Crypto-Gram
July 15, 2021

by Bruce Schneier
Fellow and Lecturer, Harvard Kennedy School schneier@schneier.com
https://www.schneier.com

A free monthly newsletter providing summaries, analyses, insights, and
commentaries on security: computer and otherwise.

For back issues, or to subscribe, visit Crypto-Gram's web page.

Read this issue on the web

These same essays and news items appear in the Schneier on Security blog, along
with a lively and intelligent comment section. An RSS feed is available.

** *** ***** ******* *********** *************

In this issue:

If these links don't work in your email client, try reading this issue of
Crypto-Gram on the web.

Andrew Appel on New Hampshire's Election Audit VPNs and Trust
Paul van Oorschot's Computer Security and the Internet Intentional Flaw in GPRS
Encryption Algorithm GEA-1 Peloton Vulnerability Found and Fixed The Future of
Machine Learning and Cybersecurity Apple Will Offer Onion Routing for
iCloud/Safari Users Mollitiam Industries is the Newest Cyberweapons Arms
Manufacturer Banning Surveillance-Based Advertising AI-Piloted Fighter Jets
NFC Flaws in POS Devices and ATMs
Risks of Evidentiary Software
Insurance and Ransomware
More Russian Hacking
Stealing Xbox Codes
Vulnerability in the Kaspersky Password Manager Details of the REvil Ransomware
Attack Analysis of the FBI's Anom Phone
Iranian State-Sponsored Hacking Attempts China Taking Control of Zero-Day
Exploits Upcoming Speaking Engagements
** *** ***** ******* *********** *************

Andrew Appel on New Hampshire's Election Audit

[2021.06.15] Really interesting two part analysis of the audit conducted after
the 2020 election in Windham, New Hampshire.

Based on preliminary reports published by the team of experts that New Hampshire
engaged to examine an election discrepancy, it appears that a buildup of dust in
the read heads of optical-scan voting machines (possibly over several years of
use) can cause paper-fold lines in absentee ballots to be interpreted as
votes... New Hampshire (and other states) may need to maintain the accuracy of
their optical-scan voting machines by paying attention to three issues:

Routine risk-limiting audits to detect inaccuracies if/when they occur. Clean
the dust out of optical-scan read heads regularly; pay attention to the
calibration of the optical-scan machines. Make sure that the machines that
automatically fold absentee ballots (before mailing them to voters) don��Tt put
the fold lines over vote-target ovals. (Same for election workers who fold
ballots by hand.)
** *** ***** ******* *********** *************

VPNs and Trust

[2021.06.16] TorrentFreak surveyed nineteen VPN providers, asking them questions
about their privacy practices: what data they keep, how they respond to court
order, what country they are incorporated in, and so on.

Most interesting to me is the home countries of these companies. Express VPN is
incorporated in the British Virgin Islands. NordVPN is incorporated in Panama.
There are VPNs from the Seychelles, Malaysia, and Bulgaria. There are VPNs from
more Western and democratic countries like the US, Switzerland, Canada, and
Sweden. Presumably all of those companies follow the laws of their home country.

And it matters. I��Tve been thinking about this since Trojan Shield was made
public. This is the joint US/Australia-run encrypted messaging service that
lured criminals to use it, and then spied on everything they did. Or, at least,
Australian law enforcement spied on everyone. The FBI wasn��Tt able to because
the US has better privacy laws.

We don��Tt talk about it a lot, but VPNs are entirely based on trust. As a
consumer, you have no idea which company will best protect your privacy. You
don��Tt know the data protection laws of the Seychelles or Panama. You don��Tt
know which countries can put extra-legal pressure on companies operating within
their jurisdiction. You don��Tt know who actually owns and runs the VPNs. You
don��Tt even know which foreign companies the NSA has targeted for mass
surveillance. All you can do is make your best guess, and hope you guessed well.

** *** ***** ******* *********** *************

Paul van Oorschot's Computer Security and the Internet

[2021.06.17] Paul van Oorschot��Ts webpage contains a complete copy of his book:
Computer Security and the Internet: Tools and Jewels. It��Ts worth reading.

