From: Sean Rima
To: All
Subject: CRYPTO-GRAM, April 15, 2018
Date/Time: May 21, 2018 5:04 PM

            CRYPTO-GRAM

           April 15, 2018

          by Bruce Schneier
         CTO, IBM Resilient
        schneier@schneier.com
       https://www.schneier.com


A free monthly newsletter providing summaries, analyses, insights, and 
commentaries on security: computer and otherwise.

For back issues, or to subscribe, visit 
<https://www.schneier.com/crypto-gram.html>...

You can read this issue on the web at 
<https://www.schneier.com/crypto-gram/archives... These 
same essays and news items appear in the "Schneier on Security" blog at 
<https://www.schneier.com/>, along with a lively and intelligent comment 
section. An RSS feed is available.


** *** ***** ******* *********** *************

In this issue:
      Facebook and Cambridge Analytica
      News
      Israeli Security Company Attacks AMD by Publishing Zero-Day Exploits
      Schneier News
      Obscure E-Mail Vulnerability
      The Digital Security Exchange Is Live


** *** ***** ******* *********** *************

      Facebook and Cambridge Analytica



In the wake of the Cambridge Analytica scandal, news articles and commentators
have focused on what Facebook knows about us. A lot, it turns out. It collects
data from our posts, our likes, our photos, things we type and delete without
posting, and things we do while not on Facebook and even when we're offline. It
buys data about us from others. And it can infer even more: our sexual
orientation, political beliefs, relationship status, drug use, and other
personality traits -- even if we didn't take the personality test that
Cambridge Analytica developed.

But for every article about Facebook's creepy stalker behavior, thousands of
other companies are breathing a collective sigh of relief that it's Facebook
and not them in the spotlight. Because while Facebook is one of the biggest
players in this space, there are thousands of other companies that spy on and
manipulate us for profit.

Harvard Business School professor Shoshana Zuboff calls it "surveillance
capitalism." And as creepy as Facebook is turning out to be, the entire
industry is far creepier. It has existed in secret far too long, and it's up to
lawmakers to force these companies into the public spotlight, where we can all
decide if this is how we want society to operate and -- if not -- what to do
about it.

There are 2,500 to 4,000 data brokers in the United States whose business is
buying and selling our personal data. Last year, Equifax was in the news when
hackers stole personal information on 150 million people, including Social
Security numbers, birth dates, addresses, and driver's license numbers.

You certainly didn't give it permission to collect any of that information.
Equifax is one of those thousands of data brokers, most of them you've never
heard of, selling your personal information without your knowledge or consent
to pretty much anyone who will pay for it.

Surveillance capitalism takes this one step further. Companies like Facebook
and Google offer you free services in exchange for your data. Google's
surveillance isn't in the news, but it's startlingly intimate. We never lie to
our search engines. Our interests and curiosities, hopes and fears, desires and
sexual proclivities, are all collected and saved. Add to that the websites we
visit that Google tracks through its advertising network, our Gmail accounts,
our movements via Google Maps, and what it can collect from our smartphones.

That phone is probably the most intimate surveillance device ever invented. It
tracks our location continuously, so it knows where we live, where we work, and
where we spend our time. It's the first and last thing we check in a day, so it
knows when we wake up and when we go to sleep. We all have one, so it knows who
we sleep with. Uber used just some of that information to detect one-night
stands; your smartphone provider and any app you allow to collect location data
knows a lot more.

Surveillance capitalism drives much of the internet. It's behind most of the
"free" services, and many of the paid ones as well. Its goal is psychological
manipulation, in the form of personalized advertising to persuade you to buy
something or do something, like vote for a candidate. And while the
individualized profile-driven manipulation exposed by Cambridge Analytica feels
abhorrent, it's really no different from what every company wants in the end.
This is why all your personal information is collected, and this is why it is
so valuable. Companies that can understand it can use it against you.

None of this is new. The media has been reporting on surveillance capitalism
for years. In 2015, I wrote a book about it. Back in 2010, the Wall Street
Journal published an award-winning two-year series about how people are tracked
both online and offline, titled "What They Know."

Surveillance capitalism is deeply embedded in our increasingly computerized
society, and if the extent of it came to light there would be broad demands for
limits and regulation. But because this industry can largely operate in secret,
only occasionally exposed after a data breach or investigative report, we
remain mostly ignorant of its reach.

This might change soon. In 2016, the European Union passed the comprehensive
General Data Protection Regulation, or GDPR. The details of the law are far too
complex to explain here, but some of the things it mandates are that personal
data of EU citizens can only be collected and saved for "specific, explicit,
and legitimate purposes," and only with explicit consent of the user. Consent
can't be buried in the terms and conditions, nor can it be assumed unless the
user opts in. This law will take effect in May, and companies worldwide are
bracing for its enforcement.

Because pretty much all surveillance capitalism companies collect data on
Europeans, this will expose the industry like nothing else. Here's just one
example. In preparation for this law, PayPal quietly published a list of over
600 companies it might share your personal data with. What will it be like when
every company has to publish this sort of information, and explicitly explain
how it's using your personal data? We're about to find out.

In the wake of this scandal, even Mark Zuckerberg said that his industry
probably should be regulated, although he's certainly not wishing for the sorts
of comprehensive regulation the GDPR is bringing to Europe.

He's right. Surveillance capitalism has operated without constraints for far
too long. And advances in both big data analysis and artificial intelligence
will make tomorrow's applications far creepier than today's. Regulation is the
only answer.

The first step to any regulation is transparency. Who has our data? Is it
accurate? What are they doing with it? Who are they selling it to? How are they
securing it? Can we delete it? I don't see any hope of Congress passing a
GDPR-like data protection law anytime soon, but it's not too far-fetched to
demand laws requiring these companies to be more transparent in what they're
doing.

One of the responses to the Cambridge Analytica scandal is that people are
deleting their Facebook accounts. It's hard to do right, and doesn't do
anything about the data that Facebook collects about people who don't use
Facebook. But it's a start. The market can put pressure on these companies to
reduce their spying on us, but it can only do that if we force the industry out
of its secret shadows.

This essay previously appeared on CNN.com. https://www.cnn.com/2018/03/26/opinions/data-...
dex.html

What Facebook collects and knows:
https://www.express.co.uk/life-style/science-...
otos-Data-Collection
http://www.businessinsider.com/facebook-saves...
lete-2013-12
https://www.theguardian.com/technology/2017/j...
ory-california-lawsuit
https://www.propublica.org/article/facebook-d...
lly-knows-about-them
http://www.pnas.org/content/early/2013/03/06/...
http://www.businessinsider.com/facebook-perso...
ta-trump-election-2018-3

Surveillance capitalism:
https://www.amazon.com/Age-Surveillance-Capit...
7/ref=sr_1_sc_1

Data brokers:
http://www.newsweek.com/secretive-world-selli...

Equifax:
https://www.nytimes.com/2017/09/07/business/e...
https://www.nytimes.com/2017/10/02/business/e...
https://www.forbes.com/sites/forrester/2017/0...
-scores/#324765b219d8

Google Maps:
https://mashable.com/2015/07/22/google-maps-y...

Uber's data analysis on one-night stands: https://gigaom.com/2012/03/26/uber-one-night-...

My book, "Data and Goliath":
https://www.schneier.com/books/data_and_golia...

The "What They Know" series:
http://juliaangwin.com/the-what-they-know-ser...
https://ashkansoltani.org/work/what-they-know...

GDPR:
https://www.cennydd.com/writing/a-techies-rou...

PayPal's data sharing:
https://www.paypal.com/ie/webapps/mpp/ua/thir...
https://rebecca-ricks.com/paypal-data/

Zuckerberg and regulating Facebook: https://www.wired.com/story/mark-zuckerberg-t...
acy-problem/
https://www.theverge.com/2018/3/21/17150270/m...

Deleting Facebook:
https://pageflows.com/blog/delete-facebook/

Why deleting Facebook won't help:
https://www.nytimes.com/2018/03/24/opinion/su...
problem.html

Facebook collecting data about people not on Facebook:
https://www.theverge.com/2016/5/27/11795248/f...
es-plug-ins
https://mashable.com/2013/06/26/facebook-shad...
https://gizmodo.com/how-facebook-figures-out-...
?IR=T

Slashdot thread:
https://yro.slashdot.org/story/18/03/31/02532...
ng-on-you


** *** ***** ******* *********** *************

      News



This is a good article on the complicated story of hacker Marcus Hutchins.
https://nymag.com/selectall/2018/03/marcus-hu...

Dan Geer on the dangers of computer-only systems: https://www.hoover.org/sites/default/files/re...
d2.pdf

Interesting paper "A first look at browser-based cryptojacking":
https://arxiv.org/abs/1803.02887v1

Interesting analysis and speculation about the Cuban sonic weapon.
https://www.spectrum.ieee.org/semiconductors/...
the-cuban-sonic-weapon-attack
Good Snopes article on this:
https://www.snopes.com/fact-check/do-sonic-we...
-cuba/

Some details about the iPhone unlocker from the US company Greyshift, with
photos.
https://blog.malwarebytes.com/security-world/...
ses-serious-security-concerns/
https://www.schneier.com/blog/archives/2018/0...

Zeynep Tufekci is particularly cogent about Facebook and Cambridge Analytica.
https://www.nytimes.com/2018/03/19/opinion/fa...

Interesting research from 2014 into undetectably adding backdoors into computer
chips during manufacture: "Stealthy dopant-level hardware Trojans: extended
version." The moral is that this kind of technique is
*very* difficult to detect.
https://link.springer.com/article/10.1007/s13...
https://www.emsec.rub.de/media/crypto/veroeff...
lthyExtended.pdf

Yet another development in the arms race between facial recognition systems and
facial-recognition-system foolers. https://arxiv.org/pdf/1803.04683.pdf
https://boingboing.net/2018/03/26/the-threate...

Ross Anderson has a really interesting paper on tracing stolen bitcoin.
https://www.lightbluetouchpaper.org/2018/03/2...
https://www.cl.cam.ac.uk/~rja14/Papers/making...
Brad Templeton wrote about this years ago: http://ideas.4brad.com/what-if-somebody-steal...

Researchers have exploited a flaw in the cryptocurrency Monero to break the
anonymity of transactions.
https://www.wired.com/story/monero-privacy/
https://arxiv.org/pdf/1704.04299/
https://boingboing.net/2018/03/27/perfect-for...

When Spectre and Meltdown were first announced earlier this year, pretty much
everyone predicted that there would be many more attacks targeting branch
prediction in microprocessors. Here's another one: https://arstechnica.com/gadgets/2018/03/its-n...
-more-branch-prediction-attacks/
http://www.cs.ucr.edu/~nael/pubs/asplos18.pdf

It's routine for US police to unlock iPhones with the fingerprints of dead
people. It seems only to work with recently dead people.
https://www.forbes.com/sites/thomasbrewster/2...
-iphones-with-dead-peoples-fingerprints/#3f3dc52a393e

Interesting history of musical ciphers. https://www.atlasobscura.com/articles/musical...

The US Consumer Product Safety Commission is holding hearings on IoT risks:
https://www.federalregister.gov/documents/201...
-things-and-consumer-product-hazards

This is a really interesting research result. This paper proves that two
parties can create a secure communications channel using a communications
system with a backdoor. It's a theoretical result, so it doesn't talk about how
easy that channel is to create. And the assumptions on the adversary are pretty
reasonable: that each party can create his own randomness, and that the
government isn't literally eavesdropping on every single part of the network at
all times. https://eprint.iacr.org/2018/212
This result reminds me a lot of the work about subliminal channels from the
1980s and 1990s, and the notions of how to build an anonymous communications
system on top of an identified system. Basically, it's always possible to
overlay a system around and outside any closed system.

DARPA is launching a program aimed at vulnerability discovery via
human-assisted AI. The new DARPA program is called CHESS (Computers and Humans
Exploring Software Security), and they're holding a proposers day in a week and
a half.
https://www.fbo.gov/spg/ODA/DARPA/CMO/DARPA-S...
This is the kind of thing that can dramatically change the offense/defense
balance.

Good article about how difficult it is to insure an organization against 
Internet attacks, and how expensive the insurance is.
https://www.wired.com/story/cyberinsurance-ta...
ld-of-hacks/

Interesting research: "'Won't Somebody Think of the Children?' Examining COPPA
Compliance at Scale":
https://petsymposium.org/2018/files/papers/is...


** *** ***** ******* *********** *************


      Israeli Security Company Attacks AMD by Publishing Zero-Day Exploits



Last week, the Israeli security company CTS-Labs published a series of exploits
against AMD chips. The publication came with the flashy website, detailed
whitepaper, cool vulnerability names -- RYZENFALL, MASTERKEY, FALLOUT, and
CHIMERA -- and logos we've come to expect from
these sorts of things. What's new is that the company only gave AMD a day's
notice, which breaks with every norm about responsible disclosure. CTS-Labs
didn't release details of the exploits, only high-level
descriptions of the vulnerabilities, but it is probably still enough for others
to reproduce their results. This is incredibly irresponsible of the company.

Moreover, the vulnerabilities are kind of meh. Nicholas Weaver explains:

     In order to use any of the four vulnerabilities, an attacker
     must already have *almost* complete control over the
     machine. For most purposes, if the attacker already has this
     access, we would generally say they've already won. But these
     days, modern computers at least attempt to protect against a
     rogue operating system by having separate secure subprocessors.
     CTS-Labs discovered the vulnerabilities when they looked at
     AMD's implementation of the secure subprocessor to see if an
     attacker, having already taken control of the host operating
     system, could bypass these last lines of defense.

In a "Clarification," CTS-Labs kind of agrees:

     The vulnerabilities described in amdflaws.com could give an
     attacker that has already gained initial foothold into one or
     more computers in the enterprise a significant advantage
     against IT and security teams.

     The only thing the attacker would need after the initial local
     compromise is local admin privileges and an affected machine.
     To clarify misunderstandings -- there is no need for physical
     access, no digital signatures, no additional vulnerability to
     reflash an unsigned BIOS. Buy a computer from the store, run
     the exploits as admin -- and they will work (on the affected
     models as described on the site).

AMD responds:

     AMD's response today agrees that all four bug families are real
     and are found in the various components identified by CTS. The
     company says that it is developing firmware updates for the
     three PSP flaws. These fixes, to be made available in "coming
     weeks," will be installed through system firmware updates. The
     firmware updates will also mitigate, in some unspecified way,
     the Chimera issue, with AMD saying that it's working with
     ASMedia, the third-party hardware company that developed
     Promontory for AMD, to develop suitable protections. In its
     report, CTS wrote that, while one CTS attack vector was a
     firmware bug (and hence in principle correctable), the other
     was a hardware flaw. If true, there may be no effective way of
     solving it.

The weirdest thing about this story is that CTS-Labs describes one of the
vulnerabilities, Chimera, as a backdoor. Although it doesn't come out and say
that this was deliberately planted by someone, it does make the point that the
chips were designed in Taiwan. This is an incredible accusation, and honestly
needs more evidence before we can evaluate it.

The upshot of all of this is that CTS-Labs played this for maximum publicity:
over-hyping its results and minimizing AMD's ability to respond. And it may
have an ulterior motive. From Wired:

     But CTS's website touting AMD's flaws also contained a
     disclaimer that threw some shadows on the company's motives:
     "Although we have a good faith belief in our analysis and
     believe it to be objective and unbiased, you are advised that
     we may have, either directly or indirectly, an economic
     interest in the performance of the securities of the companies
     whose products are the subject of our reports," reads one line.
     WIRED asked in a follow-up email to CTS whether the company
     holds any financial positions designed to profit from the
     release of its AMD research specifically. CTS didn't respond.

We all need to demand better behavior from security researchers. I know that
any publicity is good publicity, but I am pleased to see the stories critical
of CTS-Labs outnumbering the stories praising it.

Attack:
https://amdflaws.com/
https://safefirmware.com/amdflaws_whitepaper....
https://safefirmware.com/Whitepaper+Clarifica...

Nicholas Weaver:
https://www.lawfareblog.com/researchers-find-...
sors

Wired story:
https://www.wired.com/story/amd-backdoor-cts-...

AMD responds:
https://arstechnica.com/gadgets/2018/03/amd-p...
y-processor-bugs/
https://community.amd.com/community/amd-corpo...
echnical-assessment-of-cts-labs-research


** *** ***** ******* *********** *************

      Schneier News



I'm speaking at the RSA Conference on April 17-18 in San Francisco:
https://www.rsaconference.com/events/us18

I'm speaking at an IBM event in Mumbai on May 3.

I'm speaking at an IBM event in Istanbul on May 9.

I'm speaking at an IBM event in London on May 15.


** *** ***** ******* *********** *************

      Obscure E-Mail Vulnerability



This vulnerability is a result of an interaction between two different ways of
handling e-mail addresses. Gmail ignores dots in addresses, so
bruce.schneier@gmail.com is the same as bruceschneier@gmail.com is the same as
b.r.u.c.e.schneier@gmail.com. (Note: I do not own any of those email addresses
-- if they're even valid.) Netflix doesn't ignore dots, so those are all unique
e-mail addresses and can each be used to register an account. This difference
can be exploited.

     I was almost fooled into perpetually paying for Eve's Netflix
     access, and only paused because I didn't recognize the declined
     card. More generally, the phishing scam here is:

     1. Hammer the Netflix signup form until you find a
     gmail.com address which is "already registered". Let's say you
     find the victim jameshfisher.

     2. Create a Netflix account with address james.hfisher.

     3. Sign up for free trial with a throwaway card number.

     4. After Netflix applies the "active card check", cancel the
     card.

     5. Wait for Netflix to bill the cancelled card. Then Netflix
     emails james.hfisher asking for a valid card.

     6. Hope Jim reads the email to james.hfisher, assumes it's for
     his Netflix account backed by jameshfisher, then enters his
     card **** 1234.

     7. Change the email for the Netflix account to eve@gmail.com,
     kicking Jim's access to this account.

     8. Use Netflix free forever with Jim's card **** 1234!

Obscure, yes? A problem, yes?

James Fisher, who wrote the post, argues that it's Google's fault. Ignoring
dots might give people an enormous number of different email addresses, but
it's not a feature that people actually want. And as long as other sites don't
follow Google's lead, these sorts of problems are possible.

I think the problem is more subtle. It's an example of two systems without a
security vulnerability coming together to create a security vulnerability. As
we connect more systems directly to each other, we're going to see a lot more
of these. And like this Google/Netflix interaction, it's going to be hard to
figure out who to blame and who -- if anyone -- has the responsibility of
fixing it.

https://jameshfisher.com/2018/04/07/the-dots-...
.html
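The two address-equivalence rules described above, side by side, as an added example that is not from the original newsletter or from Fisher's post: a mailbox key that applies Gmail's dot-blindness, the exact-string key a site like Netflix uses, and a signup check a registering site could run so that an address whose Gmail mailbox already belongs to an existing account is held for confirmation instead of silently becoming a second account. The registry class, function names, the googlemail.com alias and the sample addresses are assumptions added for illustration.

```python
from __future__ import annotations

# Added example: two individually harmless rules ("dots are ignored" at the
# mail provider, "dots are significant" at the registering site) produce
# account confusion, and a defensive signup check that notices it.
# Names, class and sample addresses are assumptions for illustration.

# Gmail delivers mail for these domains to one mailbox regardless of dots in
# the local part; googlemail.com is Google's alias domain for gmail.com.
DOT_INSENSITIVE_DOMAINS = {"gmail.com", "googlemail.com"}


def split_address(addr: str) -> tuple[str, str]:
    """Split 'local@domain', rejecting anything without exactly one '@'."""
    addr = addr.strip()
    local, sep, domain = addr.rpartition("@")
    if not sep or not local or not domain or "@" in local:
        raise ValueError(f"not a mailbox address: {addr!r}")
    return local, domain.lower()


def exact_key(addr: str) -> str:
    """Netflix-style identity: the address string itself (dots significant)."""
    local, domain = split_address(addr)
    return f"{local}@{domain}"


def mailbox_key(addr: str) -> str:
    """Gmail-style identity: the mailbox the message actually lands in.

    For dot-insensitive providers, drop dots and case from the local part and
    fold the alias domain onto gmail.com. For any other domain the local part
    is kept exactly as written, because that provider's rules are unknown.
    """
    local, domain = split_address(addr)
    if domain in DOT_INSENSITIVE_DOMAINS:
        return f"{local.replace('.', '').lower()}@gmail.com"
    return f"{local}@{domain}"


class AccountRegistry:
    """Minimal model of a site's signup table with a mailbox-collision check."""

    def __init__(self) -> None:
        self._by_exact: dict[str, str] = {}    # exact address -> stored address
        self._by_mailbox: dict[str, str] = {}  # mailbox key -> first address

    def register(self, addr: str) -> tuple[str, str | None]:
        """Attempt a signup and report how it should be handled.

        ("ok", None)          new address and new mailbox
        ("exists", addr)      this exact address is already registered
        ("collision", other)  different string, same Gmail mailbox as an
                              existing account: hold the signup until the
                              mailbox owner confirms it is theirs
        """
        exact = exact_key(addr)
        if exact in self._by_exact:
            return "exists", self._by_exact[exact]
        mailbox = mailbox_key(addr)
        if mailbox in self._by_mailbox:
            return "collision", self._by_mailbox[mailbox]
        self._by_exact[exact] = exact
        self._by_mailbox[mailbox] = exact
        return "ok", None


if __name__ == "__main__":
    reg = AccountRegistry()
    # Constructed sample addresses; none are real accounts.
    print(reg.register("jameshfisher@gmail.com"))     # ('ok', None)
    print(reg.register("james.hfisher@gmail.com"))    # ('collision', 'jameshfisher@gmail.com')
    print(reg.register("james.hfisher@example.com"))  # ('ok', None): dots matter elsewhere
```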


** *** ***** ******* *********** *************

      The Digital Security Exchange Is Live



Last year, I wrote about the Digital Security Exchange. The project is live:

     The DSX works to strengthen the digital resilience of U.S.
     civil society groups by improving their understanding and
     mitigation of online threats.

     We do this by pairing civil society and social sector
     organizations with credible and trustworthy digital security
     experts and trainers who can help them keep their data and
     networks safe from exposure, exploitation, and attack. We are
     committed to working with community-based organizations, legal
     and journalistic organizations, civil rights advocates, local
     and national organizers, and public and high-profile figures
     who are working to advance social, racial, political, and
     economic justice in our communities and our world.

If you are either an organization who needs help, or an expert who can provide
help, visit their website.

Note: I am on their advisory committee.

https://digitalsecurityexchange.org/

My previous blog post:
https://www.schneier.com/blog/archives/2017/0...


** *** ***** ******* *********** *************

Since 1998, CRYPTO-GRAM has been a free monthly newsletter providing summaries,
analyses, insights, and commentaries on security: computer and otherwise. You
can subscribe, unsubscribe, or change your address on the Web at
<https://www.schneier.com/crypto-gram.html>... Back issues are also available at
that URL.

Please feel free to forward CRYPTO-GRAM, in whole or in part, to colleagues and
friends who will find it valuable. Permission is also granted to reprint
CRYPTO-GRAM, as long as it is reprinted in its entirety.

CRYPTO-GRAM is written by Bruce Schneier. Bruce Schneier is an
internationally renowned security technologist, called a "security guru" by The
Economist. He is the author of 12 books -- including "Liars and Outliers:
Enabling the Trust Society Needs to Survive" -- as well as hundreds of
articles, essays, and academic papers. His influential newsletter "Crypto-Gram"
and his blog "Schneier on Security" are read by over 250,000 people. He has
testified before Congress, is a frequent guest on television and radio, has
served on several government committees, and is regularly quoted in the press.
Schneier is a fellow at the Berkman Center for Internet and Society at Harvard
Law School, a program fellow at the New America Foundation's Open Technology
Institute, a board member of the Electronic Frontier Foundation, an Advisory
Board Member of the Electronic Privacy Information Center, and CTO of IBM
Resilient and Special Advisor to IBM Security. See
<https://www.schneier.com>.

Crypto-Gram is a personal newsletter. Opinions expressed are not necessarily
those of IBM Resilient.

Copyright (c) 2018 by Bruce Schneier.

** *** ***** ******* *********** *************


--- BBBS/LiR v4.10 Toy-3
 * Origin: Pi TCOB1 bbbs.mooo.com (618:500/14)