Bruce Schneier - sfeed_tests - sfeed tests and RSS and Atom files
git clone git://git.codemadness.org/sfeed_tests
---
Bruce Schneier (33068B)
---
<?xml version="1.0" encoding="UTF-8"?><feed
xmlns="http://www.w3.org/2005/Atom"
xmlns:thr="http://purl.org/syndication/thread/1.0"
xml:lang="en-US"
xml:base="https://www.schneier.com/wp-atom.php"

xmlns:georss="http://www.georss.org/georss"
xmlns:geo="http://www.w3.org/2003/01/geo/wgs84_pos#"
>
<title type="text">Schneier on Security</title>
<subtitle type="text"></subtitle>

<updated>2020-09-19T02:20:55Z</updated>

<link rel="alternate" type="text/html" href="https://www.schneier.com" />
<id>https://www.schneier.com/feed/atom/</id>
<link rel="self" type="application/atom+xml" href="https://www.schneier.com/feed/atom/" />


<icon>https://www.schneier.com/wp-content/uploads/2020/06/cropped-favicon-1-32x32.png</icon>
<entry>
<author>
<name>Bruce Schneier</name>
</author>

<title type="html"><![CDATA[Friday Squid Blogging: Nano-Sized SQUIDS]]></title>
<link rel="alternate" type="text/html" href="https://www.schneier.com/blog/archives/2020/09/friday-squid-blogging-nano-sized-squids.html" />

<id>https://www.schneier.com/?p=60205</id>
<updated>2020-09-17T15:35:15Z</updated>
<published>2020-09-18T21:14:59Z</published>
<category scheme="https://www.schneier.com" term="Uncategorized" /><category scheme="https://www.schneier.com" term="squid" />
<summary type="html"><![CDATA[<p>SQUID news:</p>
<blockquote><p>Physicists have developed a small, compact <a href="https://aip.scitation.org/doi/10.1063/1.2354545">superconducting quantum interference device</a> (SQUID) that can detect magnetic fields. The team l focused on the instrument’s core, which contains two parallel layers of <a href="https://www.graphenea.com/pages/graphene#.X1hJcdZS9QI">graphene</a>.</p></blockquote>
<p>As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered.</p>
<p>Read my blog posting guidelines <a href="https://www.schneier.com/blog/archives/2017/03/commenting_poli.html">here</a>.</p>
]]></summary>

<content type="html" xml:base="https://www.schneier.com/blog/archives/2020/09/friday-squid-blogging-nano-sized-squids.html"><![CDATA[<p>SQUID news:</p>
<blockquote><p>Physicists have developed a small, compact <a href="https://aip.scitation.org/doi/10.1063/1.2354545">superconducting quantum interference device</a> (SQUID) that can detect magnetic fields. The team l focused on the instrument’s core, which contains two parallel layers of <a href="https://www.graphenea.com/pages/graphene#.X1hJcdZS9QI">graphene</a>.</p></blockquote>
<p>As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered.</p>
<p>Read my blog posting guidelines <a href="https://www.schneier.com/blog/archives/2017/03/commenting_poli.html">here</a>.</p>
]]></content>

<link rel="replies" type="text/html" href="https://www.schneier.com/blog/archives/2020/09/friday-squid-blogging-nano-sized-squids.html#comments" thr:count="5"/>
<link rel="replies" type="application/atom+xml" href="https://www.schneier.com/blog/archives/2020/09/friday-squid-blogging-nano-sized-squids.html/feed/atom/" thr:count="5"/>
<thr:total>5</thr:total>
</entry>
<entry>
<author>
<name>Bruce Schneier</name>
</author>

<title type="html"><![CDATA[Nihilistic Password Security Questions]]></title>
<link rel="alternate" type="text/html" href="https://www.schneier.com/blog/archives/2020/09/nihilistic-password-security-questions.html" />

