Tuesday, July 7, 2009

Podcast: Crypto-Gram 15 Mar 2007: CYA Security

from the Mar 15, 2007 Crypto-Gram Newsletter
by Bruce Schneier

* CYA Security

Much of our country's counterterrorism security spending is not designed to protect us from the terrorists, but instead to protect our public officials from criticism when another attack occurs.

This is "Cover Your Ass" security, and unfortunately it's very common.

* Copycats

The lesson for counterterrorism in America: Stay flexible. We're not threatened by a bunch of copycats, so we're best off expending effort on security measures that will work regardless of the tactics or the targets: intelligence, investigation and emergency response. By focusing too much on specifics -- what the terrorists did last time -- we're wasting valuable resources that could be used to keep us safer.

* U.S. Terrorism Arrests/Convictions Significantly Overstated

A new report from the U.S. Department of Justice's Inspector General says, basically, that all the U.S. terrorism statistics since 9/11 -- arrests, convictions, and so on -- have been grossly inflated.

* The Doghouse: Onboard Threat Detection System

Cameras fitted to seat-backs will record every twitch, blink, facial expression or suspicious movement before sending the data to onboard software which will check it against individual passenger profiles.

* Private Police Forces

Private security guards outnumber real police more than 5 to 1, and increasingly act like them.

Private police officers are different. They don't work for us; they work for corporations. They're focused on the priorities of their employers or the companies that hire them. They're less concerned with due process, public safety and civil rights.

Also, many of the laws that protect us from police abuse do not apply to the private sector.

If you're detained by a private security guard, you don't have nearly as many rights.

* Drive-By Pharming

Sid Stamm, Zulfikar Ramzan, and Markus Jakobsson have developed a clever, and potentially devastating, attack against home routers, something they call "drive-by pharming."

First, the attacker creates a web page containing a simple piece of malicious JavaScript code. When the page is viewed, the code makes a login attempt into the user's home broadband router, and then attempts to change its DNS server settings to point to an attacker-controlled DNS server. Once the user's machine receives the updated DNS settings from the router (after the machine is rebooted) future DNS requests are made to and resolved by the attacker's DNS server.

And then the attacker basically owns the victim's web connection.

The main condition for the attack to be successful is that the attacker can guess the router password. This is surprisingly easy, since home routers come with a default password that is uniform and often never changed.

They've written proof of concept code that can successfully carry out the steps of the attack on Linksys, D-Link, and NETGEAR home routers. If users change their home broadband router passwords to something difficult to guess, they are safe from this attack.

time 24:15
PS: this is my cheat sheet of Bruce Schneier's Podcast:
