Social Media Scams

The media has gone crazy about the Flame worm which has been seen infecting computers in the Middle East (Iran, in particular).

Are the news headlines doing a good job of educating the public about the seriousness of the incident, however?

Flame has been called “the most complex threat”, the world’s “most sophisticated cyber weapon”, and we’ve even been told it’s “much bigger than Stuxnet”.

But what does that actually mean?

Yes, Flame is bigger than Stuxnet. If you’re counting bytes.

Flame, with all of its modules and libraries, can come in at close to 20MBytes. That’s about 40 times larger than Stuxnet – which was itself portly by malware standards. So, yes, Flame is much bigger.

But my guess is that number of bytes wasn’t what you were thinking of when you read the headline.

After all, as we should always remind ourselves, size doesn’t matter. What matters to most computer users is whether they are likely to become infected by the malware or not, and how many computers it has infected.

Kaspersky, which made the biggest media splash regarding Flame has only discovered a few hundred computers infected by the malware.

That’s not that big.

Certainly, it’s pretty insignificant when you compare it to the 600,000 Mac computers which were infected by the Flashback malware earlier this year.

In fact, there were said to be 274 Flashback-infected computers in Apple’s home town of Cupertino alone – that’s more infections than there have been found of Flame in *all* of Iran!

And let’s not forget other malware outbreaks of past years – Conficker, Sasser, Sobig, Code Red – all much more significant in terms of number of infections than Flame.

20MB is a hefty piece of code by malware standards, there’s no doubt about that – even if much of it is made up of code libraries.

But it’s worth realising that it’s much *much* easier writing protection for a piece of malware than *analysing* what it actually does.

What’s going to take a while is dissecting Flame to find out all of its quirks and functionality, not protecting against it. When you hear anti-virus experts talk about Flame’s complexity, chances are that that’s what they’re referring to.

Because, at its simplest level, Flame isn’t doing anything different from the vast majority of other malware we see on a typical day.

Every day, we see approximately 100,000 new pieces of malware and most of them have the ability to steal information (by grabbing keypresses, taking screenshots, stealing your files) just like Flame.

Of course, Flame doesn’t really represent much of a threat anymore. Every anti-virus worth its salt (and even a few crummy ones I expect) now detect it and protect against it.

Whoever was behind it will likely be feeling pretty grumpy, or working hard on a new version which they hope will be able to skirt past defences.

So let’s keep things in perspective. Chances are that your computer is more at threat from some of the many other examples of malware that are in existence out there.

Furthermore, you shouldn’t need to be doing anything out of the ordinary to protect against these threats – keep your anti-virus and security patches up to date, take care over what software you install and the USB sticks you insert into your PC, run a layered defence inside your organisation. You know the drill by now.

I’m not saying that Flame isn’t newsworthy. It clearly is.

If I was a betting man, I’d probably put money on a state agency being involved in the creation of Flame. This seems to be being reported as fact, but there certainly isn’t any proof yet.

Not that the absence of evidence will stop some of the reports – after all, Flame has all the familiar ingredients to add to the ongoing narrative of how states could be using the internet to spy upon each other.

But that’s nothing we haven’t heard before, and it’s hard to think of anything new that typical computer users should be doing to protect themselves.

Sophos products protect users against the Flame threat, identifying it as W32/Flame-A.

_{Evil flames and apple bite image courtesy of Shutterstock.}

Schneier on Security

A blog covering security and security technology.

« Collecting Expert Predictions about Terrorist Attacks | Main

January 11, 2012

Protecting Your Privacy at International Borders

The EFF has published a good guide.

My own advice is here and here.

Posted on January 11, 2012 at 7:15 AM • 19 Comments

To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.

Comments

The simplest advice is take nothing with you across any border at any time except the minimum you require to get to your hotel etc.

You arange for anything else to be sent another way.

Two reasons for this,

1, You have nothing that you don’t know about on you.
2, You don’t have any devices on which malware etc can be added to your detriment.

Oh you also have less to be stolen/mislaid and nothing for the TSA et al to scratch the backs of their heads over…

Posted by: Clive Robinson at January 11, 2012 8:53 AM

Carrying a laptop into the U.S. of A. is carrying coals to Newcastle. Just take some money and buy a new one once in, cheaply. In fact, this is what many people from this side of the pond perform routinely as a secondary purpose of their trip.

Once you have it, download the data you need. Before leaving, securely erase it. After returning, keep it or sell it – with a profit usually.

For the purpose of secure deletion: do not buy SSD disks!

Posted by: Peter A. at January 11, 2012 9:13 AM

And all these recommendations fail if they are really after you. i.e. installing some hardware bug while your laptop gets searched.

