Steve’s Views Rotating Header Image

Security

Networking 101

I’ll share some basics here:

All computers and devices on a network are each called a host. Each must
have a unique IP address just like each house has a unique address.

IP addresses are broken into the older IP version 4 (IPv4) which has
four numbers separated by a period ‘.’ like this 8.8.8.8.

Each number must be in the range of 0 to 255, but no host can have an IP
that ends on 0 or 255.

There are three main ranges of IP addresses which will not be routed
(forwarded) across the internet. These ranges are intended to be used in
local networks, which in practice means you can have a number of
computers with their own IP address on your network without it being
open to the world.

In other words these ranges will not work across the internet and is a
direct solution to not wanting to give up a “routeable” address for each
internal device. Otherwise the available IP addresses would be used up
very rapidly by large corporations. Plus, this way we have a layer of
security. There is a technology called Network Address Translation (NAT)
which ensures internal communication traveling from the inside of a
network to the outside is properly tracked.

The three ranges are:

10.0.0.0 – 10.255.255.255 with 16,777,216 IPs
172.16.0.0 – 172.32.255.255 with 1,048,576 IPs
192.168.0.0 – 195.168.255.255 with 65,536 IPs

There is an address for all computers to test networking without needing a
network card which is 127.0.0.1. It is called the loopback device.

The new IP version is called IPv6 and in theory allows for 2 to the
power of 128 (128 digits) versus IPv4 which only have about 4.3 billion
addresses. I’m not going into the details of it here.

A network that is under another one or is internal is generally referred
to as a subnet.

Each network reserves a few IPs for its own use:

For a network able to use all 256 addresses on a subnet , for example, 192.168.1.0 is called the network address, which obviously is the beginning of it.

Usable addresses then would be 1 through 254, except generally the first
usable one is usually the gateway to the network “above” it. So .1 is
usually reserved as the gateway IP.

Then the last IP is usually the broadcast address. The purpose with that
is when a device needs to reach another computer and does now know has
the IP sends out a broadcast asking “who has (IP)?” which is sent to the
.255 address. The gateway will then answer.

192.168.1.0 is the network IP
192.168.1.1 is the gateway
192.168.1.255 is the broadcast IP

We humans have a hard time tracking IP addresses so a system was
designed to allow up to use names instead. A server function called
Domain Name Server (DNS) translates the name to an IP address which is
needed to actually reach another computer.

Now for a computer to save time and not bother the DNS with questions
that it could answer a network mask was created which by its design can
tell if the computer you are trying to reach is on the local network or
needs to be sent to the gateway server to figure out. (And if it does
not know it sends it up to its gateway and so on.)

It is called subnet mask and for the above example it would look like
this 255.255.255.0. Thereby knowing that any host on 192.168.1.0-192.168.1.255 can be sent directly, anything else would need to be sent to the gateway, 192.168.1.1 for it to forward up the line.

Due to criminal elements online it is crucial that you have layers of
security. The first one is called a border firewall and is the first
layer of security. Other layers can be local firewalls on each computer,
educated users on what to do and not, log files that are monitored,
security patches applied in a timely fashion (immediately) and so on.

You do NOT need a separate subnet for VMs unless you WANT to have it. I
rarely do it. But if you do then simply assign IPs for the VMs that are
on the same subnet. If they need to go outside that subnet then make
sure you have a gateway assigned which sits across both subnets. That
will have port forwarding turned on which allows traffic to flow between
the network cards. (Google linux router.)

When you use virtual machines they too will each need an IP to talk to
any other host.

(You could create a subnet which does not have the ability to talk
outside that specific network, which could be handy when testing
something that could be interrupting other hosts on the main network.
Being totally isolated means it cannot be hacked nor leak something
outside that network.)

When you sit inside your subnet you may not allow random external (on
the internet) traffic to reach your internal computers unless there is a
hole on the firewall to allow some traffic in. For example, you might
have a web server which is reachable from the outside, which in turn
uses a database. Access to the database must be guarded to ensure it’s not reachable directly or via a flaw in the code.

You have to make the call if you can or should allow the VMs access to other networks.

First Amendment Rights?

Intended to those in charge.

As someone who has visited Auschwitz as a young man while traveling through Europe, who met people who were deformed from being concentration camp guinea pigs and saw the horrors that came because nobody would do anything about it before it became too late, I was utterly stunned to see how my all time favorite service appears to actually be taking a stance supporting extreme violence hate sites.

I’m guessing it has something to do with the 1st amendment which is generally a great thing to support, though one has to be aware that it only refers to what the government is not being allowed to violate:

“Congress shall make no law respecting an establishment of religion, or prohibiting the free exercise thereof; or abridging the freedom of speech, or of the press; or the right of the people peaceably to assemble, and to petition the Government for a redress of grievances.”

Clearly free speech is a crucial part of society, but common sense can step in and say if, for example, you want to insult my wife in my own house, you must leave. If you want to proclaim death to my neighbors, you can’t stand on my stoop to do it from. If you try to promote violent rhetoric using my company – it will be removed.

Doing anything less is supporting what ultimately becomes criminal activities which at the very least is bad for business in the long run.

I also find it shameful. Certainly ignorance and stupidity alike can be very dangerous given the right situation. When I look myself in the mirror I much prefer to feel strength from doing the right thing, and not having acted from ignorance or misinformation.

There is a very real situation where people don’t bother to investigate what they are being told. They are commonly not very well versed with the world outside their own nor have a solid education. Thus being at a disadvantage frequently find themselves not finding any road to success but reasons to be unhappy. Some take advantage of that to misdirect their unhappiness towards people and activities that actually seek to help society. These “some” are stuck wanting to take the world down with them. Meanwhile the lesser educated and informed, but not automatically less valuable, fall pray to the lies and propaganda and with little to loose stand up ready to fight the false evil. Others even less educated about life become willing to meet the vestigial virgins supposedly waiting for them once they click the detonator. The price for freedom is constant alertness and willingness to fight back, not blindly supporting any activity or “right”.

Thus, I frequently assess who I associate myself with and as someone who has so far been a staunch supporter for a decade am now wondering what is your intention visa vie Nazi hate propaganda, and similar sites?

