Bruce Schneier


Schneier on Security

A blog covering security and security technology.

Analysis of PIN Data

An analysis of 3.4 million four-digit PINs. ("1234" is the most common: 10.7% of all PINs. The top 20 PINs are 26.8% of the total. "8068" is the least common PIN -- that'll probably change now that the fact is published.)

Posted on September 19, 2012 at 12:31 PM | 14 Comments


Recent Developments in Password Cracking

A recent Ars Technica article made the point that password crackers are getting better, and therefore passwords are getting weaker. It's not just computing speed; we now have many databases of actual passwords we can use to create dictionaries of common passwords, or common password-generation techniques. (Example: dictionary word plus a single digit.)

This really isn't anything new. I wrote about it in 2007. Even so, the article has caused a bit of a stir since it was published. I didn't blog about it then, because I was waiting for Joe Bonneau to comment. He has, in a two-part blog post that's well worth reading.

Password cracking can be evaluated on two nearly independent axes: power (the ability to check a large number of guesses quickly and cheaply using optimized software, GPUs, FPGAs, and so on) and efficiency (the ability to generate large lists of candidate passwords accurately ranked by real-world likelihood using sophisticated models). It's relatively simple to measure cracking power in units of hashes evaluated per second or hashes per second per unit cost. There are details to account for, like the complexity of the hash being evaluated, but this problem is generally similar to cryptographic brute force against unknown (random) keys and power is generally increasing exponentially in tune with Moore's law. The move to hardware-based cracking has enabled well-documented orders-of-magnitude speedups.

Cracking efficiency, by contrast, is rarely measured well.

Finally, there are two basic schemes for choosing secure passwords: the Schneier scheme and the XKCD scheme.
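The "efficiency" axis Bonneau describes, and the top-20 PIN statistic above, both come down to one question: how many of the accounts fall within the first k guesses of a given candidate ordering? The following is an added example (not code from either post or from Bonneau) that computes that metric on constructed data; the training/test lists, the word list and all function names are assumptions, and the page's "dictionary word plus a single digit" rule is used as one of the candidate generators.

```python
from collections import Counter
from itertools import product

# Constructed data standing in for leaked databases (not the real 3.4M-PIN set).
# "Training" plays the role of past leaks used to order guesses; "test" are the
# accounts whose exposure is being measured.
TRAIN_PINS = ["1234"] * 107 + ["1111"] * 60 + ["0000"] * 19 + ["1212"] * 12 + \
             ["7777"] * 7 + [f"{n:04d}" for n in range(2000, 2795)]
TEST_PINS = ["1234", "1234", "1111", "0000", "2580", "8068", "3071", "1212"]

WORDS = ["password", "monkey", "dragon", "letmein"]  # constructed mini-dictionary


def frequency_order(training):
    """Candidate ordering by empirical likelihood: most common secret first."""
    return [s for s, _ in Counter(training).most_common()]


def sequential_order():
    """Naive brute force over the PIN space: 0000, 0001, ... (pure power)."""
    return [f"{n:04d}" for n in range(10000)]


def word_plus_digit():
    """The page's mangling rule: a dictionary word followed by one digit."""
    return [w + d for w, d in product(WORDS, "0123456789")]


def guess_numbers(secrets, candidate_order):
    """1-based position at which each secret is reached, or None if never."""
    rank = {c: i + 1 for i, c in enumerate(candidate_order)}
    return [rank.get(s) for s in secrets]


def coverage(secrets, candidate_order, budget):
    """Efficiency metric: fraction of secrets found within `budget` guesses."""
    hits = [g for g in guess_numbers(secrets, candidate_order) if g is not None]
    return sum(1 for g in hits if g <= budget) / len(secrets)


if __name__ == "__main__":
    for name, order in [("frequency", frequency_order(TRAIN_PINS)),
                        ("sequential", sequential_order())]:
        print(name, "coverage @5 guesses:", coverage(TEST_PINS, order, 5))
```

The same `coverage` function applied to a real leaked set is what turns "the top 20 PINs are 26.8% of the total" into a statement about how many accounts a 20-guess lockout policy leaves exposed.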

Posted on September 19, 2012 at 4:41 AM | 32 Comments


Diamond Swallowing as a Ruse

It's a known theft tactic to swallow what you're stealing. It works for food at the supermarket, and it also can work for diamonds. Here's a twist on that tactic:

Police say he could have swallowed the stone in an attempt to distract the diamond's owner, Suresh de Silva, while his accomplice stole the real gem.

Mr de Silva told the BBC that the Chinese men had visited the stall twice and he believed the diamond theft occurred during the first visit and not the second one, when the man swallowed the stone.

He insisted the man was trying to swap a fake stone for the real one and only swallowed the stone when he panicked after Mr de Silva apprehended him and alerted police.

This reminds me of group pickpocket tactics against tourists: the person who steals the wallet quickly passes it to someone else, so if the victim grabs the attacker, the wallet is long gone.

Posted on September 17, 2012 at 7:03 AM | 11 Comments


Friday Squid Blogging: Giant Squid Museum

In Valdés, Spain.

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

Posted on September 14, 2012 at 4:15 PM | 31 Comments


Schneier on Security on Elementary

Two of my books can be seen in the background in CBS' new Sherlock Holmes drama, Elementary. A copy of Schneier on Security is prominently displayed on Sherlock Holmes' bookshelf. You can see it in the first few minutes of the pilot episode. The show's producers contacted me early on to ask permission to use my books, so it didn't come as a surprise, but it's still a bit of a thrill.

Here's a listing of all the books visible on the bookshelf.


Posted on September 14, 2012 at 2:20 PM | 14 Comments


Man-in-the-Middle Bank Fraud Attack

This sort of attack will become more common as banks require two-factor authentication:

Tatanga checks the user account details including the number of accounts, supported currency, balance/limit details. It then chooses the account from which it could steal the highest amount.

Next, it initiates a transfer.

At this point Tatanga uses a Web Inject to trick the user into believing that the bank is performing a chipTAN test. The fake instructions request that the user generate a TAN for the purpose of this "test" and enter the TAN.

Note that the attack relies on tricking the user, which isn't very hard.

Posted on September 14, 2012 at 11:23 AM | 23 Comments


UGNazi

Good article on the hacker group UGNazi.

Posted on September 14, 2012 at 6:47 AM | 5 Comments


Estimating the Probability of Another 9/11

This statistical research says once per decade:

Abstract: Quantities with right-skewed distributions are ubiquitous in complex social systems, including political conflict, economics and social networks, and these systems sometimes produce extremely large events. For instance, the 9/11 terrorist events produced nearly 3000 fatalities, nearly six times more than the next largest event. But, was this enormous loss of life statistically unlikely given modern terrorism's historical record? Accurately estimating the probability of such an event is complicated by the large fluctuations in the empirical distribution's upper tail. We present a generic statistical algorithm for making such estimates, which combines semi-parametric models of tail behavior and a non-parametric bootstrap. Applied to a global database of terrorist events, we estimate the worldwide historical probability of observing at least one 9/11-sized or larger event since 1968 to be 11-35%. These results are robust to conditioning on global variations in economic development, domestic versus international events, the type of weapon used and a truncated history that stops at 1998. We then use this procedure to make a data-driven statistical forecast of at least one similar event over the next decade.

Article about the research.

Posted on September 13, 2012 at 1:20 PM | 20 Comments


Steganography in the Wild

Steganographic information is embedded in World of Warcraft screen shots.

Posted on September 13, 2012 at 6:15 AM | 57 Comments


Stopping Terrorism

Nice essay on the futility of trying to prevent another 9/11:

"Never again." It is as simplistic as it is absurd. It is as vague as it is damaging. No two words have provided so little meaning or context; no catchphrase has so warped policy discussions that it has permanently confused the public's understanding of homeland security. It convinced us that invulnerability was a possibility.

The notion that policies should focus almost exclusively on preventing the next attack has also masked an ideological battle within homeland-security policy circles between "never again" and its antithesis, commonly referred to as "shit happens" but in polite company known as "resiliency." The debate isn't often discussed this way, and not simply because of the bad language. Time has not only eased the pain of that day, but there have also been no significant attacks. "Never again" has so infiltrated public discourse that to even acknowledge a trend away from prevention is considered risky, un-American. Americans don't do "Keep Calm and Carry On." But if they really want security, the kind of security that is sustainable and realistic, then they are going to have to.

There's a lot of good material in this essay.

And on a related topic, an essay and commentary on overhyping the threat of terrorism at the London Olympics.

Posted on September 12, 2012 at 12:55 PM | 24 Comments


A Real Movie-Plot Threat Contest

The "Australia's Security Nightmares: The National Security Short Story Competition" is part of Safeguarding Australia 2012.

To aid the national security community in imagining contemporary threats, the Australian Security Research Centre (ASRC) is organising Australia's Security Nightmares: The National Security Short Story Competition. The competition aims to produce a set of short stories that will contribute to a better conception of possible future threats and help defence, intelligence services, emergency managers, health agencies and other public, private and non-government organisations to be better prepared. The ASRC competition also aims to raise community awareness of national security challenges, and lead to better individual and community resilience.

New, unpublished writers are encouraged to enter the competition.

The first prize is $1000, with the second prize being $500 and third prize being $300.

[...]

Entrants need to write a short story with a security scenario as the story plot line or as the essential backdrop. An Australian context to the story is required, and the story needs to be set between today and 2020. While the story is to be fictional, it needs to be grounded in a plausible, coherent and detailed security situation. Rather than just describing an avalanche of frightening events, writers are encouraged to focus on the consequences and challenges posed by their scenarios, and tease out what the official and public responses would be. Such stories provide more useful insights for those planning to face security threats.

People who have entered my movie-plot contests should take note; that's real prize money. I'm working on my own submission: it involves al Qaeda, a comet hitting the earth, zombies, and feral pigs.

(And while we're on the topic, here's a video of the 100 greatest movie threats. Not movie-plot threats -- threats from actual movies.)

Posted on September 12, 2012 at 6:23 AM | 38 Comments


New Attack Against Chip-and-Pin Systems

Well, new to us:

You see, an EMV payment card authenticates itself with a MAC of transaction data, for which the freshly generated component is the unpredictable number (UN). If you can predict it, you can record everything you need from momentary access to a chip card to play it back and impersonate the card at a future date and location. You can as good as clone the chip. It's called a "pre-play" attack. Just like most vulnerabilities we find these days, some in industry already knew about it but covered it up; we have indications the crooks know about this too, and we believe it explains a good portion of the unsolved phantom withdrawal cases reported to us for which we had until recently no explanation.

Paper here. And news article.
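The point of the quote is that the issuer's MAC check only provides freshness if the UN really is unpredictable. The following added example (not code from the post, the paper, or any EMV implementation) models that in Python: a card that MACs transaction data including the UN, an issuer that verifies the MAC, and two terminal UN generators, a counter and a CSPRNG. HMAC-SHA256 and the constructed key stand in for EMV's real cryptogram construction; all class and function names are assumptions.

```python
import hashlib
import hmac
import os

# Constructed key standing in for the card/issuer shared secret (simplification).
CARD_KEY = b"constructed-card-issuer-key"


def card_cryptogram(key, amount, date, un):
    """Card-side MAC over transaction data; the UN is the only fresh input."""
    msg = f"{amount}|{date}|{un:08x}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def issuer_verify(key, amount, date, un, cryptogram):
    """Issuer recomputes the MAC. It cannot distinguish a live card from a
    cryptogram that was obtained earlier for the same (amount, date, UN)."""
    return hmac.compare_digest(card_cryptogram(key, amount, date, un), cryptogram)


class CounterUN:
    """Weak terminal: the 'unpredictable' number is a counter, so seeing one
    value lets anyone predict the next ones."""
    def __init__(self, start=0x1000):
        self.n = start

    def predict(self, k):
        return [self.n + i + 1 for i in range(k)]

    def next(self):
        self.n += 1
        return self.n


class RandomUN:
    """Sound terminal: 32 fresh bits from the OS CSPRNG; 'prediction' is a
    blind guess with negligible success probability."""
    def predict(self, k):
        return [int.from_bytes(os.urandom(4), "big") for _ in range(k)]

    def next(self):
        return int.from_bytes(os.urandom(4), "big")


def preplay_succeeds(un_source, amount, date, guesses=8):
    """Does a cryptogram recorded for a predicted UN verify at the issuer
    when the terminal later issues its real UN? True means no freshness."""
    recorded = {un: card_cryptogram(CARD_KEY, amount, date, un)
                for un in un_source.predict(guesses)}
    un = un_source.next()  # the UN the terminal actually generates later
    return un in recorded and issuer_verify(CARD_KEY, amount, date, un, recorded[un])
```

The defender's takeaway is that the issuer-side check is correct in both cases; the difference lies entirely in the terminal's UN generator, which is where the paper locates the problem.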

Posted on September 11, 2012 at 12:38 PM | 11 Comments


Powered by Movable Type. Photo at top by Geoffrey Stone.

Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.
