CRYPTO-GRAM
November 15, 2016
by Bruce Schneier
CTO, Resilient, an IBM Company
schne...@schneier.com
https://www.schneier.com
A free monthly newsletter providing summaries, analyses, insights, and
commentaries on security: computer and otherwise.
For back issues, or to subscribe, visit
<https://www.schneier.com/crypto-gram.html>.
You can read this issue on the web at
<https://www.schneier.com/crypto-gram/archives/2016/1115.html>. These
same essays and news items appear in the "Schneier on Security" blog at
<http://www.schneier.com/blog>, along with a lively and intelligent
comment section. An RSS feed is available.
** *** ***** ******* *********** *************
In this issue:
Election Security
News
Lessons From the Dyn DDoS Attack
Regulation of the Internet of Things
Schneier News
Virtual Kidnapping
Intelligence Oversight and How It Can Fail
Whistleblower Investigative Report on NSA Suite B Cryptography
** *** ***** ******* *********** *************
Election Security
It's over. The voting went smoothly. As of the time of writing, there
are no serious fraud allegations, nor credible evidence that anyone
tampered with voting rolls or voting machines. And most important, the
results are not in doubt.
While we may breathe a collective sigh of relief about that, we can't
ignore the issue until the next election. The risks remain.
As computer security experts have been saying for years, our newly
computerized voting systems are vulnerable to attack by both individual
hackers and government-sponsored cyberwarriors. It is only a matter of
time before such an attack happens.
Electronic voting machines can be hacked, and those machines that do not
include a paper ballot that can verify each voter's choice can be hacked
undetectably. Voting rolls are also vulnerable; they are all
computerized databases whose entries can be deleted or changed to sow
chaos on Election Day.
The largely ad hoc system in states for collecting and tabulating
individual voting results is vulnerable as well. While the difference
between theoretical if demonstrable vulnerabilities and an actual attack
on Election Day is considerable, we got lucky this year. Not just
presidential elections are at risk, but state and local elections, too.
To be very clear, this is not about voter fraud. The risks of ineligible
people voting, or people voting twice, have been repeatedly shown to be
virtually nonexistent, and "solutions" to this problem are largely
voter-suppression measures. Election fraud, however, is both far more
feasible and much more worrisome.
Here's my worry. On the day after an election, someone claims that a
result was hacked. Maybe one of the candidates points to a wide
discrepancy between the most recent polls and the actual results. Maybe
an anonymous person announces that he hacked a particular brand of
voting machine, describing in detail how. Or maybe it's a system failure
during Election Day: voting machines recording significantly fewer votes
than there were voters, or zero votes for one candidate or another.
(These are not theoretical occurrences; they have both happened in the
United States before, though because of error, not malice.)
We have no procedures for how to proceed if any of these things happen.
There's no manual, no national panel of experts, no regulatory body to
steer us through this crisis. How do we figure out if someone hacked the
vote? Can we recover the true votes, or are they lost? What do we do
then?
First, we need to do more to secure our elections system. We should
declare our voting systems to be critical national infrastructure. This
is largely symbolic, but it demonstrates a commitment to secure
elections and makes funding and other resources available to states.
We need national security standards for voting machines, and funding for
states to procure machines that comply with those standards.
Voting-security experts can deal with the technical details, but such
machines must include a paper ballot that provides a record verifiable
by voters. The simplest and most reliable way to do that is already
practiced in 37 states: optical-scan paper ballots, marked by the
voters, counted by computer but recountable by hand. And we need a
system of pre-election and postelection security audits to increase
confidence in the system.
Second, election tampering, either by a foreign power or by a domestic
actor, is inevitable, so we need detailed procedures to follow -- both
technical procedures to figure out what happened, and legal procedures
to figure out what to do -- that will efficiently get us to a fair and
equitable election resolution. There should be a board of independent
computer-security experts to unravel what happened, and a board of
independent election officials, either at the Federal Election
Commission or elsewhere, empowered to determine and put in place an
appropriate response.
In the absence of such impartial measures, people rush to defend their
candidate and their party. Florida in 2000 was a perfect example. What
could have been a purely technical issue of determining the intent of
every voter became a battle for who would win the presidency. The
debates about hanging chads and spoiled ballots and how broad the
recount should be were contested by people angling for a particular
outcome. In the same way, after a hacked election, partisan politics
will place tremendous pressure on officials to make decisions that
override fairness and accuracy.
That is why we need to agree on policies to deal with future election
fraud. We need procedures to evaluate claims of voting-machine hacking.
We need a fair and robust vote-auditing process. And we need all of this
in place before an election is hacked and battle lines are drawn.
