Subscribe: Schneier on Security
http://www.schneier.com/blog/index.xml

Schneier on Security



A blog covering security and security technology.



Updated: 2017-01-19T12:22:23Z

 



Heartbeat as Biometric Password

2017-01-19T12:22:23Z

There's research in using a heartbeat as a biometric password. No details in the article. My guess is that there isn't nearly enough entropy in the reproducible biometric, but I might be surprised. The article's suggestion to use it as a password for health records seems especially problematic. "I'm sorry, but we can't access the patient's health records because he's having a heart attack."

I wrote about this before here.




Brian Krebs Uncovers Mirai Botnet Author

2017-01-18T23:06:23Z

Really interesting investigative story.




WhatsApp Security Vulnerability

2017-01-17T12:09:58Z

Back in March, Rolf Weber wrote about a potential vulnerability in the WhatsApp protocol that would allow Facebook to defeat perfect forward secrecy by forcibly changing users' keys, allowing it -- or more likely, the government -- to eavesdrop on encrypted messages.

It seems that this vulnerability is real:

WhatsApp has the ability to force the generation of new encryption keys for offline users, unbeknown to the sender and recipient of the messages, and to make the sender re-encrypt messages with new keys and send them again for any messages that have not been marked as delivered.

The recipient is not made aware of this change in encryption, while the sender is only notified if they have opted-in to encryption warnings in settings, and only after the messages have been re-sent. This re-encryption and rebroadcasting effectively allows WhatsApp to intercept and read users' messages.

The security loophole was discovered by Tobias Boelter, a cryptography and security researcher at the University of California, Berkeley. He told the Guardian: "If WhatsApp is asked by a government agency to disclose its messaging records, it can effectively grant access due to the change in keys."

The vulnerability is not inherent to the Signal protocol. Open Whisper Systems' messaging app, Signal, the app used and recommended by whistleblower Edward Snowden, does not suffer from the same vulnerability. If a recipient changes the security key while offline, for instance, a sent message will fail to be delivered and the sender will be notified of the change in security keys without automatically resending the message.

WhatsApp's implementation automatically resends an undelivered message with a new key without warning the user in advance or giving them the ability to prevent it.

Note that it's an attack against current and future messages, and not something that would allow the government to reach into the past. In that way, it is no more troubling than the government hacking your mobile phone and reading your WhatsApp conversations that way.

An unnamed "WhatsApp spokesperson" said that they implemented the encryption this way for usability:

In WhatsApp's implementation of the Signal protocol, we have a "Show Security Notifications" setting (option under Settings > Account > Security) that notifies you when a contact's security code has changed. We know the most common reasons this happens are because someone has switched phones or reinstalled WhatsApp. This is because in many parts of the world, people frequently change devices and Sim cards. In these situations, we want to make sure people's messages are delivered, not lost in transit.

He's technically correct. This is not a backdoor. This really isn't even a flaw. It's a design decision that put usability ahead of security in this particular instance.

Moxie Marlinspike, creator of Signal and the code base underlying WhatsApp's encryption, said as much:

Under normal circumstances, when communicating with a contact who has recently changed devices or reinstalled WhatsApp, it might be possible to send a message before the sending client discovers that the receiving client has new keys. The recipient's device immediately responds, and asks the sender to reencrypt the message with the recipient's new identity key pair. The sender displays the "safety number has changed" notification, reencrypts the message, and delivers it.

The WhatsApp clients have been carefully designed so that they will not re-encrypt messages that have already been delivered. Once the sending client displays a "double check mark," it can no longer be asked to re-send that message.[...]
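A minimal model of the two sender policies contrasted in this post, added here as an illustration; it is not code from WhatsApp, Signal or the original post. Class, method and key names are hypothetical, and keys are plain strings rather than real cryptography.

```python
from dataclasses import dataclass, field

@dataclass
class Message:
    text: str
    encrypted_to: str        # identity key the ciphertext was produced for
    delivered: bool = False  # True once the "double check mark" is shown

@dataclass
class Sender:
    blocking: bool           # True: fail and warn first; False: resend, then notify
    trusted_key: str         # recipient identity key the sender last saw
    notify: bool = False     # models the opt-in "Show Security Notifications" setting
    outbox: list = field(default_factory=list)
    events: list = field(default_factory=list)

    def send(self, text):
        msg = Message(text, self.trusted_key)
        self.outbox.append(msg)
        return msg

    def on_key_change(self, new_key):
        """The server reports a new identity key for the recipient.
        Returns the (text, key) pairs re-encrypted and released to the network."""
        pending = [m for m in self.outbox if not m.delivered]
        if self.blocking:
            # Blocking policy: nothing leaves the device until the user has
            # seen the key change and decided whether to trust the new key.
            self.events.append(f"FAILED {len(pending)} message(s): key changed")
            return []
        # Non-blocking policy: re-encrypt pending messages to the new key,
        # resend them, and only afterwards (if opted in) tell the user.
        self.trusted_key = new_key
        released = []
        for m in pending:
            m.encrypted_to = new_key
            released.append((m.text, new_key))
        if self.notify:
            self.events.append("notice (after resend): security code changed")
        return released

def run(blocking, notify=False):
    # Constructed scenario: one message already delivered, one still pending
    # when the server announces a key the sender has never verified.
    s = Sender(blocking=blocking, trusted_key="K_old", notify=notify)
    s.send("hello").delivered = True
    s.send("meet at noon")
    return s.on_key_change("K_unverified"), s.events
```

In both policies the already delivered message is never re-encrypted, which matches the point that this affects current and future messages only.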



Cloudflare's Experience with a National Security Letter

2017-01-16T12:40:19Z

Interesting post on Cloudflare's experience with receiving a National Security Letter.

News article.




Friday Squid Blogging: 1874 Giant Squid Attack

2017-01-13T22:52:24Z

This article discusses a giant squid attack on a schooner off the coast of Sri Lanka in 1874.

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.




A Comment on the Trump Dossier

2017-01-18T09:47:44Z

Imagine that you are someone in the CIA, concerned about the future of America. You have this Russian dossier on Donald Trump, which you have some evidence might be true. The smartest thing you can do is to leak it to the public. By doing so, you are eliminating any leverage Russia has over Trump and probably reducing the effectiveness of any other blackmail material any government might have on Trump. I believe you do this regardless of whether you ultimately believe the document's findings or not, and regardless of whether you support or oppose Trump. It's simple game-theory.

This document is particularly safe to release. Because it's not a classified report of the CIA, leaking it is not a crime. And you release it now, before Trump becomes president, because doing so afterwards becomes much more dangerous.

MODERATION NOTE: Please keep comments focused on this particular point. More general comments, especially uncivil comments, will be deleted.




Internet Filtering in Authoritarian Regimes

2017-01-13T12:48:42Z

Interesting research: Sebastian Hellmeier, "The Dictator's Digital Toolkit: Explaining Variation in Internet Filtering in Authoritarian Regimes," Politics & Policy, 2016 (full paper is behind a paywall):

Abstract: Following its global diffusion during the last decade, the Internet was expected to become a liberation technology and a threat for autocratic regimes by facilitating collective action. Recently, however, autocratic regimes took control of the Internet and filter online content. Building on the literature concerning the political economy of repression, this article argues that regime characteristics, economic conditions, and conflict in bordering states account for variation in Internet filtering levels among autocratic regimes. Using OLS-regression, the article analyzes the determinants of Internet filtering as measured by the Open Net Initiative in 34 autocratic regimes. The results show that monarchies, regimes with higher levels of social unrest, regime changes in neighboring countries, and less oppositional competition in the political arena are more likely to filter the Internet. The article calls for a systematic data collection to analyze the causal mechanisms and the temporal dynamics of Internet filtering.




NSA Given More Ability to Share Raw Intelligence Data

2017-01-13T09:18:40Z

President Obama has changed the rules regarding raw intelligence, allowing the NSA to share raw data with the US's other 16 intelligence agencies.

The new rules significantly relax longstanding limits on what the N.S.A. may do with the information gathered by its most powerful surveillance operations, which are largely unregulated by American wiretapping laws. These include collecting satellite transmissions, phone calls and emails that cross network switches abroad, and messages between people abroad that cross domestic network switches.

The change means that far more officials will be searching through raw data. Essentially, the government is reducing the risk that the N.S.A. will fail to recognize that a piece of information would be valuable to another agency, but increasing the risk that officials will see private information about innocent people.

Here are the new procedures.

This rule change has been in the works for a while. Here are two blog posts from April discussing the then-proposed changes.

From a privacy perspective, this feels like a really bad idea to me.




Twofish Power Analysis Attack

2017-01-12T12:28:23Z

New paper: "A Simple Power Analysis Attack on the Twofish Key Schedule." This shouldn't be a surprise; these attacks are devastating if you don't take steps to mitigate them.

The general issue is if an attacker has physical control of the computer performing the encryption, it is very hard to secure the encryption inside the computer. I wrote a paper about this back in 1999.




Law Enforcement Access to IoT Data

2017-01-11T12:22:15Z

In the first of what will undoubtedly be a large number of battles between companies that make IoT devices and the police, Amazon is refusing to comply with a warrant demanding data on what its Echo device heard at a crime scene.

The particulars of the case are weird. Amazon's Echo does not constantly record; it only listens for its name. So it's unclear that there is any evidence to be turned over. But this general issue isn't going away. We are all under ubiquitous surveillance, but it is surveillance by the companies that control the Internet-connected devices in our lives. The rules by which police and intelligence agencies get access to that data will come under increasing pressure for change.

Related: A newscaster discussed Amazon's Echo on the news, causing devices in the same room as tuned-in televisions to order unwanted products. This year, the same technology is coming to LG appliances such as refrigerators.