Mailspring/packages/local-sync/spec/fixtures/MessageFactory/parseFromImap/crypto-gram-ascii-plaintext.json
Christine Spang c6a80efc44 [local-sync] Fix parseFromImap specs
Lots has changed for the better! Tests work again also.
2016-12-16 14:42:26 -08:00

1 line
No EOL
93 KiB
JSON

{"imapMessage":{"attributes":{"struct":[{"partID":"1","type":"text","subtype":"plain","params":{"charset":"us-ascii","format":"flowed"},"id":null,"description":null,"encoding":"7BIT","size":42161,"lines":820,"md5":null,"disposition":null,"language":null}],"date":"2016-11-15T07:50:26.000Z","flags":["\\Seen"],"uid":345982,"modseq":"8120006","x-gm-labels":["\\Inbox"],"x-gm-msgid":"1551049662245032910","x-gm-thrid":"1551049662245032910"},"headers":"Delivered-To: christine@spang.cc\r\nReceived: by 10.31.185.141 with SMTP id j135csp15122vkf; Mon, 14 Nov 2016\r\n 23:50:26 -0800 (PST)\r\nX-Received: by 10.37.220.66 with SMTP id y63mr6697075ybe.190.1479196226438;\r\n Mon, 14 Nov 2016 23:50:26 -0800 (PST)\r\nReturn-Path: <crypto-gram-bounces@lists.schneier.com>\r\nReceived: from schneier.modwest.com (schneier.modwest.com. [204.11.247.92]) by\r\n mx.google.com with ESMTPS id i126si6507480ybb.7.2016.11.14.23.50.26 for\r\n <christine@spang.cc> (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256\r\n bits=128/128); Mon, 14 Nov 2016 23:50:26 -0800 (PST)\r\nReceived-SPF: pass (google.com: domain of\r\n crypto-gram-bounces@lists.schneier.com designates 204.11.247.92 as permitted\r\n sender) client-ip=204.11.247.92;\r\nAuthentication-Results: mx.google.com; spf=pass (google.com: domain of\r\n crypto-gram-bounces@lists.schneier.com designates 204.11.247.92 as permitted\r\n sender) smtp.mailfrom=crypto-gram-bounces@lists.schneier.com\r\nReceived: from schneier.modwest.com (localhost [127.0.0.1]) by\r\n schneier.modwest.com (Postfix) with ESMTP id A57D33A66E for\r\n <christine@spang.cc>; Tue, 15 Nov 2016 00:48:53 -0700 (MST)\r\nX-Original-To: crypto-gram@lists.schneier.com\r\nDelivered-To: crypto-gram@lists.schneier.com\r\nReceived: from webmail.schneier.com (localhost [127.0.0.1]) by\r\n schneier.modwest.com (Postfix) with ESMTPA id 735B038F18; Tue, 15 Nov 2016\r\n 00:27:10 -0700 (MST)\r\nMIME-Version: 1.0\r\nDate: Tue, 15 Nov 2016 01:27:10 -0600\r\nFrom: Bruce Schneier <schneier@schneier.com>\r\nSubject: CRYPTO-GRAM, November 15, 2016\r\nMessage-ID: <76bcad7045e1f498eb00e27fc969ee53@schneier.com>\r\nX-Sender: schneier@schneier.com\r\nUser-Agent: Roundcube Webmail/0.9.5\r\nX-Mailman-Approved-At: Tue, 15 Nov 2016 00:45:13 -0700\r\nX-BeenThere: crypto-gram@lists.schneier.com\r\nX-Mailman-Version: 2.1.15\r\nPrecedence: list\r\nCc: Crypto-Gram Mailing List <crypto-gram@lists.schneier.com>\r\nList-Id: Crypto-Gram Mailing List <crypto-gram.lists.schneier.com>\r\nList-Unsubscribe: <https://lists.schneier.com/cgi-bin/mailman/options/crypto-gram>,\r\n <mailto:crypto-gram-request@lists.schneier.com?subject=unsubscribe>\r\nList-Post: <mailto:crypto-gram@lists.schneier.com>\r\nList-Help: <mailto:crypto-gram-request@lists.schneier.com?subject=help>\r\nList-Subscribe: <https://lists.schneier.com/cgi-bin/mailman/listinfo/crypto-gram>,\r\n <mailto:crypto-gram-request@lists.schneier.com?subject=subscribe>\r\nContent-Transfer-Encoding: 7bit\r\nContent-Type: text/plain; charset=\"us-ascii\"; Format=\"flowed\"\r\nTo: christine@spang.cc\r\nErrors-To: crypto-gram-bounces@lists.schneier.com\r\nSender: \"Crypto-Gram\" <crypto-gram-bounces@lists.schneier.com>\r\n\r\n","parts":{"1":"\r\n CRYPTO-GRAM\r\n\r\n November 15, 2016\r\n\r\n by Bruce Schneier\r\n CTO, Resilient, an IBM Company\r\n schneier@schneier.com\r\n https://www.schneier.com\r\n\r\n\r\nA free monthly newsletter providing summaries, analyses, insights, and \r\ncommentaries on security: computer and otherwise.\r\n\r\nFor back issues, or to subscribe, visit \r\n<https://www.schneier.com/crypto-gram.html>.\r\n\r\nYou can read this issue on the web at \r\n<https://www.schneier.com/crypto-gram/archives/2016/1115.html>. These \r\nsame essays and news items appear in the \"Schneier on Security\" blog at \r\n<http://www.schneier.com/blog>, along with a lively and intelligent \r\ncomment section. An RSS feed is available.\r\n\r\n\r\n** *** ***** ******* *********** *************\r\n\r\nIn this issue:\r\n Election Security\r\n News\r\n Lessons From the Dyn DDoS Attack\r\n Regulation of the Internet of Things\r\n Schneier News\r\n Virtual Kidnapping\r\n Intelligence Oversight and How It Can Fail\r\n Whistleblower Investigative Report on NSA Suite B Cryptography\r\n\r\n\r\n** *** ***** ******* *********** *************\r\n\r\n Election Security\r\n\r\n\r\n\r\nIt's over. The voting went smoothly. As of the time of writing, there \r\nare no serious fraud allegations, nor credible evidence that anyone \r\ntampered with voting rolls or voting machines. And most important, the \r\nresults are not in doubt.\r\n\r\nWhile we may breathe a collective sigh of relief about that, we can't \r\nignore the issue until the next election. The risks remain.\r\n\r\nAs computer security experts have been saying for years, our newly \r\ncomputerized voting systems are vulnerable to attack by both individual \r\nhackers and government-sponsored cyberwarriors. It is only a matter of \r\ntime before such an attack happens.\r\n\r\nElectronic voting machines can be hacked, and those machines that do not \r\ninclude a paper ballot that can verify each voter's choice can be hacked \r\nundetectably. Voting rolls are also vulnerable; they are all \r\ncomputerized databases whose entries can be deleted or changed to sow \r\nchaos on Election Day.\r\n\r\nThe largely ad hoc system in states for collecting and tabulating \r\nindividual voting results is vulnerable as well. While the difference \r\nbetween theoretical if demonstrable vulnerabilities and an actual attack \r\non Election Day is considerable, we got lucky this year. Not just \r\npresidential elections are at risk, but state and local elections, too.\r\n\r\nTo be very clear, this is not about voter fraud. The risks of ineligible \r\npeople voting, or people voting twice, have been repeatedly shown to be \r\nvirtually nonexistent, and \"solutions\" to this problem are largely \r\nvoter-suppression measures. Election fraud, however, is both far more \r\nfeasible and much more worrisome.\r\n\r\nHere's my worry. On the day after an election, someone claims that a \r\nresult was hacked. Maybe one of the candidates points to a wide \r\ndiscrepancy between the most recent polls and the actual results. Maybe \r\nan anonymous person announces that he hacked a particular brand of \r\nvoting machine, describing in detail how. Or maybe it's a system failure \r\nduring Election Day: voting machines recording significantly fewer votes \r\nthan there were voters, or zero votes for one candidate or another. \r\n(These are not theoretical occurrences; they have both happened in the \r\nUnited States before, though because of error, not malice.)\r\n\r\nWe have no procedures for how to proceed if any of these things happen. \r\nThere's no manual, no national panel of experts, no regulatory body to \r\nsteer us through this crisis. How do we figure out if someone hacked the \r\nvote? Can we recover the true votes, or are they lost? What do we do \r\nthen?\r\n\r\nFirst, we need to do more to secure our elections system. We should \r\ndeclare our voting systems to be critical national infrastructure. This \r\nis largely symbolic, but it demonstrates a commitment to secure \r\nelections and makes funding and other resources available to states.\r\n\r\nWe need national security standards for voting machines, and funding for \r\nstates to procure machines that comply with those standards. \r\nVoting-security experts can deal with the technical details, but such \r\nmachines must include a paper ballot that provides a record verifiable \r\nby voters. The simplest and most reliable way to do that is already \r\npracticed in 37 states: optical-scan paper ballots, marked by the \r\nvoters, counted by computer but recountable by hand. And we need a \r\nsystem of pre-election and postelection security audits to increase \r\nconfidence in the system.\r\n\r\nSecond, election tampering, either by a foreign power or by a domestic \r\nactor, is inevitable, so we need detailed procedures to follow -- both \r\ntechnical procedures to figure out what happened, and legal procedures \r\nto figure out what to do -- that will efficiently get us to a fair and \r\nequitable election resolution. There should be a board of independent \r\ncomputer-security experts to unravel what happened, and a board of \r\nindependent election officials, either at the Federal Election \r\nCommission or elsewhere, empowered to determine and put in place an \r\nappropriate response.\r\n\r\nIn the absence of such impartial measures, people rush to defend their \r\ncandidate and their party. Florida in 2000 was a perfect example. What \r\ncould have been a purely technical issue of determining the intent of \r\nevery voter became a battle for who would win the presidency. The \r\ndebates about hanging chads and spoiled ballots and how broad the \r\nrecount should be were contested by people angling for a particular \r\noutcome. In the same way, after a hacked election, partisan politics \r\nwill place tremendous pressure on officials to make decisions that \r\noverride fairness and accuracy.\r\n\r\nThat is why we need to agree on policies to deal with future election \r\nfraud. We need procedures to evaluate claims of voting-machine hacking. \r\nWe need a fair and robust vote-auditing process. And we need all of this \r\nin place before an election is hacked and battle lines are drawn.\r\n\r\nIn response to Florida, the Help America Vote Act of 2002 required each \r\nstate to publish its own guidelines on what constitutes a vote. Some \r\nstates -- Indiana, in particular -- set up a \"war room\" of public and \r\nprivate cybersecurity experts ready to help if anything did occur. While \r\nthe Department of Homeland Security is assisting some states with \r\nelection security, and the F.B.I. and the Justice Department made some \r\npreparations this year, the approach is too piecemeal.\r\n\r\nElections serve two purposes. First, and most obvious, they are how we \r\nchoose a winner. But second, and equally important, they convince the \r\nloser -- and all the supporters -- that he or she lost. To achieve the \r\nfirst purpose, the voting system must be fair and accurate. To achieve \r\nthe second one, it must be *shown* to be fair and accurate.\r\n\r\nWe need to have these conversations before something happens, when \r\neveryone can be calm and rational about the issues. The integrity of our \r\nelections is at stake, which means our democracy is at stake.\r\n\r\nThis essay previously appeared in the New York Times.\r\nhttp://www.nytimes.com/2016/11/09/opinion/american-elections-will-be-hacked.html\r\n\r\nElection-machine vulnerabilities:\r\nhttps://www.washingtonpost.com/posteverything/wp/2016/07/27/by-november-russian-hackers-could-target-voting-machines/\r\n\r\nElections are hard to rig:\r\nhttps://www.washingtonpost.com/news/the-fix/wp/2016/08/03/one-reason-to-doubt-the-presidential-election-will-be-rigged-its-a-lot-harder-than-it-seems/\r\n\r\nVoting systems as critical infrastructure:\r\nhttps://papers.ssrn.com/sol3/papers.cfm?abstract_id=2852461\r\n\r\nVoting machine security:\r\nhttps://www.verifiedvoting.org/\r\nhttp://votingmachines.procon.org/view.answers.php?questionID=000291\r\nhttp://votingmachines.procon.org/view.answers.php?questionID=000291\r\n\r\nElection-defense preparations for 2016:\r\nhttp://www.usatoday.com/story/tech/news/2016/11/05/election-2016-cyber-hack-issues-homeland-security-indiana-pennsylvania-election-protection-verified-voter/93262960/\r\nhttp://www.nbcnews.com/storyline/2016-election-day/all-hands-deck-protect-election-hack-say-officials-n679271\r\n\r\n\r\n** *** ***** ******* *********** *************\r\n\r\n News\r\n\r\n\r\n\r\nLance Spitzner looks at the safety features of a power saw and tries to \r\napply them to Internet security.