<id>https://www.schneier.com/?p=60246</id>
<updated>2020-09-19T02:20:55Z</updated>
<published>2020-09-18T19:08:32Z</published>
<category scheme="https://www.schneier.com" term="Uncategorized" /><category scheme="https://www.schneier.com" term="humor" /><category scheme="https://www.schneier.com" term="passwords" /><category scheme="https://www.schneier.com" term="security questions" />
<summary type="html"><![CDATA[<p>Posted three years ago, but definitely <a href="https://www.mcsweeneys.net/articles/nihilistic-password-security-questions/">appropriate for the times</a>.</p>
]]></summary>

<content type="html" xml:base="https://www.schneier.com/blog/archives/2020/09/nihilistic-password-security-questions.html"><![CDATA[<p>Posted three years ago, but definitely <a href="https://www.mcsweeneys.net/articles/nihilistic-password-security-questions/">appropriate for the times</a>.</p>
]]></content>

<link rel="replies" type="text/html" href="https://www.schneier.com/blog/archives/2020/09/nihilistic-password-security-questions.html#comments" thr:count="5"/>
<link rel="replies" type="application/atom+xml" href="https://www.schneier.com/blog/archives/2020/09/nihilistic-password-security-questions.html/feed/atom/" thr:count="5"/>
<thr:total>5</thr:total>
</entry>
<entry>
<author>
<name>Bruce Schneier</name>
</author>

<title type="html"><![CDATA[Matt Blaze on OTP Radio Stations]]></title>
<link rel="alternate" type="text/html" href="https://www.schneier.com/blog/archives/2020/09/matt-blaze-on-otp-radio-stations.html" />

<id>https://www.schneier.com/?p=60209</id>
<updated>2020-09-15T15:50:35Z</updated>
<published>2020-09-18T11:09:01Z</published>
<category scheme="https://www.schneier.com" term="Uncategorized" /><category scheme="https://www.schneier.com" term="one-time pads" /><category scheme="https://www.schneier.com" term="radio" />
<summary type="html"><![CDATA[<p>Matt Blaze <a href="https://twitter.com/mattblaze/status/1303769018411757569">discusses</a> an interesting mystery about a Cuban one-time-pad radio station, and a random number generator error that probably helped arrest a pair of Russian spies in the US.</p>
]]></summary>

<content type="html" xml:base="https://www.schneier.com/blog/archives/2020/09/matt-blaze-on-otp-radio-stations.html"><![CDATA[<p>Matt Blaze <a href="https://twitter.com/mattblaze/status/1303769018411757569">discusses</a> an interesting mystery about a Cuban one-time-pad radio station, and a random number generator error that probably helped arrest a pair of Russian spies in the US.</p>
]]></content>

<link rel="replies" type="text/html" href="https://www.schneier.com/blog/archives/2020/09/matt-blaze-on-otp-radio-stations.html#comments" thr:count="12"/>
<link rel="replies" type="application/atom+xml" href="https://www.schneier.com/blog/archives/2020/09/matt-blaze-on-otp-radio-stations.html/feed/atom/" thr:count="12"/>
<thr:total>12</thr:total>
</entry>
<entry>
<author>
<name>Bruce Schneier</name>
</author>

<title type="html"><![CDATA[New Bluetooth Vulnerability]]></title>
<link rel="alternate" type="text/html" href="https://www.schneier.com/blog/archives/2020/09/new-bluetooth-vulnerability.html" />

<id>https://www.schneier.com/?p=60212</id>
<updated>2020-09-15T15:48:50Z</updated>
<published>2020-09-17T11:18:27Z</published>
<category scheme="https://www.schneier.com" term="Uncategorized" /><category scheme="https://www.schneier.com" term="authentication" /><category scheme="https://www.schneier.com" term="Bluetooth" /><category scheme="https://www.schneier.com" term="iPhone" /><category scheme="https://www.schneier.com" term="man-in-the-middle attacks" /><category scheme="https://www.schneier.com" term="patching" /><category scheme="https://www.schneier.com" term="vulnerabilities" />
<summary type="html"><![CDATA[<p>There’s a new unpatched <a href="https://gizmodo.com/bluetooth-unveils-its-latest-security-issue-with-no-se-1845013709">Bluetooth vulnerability</a>:</p>
<blockquote><p>The issue is with a protocol called Cross-Transport Key Derivation (or CTKD, for short). When, say, an iPhone is getting ready to pair up with Bluetooth-powered device, CTKD’s role is to set up two separate authentication keys for that phone: one for a “Bluetooth Low Energy” device, and one for a device using what’s known as the “Basic Rate/Enhanced Data Rate” standard. Different devices require different amounts of data — and battery power — from a phone. Being able to toggle between the standards needed for Bluetooth devices that take a ton of data (like a Chromecast), and those that require a bit less (like a smartwatch) is more efficient. Incidentally, it might also be less secure...</p></blockquote>]]></summary>

