Crypto-Gram
September 15, 2020

by Bruce Schneier
Fellow and Lecturer, Harvard Kennedy School
schneier@schneier.com
https://www.schneier.com

A free monthly newsletter providing summaries, analyses, insights, and
commentaries on security: computer and otherwise.

For back issues, or to subscribe, visit Crypto-Gram's web page.

Read this issue on the web

These same essays and news items appear in the Schneier on Security blog, along
with a lively and intelligent comment section. An RSS feed is available.

** *** ***** ******* *********** *************

In this issue:

Robocall Results from a Telephony Honeypot
Vaccine for Emotet Malware
Using Disinformation to Cause a Blackout
Copying a Key by Listening to It in Action
Yet Another Biometric: Bioacoustic Signatures
DiceKeys
Identifying People by Their Browsing Histories
Amazon Supplier Fraud
Cory Doctorow on The Age of Surveillance Capitalism
US Postal Service Files Blockchain Voting Patent
Seny Kamara on "Crypto for the People"
North Korea ATM Hack
Insider Attack on the Carnegie Library
2017 Tesla Hack
Hacking AI-Graded Tests
More on NIST's Post-Quantum Cryptography
US Space Cybersecurity Directive
The Third Edition of Ross Anderson's Security Engineering
Ranking National Cyber Power
Interesting Attack on the EMV Smartcard Payment Standard
Upcoming Speaking Engagements
** *** ***** ******* *********** *************

Robocall Results from a Telephony Honeypot

[2020.08.17] A group of researchers set up a telephony honeypot and tracked
robocall behavior:

NCSU researchers said they ran 66,606 telephone lines between March 2019 and
January 2020, during which time they said to have received 1,481,201 unsolicited
calls -- even if they never made their phone numbers public via any source.

The research team said they usually received an unsolicited call every 8.42
days, but most of the robocall traffic came in sudden surges they called
ΓÇ£stormsΓÇ¥ that happened at regular intervals, suggesting that robocallers
operated using a tactic of short-burst and well-organized campaigns.

In total, the NCSU team said it tracked 650 storms over 11 months, with most
storms being of the same size.

Research paper. USENIX talk. Slashdot thread.

** *** ***** ******* *********** *************

Vaccine for Emotet Malware

[2020.08.18] Interesting story of a vaccine for the Emotet malware:

Through trial and error and thanks to subsequent Emotet updates that refined how
the new persistence mechanism worked, Quinn was able to put together a tiny
PowerShell script that exploited the registry key mechanism to crash Emotet
itself.

The script, cleverly named EmoCrash, effectively scanned a userΓÇÖs computer and
generated a correct -- but malformed -- Emotet registry key.

When Quinn tried to purposely infect a clean computer with Emotet, the malformed
registry key triggered a buffer overflow in EmotetΓÇÖs code and crashed the
malware, effectively preventing users from getting infected.

When Quinn ran EmoCrash on computers already infected with Emotet, the script
would replace the good registry key with the malformed one, and when Emotet
would re-check the registry key, the malware would crash as well, preventing
infected hosts from communicating with the Emotet command-and-control server.

[...]

The Binary Defense team quickly realized that news about this discovery needed
to be kept under complete secrecy, to prevent the Emotet gang from fixing its
code, but they understood EmoCrash also needed to make its way into the hands of
companies across the world.

Compared to many of todayΓÇÖs major cybersecurity firms, all of which have
decades of history behind them, Binary Defense was founded in 2014, and despite
being one of the industryΓÇÖs up-and-comers, it doesnΓÇÖt yet have the influence
and connections to get this done without news of its discovery leaking, either
by accident or because of a jealous rival.

To get this done, Binary Defense worked with Team CYMRU, a company that has a
decades-long history of organizing and participating in botnet takedowns.

Working behind the scenes, Team CYMRU made sure that EmoCrash made its way into
the hands of national Computer Emergency Response Teams (CERTs), which then
spread it to the companies in their respective jurisdictions.

According to James Shank, Chief Architect for Team CYMRU, the company has
contacts with more than 125 national and regional CERT teams, and also manages a
mailing list through which it distributes sensitive information to more than
6,000 members. Furthermore, Team CYMRU also runs a biweekly group dedicated to
dealing with EmotetΓÇÖs latest shenanigans.