\r\nhttps://securingthehuman.sans.org/blog/2016/10/18/what-iot-and-security-needs-to-learn-from-the-dewalt-mitre-saw\r\n\r\nResearchers discover a clever attack that bypasses the address space \r\nlayout randomization (ALSR) on Intel's CPUs.\r\nhttp://arstechnica.com/security/2016/10/flaw-in-intel-chips-could-make-malware-attacks-more-potent/\r\nhttp://www.cs.ucr.edu/~nael/pubs/micro16.pdf\r\n\r\nIn an interviw in Wired, President Obama talks about AI risk, \r\ncybersecurity, and more.\r\nhttps://www.wired.com/2016/10/president-obama-mit-joi-ito-interview/\r\n\r\nPrivacy makes workers more productive. Interesting research.\r\nhttps://www.psychologytoday.com/blog/the-outsourced-mind/201604/want-people-behave-better-give-them-more-privacy\r\n\r\nNews about the DDOS attacks against Dyn.\r\nhttps://motherboard.vice.com/read/twitter-reddit-spotify-were-collateral-damage-in-major-internet-attack\r\nhttps://krebsonsecurity.com/2016/10/ddos-on-dyn-impacts-twitter-spotify-reddit/\r\nhttps://motherboard.vice.com/read/blame-the-internet-of-things-for-destroying-the-internet-today\r\n\r\nJosephine Wolff examines different Internet governance stakeholders and \r\nhow they frame security debates.\r\nhttps://policyreview.info/articles/analysis/what-we-talk-about-when-we-talk-about-cybersecurity-security-internet-governance\r\n\r\nThe UK is admitting \"offensive cyber\" operations against ISIS/Daesh. I \r\nthink this might be the first time it has been openly acknowledged.\r\nhttps://www.theguardian.com/politics/blog/live/2016/oct/20/philip-green-knighthood-commons-set-to-debate-stripping-philip-green-of-his-knighthood-politics-live\r\n\r\nIt's not hard to imagine the criminal possibilities of automation, \r\nautonomy, and artificial intelligence. But the imaginings are becoming \r\nmainstream -- and the future isn't too far off.\r\nhttp://www.nytimes.com/2016/10/24/technology/artificial-intelligence-evolves-with-its-criminal-potential.html\r\n\r\nAlong similar lines, computers are able to predict court verdicts. My \r\nguess is that the real use here isn't to predict actual court verdicts, \r\nbut for well-paid defense teams to test various defensive tactics.\r\nhttp://www.telegraph.co.uk/science/2016/10/23/artifically-intelligent-judge-developed-which-can-predict-court/\r\n\r\nGood long article on the 2015 attack against the US Office of Personnel \r\nManagement.\r\nhttps://www.wired.com/2016/10/inside-cyberattack-shocked-us-government/\r\n\r\nHow Powell's and Podesta's e-mail accounts were hacked. It was phishing.\r\nhttps://motherboard.vice.com/read/how-hackers-broke-into-john-podesta-and-colin-powells-gmail-accounts\r\n\r\nA year and a half ago, I wrote about hardware bit-flipping attacks, \r\nwhich were then largely theoretical. Now, they can be used to root \r\nAndroid phones.\r\nhttp://arstechnica.com/security/2016/10/using-rowhammer-bitflips-to-root-android-phones-is-now-a-thing/\r\nhttps://vvdveen.com/publications/drammer.pdf\r\nhttps://www.vusec.net/projects/drammer/\r\n\r\nEavesdropping on typing while connected over VoIP.\r\nhttps://arxiv.org/pdf/1609.09359.pdf\r\nhttps://news.uci.edu/research/typing-while-skyping-could-compromise-privacy/\r\n\r\nAn impressive Chinese device that automatically reads marked cards in \r\norder to cheat at poker and other card games.\r\nhttps://www.elie.net/blog/security/fuller-house-exposing-high-end-poker-cheating-devices\r\n\r\nA useful guide on how to avoid kidnapping children on Halloween.\r\nhttp://reductress.com/post/how-to-not-kidnap-any-kids-on-halloween-not-even-one/\r\n\r\nA card game based on the iterated prisoner's dilemma.\r\nhttps://opinionatedgamers.com/2016/10/26/h-m-s-dolores-game-review-by-chris-wray/\r\n\r\nThere's another leak of NSA hacking tools and data from the Shadow \r\nBrokers. This one includes a list of hacked sites. The data is old, but \r\nyou can see if you've been hacked.\r\nhttp://arstechnica.co.uk/security/2016/10/new-leak-may-show-if-you-were-hacked-by-the-nsa/\r\nHonestly, I am surprised by this release. I thought that the original \r\nShadow Brokers dump was everything. Now that we know they held things \r\nback, there could easily be more releases.\r\nhttp://www.networkworld.com/article/3137065/security/shadow-brokers-leak-list-of-nsa-targets-and-compromised-servers.html\r\nNote that the Hague-based Organization for the Prohibition of Chemical \r\nWeapons is on the list, hacked in 2000.\r\nhttps://boingboing.net/2016/11/06/in-2000-the-nsa-hacked-the-ha.html\r\n\r\nFree cybersecurity MOOC from F-Secure and the University of Finland.\r\nhttp://mooc.fi/courses/2016/cybersecurity/\r\n\r\nResearchers have trained a neural network to encrypt its communications. \r\nThis story is more about AI and neural networks than it is about \r\ncryptography. The algorithm isn't any good, but is a perfect example of \r\nwhat I've heard called \"Schneier's Law\": Anyone can design a cipher that \r\nthey themselves cannot break.\r\nhttps://www.newscientist.com/article/2110522-googles-neural-networks-invent-their-own-encryption/\r\nhttp://arstechnica.com/information-technology/2016/10/google-ai-neural-network-cryptography/\r\nhttps://www.engadget.com/2016/10/28/google-ai-created-its-own-form-of-encryption/\r\nhttps://arxiv.org/pdf/1610.06918v1.pdf\r\nSchneier's Law:\r\nhttps://www.schneier.com/blog/archives/2011/04/schneiers_law.html\r\n\r\nGoogle now links anonymous browser tracking with identifiable tracking. \r\nThe article also explains how to opt out.\r\nhttps://www.propublica.org/article/google-has-quietly-dropped-ban-on-personally-identifiable-web-tracking\r\n\r\nNew Atlas has a great three-part feature on the history of hacking as \r\nportrayed in films, including video clips. The 1980s. The 1990s. The \r\n2000s.\r\nhttp://newatlas.com/history-hollywood-hacking-1980s/45482/\r\nhttp://newatlas.com/hollywood-hacking-movies-1990s/45623/\r\nhttp://newatlas.com/hollywood-hacking-2000s/45965\r\n\r\nFor years, the DMCA has been used to stifle legitimate research into the \r\nsecurity of embedded systems. Finally, the research exemption to the \r\nDMCA is in effect (for two years, but we can hope it'll be extended \r\nforever).\r\nhttps://www.wired.com/2016/10/hacking-car-pacemaker-toaster-just-became-legal/\r\nhttps://www.eff.org/deeplinks/2016/10/why-did-we-have-wait-year-fix-our-cars\r\n\r\nFirefox is removing the battery status API, citing privacy concerns.\r\nhttps://www.fxsitecompat.com/en-CA/docs/2016/battery-status-api-has-been-removed/\r\nhttps://eprint.iacr.org/2015/616.pdf\r\nW3C is updating the spec.\r\nhttps://www.w3.org/TR/battery-status/#acknowledgements\r\nHere's a battery tracker found in the wild.\r\nhttp://randomwalker.info/publications/OpenWPM_1_million_site_tracking_measurement.pdf\r\n\r\nElection-day humor from 2004, but still relevent.\r\nhttp://www.ganssle.com/tem/tem316.html#article2\r\n\r\nA self-propagating smart light bulb worm.\r\nhttp://iotworm.eyalro.net/\r\nhttps://boingboing.net/2016/11/09/a-lightbulb-worm-could-take-ov.html\r\nhttps://tech.slashdot.org/story/16/11/09/0041201/researchers-hack-philips-hue-smart-bulbs-using-a-drone\r\nThis is exactly the sort of Internet-of-Things attack that has me \r\nworried.\r\n\r\nAd networks are surreptitiously using ultrasonic communications to jump \r\nfrom device to device. It should come as no surprise that this \r\ncommunications channel can be used to hack devices as well.\r\nhttps://www.newscientist.com/article/2110762-your-homes-online-gadgets-could-be-hacked-by-ultrasound/\r\nhttps://www.schneier.com/blog/archives/2015/11/ads_surreptitio.html\r\n\r\nThis is some interesting research. You can fool facial recognition \r\nsystems by wearing glasses printed with elements of other peoples' \r\nfaces.\r\nhttps://www.cs.cmu.edu/~sbhagava/papers/face-rec-ccs16.pdf\r\nhttp://qz.com/823820/carnegie-mellon-made-a-special-pair-of-glasses-that-lets-you-steal-a-digital-identity/\r\nhttps://boingboing.net/2016/11/02/researchers-trick-facial-recog.html\r\n\r\nInteresting research: \"Using Artificial Intelligence to Identify State \r\nSecrets,\" https://arxiv.org/abs/1611.00356\r\n\r\nThere's a Kickstarter for a sticker that you can stick on a glove and \r\nthen register with a biometric access system like an iPhone. It's an \r\ninteresting security trade-off: swapping something you are (the \r\nbiometric) with something you have (the glove).\r\nhttps://www.kickstarter.com/projects/nanotips/taps-touchscreen-sticker-w-touch-id-ships-before-x?token=5b586aa6\r\nhttps://gizmodo.com/these-fake-fingerprint-stickers-let-you-access-a-protec-1788710313\r\n\r\nJulian Oliver has designed and built a cellular eavesdropping device \r\nthat's disguised as an old HP printer. It's more of a conceptual art \r\npiece than an actual piece of eavesdropping equipment, but it still \r\nmakes the point.\r\nhttps://julianoliver.com/output/stealth-cell-tower\r\nhttps://www.wired.com/2016/11/evil-office-printer-hijacks-cellphone-connection/\r\nhttps://boingboing.net/2016/11/03/a-fake-hp-printer-thats-actu.html\r\n\r\n\r\n** *** ***** ******* *********** *************\r\n\r\n Lessons From the Dyn DDoS Attack\r\n\r\n\r\n\r\nA week ago Friday, someone took down numerous popular websites in a \r\nmassive distributed denial-of-service (DDoS) attack against the domain \r\nname provider Dyn. DDoS attacks are neither new nor sophisticated. The \r\nattacker sends a massive amount of traffic, causing the victim's system \r\nto slow to a crawl and eventually crash. There are more or less clever \r\nvariants, but basically, it's a datapipe-size battle between attacker \r\nand victim. If the defender has a larger capacity to receive and process \r\ndata, he or she will win. If the attacker can throw more data than the \r\nvictim can process, he or she will win.\r\n\r\nThe attacker can build a giant data cannon, but that's expensive. It is \r\nmuch smarter to recruit millions of innocent computers on the internet. \r\nThis is the \"distributed\" part of the DDoS attack, and pretty much how \r\nit's worked for decades. Cybercriminals infect innocent computers around \r\nthe internet and recruit them into a botnet. They then target that \r\nbotnet against a single victim.\r\n\r\nYou can imagine how it might work in the real world. If I can trick tens \r\nof thousands of others to order pizzas to be delivered to your house at \r\nthe same time, I can clog up your street and prevent any legitimate \r\ntraffic from getting through. If I can trick many millions, I might be \r\nable to crush your house from the weight. That's a DDoS attack -- it's \r\nsimple brute force.\r\n\r\nAs you'd expect, DDoSers have various motives. The attacks started out \r\nas a way to show off, then quickly transitioned to a method of \r\nintimidation -- or a way of just getting back at someone you didn't \r\nlike. More recently, they've become vehicles of protest. In 2013, the \r\nhacker group Anonymous petitioned the White House to recognize DDoS \r\nattacks as a legitimate form of protest. Criminals have used these \r\nattacks as a means of extortion, although one group found that just the \r\nfear of attack was enough. Military agencies are also thinking about \r\nDDoS as a tool in their cyberwar arsenals. A 2007 DDoS attack against \r\nEstonia was blamed on Russia and widely called an act of cyberwar.\r\n\r\nThe DDoS attack against Dyn two weeks ago was nothing new, but it \r\nillustrated several important trends in computer security.