Google Suggests Reporting Their Charges as Fraud

In short I tried to cancel a commercial app service for my business but they claim unable to do so.

We had an account with Google which provided a few apps for us. Then that same functionality was moved in house and the use dropped to zero. The account sat there for about two years collecting the monthly charge with no use.

At one point I decided to cancel the service, which is when it got interesting. First I screwed up on how I canceled the service and in effect only killed the admin account. Then forgot about the whole thing while busy with some new and exciting things. After a while I did notice that the charge was still coming through from Google so I attempted to have them close it.

However they told me that the only way I could stop them from taking my money each month would be to login as that admin. Problem is I have a lot of different accounts and that one was cleaned up and deleted, a long time ago. There’s no way for me to recover that information.

However Google obviously have records of transactions and should be able to ask questions that would verify my identity and then stop taking my money for the service I don’t use. Not so, even after escalation to a supervisor, they still said they could not cancel the service.

Google does have a pretty good security record and maybe they only allow a very select few access to data that could authenticate me. But the idea that a company could not stop putting through a charge for a service I’m not using is, let’s be nice and call it odd.

In the end I was told to go to my bank and tell them the charges are fraudulent so the bank would no longer pay Google. That is supposed to lead to the account being suspended and stop the charges. Of course once I told the bank they simply don’t accept the charge anymore, solving my problem. I found the whole thing is pretty unusual. There must be a ton of people that made the same mistake and could not get out of it in a simpler way.

How To Give Away Your Bank Accounts To Criminals

Sherri Davidoff, Author of “Network Forensics: Tracking Hackers Through Cyberspace” has documented a real life example of someone giving away all their credentials which means someone else now have the same access to your identity and subsequently, money, that you have.

It is a very effective demonstration of what not to do, share it with others!

And not necessarily very hard to protect yourself from. The best is of course to never accept and use links in emails, IM, etc. Which can be hard when you think it is from your friend or family member, or in the above case, your bank.

A safer method would be to use a LiveCD (a CD which you boot and run programs from) which does not have the ability to be altered. Which means each time you boot it – it is completely untouched by any virus. But it means booting into it each time you want to visit your bank, or other sensitive websites.

Joanna Rutkowska is a Polish security researcher who released a modified Operating System called Qubes OS which I think is a great compromise, and the best I have seen. It accomplishes that by setting up virtual environments in a particularly nifty way. First the whole O/S have been modified to be hard to break into, then it uses dedicated virtual computers for each sensitive website (all according to your preference).

I created one environment for each bank, Paypal etc. Then I ONLY visited that one website using that virtual environment. In other words if you have Paypal you would use the Paypal virtual environment to only visit Paypal. And so on.

Now it requires that the banks website gets infected with the malware needed to infect my virtual computer but only for that bank. Not for any other. It is also particularly easy to fix. Remove it and add a new one.

Another virtual environment is used for casual browsing. Another for business, email etc.

This means an infected email cannot corrupt your other environments and you have a very effective tool against online malware.

Security is about balancing security and work-ability. Too secure and nothing can get done. Too easy and you’ve given easy access for criminals. You need to strike a balance. It took very little to get used to and is about the safest and best balance I’ve seen anywhere.

As you can see at the bottom of the above article LMG Security offers workshops and her book is a very good read.

Make the extra effort to be security aware and avoid being a victim while at the same time not being the tool used to wreck someone else’s life.

Abandon IT Dept for the Cloud?

People have some interesting affinity for the latest and greatest solution, which gets applied to any and all problems. The grass is apparently so readily seen to be greener on the other side, that even common sense is left behind. I’m guessing there’s frustration afoot, which might be because of a slow or inept IT dept. But could also be because not enough funds are allocated to properly run the IT dept. Just saying.

This urge to always jump on the latest new technology is often done as if there’s a great emergency. The idea behind the Cloud is certainly interesting. But is moving your IT into the Cloud the right move, or are you asking for even more trouble?

Your IT dept has physical control, are motivated by how you run your business. In other words you can hire, fire and make demands to ensure they are aligned with supporting your business plan.

The Cloud however, is ENTIRELY out of your control.

In-house you can observe and handle security issues. On the Cloud you are hoping that they don’t have a staff failure, upsets, or whatever, which results in them not caring properly for your data/information.

In the Cloud which you are part of, you are part of many others, which certainly makes the Cloud a bigger target as far as, in the eyes of the criminal hacker, having higher potential payoff to hack. It’s more worthwhile to break into the Cloud.

When that happens, how do you act to protect your data?

There are many ways to “hack” into something. For example, in social engineering, where by pretending to be someone else, you talk people into giving you knowledge that opens the doors you want “unlocked” A simple phone call, or email, and someone might hand out the “keys”. It is very popular and easy to succeed with. It could also very well be that the people working the Cloud know better than Your average staff, than to fall pray for it.

Ultimately you need to look at your budget, evaluate the business impact of not having much of an internal IT dept, versus handing it out to someone else, and hope for the best.

True, you might already be hoping for the best. That your computers don’t get broken into, that IT knows what they are doing, etc. Data loss, for example, are more often caused by an upset employee, than some outside body. Making an argument for the Cloud. In theory it looks like the Cloud can be viable alternative.

I just don’t trust my business information, to be kept completely safe where things such as motivation, competence, reliability, etc. is not only unknown, but mostly unknowable. Where you can’t take advance action to ensure that the person being fired will not be able to cause you harm in a vengeful moment. Where, if the internet is down, you can’t do anything because all your data lives elsewhere.

Simply jumping on the Cloud because it is the hot thing that “everybody” is talking about, is not a very well evaluated reason. Most of the time common sense is the most reliable tool you have. Use it!

Physical Security Maxims

Security whether physical, computer or any other area, is seldom understood. Arbitrary ideas that saves someone from doing something is usually chosen. It is next to impossible to overstate the amount of ignorance and stupidity demonstrated whenever security is considered. This list brings home the balance of secure vs insecure. Of course security is about balancing security vs useable and practical.

