *************

      Cloning RFID Chips Made by HID

Remember the Cisco fiasco from BlackHat 2005? Next in the stupid box is
RFID-card manufacturer HID, who has prevented Chris Paget from
presenting research on how to clone those cards. The ACLU presented in
his place.

Won't these companies ever learn? HID won't prevent the public from
learning about the vulnerability, and it will end up looking like heavy
handed goons. And it's not even secret; Paget demonstrated the attack
to me and others at the RSA Conference last month.

There's a difference between a security flaw and information about a
security flaw; HID needs to fix the first and not worry about the
second. Full disclosure benefits us all.

http://www.darkreading.com/document.asp?doc_id=1182851
http://www.networkworld.com/news/2007/022707-battle-brewing-over-rfid-chip-hacking.html
or http://tinyurl.com/2dvqww
http://www.aclunc.org/issues/technology/bytes_and_pieces/blackhat_presenters_threatened_with_patent_suit_for_exposing_rfid_vulnerabilities.shtml
or http://tinyurl.com/2q8tkj

Attack demonstration:
http://weblog.infoworld.com/techwatch/archives/010227.html

Cisco story:
http://www.schneier.com/blog/archives/2005/07/cisco_harasses.html
http://www.schneier.com/blog/archives/2005/08/more_lynncisco.html

Full disclosure:
http://www.schneier.com/crypto-gram-0111.html#1

** *** ***** ******* *********** *************

      Comments from Readers

There are hundreds of comments -- many of them interesting -- on these
topics on my blog. Search for the story you want to comment on, and join
in.

http://www.schneier.com/blog

** *** ***** ******* *********** *************

CRYPTO-GRAM is a free monthly newsletter providing summaries, analyses,
insights, and commentaries on security: computer and otherwise. You can
subscribe, unsubscribe, or change your address on the Web at
<http://www.schneier.com/crypto-gram.html>. Back issues are also
available at that URL.

Please feel free to forward CRYPTO-GRAM, in whole or in part, to
colleagues and friends who will find it valuable. Permission is also
granted to reprint CRYPTO-GRAM, as long as it is reprinted in its entirety.

CRYPTO-GRAM is written by Bruce Schneier. Schneier is the author of the
best sellers "Beyond Fear," "Secrets and Lies," and "Applied
Cryptography," and an inventor of the Blowfish and Twofish algorithms.
He is founder and CTO of BT Counterpane, and is a member of the Board of
Directors of the Electronic Privacy Information Center (EPIC). He is a
frequent writer and lecturer on security topics. See
<http://www.schneier.com>.

BT Counterpane is the world's leading protector of networked information
- the inventor of outsourced security monitoring and the foremost
authority on effective mitigation of emerging IT threats. BT
Counterpane protects networks for Fortune 1000 companies and governments
world-wide. See <http://www.counterpane.com>.

Crypto-Gram is a personal newsletter. Opinions expressed are not
necessarily those of BT or BT Counterpane.

Copyright (c) 2007 by Bruce Schneier.

-- 
Joey Kelly
< Minister of the Gospel | Linux Consultant >
http://joeykelly.net
(sent via gmail.com, no GPG signature)
___________________
Nolug mailing list
nolug@nolug.org
Received on 03/15/07

This archive was generated by hypermail 2.2.0 : 12/19/08 EST