Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

CRYPTOGRAM

7 views
Skip to first unread message

Cornelis Tromp

unread,
Aug 16, 2016, 11:01:50 AM8/16/16
to


CRYPTO-GRAM

August 15, 2016

by Bruce Schneier
CTO, Resilient, an IBM Company
schn...@schneier.com
https://www.schneier.com


A free monthly newsletter providing summaries, analyses, insights, and commentaries on security:
computer and otherwise.

For back issues, or to subscribe, visit <https://www.schneier.com/crypto-gram.html>.

You can read this issue on the web at <https://www.schneier.com/crypto-gram/archives/2016/0815.html>. These same essays and news items appear in the "Schneier on Security" blog at <http://www.schneier.com/blog>, along with a lively and intelligent comment section. An RSS feed is available.


** *** ***** ******* *********** *************

In this issue:
The Security of Our Election Systems
Hacking the Vote
News
Real-World Security and the Internet of Things
Schneier News
Hacking Your Computer Monitor
More on the Vulnerabilities Equities Process


** *** ***** ******* *********** *************

The Security of Our Election Systems



Russia was behind the hacks into the Democratic National Committee's computer network that led to
the release of thousands of internal e-mails just before the party's convention began, U.S.
intelligence agencies have reportedly concluded.

The FBI is investigating. WikiLeaks promises there is more data to come. The political nature of
this cyberattack means that Democrats and Republicans are trying to spin this as much as possible.
Even so, we have to accept that someone is attacking our nation's computer systems in an apparent
attempt to influence a presidential election. This kind of cyberattack targets the very core of our
democratic process. And it points to the possibility of an even worse problem in November -- that
our election systems and our voting machines could be vulnerable to a similar attack.

If the intelligence community has indeed ascertained that Russia is to blame, our government needs
to decide what to do in response. This is difficult because the attacks are politically partisan,
but it is essential. If foreign governments learn that they can influence our elections with
impunity, this opens the door for future manipulations, both document thefts and dumps like this
one that we see and more subtle manipulations that we don't see.

Retaliation is politically fraught and could have serious consequences, but this is an attack
against our democracy. We need to confront Russian President Vladimir Putin in some way --
politically, economically or in cyberspace -- and make it clear that we will not tolerate this kind
of interference by any government. Regardless of your political leanings this time, there's no
guarantee the next country that tries to manipulate our elections will share your preferred
candidates.

Even more important, we need to secure our election systems before autumn. If Putin's government
has already used a cyberattack to attempt to help Trump win, there's no reason to believe he won't
do it again -- especially now that Trump is inviting the "help."

Over the years, more and more states have moved to electronic voting machines and have flirted with
Internet voting. These systems are insecure and vulnerable to attack.

But while computer security experts like me have sounded the alarm for many years, states have
largely ignored the threat, and the machine manufacturers have thrown up enough obfuscating babble
that election officials are largely mollified.

We no longer have time for that. We must ignore the machine manufacturers' spurious claims of
security, create tiger teams to test the machines' and systems' resistance to attack, drastically
increase their cyber-defenses and take them offline if we can't guarantee their security online.

Longer term, we need to return to election systems that are secure from manipulation. This means
voting machines with voter-verified paper audit trails, and no Internet voting. I know it's slower
and less convenient to stick to the old-fashioned way, but the security risks are simply too great.

There are other ways to attack our election system on the Internet besides hacking voting machines
or changing vote tallies: deleting voter records, hijacking candidate or party websites, targeting
and intimidating campaign workers or donors. There have already been multiple instances of
political doxing -- publishing personal information and documents about a person or organization --
and we could easily see more of it in this election cycle. We need to take these risks much more
seriously than before.

Government interference with foreign elections isn't new, and in fact, that's something the United
States itself has repeatedly done in recent history. Using cyberattacks to influence elections is
newer but has been done before, too -- most notably in Latin America. Hacking of voting machines
isn't new, either. But what is new is a foreign government interfering with a U.S. national
election on a large scale. Our democracy cannot tolerate it, and we as citizens cannot accept it.

Last April, the Obama administration issued an executive order outlining how we as a nation respond
to cyberattacks against our critical infrastructure. While our election technology was not
explicitly mentioned, our political process is certainly critical. And while they're a hodgepodge
of separate state-run systems, together their security affects every one of us. After everyone has
voted, it is essential that both sides believe the election was fair and the results accurate.
Otherwise, the election has no legitimacy.

Election security is now a national security issue; federal officials need to take the lead, and
they need to do it quickly.