So if you are paranoid taking no device with you seems the only solution.

Posted by: ChristianO at January 11, 2012 9:39 AM

They missed one trick in a sidebar. Dr. Akina doesn’t need to ‘securely wipe’ the travel laptop, she just mails it back.

Given the fun and games involved with secure wiping and the triviality of simply FedExing it back (or, if it really is a worthless travel laptop, throwing it away) makes it pretty clear which I’d recommend.

Finally, doesn’t this just blow the lid of a very serious problem?!

Given an information economy, isn’t the idea that any information of value you bring over the border can and will be stolen outright anathematic to everyone except highwaymen??

J.

PS – And yes, if you bring over a pile of cash (over $10,000), it too can and will be stolen from you, in the name of ‘fighting drugs’. J.

Posted by: Jon at January 11, 2012 11:31 AM

I can dream, but I can suppose loading up your laptop with a bunch of lawfully purchased media files which is then taken from you and copied would expose the ICE, CPB, and DHS to monstrous copyright fines, or even get them unplugged from the Internet…

J.

Posted by: Jon at January 11, 2012 11:35 AM

What a complete pain. And every precaution, every contingency described, begets more pain. How far we’ve come.

Posted by: simon at January 11, 2012 11:54 AM

My MacBook has Lion’s pre-boot filevault encryption on the small root partition, and TrueCrypt for the remaining large user partition with my home directories, so the entire disk is encrypted.

When I travel internationally, I make a full image copy of that drive, physically remove it, and then install a clean OS into the MacBook. If I need it, I then place the original encrypted drive into a small USB enclosure. It talks only a couple of minutes to open the MacBook, swap out the drive, and close it again.

Border officials can examine the MacBook as much as they want. If they also ask to see the drive in the USB enclosure in my coat pocket, which they have not so far, I can say that it was wiped and not formatted. When I place it into the mac, it shows up as an uninitialized disk, and a window pops up asking if they want to format it, which they can. They can even keep the external USB drive, since it is encrypted and I have it backed at home.

(My backups are also TrueCrypt encrypted.)

This might seem nuts, but I work in the semiconductor and banking industries and travel globally, and my laptop is full of trade secrets and security data.

I have had my laptops previously inspected in USA, Britain, Japan, and China. I don’t see a need to hand over legal trade secrets and security data to corrupt officials without any just cause, if I want to keep my job.

Posted by: Lisa at January 11, 2012 12:30 PM

Forgot to mention, that I have to use FileVault + TrueCrypt for full disk encryption, since TrueCrypt does not provide full disk encryption on the Mac yet.

And I don’t trust that Apple Lion’s closed source FileVault does not have some secret back door for officials.

Posted by: Lisa at January 11, 2012 12:33 PM

They are missing something I pointed out a long time ago. It’s hard to securely overwrite every storage location on a system. However, there is a way to do that without doing that: ensure it’s strongly encrypted & simply loose the long, truly random key. This concept was independently discovered in an academic paper a few years back. I’ve voluntarily, and involunatirly , erased hundreds of GB worth of data using this method.

The deletion process is almost instant if digital & happens in seconds if the key is stored on paper (lighter or stove required). If a suitable algorithm & implementation is used, then the data will be truly unrecoverable. No, really, I tried my best undelete that stuff.

Posted by: Nick P at January 11, 2012 12:47 PM

… or just do what I have for the last 11 years. Don’t travel to right-wing theocracies (Pakistan, USA, Iran etc.). Can’t say I’ve missed anything.

:p

Posted by: Slarty at January 11, 2012 1:42 PM

@Lisa: “I can say that it was wiped and not formatted.”

That would be lying to a federal officer, which, just FYI, is illegal.

Posted by: Paeniteo at January 11, 2012 1:58 PM

@Slarty – or Canada, at least if you’re a Bishop

Posted by: NobodySpecial at January 11, 2012 2:08 PM

@ Lisa,

And I don’t trust that Apple Lion’s closed source FileVault does not have some secret back door for officials

It might have but then again it might have bugs or even faux bugs that are realy backdoors.

That’s the problem with complex security and software, you can easily drive yourself crazy trying to “verify and trust”.

So the best thing is to assume that all software has bugs and is thus insecure (including products that claim EmSec level security), and you have to make the choice of how to mitigate accordingly.

The usual choice for low value data items is to chain various pieces of the security systems in sequence giving you the “onion layer” model. However on most OS’s this has a fatal flaw which is the OS it’s self, because it provides the link between all the pieces.

