• CRYPTO-GRAM, October 15, 2021

    From thecivvie@33:2200/1 to All on Fri Oct 15 22:45:32 2021
    October 15, 2021

    by Bruce Schneier
    Fellow and Lecturer, Harvard Kennedy School schneier@schneier.com https://www.schneier.com

    A free monthly newsletter providing summaries, analyses, insights, and commentaries on security: computer and otherwise.

    For back issues, or to subscribe, visit Crypto-Gram's web page.

    Read this issue on the web

    These same essays and news items appear in the Schneier on Security blog, along with a lively and intelligent comment section. An RSS feed is available.

    ** *** ***** ******* *********** *************

    In this issue:

    If these links don't work in your email client, try reading this issue of Crypto-Gram on the web.

    Identifying Computer-Generated Faces Zero-Click iMessage Exploit
    Alaska's Department of Health and Social Services Hack FBI Had the REvil Decryption Key
    The Proliferation of Zero-days
    I Am Not Satoshi Nakamoto
    Tracking Stolen Cryptocurrencies
    Check What Information Your Browser Leaks Hardening Your VPN
    A Death Due to Ransomware
    Cheating on Tests
    Facebook Is Down
    Syniverse Hack
    The European Parliament Voted to Ban Remote Biometric Surveillance Airline Passenger Mistakes Vintage Camera for a Bomb Suing Infrastructure Companies for Copyright Violations Recovering Real Faces from Face-Generation ML System Upcoming Speaking Engagements
    ** *** ***** ******* *********** *************

    Identifying Computer-Generated Faces

    [2021.09.15] ItĔTs the eyes:

    The researchers note that in many cases, users can simply zoom in on the eyes of a person they suspect may not be real to spot the pupil irregularities. They also note that it would not be difficult to write software to spot such errors and for social media sites to use it to remove such content. Unfortunately, they also note that now that such irregularities have been identified, the people creating the fake pictures can simply add a feature to ensure the roundness of pupils.

    And the arms race continues....

    Research paper.

    ** *** ***** ******* *********** *************

    Zero-Click iMessage Exploit

    [2021.09.17] Citizen Lab released a report on a zero-click iMessage exploit that is used in NSO GroupĔTs Pegasus spyware.

    Apple patched the vulnerability; everyone needs to update their OS immediately.

    News articles on the exploit.

    ** *** ***** ******* *********** *************

    Alaska's Department of Health and Social Services Hack

    [2021.09.21] Apparently, a nation-state hacked AlaskaĔTs Department of Health and Social Services.

    Not sure why AlaskaĔTs Department of Health and Social Services is of any interest to a nation-state, but thatĔTs probably just my failure of imagination.

    ** *** ***** ******* *********** *************

    FBI Had the REvil Decryption Key

    [2021.09.22] The Washington Post reports that the FBI had a decryption key for the REvil ransomware, but didnĔTt pass it along to victims because it would have disrupted an ongoing operation.

    The key was obtained through access to the servers of the Russia-based criminal gang behind the July attack. Deploying it immediately could have helped the victims, including schools and hospitals, avoid what analysts estimate was millions of dollars in recovery costs.

    But the FBI held on to the key, with the agreement of other agencies, in part because it was planning to carry out an operation to disrupt the hackers, a group known as REvil, and the bureau did not want to tip them off. Also, a government assessment found the harm was not as severe as initially feared.

    Fighting ransomware is filled with security trade-offs. This is one I had not previously considered.

    Another news story.

    ** *** ***** ******* *********** *************


    [2021.09.23] ROT8000 is the Unicode equivalent of ROT13. WhatĔTs clever about it is that normal English looks like Chinese, and not like ciphertext (to a typical Westerner, that is).

    ** *** ***** ******* *********** *************

    The Proliferation of Zero-days

    [2021.09.24] The MIT Technology Review is reporting that 2021 is a blockbuster year for zero-day exploits:

    One contributing factor in the higher rate of reported zero-days is the rapid global proliferation of hacking tools.

    Powerful groups are all pouring heaps of cash into zero-days to use for themselves -- and theyĔTre reaping the rewards.

    At the top of the food chain are the government-sponsored hackers. China alone is suspected to be responsible for nine zero-days this year, says Jared Semrau, a director of vulnerability and exploitation at the American cybersecurity firm FireEye Mandiant. The US and its allies clearly possess some of the most sophisticated hacking capabilities, and there is rising talk of using those tools more aggressively.


    Few who want zero-days have the capabilities of Beijing and Washington. Most countries seeking powerful exploits donĔTt have the talent or infrastructure to develop them domestically, and so they purchase them instead.


    ItĔTs easier than ever to buy zero-days from the growing exploit industry. What was once prohibitively expensive and high-end is now more widely accessible.


    And cybercriminals, too, have used zero-day attacks to make money in recent years, finding flaws in software that allow them to run valuable ransomware schemes.