Here’s excerpts from a list of maxims produced and assembled by Roger G. Johnston, Ph.D., CPP in the Vulnerability Assessment Team at Argonne National Laboratory.

(You can see the whole list at  www.schneier.com)

Physical Security Maxims
Roger G. Johnston, Ph.D., CPP

Security Maxims
The following maxims, based on our experience with physical
security, nuclear safeguards, & vulnerability assessments, are
not absolute laws or theorems, but they will be essentially
correct 80-90% of the time.

Infinity Maxim: There are an unlimited number of security
vulnerabilities for a given security device, system, or program,
most of which will never be discovered (by the good guys or
bad guys).

Arrogance Maxim: The ease of defeating a security device
or system is proportional to how confident/arrogant the designer,
manufacturer, or user is about it, and to how often they use
words like “impossible” or “tamper-proof”.

Ignorance is Bliss Maxim: The confidence that people have in
security is inversely proportional to how much they know about it.

Be Afraid, Be Very Afraid Maxim: If you’re not running
scared, you have bad security or a bad security product.

High-Tech Maxim: The amount of careful thinking that has
gone into a given security device, system, or program is
inversely proportional to the amount of high-technology it uses.

Schneier’s Maxim #1: The more excited people are about a given
security technology, the less they understand (1) that technology
and (2) their own security problems.

The threat from email

TRACE (Threat Research and Content Engineering) is a group of Marshal security analysts who constantly monitor and respond to Internet security threats. TRACE provides a service to Marshal customers as part of standard product maintenance. The service includes updates to Marshal’s unique, proprietary anti-spam technology, SpamCensor. TRACE analyzes spam, phishing and Internet security trends and provides frequent automated updates to Marshal customers. TRACE also provides “Zero Day” security protection to secure Marshal customers against new email and virus exploits the day they emerge.

There are several terms that are typical in this area:

Phishing, is a play on the word fishing, and does pretty much the same but for information instead of fish. By gathering information from computers and or people they gain enough of an edge to gain access and control over others computers.

Malware is software which is written to basically help cyber-criminals gain information and access to other peoples computers and networks. It might be hiding in web code (html) or some attachment like an mp3 or pdf file.

A Botnet is a network of “contaminated” computers that are under the control of the cyber-criminals. It is used to send bulk emails and to conduct mass attacks.

“It would be incomplete to discuss spam without commenting on the
malware and criminal activity that sustains it. Distributing spam and
malware is firmly in the domain of professional criminals looking for
financial gain. In the last six months, cyber-criminals have, unfortunately,
reached new heights of sophistication and capability.

“Not only have the large botnets taken over in terms of spam volume, they
have also evolved to reach new levels of sophistication. During the middle
of 2007, the Storm botnet grew rapidly following mass spamming of emails
containing links to websites hosting malicious code. The websites not
only hosted executable files that could be downloaded by users, but they
also hosted malicious code that attempted to exploit a number of different
known browser vulnerabilities.

The above are quotes from www.marchal.com. The link points to a page where you can read the whole report, and others.

In the report Marshal talks about cyber-criminals, “They operate in a thriving underworld marketplace where services, software tools, and software development are freely bought and sold. Computer skills are no longer necessary to execute cybercrime.”

They point out that in a recent case a botnet was rented out for $200/week which a spammer can use to send 100 million spam messages. With the considerable income from naive Internet shoppers a lot of money can and is made, which is of course what is attracting people who feel unable to earn an honest income.

Big sites are also hacked to help distribute the malware. MySpace, monster.com are but two examples. By generating a large amount of accounts with gmail, hotmail and the like they are able to spam from these accounts in bulk.

I strongly recommend that if nothing else you read the conclusion and recommendations at the last two pages. (marshal.com)

Why not to give admin or root access by default

[This is a reply to why setting your OS to give admin (root) access without a password on your computer is a not a good idea. It appeared on a Pardus review.]

Your argument is very understandable and is shared by most people. Not to be flippant about your knowledge, but it is from a very limited understanding of security, or shall we say how computers are hacked.

For example, needing to enter a password means that a remote hole in an application running as non root will not have root access automatically.

Thinking you are secure when you really don’t know what makes something insecure is folly.

Breaking into a computer it’s not done by “playing by the rules”. But is done by doing things “wrong”. As an example, back when IP firewalls came out they had rules about who’s allowed access simply by IP.

The firewall has to allow replies to requests back in or is useless. So it looked to see if the inbound packets followed the TCP rules of a reply, and if so allowed it access. That was broken by not following the standard TCP rules and they in effect gained access by saying here’s your reply. The firewall allowed the new connection thinking it was a reply.

After that we got stateful inspection which tracks outbound requests, and can therefor tell if a reply originated from an internal request or not. This is a very old example but the principle still holds true. Holes are found by doing the unusual and often wrong thing.

Take buffer overflows, they have been the most commonly used method. Which consists of writing a lot more information into a field than is expected. The poorly written program cannot process the extra information and they end up someplace in memory where it is executed, resulting in illegal access. This is a simplified view but still holds true.

When you think security, unless you have actually seen not one but how many illicit accesses are gained, don’t make the mistake in thinking that you even have a clue of what is or is not secure. It takes a LOT more than that. What’s even worse is that new holes are discovered all the time. Thus, you need to think in concepts of secure methods. Security becomes not if they can get in but finding the balance of secure vs productive methods of operating. Adding multiple levels of secure behavior with the final level being users who follow the established rules and has some respect for it all.

Look up some challenge when someone said we’ll pay you X dollars if you can break in. Then see how they did it. There were f.ex. a challenge on a shopping cart where it had some 600,000 attempts with a few successful entries. They were so ingenious nobody not experienced in real hands on hacking would have figured it out.

A bad but typical poor security example is from the early days on NT. Microslop claimed NT had received a government security rating. What they did not tell us was it required that the floppy and network card was disabled.

This false sense of security was then promoted by others, like those who wanted to defend their poor choice in OS or with an inflated self importance, by promoting how secure it was. Subsequently others who knew they themselves did not understand security listen to those who knew even less and believed they actually had a secure OS.