For higher value data items it used to be “use hardware” such as “Inline Media Encryptors” but as the US Gov and others have found the hardware is made outside of their control these days and could well be “Backdoored” by foreign nationals working for their governments…

Thus as I’ve said before on a number of occasions sometimes the best way to work is not to take high value data items with you across a border, nor the hardware&OS that can be “backdoored” as you go through.

There is however another option available which you are part way to with your external USB drive, but is not an option available to all. Which is “roll your own”.

I’ve used a number of the more recent micro controlers with multiple USB ports to do this. You can buy the source to a RTOS that has multi tasking, and you can also buy the source to the USB and other stacks. You can also download for free very striped down RTOS’s and limited schedulers from the net and USB stacks and software for flash drives etc. You can thus design and build your own “Inline Media Encryptor”.

For those nervous about “flash memory” just remember provided the drive only has encrypted data on it as Nick P has pointed out if you lose the crypto key you go from “data brick” to “house brick” in one go.

There is also a further wiggle you can do (simplest with stream ciphers) which is to have the data in flash encrypted under one key, the inline hardware changes that to encrypted under the transmission key to be sent across the USB cable and the driver on the commodity computer changes that into decrypted plain text. Now the trick is to make the transmission key evolve with time and data usage such that any data a third party picks up off of the wire will be different every time.

You then pick a method of sending/agreeing the transmission key from the commodity computer driver to the inline encryptor. There are a number of well known and well described protocols for doing this.

Oh and finally just incase you think “rubber hose” analysis will be applied to you, as you presumably work for an international company you can use MofN key shares from different jurisdictions with agreed “duress codes”.

But to be honest when it gets to this level you realy should consider not moving high value data items around, and changing the working practices to suit. Simply because it removes the risk to you and others, as a hostile agency that has targeted the company is almost certainly going to know what the internal company procedures are before they grab an individual “courier”, it they know no data gets shifted by courier they will leave all the companies travlers alone.

Posted by: Clive Robinson at January 11, 2012 2:18 PM

Passwords, if written down, should be written on small slivers of paper, small enough to fit within a pill’s capsule, yet durable enough to last unpacking and repacking.

Yes, they sell bags of empty pill capsules by the hundreds or thousands for cheap, look at your local health food store.

These “capsules” containing your password(s) can be mixed in with a medicine bottle and carried on your person.

Withdrawing a capsule from a medicine bottle and swallowing it casually but quickly draws less attention than attempting to force a huge wad of paper down your throat, or ripping them up into pieces and chewing them for good measure before gulping them down.

But if you’re attacked by someone and they force you to vomit, you’re screwed either way, unless you have a fast dissolving capsule and paper medium. Rice paper wouldn’t tolerate much manhandling but there are other options.

(bad) example:
– https://secure.wikimedia.org/wikipedia/en/wiki/Rice_paper

The ultimate solution would be a V2K device for your own personal enjoyment, but that’s in the military domain for now.

A Truecrypt volume placed on an mp3 player, disguised as a track of music could work, you could combine this with stego tech too for a fake audio track or a photo mixed in other photos of the same type.

And those are some tips for the border security. I’m sure you’ve seen everything and some really strange concealment methods, I’d love to hear amusing stories if anyone has them.

Posted by: fork() at January 11, 2012 2:50 PM

@Peter A

“For the purpose of secure deletion: do not buy SSD disks!”

There was an article from a forensic IT investigator last year in which he noted the way that aggressive firmware garbage collection in modern SSDs permanently removed deleted data without operator intervention.

He said he was shocked at how much information was overwritten for good after just 10 minutes of letting the SSD sit powered up, but otherwise inactive.

So maybe SSDs are one of the most secure storage options, by default?

Posted by: Godel at January 11, 2012 4:22 PM

“Oh and finally just incase you think “rubber hose” analysis will be applied to you, as you presumably work for an international company”

I would hope those working in “sensitive” fields would already be programmed in ways of dissociation. The net is full of information on this both in military and in government fields. Most Google searches will probably bring up conspiracy theories but read between the lines, there are some good articles on the subject.

The mind “splits” and no matter how much they torture you, the information stays within you. This is often found in people with MPD.

Posted by: The Conversation at January 11, 2012 4:51 PM

I think I’d rather play it safe and not bring my laptop with me. It seems like more of a hassle than it’s worth.

Posted by: Deck Construction at January 11, 2012 5:30 PM

“If a border agent asks you to provide an account password or encryption passphrase or to decrypt data stored on your device, you don’t have to comply.”

This may be true in the USA, but almost certainly, if you’re passing through USA customs, you have or will pass through some other country’s customs with the device, and their laws may differ.