<content type="html" xml:base="https://www.schneier.com/blog/archives/2020/09/new-bluetooth-vulnerability.html"><![CDATA[<p>There’s a new unpatched <a href="https://gizmodo.com/bluetooth-unveils-its-latest-security-issue-with-no-se-1845013709">Bluetooth vulnerability</a>:</p>
<blockquote><p>The issue is with a protocol called Cross-Transport Key Derivation (or CTKD, for short). When, say, an iPhone is getting ready to pair up with Bluetooth-powered device, CTKD’s role is to set up two separate authentication keys for that phone: one for a “Bluetooth Low Energy” device, and one for a device using what’s known as the “Basic Rate/Enhanced Data Rate” standard. Different devices require different amounts of data — and battery power — from a phone. Being able to toggle between the standards needed for Bluetooth devices that take a ton of data (like a Chromecast), and those that require a bit less (like a smartwatch) is more efficient. Incidentally, it might also be less secure.</p>
<p>According to the researchers, if a phone supports both of those standards but doesn’t require some sort of authentication or permission on the user’s end, a hackery sort who’s within Bluetooth range can use its CTKD connection to derive its own competing key. With that connection, according to the researchers, this sort of erzatz authentication can also allow bad actors to weaken the encryption that these keys use in the first place — which can open its owner up to more attacks further down the road, or perform “man in the middle” style attacks that snoop on unprotected data being sent by the phone’s apps and services.</p></blockquote>
<p>Another <a href="https://www.zdnet.com/article/blurtooth-vulnerability-lets-attackers-overwrite-bluetooth-authentication-keys/">article</a>:</p>
<blockquote><p>Patches are not immediately available at the time of writing. The only way to protect against BLURtooth attacks is to control the environment in which Bluetooth devices are paired, in order to prevent man-in-the-middle attacks, or pairings with rogue devices carried out via social engineering (tricking the human operator).</p>
<p>However, patches are expected to be available at one point. When they’ll be, they’ll most likely be integrated as firmware or operating system updates for Bluetooth capable devices.</p>
<p>The timeline for these updates is, for the moment, unclear, as device vendors and OS makers usually work on different timelines, and some may not prioritize security patches as others. The number of vulnerable devices is also unclear and hard to quantify.</p></blockquote>
<p>Many Bluetooth devices can’t be patched.</p>
<p>Final note: this seems to be another example of simultaneous discovery:</p>
<blockquote><p>According to the Bluetooth SIG, the BLURtooth attack was discovered independently by two groups of academics from the École Polytechnique Fédérale de Lausanne (EPFL) and Purdue University.</p></blockquote>
]]></content>

<link rel="replies" type="text/html" href="https://www.schneier.com/blog/archives/2020/09/new-bluetooth-vulnerability.html#comments" thr:count="7"/>
<link rel="replies" type="application/atom+xml" href="https://www.schneier.com/blog/archives/2020/09/new-bluetooth-vulnerability.html/feed/atom/" thr:count="7"/>
<thr:total>7</thr:total>
</entry>
<entry>
<author>
<name>Bruce Schneier</name>
</author>

<title type="html"><![CDATA[How the FIN7 Cybercrime Gang Operates]]></title>
<link rel="alternate" type="text/html" href="https://www.schneier.com/blog/archives/2020/09/how-the-fin7-cybercrime-gang-operates.html" />

