Computer security is an arcane and difficult subject, constantly shifting in response to societal and technological forcings. A layperson hoping to get a better grip on the fundamental issues involved can scarcely do better than to read Bruce Schneier‘s Secrets and Lies: Digital Security in a Networked World. The book is at the middle of the spectrum of his work, with Beyond Fear existing at one end of the spectrum as a general primer on all security related matters and Applied Cryptography providing far more detail than non-experts will ever wish to absorb.
Secrets and Lies takes a systematic approach, describing types of attacks and adversaries, stressing how security is a process rather than a product, and explaining a great many offensive and defences strategies in accessible ways and with telling examples. He stresses the impossibility of preventing all attacks, and hence the importance of maintaining detection and response capabilities. He also demonstrates strong awareness of how security products and procedures interact with the psychology of system designers, attackers, and ordinary users. Most surprisingly, the book is consistently engaging and even entertaining. You would not expect a book on computer security to be so lively.
One critical argument Schneier makes is that the overall security of computing can only increase substantially if vendors become liable for security flaws in their products. When a bridge collapses, the construction and engineering firms end up in court. When a ten year old bug in Windows NT causes millions of dollars in losses for a company losing it, Microsoft may see fit to finally issue a patch. Using regulation to structure incentives to shape behaviour is an approach that works in a huge number of areas. Schneier shows how it can be made to work in computer security.
Average users probably won’t want to read this book – though elements of it would probably entertain and surprise them. Those with an interest in security, whether it is principally in relation to computers or not, should read it mostly because of the quality of Schneier’s though processes and analysis. The bits about technology are quite secondary and pretty easily skimmed. Most people don’t need to know precisely how smart cards or the Windows NT kernel are vulnerable; they need to know what those vulnerabilities mean in the context of how those technologies are used. Reading this book will leave you wiser in relation to an area of ever-growing importance. Those with no special interest in computers are still strongly encouraged to read Beyond Fear: especially if they are legislators working on anti-terrorism laws.
Put not your trust in maths
Sep 7th 2000
From The Economist print edition
SECRETS AND LIES; DIGITAL SECURITY IN A NETWORKED WORLD.
By Bruce Schneier.
John Wiley & Sons; 432 pages; $29.99 and £19.50
Can I also recommend his free monthly newsletter? Very readable, and accessible to the casual reader:-
http://www.schneier.com/crypto-gram.html
The newsletter material is also posted to his blog, which also features good discussions and commentary.
Refuse to be Terrorized
By schneier
I know nothing about the politics of this organization, but their “I am not afraid” campaign is something I can certainly get behind. I think we should all send a letter like this to our elected officials, whatever country we’re in:
“I am not afraid of terrorism, and I want you to stop being afraid on my behalf. Please start scaling back the official government war on terror. Please replace it with a smaller, more focused anti-terrorist police effort in keeping with the rule of law. Please stop overreacting. I understand that it will not be possible to stop all terrorist acts. I accept that. I am not afraid.”
“The only truly secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards.”
– Gene Spafford
“Being able to break security doesn’t make you a hacker anymore than being able to hotwire cars makes you an automotive engineer.”
– Eric Raymond
“Companies spend millions of dollars on firewalls, encryption and secure access devices, and it’s money wasted, because none of these measures address the weakest link in the security chain.”
– Kevin Mitnick
“If you think technology can solve your security problems, then you don’t understand the problems and you don’t understand the technology.”
– Bruce Schneier
“Passwords are like underwear: you don’t let people see it, you should change it very often, and you shouldn’t share it with strangers.”
– Chris Pirillo
New Attack on AES
There’s a new cryptanalytic attack on AES that is better than brute force:
Abstract. In this paper we present two related-key attacks on the full AES. For AES-256 we show the first key recovery attack that works for all the keys and has complexity 2119, while the recent attack by Biryukov-Khovratovich-Nikolic works for a weak key class and has higher complexity. The second attack is the first cryptanalysis of the full AES-192. Both our attacks are boomerang attacks, which are based on the recent idea of finding local collisions in block ciphers and enhanced with the boomerang switching techniques to gain free rounds in the middle.
…
We also expect that a careful analysis may reduce the complexities. As a preliminary result, we think that the complexity of the attack on AES-256 can be lowered from 2^119 to about 2^110.5 data and time.
We believe that these results may shed a new light on the design of the key-schedules of block ciphers, but they pose no immediate threat for the real world applications that use AES.
Time Warner Cable Modems Expose Users
“Wired is reporting on a simple hack putting some 65,000 customers at risk. The hack to gain administrative access to the cable modem/router combo is remarkably simple: ‘[David] Chen, founder of a software startup called Pip.io, said he was trying to help a friend change the settings on his cable modem and discovered that Time Warner had hidden administrative functions from its customers with Javascript code. By simply disabling Javascript in his browser, he was able to see those functions, which included a tool to dump the router’s configuration file. That file, it turned out, included the administrative login and password in cleartext. Chen investigated and found the same login and password could access the admin panels for every router in the SMC8014 series on Time Warner’s network — a grave vulnerability, given that the routers also expose their web interfaces to the public-facing internet.’ If you use Time Warner’s SMC8014 series cable modem/Wi-Fi router combo, watch for firmware to be released soon that they are reportedly in the process of testing.”
