AT2k Design BBS Message Area
Casually read the BBS message area using an easy to use interface. Messages are categorized exactly like they are on the BBS. You may post new messages or reply to existing messages!

You are not logged in. Login here for full access privileges.

Previous Message | Next Message | Back to Computer Support/Help/Discussion...  <--  <--- Return to Home Page
   Networked Database  Computer Support/Help/Discussion...   [605 / 1624] RSS
 From   To   Subject   Date/Time 
Message   Sean Rima    All   CRYPTO-GRAM, December 15, 2021   December 15, 2021
 6:42 PM *  

Crypto-Gram 
December 15, 2021

by Bruce Schneier 
Fellow and Lecturer, Harvard Kennedy School  schneier@schneier.com 
https://www.schneier.com

A free monthly newsletter providing summaries, analyses, insights, and 
commentaries on security: computer and otherwise.

For back issues, or to subscribe, visit Crypto-Gram's web page.

Read this issue on the web

These same essays and news items appear in the Schneier on Security blog, along
with a lively and intelligent comment section. An RSS feed is available.

** *** ***** ******* *********** *************

In this issue:

If these links don't work in your email client, try reading this issue of
Crypto-
Gram on the web.

Securing Your Smartphone
Why I Hate Password Rules
Wire Fraud Scam Upgraded with Bitcoin Is Microsoft Stealing People�s Bookmarks?
New Rowhammer Technique
�Crypto� Means �Cryptography,� Not �Cryptocurrency�
Apple Sues NSO Group
Proposed UK Law Bans Default Passwords Intel Is Maintaining Legacy Technology
for Security Research Smart Contract Bug Results in $31 Million Loss Testing
Faraday Cages
Thieves Using AirTags to �Follow� Cars Someone Is Running Lots of Tor Relays New
German Government is Pro-Encryption and Anti-Backdoors Google Shuts Down
Glupteba Botnet, Sues Operators Law Enforcement Access to Chat Data and Metadata
NSO Group�s Pegasus Spyware Used Against US State Department Officials
On the Log4j Vulnerability
Upcoming Speaking Engagements
** *** ***** ******* *********** *************

Securing Your Smartphone

[2021.11.15] This is part 3 of Sean Gallagher�s advice for �securing your
digital 
life.�

** *** ***** ******* *********** *************

Why I Hate Password Rules

[2021.11.16] The other day, I was creating a new account on the web. It was 
financial in nature, which means it gets one of my most secure passwords. I used

Password Safe to generate this 16-character alphanumeric password:

:s^Twd.J;3hzg=Q~
Which was rejected by the site, because it didn�t meet its password security 
rules.

It took me a minute to figure out what was wrong with it. The site wanted at 
least two numbers.

Sheesh.

Okay, that�s not really why I don�t like password rules. I don�t like them 
because they�re all different. Even if someone has a strong password generation
system, it is likely that whatever they come up with won�t pass somebody�s 
ruleset.

** *** ***** ******* *********** *************

Wire Fraud Scam Upgraded with Bitcoin

[2021.11.16] The FBI has issued a bulletin describing a bitcoin variant of a
wire 
fraud scam:

As the agency describes it, the scammer will contact their victim and somehow 
convince them that they need to send money, either with promises of love,
further 
riches, or by impersonating an actual institution like a bank or utility
company. 
After the mark is convinced, the scammer will have them get cash (sometimes out
of investment or retirement accounts), and head to an ATM that sells 
cryptocurrencies and supports reading QR codes. Once the victim�s there, they�ll

scan a QR code that the scammer sent them, which will tell the machine to send 
any crypto purchased to the scammer�s address. Just like that, the victim loses
their money, and the scammer has successfully exploited them.

[...]

The �upgrade� (as it were) for scammers with the crypto ATM method is two-fold:
it can be less friction than sending a wire transfer, and at the end the scammer

has cryptocurrency instead of fiat. With wire transfers, you have to fill out a
form, and you may give that form to an actual person (who could potentially vibe

check you). Using the ATM method, there�s less time to reflect on the fact that
you�re about to send money to a stranger. And, if you�re a criminal trying to
get 
your hands on Bitcoin, you won�t have to teach your targets how to buy coins on
the internet and transfer them to another wallet -- they probably already know 
how to use an ATM and scan a QR code.

