AT2k Design BBS Message Area
From: TCOB1   To: All   Subject: CRYPTO-GRAM, January 15, 2023   Date/Time: January 17, 2023 12:20 PM

Crypto-Gram
January 15, 2023

by Bruce Schneier
Fellow and Lecturer, Harvard Kennedy School schneier@schneier.com
https://www.schneier.com

A free monthly newsletter providing summaries, analyses, insights, and
commentaries on security: computer and otherwise.

For back issues, or to subscribe, visit Crypto-Gram's web page.

Read this issue on the web

These same essays and news items appear in the Schneier on Security blog, along
with a lively and intelligent comment section. An RSS feed is available.

** *** ***** ******* *********** *************

In this issue:

If these links don't work in your email client, try reading this issue of
Crypto-Gram on the web.

A Security Vulnerability in the KmsdBot Botnet
Apple Patches iPhone Zero-Day
As Long as We’re on the Subject of CAPTCHAs
How to Surrender to a Drone
Trojaned Windows Installer Targets Ukraine
Ukraine Intercepting Russian Soldiers' Cell Phone Calls
Critical Microsoft Code-Execution Vulnerability
Hacking the JFK Airport Taxi Dispatch System
LastPass Breach
Arresting IT Administrators
QR Code Scam
Recovering Smartphone Voice from the Accelerometer
Breaking RSA with a Quantum Computer
Decarbonizing Cryptocurrencies through Taxation
Remote Vulnerabilities in Automobiles
Schneier on Security Audiobook Sale
Identifying People Using Cell Phone Location Data
ChatGPT-Written Malware
Experian Privacy Vulnerability
Threats of Machine-Generated Text
Booklist Review of A Hacker’s Mind
Upcoming Speaking Engagements
** *** ***** ******* *********** *************

A Security Vulnerability in the KmsdBot Botnet

[2022.12.15] Security researchers found a software bug in the KmsdBot
cryptomining botnet:

With no error-checking built in, sending KmsdBot a malformed command -- like its
controllers did one day while Akamai was watching -- created a panic crash with
an “index out of range” error. Because there’s no persistence, the bot
stays down, and malicious agents would need to reinfect a machine and rebuild
the bot’s functions. It is, as Akamai notes, “a nice story” and
“a strong example of the fickle nature of technology.”

** *** ***** ******* *********** *************

Apple Patches iPhone Zero-Day

[2022.12.16] The most recent iPhone update -- to version 16.2 -- patches a
zero-day vulnerability that “may have been actively exploited against versions
of iOS released before iOS 15.1.”

News:

Apple said security researchers at Google’s Threat Analysis Group, which
investigates nation state-backed spyware, hacking and cyberattacks, discovered
and reported the WebKit bug.

WebKit bugs are often exploited when a person visits a malicious domain in their
browser (or via the in-app browser). It’s not uncommon for bad actors to find
vulnerabilities that target WebKit as a way to break into the device’s
operating system and the user’s private data. WebKit bugs can be
“chained” to other vulnerabilities to break through multiple layers of a
device’s defenses.

** *** ***** ******* *********** *************

As Long as We’re on the Subject of CAPTCHAs

[2022.12.16] There are these.

** *** ***** ******* *********** *************

How to Surrender to a Drone

[2022.12.19] The Ukrainian army has released an instructional video explaining
how Russian soldiers should surrender to a drone:

“Seeing the drone in the field of view, make eye contact with it,” the
video instructs. Soldiers should then raise their arms and signal they’re
ready to follow.

After that the drone will move up and down a few meters, before heading off at
walking pace in the direction of the nearest representatives of Ukraine’s
army, it says.

The video also warns that the drone’s battery may run low, in which case it
will head back to base and the soldiers should stay put and await a fresh one.

That one, too, should be met with eye contact and arms raised, it says.

Incredible.

** *** ***** ******* *********** *************

Trojaned Windows Installer Targets Ukraine

[2022.12.20] Mandiant is reporting on a trojaned Windows installer that targets
Ukrainian users. The installer was left on various torrent sites, presumably
ensnaring people downloading pirated copies of the operating system:

Mandiant uncovered a socially engineered supply chain operation focused on
Ukrainian government entities that leveraged trojanized ISO files masquerading
as legitimate Windows 10 Operating System installers. The trojanized ISOs were
hosted on Ukrainian- and Russian-language torrent file sharing sites. Upon
installation of the compromised software, the malware gathers information on the
compromised system and exfiltrates it. At a subset of victims, additional tools
are deployed to enable further intelligence gathering. In some instances, we
discovered additional payloads that were likely deployed following initial
reconnaissance including the STOWAWAY, BEACON, and SPAREPART backdoors.

One obvious solution would be for Microsoft to give the Ukrainians Windows
licenses, so they don’t have to get their software from sketchy torrent sites.

** *** ***** ******* *********** *************

Ukraine Intercepting Russian Soldiers' Cell Phone Calls

[2022.12.21] They’re using commercial phones, which go through the Ukrainian
telecom network:

“You still have a lot of soldiers bringing cellphones to the frontline who
want to talk to their families and they are either being intercepted as they go
through a Ukrainian telecommunications provider or intercepted over the air,”
said Alperovitch. “That doesn’t pose too much difficulty for the Ukrainian
security services.”

[...]

“Security has always been a mess, both in the army and among defence
officials,” the source said. “For example, in 2013 they tried to get all the
staff at the ministry of defence to replace our iPhones with Russian-made Yoto
smartphones.

“But everyone just kept using the iPhone as a second mobile because it was
much better. We would just keep the iPhone in the car’s glove compartment for
when we got back from work. In the end, the ministry gave up and stopped caring.
If the top doesn’t take security very seriously, how can you expect any
discipline in the regular army?”

This isn’t a new problem and it isn’t a Russian problem. Here’s a more
general article on the problem from 2020.

** *** ***** ******* *********** *************

Critical Microsoft Code-Execution Vulnerability

[2022.12.22] A critical code-execution vulnerability in Microsoft Windows was
patched in September. It seems that researchers just realized how serious it was
(and is):

Like EternalBlue, CVE-2022-37958, as the latest vulnerability is tracked, allows
attackers to execute malicious code with no authentication required. Also, like
EternalBlue, it’s wormable, meaning that a single exploit can trigger a chain
reaction of self-replicating follow-on exploits on other vulnerable systems. The
wormability of EternalBlue allowed WannaCry and several other attacks to spread
across the world in a matter of minutes with no user interaction required.

But unlike EternalBlue, which could be exploited when using only the SMB, or
server message block, a protocol for file and printer sharing and similar
network activities, this latest vulnerability is present in a much broader range
of network protocols, giving attackers more flexibility than they had when
exploiting the older vulnerability.

[...]

Microsoft fixed CVE-2022-37958 in September during its monthly Patch Tuesday
rollout of security fixes. At the time, however, Microsoft researchers believed
the vulnerability allowed only the disclosure of potentially sensitive
information. As such, Microsoft gave the vulnerability a designation of
“important.” In the routine course of analyzing vulnerabilities after
they’re patched, Palmiotti discovered it allowed for remote code execution in
much the way EternalBlue did. Last week, Microsoft revised the designation to
critical and gave it a severity rating of 8.1, the same given to EternalBlue.

** *** ***** ******* *********** *************

Hacking the JFK Airport Taxi Dispatch System

[2022.12.23] Two men have been convicted of hacking the taxi dispatch system at
the JFK airport. This enabled them to reorder the taxis on the list; they
charged taxi drivers $10 to cut the line.

** *** ***** ******* *********** *************

LastPass Breach

[2022.12.26] Last August, LastPass reported a security breach, saying that no
customer information -- or passwords -- were compromised. Turns out the full
story is worse:

While no customer data was accessed during the August 2022 incident, some source
code and technical information were stolen from our development environment and
used to target another employee, obtaining credentials and keys which were used
to access and decrypt some storage volumes within the cloud-based storage
service.

[...]

To date, we have determined that once the cloud storage access key and dual
storage container decryption keys were obtained, the threat actor copied
information from backup that contained basic customer account information and
related metadata including company names, end-user names, billing addresses,
email addresses, telephone numbers, and the IP addresses from which customers
were accessing the LastPass service.

The threat actor was also able to copy a backup of customer vault data from the
encrypted storage container which is stored in a proprietary binary format that
contains both unencrypted data, such as website URLs, as well as fully-encrypted
sensitive fields such as website usernames and passwords, secure notes, and
form-filled data.

That’s bad. It’s not an epic disaster, though.

These encrypted fields remain secured with 256-bit AES encryption and can only
be decrypted with a unique encryption key derived from each user’s master
password using our Zero Knowledge architecture. As a reminder, the master
password is never known to LastPass and is not stored or maintained by LastPass.

So, according to the company, if you chose a strong master password -- here’s
my advice on how to do it -- your passwords are safe. That is, you are secure as
long as your password is resilient to a brute-force attack. (That they lost
customer data is another story....)

Fair enough, as far as it goes. My guess is that many LastPass users do not have
strong master passwords, even though the compromise of your encrypted password
file should be part of your threat model. But, even so, note this unverified
tweet:

I think the situation at @LastPass may be worse than they are letting on. On
Sunday the 18th, four of my wallets were compromised. The losses are not
significant. Their seeds were kept, encrypted, in my lastpass vault, behind a 16
character password using all character types.

If that’s true, it means that LastPass has some backdoor -- possibly
unintentional -- into the password databases that the hackers are accessing. (Or
that @Cryptopathic’s “16 character password using all character types” is
something like “P@ssw0rdP@ssw0rd.”)

My guess is that we’ll learn more during the coming days. But this should
serve as a cautionary tale for anyone who is using the cloud: the cloud is
another name for “someone else’s computer,” and you need to understand how
much or how little you trust that computer.

If you’re changing password managers, look at my own Password Safe. Its main
downside is that you can’t synch between devices, but that’s because I
don’t use the cloud for anything.

News articles. Slashdot thread.

EDITED TO ADD: People choose lousy master passwords.
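To make the brute-force point concrete, here is an added example (my own, not LastPass's code and not from this newsletter) that derives a vault key with PBKDF2-HMAC-SHA256 and then estimates offline guessing cost for two 16-character master passwords: one chosen uniformly at random from printable ASCII, the other assembled from two entries of a leetspeak word list in the "P@ssw0rdP@ssw0rd" style. The key-derivation function, the e-mail used as salt, the 100,100 iteration count, the 10,000-entry word list and the guess rate are all assumptions chosen for illustration; only the shape of the calculation carries over to any real vault format.

```python
import hashlib
import math
import time

# Assumed, not stated in the newsletter: the vault key is PBKDF2-HMAC-SHA256
# over the master password, salted with the account e-mail, with a fixed
# iteration count. Only the shape of this KDF matters for the cost argument.
ASSUMED_ITERATIONS = 100_100


def derive_vault_key(master_password: str, email: str,
                     iterations: int = ASSUMED_ITERATIONS) -> bytes:
    """Derive a 256-bit vault key from a master password (hypothetical scheme)."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"),
        email.strip().lower().encode("utf-8"), iterations, dklen=32)


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a password made of `length` symbols drawn uniformly."""
    return length * math.log2(alphabet_size)


def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected offline search time: on average half the space is tried."""
    return 2 ** (bits - 1) / guesses_per_second


def measure_guess_rate(email: str = "user@example.com", trials: int = 3) -> float:
    """Single-core guesses/second for the assumed KDF, measured on this machine."""
    start = time.perf_counter()
    for i in range(trials):
        derive_vault_key(f"candidate-{i}", email)
    return trials / (time.perf_counter() - start)


def compare_passwords(guesses_per_second: float) -> dict:
    """Same length, very different attacker cost.
    random16: 16 symbols from the 94 printable ASCII characters.
    pattern16: 16 characters built from two picks out of a 10,000-entry
    leetspeak list (constructed modelling assumption for P@ssw0rdP@ssw0rd-style
    choices); the attacker searches the list, not the character space."""
    random16 = entropy_bits(94, 16)          # about 104.9 bits
    pattern16 = entropy_bits(10_000, 2)      # about 26.6 bits
    return {
        "random_bits": random16,
        "pattern_bits": pattern16,
        "random_seconds": expected_crack_seconds(random16, guesses_per_second),
        "pattern_seconds": expected_crack_seconds(pattern16, guesses_per_second),
    }


if __name__ == "__main__":
    rate = measure_guess_rate()
    print(f"local single-core rate: {rate:,.0f} guesses/s")
    for name, value in compare_passwords(rate).items():
        print(f"{name:16} {value:,.1f}")
```

Run stand-alone, it measures the local single-core rate; plugging in a much higher assumed GPU rate only scales both estimates by the same factor, so the roughly 78-bit gap between the two passwords (a factor of about 2^78 in attacker effort) is what survives any choice of hardware or iteration count.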

** *** ***** ******* *********** *************

Arresting IT Administrators

[2022.12.27] This is one way of ensuring that IT keeps up with patches:

Albanian prosecutors on Wednesday asked for the house arrest of five public
employees they blame for not protecting the country from a cyberattack by
alleged Iranian hackers.

Prosecutors said the five IT officials of the public administration department
had failed to check the security of the system and update it with the most
recent antivirus software.

The next step would be to arrest managers at software companies for not
releasing patches fast enough. And maybe programmers for writing buggy code. I
don’t know where this line of thinking ends.

** *** ***** ******* *********** *************

QR Code Scam

[2022.12.28] An enterprising individual made fake parking tickets with a QR code
for easy payment.

** *** ***** ******* *********** *************

Recovering Smartphone Voice from the Accelerometer

[2022.12.30] Yet another smartphone side-channel attack: “EarSpy: Spying
Caller Speech and Identity through Tiny Vibrations of Smartphone Ear
Speakers”:

Abstract: Eavesdropping from the user’s smartphone is a well-known threat to
the user’s safety and privacy. Existing studies show that loudspeaker
reverberation can inject speech into motion sensor readings, leading to speech
eavesdropping. While more devastating attacks on ear speakers, which produce
much smaller scale vibrations, were believed impossible to eavesdrop with
zero-permission motion sensors. In this work, we revisit this important line of
reach. We explore recent trends in smartphone manufacturers that include
extra/powerful speakers in place of small ear speakers, and demonstrate the
feasibility of using motion sensors to capture such tiny speech vibrations. We
investigate the impacts of these new ear speakers on built-in motion sensors and
examine the potential to elicit private speech information from the minute
vibrations. Our designed system EarSpy can successfully detect word regions,
time, and frequency domain features and generate a spectrogram for each word
region. We train and test the extracted data using classical machine learning
algorithms and convolutional neural networks. We found up to 98.66% accuracy in
gender detection, 92.6% detection in speaker detection, and 56.42% detection in
digit detection (which is 5X more significant than the random selection (10%)).
Our result unveils the potential threat of eavesdropping on phone conversations
from ear speakers using motion sensors.

It’s not great, but it’s an impressive start.

** *** ***** ******* *********** *************

Breaking RSA with a Quantum Computer

[2023.01.03] A group of Chinese researchers have just published a paper claiming
that they can -- although they have not yet done so -- break 2048-bit RSA. This
is something to take seriously. It might not be correct, but it’s
not obviously wrong.

We have long known from Shor’s algorithm that factoring with a quantum
computer is easy. But it takes a big quantum computer, on the order of millions
of qubits, to factor anything resembling the key sizes we use today. What the
researchers have done is combine classical lattice reduction factoring
techniques with a quantum approximate optimization algorithm. This means that
they only need a quantum computer with 372 qubits, which is well within what’s
possible today. (The IBM Osprey is a 433-qubit quantum computer, for example.
Others are on their way as well.)

The Chinese group didn’t have that large a quantum computer to work with. They
were able to factor 48-bit numbers using a 10-qubit quantum computer. And while
there are always potential problems when scaling something like this up by a
factor of 50, there are no obvious barriers.

Honestly, most of the paper is over my head -- both the lattice-reduction math
and the quantum physics. And there’s the nagging question of why the Chinese
government didn’t classify this research. But...wow...maybe...and yikes! Or
not.

“Factoring integers with sublinear resources on a superconducting quantum
processor”

Abstract: Shor’s algorithm has seriously challenged information security based
on public key cryptosystems. However, to break the widely used RSA-2048 scheme,
one needs millions of physical qubits, which is far beyond current technical
capabilities. Here, we report a universal quantum algorithm for integer
factorization by combining the classical lattice reduction with a quantum
approximate optimization algorithm (QAOA). The number of qubits required is
O(log N / log log N), which is sublinear in the bit length of the integer N,
making it the most qubit-saving factorization algorithm to date. We demonstrate
the algorithm experimentally by factoring integers up to 48 bits with 10
superconducting qubits, the largest integer factored on a quantum device. We
estimate that a quantum circuit with 372 physical qubits and a depth of
thousands is necessary to challenge RSA-2048 using our algorithm. Our study
shows great promise in expediting the application of current noisy quantum
computers, and paves the way to factor large integers of realistic
cryptographic significance.
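As an added example (mine, not the paper's code and not from this newsletter), the block below does two things. First, it evaluates the qubit scaling the abstract states, O(log N / log log N), with an assumed constant factor of 2, which is the constant that reproduces the 372-qubit figure for RSA-2048 (2 * 2048 / 11). Second, it runs the classical half of Shor's algorithm on toy moduli: factoring reduces to finding the multiplicative order of a base modulo N, and here that order is found by brute force rather than by a quantum circuit, which is the step that makes the problem easy for a quantum computer and hard for a classical one. The constant 2 is fitted to that single data point; applied to the 48-bit experiment it gives about 17 qubits rather than the 10 the group used, a reminder that the formula is asymptotic and says nothing about gate count or depth.

```python
import math
from math import gcd


def qubit_estimate(bit_length: int, constant: float = 2.0) -> float:
    """constant * log2(N) / log2(log2(N)), taking log2(N) as the bit length.
    The constant is an assumption: 2.0 reproduces the paper's 372 for 2048 bits."""
    n = bit_length
    return constant * n / math.log2(n)


def find_order(a: int, n: int) -> int:
    """Smallest r > 0 with a^r = 1 (mod n), by brute force. This is exactly
    the quantity Shor's period-finding circuit computes; brute force is
    exponential in the size of n, so it is only usable on toy moduli."""
    r, x = 1, a % n
    while x != 1:
        x = (x * a) % n
        r += 1
    return r


def factors_from_order(a: int, r: int, n: int):
    """Classical post-processing of Shor's algorithm: if r is even and
    a^(r/2) != -1 (mod n), then gcd(a^(r/2) +/- 1, n) splits n."""
    if r % 2:
        return None
    y = pow(a, r // 2, n)
    if y == n - 1:
        return None
    for g in (gcd(y - 1, n), gcd(y + 1, n)):
        if 1 < g < n:
            return tuple(sorted((g, n // g)))
    return None


def factor_via_order(n: int):
    """Try bases a = 2, 3, ... until the order-finding reduction succeeds.
    For n = p*q with distinct odd primes at least half of the bases work."""
    for a in range(2, n):
        g = gcd(a, n)
        if g != 1:                      # lucky base that shares a factor
            return tuple(sorted((g, n // g)))
        result = factors_from_order(a, find_order(a, n), n)
        if result:
            return result
    return None


if __name__ == "__main__":
    print("RSA-2048 qubit estimate:", round(qubit_estimate(2048)))
    print("48-bit qubit estimate:", round(qubit_estimate(48)))
    print("3233 =", factor_via_order(3233))   # 53 * 61, a textbook toy modulus
```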

In email, Roger Grimes told me: “Apparently what happened is another guy who
had previously announced he was able to break traditional asymmetric encryption
using classical computers...but reviewers found a flaw in his algorithm and that
guy had to retract his paper. But this Chinese team realized that the step that
killed the whole thing could be solved by small quantum computers. So they
tested and it worked.”

EDITED TO ADD: One of the issues with the algorithm is that it relies on a
recent factoring paper by Claus Schnorr. It’s a controversial paper; and
despite the “this destroys the RSA cryptosystem” claim in the abstract, it
does nothing of the sort. Schnorr’s algorithm works well with smaller moduli
-- around the same order as ones the Chinese group has tested -- but falls
apart at larger sizes. At this point, nobody understands why. The Chinese paper
claims that their quantum techniques get around this limitation (I think
that’s what’s behind Grimes’s comment) but don’t give any details -- and
they haven’t tested it with larger moduli. So if it’s true that the Chinese
paper depends on this Schnorr technique that doesn’t scale, the techniques in
this Chinese paper won’t scale, either. (On the other hand, if it does scale
then I think it also breaks a bunch of lattice-based public-key cryptosystems.)

I am much less worried that this technique will work now. But this is something
the IBM quantum computing people can test right now.

EDITED TO ADD (1/4): A reporter just asked me my gut feel about this. I replied
that I don’t think this will break RSA. Several times a year the cryptography
community receives “breakthroughs” from people outside the community.
That’s why we created the RSA Factoring Challenge: to force people to provide
proofs of their claims. In general, the smart bet is on the new techniques not
working. But someday, that bet will be wrong. Is it today? Probably not. But it
could be. We’re in the worst possible position right now: we don’t have the
facts to know. Someone needs to implement the quantum algorithm and see.

EDITED TO ADD (1/5): Scott Aaronson’s take is a “no”:

In the new paper, the authors spend page after page saying-without-saying that
it might soon become possible to break RSA-2048, using a NISQ (i.e.,
non-fault-tolerant) quantum computer. They do so via two time-tested stratagems:

the detailed exploration of irrelevancies (mostly, optimization of the number of
qubits, while ignoring the number of gates), and complete silence about the one
crucial point. Then, finally, they come clean about the one crucial point in a
single sentence of the Conclusion section:

It should be pointed out that the quantum speedup of the algorithm is unclear
due to the ambiguous convergence of QAOA.

“Unclear” is an understatement here. It seems to me that a miracle would be
required for the approach here to yield any benefit at all, compared to just
running the classical Schnorr’s algorithm on your laptop. And if the latter
were able to break RSA, it would’ve already done so.

All told, this is one of the most actively misleading quantum computing papers
I’ve seen in 25 years, and I’ve seen ... many.

EDITED TO ADD (1/7): More commentary. Again: no need to panic.

EDITED TO ADD (1/12): Peter Shor has suspicions.

** *** ***** ******* *********** *************

Decarbonizing Cryptocurrencies through Taxation

[2023.01.04] Maintaining bitcoin and other cryptocurrencies causes about 0.3
percent of global CO2 emissions. That may not sound like a lot, but it’s more
than the emissions of Switzerland, Croatia, and Norway combined. As many
cryptocurrencies crash and the FTX bankruptcy moves into the litigation stage,
regulators are likely to scrutinize the cryptocurrency world more than ever
before. This presents a perfect opportunity to curb their environmental damage.

The good news is that cryptocurrencies don’t have to be carbon intensive. In
fact, some have near-zero emissions. To encourage polluting currencies to reduce
their carbon footprint, we need to force buyers to pay for their environmental
harms through taxes.

The difference in emissions among cryptocurrencies comes down to how they create
new coins. Bitcoin and other high emitters use a system called “proof of
work”: to generate coins, participants, or “miners,” have to solve math
problems that demand extraordinary computing power. This allows currencies to
maintain their decentralized ledger -- the blockchain -- but requires enormous
amounts of energy.

Greener alternatives exist. Most notably, the “proof of stake” system
enables participants to maintain their blockchain by depositing cryptocurrency
holdings in a pool. When the second-largest cryptocurrency, Ethereum, switched
from proof of work to proof of stake earlier this year, its energy consumption
dropped by more than 99.9% overnight.

Bitcoin and other cryptocurrencies probably won’t follow suit unless forced
to, because proof of work offers massive profits to miners -- and they’re the
ones with power in the system. Multiple legislative levers could be used to
entice them to change.

The most blunt solution is to ban cryptocurrency mining altogether. China did
this in 2018, but it only made the problem worse; mining moved to other
countries with even less efficient energy generation, and emissions went up. The
only way for a mining ban to meaningfully reduce carbon emissions is to enact it
across most of the globe. Achieving that level of international consensus is, to
say the least, unlikely.

A second solution is to prohibit the buying and selling of proof-of-work
currencies. The European Parliament’s Committee on Economic and Monetary
Affairs considered making such a proposal, but voted against it in March. This
is understandable; as with a mining ban, it would be both viewed as
paternalistic and difficult to implement politically.

Employing a tax instead of an outright ban would largely skirt these issues. As
with taxes on gasoline, tobacco, plastics, and alcohol, a cryptocurrency tax
could reduce real-world harm by making consumers pay for it.

Most ways of taxing cryptocurrencies would be inefficient, because they’re
easy to circumvent and hard to enforce. To avoid these pitfalls, the tax should
be levied as a fixed percentage of each proof-of-work-cryptocurrency purchase.
Cryptocurrency exchanges should collect the tax, just as merchants collect sales
taxes from customers before passing the sum on to governments. To make it harder
to evade, the tax should apply regardless of how the proof-of-work currency is
being exchanged -- whether for a fiat currency or another cryptocurrency. Most
important, any state that implements the tax should target all purchases by
citizens in its jurisdiction, even if they buy through exchanges with no legal
presence in the country.

This sort of tax would be transparent and easy to enforce. Because most people
buy cryptocurrencies from one of only a few large exchanges -- such as Binance,
Coinbase, and Kraken -- auditing them should be cheap enough that it pays for
itself. If an exchange fails to comply, it should be banned.

Even a small tax on proof-of-work currencies would reduce their damage to the
planet. Imagine that you’re new to cryptocurrency and want to become a
first-time investor. You’re presented with a range of currencies to choose
from: bitcoin, ether, litecoin, monero, and others. You notice that all of them
except ether add an environmental tax to your purchase price. Which one do you
buy?

Countries don’t need to coordinate across borders for a proof-of-work tax on
their own citizens to be effective. But early adopters should still consider
ways to encourage others to come on board. This has precedent. The European
Union is trying to influence global policy with its carbon border adjustments,
which are designed to discourage people from buying carbon-intensive products
abroad in order to skirt taxes. Similar rules for a proof-of-work tax could
persuade other countries to adopt one.

Of course, some people will try to evade the tax, just as people evade every
other tax. For example, people might buy tax-free coins on centralized exchanges
and then swap them for polluting coins on decentralized exchanges. To some
extent, this is inevitable; no tax is perfect. But the effort and technical
know-how needed to evade a proof-of-work tax will be a major deterrent.

Even if only a few countries implement this tax -- and even if some people evade
it -- the desirability of bitcoin will fall globally, and the environmental
benefit will be significant. A high enough tax could also cause a
self-reinforcing cycle that will drive down these cryptocurrencies’ prices.
Because the value of many cryptocurrencies relies largely on speculation, they are
dependent on future buyers. When speculators are deterred by the tax, the lack
of demand will cause the price of bitcoin to fall, which could prompt more
current holders to sell -- further lowering prices and accelerating the effect.
Declining prices will pressure the bitcoin community to abandon proof of work
altogether.

Taxing proof-of-work exchanges might hurt them in the short run, but it would
not hinder blockchain innovation. Instead, it would redirect innovation toward
greener cryptocurrencies. This is no different than how government incentives
for electric vehicles encourage carmakers to improve green alternatives to the
internal combustion engine. These incentives don’t restrict innovation in
automobiles -- they promote it.

Taxing environmentally harmful cryptocurrencies can gain support across the
political spectrum, from people with varied interests. It would benefit
blockchain innovators and cryptocurrency researchers by shifting focus from
environmental harm to beneficial uses of the technology. It has the potential to
make our planet significantly greener. It would increase government revenues.

Even bitcoin maximalists have reason to embrace the proposal: it would offer the
bitcoin community a chance to prove it can survive and grow sustainably.

This essay was written with Christos Porios, and previously appeared in the
Atlantic.

** *** ***** ******* *********** *************

Remote Vulnerabilities in Automobiles

[2023.01.06] This group has found a ton of remote vulnerabilities in all sorts
of automobiles.

It’s enough to make you want to buy a car that is not Internet-connected.
Unfortunately, that seems to be impossible.

** *** ***** ******* *********** *************

Schneier on Security Audiobook Sale

[2023.01.06] I’m not sure why, but Audiobooks.com is offering the audiobook
version of Schneier on Security at 50% off until January 17.

EDITED TO ADD: The audiobook of We Have Root is 50% off until January 27 if you
use this link.

** *** ***** ******* *********** *************

Identifying People Using Cell Phone Location Data

[2023.01.09] The two people who shut down four Washington power stations in
December were arrested. This is the interesting part:

Investigators identified Greenwood and Crahan almost immediately after the
attacks took place by using cell phone data that allegedly showed both men in
the vicinity of all four substations, according to court documents.

Nowadays, it seems like an obvious thing to do -- although the search is
probably unconstitutional. But way back in 2012, the Canadian CSEC -- that’s
their NSA -- did some top-secret work on this kind of thing. The document is
part of the Snowden archive, and I wrote about it:

The second application suggested is to identify a particular person whom you
know visited a particular geographical area on a series of dates/times. The
example in the presentation is a kidnapper. He is based in a rural area, so he
can’t risk making his ransom calls from that area. Instead, he drives to an
urban area to make those calls. He either uses a burner phone or a pay phone, so
he can’t be identified that way. But if you assume that he has some sort of
smart phone in his pocket that identifies itself over the Internet, you might be
able to find him in that dataset. That is, he might be the only ID that appears
in that geographical location around the same time as the ransom calls and at no
other times.

There’s a whole lot of surveillance you can do if you can follow everyone,
everywhere, all the time. I don’t even think turning your cell phone off would
help in this instance. How many people in the Washington area turned their
phones off during exactly the times of the Washington power station attacks?
Probably a small enough number to investigate them all.
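The two queries described above, the co-location intersection from the CSEC presentation and the "who went dark during exactly those windows" variant, as an added example on constructed records (my own code, not from the article, the presentation or the court filings). Every device id, timestamp and site label is made up, and the thirty-minute window around each event is an assumption; the point is how little data the two set operations need.

```python
from datetime import datetime, timedelta

# A sighting is (device_id, timestamp, site): a device seen near a named site,
# the kind of coarse record a carrier or data broker could hold. All constructed.
ATTACKS = {  # constructed event times at four constructed site labels
    "substation-A": datetime(2022, 12, 25, 5, 30),
    "substation-B": datetime(2022, 12, 25, 11, 10),
    "substation-C": datetime(2022, 12, 25, 17, 45),
    "substation-D": datetime(2022, 12, 25, 23, 20),
}
WINDOW = timedelta(minutes=30)   # assumed: +/- 30 minutes around each event

D = datetime
SIGHTINGS = [
    ("dev-7", D(2022, 12, 25, 5, 15), "substation-A"),   # near all four sites
    ("dev-7", D(2022, 12, 25, 11, 0), "substation-B"),
    ("dev-7", D(2022, 12, 25, 17, 50), "substation-C"),
    ("dev-7", D(2022, 12, 25, 23, 30), "substation-D"),
    ("dev-3", D(2022, 12, 25, 5, 20), "substation-A"),   # lives near one site
    ("dev-3", D(2022, 12, 25, 11, 5), "downtown"),
    ("dev-3", D(2022, 12, 25, 18, 0), "downtown"),
    ("dev-5", D(2022, 12, 25, 5, 35), "home-5"),         # three of four only
    ("dev-5", D(2022, 12, 25, 11, 15), "substation-B"),
    ("dev-5", D(2022, 12, 25, 17, 40), "substation-C"),
    ("dev-5", D(2022, 12, 25, 23, 25), "substation-D"),
    ("dev-9", D(2022, 12, 25, 4, 40), "highway"),        # active before and
    ("dev-9", D(2022, 12, 25, 6, 20), "highway"),        # after, but silent
    ("dev-9", D(2022, 12, 25, 12, 0), "downtown"),       # inside every window
    ("dev-9", D(2022, 12, 25, 18, 30), "downtown"),
    ("dev-2", D(2022, 12, 25, 9, 0), "downtown"),        # ordinary day
    ("dev-2", D(2022, 12, 25, 11, 20), "mall"),
]


def in_window(ts, center, window=WINDOW):
    return abs(ts - center) <= window


def present_at_all_events(sightings, events, window=WINDOW):
    """Device ids seen near every event site inside that site's time window:
    the co-location intersection the CSEC presentation describes."""
    near = {}
    for dev, ts, site in sightings:
        if site in events and in_window(ts, events[site], window):
            near.setdefault(dev, set()).add(site)
    return {dev for dev, sites in near.items() if sites == set(events)}


def dark_during_all_events(sightings, events, window=WINDOW):
    """Devices active that day that produced no record anywhere during any of
    the event windows: the 'switched the phone off' population, which is
    itself small enough to stand out."""
    seen = {dev for dev, _, _ in sightings}
    active = {dev for dev, ts, _ in sightings
              if any(in_window(ts, t, window) for t in events.values())}
    return seen - active


if __name__ == "__main__":
    print("near all four events:", present_at_all_events(SIGHTINGS, ATTACKS))
    print("dark during every window:", dark_during_all_events(SIGHTINGS, ATTACKS))
```

Neither query needs precise positions, names or call content: a site label and a timestamp per record is enough, and a device that is absent from every window is as distinctive as one present in all of them.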

** *** ***** ******* *********** *************

ChatGPT-Written Malware

[2023.01.10] I don’t know how much of a thing this will end up being, but we
are seeing ChatGPT-written malware in the wild.

...within a few weeks of ChatGPT going live, participants in cybercrime forums
-- some with little or no coding experience -- were using it to write software
and emails that could be used for espionage, ransomware, malicious spam, and
other malicious tasks.

“It’s still too early to decide whether or not ChatGPT capabilities will
become the new favorite tool for participants in the Dark Web,” company
researchers wrote. “However, the cybercriminal community has already shown
significant interest and are jumping into this latest trend to generate
malicious code.”

Last month, one forum participant posted what they claimed was the first script
they had written and credited the AI chatbot with providing a “nice [helping]
hand to finish the script with a nice scope.”

The Python code combined various cryptographic functions, including code
signing, encryption, and decryption. One part of the script generated a key
using elliptic curve cryptography and the curve ed25519 for signing files.
Another part used a hard-coded password to encrypt system files using the
Blowfish and Twofish algorithms. A third used RSA keys and digital signatures,
message signing, and the blake2 hash function to compare various files.

Check Point Research report.

ChatGPT-generated code isn’t that good, but it’s a start. And the technology
will only get better. Where it matters here is that it gives less skilled
hackers -- script kiddies -- new capabilities.

** *** ***** ******* *********** *************

Experian Privacy Vulnerability

[2023.01.12] Brian Krebs is reporting on a vulnerability in Experian’s
website:

Identity thieves have been exploiting a glaring security weakness in the website
of Experian, one of the big three consumer credit reporting bureaus. Normally,
Experian requires that those seeking a copy of their credit report successfully
answer several multiple choice questions about their financial history. But
until the end of 2022, Experian's website allowed anyone to bypass these
questions and go straight to the consumer's report. All that was needed was
the person's name, address, birthday and Social Security number.

** *** ***** ******* *********** *************

Threats of Machine-Generated Text

[2023.01.13] With the release of ChatGPT, I've read many random articles about
this or that threat from the technology. This paper is a good survey of the
field: what the threats are, how we might detect machine-generated text,
directions for future research. It's a solid grounding amongst all of the
hype.

Machine Generated Text: A Comprehensive Survey of Threat Models and Detection
Methods

Abstract: Advances in natural language generation (NLG) have resulted in machine
generated text that is increasingly difficult to distinguish from human authored
text. Powerful open-source models are freely available, and user-friendly tools
democratizing access to generative models are proliferating. The great potential
of state-of-the-art NLG systems is tempered by the multitude of avenues for
abuse. Detection of machine generated text is a key countermeasure for reducing
abuse of NLG models, with significant technical challenges and numerous open
problems. We provide a survey that includes both 1) an extensive analysis of
threat models posed by contemporary NLG systems, and 2) the most complete review
of machine generated text detection methods to date. This survey places machine
generated text within its cybersecurity and social context, and provides strong
guidance for future work addressing the most critical threat models, and
ensuring detection systems themselves demonstrate trustworthiness through
fairness, robustness, and accountability.

** *** ***** ******* *********** *************

Booklist Review of A Hacker's Mind

[2023.01.14] Booklist reviews A Hacker's Mind:

Author and public-interest security technologist Schneier (Data and Goliath,
2015) defines a "hack" as an activity allowed by a system "that subverts
the rules or norms of the system [...] at the expense of someone else affected
by the system." In assessing the security of a particular system,
technologists such as Schneier look at how it might fail. In order to counter a
hack, it becomes necessary to think like a hacker. Schneier lays out the
ramifications of a variety of hacks, contrasting the hacking of the tax code to
benefit the wealthy with hacks in realms such as sports that can innovate and
change a game for the better. The key to dealing with hacks is being proactive
and providing adequate patches to fix any vulnerabilities. Schneier's
fascinating work illustrates how susceptible many systems are to being hacked
and how lives can be altered by these subversions. Schneier's deep dive into
this cross-section of technology and humanity makes for investigative gold.

The book will be published on February 7. Here's the book's webpage. You can
pre-order a signed copy from me here.

** *** ***** ******* *********** *************

Upcoming Speaking Engagements

[2023.01.14] This is a current list of where and when I am scheduled to speak:

I'm speaking at Capricon, a four-day science fiction convention in Chicago. My
talk is on "The Coming AI Hackers" and will be held Friday, February 3 at
1:00 PM.
The list is maintained on this page.

** *** ***** ******* *********** *************

Since 1998, CRYPTO-GRAM has been a free monthly newsletter providing summaries,
analyses, insights, and commentaries on security technology. To subscribe, or to
read back issues, see Crypto-Gram's web page.

You can also read these articles on my blog, Schneier on Security.

Please feel free to forward CRYPTO-GRAM, in whole or in part, to colleagues and
friends who will find it valuable. Permission is also granted to reprint
CRYPTO-GRAM, as long as it is reprinted in its entirety.

Bruce Schneier is an internationally renowned security technologist, called a
security guru by the Economist. He is the author of over one dozen books --
including his latest, We Have Root -- as well as hundreds of articles, essays,
and academic papers. His newsletter and blog are read by over 250,000 people.
Schneier is a fellow at the Berkman Klein Center for Internet & Society at
Harvard University; a Lecturer in Public Policy at the Harvard Kennedy School; a
board member of the Electronic Frontier Foundation, AccessNow, and the Tor
Project; and an Advisory Board Member of the Electronic Privacy Information
Center and VerifiedVoting.org. He is the Chief of Security Architecture at
Inrupt, Inc.

Copyright © 2023 by Bruce Schneier.

--- BBBS/Li6 v4.10 Toy-5
 * Origin: TCOB1 - binkd.thecivv.ie (618:500/14)