From: Sean Rima
To: All
Subject: CRYPTO-GRAM, July 15, 2020
Date/Time: July 18, 2020 9:41 PM

Crypto-Gram
July 15, 2020

by Bruce Schneier
Fellow and Lecturer, Harvard Kennedy School
schneier@schneier.com
https://www.schneier.com

A free monthly newsletter providing summaries, analyses, insights, and
commentaries on security: computer and otherwise.

For back issues, or to subscribe, visit Crypto-Gram's web page.

Read this issue on the web

These same essays and news items appear in the Schneier on Security blog, along
with a lively and intelligent comment section. An RSS feed is available.

** *** ***** ******* *********** *************
In this issue:

    Examining the US Cyber Budget
    Eavesdropping on Sound Using Variations in Light Bulbs
    Bank Card "Master Key" Stolen
    Zoom Will Be End-to-End Encrypted for All Users
    Theft of CIA's "Vault Seven" Hacking Tools Due to Its Own Lousy Security
    New Hacking-for-Hire Company in India
    Security and Human Behavior (SHB) 2020
    Identifying a Person Based on a Photo, LinkedIn and Etsy Profiles, and Other Internet Bread Crumbs
    Nation-State Espionage Campaigns against Middle East Defense Contractors
    Cryptocurrency Pump and Dump Scams
    COVID-19 Risks of Flying
    Analyzing IoT Security Best Practices
    The Unintended Harms of Cybersecurity
    iPhone Apps Stealing Clipboard Data
    Android Apps Stealing Facebook Credentials
    Securing the International IoT Supply Chain
    The Security Value of Inefficiency
    EncroChat Hacked by Police
    ThiefQuest Ransomware for the Mac
    IoT Security Principles
    Traffic Analysis of Home Security Cameras
    Business Email Compromise (BEC) Criminal Ring
    EFF's 30th Anniversary Livestream
    A Peek into the Fake Review Marketplace
    Enigma Machine for Sale

** *** ***** ******* *********** *************
Examining the US Cyber Budget

[2020.06.15] Jason Healey takes a detailed look at the US federal cybersecurity
budget and reaches an important conclusion: the US keeps saying that we need to
prioritize defense, but in fact we prioritize attack.

    To its credit, this budget does reveal an overall growth in cybersecurity
funding of about 5 percent above the fiscal 2019 estimate. However, federal
cybersecurity spending on civilian departments like the departments of Homeland
Security, State, Treasury and Justice is overshadowed by that going toward the
military:

        The Defense Department's cyber-related budget is nearly 25 percent
higher than the total going to all civilian departments, including the
departments of Homeland Security, Treasury and Energy, which not only have to
defend their own critical systems but also partner with critical infrastructure
to help secure the energy, finance, transportation and health sectors ($9.6
billion compared to $7.8 billion).
        The funds to support just the headquarters element -- that is, not even
the operational teams in facilities outside of headquarters -- of U.S. Cyber
Command are 33 percent higher than all the cyber-related funding to the State
Department ($532 million compared to $400 million).
        Just the increased funding to Defense was 30 percent higher than the
total Homeland Security budget to improve the security of federal networks ($909
million compared to $694.1 million).
        The Defense Department is budgeted two and a half times as much just for
cyber operations as the Cybersecurity and Infrastructure Security Agency (CISA),
which is nominally in charge of cybersecurity ($3.7 billion compared to $1.47
billion). In fact, the cyber operations budget is higher than the budgets for
the CISA, the FBI and the Department of Justice's National Security Division
combined ($3.7 billion compared to $2.21 billion).
        The Defense Department's cyber operations have nearly 10 times the
funding as the relevant Homeland Security defensive operational element, the
National Cybersecurity and Communications Integration Center (NCCIC) ($3.7
billion compared to $371.4 million).
        The U.S. government budgeted as much on military construction for cyber
units as it did for the entirety of Homeland Security ($1.9 billion for each).

    We cannot ignore what the money is telling us. The White House and National
Cyber Strategy emphasize the need to protect the American people and our way of
life, yet the budget does not reflect those values. Rather, the budget clearly
shows that the Defense Department is the government's main priority. Of course,
the exact Defense numbers for how much is spent on offense are classified.

** *** ***** ******* *********** *************
Eavesdropping on Sound Using Variations in Light Bulbs

[2020.06.16] New research is able to recover sound waves in a room by observing
minute changes in the room's light bulbs. This technique works from a distance,
even from a building across the street through a window.

Details:

    In an experiment using three different telescopes with different lens
diameters from a distance of 25 meters (a little over 82 feet) the researchers
were successfully able to capture sound being played in a remote room, including
The Beatles' Let It Be, which was distinguishable enough for Shazam to recognize
it, and a speech from President Trump that Google's speech recognition API could
successfully transcribe. With more powerful telescopes and a more sensitive
analog-to-digital converter, the researchers believe the eavesdropping distances
could be even greater.

It's not expensive: less than $1,000 worth of equipment is required. And unlike
other techniques like bouncing a laser off the window and measuring the
vibrations, it's completely passive.

News articles.

** *** ***** ******* *********** *************
Bank Card "Master Key" Stolen

[2020.06.17] South Africa's Postbank experienced a catastrophic security
failure. The bank's master PIN key was stolen, forcing it to cancel and replace
12 million bank cards.

    The breach resulted from the printing of the bank's encrypted master key in
plain, unencrypted digital language at the Postbank's old data centre in the
Pretoria city centre.

    According to a number of internal Postbank reports, which the Sunday Times
obtained, the master key was then stolen by employees.

    One of the reports said that the cards would cost about R1bn to replace. The
master key, a 36-digit code, allows anyone who has it to gain unfettered access
to the bank's systems, and allows them to read and rewrite account balances, and
change information and data on any of the bank's 12-million cards.

The bank lost $3.2 million in fraudulent transactions before the theft was
discovered. Replacing all the cards will cost an estimated $58 million.

** *** ***** ******* *********** *************
Zoom Will Be End-to-End Encrypted for All Users

[2020.06.17] Zoom is doing the right thing: it's making end-to-end encryption
available to all users, paid and unpaid. (This is a change; I wrote about the
initial decision here.)

    ...we have identified a path forward that balances the legitimate right of
all users to privacy and the safety of users on our platform. This will enable
us to offer E2EE as an advanced add-on feature for all of our users around the
globe -- free and paid -- while maintaining the ability to prevent and fight
abuse on our platform.

    To make this possible, Free/Basic users seeking access to E2EE will
participate in a one-time process that will prompt the user for additional
pieces of information, such as verifying a phone number via a text message. Many
leading companies perform similar steps on account creation to reduce the mass
creation of abusive accounts. We are confident that by implementing risk-based
authentication, in combination with our current mix of tools -- including our
Report a User function -- we can continue to prevent and fight abuse.

Thank you, Zoom, for coming around to the right answer.

And thank you to everyone for commenting on this issue. We are learning -- in so
many areas -- the power of continued public pressure to change corporate
behavior.

EDITED TO ADD (6/18): Let's do Apple next.

** *** ***** ******* *********** *************
Theft of CIA's "Vault Seven" Hacking Tools Due to Its Own Lousy Security

[2020.06.18] The Washington Post is reporting on an internal CIA report about
its "Vault 7" security breach:

    The breach -- allegedly committed by a CIA employee -- was discovered a year
after it happened, when the information was published by WikiLeaks, in March
2017. The anti-secrecy group dubbed the release "Vault 7," and U.S. officials
have said it was the biggest unauthorized disclosure of classified information
in the CIA's history, causing the agency to shut down some intelligence
operations and alerting foreign adversaries to the spy agency's techniques.

    The October 2017 report by the CIA's WikiLeaks Task Force, several pages of
which were missing or redacted, portrays an agency more concerned with bulking
up its cyber arsenal than keeping those tools secure. Security procedures were
"woefully lax" within the special unit that designed and built the tools, the
report said.

    Without the WikiLeaks disclosure, the CIA might never have known the tools
had been stolen, according to the report. "Had the data been stolen for the
benefit of a state adversary and not published, we might still be unaware of the
loss," the task force concluded.

    The task force report was provided to The Washington Post by the office of
Sen. Ron Wyden (D-Ore.), a member of the Senate Intelligence Committee, who has
pressed for stronger cybersecurity in the intelligence community. He obtained
the redacted, incomplete copy from the Justice Department.

It's all still up on WikiLeaks.

** *** ***** ******* *********** *************
New Hacking-for-Hire Company in India

[2020.06.19] Citizen Lab has a new report on Dark Basin, a large
hacking-for-hire company in India.

    Key Findings:

        Dark Basin is a hack-for-hire group that has targeted thousands of
individuals and hundreds of institutions on six continents. Targets include
advocacy groups and journalists, elected and senior government officials, hedge
funds, and multiple industries.
        Dark Basin extensively targeted American nonprofits, including
organisations working on a campaign called #ExxonKnew, which asserted that
ExxonMobil hid information about climate change for decades.
        We also identify Dark Basin as the group behind the phishing of
organizations working on net neutrality advocacy, previously reported by the
Electronic Frontier Foundation.
        We link Dark Basin with high confidence to an Indian company, BellTroX
InfoTech Services, and related entities.
        Citizen Lab has notified hundreds of targeted individuals and
institutions and, where possible, provided them with assistance in tracking and
identifying the campaign. At the request of several targets, Citizen Lab shared
information about their targeting with the US Department of Justice (DOJ). We
are in the process of notifying additional targets.

BellTroX InfoTech Services has assisted clients in spying on over 10,000 email
accounts around the world, including accounts of politicians, investors,
journalists and activists.

News article. Boing Boing post.

** *** ***** ******* *********** *************
Security and Human Behavior (SHB) 2020

[2020.06.19] Today is the second day of the thirteenth Workshop on Security and
Human Behavior. It's being hosted by the University of Cambridge, which in
today's world means we're all meeting on Zoom.

SHB is a small, annual, invitational workshop of people studying various aspects
of the human side of security, organized each year by Alessandro Acquisti, Ross
Anderson, and myself. The forty or so attendees include psychologists,
economists, computer security researchers, sociologists, political scientists,
criminologists, neuroscientists, designers, lawyers, philosophers,
anthropologists, business school professors, and a smattering of others. It's
not just an interdisciplinary event; most of the people here are individually
interdisciplinary.

Our goal is always to maximize discussion and interaction. We do that by putting
everyone on panels, and limiting talks to six to eight minutes, with the rest of
the time for open discussion. We've done pretty well translating this format to
video chat, including using the random breakout feature to put people into small
groups.

I invariably find this to be the most intellectually stimulating two days of my
professional year. It influences my thinking in many different, and sometimes
surprising, ways.

This year's schedule is here. This page lists the participants and includes
links to some of their work. As he does every year, Ross Anderson is
liveblogging the talks.

Here are my posts on the first, second, third, fourth, fifth, sixth, seventh,
eighth, ninth, tenth, eleventh, and twelfth SHB workshops. Follow those links to
find summaries, papers, and occasionally audio recordings of the various
workshops. Ross also maintains a good webpage of psychology and security
resources.

** *** ***** ******* *********** *************
Identifying a Person Based on a Photo, LinkedIn and Etsy Profiles, and Other
Internet Bread Crumbs

[2020.06.22] Interesting story of how the police can identify someone by
following the evidence chain from website to website.

    According to filings in Blumenthal's case, FBI agents had little more to go
on when they started their investigation than the news helicopter footage of the
woman setting the police car ablaze as it was broadcast live May 30.

    It showed the woman, in flame-retardant gloves, grabbing a burning piece of
a police barricade that had already been used to set one squad car on fire and
tossing it into the police SUV parked nearby. Within seconds, that car was also
engulfed in flames.

    Investigators discovered other images depicting the same scene on Instagram
and the video sharing website Vimeo. Those allowed agents to zoom in and
identify a stylized tattoo of a peace sign on the woman's right forearm.

    Scouring other images -- including a cache of roughly 500 photos of the
Philly protest shared by an amateur photographer -- agents found shots of a
woman with the same tattoo that gave a clear depiction of the slogan on her
T-shirt.

    [...]

    That shirt, agents said, was found to have been sold only in one location: a
shop on Etsy, the online marketplace for crafters, purveyors of custom-made
clothing and jewelry, and other collectibles....

    The top review on her page, dated just six days before the protest, was from
a user identifying herself as "Xx Mv," who listed her location as Philadelphia
and her username as "alleycatlore."

    A Google search of that handle led agents to an account on Poshmark, the
mobile fashion marketplace, with a user handle "lore-elisabeth." And subsequent
searches for that name turned up Blumenthal's LinkedIn profile, where she
identifies herself as a graduate of William Penn Charter School and several yoga
and massage therapy training centers.

    From there, they located Blumenthal's Jenkintown massage studio and its
website, which featured videos demonstrating her at work. On her forearm, agents
discovered, was the same distinctive tattoo that investigators first identified
on the arsonist in the original TV video.

The obvious moral isn't a new one: don't have a distinctive tattoo. But more
interesting is how different pieces of evidence can be strung together in order
to identify someone. This particular chain was put together manually, but expect
machine learning techniques to be able to do this sort of thing automatically --
and for organizations like the NSA to implement them on a broad scale.

Another article did a more detailed analysis, and concludes that the Etsy review
was the linchpin.

** *** ***** ******* *********** *************
Nation-State Espionage Campaigns against Middle East Defense Contractors

[2020.06.23] Report on espionage attacks using LinkedIn as a vector for malware,
with details and screenshots. They talk about "several hints suggesting a
possible link" to the Lazarus group (aka North Korea), but that's by no means
definite.

    As part of the initial compromise phase, the Operation In(ter)ception
attackers had created fake LinkedIn accounts posing as HR representatives of
well-known companies in the aerospace and defense industries. In our
investigation, we've seen profiles impersonating Collins Aerospace (formerly
Rockwell Collins) and General Dynamics, both major US corporations in the field.

Detailed report.

** *** ***** ******* *********** *************
Cryptocurrency Pump and Dump Scams

[2020.06.24] Really interesting research: "An examination of the cryptocurrency
pump and dump ecosystem":

    Abstract: The surge of interest in cryptocurrencies has been accompanied by
a proliferation of fraud. This paper examines pump and dump schemes. The recent
explosion of nearly 2,000 cryptocurrencies in an unregulated environment has
expanded the scope for abuse. We quantify the scope of cryptocurrency pump and
dump schemes on Discord and Telegram, two popular group-messaging platforms. We
joined all relevant Telegram and Discord groups/channels and identified
thousands of different pumps. Our findings provide the first measure of the
scope of such pumps and empirically document important properties of this
ecosystem.

** *** ***** ******* *********** *************
COVID-19 Risks of Flying

[2020.06.24] I fly a lot. Over the past five years, my average speed has been 32
miles an hour. That all changed mid-March. It's been 105 days since I've been on
an airplane -- longer than any other time in my adult life -- and I have no
future flights scheduled. This is all a prelude to saying that I have been
paying a lot of attention to the COVID-related risks of flying.

We know a lot more about how COVID-19 spreads than we did in March. The "less
than six feet, more than ten minutes" model has given way to a much more
sophisticated model involving airflow, the level of virus in the room, and the
viral load in the person who might be infected.

Regarding airplanes specifically: on the whole, they seem safer than many other
group activities. Of all the research about contact tracing results I have read,
I have seen no stories of a sick person on an airplane infecting other
passengers. There are no superspreader events involving airplanes. (That did
happen with SARS.) It seems that the airflow inside the cabin really helps.

Airlines are trying to make things better: blocking middle seats, serving less
food and drink, trying to get people to wear masks. (This video is worth
watching.) I've started to see airlines requiring masks and banning those who
won't, and not just strongly encouraging them. (If mask wearing is treated the
same as seat belt wearing, it will make a huge difference.) Finally, there
are a lot of dumb things that airlines are doing.

This article interviewed 511 epidemiologists, and the general consensus was that
flying is riskier than getting a haircut but less risky than eating in a
restaurant. I think that most of the risk is pre-flight, in the airport: crowds
at the security checkpoints, gates, and so on. And that those are manageable
with mask wearing and situational awareness. So while I am not flying yet, I
might be willing to soon. (It doesn't help that I get a -1 on my COVID saving
throw for type A blood, and another -1 for male pattern baldness. On the other
hand, I think I get a +3 Constitution bonus. Maybe, instead of sky marshals we
can have high-level clerics on the planes.)

And everyone: wear a mask, and wash your hands.

EDITED TO ADD (6/27): Airlines are starting to crowd their flights again.

** *** ***** ******* *********** *************
Analyzing IoT Security Best Practices

[2020.06.25] New research: "Best Practices for IoT Security: What Does That Even
Mean?" by Christopher Bellman and Paul C. van Oorschot:

    Abstract: Best practices for Internet of Things (IoT) security have recently
attracted considerable attention worldwide from industry and governments, while
academic research has highlighted the failure of many IoT product manufacturers
to follow accepted practices. We explore not the failure to follow best
practices, but rather a surprising lack of understanding, and void in the
literature, on what (generically) "best practice" means, independent of
meaningfully identifying specific individual practices. Confusion is evident
from guidelines that conflate desired outcomes with security practices to
achieve those outcomes. How do best practices, good practices, and standard
practices differ? Or guidelines, recommendations, and requirements? Can
something be a best practice if it is not actionable? We consider categories of
best practices, and how they apply over the lifecycle of IoT devices. For
concreteness in our discussion, we analyze and categorize a set of 1014 IoT
security best practices, recommendations, and guidelines from industrial,
government, and academic sources. As one example result, we find that about 70%
of these practices or guidelines relate to early IoT device lifecycle stages,
highlighting the critical position of manufacturers in addressing the security
issues in question. We hope that our work provides a basis for the community to
build on in order to better understand best practices, identify and reach
consensus on specific practices, and then find ways to motivate relevant
stakeholders to follow them.

Back in 2017, I catalogued nineteen security and privacy guideline documents for
the Internet of Things. Our problem right now isn't that we don't know how to
secure these devices, it's that there is no economic or regulatory incentive to
do so.

** *** ***** ******* *********** *************
The Unintended Harms of Cybersecurity

[2020.06.26] Interesting research: "Identifying Unintended Harms of
Cybersecurity Countermeasures":

    Abstract: Well-meaning cybersecurity risk owners will deploy countermeasures
(technologies or procedures) to manage risks to their services or systems. In
some cases, those countermeasures will produce unintended consequences, which
must then be addressed. Unintended consequences can potentially induce harm,
adversely affecting user behaviour, user inclusion, or the infrastructure itself
(including other services or countermeasures). Here we propose a framework for
preemptively identifying unintended harms of risk countermeasures in
cybersecurity. The framework identifies a series of unintended harms which go
beyond technology alone, to consider the cyberphysical and sociotechnical space:
displacement, insecure norms, additional costs, misuse, misclassification,
amplification, and disruption. We demonstrate our framework through application
to the complex, multi-stakeholder challenges associated with the prevention of
cyberbullying as an applied example. Our framework aims to illuminate harmful
consequences, not to paralyze decision-making, but so that potential unintended
harms can be more thoroughly considered in risk management strategies. The
framework can support identification and preemptive planning to identify
vulnerable populations and preemptively insulate them from harm. There are
opportunities to use the framework in coordinating risk management strategy
across stakeholders in complex cyberphysical environments.

Security is always a trade-off. I appreciate work that examines the details of
that trade-off.

** *** ***** ******* *********** *************
iPhone Apps Stealing Clipboard Data

[2020.06.29] iOS apps are repeatedly reading clipboard data, which can include
all sorts of sensitive information.

    While Haj Bakry and Mysk published their research in March, the invasive
apps made headlines again this week with the developer beta release of iOS 14. A
novel feature Apple added provides a banner warning every time an app reads
clipboard contents. As large numbers of people began testing the beta release,
they quickly came to appreciate just how many apps engage in the practice and
just how often they do it.

    This YouTube video, which has racked up more than 87,000 views since it was
posted on Tuesday, shows a small sample of the apps triggering the new warning.

EDITED TO ADD (7/6): LinkedIn and Reddit are doing this.

** *** ***** ******* *********** *************
Android Apps Stealing Facebook Credentials

[2020.06.30] Google has removed 25 Android apps from its store because they
steal Facebook credentials:

    Before being taken down, the 25 apps were collectively downloaded more than
2.34 million times.

    The malicious apps were developed by the same threat group and despite
offering different features, under the hood, all the apps worked the same.

    According to a report from French cyber-security firm Evina shared with
ZDNet today, the apps posed as step counters, image editors, video editors,
wallpaper apps, flashlight applications, file managers, and mobile games.

    The apps offered a legitimate functionality, but they also contained
malicious code. Evina researchers say the apps contained code that detected what
app a user recently opened and had in the phone's foreground.

** *** ***** ******* *********** *************
Securing the International IoT Supply Chain

[2020.07.01] Together with Nate Kim (former student) and Trey Herr (Atlantic
Council Cyber Statecraft Initiative), I have written a paper on IoT supply chain
security. The basic problem we try to solve is: How do you enforce IoT security
regulations when most of the stuff is made in other countries? And our solution
is: enforce the regulations on the domestic company that's selling the stuff to
consumers. There's a lot of detail between here and there, though, and it's all
in the paper.

We also wrote a Lawfare post:

    ...we propose to leverage these supply chains as part of the solution.
Selling to U.S. consumers generally requires that IoT manufacturers sell through
a U.S. subsidiary or, more commonly, a domestic distributor like Best Buy or
Amazon. The Federal Trade Commission can apply regulatory pressure to this
distributor to sell only products that meet the requirements of a security
framework developed by U.S. cybersecurity agencies. That would put pressure on
manufacturers to make sure their products are compliant with the standards set
out in this security framework, including pressuring their component vendors and
original device manufacturers to make sure they supply parts that meet the
recognized security framework.

News article.

** *** ***** ******* *********** *************
The Security Value of Inefficiency

[2020.07.02] For decades, we have prized efficiency in our economy. We strive
for it. We reward it. In normal times, that's a good thing. Running just at the
margins is efficient. A single just-in-time global supply chain is efficient.
Consolidation is efficient. And that's all profitable. Inefficiency, on the
other hand, is waste. Extra inventory is inefficient. Overcapacity is
inefficient. Using many small suppliers is inefficient. Inefficiency is
unprofitable.

But inefficiency is essential security, as the COVID-19 pandemic is teaching us.
All of the overcapacity that has been squeezed out of our healthcare system; we
now wish we had it. All of the redundancy in our food production that has been
consolidated away; we want that, too. We need our old, local supply chains --
not the single global ones that are so fragile in this crisis. And we want our
local restaurants and businesses to survive, not just the national chains.

We have lost much inefficiency to the market in the past few decades. Investors
have become very good at noticing any fat in every system and swooping down to
monetize those redundant assets. The winner-take-all mentality that has
permeated so many industries squeezes any inefficiencies out of the system.

This drive for efficiency leads to brittle systems that function properly when
everything is normal but break under stress. And when they break, everyone
suffers. The less fortunate suffer and die. The more fortunate are merely hurt,
and perhaps lose their freedoms or their future. But even the extremely
fortunate suffer -- maybe not in the short term, but in the long term from the
constriction of the rest of society.

Efficient systems have limited ability to deal with system-wide economic shocks.
Those shocks are coming with increased frequency. They're caused by global
pandemics, yes, but also by climate change, by financial crises, by political
crises. If we want to be secure against these crises and more, we need to add
inefficiency back into our systems.

I don't simply mean that we need to make our food production, or healthcare
system, or supply chains sloppy and wasteful. We need a certain kind of
inefficiency, and it depends on the system in question. Sometimes we need
redundancy. Sometimes we need diversity. Sometimes we need overcapacity.

The market isn't going to supply any of these things, least of all in a
strategic capacity that will result in resilience. What's necessary to make any
of this work is regulation.

First, we need to enforce antitrust laws. Our meat supply chain is brittle
because there are limited numbers of massive meatpacking plants -- now disease
factories -- rather than lots of smaller slaughterhouses. Our retail supply
chain is brittle because a few national companies and websites dominate. We need
multiple companies offering alternatives to a single product or service. We need
more competition, more niche players. We need more local companies, more
domestic corporate players, and diversity in our international suppliers.
Competition provides all of that, while monopolies suck that out of the system.

The second thing we need is specific regulations that require certain
inefficiencies. This isn't anything new. Every safety system we have is, to some
extent, an inefficiency. This is true for fire escapes on buildings, lifeboats
on cruise ships, and multiple ways to deploy the landing gear on aircraft. Not
having any of those things would make the underlying systems more efficient, but
also less safe. It's also true for the internet itself, originally designed with
extensive redundancy as a Cold War security measure.

With those two things in place, the market can work its magic to provide for
these strategic inefficiencies as cheaply and as effectively as possible. As
long as there are competitors who are vying with each other, and there aren't
competitors who can reduce the inefficiencies and undercut the competition,
these inefficiencies just become part of the price of whatever we're buying.

The government is the entity that steps in and enforces a level playing field
instead of a race to the bottom. Smart regulation addresses the long-term need
for security, and ensures it's not continuously sacrificed to short-term
considerations.

We have largely been content to ignore the long term and let Wall Street run our
economy as efficiently as it can. That's no longer sustainable. We need
inefficiency -- the right kind in the right way -- to ensure our security. No,
it's not free. But it's worth the cost.

This essay previously appeared in Quartz.

EDITED TO ADD (7/14): A related piece by Dan Geer.

** *** ***** ******* *********** *************
EncroChat Hacked by Police

[2020.07.03] French police hacked EncroChat secure phones, which are widely used
by criminals:

    Encrochat's phones are essentially modified Android devices, with some
models using the "BQ Aquaris X2," an Android handset released in 2018 by a
Spanish electronics company, according to the leaked documents. Encrochat took
the base unit, installed its own encrypted messaging programs which route
messages through the firm's own servers, and even physically removed the GPS,
camera, and microphone functionality from the phone. Encrochat's phones also had
a feature that would quickly wipe the device if the user entered a PIN, and ran
two operating systems side-by-side. If a user wanted the device to appear
innocuous, they booted into normal Android. If they wanted to return to their
sensitive chats, they switched over to the Encrochat system. The company sold
the phones on a subscription based model, costing thousands of dollars a year
per device.

That access allowed the French police, and the agencies they shared the intercepts with, to investigate and arrest many users:

    Unbeknownst to Mark, or the tens of thousands of other alleged Encrochat
users, their messages weren't really secure. French authorities had penetrated
the Encrochat network, leveraged that access to install a technical tool in what
appears to be a mass hacking operation, and had been quietly reading the users'
communications for months. Investigators then shared those messages with
agencies around Europe.

    Only now is the astonishing scale of the operation coming into focus: It
represents one of the largest law enforcement infiltrations of a communications
network predominantly used by criminals ever, with Encrochat users spreading
beyond Europe to the Middle East and elsewhere. French, Dutch, and other
European agencies monitored and investigated "more than a hundred million
encrypted messages" sent between Encrochat users in real time, leading to
arrests in the UK, Norway, Sweden, France, and the Netherlands, a team of
international law enforcement agencies announced Thursday.

EncroChat learned about the hack, but didn't know who was behind it.

    Going into full-on emergency mode, Encrochat sent a message to its users
informing them of the ongoing attack. The company also informed its SIM
provider, Dutch telecommunications firm KPN, which then blocked connections to
the malicious servers, the associate claimed. Encrochat cut its own SIM service;
it had an update scheduled to push to the phones, but it couldn't guarantee
whether that update itself wouldn't be carrying malware too. That, and maybe KPN
was working with the authorities, Encrochat's statement suggested (KPN declined
to comment). Shortly after Encrochat restored SIM service, KPN removed the
firewall, allowing the hackers' servers to communicate with the phones once
again. Encrochat was trapped.

    Encrochat decided to shut itself down entirely.

Lots of details about the hack in the article. Well worth reading in full.

The UK National Crime Agency called it Operation Venetic: "46 arrests, and £54m
criminal cash, 77 firearms and over two tonnes of drugs seized so far."

Many more news articles. EncroChat website. Slashdot thread. Hacker News
threads.

EDITED TO ADD (7/14): Some people are questioning the official story. I don't
know.

** *** ***** ******* *********** *************
ThiefQuest Ransomware for the Mac

[2020.07.06] There's a new ransomware for the Mac called ThiefQuest or
EvilQuest. It's hard to get infected:

    For your Mac to become infected, you would need to torrent a compromised
installer and then dismiss a series of warnings from Apple in order to run it.
It's a good reminder to get your software from trustworthy sources, like
developers whose code is "signed" by Apple to prove its legitimacy, or from
Apple's App Store itself. But if you're someone who already torrents programs
and is used to ignoring Apple's flags, ThiefQuest illustrates the risks of that
approach.

But it's nasty:

    In addition to ransomware, ThiefQuest has a whole other set of spyware
capabilities that allow it to exfiltrate files from an infected computer, search
the system for passwords and cryptocurrency wallet data, and run a robust
keylogger to grab passwords, credit card numbers, or other financial information
as a user types it in. The spyware component also lurks persistently as a
backdoor on infected devices, meaning it sticks around even after a computer
reboots, and could be used as a launchpad for additional, or "second stage,"
attacks. Given that ransomware is so rare on Macs to begin with, this one-two
punch is especially noteworthy.

** *** ***** ******* *********** *************
IoT Security Principles

[2020.07.07] The BSA -- also known as the Software Alliance, formerly the
Business Software Alliance (which explains the acronym) -- is an industry
lobbying group. They just published "Policy Principles for Building a Secure and
Trustworthy Internet of Things."

They call for:

    Distinguishing between consumer and industrial IoT.
    Offering incentives for integrating security.
    Harmonizing national and international policies.
    Establishing regularly updated baseline security requirements.

As with pretty much everything else, you can assume that if an industry lobbying
group is in favor of it, then it doesn't go far enough.

And if you need more security and privacy principles for the IoT, here's a list
of over twenty.

** *** ***** ******* *********** *************
Traffic Analysis of Home Security Cameras

[2020.07.09] Interesting research on home security cameras with cloud storage.
Basically, an attacker who can see only the camera's traffic (not the video)
can still learn very basic information about what's going on in front of the
camera, and infer when there is someone home.

News article.

Slashdot thread.
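To make the attack concrete, here is an added example (my own illustration, not the researchers' code or data) of the inference an observer can draw from nothing but upload volume over time. Cloud-connected cameras typically upload a clip only when they detect motion, so the bursts stand out against the idle keepalive traffic. The byte counts, the 10-second window size and the burst-detection factor are all constructed assumptions.

```python
"""Traffic analysis of an encrypted camera upload stream.

Added example, not the research paper's code or data. The observer sees
packet sizes and timing only; the byte counts below are constructed
to illustrate the idea, not captured traffic.
"""
from statistics import median

# Constructed sample: bytes uploaded by the camera in each 10-second window,
# covering 5 minutes. Idle windows carry only keepalive/heartbeat traffic.
WINDOW_SECONDS = 10
UPLOAD_BYTES = [
    1200, 1180, 1250, 1190,                  # idle
    480000, 520000, 510000,                  # burst: someone walks past
    1210, 1190, 1230, 1200, 1180,            # idle
    495000, 530000,                          # second, shorter burst
    1200, 1220,                              # idle
    505000, 515000, 498000, 510000, 520000,  # longer burst: someone at the door
    1190, 1200, 1210, 1180, 1200, 1230, 1200, 1190, 1200,
]


def baseline(byte_counts):
    """Idle level: the median window is a robust estimate while bursts are a minority."""
    return median(byte_counts)


def detect_events(byte_counts, window_seconds=WINDOW_SECONDS, factor=20):
    """Return (start_s, end_s, bytes) for each run of windows well above idle.

    The threshold is a multiple of the idle baseline rather than a fixed
    number, so the same detector works on cameras with different heartbeat
    rates. `factor` is an assumed tuning value.
    """
    threshold = baseline(byte_counts) * factor
    events = []
    start, total = None, 0
    for i, b in enumerate(byte_counts):
        if b > threshold:
            if start is None:
                start, total = i, 0
            total += b
        elif start is not None:
            events.append((start * window_seconds, i * window_seconds, total))
            start = None
    if start is not None:  # burst still running at the end of the capture
        events.append((start * window_seconds, len(byte_counts) * window_seconds, total))
    return events


def occupancy_summary(events):
    """Crude 'is someone there' inference: how much of the capture had activity."""
    durations = [end - start for start, end, _ in events]
    return {
        "events": len(events),
        "active_seconds": sum(durations),
        "longest_event_seconds": max(durations, default=0),
    }


if __name__ == "__main__":
    found = detect_events(UPLOAD_BYTES)
    for start, end, nbytes in found:
        print(f"activity from {start}s to {end}s, {nbytes} bytes uploaded")
    print(occupancy_summary(found))
```

Everything the detector uses is visible to anyone on the path (an ISP, a neighbour on the same Wi-Fi, an attacker with a tap); TLS protects the clips but not the fact that a clip was sent. The countermeasure is constant-rate or padded uploads, which cost bandwidth, which is why most cameras do not do it.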

** *** ***** ******* *********** *************
Business Email Compromise (BEC) Criminal Ring

[2020.07.10] A criminal group called Cosmic Lynx seems to be based in Russia:

    Dubbed Cosmic Lynx, the group has carried out more than 200 BEC campaigns
since July 2019, according to researchers from the email security firm Agari,
particularly targeting senior executives at large organizations and corporations
in 46 countries. Cosmic Lynx specializes in topical, tailored scams related to
mergers and acquisitions; the group typically requests hundreds of thousands or
even millions of dollars as part of its hustles.

    [...]

    For example, rather than use free accounts, Cosmic Lynx will register
strategic domain names for each BEC campaign to create more convincing email
accounts. And the group knows how to shield these domains so they're harder to
trace to the true owner. Cosmic Lynx also has a strong understanding of the
email authentication protocol DMARC and does reconnaissance to assess its
targets' specific system DMARC policies to most effectively circumvent them.

    Cosmic Lynx also drafts unusually clean and credible-looking messages to
deceive targets. The group will find a company that is about to complete an
acquisition and contact one of its top executives posing as the CEO of the
organization being bought. This phony CEO will then involve "external legal
counsel" to facilitate the necessary payments. This is where Cosmic Lynx adds a
second persona to give the process an air of legitimacy, typically impersonating
a real lawyer from a well-regarded law firm in the United Kingdom. The fake
lawyer will email the same executive that the "CEO" wrote to, often in a new
email thread, and share logistics about completing the transaction. Unlike most
BEC campaigns, in which the messages often have grammatical mistakes or awkward
wording, Cosmic Lynx messages are almost always clean.

** *** ***** ******* *********** *************
EFF's 30th Anniversary Livestream

[2020.07.10] It's the EFF's 30th birthday, and the organization is having a
celebratory livestream today from 3:00 to 10:00 pm PDT.

There are a lot of interesting discussions and things. I am having a fireside
chat at 4:10 pm PDT to talk about the Crypto Wars and more.

Stop by. And thank you for supporting EFF.

EDITED TO ADD: This event is over, but you can watch a recorded version on
YouTube.

** *** ***** ******* *********** *************
A Peek into the Fake Review Marketplace

[2020.07.13] A personal account of someone who was paid to buy products on
Amazon and leave fake reviews.

Fake reviews are one of those problems that everyone knows about and no one
knows what to do about -- so we all try to pretend it doesn't exist.

** *** ***** ******* *********** *************
Enigma Machine for Sale

[2020.07.14] A four-rotor Enigma machine -- with rotors -- is up for auction.

** *** ***** ******* *********** *************

Since 1998, CRYPTO-GRAM has been a free monthly newsletter providing summaries,
analyses, insights, and commentaries on security technology. To subscribe, or to
read back issues, see Crypto-Gram's web page.

You can also read these articles on my blog, Schneier on Security.

Please feel free to forward CRYPTO-GRAM, in whole or in part, to colleagues and
friends who will find it valuable. Permission is also granted to reprint
CRYPTO-GRAM, as long as it is reprinted in its entirety.

Bruce Schneier is an internationally renowned security technologist, called a
security guru by the Economist. He is the author of over one dozen books --
including his latest, Click Here to Kill Everybody -- as well as hundreds of
articles, essays, and academic papers. His newsletter and blog are read by over
250,000 people. Schneier is a fellow at the Berkman Klein Center for Internet
and Society at Harvard University; a Lecturer in Public Policy at the Harvard
Kennedy School; a board member of the Electronic Frontier Foundation, AccessNow,
and the Tor Project; and an advisory board member of EPIC and
VerifiedVoting.org.

Copyright © 2020 by Bruce Schneier.


--- GoldED+/LNX 1.1.5-b20180707
 * Origin: A Destination in the Sun (618:500/14)