AT2k Design BBS Message Area
Casually read the BBS message area using an easy to use interface. Messages are categorized exactly like they are on the BBS. You may post new messages or reply to existing messages!

You are not logged in. Login here for full access privileges.

Previous Message | Next Message | Back to Computer Support/Help/Discussion...  <--  <--- Return to Home Page
   Networked Database  Computer Support/Help/Discussion...   [680 / 1624] RSS
 From   To   Subject   Date/Time 
Message   TCOB1 Auto Poster    All   'CRYPTO-GRAM,   August 17, 2022
 5:40 PM *  

Crypto-Gram
August 15, 2022

by Bruce Schneier
Fellow and Lecturer, Harvard Kennedy School
schneier@schneier.com
https://www.schneier.com

A free monthly newsletter providing summaries, analyses, insights, and
commentaries on security: computer and otherwise.

For back issues, or to subscribe, visit Crypto-Gram's web page.

Read this issue on the web

These same essays and news items appear in the Schneier on Security blog, along
with a lively and intelligent comment section. An RSS feed is available.

** *** ***** ******* *********** *************
In this issue:

If these links don't work in your email client, try reading this issue of
Crypto-Gram on the web.

    San Francisco Police Want Real-Time Access to Private Surveillance Cameras
    Facebook Is Now Encrypting Links to Prevent URL Stripping
    NSO GroupΓÇÖs Pegasus Spyware Used against Thailand Pro-Democracy Activists
and Leaders
    Russia Creates Malware False-Flag App
    Critical Vulnerabilities in GPS Trackers
    AppleΓÇÖs Lockdown Mode
    Securing Open-Source Software
    New UEFI Rootkit
    Microsoft Zero-Days Sold and Then Used
    Ring Gives Videos to Police without a Warrant or User Consent
    Surveillance of Your Car
    Drone Deliveries into Prisons
    SIKE Broken
    NISTΓÇÖs Post-Quantum Cryptography Standards
    Hacking Starlink
    A Taxonomy of Access Control
    Twitter Exposes Personal Information for 5.4 Million Accounts
    Upcoming Speaking Engagements

** *** ***** ******* *********** *************
San Francisco Police Want Real-Time Access to Private Surveillance Cameras

[2022.07.15] Surely no one could have predicted this:

    The new proposal -- championed by Mayor London Breed after NovemberΓÇÖs wild
weekend of orchestrated burglaries and theft in the San Francisco Bay Area --
would authorize the police department to use non-city-owned security cameras and
camera networks to live monitor ΓÇ£significant events with public safety
concernsΓÇ¥ and ongoing felony or misdemeanor violations.

    Currently, the police can only request historical footage from private
cameras related to specific times and locations, rather than blanket monitoring.
Mayor Breed also complained the police can only use real-time feeds in
emergencies involving ΓÇ£imminent danger of death or serious physical injury.ΓÇ¥

    If approved, the draft ordinance would also allow SFPD to collect historical
video footage to help conduct criminal investigations and those related to
officer misconduct. The draft law currently stands as the following, which
indicates the cops can broadly ask for and/or get access to live real-time video
streams:

        The proposed Surveillance Technology Policy would authorize the Police
Department to use surveillance cameras and surveillance camera networks owned,
leased, managed, or operated by non-City entities to: (1) temporarily live
monitor activity during exigent circumstances, significant events with public
safety concerns, and investigations relating to active misdemeanor and felony
violations; (2) gather and review historical video footage for the purposes of
conducting a criminal investigation; and (3) gather and review historical video
footage for the purposes of an internal investigation regarding officer
misconduct.

** *** ***** ******* *********** *************
Facebook Is Now Encrypting Links to Prevent URL Stripping

[2022.07.18] Some sites, including Facebook, add parameters to the web address
for tracking purposes. These parameters have no functionality that is relevant
to the user, but sites rely on them to track users across pages and properties.

    Mozilla introduced support for URL stripping in Firefox 102, which it
launched in June 2022. Firefox removes tracking parameters from web addresses
automatically, but only in private browsing mode or when the browserΓÇÖs
Tracking Protection feature is set to strict. Firefox users may enable URL
stripping in all Firefox modes, but this requires manual configuration. Brave
Browser strips known tracking parameters from web addresses as well.