This essay originally appeared in the "Washington Post."
https://www.washingtonpost.com/posteverything/wp/2016/07/27/by-november-russian-hackers-could-
target-voting-machines/

DNC Hack:
http://www.nytimes.com/2016/07/27/world/europe/russia-dnc-hack-emails.html
http://www.cnn.com/2016/07/26/politics/julian-assange-dnc-email-leak-hack/
http://www.defenseone.com/technology/2016/07/how-putin-weaponized-wikileaks-influence-election-
american-president/130163/
http://arstechnica.com/security/2016/06/guest-editorial-the-dnc-hack-and-dump-is-what-cyberwar-
looks-like/
https://www.balloon-juice.com/2016/07/26/we-are-at-cyber-war-so-what-exactly-do-we-do-about-it/

How hackers could influence an election:
http://www.huffingtonpost.com/michael-gregg/top-six-ways-hackers-coul_b_7832730.html

Trump and Russia:
http://talkingpointsmemo.com/edblog/trump-putin-yes-it-s-really-a-thing
https://www.washingtonpost.com/politics/democratic-national-convention-obama-biden-kaine-set-to-
tout-clinton-as-commander-in-chief/2016/07/27/afc57884-53e8-11e6-bbf5-957ad17b4385_story.html

Electronic voting machine insecurities:
http://arstechnica.com/tech-policy/2015/04/meet-the-e-voting-machine-so-easy-to-hack-it-will-take-
your-breath-away/

Insecurity of voting machines:
https://www.statslife.org.uk/significance/politics/2288-how-trustworthy-are-electronic-voting-
systems-in-the-us
https://www.salon.com/2011/09/27/votinghack/
https://www.theguardian.com/us-news/2015/apr/15/virginia-hacking-voting-machines-security
http://whowhatwhy.org/2015/08/31/foreigners-could-hack-us-elections-experts-say/
http://www.popsci.com/gadgets/article/2012-11/how-i-hacked-electronic-voting-machine
https://www.schneier.com/blog/archives/2004/11/the_problem_wit.html
https://www.giac.org/paper/gsec/3687/inherent-problems-electronic-voting-systems/105962
http://homepage.cs.uiowa.edu/~jones/voting/congress.html
https://cs.stanford.edu/people/eroberts/cs181/projects/2006-07/electronic-
voting/index_files/page0004.html
https://citp.princeton.edu/research/voting/

Relevant cartoon:
https://xkcd.com/463/

Diebold's spurious security claims:
https://www.salon.com/2006/09/13/diebold_3/

The importance of voter-verified paper audit trails:
http://votingmachines.procon.org/view.answers.php?questionID=000291

The insecurity of Internet voting:
http://engineering.jhu.edu/magazine/2016/06/internet-voting-nonstarter/
https://www.verifiedvoting.org/resources/internet-voting/vote-online/
http://www.scientificamerican.com/article.cfm?id=2012-presidential-election-electronic-voting

Targeting voter records:
http://thehill.com/policy/cybersecurity/278231-election-fraud-feared-as-hackers-target-voter-records

Political doxing:
https://www.schneier.com/blog/archives/2015/11/the_rise_of_pol.html

Influencing Latin American elections with cyberattacks:
http://www.bloomberg.com/features/2016-how-to-hack-an-election/

Obama's executive order on cyberattack response:
https://www.whitehouse.gov/blog/2015/04/01/our-latest-tool-combat-cyber-attacks-what-you-need-know
https://www.whitehouse.gov/blog/2015/04/01/expanding-our-ability-combat-cyber-threats
https://medium.com/the-white-house/a-new-tool-against-cyber-threats-1a30c188bc4#.jgbalohyi
https://www.whitehouse.gov/the-press-office/2015/04/01/executive-order-blocking-property-certain-
persons-engaging-significant-m


** *** ***** ******* *********** *************

Hacking the Vote



Russia has attacked the US in cyberspace in an attempt to influence our national election, many
experts have concluded. We need to take this national security threat seriously and both respond
and defend, despite the partisan nature of this particular attack.

There is virtually no debate about that, either from the technical experts who analyzed the attack
last month or the FBI which is analyzing it now. The hackers have already released DNC e-mails and
voicemails, and promise more data dumps.

While their motivation remains unclear, they could continue to attack our election from now to
November -- and beyond.

Like everything else in society, elections have gone digital. And just as we've seen cyberattacks
affecting all aspects of society, we're going to see them affecting elections as well.

