How People Learn about Computer Security

https://www.schneier.com/blog/archives/2015/12/how_people_lear.html

Interesting research: "Identifying patterns in informal sources of security information," by Emilee Rader and Rick Wash, Journal of Cybersecurity, 1 Dec 2015.

Abstract: Computer users have access to computer security information from many different sources, but few people receive explicit computer security training. Despite this lack of formal education, users regularly make many important security decisions, such as "Should I click on this potentially shady link?" or "Should I enter my password into this form?" For these decisions, much knowledge comes from incidental and informal learning. To better understand differences in the security-related information available to users for such learning, we compared three informal sources of computer security information: news articles, web pages containing computer security advice, and stories about the experiences of friends and family. Using a Latent Dirichlet Allocation topic model, we found that security information from peers usually focuses on who conducts attacks, information containing expertise focuses instead on how attacks are conducted, and information from the news focuses on the consequences of attacks. These differences may prevent users from understanding the persistence and frequency of seemingly mundane threats (viruses, phishing), or from associating protective measures with the generalized threats the users are concerned about (hackers). Our findings highlight the potential for sources of informal security education to create patterns in user knowledge that affect their ability to make good security decisions.

Terrifying Technologies

https://www.schneier.com/blog/archives/2015/12/terrifying_tech.html

I've written about the difference between risk perception and risk reality. I thought about that when reading this list of Americans' top technology fears:

  1. Cyberterrorism
  2. Corporate tracking of personal information
  3. Government tracking of personal information
  4. Robots replacing workforce
  5. Trusting artificial intelligence to do work
  6. Robots
  7. Artificial intelligence
  8. Technology I don't understand

More at the link.

How Israel Regulates Encryption

https://www.schneier.com/blog/archives/2015/12/how_israel_regu.html

Interesting essay about how Israel regulates encryption:

...the Israeli encryption control mechanisms operate without directly legislating any form of encryption-key depositories, built-in back or front door access points, or other similar requirements. Instead, Israel's system emphasizes smooth initial licensing processes and cultivates government-private sector collaboration. These processes help ensure that Israeli authorities are apprised of the latest encryption and cyber developments and position the government to engage effectively with the private sector when national security risks are identified.

Basically, it looks like secret agreements made in smoke-filled rooms, very discreet with no oversight or accountability. The fact that pretty much everyone in IT security has served in an offensive cybersecurity capacity for the Israeli army helps. As does the fact that the country is so small, making informal deal-making manageable. It doesn't scale.

Why is this important?

...companies in Israel, a country comprising less than 0.11% of the world's population, are estimated to have sold 10% ($6 billion out of $60 billion) of global encryption and cyber technologies for 2014.

Forced Authorization Attacks Against Chip-and-Pin Credit Card Terminals

https://www.schneier.com/blog/archives/2015/12/forced_authoriz.html

Clever:

The way forced authorisation fraud works is that the retailer sets up the terminal for a transaction by inserting the customer's card and entering the amount, then hands the terminal over to the customer so they can type in the PIN. But the criminal has used a stolen or counterfeit card, and due to the high value of the transaction the terminal performs a "referral" -- asking the retailer to call the bank to perform additional checks such as the customer answering a security question. If the security checks pass, the bank will give the retailer an authorisation code to enter into the terminal.

The problem is that when the terminal asks for these security checks, it's still in the hands of the criminal, and it's the criminal that follows the steps that the retailer should have. Since there's no phone conversation with the bank, the criminal doesn't know the correct authorisation code. But what surprises retailers is that the criminal can type in anything at this stage and the transaction will go through. The criminal might also be able to bypass other security features, for example they could override the checking of the PIN by following the steps the retailer would if the customer has forgotten the PIN.

By the time the terminal is passed back to the retailer, it looks like the transaction was completed successfully. The receipt will differ only very subtly from that of a normal transaction, if at all. The criminal walks off with the goods and it's only at the end of the day that the authorisation code is checked by the bank. By that time, the criminal is long gone. Because some of the security checks the bank asked for weren't completed, the retailer doesn't get the money.

Friday Squid Blogging: North Korean Squid Fisherman Found Dead in Boats

https://www.schneier.com/blog/archives/2015/12/friday_squid_bl_504.html

I don't know if you've been following the story of the boats full of corpses that have been found in Japanese waters:

Over the past two months, at least 12 wooden boats have been found adrift or on the coast, carrying chilling cargo -- the decaying bodies of 22 people, police and Japan's coast guard said.

All the bodies were "partially skeletonized" -- two were found without heads -- and one boat contained six skulls, the coast guard said. The first boat was found in October, then a series of boats were found in November.

Writing on the boats suggests that they are from North Korea, and there's other evidence that they strayed into Japanese waters hunting squid:

Squid fishing equipment found in the boats suggest that the bodies could be of fisherman from food-short North Korea who have been increasingly entering Japanese waters to hunt squid...

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

Worldwide Cryptographic Products Survey: Edits and Additions Wanted

https://www.schneier.com/blog/archives/2015/12/worldwide_crypt.html

Back in September, I announced my intention to survey the world market of cryptographic products. The goal is to compile a list of both free and commercial encryption products that can be used to protect arbitrary data and messages. That is, I'm not interested in products that are specifically designed for a narrow application, like financial transactions, or products that provide authentication or data integrity. I am interested in products that people like FBI director James Comey can possibly claim help criminals communicate securely.

Together with a student here at Harvard University, we've compiled a spreadsheet of over 400 products from many different countries.

At this point, we would like your help. Please look at the list. Please correct anything that is wrong, and add anything that is missing. Use this form to submit changes and additions. If it's more complicated than that, please e-mail me.

As the rhetoric surrounding weakening or banning strong encryption continues, it's important for policymakers to understand how international the cryptographic market is, and how much of it is not under their control. My hope is that this survey will contribute to the debate by making that point.

Security vs. Business Flexibility

https://www.schneier.com/blog/archives/2015/12/security_vs_bus.html

This article demonstrates that security is less important than functionality.

When asked about their preference if they needed to choose between IT security and business flexibility, 71 percent of respondents said that security should be equally or more important than business flexibility.

But show them the money and things change, when the same people were asked if they would take the risk of a potential security threat in order to achieve the biggest deal of their life, 69 percent of respondents say they would take the risk.

The reactions I've read call this a sad commentary on security, but I think it's a perfectly reasonable result. Security is important, but when there's an immediate conflicting requirement, security takes a back seat. I don't think this is a problem of security literacy, or of awareness, or of training. It's a consequence of our natural proclivity to take risks when the rewards are great.

Given the option, I would choose the security threat, too.

In the IT world, we need to recognize this reality. We need to build security that's flexible and adaptable, that can respond to and mitigate security breaches, and can maintain security even in the face of business executives who would deliberately bypass security protection measures to achieve the biggest deal of their lives.

This essay previously appeared on Resilient Systems's blog.

Tracking Someone Using LifeLock

https://www.schneier.com/blog/archives/2015/12/tracking_someon.html

Someone opened a LifeLock account in his ex-wife's name, and used the service to track her bank accounts, credit cards, and other financial activities.

The article is mostly about how appalling LifeLock was about this, but I'm more interested in the surveillance possibilities. Certainly the FBI can use LifeLock to surveil people with a warrant. The FBI/NSA can also collect the financial data of every LifeLock customer with a National Security Letter. But it's interesting how easy it was for an individual to open an account for another individual.