** *** ***** ******* *********** *************

Is Microsoft Stealing People�s Bookmarks?

[2021.11.17] I received email from two people who told me that Microsoft Edge 
enabled synching without warning or consent, which means that Microsoft sucked
up 
all of their bookmarks. Of course they can turn synching off, but it�s too late.

Has this happened to anyone else, or was this user error of some sort? If this
is 
real, can some reporter write about it?

(Not that �user error� is a good justification. Any system where making a simple

mistake means that you�ve forever lost your privacy isn�t a good one. We see
this 
same situation with sharing contact lists with apps on smartphones. Apps will 
repeatedly ask, and only need you to accidentally click �okay� once.)

EDITED TO ADD: It�s actually worse than I thought. Edge urges users to store 
passwords, ID numbers, and even passport numbers, all of which get uploaded to 
Microsoft by default when synch is enabled.

** *** ***** ******* *********** *************

New Rowhammer Technique

[2021.11.19] Rowhammer is an attack technique involving accessing -- that�s 
�hammering� -- rows of bits in memory, millions of times per second, with the 
intent of causing bits in neighboring rows to flip. This is a side-channel 
attack, and the result can be all sorts of mayhem.

Well, there is a new enhancement:

All previous Rowhammer attacks have hammered rows with uniform patterns, such as

single-sided, double-sided, or n-sided. In all three cases, these �aggressor� 
rows -- meaning those that cause bitflips in nearby �victim� rows -- are
accessed 
the same number of times.

Research published on Monday presented a new Rowhammer technique. It uses non-
uniform patterns that access two or more aggressor rows with different 
frequencies. The result: all 40 of the randomly selected DIMMs in a test pool 
experienced bitflips, up from 13 out of 42 chips tested in previous work from
the 
same researchers.

[...]

The non-uniform patterns work against Target Row Refresh. Abbreviated as TRR,
the 
mitigation works differently from vendor to vendor but generally tracks the 
number of times a row is accessed and recharges neighboring victim rows when 
there are signs of abuse. The neutering of this defense puts further pressure on

chipmakers to mitigate a class of attacks that many people thought more recent 
types of memory chips were resistant to.

** *** ***** ******* *********** *************

�Crypto� Means �Cryptography,� Not �Cryptocurrency�

[2021.11.22] I have long been annoyed that the word �crypto� has been co-opted
by 
the blockchain people, and no longer refers to �cryptography.� I�m not the only
one.

** *** ***** ******* *********** *************

Apple Sues NSO Group

[2021.11.24] Piling more on NSO Group�s legal troubles, Apple is suing it:

The complaint provides new information on how NSO Group infected victims�
devices 
with its Pegasus spyware. To prevent further abuse and harm to its users, Apple
is also seeking a permanent injunction to ban NSO Group from using any Apple 
software, services, or devices.

NSO Group�s Pegasus spyware is favored by totalitarian governments around the 
world, who use it to hack Apple phones and computers.

More news:

Apple�s legal complaint provides new information on NSO Group�s FORCEDENTRY, an
exploit for a now-patched vulnerability previously used to break into a victim�s

Apple device and install the latest version of NSO Group�s spyware product, 
Pegasus. The exploit was originally identified by the Citizen Lab, a research 
group at the University of Toronto.

The spyware was used to attack a small number of Apple users worldwide with 
dangerous malware and spyware. Apple�s lawsuit seeks to ban NSO Group from 
further harming individuals by using Apple�s products and services. The lawsuit
also seeks redress for NSO Group�s flagrant violations of US federal and state 
law, arising out of its efforts to target and attack Apple and its users.

NSO Group and its clients devote the immense resources and capabilities of 
nation-states to conduct highly targeted cyberattacks, allowing them to access 
the microphone, camera, and other sensitive data on Apple and Android devices.
To 
deliver FORCEDENTRY to Apple devices, attackers created Apple IDs to send 
malicious data to a victim�s device -- allowing NSO Group or its clients to 
deliver and install Pegasus spyware without a victim�s knowledge. Though misused

to deliver FORCEDENTRY, Apple servers were not hacked or compromised in the 
attacks.