\r\n\r\nThese attack techniques are broadly available. Fully capable DDoS attack \r\ntools are available for free download. Criminal groups offer DDoS \r\nservices for hire. The particular attack technique used against Dyn was \r\nfirst used a month earlier. It's called Mirai, and since the source code \r\nwas released four weeks ago, over a dozen botnets have incorporated the \r\ncode.\r\n\r\nThe Dyn attacks were probably not originated by a government. The \r\nperpetrators were most likely hackers mad at Dyn for helping Brian Krebs \r\nidentify -- and the FBI arrest -- two Israeli hackers who were running a \r\nDDoS-for-hire ring. Recently I have written about probing DDoS attacks \r\nagainst internet infrastructure companies that appear to be perpetrated \r\nby a nation-state. But, honestly, we don't know for sure.\r\n\r\nThis is important. Software spreads capabilities. The smartest attacker \r\nneeds to figure out the attack and write the software. After that, \r\nanyone can use it. There's not even much of a difference between \r\ngovernment and criminal attacks. In December 2014, there was a \r\nlegitimate debate in the security community as to whether the massive \r\nattack against Sony had been perpetrated by a nation-state with a $20 \r\nbillion military budget or a couple of guys in a basement somewhere. The \r\ninternet is the only place where we can't tell the difference. Everyone \r\nuses the same tools, the same techniques and the same tactics.\r\n\r\nThese attacks are getting larger. The Dyn DDoS attack set a record at \r\n1.2 Tbps. The previous record holder was the attack against \r\ncybersecurity journalist Brian Krebs a month prior at 620 Gbps. This is \r\nmuch larger than required to knock the typical website offline. A year \r\nago, it was unheard of. Now it occurs regularly.\r\n\r\nThe botnets attacking Dyn and Brian Krebs consisted largely of unsecure \r\nInternet of Things (IoT) devices -- webcams, digital video recorders, \r\nrouters and so on. This isn't new, either. We've already seen \r\ninternet-enabled refrigerators and TVs used in DDoS botnets. But again, \r\nthe scale is bigger now. In 2014, the news was hundreds of thousands of \r\nIoT devices -- the Dyn attack used millions. Analysts expect the IoT to \r\nincrease the number of things on the internet by a factor of 10 or more. \r\nExpect these attacks to similarly increase.\r\n\r\nThe problem is that these IoT devices are unsecure and likely to remain \r\nthat way. The economics of internet security don't trickle down to the \r\nIoT. Commenting on the Krebs attack last month, I wrote:\r\n\r\n The market can't fix this because neither the buyer nor the\r\n seller cares. Think of all the CCTV cameras and DVRs used in\r\n the attack against Brian Krebs. The owners of those devices\r\n don't care. Their devices were cheap to buy, they still work,\r\n and they don't even know Brian. The sellers of those devices\r\n don't care: They're now selling newer and better models, and\r\n the original buyers only cared about price and features. There\r\n is no market solution because the insecurity is what economists\r\n call an externality: It's an effect of the purchasing decision\r\n that affects other people. Think of it kind of like invisible\r\n pollution.\r\n\r\nTo be fair, one company that made some of the unsecure things used in \r\nthese attacks recalled its unsecure webcams. But this is more of a \r\npublicity stunt than anything else. I would be surprised if the company \r\ngot many devices back. We already know that the reputational damage from \r\nhaving your unsecure software made public isn't large and doesn't last. \r\nAt this point, the market still largely rewards sacrificing security in \r\nfavor of price and time-to-market.\r\n\r\nDDoS prevention works best deep in the network, where the pipes are the \r\nlargest and the capability to identify and block the attacks is the most \r\nevident. But the backbone providers have no incentive to do this. They \r\ndon't feel the pain when the attacks occur and they have no way of \r\nbilling for the service when they provide it. So they let the attacks \r\nthrough and force the victims to defend themselves. In many ways, this \r\nis similar to the spam problem. It, too, is best dealt with in the \r\nbackbone, but similar economics dump the problem onto the endpoints.\r\n\r\nWe're unlikely to get any regulation forcing backbone companies to clean \r\nup either DDoS attacks or spam, just as we are unlikely to get any \r\nregulations forcing IoT manufacturers to make their systems secure. This \r\nis me again:\r\n\r\n What this all means is that the IoT will remain insecure unless\r\n government steps in and fixes the problem. When we have market\r\n failures, government is the only solution. The government could\r\n impose security regulations on IoT manufacturers, forcing them\r\n to make their devices secure even though their customers don't\r\n care. They could impose liabilities on manufacturers, allowing\r\n people like Brian Krebs to sue them. Any of these would raise\r\n the cost of insecurity and give companies incentives to spend\r\n money making their devices secure.\r\n\r\nThat leaves the victims to pay. This is where we are in much of computer \r\nsecurity. Because the hardware, software and networks we use are so \r\nunsecure, we have to pay an entire industry to provide after-the-fact \r\nsecurity.\r\n\r\nThere are solutions you can buy. Many companies offer DDoS protection, \r\nalthough they're generally calibrated to the older, smaller attacks. We \r\ncan safely assume that they'll up their offerings, although the cost \r\nmight be prohibitive for many users. Understand your risks. Buy \r\nmitigation if you need it, but understand its limitations. Know the \r\nattacks are possible and will succeed if large enough. And the attacks \r\nare getting larger all the time. Prepare for that.\r\n\r\nThis essay previously appeared on the SecurityIntelligence website.\r\nhttps://securityintelligence.com/lessons-from-the-dyn-ddos-attack/\r\n\r\nhttps://securityintelligence.com/news/multi-phased-ddos-attack-causes-hours-long-outages/\r\nhttp://arstechnica.com/information-technology/2016/10/inside-the-machine-uprising-how-cameras-dvrs-took-down-parts-of-the-internet/\r\nhttps://www.theguardian.com/technology/2016/oct/26/ddos-attack-dyn-mirai-botnet\r\nhttp://searchsecurity.techtarget.com/news/450401962/Details-emerging-on-Dyn-DNS-DDoS-attack-Mirai-IoT-botnet\r\nhttp://hub.dyn.com/static/hub.dyn.com/dyn-blog/dyn-statement-on-10-21-2016-ddos-attack.html\r\n\r\nDDoS petition:\r\nhttp://www.huffingtonpost.com/2013/01/12/anonymous-ddos-petition-white-house_n_2463009.html\r\n\r\nDDoS extortion:\r\nhttps://securityintelligence.com/ddos-extortion-easy-and-lucrative/\r\nhttp://www.computerworld.com/article/3061813/security/empty-ddos-threats-deliver-100k-to-extortion-group.html\r\n\r\nDDoS against Estonia:\r\nhttp://www.iar-gwu.org/node/65\r\n\r\nDDoS for hire:\r\nhttp://www.forbes.com/sites/thomasbrewster/2016/10/23/massive-ddos-iot-botnet-for-hire-twitter-dyn-amazon/#11f82518c915\r\n\r\nMirai:\r\nhttps://www.arbornetworks.com/blog/asert/mirai-iot-botnet-description-ddos-attack-mitigation/\r\nhttps://krebsonsecurity.com/2016/10/source-code-for-iot-botnet-mirai-released/\r\nhttps://threatpost.com/mirai-bots-more-than-double-since-source-code-release/121368/\r\n\r\nKrebs:\r\nhttp://krebsonsecurity.com/2016/09/israeli-online-attack-service-vdos-earned-600000-in-two-years/\r\nhttp://www.theverge.com/2016/9/11/12878692/vdos-israeli-teens-ddos-cyberattack-service-arrested\r\nhttps://krebsonsecurity.com/2016/09/krebsonsecurity-hit-with-record-ddos/\r\nhttp://www.businessinsider.com/akamai-brian-krebs-ddos-attack-2016-9\r\n\r\nNation-state DDoS Attacks:\r\nhttps://www.schneier.com/blog/archives/2016/09/someone_is_lear.html\r\n\r\nNorth Korea and Sony:\r\nhttps://www.theatlantic.com/international/archive/2014/12/did-north-korea-really-attack-sony/383973/\r\n\r\nInternet of Things (IoT) security:\r\nhttps://securityintelligence.com/will-internet-things-leveraged-ruin-companys-day-understanding-iot-security/\r\nhttps://thehackernews.com/2014/01/100000-refrigerators-and-other-home.html\r\n\r\nEver larger DDoS Attacks:\r\nhttp://www.ibtimes.co.uk/biggest-ever-terabit-scale-ddos-attack-yet-could-be-horizon-experts-warn-1588364\r\n\r\nMy previous essay on this:\r\nhttps://www.schneier.com/essays/archives/2016/10/we_need_to_save_the_.html\r\n\r\nrecalled:\r\nhttp://www.zdnet.com/article/chinese-tech-giant-recalls-webcams-used-in-dyn-cyberattack/\r\n\r\nidentify and block the attacks:\r\nhttp://www.ibm.com/security/threat-protection/\r\n\r\n\r\n** *** ***** ******* *********** *************\r\n\r\n Regulation of the Internet of Things\r\n\r\n\r\n\r\nLate last month, popular websites like Twitter, Pinterest, Reddit and \r\nPayPal went down for most of a day. The distributed denial-of-service \r\nattack that caused the outages, and the vulnerabilities that made the \r\nattack possible, was as much a failure of market and policy as it was of \r\ntechnology. If we want to secure our increasingly computerized and \r\nconnected world, we need more government involvement in the security of \r\nthe \"Internet of Things\" and increased regulation of what are now \r\ncritical and life-threatening technologies. It's no longer a question of \r\nif, it's a question of when.\r\n\r\nFirst, the facts. Those websites went down because their domain name \r\nprovider -- a company named Dyn -- was forced offline. We don't know who \r\nperpetrated that attack, but it could have easily been a lone hacker. \r\nWhoever it was launched a distributed denial-of-service attack against \r\nDyn by exploiting a vulnerability in large numbers -- possibly millions \r\n-- of Internet-of-Things devices like webcams and digital video \r\nrecorders, then recruiting them all into a single botnet. The botnet \r\nbombarded Dyn with traffic, so much that it went down. And when it went \r\ndown, so did dozens of websites.\r\n\r\nYour security on the Internet depends on the security of millions of \r\nInternet-enabled devices, designed and sold by companies you've never \r\nheard of to consumers who don't care about your security.\r\n\r\nThe technical reason these devices are insecure is complicated, but \r\nthere is a market failure at work. The Internet of Things is bringing \r\ncomputerization and connectivity to many tens of millions of devices \r\nworldwide. These devices will affect every aspect of our lives, because \r\nthey're things like cars, home appliances, thermostats, lightbulbs, \r\nfitness trackers, medical devices, smart streetlights and sidewalk \r\nsquares. Many of these devices are low-cost, designed and built \r\noffshore, then rebranded and resold. The teams building these devices \r\ndon't have the security expertise we've come to expect from the major \r\ncomputer and smartphone manufacturers, simply because the market won't \r\nstand for the additional costs that would require. These devices don't \r\nget security updates like our more expensive computers, and many don't \r\neven have a way to be patched. And, unlike our computers and phones, \r\nthey stay around for years and decades.\r\n\r\nAn additional market failure illustrated by the Dyn attack is that \r\nneither the seller nor the buyer of those devices cares about fixing the \r\nvulnerability. The owners of those devices don't care. They wanted a \r\nwebcam -- or thermostat, or refrigerator -- with nice features at a good \r\nprice. Even after they were recruited into this botnet, they still work \r\nfine -- you can't even tell they were used in the attack. The sellers of \r\nthose devices don't care: They've already moved on to selling newer and \r\nbetter models. There is no market solution because the insecurity \r\nprimarily affects other people. It's a form of invisible pollution.