From: Sean Rima
To: All
Subject: CRYPTO-GRAM, June 15, 2018
Date/Time: June 18, 2018 2:46 PM

           CRYPTO-GRAM

          June 15, 2018

         by Bruce Schneier
        CTO, IBM Resilient
       schneier@schneier.com
      https://www.schneier.com


A free monthly newsletter providing summaries, analyses, insights, and
commentaries on security: computer and otherwise.

For back issues, or to subscribe, visit
<https://www.schneier.com/crypto-gram.html>.

You can read this issue on the web at
<https://www.schneier.com/crypto-gram/archives/2018/0615.html>. These same
essays and news items appear in the "Schneier on Security" blog at
<https://www.schneier.com/>, along with a lively and intelligent comment
section. An RSS feed is available.


** *** ***** ******* *********** *************

In this issue:
     Important: Crypto-Gram Is Moving to MailChimp
     Router Vulnerability and the VPNFilter Botnet
     E-Mail Vulnerabilities and Disclosure
     News
     Russian Censorship of Telegram
     Security and Human Behavior (SHB 2018)
     Schneier News
     Another Spectre-Like CPU Vulnerability
     An Example of Deterrence in Cyberspace
     New Data Privacy Regulations


** *** ***** ******* *********** *************

     Important: Crypto-Gram Is Moving to MailChimp



tl;dr: I'm moving this mailing list to MailChimp. If you still want to get
Crypto-Gram, you don't have to do anything. I'm moving the list over.

I have to move Crypto-Gram now, because my long-time host is getting out of the
hosting business. Truthfully, I've been having trouble with hosting such a large
list for a long time. And the subscription management for the list wasn't very
user-friendly for people who weren't already used to old-school mailing lists. I
hope this change will make things more user-friendly for everyone.

After looking at the various options out there, I've decided to go with
MailChimp. They are willing to work with me to ensure that open tracking and
click tracking are disabled -- so no web bugs. Google Analytics on the MailChimp
site will track you if you subscribe, unsubscribe, or change your preferences; I
can't eliminate that.

Changing hosts may cause some e-mail programs to filter Crypto-Gram differently.
For example, Gmail will probably put it in your "Promotions" tab. You can change
this by dragging it into your primary tab, but you'll have to manage that
yourself. I see no way to avoid this.

If you don't like MailChimp and don't want to be a subscriber, you can
unsubscribe using the personalized unsubscribe link in the footer of this email
until July 1. After July 1, please visit this page to unsubscribe:

https://www.schneier.com/crypto-gram/unsubscr...

If Mailman's unsubscribe system is too annoying, please e-mail me at
listowner@schneier.com and I'll make sure you're removed.

You can also read the monthly edition of Crypto-Gram on my website, or read the
individual articles as they come out on my blog. That URL is:

https://www.schneier.com

I'm also going to start sending out Crypto-Gram in HTML instead of plain text.
It will be very simple, plain HTML with no images, so the newsletter won't look
all that different. But this change will allow me to use bold and italics, and
to keep links in their natural place within the text instead of dumping them
into a long ugly list of URLs at the end. Those of you who've disabled HTML
display in your e-mail clients for security reasons will still see a plain text
version.

I have resisted making this change for several years, but now I really have no
choice. I apologize for any inconvenience.


** *** ***** ******* *********** *************

     Router Vulnerability and the VPNFilter Botnet



On May 25, the FBI asked us all to reboot our routers. The story behind this
request is one of sophisticated malware and unsophisticated home-network
security, and it's a harbinger of the sorts of pervasive threats -- from
nation-states, criminals and hackers -- that we should expect in coming years.

VPNFilter is a sophisticated piece of malware that infects mostly older home
and small-office routers made by Linksys, MikroTik, Netgear, QNAP and TP-Link.
It's an impressive piece of work. It can eavesdrop on traffic passing through
the router -- specifically, login credentials and SCADA traffic, which is a
networking protocol that controls power plants, chemical plants and industrial
systems -- attack other targets on the Internet and destructively "kill" its
infected device. It is one of a very few pieces of malware that can survive a
reboot, even though that's what the FBI has requested. It has a number of other
capabilities, and it can be remotely updated to provide still others. More than
500,000 routers in at least 54 countries have been infected since 2016.

Because of the malware's sophistication, VPNFilter is believed to be the work of
a government. The FBI suggested the Russian government was involved for two
circumstantial reasons. One, a piece of the code is identical to one found in
another piece of malware, called BlackEnergy, that was used in the December 2015
attack against Ukraine's power grid. Russia is believed to be behind that
attack. And two, the majority of those 500,000 infections are in Ukraine and
controlled by a separate command-and-control server. There might also be
classified evidence, as an FBI affidavit in this matter identifies the group
behind VPNFilter as Sofacy, also known as APT28 and Fancy Bear. That's the group
behind a long list of attacks, including the 2016 hack of the Democratic
National Committee.

Two companies, Cisco and Symantec, seem to have been working with the FBI during
the past two years to track this malware as it infected ever more routers. The
infection mechanism isn't known, but we believe it targets known vulnerabilities
in these older routers. Pretty much no one patches their routers, so the
vulnerabilities have remained, even if they were fixed in new models from the
same manufacturers.

On May 30, the FBI seized control of toknowall.com, a critical VPNFilter
command-and-control server. This is called "sinkholing," and serves to disrupt a
critical part of this system. When infected routers contact toknowall.com, they
will no longer be contacting a server owned by the malware's creators; instead,
they'll be contacting a server owned by the FBI. This doesn't entirely
neutralize the malware, though. It will stay on the infected routers through
reboot, and the underlying vulnerabilities remain, making the routers
susceptible to reinfection with a variant controlled by a different server.

If you want to make sure your router is no longer infected, you need to do more
than reboot it, the FBI's warning notwithstanding. You need to reset the router
to its factory settings. That means you need to reconfigure it for your network,
which can be a pain if you're not sophisticated in these matters. If you want to
make sure your router cannot be reinfected, you need to update the firmware with
any security patches from the manufacturer. This is harder to do and may strain
your technical capabilities, though it's ridiculous that routers don't
automatically download and install firmware updates on their own. Some of these
models probably do not even have security patches available. Honestly, the best
thing to do if you have one of the vulnerable models is to throw it away and get
a new one. (Your ISP will probably send you a new one free if you claim that
it's not working properly. And you *should* have a new one, because if your
current one is on the list, it's probably at least 10 years old.)

So if it won't clear out the malware, why is the FBI asking us to reboot our
routers? It's mostly just to get a sense of how bad the problem is. The FBI now
controls toknowall.com. When an infected router gets rebooted, it connects to
that server to get fully reinfected, and when it does, the FBI will know.
Rebooting will give it a better idea of how many devices out there are infected.

Should you do it? It can't hurt.
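The reconnect behaviour the essay describes is visible not only at the sinkhole but also on the inside of a network: whatever the FBI's server sees, the local DNS resolver's query log saw first. As an added example (this is not code from the newsletter or from any of the reports it cites), the Python script below scans DNS query-log lines for lookups of the sinkholed domain named above and groups them by source address, giving a defender a list of devices to factory-reset and re-flash as the essay advises. The log lines are constructed samples in a simplified BIND-style format, and the private addresses are placeholders.

```python
import re
from collections import defaultdict

# Domain the FBI sinkholed on May 30, 2018 (named in the essay). An internal host
# that still resolves it is still running the malware's first stage.
SINKHOLED_C2_DOMAINS = {"toknowall.com"}

# Simplified BIND-style query-log line. The "@0x..." client handle and the
# "(name)" field that newer BIND versions emit are optional so both shapes parse.
QUERY_LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?:@\S+ )?(?P<src>\d{1,3}(?:\.\d{1,3}){3})#\d+"
    r"(?: \([^)]*\))?: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)

# Constructed sample log. 192.168.1.1 stands for the home router, which in most
# small networks is also the device forwarding everyone's DNS queries.
SAMPLE_QUERY_LOG = """\
12-Jun-2018 09:14:02.117 client 192.168.1.1#51234: query: toknowall.com IN A + (192.168.1.53)
12-Jun-2018 09:14:03.009 client 192.168.1.20#40211: query: www.schneier.com IN A + (192.168.1.53)
12-Jun-2018 09:31:45.332 client @0x7f3a2c0 192.168.1.1#51240 (toknowall.com): query: toknowall.com IN A + (192.168.1.53)
12-Jun-2018 09:40:10.001 client 192.168.1.33#60001: query: nottoknowall.com IN A + (192.168.1.53)
12-Jun-2018 09:55:00.500 client 192.168.1.1#51301: query: TOKNOWALL.COM. IN A + (192.168.1.53)
"""


def normalize_name(qname):
    """DNS names compare case-insensitively and may carry a trailing dot."""
    return qname.rstrip(".").lower()


def is_c2_query(qname):
    """True for the sinkholed domain itself or any name beneath it.

    The suffix test requires a dot so 'nottoknowall.com' does not match."""
    name = normalize_name(qname)
    return any(name == d or name.endswith("." + d) for d in SINKHOLED_C2_DOMAINS)


def parse_query_log(text):
    """Yield one dict per parseable log line; unrelated lines are skipped."""
    for line in text.splitlines():
        m = QUERY_LINE_RE.match(line)
        if m:
            yield m.groupdict()


def find_sinkhole_contacts(text):
    """Map each source IP to the (timestamp, name) pairs of its C2 lookups."""
    hits = defaultdict(list)
    for q in parse_query_log(text):
        if is_c2_query(q["qname"]):
            hits[q["src"]].append((q["ts"], normalize_name(q["qname"])))
    return dict(hits)


def summarize(hits):
    """One human-readable line per flagged source address."""
    return [
        f"{src}: {len(events)} lookup(s), first {events[0][0]}, last {events[-1][0]}"
        for src, events in sorted(hits.items())
    ]


if __name__ == "__main__":
    for line in summarize(find_sinkhole_contacts(SAMPLE_QUERY_LOG)):
        print(line)
```

Two caveats on reading the output. If the router forwards DNS for the whole LAN, every flagged lookup will appear to come from the router's own address, which in this case is exactly the device of interest, but it also means a query from a LAN host behind it cannot be told apart. And a clean log proves nothing: the essay notes the malware can be updated and that a variant could use a different server, so absence of lookups for this one name is not evidence of a clean device.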

Internet of Things malware isn't new. The 2016 Mirai botnet, for example,
created by a lone hacker and not a government, targeted vulnerabilities in
Internet-connected digital video recorders and webcams. Other malware has
targeted Internet-connected thermostats. Lots of malware targets home routers.
These devices are particularly vulnerable because they are often designed by ad
hoc teams without a lot of security expertise, stay around in networks far
longer than our computers and phones, and have no easy way to patch them.

It wouldn't be surprising if the Russians targeted routers to build a network of
infected computers for follow-on cyber operations. I'm sure many governments are
doing the same. As long as we allow these insecure devices on the Internet
-- and short of security regulations, there's no way to stop them -- we're
going to be vulnerable to this kind of malware.

And next time, the command-and-control server won't be so easy to disrupt.

Addendum: The malware is more capable than we previously thought.
https://arstechnica.com/information-technolog...ing-50000-devices-is-worse-than-we-thought/

This essay previously appeared in the "Washington Post."
https://www.washingtonpost.com/news/postevery...nts-you-to-reboot-your-router-and-why-that-wont-be-enough-next-time/

https://arstechnica.com/information-technolog...nsumer-routers-all-over-the-world-with-malware/
https://www.wired.com/story/vpnfilter-router-...

Vulnerable routers:
https://www.symantec.com/blogs/threat-intelli...

BlackEnergy:
https://usa.kaspersky.com/resource-center/thr...

FBI's affidavit:
http://www.kingpin.cc/wp-content/uploads/2018...
https://www.justice.gov/opa/pr/justice-depart...anced-persistent-threat-28-botnet-infected

Cisco's post:
https://blog.talosintelligence.com/2018/05/VP...

FBI sinkholes command-and-control system:
https://amp.thedailybeast.com/exclusive-fbi-s...

Updating your router firmware:
https://krebsonsecurity.com/2018/05/fbi-kindl...ore-44020

FBI's request:
https://www.nytimes.com/2018/05/27/technology...
https://www.ic3.gov/media/2018/180525.aspx

Should you do it?:
https://www.cnet.com/how-to/the-fbi-says-you-...ou-explainer/


** *** ***** ******* *********** *************

     E-Mail Vulnerabilities and Disclosure



Last week, researchers disclosed vulnerabilities in a large number of encrypted
e-mail clients: specifically, those that use OpenPGP and S/MIME, including
Thunderbird and AppleMail. These are serious vulnerabilities: An attacker who
can alter mail sent to a vulnerable client can trick that client into sending a
copy of the plaintext to a web server controlled by that attacker. The story of
these vulnerabilities and the tale of how they were disclosed illustrate some
important lessons about security vulnerabilities in general and e-mail security
in particular.

But first, if you use PGP or S/MIME to encrypt e-mail, you need to check the
list and see if you are vulnerable. If you are, check with the vendor to see if
they've fixed the vulnerability. (Note that some early patches turned out not to
fix the vulnerability.) If not, stop using the encrypted e-mail program entirely
until it's fixed. Or, if you know how to do it, turn off your e-mail client's
ability to process HTML e-mail or -- even better -- stop decrypting e-mails from
within the client. There's even more complex advice for more sophisticated
users, but if you're one of those, you don't need me to explain this to you.

Consider your encrypted e-mail insecure until this is fixed.
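The attack outlined above works because the mail client, while rendering HTML, fetches resources from the network, which is why the advice is to disable HTML processing. As an added example (not code from the newsletter, the Efail researchers, or any mail client), the Python below shows the check a client-side rendering policy can apply before displaying a message: parse the MIME structure, list every remote fetch the HTML part would trigger, and fall back to the text/plain alternative whenever that list is not empty. The two messages are constructed samples, and the domain names in them are placeholders.

```python
import re
from email import message_from_string, policy
from html.parser import HTMLParser

# Attributes through which an HTML renderer fetches something from the network.
# "href" counts only on <link> (stylesheets); an <a href> is fetched on click, not on render.
REMOTE_ATTRS = {"src", "href", "background", "action", "poster", "data"}
REMOTE_SCHEME_RE = re.compile(r"^\s*(?:https?|ftp)://", re.IGNORECASE)
CSS_URL_RE = re.compile(r"url\(\s*['\"]?\s*((?:https?|ftp)://[^'\")\s]+)", re.IGNORECASE)


class RemoteRefCollector(HTMLParser):
    """Collect (tag, attribute, url) for every network fetch rendering would trigger."""

    def __init__(self):
        super().__init__()
        self.refs = []
        self._in_style = False

    def handle_starttag(self, tag, attrs):
        if tag == "style":
            self._in_style = True
        for name, value in attrs:
            if value is None:
                continue
            if name == "href" and tag != "link":
                continue
            if name in REMOTE_ATTRS and REMOTE_SCHEME_RE.match(value):
                self.refs.append((tag, name, value.strip()))
            elif name == "style":  # inline CSS such as background: url(...)
                self.refs.extend((tag, "style", u) for u in CSS_URL_RE.findall(value))

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        if self._in_style:  # body of a <style> block
            self.refs.extend(("style", "css", u) for u in CSS_URL_RE.findall(data))


def _parts(raw_message, content_type):
    """Decoded bodies of all parts with the given content type, in MIME order."""
    msg = message_from_string(raw_message, policy=policy.default)
    return [p.get_content() for p in msg.walk() if p.get_content_type() == content_type]


def remote_references(raw_message):
    """All remote fetches the text/html part(s) of a message would cause on render."""
    refs = []
    for html in _parts(raw_message, "text/html"):
        collector = RemoteRefCollector()
        collector.feed(html)
        collector.close()
        refs.extend(collector.refs)
    return refs


def render_decision(raw_message):
    """("html", body) only when rendering causes no network fetch; otherwise
    ("text", body) from the plain-text alternative, or ("none", None) if absent."""
    html_parts = _parts(raw_message, "text/html")
    plain_parts = _parts(raw_message, "text/plain")
    if html_parts and not remote_references(raw_message):
        return ("html", html_parts[0])
    if plain_parts:
        return ("text", plain_parts[0])
    return ("none", None)


# Constructed sample: multipart/alternative whose HTML copy would fetch two remote
# resources (a tracking image and a CSS background) if rendered as-is.
SAMPLE_MAIL = """\
From: alice@example.invalid
To: bob@example.invalid
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Hello Bob, this is the plain-text copy.
--b1
Content-Type: text/html; charset="utf-8"

<html><body><p>Hello Bob</p>
<a href="https://www.schneier.com/">a link is not fetched on render</a>
<img src="https://tracker.example.invalid/pixel.gif" width="1" height="1">
<div style="background: url('https://cdn.example.invalid/bg.png')"></div>
</body></html>
--b1--
"""

# Constructed sample: HTML that references nothing remote, so it may be rendered.
CLEAN_MAIL = """\
From: alice@example.invalid
To: bob@example.invalid
Subject: constructed clean sample
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>Hello Bob, <b>no</b> remote content here.</p></body></html>
"""

if __name__ == "__main__":
    for ref in remote_references(SAMPLE_MAIL):
        print("remote fetch:", ref)
    print("decision:", render_decision(SAMPLE_MAIL)[0], render_decision(CLEAN_MAIL)[0])
```

The check is deliberately conservative: it inspects the markup the renderer would see, including inline and block CSS, and the fallback is the plain-text alternative rather than a sanitized version of the HTML, because a sanitizer that misses one fetch path is exactly the failure the essay describes. A message with no text/plain part gets no rendering at all under this policy, which matches the advice to stop decrypting inside the client until it is fixed.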

All software contains security vulnerabilities, and one of the primary ways we
all improve our security is by researchers discovering those vulnerabilities and
vendors patching them. It's a weird system: Corporate researchers are motivated
by publicity, academic researchers by publication credentials, and just about
everyone by individual fame and the small bug-bounties paid by some vendors.

Software vendors, on the other hand, are motivated to fix vulnerabilities by the
threat of public disclosure. Without the threat of eventual publication, vendors
are likely to ignore researchers and delay patching. This happened a lot in the
1990s, and even today, vendors often use legal tactics to try to block
publication. It makes sense; they look bad when their products are pronounced
insecure.

Over the past few years, researchers have started to choreograph vulnerability
announcements to make a big press splash. Clever names -- the e-mail
vulnerability is called "Efail" -- websites, and cute logos are now common. Key
reporters are given advance information about the vulnerabilities. Sometimes
advance teasers are released. Vendors are now part of this process, trying to
announce their patches at the same time the vulnerabilities are announced.

This simultaneous announcement is best for security. While it's always possible
that some organization -- either government or criminal -- has independently
discovered and is using the vulnerability before the researchers go public, use
of the vulnerability is essentially guaranteed after the announcement. The time
period between announcement and patching is the most dangerous, and everyone
except would-be attackers wants to minimize it.

Things get much more complicated when multiple vendors are involved. In this
case, Efail isn't a vulnerability in a particular product; it's a vulnerability
in a standard that is used in dozens of different products. As such, the
researchers had to ensure both that everyone knew about the vulnerability in
time to fix it and that no one leaked the vulnerability to the public during
that time. As you can imagine, that's close to impossible.

Efail was discovered sometime last year, and the researchers alerted dozens of
different companies between last October and March. Some companies took the news
more seriously than others. Most patched. Amazingly, news about the
vulnerability didn't leak until the day before the scheduled announcement date.
Two days before the scheduled release, the researchers unveiled a teaser --
honestly, a really bad idea -- which resulted in details leaking.

After the leak, the Electronic Frontier Foundation posted a notice about the
vulnerability without details. The organization has been criticized for its
announcement, but I am hard-pressed to find fault with its advice. (Note: I am a
board member at EFF.) Then, the researchers published -- and lots of press
followed.

All of this speaks to the difficulty of coordinating vulnerability disclosure
when it involves a large number of companies or -- even more problematic --
communities without clear ownership. And that's what we have with OpenPGP. It's
even worse when the bug involves the interaction between different parts of a
system. In this case, there's nothing wrong with PGP or S/MIME in and of
themselves. Rather, the vulnerability occurs because of the way many e-mail
programs handle encrypted e-mail. GnuPG, an implementation of OpenPGP, decided
that the bug wasn't its fault and did nothing about it. This is arguably true,
but irrelevant. They should fix it.

Expect more of these kinds of problems in the future. The Internet is shifting
from a set of systems we deliberately use -- our phones and computers -- to a
fully immersive Internet-of-things world that we live in 24/7. And like this
e-mail vulnerability, vulnerabilities will emerge through the interactions of
different systems. Sometimes it will be obvious who should fix the problem.
Sometimes it won't be. Sometimes it'll be two secure systems that, when they
interact in a particular way, cause an insecurity. In April, I wrote about a
vulnerability that arose because Google and Netflix make different assumptions
about e-mail addresses. I don't even know who to blame for that one.

It gets even worse. Our system of disclosure and patching assumes that vendors
have the expertise and ability to patch their systems, but that simply isn't
true for many of the embedded and low-cost Internet of things software packages.
They're designed at a much lower cost, often by offshore teams that come
together, create the software, and then disband; as a result, there simply isn't
anyone left around to receive vulnerability alerts from researchers and write
patches. Even worse, many of these devices aren't patchable at all. Right now,
if you own a digital video recorder that's vulnerable to being recruited for a
botnet -- remember Mirai from 2016? -- the only way to patch it is to throw it
away and buy a new one.

Patching is starting to fail, which means that we're losing the best mechanism
we have for improving software security at exactly the same time that software
is gaining autonomy and physical agency. Many researchers and organizations,
including myself, have proposed government regulations enforcing minimal
security standards for Internet-of-things devices, including standards around
vulnerability disclosure and patching. This would be expensive, but it's hard to
see any other viable alternative.

Getting back to e-mail, the truth is that it's incredibly difficult to secure
well. Not because the cryptography is hard, but because we expect e-mail to do
so many things. We use it for correspondence, for conversations, for scheduling,
and for record-keeping. I regularly search my 20-year e-mail archive. The PGP
and S/MIME security protocols are outdated, needlessly complicated and have been
difficult to properly use the whole time. If we could start again, we would
design something better and more user-friendly -- but the huge number of legacy
applications that use the existing standards mean that we can't. I tell people
that if they want to communicate securely with someone, to use one of the secure
messaging systems: Signal, Off-the-Record, or -- if having one of those two on
your system is itself suspicious -- WhatsApp. Of course they're not perfect, as
last week's announcement of a vulnerability (patched within hours) in Signal
illustrates. And they're not as flexible as e-mail, but that makes them easier
to secure.

This essay previously appeared on Lawfare.com.
https://www.lawfareblog.com/what-efail-tells-...-disclosure

Efail vulnerability:
https://efail.de/
https://efail.de/efail-attack-paper.pdf

EFF post:
https://www.eff.org/deeplinks/2018/05/not-so-...fail-and-pgp-flaw-0

Press articles:
https://arstechnica.com/information-technolog...ugs-can-reveal-encrypted-e-mails-uninstall-now/
https://www.wired.com/story/efail-encrypted-e...
https://www.washingtonpost.com/news/the-switc...eading-your-encrypted-emails-heres-how/
https://arstechnica.com/information-technolog...can-decrypt-previously-obtained-encrypted-e-mails/
https://motherboard.vice.com/en_us/article/3k...

Early patches fail:
https://twitter.com/hanno/status/997138771194...

More complex advice for securing your router:
https://lists.gnupg.org/pipermail/gnupg-users...

Initial discovery of the vulnerability:
http://flaked.sockpuppet.org/2018/05/16/a-uni...

Teaser from the researchers:
https://twitter.com/seecurity/status/99590657...

Details leaking:
https://lists.gnupg.org/pipermail/gnupg-users...

EFF criticism:
https://www.riskbasedsecurity.com/2018/05/efa.../
https://protonmail.com/blog/pgp-vulnerability...

EFF defense:
https://blog.cryptographyengineering.com/2018...rribly-screwed-up/

OpenPGP and Efail:
https://medium.com/@cipherpunk/efail-a-postmo...
https://lists.gnupg.org/pipermail/gnupg-users...

Google/Netflix vulnerability:
https://www.schneier.com/blog/archives/2018/0...

The unpatchability of IOT devices:
https://www.wired.com/2014/01/theres-no-good-...s-and-thats-a-huge-problem/

Mirai botnet:
https://www.csoonline.com/article/3258748/sec...ow-teen-scammers-and-cctv-cameras-almost-brought-down-the-internet.html

E-mail security:
https://www.theatlantic.com/technology/archiv...0/
https://blog.hboeck.de/archives/893-efail-Out...e.html
https://blog.cryptographyengineering.com/2014...
https://people.eecs.berkeley.edu/~tygar/paper...pdf

Signal:
https://signal.org/

Off-the-Record:
https://otr.cypherpunks.ca/

WhatsApp:
https://www.whatsapp.com/

WhatsApp vulnerability:
https://ivan.barreraoro.com.ar/signal-desktop...


** *** ***** ******* *********** *************

     News



Securus Technologies gives police the ability to track cell phone locations
without a warrant:
https://www.nytimes.com/2018/05/10/technology...t.html
https://arstechnica.com/tech-policy/2018/05/s...lity-to-get-real-time-mobile-location-data/
https://boingboing.net/2018/05/12/extraordina...

Securus was hacked:
https://motherboard.vice.com/en_us/article/gy...y-hacked
https://www.cnet.com/news/securus-reportedly-...

The White House has eliminated the cybersecurity coordinator position. This
seems like a spectacularly bad idea.
https://www.nytimes.com/2018/05/15/technology...
https://politicalwire.com/2018/05/15/white-ho...
https://www.wired.com/story/white-house-cyber...
https://www.lawfareblog.com/boltons-magnifice...

Someone changed the address of the UPS corporate headquarters to his own
apartment in Chicago. The company discovered it three months later. The problem,
of course, is that in the US there isn't any authentication of change-of-address
submissions.
http://www.chicagotribune.com/news/local/brea...-20180417-story.html

The Intercept has a long article on Japan's equivalent of the NSA: the
Directorate for Signals Intelligence. Interesting, but nothing really
surprising.
https://theintercept.com/2018/05/19/japan-dfs...

The rise of self-checkout has caused a corresponding rise in shoplifting.
https://www.theguardian.com/global/2018/may/2...t-self-checkout

Interesting research in steganography at the font level.
http://www.cs.columbia.edu/~cxz/publications/...
https://securityboulevard.com/2018/05/glyph-p...eganography/
https://www.sciencedaily.com/releases/2018/05...
https://www.wired.com/story/fontcode-invisibl...

Interesting research on lie detecting through mouse movements.
http://journals.plos.org/plosone/article?id=1...
https://boingboing.net/2018/05/24/analyzing-m...

Fake kidnapping fraud:
http://mobile.abc.net.au/news/2018-05-28/cybe...ents-kidnapping-scheme/9807904

Interesting article about numbers stations.
https://warontherocks.com/2018/05/explaining-...

A great story of the first cyberattack -- from 1834 -- against a telegraph
network.
https://www.1843magazine.com/technology/rewin...
https://nakedsecurity.sophos.com/2018/05/31/f...etworking-hack-from-way-way-back/

Playing a sound over the speakers can cause computers to crash and possibly even
physically damage the hard drive.
https://arstechnica.com/information-technolog...s-to-ddos-video-recorders-and-pcs/
https://spqr.eecs.umich.edu/papers/bolton-blu...

Ross Anderson has a new paper on cryptocurrency exchanges and regulating
Bitcoin.
https://www.lightbluetouchpaper.org/2018/06/0...ow-to-tackle-it/
https://weis2018.econinfosec.org/wp-content/u...aper_38.pdf

We all know that it happens: when we see a security warning too often -- and
without effect -- we start tuning it out. A new paper uses fMRI, eye tracking,
and field studies to prove it.
https://neurosecurity.byu.edu/misq-longitudin...
https://neurosecurity.byu.edu/media/Vance_et_...

iOS 12, the next release of Apple's iPhone operating system, may include
features to prevent someone from unlocking your phone without your permission.
This is part of a bunch of security enhancements in iOS 12.
https://motherboard.vice.com/en_us/article/zm...ode-cellebrite-grayshift

For many years, I have said that complexity is the worst enemy of security. At
CyCon earlier this month, Thomas Dullien gave an excellent talk on the subject
with far more detail than I've ever provided.
https://www.err.ee/836236/video-google-0-proj...conil
https://docs.google.com/presentation/d/17bKud...DC8w/edit#slide=id.p1


** *** ***** ******* *********** *************

     Russian Censorship of Telegram



Internet censors have a new strategy in their bid to block applications and
websites: pressuring the large cloud providers that host them. These providers
have concerns that are much broader than the targets of censorship efforts, so
they have the choice of either standing up to the censors or capitulating in
order to maximize their business. Today's Internet largely reflects the
dominance of a handful of companies behind the cloud services, search engines
and mobile platforms that underpin the technology landscape. This new
centralization radically tips the balance between those who want to censor parts
of the Internet and those trying to evade censorship. When the profitable answer
is for a software giant to acquiesce to censors' demands, how long can Internet
freedom last?

The recent battle between the Russian government and the Telegram messaging app
illustrates one way this might play out. Russia has been trying to block
Telegram since April, when a Moscow court banned it after the company refused to
give Russian authorities access to user messages. Telegram, which is widely used
in Russia, works on both iPhone and Android, and there are Windows and Mac
desktop versions available. The app offers optional end-to-end encryption,
meaning that all messages are encrypted on the sender's phone and decrypted on
the receiver's phone; no part of the network can eavesdrop on the messages.

Since then, Telegram has been playing cat-and-mouse with the Russian telecom
regulator Roskomnadzor by varying the IP address the app uses to communicate.
Because Telegram isn't a fixed website, it doesn't need a fixed IP address.
Telegram bought tens of thousands of IP addresses and has been quickly rotating
through them, staying a step ahead of censors. Cleverly, this tactic is
invisible to users. The app never sees the change, or the entire list of IP
addresses, and the censor has no clear way to block them all.

A week after the court ban, Roskomnadzor countered with an unprecedented move of
its own: blocking 19 million IP addresses, many on Amazon Web Services and
Google Cloud. The collateral damage was widespread: The action inadvertently
broke many other web services that use those platforms, and Roskomnadzor scaled
back after it became clear that its action had affected services critical for
Russian business. Even so, the censor is still blocking millions of IP
addresses.

More recently, Russia has been pressuring Apple not to offer the Telegram app in
its iPhone App Store. As of this writing, Apple has not complied, and the
company has allowed Telegram to download a critical software update to iPhone
users (after what the app's founder called a delay last month). Roskomnadzor
could further pressure Apple, though, including by threatening to turn off its
entire iPhone app business in Russia.

Telegram might seem a weird app for Russia to focus on. Those of us who work in
security don't recommend the program, primarily because of the nature of its
cryptographic protocols. In general, proprietary cryptography has numerous fatal
security flaws. We generally recommend Signal for secure SMS messaging, or, if
having that program on your computer is somehow incriminating, WhatsApp. (More
than 1.5 billion people worldwide use WhatsApp.) What Telegram has going for it
is that it works really well on lousy networks. That's why it is so popular in
places like Iran and Afghanistan. (Iran is also trying to ban the app.)

What the Russian government doesn't like about Telegram is its anonymous
broadcast feature -- channel capability and chats -- which makes it an effective
platform for political debate and citizen journalism. The Russians might not
like that Telegram is encrypted, but odds are good that they can simply break
the encryption. Telegram's role in facilitating uncontrolled journalism is the
real issue.

Iran's attempts to block Telegram have been more successful than Russia's, less
because Iran's censorship technology is more sophisticated than because Telegram
is not willing to go as far to defend Iranian users. The reasons are not rooted
in business decisions. Simply put, Telegram is a Russian product and the
designers are more motivated to poke Russia in the eye. Pavel Durov, Telegram's
founder, has pledged millions of dollars to help fight Russian censorship.

For the moment, Russia has lost. But this battle is far from over. Russia could
easily come back with more targeted pressure on Google, Amazon and Apple. A year
earlier, Zello used the same trick Telegram is using to evade Russian censors.
Then, Roskomnadzor threatened to block all of Amazon Web Services and Google
Cloud; and in that instance, both companies forced Zello to stop its IP-hopping
censorship-evasion tactic.

Russia could also further develop its censorship infrastructure. If its
capabilities were as finely honed as China's, it would be able to more
effectively block Telegram from operating. Right now, Russia can block only
specific IP addresses, which is too coarse a tool for this issue. Telegram's
voice capabilities in Russia are significantly degraded, however, probably
because high-capacity IP addresses are easier to block.

Whatever its current frustrations, Russia might well win in the long term. By
demonstrating its willingness to suffer the temporary collateral damage of
blocking major cloud providers, it prompted cloud providers to block another and
more effective anti-censorship tactic, or at least accelerated the process. In
April, Google and Amazon banned -- and technically blocked -- the practice of
"domain fronting," a trick anti-censorship tools use to get around Internet
censors by pretending to be other kinds of traffic. Developers would use popular
websites as a proxy, routing traffic to their own servers through another
website -- in this case Google.com -- to fool censors into believing the traffic
was intended for Google.com. The anonymous web-browsing tool Tor has used domain
fronting since 2014. Signal, since 2016. Eliminating the capability is a boon to
censors worldwide.

Tech giants have gotten embroiled in censorship battles for years. Sometimes
they fight and sometimes they fold, but until now there have always been
options. What this particular fight highlights is that Internet freedom is
increasingly in the hands of the world's largest Internet companies. And while
freedom may have its advocates -- the American Civil Liberties Union has tweeted
its support for those companies, and some 12,000 people in Moscow protested
against the Telegram ban -- actions such as disallowing domain fronting
illustrate that getting the big tech companies to sacrifice their near-term
commercial interests will be an uphill battle. Apple has already removed
anti-censorship apps from its Chinese app store.

In 1993, John Gilmore famously said that "The Internet interprets censorship as
damage and routes around it." That was technically true when he said it but only
because the routing structure of the Internet was so distributed. As
centralization increases, the Internet loses that robustness, and censorship by
governments and companies becomes easier.

This essay previously appeared on Lawfare.com.
https://www.lawfareblog.com/censorship-age-la...

Telegram:
https://telegram.org/

Russia's ban:
https://www.theguardian.com/world/2018/apr/13...ing-app

Optional encryption:
http://telegra.ph/Why-Isnt-Telegram-End-to-En...

Roskomnadzor's IP blocking:
https://www.theguardian.com/world/2018/apr/17...esses-in-battle-against-telegram-app
https://www.techdirt.com/articles/20180417/13...ussia-breaks-internet.shtml
https://techcrunch.com/2018/04/19/russias-gam...o-19m-blocked-ips-hitting-twitch-spotify-and-more/
https://slate.com/technology/2018/04/russian-...ram-app-ban.html
https://usher2.club/en/

Apple's Telegram update:
https://www.engadget.com/2018/06/02/apple-app...russia-ban/
https://www.engadget.com/2018/05/31/apple-tel...

Telegram's security flaws:
https://news.ycombinator.com/item?id=6913456
https://www.wired.com/story/ditch-all-those-o...should-use-signal/
https://medium.freecodecamp.org/why-i-asked-m...nd-telegram-e93346b3c1f0

Signal:
https://signal.org/

WhatsApp:
https://www.whatsapp.com/

Iranian Telegram ban:
https://www.reuters.com/article/us-iran-teleg...es-ban-on-telegram-messaging-app-idUSKBN1I607A
https://www.nytimes.com/2018/05/01/world/midd...ml

Telegram's broadcast feature:
https://www.androidpolice.com/2015/09/22/tele...ting-messages-world/

Telegram founder vs. Russia:
https://themoscowtimes.com/news/telegram-foun...-political-censorship-61197

Zello and Telegram:
https://techcrunch.com/2018/04/17/russias-tel...gle-amazon-ip-addresses-had-a-precedent-in-zello/

Domain fronting:
https://www.theverge.com/2018/4/18/17253784/g...-signal-tor-vpn
https://arstechnica.com/information-technolog...nting-threatens-to-shut-down-signals-account/
https://www.bamsoftware.com/papers/fronting/
https://blog.torproject.org/domain-fronting-c...
https://www.bamsoftware.com/papers/thesis/#se...
https://signal.org/blog/doodles-stickers-cens...
https://www.bloomberg.com/view/articles/2018-...m-google-and-amazon

ACLU:
https://twitter.com/ACLU/status/9867026283347...

Apple removed anti-censorship apps:
http://fortune.com/2017/07/29/apple-censorshi...

Gilmore quote:
http://kirste.userpage.fu-berlin.de/outerspac...


** *** ***** ******* *********** *************

     Security and Human Behavior (SHB 2018)



This year, Carnegie Mellon University hosted the eleventh Workshop on Security
and Human Behavior. SHB is a small invitational gathering of people studying
various aspects of the human side of security, organized each year by Alessandro
Acquisti, Ross Anderson, and myself. The 50 or so people in the room included
psychologists, economists, computer security researchers, sociologists,
political scientists, neuroscientists, designers, lawyers, philosophers,
anthropologists, business school professors, and a smattering of others. It's
not just an interdisciplinary event; most of the people here are individually
interdisciplinary.

The goal is to maximize discussion and interaction. We do that by putting
everyone on panels, and limiting talks to 7-10 minutes. The rest of the time is
left to open discussion. Four hour-and-a-half panels per day over two days
equals eight panels; six people per panel means that 48 people get to speak. We
also have lunches, dinners, and receptions -- all designed so people from
different disciplines talk to each other.

I invariably find this to be the most intellectually stimulating conference of
my year. It influences my thinking in many different, and sometimes surprising,
ways.

Next year, I'll be hosting the event at Harvard.

Blog entry URL:
https://www.schneier.com/blog/archives/2018/0...

The 2018 Workshop on Security and Human Behavior: https://www.heinz.cmu.edu/~acquisti/SHB2018/i...

Ross Anderson's liveblog of the talks: https://www.lightbluetouchpaper.org/2018/05/2...
/#respond

Ross Anderson's psychology and security resources page:
https://www.cl.cam.ac.uk/~rja14/psysec.html

Here are my posts on the first, second, third, fourth, fifth, sixth, seventh,
eighth, ninth, and tenth SHB workshops. Follow those links to find summaries,
papers, and occasionally audio recordings of the various workshops.
http://www.schneier.com/blog/archives/2008/06...
http://www.schneier.com/blog/archives/2009/06...
http://www.schneier.com/blog/archives/2010/06...
http://www.schneier.com/blog/archives/2011/06...
https://www.schneier.com/blog/archives/2012/0...
https://www.schneier.com/blog/archives/2013/0...
https://www.schneier.com/blog/archives/2014/0...
https://www.schneier.com/blog/archives/2015/0...
https://www.schneier.com/blog/archives/2016/0...
https://www.schneier.com/blog/archives/2017/0...


** *** ***** ******* *********** *************

     Schneier News



I am speaking at Cyber Week in Tel Aviv, June 20-21:
https://cyberweek.tau.ac.il/2018/

I am speaking at FIRST conference in Kuala Lumpur on June 27:
https://www.first.org/conference/2018/kuala-l...


** *** ***** ******* *********** *************

     Another Spectre-Like CPU Vulnerability



Google and Microsoft researchers have disclosed another Spectre-like CPU
side-channel vulnerability, called "Speculative Store Bypass." Like the others,
the fix will slow the CPU down.

The German tech site Heise reports that more are coming.

I'm not surprised. Writing about Spectre and Meltdown in January, I predicted
that we'd be seeing a lot more of these sorts of vulnerabilities.

    Spectre and Meltdown are pretty catastrophic vulnerabilities,
    but they only affect the confidentiality of data. Now that they
    -- and the research into the Intel ME vulnerability -- have
    shown researchers where to look, more is coming -- and what
    they'll find will be worse than either Spectre or Meltdown.

I still predict that we'll be seeing lots more of these in the coming months and
years, as we learn more about this class of vulnerabilities.

https://www.theverge.com/2018/5/21/17377994/g...
speculative-store-bypass-variant-4
https://www.us-cert.gov/ncas/alerts/TA18-141A
https://www.zdnet.com/article/are-8-new-spect...
/
https://www.heise.de/ct/artikel/Super-GAU-fue...
-Anflug-4039134.html

My prediction:
https://www.schneier.com/blog/archives/2018/0...


** *** ***** ******* *********** *************

     An Example of Deterrence in Cyberspace



In 2016, the US was successfully deterred from attacking Russia in cyberspace
because of fears of Russian capabilities against the US.

I have two citations for this. The first is from the book "Russian Roulette: The
Inside Story of Putin's War on America and the Election of Donald Trump," by
Michael Isikoff and David Corn. Here's the quote:

    The principals did discuss cyber responses. The prospect of
    hitting back with cyber caused trepidation within the deputies
    and principals meetings. The United States was telling Russia
    this sort of meddling was unacceptable. If Washington engaged
    in the same type of covert combat, some of the principals
    believed, Washington's demand would mean nothing, and there
    could be an escalation in cyber warfare. There were concerns
    that the United States would have more to lose in all-out
    cyberwar.

    "If we got into a tit-for-tat on cyber with the Russians, it
    would not be to our advantage," a participant later remarked.
    "They could do more to damage us in a cyber war or have a
    greater impact." In one of the meetings, Clapper said he was
    worried that Russia might respond with cyberattacks against
    America's critical infrastructure -- and possibly shut down
    the electrical grid.

The second is from the book "The World as It Is," by President Obama's deputy
national security advisor Ben Rhodes. Here's the New York Times writing about
the book.

    Mr. Rhodes writes he did not learn about the F.B.I.
    investigation until after leaving office, and then from the
    news media. Mr. Obama did not impose sanctions on Russia in
    retaliation for the meddling before the election because he
    believed it might prompt Moscow into hacking into Election Day
    vote tabulations. Mr. Obama did impose sanctions after the
    election but Mr. Rhodes's suggestion that the targets include
    President Vladimir V. Putin was rebuffed on the theory that
    such a move would go too far.

When people try to claim that there's no such thing as deterrence in cyberspace,
this serves as a counterexample.

Isikoff/Corn book:
https://www.amazon.com/gp/product/B075WVX3MS

Rhodes book:
https://www.motherjones.com/politics/2018/03/...

Cyberdeterrence skeptics:
https://www.thecipherbrief.com/column_article...
stop
https://www.sciencedirect.com/science/article...


** *** ***** ******* *********** *************

     New Data Privacy Regulations



When Mark Zuckerberg testified before both the House and the Senate last month,
it became immediately obvious that few US lawmakers had any appetite to regulate
the pervasive surveillance taking place on the Internet.

Right now, the only way we can force these companies to take our privacy more
seriously is through the market. But the market is broken. First, none of us do
business directly with these data brokers. Equifax might have lost my personal
data in 2017, but I can't fire them because I'm not their customer or even their
user. I could complain to the companies I do business with who sell my data to
Equifax, but I don't know who they are. Markets require voluntary exchange to
work properly. If consumers don't even know where these data brokers are getting
their data from and what they're doing with it, they can't make intelligent
buying choices.

This is starting to change, thanks to a new law in Vermont and another in
Europe. And more legislation is coming.

Vermont first. At the moment, we don't know how many data brokers collect data
on Americans. Credible estimates range from 2,500 to 4,000 different companies.
Last week, Vermont passed a law that will change that.

The law does several things to improve the security of Vermonters' data, but
several provisions matter to all of us. First, the law requires data brokers
that trade in Vermonters' data to register annually. And while there are many
small local data brokers, the larger companies collect data nationally and even
internationally. This will help us get a more accurate look at who's in this
business. The companies also have to disclose what opt-out options they offer,
and how people can request to opt out. Again, this information is useful to all
of us, regardless of the state we live in. And finally, the companies have to
disclose the number of security breaches they've suffered each year, and how
many individuals were affected.

Admittedly, the regulations imposed by the Vermont law are modest. Earlier
drafts of the law included a provision requiring data brokers to disclose how
many individuals' data they hold in their databases, what sorts of data they
collect and where the data came from, but those were removed as the bill
negotiated its way into law. A more comprehensive law would allow individuals to
demand to know exactly what information a broker has about them -- and maybe
allow individuals to correct and even delete that data. But it's a start, and
the first statewide law of its kind to be passed in the face of strong industry
opposition.

Vermont isn't the first to attempt this, though. On the other side of the
country, Representative Norma Smith of Washington introduced a similar bill in
both 2017 and 2018. It goes further, requiring disclosure of what kinds of data
the broker collects. So far, the bill has stalled in the state's legislature,
but she believes it will have a much better chance of passing when she
introduces it again in 2019. I am optimistic that this is a trend, and that many
states will start passing bills forcing data brokers to be increasingly
transparent in their activities. And while their laws will be tailored to
residents of those states, all of us will benefit from the information.

A 2018 California ballot initiative could help. Among its provisions, it gives
consumers the right to demand exactly what information a data broker has about
them. If it passes in November, once it takes effect, lots of Californians will
take the list of data brokers from Vermont's registration law and demand this
information based on their own law. And again, all of us -- regardless of the
state we live in -- will benefit from the information.

We will also benefit from another, much more comprehensive, data privacy and
security law from the European Union. The General Data Protection Regulation
(GDPR) was passed in 2016 and took effect on 25 May. The details of the law are
far too complex to explain here, but among other things, it mandates that
personal data can only be collected and saved for specific purposes and only
with the explicit consent of the user. We'll learn who is collecting what and
why, because companies that collect data are going to have to ask European users
and customers for permission. And while this law only applies to EU citizens and
people living in EU countries, the disclosure requirements will show all of us
how these companies profit off our personal data.

It has already reaped benefits. Over the past couple of weeks, you've received
many e-mails from companies that have you on their mailing lists. In the coming
weeks and months, you're going to see other companies disclose what they're
doing with your data. One early example is PayPal: in preparation for GDPR, it
published a list of the over 600 companies it shares your personal data with.
Expect a lot more like this.

Surveillance is the business model of the Internet. It's not just the big
companies like Facebook and Google watching everything we do online and selling
advertising based on our behaviors; there's also a large and largely unregulated
industry of data brokers that collect, correlate and then sell intimate personal
data about our behaviors. If we make the reasonable assumption that Congress is
not going to regulate these companies, then we're left with the market and
consumer choice. The first step in that process is transparency. These new laws,
and the ones that will follow, are slowly shining a light on this secretive
industry.

This essay originally appeared in the "Guardian." https://www.theguardian.com/commentisfree/201...
-shine-light-industry
Blog entry URL:
https://www.schneier.com/blog/archives/2018/0...

Zuckerberg testimonies:
https://www.washingtonpost.com/news/the-switc...
erbergs-appearance-before-house-committee/
https://www.washingtonpost.com/news/the-switc...
-zuckerbergs-senate-hearing/

Equifax breach:
https://www.theguardian.com/business/2018/mar...
reach-jun-ying-charged

Data broker estimates:
http://www.newsweek.com/secretive-world-selli...

Vermont law:
https://vermontbiz.com/news/2018/may/25/vermo...
http://ago.vermont.gov/blog/2018/05/24/a-g-ne...
onters/

Washington state bill:
https://www.seattletimes.com/opinion/state-la...
rivacy-protection/
https://www.geekwire.com/2017/proposed-state-...
-business-groups/
http://lawfilesext.leg.wa.gov/biennium/2017-1...
HBA%20TED%2018.pdf
http://lawfilesext.leg.wa.gov/biennium/2017-1...
pdf

California ballot initiative:
https://www.caprivacy.org/facts/information-c...
https://www.nytimes.com/2018/05/13/business/c...
ure.html

General Data Protection Regulation: https://www.eugdpr.org/
https://www.cennydd.com/writing/a-techies-rou...

PayPal:
https://www.paypal.com/ie/webapps/mpp/ua/thir...
https://rebecca-ricks.com/paypal-data/


** *** ***** ******* *********** *************

Since 1998, CRYPTO-GRAM has been a free monthly newsletter providing summaries,
analyses, insights, and commentaries on security: computer and otherwise. You
can subscribe, unsubscribe, or change your address on the Web at
<https://www.schneier.com/crypto-gram.html>... Back issues are also available at
that URL.

Please feel free to forward CRYPTO-GRAM, in whole or in part, to colleagues and
friends who will find it valuable. Permission is also granted to reprint
CRYPTO-GRAM, as long as it is reprinted in its entirety.

CRYPTO-GRAM is written by Bruce Schneier. Bruce Schneier is an internationally
renowned security technologist, called a "security guru" by The Economist. He is
the author of 12 books -- including "Liars and Outliers: Enabling the Trust
Society Needs to Survive" -- as well as hundreds of articles, essays, and
academic papers. His influential newsletter "Crypto-Gram" and his blog "Schneier
on Security" are read by over 250,000 people. He has testified before Congress,
is a frequent guest on television and radio, has served on several government
committees, and is regularly quoted in the press. Schneier is a fellow at the
Berkman Center for Internet and Society at Harvard Law School, a program fellow
at the New America Foundation's Open Technology Institute, a board member of the
Electronic Frontier Foundation, an Advisory Board Member of the Electronic
Privacy Information Center, and CTO of IBM Resilient and Special Advisor to IBM
Security. See <https://www.schneier.com>.

Crypto-Gram is a personal newsletter. Opinions expressed are not necessarily
those of IBM Resilient.

Copyright (c) 2018 by Bruce Schneier.


** *** ***** ******* *********** *************

--- BBBS/LiR v4.10 Toy-3
 * Origin: Pi TCOB1 bbbs.mooo.com (618:500/14)