In response to Florida, the Help America Vote Act of 2002 required each
state to publish its own guidelines on what constitutes a vote. Some
states -- Indiana, in particular -- set up a "war room" of public and
private cybersecurity experts ready to help if anything did occur. While
the Department of Homeland Security is assisting some states with
election security, and the F.B.I. and the Justice Department made some
preparations this year, the approach is too piecemeal.
Elections serve two purposes. First, and most obvious, they are how we
choose a winner. But second, and equally important, they convince the
loser -- and all the supporters -- that he or she lost. To achieve the
first purpose, the voting system must be fair and accurate. To achieve
the second one, it must be *shown* to be fair and accurate.
We need to have these conversations before something happens, when
everyone can be calm and rational about the issues. The integrity of our
elections is at stake, which means our democracy is at stake.
This essay previously appeared in the New York Times.
http://www.nytimes.com/2016/11/09/opinion/american-elections-will-be-hacked.html
Election-machine vulnerabilities:
https://www.washingtonpost.com/posteverything/wp/2016/07/27/by-november-russian-hackers-could-target-voting-machines/
Elections are hard to rig:
https://www.washingtonpost.com/news/the-fix/wp/2016/08/03/one-reason-to-doubt-the-presidential-election-will-be-rigged-its-a-lot-harder-than-it-seems/
Voting systems as critical infrastructure:
https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2852461
Voting machine security:
https://www.verifiedvoting.org/
http://votingmachines.procon.org/view.answers.php?questionID=000291
http://votingmachines.procon.org/view.answers.php?questionID=000291
Election-defense preparations for 2016:
http://www.usatoday.com/story/tech/news/2016/11/05/election-2016-cyber-hack-issues-homeland-security-indiana-pennsylvania-election-protection-verified-voter/93262960/
http://www.nbcnews.com/storyline/2016-election-day/all-hands-deck-protect-election-hack-say-officials-n679271
** *** ***** ******* *********** *************
News
Lance Spitzner looks at the safety features of a power saw and tries to
apply them to Internet security.
https://securingthehuman.sans.org/blog/2016/10/18/what-iot-and-security-needs-to-learn-from-the-dewalt-mitre-saw
Researchers discover a clever attack that bypasses the address space
layout randomization (ALSR) on Intel's CPUs.
http://arstechnica.com/security/2016/10/flaw-in-intel-chips-could-make-malware-attacks-more-potent/
http://www.cs.ucr.edu/~nael/pubs/micro16.pdf
In an interviw in Wired, President Obama talks about AI risk,
cybersecurity, and more.
https://www.wired.com/2016/10/president-obama-mit-joi-ito-interview/
Privacy makes workers more productive. Interesting research.
https://www.psychologytoday.com/blog/the-outsourced-mind/201604/want-people-behave-better-give-them-more-privacy
News about the DDOS attacks against Dyn.
https://motherboard.vice.com/read/twitter-reddit-spotify-were-collateral-damage-in-major-internet-attack
https://krebsonsecurity.com/2016/10/ddos-on-dyn-impacts-twitter-spotify-reddit/
https://motherboard.vice.com/read/blame-the-internet-of-things-for-destroying-the-internet-today
Josephine Wolff examines different Internet governance stakeholders and
how they frame security debates.
https://policyreview.info/articles/analysis/what-we-talk-about-when-we-talk-about-cybersecurity-security-internet-governance
The UK is admitting "offensive cyber" operations against ISIS/Daesh. I
think this might be the first time it has been openly acknowledged.
https://www.theguardian.com/politics/blog/live/2016/oct/20/philip-green-knighthood-commons-set-to-debate-stripping-philip-green-of-his-knighthood-politics-live
It's not hard to imagine the criminal possibilities of automation,
autonomy, and artificial intelligence. But the imaginings are becoming
mainstream -- and the future isn't too far off.
http://www.nytimes.com/2016/10/24/technology/artificial-intelligence-evolves-with-its-criminal-potential.html
Along similar lines, computers are able to predict court verdicts. My
guess is that the real use here isn't to predict actual court verdicts,
but for well-paid defense teams to test various defensive tactics.
http://www.telegraph.co.uk/science/2016/10/23/artifically-intelligent-judge-developed-which-can-predict-court/
Good long article on the 2015 attack against the US Office of Personnel
Management.
https://www.wired.com/2016/10/inside-cyberattack-shocked-us-government/
How Powell's and Podesta's e-mail accounts were hacked. It was phishing.