This broad and well-orchestrated effort has helped EmoCrash make its way around
the globe over the course of the past six months.

[...]

Either by accident or by figuring out there was something wrong in its
persistence mechanism, the Emotet gang did, eventually, changed its entire
persistence mechanism on Aug. 6 -- exactly six months after Quinn made his
initial discovery.

EmoCrash may not be useful to anyone anymore, but for six months, this tiny
PowerShell script helped organizations stay ahead of malware operations -- a
truly rare sight in todayΓÇÖs cyber-security field.

** *** ***** ******* *********** *************

Using Disinformation to Cause a Blackout

[2020.08.18] Interesting paper: ΓÇ£How weaponizing disinformation can bring down
a cityΓÇÖs power gridΓÇ£:

Abstract: Social media has made it possible to manipulate the masses via
disinformation and fake news at an unprecedented scale. This is particularly
alarming from a security perspective, as humans have proven to be one of the
weakest links when protecting critical infrastructure in general, and the power
grid in particular. Here, we consider an attack in which an adversary attempts
to manipulate the behavior of energy consumers by sending fake discount
notifications encouraging them to shift their consumption into the peak-demand
period. Using Greater London as a case study, we show that such disinformation
can indeed lead to unwitting consumers synchronizing their energy-usage
patterns, and result in blackouts on a city-scale if the grid is heavily loaded.
We then conduct surveys to assess the propensity of people to follow-through on
such notifications and forward them to their friends. This allows us to model
how the disinformation may propagate through social networks, potentially
amplifying the attack impact. These findings demonstrate that in an era when
disinformation can be weaponized, system vulnerabilities arise not only from the
hardware and software of critical infrastructure, but also from the behavior of
the consumers.

IΓÇÖm not sure the attack is practical, but itΓÇÖs an interesting idea.

** *** ***** ******* *********** *************

Copying a Key by Listening to It in Action

[2020.08.20] Researchers are using recordings of keys being used in locks to
create copies.

Once they have a key-insertion audio file, SpiKeyΓÇÖs inference software gets to
work filtering the signal to reveal the strong, metallic clicks as key ridges
hit the lockΓÇÖs pins [and you can hear those filtered clicks online here].
These clicks are vital to the inference analysis: the time between them allows
the SpiKey software to compute the keyΓÇÖs inter-ridge distances and what
locksmiths call the ΓÇ£bitting depthΓÇ¥ of those ridges: basically, how deeply
they cut into the key shaft, or where they plateau out. If a key is inserted at
a nonconstant speed, the analysis can be ruined, but the software can compensate
for small speed variations.

The result of all this is that SpiKey software outputs the three most likely key
designs that will fit the lock used in the audio file, reducing the potential
search space from 330,000 keys to just three. ΓÇ£Given that the profile of the
key is publicly available for commonly used [pin-tumbler lock] keys, we can
3D-print the keys for the inferred bitting codes, one of which will unlock the
door,ΓÇ¥ says Ramesh.

** *** ***** ******* *********** *************

Yet Another Biometric: Bioacoustic Signatures

[2020.08.21] Sound waves through the body are unique enough to be a biometric:

ΓÇ£Modeling allowed us to infer what structures or material features of the
human body actually differentiated people,ΓÇ¥ explains Joo Yong Sim, one of the
ETRI researchers who conducted the study. ΓÇ£For example, we could see how the
structure, size, and weight of the bones, as well as the stiffness of the
joints, affect the bioacoustics spectrum.ΓÇ¥

[...]

Notably, the researchers were concerned that the accuracy of this approach could
diminish with time, since the human body constantly changes its cells, matrices,
and fluid content. To account for this, they acquired the acoustic data of
participants at three separate intervals, each 30 days apart.

ΓÇ£We were very surprised that peopleΓÇÖs bioacoustics spectral pattern
maintained well over time, despite the concern that the pattern would change
greatly,ΓÇ¥ says Sim. ΓÇ£These results suggest that the bioacoustics signature
reflects more anatomical features than changes in water, body temperature, or
biomolecule concentration in blood that change from day to day.ΓÇ¥

ItΓÇÖs not great. A 97% accuracy is worse than fingerprints and iris scans, and
while they were able to reproduce the biometric in a month it almost certainly
changes as we age, gain and lose weight, and so on. Still, interesting.