** *** ***** ******* *********** *************

Intentional Flaw in GPRS Encryption Algorithm GEA-1

[2021.06.17] General Packet Radio Service (GPRS) is a mobile data standard that
was widely used in the early 2000s. The first encryption algorithm for that
standard was GEA-1, a stream cipher built on three linear-feedback shift
registers and a non-linear combining function. Although the algorithm has a
64-bit key, the effective key length is only 40 bits, due to ��an exceptional
interaction of the deployed LFSRs and the key initialization, which is highly
unlikely to occur by chance.��

GEA-1 was designed by the European Telecommunications Standards Institute in
1998. ETSI was -- and maybe still is -- under the auspices of SOGIS: the Senior
Officials Group, Information Systems Security. That��Ts basically the
intelligence agencies of the EU countries.

Details are in the paper: ��Cryptanalysis of the GPRS Encryption Algorithms
GEA-1 and GEA-2.�� GEA-2 does not have the same flaw, although the researchers
found a practical attack with enough keystream.

Hacker News thread.

EDITED TO ADD (6/18): News article.

** *** ***** ******* *********** *************

Peloton Vulnerability Found and Fixed

[2021.06.18] Researchers have discovered a vulnerability in Peloton stationary
bicycles, one that would give the attacker complete control over the device.

The attack requires physical access to the Peloton, so it��Ts not really a
practical attack. President Biden��Ts Peloton was not in danger.

** *** ***** ******* *********** *************

The Future of Machine Learning and Cybersecurity

[2021.06.21] The Center for Security and Emerging Technology has a new report:
��Machine Learning and Cybersecurity: Hype and Reality.�� Here��Ts the bottom
line:

The report offers four conclusions:

Machine learning can help defenders more accurately detect and triage potential
attacks. However, in many cases these technologies are elaborations on
long-standing methods -- not fundamentally new approaches -- that bring new
attack surfaces of their own.
A wide range of specific tasks could be fully or partially automated with the
use of machine learning, including some forms of vulnerability discovery,
deception, and attack disruption. But many of the most transformative of these
possibilities still require significant machine learning breakthroughs. Overall,
we anticipate that machine learning will provide incremental advances to cyber
defenders, but it is unlikely to fundamentally transform the industry barring
additional breakthroughs. Some of the most transformative impacts may come from
making previously un- or under-utilized defensive strategies available to more
organizations.
Although machine learning will be neither predominantly offense-biased nor
defense-biased, it may subtly alter the threat landscape by making certain types
of strategies more appealing to attackers or defenders.
** *** ***** ******* *********** *************

Apple Will Offer Onion Routing for iCloud/Safari Users

[2021.06.22] At this year��Ts Apple Worldwide Developer Conference, Apple
announced something called ��iCloud Private Relay.�� That��Ts basically its
private version of onion routing, which is what Tor does.

Privacy Relay is built into both the forthcoming iOS and MacOS versions, but it
will only work if you��Tre an iCloud Plus subscriber and you have it enabled
from within your iCloud settings.

Once it��Ts enabled and you open Safari to browse, Private Relay splits up two
pieces of information that -- when delivered to websites together as normal --
could quickly identify you. Those are your IP address (who and exactly where you
are) and your DNS request (the address of the website you want, in numeric
form).

Once the two pieces of information are split, Private Relay encrypts your DNS
request and sends both the IP address and now-encrypted DNS request to an Apple
proxy server. This is the first of two stops your traffic will make before you
see a website. At this point, Apple has already handed over the encryption keys
to the third party running the second of the two stops, so Apple can��Tt see
what website you��Tre trying to access with your encrypted DNS request. All
Apple can see is your IP address.

Although it has received both your IP address and encrypted DNS request,
Apple��Ts server doesn��Tt send your original IP address to the second stop.
Instead, it gives you an anonymous IP address that is approximately associated
with your general region or city.

Not available in China, of course -- and also Belarus, Colombia, Egypt,
Kazakhstan, Saudi Arabia, South Africa, Turkmenistan, Uganda, and the
Philippines.