Security is a pain in the butt, which simply has to be balanced with the pain of loosing confidential info or loss of operation, and must not be done by coffee shop security wanna bees.

At the very best you end up shooting yourself and others in the foot with your ignorance. There are plenty of places where you can find discussions by pros discussing holes in various programs and what not. Spend some time with them and get a feel of things. (See Full disclosure, bug track. Crypto-Gram by Bruce Schneier is a very informative list for a layman. You’ll find good links and info on insecure.org.)
Good luck!

Why Windows is less secure then Linux

It’s one thing to know by your own experience, another to be told by others.
Sometimes you run into something that communicates very well. Like images. Here’s an article that does just that. It communicates graphically in a way that is hard to put in words.

Why Windows is less secure than Linux by ZDNet‘s Richard Stiennon
— Windows is inherently harder to secure than Linux. There I said it. The simple truth.

Many millions of words have been written and said on this topic. I have a couple of pictures. The basic argument goes like this. In its long evolution, Windows has grown so complicated that it is harder to secure. Well these images make the point very well. Both images are a complete map of the system calls that occur when a web server serves up a single page of html with a single picture. The same page and picture.

A system call is an opportunity to address memory. A hacker investigates each memory access to see if it is vulnerable to a buffer overflow attack. The developer must do QA on each of these entry points. The more system calls, the greater potential for vulnerability, the more effort needed to create secure applications.

This is a comparison between Linux and their web server and Windows and their webserver. The first picture is of the system calls that occur on a Linux server running Apache.

syscallapachesmall

This second image is of a Windows Server running IIS.

syscalliissmall

The difference is clear. Thanks to Sana Security for generating and providing these images.

Please note that 1. I am not a journalist. 2. I do not work for ZDnet. 3. I am an independant blogger. 4. This is a blog entry not a news article.

A deeper insight into security – CRYPTO-GRAM

Here’s a reprint of Crypto-Gram by Bruce Schneier. His newsletter is one of the most read on the subject. It is a strongly recommended reading for all who care about themselves and others.

Schneier also gives a good insight into how to motivate security in any area. (See Aligning Interest with Capability, below.)

Here in it’s entirety is:

CRYPTO-GRAM

June 15, 2006

by Bruce Schneier
Founder and CTO
Counterpane Internet Security, Inc.
schneier@counterpane.com
http://www.schneier.com
http://www.counterpane.com

A free monthly newsletter providing summaries, analyses, insights, and
commentaries on security: computer and otherwise.

For back issues, or to subscribe, visit
.

You can read this issue on the web at
. These same essays
appear in the “Schneier on Security” blog:
. An RSS feed is available.

** *** ***** ******* *********** *************

In this issue:
The Value of Privacy
Movie-Plot Threat Contest Winner
Crypto-Gram Reprints
Diebold Doesn’t Understand the Security Threat
News
Hacking Computers Over USB
The Doghouse: KRYPTO 2.0
Counterpane News
Aligning Interest with Capability
Comments from Readers

** *** ***** ******* *********** *************

The Value of Privacy

Last month, revelation of yet another NSA surveillance effort against
the American people rekindled the privacy debate. Those in favor of
these programs have trotted out the same rhetorical question we hear
every time privacy advocates oppose ID checks, video cameras, massive
databases, data mining, and other wholesale surveillance measures: “If
you aren’t doing anything wrong, what do you have to hide?”

Some clever answers: “If I’m not doing anything wrong, then you have no
cause to watch me.” “Because the government gets to define what’s
wrong, and they keep changing the definition.” “Because you might do
something wrong with my information.” My problem with quips like these
— as right as they are — is that they accept the premise that privacy
is about hiding a wrong. It’s not. Privacy is an inherent human right,
and a requirement for maintaining the human condition with dignity and
respect.

Two proverbs say it best: “Quis custodiet ipsos custodes?” (“Who
watches the watchers?”) and “Absolute power corrupts absolutely.”

Cardinal Richelieu understood the value of surveillance when he
famously said, “If one would give me six lines written by the hand of
the most honest man, I would find something in them to have him
hanged.” Watch someone long enough, and you’ll find something to arrest
— or just blackmail — him with. Privacy is important because without
it, surveillance information will be abused: to peep, to sell to
marketers, and to spy on political enemies — whoever they happen to be
at the time.

Privacy protects us from abuses by those in power, even if we’re doing
nothing wrong at the time of surveillance.

We do nothing wrong when we make love or go to the bathroom. We are not
deliberately hiding anything when we seek out private places for
reflection or conversation. We keep private journals, sing in the
privacy of the shower, and write letters to secret lovers and then burn
them. Privacy is a basic human need.

A future in which privacy would face constant assault was so alien to
the framers of the Constitution that it never occurred to them to call
out privacy as an explicit right. Privacy was inherent to the nobility
of their being and their cause. Of course being watched in your own
home was unreasonable. Watching at all was an act so unseemly as to be
inconceivable among gentlemen in their day. You watched convicted
criminals, not free citizens. You ruled your own home. It’s intrinsic
to the concept of liberty.

For if we are observed in all matters, we are constantly under threat
of correction, judgment, criticism, even plagiarism of our own
uniqueness. We become children, fettered under watchful eyes,
constantly fearful that — either now or in the uncertain future —
patterns we leave behind will be brought back to implicate us, by
whatever authority has now become focused upon our once-private and
innocent acts. We lose our individuality, because everything we do is
observable and recordable.

How many of us have paused during conversations in the past
four-and-a-half years, suddenly aware that we might be eavesdropped on?
Probably it was a phone conversation, although maybe it was an e-mail
or instant message exchange or a conversation in a public place. Maybe
the topic was terrorism, or politics, or Islam. We stop suddenly,
momentarily afraid that our words might be taken out of context, then
we laugh at our paranoia and go on. But our demeanor has changed, and
our words are subtly altered.

This is the loss of freedom we face when our privacy is taken from us.
This was life in the former East Germany, or life in Saddam Hussein’s
Iraq. And it’s our future as we allow an ever-intrusive eye into our
personal, private lives.