What happened to the DNC is an example of organizational doxing -- the publishing of private
information -- an increasingly popular tactic against both government and private organizations.
There are other ways to influence elections: denial-of-service attacks against candidate and party
networks and websites, attacks against campaign workers and donors, attacks against voter rolls or
election agencies, hacks of the candidate websites and social media accounts, and -- the one that
scares me the most -- manipulation of our highly insecure but increasingly popular electronic
voting machines.

On the one hand, this attack is a standard intelligence gathering operation, something the NSA does
against political targets all over the world and other countries regularly do to us. The only thing
different between this attack and the more common Chinese and Russian attacks against our
government networks is that the Russians apparently decided to publish selected pieces of what they
stole in an attempt to influence our election, and to use WikiLeaks as a way to both hide their
origin and give them a veneer of respectability.

All of the attacks listed above can be perpetrated by other countries and by individuals as well.
They've been done in elections in other countries. They've been done in other contexts. The
Internet broadly distributes power, and what was once the sole purview of nation states is now in
the hands of the masses. We're living in a world where disgruntled people with the right hacking
skills can influence our elections, wherever they are in the world.

The Snowden documents have shown the world how aggressive our own intelligence agency is in
cyberspace. But despite all of the policy analysis that has gone into our own national
cybersecurity, we seem perpetually taken by surprise when we are attacked. While foreign
interference in national elections isn't new, and something the US has repeatedly done, electronic
interference is a different animal.

The Obama administration is considering how to respond, but politics will get in the way. Were this
an attack against a popular Internet company, or a piece of our physical infrastructure, we would
all be together in response. But because these attacks affect one political party, the other party
benefits. Even worse, the benefited candidate is actively inviting more foreign attacks against his
opponent, though he now says he was just being sarcastic. Any response from the Obama
administration or the FBI will be viewed through this partisan lens, especially because the
president is a Democrat.

We need to rise above that. These threats are real and they affect us all, regardless of political
affiliation. That this particular attack targeted the DNC is no indication of who the next attack
might target. We need to make it clear to the world that we will not accept interference in our
political process, whether by foreign countries or lone hackers.

However we respond to this act of aggression, we also need to increase the security of our election
systems against all threats -- and quickly.

We tend to underestimate threats that haven't happened -- we discount them as "theoretical" -- and
overestimate threats that have happened at least once. The terrorist attacks of 9/11 are a showcase
example of that: administration officials ignored all the warning signs, and then drastically
overreacted after the fact. These Russian attacks against our voting system have happened. And they
will happen again, unless we take action.

If a foreign country attacked US critical infrastructure, we would respond as a nation against the
threat. But if that attack falls along political lines, the response is more complicated. It
shouldn't be. This is a national security threat against our democracy, and needs to be treated as
such.

This essay previously appeared on CNN.com.
http://edition.cnn.com/2016/07/28/opinions/hackers-election-opinion-schneier/

More evidence pointing to Russia:
http://www.cnn.com/2016/07/27/politics/dnc-hacking-emails-russia-white-house/

Organizational doxing:
https://www.schneier.com/blog/archives/2015/07/organizational_.html

How hackers could influence an election:
http://www.huffingtonpost.com/michael-gregg/top-six-ways-hackers-coul_b_7832730.html
http://www.bloomberg.com/features/2016-how-to-hack-an-election/

Foreign interference in US elections:
https://www.washingtonpost.com/posteverything/wp/2016/07/26/why-would-russia-interfere-in-the-u-s-
election-because-it-usually-works/

US interference in foreign elections:
https://www.lawfareblog.com/what-old-and-new-and-scary-russias-probable-dnc-hack

US response:
http://www.nytimes.com/2016/07/28/us/politics/donald-trump-russia-clinton-emails.html

Election interference as cyberattack:
https://www.balloon-juice.com/2016/07/26/we-are-at-cyber-war-so-what-exactly-do-we-do-about-it/


** *** ***** ******* *********** *************

News



This is a piece of near-future fiction about a cyberattack on New York, including hacking of cars,
the water system, hospitals, elevators, and the power grid. Although it is definitely a movie-plot
attack, all the individual pieces are plausible and will certainly happen individually and
separately. Worth reading -- it's probably the best example of this sort of thing to date.
http://nymag.com/daily/intelligencer/2016/06/the-hack-that-could-take-down-nyc.html

Stealing money from ISPs through premium-rate calls:
https://www.schneier.com/blog/archives/2016/07/stealing_money_.html

