CRYPTO-GRAM
August 15, 2011
by Bruce Schneier
Chief Security Technology Officer, BT
schneier@schneier.com
http://www.schneier.com
A free monthly newsletter providing summaries, analyses, insights, and commentaries on security: computer and otherwise.
For back issues, or to subscribe, visit <http://www.schneier.com/crypto-gram.html>.
You can read this issue on the web at
<http://www.schneier.com/crypto-gram-1108.html>. These same essays and news items appear in the "Schneier on Security" blog at <http://www.schneier.com/blog>, along with a lively comment section. An RSS feed is available.
** *** ***** ******* *********** *************
In this issue:
Developments in Facial Recognition
News
Schneier News
Is There a Hacking Epidemic?
** *** ***** ******* *********** *************
Developments in Facial Recognition
Eventually, it will work. You'll be able to wear a camera that will automatically recognize someone walking towards you, and an earpiece that will relay who that person is and maybe something about him. None of the technologies required to make this work are hard; it's just a matter of getting the error rate down low enough for it to be a useful system.
And there have been a number of recent research results and news stories that illustrate what this new world might look like.
The police want this sort of system. MORIS is an iris-scanning technology that several police forces in the U.S. are using. The next step is the face-scanning glasses that the Brazilian police claim they will be wearing at the 2014 World Cup.
A small camera fitted to the glasses can capture 400 facial images
per second and send them to a central computer database storing up
to 13 million faces.
The system can compare biometric data at 46,000 points on a face
and will immediately signal any matches to known criminals or
people wanted by police.
In the future, this sort of thing won't be limited to the police.
Facebook has recently embarked on a major photo tagging project, and already has the largest collection of identified photographs in the world outside of a government. Researchers at Carnegie Mellon University have combined the public part of that database with a camera and face-recognition software to identify students on campus. (The paper fully describing their work is under review and not online yet, but slides describing the results can be found here.)
Of course, there are false positives -- as there are with any system like this. That's not a big deal if the application is a billboard with face-recognition serving different ads depending on the gender and age -- and eventually the identity -- of the person looking at it, but is more problematic if the application is a legal one.
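To put numbers on the false-positive point, here is an added worked example (mine, not the newsletter's) that models one-to-many matching against the 13-million-face gallery at 400 probes per second described above. The per-comparison false match rates are assumed values chosen for illustration, and the model treats comparisons as independent.

```python
# Added worked example (not from the newsletter): what a tiny per-comparison
# false match rate (FMR) becomes once each probe face is compared against a
# gallery of 13 million faces, 400 probes per second.  The FMR values are
# constructed for illustration; the gallery size and frame rate are the
# figures quoted in the text.  Comparisons are modelled as independent, which
# treats consecutive frames of the same person as separate probes, so the
# hourly figures are an upper bound on distinct alarms.
import math

GALLERY_SIZE = 13_000_000    # faces in the central database (from the text)
FRAMES_PER_SECOND = 400      # probe images captured per second (from the text)


def false_alarm_probability(fmr, gallery_size=GALLERY_SIZE):
    """P(an innocent probe matches at least one gallery entry) for a
    per-comparison false match rate fmr: 1 - (1 - fmr)^N."""
    # log1p/exp keep precision when fmr is tiny and N is huge
    return 1.0 - math.exp(gallery_size * math.log1p(-fmr))


def expected_false_matches(fmr, gallery_size=GALLERY_SIZE):
    """Expected number of wrong gallery hits produced by one probe."""
    return fmr * gallery_size


def false_alarms_per_hour(fmr, gallery_size=GALLERY_SIZE, fps=FRAMES_PER_SECOND):
    """Probes per hour that trip at least one false match."""
    return 3600 * fps * false_alarm_probability(fmr, gallery_size)


def required_fmr(max_alarm_probability, gallery_size=GALLERY_SIZE):
    """Per-comparison FMR the matcher must reach so that one innocent
    probe trips an alarm with probability at most max_alarm_probability.
    Inverts (1 - fmr)^N = 1 - p."""
    return 1.0 - math.exp(math.log1p(-max_alarm_probability) / gallery_size)


if __name__ == "__main__":
    # Even a one-in-a-billion FMR yields thousands of flagged probes per hour.
    for fmr in (1e-6, 1e-9):
        print(f"FMR {fmr:.0e}: P(false alarm per probe) = "
              f"{false_alarm_probability(fmr):.4f}, expected wrong hits = "
              f"{expected_false_matches(fmr):.3f}, "
              f"probes with a false alarm per hour = "
              f"{false_alarms_per_hour(fmr):,.0f}")
    p = 0.01
    print(f"FMR needed for a {p:.0%} per-probe false alarm rate: "
          f"{required_fmr(p):.2e}")
```

The last line shows the flip side: to keep even one innocent probe in a hundred from being flagged, the matcher needs a per-comparison error rate below one in a billion.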
In Boston, someone erroneously had his driver's license revoked:
It turned out Gass was flagged because he looks like another
driver, not because his image was being used to create a fake
identity. His driving privileges were returned but, he alleges in a
lawsuit, only after 10 days of bureaucratic wrangling to prove he
is who he says he is.
And apparently, he has company. Last year, the facial recognition
system picked out more than 1,000 cases that resulted in State
Police investigations, officials say. And some of those people are
guilty of nothing more than looking like someone else. Not all go
through the long process that Gass says he endured, but each must
visit the Registry with proof of their identity.
[...]
At least 34 states are using such systems. They help authorities
verify a person's claimed identity and track down people who have
multiple licenses under different aliases, such as underage people
wanting to buy alcohol, people with previous license suspensions,
and people with criminal records trying to evade the law.
The problem is less with the system, and more with the guilty-until-proven-innocent way in which the system is used.
Kaprielian said the Registry gives drivers enough time to respond
to the suspension letters and that it is the individual's
"burden" to clear up any confusion. She added that protecting
the public far outweighs any inconvenience Gass or anyone else
might experience.
"A driver's license is not a matter of civil rights. It's not a
right. It's a privilege," she said. "Yes, it is an inconvenience
[to have to clear your name], but lots of people have their
identities stolen, and that's an inconvenience, too."
Related, there's a system embedded in a pair of glasses that automatically analyzes and relays micro-facial expressions. The goal is to help autistic people who have trouble reading emotions, but you could easily imagine this sort of thing becoming common. And what happens when we start relying on these computerized systems and ignoring our own intuition?
And finally, CV Dazzle is camouflage from face detection.
MORIS:
http://www.schneier.com/blog/archives/2011/07/iphone_iris_sca.html
Brazilian face-scanning glasses:
http://nextbigfuture.com/2011/04/brazilian-police-will-have-face.html
Facebook photo tagging:
http://www.pcworld.com/article/229870/facebook_photo_tagging_a_privacy_guide.html or
http://tinyurl.com/3pbqmof
Carnegie Mellon research:
http://blogs.forbes.com/kashmirhill/2011/08/01/how-face-recognition-can-be-used-to-get-your-social-security-number/ or
http://tinyurl.com/42fl3m2
http://blogs.wsj.com/digits/2011/08/01/tech-today-using-facebook-and-facial-recognition-to-id-random-people/ or
http://tinyurl.com/3dodgu2
http://pda.physorg.com/news/2011-08-facial-recognition-software-reveal-social.html or
http://tinyurl.com/3o4fty9
http://www.heinz.cmu.edu/~acquisti/face-recognition-study-FAQ/
Billboard with face-recognition:
http://www.engadget.com/2008/06/04/billboards-with-facial-recognition-software-trickling-out/ or
http://tinyurl.com/4o9ltd
Boston false positive:
http://articles.boston.com/2011-07-17/news/29784761_1_fight-identity-fraud-facial-recognition-system-license or
http://tinyurl.com/3sppab3
IEEE Spectrum and The Economist have published similar articles.
http://spectrum.ieee.org/riskfactor/computing/it/heres-looking-at-you-and-you-and-you-or
http://tinyurl.com/3rfuusw
http://www.economist.com/node/21524829
Micro facial expression analysis glasses:
http://www.newscientist.com/article/mg21128191.600-specs-that-see-right-through-you.html or
http://tinyurl.com/64won9f
CV Dazzle:
http://www.core77.com/blog/core77_design_awards/core77_design_award_2011_cv_dazzle_student_winner_for_speculative_objectsconcepts_20115.asp or
http://tinyurl.com/3w4lhcs
** *** ***** ******* *********** *************
News
Ross Anderson discusses the technical and policy details of the British
phone hacking scandal.
http://www.lightbluetouchpaper.org/2011/07/16/phone-hacking-technology-and-policy/ or
http://tinyurl.com/3lhz8fn
This is really clever: the Telex anti-censorship system uses deep-packet
inspection to avoid Internet censorship.
https://freedom-to-tinker.com/blog/jhalderm/anticensorship-internets-infrastructure or
http://tinyurl.com/4yhnwm6
https://threatpost.com/en_us/blogs/researchers-develop-end-middle-proxy-system-evade-censorship-071811 or
http://tinyurl.com/3lzntqt
http://arstechnica.com/tech-policy/news/2011/07/researchers-develop-end-to-middle-anti-censorship-tech.ars
The police arrested sixteen suspected members of the Anonymous hacker group.
http://www.schneier.com/blog/archives/2011/07/members_of_anon.html
Google detects malware in its search data, and alerts users. There's a
lot that Google sees as a result of its unique and prominent position in
the Internet. Some of it is going to be stuff they never considered.
And while they use a lot of it to make money, it's good of them to give
this one back to the Internet users.
http://googleonlinesecurity.blogspot.com/2011/07/using-data-to-protect-people-from.html or
http://tinyurl.com/3v8zuzd
Smuggling drugs in unwitting people's car trunks.
http://www.npr.org/2011/07/21/138548294/at-border-teacher-becomes-unwitting-drug-smuggler or
http://tinyurl.com/4yumaou
This attack works because 1) there's a database of keys available to
lots of people, and 2) both the SENTRI system and the victims are
predictable.
Revenge effects of too-safe playground equipment.
http://www.nytimes.com/2011/07/19/science/19tierney.html
iPhone iris scanning technology:
http://www.reuters.com/article/2011/07/20/us-crime-identification-iris-idUSTRE76J4A120110720 or
http://tinyurl.com/44fdowt
Good article on liabilities and computer security.
http://arstechnica.com/tech-policy/news/2011/07/will-your-employer-get-sued-for-your-security-screw-ups.ars or
http://tinyurl.com/3nx4wkv
I've been talking about liabilities for about a decade now. Here are
essays I wrote in 2002, 2003, 2004, and 2006.
http://www.schneier.com/essay-369.html
http://www.schneier.com/essay-025.html
http://www.schneier.com/essay-073.html
http://www.schneier.com/essay-116.html
Matt Blaze analyzes the 2010 U.S. Wiretap Report.
http://www.crypto.com/blog/wiretap2010/
I second Matt's recommendation of Susan Landau's book "Surveillance or
Security: The Risks Posed by New Wiretapping Technologies" (MIT Press,
2011). It's an excellent discussion of the security and politics of
wiretapping.
http://www.amazon.com/exec/obidos/ASIN/0262015307/counterpane/
Data privacy as a prisoner's dilemma: a good analysis.
http://arstechnica.com/tech-policy/news/2011/07/why-the-us-needs-a-data-privacy-lawand-why-it-might-actually-happen.ars or
http://tinyurl.com/3n2gytv
The solution -- and one endorsed by the essay -- is a comprehensive
privacy law. That reduces the incentive to defect.
http://www.schneier.com/blog/archives/2011/07/data_privacy_as.html
ShareMeNot is a Firefox add-on for preventing tracking from third-party
buttons (like the Facebook "Like" button or the Google "+1" button)
until the user actually chooses to interact with them. That is,
ShareMeNot doesn't disable/remove these buttons completely. Rather, it
allows them to render on the page, but prevents the cookies from being
sent until the user actually clicks on them, at which point ShareMeNot
releases the cookies and the user gets the desired behavior (i.e., they
can Like or +1 the page).
http://sharemenot.cs.washington.edu/
Hacking Apple laptop batteries.
https://threatpost.com/en_us/blogs/apple-laptop-batteries-can-be-bricked-firmware-hacked-072211 or
http://tinyurl.com/43zgnpw
Bypassing the lock on luggage.
http://kipkay.com/videos/just-for-fun/is-your-luggage-safe-from-airport-security/ or
http://tinyurl.com/3hv3dld
Interesting paper: "Science Fiction Prototyping and Security Education:
Cultivating Contextual and Societal Thinking in Computer Security
Education and Beyond," by Tadayoshi Kohno and Brian David Johnson.
http://www.cs.washington.edu/homes/yoshi/papers/SIGCSE/csefp118-kohno.pdf or
http://tinyurl.com/3ecj6c3
Breaking the Xilinx Virtex-II FPGA bitstream encryption. It's a
power-analysis attack, which makes it much harder to defend against.
And since the attack model is an engineer trying to reverse-engineer the
chip, it's a valid attack.
http://eprint.iacr.org/2011/390
Attacking embedded systems in prison doors.
http://m.wired.com/threatlevel/2011/07/prison-plc-vulnerabilities/
This seems like a minor risk today; Stuxnet was a military-grade effort,
and beyond the reach of your typical criminal organization. But that
can only change, as people study and learn from the reverse-engineered
Stuxnet code and as hacking PLCs becomes more common. As we move from
mechanical, or even electro-mechanical, systems to digital systems, and
as we network those digital systems, this sort of vulnerability is going
to only become more common.
The article is in the context of the big Facebook lawsuit, but the part
about identifying people by their writing style is interesting.
http://www.nytimes.com/2011/07/24/opinion/sunday/24gray.html
It seems reasonable that we have a linguistic fingerprint, although 1)
there are far fewer of them than finger fingerprints, 2) they're easier
to fake. It's probably not much of a stretch to take that software that
"identifies bundles of linguistic features, hundreds in all" and use the
data to automatically modify my writing to look like someone else's.
A good criticism of the science behind author recognition, and a paper
on how to evade these systems.
http://languagelog.ldc.upenn.edu/nll/?p=3317
http://www.aaai.org/ocs/index.php/IAAI/IAAI09/paper/view/257
Seems that the one-time pad was not first invented by Vernam.
http://www.nytimes.com/2011/07/26/science/26code.html
http://www.theregister.co.uk/2011/07/26/perfect_cipher_crypto_discovery/ or
http://tinyurl.com/3cbv8me
The paper:
http://www.tandfonline.com/doi/abs/10.1080/01611194.2011.583711
Two items on hacking lotteries. The first is about someone who figured
out how to spot winners in a scratch-off tic-tac-toe style game, and a
daily draw style game where expected payout can exceed the ticket price.
The second is about someone who has won the lottery four times, with
speculation that she had advance knowledge of where and when certain
jackpot-winning scratch-off tickets would be sold.
http://www.wired.com/wiredscience/2011/07/broken-lotteries/
http://www.scribd.com/doc/60495831/Nathaniel-Rich-The-Luckiest-Woman-on-Earth-Three-Ways-to-Win-the-Lottery
Home-made Wi-Fi hacking, phone snooping, UAV.
http://www.geekosystem.com/tag/wireless-aerial-surveillance-platform/
German police call airport full-body scanners useless.
http://www.google.com/hostednews/afp/article/ALeqM5jGUyRTjF-WA40GLjIMEo6dFgSxlw?docId=CNG.d76d1890df3edca8dd08181cb6808c7f.881 or
http://tinyurl.com/4y9dvud
Here's a story about full-body scanners that are overly sensitive to
sweaty armpits.
http://news.cnet.com/8301-17852_3-20086884-71/new-airport-scanners-alarmed-by-sweaty-armpits/ or
http://tinyurl.com/3slpxgo
The Zodiac cipher was announced as cracked, but the break was a hoax.
http://www.schneier.com/blog/archives/2011/08/zodiac_cipher_c.html
XKCD on the CIA hack.
http://www.xkcd.com/932/
I've been using the phrase "arms race" to describe the world's
militaries' rush into cyberspace for a couple of years now. Here's a
good article on the topic that uses the same phrase.
http://www.businessweek.com/printer/magazine/cyber-weapons-the-new-arms-race-07212011.html or
http://tinyurl.com/3ehcpa8
New bank-fraud Trojan.
http://krebsonsecurity.com/2011/07/trojan-tricks-victims-into-transfering-funds/ or
http://tinyurl.com/4y8cof5
An article on MRI lie detectors -- lots of interesting research.
http://www.salon.com/life/feature/2011/07/23/lie_detector_excerpt/index.html or
http://tinyurl.com/3cbdr74
My previous blog post on the topic.
http://www.schneier.com/blog/archives/2007/07/mri_lie_detecto_1.html
There's a security story from biology I've used a few times: plants that
use chemicals to call in airstrikes by wasps on the herbivores attacking
them. This is a new variation: a species of orchid that emits the same
signals as a trick, to get pollinated.
http://blogs.discovermagazine.com/notrocketscience/2008/05/12/orchid-lures-in-pollinating-wasps-with-promise-of-fresh-meat/ or
http://tinyurl.com/3r9unrm
I'm a big fan of taxonomies, and this "Taxonomy of Operational Cyber
Security Risks" -- from Carnegie Mellon -- seems like a useful one.
http://www.schneier.com/blog/archives/2011/08/taxonomy_of_ope.html
GPRS hacked.
http://www.technologyreview.com/communications/38268/
http://www.theregister.co.uk/2011/08/10/gprs_cellphone_call_snooping/
http://blogs.computerworld.com/18776/mobile_phone_eavesdropping_made_easy_hackers_crack_gprs_encryption?source=rss_blogs or
http://tinyurl.com/3rafv3k
Security flaws in encrypted police radios: "Why (Special Agent) Johnny
(Still) Can't Encrypt: A Security Analysis of the APCO Project 25
Two-Way Radio System," by Sandy Clark, Travis Goodspeed, Perry Metzger,
Zachary Wasserman, Kevin Xu, and Matt Blaze. I've heard Matt talk about
this project several times. It's great work, and a fascinating insight
into the usability problems of encryption in the real world.
http://online.wsj.com/public/resources/documents/p25sec08102011.pdf
http://blogs.wsj.com/digits/2011/08/10/security-flaws-in-feds-radios-make-for-easy-eavesdropping/?mod=WSJBlog&mod= or
http://tinyurl.com/3suhkte
Counterfeit pilot IDs and uniforms will now be sufficient to bypass
airport security. TSA is testing a program to not screen pilots.
http://www.schneier.com/blog/archives/2011/08/counterfeit_pil.html
The African crested rat applies tree poison to its fur to make itself
more deadly.
http://news.nationalgeographic.com/news/2011/08/110803-african-rat-poison-crested-hair-science-proceedings/ or
http://tinyurl.com/42q8opk
A couple of weeks ago Wired reported the discovery of a new,
undeletable, web cookie.
http://www.wired.com/epicenter/2011/07/undeletable-cookie/
The Wired article was very short on specifics, so I waited until one of
the researchers -- Ashkan Soltani -- wrote up more details. He finally
did, in a quite technical essay.
http://ashkansoltani.org/docs/respawn_redux.html
** *** ***** ******* *********** *************
Schneier News
My new book, "Liars and Outliers," has a cover. Publication is still
scheduled for the end of February -- in time for the RSA Conference --
assuming I finish the manuscript in time.
http://www.schneier.com/blog/archives/2011/08/liars_and_outli.html
Older posts on the book:
http://www.schneier.com/blog/archives/2011/05/status_report_t.html
http://www.schneier.com/blog/archives/2011/02/societal_securi.html
Interview with me from the Homeland Security News Wire.
http://www.homelandsecuritynewswire.com/attackers-have-advantage-cyberspace-says-cybersecurity-expert or
http://tinyurl.com/3jhw73s
** *** ***** ******* *********** *************
Is There a Hacking Epidemic?
Freakonomics asks: "Why has there been such a spike in hacking recently?
Or is it merely a function of us paying closer attention and of
institutions being more open about reporting security breaches?"
They posted five answers, including mine:
The apparent recent hacking epidemic is more a function of news
reporting than an actual epidemic. Like shark attacks or school
violence, natural fluctuations in data become press epidemics, as
more reporters write about more events, and more people read about
them. Just because the average person reads more articles about
more events doesn't mean that there are more events -- just more
articles.
Hacking for fun -- like LulzSec -- has been around for decades.
It's where hacking started, before criminals discovered the
Internet in the 1990s. Criminal hacking for profit -- like the
Citibank hack -- has been around for over a decade. International
espionage existed for millennia before the Internet, and has never
taken a holiday.
The past several months have brought us a string of newsworthy
hacking incidents. First there was the hacking group Anonymous, and
its hacktivism attacks as a response to the pressure to interdict
contributions to Julian Assange's legal defense fund and the
torture of Bradley Manning. Then there was the probably
espionage-related attack against RSA, Inc. and its authentication
token -- made more newsworthy because of the bungling of the
disclosure by the company -- and the subsequent attack against
Lockheed Martin. And finally, there were the very public attacks
against Sony, which became the company to attack simply because
everyone else was attacking it, and the public hacktivism by
LulzSec.
None of this is new. None of this is unprecedented. To a security
professional, most of it isn't even interesting. And while
national intelligence organizations and some criminal groups are
organized, hacker groups like Anonymous and LulzSec are much more
informal. Despite the impression we get from movies, there is no
organization. There's no membership, there are no dues, there is
no initiation. It's just a bunch of guys. You too can join
Anonymous -- just hack something, and claim you're a member.
That's probably what the members of Anonymous arrested in Turkey
were: 32 people who just decided to use that name.
It's not that things are getting worse; it's that things were
always this bad. To a lot of security professionals, the value of
some of these groups is to graphically illustrate what we've been
saying for years: organizations need to beef up their security
against a wide variety of threats. But the recent news epidemic
also illustrates how safe the Internet is. Because news articles
are the only contact most of us have had with any of these attacks.
http://www.freakonomics.com/2011/07/19/why-has-there-been-so-much-hacking-lately-or-is-it-just-reported-more-a-freakonomics-quorum/ or
http://tinyurl.com/3jtfcnk
** *** ***** ******* *********** *************
Since 1998, CRYPTO-GRAM has been a free monthly newsletter providing
summaries, analyses, insights, and commentaries on security: computer
and otherwise. You can subscribe, unsubscribe, or change your address
on the Web at <http://www.schneier.com/crypto-gram.html>. Back issues
are also available at that URL.
Please feel free to forward CRYPTO-GRAM, in whole or in part, to
colleagues and friends who will find it valuable. Permission is also
granted to reprint CRYPTO-GRAM, as long as it is reprinted in its entirety.
CRYPTO-GRAM is written by Bruce Schneier. Schneier is the author of the
best sellers "Schneier on Security," "Beyond Fear," "Secrets and Lies,"
and "Applied Cryptography," and an inventor of the Blowfish, Twofish,
Threefish, Helix, Phelix, and Skein algorithms. He is the Chief
Security Technology Officer of BT BCSG, and is on the Board of Directors
of the Electronic Privacy Information Center (EPIC). He is a frequent
writer and lecturer on security topics. See <http://www.schneier.com>.
Crypto-Gram is a personal newsletter. Opinions expressed are not
necessarily those of BT.
Copyright (c) 2011 by Bruce Schneier.