Too many wrongly characterize the debate as “security versus privacy.”
The real choice is liberty versus control. Tyranny, whether it arises
under threat of foreign physical attack or under constant domestic
authoritative scrutiny, is still tyranny. Liberty requires security
without intrusion, security plus privacy. Widespread police
surveillance is the very definition of a police state. And that’s why
we should champion privacy even when we have nothing to hide.

A version of this essay originally appeared on Wired.com.
http://www.wired.com/news/columns/0,70886-0.html

Daniel Solove comments:
http://www.concurringopinions.com/archives/2006/05/is_there_a_good.html
or http://tinyurl.com/nmj3u

** *** ***** ******* *********** *************

Movie-Plot Threat Contest Winner

I can tell you one thing, you guys are really imaginative. The
response to my Movie-Plot Threat Contest was more than I could imagine:
892 comments. I printed them all out — 195 pages, double sided — and
spiral bound them, so I could read them more easily. The cover read:
“The Big Book of Terrorist Plots.” I tried not to wave it around too
much in airports.

I almost didn’t want to pick a winner, because the real point is the
enormous list of them all. And because it’s hard to choose. But after
careful deliberation, the winning entry is by Tom Grant. Although
planes filled with explosives is already cliche, destroying the Grand
Coulee Dam is inspired. Here it is:

“Mission: Terrorize Americans. Neutralize American economy, make
America feel completely vulnerable, and all Americans unsafe.

“Scene 1: A rented van drives from Spokane, WA, to a remote setting in
Idaho and loads up with shoulder-mounted rocket launchers and a couple
of people dressed in fatigues.

“Scene 2: Terrorists dressed in ‘delivery man’ garb take over the UPS
cargo depot at the Spokane, WA, airport. A van full of explosives is
unloaded at the depot.

“Scene 3: Terrorists dressed in ‘delivery man’ garb take over the UPS
cargo depot at the Kamloops, BC, airport. A van full of explosives is
unloaded at the depot.

“Scene 4: A van with mercenaries drives through the Idaho forests en
route to an unknown destination. Receives cell communiqué that
locations Alpha and Bravo are secured.

“Scene 5: UPS cargo plane lands in Kamloops and is met at the depot by
terrorists who overtake the plane and its crew. Explosives are loaded
aboard the aircraft. The same scene plays out in Spokane moments
later, and that plane is loaded with explosives. Two pilots board
each of the cargo planes and ask for takeoff instructions as night
falls across the West.

“Scene 6: Two cargo jets go airborne from two separate locations. A
van with four terrorists arrives at its destination, parked on an
overlook ridge just after nightfall. They use infrared glasses to scope
the target. The camera pans down and away from the van, exposing the
target. Grand Coulee Dam. The cell phone rings and notification comes
to the leader that ‘Nighthawks alpha and bravo have launched.’

“Scene 7: Two radar operators in separate locations note with alarm
that UPS cargo jets they have been tracking have dropped off the radar
and may have crashed. Aboard each craft the pilots have turned off
navigational radios and are flying on ‘manual’ at low altitude. One
heading South, one heading North.

“Scene 8: Planes are closing in on the ‘target’ and the rocket
launcher crew goes to work. With precision they strike lookout and
defense positions on the dam, then target the office structures
below. As they finish, a cargo jet approaches from the North at high
velocity, slamming into the back side of the dam just above the
waterline and exploding, shuddering the earth. A large portion of the
center-top of the dam is missing. Within seconds a cargo plane coming
from the South slams into the front face of the dam, closer to the
base, and explodes in a blinding flash, shuddering the earth. In
moments, the dam begins to fail, and a final volley from four rocket
launchers on the hill above helps break open the face of the dam. The
40-mile-long Lake Roosevelt begins to pour down the Columbia River
Valley, uncontrolled. No warning is given to the dams downriver, other
than the generation at G.C. is now offline.

“Scene 9: Through the night, the surging wall of water roars down the
Columbia waterway, overtopping dam after dam and gaining momentum (and
huge amounts of water) along the way. The cities of Wenatchee and
Kennewick are inundated and largely swept away. A van of renegades
retreats to Northern Idaho to hide.

“Scene 10: As day breaks in the West, there is no power from Seattle
to Los Angeles. The Western power grid has failed. Commerce has ground
to a halt west of the Rocky Mountains. Water is sweeping down the
Columbia River gorge, threatening to overtop Bonneville dam and wipe
out the large metro area of Portland, OR.

“Scene 11: Bin Laden releases a video on Al Jazeera that claims
victory over the Americans.

“Scene 12: Pandemonium, as water sweeps into a panicked Portland,
Oregon, washing all away in its path, and surging water well up the
Willamette valley.

“Scene 13: Washington situation room…little input is coming in from
the West. Some military bases have emergency power and sat phones, and
are reporting that the devastation of the dam infrastructure is
complete. Seven major and five minor dams have been destroyed.
Re-powering the West coast will take months, as connections from the
Eastern grid will have to be made through the New Mexico Mountains.

“Scene 14: Worst U.S. market crash in history. America’s GNP drops
from the top of the charts to 20th worldwide. Exports and imports cease
on the West coast. Martial law fails to control mass exodus from
Seattle, San Francisco, and L.A. as millions flee to the east. Gas
shortages and vigilante mentality take their toll on the panicked
populace. The West is ‘wild’ once more. The East is overrun with
millions seeking homes and employment.”

Congratulations, Tom. I’m still trying to figure out what you win.

Contest rules and all entries:
http://www.schneier.com/blog/archives/2006/04/announcing_movi.html

Update, including selection criteria:
http://www.schneier.com/blog/archives/2006/04/movie_plot_thre.html

Winning entry:
http://www.schneier.com/blog/archives/2006/04/announcing_movi.html#c54905

** *** ***** ******* *********** *************

Crypto-Gram Reprints

Crypto-Gram is currently in its ninth year of publication. Back issues
cover a variety of security-related topics, and can all be found on
. These are a selection
of articles that appeared in this calendar month in other years.

