September 19, 2006
Hezbollah Cracked Israel’s Crypto
Newsday has a story that, if true, is fascinating. They are reporting that, using technology supplied by Iran, Hezbollah fighters were able to listen in on Israeli radio communications. They of course used this intel to evade the advancing units and counterattack.
“We were able to monitor Israeli communications, and we used this information to adjust our planning,” said a Hezbollah commander involved in the battles, speaking on the condition of anonymity. The official refused to detail how Hezbollah was able to intercept and decipher Israeli transmissions. He acknowledged that guerrillas were not able to hack into Israeli communications around the clock.
…a former Israeli general, who spoke on the condition of anonymity, said Hezbollah’s ability to secretly hack into military transmissions had “disastrous” consequences for the Israeli offensive.
For some interesting reading on this, try Ross Anderson’s Security Engineering on Electronic and Information Warfare [PDF]. This attack also reminds me of the man-in-the-middle attack he talks about in Chapter 2 [PDF].
Hezbollah cracked the code [Newsday]
Read More: Threats, Crypto, Government
July 12, 2006
State Department Hacked, Turns off SSL in Response
Interesting:
The State Department is recovering from large-scale computer break-ins worldwide over the past several weeks that appeared to target its headquarters and offices dealing with China and North Korea, The Associated Press has learned. Investigators believe hackers stole sensitive U.S. information and passwords and implanted backdoors in unclassified government computers to allow them to return at will, said U.S. officials familiar with the hacking.
Their response is even more interesting:
State Department’s emergency response severely limited Internet access at many locations… The department also temporarily disabled a technology known as secure sockets layer, used to transmit encrypted information over the Internet. Hackers can exploit weaknesses in this technology to break into computers, and they can use the same technology to transmit stolen information covertly off a victim’s network.
Yet again, this demonstrates that crypto can be used for you or against you.
Agency recovers from computer break-ins [Yahoo/AP]
Read More: Threats, Crypto, Investigations, Government
July 7, 2006
Less than 1% of Data Records Breached Result in Identity Theft
The non-profit Privacy Rights Clearinghouse has compiled a summary of all the published data breaches since the ChoicePoint breach in Feb 2005:
TOTAL number of records containing sensitive personal information involved in security breaches: 88,795,619
When will the madness stop? The real challenge is knowing which of these breaches is meaningful. The best data (pdf) I’ve seen says that only 8.9 million people actually reported having their identities stolen, and that number is actually decreasing:
In the last twelve months, 8.9 million American adults (4.0% of US adult population) became victims of identity fraud, an 11.9% decrease from 2003.
Also, if this data is right, 90% of those breaches were by non-electronic means. By my count, that means that less than 1% (~890,000 people) were actually affected by a data breach. While this is a significant number, it’s not the crisis the news makes it out to be.
What’s happening with the other 99% of these records? They are lost. People lose things.
We need something other than data breach reporting. They are becoming so common, and actually affecting so few people, that the noise is drowning out the true signal of what people should be worried about.
Until we get sensible regulations about these things there are a few things that security professionals can be doing to make sure their company doesn’t add to the statistics:
- Encrypt portable devices - laptops, thumb drives, etc.
- Encrypt backup tapes
- Implement good access controls on your databases where sensitive data is held.
- Educate users about the risks. Use all the examples in the PRC’s report to make your point.
- Pray.
A Chronology of Data Breaches Reported Since the ChoicePoint Incident [privacyrights.org]
2006 Identity Fraud Survey Report (PDF) [Javelin Strategy and Research]
Also useful is the PRC’s link to the Consumers Union compilation of all the relevant state laws. When can we get one national standard?
Notice of Security Breach State Laws (PDF) [Consumers Union]
Read More: Threats, Crypto, Investigations
June 15, 2006
Thumb Drive Found in al-Zarqawi’s Pocket
Thankfully the former head of al-Qaida in Iraq hadn’t discovered laptop or flash drive encryption:
Al-Rubaie said a laptop, flashdrive and other documents were found in the debris after the airstrike that killed the al-Qaida in Iraq leader last week outside Baqouba, and more information has been uncovered in raids of other insurgent hideouts since then.