This follows in the footsteps of Facebook, which is also suing NSO Group and 
demanding a similar prohibition. And while the idea of the intermediary suing
the 
attacker, and not the victim, is somewhat novel, I think it makes a lot of
sense. 
I have a law journal article about to be published with Jon Penney on the 
Facebook case.

EDITED TO ADD (12/14): Supplemental brief.

** *** ***** ******* *********** *************

Proposed UK Law Bans Default Passwords

[2021.11.26] Following California�s lead, a new UK law would ban default 
passwords in IoT devices.

EDITED TO ADD (12/12): Commentary.

EDITED TO ADD (12/14): A draft of the bill.

** *** ***** ******* *********** *************

Intel Is Maintaining Legacy Technology for Security Research

[2021.11.30] Interesting:

Intel�s issue reflects a wider concern: Legacy technology can introduce 
cybersecurity weaknesses. Tech makers constantly improve their products to take
advantage of speed and power increases, but customers don�t always upgrade at
the 
same pace. This creates a long tail of old products that remain in widespread 
use, vulnerable to attacks.

Intel�s answer to this conundrum was to create a warehouse and laboratory in 
Costa Rica, where the company already had a research-and-development lab, to 
store the breadth of its technology and make the devices available for remote 
testing. After planning began in mid-2018, the Long-Term Retention Lab was up
and 
running in the second half of 2019.

The warehouse stores around 3,000 pieces of hardware and software, going back 
about a decade. Intel plans to expand next year, nearly doubling the space to 
27,000 square feet from 14,000, allowing the facility to house 6,000 pieces of 
computer equipment.

Intel engineers can request a specific machine in a configuration of their 
choice. It is then assembled by a technician and accessible through cloud 
services. The lab runs 24 hours a day, seven days a week, typically with about
25 
engineers working any given shift.

Slashdot thread.

** *** ***** ******* *********** *************

Smart Contract Bug Results in $31 Million Loss

[2021.12.02] A hacker stole $31 million from the blockchain company MonoX
Finance 
, by exploiting a bug in software the service uses to draft smart contracts.

Specifically, the hack used the same token as both the tokenIn and tokenOut, 
which are methods for exchanging the value of one token for another. MonoX 
updates prices after each swap by calculating new prices for both tokens. When 
the swap is completed, the price of tokenInthat is, the token sent by the 
userdecreases and the price of tokenOutor the token received by the 
userincreases.

By using the same token for both tokenIn and tokenOut, the hacker greatly 
inflated the price of the MONO token because the updating of the tokenOut 
overwrote the price update of the tokenIn. The hacker then exchanged the token 
for $31 million worth of tokens on the Ethereum and Polygon blockchains.

The article goes on to talk about how common these sorts of attacks are. The 
basic problem is that the code is the ultimate authority -- there is no 
adjudication protocol -- so if there�s a vulnerability in the code, there is no
recourse. And, of course, there are lots of vulnerabilities in code.

To me, this is reason enough never to use smart contracts for anything
important. 
Human-based adjudication systems are not useless pre-Internet human baggage, 
they�re vital.

** *** ***** ******* *********** *************

Testing Faraday Cages

[2021.12.03] Matt Blaze tested a variety of Faraday cages for phones, both 
commercial and homemade.

The bottom line:

A quick and likely reliable �go/no go test� can be done with an Apple AirTag and

an iPhone: drop the AirTag in the bag under test, and see if the phone can
locate 
it and activate its alarm (beware of caching in the FindMy app when doing this).

This test won�t tell you the exact attenuation level, of course, but it will
tell 
you if the attenuation is sufficient for most practical purposes. It can also 
detect whether an otherwise good bag has been damaged and compromised.

At least in the frequency ranges I tested, two commercial Faraday pouches (the 
EDEC OffGrid and Mission Darkness Window pouches) yielded excellent performance
sufficient to provide assurance of signal isolation under most real-world 
circumstances. None of the makeshift solutions consistently did nearly as well,
although aluminum foil can, under ideal circumstances (that are difficult to 
replicate) sometimes provide comparable levels of attenuation.

