m: Quec.li m's republished posts. http://quec.li/~m/

The Effect of Real Names on Online Behavior
https://www.schneier.com/blog/archives/2017/01/the_effect_of_r.html (Fri, 06 Jan 2017 10:44:00 -0500)
<p>Good <a href="https://blog.coralproject.net/the-real-name-fallacy/">article</a> debunking the myth that requiring people to use their real names on the Internet makes them behave better.</p>

An SQL Injection Attack Is a Legal Company Name in the UK
https://www.schneier.com/blog/archives/2017/01/an_sql_injectio.html (Wed, 04 Jan 2017 16:17:00 -0500)
<p>Someone just <a href="https://beta.companieshouse.gov.uk/company/10542519">registered their company name</a> as <code>; DROP TABLE "COMPANIES";-- LTD</code>. Note that, as registered, the name contains no single quote to close a conventionally quoted string literal, so against a query that quotes its values it is a joke rather than a working payload; a parameterized query neutralizes it either way.</p>
<p>Reddit <a href="https://www.reddit.com/r/sysadmin/comments/5l030g/someone_just_registered_an_interesting_company/">thread</a>. Obligatory <a href="https://xkcd.com/327/">xkcd comic</a>.</p>

Photocopier Security
https://www.schneier.com/blog/archives/2017/01/photocopier_sec.html (Mon, 02 Jan 2017 07:12:00 -0500)
<p>A modern photocopier is basically a computer with a scanner and printer attached. This computer has a hard drive, and scans of images are regularly stored on that drive. This means that when a photocopier is thrown away, that hard drive is filled with pages that the machine copied over its lifetime. As you might expect, some of those pages will contain sensitive information.</p>
<p>This <a href="https://www.archives.gov/files/oig/pdf/2011/audit-report-11-07.pdf">2011 report</a> was written by the Inspector General of the National Archives and Records Administration (NARA). It found that the organization did nothing to safeguard its photocopiers.</p>
<blockquote><p>Our audit found that opportunities exist to strengthen controls to ensure photocopier hard drives are protected from potential exposure. Specifically, we found the following weaknesses.</p>
<ul>
<li>NARA lacks appropriate controls to ensure all photocopiers across the agency are accounted for and that any hard drives residing on these machines are tracked and properly sanitized or destroyed prior to disposal.</li>
<li>There are no policies documenting security measures to be taken for photocopiers utilized for general use nor are there procedures to ensure photocopier hard drives are sanitized or destroyed prior to disposal or at the end of the lease term.</li>
<li>Photocopier lease agreements and contracts do not include a "keep disk" or similar clause as required by NARA's IT Security Methodology for Media Protection Policy version 5.1.</li>
</ul></blockquote>
<p>I don't mean to single this organization out. Pretty much no one thinks about this security threat.</p>

Appliance Repair
http://xkcd.com/1780/ (Mon, 02 Jan 2017 00:00:00 -0500)
<img src="http://imgs.xkcd.com/comics/appliance_repair.png" title="[holding up a three-phase motor] As you can see here, the problem is that the humidifier I took this from is broken." alt="[holding up a three-phase motor] As you can see here, the problem is that the humidifier I took this from is broken." />

Security Risks of TSA PreCheck
https://www.schneier.com/blog/archives/2016/12/security_risks_12.html (Tue, 27 Dec 2016 07:11:00 -0500)
<p>Former TSA Administrator Kip Hawley <a href="http://www.latimes.com/opinion/op-ed/la-oe-hawley-tsa-precheck-vulnerabilities-20161223-story.html">wrote</a> an op-ed pointing out the security vulnerabilities in the TSA's PreCheck program:</p>
<blockquote><p>The first vulnerability in the system is its enrollment process, which seeks to verify an applicant's identity. We know verification is a challenge: A 2011 Government Accountability Office report on TSA's system for checking airport workers' identities concluded that it was "not designed to provide reasonable assurance that only qualified applicants" got approved. It's not a stretch to believe a reasonably competent terrorist could construct an identity that would pass PreCheck's front end.</p>
<p>The other step in PreCheck's "intelligence-driven, risk-based security strategy" is absurd on its face: The absence of negative information about a person doesn't mean he or she is trustworthy. News reports are filled with stories of people who seemed to be perfectly normal right up to the moment they committed a heinous act. There is no screening algorithm and no database check that can accurately predict human behavior -- especially on the scale of millions. It is axiomatic that terrorist organizations recruit operatives who have clean backgrounds and interview well.</p></blockquote>
<p>None of this is news.</p>
<p>Back in 2004, I <a href="https://www.schneier.com/essays/archives/2004/08/an_easy_path_for_ter.html">wrote</a>:</p>
<blockquote><p>Imagine you're a terrorist plotter with half a dozen potential terrorists at your disposal. They all apply for a card, and three get one. Guess which are going on the mission? And they'll buy round-trip tickets with credit cards and have a "normal" amount of luggage with them.</p>
<p>What the Trusted Traveler program does is create two different access paths into the airport: high security and low security. The intent is that only good guys will take the low-security path, and the bad guys will be forced to take the high-security path, but it rarely works out that way. You have to assume that the bad guys will find a way to take the low-security path.</p>
<p>The Trusted Traveler program is based on the dangerous myth that terrorists match a particular profile and that we can somehow pick terrorists out of a crowd if we only can identify everyone. That's simply not true. Most of the 9/11 terrorists were unknown and not on any watch list. Timothy McVeigh was an upstanding US citizen before he blew up the Oklahoma City Federal Building. Palestinian suicide bombers in Israel are normal, nondescript people. Intelligence reports indicate that Al Qaeda is recruiting non-Arab terrorists for US operations.</p></blockquote>
<p>I <a href="https://www.schneier.com/essays/archives/2007/01/life_in_the_fast_lan.html">wrote</a> much the same thing in 2007:</p>
<blockquote><p>Background checks are based on the dangerous myth that we can somehow pick terrorists out of a crowd if we could identify everyone. Unfortunately, there isn't any terrorist profile that prescreening can uncover. Timothy McVeigh could probably have gotten one of these cards. So could have Eric Rudolph, the pipe bomber at the 1996 Olympic Games in Atlanta. There isn't even a good list of known terrorists to check people against; the government list used by the airlines has been the butt of jokes for years.</p>
<p>And have we forgotten how prevalent identity theft is these days? If you think having a criminal impersonating you to your bank is bad, wait until they start impersonating you to the Transportation Security Administration.</p>
<p>The truth is that whenever you create two paths through security -- a high-security path and a low-security path -- you have to assume that the bad guys will find a way to exploit the low-security path. It may be counterintuitive, but we are all safer if the people chosen for more thorough screening are truly random and not based on an error-filled database or a cursory background check.</p></blockquote>
<p>In a <a href="http://kiphawley.typed.com/blog/precheck-tsas-security-hologram">companion blog post</a>, Hawley has more details about why the program doesn't work:</p>
<blockquote><p>In the sense that PreCheck bars people who were identified by intelligence or law enforcement agencies as possible terrorists, then it was intelligence-driven. But using that standard for PreCheck is ridiculous since those people already get extra screening or are on the No-Fly list. The movie <i>Patriots Day</i>, out now, reminds us of the tragic and preventable Boston Marathon bombing. The FBI sent agents to talk to the Tsarnaev brothers and investigate them as possible terror suspects. And cleared them. Even they did not meet the "intelligence-driven" definition used in PreCheck.</p>
<p>The other problem with "intelligence-driven" in the PreCheck context is that intelligence actually tells us the <i>opposite</i>; specifically that terrorists pick clean operatives. If TSA uses current intelligence to evaluate risk, it would not be out enrolling everybody they can into pre-9/11 security for everybody not flagged by the security services.</p></blockquote>
<p>Hawley and I may agree on the problem, but we have completely opposite solutions. The op-ed was too short to include details, but they're in a companion <a href="http://kiphawley.typed.com/blog/precheck-tsas-security-hologram">blog post</a>. Basically, he wants to screen PreCheck passengers more:</p>
<blockquote><p>In the interests of space, I left out details of what I would suggest as short- and medium-term solutions. Here are a few ideas:</p>
<ul>
<li>Immediately scrub the PreCheck enrollees for false identities. That can probably be accomplished best and most quickly by getting permission from members, and then using, commercial data. If the results show that PreCheck has already been penetrated, the program should be suspended.</li>
<li>Deploy K-9 teams at PreCheck lanes.</li>
<li>Use behaviorally trained officers to interact with and check the credentials of PreCheck passengers.</li>
<li>Use Explosives Trace Detection cotton swabs on PreCheck passengers at a much higher rate. Same with removing shoes.</li>
<li>Turn on the body scanners and keep them fully utilized.</li>
<li>Allow liquids to stay in the carry-on since TSA scanners can detect threat liquids.</li>
<li>Work with the airlines to keep the PreCheck experience positive.</li>
<li>Work with airports to place PreCheck lanes away from regular checkpoints so as not to diminish lane capacity for non-PreCheck passengers. Rental Car check-in areas could be one alternative. Also, downtown check-in and screening (with secure transport to the airport) is a possibility.</li>
</ul></blockquote>
<p>These solutions completely ignore the data from the real-world experiment PreCheck has been. Hawley writes that PreCheck tells us that "terrorists pick clean operatives." That's exactly wrong. PreCheck tells us that, basically, there are no terrorists. If 1) it's an easier way through airport security that terrorists will invariably use, and 2) there have been no instances of terrorists using it in the 10+ years it and its predecessors have been in operation, then the inescapable conclusion is that the threat is minimal. Instead of screening PreCheck passengers more, we should screen everybody else <i>less</i>. <a href="https://www.schneier.com/blog/archives/2012/10/hacking_tsa_pre.html">This</a> is me in 2012: "I think the PreCheck level of airport screening is what everyone should get, and that the no-fly list and the photo ID check add nothing to security."</p>
<p>I agree with Hawley that we need to overhaul airport security. Me in 2010: "<a href="http://www.nytimes.com/roomfordebate/2010/11/22/do-body-scanners-make-us-safer/a-waste-of-money-and-time">Airport security is the last line of defense, and it's not a very good one.</a>" We need to recognize that the <a href="https://www.schneier.com/essays/archives/2015/06/why_are_we_spending_.html">actual risk is much lower than we fear</a>, and ratchet airport security down accordingly. And then we need to continue to invest in <a href="https://www.schneier.com/essays/archives/2009/11/beyond_security_thea.html">investigation and intelligence</a>: security measures that work regardless of the tactic or target.</p>

Startup Opportunity
http://xkcd.com/1772/ (Wed, 14 Dec 2016 00:00:00 -0500)
<img src="http://imgs.xkcd.com/comics/startup_opportunity.png" title="While there's no formal regulation, it turns out their industry group is NOT one you want mad at you." alt="While there's no formal regulation, it turns out their industry group is NOT one you want mad at you." />

WWW Malware Hides in Images
https://www.schneier.com/blog/archives/2016/12/www_malware_hid.html (Wed, 07 Dec 2016 09:06:00 -0500)
<p>There's a <a href="https://www.bleepingcomputer.com/news/security/new-stegano-exploit-kit-hides-malvertising-code-in-image-pixels/">new malware toolkit</a> that uses steganography to hide in images:</p>
<blockquote><p>For the past two months, a new exploit kit has been serving malicious code hidden in the pixels of banner ads via a malvertising campaign that has been active on several high profile websites.</p>
<p>Discovered by security researchers from ESET, this new exploit kit is named Stegano, from the word steganography, which is a technique of hiding content inside other files.</p>
<p>In this particular scenario, malvertising campaign operators hid malicious code inside PNG images used for banner ads.</p>
<p>The crooks took a PNG image and altered the transparency value of several pixels. They then packed the modified image as an ad, for which they bought ad displays on several high-profile websites.</p>
<p>Since a large number of advertising networks allow advertisers to deliver JavaScript code with their ads, the crooks also included JS code that would parse the image, extract the pixel transparency values, and using a mathematical formula, convert those values into a character.</p></blockquote>
<p>Slashdot <a href="https://slashdot.org/story/16/12/06/2324213/new-stegano-exploit-kit-hides-malvertising-code-in-banner-pixels">thread</a>.</p>
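<p>The mechanism the quoted passage describes, as an added illustration that is not part of the original post, the BleepingComputer article or ESET's analysis: a banner's RGBA pixel buffer (the layout a browser's canvas getImageData() hands back) with bytes hidden in its alpha channel, the JavaScript extraction step that turns those transparency values back into characters, and a simple check a defender could run on ad creatives before serving them. The nibble-in-alpha encoding, the constructed banner and the harmless sample payload are assumptions for illustration; the real kit's formula is not reproduced here.</p>

```javascript
// Added example (not from the post or from ESET): hiding bytes in the alpha
// channel of an RGBA pixel buffer and extracting them again in JavaScript,
// plus a detection check. The encoding scheme and all data are constructed.

// Pixel buffer in the layout canvas getImageData().data uses: [r,g,b,a, r,g,b,a, ...]
// Constructed, fully opaque banner with arbitrary colour content.
function makeOpaqueBanner(width, height) {
  const px = new Uint8ClampedArray(width * height * 4);
  for (let i = 0; i < px.length; i += 4) {
    px[i] = (i / 4) % 256; // red varies across the image
    px[i + 1] = 128;       // green
    px[i + 2] = 64;        // blue
    px[i + 3] = 255;       // alpha: fully opaque, as a normal ad would be
  }
  return px;
}

// Embed: a 2-byte big-endian length prefix followed by the payload. Each byte
// is split into two nibbles; nibble n is stored as alpha = 255 - n in one
// pixel, so alpha stays within 240..255 and the ad still renders as opaque.
function embedAlpha(px, payloadBytes) {
  const out = px.slice();
  const bytes = [payloadBytes.length >> 8, payloadBytes.length & 0xff, ...payloadBytes];
  if (bytes.length * 2 > out.length / 4) throw new Error("payload too large for image");
  bytes.forEach((b, i) => {
    out[(2 * i) * 4 + 3] = 255 - (b >> 4);       // high nibble in pixel 2i
    out[(2 * i + 1) * 4 + 3] = 255 - (b & 0x0f); // low nibble in pixel 2i+1
  });
  return out;
}

// Extract: the "mathematical formula" side of the scheme. Reads the length
// prefix, then rebuilds each byte from two consecutive alpha values.
function extractAlpha(px) {
  const nibbleAt = (pixel) => 255 - px[pixel * 4 + 3];
  const byteAt = (i) => (nibbleAt(2 * i) << 4) | nibbleAt(2 * i + 1);
  const length = (byteAt(0) << 8) | byteAt(1);
  const out = new Uint8Array(length);
  for (let i = 0; i < length; i++) out[i] = byteAt(i + 2);
  return out;
}

// Detection check: fraction of pixels whose alpha is "almost opaque" (240..254).
// An ordinary opaque creative scores 0; a carrier built this way does not.
function nearOpaqueFraction(px) {
  let hits = 0;
  const total = px.length / 4;
  for (let i = 3; i < px.length; i += 4) {
    if (px[i] >= 240 && px[i] < 255) hits++;
  }
  return hits / total;
}

// Constructed stand-in for the loader script the real campaign extracted.
const SAMPLE_SCRIPT = "var x = 1; /* loader would go here */";

function roundTrip() {
  const clean = makeOpaqueBanner(64, 32);
  const stego = embedAlpha(clean, new TextEncoder().encode(SAMPLE_SCRIPT));
  return {
    recovered: new TextDecoder().decode(extractAlpha(stego)),
    cleanFraction: nearOpaqueFraction(clean),
    stegoFraction: nearOpaqueFraction(stego),
  };
}

console.log(roundTrip());
```

<p>Run it with node. The defender's takeaway is in the last function: a genuinely opaque creative has alpha exactly 255 everywhere, while a carrier of this kind has a band of pixels just below 255, a difference that is visually negligible but trivial to flag in an ad network's creative review, and that no amount of JavaScript obfuscation in the accompanying ad code can hide.</p>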