https://motherboard.vice.com/read/how-hackers-broke-into-john-podesta-and-colin-powells-gmail-accounts
A year and a half ago, I wrote about hardware bit-flipping attacks,
which were then largely theoretical. Now, they can be used to root
Android phones.
http://arstechnica.com/security/2016/10/using-rowhammer-bitflips-to-root-android-phones-is-now-a-thing/
https://vvdveen.com/publications/drammer.pdf
https://www.vusec.net/projects/drammer/
Eavesdropping on typing while connected over VoIP.
https://arxiv.org/pdf/1609.09359.pdf
https://news.uci.edu/research/typing-while-skyping-could-compromise-privacy/
An impressive Chinese device that automatically reads marked cards in
order to cheat at poker and other card games.
https://www.elie.net/blog/security/fuller-house-exposing-high-end-poker-cheating-devices
A useful guide on how to avoid kidnapping children on Halloween.
http://reductress.com/post/how-to-not-kidnap-any-kids-on-halloween-not-even-one/
A card game based on the iterated prisoner's dilemma.
https://opinionatedgamers.com/2016/10/26/h-m-s-dolores-game-review-by-chris-wray/
There's another leak of NSA hacking tools and data from the Shadow
Brokers. This one includes a list of hacked sites. The data is old, but
you can see if you've been hacked.
http://arstechnica.co.uk/security/2016/10/new-leak-may-show-if-you-were-hacked-by-the-nsa/
Honestly, I am surprised by this release. I thought that the original
Shadow Brokers dump was everything. Now that we know they held things
back, there could easily be more releases.
http://www.networkworld.com/article/3137065/security/shadow-brokers-leak-list-of-nsa-targets-and-compromised-servers.html
Note that the Hague-based Organization for the Prohibition of Chemical
Weapons is on the list, hacked in 2000.
https://boingboing.net/2016/11/06/in-2000-the-nsa-hacked-the-ha.html
Free cybersecurity MOOC from F-Secure and the University of Finland.
http://mooc.fi/courses/2016/cybersecurity/
Researchers have trained a neural network to encrypt its communications.
This story is more about AI and neural networks than it is about
cryptography. The algorithm isn't any good, but is a perfect example of
what I've heard called "Schneier's Law": Anyone can design a cipher that
they themselves cannot break.
https://www.newscientist.com/article/2110522-googles-neural-networks-invent-their-own-encryption/
http://arstechnica.com/information-technology/2016/10/google-ai-neural-network-cryptography/
https://www.engadget.com/2016/10/28/google-ai-created-its-own-form-of-encryption/
https://arxiv.org/pdf/1610.06918v1.pdf
Schneier's Law:
https://www.schneier.com/blog/archives/2011/04/schneiers_law.html
Google now links anonymous browser tracking with identifiable tracking.
The article also explains how to opt out.
https://www.propublica.org/article/google-has-quietly-dropped-ban-on-personally-identifiable-web-tracking
New Atlas has a great three-part feature on the history of hacking as
portrayed in films, including video clips. The 1980s. The 1990s. The
2000s.
http://newatlas.com/history-hollywood-hacking-1980s/45482/
http://newatlas.com/hollywood-hacking-movies-1990s/45623/
http://newatlas.com/hollywood-hacking-2000s/45965
For years, the DMCA has been used to stifle legitimate research into the
security of embedded systems. Finally, the research exemption to the
DMCA is in effect (for two years, but we can hope it'll be extended
forever).
https://www.wired.com/2016/10/hacking-car-pacemaker-toaster-just-became-legal/
https://www.eff.org/deeplinks/2016/10/why-did-we-have-wait-year-fix-our-cars
Firefox is removing the battery status API, citing privacy concerns.
https://www.fxsitecompat.com/en-CA/docs/2016/battery-status-api-has-been-removed/
https://eprint.iacr.org/2015/616.pdf
W3C is updating the spec.
https://www.w3.org/TR/battery-status/#acknowledgements
Here's a battery tracker found in the wild.
http://randomwalker.info/publications/OpenWPM_1_million_site_tracking_measurement.pdf
Election-day humor from 2004, but still relevent.
http://www.ganssle.com/tem/tem316.html#article2
A self-propagating smart light bulb worm.
http://iotworm.eyalro.net/
https://boingboing.net/2016/11/09/a-lightbulb-worm-could-take-ov.html
https://tech.slashdot.org/story/16/11/09/0041201/researchers-hack-philips-hue-smart-bulbs-using-a-drone
This is exactly the sort of Internet-of-Things attack that has me
worried.
