AT2k Design BBS Message Area
From: Sean Rima
To: All
Subject: CRYPTO-GRAM, August 15, 2024 Part 1
Date/Time: September 23, 2024 9:22 PM

Crypto-Gram
August 15, 2024

by Bruce Schneier
Fellow and Lecturer, Harvard Kennedy School
schneier@schneier.com
https://www.schneier.com

A free monthly newsletter providing summaries, analyses, insights, and commentaries on security: computer and otherwise.

For back issues, or to subscribe, visit Crypto-Gram's web page.

Read this issue on the web

These same essays and news items appear in the Schneier on Security blog, along with a lively and intelligent comment section. An RSS feed is available.

** *** ***** ******* *********** *************

In this issue:

If these links don't work in your email client, try reading this issue of Crypto-Gram on the web.

  Hacking Scientific Citations
  Cloudflare Reports that Almost 7% of All Internet Traffic Is Malicious
  Criminal Gang Physically Assaulting People for Their Cryptocurrency
  Brett Solomon on Digital Rights
  Snake Mimics a Spider
  2017 ODNI Memo on Kaspersky Labs
  Robot Dog Internet Jammer
  Data Wallets Using the Solid Protocol
  The CrowdStrike Outage and Market-Driven Brittleness
  Compromising the Secure Boot Process
  New Research in Detecting AI-Generated Videos
  Providing Security Updates to Automobile Software
  Education in Secure Software Development
  Leaked GitHub Python Token
  New Patent Application for Car-to-Car Surveillance
  On the Cyber Safety Review Board
  Problems with Georgia’s Voter Registration Portal
  People-Search Site Removal Services Largely Ineffective
  Taxonomy of Generative AI Misuse
  On the Voynich Manuscript
  Texas Sues GM for Collecting Driving Data without Consent
  Upcoming Speaking Engagements

** *** ***** ******* *********** *************

Hacking Scientific Citations

[2024.07.15] Some scholars are inflating their reference counts by sneaking them into metadata:

Citations of scientific work abide by a standardized referencing system: Each reference explicitly mentions at least the title, authors’ names, publication year, journal or conference name, and page numbers of the cited publication.
These details are stored as metadata, not visible in the article’s text directly, but assigned to a digital object identifier, or DOI -- a unique identifier for each scientific publication.

References in a scientific publication allow authors to justify methodological choices or present the results of past studies, highlighting the iterative and collaborative nature of science.

However, we found through a chance encounter that some unscrupulous actors have added extra references, invisible in the text but present in the articles’ metadata, when they submitted the articles to scientific databases. The result? Citation counts for certain researchers or journals have skyrocketed, even though these references were not cited by the authors in their articles.

[...]

In the journals published by Technoscience Academy, at least 9% of recorded references were “sneaked references.” These additional references were only in the metadata, distorting citation counts and giving certain authors an unfair advantage. Some legitimate references were also lost, meaning they were not present in the metadata.

In addition, when analyzing the sneaked references, we found that they highly benefited some researchers. For example, a single researcher who was associated with Technoscience Academy benefited from more than 3,000 additional illegitimate citations. Some journals from the same publisher benefited from a couple hundred additional sneaked citations.

Be careful what you’re measuring, because that’s what you’ll get. Make sure it’s what you actually want.

** *** ***** ******* *********** *************

Cloudflare Reports that Almost 7% of All Internet Traffic Is Malicious

[2024.07.17] 6.8%, to be precise.

From ZDNet:

However, Distributed Denial of Service (DDoS) attacks continue to be cybercriminals’ weapon of choice, making up over 37% of all mitigated traffic. The scale of these attacks is staggering.
In the first quarter of 2024 alone, Cloudflare blocked 4.5 million unique DDoS attacks. That total is nearly a third of all the DDoS attacks they mitigated the previous year.