<id>https://www.schneier.com/?p=60195</id>
<updated>2020-09-09T19:03:25Z</updated>
<published>2020-09-16T11:00:01Z</published>
<category scheme="https://www.schneier.com" term="Uncategorized" /><category scheme="https://www.schneier.com" term="crime" /><category scheme="https://www.schneier.com" term="cybercrime" /><category scheme="https://www.schneier.com" term="hacking" />
<summary type="html"><![CDATA[<p>The Grugq has written an <a href="https://sec.okta.com/articles/2020/08/crimeops-operational-art-cyber-crime">excellent essay</a> on how the Russian cybercriminal gang FIN7 operates. An excerpt:</p>
<blockquote><p>The secret of FIN7’s success is their <b>operational art of cyber crime.</b> They managed their resources and operations effectively, allowing them to successfully attack and exploit hundreds of victim organizations. FIN7 was not the most elite hacker group, but they developed a number of fascinating innovations. Looking at the process triangle (people, process, technology), their technology wasn’t sophisticated, but their people management and business processes were...</p></blockquote>]]></summary>

<content type="html" xml:base="https://www.schneier.com/blog/archives/2020/09/how-the-fin7-cybercrime-gang-operates.html"><![CDATA[<p>The Grugq has written an <a href="https://sec.okta.com/articles/2020/08/crimeops-operational-art-cyber-crime">excellent essay</a> on how the Russian cybercriminal gang FIN7 operates. An excerpt:</p>
<blockquote><p>The secret of FIN7’s success is their <b>operational art of cyber crime.</b> They managed their resources and operations effectively, allowing them to successfully attack and exploit hundreds of victim organizations. FIN7 was not the most elite hacker group, but they developed a number of fascinating innovations. Looking at the process triangle (people, process, technology), their technology wasn’t sophisticated, but their people management and business processes were.</p>
<p>Their business… is crime! And every business needs business goals, so I wrote a mock FIN7 mission statement:</p>
<blockquote><p><i>Our mission is to proactively leverage existing long-term, high-impact growth strategies so that we may deliver the kind of results on the bottom line that our investors expect and deserve.</i></p></blockquote>
<p>How does FIN7 actualize this vision? This is CrimeOps:</p>
<ul>
<li>Repeatable business process
<li>CrimeBosses manage workers, projects, data and money.
<li>CrimeBosses don’t manage technical innovation. They use incremental improvement to TTP to remain effective, but no more
<li>Frontline workers don’t need to innovate (because the process is repeatable)</ul>
</blockquote>
]]></content>

<link rel="replies" type="text/html" href="https://www.schneier.com/blog/archives/2020/09/how-the-fin7-cybercrime-gang-operates.html#comments" thr:count="9"/>
<link rel="replies" type="application/atom+xml" href="https://www.schneier.com/blog/archives/2020/09/how-the-fin7-cybercrime-gang-operates.html/feed/atom/" thr:count="9"/>
<thr:total>9</thr:total>
</entry>
<entry>
<author>
<name>Bruce Schneier</name>
</author>

<title type="html"><![CDATA[Privacy Analysis of Ambient Light Sensors]]></title>
<link rel="alternate" type="text/html" href="https://www.schneier.com/blog/archives/2020/09/privacy-analysis-of-ambient-light-sensors.html" />

<id>https://www.schneier.com/?p=60193</id>
<updated>2020-09-09T18:51:01Z</updated>
<published>2020-09-15T11:10:40Z</published>
<category scheme="https://www.schneier.com" term="Uncategorized" /><category scheme="https://www.schneier.com" term="academic papers" /><category scheme="https://www.schneier.com" term="privacy" /><category scheme="https://www.schneier.com" term="risks" /><category scheme="https://www.schneier.com" term="security engineering" />
<summary type="html"><![CDATA[<p>Interesting <a href="https://lukaszolejnik.com/SheddingLightWebPrivacyImpactAssessmentIWPE20.pdf">privacy analysis</a> of the Ambient Light Sensor API. And a <a href="https://blog.lukaszolejnik.com/shedding-light-on-designing-web-features-with-privacy-risks-impact-assessments-case-study/">blog post</a>. Especially note the “Lessons Learned” section.</p>
]]></summary>