Facebook has responded by encrypting the entire URL into a single ciphertext
blob.

    Since it is no longer possible to identify the tracking part of the web
address, it is no longer possible to remove it from the address automatically.
In other words: Facebook has the upper hand in regards to URL-based tracking at
the time, and there is little that can be done about it short of finding a way
to decrypt the information.

** *** ***** ******* *********** *************
NSO GroupΓÇÖs Pegasus Spyware Used against Thailand Pro-Democracy Activists and
Leaders

[2022.07.19] Yet another basic human rights violation, courtesy of NSO Group:
Citizen Lab has the details:

    Key Findings

        We discovered an extensive espionage campaign targeting Thai
pro-democracy protesters, and activists calling for reforms to the monarchy.
        We forensically confirmed that at least 30 individuals were infected
with NSO GroupΓÇÖs Pegasus spyware.
        The observed infections took place between October 2020 and November
2021.
        The ongoing investigation was triggered by notifications sent by Apple
to Thai civil society members in November 2021. Following the notification,
multiple recipients made contact with civil society groups, including the
Citizen Lab.
        The report describes the results of an ensuing collaborative
investigation by the Citizen Lab, and Thai NGOs iLaw, and DigitalReach.
        A sample of the victims was independently analyzed by Amnesty
InternationalΓÇÖs Security Lab which confirms the methodology used to determine
Pegasus infections.

    [...]

    NSO Group has denied any wrongdoing and maintains that its products are to
be used ΓÇ£in a legal manner and according to court orders and the local law of
each country.ΓÇ¥ This justification is problematic, given the presence of local
laws that infringe on international human rights standards and the lack of
judicial oversight, transparency, and accountability in governmental
surveillance, which could result in abuses of power. In Thailand, for example,
Section 112 of the Criminal Code (also known as the lèse-majesté law), which
criminalizes defamation, insults, and threats to the Thai royal family, has been
criticized for being ΓÇ£fundamentally incompatible with the right to freedom of
expression,ΓÇ¥ while the amended Computer Crime Act opens the door to potential
rights violations, as it ΓÇ£gives overly broad powers to the government to
restrict free speech [and] enforce surveillance and censorship.ΓÇ¥ Both laws
have been used in concert to prosecute lawyers and activists, some of whom were
targeted with Pegasus.

More details. News articles.

A few months ago, Ronan Farrow wrote a really good article on NSO Group and its
problems. The company was itself hacked in 2021.

L3Harris Corporation was looking to buy NSO Group, but dropped its bid after the
Biden administration expressed concerns. The US government blacklisted NSO Group
last year, and the company is even more toxic than it was as a result -- and a
mess internally.

In another story, the nephew of jailed Hotel Rwanda dissident was also hacked by
Pegasus.

EDITED TO ADD (7/28): The House Intelligence Committee held hearings on what to
do about this rogue industry. ItΓÇÖs important to remember that while NSO Group
gets all the heat, there are many other companies that do the same thing.

John-Scott Railton at the hearing:

    If NSO Group goes bankrupt tomorrow, there are other companies, perhaps
seeded with U.S. venture capital, that will attempt to step in to fill the gap.
As long as U.S. investors see the mercenary spyware industry as a growth market,
the U.S. financial sector is poised to turbocharge the problem and set fire to
our collective cybersecurity and privacy.

** *** ***** ******* *********** *************
Russia Creates Malware False-Flag App

[2022.07.20] The Russian hacking group Turla released an Android app that seems
to aid Ukrainian hackers in their attacks against Russian networks. ItΓÇÖs
actually malware, and provides information back to the Russians:

    The hackers pretended to be a ΓÇ£community of free people around the world
who are fighting russiaΓÇÖs aggressionΓÇ¥ -- much like the IT Army. But the app
they developed was actually malware. The hackers called it CyberAzov, in
reference to the Azov Regiment or Battalion, a far-right group that has become
part of UkraineΓÇÖs national guard. To add more credibility to the ruse they
hosted the app on a domain ΓÇ£spoofingΓÇ¥ the Azov Regiment: cyberazov[.]com.

    [...]

