AT2k Design BBS Message Area
From: Sean Rima
To: All
Subject: CRYPTO-GRAM, August 15, 2024 Part 3
Date/Time: September 23, 2024 9:22 PM

Some background: The CSRB was established in 2021, by executive order, to
provide an independent analysis and assessment of significant cyberattacks
against the United States. The goal was to pierce the corporate confidentiality
that often surrounds such attacks and to provide the entire security community
with lessons and recommendations. The more we all know about what happened, the
better we can all do next time. It's the same thinking that led to the
formation of the National Transportation Safety Board, but for cyberattacks and
not plane crashes.

But the board immediately failed to live up to its mission. It was founded in
response to the Russian cyberattack on the U.S. known as SolarWinds. Although it
was specifically tasked with investigating that incident, it did not -- for
reasons that remain unclear.

So far, the board has published three reports. They offered only simplistic
recommendations. In the first investigation, on Log4j, the CSRB exhorted
companies to patch their systems faster and more often. In the second, on
Lapsus$, the CSRB told organizations not to use SMS-based two-factor
authentication (it's vulnerable to SIM-swapping attacks). These two
recommendations are basic cybersecurity hygiene, and not something we need an
investigation to tell us.

The most recent report -- on China's penetration of Microsoft -- is much
better. This time, the CSRB gave us an extensive analysis of Microsoft's
security failures and placed blame for the attack's success squarely on the
company's shoulders. Its recommendations were also more specific and extensive,
addressing Microsoft's board and leaders specifically and the industry more
generally. The report describes how Microsoft stopped rotating cryptographic
keys in early 2021, reducing the security of the systems affected in the hack.
The report suggests that if the company had set up an automated or manual key
rotation system, or a way to alert teams about the age of their keys, it could
have prevented the attack on its systems. The report also looked at how
Microsoft's competitors -- think Google, Oracle, and Amazon Web Services --
handle this issue, offering insights on how similar companies avoid mistakes.

Yet there are still problems, with the report itself and with the environment in
which it was produced.

First, the public report cites a large number of anonymous sources. While the
report lays blame for the breach on Microsoft's lax security culture, it is
actually quite deferential to Microsoft; it makes special mention of the
company's cooperation. If the board needed to make trades to get information
that would only be provided if people were given anonymity, this should be laid
out more explicitly for the sake of transparency. More importantly, the board
seems to have conflict-of-interest issues arising from the fact that the
investigators are corporate executives and heads of government agencies who have
full-time jobs.

Second: Unlike the NTSB, the CSRB lacks subpoena power. This is, at least in
part, out of fear that the conflicted tech executives and government employees
would use the power in an anticompetitive fashion. As a result, the board must
rely on wheedling and cooperation for its fact-finding. While the DHS press
release said, "Microsoft fully cooperated with the Board's review," the
next company may not be nearly as cooperative, and we do not know what was not
shared with the CSRB.

One of us, Tarah, recently testified on this topic before the U.S. Senate's
Homeland Security and Governmental Affairs Committee, and the senators asking
questions seemed genuinely interested in how to fix the CSRB's extreme
slowness and lack of transparency in the two reports they'd issued so far.

It's a hard task. The CSRB's charter comes from Executive Order 14028, which
is why -- unlike the NTSB -- it doesn't have subpoena power. Congress needs to
codify the CSRB in law and give it the subpoena power it so desperately needs.

Additionally, the CSRB's reports don't provide useful guidance going
forward. For example, the Microsoft report provides no mapping of the
company's security problems to any government standards that could have
prevented them. In this case, the problem is that there are no standards
overseen by NIST -- the organization in charge of cybersecurity standards -- for
key rotation. It would have been better for the report to have said that
explicitly. The cybersecurity industry needs NIST standards to give us a
compliance floor below which any organization is explicitly failing to provide
due care. The report condemns Microsoft for not rotating an internal encryption
key for seven years, when its standard internally was four years. However, for
the last several years, automated key rotation more on the order of once a month
or even more frequently has become the expected industry guideline.

A guideline, however, is not a standard or regulation. It's just a strongly
worded suggestion. In this specific case, the report doesn't offer guidance on
how often keys should be rotated. In essence, the CSRB report said that
Microsoft should feel very bad about the fact that they did not rotate their
keys more often -- but did not explain the logic, give an actual baseline of how
often keys should be rotated, or provide any statistical or survey data to
support why that timeline is appropriate. Automated certificate rotation such as
that provided by the free public service Let's Encrypt has revolutionized
encrypted-by-default communications, and expectations in the cybersecurity
industry have risen to match. Unfortunately, the report only discusses Microsoft
proprietary keys by brand name, instead of having a larger discussion of why
public key infrastructure exists or what the best practices should be.
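The two mechanisms the report wished for -- an alert on key age, and automated rotation against a fixed maximum lifetime -- are small enough to show end to end. The following is an added example written for this page; it is not code from the CSRB report, from Microsoft, or from any vendor named above. The key material is placeholder bytes rather than a real keypair, the clock is pinned to a fixed date so the run is reproducible, and the two policies (a four-year lifetime with a 90-day warning, and a 30-day lifetime with a 5-day warning) are assumed values chosen to mirror the cadences the essay contrasts. The one design point worth noticing is the overlap window: a retired key stops signing immediately but stays in the published set for a short time so that tokens already issued under it still verify.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple
import secrets

# Fixed clock so the example is reproducible (an assumption, not a real deployment date).
NOW = datetime(2024, 8, 15, tzinfo=timezone.utc)


@dataclass
class SigningKey:
    kid: str                             # key identifier published to verifiers
    created: datetime
    material: bytes                      # stands in for real private-key bytes
    retired: Optional[datetime] = None   # set when the key stops signing


@dataclass(frozen=True)
class RotationPolicy:
    max_age: timedelta      # a key may sign for at most this long
    warn_before: timedelta  # alert this long before max_age is reached
    overlap: timedelta      # a retired key stays verifiable for this long


# Two illustrative policies (values assumed): a multi-year one like the internal
# standard the essay mentions, and a monthly one like the cadence it calls expected.
FOUR_YEARS = RotationPolicy(timedelta(days=4 * 365), timedelta(days=90), timedelta(days=30))
MONTHLY = RotationPolicy(timedelta(days=30), timedelta(days=5), timedelta(days=2))


def mint_key(now: datetime) -> SigningKey:
    """Create a fresh key with a random kid; placeholder bytes, not a real keypair."""
    return SigningKey(kid=secrets.token_hex(8), created=now, material=secrets.token_bytes(32))


def key_status(key: SigningKey, policy: RotationPolicy, now: datetime) -> str:
    """Classify an active key: 'ok', 'warn' (deadline approaching) or 'overdue'."""
    age = now - key.created
    if age >= policy.max_age:
        return "overdue"
    if age >= policy.max_age - policy.warn_before:
        return "warn"
    return "ok"


def age_report(keyset: List[SigningKey], policy: RotationPolicy, now: datetime) -> List[Tuple[str, str]]:
    """Key-age alert: every active key that is near or past its rotation deadline."""
    alerts = []
    for key in keyset:
        if key.retired is None:
            status = key_status(key, policy, now)
            if status != "ok":
                alerts.append((key.kid, status))
    return alerts


def rotate(keyset: List[SigningKey], policy: RotationPolicy, now: datetime) -> List[SigningKey]:
    """Enforce the policy: retire overdue signers (they keep verifying through the
    overlap window so in-flight tokens still validate), purge keys whose overlap has
    elapsed, and mint a replacement when no active signer remains."""
    kept = []
    for key in keyset:
        if key.retired is None and key_status(key, policy, now) == "overdue":
            key.retired = now
        if key.retired is not None and now - key.retired >= policy.overlap:
            continue  # verification window over: drop it from the published set
        kept.append(key)
    if not any(key.retired is None for key in kept):
        kept.append(mint_key(now))
    return kept


def active_signer(keyset: List[SigningKey]) -> SigningKey:
    """The single key allowed to sign right now."""
    active = [key for key in keyset if key.retired is None]
    if len(active) != 1:
        raise ValueError(f"expected exactly one active signer, found {len(active)}")
    return active[0]


if __name__ == "__main__":
    # Constructed scenario: a key minted seven years ago under a four-year standard.
    legacy = SigningKey("legacy", NOW - timedelta(days=7 * 365), b"placeholder")
    print(age_report([legacy], FOUR_YEARS, NOW))  # [('legacy', 'overdue')]
    keyset = rotate([legacy], FOUR_YEARS, NOW)
    print([(k.kid, k.retired is not None) for k in keyset])
```

Run as a script it walks the essay's own scenario: the seven-year-old key shows up as overdue under the four-year policy, `rotate` retires it and mints a successor, and a second `rotate` call a month later drops the retired key once the overlap window has closed. The same 26-day-old key that is fine under the four-year policy is already in the warning band under the monthly one, which is the point about cadence the essay makes.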

More generally, because the CSRB reports so far have failed to generalize their
findings with transparent and thorough research that provides real standards and
expectations for the cybersecurity industry, we -- policymakers, industry
leaders, the U.S. public -- find ourselves filling in the gaps. Individual
experts are having to provide anecdotal and individualized interpretations of
what their investigations might imply for companies simply trying to learn what
their actual due care responsibilities are.

It's as if no one is sure whether boiling your drinking water or nailing a
horseshoe up over the door is statistically more likely to decrease the
incidence of cholera. Sure, a lot of us think that boiling your water is
probably best, but no one is saying that with real science. No one is saying how
long you have to boil your water for, or whether any water sources are more
likely to carry illness. And until there are real numbers and general standards,
our educated opinions are on an equal footing with horseshoes and hope.

It should not be the job of cybersecurity experts, even us, to generate lessons
from CSRB reports based on our own opinions. This is why we continue to ask the
CSRB to provide generalizable standards which either are based on or call for
NIST standardization. We want proscriptive and descriptive reports of incidents:
see, for example, the UK National Audit Office report on the WannaCry
ransomware attack, which remains a gold standard of government cybersecurity
incident investigation reports.

We need and deserve more than one-off anecdotes about how one company didn't
do security well and should do it better in future. Let's start treating
cybersecurity like the equivalent of public safety and get some real lessons
learned.

This essay was written with Tarah Wheeler, and was published on Defense One.

** *** ***** ******* *********** *************
Problems with Georgia's Voter Registration Portal

[2024.08.07] It's possible to cancel other people's voter registrations:

    On Friday, four days after Georgia Democrats began warning that bad actors
could abuse the state's new online portal for canceling voter registrations,
the Secretary of State's Office acknowledged to ProPublica that it had
identified multiple such attempts...

    ...the portal suffered at least two security glitches that briefly exposed
voters' dates of birth, the last four digits of their Social Security numbers
and their full driver's license numbers -- the exact information needed to
cancel others' voter registrations.

I get that this is a hard problem to solve. We want the portal to be easy for
people to use -- even non-tech-savvy people -- and hard for fraudsters to abuse,
and it turns out to be impossible to do both without an overarching digital
identity infrastructure. But Georgia is making it easy to abuse.

EDITED TO ADD (8/14): There was another issue with the portal, making it easy to
request cancellation of any Georgian's registration. The elections director
said that cancellations submitted this way wouldn't have been processed
because they didn't have all the necessary information, which I guess is
probably true, but it shows just how sloppy the coding is.

** *** ***** ******* *********** *************
People-Search Site Removal Services Largely Ineffective

[2024.08.09] Consumer Reports has a new study of people-search site removal
services, concluding that they don't really work:

    As a whole, people-search removal services are largely ineffective. Private
information about each participant on the people-search sites decreased after
using the people-search removal services. And, not surprisingly, the removal
services did save time compared with manually opting out. But, without
exception, information about each participant still appeared on some of the 13
people-search sites at the one-week, one-month, and four-month intervals. We
initially found 332 instances of information about the 28 participants who would
later be signed up for removal services (that does not include the four
participants who were opted out manually). Of those 332 instances, only 117, or
35%, were removed within four months.

** *** ***** ******* *********** *************
Taxonomy of Generative AI Misuse

[2024.08.12] Interesting paper: "Generative AI Misuse: A Taxonomy of Tactics
and Insights from Real-World Data":

    Generative, multimodal artificial intelligence (GenAI) offers transformative
potential across industries, but its misuse poses significant risks. Prior
research has shed light on the potential of advanced AI systems to be exploited
for malicious purposes. However, we still lack a concrete understanding of how
GenAI models are specifically exploited or abused in practice, including the
tactics employed to inflict harm. In this paper, we present a taxonomy of GenAI
misuse tactics, informed by existing academic literature and a qualitative
analysis of approximately 200 observed incidents of misuse reported between
January 2023 and March 2024. Through this analysis, we illuminate key and novel
patterns in misuse during this time period, including potential motivations,
strategies, and how attackers leverage and abuse system capabilities across
modalities (e.g. image, text, audio, video) in the wild.

Blog post. Note the graphic mapping goals with strategies.

** *** ***** ******* *********** *************
On the Voynich Manuscript

[2024.08.13] Really interesting article on the ancient-manuscript scholars who
are applying their techniques to the Voynich Manuscript.

No one has been able to understand the writing yet, but there are some new
understandings:

    Davis presented her findings at the medieval-studies conference and
published them in 2020 in the journal Manuscript Studies. She had hardly solved
the Voynich, but she'd opened it to new kinds of investigation. If five
scribes had come together to write it, the manuscript was probably the work of a
community, rather than of a single deranged mind or con artist. Why the
community used its own language, or code, remains a mystery. Whether it was a
cloister of alchemists, or mad monks, or a group like the medieval Béguines --
a secluded order of Christian women -- required more study. But the marks of
frequent use signaled that the manuscript served some routine, perhaps daily
function.

    Davis's work brought like-minded scholars out of hiding. In just the past
few years, a Yale linguist named Claire Bowern had begun performing
sophisticated analyses of the text, building on the efforts of earlier scholars
and on methods Bowern had used with undocumented Indigenous languages in
Australia. At the University of Malta, computer scientists were figuring out how
to analyze the Voynich with tools for natural-language processing. Researchers
found that the manuscript's roughly 38,000 words -- and 9,000-word vocabulary
-- had many of the statistical hallmarks of actual language. The Voynich's
most common word, whatever it meant, appeared roughly twice as often as the
second-most-common word and three times as often as the third-commonest, and so
on -- a touchstone of natural language known as Zipf's law. The mix of word
lengths and the ratio of unique words to total words were similarly
language-like. Certain words, moreover, seemed to follow one another in
predictable order, a possible sign of grammar.

    Finally, each of the textΓÇÖs sections -- as defined by the drawings of
plants, stars, bathing women, and so on -- had different sets of overrepresented
words, just as one would expect in a real book whose chapters focused on
different subjects.

    Spelling was the chief aberration. The Voynich alphabet -- if that's what
it was -- appeared to have a conventional 20-odd letters. But compared with
known languages, too many of those letters repeated in the same order, both
within words and across neighboring words, like a children's rhyme. In some
places, the spellings of adjacent words so converged that a single word repeated
two or three times in a row. A rough English equivalent might be something akin
to "She sells sea shells by the sea shore." Another possibility, Bowern told
me, was something like pig Latin, or the Yiddishism -- known as
"shm-reduplication" -- that begets phrases such as fancy shmancy and rules
shmules.
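The quoted passage names four measurements without showing how any of them is taken: the Zipf rank-frequency relationship, the ratio of unique words to total words, the tendency of certain words to follow one another, and the aberration of words repeating back to back. The following is an added example written for this page, not code from the article or from the Yale or Malta researchers it describes. It works on any token list; the only input it ships with is a constructed corpus in which word i occurs 60 // i times, so the rank-frequency profile is Zipfian by construction and the fitted slope should land near -1. The Zipf fit is an ordinary least-squares line through log(count) against log(rank), which is the simplest of several estimators in use and is chosen here for transparency rather than as the method of any particular study.

```python
from collections import Counter, defaultdict
from math import log
from typing import List

PUNCT = ".,;:!?\"'()"


def tokenize(text: str) -> List[str]:
    """Lowercase word tokens with surrounding punctuation stripped (plain ASCII text assumed)."""
    words = (w.strip(PUNCT).lower() for w in text.split())
    return [w for w in words if w]


def rank_frequency(tokens: List[str]) -> List[int]:
    """Word counts ordered from the most common word (rank 1) downward."""
    return [count for _, count in Counter(tokens).most_common()]


def zipf_slope(tokens: List[str]) -> float:
    """Least-squares slope of log(count) against log(rank).
    Zipf's law (count proportional to 1/rank) gives a slope near -1."""
    counts = rank_frequency(tokens)
    if len(counts) < 2:
        raise ValueError("need at least two distinct words to fit a slope")
    xs = [log(rank) for rank in range(1, len(counts) + 1)]
    ys = [log(count) for count in counts]
    mean_x = sum(xs) / len(xs)
    mean_y = sum(ys) / len(ys)
    sxx = sum((x - mean_x) ** 2 for x in xs)
    sxy = sum((x - mean_x) * (y - mean_y) for x, y in zip(xs, ys))
    return sxy / sxx


def type_token_ratio(tokens: List[str]) -> float:
    """Distinct words divided by total words: the vocabulary figure the passage cites."""
    return len(set(tokens)) / len(tokens)


def adjacent_repeat_rate(tokens: List[str]) -> float:
    """Share of positions where a word immediately repeats its predecessor: the
    'she sells sea shells' aberration the passage singles out."""
    repeats = sum(1 for a, b in zip(tokens, tokens[1:]) if a == b)
    return repeats / (len(tokens) - 1)


def successor_predictability(tokens: List[str]) -> float:
    """Mean, over words that have a successor, of the probability of their most frequent
    successor. Close to 1.0 means word order is highly constrained (grammar-like)."""
    followers = defaultdict(Counter)
    for a, b in zip(tokens, tokens[1:]):
        followers[a][b] += 1
    return sum(max(c.values()) / sum(c.values()) for c in followers.values()) / len(followers)


def synthetic_zipf_corpus(vocab: int = 10, top: int = 60) -> List[str]:
    """Constructed token list in which word i occurs top // i times (an exact Zipf profile),
    laid out round-robin, so the commonest word only repeats itself once the rarer
    words are exhausted at the tail."""
    remaining = {f"w{i}": top // i for i in range(1, vocab + 1)}
    tokens = []
    while any(remaining.values()):
        for word in remaining:
            if remaining[word] > 0:
                tokens.append(word)
                remaining[word] -= 1
    return tokens


if __name__ == "__main__":
    corpus = synthetic_zipf_corpus()
    print("rank-frequency:", rank_frequency(corpus))
    print("zipf slope:", round(zipf_slope(corpus), 3))
    rhyme = tokenize("She sells sea shells shells by the the the sea shore.")
    print("type/token:", round(type_token_ratio(rhyme), 3))
    print("adjacent repeats:", adjacent_repeat_rate(rhyme))
    print("successor predictability:", round(successor_predictability(rhyme), 3))
```

On a real text the interesting comparison is between a natural-language control and the candidate: a Zipf slope near -1 and a successor predictability well above 1/vocabulary are consistent with language, while an adjacent-repeat rate far above the control's is exactly the kind of anomaly the passage describes. None of these statistics distinguishes a language from a cipher that preserves word boundaries, which is why they narrow the question rather than settle it.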

** *** ***** ******* *********** *************
Texas Sues GM for Collecting Driving Data without Consent

[2024.08.14] Texas is suing General Motors for collecting driver data without
consent and then selling it to insurance companies:

From CNN:

    In car models from 2015 and later, the Detroit-based car manufacturer
allegedly used technology to "collect, record, analyze, and transmit highly
detailed driving data about each time a driver used their vehicle," according
to the AG's statement.

    General Motors sold this information to several other companies, including
to at least two companies for the purpose of generating "Driving Scores"
about GM's customers, the AG alleged. The suit said those two companies then
sold these scores to insurance companies.

    Insurance companies can use data to see how many times people exceeded a
speed limit or obeyed other traffic laws. Some insurance firms ask customers if
they want to voluntarily opt-in to such programs, promising lower rates for
safer drivers.

    But the attorney general's office claimed GM "deceived" its Texan
customers by encouraging them to enroll in programs such as OnStar Smart Driver.
But by agreeing to join these programs, customers also unknowingly agreed to the
collection and sale of their data, the attorney general's office said.

Press release. Court filing. Slashdot thread.

** *** ***** ******* *********** *************
Upcoming Speaking Engagements

[2024.08.14] This is a current list of where and when I am scheduled to speak:

    I'm speaking at eCrime 2024 in Boston, Massachusetts, USA. The event runs
from September 24 through 26, 2024, and my keynote is on the 24th.

The list is maintained on this page.

** *** ***** ******* *********** *************

Since 1998, CRYPTO-GRAM has been a free monthly newsletter providing summaries,
analyses, insights, and commentaries on security technology. To subscribe, or to
read back issues, see Crypto-Gram's web page.

You can also read these articles on my blog, Schneier on Security.

Please feel free to forward CRYPTO-GRAM, in whole or in part, to colleagues and
friends who will find it valuable. Permission is also granted to reprint
CRYPTO-GRAM, as long as it is reprinted in its entirety.

Bruce Schneier is an internationally renowned security technologist, called a
security guru by the Economist. He is the author of over one dozen books --
including his latest, A Hacker's Mind -- as well as hundreds of articles,
essays, and academic papers. His newsletter and blog are read by over 250,000
people. Schneier is a fellow at the Berkman Klein Center for Internet & Society
at Harvard University; a Lecturer in Public Policy at the Harvard Kennedy
School; a board member of the Electronic Frontier Foundation, AccessNow, and the
Tor Project; and an Advisory Board Member of the Electronic Privacy Information
Center and VerifiedVoting.org. He is the Chief of Security Architecture at
Inrupt, Inc.

Copyright © 2024 by Bruce Schneier.

** *** ***** ******* *********** *************
--- 
 * Origin: High Portable Tosser at my node (618:500/14.1)