• CRYPTO-GRAM, September 15, 2021

    From thecivvie@33:2200/1 to All on Sat Sep 18 23:04:40 2021

    Crypto-Gram
    September 15, 2021

    by Bruce Schneier
    Fellow and Lecturer, Harvard Kennedy School schneier@schneier.com https://www.schneier.com

    A free monthly newsletter providing summaries, analyses, insights, and commentaries on security: computer and otherwise.

    For back issues, or to subscribe, visit Crypto-Gram's web page.

    Read this issue on the web

    These same essays and news items appear in the Schneier on Security blog, along with a lively and intelligent comment section. An RSS feed is available.

    ** *** ***** ******* *********** *************
    In this issue:

    If these links don't work in your email client, try reading this issue of Crypto-Gram on the web.

    Tetris: Chinese Espionage Tool
    Apple's NeuralHash Algorithm Has Been Reverse-Engineered
    T-Mobile Data Breach
    More on Apple's iPhone Backdoor
    Surveillance of the Internet Backbone
    Interesting Privilege Escalation Vulnerability
    Details of the Recent T-Mobile Breach
    Excellent Write-up of the SolarWinds Security Breach
    More Military Cryptanalytics, Part III
    Zero-Click iPhone Exploits
    History of the HX-63 Rotor Machine
    Hacker-Themed Board Game
    Tracking People by their MAC Addresses
    Lightning Cable with Embedded Eavesdropping
    Security Risks of Relying on a Single Smartphone
    More Detail on the Juniper Hack and the NSA PRNG Backdoor
    ProtonMail Now Keeps IP Logs
    Designing Contact-Tracing Apps
    Upcoming Speaking Engagements

    ** *** ***** ******* *********** *************
    Tetris: Chinese Espionage Tool

    [2021.08.18] IĔTm starting to see writings about a Chinese espionage tool that exploits website vulnerabilities to try and identify Chinese dissidents.

    ** *** ***** ******* *********** *************
    Apple's NeuralHash Algorithm Has Been Reverse-Engineered

    [2021.08.18] AppleĔTs NeuralHash algorithm -- the one itĔTs using for client-side scanning on the iPhone -- has been reverse-engineered.

    Turns out it was already in iOS 14.3, and someone noticed:

    Early tests show that it can tolerate image resizing and compression, but not cropping or rotations.

    We also have the first collision: two images that hash to the same value.

    The next step is to generate innocuous images that NeuralHash classifies as prohibited content.

    This was a bad idea from the start, and Apple never seemed to consider the adversarial context of the system as a whole, and not just the cryptography.

    ** *** ***** ******* *********** *************
    T-Mobile Data Breach

    [2021.08.19] ItĔTs a big one:

    As first reported by Motherboard on Sunday, someone on the dark web claims to have obtained the data of 100 million from T-MobileƒîTs servers and is selling a portion of it on an underground forum for 6 bitcoin, about $280,000. The trove includes not only names, phone numbers, and physical addresses but also more sensitive data like social security numbers, driverƒîTs license information, and IMEI numbers, unique identifiers tied to each mobile device. Motherboard confirmed that samples of the data ƒî¨contained accurate information on T-Mobile customers.ƒî¨

    ** *** ***** ******* *********** *************
    More on Apple's iPhone Backdoor

    [2021.08.20] In this post, IĔTll collect links on AppleĔTs iPhone backdoor for scanning CSAM images. Previous links are here and here.

    Apple says that hash collisions in its CSAM detection system were expected, and not a concern. IĔTm not convinced that this secondary system was originally part of the design, since it wasnĔTt discussed in the original specification.

    Good op-ed from a group of Princeton researchers who developed a similar system:

    Our system could be easily repurposed for surveillance and censorship. The design wasnĔTt restricted to a specific category of content; a service could simply swap in any content-matching database, and the person using that service would be none the wiser.

    EDITED TO ADD (8/30): Good essays by Matthew Green and Alex Stamos, Ross Anderson, Edward Snowden, and Susan Landau. And also Kurt Opsahl.

    EDITED TO ADD (9/6): Apple is delaying implementation of the scheme.