    The app actually didnΓÇÖt DDoS anything, but was designed to map out and
figure out who would want to use such an app to attack Russian websites,
according to Huntely.

    [...]

    Google said the fake app wasnΓÇÖt hosted on the Play Store, and that the
number of installs ΓÇ£was miniscule.ΓÇ¥

Details from GoogleΓÇÖs Threat Analysis Group here.

** *** ***** ******* *********** *************
Critical Vulnerabilities in GPS Trackers

[2022.07.21] This is a dangerous vulnerability:

    An assessment from security firm BitSight found six vulnerabilities in the
Micodus MV720, a GPS tracker that sells for about $20 and is widely available.
The researchers who performed the assessment believe the same critical
vulnerabilities are present in other Micodus tracker models. The China-based
manufacturer says 1.5 million of its tracking devices are deployed across
420,000 customers. BitSight found the device in use in 169 countries, with
customers including governments, militaries, law enforcement agencies, and
aerospace, shipping, and manufacturing companies.

    BitSight discovered what it said were six ΓÇ£severeΓÇ¥ vulnerabilities in
the device that allow for a host of possible attacks. One flaw is the use of
unencrypted HTTP communications that makes it possible for remote hackers to
conduct adversary-in-the-middle attacks that intercept or change requests sent
between the mobile application and supporting servers. Other vulnerabilities
include a flawed authentication mechanism in the mobile app that can allow
attackers to access the hardcoded key for locking down the trackers and the
ability to use a custom IP address that makes it possible for hackers to monitor
and control all communications to and from the device.

    The security firm said it first contacted Micodus in September to notify
company officials of the vulnerabilities. BitSight and CISA finally went public
with the findings on Tuesday after trying for months to privately engage with
the manufacturer. As of the time of writing, all of the vulnerabilities remain
unpatched and unmitigated.

These are computers and computer vulnerabilities, but because the computers are
attached to cars, the vulnerabilities become potentially life-threatening. CISA
writes:

    These vulnerabilities could impact access to a vehicle fuel supply, vehicle
control, or allow locational surveillance of vehicles in which the device is
installed.

I wouldnΓÇÖt have buried ΓÇ£vehicle controlΓÇ¥ in the middle of that sentence.

** *** ***** ******* *********** *************
AppleΓÇÖs Lockdown Mode

[2022.07.26] I havenΓÇÖt written about AppleΓÇÖs Lockdown Mode yet, mostly
because I havenΓÇÖt delved into the details. This is how Apple describes it:

    Lockdown Mode offers an extreme, optional level of security for the very few
users who, because of who they are or what they do, may be personally targeted
by some of the most sophisticated digital threats, such as those from NSO Group
and other private companies developing state-sponsored mercenary spyware.
Turning on Lockdown Mode in iOS 16, iPadOS 16, and macOS Ventura further hardens
device defenses and strictly limits certain functionalities, sharply reducing
the attack surface that potentially could be exploited by highly targeted
mercenary spyware.

    At launch, Lockdown Mode includes the following protections:

        Messages: Most message attachment types other than images are blocked.
Some features, like link previews, are disabled.
        Web browsing: Certain complex web technologies, like just-in-time (JIT)
JavaScript compilation, are disabled unless the user excludes a trusted site
from Lockdown Mode.
        Apple services: Incoming invitations and service requests, including
FaceTime calls, are blocked if the user has not previously sent the initiator a
call or request.
        Wired connections with a computer or accessory are blocked when iPhone
is locked.
        Configuration profiles cannot be installed, and the device cannot enroll
into mobile device management (MDM), while Lockdown Mode is turned on.

What Apple has done here is really interesting. ItΓÇÖs common to trade security
off for usability, and the results of that are all over AppleΓÇÖs operating
systems -- and everywhere else on the Internet. What theyΓÇÖre doing with
Lockdown Mode is the reverse: theyΓÇÖre trading usability for security. The
result is a user experience with fewer features, but a much smaller attack
surface. And they arenΓÇÖt just removing random features; theyΓÇÖre removing
features that are common attack vectors.

There arenΓÇÖt a lot of people who need Lockdown Mode, but itΓÇÖs an excellent
option for those who do.

News article.

