Subscribe: Schneier on Security
http://www.schneier.com/blog/atom.xml
Added By: Feedage Forager Feedage Grade A rated
Language: English
Tags:
card  details  election  machines  news  online  paper ballots  paper  payment  researchers  security  squid  system  voting  websites 
Rate this Feed
Rate this feedRate this feedRate this feedRate this feedRate this feed
Rate this feed 1 starRate this feed 2 starRate this feed 3 starRate this feed 4 starRate this feed 5 star

Comments (0)

Feed Details and Statistics Feed Statistics
Preview: Schneier on Security

Schneier on Security



A blog covering security and security technology.



Updated: 2016-12-05T20:20:41Z

 



Voynich Manuscript Facsimile Published

2016-12-05T20:20:41Z

Yale University Press has published a facsimile of the Voynich Manuscript. The manuscript is also available online....

Yale University Press has published a facsimile of the Voynich Manuscript.

The manuscript is also available online.




Guessing Credit Card Security Details

2016-12-05T14:31:30Z

Researchers have found that they can guess various credit-card-number security details by spreading their guesses around multiple websites so as not to trigger any alarms. From a news article: Mohammed Ali, a PhD student at the university's School of Computing Science, said: "This sort of attack exploits two weaknesses that on their own are not too severe but when used...

Researchers have found that they can guess various credit-card-number security details by spreading their guesses around multiple websites so as not to trigger any alarms.

From a news article:

Mohammed Ali, a PhD student at the university's School of Computing Science, said: "This sort of attack exploits two weaknesses that on their own are not too severe but when used together, present a serious risk to the whole payment system.

"Firstly, the current online payment system does not detect multiple invalid payment requests from different websites.

"This allows unlimited guesses on each card data field, using up to the allowed number of attempts -- typically 10 or 20 guesses -- on each website.

"Secondly, different websites ask for different variations in the card data fields to validate an online purchase. This means it's quite easy to build up the information and piece it together like a jigsaw.

"The unlimited guesses, when combined with the variations in the payment data fields make it frighteningly easy for attackers to generate all the card details one field at a time.

"Each generated card field can be used in succession to generate the next field and so on. If the hits are spread across enough websites then a positive response to each question can be received within two seconds -- just like any online payment.

"So even starting with no details at all other than the first six digits -- which tell you the bank and card type and so are the same for every card from a single provider -- a hacker can obtain the three essential pieces of information to make an online purchase within as little as six seconds."

That's card number, expiration date, and CVV code.

From the paper:

Abstract: This article provides an extensive study of the current practice of online payment using credit and debit cards, and the intrinsic security challenges caused by the differences in how payment sites operate. We investigated the Alexa top-400 online merchants' payment sites, and realised that the current landscape facilitates a distributed guessing attack. This attack subverts the payment functionality from its intended purpose of validating card details, into helping the attackers to generate all security data fields required to make online transactions. We will show that this attack would not be practical if all payment sites performed the same security checks. As part of our responsible disclosure measure, we notified a selection of payment sites about our findings, and we report on their responses. We will discuss potential solutions to the problem and the practical difficulty to implement these, given the varying technical and business concerns of the involved parties.

BoingBoing post:

The researchers believe this method has already been used in the wild, as part of a spectacular hack against Tesco bank last month.

MasterCard is immune to this hack because they detect the guesses, even though they're distributed across multiple websites. Visa is not.




A 50-Foot Squid Has Not been Found in New Zealand

2016-12-03T00:18:03Z

A 50-foot squid has not been found in New Zealand. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

A 50-foot squid has not been found in New Zealand.

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.




Auditing Elections for Signs of Hacking

2016-12-02T12:39:17Z

Excellent essay pointing out that election security is a national security issue, and that we need to perform random ballot audits on every future election: The good news is that we know how to solve this problem. We need to audit computers by manually examining randomly selected paper ballots and comparing the results to machine results. Audits require a voter-verified...

Excellent essay pointing out that election security is a national security issue, and that we need to perform random ballot audits on every future election:

The good news is that we know how to solve this problem. We need to audit computers by manually examining randomly selected paper ballots and comparing the results to machine results. Audits require a voter-verified paper ballot, which the voter inspects to confirm that his or her selections have been correctly and indelibly recorded. Since 2003, an active community of academics, lawyers, election officials and activists has urged states to adopt paper ballots and robust audit procedures. This campaign has had significant, but slow, success. As of now, about three quarters of U.S. voters vote on paper ballots. Twenty-six states do some type of manual audit, but none of their procedures are adequate. Auditing methods have recently been devised that are much more efficient than those used in any state. It is important that audits be performed on every contest in every election, so that citizens do not have to request manual recounts to feel confident about election results. With high-quality audits, it is very unlikely that election fraud will go undetected whether perpetrated by another country or a political party.

Another essay along similar lines.

Related: there is some information about Russian political hacking this election cycle that is classified. My guess is that it has nothing to do with hacking the voting machines -- the NSA was on high alert for anything, and I have it on good authority that they found nothing -- but something related to either the political-organization hacking, the propaganda machines, or something else before Election Day.




