AT2k Design BBS Message Area
From: Sean Rima
To: All
Subject: CRYPTO-GRAM, March 15, 2021
Date/Time: March 20, 2021 10:07 PM

Crypto-Gram
March 15, 2021

by Bruce Schneier
Fellow and Lecturer, Harvard Kennedy School
schneier@schneier.com
https://www.schneier.com

A free monthly newsletter providing summaries, analyses, insights, and
commentaries on security: computer and otherwise.

For back issues, or to subscribe, visit Crypto-Gram's web page.

Read this issue on the web

These same essays and news items appear in the Schneier on Security blog, along
with a lively and intelligent comment section. An RSS feed is available.

** *** ***** ******* *********** *************

In this issue:

If these links don't work in your email client, try reading this issue of
Crypto-Gram on the web.

On Vulnerability-Adjacent Vulnerabilities
Deliberately Playing Copyrighted Music to Avoid Being Live-Streamed
US Cyber Command Valentine's Day Cryptography Puzzles
Malicious Barcode Scanner App
Browser Tracking Using Favicons
Virginia Data Privacy Law
WEIS 2021 Call for Papers
Router Security
GPS Vulnerabilities
Dependency Confusion: Another Supply-Chain Vulnerability
Twelve-Year-Old Vulnerability Found in Windows Defender
On Chinese-Owned Technology Platforms
The Problem with Treating Data as a Commodity
National Security Risks of Late-Stage Capitalism
Mysterious Macintosh Malware
Encoded Message in the Perseverance Mars Lander's Parachute
Chinese Hackers Stole an NSA Windows Exploit in 2014
Four Microsoft Exchange Zero-Days Exploited by China
Threat Model Humor
No, RSA Is Not Broken
Hacking Digitally Signed PDF Files
On Not Fixing Old Vulnerabilities
More on the Chinese Zero-Day Microsoft Exchange Hack
Fast Random Bit Generation
Metadata Left in Security Agency PDFs
Upcoming Speaking Engagements


** *** ***** ******* *********** *************

On Vulnerability-Adjacent Vulnerabilities

[2021.02.15] At the virtual Enigma Conference, Google’s Project Zero’s
Maggie Stone gave a talk about zero-day exploits in the wild. In it, she talked
about how often vendors fix vulnerabilities only to have the attackers tweak
their exploits to work again. From an MIT Technology Review article:

Soon after they were spotted, the researchers saw one exploit being used in the
wild. Microsoft issued a patch and fixed the flaw, sort of. In September 2019,
another similar vulnerability was found being exploited by the same hacking
group.

More discoveries in November 2019, January 2020, and April 2020 added up to at
least five zero-day vulnerabilities being exploited from the same bug class in
short order. Microsoft issued multiple security updates: some failed to actually
fix the vulnerability being targeted, while others required only slight changes
that required just a line or two to change in the hacker’s code to make the
exploit work again.

[...]

“What we saw cuts across the industry: Incomplete patches are making it easier
for attackers to exploit users with zero-days,” Stone said on Tuesday at the
security conference Enigma. “We’re not requiring attackers to come up with
all new bug classes, develop brand new exploitation, look at code that has never
been researched before. We’re allowing the reuse of lots of different
vulnerabilities that we previously knew about.”

[...]

Why aren’t they being fixed? Most of the security teams working at software
companies have limited time and resources, she suggests -- and if their
priorities and incentives are flawed, they only check that they’ve fixed the
very specific vulnerability in front of them instead of addressing the bigger
problems at the root of many vulnerabilities.

Another article on the talk.

This is an important insight. It’s not enough to patch existing
vulnerabilities. We need to make it harder for attackers to find new
vulnerabilities to exploit. Closing entire families of vulnerabilities, rather
than individual vulnerabilities one at a time, is a good way to do that.

** *** ***** ******* *********** *************

Deliberately Playing Copyrighted Music to Avoid Being Live-Streamed

[2021.02.15] Vice is reporting on a new police hack: playing copyrighted music
when being filmed by citizens, trying to provoke social media sites into taking
the videos down and maybe even banning the filmers:

In a separate part of the video, which Devermont says was filmed later that same
afternoon, Devermont approaches [BHPD Sgt. Billy] Fair outside. The interaction
plays out almost exactly like it did in the department -- when Devermont starts
asking questions, Fair turns on the music.

Devermont backs away, and asks him to stop playing music. Fair says “I can’t
hear you” -- again, despite holding a phone that is blasting tunes.

Later, Fair starts berating Devermont’s livestreaming account, saying “I
read the comments [on your account], they talk about how fake you are.” He
then holds out his phone, which is still on full blast, and walks toward
Devermont, saying “Listen to the music”.

In a statement emailed to VICE News, Beverly Hills PD said that “the playing
of music while accepting a complaint or answering questions is not a procedure
that has been recommended by Beverly Hills Police command staff,” and that the
videos of Fair were “currently under review.”

However, this is not the first time that a Beverly Hills police officer has done
this, nor is Fair the only one.

In an archived clip from a livestream shared privately to VICE Media that
Devermont has not publicly reposted but he says was taken weeks ago, another
officer can be seen quickly swiping through his phone as Devermont approaches.
By the time Devermont is close enough to speak to him, the officer’s phone is
already blasting “In My Life” by the Beatles -- a group whose rightsholders
have notoriously sued Apple numerous times. If you want to get someone in
trouble for copyright infringement, the Beatles are quite possibly your best
bet.

As Devermont asks about the music, the officer points the phone at him, asking,
“Do you like it?”

Clever, really, and an illustration of the problem with context-free copyright
enforcement.

** *** ***** ******* *********** *************

US Cyber Command Valentine's Day Cryptography Puzzles

[2021.02.15] The US Cyber Command has released a series of ten Valentine’s Day
“Cryptography Challenge Puzzles.”

Slashdot thread. Reddit thread. (And here’s the archived link, in case Cyber
Command takes the page down.)

** *** ***** ******* *********** *************

Malicious Barcode Scanner App

[2021.02.16] Interesting story about a barcode scanner app that has been pushing
malware on to Android phones. The app is called Barcode Scanner. It’s been
around since 2017 and is owned by the Ukrainian company Lavabird Ltd. But a
December 2020 update included some new features:

However, a rash of malicious activity was recently traced back to the app. Users
began noticing something weird going on with their phones: their default
browsers kept getting hijacked and redirected to random advertisements,
seemingly out of nowhere.

Generally, when this sort of thing happens it’s because the app was recently
sold. That’s not the case here.

It is frightening that with one update an app can turn malicious while going
under the radar of Google Play Protect. It is baffling to me that an app
developer with a popular app would turn it into malware. Was this the scheme all
along, to have an app lie dormant, waiting to strike after it reaches
popularity? I guess we will never know.

** *** ***** ******* *********** *************

Browser Tracking Using Favicons

[2021.02.17] Interesting research on persistent web tracking using favicons.
(For those who don’t know, favicons are those tiny icons that appear in
browser tabs next to the page name.)

Abstract: The privacy threats of online tracking have garnered considerable
attention in recent years from researchers and practitioners alike. This has
resulted in users becoming more privacy-cautious and browser vendors gradually
adopting countermeasures to mitigate certain forms of cookie-based and
cookie-less tracking. Nonetheless, the complexity and feature-rich nature of
modern browsers often lead to the deployment of seemingly innocuous
functionality that can be readily abused by adversaries. In this paper we
introduce a novel tracking mechanism that misuses a simple yet ubiquitous
browser feature: favicons. In more detail, a website can track users across
browsing sessions by storing a tracking identifier as a set of entries in the
browser’s dedicated favicon cache, where each entry corresponds to a specific
subdomain. In subsequent user visits the website can reconstruct the identifier
by observing which favicons are requested by the browser while the user is
automatically and rapidly redirected through a series of subdomains. More
importantly, the caching of favicons in modern browsers exhibits several unique
characteristics that render this tracking vector particularly powerful, as it is
persistent (not affected by users clearing their browser data), non-destructive
(reconstructing the identifier in subsequent visits does not alter the existing
combination of cached entries), and even crosses the isolation of the incognito
mode. We experimentally evaluate several aspects of our attack, and present a
series of optimization techniques that render our attack practical. We find that
combining our favicon-based tracking technique with immutable
browser-fingerprinting attributes that do not change over time allows a website
to reconstruct a 32-bit tracking identifier in 2 seconds. Furthermore, our attack
works in all major browsers that use a favicon cache, including Chrome and
Safari. Due to the severity of our attack we propose changes to browsers’
favicon caching behavior that can prevent this form of tracking, and have
disclosed our findings to browser vendors who are currently exploring
appropriate mitigation strategies.

Another researcher has implemented this proof of concept:

Strehle has set up a website that demonstrates how easy it is to track a user
online using a favicon. He said it’s for research purposes, has released his
source code online, and detailed a lengthy explanation of how supercookies work
on his website.

The scariest part of the favicon vulnerability is how easily it bypasses
traditional methods people use to keep themselves private online. According to
Strehle, the supercookie bypasses the “private” mode of Chrome, Safari,
Edge, and Firefox. Clearing your cache, surfing behind a VPN, or using an
ad-blocker won’t stop a malicious favicon from tracking you.

EDITED TO ADD (3/12): There was an issue about whether this paper was
inappropriately disclosed, and briefly deleted from the NDSS website. It was
later put back with a prefatory note from the NDSS.
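The abstract describes the mechanism but not the bookkeeping, so here is a small simulation of it. This is an added example, not code from the paper or from Strehle's demo site: the tracker domain (tracker.example), the one-subdomain-per-bit layout, and the simplified favicon cache are all assumptions. It shows the two tricks the abstract relies on: the main-domain favicon request tells the server whether a browser is new (write the identifier) or returning (read it back), and reads answer every favicon request with a 404 so the cache is left exactly as it was.

```python
import random

N_BITS = 32
BASE = "tracker.example"      # assumed tracker domain, illustrative only

def bit_host(bit):
    """One subdomain per identifier bit, e.g. f07.tracker.example."""
    return f"f{bit:02d}.{BASE}"

class FaviconCache:
    """Stand-in for the browser's favicon cache: the set of hosts whose icon is
    cached. Real caches store more, but host identity is all the attack uses."""
    def __init__(self):
        self.hosts = set()
    def has(self, host):
        return host in self.hosts
    def add(self, host):
        self.hosts.add(host)

def browser_load(cache, server, host, write_mode):
    """The browser is redirected to `host`. It requests a favicon only if none is
    cached for that host; a 200 caches the icon, a 404 caches nothing.
    Returns True if a favicon request left the browser (what the server sees)."""
    if cache.has(host):
        return False
    if server.serve_favicon(host, write_mode):
        cache.add(host)
    return True

class TrackerServer:
    def __init__(self, rng=None):
        # Seeded for a reproducible demo; a real tracker only needs unique IDs.
        self.rng = rng if rng is not None else random.Random(7)
        self.pending = None   # identifier currently being written

    def serve_favicon(self, host, write_mode):
        """True = 200 with an icon, False = 404. The main domain's icon marks
        'seen before'. Per-bit hosts get an icon only while writing a '1' bit;
        during reads every request gets a 404 so the cache is left unchanged."""
        if host == BASE:
            return True
        if not write_mode:
            return False
        bit = int(host.split(".")[0][1:])
        return bool((self.pending >> bit) & 1)

    def visit(self, cache):
        """One page load through the redirect chain.
        Returns ("new", id) on a first visit or ("returning", id) afterwards."""
        # First visit: nothing cached for the main domain, so the browser asks for
        # its icon; that request is the signal to assign and write a fresh ID.
        if browser_load(cache, self, BASE, write_mode=False):
            self.pending = self.rng.getrandbits(N_BITS)
            for bit in range(N_BITS):
                browser_load(cache, self, bit_host(bit), write_mode=True)
            ident, self.pending = self.pending, None
            return "new", ident
        # Returning visit: walk the same subdomains; a bit is 1 exactly when the
        # browser stays silent because it already holds that host's icon.
        ident = 0
        for bit in range(N_BITS):
            if not browser_load(cache, self, bit_host(bit), write_mode=False):
                ident |= 1 << bit
        return "returning", ident

if __name__ == "__main__":
    server, cache = TrackerServer(), FaviconCache()
    print(server.visit(cache))   # ('new', <id>)
    print(server.visit(cache))   # ('returning', <same id>)
```

The simulation clears nothing between visits because that is the point: cookies, localStorage and the HTTP cache are not involved, so clearing them changes none of the state the read phase depends on. The paper's engineering (redirect timing, combining the favicon bits with stable fingerprint attributes to cut the number of subdomains) is not modelled here.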

** *** ***** ******* *********** *************

Virginia Data Privacy Law

[2021.02.18] Virginia is about to get a data privacy law, modeled on
California’s law.

** *** ***** ******* *********** *************

WEIS 2021 Call for Papers

[2021.02.18] The 20th Annual Workshop on the Economics of Information Security
(WEIS 2021) will be held online in June. We just published the call for papers.

** *** ***** ******* *********** *************

Router Security

[2021.02.19] This report is six months old, and I don’t know anything about
the organization that produced it, but it has some alarming data about router
security.

Conclusion: Our analysis showed that Linux is the most used OS running on more
than 90% of the devices. However, many routers are powered by very old versions
of Linux. Most devices are still powered with a 2.6 Linux kernel, which has not
been maintained for many years. This leads to a high number of critical and
high severity CVEs affecting these devices.

Since Linux is the most used OS, exploit mitigation techniques could be enabled
very easily. Anyhow, they are used quite rarely by most vendors except the NX
feature.

A published private key provides no security at all. Nonetheless, all but one
vendor spread several private keys in almost all firmware images.

Mirai used hard-coded login credentials to infect thousands of embedded devices
in the last years. However, hard-coded credentials can be found in many of the
devices and some of them are well known or at least easily crackable.

However, we can tell for sure that the vendors prioritize security differently.
AVM does a better job than the other vendors regarding most aspects. ASUS and
Netgear do a better job in some aspects than D-Link, Linksys, TP-Link and Zyxel.

Additionally, our evaluation showed that large scale automated security analysis
of embedded devices is possible today utilizing just open source software. To
sum it up, our analysis shows that there is no router without flaws and there is
no vendor who does a perfect job regarding all security aspects. Much more
effort is needed to make home routers as secure as current desktop or server
systems.

One comment on the report:

One-third ship with Linux kernel version 2.6.36, which was released in October
2010. You can walk into a store today and buy a brand new router powered by
software that’s almost 10 years out of date! This outdated version of the Linux
kernel has 233 known security vulnerabilities registered in the Common
Vulnerabilities and Exposures (CVE) database. The average router contains 26
critically-rated security vulnerabilities, according to the study.

We know the reasons for this. Most routers are designed offshore, by third
parties, and then private labeled and sold by the vendors you’ve heard of.
Engineering teams come together, design and build the router, and then disperse.
There’s often no one around to write patches, and most of the time router
firmware isn’t even patchable. The way to update your home router is to throw
it away and buy a new one.

And this paper demonstrates that even the new ones aren’t likely to be secure.

** *** ***** ******* *********** *************

GPS Vulnerabilities

[2021.02.22] Really good op-ed in the New York Times about how vulnerable the
GPS system is to interference, spoofing, and jamming -- and potential
alternatives.

The 2018 National Defense Authorization Act included funding for the Departments
of Defense, Homeland Security and Transportation to jointly conduct
demonstrations of various alternatives to GPS, which were concluded last March.
Eleven potential systems were tested, including eLoran, a low-frequency,
high-power timing and navigation system transmitted from terrestrial towers at
Coast Guard facilities throughout the United States.

“China, Russia, Iran, South Korea and Saudi Arabia all have eLoran systems
because they don’t want to be as vulnerable as we are to disruptions of
signals from space,” said Dana Goward, the president of the Resilient
Navigation and Timing Foundation, a nonprofit that advocates for the
implementation of an eLoran backup for GPS.

Also under consideration by federal authorities are timing systems delivered via
fiber optic network and satellite systems in a lower orbit than GPS, which
therefore have a stronger signal, making them harder to hack. A report on the
technologies was submitted to Congress last week.

GPS is a piece of our critical infrastructure that is essential to a lot of the
rest of our critical infrastructure. It needs to be more secure.

** *** ***** ******* *********** *************

Dependency Confusion: Another Supply-Chain Vulnerability

[2021.02.23] Alex Birsan writes about being able to install malware into
proprietary corporate software by naming the code files to be identical to
internal corporate code files. From a ZDNet article:

Today, developers at small or large companies use package managers to download
and import libraries that are then assembled together using build tools to
create a final app.

This app can be offered to the company’s customers or can be used internally
at the company as an employee tool.

But some of these apps can also contain proprietary or highly-sensitive code,
depending on their nature. For these apps, companies will often use private
libraries that they store inside a private (internal) package repository, hosted
inside the company’s own network.

When apps are built, the company’s developers will mix these private libraries
with public libraries downloaded from public package portals like npm, PyPI,
NuGet, or others.

[...]

Researchers showed that if an attacker learns the names of private libraries
used inside a company’s app-building process, they could register these names
on public package repositories and upload public libraries that contain
malicious code.

The “dependency confusion” attack takes place when developers build their
apps inside enterprise environments, and their package manager prioritizes the
(malicious) library hosted on the public repository instead of the internal
library with the same name.

The research team said they put this discovery to the test by searching for
situations where big tech firms accidentally leaked the names of various
internal libraries and then registered those same libraries on package
repositories like npm, RubyGems, and PyPI.

Using this method, researchers said they successfully loaded their
(non-malicious) code inside apps used by 35 major tech firms, including the
likes of Apple, Microsoft, PayPal, Shopify, Netflix, Yelp, Uber, and others.

Clever attack, and one that has netted him $130K in bug bounties.

More news articles.
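The ZDNet excerpt says the package manager "prioritizes" the public copy without saying why. The resolver logic below makes that concrete and puts two fixes next to it. This is an added example written for this issue, not Birsan's code or any package manager's: the package names, version numbers and both indexes are constructed, and the "acme-" prefix convention is an assumption standing in for whatever naming scheme a company actually uses.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Candidate:
    name: str
    version: tuple      # (major, minor, patch); tuples compare lexicographically
    source: str         # "private" or "public"

# Constructed indexes, not real packages. The private index holds the company's
# internal libraries; the public one is PyPI/npm-style, where an attacker has
# registered a leaked internal name with an absurdly high version number.
PRIVATE = {
    "acme-billing-core": [Candidate("acme-billing-core", (1, 4, 2), "private")],
    "acme-auth":         [Candidate("acme-auth", (2, 0, 0), "private")],
}
PUBLIC = {
    "acme-billing-core": [Candidate("acme-billing-core", (99, 0, 0), "public")],  # attacker's upload
    "requests":          [Candidate("requests", (2, 25, 1), "public")],
}

def highest(cands):
    return max(cands, key=lambda c: c.version)

def resolve_merged(name, *indexes):
    """The vulnerable behaviour: every configured index is one pool and the
    highest version wins. This is what `pip install --extra-index-url
    https://private.example/simple` does, so 99.0.0 from the public index beats
    1.4.2 from the private one."""
    pool = [c for idx in indexes for c in idx.get(name, [])]
    if not pool:
        raise LookupError(name)
    return highest(pool)

def resolve_private_first(name, private, public):
    """Mitigation A: a name the private index knows is served only from it.
    In practice this is one proxy index (the only index-url the clients see)
    that refuses to forward internal names upstream."""
    if name in private:
        return highest(private[name])
    if name in public:
        return highest(public[name])
    raise LookupError(name)

def resolve_scoped(name, private, public, internal_prefix="acme-"):
    """Mitigation B: reserve a prefix or scope for internal code (npm's @acme/*
    scopes pinned to one registry do the same). An internal name that is missing
    from the private index fails closed instead of falling through to the public
    index, which is exactly the failure the attack needs."""
    if name.startswith(internal_prefix):
        if name not in private:
            raise LookupError(f"internal package {name!r} not in private index")
        return highest(private[name])
    if name in public:
        return highest(public[name])
    raise LookupError(name)

def confusable_names(private, public):
    """Audit check: internal names that also exist publicly with a version that
    would win under merged resolution. Run this against your real indexes."""
    hits = []
    for name, cands in private.items():
        if name in public and highest(public[name]).version > highest(cands).version:
            hits.append(name)
    return sorted(hits)

if __name__ == "__main__":
    print(resolve_merged("acme-billing-core", PRIVATE, PUBLIC))          # public 99.0.0
    print(resolve_private_first("acme-billing-core", PRIVATE, PUBLIC))   # private 1.4.2
    print(confusable_names(PRIVATE, PUBLIC))                             # ['acme-billing-core']
```

Two practical notes. The audit function only catches names an attacker has already claimed; registering your own internal names on the public registries (with placeholder packages) closes the window before that happens. And the scoped resolver's fail-closed branch is deliberate: a build that errors on a missing internal package is a nuisance, a build that silently pulls a stranger's package with the same name is the incident.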

** *** ***** ******* *********** *************

Twelve-Year-Old Vulnerability Found in Windows Defender

[2021.02.24] Researchers found, and Microsoft has patched, a vulnerability in
Windows Defender that has been around for twelve years. There is no evidence
that anyone has used the vulnerability during that time.

The flaw, discovered by researchers at the security firm SentinelOne, showed up
in a driver that Windows Defender -- renamed Microsoft Defender last year --
uses to delete the invasive files and infrastructure that malware can create.
When the driver removes a malicious file, it replaces it with a new, benign one
as a sort of placeholder during remediation. But the researchers discovered that
the system doesn’t specifically verify that new file. As a result, an attacker
could insert strategic system links that direct the driver to overwrite the
wrong file or even run malicious code.

It isnΓÇÖt unusual that vulnerabilities lie around for this long. They canΓÇÖt
be fixed until someone finds them, and people arenΓÇÖt always looking.

** *** ***** ******* *********** *************

On Chinese-Owned Technology Platforms

[2021.02.25] I am a co-author on a report published by the Hoover Institution:
“Chinese Technology Platforms Operating in the United States.” From a blog
post:

The report suggests a comprehensive framework for understanding and assessing
the risks posed by Chinese technology platforms in the United States and
developing tailored responses. It starts from the common view of the signatories
-- one reflected in numerous publicly available threat assessments -- that
China’s power is growing, that a large part of that power is in the digital
sphere, and that China can and will wield that power in ways that adversely
affect our national security. However, the specific threats and risks posed by
different Chinese technologies vary, and effective policies must start with a
targeted understanding of the nature of risks and an assessment of the impact US
measures will have on national security and competitiveness. The goal of the
paper is not to specifically quantify the risk of any particular technology, but
rather to analyze the various threats, put them into context, and offer a
framework for assessing proposed responses in ways that the signatories hope can
aid those doing the risk analysis in individual cases.

** *** ***** ******* *********** *************

The Problem with Treating Data as a Commodity

[2021.02.26] Excellent Brookings paper: “Why data ownership is the wrong
approach to protecting privacy.”

From the introduction:

Treating data like it is property fails to recognize either the value that
varieties of personal information serve or the abiding interest that individuals
have in their personal information even if they choose to “sell” it. Data is
not a commodity. It is information. Any system of information rights -- whether
patents, copyrights, and other intellectual property, or privacy rights --
presents some tension with strong interest in the free flow of information that
is reflected by the First Amendment. Our personal information is in demand
precisely because it has value to others and to society across a myriad of uses.

From the conclusion:

Privacy legislation should empower individuals through more layered and
meaningful transparency and individual rights to know, correct, and delete
personal information in databases held by others. But relying entirely on
individual control will not do enough to change a system that is failing
individuals, and trying to reinforce control with a property interest is likely
to fail society as well. Rather than trying to resolve whether personal
information belongs to individuals or to the companies that collect it, a
baseline federal privacy law should directly protect the abiding interest that
individuals have in that information and also enable the social benefits that
flow from sharing information.

** *** ***** ******* *********** *************

National Security Risks of Late-Stage Capitalism

[2021.03.01] Early in 2020, cyberspace attackers apparently working for the
Russian government compromised a piece of widely used network management
software made by a company called SolarWinds. The hack gave the attackers access
to the computer networks of some 18,000 of SolarWinds’s customers, including
US government agencies such as the Homeland Security Department and State
Department, American nuclear research labs, government contractors, IT companies
and nongovernmental agencies around the world.

It was a huge attack, with major implications for US national security. The
Senate Intelligence Committee is scheduled to hold a hearing on the breach on
Tuesday. Who is at fault?

The US government deserves considerable blame, of course, for its inadequate
cyberdefense. But to see the problem only as a technical shortcoming is to miss
the bigger picture. The modern market economy, which aggressively rewards
corporations for short-term profits and aggressive cost-cutting, is also part of
the problem: Its incentive structure all but ensures that successful tech
companies will end up selling insecure products and services.

Like all for-profit corporations, SolarWinds aims to increase shareholder value
by minimizing costs and maximizing profit. The company is owned in large part by
Silver Lake and Thoma Bravo, private-equity firms known for extreme
cost-cutting.

SolarWinds certainly seems to have underspent on security. The company
outsourced much of its software engineering to cheaper programmers overseas,
even though that typically increases the risk of security vulnerabilities. For a
while, in 2019, the update server’s password for SolarWinds’s network
management software was reported to be “solarwinds123.” Russian hackers were
able to breach SolarWinds’s own email system and lurk there for months.
Chinese hackers appear to have exploited a separate vulnerability in the
company’s products to break into US government computers. A cybersecurity
adviser for the company said that he quit after his recommendations to
strengthen security were ignored.

There is no good reason to underspend on security other than to save money --
especially when your clients include government agencies around the world and
when the technology experts that you pay to advise you are telling you to do
more.

As the economics writer Matt Stoller has suggested, cybersecurity is a natural
area for a technology company to cut costs because its customers won’t notice
unless they are hacked -- and if they are, they will have already paid for the
product. In other words, the risk of a cyberattack can be transferred to the
customers. Doesn’t this strategy jeopardize the possibility of long-term,
repeat customers? Sure, there’s a danger there -- but investors are so focused
on short-term gains that they’re too often willing to take that risk.

The market loves to reward corporations for risk-taking when those risks are
largely borne by other parties, like taxpayers. This is known as “privatizing
profits and socializing losses.” Standard examples include companies that are
deemed “too big to fail,” which means that society as a whole pays for their
bad luck or poor business decisions. When national security is compromised by
high-flying technology companies that fob off cybersecurity risks onto their
customers, something similar is at work.

Similar misaligned incentives affect your everyday cybersecurity, too. Your
smartphone is vulnerable to something called SIM-swap fraud because phone
companies want to make it easy for you to frequently get a new phone -- and they
know that the cost of fraud is largely borne by customers. Data brokers and
credit bureaus that collect, use, and sell your personal data don’t spend a
lot of money securing it because it’s your problem if someone hacks them and
steals it. Social media companies too easily let hate speech and misinformation
flourish on their platforms because it’s expensive and complicated to remove
it, and they don’t suffer the immediate costs -- indeed, they tend to profit
from user engagement regardless of its nature.

There are two problems to solve. The first is information asymmetry: buyers
can’t adequately judge the security of software products or company practices.
The second is a perverse incentive structure: the market encourages companies to
make decisions in their private interest, even if that imperils the broader
interests of society. Together these two problems result in companies that save
money by taking on greater risk and then pass off that risk to the rest of us,
as individuals and as a nation.

The only way to force companies to provide safety and security features for
customers and users is with government intervention. Companies need to pay the
true costs of their insecurities, through a combination of laws, regulations,
and legal liability. Governments routinely legislate safety -- pollution
standards, automobile seat belts, lead-free gasoline, food service regulations.
We need to do the same with cybersecurity: the federal government should set
minimum security standards for software and software development.

In today’s underregulated markets, it’s just too easy for software companies
like SolarWinds to save money by skimping on security and to hope for the best.
That’s a rational decision in today’s free-market world, and the only way to
change that is to change the economic incentives.

This essay previously appeared in the New York Times.

** *** ***** ******* *********** *************

Mysterious Macintosh Malware

[2021.03.02] This is weird:

Once an hour, infected Macs check a control server to see if there are any new
commands the malware should run or binaries to execute. So far, however,
researchers have yet to observe delivery of any payload on any of the infected
30,000 machines, leaving the malware’s ultimate goal unknown. The lack of a
final payload suggests that the malware may spring into action once an unknown
condition is met.

Also curious, the malware comes with a mechanism to completely remove itself, a
capability that’s typically reserved for high-stealth operations. So far,
though, there are no signs the self-destruct feature has been used, raising the
question of why the mechanism exists.

Besides those questions, the malware is notable for a version that runs natively
on the M1 chip that Apple introduced in November, making it only the second
known piece of macOS malware to do so. The malicious binary is more mysterious
still because it uses the macOS Installer JavaScript API to execute commands.
That makes it hard to analyze installation package contents or the way that
package uses the JavaScript commands.

The malware has been found in 153 countries with detections concentrated in the
US, UK, Canada, France, and Germany. Its use of Amazon Web Services and the
Akamai content delivery network ensures the command infrastructure works
reliably and also makes blocking the servers harder. Researchers from Red
Canary, the security firm that discovered the malware, are calling the malware
Silver Sparrow.

Feels government-designed, rather than criminal or hacker.

Another article. And the Red Canary analysis.
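The one behaviour in the excerpt that is observable from the network is the hourly check-in, and clockwork intervals are something you can hunt for in proxy or DNS logs regardless of what the destination is. The detector below is an added example for this issue, not Red Canary's detection logic: the log format, the client addresses and the destination hosts are constructed, and the thresholds are starting points rather than tuned values.

```python
import statistics
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed proxy log, not real Silver Sparrow traffic. Assumed line format:
# "<ISO-8601 UTC timestamp> <client ip> <destination host> <bytes sent>".
# 10.1.2.3 talks to one host once an hour, give or take a few seconds, and
# browses normally in between; 10.1.2.9 hits a news site at irregular times.
SAMPLE_LOG = """\
2021-02-18T09:00:03Z 10.1.2.3 updates.cdn-host.example 512
2021-02-18T09:12:40Z 10.1.2.3 www.apple.com 9001
2021-02-18T10:00:05Z 10.1.2.3 updates.cdn-host.example 514
2021-02-18T10:31:11Z 10.1.2.3 news.example.org 40210
2021-02-18T11:00:02Z 10.1.2.3 updates.cdn-host.example 510
2021-02-18T12:00:04Z 10.1.2.3 updates.cdn-host.example 513
2021-02-18T12:45:00Z 10.1.2.3 news.example.org 38000
2021-02-18T13:00:06Z 10.1.2.3 updates.cdn-host.example 511
2021-02-18T09:30:00Z 10.1.2.9 news.example.org 2000
2021-02-18T10:02:00Z 10.1.2.9 news.example.org 2100
2021-02-18T11:40:00Z 10.1.2.9 news.example.org 1900
2021-02-18T12:05:00Z 10.1.2.9 news.example.org 2050
"""

@dataclass
class Beacon:
    client: str
    host: str
    hits: int
    mean_interval: float   # seconds between connections
    cv: float              # stdev / mean of the intervals; near 0 means clockwork

def parse(log_text):
    for line in log_text.splitlines():
        ts, client, host, nbytes = line.split()
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), client, host, int(nbytes)

def find_beacons(log_text, min_hits=4, max_cv=0.05, expected=None, tolerance=0.05):
    """Flag (client, host) pairs whose inter-connection gaps are nearly constant.
    `expected` (seconds) optionally restricts hits to a known period such as 3600.
    Malware that jitters its sleep needs a looser max_cv; the price is more noise."""
    by_pair = defaultdict(list)
    for ts, client, host, _ in parse(log_text):
        by_pair[(client, host)].append(ts)
    found = []
    for (client, host), stamps in by_pair.items():
        if len(stamps) < min_hits:
            continue                       # too few points to call anything periodic
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.stdev(gaps) / mean if mean else float("inf")
        if cv > max_cv:
            continue                       # irregular: human browsing, not a timer
        if expected is not None and abs(mean - expected) > expected * tolerance:
            continue
        found.append(Beacon(client, host, len(stamps), mean, cv))
    return sorted(found, key=lambda b: b.cv)

if __name__ == "__main__":
    for b in find_beacons(SAMPLE_LOG):
        print(f"{b.client} -> {b.host}: {b.hits} hits every {b.mean_interval:.0f}s (cv={b.cv:.4f})")
```

Legitimate software updaters also poll on timers, and a destination on a large cloud provider or CDN (as in the excerpt) will not look unusual by itself, so treat a hit as a lead to join against the host-side indicators in the Red Canary write-up, not as a verdict.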

** *** ***** ******* *********** *************

Encoded Message in the Perseverance Mars Lander's Parachute

[2021.03.03] NASA made an oblique reference to a coded message in the color
pattern of the Perseverance Mars Lander’s parachute.

More information.

** *** ***** ******* *********** *************

Chinese Hackers Stole an NSA Windows Exploit in 2014

[2021.03.04] Check Point has evidence that (probably government affiliated)
Chinese hackers stole and cloned an NSA Windows hacking tool years before
(probably government affiliated) Russian hackers stole and then published the
same tool. Here’s the timeline:

The timeline basically seems to be, according to Check Point:

2013: NSA’s Equation Group developed a set of exploits including one called
EpMe that elevates one’s privileges on a vulnerable Windows system to
system-administrator level, granting full control. This allows someone with a
foothold on a machine to commandeer the whole box.

2014-2015: China’s hacking team code-named APT31, aka Zirconium, developed
Jian by, one way or another, cloning EpMe.

Early 2017: The Equation Group’s tools were teased and then leaked online by a
team calling itself the Shadow Brokers. Around that time, Microsoft cancelled
its February Patch Tuesday, identified the vulnerability exploited by EpMe
(CVE-2017-0005), and fixed it in a bumper March update. Interestingly enough,
Lockheed Martin was credited as alerting Microsoft to the flaw, suggesting it
was perhaps used against an American target.

Mid 2017: Microsoft quietly fixed the vulnerability exploited by the leaked EpMo
exploit.

Lots of news articles about this.

** *** ***** ******* *********** *************

Four Microsoft Exchange Zero-Days Exploited by China

[2021.03.04] Microsoft has issued an emergency Microsoft Exchange patch to fix
four zero-day vulnerabilities currently being exploited by China.

EDITED TO ADD (3/12): Exchange Online is not affected.

** *** ***** ******* *********** *************

Threat Model Humor

[2021.03.05] At a hospital.

** *** ***** ******* *********** *************

No, RSA Is Not Broken

[2021.03.05] I have been seeing this paper by cryptographer Peter Schnorr making
the rounds: “Fast Factoring Integers by SVP Algorithms.” It describes a new
factoring method, and its abstract ends with the provocative sentence: “This
destroys the RSA cryptosystem.”

It does not. At best, it’s an improvement in factoring -- and I’m not sure
it’s even that. The paper is a preprint: it hasn’t been peer reviewed. Be
careful taking its claims at face value.

Some discussion here.

IΓÇÖll append more analysis links to this post when I find them.

EDITED TO ADD (3/12): The latest version of the paper does not have the words
ΓÇ£This destroys the RSA cryptosystemΓÇ¥ in the abstract. Some more discussion.

** *** ***** ******* *********** *************

Hacking Digitally Signed PDF Files

[2021.03.08] Interesting paper: "Shadow Attacks: Hiding and Replacing Content
in Signed PDFs":

Abstract: Digitally signed PDFs are used in contracts and invoices to guarantee
the authenticity and integrity of their content. A user opening a signed PDF
expects to see a warning in case of any modification. In 2019, Mladenov et al.
revealed various parsing vulnerabilities in PDF viewer implementations. They
showed attacks that could modify PDF documents without invalidating the
signature. As a consequence, affected vendors of PDF viewers implemented
countermeasures preventing all attacks.

This paper introduces a novel class of attacks, which we call shadow attacks.
The shadow attacks circumvent all existing countermeasures and break the
integrity protection of digitally signed PDFs. Compared to previous attacks, the
shadow attacks do not abuse implementation issues in a PDF viewer. In contrast,
shadow attacks use the enormous flexibility provided by the PDF specification so
that shadow documents remain standard-compliant. Since shadow attacks abuse only
legitimate features, they are hard to mitigate.

Our results reveal that 16 (including Adobe Acrobat and Foxit Reader) of the 29
PDF viewers tested were vulnerable to shadow attacks. We introduce our tool
PDF-Attacker which can automatically generate shadow attacks. In addition, we
implemented PDF-Detector to prevent shadow documents from being signed or
forensically detect exploits after being applied to signed PDFs.

EDITED TO ADD (3/12): This was written about last summer.
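
The check below is an added example, not code from the paper or from its
PDF-Detector tool. It reads the /ByteRange of the last signature in a PDF and
reports whether anything was appended after the signed range, which is how the
incremental update behind a shadow document looks on disk. The sample files it
builds are constructed skeletons (the object numbers, the /Prev offset and the
all-zero placeholder signature are made up), and the parsing is deliberately
minimal regex work rather than a real PDF parser.

```python
import re

# A signature dictionary carries /ByteRange [a b c d]: the signer hashes bytes
# a..a+b and c..c+d; the hole between them holds only the hex /Contents string.
BYTERANGE_RE = re.compile(rb"/ByteRange\s*\[\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\]")

# Fixed-width fields, as real signers use, so the tail length does not depend
# on the numbers written into it. (%%%% becomes %% after formatting.)
TAIL_FMT = (b"> /ByteRange [0 %010d %010d %010d] >> endobj\n"
            b"trailer << /Root 2 0 R >>\n%%%%EOF\n")


def build_signed_sample() -> bytes:
    """Constructed sample: the skeleton of a signed PDF whose /ByteRange covers
    everything except the hex /Contents string and ends exactly at end-of-file."""
    head = b"%PDF-1.7\n1 0 obj << /Type /Sig /Filter /Adobe.PPKLite /Contents <"
    sig_hex = b"00" * 32                      # stands in for the hex-encoded CMS blob
    tail_len = len(TAIL_FMT % (0, 0, 0))      # width-fixed, so independent of the values
    b = len(head)                             # first range: start of file .. '<'
    c = b + len(sig_hex)                      # second range starts right after the hex
    return head + sig_hex + (TAIL_FMT % (b, c, tail_len))


def build_shadow_sample() -> bytes:
    """The same file with an incremental update appended after signing, the
    shape a shadow document takes; object and offset values are made up."""
    update = (b"3 0 obj << /Type /Annot /Subtype /Widget /Rect [0 0 200 50] >> endobj\n"
              b"trailer << /Root 2 0 R /Prev 0 >>\n%%EOF\n")
    return build_signed_sample() + update


def signature_byteranges(pdf: bytes):
    """Every /ByteRange in the file, in file order (one per signature)."""
    return [tuple(int(x) for x in m.groups()) for m in BYTERANGE_RE.finditer(pdf)]


def bytes_after_signature(pdf: bytes) -> int:
    """0: the last signature covers the file up to its end. >0: that many bytes
    were appended after signing, which a plain signature check will not flag."""
    ranges = signature_byteranges(pdf)
    if not ranges:
        raise ValueError("no /ByteRange found: not a signed PDF")
    a, b, c, d = ranges[-1]
    if a != 0:
        raise ValueError("signed range does not start at byte 0")
    return len(pdf) - (c + d)


def gap_is_signature_only(pdf: bytes) -> bool:
    """The hole between the two ranges is unsigned by definition, so it must
    contain nothing but the hex digits of /Contents."""
    a, b, c, d = signature_byteranges(pdf)[-1]
    return re.fullmatch(rb"[0-9A-Fa-f]*", pdf[a + b:c]) is not None


def revision_count(pdf: bytes) -> int:
    """Each %%EOF closes one revision; more than one means incremental updates."""
    return pdf.count(b"%%EOF")


if __name__ == "__main__":
    for name, doc in (("signed", build_signed_sample()), ("shadow", build_shadow_sample())):
        print(name, "revisions:", revision_count(doc),
              "bytes after signature:", bytes_after_signature(doc),
              "gap clean:", gap_is_signature_only(doc))
```

A hit means "look closer", not "forged": a legitimate second signature or a
form fill appends an update as well. The gap check is a separate and cheaper
test; anything other than hex digits in that hole is content the signer never
hashed.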

** *** ***** ******* *********** *************

On Not Fixing Old Vulnerabilities

[2021.03.09] How is this even possible?

...26% of companies Positive Technologies tested were vulnerable to WannaCry,
which was a threat years ago, and some even vulnerable to Heartbleed. "The
most frequent vulnerabilities detected during automated assessment date back to
2013-2017, which indicates a lack of recent software updates," the report
stated.

26%!? One in four networks?

Even if we assume that the report is self-serving to the company that wrote it,
and that the statistic is not generally representative, this is still a
disaster. The number should be 0%.

WannaCry was a 2017 cyberattack, based on an NSA-discovered and
Russia-stolen-and-published Windows vulnerability. Microsoft had patched that
vulnerability two months before the worm appeared; the machines it hit were the
ones that had not applied the fix. Today it primarily affects older,
no-longer-supported products like Windows 7. If we can't keep our systems
secure from these vulnerabilities, how are we ever going to secure them from new
threats?

** *** ***** ******* *********** *************

More on the Chinese Zero-Day Microsoft Exchange Hack

[2021.03.10] Nick Weaver has an excellent post on the Microsoft Exchange hack:

The investigative journalist Brian Krebs has produced a handy timeline of events
and a few things stand out from the chronology. The attacker was first detected
by one group on Jan. 5 and another on Jan. 6, and Microsoft acknowledged the
problem immediately. During this time the attacker appeared to be relatively
subtle, exploiting particular targets (although we generally lack insight into
who was targeted). Microsoft determined on Feb. 18 that it would patch these
vulnerabilities on the March 9th "Patch Tuesday" release of fixes.

Somehow, the threat actor either knew that the exploits would soon become
worthless or simply guessed that they would. So, in late February, the attacker
changed strategy. Instead of simply exploiting targeted Exchange servers, the
attackers stepped up their pace considerably by targeting tens of thousands of
servers to install the web shell, an exploit that allows attackers to have
remote access to a system. Microsoft then released the patch with very little
warning on Mar. 2, at which point the attacker simply sought to compromise
almost every vulnerable Exchange server on the Internet. The result? Virtually
every vulnerable mail server received the web shell as a backdoor for further
exploitation, making the patch effectively useless against the Chinese
attackers; almost all of the vulnerable systems were exploited before they were
patched.

This is a rational strategy for any actor who doesn't care about consequences.
When a zero-day is confidential and undiscovered, the attacker tries to be
careful, only using it on attackers of sufficient value. But if the attacker
knows or has reason to believe their vulnerabilities may be patched, they will
increase the pace of exploits and, once a patch is released, there is no reason
to not try to exploit everything possible.

We know that Microsoft shares advance information about updates with some
organizations. I have long believed that they give the NSA a few weeks' notice
to do basically what the Chinese did: use the exploit widely, because you
don't have to worry about losing the capability.

Estimates on the number of affected networks continue to rise. At least 30,000
in the US, and 100,000 worldwide. More?

And the vulnerabilities:

The Chinese actors were not using a single vulnerability but actually a sequence
of four "zero-day" exploits. The first allowed an unauthorized user to
basically tell the server "let me in, I'm the server" by tricking the
server into contacting itself. After the unauthorized user gained entry, the
hacker could use the second vulnerability, which used a malformed voicemail
that, when interpreted by the server, allowed them to execute arbitrary
commands. Two further vulnerabilities allow the attacker to write new files,
which is a common primitive that attackers use to increase their access: An
attacker uses a vulnerability to write a file and then uses the arbitrary
command execution vulnerability to execute that file.

Using this access, the attackers could read anybody's email or indeed take
over the mail server completely. Critically, they would almost always do more,
introducing a "web shell," a program that would enable further remote
exploitation even if the vulnerabilities are patched.

The details of that web shell matter. If it was sophisticated, it implies that
the Chinese hackers were planning on installing it from the beginning of the
operation. If it's kind of slapdash, it implies a last-minute addition when
they realized their exploit window was closing.

Now come the criminal attacks. Any unpatched network is still vulnerable, and
we know from history that lots of networks will remain vulnerable for a long
time. Expect the ransomware gangs to weaponize this attack within days.

EDITED TO ADD (3/12): Right on schedule, criminal hacker groups are exploiting
the vulnerabilities.

EDITED TO ADD (3/13): And now the ransomware.
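
The practical consequence of the point above, that the web shell outlives the
patch, is that patching the server is not the end of the incident. As an added
example (not from Weaver's or Krebs's posts), here is a minimal hunt over
web-server access logs for script files that were never requested before the
intrusion window and then start answering POSTs, which is the shape a dropped
shell takes in the logs. The log lines, IP addresses and the file name are
constructed for the example; the field layout is a simplified IIS W3C format
(date, time, method, URI stem, status, client IP), and the baseline cutoff is
whatever date you trust your deployment inventory up to.

```python
import re
from datetime import datetime

# Constructed access log, not real telemetry. The logon page is a normal OWA
# request; "zz_cache.aspx" is a made-up name for a file the attacker dropped.
SAMPLE_LOG = """\
2021-02-20 08:02:11 GET /owa/auth/logon.aspx 200 198.51.100.10
2021-02-20 08:02:13 POST /owa/auth/logon.aspx 302 198.51.100.10
2021-02-20 08:02:15 GET /owa/ 200 198.51.100.10
2021-02-21 17:45:03 GET /owa/auth/logon.aspx 200 198.51.100.11
2021-02-21 17:45:05 POST /owa/auth/logon.aspx 302 198.51.100.11
2021-02-27 03:14:07 POST /owa/auth/zz_cache.aspx 200 203.0.113.5
2021-02-27 03:14:09 POST /owa/auth/zz_cache.aspx 200 203.0.113.5
2021-03-03 11:20:41 POST /owa/auth/zz_cache.aspx 200 203.0.113.77
2021-03-03 11:21:02 GET /owa/auth/logon.aspx 200 198.51.100.12
"""

LINE_RE = re.compile(r"^(\S+ \S+) (\S+) (\S+) (\d{3}) (\S+)$")
SCRIPT_EXT = (".aspx", ".ashx", ".asmx", ".asp")   # server-side executable on IIS


def parse(log: str):
    """Yield (timestamp, method, uri, status, client_ip); skip malformed lines."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            yield ts, m.group(2), m.group(3).lower(), int(m.group(4)), m.group(5)


def find_new_script_paths(log: str, baseline_end: str) -> dict:
    """Script URIs first requested on or after baseline_end (YYYY-MM-DD) that
    were never requested before it. Returns, per URI, the evidence a responder
    needs: first-seen time, request count, methods, clients, and how many POSTs
    were answered 200, which is how a shell being driven looks."""
    cutoff = datetime.strptime(baseline_end, "%Y-%m-%d")
    records = list(parse(log))
    baseline = {uri for ts, _m, uri, _s, _ip in records
                if ts < cutoff and uri.endswith(SCRIPT_EXT)}
    hits = {}
    for ts, method, uri, status, ip in records:
        if ts < cutoff or not uri.endswith(SCRIPT_EXT) or uri in baseline:
            continue
        h = hits.setdefault(uri, {"first_seen": ts, "count": 0, "methods": set(),
                                  "clients": set(), "ok_posts": 0})
        h["first_seen"] = min(h["first_seen"], ts)
        h["count"] += 1
        h["methods"].add(method)
        h["clients"].add(ip)
        if method == "POST" and status == 200:
            h["ok_posts"] += 1
    return hits


if __name__ == "__main__":
    for uri, h in find_new_script_paths(SAMPLE_LOG, "2021-02-26").items():
        print(uri, "first seen", h["first_seen"], "requests", h["count"],
              "200-POSTs", h["ok_posts"], "clients", sorted(h["clients"]))
```

The last hit in the sample is dated after the March 2 patch: a server patched
that day and never examined still serves the shell. Confirm a hit against the
deployment inventory and the file's creation time on disk before treating it as
an intrusion; a script that is genuinely new because of an upgrade looks the
same in the log.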

** *** ***** ******* *********** *************

Fast Random Bit Generation

[2021.03.11] Science has a paper (and commentary) on generating 250 random
terabits per second with a laser. I don't know how cryptographically secure
they are, but that can be cleaned up with something like Fortuna.

EDITED TO ADD (3/12): Here are free versions of the paper and the commentary.
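
An added example, not from the paper or the commentary, of what "cleaned up
with something like Fortuna" means in code: a Fortuna-shaped accumulator and
generator using only the standard library. Two things are assumptions rather
than the reference design: SHA-256(key || counter) stands in for AES in counter
mode as the block generator, and the "raw laser source" is a constructed bit
stream biased 9:1 toward zero. The conditioned output comes out unbiased even
though the input is not; that is the property the cryptographic layer supplies,
and it is also why the output is only as unpredictable as the entropy that went
in.

```python
import hashlib
import random
import struct


def sha256d(data: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


class FortunaLike:
    """Accumulator plus generator in the shape of Fortuna.

    Assumption, not the reference design: the block generator is
    SHA-256(key || 128-bit counter) rather than AES in counter mode.
    """

    POOLS = 32
    MIN_POOL0 = 64  # bytes that must reach pool 0 before a reseed is allowed

    def __init__(self):
        self.pools = [hashlib.sha256() for _ in range(self.POOLS)]
        self.pool0_bytes = 0
        self.next_pool = 0
        self.reseeds = 0
        self.key = bytes(32)
        self.counter = 0  # 0 means "never seeded"

    def add_entropy(self, source: int, data: bytes) -> None:
        """Events go round-robin into the pools; each pool is a running hash."""
        if not 1 <= len(data) <= 32:
            raise ValueError("events are 1..32 bytes")
        self.pools[self.next_pool].update(bytes([source & 0xFF, len(data)]) + data)
        if self.next_pool == 0:
            self.pool0_bytes += len(data)
        self.next_pool = (self.next_pool + 1) % self.POOLS

    def _reseed(self) -> None:
        """Pool i feeds reseed number k only when 2**i divides k, so an attacker
        who floods the fast pools cannot stop the slow ones from eventually
        recovering a compromised state."""
        self.reseeds += 1
        material = b""
        for i in range(self.POOLS):
            if self.reseeds % (1 << i) != 0:
                break
            material += self.pools[i].digest()
            self.pools[i] = hashlib.sha256()
        self.key = sha256d(self.key + material)
        self.counter += 1
        self.pool0_bytes = 0

    def _block(self) -> bytes:
        self.counter += 1
        ctr = struct.pack("<QQ", self.counter & (2**64 - 1), self.counter >> 64)
        return hashlib.sha256(self.key + ctr).digest()

    def random_bytes(self, n: int) -> bytes:
        if not 1 <= n <= 2**20:
            raise ValueError("at most 1 MiB per request, as Fortuna specifies")
        if self.pool0_bytes >= self.MIN_POOL0:
            self._reseed()
        if self.counter == 0:
            raise RuntimeError("no entropy accumulated yet")
        out = b"".join(self._block() for _ in range((n + 31) // 32))[:n]
        self.key = self._block()  # rekey after every request: forward secrecy
        return out


def biased_raw_bytes(n: int, seed: int = 1, p_one: float = 0.1) -> bytes:
    """Constructed stand-in for a raw physical source: every bit is 1 with
    probability p_one, so the stream is heavily biased."""
    rng = random.Random(seed)
    return bytes(sum((rng.random() < p_one) << i for i in range(8)) for _ in range(n))


def ones_fraction(data: bytes) -> float:
    return sum(bin(b).count("1") for b in data) / (8 * len(data))


def condition(raw: bytes, n_out: int) -> bytes:
    """Feed the raw bytes through the accumulator as 32-byte events, then draw."""
    g = FortunaLike()
    for off in range(0, len(raw), 32):
        g.add_entropy(0, raw[off:off + 32])
    return g.random_bytes(n_out)


if __name__ == "__main__":
    raw = biased_raw_bytes(8192)
    out = condition(raw, 4096)
    print("raw ones fraction %.3f, conditioned ones fraction %.3f"
          % (ones_fraction(raw), ones_fraction(out)))
```

The bias test is a sanity check, not a security argument: a hash will make any
input look uniform, including a constant one. What protects the output is the
amount of entropy collected before the reseed, which is why the accumulator
refuses to generate until pool 0 has seen enough and why the raw source still
has to be measured on its own terms.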

** *** ***** ******* *********** *************

Metadata Left in Security Agency PDFs

[2021.03.12] Really interesting research:

"Exploitation and Sanitization of Hidden Data in PDF Files"

Abstract: Organizations publish and share more and more electronic documents
like PDF files. Unfortunately, most organizations are unaware that these
documents can compromise sensitive information like authors' names and details
on the information system and architecture. All this information can be
exploited easily by attackers to footprint and later attack an organization. In
this paper, we analyze hidden data found in the PDF files published by an
organization. We gathered a corpus of 39664 PDF files published by 75 security
agencies from 47 countries. We have been able to measure the quality and
quantity of information exposed in these PDF files. It can be effectively used
to find weak links in an organization: employees who are running outdated
software. We have also measured the adoption of PDF file sanitization by
security agencies. We identified only 7 security agencies which sanitize a few
of their PDF files before publishing. Unfortunately, we were still able to find
sensitive information within 65% of these sanitized PDF files. Some agencies are
using weak sanitization techniques: proper sanitization requires removing all
the hidden sensitive information from the file and not just the data at the
surface. Security agencies need to change their sanitization methods.

Short summary: no one is doing great.
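
As an added example (not the paper's tooling), here is what the abstract's
"surface" versus complete sanitization looks like at the byte level. The sample
PDF, the names in it and the two sanitizers are constructed for this
illustration. The point is that a scanner has to read every revision of the
file: an incremental update that blanks the Info dictionary leaves the original
dictionary and the XMP metadata stream in place, and so does a viewer that only
looks at the live trailer.

```python
import re

# Info-dictionary entries and XMP elements that name people and software.
INFO_RE = re.compile(rb"/(Author|Creator|Producer|Title|Subject|Keywords)\s*\(([^)]*)\)")
XMP_RE = re.compile(rb"<(xmp:CreatorTool|pdf:Producer|dc:creator|xmpMM:DocumentID)[^>]*>(.*?)</\1>",
                    re.S)
TAG_RE = re.compile(rb"<[^>]+>")


def build_sample_pdf() -> bytes:
    """Constructed sample: one Info dictionary and one XMP stream, with a
    made-up author and software names (no real person or document)."""
    xmp = (b"<x:xmpmeta xmlns:x='adobe:ns:meta/'><rdf:RDF><rdf:Description>"
           b"<xmp:CreatorTool>Microsoft Word 2010</xmp:CreatorTool>"
           b"<pdf:Producer>Acrobat Distiller 9.0</pdf:Producer>"
           b"<dc:creator><rdf:Seq><rdf:li>j.doe</rdf:li></rdf:Seq></dc:creator>"
           b"</rdf:Description></rdf:RDF></x:xmpmeta>")
    parts = [
        b"%PDF-1.7\n",
        b"1 0 obj << /Type /Catalog /Pages 2 0 R /Metadata 4 0 R >> endobj\n",
        b"3 0 obj << /Author (j.doe) /Creator (Microsoft Word 2010) "
        b"/Producer (Acrobat Distiller 9.0) >> endobj\n",
        b"4 0 obj << /Type /Metadata /Subtype /XML /Length "
        + str(len(xmp)).encode() + b" >> stream\n",
        xmp,
        b"\nendstream endobj\n",
        b"trailer << /Root 1 0 R /Info 3 0 R >>\n%%EOF\n",
    ]
    return b"".join(parts)


def hidden_metadata(pdf: bytes) -> dict:
    """Scan the whole byte stream, all revisions included, not just the live
    trailer's Info dictionary. Returns {field: set of values}."""
    found = {}
    for m in INFO_RE.finditer(pdf):
        # PDFDocEncoding is treated as Latin-1 here; close enough for ASCII names.
        found.setdefault(m.group(1).decode(), set()).add(m.group(2).decode("latin-1"))
    for m in XMP_RE.finditer(pdf):
        value = TAG_RE.sub(b"", m.group(2)).strip()   # drop rdf:Seq / rdf:li wrappers
        found.setdefault(m.group(1).decode(), set()).add(value.decode("utf-8", "replace"))
    return found


def leaked_values(pdf: bytes) -> set:
    """Non-empty values still recoverable anywhere in the file."""
    return {v for vals in hidden_metadata(pdf).values() for v in vals if v}


def weak_sanitize(pdf: bytes) -> bytes:
    """Constructed 'surface' sanitizer: overrides the live Info dictionary with
    an incremental update, the default behaviour of a metadata editor. Object 3
    and the XMP stream survive underneath. (/Prev value is a placeholder.)"""
    prev = pdf.rfind(b"trailer")
    return pdf + (b"5 0 obj << /Author () /Creator () /Producer () >> endobj\n"
                  b"trailer << /Root 1 0 R /Info 5 0 R /Prev "
                  + str(prev).encode() + b" >>\n%%EOF\n")


def strong_sanitize(pdf: bytes) -> bytes:
    """Strip the entries and the XMP stream from every revision. Regex surgery
    is only fit for this sample; a real sanitizer re-renders the document and
    writes a fresh file with no incremental history at all."""
    out = INFO_RE.sub(b"", pdf)
    return re.sub(rb"\d+ 0 obj << /Type /Metadata\b.*?endstream endobj\n", b"", out, flags=re.S)


if __name__ == "__main__":
    original = build_sample_pdf()
    for name, doc in (("original", original), ("weak", weak_sanitize(original)),
                      ("strong", strong_sanitize(weak_sanitize(original)))):
        print(name, sorted(leaked_values(doc)))
```

The sanitized-looking file reports the same three values as the original; the
viewer shows blanks because it follows the newest trailer, while a scanner that
reads the whole file, which is what the paper's footprinting does, sees the
author and the software versions anyway.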

** *** ***** ******* *********** *************

Upcoming Speaking Engagements

[2021.03.14] This is a current list of where and when I am scheduled to speak:

I'm speaking at the Australian Cyber Conference 2021 on March 17 and 18, 2021.
I'm keynoting the (all-virtual) RSA Conference 2021, May 17-20, 2021.
I'll be speaking at an Informa event on September 14, 2021. Details to come.
The list is maintained on this page.

** *** ***** ******* *********** *************

Since 1998, CRYPTO-GRAM has been a free monthly newsletter providing summaries,
analyses, insights, and commentaries on security technology. To subscribe, or to
read back issues, see Crypto-Gram's web page.

You can also read these articles on my blog, Schneier on Security.

Please feel free to forward CRYPTO-GRAM, in whole or in part, to colleagues and
friends who will find it valuable. Permission is also granted to reprint
CRYPTO-GRAM, as long as it is reprinted in its entirety.

Bruce Schneier is an internationally renowned security technologist, called a
security guru by the Economist. He is the author of over one dozen books --
including his latest, We Have Root -- as well as hundreds of articles, essays,
and academic papers. His newsletter and blog are read by over 250,000 people.
Schneier is a fellow at the Berkman Klein Center for Internet & Society at
Harvard University; a Lecturer in Public Policy at the Harvard Kennedy School; a
board member of the Electronic Frontier Foundation, AccessNow, and the Tor
Project; and an Advisory Board Member of the Electronic Privacy Information
Center and VerifiedVoting.org. He is the Chief of Security Architecture at
Inrupt, Inc.

Copyright © 2021 by Bruce Schneier.

--- GoldED+/OSX 1.1.5-b20180707
 * Origin: A Pointless Point in Connemara (618:500/14.1)