He called it a “huge treasure … a huge amount of information.”
When asked how he could be sure the information was authentic, al-Rubaie said “there is nothing more authentic than finding a thumbdrive in his pocket.”
Well actually I have every confidence that the NSA could have read it anyway, or at least cracked his password (I’d start with 1nf1d3lsMustD13).
But let this be a reminder that your organization should always encrypt its strategic information.
Iraq Announces Info From Al-Zarqawi Raid [AP / myway news]
Read More: Threats, Crypto, Passwords, D' Oh!, Investigations, Government
May 4, 2006
BMW: The Ultimate Hacking Experience
BMW’s X5 SUVs seem to have a slight <cough>flaw</cough> in their authentication systems. The net effect: Thieves have used laptops to steal two of European soccer star David Beckham’s X5s.
Because the decryption process can take a while - up to 20 minutes, according to Hart - the thieves usually wait to find the car in a secluded area where it will be left for a long period. That is believed to be what happened to Mr. Beckham - the crooks followed him to the mall where he was to have lunch, and went to work on his X5 after it was parked.
Now that’s strong encryption.
Maybe Mr. Beckham should stay away from wireless technologies altogether.
Gone in 20 Minutes: using laptops to steal cars [Left Lane News] (via Engadget)
Read More: Threats, Crypto, Authentication, Vulnerabilities, Theft, Wireless
May 2, 2006
New Tactics of SSL Evading Trojans
ComputerWorld has a scary article about the strategies being utilized by some of the more advanced trojans to bypass SSL and even the most advanced authentication. Among the strategies they are using:
- Stealing passwords via keystroke loggers, plus taking screen shots of secondary authentication mechanisms like on-screen keyboards.
- Creating a man-in-the-middle site on the user’s own computer and using that to harvest credentials, while still proxying them on to the real site.
- And, my favorite, using the existing authenticated channel to the bank:
The Trojan then manipulates the underlying transaction, so that what the user thinks is happening is different from what’s actually transpiring on the site’s servers…When the user successfully authenticates, the Trojan opens a hidden browser window, reads the user’s account balance, and creates another hidden window that initiates a secret transfer.
I may be transferring all my money to First National Bank of the Mattress soon.
Read More: Threats, Web, Crypto, Passwords, Phishing
Windows Vista’s Bitlocker Overview
Bruce has a good overview of the upcoming features of BitLocker, the whole disk encryption feature of Windows Vista. In typical style, he analyzes the encryption (thumbs up), and talks about the practicalities of implementation:
For most people, basic mode is the best. People will keep their USB key in their computer bag with their laptop, so it won’t add much security. But if you can force users to attach it to their keychains — remember that you only need the key to boot the computer, not to operate the computer — and convince them to go through the trouble of sticking it in their computer every time they boot, then you’ll get a higher level of security.
This is a particularly timely feature as large organizations try to deal with data leakage by lost or stolen hardware. There certainly is enough of it happening.
The real question will be manageability. XP SP2 firewall is adequate for most purposes, but most large organizations don’t use it because it’s difficult to manage on a large scale.
Read More: Threats, Crypto
April 20, 2006
Crypto is Fun!
…Or at least that’s what Mathematics Awareness Month would have you believe. The focus of this year’s awareness campaign is Cryptography and its role in Internet Security. NPR has a good piece on it. Seemed like a good time to do our part to share some good crypto resources. Here’s some linkage:
- Email Newsletters: Bruce Schneier’s Cryptogram and RSA’s Cryptobytes.
- Books: Bruce Schneier’s Practical Cryptography and Applied Cryptography (If you really want to nerd out), and Code Breakers (more historical, more interesting stories).
- Websites: Wikipedia Article, Gary Kessler’s Overview of Crypto
Now, go get your crypto on!