** *** ***** ******* *********** *************

Thieves Using AirTags to �Follow� Cars

[2021.12.06] From Ontario and not surprising:

Since September 2021, officers have investigated five incidents where suspects 
have placed small tracking devices on high-end vehicles so they can later locate

and steal them. Brand name �air tags� are placed in out-of-sight areas of the 
target vehicles when they are parked in public places like malls or parking
lots. 
Thieves then track the targeted vehicles to the victim�s residence, where they 
are stolen from the driveway.

Thieves typically use tools like screwdrivers to enter the vehicles through the
driver or passenger door, while ensuring not to set off alarms. Once inside, an
electronic device, typically used by mechanics to reprogram the factory setting,

is connected to the onboard diagnostics port below the dashboard and programs
the 
vehicle to accept a key the thieves have brought with them. Once the new key is
programmed, the vehicle will start and the thieves drive it away.

I�m not sure if there�s anything that can be done:

When Apple first released AirTags earlier this year, concerns immediately sprung

up about nefarious use cases for the covert trackers. Apple responded with a
slew 
of anti-stalking measures, but those are more intended for keeping people safe 
than cars. An AirTag away from its owner will sound an alarm, letting anyone 
nearby know that it�s been left behind, but it can take up to 24 hours for that
alarm to go off -- more than enough time to nab a car in the dead of night.

** *** ***** ******* *********** *************

Someone Is Running Lots of Tor Relays

[2021.12.07] Since 2017, someone is running about a thousand -- 10% of the total

-- Tor servers in an attempt to deanonymize the network:

Grouping these servers under the KAX17 umbrella, Nusenu says this threat actor 
has constantly added servers with no contact details to the Tor network in 
industrial quantities, operating servers in the realm of hundreds at any given 
point.

The actor�s servers are typically located in data centers spread all over the 
world and are typically configured as entry and middle points primarily,
although 
KAX17 also operates a small number of exit points.

Nusenu said this is strange as most threat actors operating malicious Tor relays

tend to focus on running exit points, which allows them to modify the user�s 
traffic. For example, a threat actor that Nusenu has been tracking as BTCMITM20
ran thousands of malicious Tor exit nodes in order to replace Bitcoin wallet 
addresses inside web traffic and hijack user payments.

KAX17�s focus on Tor entry and middle relays led Nusenu to believe that the 
group, which he described as �non-amateur level and persistent,� is trying to 
collect information on users connecting to the Tor network and attempting to map

their routes inside it.

In research published this week and shared with The Record, Nusenu said that at
one point, there was a 16% chance that a Tor user would connect to the Tor 
network through one of KAX17�s servers, a 35% chance they would pass through one

of its middle relays, and up to 5% chance to exit through one.

Slashdot thread.

** *** ***** ******* *********** *************

New German Government is Pro-Encryption and Anti-Backdoors

[2021.12.08] I hope this is true:

According to Jens Zimmermann, the German coalition negotiations had made it 
�quite clear� that the incoming government of the Social Democrats (SPD), the 
Greens and the business-friendly liberal FDP would reject �the weakening of 
encryption, which is being attempted under the guise of the fight against child
abuse� by the coalition partners.

Such regulations, which are already enshrined in the interim solution of the 
ePrivacy Regulation, for example, �diametrically contradict the character of the

coalition agreement� because secure end-to-end encryption is guaranteed there, 
Zimmermann said.

Introducing backdoors would undermine this goal of the coalition agreement, he 
added.

I have written about this.

** *** ***** ******* *********** *************

Google Shuts Down Glupteba Botnet, Sues Operators

[2021.12.09] Google took steps to shut down the Glupteba botnet, at least for 
now. (The botnet uses the bitcoin blockchain as a backup command-and-control 
mechanism, making it hard to get rid of it permanently.) So Google is also suing

the botnet�s operators.

It�s an interesting strategy. Let�s see if it�s successful.

** *** ***** ******* *********** *************

Law Enforcement Access to Chat Data and Metadata

[2021.12.10] A January 2021 FBI document outlines what types of data and
metadata 
can be lawfully obtained by the FBI from messaging apps. Rolling Stone broke the

story and it�s been written about elsewhere.