Posted by: MW at January 11, 2012 5:58 PM

@Peter A.
“Carrying a laptop into the U.S. of A. is carrying coals to Newcastle. Just take some money and buy a new one once in, cheaply.”

Fine if you’re doing this for economic reasons, but if you’re worried about security the first thing you’re going to do to a new laptop is re-install from scratch to get rid of shovel-ware, or at the very least patch it. Either way, hours of fun…

@Jon
“They missed one trick in a sidebar. Dr. Akina doesn’t need to ‘securely wipe’ the travel laptop, she just mails it back.”

And trust the courier?
The last time I send a PC via courier the insurance premiums implied they loose about one in 10 of them.

Posted by: Thomas at January 11, 2012 6:40 PM

Subscribe to comments on this entry

Post a comment

Powered by Movable Type. Photo at top by Geoffrey Stone.

Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.

Some very interesting solutions to international travel and protecting your privacy. Has it really come to this?

Messages have spread rapidly across Twitter and Facebook in the last few hours, claiming that the 1980s British popstar Adam Ant has died.

According to the messages, the musician – who had hits with songs such as “Prince Charming” and “Stand and Deliver” – died from injuries he sustained in a jet ski accident on the Turks and Caicos Islands.

Although some users are just tweeting their respects at the “news” of Adam Ant’s death, others are posting a link to what appears to be an online news report about the musician’s death.

It’s a very sad story. Or at least, it would be if it was true.

Here’s what you see if you follow the link.

Do you notice the “adam.ant” in the url? I wonder what happens if I change that to include my own name.

Well fancy that – I’m a dead musician!

Some small print, included at the bottom of the webpage in a tiny font gives the game away for anyone who hasn’t realised that the report is utterly bogus:

FAKE... THIS STORY IS 100% FAKE! this is an entertainment website, and this is a totally fake article based on zero truth and is a complete work of fiction for entertainment purposes! this story was dynamically generated using a generic 'template' and is not factual.

Of course, the sheer number of people tweeting out the link won’t have done any harm at all for the website – which presumably is earning revenue from the adverts plastered on its fictional news report.

Always think carefully before believing breaking news that someone has shared with you on the net. If a major news outlet has not confirmed it to be true, it’s possible that you could be falling for a confidence trick.

Just imagine the harm that could occur if there was malware lying in wait at the end of that salacious news story link?

No doubt this won’t be the last time that a rumour spreads quickly across the internet that a celebrity has died. Remember when Christian Slater was killed in a snowboarding accident? Or Tom Cruise fell to his death off a cliff in New Zealand? Or Johnny Depp came to a sticky end in a car crash?

A new site, MyPermissions.org, makes it easy to herd a posse of wild cats – aka the hoard of applications and sites to which we’ve granted permission to access our information on Twitter, Facebook and more.

MyPermissions doesn’t ask for your personal information or login details, thank goodness. Otherwise, it would be a phishing goldmine.

Rather, the site simply offers a handy set of links to permissions lists. It also allows you to easily revoke access from the permissions pages.

On top of that, MyPermissions offers a reminder service: a monthly email via ifttt that prompts you to check your permissions.

Of course, you can set up a reminder on your own calendar and bookmark permissions pages on your own, but MyPermissions is a handy place to do it all from one spot.

Clicking through to different sites’ lists of permissions is an eye-opener. Do you know, offhand, how many applications can access your Facebook information, for example?

I was a trifle surprised to find that I’ve granted permission to 15 Facebook applications. I thought it sounded high until I read a comment from PStamatiou on a Hacker News thread about MyPermissions:

Nice! Just revoked access to about 40 things on Twitter, 30 on Flickr, 15 on Google, a handful on LinkedIn, 11 on dropbox, and about 150 (yikes!) on Facebook.

150 applications can access Pstamatiou’s personal information on Facebook??? Yikes indeed!

Of course, there are many legitimate apps and websites which you can give permission to connect with your account – but that doesn’t mean you have to have a free-for-all.

Remember, any application that gets permission to access your profile information potentially puts that information at risk. And, in the case of Facebook, it could put your friends’ information at risk, as well.

Any permissions can be dangerous, but Facebook is particularly worrisome, given the high number of users who are happy to give their personal information to strangers.

As Sophos found when it contacted 200 Facebook users posing as a plastic frog back in 2007, 87 responded, with 82 – or 41% – leaking personal information when they did so.

That personal information can be used for identity theft. It can be used for a mind-boggling array of other nastiness, as well. Bill Pringle has a nice compilation page of Facebook security issues, but lest we forget, the other social media sites can be used in similar mischievous ways.

