From: thecivvie   To: All   Subject: CRYPTO-GRAM, November 15, 2021   Date: November 21, 2021 8:00 PM

Crypto-Gram
November 15, 2021

by Bruce Schneier
Fellow and Lecturer, Harvard Kennedy School schneier@schneier.com
https://www.schneier.com

A free monthly newsletter providing summaries, analyses, insights, and
commentaries on security: computer and otherwise.

For back issues, or to subscribe, visit Crypto-Gram's web page.

Read this issue on the web

These same essays and news items appear in the Schneier on Security blog, along
with a lively and intelligent comment section. An RSS feed is available.

** *** ***** ******* *********** *************

In this issue:

If these links don't work in your email client, try reading this issue of
Crypto-Gram on the web.

Book Sale: Click Here to Kill Everybody and Data and Goliath
Security Risks of Client-Side Scanning
Missouri Governor Doesn't Understand Responsible Disclosure
Ransomware Attacks against Water Treatment Plants
Using Machine Learning to Guess PINs from Video
Textbook Rental Scam
Problems with Multifactor Authentication
Nation-State Attacker of Telecommunications Networks
New York Times Journalist Hacked with NSO Spyware
How the FBI Gets Location Information
More Russian SVR Supply-Chain Attacks
Squid Game Has a Cryptocurrency
Hiding Vulnerabilities in Source Code
On Cell Phone Metadata
Using Fake Student Accounts to Shill Brands
US Blacklists NSO Group
Squid Game Cryptocurrency Was a Scam
Drones Carrying Explosives
Hacking the Sony Playstation 5
Advice for Personal Digital Security
MacOS Zero-Day Used against Hong Kong Activists
Upcoming Speaking Engagements

** *** ***** ******* *********** *************

Book Sale: Click Here to Kill Everybody and Data and Goliath

[2021.11.15] For a limited time, I am selling signed copies of Click Here to
Kill Everybody and Data and Goliath, both in paperback, for just $6 each plus
shipping.

I have 500 copies of each book available. When they're gone, the sale is over
and the price will revert to normal.

Order here and here.

Please be patient on delivery. It's a lot of work to sign and mail hundreds of
books. And the pandemic is causing mail slowdowns all over the world. I'll send
them out as quickly as I can, but I can't guarantee any particular delivery
date. Also, signed but not personalized books will arrive faster.

** *** ***** ******* *********** *************

Security Risks of Client-Side Scanning

[2021.10.15] Even before Apple made its announcement, law enforcement shifted
their battle for backdoors to client-side scanning. The idea is that they
wouldn’t touch the cryptography, but instead eavesdrop on communications and
systems before encryption or after decryption. It’s not a cryptographic
backdoor, but it’s still a backdoor -- and brings with it all the insecurities
of a backdoor.

I’m part of a group of cryptographers that has just published a paper
discussing the security risks of such a system. (It’s substantially the same
group that wrote a similar paper about key escrow in 1997, and other
“exceptional access” proposals in 2015. We seem to have to do this every
decade or so.) In our paper, we examine both the efficacy of such a system and
its potential security failures, and conclude that it’s a really bad idea.

We had been working on the paper well before Apple’s announcement. And while
we do talk about Apple’s system, our focus is really on the idea in general.

Ross Anderson wrote a blog post on the paper. (It’s always great when Ross
writes something. It means I don’t have to.) So did Susan Landau. And
there’s press coverage in the New York Times, the Guardian, Computer Weekly,
the Financial Times, Forbes, El Pais (English translation), NRK (English
translation), and -- this is the best article of them all -- the Register. See
also this analysis of the law and politics of client-side scanning from last
year.

** *** ***** ******* *********** *************

Missouri Governor Doesn't Understand Responsible Disclosure

[2021.10.18] The Missouri governor wants to prosecute the reporter who
discovered a security vulnerability in a state’s website, and then reported it
to the state.

The newspaper agreed to hold off publishing any story while the department fixed
the problem and protected the private information of teachers around the state.

[...]

According to the Post-Dispatch, one of its reporters discovered the flaw in a
web application allowing the public to search teacher certifications and
credentials. No private information was publicly visible, but teacher Social
Security numbers were contained in HTML source code of the pages.

The state removed the search tool after being notified of the issue by the
Post-Dispatch. It was unclear how long the Social Security numbers had been
vulnerable.

[...]

Chris Vickery, a California-based data security expert, told The Independent
that it appears the department of education was “publishing data that it
shouldn’t have been publishing.”

“That’s not a crime for the journalists discovering it,” he said.
“Putting Social Security numbers within HTML, even if it’s ‘non-display
rendering’ HTML, is a stupid thing for the Missouri website to do and is a
type of boneheaded mistake that has been around since day one of the Internet.
No exploit, hacking or vulnerability is involved here.”

In explaining how he hopes the reporter and news organization will be
prosecuted, [Gov.] Parson pointed to a state statute defining the crime of
tampering with computer data. Vickery said that statute wouldn’t work in this
instance because of a recent decision by the U.S. Supreme Court in the case of
Van Buren v. United States.

One hopes that someone will calm the governor down.

Brian Krebs has more.

EDITED TO ADD (11/12): The governor doubled down a few days later.

** *** ***** ******* *********** *************

Ransomware Attacks against Water Treatment Plants

[2021.10.19] According to a report from CISA last week, there were three
ransomware attacks against water treatment plants last year.

WWS Sector cyber intrusions from 2019 to early 2021 include:

In August 2021, malicious cyber actors used Ghost variant ransomware against a
California-based WWS facility. The ransomware variant had been in the system for
about a month and was discovered when three supervisory control and data
acquisition (SCADA) servers displayed a ransomware message.

In July 2021, cyber actors used remote access to introduce ZuCaNo ransomware
onto a Maine-based WWS facility’s wastewater SCADA computer. The treatment
system was run manually until the SCADA computer was restored using local
control and more frequent operator rounds.

In March 2021, cyber actors used an unknown ransomware variant against a
Nevada-based WWS facility. The ransomware affected the victim’s SCADA system
and backup systems. The SCADA system provides visibility and monitoring but is
not a full industrial control system (ICS).

** *** ***** ******* *********** *************

Using Machine Learning to Guess PINs from Video

[2021.10.19] Researchers trained a machine-learning system on videos of people
typing their PINs into ATMs:

By using three tries, which is typically the maximum allowed number of attempts
before the card is withheld, the researchers reconstructed the correct sequence
for 5-digit PINs 30% of the time, and reached 41% for 4-digit PINs.

This works even if the person is covering the pad with their hands.

Slashdot thread.

EDITED TO ADD (11/11): Here’s the original research.

** *** ***** ******* *********** *************

Textbook Rental Scam

[2021.10.20] Here’s a story of someone who, with three compatriots, rented
textbooks from Amazon and then sold them instead of returning them. They used
gift cards and prepaid credit cards to buy the books, so there was no available
balance when Amazon tried to charge them the buyout price for non-returned
books. They also used various aliases and other tricks to bypass Amazon’s
fifteen-book limit. In all, they stole 14,000 textbooks worth over $1.5 million.

The article doesn’t link to the indictment, so I don’t know how they were
discovered.

EDITED TO ADD (11/12): Press release.

** *** ***** ******* *********** *************

Problems with Multifactor Authentication

[2021.10.21] Roger Grimes on why multifactor authentication isn’t a panacea:

The first time I heard of this issue was from a Midwest CEO. His organization
had been hit by ransomware to the tune of $10M. Operationally, they were still
recovering nearly a year later. And, embarrassingly, it was his most trusted VP
who let the attackers in. It turns out that the VP had approved over 10
different push-based messages for logins that he was not involved in. When the
VP was asked why he approved logins for logins he was not actually doing, his
response was, “They (IT) told me that I needed to click on Approve when the
message appeared!”

And there you have it in a nutshell. The VP did not understand the importance
(“the WHY”) of why it was so important to ONLY approve logins that they were
participating in. Perhaps they were told this. But there is a good chance that
IT, when implementing the new push-based MFA, instructed them as to what they
needed to do to successfully log in, but failed to mention what they needed to
do when they were not logging in if the same message arrived. Most likely, IT
assumed that anyone would naturally understand that it also meant not approving
unexpected, unexplained logins. Did the end user get trained as to what to do
when an unexpected login arrived? Were they told to click on
“Deny” and to contact IT Help Desk to report the active intrusion?

Or was the person told the correct instructions for both approving and denying
and it just did not take? We all have busy lives. We all have too much to do.
Perhaps the importance of the last part of the instructions just did not sink
in. We can think we hear and not really hear. We can hear and still not care.

** *** ***** ******* *********** *************

Nation-State Attacker of Telecommunications Networks

[2021.10.22] Someone has been hacking telecommunications networks around the
world:

LightBasin (aka UNC1945) is an activity cluster that has been consistently
targeting the telecommunications sector at a global scale since at least 2016,
leveraging custom tools and an in-depth knowledge of telecommunications network
architectures.

Recent findings highlight this cluster’s extensive knowledge of
telecommunications protocols, including the emulation of these protocols to
facilitate command and control (C2) and utilizing scanning/packet-capture tools
to retrieve highly specific information from mobile communication
infrastructure, such as subscriber information and call metadata. The nature of
the data targeted by the actor aligns with information likely to be of
significant interest to signals intelligence organizations. CrowdStrike
Intelligence assesses that LightBasin is a targeted intrusion actor that will
continue to target the telecommunications sector. This assessment is made with
high confidence and is based on tactics, techniques and procedures (TTPs),
target scope, and objectives exhibited by this activity cluster. There is
currently not enough available evidence to link the cluster’s activity to a
specific country-nexus.

Some relation to China is reported, but this is not a definitive attribution.

** *** ***** ******* *********** *************

New York Times Journalist Hacked with NSO Spyware

[2021.10.25] Citizen Lab is reporting that a New York Times journalist was
hacked with the NSO Group’s spyware Pegasus, probably by the Saudis.

The world needs to do something about these cyberweapons arms manufacturers.
This kind of thing isn’t enough; NSO Group is an Israeli company.

** *** ***** ******* *********** *************

How the FBI Gets Location Information

[2021.10.27] Vice has a detailed article about how the FBI gets data from cell
phone providers like AT&T, T-Mobile, and Verizon, based on a leaked (I think)
2019 139-page presentation.

EDITED TO ADD (11/12): My mistake. It was not a leak:

Ryan Shapiro, executive director of nonprofit organization Property of the
People, shared the document with Motherboard after obtaining it through a public
record act request. Property of the People focuses on obtaining and publishing
government records.

** *** ***** ******* *********** *************

More Russian SVR Supply-Chain Attacks

[2021.10.28] Microsoft is reporting that the same attacker that was behind the
SolarWinds breach -- the Russian SVR, which Microsoft is calling Nobelium -- is
continuing with similar supply-chain attacks:

Nobelium has been attempting to replicate the approach it has used in past
attacks by targeting organizations integral to the global IT supply chain. This
time, it is attacking a different part of the supply chain: resellers and other
technology service providers that customize, deploy and manage cloud services
and other technologies on behalf of their customers. We believe Nobelium
ultimately hopes to piggyback on any direct access that resellers may have to
their customers’ IT systems and more easily impersonate an organization’s
trusted technology partner to gain access to their downstream customers. We
began observing this latest campaign in May 2021 and have been notifying
impacted partners and customers while also developing new technical assistance
and guidance for the reseller community. Since May, we have notified more than
140 resellers and technology service providers that have been targeted by
Nobelium. We continue to investigate, but to date we believe as many as 14 of
these resellers and service providers have been compromised. Fortunately, we
have discovered this campaign during its early stages, and we are sharing these
developments to help cloud service resellers, technology providers, and their
customers take timely steps to help ensure Nobelium is not more successful.

** *** ***** ******* *********** *************

Squid Game Has a Cryptocurrency

[2021.10.29] In what may be peak hype, Squid Game has its own cryptocurrency.
Not in the fictional show, but in real life.

** *** ***** ******* *********** *************

Hiding Vulnerabilities in Source Code

[2021.11.01] Really interesting research demonstrating how to hide
vulnerabilities in source code by manipulating how Unicode text is displayed.
It’s really clever, and not the sort of attack one would normally think about.

From Ross Anderson’s blog:

We have discovered ways of manipulating the encoding of source code files so
that human viewers and compilers see different logic. One particularly
pernicious method uses Unicode directionality override characters to display
code as an anagram of its true logic. We’ve verified that this attack works
against C, C++, C#, JavaScript, Java, Rust, Go, and Python, and suspect that it
will work against most other modern languages.

This potentially devastating attack is tracked as CVE-2021-42574, while a
related attack that uses homoglyphs -- visually similar characters -- is
tracked as CVE-2021-42694. This work has been under embargo for a 99-day period,
giving time for a major coordinated disclosure effort in which many compilers,
interpreters, code editors, and repositories have implemented defenses.

Website for the attack. Rust security advisory.

Brian Krebs has a blog post.

EDITED TO ADD (11/12): An older paper on similar issues.
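Added example, not from the paper, Ross Anderson's group, or the original post: a small Python scanner a reviewer could run over a source tree to surface the two things this item describes, Bidi control characters that can reorder how a line is displayed (CVE-2021-42574) and identifiers that mix scripts through look-alike characters (CVE-2021-42694). The sample input is constructed, and the mixed-script check is a crude heuristic based on Unicode character names rather than the Script property.

```python
"""Added reviewer aid, not the researchers' tooling: find Bidi control
characters (CVE-2021-42574) and mixed-script identifiers (CVE-2021-42694)."""
import re
import unicodedata

# Bidi formatting characters that change how a line is displayed.
BIDI_CONTROLS = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202d": "LRO", "\u202e": "RLO",
    "\u202c": "PDF",  # closes LRE/RLE/LRO/RLO
    "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI",
    "\u2069": "PDI",  # closes LRI/RLI/FSI
}
EMBEDDING_OPENERS = set("\u202a\u202b\u202d\u202e")
ISOLATE_OPENERS = set("\u2066\u2067\u2068")
_BIDI_RE = re.compile("[" + "".join(BIDI_CONTROLS) + "]")
_IDENT_RE = re.compile(r"[^\W\d]\w*")

def find_bidi_controls(source):
    """(line_no, column, name) for every Bidi control in the text."""
    return [(n, m.start(), BIDI_CONTROLS[m.group()])
            for n, line in enumerate(source.splitlines(), start=1)
            for m in _BIDI_RE.finditer(line)]

def unterminated_bidi_lines(source):
    """Lines that open an embedding or isolate without closing it by end of
    line. An override left open in a comment or string can visually swallow
    the code after it, which is why hardened compilers reject this.
    Nesting is simplified: PDF/PDI only pop a matching opener off the top."""
    bad = []
    for n, line in enumerate(source.splitlines(), start=1):
        stack = []
        for ch in line:
            if ch in EMBEDDING_OPENERS or ch in ISOLATE_OPENERS:
                stack.append(ch)
            elif ch == "\u202c" and stack and stack[-1] in EMBEDDING_OPENERS:
                stack.pop()
            elif ch == "\u2069" and stack and stack[-1] in ISOLATE_OPENERS:
                stack.pop()
        if stack:
            bad.append(n)
    return bad

def make_visible(line):
    """Rewrite invisible controls as <NAME> tags so a reviewer can see them."""
    return _BIDI_RE.sub(lambda m: "<" + BIDI_CONTROLS[m.group()] + ">", line)

def mixed_script_identifiers(source):
    """Identifiers mixing scripts (Latin letters plus a Cyrillic look-alike,
    say). The script label is the first word of the Unicode character name,
    which is crude but dependency-free; all-foreign identifiers pass."""
    hits = set()
    for ident in _IDENT_RE.findall(source):
        scripts = {unicodedata.name(c, "?").split(" ")[0]
                   for c in ident if c.isalpha()}
        if len(scripts) > 1:
            hits.add(ident)
    return sorted(hits)

# Constructed sample: an RLO left open in a comment; 'hello' has Cyrillic
# U+0435 as its second letter instead of Latin 'e'.
SAMPLE = (
    "def is_admin(user):\n"
    "    return user.role == 'admin'  # \u202e plain comment\n"
    "def h\u0435llo():\n"
    "    return 'hi'\n"
)

if __name__ == "__main__":
    for n, col, name in find_bidi_controls(SAMPLE):
        print(n, col, name, make_visible(SAMPLE.splitlines()[n - 1]))
    print(unterminated_bidi_lines(SAMPLE), mixed_script_identifiers(SAMPLE))
```

Flagging every Bidi control, not only unterminated ones, is the safer policy for a code base that has no legitimate reason to contain them.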

** *** ***** ******* *********** *************

On Cell Phone Metadata

[2021.11.02] Interesting Twitter thread on how cell phone metadata can be used
to identify and track people who don’t want to be identified and tracked.

** *** ***** ******* *********** *************

Using Fake Student Accounts to Shill Brands

[2021.11.03] It turns out that it’s surprisingly easy to create a fake Harvard
student and get a harvard.edu email account. Scammers are using that prestigious
domain name to shill brands:

Basically, it appears that anyone with $300 to spare can -- or could, depending
on whether Harvard successfully shuts down the practice -- advertise nearly
anything they wanted on Harvard.edu, in posts that borrow the university’s
domain and prestige while making no mention of the fact that in reality they
constitute paid advertising....

A Harvard spokesperson said that the university is working to crack down on the
fake students and other scammers that have gained access to its site. They also
said that the scammers were creating the fake accounts by signing up for online
classes and then using the email address that process provided to infiltrate the
university’s various blogging platforms.

** *** ***** ******* *********** *************

US Blacklists NSO Group

[2021.11.04] The Israeli cyberweapons arms manufacturer -- and human rights
violator, and probably war criminal -- NSO Group has been added to the US
Department of Commerce’s trade blacklist. US companies and individuals cannot
sell to them. Aside from the obvious difficulties this causes, it’ll make it
harder for them to buy zero-day vulnerabilities on the open market.

This is another step in the ongoing US actions against the company.

** *** ***** ******* *********** *************

Squid Game Cryptocurrency Was a Scam

[2021.11.05] The Squid Game cryptocurrency was a complete scam:

The SQUID cryptocurrency peaked at a price of $2,861 before plummeting to $0
around 5:40 a.m. ET., according to the website CoinMarketCap. This kind of
theft, commonly called a “rug pull” by crypto investors, happens when the
creators of the crypto quickly cash out their coins for real money, draining the
liquidity pool from the exchange.

I don’t know why anyone would trust an investment -- any investment -- that
you could buy but not sell.

Wired story.

** *** ***** ******* *********** *************

Drones Carrying Explosives

[2021.11.08] We’ve now had an (unsuccessful) assassination attempt by
explosive-laden drones.

** *** ***** ******* *********** *************

Hacking the Sony Playstation 5

[2021.11.10] I just don’t think it’s possible to create a hack-proof
computer system, especially when the system is physically in the hands of the
hackers. The Sony Playstation 5 is the latest example:

Hackers may have just made some big strides towards possibly jailbreaking the
PlayStation 5 over the weekend, with the hacking group Fail0verflow claiming to
have managed to obtain PS5 root keys allowing them to decrypt the console’s
firmware.

[...]

The two exploits are particularly notable due to the level of access they
theoretically give to the PS5’s software. Decrypted firmware which is possible
through Fail0verflow’s keys would potentially allow for hackers to further
reverse engineer the PS5 software and potentially develop the sorts of hacks
that allowed for things like installing Linux, emulators, or even pirated games
on past Sony consoles.

In 1999, Adam Shostack and I wrote a paper discussing the security challenges of
giving people devices that included embedded secrets that needed to be kept from
those people. We were writing about smart cards, but our lessons were general.
And they’re no less applicable today.

** *** ***** ******* *********** *************

Advice for Personal Digital Security

[2021.11.11] ArsTechnica’s Sean Gallagher has a two-part article on
“securing your digital life.”

It’s pretty good.

** *** ***** ******* *********** *************

MacOS Zero-Day Used against Hong Kong Activists

[2021.11.12] Google researchers discovered a MacOS zero-day exploit being used
against Hong Kong activists. It was a “watering hole” attack, which means
the malware was hidden in a legitimate website. Users visiting that website
would get infected.

From an article:

Google’s researchers were able to trigger the exploits and study them by
visiting the websites compromised by the hackers. The sites served both iOS and
MacOS exploit chains, but the researchers were only able to retrieve the MacOS
one. The zero-day exploit was similar to another in-the-wild vulnerability
analyzed by another Google researcher in the past, according to the report.

In addition, the zero-day exploit used in this hacking campaign is
“identical” to an exploit previously found by cybersecurity research group
Pangu Lab, Huntley said. Pangu Lab’s researchers presented the exploit at a
security conference in China in April of this year, a few months before hackers
used it against Hong Kong users.

The exploit was discovered in August. Apple patched the vulnerability in
September. China is, of course, the obvious suspect, given the victims.

** *** ***** ******* *********** *************

Upcoming Speaking Engagements

[2021.11.14] This is a current list of where and when I am scheduled to speak:

I'm speaking on "Securing a World of Physically Capable Computers" at @Hack on
November 29, 2021.

The list is maintained on this page.

** *** ***** ******* *********** *************

Since 1998, CRYPTO-GRAM has been a free monthly newsletter providing summaries,
analyses, insights, and commentaries on security technology. To subscribe, or to
read back issues, see Crypto-Gram's web page.

You can also read these articles on my blog, Schneier on Security.

Please feel free to forward CRYPTO-GRAM, in whole or in part, to colleagues and
friends who will find it valuable. Permission is also granted to reprint
CRYPTO-GRAM, as long as it is reprinted in its entirety.

Bruce Schneier is an internationally renowned security technologist, called a
security guru by the Economist. He is the author of over one dozen books --
including his latest, We Have Root -- as well as hundreds of articles, essays,
and academic papers. His newsletter and blog are read by over 250,000 people.
Schneier is a fellow at the Berkman Klein Center for Internet & Society at
Harvard University; a Lecturer in Public Policy at the Harvard Kennedy School; a
board member of the Electronic Frontier Foundation, AccessNow, and the Tor
Project; and an Advisory Board Member of the Electronic Privacy Information
Center and VerifiedVoting.org. He is the Chief of Security Architecture at
Inrupt, Inc.

Copyright © 2021 by Bruce Schneier.

... TCOB1: telnet and binkd tcob1.duckdns.org

--- BBBS/Li6 v4.10 Toy-5
 * Origin: TCOB1 at tcob1.duckdns.org BinkP / Telnet (618:500/14)