\r\n\r\nAnd, like pollution, the only solution is to regulate. The government \r\ncould impose minimum security standards on IoT manufacturers, forcing \r\nthem to make their devices secure even though their customers don't \r\ncare. They could impose liabilities on manufacturers, allowing companies \r\nlike Dyn to sue them if their devices are used in DDoS attacks. The \r\ndetails would need to be carefully scoped, but either of these options \r\nwould raise the cost of insecurity and give companies incentives to \r\nspend money making their devices secure.\r\n\r\nIt's true that this is a domestic solution to an international problem \r\nand that there's no U.S. regulation that will affect, say, an Asian-made \r\nproduct sold in South America, even though that product could still be \r\nused to take down U.S. websites. But the main costs in making software \r\ncome from development. If the United States and perhaps a few other \r\nmajor markets implement strong Internet-security regulations on IoT \r\ndevices, manufacturers will be forced to upgrade their security if they \r\nwant to sell to those markets. And any improvements they make in their \r\nsoftware will be available in their products wherever they are sold, \r\nsimply because it makes no sense to maintain two different versions of \r\nthe software. This is truly an area where the actions of a few countries \r\ncan drive worldwide change.\r\n\r\nRegardless of what you think about regulation vs. market solutions, I \r\nbelieve there is no choice. Governments will get involved in the IoT, \r\nbecause the risks are too great and the stakes are too high. Computers \r\nare now able to affect our world in a direct and physical manner.\r\n\r\nSecurity researchers have demonstrated the ability to remotely take \r\ncontrol of Internet-enabled cars. They've demonstrated ransomware \r\nagainst home thermostats and exposed vulnerabilities in implanted \r\nmedical devices. They've hacked voting machines and power plants. In one \r\nrecent paper, researchers showed how a vulnerability in smart lightbulbs \r\ncould be used to start a chain reaction, resulting in them *all* being \r\ncontrolled by the attackers -- that's every one in a city. Security \r\nflaws in these things could mean people dying and property being \r\ndestroyed.\r\n\r\nNothing motivates the U.S. government like fear. Remember 2001? A \r\nsmall-government Republican president created the Department of Homeland \r\nSecurity in the wake of the Sept. 11 terrorist attacks: a rushed and \r\nill-thought-out decision that we've been trying to fix for more than a \r\ndecade. A fatal IoT disaster will similarly spur our government into \r\naction, and it's unlikely to be well-considered and thoughtful action. \r\nOur choice isn't between government involvement and no government \r\ninvolvement. Our choice is between smarter government involvement and \r\nstupider government involvement. We have to start thinking about this \r\nnow. Regulations are necessary, important and complex -- and they're \r\ncoming. We can't afford to ignore these issues until it's too late.\r\n\r\nIn general, the software market demands that products be fast and cheap \r\nand that security be a secondary consideration. That was okay when \r\nsoftware didn't matter -- it was okay that your spreadsheet crashed once \r\nin a while. But a software bug that literally crashes your car is \r\nanother thing altogether. The security vulnerabilities in the Internet \r\nof Things are deep and pervasive, and they won't get fixed if the market \r\nis left to sort it out for itself. We need to proactively discuss good \r\nregulatory solutions; otherwise, a disaster will impose bad ones on us.\r\n\r\nThis essay previously appeared in the Washington Post.\r\nhttps://www.washingtonpost.com/posteverything/wp/2016/11/03/your-wifi-connected-thermostat-can-take-down-the-whole-internet-we-need-new-regulations/\r\n\r\n\r\nDDoS:\r\nhttps://www.washingtonpost.com/news/the-switch/wp/2016/10/21/someone-attacked-a-major-part-of-the-internets-infrastructure/\r\n\r\nIoT and DDoS:\r\nhttps://krebsonsecurity.com/2016/10/hacked-cameras-dvrs-powered-todays-massive-internet-outage/\r\n\r\nThe IoT market failure and regulation:\r\nhttps://www.schneier.com/essays/archives/2016/10/we_need_to_save_the_.html\r\nhttps://www.wired.com/2014/01/theres-no-good-way-to-patch-the-internet-of-things-and-thats-a-huge-problem/\r\nhttp://www.computerworld.com/article/3136650/security/after-ddos-attack-senator-seeks-industry-led-security-standards-for-iot-devices.html\r\n\r\nIoT ransomware:\r\nhttps://motherboard.vice.com/read/internet-of-things-ransomware-smart-thermostat\r\nmedical:\r\n\r\nHacking medical devices:\r\nhttp://motherboard.vice.com/read/hackers-killed-a-simulated-human-by-turning-off-its-pacemaker\r\nhttp://abcnews.go.com/US/vice-president-dick-cheney-feared-pacemaker-hacking/story?id=20621434\r\n\r\nHacking voting machines:\r\nhttp://www.politico.com/magazine/story/2016/08/2016-elections-russia-hack-how-to-hack-an-election-in-seven-minutes-214144\r\n\r\nHacking power plants:\r\nhttps://www.wired.com/2016/01/everything-we-know-about-ukraines-power-plant-hack/\r\n\r\nHacking light bulbs:\r\nhttp://iotworm.eyalro.net\r\n\r\n\r\n** *** ***** ******* *********** *************\r\n\r\n Schneier News\r\n\r\n\r\nI am speaking in Cambridge, MA on November 15 at the Harvard Big-Data \r\nClub.\r\nhttp://harvardbigdata.com/event/keynote-lecture-bruce-schneier\r\n\r\nI am speaking in Palm Springs, CA on November 30 at the TEDMED \r\nConference.\r\nhttp://www.tedmed.com/speakers/show?id=627300\r\n\r\nI am participating in the Resilient end-of-year webinar on December 8.\r\nhttp://info.resilientsystems.com/webinar-eoy-cybersecurity-2016-review-2017-predictions\r\n\r\nI am speaking on December 14 in Accra at the University of Ghana.\r\n\r\n\r\n** *** ***** ******* *********** *************\r\n\r\n Virtual Kidnapping\r\n\r\n\r\n\r\nThis is a harrowing story of a scam artist that convinced a mother that \r\nher daughter had been kidnapped. It's unclear if these virtual \r\nkidnappers use data about their victims, or just call people at random \r\nand hope to get lucky. Still, it's a new criminal use of smartphones and \r\nubiquitous information. Reminds me of the scammers who call low-wage \r\nworkers at retail establishments late at night and convince them to do \r\noutlandish and occasionally dangerous things.\r\nhttps://www.washingtonpost.com/local/we-have-your-daughter-a-virtual-kidnapping-and-a-mothers-five-hours-of-hell/2016/10/03/8f082690-8963-11e6-875e-2c1bfe943b66_story.html\r\nMore stories are here.\r\nhttp://www.nbcwashington.com/investigations/Several-Virtual-Kidnapping-Attempts-in-Maryland-Recently-375792991.html\r\n\r\n\r\n** *** ***** ******* *********** *************\r\n\r\n Intelligence Oversight and How It Can Fail\r\n\r\n\r\n\r\nFormer NSA attorneys John DeLong and Susan Hennessay have written a \r\nfascinating article describing a particular incident of oversight \r\nfailure inside the NSA. Technically, the story hinges on a definitional \r\ndifference between the NSA and the FISA court meaning of the word \r\n\"archived.\" (For the record, I would have defaulted to the NSA's \r\ninterpretation, which feels more accurate technically.) But while the \r\nstory is worth reading, what's especially interesting are the broader \r\nissues about how a nontechnical judiciary can provide oversight over a \r\nvery technical data collection-and-analysis organization -- especially \r\nif the oversight must largely be conducted in secret.\r\n\r\nIn many places I have separated different kinds of oversight: are we \r\ndoing things right versus are we doing the right things? This is very \r\nmuch about the first: is the NSA complying with the rules the courts \r\nimpose on them? I believe that the NSA tries very hard to follow the \r\nrules it's given, while at the same time being very aggressive about how \r\nit interprets any kind of ambiguities and using its nonadversarial \r\nrelationship with its overseers to its advantage.\r\n\r\nThe only possible solution I can see to all of this is more public \r\nscrutiny. Secrecy is toxic here.\r\n\r\nhttps://www.lawfareblog.com/understanding-footnote-14-nsa-lawyering-oversight-and-compliance\r\n\r\n\r\n\r\n** *** ***** ******* *********** *************\r\n\r\n Whistleblower Investigative Report on NSA Suite B Cryptography\r\n\r\n\r\n\r\nThe NSA has been abandoning secret and proprietary cryptographic \r\nalgorithms in favor of commercial public algorithms, generally known as \r\n\"Suite B.\" In 2010, an NSA employee filed some sort of whistleblower \r\ncomplaint, alleging that this move is both insecure and wasteful. The \r\nUS DoD Inspector General investigated and wrote a report in 2011.\r\n\r\nThe report -- slightly redacted and declassified -- found that there was \r\nno wrongdoing. But the report is an interesting window into the NSA's \r\nsystem of algorithm selection and testing (pages 5 and 6), as well as \r\nhow they investigate whistleblower complaints.\r\n\r\nhttp://www.dodig.mil/FOIA/err/11-INTEL-06%20(Redacted).pdf\r\n\r\nSuite B Cryptography:\r\nhttp://csrc.nist.gov/groups/SMA/ispab/documents/minutes/2006-03/E_Barker-March2006-ISPAB.pdf\r\n\r\n\r\n** *** ***** ******* *********** *************\r\n\r\nSince 1998, CRYPTO-GRAM has been a free monthly newsletter providing \r\nsummaries, analyses, insights, and commentaries on security: computer \r\nand otherwise. You can subscribe, unsubscribe, or change your address on \r\nthe Web at <https://www.schneier.com/crypto-gram.html>. Back issues are \r\nalso available at that URL.\r\n\r\nPlease feel free to forward CRYPTO-GRAM, in whole or in part, to \r\ncolleagues and friends who will find it valuable. Permission is also \r\ngranted to reprint CRYPTO-GRAM, as long as it is reprinted in its \r\nentirety.\r\n\r\nCRYPTO-GRAM is written by Bruce Schneier. Bruce Schneier is an \r\ninternationally renowned security technologist, called a \"security guru\" \r\nby The Economist. He is the author of 13 books -- including his latest, \r\n\"Data and Goliath\" -- as well as hundreds of articles, essays, and \r\nacademic papers. His influential newsletter \"Crypto-Gram\" and his blog \r\n\"Schneier on Security\" are read by over 250,000 people. He has testified \r\nbefore Congress, is a frequent guest on television and radio, has served \r\non several government committees, and is regularly quoted in the press. \r\nSchneier is a fellow at the Berkman Center for Internet and Society at \r\nHarvard Law School, a program fellow at the New America Foundation's \r\nOpen Technology Institute, a board member of the Electronic Frontier \r\nFoundation, an Advisory Board Member of the Electronic Privacy \r\nInformation Center, and the Chief Technology Officer at Resilient, an \r\nIBM Company. See <https://www.schneier.com>.\r\n\r\nCrypto-Gram is a personal newsletter. Opinions expressed are not \r\nnecessarily those of Resilient, an IBM Company.\r\n\r\nCopyright (c) 2016 by Bruce Schneier.\r\n\r\n** *** ***** ******* *********** *************\r\n\r\n\r\n\r\n\r\n\r\nTo unsubscribe from Crypto-Gram, click this link:\r\n\r\nhttps://lists.schneier.com/cgi-bin/mailman/options/crypto-gram/christine%40spang.cc?login-unsub=Unsubscribe\r\n\r\nYou will be e-mailed a confirmation message. Follow the instructions in that message to confirm your removal from the list.\r\n"}},"desiredParts":[{"id":"1","encoding":"7BIT","mimetype":"text/plain"}],"result":{"to":[{"name":"","email":"christine@spang.cc"}],"cc":[{"name":"Crypto-Gram Mailing List","email":"crypto-gram@lists.schneier.com"}],"bcc":[],"from":[{"name":"Bruce Schneier","email":"schneier@schneier.com"}],"replyTo":[],"accountId":"test-account-id","body":"<pre class=\"nylas-plaintext\">\r\n CRYPTO-GRAM\r\n\r\n November 15, 2016\r\n\r\n by Bruce Schneier\r\n CTO, Resilient, an IBM Company\r\n schneier@schneier.com\r\n https://www.schneier.com\r\n\r\n\r\nA free monthly newsletter providing summaries, analyses, insights, and \r\ncommentaries on security: computer and otherwise.