Two researchers are working on a system to detect spoofed messages sent to automobiles by
fingerprinting the clock skew of the various computer components within the car, and then detecting
when those skews are off. It's a clever system, with applications outside of automobiles (and isn't
new).
https://www.wired.com/2016/07/clever-tool-shields-car-hacks-watching-internal-clocks/
https://homes.cs.washington.edu/~yoshi/papers/PDF/KoBrCl05PDF-lowres.pdf
https://kabru.eecs.umich.edu/wordpress/wp-content/uploads/sec16-final165_final.pdf

DARPA document: "On Countering Strategic Deception." Old, but interesting. The document was
published by DARPA in 1973, and approved for release in 2007. It examines the role of deception on
strategic warning systems, and possible actions to protect from strategic foreign deception.
http://documents.theblackvault.com/documents/defenseissues/OnCounteringStrategicDeception.pdf

Good essay pointing out the absurdity of comparing cyberweapons with nuclear weapons.
http://www.slate.com/articles/technology/future_tense/2016/03/cyberweapons_are_not_like_nuclear_wea
pons.html

The "Economist" has an article on the potential hacking of the global financial system, either for
profit or to cause mayhem. It's reasonably balanced.
http://worldif.economist.com/article/12136/joker-pack

Here's the story of how the owner of Kickass Torrents was tracked.
https://www.engadget.com/2016/07/21/kickasstorrents-apple-facebook-homeland-security/
https://www.techdirt.com/articles/20160720/16162535023/kickass-torrents-gets-megaupload-treatment-
site-seized-owner-arrested-charged-with-criminal-infringement.shtml

Interesting law journal paper from 2014: "Intelligence Legalism and the National Security Agency's
Civil Liberties Gap," by Margo Schlanger:
http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2495844
https://www.justsecurity.org/7485/nsas-culture-legal-compliance-breaks-law/
https://www.justsecurity.org/17393/ics-legalism-morals-manipulating-rules/

Andrew "bunnie" Huang and Edward Snowden have designed a smartphone case that detects unauthorized
transmissions by the phone. Looks like a clever design. Of course, it has to be outside the device;
otherwise, it could be compromised along with the device. Note that this is still in the research
design stage; there are no public prototypes.
https://www.pubpub.org/pub/direct-radio-introspection/
https://www.theguardian.com/us-news/2016/jul/21/phone-case-privacy-data-monitor-bluetooth-wifi-
snowden-introspection-engine
https://www.wired.com/2016/07/snowden-designs-device-warn-iphones-radio-snitches/
http://www.bbc.com/news/technology-36865209

I spend a lot of time in my book "Liars and Outliers" on cooperating versus defecting. Cooperating
is good for the group at the expense of the individual. Defecting is good for the individual at the
expense of the group. Given that evolution concerns individuals, there has been a lot of
controversy over how altruism might have evolved. Here's one possible answer: it's favored by
chance.
https://www.sciencedaily.com/releases/2016/07/160719124256.htm
http://www.pnas.org/content/113/32/E4745.abstract
Related article:
http://arstechnica.com/science/2016/07/cooperation-can-help-boost-your-reputation/

Most wireless keyboards are unencrypted, which makes them vulnerable to all sorts of attacks.
https://www.wired.com/2016/07/radio-hack-steals-keystrokes-millions-wireless-keyboards/
http://searchsecurity.techtarget.com/news/450301194/KeySniffer-vulnerability-enables-eavesdropping-
on-wireless-keyboards
http://www.geek.com/news/hack-steals-keystrokes-from-millions-of-wireless-keyboards-1663684/
http://www.darkreading.com/vulnerabilities---threats/mousejack-researchers-uncover-major-wireless-
keyboard-vulnerability/d/d-id/1326391
http://www.keysniffer.net/affected-devices/
https://www.bastille.net/affected-devices

Earlier this month, President Obama issued a policy directive (PPD-41) on cyber-incident response
coordination. The FBI is in charge, which is no surprise. Actually, there's not much surprising in
the document. I suppose it's important to formalize this stuff, but I think it's what happens now.
https://www.whitehouse.gov/the-press-office/2016/07/26/presidential-policy-directive-united-states-
cyber-incident
http://www.natlawreview.com/article/white-house-releases-presidential-policy-directive-us-cyber-
incident-response
http://www.computerworld.com/article/3100625/security/fbi-to-lead-nations-cyberattack-responses.html
https://www.lawfareblog.com/overview-and-analysis-ppd-41-us-cyber-incident-coordination
https://www.fbi.gov/news/stories/new-us-cyber-security-policy-solidifies-fbi-as-key-cyber-leader