But it’s not just about the sheer volume of DDoS attacks. The sophistication of these attacks is increasing, too. Last August, Cloudflare mitigated a massive HTTP/2 Rapid Reset DDoS attack that peaked at 201 million requests per second (RPS). That number is three times bigger than any previously observed attack.

It wasn’t just Cloudflare that was hit by the largest DDoS attack in its history. Google Cloud reported the same attack peaked at an astonishing 398 million RPS. So, how big is that number? According to Google, Google Cloud was slammed by more RPS in two minutes than Wikipedia saw traffic during September 2023.

** *** ***** ******* *********** *************

Criminal Gang Physically Assaulting People for Their Cryptocurrency

[2024.07.18] This is pretty horrific:

...a group of men behind a violent crime spree designed to compel victims to hand over access to their cryptocurrency savings. That announcement and the criminal complaint laying out charges against St. Felix focused largely on a single theft of cryptocurrency from an elderly North Carolina couple, whose home St. Felix and one of his accomplices broke into before physically assaulting the two victims -- both in their seventies -- and forcing them to transfer more than $150,000 in Bitcoin and Ether to the thieves’ crypto wallets.

I think cryptocurrencies are more susceptible to this kind of real-world attack because they are largely outside the conventional banking system. Yet another reason to stay away from them.

** *** ***** ******* *********** *************

Brett Solomon on Digital Rights

[2024.07.19] Brett Solomon is retiring from AccessNow after fifteen years as its Executive Director. He’s written a blog post about what he’s learned and what comes next.

** *** ***** ******* *********** *************

Snake Mimics a Spider

[2024.07.22] This is a fantastic video. It’s an Iranian spider-tailed horned viper (Pseudocerastes urarachnoides). Its tail looks like a spider, which the snake uses to fool passing birds looking for a meal.

** *** ***** ******* *********** *************

2017 ODNI Memo on Kaspersky Labs

[2024.07.23] It’s heavily redacted, but still interesting.

Many more ODNI documents here.

** *** ***** ******* *********** *************

Robot Dog Internet Jammer

[2024.07.24] Supposedly the DHS has these:

The robot, called “NEO,” is a modified version of the “Quadruped Unmanned Ground Vehicle” (Q-UGV) sold to law enforcement by a company called Ghost Robotics. Benjamine Huffman, the director of DHS’s Federal Law Enforcement Training Centers (FLETC), told police at the 2024 Border Security Expo in Texas that DHS is increasingly worried about criminals setting “booby traps” with internet of things and smart home devices, and that NEO allows DHS to remotely disable the home networks of a home or building law enforcement is raiding. The Border Security Expo is open only to law enforcement and defense contractors. A transcript of Huffman’s speech was obtained by the Electronic Frontier Foundation’s Dave Maass using a Freedom of Information Act request and was shared with 404 Media.

“NEO can enter a potentially dangerous environment to provide video and audio feedback to the officers before entry and allow them to communicate with those in that environment,” Huffman said, according to the transcript. “NEO carries an onboard computer and antenna array that will allow officers the ability to create a ‘denial-of-service’ (DoS) event to disable ‘Internet of Things’ devices that could potentially cause harm while entry is made.”

Slashdot thread.

** *** ***** ******* *********** *************

Data Wallets Using the Solid Protocol

[2024.07.25] I am the Chief of Security Architecture at Inrupt, Inc., the company that is commercializing Tim Berners-Lee’s Solid open W3C standard for distributed data ownership. This week, we announced a digital wallet based on the Solid architecture.

Details are here, but basically a digital wallet is a repository for personal data and documents. Right now, there are hundreds of different wallets, but no standard. We think designing a wallet around Solid makes sense for lots of reasons. A wallet is more than a data store -- data in wallets is for using and sharing. That requires interoperability, which is what you get from an open standard. It also requires fine-grained permissions and robust security, and that’s what the Solid protocols provide.

---
 * Origin: High Portable Tosser at my node (618:500/14.1)