EDITED TO ADD (7/31): An analysis of the effect of Lockdown Mode on Safari.

** *** ***** ******* *********** *************
Securing Open-Source Software

[2022.07.27] Good essay arguing that open-source software is a critical
national-security asset and needs to be treated as such:

    Open source is at least as important to the economy, public services, and
national security as proprietary code, but it lacks the same standards and
safeguards. It bears the qualities of a public good and is as indispensable as
national highways. Given open sourceΓÇÖs value as a public asset, an
institutional structure must be built that sustains and secures it.

    This is not a novel idea. Open-source code has been called the ΓÇ£roads and
bridgesΓÇ¥ of the current digital infrastructure that warrants the same ΓÇ£focus
and funding.ΓÇ¥ Eric Brewer of Google explicitly called open-source software
ΓÇ£critical infrastructureΓÇ¥ in a recent keynote at the Open Source Summit in
Austin, Texas. Several nations have adopted regulations that recognize
open-source projects as significant public assets and central to their most
important systems and services. Germany wants to treat open-source software as a
public good and launched a sovereign tech fund to support open-source projects
ΓÇ£just as much as bridges and roads,ΓÇ¥ and not just when a bridge collapses.
The European Union adopted a formal open-source strategy that encourages it to
ΓÇ£explore opportunities for dedicated support services for open source
solutions [it] considers critical.ΓÇ¥

    Designing an institutional framework that would secure open source requires
addressing adverse incentives, ensuring efficient resource allocation, and
imposing minimum standards. But not all open-source projects are made equal. The
first step is to identify which projects warrant this heightened level of
scrutiny -- projects that are critical to society. CISA defines critical
infrastructure as industry sectors ΓÇ£so vital to the United States that [its]
incapacity or destruction would have a debilitating impact on our physical or
economic security or public health or safety.ΓÇ¥ Efforts should target the
open-source projects that share those features.

** *** ***** ******* *********** *************
New UEFI Rootkit

[2022.07.28] Kaspersky is reporting on a new UEFI rootkit that survives
reinstalling the operating system and replacing the hard drive. From an article:

    The firmware compromises the UEFI, the low-level and highly opaque chain of
firmware required to boot up nearly every modern computer. As the software that
bridges a PCΓÇÖs device firmware with its operating system, the UEFI -- short
for Unified Extensible Firmware Interface -- is an OS in its own right. ItΓÇÖs
located in an SPI-connected flash storage chip soldered onto the computer
motherboard, making it difficult to inspect or patch the code. Because itΓÇÖs
the first thing to run when a computer is turned on, it influences the OS,
security apps, and all other software that follows.

Both links have lots of technical details; the second contains a list of
previously discovered UEFI rootkits. Also relevant are the NSAΓÇÖs capabilities
-- now a decade old -- in this area.

** *** ***** ******* *********** *************
Microsoft Zero-Days Sold and Then Used

[2022.07.29] Yet another article about cyberweapons arms manufacturers and their
particular supply chain. This one is about Windows and Adobe Reader zero-day
exploits sold by an Austrian company named DSIRF.

ThereΓÇÖs an entire industry devoted to undermining all of our security. It
needs to be stopped.

** *** ***** ******* *********** *************
Ring Gives Videos to Police without a Warrant or User Consent

[2022.08.01] Amazon has revealed that it gives police videos from its Ring
doorbells without a warrant and without user consent.

    Ring recently revealed how often the answer to that question has been yes.
The Amazon company responded to an inquiry from US Senator Ed Markey (D-Mass.),
confirming that there have been 11 cases in 2022 where Ring complied with police
ΓÇ£emergencyΓÇ¥ requests. In each case, Ring handed over private recordings,
including video and audio, without letting users know that police had access to
-- and potentially downloaded -- their data. This raises many concerns about
increased police reliance on private surveillance, a practice that has long gone
unregulated.

EFF writes:

    Police are not the customers for Ring; the people who buy the devices are
the customers. But AmazonΓÇÖs long-standing relationships with police blur that
line. For example, in the past Amazon has given coaching to police to tell
residents to install the Ring app and purchase cameras for their homes -- an
arrangement that made salespeople out of the police force. The LAPD launched an
investigation into how Ring provided free devices to officers when people used
their discount codes to purchase cameras.