Bug In Most Linuxes Can Give Untrusted Users Root
Red Midnight and other readers brought to our attention a bug in most deployed versions of Linux that could result in untrusted users getting root access. The bug was found by Brad Spengler last month. “The null pointer dereference flaw was only fixed in the upcoming 2.6.32 release candidate of the Linux kernel, making virtually all production versions in use at the moment vulnerable. While attacks can be prevented by implementing a common feature known as mmap_min_addr, the RHEL distribution… doesn’t properly implement that protection… The… bug is mitigated by default on most Linux distributions, thanks to their correct implementation of the mmap_min_addr feature. … [Spengler] said many other Linux users are also vulnerable because they run older versions or are forced to turn off [mmap_min_addr] to run certain types of applications.”
“Yet many of these trusted websites have lately become targets for criminals who lay traps for the unwary. Indeed, over 80% of all infected web pages are nowadays found on legitimate websites, says Sophos, an online-security firm. Like other online swindles, the aim is to dupe people into parting with their credit-card details, or to get them to download malicious software (“malware”) such as viruses, worms, key-loggers and Trojan horses that feed back bank-account passwords and other confidential information stored on their computers.
One of the nastiest little tricks is to send people who click on an infected web link, or merely open a compromised web page, a warning that their computer has a virus infection—and that, to remove it, they need to download a special anti-virus program costing $30 or so. Those who waste their money on such fake security software (“scareware”) finish up getting their computers thoroughly infected with key-loggers and Trojans that steal information. Unbeknown to its owner, an infected computer can also team up with thousands of other similarly infected zombie machines to form armies of robot networks (“botnets”) used by criminals to launch “phishing” attacks on millions of unsuspecting internet users.”
Blazing Fast Password Recovery With New ATI Cards
“ElcomSoft accelerates the recovery of Wi-Fi passwords and password-protected iPhone and iPod backups by using ATI video cards. The support of ATI Radeon 5000 series video accelerators allows ElcomSoft to perform password recovery up to 20 times faster compared to Intel top of the line quad-core CPUs, and up to two times faster compared to enterprise-level NVIDIA Tesla solutions. Benchmarks performed by ElcomSoft demonstrate that ATI Radeon HD5970 accelerated password recovery works up to 20 times faster than Core i7-960, Intel’s current top of the line CPU unit.”
“CPUs are built from the ground up to do scalar math really, really fast. That lends itself well to doing tasks that must be performed in sequence, such as running an individual thread. However, they’ve only recently gained the ability to do more than one thing at a time (dual core processors), and even now high end CPUs can only do six calculations at once (6 core processors).
Meanwhile, GPUs are built to do vector math really, really fast. They can’t do individual adds anywhere near as fast as a CPU can, but they can do dozens of them at the same time.
Which type of processor is best for which job depends entirely on the nature of the math involved and how parallelizable the task is. In the case of 3D graphics, drawing a frame involves tons of vector arithmetic work, which is why your 1 GHz GPU will run circles around your 3 GHz CPU for that task (and is also where the GPU gets its name from). In the case mentioned in the article, password cracking is highly parallelizable: you’ve gotta run 100 million tests, and the outcome of any one test has zero influence on the other tests, so the more you can run at the same time, the better. By running it on the GPU, each individual test will take a bit longer than running it on the CPU would, but you’ll be able to run dozens simultaneously instead of just a few, and will thus get your results much faster.
CPUs certainly have their place, though. Some tasks simply must be done in sequence and cannot be easily divided up in to seperate parallel tasks. The CPU will get these done much faster, since running them on the GPU would incur the speed penalty without realizing any benefit.
I’ve simplified it a bit for the sake of explanation, but that’s the gist of it.”
High-tech warfare
Something wrong with our **** chips today
Kill switches are changing the conduct and politics of war
IN THE 1991 Gulf war Iraq’s armed forces used American-made colour photocopiers to produce their battle plans. That was a mistake. The circuitry in some of them contained concealed transmitters that revealed their position to American electronic-warfare aircraft, making bomb and missile strikes more precise. The operation, described by David Lindahl, a specialist at the Swedish Defence Research Agency, a government think-tank, highlights a secret front in high-tech warfare: turning enemy assets into liabilities.
The internet and the growing complexity of electronic circuitry have made it much easier to install what are known as “kill switches” and “back doors”, which may disable, betray or blow up the devices in which they are installed. Chips can easily contain 2 billion transistors, leaving plenty of scope to design a few that operate secretly. Testing even a handful of them for anomalies requires weeks of work.
Kill switches and other remote controls are on the minds of Western governments pondering whether to send weapons such as sophisticated anti-tank missiles, normally tightly policed, to rebels in Libya. Keeping tabs on when and where they are fired will allay fears that they could end up in terrorist hands. Such efforts would not even need to be kept secret. A former CIA official says the rebels could be told: “Look, we’re going to give you this, but we want to be able to control it.”
That lesson was first learned in Afghanistan in the 1980s, when America supplied Stinger missiles to help Afghan fighters against Soviet helicopter gunships, only to have to comb the region’s arms bazaars in later years to buy them back (some were then booby-trapped and sold again, to deter anyone tempted to use them).