Internet Attack Trends:
http://www.schneier.com/crypto-gram-0506.html#1

U.S. Medical Privacy Law Gutted:
http://www.schneier.com/crypto-gram-0506.html#9

Breaking Iranian Codes:
http://www.schneier.com/crypto-gram-0406.html#1

The Witty Worm:
http://www.schneier.com/crypto-gram-0406.html#9

The Risks Of Cyberterrorism:
http://www.schneier.com/crypto-gram-0306.html#1

Fixing Intelligence Failures:
http://www.schneier.com./crypto-gram-0206.html#1

Honeypots and the Honeynet Project
http://www.schneier.com/crypto-gram-0106.html#1

Microsoft SOAP:
http://www.schneier.com/crypto-gram-0006.html#SOAP

The Data Encryption Standard (DES):
http://www.schneier.com/crypto-gram-0006.html#DES

The internationalization of cryptography policy:
http://www.schneier.com/crypto-gram-9906.html#policy
and products:
http://www.schneier.com/crypto-gram-9906.html#products

The new breeds of viruses, worms, and other malware:
http://www.schneier.com/crypto-gram-9906.html#viruses

Timing attacks, power analysis, and other “side-channel” attacks
against cryptosystems:
http://www.schneier.com/crypto-gram-9806.html#side

** *** ***** ******* *********** *************

In the long term, corporate data mining efforts are more of a privacy
risk than government data mining efforts. And here’s an off-the-shelf
product from IBM:
http://www-306.ibm.com/common/ssi/fcgi-bin/ssialias?subtype=ca&infotype=
an&appname=iSource&supplier=649&letternum=ENUSA06-0519 or
http://tinyurl.com/q29er

The UK Intelligence and Security Committee has issued a report on the
July 7 terrorist bombings in London:
http://www.cabinetoffice.gov.uk/publications/reports/intelligence/isc_7j
uly_report.pdf or http://tinyurl.com/hazzn
The UK government has issued a response:
http://www.cabinetoffice.gov.uk/publications/reports/intelligence/govres
_7july.pdf or http://tinyurl.com/j8q5x
About the Intelligence and Security Committee:
http://www.cabinetoffice.gov.uk/intelligence/index.asp

From a list of 100,000 passwords for a German dating site, we learn
that “123456” works 1.4% of the time and that 2.5% of all passwords
begin with “1234.” Interesting.
http://www.heise.de/newsticker/meldung/73396

Bank defends its bad security by saying that everyone else does it, too.
http://blogs.zdnet.com/Ou/?p=226

Interesting essay about how EU law would treat the NSA’s collection of
everyone’s phone records.
http://www.concurringopinions.com/archives/2006/05/the_nsa_phone_c.html
or http://tinyurl.com/mpv6d

Animated political cartoon on NSA eavesdropping. And a song, too.
http://www.newsday.com/news/opinion/ny-wh-nsawiretapping,0,1906650.flash
or http://tinyurl.com/rg57v

You can audit “Welcome to Practical Aspects of Modern Cryptography”:
University of Washington, Winter 2006, by Josh Benaloh, Brian
LaMacchia, and John Manferdelli. The course materials and videos of
the lectures are online.
http://www.cs.washington.edu/education/courses/csep590/06wi/
http://www.cs.washington.edu/education/courses/csep590/06wi/lectures/

Fascinating interview with a debit card scammer. Moral: securing this
system isn’t going to be easy.
http://smallworldpodcast.com/?p=391

And some comments from a fake ID salesman, in case you thought
hard-to-forge national ID cards would solve the problem:
http://www.cbsnews.com/stories/2006/06/02/ap/national/mainD8I07PHG0.shtm
l or http://tinyurl.com/rafve

“How to Avoid Going to Jail under 18 U.S.C. Section 1001 for Lying to
Government Agents.”
http://library.findlaw.com/2004/May/11/147945.html

Nice article discussing the hype, and reality, over the threat of
homebrew chemical weapons.
http://www.theregister.co.uk/2006/06/04/chemical_bioterror_analysis/

Just hide this gadget in someone’s car or briefcase — or maybe sew it
into his coat — and then track his every move using GPS. You have to
recover the device to play it back, but presumably the next generation
will be queryable remotely.
http://www.thinkgeek.com/gadgets/security/8212/?cpg=cj

The U.S. government is asking ISPs to save personal data about you, in
case they need access to it.
http://www.latimes.com/technology/la-fi-internet2jun02,0,622125.story?co
ll=la-home-headlines or http://tinyurl.com/zpzvz
Note that the Justice Department invoked two of the Four Horsemen of
the Internet Apocalypse: child pornographers and terrorists. If they
can figure out how to work kidnappers and drug dealers in, they can
probably do anything they want.

From “Assassination in the United States: An Operational Study of
Recent Assassins, Attackers, and Near-Lethal Approachers,” (a 1999
article published in the “Journal of Forensic Sciences”): “Few
attackers or near-lethal approachers possessed the cunning or the
bravado of assassins in popular movies or novels. The reality of
American assassination is much more mundane, more banal than
assassinations depicted on the screen. Neither monsters nor martyrs,
recent American assassins, attackers, and near-lethal approachers
engaged in pre-incident patterns of thinking and behaviour.” The quote
is from the last page. The whole thing is interesting reading.
http://www.secretservice.gov/ntac/ntac_jfs.pdf

Interesting law review article by Helen Nissenbaum: “Privacy as
Contextual Integrity.”
http://crypto.stanford.edu/portia/papers/RevnissenbaumDTP31.pdf

New directions in chemical warfare: chemicals that make enemy soldiers
sexually irresistible to each other, attract swarms of enraged wasps,
or cause “severe and lasting halitosis”:
http://www.newscientist.com/article.ns?id=mg18524823.800
Technology always gets better; it never gets worse. There will be a
time, probably in our lifetimes, when weapons like these will be real.