<content type="html" xml:base="https://www.schneier.com/blog/archives/2020/09/privacy-analysis-of-ambient-light-sensors.html"><![CDATA[<p>Interesting <a href="https://lukaszolejnik.com/SheddingLightWebPrivacyImpactAssessmentIWPE20.pdf">privacy analysis</a> of the Ambient Light Sensor API. And a <a href="https://blog.lukaszolejnik.com/shedding-light-on-designing-web-features-with-privacy-risks-impact-assessments-case-study/">blog post</a>. Especially note the “Lessons Learned” section.</p>
]]></content>

<link rel="replies" type="text/html" href="https://www.schneier.com/blog/archives/2020/09/privacy-analysis-of-ambient-light-sensors.html#comments" thr:count="8"/>
<link rel="replies" type="application/atom+xml" href="https://www.schneier.com/blog/archives/2020/09/privacy-analysis-of-ambient-light-sensors.html/feed/atom/" thr:count="8"/>
<thr:total>8</thr:total>
</entry>
<entry>
<author>
<name>Bruce Schneier</name>
</author>

<title type="html"><![CDATA[Upcoming Speaking Engagements]]></title>
<link rel="alternate" type="text/html" href="https://www.schneier.com/blog/archives/2020/09/upcoming-speaking-engagements.html" />

<id>https://www.schneier.com/?p=60221</id>
<updated>2020-09-17T03:07:59Z</updated>
<published>2020-09-15T02:15:11Z</published>
<category scheme="https://www.schneier.com" term="Uncategorized" /><category scheme="https://www.schneier.com" term="Schneier news" />
<summary type="html"><![CDATA[<p>This is a current list of where and when I am scheduled to speak:</p>
<ul>
<li>I’m speaking at the <a href="https://www.law.umn.edu/events/cybersecurity-law-policy-scholars-virtual-conference">Cybersecurity Law & Policy Scholars Virtual Conference</a> on September 17, 2020.</li>
<li>I’m keynoting the Canadian Internet Registration Authority’s online symposium, <a href="https://member.cira.ca/Events/CanadiansConnected/Events/About.aspx">Canadians Connected</a>, on Wednesday, September 23, 2020.</li>
<li>I’m giving a webinar as part of the <a href="https://one-conference.nl/">Online One Conference 2020</a> on September 29, 2020.</li>
<li>I’m speaking at the <a href="https://www.isc2.org/Congress">(ISC)² Security Congress 2020</a>, November 16-18, 2020.</li>
</ul>
<p>The list is maintained on <a href="https://www.schneier.com/events/">this page</a>.</p>
]]></summary>

<content type="html" xml:base="https://www.schneier.com/blog/archives/2020/09/upcoming-speaking-engagements.html"><![CDATA[<p>This is a current list of where and when I am scheduled to speak:</p>
<ul>
<li>I’m speaking at the <a href="https://www.law.umn.edu/events/cybersecurity-law-policy-scholars-virtual-conference">Cybersecurity Law & Policy Scholars Virtual Conference</a> on September 17, 2020.</li>
<li>I’m keynoting the Canadian Internet Registration Authority’s online symposium, <a href="https://member.cira.ca/Events/CanadiansConnected/Events/About.aspx">Canadians Connected</a>, on Wednesday, September 23, 2020.</li>
<li>I’m giving a webinar as part of the <a href="https://one-conference.nl/">Online One Conference 2020</a> on September 29, 2020.</li>
<li>I’m speaking at the <a href="https://www.isc2.org/Congress">(ISC)² Security Congress 2020</a>, November 16-18, 2020.</li>
</ul>
<p>The list is maintained on <a href="https://www.schneier.com/events/">this page</a>.</p>
]]></content>