Ad networks are surreptitiously using ultrasonic communications to jump
from device to device. It should come as no surprise that this
communications channel can be used to hack devices as well.
https://www.newscientist.com/article/2110762-your-homes-online-gadgets-could-be-hacked-by-ultrasound/
https://www.schneier.com/blog/archives/2015/11/ads_surreptitio.html
This is some interesting research. You can fool facial recognition
systems by wearing glasses printed with elements of other peoples'
faces.
https://www.cs.cmu.edu/~sbhagava/papers/face-rec-ccs16.pdf
http://qz.com/823820/carnegie-mellon-made-a-special-pair-of-glasses-that-lets-you-steal-a-digital-identity/
https://boingboing.net/2016/11/02/researchers-trick-facial-recog.html
Interesting research: "Using Artificial Intelligence to Identify State
Secrets," https://arxiv.org/abs/1611.00356
There's a Kickstarter for a sticker that you can stick on a glove and
then register with a biometric access system like an iPhone. It's an
interesting security trade-off: swapping something you are (the
biometric) with something you have (the glove).
https://www.kickstarter.com/projects/nanotips/taps-touchscreen-sticker-w-touch-id-ships-before-x?token=5b586aa6
https://gizmodo.com/these-fake-fingerprint-stickers-let-you-access-a-protec-1788710313
Julian Oliver has designed and built a cellular eavesdropping device
that's disguised as an old HP printer. It's more of a conceptual art
piece than an actual piece of eavesdropping equipment, but it still
makes the point.
https://julianoliver.com/output/stealth-cell-tower
https://www.wired.com/2016/11/evil-office-printer-hijacks-cellphone-connection/
https://boingboing.net/2016/11/03/a-fake-hp-printer-thats-actu.html
** *** ***** ******* *********** *************
Lessons From the Dyn DDoS Attack
A week ago Friday, someone took down numerous popular websites in a
massive distributed denial-of-service (DDoS) attack against the domain
name provider Dyn. DDoS attacks are neither new nor sophisticated. The
attacker sends a massive amount of traffic, causing the victim's system
to slow to a crawl and eventually crash. There are more or less clever
variants, but basically, it's a datapipe-size battle between attacker
and victim. If the defender has a larger capacity to receive and process
data, he or she will win. If the attacker can throw more data than the
victim can process, he or she will win.
The attacker can build a giant data cannon, but that's expensive. It is
much smarter to recruit millions of innocent computers on the internet.
This is the "distributed" part of the DDoS attack, and pretty much how
it's worked for decades. Cybercriminals infect innocent computers around
the internet and recruit them into a botnet. They then target that
botnet against a single victim.
You can imagine how it might work in the real world. If I can trick tens
of thousands of others to order pizzas to be delivered to your house at
the same time, I can clog up your street and prevent any legitimate
traffic from getting through. If I can trick many millions, I might be
able to crush your house from the weight. That's a DDoS attack -- it's
simple brute force.
As you'd expect, DDoSers have various motives. The attacks started out
as a way to show off, then quickly transitioned to a method of
intimidation -- or a way of just getting back at someone you didn't
like. More recently, they've become vehicles of protest. In 2013, the
hacker group Anonymous petitioned the White House to recognize DDoS
attacks as a legitimate form of protest. Criminals have used these
attacks as a means of extortion, although one group found that just the
fear of attack was enough. Military agencies are also thinking about
DDoS as a tool in their cyberwar arsenals. A 2007 DDoS attack against
Estonia was blamed on Russia and widely called an act of cyberwar.
The DDoS attack against Dyn two weeks ago was nothing new, but it
illustrated several important trends in computer security.
These attack techniques are broadly available. Fully capable DDoS attack
tools are available for free download. Criminal groups offer DDoS
services for hire. The particular attack technique used against Dyn was
first used a month earlier. It's called Mirai, and since the source code
was released four weeks ago, over a dozen botnets have incorporated the
code.
The Dyn attacks were probably not originated by a government. The
perpetrators were most likely hackers mad at Dyn for helping Brian Krebs
identify -- and the FBI arrest -- two Israeli hackers who were running a
DDoS-for-hire ring. Recently I have written about probing DDoS attacks
against internet infrastructure companies that appear to be perpetrated
by a nation-state. But, honestly, we don't know for sure.
This is important. Software spreads capabilities. The smartest attacker
needs to figure out the attack and write the software. After that,
anyone can use it. There's not even much of a difference between
government and criminal attacks. In December 2014, there was a
legitimate debate in the security community as to whether the massive
attack against Sony had been perpetrated by a nation-state with a $20
billion military budget or a couple of guys in a basement somewhere. The
internet is the only place where we can't tell the difference. Everyone
uses the same tools, the same techniques and the same tactics.