    ƒî¨Financially motivated actors are more sophisticated than ever,ƒî¨ Semrau says. ƒî¨One-third of the zero-days weƒîTve tracked recently can be traced directly back to financially motivated actors. So theyƒîTre playing a significant role in this increase which I donƒîTt think many people are giving credit for.ƒî¨


    No one we spoke to believes that the total number of zero-day attacks more than doubled in such a short period of time -- just the number that have been caught. That suggests defenders are becoming better at catching hackers in the act.

    You can look at the data, such as GoogleĔTs zero-day spreadsheet, which tracks nearly a decade of significant hacks that were caught in the wild.

    One change the trend may reflect is that thereĔTs more money available for defense, not least from larger bug bounties and rewards put forward by tech companies for the discovery of new zero-day vulnerabilities. But there are also better tools.

    ** *** ***** ******* *********** *************

    I Am Not Satoshi Nakamoto

    [2021.09.24] This isnĔTt the first time IĔTve received an e-mail like this:

    Hey! IĔTve done my research and looked at a lot of facts and old forgotten archives. I know that you are Satoshi, I do not want to tell anyone about this. I just wanted to say that you created weapons of mass destruction where niches remained poor and the rich got richer! When bitcoin first appeared, I was small, and alas, my family lost everything on this, you wonĔTt find an apple in the winter garden, people only need strength and money. Sorry for the English, I am from Russia, I can write with errors. You are an amazingly intelligent person, very intelligent, but the road to hell is paved with good intentions. Once I dreamed of a better life for myself and my children, but this will never come ...

    I like the bit about ƒî¨old forgotten archives,ƒî¨ by which I assume heƒîTs referring to the sci.crypt Usenet group and the Cypherpunks mailing list. (I posted to the latter a lot, and the former rarely.)

    For the record, I am not Satoshi Nakamoto. I suppose I could have invented the bitcoin protocols, but I wouldnĔTt have done it in secret. I would have drafted a paper, showed it to a lot of smart people, and improved it based on their comments. And then I would have published it under my own name. Maybe I would have realized how dumb the whole idea is. I doubt I would have predicted that it would become so popular and contribute materially to global climate change. In any case, I did nothing of the sort.

    Read the paper. It doesnĔTt even sound like me.

    Of course, this will convince no one who doesnĔTt already believe. Such is the nature of conspiracy theories.

    ** *** ***** ******* *********** *************

    Tracking Stolen Cryptocurrencies

    [2021.09.27] Good article about the current state of cryptocurrency forensics.

    ** *** ***** ******* *********** *************

    Check What Information Your Browser Leaks

    [2021.09.28] These two sites tell you what sorts of information youĔTre leaking from your browser.

    ** *** ***** ******* *********** *************

    Hardening Your VPN

    [2021.09.30] The NSA and CISA have released a document on how to harden your VPN.

    ** *** ***** ******* *********** *************

    A Death Due to Ransomware

    [2021.10.01] The Wall Street Journal is reporting on a babyĔTs death at an Alabama hospital in 2019, which they argue was a direct result of the ransomware attack the hospital was undergoing.

    Amid the hack, fewer eyes were on the heart monitors -- normally tracked on a large screen at the nursesĔT station, in addition to inside the delivery room. Attending obstetrician Katelyn Parnell texted the nurse manager that she would have delivered the baby by caesarean section had she seen the monitor readout.
    ƒî¨I need u to help me understand why I was not notified.ƒî¨ In another text, Dr. Parnell wrote: ƒî¨This was preventable.ƒî¨

    [The mother] Ms. Kidd has sued Springhill [Medical Center], alleging information about the babyĔTs condition never made it to Dr. Parnell because the hack wiped away the extra layer of scrutiny the heart rate monitor would have received at the nursesĔT station. If proven in court, the case will mark the first confirmed death from a ransomware attack.

    What will be interesting to see is whether the courts rule that the hospital was negligent in its security, contributing to the success of the ransomware and by extension the death of the infant.

    Springhill declined to name the hackers, but Allan Liska, a senior intelligence analyst at Recorded Future, said it was likely the Russianbased Ryuk gang, which was singling out hospitals at the time.

    TheyĔTre certainly never going to be held accountable.

    Another article.

    ** *** ***** ******* *********** *************

    Cheating on Tests

    [2021.10.04] Interesting story of test-takers in India using Bluetooth-connected flip-flops to communicate with accomplices while taking a test.

    WhatĔTs interesting is how this cheating was discovered. ItĔTs not that someone noticed the communication devices. ItĔTs that the proctors noticed that cheating test takers were acting hinky.

    ** *** ***** ******* *********** *************

    Facebook Is Down

    [2021.10.04] Facebook -- along with Instagram and WhatsApp -- went down globally today. Basically, someone deleted their BGP records, which made their DNS fall apart.

    ...at approximately 11:39 a.m. ET today (15:39 UTC), someone at Facebook caused an update to be made to the companyĔTs Border Gateway Protocol (BGP) records. BGP is a mechanism by which Internet service providers of the world share
    information about which providers are responsible for routing Internet traffic to which specific groups of Internet addresses.

    In simpler terms, sometime this morning Facebook took away the map telling the worldĔTs computers how to find its various online properties. As a result, when one types Facebook.com into a web browser, the browser has no idea where to find Facebook.com, and so returns an error page.