<link rel="replies" type="text/html" href="https://www.schneier.com/blog/archives/2020/09/upcoming-speaking-engagements.html#comments" thr:count="3"/>
<link rel="replies" type="application/atom+xml" href="https://www.schneier.com/blog/archives/2020/09/upcoming-speaking-engagements.html/feed/atom/" thr:count="3"/>
<thr:total>3</thr:total>
</entry>
<entry>
<author>
<name>Bruce Schneier</name>
</author>

<title type="html"><![CDATA[Interesting Attack on the EMV Smartcard Payment Standard]]></title>
<link rel="alternate" type="text/html" href="https://www.schneier.com/blog/archives/2020/09/interesting-attack-on-the-emv-smartcard-payment-standard.html" />

<id>https://www.schneier.com/?p=60190</id>
<updated>2020-09-09T18:50:12Z</updated>
<published>2020-09-14T11:21:36Z</published>
<category scheme="https://www.schneier.com" term="Uncategorized" /><category scheme="https://www.schneier.com" term="academic papers" /><category scheme="https://www.schneier.com" term="credit cards" /><category scheme="https://www.schneier.com" term="fraud" /><category scheme="https://www.schneier.com" term="man-in-the-middle attacks" /><category scheme="https://www.schneier.com" term="PINs" /><category scheme="https://www.schneier.com" term="point of sale" /><category scheme="https://www.schneier.com" term="smart cards" /><category scheme="https://www.schneier.com" term="smartphones" />
<summary type="html"><![CDATA[<p>It’s <a href="https://arxiv.org/pdf/2006.08249.pdf">complicated</a>, but it’s basically a man-in-the-middle attack that involves two smartphones. The first phone reads the actual smartcard, and then forwards the required information to a second phone. That second phone actually conducts the transaction on the POS terminal. That second phone is able to convince the POS terminal to conduct the transaction without requiring the normally required PIN.</p>
<p>From a <a href="https://techxplore.com/news/2020-09-outsmarting-pin-code.html">news article</a>:</p>
<blockquote><p>The researchers were able to demonstrate that it is possible to exploit the vulnerability in practice, although it is a fairly complex process. They first developed an Android app and installed it on two NFC-enabled mobile phones. This allowed the two devices to read data from the credit card chip and exchange information with payment terminals. Incidentally, the researchers did not have to bypass any special security features in the Android operating system to install the app...</p></blockquote>]]></summary>

<content type="html" xml:base="https://www.schneier.com/blog/archives/2020/09/interesting-attack-on-the-emv-smartcard-payment-standard.html"><![CDATA[<p>It’s <a href="https://arxiv.org/pdf/2006.08249.pdf">complicated</a>, but it’s basically a man-in-the-middle attack that involves two smartphones. The first phone reads the actual smartcard, and then forwards the required information to a second phone. That second phone actually conducts the transaction on the POS terminal. That second phone is able to convince the POS terminal to conduct the transaction without requiring the normally required PIN.</p>
<p>From a <a href="https://techxplore.com/news/2020-09-outsmarting-pin-code.html">news article</a>:</p>
<blockquote><p>The researchers were able to demonstrate that it is possible to exploit the vulnerability in practice, although it is a fairly complex process. They first developed an Android app and installed it on two NFC-enabled mobile phones. This allowed the two devices to read data from the credit card chip and exchange information with payment terminals. Incidentally, the researchers did not have to bypass any special security features in the Android operating system to install the app.</p>
<p>To obtain unauthorized funds from a third-party credit card, the first mobile phone is used to scan the necessary data from the credit card and transfer it to the second phone. The second phone is then used to simultaneously debit the amount at the checkout, as many cardholders do nowadays. As the app declares that the customer is the authorized user of the credit card, the vendor does not realize that the transaction is fraudulent. The crucial factor is that the app outsmarts the card’s security system. Although the amount is over the limit and requires PIN verification, no code is requested.</p></blockquote>
<p>The paper: “<a href="https://arxiv.org/pdf/2006.08249.pdf">The EMV Standard: Break, Fix, Verify</a>.”</p>
<blockquote><p><b>Abstract:</b> EMV is the international protocol standard for smartcard payment and is used in over 9 billion cards worldwide. Despite the standard’s advertised security, various issues have been previously uncovered, deriving from logical flaws that are hard to spot in EMV’s lengthy and complex specification, running over 2,000 pages.</p>
<p>We formalize a comprehensive symbolic model of EMV in Tamarin, a state-of-the-art protocol verifier. Our model is the first that supports a fine-grained analysis of all relevant security guarantees that EMV is intended to offer. We use our model to automatically identify flaws that lead to two critical attacks: one that defrauds the cardholder and another that defrauds the merchant. First, criminals can use a victim’s Visa contact-less card for high-value purchases, without knowledge of the card’s PIN. We built a proof-of-concept Android application and successfully demonstrated this attack on real-world payment terminals. Second, criminals can trick the terminal into accepting an unauthentic offline transaction, which the issuing bank should later decline, after the criminal has walked away with the goods. This attack is possible for implementations following the standard, although we did not test it on actual terminals for ethical reasons. Finally, we propose and verify improvements to the standard that prevent these attacks, as well as any other attacks that violate the considered security properties.The proposed improvements can be easily implemented in the terminals and do not affect the cards in circulation.</p></blockquote>
]]></content>

