
Schneier on Security



A blog covering security and security technology.



Updated: 2017-04-21T22:04:55Z

Friday Squid Blogging: Video of Squid Attacking Another Squid

2017-04-21T22:04:55Z

Wow, is this cool.

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

Read my blog posting guidelines here.




Tracing Spam from E-mail Headers

2017-04-21T11:22:15Z

Interesting article from Brian Krebs.




The DEA Is Buying Cyberweapons from Hacking Team

2017-04-20T19:21:05Z

The US Drug Enforcement Agency has purchased zero-day exploits from the cyberweapons arms manufacturer Hacking Team.

BoingBoing post.




Smart TV Hack via the Broadcast Signal

2017-04-20T12:41:37Z

This is impressive:

The proof-of-concept exploit uses a low-cost transmitter to embed malicious commands into a rogue TV signal. That signal is then broadcast to nearby devices. It worked against two fully updated TV models made by Samsung. By exploiting two known security flaws in the Web browsers running in the background, the attack was able to gain highly privileged root access to the TVs. By revising the attack to target similar browser bugs found in other sets, the technique would likely work on a much wider range of TVs.




Covert Channel via Two VMs

2017-04-18T10:58:34Z

Researchers build a covert channel between two virtual machines using a shared cache.




Surveillance and our Insecure Infrastructure

2017-04-17T11:21:00Z

Since Edward Snowden revealed to the world the extent of the NSA's global surveillance network, there has been a vigorous debate in the technological community about what its limits should be. Less discussed is how many of these same surveillance techniques are used by other -- smaller and poorer -- more totalitarian countries to spy on political opponents, dissidents, human rights defenders; the press in Toronto has documented some of the many abuses, by countries like Ethiopia, the UAE, Iran, Syria, Kazakhstan, Sudan, Ecuador, Malaysia, and China. That these countries can use network surveillance technologies to violate human rights is a shame on the world, and there's a lot of blame to go around.

We can point to the governments that are using surveillance against their own citizens. We can certainly blame the cyberweapons arms manufacturers that are selling those systems, and the countries -- mostly European -- that allow those arms manufacturers to sell those systems. There's a lot more the global Internet community could do to limit the availability of sophisticated Internet and telephony surveillance equipment to totalitarian governments. But I want to focus on another contributing cause to this problem: the fundamental insecurity of our digital systems that makes this a problem in the first place.

IMSI catchers are fake mobile phone towers. They allow someone to impersonate a cell network and collect information about phones in the vicinity of the device, and they're used to create lists of people who were at a particular event or near a particular location. Fundamentally, the technology works because the phone in your pocket automatically trusts any cell tower to which it connects. There's no security in the connection protocols between the phones and the towers.

IP intercept systems are used to eavesdrop on what people do on the Internet. Unlike the surveillance that happens at the sites you visit, by companies like Facebook and Google, this surveillance happens at the point where your computer connects to the Internet. Here, someone can eavesdrop on everything you do. This system also exploits existing vulnerabilities in the underlying Internet communications protocols. Most of the traffic between your computer and the Internet is unencrypted, and what is encrypted is often vulnerable to man-in-the-middle attacks because of insecurities in both the Internet protocols and the encryption protocols that protect it.

There are many other examples. What they all have in common is that they are vulnerabilities in our underlying digital communications systems that allow someone -- whether it's a country's secret police, a rival national intelligence organization, or a criminal group -- to break or bypass what security there is and spy on the users of these systems.

These insecurities exist for two reasons. First, they were designed in an era where computer hardware was expensive and inaccessibility was a reasonable proxy for security. When the mobile phone network was designed, faking a cell tower was an incredibly difficult technical exercise, and it was reasonable to assume that only legitimate cell providers would go to the effort of creating such towers. At the same time, computers were less powerful and software was much slower, so adding security into the system seemed like a waste of resources. Fast forward to today: computers are cheap and software is fast, and what was impossible only a few decades ago is now easy.

The second reason is that governments use these surveillance capabil[...]



Friday Squid Blogging: Chilean Squid Producer Diversifies

2017-04-14T21:25:31Z

In another symptom of climate change, Chile's largest squid producer "plans to diversify its offering in the future, selling sea urchin, cod and octopus, to compensate for the volatility of giant squid catches...."

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

Read my blog posting guidelines here.




New C++ Secure Coding Standard

2017-04-14T12:20:36Z

Carnegie Mellon University has released a comprehensive list of C++ secure-coding best practices.




2017 Security Protocols Workshop

2017-04-13T19:42:09Z

Ross Anderson liveblogged the presentations.




Attack vs. Defense in Nation-State Cyber Operations

2017-04-13T10:45:57Z

I regularly say that, on the Internet, attack is easier than defense. There are a bunch of reasons for this, but primarily it's 1) the complexity of modern networked computer systems and 2) the attacker's ability to choose the time and method of the attack versus the defender's necessity to secure against every type of attack. This is true, but how this translates to military cyber-operations is less straightforward. Contrary to popular belief, government cyberattacks are not bolts out of the blue, and the attack/defense balance is more...well...balanced.

Rebecca Slayton has a good article in International Security that tries to make sense of this: "What is the Cyber Offense-Defense Balance? Conceptions, Causes, and Assessment." In it, she points out that launching a cyberattack is more than finding and exploiting a vulnerability, and it is those other things that help balance the offensive advantage.