As Tim O’Reilly Tweeted about the site (the site proudly displays said Tweet on its home page), MyPermissions is an excellent idea. “Treat your permissions with respect,” Mr. O’Reilly advises.

I wholeheartedly agree. Now, if you’ll excuse me, I’m off to choke a few Facebook applications in their cradles before they turn out to be monsters.

And please, feel free to let us know what surprises you in your permissions page.

It is well worth your time to check this out.

I keep getting asked – by journalists, friends, colleagues, competitors, delegates at conferences, people on the bus – what my attitude is to hacktivism, hacking and hackers.

I usually answer by saying, “What do you mean by hacktivism?” And the answer is frequently, and impassably, circular. “Y’know – all that hacking that hacktivists are doing these days.”

No! I don’t know! And I’m not willing to guess what you mean just so I’ve got something to say!

Fortunately, a few days ago a friend alerted me to a cartoon in the XKCD series (‘a webcomic of romance, sarcasm, mathematics, and language’, in its own words) which – like many XKCDs – cuts through most of the ambiguity and misunderstanding which surrounds the abovementioned H-words. (Don’t forget to hover over the image below to read the pop-up text.)

And we need to cut through the ambiguity, because every time we use the H-words on Naked Security, we seem to end up in comment wars over their relevance, meaning and imputation.

Does calling someone a hacker imply they’re a cybercriminal, even if they aren’t, and even if they might use that word to describe themselves? Does calling a cybercriminal a hacker demean everyone who ever took the term hacker as a badge of honour?

More importantly, does the sort of stuff which many so-called hacktivists get up to actually count as hacking, even if you allow the word to denote criminality?

For example, Anonymous recently bragged about a hack Down Under in which it revealed to the public a database of already-published web pages belonging to a local council. One publication blared this to the world as ‘Council falls prey to computer hacking gang’. Another avoided the H-word, but still rather extravagantly announced that ‘Anonymous releases government records including Australian council data.’

If that’s hacking, then perhaps walking to the bus stop is a major athletic achievement worthy of coverage in sporting magazines worldwide?

As the always-amusing Richard Chirgwin pointed out in The Register, the truth about this Down Under ‘hack’ was a little less dramatic.

Under the wry headline Council Website copied by Anonymous – Wget would have worked nearly as well, Chirgwin noted:

Australian democracy stubbornly fails to teeter on the brink of collapse this morning, after a bunch of script-kiddies mistakenly published a backup copy of a public Website in the delusional belief that they'd achieved yet another stunning coup in the "anti-sec" campaign.

In a world under clear and ongoing economic erosion by cybercriminals – not by hacking, or by hacktivists, or by hackers, but by cybercriminals – the overuse of the H-words in the media actually works against computer security in general.

Firstly, calling most self-styled hacktivists by their own name of choice imbues them with a social conscience and a justification they don’t seem to possess – rather like legitimising the looters currently on the rampage in Britain by labelling them as protesters.

Secondly, with all the attention that so-called “hacktivism hacks” against high-profile organisations are getting, it’s easy to fall into the trap of assuming that individuals and small businesses are safely under the radar. After all, who would target the website of Uncle Fred’s Garden Mowing Service when they could be taking on the mighty CIA?

The answer is that cybercriminals generally don’t care.

You might not have any data worth stealing (though it’s almost certain you do), but even if all you have to offer them is a badly-protected PC infected with zombie malware – a resource they can use to line up their next attacks whilst keeping out of the frame themselves – you are inadvertently aiding, if not abetting, their criminal activities.

So why not take one step tonight which will improve your attitude to security, and your personal resilience to compromise?

For example:

* If you use the same password for many websites, make tonight the night you change that approach.

* If you’ve been leaving your virus scanner turned off or out-of-date, make tonight the night you get it back up-to-date and activated.

* If you’ve been putting off downloading and installing the latest security patches for your operating system and software, make tonight the night you catch up.

* If you’re in the habit of friending people on Facebook just because they’re there, make tonight the night you treat Facebook friendships like you do real-life ones – based on knowing, liking and trusting the person.

* If you give inadvertent succour to hacktivists by simply following along and watching “for the lulz”, make tonight the night you search out something more visibly positive to do online for the greater good of all.

(Writing documentation for open source software projects is something most people can help with, even if they’re non-technical. It’s not glamorous but it’s important, useful, and can teach you a lot. You’ll be much more of a hacker than someone who joins in a DDoS attack – and you can put it on your CV, too!)

These terms are used often and almost always misunderstood.