<link rel="replies" type="text/html" href="https://www.schneier.com/blog/archives/2020/09/interesting-attack-on-the-emv-smartcard-payment-standard.html#comments" thr:count="17"/>
<link rel="replies" type="application/atom+xml" href="https://www.schneier.com/blog/archives/2020/09/interesting-attack-on-the-emv-smartcard-payment-standard.html/feed/atom/" thr:count="17"/>
<thr:total>17</thr:total>
</entry>
<entry>
<author>
<name>Bruce Schneier</name>
</author>

<title type="html"><![CDATA[Friday Squid Blogging: Calamari vs. Squid]]></title>
<link rel="alternate" type="text/html" href="https://www.schneier.com/blog/archives/2020/09/friday-squid-blogging-calamari-vs-squid.html" />

<id>https://www.schneier.com/?p=60202</id>
<updated>2020-09-11T18:24:48Z</updated>
<published>2020-09-11T21:05:03Z</published>
<category scheme="https://www.schneier.com" term="Uncategorized" /><category scheme="https://www.schneier.com" term="squid" />
<summary type="html"><![CDATA[<p><i>St. Louis Magazine</i> answers the important question: “<a href="https://www.stlmag.com/dining/ask-george-is-there-a-difference-between-calamari-and-squid/">Is there a difference between calamari and squid?”</a> Short answer: no.</p>
<p>As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered.</p>
<p>Read my blog posting guidelines <a href="https://www.schneier.com/blog/archives/2017/03/commenting_poli.html">here</a>.</p>
]]></summary>

<content type="html" xml:base="https://www.schneier.com/blog/archives/2020/09/friday-squid-blogging-calamari-vs-squid.html"><![CDATA[<p><i>St. Louis Magazine</i> answers the important question: “<a href="https://www.stlmag.com/dining/ask-george-is-there-a-difference-between-calamari-and-squid/">Is there a difference between calamari and squid?”</a> Short answer: no.</p>
<p>As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered.</p>
<p>Read my blog posting guidelines <a href="https://www.schneier.com/blog/archives/2017/03/commenting_poli.html">here</a>.</p>
]]></content>

<link rel="replies" type="text/html" href="https://www.schneier.com/blog/archives/2020/09/friday-squid-blogging-calamari-vs-squid.html#comments" thr:count="112"/>
<link rel="replies" type="application/atom+xml" href="https://www.schneier.com/blog/archives/2020/09/friday-squid-blogging-calamari-vs-squid.html/feed/atom/" thr:count="112"/>
<thr:total>112</thr:total>
</entry>
<entry>
<author>
<name>Bruce Schneier</name>
</author>

<title type="html"><![CDATA[Ranking National Cyber Power]]></title>
<link rel="alternate" type="text/html" href="https://www.schneier.com/blog/archives/2020/09/ranking-national-cyber-power.html" />