NSA surveillance cartoon:
http://www.ibiblio.org/Dave/Dr-Fun/df200605/df20060517.jpg

Interesting paper on the security of contactless smartcards:
http://www.chi-publishing.com/samples/ISB0903HH.pdf

Wireless surveillance camera detector:
http://www.brickhousesecurity.com/dd9000.html

Great article comparing the barrier Israel is erecting to protect
itself from the West Bank with the hypothetical barrier the U.S. would
build to protect itself from Mexico: “No wonder the [Israeli] fence is
considered a good deal by those living on its western side. But
applying this model to the U.S.-Mexico border will not be easy. U.S.
citizens will find it hard to justify such tough measures when their
only goal is to stop people coming in for work — rather than
preventing them from trying to commit murder. And the cost will be more
important. It’s much easier to open your wallet when someone is
threatening to blow up your local cafe.”
http://www.slate.com/id/2143104/

$1M VoIP scam:
http://www.networkingpipeline.com/news/188702745

NIST has just published “Recommendation for Random Number Generation
Using Deterministic Random Bit Generators.”
http://csrc.nist.gov/publications/nistpubs/index.html

The NSA is combing through MySpace:
http://www.newscientisttech.com/article/mg19025556.200-pentagon-sets-its
-sights-on-social-networking-websites.html or http://tinyurl.com/fk3z6

** *** ***** ******* *********** *************

Hacking Computers Over USB

I’ve previously written about the risks of small portable computing
devices; how more and more data can be stored on them, and then lost or
stolen. But there’s another risk: if an attacker can convince you to
plug his USB device into your computer, he can take it over. From CSO
Magazine:

“Plug an iPod or USB stick into a PC running Windows and the device can
literally take over the machine and search for confidential documents,
copy them back to the iPod or USB’s internal storage, and hide them as
“deleted” files. Alternatively, the device can simply plant spyware, or
even compromise the operating system. Two features that make this
possible are the Windows AutoRun facility and the ability of
peripherals to use something called direct memory access (DMA). The
first attack vector you can and should plug; the second vector is the
result of a design flaw that’s likely to be with us for many years to
come.”

The article has the details, but basically you can configure a file on
your USB device to automatically run when it’s plugged into a
computer. That file can, of course, do anything you want it to.

Recently I’ve been seeing more and more written about this attack. The
Spring 2006 issue of 2600 Magazine, for example, contains a short
article called “iPod Sneakiness” (unfortunately, not online). The
author suggests that you can innocently ask someone at an Internet cafe
if you can plug your iPod into his computer to power it up — and then
steal his passwords and critical files.

And about someone used this trick in a penetration test:

“We figured we would try something different by baiting the same
employees that were on high alert. We gathered all the worthless vendor
giveaway thumb drives collected over the years and imprinted them with
our own special piece of software. I had one of my guys write a Trojan
that, when run, would collect passwords, logins and machine-specific
information from the user’s computer, and then email the findings back
to us.

“The next hurdle we had was getting the USB drives in the hands of the
credit union’s internal users. I made my way to the credit union at
about 6 a.m. to make sure no employees saw us. I then proceeded to
scatter the drives in the parking lot, smoking areas, and other areas
employees frequented.

“Once I seeded the USB drives, I decided to grab some coffee and watch
the employees show up for work. Surveillance of the facility was worth
the time involved. It was really amusing to watch the reaction of the
employees who found a USB drive. You know they plugged them into their
computers the minute they got to their desks.

“I immediately called my guy that wrote the Trojan and asked if
anything was received at his end. Slowly but surely info was being
mailed back to him. I would have loved to be on the inside of the
building watching as people started plugging the USB drives in,
scouring through the planted image files, then unknowingly running our
piece of software.”

There is a partial defense. From the first article:

“AutoRun is just a bad idea. People putting CD-ROMs or USB drives into
their computers usually want to see what’s on the media, not have
programs automatically run. Fortunately you can turn AutoRun off. A
simple manual approach is to hold down the “Shift” key when a disk or
USB storage device is inserted into the computer. A better way is to
disable the feature entirely by editing the Windows Registry. There are
many instructions for doing this online (just search for ‘disable
autorun’) or you can download and use Microsoft’s TweakUI program,
which is part of the Windows XP PowerToys download. With Windows XP you
can also disable AutoRun for CDs by right-clicking on the CD drive icon
in the Windows explorer, choosing the AutoPlay tab, and then selecting
‘Take no action’ for each kind of disk that’s listed. Unfortunately,
disabling AutoPlay for CDs won’t always disable AutoPlay for USB
devices, so the registry hack is the safest course of action.”

In the 1990s, the Macintosh operating system had this feature, which
was removed after a virus made use of it in 1998. Microsoft needs to
remove this feature as well.

But it’s only a partial defense. In the penetration test, they didn’t
use AutoRun. They just created a sufficiently enticing file, and the
people who found the USB drives manually invoked the executable.

http://www.csoonline.com/read/050106/ipods.html
http://www.darkreading.com/document.asp?doc_id=95556&WT.svl=column1_1
http://www.darkreading.com/boards/message.asp?msg_id=134658

My previous essay:
http://www.schneier.com/blog/archives/2005/07/risks_of_losing.html

** *** ***** ******* *********** *************

The Doghouse: KRYPTO 2.0

The website is hysterical:

“Proof of the Krypto security !
Which would be, if one would try one of Krypto coded file unauthorized
to decode.
A coded file with the length of 18033 indications has therefore
according to computation, 256 bits highly 18033 indications =
6,184355814363201353319227173630ë+43427
file possibilities. Each file possibility has exactly 18033 indications
byte.
Multiplied by the number of file possibilities then need results in the
memory.
Those are then: 1,1152248840041161000440562362208e+43432 byte.
Those are then: 1,038634110245961789082788150963è+43423 Giga byte data
quantity.
That is a number with 43424 places.
I can surely maintain as much memory place give it in the whole world
not never.
And the head problem now is, which is now the correctly decoded file.
Who it does not know can only say there. That does not know so exactly !
They can code naturally naturally also still successively several
times, even up to
the infinity.”