NIST is no longer recommending two-factor authentication systems that use SMS, because of their
many insecurities. In the latest draft of its Digital Authentication Guideline, there's the line:
"[Out of band verification] using SMS is deprecated, and will no longer be allowed in future
releases of this guidance."
https://pages.nist.gov/800-63-3/sp800-63b.html
https://techcrunch.com/2016/07/25/nist-declares-the-age-of-sms-based-2-factor-authentication-over/
http://www.eweek.com/security/nist-says-sms-based-two-factor-authentication-isnt-secure.html
https://threatpost.com/nist-recommends-sms-two-factor-authentication-deprecation/119507/
http://fortune.com/2016/07/26/nist-sms-two-factor/

It's easy to spoof GPS signals, and hard to defend against.
http://spectrum.ieee.org/telecom/security/protecting-gps-from-spoofers-is-critical-to-the-future-of-
navigation

I've been saying for years that requiring frequent password changes is bad security advice, that it
encourages poor passwords. Lorrie Cranor, now the FTC's chief technologist, agrees:
http://arstechnica.com/security/2016/08/frequent-password-changes-are-the-enemy-of-security-ftc-
technologist-says/

Another hijack attack against vehicles, this time trucks and buses.
https://www.wired.com/2016/08/researchers-hack-big-rig-truck-hijack-accelerator-brakes

Good article on voting machine security.
https://www.wired.com/2016/08/americas-voting-machines-arent-ready-election/

Citizen Lab has a new report on an Iranian government hacking program that targets dissidents.
https://www.washingtonpost.com/posteverything/wp/2016/08/02/how-foreign-governments-spy-using-email-
and-powerpoint/
https://citizenlab.org/2016/08/group5-syria/
http://bigstory.ap.org/article/6ab1ab75e89e480a9d12befd3fea4115/experts-iranian-link-attempted-hack-
syrian-dissident

EFF has the story of malware from the Kazakhstan government against "journalists and political
activists critical of Kazakhstan's authoritarian government, along with their family members,
lawyers, and associates."
https://www.eff.org/press/releases/malware-linked-government-kazakhstan-targets-journalists-
political-activists-lawyers

At Defcon last weekend, researchers demonstrated hacks against Bluetooth door locks and Internet-
enabled thermostats.
http://www.tomsguide.com/us/bluetooth-lock-hacks-defcon2016,news-23129.html
https://boingboing.net/2016/08/08/proof-of-concept-ransomware-fo.html

Scott Atran has done some really interesting research on why ordinary people become terrorists.
https://www.sciencenews.org/article/new-studies-explore-why-ordinary-people-turn-terrorist
http://www.journals.uchicago.edu/doi/abs/10.1086/685495
http://www.journals.uchicago.edu/doi/full/10.1086/686221

We're seeing car thefts in the wild accomplished through hacking:
http://fortune.com/2016/08/06/houston-car-hackers/

Nice hack against electronic safes:
https://www.wired.com/2016/08/hacker-unlocks-high-security-electronic-safes-without-trace/

Some minimal information about the NSA's abilities to hack networks via submarine.
https://www.washingtonpost.com/news/the-switch/wp/2016/07/29/america-is-hacking-other-countries-
with-stealthy-submarines

In a cautionary tale to those who favor government-mandated back doors to security systems,
Microsoft accidentally leaked the key protecting its UEFI Secure boot feature. As we all know, the
problems with back doors are less the cryptography and more the systems surrounding the
cryptography.
http://appleinsider.com/articles/16/08/10/oops-microsoft-leaks-its-golden-key-unlocking-windows-
secure-boot-and-exposing-the-danger-of-backdoors
http://arstechnica.co.uk/security/2016/08/microsoft-secure-boot-firmware-snafu-leaks-golden-key/
http://www.theregister.co.uk/2016/08/10/microsoft_secure_boot_ms16_100/

Both Kaspersky and Symantec have uncovered another piece of malware that seems to be a government
design. It's called either "ProjectSauron" or "Remsec," and is impressive. We don't know who
designed this, but it certainly seems likely to be a country with a serious cyberespionage budget.
https://securelist.com/files/2016/07/The-ProjectSauron-APT_research_KL.pdf
http://www.symantec.com/connect/blogs/strider-cyberespionage-group-turns-eye-sauron-targets


** *** ***** ******* *********** *************

Real-World Security and the Internet of Things



Disaster stories involving the Internet of Things are all the rage. They feature cars (both driven
and driverless), the power grid, dams, and tunnel ventilation systems. A particularly vivid and
realistic one, near-future fiction published last month in "New York Magazine," described a
cyberattack on New York that involved hacking of cars, the water system, hospitals, elevators, and
the power grid. In these stories, thousands of people die. Chaos ensues. While some of these
scenarios overhype the mass destruction, the individual risks are all real. And traditional
computer and network security isn't prepared to deal with them.