** *** ***** ******* *********** *************

Mollitiam Industries is the Newest Cyberweapons Arms Manufacturer

[2021.06.23] Wired is reporting on a company called Mollitiam Industries:

Marketing materials left exposed online by a third-party claim Mollitiam��Ts
interception products, dubbed ��Invisible Man�� and ��Night Crawler,�� are
capable of remotely accessing a target��Ts files, location, and covertly turning
on a device��Ts camera and microphone. Its spyware is also said to be equipped
with a keylogger, which means every keystroke made on an infected device --
including passwords, search queries and messages sent via encrypted messaging
apps -- can be tracked and monitored.

To evade detection, the malware makes use of the company��Ts so-called
��invisible low stealth technology�� and its Android product is advertised as
having ��low data and battery consumption�� to prevent people from suspecting
their phone or tablet has been infected. Mollitiam is also currently marketing a
tool that it claims enables ��mass surveillance of digital profiles and
identities�� across social media and the dark web.

** *** ***** ******* *********** *************

Banning Surveillance-Based Advertising

[2021.06.24] The Norwegian Consumer Council just published a fantastic new
report: ��Time to Ban Surveillance-Based Advertising.�� From the Introduction:

The challenges caused and entrenched by surveillance-based advertising include,
but are not limited to:

privacy and data protection infringements opaque business models
manipulation and discrimination at scale fraud and other criminal activity
serious security risks
In the following chapters, we describe various aspects of these challenges and
point out how today��Ts dominant model of online advertising is a threat to
consumers, democratic societies, the media, and even to advertisers themselves.
These issues are significant and serious enough that we believe that it is time
to ban these detrimental practices.

A ban on surveillance-based practices should be complemented by stronger
enforcement of existing legislation, including the General Data Protection
Regulation, competition regulation, and the Unfair Commercial Practices
Directive. However, enforcement currently consumes significant time and
resources, and usually happens after the damage has already been done. Banning
surveillance-based advertising in general will force structural changes to the
advertising industry and alleviate a number of significant harms to consumers
and to society at large.

A ban on surveillance-based advertising does not mean that one can no longer
finance digital content using advertising. To illustrate this, we describe some
possible ways forward for advertising-funded digital content, and point to
alternative advertising technologies that may contribute to a safer and
healthier digital economy for both consumers and businesses.

Press release. Press coverage.

I signed their open letter.

** *** ***** ******* *********** *************

AI-Piloted Fighter Jets

[2021.06.25] News from Georgetown��Ts Center for Security and Emerging
Technology:

China Claims Its AI Can Beat Human Pilots in Battle: Chinese state media
reported that an AI system had successfully defeated human pilots during
simulated dogfights. According to the Global Times report, the system had shot
down several PLA pilots during a handful of virtual exercises in recent years.
Observers outside China noted that while reports coming out of state-controlled
media outlets should be taken with a grain of salt, the capabilities described
in the report are not outside the realm of possibility. Last year, for example,
an AI agent defeated a U.S. Air Force F-16 pilot five times out of five as part
of DARPA��Ts AlphaDogfight Trial (which we covered at the time). While the
Global Times report indicated plans to incorporate AI into future fighter
planes, it is not clear how far away the system is from real-world testing. At
the moment, the system appears to be used only for training human pilots. DARPA,
for its part, is aiming to test dogfights with AI-piloted subscale jets
later this year and with full-scale jets in 2023 and 2024.

More: ��AI weapons�� in China��Ts military innovation | AI Could Enable
��~Swarm Warfare��T for Tomorrow��Ts Fighter Jets
** *** ***** ******* *********** *************

NFC Flaws in POS Devices and ATMs

[2021.06.28] It��Ts a series of vulnerabilities:

Josep Rodriguez, a researcher and consultant at security firm IOActive, has
spent the last year digging up and reporting vulnerabilities in the so-called
near-field communications reader chips used in millions of ATMs and
point-of-sale systems worldwide. NFC systems are what let you wave a credit card
over a reader -- rather than swipe or insert it -- to make a payment or extract
money from a cash machine. You can find them on countless retail store and
restaurant counters, vending machines, taxis, and parking meters around the
globe.

Now Rodriguez has built an Android app that allows his smartphone to mimic those
credit card radio communications and exploit flaws in the NFC systems��T
firmware. With a wave of his phone, he can exploit a variety of bugs to crash
point-of-sale devices, hack them to collect and transmit credit card data,
invisibly change the value of transactions, and even lock the devices while
displaying a ransomware message. Rodriguez says he can even force at least one
brand of ATMs to dispense cashthough that ��jackpotting�� hack only works in
combination with additional bugs he says he��Ts found in the ATMs��T software.
He declined to specify or disclose those flaws publicly due to nondisclosure
agreements with the ATM vendors.