\r\n\r\nFor back issues, or to subscribe, visit \r\n&lt;https://www.schneier.com/crypto-gram.html&gt;.\r\n\r\nYou can read this issue on the web at \r\n&lt;https://www.schneier.com/crypto-gram/archives/2016/1115.html&gt;. These \r\nsame essays and news items appear in the &quot;Schneier on Security&quot; blog at \r\n&lt;http://www.schneier.com/blog&gt;, along with a lively and intelligent \r\ncomment section. An RSS feed is available.\r\n\r\n\r\n** *** ***** ******* *********** *************\r\n\r\nIn this issue:\r\n Election Security\r\n News\r\n Lessons From the Dyn DDoS Attack\r\n Regulation of the Internet of Things\r\n Schneier News\r\n Virtual Kidnapping\r\n Intelligence Oversight and How It Can Fail\r\n Whistleblower Investigative Report on NSA Suite B Cryptography\r\n\r\n\r\n** *** ***** ******* *********** *************\r\n\r\n Election Security\r\n\r\n\r\n\r\nIt&#x27;s over. The voting went smoothly. As of the time of writing, there \r\nare no serious fraud allegations, nor credible evidence that anyone \r\ntampered with voting rolls or voting machines. And most important, the \r\nresults are not in doubt.\r\n\r\nWhile we may breathe a collective sigh of relief about that, we can&#x27;t \r\nignore the issue until the next election. The risks remain.\r\n\r\nAs computer security experts have been saying for years, our newly \r\ncomputerized voting systems are vulnerable to attack by both individual \r\nhackers and government-sponsored cyberwarriors. It is only a matter of \r\ntime before such an attack happens.\r\n\r\nElectronic voting machines can be hacked, and those machines that do not \r\ninclude a paper ballot that can verify each voter&#x27;s choice can be hacked \r\nundetectably. Voting rolls are also vulnerable; they are all \r\ncomputerized databases whose entries can be deleted or changed to sow \r\nchaos on Election Day.\r\n\r\nThe largely ad hoc system in states for collecting and tabulating \r\nindividual voting results is vulnerable as well. While the difference \r\nbetween theoretical if demonstrable vulnerabilities and an actual attack \r\non Election Day is considerable, we got lucky this year. Not just \r\npresidential elections are at risk, but state and local elections, too.\r\n\r\nTo be very clear, this is not about voter fraud. The risks of ineligible \r\npeople voting, or people voting twice, have been repeatedly shown to be \r\nvirtually nonexistent, and &quot;solutions&quot; to this problem are largely \r\nvoter-suppression measures. Election fraud, however, is both far more \r\nfeasible and much more worrisome.\r\n\r\nHere&#x27;s my worry. On the day after an election, someone claims that a \r\nresult was hacked. Maybe one of the candidates points to a wide \r\ndiscrepancy between the most recent polls and the actual results. Maybe \r\nan anonymous person announces that he hacked a particular brand of \r\nvoting machine, describing in detail how. Or maybe it&#x27;s a system failure \r\nduring Election Day: voting machines recording significantly fewer votes \r\nthan there were voters, or zero votes for one candidate or another. \r\n(These are not theoretical occurrences; they have both happened in the \r\nUnited States before, though because of error, not malice.)\r\n\r\nWe have no procedures for how to proceed if any of these things happen. \r\nThere&#x27;s no manual, no national panel of experts, no regulatory body to \r\nsteer us through this crisis. How do we figure out if someone hacked the \r\nvote? Can we recover the true votes, or are they lost? What do we do \r\nthen?\r\n\r\nFirst, we need to do more to secure our elections system. We should \r\ndeclare our voting systems to be critical national infrastructure. This \r\nis largely symbolic, but it demonstrates a commitment to secure \r\nelections and makes funding and other resources available to states.\r\n\r\nWe need national security standards for voting machines, and funding for \r\nstates to procure machines that comply with those standards. \r\nVoting-security experts can deal with the technical details, but such \r\nmachines must include a paper ballot that provides a record verifiable \r\nby voters. The simplest and most reliable way to do that is already \r\npracticed in 37 states: optical-scan paper ballots, marked by the \r\nvoters, counted by computer but recountable by hand. And we need a \r\nsystem of pre-election and postelection security audits to increase \r\nconfidence in the system.\r\n\r\nSecond, election tampering, either by a foreign power or by a domestic \r\nactor, is inevitable, so we need detailed procedures to follow -- both \r\ntechnical procedures to figure out what happened, and legal procedures \r\nto figure out what to do -- that will efficiently get us to a fair and \r\nequitable election resolution. There should be a board of independent \r\ncomputer-security experts to unravel what happened, and a board of \r\nindependent election officials, either at the Federal Election \r\nCommission or elsewhere, empowered to determine and put in place an \r\nappropriate response.\r\n\r\nIn the absence of such impartial measures, people rush to defend their \r\ncandidate and their party. Florida in 2000 was a perfect example. What \r\ncould have been a purely technical issue of determining the intent of \r\nevery voter became a battle for who would win the presidency. The \r\ndebates about hanging chads and spoiled ballots and how broad the \r\nrecount should be were contested by people angling for a particular \r\noutcome. In the same way, after a hacked election, partisan politics \r\nwill place tremendous pressure on officials to make decisions that \r\noverride fairness and accuracy.\r\n\r\nThat is why we need to agree on policies to deal with future election \r\nfraud. We need procedures to evaluate claims of voting-machine hacking. \r\nWe need a fair and robust vote-auditing process. And we need all of this \r\nin place before an election is hacked and battle lines are drawn.\r\n\r\nIn response to Florida, the Help America Vote Act of 2002 required each \r\nstate to publish its own guidelines on what constitutes a vote. Some \r\nstates -- Indiana, in particular -- set up a &quot;war room&quot; of public and \r\nprivate cybersecurity experts ready to help if anything did occur. While \r\nthe Department of Homeland Security is assisting some states with \r\nelection security, and the F.B.I. and the Justice Department made some \r\npreparations this year, the approach is too piecemeal.\r\n\r\nElections serve two purposes. First, and most obvious, they are how we \r\nchoose a winner. But second, and equally important, they convince the \r\nloser -- and all the supporters -- that he or she lost. To achieve the \r\nfirst purpose, the voting system must be fair and accurate. To achieve \r\nthe second one, it must be *shown* to be fair and accurate.\r\n\r\nWe need to have these conversations before something happens, when \r\neveryone can be calm and rational about the issues. The integrity of our \r\nelections is at stake, which means our democracy is at stake.\r\n\r\nThis essay previously appeared in the New York Times.\r\nhttp://www.nytimes.com/2016/11/09/opinion/american-elections-will-be-hacked.html\r\n\r\nElection-machine vulnerabilities:\r\nhttps://www.washingtonpost.com/posteverything/wp/2016/07/27/by-november-russian-hackers-could-target-voting-machines/\r\n\r\nElections are hard to rig:\r\nhttps://www.washingtonpost.com/news/the-fix/wp/2016/08/03/one-reason-to-doubt-the-presidential-election-will-be-rigged-its-a-lot-harder-than-it-seems/\r\n\r\nVoting systems as critical infrastructure:\r\nhttps://papers.ssrn.com/sol3/papers.cfm?abstract_id=2852461\r\n\r\nVoting machine security:\r\nhttps://www.verifiedvoting.org/\r\nhttp://votingmachines.procon.org/view.answers.php?questionID=000291\r\nhttp://votingmachines.procon.org/view.answers.php?questionID=000291\r\n\r\nElection-defense preparations for 2016:\r\nhttp://www.usatoday.com/story/tech/news/2016/11/05/election-2016-cyber-hack-issues-homeland-security-indiana-pennsylvania-election-protection-verified-voter/93262960/\r\nhttp://www.nbcnews.com/storyline/2016-election-day/all-hands-deck-protect-election-hack-say-officials-n679271\r\n\r\n\r\n** *** ***** ******* *********** *************\r\n\r\n News\r\n\r\n\r\n\r\nLance Spitzner looks at the safety features of a power saw and tries to \r\napply them to Internet security.\r\nhttps://securingthehuman.sans.org/blog/2016/10/18/what-iot-and-security-needs-to-learn-from-the-dewalt-mitre-saw\r\n\r\nResearchers discover a clever attack that bypasses the address space \r\nlayout randomization (ALSR) on Intel&#x27;s CPUs.\r\nhttp://arstechnica.com/security/2016/10/flaw-in-intel-chips-could-make-malware-attacks-more-potent/\r\nhttp://www.cs.ucr.edu/~nael/pubs/micro16.pdf\r\n\r\nIn an interviw in Wired, President Obama talks about AI risk, \r\ncybersecurity, and more.\r\nhttps://www.wired.com/2016/10/president-obama-mit-joi-ito-interview/\r\n\r\nPrivacy makes workers more productive. Interesting research.\r\nhttps://www.psychologytoday.com/blog/the-outsourced-mind/201604/want-people-behave-better-give-them-more-privacy\r\n\r\nNews about the DDOS attacks against Dyn.\r\nhttps://motherboard.vice.com/read/twitter-reddit-spotify-were-collateral-damage-in-major-internet-attack\r\nhttps://krebsonsecurity.com/2016/10/ddos-on-dyn-impacts-twitter-spotify-reddit/\r\nhttps://motherboard.vice.com/read/blame-the-internet-of-things-for-destroying-the-internet-today\r\n\r\nJosephine Wolff examines different Internet governance stakeholders and \r\nhow they frame security debates.\r\nhttps://policyreview.info/articles/analysis/what-we-talk-about-when-we-talk-about-cybersecurity-security-internet-governance\r\n\r\nThe UK is admitting &quot;offensive cyber&quot; operations against ISIS/Daesh. I \r\nthink this might be the first time it has been openly acknowledged.\r\nhttps://www.theguardian.com/politics/blog/live/2016/oct/20/philip-green-knighthood-commons-set-to-debate-stripping-philip-green-of-his-knighthood-politics-live\r\n\r\nIt&#x27;s not hard to imagine the criminal possibilities of automation, \r\nautonomy, and artificial intelligence. But the imaginings are becoming \r\nmainstream -- and the future isn&#x27;t too far off.\r\nhttp://www.nytimes.com/2016/10/24/technology/artificial-intelligence-evolves-with-its-criminal-potential.html\r\n\r\nAlong similar lines, computers are able to predict court verdicts. My \r\nguess is that the real use here isn&#x27;t to predict actual court verdicts, \r\nbut for well-paid defense teams to test various defensive tactics.\r\nhttp://www.telegraph.co.uk/science/2016/10/23/artifically-intelligent-judge-developed-which-can-predict-court/\r\n\r\nGood long article on the 2015 attack against the US Office of Personnel \r\nManagement.\r\nhttps://www.wired.com/2016/10/inside-cyberattack-shocked-us-government/\r\n\r\nHow Powell&#x27;s and Podesta&#x27;s e-mail accounts were hacked. It was phishing.\r\nhttps://motherboard.vice.com/read/how-hackers-broke-into-john-podesta-and-colin-powells-gmail-accounts\r\n\r\nA year and a half ago, I wrote about hardware bit-flipping attacks, \r\nwhich were then largely theoretical. Now, they can be used to root \r\nAndroid phones.\r\nhttp://arstechnica.com/security/2016/10/using-rowhammer-bitflips-to-root-android-phones-is-now-a-thing/\r\nhttps://vvdveen.com/publications/drammer.pdf\r\nhttps://www.vusec.net/projects/drammer/\r\n\r\nEavesdropping on typing while connected over VoIP.