    ** *** ***** ******* *********** *************
    Surveillance of the Internet Backbone

    [2021.08.25] Vice has an article about how data brokers sell access to the Internet backbone. This is netflow data. ItĔTs useful for cybersecurity forensics, but can also be used for things like tracing VPN activity.

    At a high level, netflow data creates a picture of traffic flow and volume across a network. It can show which server communicated with another, information that may ordinarily only be available to the server owner or the ISP carrying the traffic. Crucially, this data can be used for, among other
    things, tracking traffic through virtual private networks, which are used to mask where someone is connecting to a server from, and by extension, their approximate physical location.

    In the hands of some governments, that could be dangerous.

    ** *** ***** ******* *********** *************
    Interesting Privilege Escalation Vulnerability

    [2021.08.26] If you plug a Razer peripheral (mouse or keyboard, I think) into a Windows 10 or 11 machine, you can use a vulnerability in the Razer Synapse software -- which automatically downloads -- to gain SYSTEM privileges.

    It should be noted that this is a local privilege escalation (LPE) vulnerability, which means that you need to have a Razer devices and physical access to a computer. With that said, the bug is so easy to exploit as you just need to spend $20 on Amazon for Razer mouse and plug it into Windows 10 to become an admin.

    ** *** ***** ******* *********** *************
    Details of the Recent T-Mobile Breach

    [2021.08.27] Seems that 47 million customers were affected. Surprising no one, T-Mobile had awful security.

    IĔTve lost count of how many times T-Mobile has been hacked.

    ** *** ***** ******* *********** *************
    Excellent Write-up of the SolarWinds Security Breach

    [2021.08.30] Robert Chesney wrote up the Solar Winds story as a case study, and itĔTs a really good summary.

    ** *** ***** ******* *********** *************
    More Military Cryptanalytics, Part III

    [2021.08.31] Late last year, the NSA declassified and released a redacted version of Lambros D. CallimahosĔTs Military Cryptanalytics, Part III. We just got most of the index. ItĔTs hard to believe that there are any real secrets left in this 44-year-old volume.

    ** *** ***** ******* *********** *************
    Zero-Click iPhone Exploits

    [2021.09.01] Citizen Lab is reporting on two zero-click iMessage exploits, in spyware sold by the cyberweapons arms manufacturer NSO Group to the Bahraini government.

    These are particularly scary exploits, since they donĔTt require to victim to do anything, like click on a link or open a file. The victim receives a text message, and then they are hacked.

    More on this here.

    ** *** ***** ******* *********** *************
    History of the HX-63 Rotor Machine

    [2021.09.03] Jon D. Paul has written the fascinating story of the HX-63, a super-complicated electromechanical rotor cipher machine made by Crypto AG.

    ** *** ***** ******* *********** *************
    Hacker-Themed Board Game

    [2021.09.03] Black Hat is a hacker-themed board game.

    ** *** ***** ******* *********** *************
    Tracking People by their MAC Addresses

    [2021.09.06] Yet another article on the privacy risks of static MAC addresses and always-on Bluetooth connections. This one is about wireless headphones.

    The good news is that product vendors are fixing this:

    Several of the headphones which could be tracked over time are for sale in electronics stores, but according to two of the manufacturers NRK have spoken to, these models are being phased out.

    ƒî¨The products in your line-up, Elite Active 65t, Elite 65e and Evolve 75e, will be going out of production before long and newer versions have already been launched with randomized MAC addresses. We have a lot of focus on privacy by design and we continuously work with the available security measures on the market,ƒî¨ head of PR at Jabra, Claus Fonnesbech says.

    ƒî¨To run Bluetooth Classic we, and all other vendors, are required to have static addresses and you will find that in older products,ƒî¨ Fonnesbech says.

    Jens BjA,rnkjA|r Gamborg, head of communications at Bang & Olufsen, says that ƒî¨this is products that were launched several years ago.ƒî¨

    ƒî¨All products launched after 2019 randomize their MAC-addresses on a frequent basis as it has become the market standard to do so,ƒî¨ Gamborg says.