** *** ***** ******* *********** *************

Risks of Evidentiary Software

[2021.06.29] Over at Lawfare, Susan Landau has an excellent essay on the risks
posed by software used to collect evidence (a Breathalyzer is probably the most
obvious example).

Bugs and vulnerabilities can lead to inaccurate evidence, but the proprietary
nature of software makes it hard for defendants to examine it.

The software engineers proposed a three-part test. First, the court should have
access to the ��Known Error Log,�� which should be part of any professionally
developed software project. Next the court should consider whether the evidence
being presented could be materially affected by a software error. Ladkin and his
co-authors noted that a chain of emails back and forth are unlikely to have such
an error, but the time that a software tool logs when an application was used
could easily be incorrect. Finally, the reliability experts recommended seeing
whether the code adheres to an industry standard used in an non-computerized
version of the task (e.g., bookkeepers always record every transaction, and thus
so should bookkeeping software).

[...]

Inanimate objects have long served as evidence in courts of law: the door handle
with a fingerprint, the glove found at a murder scene, the Breathalyzer result
that shows a blood alcohol level three times the legal limit. But the last of
those examples is substantively different from the other two. Data from a
Breathalyzer is not the physical entity itself, but rather a software
calculation of the level of alcohol in the breath of a potentially drunk driver.
As long as the breath sample has been preserved, one can always go back and
retest it on a different device.

What happens if the software makes an error and there is no sample to check or
if the software itself produces the evidence? At the time of our writing the
article on the use of software as evidence, there was no overriding requirement
that law enforcement provide a defendant with the code so that they might
examine it themselves.

[...]

Given the high rate of bugs in complex software systems, my colleagues and I
concluded that when computer programs produce the evidence, courts cannot assume
that the evidentiary software is reliable. Instead the prosecution must make the
code available for an ��adversarial audit�� by the defendant��Ts experts. And
to avoid problems in which the government doesn��Tt have the code, government
procurement contracts must include delivery of source code -- code that is
more-or-less readable by people -- for every version of the code or device.

** *** ***** ******* *********** *************

Insurance and Ransomware

[2021.07.01] As ransomware becomes more common, I��Tm seeing more discussions
about the ethics of paying the ransom. Here��Ts one more contribution to that
issue: a research paper that the insurance industry is hurting more than it��Ts
helping.

However, the most pressing challenge currently facing the industry is
ransomware. Although it is a societal problem, cyber insurers have received
considerable criticism for facilitating ransom payments to cybercriminals. These
add fuel to the fire by incentivising cybercriminals��T engagement in ransomware
operations and enabling existing operators to invest in and expand their
capabilities. Growing losses from ransomware attacks have also emphasised that
the current reality is not sustainable for insurers either.

To overcome these challenges and champion the positive effects of cyber
insurance, this paper calls for a series of interventions from government and
industry. Some in the industry favour allowing the market to mature on its own,
but it will not be possible to rely on changing market forces alone. To date,
the UK government has taken a light-touch approach to the cyber insurance
industry. With the market undergoing changes amid growing losses, more
coordinated action by government and regulators is necessary to help the
industry reach its full potential.

The interventions recommended here are still relatively light, and reflect the
fact that cyber insurance is only a potential incentive for managing societal
cyber risk.They include: developing guidance for minimum security standards for
underwriting; expanding data collection and data sharing; mandating cyber
insurance for government suppliers; and creating a new collaborative approach
between insurers and intelligence and law enforcement agencies around
ransomware.

Finally, although a well-functioning cyber insurance industry could improve
cyber security practices on a societal scale, it is not a silver bullet for the
cyber security challenge. It is important to remember that the primary purpose
of cyber insurance is not to improve cyber security, but to transfer residual
risk. As such, it should be one of many tools that governments and businesses
can draw on to manage cyber risk more effectively.

Basically, the insurance industry incents companies to do the cheapest
mitigation possible. Often, that��Ts paying the ransom.