** *** ***** ******* *********** *************

DiceKeys

[2020.08.24] DiceKeys is a physical mechanism for creating and storing a 192-bit
key. The idea is that you roll a special set of twenty-five dice, put them into
a plastic jig, and then use an app to convert those dice into a key. You can
then use that key for a variety of purposes, and regenerate it from the dice if
you need to.

This week Stuart Schechter, a computer scientist at the University of
California, Berkeley, is launching DiceKeys, a simple kit for physically
generating a single super-secure key that can serve as the basis for creating
all the most important passwords in your life for years or even decades to come.
With little more than a plastic contraption that looks a bit like a Boggle set
and an accompanying web app to scan the resulting dice roll, DiceKeys creates a
highly random, mathematically unguessable key. You can then use that key to
derive master passwords for password managers, as the seed to create a U2F key
for two-factor authentication, or even as the secret key for cryptocurrency
wallets. Perhaps most importantly, the box of dice is designed to serve as a
permanent, offline key to regenerate that master password, crypto key, or U2F
token if it gets lost, forgotten, or broken.

[...]

Schechter is also building a separate app that will integrate with DiceKeys to
allow users to write a DiceKeys-generated key to their U2F two-factor
authentication token. Currently the app works only with the open-source SoloKey
U2F token, but Schechter hopes to expand it to be compatible with more commonly
used U2F tokens before DiceKeys ship out. The same API that allows that
integration with his U2F token app will also allow cryptocurrency wallet
developers to integrate their wallets with DiceKeys, so that with a compatible
wallet app, DiceKeys can generate the cryptographic key that protects your
crypto coins too.

HereΓÇÖs the DiceKeys website and app. HereΓÇÖs a short video demo. HereΓÇÖs a
longer SOUPS talk.

Preorder a set here.

Note: I am an adviser on the project.

Another news article. Slashdot thread. Hacker News thread. Reddit thread.

** *** ***** ******* *********** *************

Identifying People by Their Browsing Histories

[2020.08.25] Interesting paper: ΓÇ£Replication: Why We Still CanΓÇÖt Browse in
Peace: On the Uniqueness and Reidentifiability of Web Browsing HistoriesΓÇ¥:

We examine the threat to individualsΓÇÖ privacy based on the feasibility of
reidentifying users through distinctive profiles of their browsing history
visible to websites and third parties. This work replicates and extends the 2012
paper Why Johnny CanΓÇÖt Browse in Peace: On the Uniqueness of Web Browsing
History Patterns[48]. The original work demonstrated that browsing profiles are
highly distinctive and stable. We reproduce those results and extend the
original work to detail the privacy risk posed by the aggregation of browsing
histories. Our dataset consists of two weeks of browsing data from ~52,000
Firefox users. Our work replicates the original paperΓÇÖs core findings by
identifying 48,919 distinct browsing profiles, of which 99% are unique. High
uniqueness hold seven when histories are truncated to just 100 top sites. We
then find that for users who visited 50 or more distinct domains in the two-week
data collection period, ~50% can be reidentified using the top 10k sites.
Reidentifiability rose to over 80% for users that browsed 150 or more distinct
domains. Finally, we observe numerous third parties pervasive enough to gather
web histories sufficient to leverage browsing history as an identifier.

One of the authors of the original study comments on the replication.

** *** ***** ******* *********** *************

Amazon Supplier Fraud

[2020.08.26] Interesting story of an Amazon supplier fraud:

According to the indictment, the brothers swapped ASINs for items Amazon ordered
to send large quantities of different goods instead. In one instance, Amazon
ordered 12 canisters of disinfectant spray costing $94.03. The defendants
allegedly shipped 7,000 toothbrushes costing $94.03 each, using the code for the
disinfectant spray, and later billed Amazon for over $650,000.

In another instance, Amazon ordered a single bottle of designer perfume for
$289.78. In response, according to the indictment, the defendants sent 927
plastic beard trimmers costing $289.79 each, using the ASIN for the perfume.
Prosecutors say the brothers frequently shipped and charged Amazon for more than
10,000 units of an item when it had requested fewer than 100. Once Amazon
detected the fraud and shut down their accounts, the brothers allegedly tried to
open new ones using fake names, different email addresses, and VPNs to obscure
their identity.