Classic information security is a triad: confidentiality, integrity, and availability. You'll see
it called "CIA," which admittedly is confusing in the context of national security. But basically,
the three things I can do with your data are steal it (confidentiality), modify it (integrity), or
prevent you from getting it (availability).

So far, Internet threats have largely been about confidentiality. These can be expensive; one
survey estimated that data breaches cost an average of $3.8 million each. They can be embarrassing,
as in the theft of celebrity photos from Apple's iCloud in 2014 or the Ashley Madison breach in
2015. They can be damaging, as when the government of North Korea stole tens of thousands of
internal documents from Sony or when hackers stole data about 83 million customer accounts from
JPMorgan Chase, both in 2014. They can even affect national security, as in the case of the Office
of Personnel Management data breach by -- presumptively -- China in 2015.

On the Internet of Things, integrity and availability threats are much worse than confidentiality
threats. It's one thing if your smart door lock can be eavesdropped upon to know who is home. It's
another thing entirely if it can be hacked to allow a burglar to open the door -- or prevent you
from opening your door. A hacker who can deny you control of your car, or take over control, is
much more dangerous than one who can eavesdrop on your conversations or track your car's location.

With the advent of the Internet of Things and cyber-physical systems in general, we've given the
Internet hands and feet: the ability to directly affect the physical world. What used to be attacks
against data and information have become attacks against flesh, steel, and concrete.

Today's threats include hackers crashing airplanes by hacking into computer networks, and remotely
disabling cars, either when they're turned off and parked or while they're speeding down the
highway. We're worried about manipulated counts from electronic voting machines, frozen water pipes
through hacked thermostats, and remote murder through hacked medical devices. The possibilities are
pretty literally endless. The Internet of Things will allow for attacks we can't even imagine.

The increased risks come from three things: software control of systems, interconnections between
systems, and automatic or autonomous systems. Let's look at them in turn:

*Software Control*. The Internet of Things is a result of everything turning into a computer. This
gives us enormous power and flexibility, but it brings insecurities with it as well. As more things
come under software control, they become vulnerable to all the attacks we've seen against
computers. But because many of these things are both inexpensive and long-lasting, many of the
patch and update systems that work with computers and smartphones won't work. Right now, the only
way to patch most home routers is to throw them away and buy new ones. And the security that comes
from replacing your computer and phone every few years won't work with your refrigerator and
thermostat: on the average, you replace the former every 15 years, and the latter approximately
never. A recent Princeton survey found 500,000 insecure devices on the Internet. That number is
about to explode.

*Interconnections*. As these systems become interconnected, vulnerabilities in one lead to attacks
against others. Already we've seen Gmail accounts compromised through vulnerabilities in Samsung
smart refrigerators, hospital IT networks compromised through vulnerabilities in medical devices,
and Target Corporation hacked through a vulnerability in its HVAC system. Systems are filled with
externalities that affect other systems in unforeseen and potentially harmful ways. What might seem
benign to the designers of a particular system becomes harmful when it's combined with some other
system. Vulnerabilities on one system cascade into other systems, and the result is a vulnerability
that no one saw coming and no one bears responsibility for fixing. The Internet of Things will make
exploitable vulnerabilities much more common. It's simple mathematics. If 100 systems are all
interacting with each other, that's about 5,000 interactions and 5,000 potential vulnerabilities
resulting from those interactions. If 300 systems are all interacting with each other, that's
45,000 interactions. 1,000 systems: 12.5 million interactions. Most of them will be benign or
uninteresting, but some of them will be very damaging.

*Autonomy*. Increasingly, our computer systems are autonomous. They buy and sell stocks, turn the
furnace on and off, regulate electricity flow through the grid, and -- in the case of driverless
cars -- automatically pilot multi-ton vehicles to their destinations. Autonomy is great for all
sorts of reasons, but from a security perspective it means that the effects of attacks can take
effect immediately, automatically, and ubiquitously. The more we remove humans from the loop,
faster attacks can do their damage and the more we lose our ability to rely on actual smarts to
notice something is wrong before it's too late.

We're building systems that are increasingly powerful, and increasingly useful. The necessary side
effect is that they are increasingly dangerous. A single vulnerability forced Chrysler to recall
1.4 million vehicles in 2015. We're used to computers being attacked at scale -- think of the large-
scale virus infections from the last decade -- but we're not prepared for this happening to
everything else in our world.