    Ring, like other surveillance companies that sell directly to the general
public, continues to provide free services to the police, even though they
donΓÇÖt have to. Ring could build a device, sold straight to residents, that
ensures police come to the userΓÇÖs door if they are interested in footage --
but Ring instead has decided it would rather continue making money from
residents while providing services to police.

CNet has a good explainer.

Slashdot thread.

** *** ***** ******* *********** *************
Surveillance of Your Car

[2022.08.02] TheMarkup has an extensive analysis of connected vehicle data and
the companies that are collecting it.

    The Markup has identified 37 companies that are part of the rapidly growing
connected vehicle data industry that seeks to monetize such data in an
environment with few regulations governing its sale or use.

    While many of these companies stress they are using aggregated or anonymized
data, the unique nature of location and movement data increases the potential
for violations of user privacy.

** *** ***** ******* *********** *************
Drone Deliveries into Prisons

[2022.08.03] Seems itΓÇÖs now common to sneak contraband into prisons with a
drone.

** *** ***** ******* *********** *************
SIKE Broken

[2022.08.04] SIKE is one of the new algorithms that NIST recently added to the
post-quantum cryptography competition.

It was just broken, really badly.

    We present an efficient key recovery attack on the Supersingular Isogeny
Diffie-Hellman protocol (SIDH), based on a ΓÇ£glue-and-splitΓÇ¥ theorem due to
Kani. Our attack exploits the existence of a small non-scalar endomorphism on
the starting curve, and it also relies on the auxiliary torsion point
information that Alice and Bob share during the protocol. Our Magma
implementation breaks the instantiation SIKEp434, which aims at security level 1
of the Post-Quantum Cryptography standardization process currently ran by NIST,
in about one hour on a single core.

News article.

** *** ***** ******* *********** *************
NISTΓÇÖs Post-Quantum Cryptography Standards

[2022.08.08] Quantum computing is a completely new paradigm for computers. A
quantum computer uses quantum properties such as superposition, which allows a
qubit (a quantum bit) to be neither 0 nor 1, but something much more
complicated. In theory, such a computer can solve problems too complex for
conventional computers.

Current quantum computers are still toy prototypes, and the engineering advances
required to build a functionally useful quantum computer are somewhere between a
few years away and impossible. Even so, we already know that that such a
computer could potentially factor large numbers and compute discrete logs, and
break the RSA and Diffie-Hellman public-key algorithms in all of the useful key
sizes.

Cryptographers hate being rushed into things, which is why NIST began a
competition to create a post-quantum cryptographic standard in 2016. The idea is
to standardize on both a public-key encryption and digital signature algorithm
that is resistant to quantum computing, well before anyone builds a useful
quantum computer.

NIST is an old hand at this competitive process, having previously done this
with symmetric algorithms (AES in 2001) and hash functions (SHA-3 in 2015). I
participated in both of those competitions, and have likened them to demolition
derbies. The idea is that participants put their algorithms into the ring, and
then we all spend a few years beating on each otherΓÇÖs submissions. Then, with
input from the cryptographic community, NIST crowns a winner. ItΓÇÖs a good
process, mostly because NIST is both trusted and trustworthy.

In 2017, NIST received eighty-two post-quantum algorithm submissions from all
over the world. Sixty-nine were considered complete enough to be Round 1
candidates. Twenty-six advanced to Round 2 in 2019, and seven (plus another
eight alternates) were announced as Round 3 finalists in 2020. NIST was poised
to make final algorithm selections in 2022, with a plan to have a draft standard
available for public comment in 2023.

Cryptanalysis over the competition was brutal. Twenty-five of the Round 1
algorithms were attacked badly enough to remove them from the competition.
Another eight were similarly attacked in Round 2. But hereΓÇÖs the real
surprise: there were newly published cryptanalysis results against at least four
of the Round 3 finalists just months ago -- moments before NIST was to make its
final decision.