It all worked because Amazon is so huge that everything is automated.

** *** ***** ******* *********** *************

Cory Doctorow on The Age of Surveillance Capitalism

[2020.08.27] Cory Doctorow has writtten an extended rebuttal of The Age of
Surveillance Capitalism by Shoshana Zuboff. He summarized the argument on
Twitter.

Shorter summary: itΓÇÖs not the surveillance part, itΓÇÖs the fact that these
companies are monopolies.

I think itΓÇÖs both. Surveillance capitalism has some unique properties that
make it particularly unethical and incompatible with a free society, and Zuboff
makes them clear in her book. But the current acceptance of monopolies in our
society is also extremely damaging -- which Doctorow makes clear.

** *** ***** ******* *********** *************

US Postal Service Files Blockchain Voting Patent

[2020.08.28] The US Postal Service has filed a patent on a blockchain voting
method:

Abstract: A voting system can use the security of blockchain and the mail to
provide a reliable voting system. A registered voter receives a computer
readable code in the mail and confirms identity and confirms correct ballot
information in an election. The system separates voter identification and votes
to ensure vote anonymity, and stores votes on a distributed ledger in a
blockchain

I wasnΓÇÖt going to bother blogging this, but IΓÇÖve received enough emails
about it that I should comment.

As is pretty much always the case, blockchain adds nothing. The security of this
system has nothing to do with blockchain, and would be better off without it.
For voting in particular, blockchain adds to the insecurity. Matt Blaze is most
succinct on that point:

Why is blockchain voting a dumb idea?

Glad you asked.

For starters:

It doesnΓÇÖt solve any problems civil elections actually have.
ItΓÇÖs basically incompatible with ΓÇ£software independenceΓÇ¥, considered an
essential property.
It can make ballot secrecy difficult or impossible.
Both Ben Adida and Matthew Green have written longer pieces on blockchain and
voting.

News articles.

** *** ***** ******* *********** *************

Seny Kamara on "Crypto for the People"

[2020.08.31] Seny Kamara gave an excellent keynote talk this year at the
(online) CRYPTO Conference. He talked about solving real-world crypto problems
for marginalized communities around the world, instead of crypto problems for
governments and corporations. Well worth watching and listening to.

** *** ***** ******* *********** *************

North Korea ATM Hack

[2020.09.01] The US Cybersecurity and Infrastructure Security Agency (CISA)
published a long and technical alert describing a North Korea hacking scheme
against ATMs in a bunch of countries worldwide:

This joint advisory is the result of analytic efforts among the Cybersecurity
and Infrastructure Security Agency (CISA), the Department of the Treasury
(Treasury), the Federal Bureau of Investigation (FBI) and U.S. Cyber Command
(USCYBERCOM). Working with U.S. government partners, CISA, Treasury, FBI, and
USCYBERCOM identified malware and indicators of compromise (IOCs) used by the
North Korean government in an automated teller machine (ATM) cash-out scheme --
referred to by the U.S. Government as ΓÇ£FASTCash 2.0: North KoreaΓÇÖs
BeagleBoyz Robbing Banks.ΓÇ¥

The level of detail is impressive, as seems to be common in CISAΓÇÖs alerts and
analysis reports.

** *** ***** ******* *********** *************

Insider Attack on the Carnegie Library

[2020.09.02] Greg Priore, the person in charge of the rare book room at the
Carnegie Library, stole from it for almost two decades before getting caught.

ItΓÇÖs a perennial problem: trusted insiders have to be trusted.

** *** ***** ******* *********** *************

2017 Tesla Hack

[2020.09.03] Interesting story of a class break against the entire Tesla fleet.

** *** ***** ******* *********** *************

Hacking AI-Graded Tests

[2020.09.04] The company Edgenuity sells AI systems for grading tests. Turns out
that they just search for keywords without doing any actual semantic analysis.

** *** ***** ******* *********** *************

More on NIST's Post-Quantum Cryptography

[2020.09.08] Back in July, NIST selected third-round algorithms for its
post-quantum cryptography standard.

Recently, Daniel Apon of NIST gave a talk detailing the selection criteria.
Interesting stuff.

