The Seven Habits of Highly Ineffective Terrorists (9)
by schneier on Schneier on Security, 17 hours, 55 minutes ago
Most counterterrorism policies fail, not because of tactical problems, but because of a fundamental misunderstanding of what motivates terrorists in the first place. If we're ever going to defeat terrorism, we need to understand what drives people to become terrorists in the first place. Conventional wisdom holds that terrorism is inherently political, and that people become terrorists for political reasons. This is the "strategic" model of terrorism, and it's basically an economic model. It posits ...
Clickjacking (2)
by schneier on Schneier on Security, 1 day, 6 hours ago
Good Q&A on clickjacking: In plain English, clickjacking lets hackers and scammers hide malicious stuff under the cover of the content on a legitimate site. You know what happens when a carjacker takes a car? Well, clickjacking is like that, except that the click is the car. "Clickjacking" is a stunningly sexy name, but the vulnerability is really just a variant of cross-site scripting. We don't know how bad it really is, because the details ...
New Cross-Site Request Forgery Attacks (2)
by schneier on Schneier on Security, 1 day, 16 hours ago
Interesting: CSRF vulnerabilities occur when a website allows an authenticated user to perform a sensitive action but does not verify that the user herself is invoking that action. The key to understanding CSRF attacks is to recognize that websites typically don't verify that a request came from an authorized user. Instead they verify only that the request came from the browser of an authorized user. Because browsers run code sent by multiple sites, there is ...
"Scareware" Vendors Sued (2)
by schneier on Schneier on Security, 5 days, 11 hours ago
This is good: Microsoft Corp. and the state of Washington this week filed lawsuits against a slew of "scareware" purveyors, scam artists who use fake security alerts to frighten consumers into paying for worthless computer security software. The case filed by the Washington attorney general's office names Texas-based Branch Software and its owner James Reed McCreary IV, alleging that McCreary's company caused targeted PCs to pop up misleading security alerts about security threats on the ...
Bank Robber Hires Accomplices on Craigslist (32)
by Bruce Schneier on Schneier on Security, 5 days, 12 hours ago
Now this is clever: "I came across the ad that was for a prevailing wage job for $28.50 an hour," said Mike, who saw a Craigslist ad last week looking for workers for a road maintenance project in Monroe. He said he inquired and was e-mailed back with instructions to meet near the Bank of America in Monroe at 11 a.m. Tuesday. He also was told to wear certain work clothing. "Yellow vest, safety goggles, ...
- Isaac said: genius
- SFSlim said: Clever. Reminds me of the jazz violinist and noted practical joker Joe Venuti who once called fifteen upright bassists for a (non-existent) gig. He instructed each of them to go to a certain intersection (which happened to be downstairs from the hotel room Joe was staying in, in view of his window) at a specific time, and to bring their instrument. Then Joe just waited and watched the confusion as bass player after bass player converged on the streetcorner.
MI6 Camera -- Including Secrets -- Sold on eBay (3)
by schneier on Schneier on Security, 6 days, 6 hours ago
I wish I'd known: A 28-year-old delivery man from the UK who bought a Nikon Coolpix camera for about $31 on eBay got more than he bargained for when the camera arrived with top secret information from the UK's MI6 organization. Allegedly sold by one of the clandestine organization's agents, the camera contained named al-Qaeda cells, names, images of suspected terrorists and weapons, fingerprint information, and log-in details for the Secret Service's computer network, containing ...
Schneier on Security: Hand Grenades as Weapons of Mass Destruction (4)
by schneier on Schneier on Security, 6 days, 16 hours ago
I get that this is terrorism: A 24-year-old convert to Islam has been sentenced to 35 years in prison for plotting to set off hand grenades in a crowded shopping mall during the Christmas season. But I thought "weapons of mass destruction" was reserved for nuclear, chemical, and biological weapons. He was arrested in 2006 on charges of scheming to use weapons of mass destruction at the Cherryvale Mall in the northern Illinois city of ...
Schneier on Security: How to Clone and Modify E-Passports (4)
by schneier on Schneier on Security, 6 days, 18 hours ago
The Hacker's Choice has released a tool allowing people to clone and modify electronic passports. The problem is self-signed certificates. A CA is not a great solution: Using a Certification Authority (CA) could solve the attack but at the same time introduces a new set of attack vectors: The CA becomes a single point of failure. It becomes the juicy/high-value target for the attacker. Single points of failure are not good. Attractive targets are not ...
Talk to the TSA (7)
Thoughtcrime (4)
Sarah Palin's E-Mail (3)
by schneier on Schneier on Security, 1 week, 6 days ago
People have been asking me to comment about Sarah Palin's Yahoo e-mail account being hacked. I've already written about the security problems with "secret questions" back in 2005: The point of all these questions is the same: a backup password. If you forget your password, the secret question can verify your identity so you can choose another password or have the site e-mail your current password to you. It's a great idea from a customer ...