I don�t see a lot of surprises in the document. Lots of apps leak all sorts of 
metadata: iMessage and WhatsApp seem to be the worst. Signal protects the most 
metadata. End-to-end encrypted message content can be available if the user 
uploads it to an unencrypted backup server.

EDITED TO ADD (12/13): Here�s a more legible copy of the text.

** *** ***** ******* *********** *************

NSO Group�s Pegasus Spyware Used Against US State Department Officials

[2021.12.13] NSO Group�s descent into Internet pariah status continues. Its 
Pegasus spyware was used against nine US State Department employees. We don�t 
know which NSO Group customer trained the spyware on the US. But the company 
does:

NSO Group said in a statement on Thursday that it did not have any indication 
their tools were used but canceled access for the relevant customers and would 
investigate based on the Reuters inquiry.

�If our investigation shall show these actions indeed happened with NSO�s
tools, 
such customer will be terminated permanently and legal actions will take place,�

said an NSO spokesperson, who added that NSO will also �cooperate with any 
relevant government authority and present the full information we will have.�

** *** ***** ******* *********** *************

On the Log4j Vulnerability

[2021.12.14] It�s serious:

The range of impacts is so broad because of the nature of the vulnerability 
itself. Developers use logging frameworks to keep track of what happens in a 
given application. To exploit Log4Shell, an attacker only needs to get the
system 
to log a strategically crafted string of code. From there they can load
arbitrary 
code on the targeted server and install malware or launch other attacks.
Notably, 
hackers can introduce the snippet in seemingly benign ways, like by sending the
string in an email or setting it as an account username.

Threat advisory from Cisco. Cloudflare found it in the wild before it was 
disclosed. CISA is very concerned, saying that hundreds of millions of devices 
are likely affected.

** *** ***** ******* *********** *************

Upcoming Speaking Engagements

[2021.12.14] This is a current list of where and when I am scheduled to speak:

I�m speaking at the RSA Conference 2022 in San Francisco on February 8, 2022.
I�m speaking at IT-S Now 2022 in Vienna on June 2, 2022. I�m speaking at the
14th International Conference on Cyber Conflict, CyCon 2022, 
in Tallinn, Estonia on June 3, 2022. The list is maintained on this page.

** *** ***** ******* *********** *************

Since 1998, CRYPTO-GRAM has been a free monthly newsletter providing summaries,
analyses, insights, and commentaries on security technology. To subscribe, or to

read back issues, see Crypto-Gram's web page.

You can also read these articles on my blog, Schneier on Security.

Please feel free to forward CRYPTO-GRAM, in whole or in part, to colleagues and
friends who will find it valuable. Permission is also granted to reprint CRYPTO-
GRAM, as long as it is reprinted in its entirety.

Bruce Schneier is an internationally renowned security technologist, called a 
security guru by the Economist. He is the author of over one dozen books -- 
including his latest, We Have Root -- as well as hundreds of articles, essays, 
and academic papers. His newsletter and blog are read by over 250,000 people. 
Schneier is a fellow at the Berkman Klein Center for Internet & Society at 
Harvard University; a Lecturer in Public Policy at the Harvard Kennedy School; a

board member of the Electronic Frontier Foundation, AccessNow, and the Tor 
Project; and an Advisory Board Member of the Electronic Privacy Information 
Center and VerifiedVoting.org. He is the Chief of Security Architecture at 
Inrupt, Inc.

Copyright C 2021 by Bruce Schneier.

--- BBBS/Li6 v4.10 Toy-5
 * Origin: TCOB1 at tcob1.duckdns.org BinkP / Telnet (618:500/14)
  Show ANSI Codes | Hide BBCodes | Show Color Codes | Hide Encoding | Hide HTML Tags | Show Routing
Previous Message | Next Message | Back to Computer Support/Help/Discussion...  <--  <--- Return to Home Page

VADV-PHP
Execution Time: 0.0255 seconds

If you experience any problems with this website or need help, contact the webmaster.
VADV-PHP Copyright © 2002-2024 Steve Winn, Aspect Technologies. All Rights Reserved.
Virtual Advanced Copyright © 1995-1997 Roland De Graaf.
v2.1.241108