News article.

** *** ***** ******* *********** *************

More Russian Hacking

[2021.07.02] Two reports this week. The first is from Microsoft, which wrote:

As part of our investigation into this ongoing activity, we also detected
information-stealing malware on a machine belonging to one of our customer
support agents with access to basic account information for a small number of
our customers. The actor used this information in some cases to launch
highly-targeted attacks as part of their broader campaign.

The second is from the NSA, CISA, FBI, and the UK��Ts NCSC, which wrote that the
GRU is continuing to conduct brute-force password guessing attacks around the
world, and is in some cases successful. From the NSA press release:

Once valid credentials were discovered, the GTsSS combined them with various
publicly known vulnerabilities to gain further access into victim networks.
This, along with various techniques also detailed in the advisory, allowed the
actors to evade defenses and collect and exfiltrate various information in the
networks, including mailboxes.

News article.

** *** ***** ******* *********** *************

Stealing Xbox Codes

[2021.07.05] Detailed story of Volodymyr Kvashuk, a Microsoft insider who
noticed a bug in the company��Ts internal systems that allowed him to create
unlimited Xbox gift cards, and stole $10.1 million before he was caught.

** *** ***** ******* *********** *************

Vulnerability in the Kaspersky Password Manager

[2021.07.06] A vulnerability (just patched) in the random number generator used
in the Kaspersky Password Manager resulted in easily guessable passwords:

The password generator included in Kaspersky Password Manager had several
problems. The most critical one is that it used a PRNG not suited for
cryptographic purposes. Its single source of entropy was the current time. All
the passwords it created could be bruteforced in seconds. This article explains
how to securely generate passwords, why Kaspersky Password Manager failed, and
how to exploit this flaw. It also provides a proof of concept to test if your
version is vulnerable.

The product has been updated and its newest versions aren��Tt affected by this
issue.

Stupid programming mistake, or intentional backdoor? We don��Tt know.

More generally: generating random numbers is hard. I recommend my own algorithm:
Fortuna. I also recommend my own password manager: Password Safe.

EDITED TO ADD: Commentary from Matthew Green.

** *** ***** ******* *********** *************

Details of the REvil Ransomware Attack

[2021.07.08] ArsTechnica has a good story on the REvil ransomware attack of last
weekend, with technical details:

This weekend��Ts attack was carried out with almost surgical precision.
According to Cybereason, the REvil affiliates first gained access to targeted
environments and then used the zero-day in the Kaseya Agent Monitor to gain
administrative control over the target��Ts network. After writing a
base-64-encoded payload to a file named agent.crt the dropper executed it.

[...]

The ransomware dropper Agent.exe is signed with a Windows-trusted certificate
that uses the registrant name ��PB03 TRANSPORT LTD.�� By digitally signing
their malware, attackers are able to suppress many security warnings that would
otherwise appear when it��Ts being installed. Cybereason said that the
certificate appears to have been used exclusively by REvil malware that was
deployed during this attack.

To add stealth, the attackers used a technique called DLL Side-Loading, which
places a spoofed malicious DLL file in a Windows��T WinSxS directory so that the
operating system loads the spoof instead of the legitimate file. In the case
here, Agent.exe drops an outdated version that is vulnerable to DLL Side-Loading
of ��msmpeng.exe,�� which is the file for the Windows Defender executable.

Once executed, the malware changes the firewall settings to allow local windows
systems to be discovered. Then, it starts to encrypt the files on the system....

REvil is demanding $70 million for a universal decryptor that will recover the
data from the 1,500 affected Kaseya customers.

More news.

Note that this is yet another supply-chain attack. Instead of infecting those
1,500 networks directly, REvil infected a single managed service provider. And
it leveraged a zero-day vulnerability in that provider.

EDITED TO ADD (7/13): Employees warned Kaseya��Ts management for years about
critical security flaws, but they were ignored.

** *** ***** ******* *********** *************

Analysis of the FBI's Anom Phone

[2021.07.12] Motherboard got its hands on one of those Anom phones that were
really FBI honeypots.

The details are interesting.