These attacks are getting larger. The Dyn DDoS attack set a record at
1.2 Tbps. The previous record holder was the attack against
cybersecurity journalist Brian Krebs a month prior at 620 Gbps. This is
much larger than required to knock the typical website offline. A year
ago, it was unheard of. Now it occurs regularly.
The botnets attacking Dyn and Brian Krebs consisted largely of unsecure
Internet of Things (IoT) devices -- webcams, digital video recorders,
routers and so on. This isn't new, either. We've already seen
internet-enabled refrigerators and TVs used in DDoS botnets. But again,
the scale is bigger now. In 2014, the news was hundreds of thousands of
IoT devices -- the Dyn attack used millions. Analysts expect the IoT to
increase the number of things on the internet by a factor of 10 or more.
Expect these attacks to similarly increase.
The problem is that these IoT devices are unsecure and likely to remain
that way. The economics of internet security don't trickle down to the
IoT. Commenting on the Krebs attack last month, I wrote:
The market can't fix this because neither the buyer nor the
seller cares. Think of all the CCTV cameras and DVRs used in
the attack against Brian Krebs. The owners of those devices
don't care. Their devices were cheap to buy, they still work,
and they don't even know Brian. The sellers of those devices
don't care: They're now selling newer and better models, and
the original buyers only cared about price and features. There
is no market solution because the insecurity is what economists
call an externality: It's an effect of the purchasing decision
that affects other people. Think of it kind of like invisible
pollution.
To be fair, one company that made some of the unsecure things used in
these attacks recalled its unsecure webcams. But this is more of a
publicity stunt than anything else. I would be surprised if the company
got many devices back. We already know that the reputational damage from
having your unsecure software made public isn't large and doesn't last.
At this point, the market still largely rewards sacrificing security in
favor of price and time-to-market.
DDoS prevention works best deep in the network, where the pipes are the
largest and the capability to identify and block the attacks is the most
evident. But the backbone providers have no incentive to do this. They
don't feel the pain when the attacks occur and they have no way of
billing for the service when they provide it. So they let the attacks
through and force the victims to defend themselves. In many ways, this
is similar to the spam problem. It, too, is best dealt with in the
backbone, but similar economics dump the problem onto the endpoints.
We're unlikely to get any regulation forcing backbone companies to clean
up either DDoS attacks or spam, just as we are unlikely to get any
regulations forcing IoT manufacturers to make their systems secure. This
is me again:
What this all means is that the IoT will remain insecure unless
government steps in and fixes the problem. When we have market
failures, government is the only solution. The government could
impose security regulations on IoT manufacturers, forcing them
to make their devices secure even though their customers don't
care. They could impose liabilities on manufacturers, allowing
people like Brian Krebs to sue them. Any of these would raise
the cost of insecurity and give companies incentives to spend
money making their devices secure.
That leaves the victims to pay. This is where we are in much of computer
security. Because the hardware, software and networks we use are so
unsecure, we have to pay an entire industry to provide after-the-fact
security.
There are solutions you can buy. Many companies offer DDoS protection,
although they're generally calibrated to the older, smaller attacks. We
can safely assume that they'll up their offerings, although the cost
might be prohibitive for many users. Understand your risks. Buy
mitigation if you need it, but understand its limitations. Know the
attacks are possible and will succeed if large enough. And the attacks
are getting larger all the time. Prepare for that.
This essay previously appeared on the SecurityIntelligence website.