** *** ***** ******* *********** *************

US Space Cybersecurity Directive

[2020.09.09] The Trump Administration just published ΓÇ£Space Policy Directive
ΓÇô 5ΓÇ£: ΓÇ£Cybersecurity Principles for Space Systems.ΓÇ¥ ItΓÇÖs pretty
general:

Principles. (a) Space systems and their supporting infrastructure, including
software, should be developed and operated using risk-based,
cybersecurity-informed engineering. Space systems should be developed to
continuously monitor, anticipate,and adapt to mitigate evolving malicious cyber
activities that could manipulate, deny, degrade, disrupt,destroy, surveil, or
eavesdrop on space system operations. Space system configurations should be
resourced and actively managed to achieve and maintain an effective and
resilient cyber survivability posture throughout the space system lifecycle.

(b) Space system owners and operators should develop and implement cybersecurity
plans for their space systems that incorporate capabilities to ensure operators
or automated control center systems can retain or recover positive control of
space vehicles. These plans should also ensure the ability to verify the
integrity, confidentiality,and availability of critical functions and the
missions, services,and data they enable and provide.

These unclassified directives are typically so general that itΓÇÖs hard to tell
whether they actually matter.

News article.

** *** ***** ******* *********** *************

The Third Edition of Ross Anderson's Security Engineering

[2020.09.10] Ross AndersonΓÇÖs fantastic textbook, Security Engineering, will
have a third edition. The book wonΓÇÖt be published until December, but Ross has
been making drafts of the chapters available online as he finishes them. Now
that the book is completed, I expect the publisher to make him take the drafts
off the Internet.

I personally find both the electronic and paper versions to be incredibly
useful. Grab an electronic copy now while you still can.

** *** ***** ******* *********** *************

Ranking National Cyber Power

[2020.09.11] Harvard Kennedy SchoolΓÇÖs Belfer Center published the ΓÇ£National
Cyber Power Index 2020: Methodology and Analytical Considerations.ΓÇ¥ The
rankings: 1. US, 2. China, 3. UK, 4. Russia, 5. Netherlands, 6. France, 7.
Germany, 8. Canada, 9. Japan, 10. Australia, 11. Israel. More countries are in
the document.

We could -- and should -- argue about the criteria and the methodology, but
itΓÇÖs good that someone is starting this conversation.

Executive Summary: The Belfer National Cyber Power Index (NCPI) measures 30
countriesΓÇÖ cyber capabilities in the context of seven national objectives,
using 32 intent indicators and 27 capability indicators with evidence collected
from publicly available data.

In contrast to existing cyber related indices, we believe there is no single
measure of cyber power. Cyber Power is made up of multiple components and should
be considered in the context of a countryΓÇÖs national objectives. We take an
all-of-country approach to measuring cyber power. By considering
ΓÇ£all-of-countryΓÇ¥ we include all aspects under the control of a government
where possible. Within the NCPI we measure government strategies, capabilities
for defense and offense, resource allocation, the private sector, workforce, and
innovation. Our assessment is both a measurement of proven power and potential,
where the final score assumes that the government of that country can wield
these capabilities effectively.

The NCPI has identified seven national objectives that countries pursue using
cyber means. The seven objectives are:

Surveilling and Monitoring Domestic Groups;
Strengthening and Enhancing National Cyber Defenses;
Controlling and Manipulating the Information Environment;
Foreign Intelligence Collection for National Security;
Commercial Gain or Enhancing Domestic Industry Growth;
Destroying or Disabling an AdversaryΓÇÖs Infrastructure and Capabilities; and,
Defining International Cyber Norms and Technical Standards.
In contrast to the broadly held view that cyber power means destroying or
disabling an adversaryΓÇÖs infrastructure (commonly referred to as offensive
cyber operations), offense is only one of these seven objectives countries
pursue using cyber means.

** *** ***** ******* *********** *************

Interesting Attack on the EMV Smartcard Payment Standard

[2020.09.14] ItΓÇÖs complicated, but itΓÇÖs basically a man-in-the-middle attack
that involves two smartphones. The first phone reads the actual smartcard, and
then forwards the required information to a second phone. That second phone
actually conducts the transaction on the POS terminal. That second phone is able
to convince the POS terminal to conduct the transaction without requiring the
normally required PIN.