One of the most popular algorithms, Rainbow, was found to be completely broken.
Not that it could theoretically be broken with a quantum computer, but that it
can be broken today -- with an off-the-shelf laptop in just over two days. Three
other finalists, Kyber, Saber, and Dilithium, were weakened with new techniques
that will probably work against some of the other algorithms as well. (Fun fact:
Those three algorithms were broken by the Center of Encryption and Information
Security, part of the Israeli Defense Force. This represents the first time a
national intelligence organization has published a cryptanalysis result in the
open literature. And they had a lot of trouble publishing, as the authors wanted
to remain anonymous.)

That was a close call, but it demonstrated that the process is working properly.
Remember, this is a demolition derby. The goal is to surface these cryptanalytic
results before standardization, which is exactly what happened. At this writing,
NIST has chosen a single algorithm for general encryption and three
digital-signature algorithms. It has not chosen a public-key encryption
algorithm, and there are still four finalists. Check NISTΓÇÖs webpage on the
project for the latest information.

Ian Cassels, British mathematician and World War II cryptanalyst, once said that
ΓÇ£cryptography is a mixture of mathematics and muddle, and without the muddle
the mathematics can be used against you.ΓÇ¥ This mixture is particularly
difficult to achieve with public-key algorithms, which rely on the mathematics
for their security in a way that symmetric algorithms do not. We got lucky with
RSA and related algorithms: their mathematics hinge on the problem of factoring,
which turned out to be robustly difficult. Post-quantum algorithms rely on other
mathematical disciplines and problems -- code-based cryptography, hash-based
cryptography, lattice-based cryptography, multivariate cryptography, and so on
-- whose mathematics are both more complicated and less well-understood. WeΓÇÖre
seeing these breaks because those core mathematical problems arenΓÇÖt nearly as
well-studied as factoring is.

The moral is the need for cryptographic agility. ItΓÇÖs not enough to implement
a single standard; itΓÇÖs vital that our systems be able to easily swap in new
algorithms when required. WeΓÇÖve learned the hard way how algorithms can get so
entrenched in systems that it can take many years to update them: in the
transition from DES to AES, and the transition from MD4 and MD5 to SHA, SHA-1,
and then SHA-3.

We need to do better. In the coming years weΓÇÖll be facing a double
uncertainty. The first is quantum computing. When and if quantum computing
becomes a practical reality, we will learn a lot about its strengths and
limitations. It took a couple of decades to fully understand von Neumann
computer architecture; expect the same learning curve with quantum computing.
Our current understanding of quantum computing architecture will change, and
that could easily result in new cryptanalytic techniques.

The second uncertainly is in the algorithms themselves. As the new cryptanalytic
results demonstrate, weΓÇÖre still learning a lot about how to turn hard
mathematical problems into public-key cryptosystems. We have too much math and
an inability to add more muddle, and that results in algorithms that are
vulnerable to advances in mathematics. More cryptanalytic results are coming,
and more algorithms are going to be broken.

We canΓÇÖt stop the development of quantum computing. Maybe the engineering
challenges will turn out to be impossible, but itΓÇÖs not the way to bet. In the
face of all that uncertainty, agility is the only way to maintain security.

This essay originally appeared in IEEE Security & Privacy.

EDITED TO ADD: One of the four public-key encryption algorithms selected for
further research, SIKE, was just broken.

** *** ***** ******* *********** *************
Hacking Starlink

[2022.08.11] This is the first -- of many, I assume -- hack of Starlink.
Leveraging a string of vulnerabilities, attackers can access the Starlink system
and run custom code on the devices.

** *** ***** ******* *********** *************
A Taxonomy of Access Control

[2022.08.12] My personal definition of a brilliant idea is one that is
immediately obvious once itΓÇÖs explained, but no one has thought of it before.
I canΓÇÖt believe that no one has described this taxonomy of access control
before Ittay Eyal laid it out in this paper. The paper is about cryptocurrency
wallet design, but the ideas are more general. Ittay points out that a key -- or
an account, or anything similar -- can be in one of four states:

    safe Only the user has access,

    loss No one has access,

    leak Both the user and the adversary have access, or

    theft Only the adversary has access.

Once you know these states, you can assign probabilities of transitioning from
one state to another (someone hacks your account and locks you out, you forgot
your own password, etc.) and then build optimal security and reliability to deal
with it. ItΓÇÖs a truly elegant way of conceptualizing the problem.