https://securityintelligence.com/lessons-from-the-dyn-ddos-attack/
https://securityintelligence.com/news/multi-phased-ddos-attack-causes-hours-long-outages/
http://arstechnica.com/information-technology/2016/10/inside-the-machine-uprising-how-cameras-dvrs-took-down-parts-of-the-internet/
https://www.theguardian.com/technology/2016/oct/26/ddos-attack-dyn-mirai-botnet
http://searchsecurity.techtarget.com/news/450401962/Details-emerging-on-Dyn-DNS-DDoS-attack-Mirai-IoT-botnet
http://hub.dyn.com/static/hub.dyn.com/dyn-blog/dyn-statement-on-10-21-2016-ddos-attack.html
DDoS petition:
http://www.huffingtonpost.com/2013/01/12/anonymous-ddos-petition-white-house_n_2463009.html
DDoS extortion:
https://securityintelligence.com/ddos-extortion-easy-and-lucrative/
http://www.computerworld.com/article/3061813/security/empty-ddos-threats-deliver-100k-to-extortion-group.html
DDoS against Estonia:
http://www.iar-gwu.org/node/65
DDoS for hire:
http://www.forbes.com/sites/thomasbrewster/2016/10/23/massive-ddos-iot-botnet-for-hire-twitter-dyn-amazon/#11f82518c915
Mirai:
https://www.arbornetworks.com/blog/asert/mirai-iot-botnet-description-ddos-attack-mitigation/
https://krebsonsecurity.com/2016/10/source-code-for-iot-botnet-mirai-released/
https://threatpost.com/mirai-bots-more-than-double-since-source-code-release/121368/
Krebs:
http://krebsonsecurity.com/2016/09/israeli-online-attack-service-vdos-earned-600000-in-two-years/
http://www.theverge.com/2016/9/11/12878692/vdos-israeli-teens-ddos-cyberattack-service-arrested
https://krebsonsecurity.com/2016/09/krebsonsecurity-hit-with-record-ddos/
http://www.businessinsider.com/akamai-brian-krebs-ddos-attack-2016-9
Nation-state DDoS Attacks:
https://www.schneier.com/blog/archives/2016/09/someone_is_lear.html
North Korea and Sony:
https://www.theatlantic.com/international/archive/2014/12/did-north-korea-really-attack-sony/383973/
Internet of Things (IoT) security:
https://securityintelligence.com/will-internet-things-leveraged-ruin-companys-day-understanding-iot-security/
https://thehackernews.com/2014/01/100000-refrigerators-and-other-home.html
Ever larger DDoS Attacks:
http://www.ibtimes.co.uk/biggest-ever-terabit-scale-ddos-attack-yet-could-be-horizon-experts-warn-1588364
My previous essay on this:
https://www.schneier.com/essays/archives/2016/10/we_need_to_save_the_.html
recalled:
http://www.zdnet.com/article/chinese-tech-giant-recalls-webcams-used-in-dyn-cyberattack/
identify and block the attacks:
http://www.ibm.com/security/threat-protection/
** *** ***** ******* *********** *************
Regulation of the Internet of Things
Late last month, popular websites like Twitter, Pinterest, Reddit and
PayPal went down for most of a day. The distributed denial-of-service
attack that caused the outages, and the vulnerabilities that made the
attack possible, was as much a failure of market and policy as it was of
technology. If we want to secure our increasingly computerized and
connected world, we need more government involvement in the security of
the "Internet of Things" and increased regulation of what are now
critical and life-threatening technologies. It's no longer a question of
if, it's a question of when.
First, the facts. Those websites went down because their domain name
provider -- a company named Dyn -- was forced offline. We don't know who
perpetrated that attack, but it could have easily been a lone hacker.
Whoever it was launched a distributed denial-of-service attack against
Dyn by exploiting a vulnerability in large numbers -- possibly millions
-- of Internet-of-Things devices like webcams and digital video
recorders, then recruiting them all into a single botnet. The botnet
bombarded Dyn with traffic, so much that it went down. And when it went
down, so did dozens of websites.
Your security on the Internet depends on the security of millions of
Internet-enabled devices, designed and sold by companies you've never
heard of to consumers who don't care about your security.
The technical reason these devices are insecure is complicated, but
there is a market failure at work. The Internet of Things is bringing
computerization and connectivity to many tens of millions of devices
worldwide. These devices will affect every aspect of our lives, because
they're things like cars, home appliances, thermostats, lightbulbs,
fitness trackers, medical devices, smart streetlights and sidewalk
squares. Many of these devices are low-cost, designed and built
offshore, then rebranded and resold. The teams building these devices
don't have the security expertise we've come to expect from the major
computer and smartphone manufacturers, simply because the market won't
stand for the additional costs that would require. These devices don't
get security updates like our more expensive computers, and many don't
even have a way to be patched. And, unlike our computers and phones,
they stay around for years and decades.
An additional market failure illustrated by the Dyn attack is that
neither the seller nor the buyer of those devices cares about fixing the
vulnerability. The owners of those devices don't care. They wanted a
webcam -- or thermostat, or refrigerator -- with nice features at a good
price. Even after they were recruited into this botnet, they still work
fine -- you can't even tell they were used in the attack. The sellers of
those devices don't care: They've already moved on to selling newer and
better models. There is no market solution because the insecurity
primarily affects other people. It's a form of invisible pollution.
And, like pollution, the only solution is to regulate. The government
could impose minimum security standards on IoT manufacturers, forcing
them to make their devices secure even though their customers don't
care. They could impose liabilities on manufacturers, allowing companies
like Dyn to sue them if their devices are used in DDoS attacks. The
details would need to be carefully scoped, but either of these options
would raise the cost of insecurity and give companies incentives to
spend money making their devices secure.