Governments are taking notice. Last year, both Director of National Intelligence James Clapper and
NSA Director Mike Rogers testified before Congress, warning of these threats. They both believe
we're vulnerable.

This is how it was phrased in the DNI's 2015 Worldwide Threat Assessment: "Most of the public
discussion regarding cyber threats has focused on the confidentiality and availability of
information; cyber espionage undermines confidentiality, whereas denial-of-service operations and
data-deletion attacks undermine availability. In the future, however, we might also see more cyber
operations that will change or manipulate electronic information in order to compromise its
integrity (i.e. accuracy and reliability) instead of deleting it or disrupting access to it.
Decision-making by senior government officials (civilian and military), corporate executives,
investors, or others will be impaired if they cannot trust the information they are receiving."

The DNI 2016 threat assessment included something similar: "Future cyber operations will almost
certainly include an increased emphasis on changing or manipulating data to compromise its
integrity (i.e., accuracy and reliability) to affect decision making, reduce trust in systems, or
cause adverse physical effects. Broader adoption of IoT devices and AI -- in settings such as
public utilities and healthcare -- will only exacerbate these potential effects."

Security engineers are working on technologies that can mitigate much of this risk, but many
solutions won't be deployed without government involvement. This is not something that the market
can solve. Like data privacy, the risks and solutions are too technical for most people and
organizations to understand; companies are motivated to hide the insecurity of their own systems
from their customers, their users, and the public; the interconnections can make it impossible to
connect data breaches with resultant harms; and the interests of the companies often don't match
the interests of the people.

Governments need to play a larger role: setting standards, policing compliance, and implementing
solutions across companies and networks. And while the White House Cybersecurity National Action
Plan says some of the right things, it doesn't nearly go far enough, because so many of us are
phobic of any government-led solution to anything.

The next president will probably be forced to deal with a large-scale Internet disaster that kills
multiple people. I hope he or she responds with both the recognition of what government can do that
industry can't, and the political will to make it happen.

This essay previously appeared on Vice Motherboard:
https://motherboard.vice.com/read/the-internet-of-things-will-cause-the-first-ever-large-scale-
internet-disaster

Overhyping mass destruction:
https://www.schneier.com/essays/archives/2005/09/terrorists_dont_do_m.html

Estimated cost of a data breach:
https://securityintelligence.com/cost-of-a-data-breach-2015/

Integrity and availability threats are much worse:
https://www.schneier.com/blog/archives/2016/01/integrity_and_a.html

Attacks against smart door locks:
https://www.wired.com/2016/05/flaws-samsungs-smart-home-let-hackers-unlock-doors-set-off-fire-
alarms/

Giving the Internet hands and feet:
https://www.schneier.com/blog/archives/2016/02/the_internet_of_1.html

Hacking airplanes:
http://www.wired.com/2015/05/possible-passengers-hack-commercial-aircraft
https://www.schneier.com/blog/archives/2015/04/hacking_airplan.html

Hacking cars:
http://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway/

Hacking electronic voting machines:
https://www.schneier.com/blog/archives/2004/11/the_problem_wit.html

Hacking thermostats:
http://www.networkworld.com/article/2905053/security0/smart-home-hacking-is-easier-than-you-
think.html

Hacking medical devices:
http://www.informationweek.com/partner-perspectives/bitdefender/hacking-vulnerable-medical-
equipment-puts-millions-at-risk/a/d-id/1319873

Princeton survey:
https://freedom-to-tinker.com/blog/feamster/who-will-secure-the-internet-of-things/

Gmail attack
http://www.networkworld.com/article/2976270/internet-of-things/smart-refrigerator-hack-exposes-
gmail-login-credentials.html

Medical device attack:
http://www.meddeviceonline.com/doc/medjacking-how-hackers-use-medical-devices-to-launch-cyber-
attacks-0001

Target attack:
http://krebsonsecurity.com/2014/02/target-hackers-broke-in-via-hvac-company/

Jeep recall:
https://www.wired.com/2015/07/jeep-hack-chrysler-recalls-1-4m-vehicles-bug-fix/

James Clapper's comments:
http://www.scmagazine.com/intelligence-committee-hosts-cybersecurity-hearing/article/438202

Mike Rogers's comments:
http://thehill.com/policy/cybersecurity/254977-officials-worried-hackers-will-change-your-data-not-
steal-it