The Two Classes of Airport Contraband (26)
by schneier on Schneier on Security, 2 weeks ago
Airport security found a jar of pasta sauce in my luggage last month. It was a 6-ounce jar, above the limit; the official confiscated it, because allowing it on the airplane with me would have been too dangerous. And to demonstrate how dangerous he really thought that jar was, he blithely tossed it in a nearby bin of similar liquid bottles and sent me on my way. There are two classes of contraband at airport ...
- Dan Stowell said: "To fix this, airport security has to make a choice. If something is dangerous, treat it as dangerous and treat anyone who tries to bring it on as potentially dangerous. If it's not dangerous, then stop trying to keep it off airplanes. Trying to have it both ways just distracts the screeners from actually making us safer."
India Using Brain Scans to Prove Guilt in Court (6)
by schneier on Schneier on Security, 2 weeks, 1 day ago
This seems like a whole lot of pseudo-science: The technologies, generally regarded as promising but unproved, have yet to be widely accepted as evidence — except in India, where in recent years judges have begun to admit brain scans. But it was only in June, in a murder case in Pune, in Maharashtra State, that a judge explicitly cited a scan as proof that the suspect’s brain held “experiential knowledge” about the crime that only ...
- Rick Dillon said: Better hope the defendant doesn't know how to, ya know, meditate.
TSA Employees Bypassing Airport Screening (2)
by schneier on Schneier on Security, 2 weeks, 4 days ago
Airport screeners are now able to bypass airport screening: The Transportation Security Administration (TSA) rolled out the new uniforms and new screening policy at airports nationwide on Sept. 11. The new policy says screeners can arrive for work and walk behind security lines without any of their belongings examined or X-rayed. "Lunch or a bomb, you can walk right through with it," said Mike Boyd, an aviation consultant in Evergreen. "This is a major security ...
- nybble said: Huh. This is why Bruce is smarter than me.
The Pentagon's World of Warcraft Movie-Plot Threat (6)
by schneier on Schneier on Security, 2 weeks, 5 days ago
In a presentation that rivals any of my movie-plot threat contest entries, a Pentagon researcher is worried that terrorists might plot using World of Warcraft: In a presentation late last week at the Director of National Intelligence Open Source Conference in Washington, Dr. Dwight Toavs, a professor at the Pentagon-funded National Defense University, gave a bit of a primer on virtual worlds to an audience largely ignorant about what happens in these online spaces. Then ...
The NSA Teams Up with the Chinese Government to Limit Internet Anonymity (3)
by schneier on Schneier on Security, 2 weeks, 5 days ago
Definitely strange bedfellows: A United Nations agency is quietly drafting technical standards, proposed by the Chinese government, to define methods of tracing the original source of Internet communications and potentially curbing the ability of users to remain anonymous. The U.S. National Security Agency is also participating in the "IP Traceback" drafting group, named Q6/17, which is meeting next week in Geneva to work on the traceback proposal. Members of Q6/17 have declined to release key ...
NSA Snooping on Cell Phone Calls (1)
by schneier on Schneier on Security, 2 weeks, 6 days ago
From CNet: A recent article in the London Review of Books revealed that a number of private companies now sell off-the-shelf data-mining solutions to government spies interested in analyzing mobile-phone calling records and real-time location information. These companies include ThorpeGlen, VASTech, Kommlabs, and Aqsacom--all of which sell "passive probing" data-mining services to governments around the world. ThorpeGlen, a U.K.-based firm, offers intelligence analysts a graphical interface to the company's mobile-phone location and call-record data-mining software. ...
GPS Spoofing (9)
by schneier on Schneier on Security, 2 weeks, 6 days ago
Interesting: Jon used a desktop computer attached to a GPS satellite simulator to create a fake GPS signal. Portable GPS satellite simulators can fit in the trunk of a car, and are often used for testing. They are available as commercial off-the-shelf products. You can also rent them for less than $1K a week -- peanuts to anyone thinking of hijacking a cargo truck and selling stolen goods. In his first experiments, Jon placed his ...
Change Your Name and Avoid the TSA Watchlist (11)
by schneier on Schneier on Security, 3 weeks, 1 day ago
Shhhh. Don't tell the terrorists: The U.S. Department of Homeland Security wrote a letter to Labbé in 2004, saying he had been placed on their watch list after falling victim to identity theft. At the time, the department said there was no way for his name to be removed. Although Labbé wrote letters to the U.S. department, his efforts were in vain, prompting him to legally change his name. "So now, my official name is ...
- Ben said: This is way too funny.
- trygve said: Ahh, "security", turning innocents into experts in exploiting security flaws. And making a mockery of the American government in the process.