It's true that this is a domestic solution to an international problem
and that there's no U.S. regulation that will affect, say, an Asian-made
product sold in South America, even though that product could still be
used to take down U.S. websites. But the main costs in making software
come from development. If the United States and perhaps a few other
major markets implement strong Internet-security regulations on IoT
devices, manufacturers will be forced to upgrade their security if they
want to sell to those markets. And any improvements they make in their
software will be available in their products wherever they are sold,
simply because it makes no sense to maintain two different versions of
the software. This is truly an area where the actions of a few countries
can drive worldwide change.
Regardless of what you think about regulation vs. market solutions, I
believe there is no choice. Governments will get involved in the IoT,
because the risks are too great and the stakes are too high. Computers
are now able to affect our world in a direct and physical manner.
Security researchers have demonstrated the ability to remotely take
control of Internet-enabled cars. They've demonstrated ransomware
against home thermostats and exposed vulnerabilities in implanted
medical devices. They've hacked voting machines and power plants. In one
recent paper, researchers showed how a vulnerability in smart lightbulbs
could be used to start a chain reaction, resulting in them *all* being
controlled by the attackers -- that's every one in a city. Security
flaws in these things could mean people dying and property being
destroyed.
Nothing motivates the U.S. government like fear. Remember 2001? A
small-government Republican president created the Department of Homeland
Security in the wake of the Sept. 11 terrorist attacks: a rushed and
ill-thought-out decision that we've been trying to fix for more than a
decade. A fatal IoT disaster will similarly spur our government into
action, and it's unlikely to be well-considered and thoughtful action.
Our choice isn't between government involvement and no government
involvement. Our choice is between smarter government involvement and
stupider government involvement. We have to start thinking about this
now. Regulations are necessary, important and complex -- and they're
coming. We can't afford to ignore these issues until it's too late.
In general, the software market demands that products be fast and cheap
and that security be a secondary consideration. That was okay when
software didn't matter -- it was okay that your spreadsheet crashed once
in a while. But a software bug that literally crashes your car is
another thing altogether. The security vulnerabilities in the Internet
of Things are deep and pervasive, and they won't get fixed if the market
is left to sort it out for itself. We need to proactively discuss good
regulatory solutions; otherwise, a disaster will impose bad ones on us.
This essay previously appeared in the Washington Post.
https://www.washingtonpost.com/posteverything/wp/2016/11/03/your-wifi-connected-thermostat-can-take-down-the-whole-internet-we-need-new-regulations/
DDoS:
https://www.washingtonpost.com/news/the-switch/wp/2016/10/21/someone-attacked-a-major-part-of-the-internets-infrastructure/
IoT and DDoS:
https://krebsonsecurity.com/2016/10/hacked-cameras-dvrs-powered-todays-massive-internet-outage/
The IoT market failure and regulation:
https://www.schneier.com/essays/archives/2016/10/we_need_to_save_the_.html
https://www.wired.com/2014/01/theres-no-good-way-to-patch-the-internet-of-things-and-thats-a-huge-problem/
http://www.computerworld.com/article/3136650/security/after-ddos-attack-senator-seeks-industry-led-security-standards-for-iot-devices.html
IoT ransomware:
https://motherboard.vice.com/read/internet-of-things-ransomware-smart-thermostat
medical:
Hacking medical devices:
http://motherboard.vice.com/read/hackers-killed-a-simulated-human-by-turning-off-its-pacemaker
http://abcnews.go.com/US/vice-president-dick-cheney-feared-pacemaker-hacking/story?id=20621434
Hacking voting machines:
http://www.politico.com/magazine/story/2016/08/2016-elections-russia-hack-how-to-hack-an-election-in-seven-minutes-214144
Hacking power plants:
https://www.wired.com/2016/01/everything-we-know-about-ukraines-power-plant-hack/
Hacking light bulbs:
http://iotworm.eyalro.net
** *** ***** ******* *********** *************
Schneier News
I am speaking in Cambridge, MA on November 15 at the Harvard Big-Data
Club.
http://harvardbigdata.com/event/keynote-lecture-bruce-schneier
I am speaking in Palm Springs, CA on November 30 at the TEDMED
Conference.
http://www.tedmed.com/speakers/show?id=627300
I am participating in the Resilient end-of-year webinar on December 8.
http://info.resilientsystems.com/webinar-eoy-cybersecurity-2016-review-2017-predictions
I am speaking on December 14 in Accra at the University of Ghana.
