From: Sean Rima
To: All
Subject: CRYPTO-GRAM, December 15, 2024 Part 1
Date: December 23, 2024 11:41 AM

** CRYPTO-GRAM DECEMBER 15, 2024
------------------------------------------------------------

by Bruce Schneier Fellow and Lecturer, Harvard Kennedy School
schneier@schneier.com https://www.schneier.com

A free monthly newsletter providing summaries, analyses, insights, and
commentaries on security: computer and otherwise.

For back issues, or to subscribe, visit Crypto-Gram's web page
[https://www.schneier.com/crypto-gram/].

Read this issue on the web
[https://www.schneier.com/crypto-gram/archives...]

These same essays and news items appear in the Schneier on Security
[https://www.schneier.com/] blog, along with a lively and intelligent
comment section. An RSS feed is available.

** *** ***** ******* *********** *************


** IN THIS ISSUE:
------------------------------------------------------------

     1. Good Essay on the History of Bad Password Policies
     2. Most of 2023's Top Exploited Vulnerabilities Were Zero-Days
     3. Why Italy Sells So Much Spyware
     4. Steve Bellovin's Retirement Talk
     5. Secret Service Tracking People's Locations without Warrant
     6. The Scale of Geoblocking by Nation
     7. Security Analysis of the MERGE Voting Protocol
     8. What Graykey Can and Can't Unlock
     9. NSO Group Spies on People on Behalf of Governments
    10. Race Condition Attacks against LLMs
    11. Details about the iOS Inactivity Reboot Feature
    12. Algorithms Are Coming for Democracy—but It's Not All Bad
    13. AI and the 2024 Elections
    14. Detecting Pegasus Infections
    15. Trust Issues in AI
    16. Full-Face Masks to Frustrate Identification
    17. Jailbreaking LLM-Controlled Robots
    18. Ultralytics Supply-Chain Attack
    19. Upcoming Speaking Events

** *** ***** ******* *********** *************


** GOOD ESSAY ON THE HISTORY OF BAD PASSWORD POLICIES
------------------------------------------------------------

[2024.11.15]
[https://www.schneier.com/blog/archives/2024/1...]
Stuart Schechter makes some good points
[https://stuartschechter.org/posts/password-hi...] on the history of bad
password policies:

> Morris and Thompson's work brought much-needed data to highlight a
> problem that lots of people suspected was bad, but that had not been
> studied scientifically. Their work was a big step forward, if not for two
> mistakes that would impede future progress in improving passwords for
> decades.
>
> First was Morris and Thompson's confidence that their solution, a
> password policy, would fix the underlying problem of weak passwords. They
> incorrectly assumed that if they prevented the specific categories of
> weakness that they had noted, that the result would be something strong.
> After implementing a requirement that passwords have multiple character
> sets or more total characters, they wrote:
>
>> These improvements make it exceedingly difficult to find any
>> individual password. The user is warned of the risks and if he
>> cooperates, he is very safe indeed.
>
> As should be obvious now, a user who chooses "p@ssword" to comply with
> policies such as those proposed by Morris and Thompson is not very safe
> indeed. Morris and Thompson assumed their intervention would be effective
> without testing its efficacy, considering its unintended consequences, or
> even defining a metric of success to test against. Not only did their
> hunch turn out to be wrong, but their second mistake prevented anyone
> from proving them wrong.

That second mistake was convincing sysadmins to hash passwords, so there
was no way to evaluate how secure anyone's password actually was. And it
wasn't until hackers started stealing and publishing large troves of actual
passwords that we got the data: people are terrible at generating secure
passwords, even with rules.
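The gap Schechter describes can be made concrete. The following Python is added here and is not from Crypto-Gram or Schechter's post: it puts a composition rule of the Morris and Thompson kind (the thresholds are assumptions) beside a registration-time blocklist check that undoes the substitutions users make to satisfy such rules, so that "p@ssword" passes the policy and fails the data-driven check.

```python
import re
import string

# Constructed sample of a breach-derived common-password list; a real
# deployment would load a large corpus here. Entries are lower-case base words.
COMMON_PASSWORDS = {"password", "letmein", "welcome", "qwerty", "12345678"}

# Common "leet" substitutions made to satisfy character-class rules.
LEET_MAP = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                          "0": "o", "$": "s", "5": "s", "7": "t"})

CLASS_PATTERNS = (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")


def composition_policy_ok(pw: str) -> bool:
    """A policy in the spirit of Morris and Thompson: accept a password that
    draws on at least two character classes, or that is long enough on its
    own. The thresholds (6 chars, 2 classes, 12 chars) are assumptions."""
    classes = sum(1 for p in CLASS_PATTERNS if re.search(p, pw))
    return len(pw) >= 6 and (classes >= 2 or len(pw) >= 12)


def normalize(pw: str) -> str:
    """Collapse the usual policy-driven decorations: trailing digits and
    symbols are dropped, case is folded and leet substitutions reversed, so
    'p@ssword', 'Password1!' and 'PASSW0RD' all map to 'password'."""
    stripped = pw.rstrip(string.digits + string.punctuation)
    return stripped.lower().translate(LEET_MAP)


def blocklist_ok(pw: str) -> bool:
    """Reject a password if it, or its normalized form, is a known common one.
    Once only hashes are stored this check can no longer be run after the
    fact, so it has to happen when the password is chosen."""
    return (pw.lower() not in COMMON_PASSWORDS
            and normalize(pw) not in COMMON_PASSWORDS)


def evaluate(pw: str) -> dict:
    """Return both verdicts so the disagreement between them is visible."""
    return {"policy_ok": composition_policy_ok(pw), "blocklist_ok": blocklist_ok(pw)}


if __name__ == "__main__":
    for candidate in ("p@ssword", "Password1!", "correct horse battery staple"):
        print(candidate, evaluate(candidate))
```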

** *** ***** ******* *********** *************


** MOST OF 2023'S TOP EXPLOITED VULNERABILITIES WERE ZERO-DAYS
------------------------------------------------------------

[2024.11.18]
[https://www.schneier.com/blog/archives/2024/1...]
Zero-day vulnerabilities are more commonly used
[https://www.cisa.gov/news-events/cybersecurit...],
according to the Five Eyes:

> Key Findings
>
> In 2023, malicious cyber actors exploited more zero-day vulnerabilities
> to compromise enterprise networks compared to 2022, allowing them to
> conduct cyber operations against higher-priority targets. In 2023, the
> majority of the most frequently exploited vulnerabilities were initially
> exploited as a zero-day, which is an increase from 2022, when less than
> half of the top exploited vulnerabilities were exploited as a zero-day.
>
> Malicious cyber actors continue to have the most success exploiting
> vulnerabilities within two years after public disclosure of the
> vulnerability. The utility of these vulnerabilities declines over time as
> more systems are patched or replaced. Malicious cyber actors find less
> utility from zero-day exploits when international cybersecurity efforts
> reduce the lifespan of zero-day vulnerabilities.

** *** ***** ******* *********** *************


** WHY ITALY SELLS SO MUCH SPYWARE
------------------------------------------------------------

[2024.11.19]
[https://www.schneier.com/blog/archives/2024/1...]
Interesting analysis
[https://therecord.media/how-italy-became-an-u...]:

> Although much attention is given to sophisticated, zero-click spyware
> developed by companies like Israel's NSO Group, the Italian spyware
> marketplace has been able to operate relatively under the radar by
> specializing in cheaper tools. According to an Italian Ministry of Justice
--- 
 * Origin: High Portable Tosser at my node (618:500/14.1)