** *** ***** ******* *********** *************
Twitter Exposes Personal Information for 5.4 Million Accounts

[2022.08.12] Twitter accidentally exposed the personal information -- including
phone numbers and email addresses -- for 5.4 million accounts. And someone was
trying to sell this information.

    In January 2022, we received a report through our bug bounty program of a
vulnerability in TwitterΓÇÖs systems. As a result of the vulnerability, if
someone submitted an email address or phone number to TwitterΓÇÖs systems,
TwitterΓÇÖs systems would tell the person what Twitter account the submitted
email addresses or phone number was associated with, if any. This bug resulted
from an update to our code in June 2021. When we learned about this, we
immediately investigated and fixed it. At that time, we had no evidence to
suggest someone had taken advantage of the vulnerability.

    In July 2022, we learned through a press report that someone had potentially
leveraged this and was offering to sell the information they had compiled. After
reviewing a sample of the available data for sale, we confirmed that a bad actor
had taken advantage of the issue before it was addressed.

This includes anonymous accounts.

This comment has it right:

    So after forcing users to enter a phone number to continue using twitter,
despite twitter having no need to know the users phone number, they then leak
the phone numbers and associated accounts. Great.

    But it gets worse... After being told of the leak in January, rather than
disclosing the fact millions of users data had been open for anyone who looked,
they quietly fixed it and hoped nobody else had found it.

    It was only when the press started to notice they finally disclosed the
leak.

    That isnΓÇÖt just one bug causing a security leak -- itΓÇÖs a chain of bad
decisions and bad security culture, and if anything should attract government
fines for lax data security, this is it.

TwitterΓÇÖs blog post unhelpfully goes on to say:

    If you operate a pseudonymous Twitter account, we understand the risks an
incident like this can introduce and deeply regret that this happened. To keep
your identity as veiled as possible, we recommend not adding a publicly known
phone number or email address to your Twitter account.

Three news articles.

** *** ***** ******* *********** *************
Upcoming Speaking Engagements

[2022.08.14] This is a current list of where and when I am scheduled to speak:

    IΓÇÖm speaking as part of a Geneva Centre for Security Policy course on
Cyber Security in the Context of International Security, online, on September
22, 2022.
    IΓÇÖm speaking at IT-Security INSIDE 2022 in Zurich, Switzerland, on
September 22, 2022.

The list is maintained on this page.

** *** ***** ******* *********** *************

Since 1998, CRYPTO-GRAM has been a free monthly newsletter providing summaries,
analyses, insights, and commentaries on security technology. To subscribe, or to
read back issues, see Crypto-Gram's web page.

You can also read these articles on my blog, Schneier on Security.

Please feel free to forward CRYPTO-GRAM, in whole or in part, to colleagues and
friends who will find it valuable. Permission is also granted to reprint
CRYPTO-GRAM, as long as it is reprinted in its entirety.

Bruce Schneier is an internationally renowned security technologist, called a
security guru by the Economist. He is the author of over one dozen books --
including his latest, We Have Root -- as well as hundreds of articles, essays,
and academic papers. His newsletter and blog are read by over 250,000 people.
Schneier is a fellow at the Berkman Klein Center for Internet & Society at
Harvard University; a Lecturer in Public Policy at the Harvard Kennedy School; a
board member of the Electronic Frontier Foundation, AccessNow, and the Tor
Project; and an Advisory Board Member of the Electronic Privacy Information
Center and VerifiedVoting.org. He is the Chief of Security Architecture at
Inrupt, Inc.

Copyright © 2022 by Bruce Schneier.

** *** ***** ******* *********** *************
--- 
 * Origin: TCOB1 (618:500/14)
  Show ANSI Codes | Hide BBCodes | Show Color Codes | Hide Encoding | Hide HTML Tags | Show Routing
Previous Message | Next Message | Back to Computer Support/Help/Discussion...  <--  <--- Return to Home Page

VADV-PHP
Execution Time: 0.0163 seconds

If you experience any problems with this website or need help, contact the webmaster.
VADV-PHP Copyright © 2002-2024 Steve Winn, Aspect Technologies. All Rights Reserved.
Virtual Advanced Copyright © 1995-1997 Roland De Graaf.
v2.1.241108