Analyzing WeChat

2016-12-05T14:32:29Z

Citizen Lab has analyzed how censorship works in the Chinese chat app WeChat: Key Findings: Keyword filtering on WeChat is only enabled for users with accounts registered to mainland China phone numbers, and persists even if these users later link the account to an International number. Keyword censorship is no longer transparent. In the past, users received notification when their...

Citizen Lab has analyzed how censorship works in the Chinese chat app WeChat:

Key Findings:

  • Keyword filtering on WeChat is only enabled for users with accounts registered to mainland China phone numbers, and persists even if these users later link the account to an International number.

  • Keyword censorship is no longer transparent. In the past, users received notification when their message was blocked; now censorship of chat messages happens without any user notice.

  • More keywords are blocked on group chat, where messages can reach a larger audience, than one-to-one chat.

  • Keyword censorship is dynamic. Some keywords that triggered censorship in our original tests were later found to be permissible in later tests. Some newfound censored keywords appear to have been added in response to current news events.

  • WeChat's internal browser blocks China-based accounts from accessing a range of websites including gambling, Falun Gong, and media that report critically on China. Websites that are blocked for China accounts were fully accessible for International accounts, but there is intermittent blocking of gambling and pornography websites on International accounts.

Lots more details in the paper.




DigiTally

2016-11-30T15:33:18Z

Ross Anderson describes DigiTally, a secure payments system for use in areas where there is little or no network connectivity....

Ross Anderson describes DigiTally, a secure payments system for use in areas where there is little or no network connectivity.




You, Too, Can Rent the Murai Botnet

2016-11-29T12:01:13Z

You can rent a 400,000-computer Murai botnet and DDoS anyone you like. BoingBoing post. Slashdot thread....

You can rent a 400,000-computer Murai botnet and DDoS anyone you like.

BoingBoing post. Slashdot thread.




San Francisco Transit System Target of Ransomware

2016-11-28T23:36:34Z

It's really bad. The ticket machines were hacked. Over the next couple of years, I believe we are going to see the downside of our headlong rush to put everything on the Internet. Slashdot thread....

It's really bad. The ticket machines were hacked.

Over the next couple of years, I believe we are going to see the downside of our headlong rush to put everything on the Internet.

Slashdot thread.




Friday Squid Blogging: Striped Pyjama Squid

2016-12-05T14:33:02Z

Here's a nice picture of one of the few known poisonous squids. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Here's a nice picture of one of the few known poisonous squids.

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.




Hacking and the 2016 Presidential Election

2016-12-05T14:35:23Z

Was the 2016 presidential election hacked? It's hard to tell. There were no obvious hacks on Election Day, but new reports have raised the question of whether voting machines were tampered with in three states that Donald Trump won this month: Wisconsin, Michigan and Pennsylvania. The researchers behind these reports include voting rights lawyer John Bonifaz and J. Alex Halderman,... Was the 2016 presidential election hacked? It's hard to tell. There were no obvious hacks on Election Day, but new reports have raised the question of whether voting machines were tampered with in three states that Donald Trump won this month: Wisconsin, Michigan and Pennsylvania. The researchers behind these reports include voting rights lawyer John Bonifaz and J. Alex Halderman, the director of the University of Michigan Center for Computer Security and Society, both respected in the community. They have been talking with Hillary Clinton's campaign, but their analysis is not yet public. According to a report in New York magazine, the share of votes received by Clinton was significantly lower in precincts that used a particular type of voting machine: The magazine story suggested that Clinton had received 7 percent fewer votes in Wisconsin counties that used electronic machines, which could be hacked, than in counties that used paper ballots. That is exactly the sort of result we would expect to see if there had been some sort of voting machine hack. There are many different types of voting machines, and attacks against one type would not work against the others. So a voting anomaly correlated to machine type could be a red flag, although Trump did better across the entire Midwest than pre-election polls expected, and there are also some correlations between voting machine type and the demographics of the various precincts. Even Halderman wrote early Wednesday morning that "the most likely explanation is that the polls were systematically wrong, rather than that the election was hacked." What the allegations, and the ripples they're causing on social media, really show is how fundamentally untrustworthy our hodgepodge election system is. Accountability is a major problem for US elections. The candidates are the ones required to petition for recounts, and we throw the matter into the courts when we can't figure it out. This all happens after an election, and because the battle lines have already been drawn, the process is intensely political. Unlike many other countries, we don't have an independent body empowered to investigate these matters. There is no government agency empowered to verify these researchers' claims, even if it would be merely to reassure voters that the election count was accurate. Instead, we have a patchwork of voting systems: different rules, different machines, different standards. I've seen arguments that there is security in this setup ­ an attacker can't broadly attack the entire country ­ but the downsides of this system are much more critical. National standards would significantly improve our voting process. Further investigation of the claims raised by the researchers would help settle this particular question. Unfortunately, time is of the essence ­ underscoring another problem with how we conduct elections. For anything to happen, Clinton has to call for a recount and investigation. She has until Friday to do it in Wisconsin, until Monday in Pennsylvania and until next Wednesday in Michigan. I don't expect the research team to have any better data before then. Without changes to the system, we're telling future hackers that they can be successful as long as they're able to hide their attacks for a few weeks until after the recount deadlines pass. Computer forensics investigations are not easy, and they're not quick. They require access to the machine[...]