** *** ***** ******* *********** *************

Iranian State-Sponsored Hacking Attempts

[2021.07.13] Interesting attack:

Masquerading as UK scholars with the University of London��Ts School of Oriental
and African Studies (SOAS), the threat actor TA453 has been covertly approaching
individuals since at least January 2021 to solicit sensitive information. The
threat actor, an APT who we assess with high confidence supports Islamic
Revolutionary Guard Corps (IRGC) intelligence collection efforts, established
backstopping for their credential phishing infrastructure by compromising a
legitimate site of a highly regarded academic institution to deliver
personalized credential harvesting pages disguised as registration links.
Identified targets included experts in Middle Eastern affairs from think tanks,
senior professors from well-known academic institutions, and journalists
specializing in Middle Eastern coverage.

These connection attempts were detailed and extensive, often including lengthy
conversations prior to presenting the next stage in the attack chain. Once the
conversation was established, TA453 delivered a ��registration link�� to a
legitimate but compromised website belonging to the University of London��Ts
SOAS radio. The compromised site was configured to capture a variety of
credentials. Of note, TA453 also targeted the personal email accounts of at
least one of their targets. In subsequent phishing emails, TA453 shifted their
tactics and began delivering the registration link earlier in their engagement
with the target without requiring extensive conversation. This operation, dubbed
SpoofedScholars, represents one of the more sophisticated TA453 campaigns
identified by Proofpoint.

The report details the tactics.

News article.

** *** ***** ******* *********** *************

China Taking Control of Zero-Day Exploits

[2021.07.14] China is making sure that all newly discovered zero-day exploits
are disclosed to the government.

Under the new rules, anyone in China who finds a vulnerability must tell the
government, which will decide what repairs to make. No information can be given
to ��overseas organizations or individuals�� other than the product��Ts
manufacturer.

No one may ��collect, sell or publish information on network product security
vulnerabilities,�� say the rules issued by the Cyberspace Administration of
China and the police and industry ministries.

This just blocks the cyber-arms trade. It doesn��Tt prevent researchers from
telling the products��T companies, even if they are outside of China.

** *** ***** ******* *********** *************

Upcoming Speaking Engagements

[2021.07.14] This is a current list of where and when I am scheduled to speak:

I��Tm speaking at Norbert Wiener in the 21st Century, a virtual conference
hosted by The IEEE Society on Social Implications of Technology (SSIT), July
23-25, 2021.
I��Tm speaking at DEFCON 29, August 5-8, 2021. I��Tm speaking (via Internet) at
SHIFT Business Festival in Finland, August 25-26, 2021.
I��Tll be speaking at an Informa event on September 14, 2021. Details to come.
I��Tm keynoting CIISec Live -- an all-online event -- September 15-16, 2021.
I��Tm speaking at the Cybersecurity and Data Privacy Law Conference in Plano,
Texas, USA, September 22-23, 2021.
The list is maintained on this page.

** *** ***** ******* *********** *************

Since 1998, CRYPTO-GRAM has been a free monthly newsletter providing summaries,
analyses, insights, and commentaries on security technology. To subscribe, or to
read back issues, see Crypto-Gram's web page.

You can also read these articles on my blog, Schneier on Security.

Please feel free to forward CRYPTO-GRAM, in whole or in part, to colleagues and
friends who will find it valuable. Permission is also granted to reprint
CRYPTO-GRAM, as long as it is reprinted in its entirety.

Bruce Schneier is an internationally renowned security technologist, called a
security guru by the Economist. He is the author of over one dozen books --
including his latest, We Have Root -- as well as hundreds of articles, essays,
and academic papers. His newsletter and blog are read by over 250,000 people.
Schneier is a fellow at the Berkman Klein Center for Internet & Society at
Harvard University; a Lecturer in Public Policy at the Harvard Kennedy School; a
board member of the Electronic Frontier Foundation, AccessNow, and the Tor
Project; and an Advisory Board Member of the Electronic Privacy Information
Center and VerifiedVoting.org. He is the Chief of Security Architecture at
Inrupt, Inc.

Copyright AC 2021 by Bruce Schneier.

** *** ***** ******* *********** *************

... tcob1: telnet binkp tcob1.duckdns.org

--- BBBS/Li6 v4.10 Toy-5
 * Origin: TCOB1 at tcob1.duckdns.org BinkP / Telnet (618:500/14)