Hacking Lottery Machines

Interesting article about how a former security director of the US Multi-State Lottery Association hacked the random-number generator in lottery software so he could predict the winning numbers.

For several years, Eddie Tipton, the former security director of the US Multi-State Lottery Association, installed software code that allowed him to predict winning numbers on specific days of the year, investigators allege. The random-number generators had been erased, but new forensic evidence has revealed how the hack was apparently done.

[...]

The number generator had apparently been hacked to produce predictable numbers on three days of the year, after the machine had gone through a security audit.

Note that last bit. The software would only produce the non-random results after the software security audit was completed.

It's getting harder and harder to trust opaque and unaccountable algorithms. Anyone who thinks we should have electronic voting machines -- or worse, Internet voting -- needs to pay attention.

Posted on April 12, 2016 at 6:39 AM | 37 Comments

2016 Protocols Workshop

Ross Anderson has liveblogged the 24th International Workshop on Security Protocols in Brno, Czech Republic.

Posted on April 11, 2016 at 2:06 PM | 9 Comments

Scams from the 1800s

They feel quaint today:

But in the spring of 1859, folks were concerned about another kind of hustle: A man who went by the name of A.V. Lamartine drifted from town to town in the Midwest -- pretending to attempt suicide.

He would walk into a hotel -- according to newspaper accounts from Salem, Ore., to Richmond, Va., and other places -- and appear depressed as he requested a room. Once settled in, he would ring a bell for assistance, and when someone arrived, Lamartine would point to an empty bottle on the table labeled "2 ounces of laudanum" and call for a clergyman.

People rushing to his bedside to help him would find a suicide note. The Good Samaritans would summon a doctor, administer emetics and nurse him as he recovered.

Somehow Lamartine knew his situation would engender medical and financial assistance from kind strangers in the 19th century. The scenarios ended this way, as one Brooklyn reporter explained: "He is restored with difficulty and sympathetic people raise a purse for him and he departs."

Posted on April 11, 2016 at 6:49 AM | 38 Comments

Friday Squid Blogging: Cooking with Squid Ink

Risotto nero and more.

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

Posted on April 8, 2016 at 4:30 PM | 139 Comments

Security Lessons from the Game of Werewolf

I can't believe I haven't posted this before.

Posted on April 8, 2016 at 12:27 PM | 13 Comments

Breaking Semantic Image CAPTCHAs

Interesting research: Suphannee Sivakorn, Iasonas Polakis and Angelos D. Keromytis, "I Am Robot: (Deep) Learning to Break Semantic Image CAPTCHAs":

Abstract: Since their inception, captchas have been widely used for preventing fraudsters from performing illicit actions. Nevertheless, economic incentives have resulted in an arms race, where fraudsters develop automated solvers and, in turn, captcha services tweak their design to break the solvers. Recent work, however, presented a generic attack that can be applied to any text-based captcha scheme. Fittingly, Google recently unveiled the latest version of reCaptcha. The goal of their new system is twofold: to minimize the effort for legitimate users, while requiring tasks that are more challenging to computers than text recognition. ReCaptcha is driven by an "advanced risk analysis system" that evaluates requests and selects the difficulty of the captcha that will be returned. Users may be required to click in a checkbox, or solve a challenge by identifying images with similar content.

In this paper, we conduct a comprehensive study of reCaptcha, and explore how the risk analysis process is influenced by each aspect of the request. Through extensive experimentation, we identify flaws that allow adversaries to effortlessly influence the risk analysis, bypass restrictions, and deploy large-scale attacks. Subsequently, we design a novel low-cost attack that leverages deep learning technologies for the semantic annotation of images. Our system is extremely effective, automatically solving 70.78% of the image reCaptcha challenges, while requiring only 19 seconds per challenge. We also apply our attack to the Facebook image captcha and achieve an accuracy of 83.5%. Based on our experimental findings, we propose a series of safeguards and modifications for impacting the scalability and accuracy of our attacks. Overall, while our study focuses on reCaptcha, our findings have wide implications; as the semantic information conveyed via images is increasingly within the realm of automated reasoning, the future of captchas relies on the exploration of novel directions.

News articles.

Posted on April 8, 2016 at 6:39 AM | 15 Comments

Bypassing Phone Security through Social Engineering

This works:

Khan was arrested in mid-July 2015. Undercover police officers posing as company managers arrived at his workplace and asked to check his driver and work records, according to the source. When they disputed where he was on a particular day, he got out his iPhone and showed them the record of his work.

The undercover officers asked to see his iPhone and Khan handed it over. After that, he was arrested. British police had 30 seconds to change the password settings to keep the phone open.

Reminds me about how the FBI arrested Ross William Ulbricht:

The agents had tailed him, waiting for the 29-year-old to open his computer and enter his passwords before swooping in.

That also works.

And, yes, I understand that none of this would have worked with the already dead Syed Farook and his iPhone.

Posted on April 7, 2016 at 6:39 AM | 29 Comments

IBM Officially Owns Resilient Systems

It's officially final; IBM has "completed the acquisition" of Resilient Systems, Inc. We are now "Resilient: an IBM Company."

As I expected when I announced this acquisition, I am staying on as the CTO of Resilient and something like Senior Advisor to IBM Security -- we're still working on the exact title. Everything I've seen so far indicates that this will be a good home for me. They know what they're getting, and they're still keeping me on. I have no intention of changing what I write about or speak about -- or to whom.

For the company, this is still a great deal. The acquisition was big news at the RSA Conference a month ago, and we've gotten nothing but a positive response from analysts and a primarily positive response from customers.

Here's a video of Resilient CEO John Bruce talking with IBM Security General Manager Marc van Zadelhoff about the acquisition. And here's an analyst talking about the acquisition.

Posted on April 6, 2016 at 12:47 PM | 37 Comments

CONIKS

CONIKS is a new, easy-to-use transparent key-management system:

CONIKS is a key management system for end users capable of integration in end-to-end secure communication services. The main idea is that users should not have to worry about managing encryption keys when they want to communicate securely, but they also should not have to trust their secure communication service providers to act in their interest.

Here's the academic paper. And here's a good discussion of the protocol and how it works. This is the problem they're trying to solve:

One of the main challenges to building usable end-to-end encrypted communication tools is key management. Services such as Apple's iMessage have made encrypted communication available to the masses with an excellent user experience because Apple manages a directory of public keys in a centralized server on behalf of their users. But this also means users have to trust that Apple's key server won't be compromised or compelled by hackers or nation-state actors to insert spurious keys to intercept and manipulate users' encrypted messages. The alternative, and more secure, approach is to have the service provider delegate key management to the users so they aren't vulnerable to a compromised centralized key server. This is how Google's End-To-End works right now. But decentralized key management means users must "manually" verify each other's keys to be sure that the keys they see for one another are valid, a process that several studies have shown to be cumbersome and error-prone for the vast majority of users. So users must make the choice between strong security and great usability.

And this is CONIKS:

In CONIKS, communication service providers (e.g. Google, Apple) run centralized key servers so that users don't have to worry about encryption keys, but the main difference is CONIKS key servers store the public keys in a tamper-evident directory that is publicly auditable yet privacy-preserving. On a regular basis, CONIKS key servers publish directory summaries, which allow users in the system to verify they are seeing consistent information. To achieve this transparent key management, CONIKS uses various cryptographic mechanisms that leave undeniable evidence if any malicious outsider or insider were to tamper with any key in the directory and present different parties different views of the directory. These consistency checks can be automated and built into the communication apps to minimize user involvement.
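To make the "tamper-evident, publicly auditable, privacy-preserving directory" concrete, here is a small CONIKS-style directory I wrote for this post; it is an added example, not CONIKS's own code, and it simplifies the real protocol in three labelled ways: the private per-user index is a keyed hash rather than CONIKS's VRF, the directory is a plain sorted Merkle tree rather than a Merkle prefix tree, and the server's signature on each epoch summary is stood in for by an HMAC (so the client's "verification key" is the same secret; a deployment would use a public-key signature). Usernames and keys ("alice", b"bob-pk-v1", and so on) are constructed for the walkthrough. It shows the four things the paragraph above describes: a provider publishes a signed summary per epoch, a client verifies a key lookup against that summary, a substituted key fails the check, and two signed summaries for the same epoch with different roots are undeniable evidence of tampering.

```python
import hashlib
import hmac
import json

def H(*parts: bytes) -> bytes:
    """Length-prefixed SHA-256, so the concatenation of parts is unambiguous."""
    return hashlib.sha256(b"".join(len(p).to_bytes(4, "big") + p for p in parts)).digest()

EMPTY = H(b"empty")  # pads odd tree levels; distinct from every real leaf and node

def build_levels(leaves: list[bytes]) -> list[list[bytes]]:
    levels = [list(leaves) or [EMPTY]]  # all levels of a binary Merkle tree, leaves first
    while len(levels[-1]) > 1:
        cur = levels[-1]
        if len(cur) % 2:
            cur.append(EMPTY)
        levels.append([H(b"node", cur[i], cur[i + 1]) for i in range(0, len(cur), 2)])
    return levels

def inclusion_proof(levels: list[list[bytes]], pos: int) -> list[tuple[bytes, bool]]:
    proof = []  # (sibling hash, sibling is on the left), from the leaf up to the root
    for level in levels[:-1]:
        proof.append((level[pos ^ 1], (pos ^ 1) < pos))
        pos //= 2
    return proof

def verify_inclusion(leaf: bytes, proof: list[tuple[bytes, bool]], root: bytes) -> bool:
    for sib, sib_left in proof:
        leaf = H(b"node", sib, leaf) if sib_left else H(b"node", leaf, sib)
    return leaf == root

def sign(key: bytes, summary: dict) -> str:
    # Stand-in for the server's signature (assumption: HMAC, so the verify key is the same secret).
    body = json.dumps({k: v for k, v in summary.items() if k != "sig"}, sort_keys=True)
    return hmac.new(key, body.encode(), hashlib.sha256).hexdigest()

def verify_sig(key: bytes, summary: dict) -> bool:
    return hmac.compare_digest(sign(key, summary), summary.get("sig", ""))

class KeyServer:
    def __init__(self, index_key: bytes, signing_key: bytes):
        self.index_key, self.signing_key = index_key, signing_key
        self.keys: dict[str, bytes] = {}  # username -> public key
        self.epoch, self.prev_root = 0, b"\x00" * 32
        self._entries, self._levels = [], build_levels([])  # (private index, pubkey) as published
    def private_index(self, user: str) -> bytes:
        # CONIKS derives this with a VRF; a keyed hash is a simplification (assumption).
        return hmac.new(self.index_key, user.encode(), hashlib.sha256).digest()
    def publish(self) -> dict:
        self._entries = sorted((self.private_index(u), pk) for u, pk in self.keys.items())
        self._levels = build_levels([H(b"leaf", idx, pk) for idx, pk in self._entries])
        root = self._levels[-1][0]
        summary = {"epoch": self.epoch, "root": root.hex(), "prev": self.prev_root.hex()}
        summary["sig"] = sign(self.signing_key, summary)
        self.epoch, self.prev_root = self.epoch + 1, root
        return summary
    def lookup(self, user: str):  # -> (pubkey, private index, inclusion proof) for the last root
        idx = self.private_index(user)
        pos = [e[0] for e in self._entries].index(idx)
        return self._entries[pos][1], idx, inclusion_proof(self._levels, pos)

class Client:
    def __init__(self, verify_key: bytes):
        self.verify_key, self.history = verify_key, []  # every summary accepted so far
    def accept_summary(self, s: dict) -> bool:
        if not verify_sig(self.verify_key, s):
            return False
        if self.history:  # the epoch must advance by one and link to the last root we saw
            last = self.history[-1]
            if s["epoch"] != last["epoch"] + 1 or s["prev"] != last["root"]:
                return False
        self.history.append(s)
        return True
    def verify_lookup(self, pubkey: bytes, idx: bytes, proof) -> bool:
        root = bytes.fromhex(self.history[-1]["root"])
        return verify_inclusion(H(b"leaf", idx, pubkey), proof, root)

def equivocation_evidence(verify_key: bytes, s1: dict, s2: dict) -> bool:
    # Two validly signed summaries for one epoch with different roots: undeniable misbehaviour.
    return (verify_sig(verify_key, s1) and verify_sig(verify_key, s2)
            and s1["epoch"] == s2["epoch"] and s1["root"] != s2["root"])

def demo() -> dict:
    key = b"constructed-signing-key"  # every value below is constructed for the walkthrough
    server, alice = KeyServer(b"constructed-index-key", key), Client(key)
    server.keys.update({"alice": b"alice-pk-v1", "bob": b"bob-pk-v1", "carol": b"carol-pk-v1"})
    s0 = server.publish()
    accepted = alice.accept_summary(s0)
    pk, idx, proof = server.lookup("bob")
    honest = alice.verify_lookup(pk, idx, proof)
    tampered = alice.verify_lookup(b"attacker-pk", idx, proof)  # substituted key, genuine proof
    forked = dict(s0, root=H(b"other view").hex())  # a second root for the same epoch, shown to others
    forked["sig"] = sign(key, forked)
    evidence = equivocation_evidence(key, s0, forked)
    server.keys["bob"] = b"bob-pk-v2"  # legitimate key change, published in the next epoch
    chained = alice.accept_summary(server.publish())
    return {"summary_accepted": accepted, "honest_lookup": honest, "tampered_lookup": tampered,
            "equivocation_detected": evidence, "next_epoch_accepted": chained}
```

Two details carry the security argument. The lookup response contains only Bob's key, his hashed index and sibling hashes, so Alice can check her view of the directory without learning who else is in it; that is the privacy-preserving part. And because every summary is signed and chained to the previous root, a server that shows Alice one directory and Bob another cannot do so deniably: anyone holding both summaries for the same epoch can present them as proof. The real protocol strengthens each piece (VRF indices, a Merkle prefix tree with absence proofs, auditors who gossip roots between providers), but the consistency checks a client performs are the ones above.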

Posted on April 6, 2016 at 10:27 AM | 13 Comments

WhatsApp is Now End-to-End Encrypted

WhatsApp is now end-to-end encrypted.

Here's the WhatsApp security page, and here's the technical whitepaper.

EDITED TO ADD: Slashdot thread. HackerNews thread. More news articles.

EDITED TO ADD (4/6): Another article.

Posted on April 5, 2016 at 10:04 AM | 106 Comments


Schneier on Security is a personal website. Opinions expressed are not necessarily those of Resilient Systems, Inc.