AT2k Design BBS Message Area
From: Sean Rima
To: All
Subject: CRYPTO-GRAM, January 15, 2021
Date/Time: January 19, 2021 2:52 PM

Crypto-Gram
January 15, 2021

by Bruce Schneier
Fellow and Lecturer, Harvard Kennedy School
schneier@schneier.com
https://www.schneier.com

A free monthly newsletter providing summaries, analyses, insights, and
commentaries on security: computer and otherwise.

For back issues, or to subscribe, visit Crypto-Gram's web page.

Read this issue on the web

These same essays and news items appear in the Schneier on Security blog, along
with a lively and intelligent comment section. An RSS feed is available.

** *** ***** ******* *********** *************

In this issue:

If these links don't work in your email client, try reading this issue of
Crypto-Gram on the web.

Another Massive Russian Hack of US Government Networks
How the SolarWinds Hackers Bypassed Duo's Multi-Factor Authentication
Zodiac Killer Cipher Solved
Mexican Drug Cartels with High-Tech Spyware
More on the SolarWinds Breach
US Schools Are Buying Cell Phone Unlocking Systems
NSA on Authentication Hacks (Related to SolarWinds Breach)
Eavesdropping on Phone Taps from Voice Assistants
Investigating the Navalny Poisoning
How China Uses Stolen US Personnel Data
Russia's SolarWinds Attack
On the Evolution of Ransomware
Brexit Deal Mandates Old Insecure Crypto Algorithms
Amazon Has Trucks Filled with Hard Drives and an Armed Guard
Military Cryptanalytics, Part III
Latest on the SVR's SolarWinds Hack
Backdoor in Zyxel Firewalls and Gateways
Extracting Personal Information from Large Language Models Like GPT-2
Russia's SolarWinds Attack and Software Security
APT Horoscope
Changes in WhatsApp's Privacy Policy
Cloning Google Titan 2FA keys
On US Capitol Security -- By Someone Who Manages Arena-Rock-Concert Security
Finding the Location of Telegram Users
Upcoming Speaking Engagements
Click Here to Kill Everybody Sale

** *** ***** ******* *********** *************

Another Massive Russian Hack of US Government Networks

[2020.12.15] The press is reporting a massive hack of US government networks by
sophisticated Russian hackers.

Officials said a hunt was on to determine if other parts of the government had
been affected by what looked to be one of the most sophisticated, and perhaps
among the largest, attacks on federal systems in the past five years. Several
said national security-related agencies were also targeted, though it was not
clear whether the systems contained highly classified material.

[...]

The motive for the attack on the agency and the Treasury Department remains
elusive, two people familiar with the matter said. One government official said
it was too soon to tell how damaging the attacks were and how much material was
lost, but according to several corporate officials, the attacks had been
underway as early as this spring, meaning they continued undetected through
months of the pandemic and the election season.

The attack vector seems to be a malicious update in SolarWinds' "Orion" IT
monitoring platform, which is widely used in the US government (and elsewhere).

SolarWinds' comprehensive products and services are used by more than 300,000
customers worldwide, including military, Fortune 500 companies, government
agencies, and education institutions. Our customer list includes:

More than 425 of the US Fortune 500
All ten of the top ten US telecommunications companies
All five branches of the US Military
The US Pentagon, State Department, NASA, NSA, Postal Service, NOAA, Department
of Justice, and the Office of the President of the United States
All five of the top five US accounting firms
Hundreds of universities and colleges worldwide

I'm sure more details will become public over the next several weeks.

EDITED TO ADD (12/15): More news.

** *** ***** ******* *********** *************

How the SolarWinds Hackers Bypassed Duo's Multi-Factor Authentication

[2020.12.15] This is interesting:

Toward the end of the second incident that Volexity worked involving Dark Halo,
the actor was observed accessing the e-mail account of a user via OWA. This was
unexpected for a few reasons, not least of which was the targeted mailbox was
protected by MFA. Logs from the Exchange server showed that the attacker
provided username and password authentication like normal but were not
challenged for a second factor through Duo. The logs from the Duo authentication
server further showed that no attempts had been made to log into the account in
question. Volexity was able to confirm that session hijacking was not involved
and, through a memory dump of the OWA server, could also confirm that the
attacker had presented a cookie tied to a Duo MFA session named duo-sid.

Volexity's investigation into this incident determined the attacker had
accessed the Duo integration secret key (akey) from the OWA server. This key
then allowed the attacker to derive a pre-computed value to be set in the
duo-sid cookie. After successful password authentication, the server evaluated
the duo-sid cookie and determined it to be valid. This allowed the attacker with
knowledge of a user account and password to then completely bypass the MFA set
on the account. It should be noted this is not a vulnerability with the MFA
provider and underscores the need to ensure that all secrets associated with key
integrations, such as those with an MFA provider, should be changed following a
breach.

Again, this is not a Duo vulnerability. From ArsTechnica:

While the MFA provider in this case was Duo, it just as easily could have
involved any of its competitors. MFA threat modeling generally doesn't include
a complete system compromise of an OWA server. The level of access the hacker
achieved was enough to neuter just about any defense.
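The log cross-check Volexity describes, as an added example that is not code from Volexity, Duo or the newsletter: it correlates OWA logons whose duo-sid cookie was honoured with the Duo authentication log and flags the ones Duo never saw. The log line formats, user names, addresses and the cookie-lifetime window are constructed assumptions.

```python
"""Cross-check OWA logons that were let through the Duo MFA stage against the
Duo authentication log.  Added example, not code from Volexity, Duo or the
newsletter.  Both log formats below are constructed for this example; a real
deployment maps its own Exchange/OWA and Duo export fields onto the two record
types.  The detection mirrors what the quoted investigation did by hand: the
Exchange side says MFA was satisfied (a duo-sid cookie was accepted) while the
Duo side never saw an authentication for that user."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

TS = "%Y-%m-%dT%H:%M:%SZ"


@dataclass(frozen=True)
class OwaLogon:
    when: datetime
    user: str
    src_ip: str
    mfa: str          # "duo-sid-accepted" or "password-only" (constructed values)


@dataclass(frozen=True)
class DuoAuth:
    when: datetime
    user: str
    result: str       # "SUCCESS", "DENIED", ... (constructed values)


def parse_owa(text: str) -> List[OwaLogon]:
    """Constructed format: '<ts> <user> <src_ip> mfa=<state>' per line."""
    out = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, mfa = line.split()
        out.append(OwaLogon(datetime.strptime(ts, TS), user, ip, mfa.split("=", 1)[1]))
    return out


def parse_duo(text: str) -> List[DuoAuth]:
    """Constructed format: '<ts> <user> <result> <factor>' per line."""
    out = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, result, _factor = line.split()
        out.append(DuoAuth(datetime.strptime(ts, TS), user, result))
    return out


def unbacked_mfa_logons(owa: List[OwaLogon], duo: List[DuoAuth],
                        cookie_lifetime: timedelta) -> List[OwaLogon]:
    """OWA logons whose duo-sid cookie was honoured although Duo recorded no
    authentication (of any result) for that user within cookie_lifetime
    beforehand.  cookie_lifetime is the window during which a legitimately
    minted duo-sid may be reused without a fresh prompt (an assumption here;
    set it from the deployment's own session/remembered-device policy)."""
    by_user: Dict[str, List[datetime]] = {}
    for a in duo:
        by_user.setdefault(a.user, []).append(a.when)
    flagged = []
    for logon in owa:
        if logon.mfa != "duo-sid-accepted":
            continue
        backed = any(logon.when - cookie_lifetime <= t <= logon.when
                     for t in by_user.get(logon.user, []))
        if not backed:
            flagged.append(logon)
    return flagged


# Constructed sample logs (not real data).
OWA_LOG = """\
2020-12-10T09:14:02Z alice@corp.example 203.0.113.7 mfa=duo-sid-accepted
2020-12-10T09:20:11Z bob@corp.example 198.51.100.23 mfa=duo-sid-accepted
2020-12-10T09:31:45Z carol@corp.example 203.0.113.9 mfa=password-only
2020-12-11T02:05:30Z bob@corp.example 192.0.2.77 mfa=duo-sid-accepted
"""
DUO_LOG = """\
2020-12-10T09:13:40Z alice@corp.example SUCCESS push
2020-12-10T09:19:55Z bob@corp.example SUCCESS push
2020-12-10T09:31:30Z carol@corp.example DENIED push
"""


def run_check(cookie_lifetime_hours: float = 8) -> List[OwaLogon]:
    """Run the correlation over the constructed logs with the given window."""
    return unbacked_mfa_logons(parse_owa(OWA_LOG), parse_duo(DUO_LOG),
                               timedelta(hours=cookie_lifetime_hours))


if __name__ == "__main__":
    for hit in run_check():
        print(f"{hit.when:%Y-%m-%d %H:%M:%S} {hit.user} from {hit.src_ip}: "
              "duo-sid accepted with no Duo authentication behind it")
```

Only bob's second logon is reported: the duo-sid was accepted on the Exchange side, yet Duo has no authentication for him inside the cookie window, which is the same gap Volexity found in the logs.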

** *** ***** ******* *********** *************

Zodiac Killer Cipher Solved

[2020.12.16] The SF Chronicle is reporting (more details here), and the FBI is
confirming, that a Melbourne mathematician and team has decrypted the 1969
message sent by the Zodiac Killer to the newspaper.

There's no paper yet, but there are a bunch of details in the news articles.

Here's an interview with one of the researchers:

Cryptologist David Oranchak, who has been trying to crack the notorious "340
cipher" (it contains 340 characters) for more than a decade, made a crucial
breakthrough earlier this year when applied mathematician Sam Blake came up with
about 650,000 different possible ways in which the code could be read. From
there, using code-breaking software designed by Jarl Van Eycke, the team's
third member, they came up with a small number of valuable clues that helped
them piece together a message in the cipher.

** *** ***** ******* *********** *************

Mexican Drug Cartels with High-Tech Spyware

[2020.12.17] Sophisticated spyware, sold by surveillance tech companies to
Mexican government agencies, is ending up in the hands of drug cartels:

As many as 25 private companies -- including the Israeli company NSO Group and
the Italian firm Hacking Team -- have sold surveillance software to Mexican
federal and state police forces, but there is little or no regulation of the
sector -- and no way to control where the spyware ends up, said the officials.

Lots of details in the article. The cyberweapons arms business is immoral in
many ways. This is just one of them.

** *** ***** ******* *********** *************

More on the SolarWinds Breach

[2020.12.17] The New York Times has more details.

About 18,000 private and government users downloaded a Russian tainted software
update -- a Trojan horse of sorts -- that gave its hackers a foothold into
victims' systems, according to SolarWinds, the company whose software was
compromised.

Among those who use SolarWinds software are the Centers for Disease Control and
Prevention, the State Department, the Justice Department, parts of the Pentagon
and a number of utility companies. While the presence of the software is not by
itself evidence that each network was compromised and information was stolen,
investigators spent Monday trying to understand the extent of the damage in what
could be a significant loss of American data to a foreign attacker.

It's unlikely that the SVR (a successor to the KGB) penetrated all of those
networks. But it is likely that they penetrated many of the important ones. And
that they have buried themselves into those networks, giving them persistent
access even if this vulnerability is patched. This is a massive intelligence
coup for the Russians and failure for the Americans, even if no classified
networks were touched.

Meanwhile, CISA has directed everyone to remove SolarWinds from their networks.
This is (1) too late to matter, and (2) likely to take many months to complete.
Probably the right answer, though.

This is almost too stupid to believe:

In one previously unreported issue, multiple criminals have offered to sell
access to SolarWinds' computers through underground forums, according to two
researchers who separately had access to those forums.

One of those offering claimed access over the Exploit forum in 2017 was known as
"fxmsp" and is wanted by the FBI "for involvement in several high-profile
incidents," said Mark Arena, chief executive of cybercrime intelligence firm
Intel471. Arena informed his company's clients, which include U.S. law
enforcement agencies.

Security researcher Vinoth Kumar told Reuters that, last year, he alerted the
company that anyone could access SolarWinds' update server by using the
password "solarwinds123".

"This could have been done by any attacker, easily," Kumar said.

Neither the password nor the stolen access is considered the most likely source
of the current intrusion, researchers said.

That last sentence is important, yes. But the sloppy security practice is likely
not an isolated incident, and speaks to the overall lack of security culture at
the company.

And I noticed that SolarWinds has removed its customer page, presumably as part
of its damage control efforts. I quoted from it. Did anyone save a copy?

EDITED TO ADD: Both the Wayback Machine and Brian Krebs have saved the
SolarWinds customer page.

** *** ***** ******* *********** *************

US Schools Are Buying Cell Phone Unlocking Systems

[2020.12.18] Gizmodo is reporting that schools in the US are buying equipment to
unlock cell phones from companies like Cellebrite:

Gizmodo has reviewed similar accounting documents from eight school districts,
seven of which are in Texas, showing that administrators paid as much $11,582
for the controversial surveillance technology. Known as mobile device forensic
tools (MDFTs), this type of tech is able to siphon text messages, photos, and
application data from students' devices. Together, the districts encompass
hundreds of schools, potentially exposing hundreds of thousands of students to
invasive cell phone searches.

The eighth district was in Los Angeles.

** *** ***** ******* *********** *************

NSA on Authentication Hacks (Related to SolarWinds Breach)

[2020.12.18] The NSA has published an advisory outlining how "malicious cyber
actors" are "manipulating trust in federated authentication environments
to access protected data in the cloud." This is related to the SolarWinds hack
I have previously written about, and represents one of the techniques the SVR is
using once it has gained access to target networks.

From the summary:

Malicious cyber actors are abusing trust in federated authentication environments
to access protected data. The exploitation occurs after the actors have gained
initial access to a victim's on-premises network. The actors leverage
privileged access in the on-premises environment to subvert the mechanisms that
the organization uses to grant access to cloud and on-premises resources and/or
to compromise administrator credentials with the ability to manage cloud
resources. The actors demonstrate two sets of tactics, techniques, and procedures
(TTP) for gaining access to the victim network's cloud resources, often with a
particular focus on organizational email.

In the first TTP, the actors compromise on-premises components of a federated
SSO infrastructure and steal the credential or private key that is used to sign
Security Assertion Markup Language (SAML) tokens (TA0006, T1552, T1552.004).
Using the private keys, the actors then forge trusted authentication tokens to
access cloud resources. A recent NSA Cybersecurity Advisory warned of actors
exploiting a vulnerability in VMware Access and VMware Identity Manager that
allowed them to perform this TTP and abuse federated SSO infrastructure. While
that example of this TTP may have previously been attributed to nation-state
actors, a wealth of actors could be leveraging this TTP for their objectives.
This SAML forgery technique has been known and used by cyber actors since at
least 2017.

In a variation of the first TTP, if the malicious cyber actors are unable to
obtain an on-premises signing key, they would attempt to gain sufficient
administrative privileges within the cloud tenant to add a malicious certificate
trust relationship for forging SAML tokens.

In the second TTP, the actors leverage a compromised global administrator
account to assign credentials to cloud application service principals
(identities for cloud applications that allow the applications to be invoked to
access other cloud resources). The actors then invoke the application's
credentials for automated access to cloud resources (often email in particular)
that would otherwise be difficult for the actors to access or would more easily
be noticed as suspicious (T1114, T1114.002).

This is an ongoing story, and I expect to see a lot more about TTP -- nice
acronym there -- in coming weeks.

Related: Tom Bossert has a scathing op-ed on the breach. Jack Goldsmith's
essay is worth reading. So is Nick Weaver's.
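A defender's audit for the first TTP quoted above, added here and not code from the NSA advisory: it checks which certificate signed a SAML assertion against the thumbprints the organization actually issued to its federation server, and checks the issuer and validity window against policy. The SAML XML, certificate bytes, issuer URL and lifetime policy are constructed assumptions; verifying the XML signature itself is left to an XML-DSig library.

```python
"""Audit which certificate signed a SAML assertion and whether its issuer and
lifetime match policy.  Added example, not code from the NSA advisory; the XML,
certificate bytes, issuer URL and thumbprints are all constructed.  Verifying
the XML-DSig itself is left to an xmlsec-style library; this answers the
narrower question the advisory raises: was the token signed by a key the
organization actually issued to its federation server, or by something added
to the trust relationship later?"""
import base64
import hashlib
import xml.etree.ElementTree as ET  # use defusedxml for untrusted input in production
from datetime import datetime, timedelta
from typing import Dict, List, Set

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SAML_TS = "%Y-%m-%dT%H:%M:%SZ"


def der_thumbprint(der: bytes) -> str:
    """SHA-256 over the DER certificate bytes, hex, as shown in most admin UIs."""
    return hashlib.sha256(der).hexdigest()


def audit_assertion(xml_text: str, trusted_thumbprints: Set[str],
                    expected_issuer: str, max_lifetime: timedelta) -> List[str]:
    """Return a list of findings; an empty list means the assertion passed."""
    findings: List[str] = []
    assertion = ET.fromstring(xml_text).find("saml:Assertion", NS)
    if assertion is None:
        return ["response carries no Assertion element"]

    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != expected_issuer:
        findings.append(f"unexpected issuer {issuer!r}")

    # Which key signed this?  A token signed by a certificate the organization
    # never issued to its IdP is the trace left by both variants of the first TTP.
    cert_b64 = assertion.findtext(
        "ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate",
        default="", namespaces=NS)
    if not cert_b64.strip():
        findings.append("no signing certificate in KeyInfo")
    else:
        thumb = der_thumbprint(base64.b64decode(cert_b64.strip()))
        if thumb not in trusted_thumbprints:
            findings.append(f"signed by untrusted certificate {thumb[:16]}...")

    # A forger chooses the validity window; enforce the organization's policy.
    cond = assertion.find("saml:Conditions", NS)
    if cond is None or not cond.get("NotBefore") or not cond.get("NotOnOrAfter"):
        findings.append("missing or incomplete Conditions window")
    else:
        start = datetime.strptime(cond.get("NotBefore"), SAML_TS)
        end = datetime.strptime(cond.get("NotOnOrAfter"), SAML_TS)
        if end - start > max_lifetime:
            findings.append(f"lifetime {end - start} exceeds policy {max_lifetime}")
    return findings


def _sample_response(cert_der: bytes, issuer: str, nb: str, noa: str) -> str:
    """Constructed SAML response; SignedInfo/SignatureValue omitted for brevity."""
    cert_b64 = base64.b64encode(cert_der).decode()
    return (
        f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
        f'xmlns:ds="{NS["ds"]}">'
        f'<saml:Assertion ID="_constructed1"><saml:Issuer>{issuer}</saml:Issuer>'
        f'<ds:Signature><ds:KeyInfo><ds:X509Data><ds:X509Certificate>{cert_b64}'
        f'</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>'
        f'<saml:Subject><saml:NameID>alice@corp.example</saml:NameID></saml:Subject>'
        f'<saml:Conditions NotBefore="{nb}" NotOnOrAfter="{noa}"/>'
        f'</saml:Assertion></samlp:Response>'
    )


# Constructed stand-ins for DER certificate bytes (not real certificates).
IDP_CERT_DER = b"constructed-der-bytes: legitimate federation-server signing cert"
ROGUE_CERT_DER = b"constructed-der-bytes: certificate added by an intruder"
TRUSTED_SIGNERS = {der_thumbprint(IDP_CERT_DER)}
EXPECTED_ISSUER = "https://sts.corp.example/adfs/services/trust"  # assumed value


def run_samples() -> Dict[str, List[str]]:
    """Audit one genuine-looking and one forged-looking assertion."""
    legit = _sample_response(IDP_CERT_DER, EXPECTED_ISSUER,
                             "2020-12-10T09:00:00Z", "2020-12-10T10:00:00Z")
    forged = _sample_response(ROGUE_CERT_DER, EXPECTED_ISSUER,
                              "2020-12-10T09:00:00Z", "2021-12-10T09:00:00Z")
    policy = timedelta(hours=1)
    return {"legit": audit_assertion(legit, TRUSTED_SIGNERS, EXPECTED_ISSUER, policy),
            "forged": audit_assertion(forged, TRUSTED_SIGNERS, EXPECTED_ISSUER, policy)}


if __name__ == "__main__":
    for name, findings in run_samples().items():
        print(name, "->", findings or ["ok"])
```

The allowlist of signer thumbprints is the control the advisory's variant TTP defeats when an attacker adds a certificate to the tenant's trust relationship, which is why it should be maintained from the organization's own change records rather than read back from the tenant.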

** *** ***** ******* *********** *************

Eavesdropping on Phone Taps from Voice Assistants

[2020.12.22] The microphones on voice assistants are very sensitive, and can
snoop on all sorts of data:

In Hey Alexa what did I just type? we show that when sitting up to half a meter
away, a voice assistant can still hear the taps you make on your phone, even in
presence of noise. Modern voice assistants have two to seven microphones, so
they can do directional localisation, just as human ears do, but with greater
sensitivity. We assess the risk and show that a lot more work is needed to
understand the privacy implications of the always-on microphones that are
increasingly infesting our work spaces and our homes.

From the paper:

Abstract: Voice assistants are now ubiquitous and listen in on our everyday
lives. Ever since they became commercially available, privacy advocates worried
that the data they collect can be abused: might private conversations be
extracted by third parties? In this paper we show that privacy threats go beyond
spoken conversations and include sensitive data typed on nearby smartphones.
Using two different smartphones and a tablet we demonstrate that the attacker
can extract PIN codes and text messages from recordings collected by a voice
assistant located up to half a meter away. This shows that remote
keyboard-inference attacks are not limited to physical keyboards but extend to
virtual keyboards too. As our homes become full of always-on microphones, we
need to work through the implications.

** *** ***** ******* *********** *************

Investigating the Navalny Poisoning

[2020.12.23] Bellingcat has investigated the near-fatal poisoning of Alexey
Navalny by the Russian FSB back in August. The details display some impressive
traffic analysis. Navalny got a confession out of one of the poisoners,
displaying some masterful social engineering.

Lots of interesting opsec details in all of this.

EDITED TO ADD (1/13) Bellingcat on their methodology.

** *** ***** ******* *********** *************

How China Uses Stolen US Personnel Data

[2020.12.24] Interesting analysis of China's efforts to identify US spies:

By about 2010, two former CIA officials recalled, the Chinese security services
had instituted a sophisticated travel intelligence program, developing databases
that tracked flights and passenger lists for espionage purposes. "We looked at
it very carefully," said the former senior CIA official. China's spies
"were actively using that for counterintelligence and offensive intelligence.
The capability was there and was being utilized." China had also stepped up
its hacking efforts targeting biometric and passenger data from transit hubs...

To be sure, China had stolen plenty of data before discovering how deeply
infiltrated it was by U.S. intelligence agencies. However, the shake-up between
2010 and 2012 gave Beijing an impetus not only to go after bigger, riskier
targets, but also to put together the infrastructure needed to process the
purloined information. It was around this time, said a former senior NSA
official, that Chinese intelligence agencies transitioned from merely being able
to steal large datasets en masse to actually rapidly sifting through information
from within them for use....

For U.S. intelligence personnel, these new capabilities made ChinaΓÇÖs
successful hack of the U.S. Office of Personnel Management (OPM) that much more
chilling. During the OPM breach, Chinese hackers stole detailed, often highly
sensitive personnel data from 21.5 million current and former U.S. officials,
their spouses, and job applicants, including health, residency, employment,
fingerprint, and financial data. In some cases, details from background
investigations tied to the granting of security clearances -- investigations
that can delve deeply into individuals' mental health records, their sexual
histories and proclivities, and whether a person's relatives abroad may be
subject to government blackmail -- were stolen as well....

When paired with travel details and other purloined data, information from the
OPM breach likely provided Chinese intelligence potent clues about unusual
behavior patterns, biographical information, or career milestones that marked
individuals as likely U.S. spies, officials say. Now, these officials feared,
China could search for when suspected U.S. spies were in certain locations --
and potentially also meeting secretly with their Chinese sources. China
"collects bulk personal data to help it track dissidents or other perceived
enemies of China around the world," Evanina, the top U.S. counterintelligence
official, said.

[...]

But after the OPM breach, anomalies began to multiply. In 2012, senior U.S. spy
hunters began to puzzle over some "head-scratchers": In a few cases, spouses
of U.S. officials whose sensitive work should have been difficult to discern
were being approached by Chinese and Russian intelligence operatives abroad,
according to the former counterintelligence executive. In one case, Chinese
operatives tried to harass and entrap a U.S. official's wife while she
accompanied her children on a school field trip to China. "The MO is that,
usually at the end of the trip, the lightbulb goes on [and the foreign
intelligence service identifies potential persons of interest]. But these were
from day one, from the airport onward," the former official said.

Worries about what the Chinese now knew precipitated an intelligence
community-wide damage assessment surrounding the OPM and other hacks, recalled
Douglas Wise, a former senior CIA official who served as deputy director of the
Defense Intelligence Agency from 2014 to 2016. Some worried that China might
have purposefully secretly altered data in individuals' OPM files to later use
as leverage in recruitment attempts. Officials also believed that the Chinese
might sift through the OPM data to try and craft the most ideal profiles for
Chinese intelligence assets seeking to infiltrate the U.S. government -- since
they now had granular knowledge of what the U.S. government looked for, and what
it didn't, while considering applicants for sensitive positions. U.S.
intelligence agencies altered their screening procedures to anticipate new, more
finely tuned Chinese attempts at human spying, Wise said.

** *** ***** ******* *********** *************

Russia's SolarWinds Attack

[2020.12.28] Recent news articles have all been talking about the massive
Russian cyberattack against the United States, but that's wrong on two
accounts. It wasn't a cyberattack in international relations terms, it was
espionage. And the victim wasn't just the US, it was the entire world. But it
was massive, and it is dangerous.

Espionage is internationally allowed in peacetime. The problem is that both
espionage and cyberattacks require the same computer and network intrusions, and
the difference is only a few keystrokes. And since this Russian operation
isn't at all targeted, the entire world is at risk -- and not just from
Russia. Many countries carry out these sorts of operations, none more
extensively than the US. The solution is to prioritize security and defense over
espionage and attack.

Here's what we know: Orion is a network management product from a company
named SolarWinds, with over 300,000 customers worldwide. Sometime before March,
hackers working for the Russian SVR -- previously known as the KGB -- hacked
into SolarWinds and slipped a backdoor into an Orion software update. (We
don't know how, but last year the company's update server was protected by
the password "solarwinds123" -- something that speaks to a lack of security
culture.) Users who downloaded and installed that corrupted update between March
and June unwittingly gave SVR hackers access to their networks.

This is called a supply-chain attack, because it targets a supplier to an
organization rather than an organization itself -- and can affect all of a
supplier's customers. It's an increasingly common way to attack networks.
Other examples of this sort of attack include fake apps in the Google Play
store, and hacked replacement screens for your smartphone.

SolarWinds has removed its customer list from its website, but the Internet
Archive saved it: all five branches of the US military, the state department,
the White House, the NSA, 425 of the Fortune 500 companies, all five of the top
five accounting firms, and hundreds of universities and colleges. In an SEC
filing, SolarWinds said that it believes "fewer than 18,000" of those
customers installed this malicious update, another way of saying that more than
17,000 did.

That's a lot of vulnerable networks, and it's inconceivable that the SVR
penetrated them all. Instead, it chose carefully from its cornucopia of targets.
Microsoft's analysis identified 40 customers who were infiltrated using this
vulnerability. The great majority of those were in the US, but networks in
Canada, Mexico, Belgium, Spain, the UK, Israel and the UAE were also targeted.
This list includes governments, government contractors, IT companies,
thinktanks, and NGOs -- and it will certainly grow.

Once inside a network, SVR hackers followed a standard playbook: establish
persistent access that will remain even if the initial vulnerability is fixed;
move laterally around the network by compromising additional systems and
accounts; and then exfiltrate data. Not being a SolarWinds customer is no
guarantee of security; this SVR operation used other initial infection vectors
and techniques as well. These are sophisticated and patient hackers, and we're
only just learning some of the techniques involved here.

Recovering from this attack isn't easy. Because any SVR hackers would
establish persistent access, the only way to ensure that your network isn't
compromised is to burn it to the ground and rebuild it, similar to reinstalling
your computer's operating system to recover from a bad hack. This is how a lot
of sysadmins are going to spend their Christmas holiday, and even then they
can't be sure. There are many ways to establish persistent access that survive
rebuilding individual computers and networks. We know, for example, of an NSA
exploit that remains on a hard drive even after it is reformatted. Code for that
exploit was part of the Equation Group tools that the Shadow Brokers -- again
believed to be Russia -- stole from the NSA and published in 2016. The SVR
probably has the same kinds of tools.

Even without that caveat, many network administrators won't go through the
long, painful, and potentially expensive rebuilding process. They'll just hope
for the best.

It's hard to overstate how bad this is. We are still learning about US
government organizations breached: the state department, the treasury
department, homeland security, the Los Alamos and Sandia National Laboratories
(where nuclear weapons are developed), the National Nuclear Security
Administration, the National Institutes of Health, and many more. At this point,
there's no indication that any classified networks were penetrated, although
that could change easily. It will take years to learn which networks the SVR has
penetrated, and where it still has access. Much of that will probably be
classified, which means that we, the public, will never know.

And now that the Orion vulnerability is public, other governments and
cybercriminals will use it to penetrate vulnerable networks. I can guarantee you
that the NSA is using the SVR's hack to infiltrate other networks; why would
they not? (Do any Russian organizations use Orion? Probably.)

While this is a security failure of enormous proportions, it is not, as Senator
Richard Durbin said, "virtually a declaration of war by Russia on the United
States." While President-elect Biden said he will make this a top priority,
it's unlikely that he will do much to retaliate.

The reason is that, by international norms, Russia did nothing wrong. This is
the normal state of affairs. Countries spy on each other all the time. There are
no rules or even norms, and it's basically "buyer beware." The US
regularly fails to retaliate against espionage operations -- such as China's
hack of the Office of Personnel Management (OPM) and previous Russian hacks --
because we do it, too. Speaking of the OPM hack, the then director of national
intelligence, James Clapper, said: "You have to kind of salute the Chinese for
what they did. If we had the opportunity to do that, I don't think we'd
hesitate for a minute."

We don't, and I'm sure NSA employees are grudgingly impressed with the SVR.
The US has by far the most extensive and aggressive intelligence operation in
the world. The NSA's budget is the largest of any intelligence agency. It
aggressively leverages the US's position controlling most of the internet
backbone and most of the major internet companies. Edward Snowden disclosed many
targets of its efforts around 2014, which then included 193 countries, the World
Bank, the IMF and the International Atomic Energy Agency. We are undoubtedly
running an offensive operation on the scale of this SVR operation right now, and
it'll probably never be made public. In 2016, President Obama boasted that we
have "more capacity than anybody both offensively and defensively."

He may have been too optimistic about our defensive capability. The US
prioritizes and spends many times more on offense than on defensive
cybersecurity. In recent years, the NSA has adopted a strategy of "persistent
engagement," sometimes called "defending forward." The idea is that
instead of passively waiting for the enemy to attack our networks and
infrastructure, we go on the offensive and disrupt attacks before they get to
us. This strategy was credited with foiling a plot by the Russian Internet
Research Agency to disrupt the 2018 elections.

But if persistent engagement is so effective, how could it have missed this
massive SVR operation? It seems that pretty much the entire US government was
unknowingly sending information back to Moscow. If we had been watching
everything the Russians were doing, we would have seen some evidence of this.
The Russians' success under the watchful eye of the NSA and US Cyber Command
shows that this is a failed approach.

And how did US defensive capability miss this? The only reason we know about
this breach is because, earlier this month, the security company FireEye
discovered that it had been hacked. During its own audit of its network, it
uncovered the Orion vulnerability and alerted the US government. Why don't
organizations like the Departments of State, Treasury and Homeland Security
regularly conduct that level of audit on their own systems? The government's
intrusion detection system, Einstein 3, failed here because it doesn't detect
new sophisticated attacks -- a deficiency pointed out in 2018 but never fixed.
We shouldn't have to rely on a private cybersecurity company to alert us of a
major nation-state attack.

If anything, the US's prioritization of offense over defense makes us less
safe. In the interests of surveillance, the NSA has pushed for an insecure cell
phone encryption standard and a backdoor in random number generators (important
for secure encryption). The DoJ has never relented in its insistence that the
world's popular encryption systems be made insecure through back doors --
another hot point where attack and defense are in conflict. In other words, we
allow for insecure standards and systems, because we can use them to spy on
others.

We need to adopt a defense-dominant strategy. As computers and the internet
become increasingly essential to society, cyberattacks are likely to be the
precursor to actual war. We are simply too vulnerable when we prioritize
offense, even if we have to give up the advantage of using those insecurities to
spy on others.

Our vulnerability is magnified as eavesdropping may bleed into a direct attack.
The SVR's access allows them not only to eavesdrop, but also to modify data,
degrade network performance, or erase entire networks. The first might be normal
spying, but the second certainly could be considered an act of war. Russia is
almost certainly laying the groundwork for future attack.

This preparation would not be unprecedented. There's a lot of attack going on
in the world. In 2010, the US and Israel attacked the Iranian nuclear program.
In 2012, Iran attacked the Saudi national oil company. North Korea attacked Sony
in 2014. Russia attacked the Ukrainian power grid in 2015 and 2016. Russia is
hacking the US power grid, and the US is hacking Russia's power grid -- just
in case the capability is needed someday. All of these attacks began as a spying
operation. Security vulnerabilities have real-world consequences.

WeΓÇÖre not going to be able to secure our networks and systems in this
no-rules, free-for-all every-network-for-itself world. The US needs to willingly
give up part of its offensive advantage in cyberspace in exchange for a vastly
more secure global cyberspace. We need to invest in securing the worldΓÇÖs
supply chains from this type of attack, and to press for international norms and
agreements prioritizing cybersecurity, like the 2018 Paris Call for Trust and
Security in Cyberspace or the Global Commission on the Stability of Cyberspace.
Hardening widely used software like Orion (or the core internet protocols) helps
everyone. We need to dampen this offensive arms race rather than exacerbate it,
and work towards cyber peace. Otherwise, hypocritically criticizing the Russians
for doing the same thing we do every day won't help create the safer world in
which we all want to live.

This essay previously appeared in the Guardian.

** *** ***** ******* *********** *************

On the Evolution of Ransomware

[2020.12.30] Good article on the evolution of ransomware:

Though some researchers say that the scale and severity of ransomware attacks
crossed a bright line in 2020, others describe this year as simply the next step
in a gradual and, unfortunately, predictable devolution. After years spent
honing their techniques, attackers are growing bolder. They've begun to
incorporate other types of extortion like blackmail into their arsenals, by
exfiltrating an organization's data and then threatening to release it if the
victim doesn't pay an additional fee. Most significantly, ransomware attackers
have transitioned from a model in which they hit lots of individuals and
accumulated many small ransom payments to one where they carefully plan attacks
against a smaller group of large targets from which they can demand massive
ransoms. The antivirus firm Emsisoft found that the average requested fee has
increased from about $5,000 in 2018 to about $200,000 this year.

Ransomware is a decades-old idea. Today, it's increasingly profitable and
professional.

** *** ***** ******* *********** *************

Brexit Deal Mandates Old Insecure Crypto Algorithms

[2020.12.31] In what is surely an unthinking cut-and-paste issue, page 921 of
the Brexit deal mandates the use of SHA-1 and 1024-bit RSA:

The open standard s/MIME as extension to de facto e-mail standard SMTP will be
deployed to encrypt messages containing DNA profile information. The protocol
s/MIME (V3) allows signed receipts, security labels, and secure mailing lists...
The underlying certificate used by s/MIME mechanism has to be in compliance with
X.509 standard.... The processing rules for s/MIME encryption operations... are
as follows:

the sequence of the operations is: first encryption and then signing,
the encryption algorithm AES (Advanced Encryption Standard) with 256 bit key
length and RSA with 1,024 bit key length shall be applied for symmetric and
asymmetric encryption respectively,
the hash algorithm SHA-1 shall be applied.
s/MIME functionality is built into the vast majority of modern e-mail software
packages including Outlook, Mozilla Mail as well as Netscape Communicator 4.x
and inter-operates among all major e-mail software packages.

And s/MIME? Bleah.

** *** ***** ******* *********** *************

Amazon Has Trucks Filled with Hard Drives and an Armed Guard

[2021.01.04] From an interview with an Amazon Web Services security engineer:

So when you use AWS, part of what you're paying for is security.

Right; it's part of what we sell. Let's say a prospective customer comes to
AWS. They say, "I like pay-as-you-go pricing. Tell me more about that." We
say, "Okay, here's how much you can use at peak capacity. Here are the
savings we can see in your case."

Then the company says, "How do I know that I'm secure on AWS?" And this is
where the heat turns up. This is where we get them. We say, "Well, let's
take a look at what you're doing right now and see if we can offer a
comparable level of security." So they tell us about the setup of their data
centers.

We say, "Oh my! It seems like we have level five security and your data center
has level three security. Are you really comfortable staying where you are?"
The customer figures, not only am I going to save money by going with AWS, I
also just became aware that I'm not nearly as secure as I thought.

Plus, we make it easy to migrate and difficult to leave. If you have a ton of
data in your data center and you want to move it to AWS but you don't want to
send it over the internet, we'll send an eighteen-wheeler to you filled with
hard drives, plug it into your data center with a fiber optic cable, and then
drive it across the country to us after loading it up with your data.

What? How do you do that?

We have a product called Snowmobile. It's a gas-guzzling truck. There are no
public pictures of the inside, but it's pretty cool. It's like a modular
datacenter on wheels. And customers rightly expect that if they load a truck
with all their data, they want security for that truck. So there's an armed
guard in it at all times.

It's a pretty easy sell. If a customer looks at that option, they say, yeah,
of course I want the giant truck and the guy with a gun to move my data, not
some crappy system that I develop on my own.

Lots more about how AWS views security, and Keith Alexander's position on
Amazon's board of directors, in the interview.

Found on Slashdot.

** *** ***** ******* *********** *************

Military Cryptanalytics, Part III

[2021.01.04] The NSA has just declassified and released a redacted version of
Military Cryptanalytics, Part III, by Lambros D. Callimahos, October 1977.

Parts I and II, by Lambros D. Callimahos and William F. Friedman, were released
decades ago -- I believe repeatedly, in increasingly unredacted form -- and
published by the late Wayne Griswold Barker's Aegean Park Press. I own them in
hardcover.

Like Parts I and II, Part III is primarily concerned with pre-computer ciphers.
At this point, the document only has historical interest. If there is any lesson
for today, it's that modern cryptanalysis is possible primarily because people
make mistakes.

The monograph took a while to become public. The cover page says that the
initial FOIA request was made in July 2012: eight and a half years ago.

And there are more books to come. Page 1 starts off:

This text constitutes the third of six basic texts on the science of
cryptanalytics. The first two texts together have covered most of the necessary
fundamentals of cryptanalytics; this and the remaining three texts will be
devoted to more specialized and more advanced aspects of the science.

Presumably, volumes IV, V, and VI are still hidden inside the classified
libraries of the NSA.

And from page ii:

Chapters IV-XI are revisions of seven of my monographs in the NSA Technical
Literature Series, viz: Monograph No. 19, "The Cryptanalysis of Ciphertext and
Plaintext Autokey Systems"; Monograph No. 20, "The Analysis of Systems
Employing Long or Continuous Keys"; Monograph No. 21, "The Analysis of
Cylindrical Cipher Devices and Strip Cipher Systems"; Monograph No. 22, "The
Analysis of Systems Employing Geared Disk Cryptomechanisms"; Monograph No. 23,
"Fundamentals of Key Analysis"; Monograph No. 15, "An Introduction to
Teleprinter Key Analysis"; and Monograph No. 18, "Ars Conjectandi: The
Fundamentals of Cryptodiagnosis."

This points to a whole series of still-classified monographs whose titles we do
not even know.

EDITED TO ADD: I have been informed by a reliable source that Parts 4 through 6
were never completed. There may be fragments and notes, but no finished works.

** *** ***** ******* *********** *************

Latest on the SVR's SolarWinds Hack

[2021.01.05] The New York Times has an in-depth article on the latest
information about the SolarWinds hack (not a great name, since it's much more
far-reaching than that).

Interviews with key players investigating what intelligence agencies believe to
be an operation by Russia's S.V.R. intelligence service revealed these points:

The breach is far broader than first believed. Initial estimates were that
Russia sent its probes only into a few dozen of the 18,000 government and
private networks they gained access to when they inserted code into network
management software made by a Texas company named SolarWinds. But as businesses
like Amazon and Microsoft that provide cloud services dig deeper for evidence,
it now appears Russia exploited multiple layers of the supply chain to gain
access to as many as 250 networks.
The hackers managed their intrusion from servers inside the United States,
exploiting legal prohibitions on the National Security Agency from engaging in
domestic surveillance and eluding cyberdefenses deployed by the Department of
Homeland Security.
"Early warning" sensors placed by Cyber Command and the National Security
Agency deep inside foreign networks to detect brewing attacks clearly failed.
There is also no indication yet that any human intelligence alerted the United
States to the hacking.
The government's emphasis on election defense, while critical in 2020, may
have diverted resources and attention from long-brewing problems like protecting
the "supply chain" of software. In the private sector, too, companies that
were focused on election security, like FireEye and Microsoft, are now revealing
that they were breached as part of the larger supply chain attack.
SolarWinds, the company that the hackers used as a conduit for their attacks,
had a history of lackluster security for its products, making it an easy target,
according to current and former employees and government investigators. Its
chief executive, Kevin B. Thompson, who is leaving his job after 11 years, has
sidestepped the question of whether his company should have detected the
intrusion.
Some of the compromised SolarWinds software was engineered in Eastern Europe,
and American investigators are now examining whether the incursion originated
there, where Russian intelligence operatives are deeply rooted.
Separately, it seems that the SVR conducted a dry run of the attack five months
before the actual attack:

The hackers distributed malicious files from the SolarWinds network in October
2019, five months before previously reported files were sent to victims through
the company's software update servers. The October files, distributed to
customers on Oct. 10, did not have a backdoor embedded in them, however, in the
way that subsequent malicious files that victims downloaded in the spring of
2020 did, and these files went undetected until this month.

[...]

"This tells us the actor had access to SolarWinds' environment much earlier
than this year. We know at minimum they had access Oct. 10, 2019. But they would
certainly have had to have access longer than that," says the source. "So
that intrusion [into SolarWinds] has to originate probably at least a couple of
months before that - probably at least mid-2019 [if not earlier]."

The files distributed to victims in October 2019 were signed with a legitimate
SolarWinds certificate to make them appear to be authentic code for the
company's Orion Platform software, a tool used by system administrators to
monitor and configure servers and other computer hardware on their network.

** *** ***** ******* *********** *************

Backdoor in Zyxel Firewalls and Gateways

[2021.01.06] This is bad:

More than 100,000 Zyxel firewalls, VPN gateways, and access point controllers
contain a hardcoded admin-level backdoor account that can grant attackers root
access to devices via either the SSH interface or the web administration panel.

[...]

Installing patches removes the backdoor account, which, according to Eye Control
researchers, uses the "zyfwp" username and the "PrOw!aN_fXp" password.

"The plaintext password was visible in one of the binaries on the system,"
the Dutch researchers said in a report published before the Christmas 2020
holiday.

** *** ***** ******* *********** *************

Extracting Personal Information from Large Language Models Like GPT-2

[2021.01.07] Researchers have been able to find all sorts of personal
information within GPT-2. This information was part of the training data, and
can be extracted with the right sorts of queries.

Paper: ΓÇ£Extracting Training Data from Large Language Models.ΓÇ¥

Abstract: It has become common to publish large (billion parameter) language
models that have been trained on private datasets. This paper demonstrates that
in such settings, an adversary can perform a training data extraction attack to
recover individual training examples by querying the language model.

We demonstrate our attack on GPT-2, a language model trained on scrapes of the
public Internet, and are able to extract hundreds of verbatim text sequences
from the model's training data. These extracted examples include (public)
personally identifiable information (names, phone numbers, and email addresses),
IRC conversations, code, and 128-bit UUIDs. Our attack is possible even though
each of the above sequences are included in just one document in the training
data.

We comprehensively evaluate our extraction attack to understand the factors that
contribute to its success. For example, we find that larger models are more
vulnerable than smaller models. We conclude by drawing lessons and discussing
possible safeguards for training large language models.

From a blog post:

We generated a total of 600,000 samples by querying GPT-2 with three different
sampling strategies. Each sample contains 256 tokens, or roughly 200 words on
average. Among these samples, we selected 1,800 samples with abnormally high
likelihood for manual inspection. Out of the 1,800 samples, we found 604 that
contain text which is reproduced verbatim from the training set.

The rest of the blog post discusses the types of data they found.

** *** ***** ******* *********** *************

Russia's SolarWinds Attack and Software Security

[2021.01.08] The information that is emerging about Russia's extensive
cyberintelligence operation against the United States and other countries should
be increasingly alarming to the public. The magnitude of the hacking, now
believed to have affected more than 250 federal agencies and businesses --
primarily through a malicious update of the SolarWinds network management
software -- may have slipped under most people's radar during the holiday
season, but its implications are stunning.

According to a Washington Post report, this is a massive intelligence coup by
Russia's foreign intelligence service (SVR). And a massive security failure on
the part of the United States is also to blame. Our insecure Internet
infrastructure has become a critical national security risk -- one that we need
to take seriously and spend money to reduce.

President-elect Joe Biden's initial response spoke of retaliation, but there
really isn't much the United States can do beyond what it already does.
Cyberespionage is business as usual among countries and governments, and the
United States is aggressively offensive in this regard. We benefit from the lack
of norms in this area and are unlikely to push back too hard because we don't
want to limit our own offensive actions.

Biden took a more realistic tone last week when he spoke of the need to improve
US defenses. The initial focus will likely be on how to clean the hackers out of
our networks, why the National Security Agency and US Cyber Command failed to
detect this intrusion and whether the 2-year-old Cybersecurity and
Infrastructure Security Agency has the resources necessary to defend the United
States against attacks of this caliber. These are important discussions to have,
but we also need to address the economic incentives that led to SolarWinds being
breached and how that insecure software ended up in so many critical US
government networks.

Software has become incredibly complicated. Most of us almost don't know all
of the software running on our laptops and what it's doing. We don't know
where it's connecting to on the Internet -- not even which countries it's
connecting to -- and what data it's sending. We typically don't know what
third-party libraries are in the software we install. We don't know what
software any of our cloud services are running. And we're rarely alone in our
ignorance. Finding all of this out is incredibly difficult.

This is even more true for software that runs our large government networks, or
even the Internet backbone. Government software comes from large companies,
small suppliers, open source projects and everything in between. Obscure
software packages can have hidden vulnerabilities that affect the security of
these networks, and sometimes the entire Internet. Russia's SVR leveraged one
of those vulnerabilities when it gained access to SolarWinds' update server,
tricking thousands of customers into downloading a malicious software update
that gave the Russians access to those networks.

The fundamental problem is one of economic incentives. The market rewards quick
development of products. It rewards new features. It rewards spying on customers
and users: collecting and selling individual data. The market does not reward
security, safety or transparency. It doesn't reward reliability past a bare
minimum, and it doesn't reward resilience at all.

This is what happened at SolarWinds. A New York Times report noted the company
ignored basic security practices. It moved software development to Eastern
Europe, where Russia has more influence and could potentially subvert
programmers, because it's cheaper.

Short-term profit was seemingly prioritized over product security.

Companies have the right to make decisions like this. The real question is why
the US government bought such shoddy software for its critical networks. This is
a problem that Biden can fix, and he needs to do so immediately.

The United States needs to improve government software procurement. Software is
now critical to national security. Any system for acquiring software needs to
evaluate the security of the software and the security practices of the company,
in detail, to ensure they are sufficient to meet the security needs of the
network they're being installed in. Procurement contracts need to include
security controls of the software development process. They need security
attestations on the part of the vendors, with substantial penalties for
misrepresentation or failure to comply. The government needs detailed best
practices for government and other companies.

Some of the groundwork for an approach like this has already been laid by the
federal government, which has sponsored the development of a "Software Bill of
Materials" that would set out a process for software makers to identify the
components used to assemble their software.

This scrutiny can't end with purchase. These security requirements need to be
monitored throughout the software's life cycle, along with what software is
being used in government networks.

None of this is cheap, and we should be prepared to pay substantially more for
secure software. But there's a benefit to these practices. If the government
evaluations are public, along with the list of companies that meet them, all
network buyers can benefit from them. The US government acting purely in the
realm of procurement can improve the security of nongovernmental networks
worldwide.

This is important, but it isn't enough. We need to set minimum safety and
security standards for all software: from the code in that Internet of Things
appliance you just bought to the code running our critical national
infrastructure. It's all one network, and a vulnerability in your
refrigerator's software can be used to attack the national power grid.

The IOT Cybersecurity Improvement Act, signed into law last month, is a start in
this direction.

The Biden administration should prioritize minimum security standards for all
software sold in the United States, not just to the government but to everyone.
Long gone are the days when we can let the software industry decide how much
emphasis to place on security. Software security is now a matter of personal
safety: whether it's ensuring your car isn't hacked over the Internet or
that the national power grid isn't hacked by the Russians.

This regulation is the only way to force companies to provide safety and
security features for customers -- just as legislation was necessary to mandate
food safety measures and require auto manufacturers to install life-saving
features such as seat belts and air bags. Smart regulations that incentivize
innovation create a market for security features. And they improve security for
everyone.

It's true that creating software in this sort of regulatory environment is
more expensive. But if we truly value our personal and national security, we
need to be prepared to pay for it.

The truth is that we're already paying for it. Today, software companies
increase their profits by secretly pushing risk onto their customers. We pay the
cost of insecure personal computers, just as the government is now paying the
cost to clean up after the SolarWinds hack. Fixing this requires both
transparency and regulation. And while the industry will resist both, they are
essential for national security in our increasingly computer-dependent world.

This essay previously appeared on CNN.com.

** *** ***** ******* *********** *************

APT Horoscope

[2021.01.08] This delightful essay matches APT hacker groups up with
astrological signs. This is me:

Capricorn is renowned for its discipline, skilled navigation, and steadfastness.
Just like Capricorn, Helix Kitten (also known as APT 35 or OilRig) is a skilled
navigator of vast online networks, maneuvering deftly across an array of
organizations, including those in aerospace, energy, finance, government,
hospitality, and telecommunications. Steadfast in its work and objectives, Helix
Kitten has a consistent track record of developing meticulous spear-phishing
attacks.

** *** ***** ******* *********** *************

Changes in WhatsApp's Privacy Policy

[2021.01.11] If you're a WhatsApp user, pay attention to the changes in the
privacy policy that you're being forced to agree with.

In 2016, WhatsApp gave users a one-time ability to opt out of having account
data turned over to Facebook. Now, an updated privacy policy is changing that.
Come next month, users will no longer have that choice. Some of the data that
WhatsApp collects includes:

User phone numbers
Other people's phone numbers stored in address books
Profile names
Profile pictures and
Status message including when a user was last online
Diagnostic data collected from app logs
Under the new terms, Facebook reserves the right to share collected data with
its family of companies.

EDITED TO ADD (1/13): WhatsApp tries to explain.

** *** ***** ******* *********** *************

Cloning Google Titan 2FA keys

[2021.01.12] This is a clever side-channel attack:

The cloning works by using a hot air gun and a scalpel to remove the plastic key
casing and expose the NXP A700X chip, which acts as a secure element that stores
the cryptographic secrets. Next, an attacker connects the chip to hardware and
software that take measurements as the key is being used to authenticate on an
existing account. Once the measurement-taking is finished, the attacker seals
the chip in a new casing and returns it to the victim.

Extracting and later resealing the chip takes about four hours. It takes another
six hours to take measurements for each account the attacker wants to hack. In
other words, the process would take 10 hours to clone the key for a single
account, 16 hours to clone a key for two accounts, and 22 hours for three
accounts.

By observing the local electromagnetic radiations as the chip generates the
digital signatures, the researchers exploit a side channel vulnerability in the
NXP chip. The exploit allows an attacker to obtain the long-term elliptic curve
digital signature algorithm private key designated for a given account. With the
crypto key in hand, the attacker can then create her own key, which will work
for each account she targeted.

The attack isn't free, but it's not expensive either:

A hacker would first have to steal a target's account password and also gain
covert possession of the physical key for as many as 10 hours. The cloning also
requires up to $12,000 worth of equipment and custom software, plus an advanced
background in electrical engineering and cryptography. That means the key
cloning -- were it ever to happen in the wild -- would likely be done only by a
nation-state pursuing its highest-value targets.

That last line about "nation-state pursuing its highest-value targets" is
just not true. There are many other situations where this attack is feasible.

Note that the attack isn't against the Google system specifically. It exploits
a side-channel vulnerability in the NXP chip, which means that other systems are
probably vulnerable:

While the researchers performed their attack on the Google Titan, they believe
that other hardware that uses the A700X, or chips based on the A700X, may also
be vulnerable. If true, that would include Yubico's YubiKey NEO and several
2FA keys made by Feitian.

** *** ***** ******* *********** *************

On US Capitol Security -- By Someone Who Manages Arena-Rock-Concert Security

[2021.01.13] Smart commentary:

...I was floored on Wednesday when, glued to my television, I saw police in some
areas of the U.S. Capitol using little more than those same mobile gates I had
-- the ones that look like bike racks that can hook together -- to try to keep
the crowds away from sensitive areas and, later, push back people intent on
accessing the grounds. (A new fence that appears to be made of sturdier material
was being erected on Thursday.) That's the same equipment and approximately
the same amount of force I was able to use when a group of fans got a little
feisty and tried to get backstage at a Vanilla Ice show.

[...]

There's not ever going to be enough police or security at any event to stop
people if they all act in unison; if enough people want to get to Vanilla Ice at
the same time, they're going to get to Vanilla Ice. Social constructs and
basic decency, not lightweight security gates, are what hold everyone except the
outliers back in a typical crowd.

[...]

When there are enough outliers in a crowd, it throws the normal dynamics of
crowd control off; everyone in my business knows this. Citizens tend to hold
each other to certain standards which is why my 40,000-person town does not have
40,000 police officers, and why the 8.3 million people of New York City aren't
policed by 8.3 million police officers.

Social norms are the fabric that make an event run smoothly -- and, really, hold
society together. There aren't enough police in your town to handle it if
everyone starts acting up at the same time.

I like that she uses the term "outliers," and I make much the same points in
Liars and Outliers.

** *** ***** ******* *********** *************

Finding the Location of Telegram Users

[2021.01.14] Security researcher Ahmed Hassan has shown that spoofing his
location to the Android Telegram app's "People Nearby" feature allows him to
pinpoint the physical location of Telegram users:

Using readily available software and a rooted Android device, he's able to spoof
the location his device reports to Telegram servers. By using just three
different locations and measuring the corresponding distance reported by People
Nearby, he is able to pinpoint a user's precise location.

[...]

A proof-of-concept video the researcher sent to Telegram showed how he could
discern the address of a People Nearby user when he used a free GPS spoofing app
to make his phone report just three different locations. He then drew a circle
around each of the three locations with a radius of the distance reported by
Telegram. The user's precise location was where all three intersected.

[...]

Fixing the problem -- or at least making it much harder to exploit it --
wouldn't be hard from a technical perspective. Rounding locations to the nearest
mile and adding some random bits generally suffices. When the Tinder app had a
similar disclosure vulnerability, developers used this kind of technique to fix
it.
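The fix quoted above (coarsen the location, add some random bits) is easy to get subtly wrong: noise that is fresh on every query can be averaged away by simply repeating the probe. The Python below is an added example, not code from Telegram, Tinder or the researcher; it assumes a flat planar model in metres, a constructed user location, three constructed probe points and a constructed server secret, and measures how far the three-circle reconstruction the article describes lands from the true location with and without a keyed, per-user coarsening.

```python
import hashlib
import hmac
import math

MILE_M = 1609.0  # "rounding locations to the nearest mile"

# Constructed server secret for the example; a real service would keep this in a KMS/HSM.
SERVER_SECRET = b"constructed-example-secret-not-for-production"


def euclid(a, b):
    """Straight-line distance between two planar points, in metres."""
    return math.hypot(a[0] - b[0], a[1] - b[1])


def naive_distance(user_loc, querier_loc):
    """Exact distance, as a 'People Nearby' style feature reports it with no
    mitigation. Three such answers from spoofed positions pin the user down."""
    return euclid(user_loc, querier_loc)


def coarsen_location(user_id, user_loc, cell=MILE_M):
    """Snap the true location to the centre of a one-mile grid cell, then add a
    per-user offset of up to +/- cell/4 on each axis.

    The offset is derived with HMAC over the user id, so it is the same for every
    query about that user: fresh random noise per query would average out under
    repeated probing, a stable keyed offset does not."""
    cx = (math.floor(user_loc[0] / cell) + 0.5) * cell
    cy = (math.floor(user_loc[1] / cell) + 0.5) * cell
    digest = hmac.new(SERVER_SECRET, str(user_id).encode(), hashlib.sha256).digest()
    # Map two 16-bit words of the digest onto [-cell/4, +cell/4].
    jx = (int.from_bytes(digest[0:2], "big") / 65535.0 - 0.5) * (cell / 2)
    jy = (int.from_bytes(digest[2:4], "big") / 65535.0 - 0.5) * (cell / 2)
    return (cx + jx, cy + jy)


def mitigated_distance(user_id, user_loc, querier_loc):
    """Distance computed from the coarsened location instead of the true one."""
    return euclid(coarsen_location(user_id, user_loc), querier_loc)


def trilaterate(probes, distances):
    """Intersect three circles (probe centre, reported distance), which is the
    geometry the article describes. Subtracting the circle equations pairwise
    removes the quadratic terms and leaves a 2x2 linear system."""
    (x1, y1), (x2, y2), (x3, y3) = probes
    d1, d2, d3 = distances
    a1, b1 = 2 * (x2 - x1), 2 * (y2 - y1)
    c1 = d1**2 - d2**2 - x1**2 + x2**2 - y1**2 + y2**2
    a2, b2 = 2 * (x3 - x1), 2 * (y3 - y1)
    c2 = d1**2 - d3**2 - x1**2 + x3**2 - y1**2 + y3**2
    det = a1 * b2 - a2 * b1
    if abs(det) < 1e-9:
        raise ValueError("probe points are collinear; the third must lie off the line")
    return ((c1 * b2 - c2 * b1) / det, (a1 * c2 - a2 * c1) / det)


# Constructed scenario: one user, three spoofed querier positions a few km apart.
TRUE_LOC = (412.0, 1875.0)
PROBES = [(0.0, 0.0), (5000.0, 0.0), (0.0, 5000.0)]


def recovery_error(mitigated, user_id="user-42"):
    """Metres between the user's true location and what three spoofed-location
    queries let an observer reconstruct, with or without the mitigation."""
    if mitigated:
        dists = [mitigated_distance(user_id, TRUE_LOC, p) for p in PROBES]
    else:
        dists = [naive_distance(TRUE_LOC, p) for p in PROBES]
    return euclid(trilaterate(PROBES, dists), TRUE_LOC)


if __name__ == "__main__":
    print(f"exact distances  -> reconstruction error {recovery_error(False):8.1f} m")
    print(f"coarsened (mile) -> reconstruction error {recovery_error(True):8.1f} m")
```

With exact distances the reconstruction error is essentially zero; with the coarsened location the observer recovers only the snapped point, several hundred metres off and no better after any number of repeated queries.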

** *** ***** ******* *********** *************

Upcoming Speaking Engagements

[2021.01.14] This is a current list of where and when I am scheduled to speak:

I'm speaking (online) as part of Western Washington University's Internet
Studies Lecture Series on January 20, 2021.
I'm speaking at ITY Denmark on February 2, 2021. Details to come.
I'm being interviewed by Keith Cronin as part of The Center for Innovation,
Security, and New Technology's CSINT Conversations series, February 10, 2021
from 11:00 AM - 11:30 AM CST.
I'll be speaking at an Informa event on February 28, 2021. Details to come.
The list is maintained on this page.

** *** ***** ******* *********** *************

Click Here to Kill Everybody Sale

[2021.01.15] For a limited time, I am selling signed copies of Click Here to
Kill Everybody in hardcover for just $6, plus shipping.

Note that I have had occasional problems with international shipping. The book
just disappears somewhere in the process. At this price, international orders
are at the buyer's risk. Also, the USPS keeps reminding us that shipping -- both
US and international -- may be delayed during the pandemic.

I have 500 copies of the book available. When they're gone, the sale is over and
the price will revert to normal.

Order here.

** *** ***** ******* *********** *************

Since 1998, CRYPTO-GRAM has been a free monthly newsletter providing summaries,
analyses, insights, and commentaries on security technology. To subscribe, or to
read back issues, see Crypto-Gram's web page.

You can also read these articles on my blog, Schneier on Security.

Please feel free to forward CRYPTO-GRAM, in whole or in part, to colleagues and
friends who will find it valuable. Permission is also granted to reprint
CRYPTO-GRAM, as long as it is reprinted in its entirety.

Bruce Schneier is an internationally renowned security technologist, called a
security guru by the Economist. He is the author of over one dozen books --
including his latest, We Have Root -- as well as hundreds of articles, essays,
and academic papers. His newsletter and blog are read by over 250,000 people.
Schneier is a fellow at the Berkman Klein Center for Internet & Society at
Harvard University; a Lecturer in Public Policy at the Harvard Kennedy School; a
board member of the Electronic Frontier Foundation, AccessNow, and the Tor
Project; and an Advisory Board Member of the Electronic Privacy Information
Center and VerifiedVoting.org. He is the Chief of Security Architecture at
Inrupt, Inc.

Copyright © 2021 by Bruce Schneier.