Machine translated (on the website; not by me) from German into
English. My head hurts just trying to read that.

http://kryptochef.net/index2e.htm

** *** ***** ******* *********** *************

Counterpane News

Schneier is speaking at the FIRST Conference in Baltimore on June 30:
http://www.first.org/conference/2006/

Interview with Bruce Schneier:
http://www.sevendaysvt.com/features/2006/tales-from-the-cryptographer.html

Counterpane announced two pretty cool service agreements:
http://www.counterpane.com/pr-20060605.html

Network World wrote about Counterpane at the Gartner Security Conference:
http://www.networkworld.com/news/2006/060506-gartner-security.html

** *** ***** ******* *********** *************

Aligning Interest with Capability

Have you ever been to a retail store and seen this sign on the
register: “Your purchase free if you don’t get a receipt”? You almost
certainly didn’t see it in an expensive or high-end store. You saw it
in a convenience store, or a fast-food restaurant, or maybe a liquor
store. That sign is a security device, and a clever one at that. And
it illustrates a very important rule about security: it works best when
you align interests with capability.

If you’re a store owner, one of your security worries is employee
theft. Your employees handle cash all day, and dishonest ones will
pocket some of it for themselves. The history of the cash register is
mostly a history of preventing this kind of theft. Early cash
registers were just boxes with a bell attached. The bell rang when an
employee opened the box, alerting the store owner — who was presumably
elsewhere in the store — that an employee was handling money.

The register tape was an important development in security against
employee theft. Every transaction is recorded in write-only media, in
such a way that it’s impossible to insert or delete transactions. It’s
an audit trail. Using that audit trail, the store owner can count the
cash in the drawer, and compare the amount with the register tape. Any
discrepancies can be docked from the employee’s paycheck.

If you’re a dishonest employee, you have to keep transactions off the
register. If someone hands you money for an item and walks out, you
can pocket that money without anyone being the wiser. And, in fact,
that’s how employees steal cash in retail stores.

What can the store owner do? He can stand there and watch the
employee, of course. But that’s not very efficient; the whole point of
having employees is so that the store owner can do other things. The
customer is standing there anyway, but the customer doesn’t care one
way or another about a receipt.

So here’s what the employer does: he hires the customer. By putting up
a sign saying “Your purchase free if you don’t get a receipt,” the
employer is getting the customer to guard the employee. The customer
makes sure the employee gives him a receipt, and employee theft is
reduced accordingly.

There is a general rule in security to align interest with
capability. The customer has the capability of watching the employee;
the sign gives him the interest.

In Beyond Fear, I wrote about ATM fraud; you can see the same mechanism
at work:

“When ATM cardholders in the US complained about phantom withdrawals
from their accounts, the courts generally held that the banks had to
prove fraud. Hence, the banks’ agenda was to improve security and keep
fraud low, because they paid the costs of any fraud. In the UK, the
reverse was true: The courts generally sided with the banks and assumed
that any attempts to repudiate withdrawals were cardholder fraud, and
the cardholder had to prove otherwise. This caused the banks to have
the opposite agenda; they didn’t care about improving security, because
they were content to blame the problems on the customers and send them
to jail for complaining. The result was that in the US, the banks
improved ATM security to forestall additional losses–most of the fraud
actually was not the cardholder’s fault — while in the UK, the banks
did nothing.”

The banks had the capability to improve security. In the US, they also
had the interest. But in the UK, only the customer had the
interest. It wasn’t until the UK courts reversed themselves and
aligned interest with capability that ATM security improved.

Computer security is no different. For years I have argued in favor of
software liabilities. Software vendors are in the best position to
improve software security; they have the capability. But,
unfortunately, they don’t have much interest. Features, schedule, and
profitability are far more important. Software liabilities will change
that. They’ll align interest with capability, and they’ll improve
software security.

One last story. In Italy, tax fraud used to be a national hobby. (It
may still be; I don’t know.) The government was tired of retail stores
not reporting sales and paying taxes, so they passed a law regulating
the customers. Any customer having just purchased an item and stopped
within a certain distance of a retail store, had to produce a receipt
or they would be fined. Just as in the “Your purchase free if you
don’t get a receipt” story, the law turned the customers into tax
inspectors. They demanded receipts from merchants, which in turn
forced the merchants to create a paper audit trail for the purchase and
pay the required tax.

This was a great idea, but it didn’t work very well. Customers,
especially tourists, didn’t like to be stopped by police. People
started demanding that the police prove they just purchased the
item. Threatening people with fines if they didn’t guard merchants
wasn’t as effective an enticement as offering people a reward if they
didn’t get a receipt.

Interest must be aligned with capability, but you need to be careful
how you generate interest.

This essay originally appeared on Wired.com.
http://www.wired.com/news/columns/0,71032-0.html

** *** ***** ******* *********** *************

Comments from Readers

There are hundreds of comments — many of them interesting — on these
topics on my blog. Search for the story you want to comment on, and
join in.

http://www.schneier.com/blog

** *** ***** ******* *********** *************

CRYPTO-GRAM is a free monthly newsletter providing summaries, analyses,
insights, and commentaries on security: computer and otherwise. You
can subscribe, unsubscribe, or change your address on the Web at
. Back issues are also
available at that URL.

Comments on CRYPTO-GRAM should be sent to
schneier@counterpane.com. Permission to print comments is assumed
unless otherwise stated. Comments may be edited for length and clarity.

Please feel free to forward CRYPTO-GRAM to colleagues and friends who
will find it valuable. Permission is granted to reprint CRYPTO-GRAM,
as long as it is reprinted in its entirety.

CRYPTO-GRAM is written by Bruce Schneier. Schneier is the author of
the best sellers “Beyond Fear,” “Secrets and Lies,” and “Applied
Cryptography,” and an inventor of the Blowfish and Twofish
algorithms. He is founder and CTO of Counterpane Internet Security
Inc., and is a member of the Advisory Board of the Electronic Privacy
Information Center (EPIC). He is a frequent writer and lecturer on
security topics. See .

Counterpane is the world’s leading protector of networked information –
the inventor of outsourced security monitoring and the foremost
authority on effective mitigation of emerging IT threats. Counterpane
protects networks for Fortune 1000 companies and governments
world-wide. See .

Crypto-Gram is a personal newsletter. Opinions expressed are not
necessarily those of Counterpane Internet Security, Inc.

Copyright (c) 2006 by Bruce Schneier.