** *** ***** ******* *********** *************
Virtual Kidnapping
This is a harrowing story of a scam artist that convinced a mother that
her daughter had been kidnapped. It's unclear if these virtual
kidnappers use data about their victims, or just call people at random
and hope to get lucky. Still, it's a new criminal use of smartphones and
ubiquitous information. Reminds me of the scammers who call low-wage
workers at retail establishments late at night and convince them to do
outlandish and occasionally dangerous things.
https://www.washingtonpost.com/local/we-have-your-daughter-a-virtual-kidnapping-and-a-mothers-five-hours-of-hell/2016/10/03/8f082690-8963-11e6-875e-2c1bfe943b66_story.html
More stories are here.
http://www.nbcwashington.com/investigations/Several-Virtual-Kidnapping-Attempts-in-Maryland-Recently-375792991.html
** *** ***** ******* *********** *************
Intelligence Oversight and How It Can Fail
Former NSA attorneys John DeLong and Susan Hennessay have written a
fascinating article describing a particular incident of oversight
failure inside the NSA. Technically, the story hinges on a definitional
difference between the NSA and the FISA court meaning of the word
"archived." (For the record, I would have defaulted to the NSA's
interpretation, which feels more accurate technically.) But while the
story is worth reading, what's especially interesting are the broader
issues about how a nontechnical judiciary can provide oversight over a
very technical data collection-and-analysis organization -- especially
if the oversight must largely be conducted in secret.
In many places I have separated different kinds of oversight: are we
doing things right versus are we doing the right things? This is very
much about the first: is the NSA complying with the rules the courts
impose on them? I believe that the NSA tries very hard to follow the
rules it's given, while at the same time being very aggressive about how
it interprets any kind of ambiguities and using its nonadversarial
relationship with its overseers to its advantage.
The only possible solution I can see to all of this is more public
scrutiny. Secrecy is toxic here.
https://www.lawfareblog.com/understanding-footnote-14-nsa-lawyering-oversight-and-compliance
** *** ***** ******* *********** *************
Whistleblower Investigative Report on NSA Suite B Cryptography
The NSA has been abandoning secret and proprietary cryptographic
algorithms in favor of commercial public algorithms, generally known as
"Suite B." In 2010, an NSA employee filed some sort of whistleblower
complaint, alleging that this move is both insecure and wasteful. The
US DoD Inspector General investigated and wrote a report in 2011.
The report -- slightly redacted and declassified -- found that there was
no wrongdoing. But the report is an interesting window into the NSA's
system of algorithm selection and testing (pages 5 and 6), as well as
how they investigate whistleblower complaints.
http://www.dodig.mil/FOIA/err/11-INTEL-06%20(Redacted).pdf
Suite B Cryptography:
http://csrc.nist.gov/groups/SMA/ispab/documents/minutes/2006-03/E_Barker-March2006-ISPAB.pdf
** *** ***** ******* *********** *************
Since 1998, CRYPTO-GRAM has been a free monthly newsletter providing
summaries, analyses, insights, and commentaries on security: computer
and otherwise. You can subscribe, unsubscribe, or change your address on
the Web at <https://www.schneier.com/crypto-gram.html>. Back issues are
also available at that URL.
Please feel free to forward CRYPTO-GRAM, in whole or in part, to
colleagues and friends who will find it valuable. Permission is also
granted to reprint CRYPTO-GRAM, as long as it is reprinted in its
entirety.
CRYPTO-GRAM is written by Bruce Schneier. Bruce Schneier is an
internationally renowned security technologist, called a "security guru"
by The Economist. He is the author of 13 books -- including his latest,
"Data and Goliath" -- as well as hundreds of articles, essays, and
academic papers. His influential newsletter "Crypto-Gram" and his blog
"Schneier on Security" are read by over 250,000 people. He has testified
before Congress, is a frequent guest on television and radio, has served
on several government committees, and is regularly quoted in the press.
Schneier is a fellow at the Berkman Center for Internet and Society at
Harvard Law School, a program fellow at the New America Foundation's
Open Technology Institute, a board member of the Electronic Frontier
Foundation, an Advisory Board Member of the Electronic Privacy
Information Center, and the Chief Technology Officer at Resilient, an
IBM Company. See <https://www.schneier.com>.
Crypto-Gram is a personal newsletter. Opinions expressed are not
necessarily those of Resilient, an IBM Company.
Copyright (c) 2016 by Bruce Schneier.
** *** ***** ******* *********** *************
To unsubscribe from Crypto-Gram, click this link:
https://lists.schneier.com/cgi-bin/mailman/options/crypto-gram/archive%40mail-archive.com?login-unsub=Unsubscribe
You will be e-mailed a confirmation message. Follow the instructions in that
message to confirm your removal from the list.