\r\nhttps://arxiv.org/pdf/1609.09359.pdf\r\nhttps://news.uci.edu/research/typing-while-skyping-could-compromise-privacy/\r\n\r\nAn impressive Chinese device that automatically reads marked cards in \r\norder to cheat at poker and other card games.\r\nhttps://www.elie.net/blog/security/fuller-house-exposing-high-end-poker-cheating-devices\r\n\r\nA useful guide on how to avoid kidnapping children on Halloween.\r\nhttp://reductress.com/post/how-to-not-kidnap-any-kids-on-halloween-not-even-one/\r\n\r\nA card game based on the iterated prisoner&#x27;s dilemma.\r\nhttps://opinionatedgamers.com/2016/10/26/h-m-s-dolores-game-review-by-chris-wray/\r\n\r\nThere&#x27;s another leak of NSA hacking tools and data from the Shadow \r\nBrokers. This one includes a list of hacked sites. The data is old, but \r\nyou can see if you&#x27;ve been hacked.\r\nhttp://arstechnica.co.uk/security/2016/10/new-leak-may-show-if-you-were-hacked-by-the-nsa/\r\nHonestly, I am surprised by this release. I thought that the original \r\nShadow Brokers dump was everything. Now that we know they held things \r\nback, there could easily be more releases.\r\nhttp://www.networkworld.com/article/3137065/security/shadow-brokers-leak-list-of-nsa-targets-and-compromised-servers.html\r\nNote that the Hague-based Organization for the Prohibition of Chemical \r\nWeapons is on the list, hacked in 2000.\r\nhttps://boingboing.net/2016/11/06/in-2000-the-nsa-hacked-the-ha.html\r\n\r\nFree cybersecurity MOOC from F-Secure and the University of Finland.\r\nhttp://mooc.fi/courses/2016/cybersecurity/\r\n\r\nResearchers have trained a neural network to encrypt its communications. \r\nThis story is more about AI and neural networks than it is about \r\ncryptography. The algorithm isn&#x27;t any good, but is a perfect example of \r\nwhat I&#x27;ve heard called &quot;Schneier&#x27;s Law&quot;: Anyone can design a cipher that \r\nthey themselves cannot break.\r\nhttps://www.newscientist.com/article/2110522-googles-neural-networks-invent-their-own-encryption/\r\nhttp://arstechnica.com/information-technology/2016/10/google-ai-neural-network-cryptography/\r\nhttps://www.engadget.com/2016/10/28/google-ai-created-its-own-form-of-encryption/\r\nhttps://arxiv.org/pdf/1610.06918v1.pdf\r\nSchneier&#x27;s Law:\r\nhttps://www.schneier.com/blog/archives/2011/04/schneiers_law.html\r\n\r\nGoogle now links anonymous browser tracking with identifiable tracking. \r\nThe article also explains how to opt out.\r\nhttps://www.propublica.org/article/google-has-quietly-dropped-ban-on-personally-identifiable-web-tracking\r\n\r\nNew Atlas has a great three-part feature on the history of hacking as \r\nportrayed in films, including video clips. The 1980s. The 1990s. The \r\n2000s.\r\nhttp://newatlas.com/history-hollywood-hacking-1980s/45482/\r\nhttp://newatlas.com/hollywood-hacking-movies-1990s/45623/\r\nhttp://newatlas.com/hollywood-hacking-2000s/45965\r\n\r\nFor years, the DMCA has been used to stifle legitimate research into the \r\nsecurity of embedded systems. Finally, the research exemption to the \r\nDMCA is in effect (for two years, but we can hope it&#x27;ll be extended \r\nforever).\r\nhttps://www.wired.com/2016/10/hacking-car-pacemaker-toaster-just-became-legal/\r\nhttps://www.eff.org/deeplinks/2016/10/why-did-we-have-wait-year-fix-our-cars\r\n\r\nFirefox is removing the battery status API, citing privacy concerns.\r\nhttps://www.fxsitecompat.com/en-CA/docs/2016/battery-status-api-has-been-removed/\r\nhttps://eprint.iacr.org/2015/616.pdf\r\nW3C is updating the spec.\r\nhttps://www.w3.org/TR/battery-status/#acknowledgements\r\nHere&#x27;s a battery tracker found in the wild.\r\nhttp://randomwalker.info/publications/OpenWPM_1_million_site_tracking_measurement.pdf\r\n\r\nElection-day humor from 2004, but still relevent.\r\nhttp://www.ganssle.com/tem/tem316.html#article2\r\n\r\nA self-propagating smart light bulb worm.\r\nhttp://iotworm.eyalro.net/\r\nhttps://boingboing.net/2016/11/09/a-lightbulb-worm-could-take-ov.html\r\nhttps://tech.slashdot.org/story/16/11/09/0041201/researchers-hack-philips-hue-smart-bulbs-using-a-drone\r\nThis is exactly the sort of Internet-of-Things attack that has me \r\nworried.\r\n\r\nAd networks are surreptitiously using ultrasonic communications to jump \r\nfrom device to device. It should come as no surprise that this \r\ncommunications channel can be used to hack devices as well.\r\nhttps://www.newscientist.com/article/2110762-your-homes-online-gadgets-could-be-hacked-by-ultrasound/\r\nhttps://www.schneier.com/blog/archives/2015/11/ads_surreptitio.html\r\n\r\nThis is some interesting research. You can fool facial recognition \r\nsystems by wearing glasses printed with elements of other peoples&#x27; \r\nfaces.\r\nhttps://www.cs.cmu.edu/~sbhagava/papers/face-rec-ccs16.pdf\r\nhttp://qz.com/823820/carnegie-mellon-made-a-special-pair-of-glasses-that-lets-you-steal-a-digital-identity/\r\nhttps://boingboing.net/2016/11/02/researchers-trick-facial-recog.html\r\n\r\nInteresting research: &quot;Using Artificial Intelligence to Identify State \r\nSecrets,&quot; https://arxiv.org/abs/1611.00356\r\n\r\nThere&#x27;s a Kickstarter for a sticker that you can stick on a glove and \r\nthen register with a biometric access system like an iPhone. It&#x27;s an \r\ninteresting security trade-off: swapping something you are (the \r\nbiometric) with something you have (the glove).\r\nhttps://www.kickstarter.com/projects/nanotips/taps-touchscreen-sticker-w-touch-id-ships-before-x?token=5b586aa6\r\nhttps://gizmodo.com/these-fake-fingerprint-stickers-let-you-access-a-protec-1788710313\r\n\r\nJulian Oliver has designed and built a cellular eavesdropping device \r\nthat&#x27;s disguised as an old HP printer. It&#x27;s more of a conceptual art \r\npiece than an actual piece of eavesdropping equipment, but it still \r\nmakes the point.\r\nhttps://julianoliver.com/output/stealth-cell-tower\r\nhttps://www.wired.com/2016/11/evil-office-printer-hijacks-cellphone-connection/\r\nhttps://boingboing.net/2016/11/03/a-fake-hp-printer-thats-actu.html\r\n\r\n\r\n** *** ***** ******* *********** *************\r\n\r\n Lessons From the Dyn DDoS Attack\r\n\r\n\r\n\r\nA week ago Friday, someone took down numerous popular websites in a \r\nmassive distributed denial-of-service (DDoS) attack against the domain \r\nname provider Dyn. DDoS attacks are neither new nor sophisticated. The \r\nattacker sends a massive amount of traffic, causing the victim&#x27;s system \r\nto slow to a crawl and eventually crash. There are more or less clever \r\nvariants, but basically, it&#x27;s a datapipe-size battle between attacker \r\nand victim. If the defender has a larger capacity to receive and process \r\ndata, he or she will win. If the attacker can throw more data than the \r\nvictim can process, he or she will win.\r\n\r\nThe attacker can build a giant data cannon, but that&#x27;s expensive. It is \r\nmuch smarter to recruit millions of innocent computers on the internet. \r\nThis is the &quot;distributed&quot; part of the DDoS attack, and pretty much how \r\nit&#x27;s worked for decades. Cybercriminals infect innocent computers around \r\nthe internet and recruit them into a botnet. They then target that \r\nbotnet against a single victim.\r\n\r\nYou can imagine how it might work in the real world. If I can trick tens \r\nof thousands of others to order pizzas to be delivered to your house at \r\nthe same time, I can clog up your street and prevent any legitimate \r\ntraffic from getting through. If I can trick many millions, I might be \r\nable to crush your house from the weight. That&#x27;s a DDoS attack -- it&#x27;s \r\nsimple brute force.\r\n\r\nAs you&#x27;d expect, DDoSers have various motives. The attacks started out \r\nas a way to show off, then quickly transitioned to a method of \r\nintimidation -- or a way of just getting back at someone you didn&#x27;t \r\nlike. More recently, they&#x27;ve become vehicles of protest. In 2013, the \r\nhacker group Anonymous petitioned the White House to recognize DDoS \r\nattacks as a legitimate form of protest. Criminals have used these \r\nattacks as a means of extortion, although one group found that just the \r\nfear of attack was enough. Military agencies are also thinking about \r\nDDoS as a tool in their cyberwar arsenals. A 2007 DDoS attack against \r\nEstonia was blamed on Russia and widely called an act of cyberwar.\r\n\r\nThe DDoS attack against Dyn two weeks ago was nothing new, but it \r\nillustrated several important trends in computer security.\r\n\r\nThese attack techniques are broadly available. Fully capable DDoS attack \r\ntools are available for free download. Criminal groups offer DDoS \r\nservices for hire. The particular attack technique used against Dyn was \r\nfirst used a month earlier. It&#x27;s called Mirai, and since the source code \r\nwas released four weeks ago, over a dozen botnets have incorporated the \r\ncode.\r\n\r\nThe Dyn attacks were probably not originated by a government. The \r\nperpetrators were most likely hackers mad at Dyn for helping Brian Krebs \r\nidentify -- and the FBI arrest -- two Israeli hackers who were running a \r\nDDoS-for-hire ring. Recently I have written about probing DDoS attacks \r\nagainst internet infrastructure companies that appear to be perpetrated \r\nby a nation-state. But, honestly, we don&#x27;t know for sure.\r\n\r\nThis is important. Software spreads capabilities. The smartest attacker \r\nneeds to figure out the attack and write the software. After that, \r\nanyone can use it. There&#x27;s not even much of a difference between \r\ngovernment and criminal attacks. In December 2014, there was a \r\nlegitimate debate in the security community as to whether the massive \r\nattack against Sony had been perpetrated by a nation-state with a $20 \r\nbillion military budget or a couple of guys in a basement somewhere. The \r\ninternet is the only place where we can&#x27;t tell the difference. Everyone \r\nuses the same tools, the same techniques and the same tactics.\r\n\r\nThese attacks are getting larger. The Dyn DDoS attack set a record at \r\n1.2 Tbps. The previous record holder was the attack against \r\ncybersecurity journalist Brian Krebs a month prior at 620 Gbps. This is \r\nmuch larger than required to knock the typical website offline. A year \r\nago, it was unheard of. Now it occurs regularly.\r\n\r\nThe botnets attacking Dyn and Brian Krebs consisted largely of unsecure \r\nInternet of Things (IoT) devices -- webcams, digital video recorders, \r\nrouters and so on. This isn&#x27;t new, either. We&#x27;ve already seen \r\ninternet-enabled refrigerators and TVs used in DDoS botnets. But again, \r\nthe scale is bigger now. In 2014, the news was hundreds of thousands of \r\nIoT devices -- the Dyn attack used millions. Analysts expect the IoT to \r\nincrease the number of things on the internet by a factor of 10 or more. \r\nExpect these attacks to similarly increase.\r\n\r\nThe problem is that these IoT devices are unsecure and likely to remain \r\nthat way. The economics of internet security don&#x27;t trickle down to the \r\nIoT. Commenting on the Krebs attack last month, I wrote:\r\n\r\n The market can&#x27;t fix this because neither the buyer nor the\r\n seller cares. Think of all the CCTV cameras and DVRs used in\r\n the attack against Brian Krebs. The owners of those devices\r\n don&#x27;t care. Their devices were cheap to buy, they still work,\r\n and they don&#x27;t even know Brian. The sellers of those devices\r\n don&#x27;t care: They&#x27;re now selling newer and better models, and\r\n the original buyers only cared about price and features. There\r\n is no market solution because the insecurity is what economists\r\n call an externality: It&#x27;s an effect of the purchasing decision\r\n that affects other people. Think of it kind of like invisible\r\n pollution.