From a news article:

The researchers were able to demonstrate that it is possible to exploit the
vulnerability in practice, although it is a fairly complex process. They first
developed an Android app and installed it on two NFC-enabled mobile phones. This
allowed the two devices to read data from the credit card chip and exchange
information with payment terminals. Incidentally, the researchers did not have
to bypass any special security features in the Android operating system to
install the app.

To obtain unauthorized funds from a third-party credit card, the first mobile
phone is used to scan the necessary data from the credit card and transfer it to
the second phone. The second phone is then used to simultaneously debit the
amount at the checkout, as many cardholders do nowadays. As the app declares
that the customer is the authorized user of the credit card, the vendor does not
realize that the transaction is fraudulent. The crucial factor is that the app
outsmarts the cardΓÇÖs security system. Although the amount is over the limit
and requires PIN verification, no code is requested.

The paper: ΓÇ£The EMV Standard: Break, Fix, Verify.ΓÇ¥

Abstract: EMV is the international protocol standard for smartcard payment and
is used in over 9 billion cards worldwide. Despite the standardΓÇÖs advertised
security, various issues have been previously uncovered, deriving from logical
flaws that are hard to spot in EMVΓÇÖs lengthy and complex specification,
running over 2,000 pages.

We formalize a comprehensive symbolic model of EMV in Tamarin, a
state-of-the-art protocol verifier. Our model is the first that supports a
fine-grained analysis of all relevant security guarantees that EMV is intended
to offer. We use our model to automatically identify flaws that lead to two
critical attacks: one that defrauds the cardholder and another that defrauds the
merchant. First, criminals can use a victimΓÇÖs Visa contact-less card for
high-value purchases, without knowledge of the cardΓÇÖs PIN. We built a
proof-of-concept Android application and successfully demonstrated this attack
on real-world payment terminals. Second, criminals can trick the terminal into
accepting an unauthentic offline transaction, which the issuing bank should
later decline, after the criminal has walked away with the goods. This attack is
possible for implementations following the standard, although we did not test it
on actual terminals for ethical reasons. Finally, we propose and verify
improvements to the standard that prevent these attacks, as well as any other
attacks that violate the considered security properties.The proposed
improvements can be easily implemented in the terminals and do not affect the
cards in circulation.

** *** ***** ******* *********** *************

Upcoming Speaking Engagements

[2020.09.14] This is a current list of where and when I am scheduled to speak:

IΓÇÖm speaking at the Cybersecurity Law & Policy Scholars Virtual Conference on
September 17, 2020.
IΓÇÖm keynoting the Canadian Internet Registration AuthorityΓÇÖs online
symposium, Canadians Connected, on Wednesday, September 23, 2020.
IΓÇÖm giving a webinar as part of the Online One Conference 2020 on September
29, 2020.
IΓÇÖm speaking at the (ISC)┬▓ Security Congress 2020, November 16-18, 2020.
The list is maintained on this page.

** *** ***** ******* *********** *************

Since 1998, CRYPTO-GRAM has been a free monthly newsletter providing summaries,
analyses, insights, and commentaries on security technology. To subscribe, or to
read back issues, see Crypto-Gram's web page.

You can also read these articles on my blog, Schneier on Security.

Please feel free to forward CRYPTO-GRAM, in whole or in part, to colleagues and
friends who will find it valuable. Permission is also granted to reprint
CRYPTO-GRAM, as long as it is reprinted in its entirety.

Bruce Schneier is an internationally renowned security technologist, called a
security guru by the Economist. He is the author of over one dozen books --
including his latest, Click Here to Kill Everybody -- as well as hundreds of
articles, essays, and academic papers. His newsletter and blog are read by over
250,000 people. Schneier is a fellow at the Berkman Klein Center for Internet
and Society at Harvard University; a Lecturer in Public Policy at the Harvard
Kennedy School; a board member of the Electronic Frontier Foundation, AccessNow,
and the Tor Project; and an advisory board member of EPIC and
VerifiedVoting.org.

Copyright © 2020 by Bruce Schneier.

--- GoldED+/OSX 1.1.5-b20180707
 * Origin: A Pointless Point in Connemara (618:500/14.1)