John Mueller and his students analyze the 33 cases of attempted Islamic extremist terrorism in the U.S. since 9/11. So few of them are actually real, and so many of them were created or otherwise facilitated by law enforcement.

The death toll of all these is fourteen: thirteen at Ft. Hood and one in Little Rock. I think it's fair to add to this the 2002 incident at Los Angeles Airport where a lone gunman killed two people at the El Al ticket counter, so that's sixteen deaths in the U.S. to terrorism in the past ten years.

Given the credible estimate that we've spent $1 trillion on anti-terrorism security (this does not include our many foreign wars), that's $62.5 billion per life lost. Is there any other risk that we are even remotely as crazy about?

Note that everyone who died was shot with a gun. No Islamic extremist has been able to successfully detonate a bomb in the U.S. in the past ten years, not even a Molotov cocktail. (In the U.K. there has only been one successful terrorist bombing in the last ten years: the 2005 London Underground attacks.) And almost all of the 33 incidents (34 if you add LAX) have been lone actors, with no ties to al Qaeda.

Looking over the incidents, some of them would make pretty good movie plots. The point of my "movie-plot threat" phrase is not that terrorist attacks are never like that, but that concentrating defensive resources against them is pointless because 1) there are too many of them and 2) it is too easy for the terrorists to change tactics or targets.

I remember the government fear mongering after 9/11. How there were hundreds of sleeper cells in the U.S. How terrorism would become the new normal unless we implemented all sorts of Draconian security measures. You'd think that -- if this were even remotely true -- we would have seen more attempted terrorism in the U.S. over the past decade.

And I think arguments like "the government has secretly stopped lots of plots" don't hold any water. Just look at the list, and remember how the Bush administration would hype even the most tenuous terrorist incident. Stoking fear was the policy. If the government stopped any other plots, they would have made as much of a big deal of them as they did of these 33 incidents.

Mueller's work:
http://polisci.osu.edu/faculty/jmueller/since.html

$1 trillion spent on terrorism security.
http://www.amazon.com/exec/obidos/ASIN/0199795762/counterpane/

To justify the current U.S. spending on homeland security -- not including our various official and unofficial wars -- we'd have to foil 1,667 Times Square-style plots per year.
http://www.slate.com/id/2303169

Here's data on terrorist incidents from 1970 to 2004.
http://www.schneier.com/blog/archives/2007/06/terrorism_stati.html

And here's Nate Silver with data showing that the 1970s and 1980s were more dangerous with respect to airplane terrorism than the 2000s.
http://www.schneier.com/blog/archives/2010/01/nate_silver_on.html

According to the State Department's recent report, fifteen American private citizens died in terrorist attacks in 2010: thirteen in Afghanistan and one each in Iraq and Uganda. Worldwide, 13,186 people died from terrorism in 2010. These numbers pale even in comparison to things that aren't very risky.
http://www.state.gov/documents/organization/170479.pdf

Look at Table 3 on page 16 of this document. The risk of dying in the U.S. from terrorism is substantially less than the risk of drowning in your bathtub, the risk of a home appliance killing you, or the risk of dying in an accident caused by a deer. Remember that more people die every month in automobile crashes than died in 9/11.
http://polisci.osu.edu/faculty/jmueller/ISA10.PDF

In my blog post, I accidentally typed "lives saved" when I meant to type "lives lost." I've corrected that above. We generally have a regulatory safety goal of $1-$10M per life saved. In order for the $100B we have spent per year on counterterrorism to be worth it, it would need to have saved 10,000 lives per year.
http://scienceblogs.com/stoat/2011/08/schneier_confuses_life_with_de.php 
or http://tinyurl.com/3ljpx2d

$1-$10M per life saved:
http://polisci.osu.edu/faculty/jmueller/STEWJTS.PDF

One of the effects of writing a book is that I don't have the time to devote to other writing. So while I've been wanting to write about Anonymous vs. HBGary, I don't think I will have time. Here's an excellent series of posts on the topic from ArsTechnica.

In cyberspace, the balance of power is on the side of the attacker. Attacking a network is *much* easier than defending a network. That may change eventually -- there might someday be the cyberspace equivalent of trench warfare, where the defender has the natural advantage -- but not anytime soon.

http://arstechnica.com/tech-policy/news/2011/02/anonymous-to-security-firm-working-with-fbi-youve-angered-the-hive.ars

This is a really good piece by Paul Roberts on Anonymous vs. HBGary: not the tactics or the politics, but what HBGary demonstrates about the IT security industry.

http://threatpost.com/en_us/blogs/rsa-2011-winning-war-losing-our-soul-022211

Stephen Colbert on HBGary:

http://www.colbertnation.com/the-colbert-report-videos/375428/february-24-2011/corporate-hacker-tries-to-take-down-wikileaks

Another article:

http://www.h-online.com/security/features/Anonymous-makes-a-laughing-stock-of-HBGary-1198176.html

NIST has just defined two new versions of SHA-512. They're SHA-512/224 and SHA-512/256: 224- and 256-bit truncations of SHA-512 with a new IV. They've done this because SHA-512 is faster than SHA-256 on 64-bit CPUs, so these new SHA variants will be faster.

This is a good thing, and exactly what we did in the design of Skein. We defined different outputs for the same state size, because it makes sense to decouple the internal workings of the hash function from the output size.
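The "new IV" is the whole point, so here is an added example (my code, not from this post, NIST, or the Skein team) that makes it concrete: a pure-Python SHA-512 whose initial hash value is a parameter. FIPS 180-4 derives the SHA-512/t initial value by hashing the ASCII string "SHA-512/t" with SHA-512 using the standard IV with every word XORed with 0xa5a5a5a5a5a5a5a5; the code does exactly that, then truncates the 512-bit result to t bits. The function names (sha512, sha512_t, sha512_t_iv, truncation_differs, matches_stdlib) are mine. The example also shows that SHA-512/256 is not just the first 256 bits of plain SHA-512: same compression function, same state size, different IV, completely different output, which is the decoupling of internal state from output size described above.

```python
import hashlib
import struct

MASK64 = (1 << 64) - 1

# SHA-512 initial hash value (FIPS 180-4, section 5.3.5).
SHA512_IV = (
    0x6a09e667f3bcc908, 0xbb67ae8584caa73b, 0x3c6ef372fe94f82b, 0xa54ff53a5f1d36f1,
    0x510e527fade682d1, 0x9b05688c2b3e6c1f, 0x1f83d9abfb41bd6b, 0x5be0cd19137e2179,
)

# The 80 SHA-512 round constants (FIPS 180-4, section 4.2.3).
K = (
    0x428a2f98d728ae22, 0x7137449123ef65cd, 0xb5c0fbcfec4d3b2f, 0xe9b5dba58189dbbc,
    0x3956c25bf348b538, 0x59f111f1b605d019, 0x923f82a4af194f9b, 0xab1c5ed5da6d8118,
    0xd807aa98a3030242, 0x12835b0145706fbe, 0x243185be4ee4b28c, 0x550c7dc3d5ffb4e2,
    0x72be5d74f27b896f, 0x80deb1fe3b1696b1, 0x9bdc06a725c71235, 0xc19bf174cf692694,
    0xe49b69c19ef14ad2, 0xefbe4786384f25e3, 0x0fc19dc68b8cd5b5, 0x240ca1cc77ac9c65,
    0x2de92c6f592b0275, 0x4a7484aa6ea6e483, 0x5cb0a9dcbd41fbd4, 0x76f988da831153b5,
    0x983e5152ee66dfab, 0xa831c66d2db43210, 0xb00327c898fb213f, 0xbf597fc7beef0ee4,
    0xc6e00bf33da88fc2, 0xd5a79147930aa725, 0x06ca6351e003826f, 0x142929670a0e6e70,
    0x27b70a8546d22ffc, 0x2e1b21385c26c926, 0x4d2c6dfc5ac42aed, 0x53380d139d95b3df,
    0x650a73548baf63de, 0x766a0abb3c77b2a8, 0x81c2c92e47edaee6, 0x92722c851482353b,
    0xa2bfe8a14cf10364, 0xa81a664bbc423001, 0xc24b8b70d0f89791, 0xc76c51a30654be30,
    0xd192e819d6ef5218, 0xd69906245565a910, 0xf40e35855771202a, 0x106aa07032bbd1b8,
    0x19a4c116b8d2d0c8, 0x1e376c085141ab53, 0x2748774cdf8eeb99, 0x34b0bcb5e19b48a8,
    0x391c0cb3c5c95a63, 0x4ed8aa4ae3418acb, 0x5b9cca4f7763e373, 0x682e6ff3d6b2b8a3,
    0x748f82ee5defb2fc, 0x78a5636f43172f60, 0x84c87814a1f0ab72, 0x8cc702081a6439ec,
    0x90befffa23631e28, 0xa4506cebde82bde9, 0xbef9a3f7b2c67915, 0xc67178f2e372532b,
    0xca273eceea26619c, 0xd186b8c721c0c207, 0xeada7dd6cde0eb1e, 0xf57d4f7fee6ed178,
    0x06f067aa72176fba, 0x0a637dc5a2c898a6, 0x113f9804bef90dae, 0x1b710b35131c471b,
    0x28db77f523047d84, 0x32caab7b40c72493, 0x3c9ebe0a15c9bebc, 0x431d67c49c100d4c,
    0x4cc5d4becb3e42b6, 0x597f299cfc657e2a, 0x5fcb6fab3ad6faec, 0x6c44198c4a475817,
)


def _rotr(x, n):
    return ((x >> n) | (x << (64 - n))) & MASK64


def _compress(state, block):
    """One SHA-512 compression of a 128-byte block into the 8-word state."""
    w = list(struct.unpack(">16Q", block))
    for t in range(16, 80):
        s0 = _rotr(w[t - 15], 1) ^ _rotr(w[t - 15], 8) ^ (w[t - 15] >> 7)
        s1 = _rotr(w[t - 2], 19) ^ _rotr(w[t - 2], 61) ^ (w[t - 2] >> 6)
        w.append((w[t - 16] + s0 + w[t - 7] + s1) & MASK64)
    a, b, c, d, e, f, g, h = state
    for t in range(80):
        big_s1 = _rotr(e, 14) ^ _rotr(e, 18) ^ _rotr(e, 41)
        ch = (e & f) ^ (~e & g)
        t1 = (h + big_s1 + ch + K[t] + w[t]) & MASK64
        big_s0 = _rotr(a, 28) ^ _rotr(a, 34) ^ _rotr(a, 39)
        maj = (a & b) ^ (a & c) ^ (b & c)
        t2 = (big_s0 + maj) & MASK64
        h, g, f, e, d, c, b, a = g, f, e, (d + t1) & MASK64, c, b, a, (t1 + t2) & MASK64
    return tuple((x + y) & MASK64 for x, y in zip(state, (a, b, c, d, e, f, g, h)))


def _pad(msg):
    """Merkle-Damgaard padding: 0x80, zeros, then the 128-bit big-endian bit length."""
    bit_len = len(msg) * 8
    msg += b"\x80"
    msg += b"\x00" * ((112 - len(msg)) % 128)
    return msg + struct.pack(">QQ", 0, bit_len)


def _sha512_core(msg, iv):
    """SHA-512 with a caller-supplied initial hash value; returns the full 64-byte state."""
    state = tuple(iv)
    data = _pad(msg)
    for i in range(0, len(data), 128):
        state = _compress(state, data[i:i + 128])
    return struct.pack(">8Q", *state)


def sha512(msg):
    return _sha512_core(msg, SHA512_IV)


def sha512_t_iv(t):
    """IV generation function of FIPS 180-4 section 5.3.6: hash 'SHA-512/t' under
    SHA-512 whose standard IV has every word XORed with 0xa5a5a5a5a5a5a5a5."""
    modified_iv = tuple(h ^ 0xa5a5a5a5a5a5a5a5 for h in SHA512_IV)
    return struct.unpack(">8Q", _sha512_core(f"SHA-512/{t}".encode("ascii"), modified_iv))


def sha512_t(msg, t):
    """SHA-512/224 or SHA-512/256: SHA-512 with the derived IV, truncated to t bits."""
    if t not in (224, 256):
        raise ValueError("FIPS 180-4 approves only SHA-512/224 and SHA-512/256")
    return _sha512_core(msg, sha512_t_iv(t))[: t // 8]


def truncation_differs(msg, t):
    """True when SHA-512/t differs from simply truncating SHA-512; it always does."""
    return sha512_t(msg, t) != sha512(msg)[: t // 8]


def matches_stdlib(msg):
    """Cross-check the hand-written core against hashlib's SHA-512."""
    return sha512(msg) == hashlib.sha512(msg).digest()


if __name__ == "__main__":
    print("SHA-512      (abc):", sha512(b"abc").hex())
    print("SHA-512/256  (abc):", sha512_t(b"abc", 256).hex())
    print("SHA-512/224  (abc):", sha512_t(b"abc", 224).hex())
    print("plain truncation differs:", truncation_differs(b"abc", 256))
```

Because the IV is derived rather than hard-coded, the same code reproduces the published SHA-512/224 and SHA-512/256 test vectors, which is a useful way to convince yourself that the truncated variants really are separate hash functions and not a prefix of SHA-512 that an attacker could recover by extending the output.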


http://csrc.nist.gov/publications/drafts/fips180-4/FRN_Draft-FIPS180-4.pdf

The OpenVAS community is proud to announce the availability of OpenVAS-4, the next generation of the Open Vulnerability Assessment System. Though only eight months since OpenVAS 3.1, the new release represents the biggest step forward ever in the history of OpenVAS.

The most significant new features are a Report Format Plugin Framework, a Master-Slave mode and an improved Scanner. The extended OpenVAS Management Protocol (OMP) 2.0 of OpenVAS Manager makes several new features consistently available to all of its clients (Web, Desktop, CLI).

This is the first release that is directly accompanied with installation packages for over 20 platforms, several installation quick guides, a tool to check proper setup and, last but not least a virtual appliance.

OpenVAS-4 covers the following OpenVAS modules: Libraries 4.0, Scanner 3.2, Manager 2.0, Administrator 1.1, GSA 2.0, GSD 1.1 and CLI 1.1. At the OpenVAS developer conference #3, July 7-9 in Osnabrück, Germany, the feature set for OpenVAS-5 will take shape.

Availability

  • Source Code downloads are directly available from OpenVAS homepage: http://www.openvas.org
  • Binary installation packages: http://www.openvas.org/install-packages.html
  • Virtual Appliance: http://www.openvas.org/vm.htm

New features and changes

New: Report Format plugin framework. All previous reporting features were converted to plugins. The XML representation of a report is now the base for every plugin, which makes reports consistent.

Report Format Plugins can be set active so that they appear in the selection lists. Selections can take content types into account so that, for example, only plugins with content type "text" are offered for the email body.

Plugins can take parameters, so the user can adjust a Report Format's behaviour to individual preferences or needs.

A verification method allows signatures for valid plugins to be distributed via the NVT Feed.

  • New default Report Format: TXT for simple text.
  • New default Report Format: LaTeX for LaTeX source.
  • New sample Report Format: Simple Bar Chart. Demonstrates how to use Gnuplot for graphical reports.
  • New sample Report Format: Simple Topo Plot. Demonstrates how to use Graphviz for graphical reports.
  • New sample Report Format: Simple Pie Chart. Demonstrates how to use PyChart for graphical reports.
  • New sample Report Format: Simple Map Plot. Demonstrates how to use MapServer and GDAL for graphical reports.
  • New sample Report Format: Sourcefire Host Input. Demonstrates that Report Formats can be used to build connectors.
  • New: Master-Slave mode. Any OpenVAS Manager can use one or more other OpenVAS Managers as slaves to run scans. The whole scan task is transferred to the slave, and results are continuously reported to the Master during the scan. After the scan is finished, all data is removed from the slave. The master can also retrieve system reports from the slave and thus collect a performance overview for all configured slaves.
  • New Escalator: HTTP GET. This allows, for example, access to text message (SMS) gateways or ticket management systems.
  • Extended Escalator: For email escalation it is now possible to select from the configured Report Formats which one is included in the email body.
  • Agents: A verification method was added. This allows signatures for valid agents to be distributed via the NVT Feed.
  • Credentials: Can now be edited. This allows to change the login name or password without the need to create a new scan configuration.
  • Credentials: Auto-generated installer packages are now created on the fly. If the generators are improved, it is now easy to create an updated package for already existing credentials.
  • Targets: Credentials for SMB and SSH are now distinguished.
  • Targets: Various opportunities have been added to specify and combine IP ranges and ports.
  • Tasks: The task overview is delivered much faster now.
  • Reports: The report filtering is much faster now.
  • Performance: A fall-back performance report delivers some base data if no other tool is configured.
  • Web interface: Changed login mechanism from HTTP BasicAuth to session based authentication.
  • Scan behaviour: By default now only ports are scanned that are specified as part of the target.
  • No binary NVTs: The remaining binary NVTs are turned into built-in functionality. Binary plugins are (finally) no longer supported by OpenVAS.
  • Network scan NVTs: Network-wide initial scans are now possible.
  • Scan performance increased: Lower memory footprint (~10% more concurrent scans possible)
  • Scan Feature for VHosts: Preferences allow to specify VHosts.
  • Scanner: Command line options "--dump-cfg" and "--gen-config" are removed.
  • Scanner: Configuration file "openvassd.conf" not mandatory anymore.
  • Helper tool openvas-mkcert: New switches and does not create openvassd.conf.
  • OpenVAS is now compliant with the Filesystem Hierarchy Standard (FHS 2.3).
  • Consolidated default ports: Manager listens on 9390, Scanner on 9391, GSA on 9392 and Administrator on 9393.
  • OpenVAS build environment now consistently uses cmake and pkgconfig across all modules.
  • Compile-time hardening flags are now enabled by default across all modules.
  • All applications now consistently deliver output of --version compliant with the GNU Coding Standard.
  • OMP self-documentation: Part of the Managers' XML-based communication protocol OMP 2.0 is to deliver the full specification and documentation of the protocol itself (command "HELP"). It can be retrieved as XML-, RNC- or HTML representation. See here for online documentation: http://www.openvas.org/omp-2-0.html
  • OAP self-documentation: Part of the Administrators' XML-based communication protocol OAP 1.0 is to deliver the full specification and documentation of the protocol itself (command "HELP"). It can be retrieved as XML-, RNC- or HTML representation. See here for online documentation: http://www.openvas.org/oap-1-0.html
  • Extended Language Support: Desktop client GSD now supports English, German and French.

Compatibility and migration

  • The OpenVAS NVT Feed will be extended with tests that take advantage of the network scan feature while fully keeping the behaviour for previous releases. Also, the replacement methods for the former binary NVTs are compatible across OpenVAS 2 through 4.
  • The OpenVAS Manager has a migration option for updating an OpenVAS Manager 1.0 SQL database. There is no support for downgrading the database back to 1.0.
  • Migration from OpenVAS 2.x/3.x: Several default file locations changed for the new OpenVAS Scanner. Installing OpenVAS-4 on top of an older release will likely cause trouble because the old, and now only optional, "openvassd.conf" forces wrong paths. Delete or move away that file before starting with OpenVAS-4.
  • OpenVAS Scanner communication protocol (OTP) remains compatible with the previous release, so the latest release of the old OpenVAS-Client still works.

Scareware is fraudulent software that uses deceptive advertising to trick users into believing they're infected with some variety of malware, then convinces them to pay money to protect themselves. The infection isn't real, and the software they buy is fake, too. It's all a scam.

One scareware operator sold "more than 1 million software products" at "$39.95 or more," and now has to pay $8.2 million to settle a Federal Trade Commission complaint.

Seems to me that $40 per customer, minus $8.20 to pay off the FTC, is still a pretty good revenue model. Their operating costs can't be very high, since the software doesn't actually do anything. Yes, a court ordered them to close down their business, but certainly there are other creative entrepreneurs that can recognize a business opportunity when they see it.

http://www.pcworld.com/businesscenter/article/217987alleged_scareware_vendors_to_pay_82_million_to_ftc.html

A group of students at the Chinese University in Hong Kong have figured out how to store data in bacteria. The article talks about how secure it is, and the students even coined the term "bioencryption," but I don't see any encryption. It's just storage.

In another article, one of the researchers claims: "Bacteria can't be hacked."

Why can't bacteria be hacked? If the storage system is attached to a network, it's just as vulnerable as anything else attached to a network. And if it's disconnected from any network, then it's just as secure as anything else disconnected from a network. The problem the U.S. diplomats had was authorized access to the WikiLeaks cables by someone who decided to leak them. No cryptography helps against that.

There is cryptography in the project: "In addition we have created an encryption module with the R64 Shufflon-Specific Recombinase to further secure the information."

If the group is smart, this will be some conventional cryptography algorithm used to encrypt the data before it is stored on the bacteria.

In any case, this is fascinating and interesting work. I just don't see any new form of encryption, or anything inherently unhackable.

The project:
http://2010.igem.org/Team:Hong_Kong-CUHK

I haven't written anything about the suicide bombing at Moscow's Domodedovo Airport because I didn't think there was anything to say. The bomber was outside the security checkpoint, in the area where family and friends wait for arriving passengers. From a security perspective, the bombing had nothing to do with airport security. He could have just as easily been in a movie theater, stadium, shopping mall, market, or anywhere else lots of people are crowded together with limited exits. The large death and injury toll indicates the bomber chose his location well.

I've often written that security measures that are only effective if the implementers guess the plot correctly are largely wastes of money -- at best they would have forced this bomber to choose another target -- and that our best security investments are intelligence, investigation, and emergency response. This latest terrorist attack underscores that even more. "Critics say" that the TSA couldn't have detected this sort of attack. Of course; the TSA can't be everywhere. And that's precisely the point.

Many reporters asked me about the likely U.S. reaction. I don't know; it could range from "Moscow is a long way off and that doesn't concern us" to "Oh my god we're all going to die!" The worry, of course, is that we will need to "do something," even though there is no "something" that should be done.

I was interviewed by the Esquire politics blog about this. I'm not terribly happy with the interview; I was rushed and sloppy on the phone.

Me on terrorism security:
http://www.schneier.com/essay-292.html

"Critics say":
http://abcnews.go.com/Blotter/tsa-detect-moscow-style-attack-critics/story?id=12752581
or http://tinyurl.com/6esrgxl

My Esquire interview:
http://www.esquire.com/blogs/politics/moscow-airport-bruce-schneier-5022769
or http://tinyurl.com/45fea6q