\r\n\r\nTo be fair, one company that made some of the unsecure things used in \r\nthese attacks recalled its unsecure webcams. But this is more of a \r\npublicity stunt than anything else. I would be surprised if the company \r\ngot many devices back. We already know that the reputational damage from \r\nhaving your unsecure software made public isn&#x27;t large and doesn&#x27;t last. \r\nAt this point, the market still largely rewards sacrificing security in \r\nfavor of price and time-to-market.\r\n\r\nDDoS prevention works best deep in the network, where the pipes are the \r\nlargest and the capability to identify and block the attacks is the most \r\nevident. But the backbone providers have no incentive to do this. They \r\ndon&#x27;t feel the pain when the attacks occur and they have no way of \r\nbilling for the service when they provide it. So they let the attacks \r\nthrough and force the victims to defend themselves. In many ways, this \r\nis similar to the spam problem. It, too, is best dealt with in the \r\nbackbone, but similar economics dump the problem onto the endpoints.\r\n\r\nWe&#x27;re unlikely to get any regulation forcing backbone companies to clean \r\nup either DDoS attacks or spam, just as we are unlikely to get any \r\nregulations forcing IoT manufacturers to make their systems secure. This \r\nis me again:\r\n\r\n What this all means is that the IoT will remain insecure unless\r\n government steps in and fixes the problem. When we have market\r\n failures, government is the only solution. The government could\r\n impose security regulations on IoT manufacturers, forcing them\r\n to make their devices secure even though their customers don&#x27;t\r\n care. They could impose liabilities on manufacturers, allowing\r\n people like Brian Krebs to sue them. Any of these would raise\r\n the cost of insecurity and give companies incentives to spend\r\n money making their devices secure.\r\n\r\nThat leaves the victims to pay. This is where we are in much of computer \r\nsecurity. Because the hardware, software and networks we use are so \r\nunsecure, we have to pay an entire industry to provide after-the-fact \r\nsecurity.\r\n\r\nThere are solutions you can buy. Many companies offer DDoS protection, \r\nalthough they&#x27;re generally calibrated to the older, smaller attacks. We \r\ncan safely assume that they&#x27;ll up their offerings, although the cost \r\nmight be prohibitive for many users. Understand your risks. Buy \r\nmitigation if you need it, but understand its limitations. Know the \r\nattacks are possible and will succeed if large enough. And the attacks \r\nare getting larger all the time. Prepare for that.\r\n\r\nThis essay previously appeared on the SecurityIntelligence website.\r\nhttps://securityintelligence.com/lessons-from-the-dyn-ddos-attack/\r\n\r\nhttps://securityintelligence.com/news/multi-phased-ddos-attack-causes-hours-long-outages/\r\nhttp://arstechnica.com/information-technology/2016/10/inside-the-machine-uprising-how-cameras-dvrs-took-down-parts-of-the-internet/\r\nhttps://www.theguardian.com/technology/2016/oct/26/ddos-attack-dyn-mirai-botnet\r\nhttp://searchsecurity.techtarget.com/news/450401962/Details-emerging-on-Dyn-DNS-DDoS-attack-Mirai-IoT-botnet\r\nhttp://hub.dyn.com/static/hub.dyn.com/dyn-blog/dyn-statement-on-10-21-2016-ddos-attack.html\r\n\r\nDDoS petition:\r\nhttp://www.huffingtonpost.com/2013/01/12/anonymous-ddos-petition-white-house_n_2463009.html\r\n\r\nDDoS extortion:\r\nhttps://securityintelligence.com/ddos-extortion-easy-and-lucrative/\r\nhttp://www.computerworld.com/article/3061813/security/empty-ddos-threats-deliver-100k-to-extortion-group.html\r\n\r\nDDoS against Estonia:\r\nhttp://www.iar-gwu.org/node/65\r\n\r\nDDoS for hire:\r\nhttp://www.forbes.com/sites/thomasbrewster/2016/10/23/massive-ddos-iot-botnet-for-hire-twitter-dyn-amazon/#11f82518c915\r\n\r\nMirai:\r\nhttps://www.arbornetworks.com/blog/asert/mirai-iot-botnet-description-ddos-attack-mitigation/\r\nhttps://krebsonsecurity.com/2016/10/source-code-for-iot-botnet-mirai-released/\r\nhttps://threatpost.com/mirai-bots-more-than-double-since-source-code-release/121368/\r\n\r\nKrebs:\r\nhttp://krebsonsecurity.com/2016/09/israeli-online-attack-service-vdos-earned-600000-in-two-years/\r\nhttp://www.theverge.com/2016/9/11/12878692/vdos-israeli-teens-ddos-cyberattack-service-arrested\r\nhttps://krebsonsecurity.com/2016/09/krebsonsecurity-hit-with-record-ddos/\r\nhttp://www.businessinsider.com/akamai-brian-krebs-ddos-attack-2016-9\r\n\r\nNation-state DDoS Attacks:\r\nhttps://www.schneier.com/blog/archives/2016/09/someone_is_lear.html\r\n\r\nNorth Korea and Sony:\r\nhttps://www.theatlantic.com/international/archive/2014/12/did-north-korea-really-attack-sony/383973/\r\n\r\nInternet of Things (IoT) security:\r\nhttps://securityintelligence.com/will-internet-things-leveraged-ruin-companys-day-understanding-iot-security/\r\nhttps://thehackernews.com/2014/01/100000-refrigerators-and-other-home.html\r\n\r\nEver larger DDoS Attacks:\r\nhttp://www.ibtimes.co.uk/biggest-ever-terabit-scale-ddos-attack-yet-could-be-horizon-experts-warn-1588364\r\n\r\nMy previous essay on this:\r\nhttps://www.schneier.com/essays/archives/2016/10/we_need_to_save_the_.html\r\n\r\nrecalled:\r\nhttp://www.zdnet.com/article/chinese-tech-giant-recalls-webcams-used-in-dyn-cyberattack/\r\n\r\nidentify and block the attacks:\r\nhttp://www.ibm.com/security/threat-protection/\r\n\r\n\r\n** *** ***** ******* *********** *************\r\n\r\n Regulation of the Internet of Things\r\n\r\n\r\n\r\nLate last month, popular websites like Twitter, Pinterest, Reddit and \r\nPayPal went down for most of a day. The distributed denial-of-service \r\nattack that caused the outages, and the vulnerabilities that made the \r\nattack possible, was as much a failure of market and policy as it was of \r\ntechnology. If we want to secure our increasingly computerized and \r\nconnected world, we need more government involvement in the security of \r\nthe &quot;Internet of Things&quot; and increased regulation of what are now \r\ncritical and life-threatening technologies. It&#x27;s no longer a question of \r\nif, it&#x27;s a question of when.\r\n\r\nFirst, the facts. Those websites went down because their domain name \r\nprovider -- a company named Dyn -- was forced offline. We don&#x27;t know who \r\nperpetrated that attack, but it could have easily been a lone hacker. \r\nWhoever it was launched a distributed denial-of-service attack against \r\nDyn by exploiting a vulnerability in large numbers -- possibly millions \r\n-- of Internet-of-Things devices like webcams and digital video \r\nrecorders, then recruiting them all into a single botnet. The botnet \r\nbombarded Dyn with traffic, so much that it went down. And when it went \r\ndown, so did dozens of websites.\r\n\r\nYour security on the Internet depends on the security of millions of \r\nInternet-enabled devices, designed and sold by companies you&#x27;ve never \r\nheard of to consumers who don&#x27;t care about your security.\r\n\r\nThe technical reason these devices are insecure is complicated, but \r\nthere is a market failure at work. The Internet of Things is bringing \r\ncomputerization and connectivity to many tens of millions of devices \r\nworldwide. These devices will affect every aspect of our lives, because \r\nthey&#x27;re things like cars, home appliances, thermostats, lightbulbs, \r\nfitness trackers, medical devices, smart streetlights and sidewalk \r\nsquares. Many of these devices are low-cost, designed and built \r\noffshore, then rebranded and resold. The teams building these devices \r\ndon&#x27;t have the security expertise we&#x27;ve come to expect from the major \r\ncomputer and smartphone manufacturers, simply because the market won&#x27;t \r\nstand for the additional costs that would require. These devices don&#x27;t \r\nget security updates like our more expensive computers, and many don&#x27;t \r\neven have a way to be patched. And, unlike our computers and phones, \r\nthey stay around for years and decades.\r\n\r\nAn additional market failure illustrated by the Dyn attack is that \r\nneither the seller nor the buyer of those devices cares about fixing the \r\nvulnerability. The owners of those devices don&#x27;t care. They wanted a \r\nwebcam -- or thermostat, or refrigerator -- with nice features at a good \r\nprice. Even after they were recruited into this botnet, they still work \r\nfine -- you can&#x27;t even tell they were used in the attack. The sellers of \r\nthose devices don&#x27;t care: They&#x27;ve already moved on to selling newer and \r\nbetter models. There is no market solution because the insecurity \r\nprimarily affects other people. It&#x27;s a form of invisible pollution.\r\n\r\nAnd, like pollution, the only solution is to regulate. The government \r\ncould impose minimum security standards on IoT manufacturers, forcing \r\nthem to make their devices secure even though their customers don&#x27;t \r\ncare. They could impose liabilities on manufacturers, allowing companies \r\nlike Dyn to sue them if their devices are used in DDoS attacks. The \r\ndetails would need to be carefully scoped, but either of these options \r\nwould raise the cost of insecurity and give companies incentives to \r\nspend money making their devices secure.\r\n\r\nIt&#x27;s true that this is a domestic solution to an international problem \r\nand that there&#x27;s no U.S. regulation that will affect, say, an Asian-made \r\nproduct sold in South America, even though that product could still be \r\nused to take down U.S. websites. But the main costs in making software \r\ncome from development. If the United States and perhaps a few other \r\nmajor markets implement strong Internet-security regulations on IoT \r\ndevices, manufacturers will be forced to upgrade their security if they \r\nwant to sell to those markets. And any improvements they make in their \r\nsoftware will be available in their products wherever they are sold, \r\nsimply because it makes no sense to maintain two different versions of \r\nthe software. This is truly an area where the actions of a few countries \r\ncan drive worldwide change.\r\n\r\nRegardless of what you think about regulation vs. market solutions, I \r\nbelieve there is no choice. Governments will get involved in the IoT, \r\nbecause the risks are too great and the stakes are too high. Computers \r\nare now able to affect our world in a direct and physical manner.\r\n\r\nSecurity researchers have demonstrated the ability to remotely take \r\ncontrol of Internet-enabled cars. They&#x27;ve demonstrated ransomware \r\nagainst home thermostats and exposed vulnerabilities in implanted \r\nmedical devices. They&#x27;ve hacked voting machines and power plants. In one \r\nrecent paper, researchers showed how a vulnerability in smart lightbulbs \r\ncould be used to start a chain reaction, resulting in them *all* being \r\ncontrolled by the attackers -- that&#x27;s every one in a city. Security \r\nflaws in these things could mean people dying and property being \r\ndestroyed.\r\n\r\nNothing motivates the U.S. government like fear. Remember 2001? A \r\nsmall-government Republican president created the Department of Homeland \r\nSecurity in the wake of the Sept. 11 terrorist attacks: a rushed and \r\nill-thought-out decision that we&#x27;ve been trying to fix for more than a \r\ndecade. A fatal IoT disaster will similarly spur our government into \r\naction, and it&#x27;s unlikely to be well-considered and thoughtful action. \r\nOur choice isn&#x27;t between government involvement and no government \r\ninvolvement. Our choice is between smarter government involvement and \r\nstupider government involvement. We have to start thinking about this \r\nnow. Regulations are necessary, important and complex -- and they&#x27;re \r\ncoming. We can&#x27;t afford to ignore these issues until it&#x27;s too late.