2015 DNI Threat Assessment:
http://www.dni.gov/files/documents/Unclassified_2015_ATA_SFR_-_SASC_FINAL.pdf

2016 DNI Threat Assessment:
http://www.armed-services.senate.gov/imo/media/doc/Clapper_02-09-16.pdf

Market failures of the Internet of Things
https://www.schneier.com/essays/archives/2014/01/the_internet_of_thin.html

Cybersecurity National Action Plan:
https://www.whitehouse.gov/the-press-office/2016/02/09/fact-sheet-cybersecurity-national-action-plan

BoingBoing post:
https://boingboing.net/2016/07/25/bruce-schneier-on-the-coming-i.html

Another essay that agrees with me:
http://cloudblog.ericsson.com/why-bruce-is-right-and-what-industrialized-blockchains-can-solve


** *** ***** ******* *********** *************

Schneier News



I did an "Ask Me Anything" on Reddit earlier this month.
https://www.reddit.com/r/security/comments/4vs90j/bruce_schneier_ama_live_here_from_13_pm_est/?st=i
rdlqlh5&sh=dafd3051

My Reddit AMA from 2013.
http://www.reddit.com/r/IAmA/comments/1r8ibh/iama_security_technologist_and_author_bruce

I was interviewed on WGBH on the security of voting systems.
http://news.wgbh.org/2016/08/04/boston-public-radio-podcast/after-dnc-hack-whats-stopping-russian-
hackers-accessing


** *** ***** ******* *********** *************

Hacking Your Computer Monitor



Here's an interesting hack against a computer's monitor:

A group of researchers has found a way to hack directly into
the tiny computer that controls your monitor without getting
into your actual computer, and both see the pixels displayed on
the monitor -- effectively spying on you -- and also manipulate
the pixels to display different images.

I've written a lot about the Internet of Things, and how everything is now a computer. But while
it's true for cars and refrigerators and thermostats, it's also true for all the parts of your
computer. Your keyboard, hard drives, and monitor are all individual computers, and what you think
of as your computer is actually a collection of computers working together. So just as the NSA
directly attacks the computer that is the hard drive, this attack targets the computer that is your
monitor.

https://motherboard.vice.com/read/hackers-could-break-into-your-monitor-to-spy-on-you-and-
manipulate-your-pixels

NSA attacking hard drives:
https://motherboard.vice.com/read/the-only-way-you-can-delete-this-nsa-malware-is-to-smash-your-
hard-drive-to-bits


** *** ***** ******* *********** *************

More on the Vulnerabilities Equities Process



The Open Technology Institute of the New America Foundation has released a policy paper on the
vulnerabilities equities process: "Bugs in the System: A Primer on the Software Vulnerability
Ecosystem and its Policy Implications."

Their policy recommendations:

* Minimize participation in the vulnerability black market.
* Establish strong, clear procedures for disclosure when it discovers and acquires vulnerability.
* Establish rules for government hacking.
* Support bug bounty programs.
* Reform the DMCA and CFAA so they encourage responsible vulnerability disclosure.

It's a good document, and worth reading.

https://www.newamerica.org/oti/policy-papers/bugs-system/


** *** ***** ******* *********** *************

Since 1998, CRYPTO-GRAM has been a free monthly newsletter providing summaries, analyses, insights, and commentaries on security: computer and otherwise. You can subscribe, unsubscribe, or change your address on the Web at <https://www.schneier.com/crypto-gram.html>. Back issues are also available at that URL.

Please feel free to forward CRYPTO-GRAM, in whole or in part, to colleagues and friends who will
find it valuable. Permission is also granted to reprint CRYPTO-GRAM, as long as it is reprinted in
its entirety.

CRYPTO-GRAM is written by Bruce Schneier. Bruce Schneier is an internationally renowned security technologist, called a "security guru" by The Economist. He is the author of 13 books -- including his latest, "Data and Goliath" -- as well as hundreds of articles, essays, and academic papers. His influential newsletter "Crypto-Gram" and his blog "Schneier on Security" are read by over 250,000 people. He has testified before Congress, is a frequent guest on television and radio, has served on several government committees, and is regularly quoted in the press. Schneier is a fellow at the Berkman Center for Internet and Society at Harvard Law School, a program fellow at the New America Foundation's Open Technology Institute, a board member of the Electronic Frontier Foundation, an Advisory Board Member of the Electronic Privacy Information Center, and the Chief Technology Officer at Resilient, an IBM Company. See <https://www.schneier.com>.

Crypto-Gram is a personal newsletter. Opinions expressed are not necessarily those of Resilient, an
IBM Company.

Copyright (c) 2016 by Bruce Schneier.

** *** ***** ******* *********** *************





0 new messages