<id>https://www.schneier.com/?p=60187</id>
<updated>2020-09-11T13:52:02Z</updated>
<published>2020-09-11T11:15:08Z</published>
<category scheme="https://www.schneier.com" term="Uncategorized" /><category scheme="https://www.schneier.com" term="cyberwar" /><category scheme="https://www.schneier.com" term="power" /><category scheme="https://www.schneier.com" term="reports" />
<summary type="html"><![CDATA[<p>Harvard Kennedy School’s Belfer Center published the “<a href="https://www.belfercenter.org/sites/default/files/2020-09/NCPI_2020.pdf">National Cyber Power Index 2020: Methodology and Analytical Considerations</a>.” The rankings: 1. US, 2. China, 3. UK, 4. Russia, 5. Netherlands, 6. France, 7. Germany, 8. Canada, 9. Japan, 10. Australia, 11. Israel. More countries are in the document.</p>
<p>We could — and should — argue about the criteria and the methodology, but it’s good that someone is starting this conversation.</p>
<blockquote><p><b>Executive Summary</b>: The Belfer National Cyber Power Index (NCPI) measures 30 countries’ cyber capabilities in the context of seven national objectives, using 32 intent indicators and 27 capability indicators with evidence collected from publicly available data...</p></blockquote>]]></summary>

<content type="html" xml:base="https://www.schneier.com/blog/archives/2020/09/ranking-national-cyber-power.html"><![CDATA[<p>Harvard Kennedy School’s Belfer Center published the “<a href="https://www.belfercenter.org/sites/default/files/2020-09/NCPI_2020.pdf">National Cyber Power Index 2020: Methodology and Analytical Considerations</a>.” The rankings: 1. US, 2. China, 3. UK, 4. Russia, 5. Netherlands, 6. France, 7. Germany, 8. Canada, 9. Japan, 10. Australia, 11. Israel. More countries are in the document.</p>
<p>We could — and should — argue about the criteria and the methodology, but it’s good that someone is starting this conversation.</p>
<blockquote><p><b>Executive Summary</b>: The Belfer National Cyber Power Index (NCPI) measures 30 countries’ cyber capabilities in the context of seven national objectives, using 32 intent indicators and 27 capability indicators with evidence collected from publicly available data.</p>
<p>In contrast to existing cyber related indices, we believe there is no single measure of cyber power. Cyber Power is made up of multiple components and should be considered in the context of a country’s national objectives. We take an all-of-country approach to measuring cyber power. By considering “all-of-country” we include all aspects under the control of a government where possible. Within the NCPI we measure government strategies, capabilities for defense and offense, resource allocation, the private sector, workforce, and innovation. Our assessment is both a measurement of proven power and potential, where the final score assumes that the government of that country can wield these capabilities effectively.</p>
<p>The NCPI has identified seven national objectives that countries pursue using cyber means. The seven objectives are:</p>
<ol>
<li>Surveilling and Monitoring Domestic Groups;
<li>Strengthening and Enhancing National Cyber Defenses;
<li>Controlling and Manipulating the Information Environment;
<li>Foreign Intelligence Collection for National Security;
<li>Commercial Gain or Enhancing Domestic Industry Growth;
<li>Destroying or Disabling an Adversary’s Infrastructure and Capabilities; and,
<li>Defining International Cyber Norms and Technical Standards.</ol>
<p>In contrast to the broadly held view that cyber power means destroying or disabling an adversary’s infrastructure (commonly referred to as offensive cyber operations), offense is only one of these seven objectives countries pursue using cyber means.</p></blockquote>
]]></content>

<link rel="replies" type="text/html" href="https://www.schneier.com/blog/archives/2020/09/ranking-national-cyber-power.html#comments" thr:count="26"/>
<link rel="replies" type="application/atom+xml" href="https://www.schneier.com/blog/archives/2020/09/ranking-national-cyber-power.html/feed/atom/" thr:count="26"/>
<thr:total>26</thr:total>
</entry>