\r\n\r\nIn general, the software market demands that products be fast and cheap \r\nand that security be a secondary consideration. That was okay when \r\nsoftware didn&#x27;t matter -- it was okay that your spreadsheet crashed once \r\nin a while. But a software bug that literally crashes your car is \r\nanother thing altogether. The security vulnerabilities in the Internet \r\nof Things are deep and pervasive, and they won&#x27;t get fixed if the market \r\nis left to sort it out for itself. We need to proactively discuss good \r\nregulatory solutions; otherwise, a disaster will impose bad ones on us.\r\n\r\nThis essay previously appeared in the Washington Post.\r\nhttps://www.washingtonpost.com/posteverything/wp/2016/11/03/your-wifi-connected-thermostat-can-take-down-the-whole-internet-we-need-new-regulations/\r\n\r\n\r\nDDoS:\r\nhttps://www.washingtonpost.com/news/the-switch/wp/2016/10/21/someone-attacked-a-major-part-of-the-internets-infrastructure/\r\n\r\nIoT and DDoS:\r\nhttps://krebsonsecurity.com/2016/10/hacked-cameras-dvrs-powered-todays-massive-internet-outage/\r\n\r\nThe IoT market failure and regulation:\r\nhttps://www.schneier.com/essays/archives/2016/10/we_need_to_save_the_.html\r\nhttps://www.wired.com/2014/01/theres-no-good-way-to-patch-the-internet-of-things-and-thats-a-huge-problem/\r\nhttp://www.computerworld.com/article/3136650/security/after-ddos-attack-senator-seeks-industry-led-security-standards-for-iot-devices.html\r\n\r\nIoT ransomware:\r\nhttps://motherboard.vice.com/read/internet-of-things-ransomware-smart-thermostat\r\nmedical:\r\n\r\nHacking medical devices:\r\nhttp://motherboard.vice.com/read/hackers-killed-a-simulated-human-by-turning-off-its-pacemaker\r\nhttp://abcnews.go.com/US/vice-president-dick-cheney-feared-pacemaker-hacking/story?id=20621434\r\n\r\nHacking voting machines:\r\nhttp://www.politico.com/magazine/story/2016/08/2016-elections-russia-hack-how-to-hack-an-election-in-seven-minutes-214144\r\n\r\nHacking power plants:\r\nhttps://www.wired.com/2016/01/everything-we-know-about-ukraines-power-plant-hack/\r\n\r\nHacking light bulbs:\r\nhttp://iotworm.eyalro.net\r\n\r\n\r\n** *** ***** ******* *********** *************\r\n\r\n Schneier News\r\n\r\n\r\nI am speaking in Cambridge, MA on November 15 at the Harvard Big-Data \r\nClub.\r\nhttp://harvardbigdata.com/event/keynote-lecture-bruce-schneier\r\n\r\nI am speaking in Palm Springs, CA on November 30 at the TEDMED \r\nConference.\r\nhttp://www.tedmed.com/speakers/show?id=627300\r\n\r\nI am participating in the Resilient end-of-year webinar on December 8.\r\nhttp://info.resilientsystems.com/webinar-eoy-cybersecurity-2016-review-2017-predictions\r\n\r\nI am speaking on December 14 in Accra at the University of Ghana.\r\n\r\n\r\n** *** ***** ******* *********** *************\r\n\r\n Virtual Kidnapping\r\n\r\n\r\n\r\nThis is a harrowing story of a scam artist that convinced a mother that \r\nher daughter had been kidnapped. It&#x27;s unclear if these virtual \r\nkidnappers use data about their victims, or just call people at random \r\nand hope to get lucky. Still, it&#x27;s a new criminal use of smartphones and \r\nubiquitous information. Reminds me of the scammers who call low-wage \r\nworkers at retail establishments late at night and convince them to do \r\noutlandish and occasionally dangerous things.\r\nhttps://www.washingtonpost.com/local/we-have-your-daughter-a-virtual-kidnapping-and-a-mothers-five-hours-of-hell/2016/10/03/8f082690-8963-11e6-875e-2c1bfe943b66_story.html\r\nMore stories are here.\r\nhttp://www.nbcwashington.com/investigations/Several-Virtual-Kidnapping-Attempts-in-Maryland-Recently-375792991.html\r\n\r\n\r\n** *** ***** ******* *********** *************\r\n\r\n Intelligence Oversight and How It Can Fail\r\n\r\n\r\n\r\nFormer NSA attorneys John DeLong and Susan Hennessay have written a \r\nfascinating article describing a particular incident of oversight \r\nfailure inside the NSA. Technically, the story hinges on a definitional \r\ndifference between the NSA and the FISA court meaning of the word \r\n&quot;archived.&quot; (For the record, I would have defaulted to the NSA&#x27;s \r\ninterpretation, which feels more accurate technically.) But while the \r\nstory is worth reading, what&#x27;s especially interesting are the broader \r\nissues about how a nontechnical judiciary can provide oversight over a \r\nvery technical data collection-and-analysis organization -- especially \r\nif the oversight must largely be conducted in secret.\r\n\r\nIn many places I have separated different kinds of oversight: are we \r\ndoing things right versus are we doing the right things? This is very \r\nmuch about the first: is the NSA complying with the rules the courts \r\nimpose on them? I believe that the NSA tries very hard to follow the \r\nrules it&#x27;s given, while at the same time being very aggressive about how \r\nit interprets any kind of ambiguities and using its nonadversarial \r\nrelationship with its overseers to its advantage.\r\n\r\nThe only possible solution I can see to all of this is more public \r\nscrutiny. Secrecy is toxic here.\r\n\r\nhttps://www.lawfareblog.com/understanding-footnote-14-nsa-lawyering-oversight-and-compliance\r\n\r\n\r\n\r\n** *** ***** ******* *********** *************\r\n\r\n Whistleblower Investigative Report on NSA Suite B Cryptography\r\n\r\n\r\n\r\nThe NSA has been abandoning secret and proprietary cryptographic \r\nalgorithms in favor of commercial public algorithms, generally known as \r\n&quot;Suite B.&quot; In 2010, an NSA employee filed some sort of whistleblower \r\ncomplaint, alleging that this move is both insecure and wasteful. The \r\nUS DoD Inspector General investigated and wrote a report in 2011.\r\n\r\nThe report -- slightly redacted and declassified -- found that there was \r\nno wrongdoing. But the report is an interesting window into the NSA&#x27;s \r\nsystem of algorithm selection and testing (pages 5 and 6), as well as \r\nhow they investigate whistleblower complaints.\r\n\r\nhttp://www.dodig.mil/FOIA/err/11-INTEL-06%20(Redacted).pdf\r\n\r\nSuite B Cryptography:\r\nhttp://csrc.nist.gov/groups/SMA/ispab/documents/minutes/2006-03/E_Barker-March2006-ISPAB.pdf\r\n\r\n\r\n** *** ***** ******* *********** *************\r\n\r\nSince 1998, CRYPTO-GRAM has been a free monthly newsletter providing \r\nsummaries, analyses, insights, and commentaries on security: computer \r\nand otherwise. You can subscribe, unsubscribe, or change your address on \r\nthe Web at &lt;https://www.schneier.com/crypto-gram.html&gt;. Back issues are \r\nalso available at that URL.\r\n\r\nPlease feel free to forward CRYPTO-GRAM, in whole or in part, to \r\ncolleagues and friends who will find it valuable. Permission is also \r\ngranted to reprint CRYPTO-GRAM, as long as it is reprinted in its \r\nentirety.\r\n\r\nCRYPTO-GRAM is written by Bruce Schneier. Bruce Schneier is an \r\ninternationally renowned security technologist, called a &quot;security guru&quot; \r\nby The Economist. He is the author of 13 books -- including his latest, \r\n&quot;Data and Goliath&quot; -- as well as hundreds of articles, essays, and \r\nacademic papers. His influential newsletter &quot;Crypto-Gram&quot; and his blog \r\n&quot;Schneier on Security&quot; are read by over 250,000 people. He has testified \r\nbefore Congress, is a frequent guest on television and radio, has served \r\non several government committees, and is regularly quoted in the press. \r\nSchneier is a fellow at the Berkman Center for Internet and Society at \r\nHarvard Law School, a program fellow at the New America Foundation&#x27;s \r\nOpen Technology Institute, a board member of the Electronic Frontier \r\nFoundation, an Advisory Board Member of the Electronic Privacy \r\nInformation Center, and the Chief Technology Officer at Resilient, an \r\nIBM Company. See &lt;https://www.schneier.com&gt;.\r\n\r\nCrypto-Gram is a personal newsletter. Opinions expressed are not \r\nnecessarily those of Resilient, an IBM Company.\r\n\r\nCopyright (c) 2016 by Bruce Schneier.\r\n\r\n** *** ***** ******* *********** *************\r\n\r\n\r\n\r\n\r\n\r\nTo unsubscribe from Crypto-Gram, click this link:\r\n\r\nhttps://lists.schneier.com/cgi-bin/mailman/options/crypto-gram/christine%40spang.cc?login-unsub=Unsubscribe\r\n\r\nYou will be e-mailed a confirmation message. Follow the instructions in that message to confirm your removal from the list.\r\n</pre>","snippet":"CRYPTO-GRAM November 15, 2016 by Bruce Schneier CTO, Resilient, an IBM Company schneier@schneier.com","unread":false,"starred":false,"date":"2016-11-15T07:50:26.000Z","folderImapUID":345982,"folderId":"test-folder-id","folder":{"id":"test-folder-id","account_id":"test-account-id","object":"folder","name":null,"display_name":"Test Folder","sync_state":{}},"labels":[],"headers":{"delivered-to":["christine@spang.cc","crypto-gram@lists.schneier.com"],"received":["by 10.31.185.141 with SMTP id j135csp15122vkf; Mon, 14 Nov 2016 23:50:26 -0800 (PST)","from schneier.modwest.com (schneier.modwest.com. [204.11.247.92]) by mx.google.com with ESMTPS id i126si6507480ybb.7.2016.11.14.23.50.26 for <christine@spang.cc> (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 14 Nov 2016 23:50:26 -0800 (PST)","from schneier.modwest.com (localhost [127.0.0.1]) by schneier.modwest.com (Postfix) with ESMTP id A57D33A66E for <christine@spang.cc>; Tue, 15 Nov 2016 00:48:53 -0700 (MST)","from webmail.schneier.com (localhost [127.0.0.1]) by schneier.modwest.com (Postfix) with ESMTPA id 735B038F18; Tue, 15 Nov 2016 00:27:10 -0700 (MST)"],"x-received":["by 10.37.220.66 with SMTP id y63mr6697075ybe.190.1479196226438; Mon, 14 Nov 2016 23:50:26 -0800 (PST)"],"return-path":["<crypto-gram-bounces@lists.schneier.com>"],"received-spf":["pass (google.com: domain of crypto-gram-bounces@lists.schneier.com designates 204.11.247.92 as permitted sender) client-ip=204.11.247.92;"],"authentication-results":["mx.google.com; spf=pass (google.com: domain of crypto-gram-bounces@lists.schneier.com designates 204.11.247.92 as permitted sender) smtp.mailfrom=crypto-gram-bounces@lists.schneier.com"],"x-original-to":["crypto-gram@lists.schneier.com"],"mime-version":["1.0"],"date":["Tue, 15 Nov 2016 01:27:10 -0600"],"from":["Bruce Schneier <schneier@schneier.com>"],"subject":["CRYPTO-GRAM, November 15, 2016"],"message-id":["<76bcad7045e1f498eb00e27fc969ee53@schneier.com>"],"x-sender":["schneier@schneier.com"],"user-agent":["Roundcube Webmail/0.9.5"],"x-mailman-approved-at":["Tue, 15 Nov 2016 00:45:13 -0700"],"x-beenthere":["crypto-gram@lists.schneier.com"],"x-mailman-version":["2.1.15"],"precedence":["list"],"cc":["Crypto-Gram Mailing List <crypto-gram@lists.schneier.com>"],"list-id":["Crypto-Gram Mailing List <crypto-gram.lists.schneier.com>"],"list-unsubscribe":["<https://lists.schneier.com/cgi-bin/mailman/options/crypto-gram>, <mailto:crypto-gram-request@lists.schneier.com?subject=unsubscribe>"],"list-post":["<mailto:crypto-gram@lists.schneier.com>"],"list-help":["<mailto:crypto-gram-request@lists.schneier.com?subject=help>"],"list-subscribe":["<https://lists.schneier.com/cgi-bin/mailman/listinfo/crypto-gram>, <mailto:crypto-gram-request@lists.schneier.com?subject=subscribe>"],"content-transfer-encoding":["7bit"],"content-type":["text/plain; charset=\"us-ascii\"; Format=\"flowed\""],"to":["christine@spang.cc"],"errors-to":["crypto-gram-bounces@lists.schneier.com"],"sender":["\"Crypto-Gram\" <crypto-gram-bounces@lists.schneier.com>"],"x-gm-thrid":"1551049662245032910","x-gm-msgid":"1551049662245032910","x-gm-labels":["\\Inbox"]},"headerMessageId":"<76bcad7045e1f498eb00e27fc969ee53@schneier.com>","gMsgId":"1551049662245032910","subject":"CRYPTO-GRAM, November 15, 2016","id":"bd4b21c7ed7c0cd66dbd488b34c9ae59737f9be5f53b879106e9f3cdc983f20b","folderImapXGMLabels":"[\"\\\\Inbox\"]"}}