    EDITED TO ADD (9/13): ItĔTs not enough to randomly change MAC addresses. Any other plaintext identifiers need to be changed at the same time.

    ** *** ***** ******* *********** *************
    Lightning Cable with Embedded Eavesdropping

    [2021.09.07] Normal-looking cables (USB-C, Lightning, and so on) that exfiltrate data over a wireless network.

    I blogged about a previous prototype here.

    ** *** ***** ******* *********** *************
    Security Risks of Relying on a Single Smartphone

    [2021.09.08] Isracard used a single cell phone to communicate with credit card clients, and receive documents via WhatsApp. An employee stole the phone. He reformatted the phone and replaced the SIM card, which was oddly the best possible outcome, given the circumstances. Using the data to steal money would have been much worse.

    HereĔTs a link to an archived version.

    ** *** ***** ******* *********** *************
    More Detail on the Juniper Hack and the NSA PRNG Backdoor

    [2021.09.09] We knew the basics of this story, but itĔTs good to have more detail.

    HereĔTs me in 2015 about this Juniper hack. HereĔTs me in 2007 on the NSA backdoor.

    ** *** ***** ******* *********** *************
    ProtonMail Now Keeps IP Logs

    [2021.09.10] After being compelled by a Swiss court to monitor IP logs for a particular user, ProtonMail no longer claims that ƒî¨we do not keep any IP logs.ƒî¨

    EDITED TO ADD (9/14): This seems to be more complicated. ProtonMail is not yet saying that they keep logs. Their privacy policy still states that they do not keep logs except in certain circumstances, and outlines those circumstances. And ProtonMailĔTs warrant canary has an interesting list of data orders they have received from various authorities, whether they complied, and why or why not.

    ** *** ***** ******* *********** *************
    Designing Contact-Tracing Apps

    [2021.09.13] Susan Landau wrote an essay on the privacy, efficacy, and equity of contract-tracing smartphone apps.

    Also see her excellent book on the topic.

    ** *** ***** ******* *********** *************
    Upcoming Speaking Engagements

    [2021.09.14] This is a current list of where and when I am scheduled to speak:

    IĔTm keynoting CIISec Live -- an all-online event -- September 15-16, 2021.
    IĔTm speaking at the Infosecurity Magazine EMEA Autumn Online Summit on September 21, 2021.
    IĔTm speaking at the Cybersecurity and Data Privacy Law Conference in Plano, Texas, USA, September 22-23, 2021.
    IĔTm speaking at the fourth annual Managing Cyber Risk from the C-Suite conference -- a virtual event conducted through Webex -- on October 5, 2021.
    IĔTll be speaking at an Informa event on November 29, 2021. Details to come.

    The list is maintained on this page.

    ** *** ***** ******* *********** *************

    Since 1998, CRYPTO-GRAM has been a free monthly newsletter providing summaries, analyses, insights, and commentaries on security technology. To subscribe, or to read back issues, see Crypto-Gram's web page.

    You can also read these articles on my blog, Schneier on Security.

    Please feel free to forward CRYPTO-GRAM, in whole or in part, to colleagues and friends who will find it valuable. Permission is also granted to reprint CRYPTO-GRAM, as long as it is reprinted in its entirety.

    Bruce Schneier is an internationally renowned security technologist, called a security guru by the Economist. He is the author of over one dozen books -- including his latest, We Have Root -- as well as hundreds of articles, essays, and academic papers. His newsletter and blog are read by over 250,000 people. Schneier is a fellow at the Berkman Klein Center for Internet & Society at Harvard University; a Lecturer in Public Policy at the Harvard Kennedy School; a board member of the Electronic Frontier Foundation, AccessNow, and the Tor Project; and an Advisory Board Member of the Electronic Privacy Information Center and VerifiedVoting.org. He is the Chief of Security Architecture at Inrupt, Inc.

    Copyright AC 2021 by Bruce Schneier.

    ** *** ***** ******* *********** *************

    ... TCOB1: telnet and binkd tcob1.duckdns.org

    --- BBBS/Li6 v4.10 Toy-5
    * Origin: TCOB1 at tcob1.duckdns.org BinkP / Telnet (33:2200/1)