    In addition to stranding billions of users, the Facebook outage also has stranded its employees from communicating with one another using their internal Facebook tools. ThatĔTs because FacebookĔTs email and tools are all managed in house and via the same domains that are now stranded.

    What I heard is that none of the employee keycards work, since they have to ping a now-unreachable server. So people canĔTt get into buildings and offices.

    And every third-party site that relies on ƒî¨log in with Facebookƒî¨ is stuck as well.

    The fix wonĔTt be quick:

    As a former network admin who worked on the internet at this level, I anticipate Facebook will be down for hours more. I suspect it will end up being FacebookĔTs longest and most severe failure to date before itĔTs fixed.

    We all know the security risks of monocultures.

    EDITED TO ADD (10/6): Good explanation of what happened. Shorter from Jonathan Zittrain: ƒî¨Facebook basically locked its keys in the car.ƒî¨

    ** *** ***** ******* *********** *************

    Syniverse Hack

    [2021.10.06] This is interesting:

    A company that is a critical part of the global telecommunications infrastructure used by AT&T, T-Mobile, Verizon and several others around the world such as Vodafone and China Mobile, quietly disclosed that hackers were inside its systems for years, impacting more than 200 of its clients and potentially millions of cellphone users worldwide.

    IĔTve never heard of the company.

    No details about the hack. It could be nothing. It could be a national intelligence service looking for information.

    ** *** ***** ******* *********** *************

    The European Parliament Voted to Ban Remote Biometric Surveillance

    [2021.10.11] ItĔTs not actually banned in the EU yet -- the legislative process is much more complicated than that -- but itĔTs a step: a total ban on biometric mass surveillance.

    To respect ƒî¨privacy and human dignity,ƒî¨ MEPs said that EU lawmakers should pass a permanent ban on the automated recognition of individuals in public spaces, saying citizens should only be monitored when suspected of a crime.

    The parliament has also called for a ban on the use of private facial recognition databases -- such as the controversial AI system created by U.S. startup Clearview (also already in use by some police forces in Europe) -- and said predictive policing based on behavioural data should also be outlawed.

    MEPs also want to ban social scoring systems which seek to rate the trustworthiness of citizens based on their behaviour or personality.

    ** *** ***** ******* *********** *************

    Airline Passenger Mistakes Vintage Camera for a Bomb

    [2021.10.12] I feel sorry for the accused:

    The ƒî¨security incidentƒî¨ that forced a New-York bound flight to make an emergency landing at LaGuardia Airport on Saturday turned out to be a misunderstanding -- after an airline passenger mistook another travelerƒîTs camera for a bomb, sources said Sunday.

    American Airlines Flight 4817 from Indianapolis -- operated by Republic Airways -- made an emergency landing at LaGuardia just after 3 p.m., and authorities took a suspicious passenger into custody for several hours.

    It turns out the would-be ƒî¨bomberƒî¨ was just a vintage camera aficionado and the woman who reported him made a mistake, sources said.

    Why in the world was the passenger in custody for ƒî¨several hoursƒî¨? They didnƒîTt do anything wrong.

    Back in 2007, I called this the ƒî¨war on the unexpected.ƒî¨ ItƒîTs why ƒî¨see something, say somethingƒî¨ doesnƒîTt work. If you put amateurs in the front lines of security, donƒîTt be surprised when you get amateur security. I have lots of examples.

    ** *** ***** ******* *********** *************

    Suing Infrastructure Companies for Copyright Violations

    [2021.10.13] ItĔTs a matter of going after those with deep pockets. From Wired:

    Cloudflare was sued in November 2018 by Mon Cheri Bridals and Maggie Sottero Designs, two wedding dress manufacturers and sellers that alleged Cloudflare was guilty of contributory copyright infringement because it didnĔTt terminate services for websites that infringed on the dressmakersĔT copyrighted designs....

    [Judge] Chhabria noted that the dressmakers have been harmed ƒî¨by the proliferation of counterfeit retailers that sell knock-off dresses using the plaintiffsƒîT copyrighted imagesƒî¨ and that they have ƒî¨gone after the infringers in a range of actions, but to no avail -- every time a website is successfully shut down, a new one takes its place.ƒî¨ Chhabria continued, ƒî¨In an effort to more effectively stamp out infringement, the plaintiffs now go after a service common to many of the infringers: Cloudflare. The plaintiffs claim that Cloudflare contributes to the underlying copyright infringement by providing infringers with caching, content delivery, and security services. Because a reasonable jury could not -- at least on this record -- conclude that Cloudflare materially contributes to the underlying copyright infringement, the plaintiffsƒîT motion for summary judgment is denied and CloudflareƒîTs motion for summary judgment is granted.ƒî¨

    I was an expert witness for Cloudflare in this case, basically explaining to the court how the service works.

    ** *** ***** ******* *********** *************

    Recovering Real Faces from Face-Generation ML System

    [2021.10.14] New paper: ƒî¨This Person (Probably) Exists. Identity Membership Attacks Against GAN Generated Faces.

    Abstract: Recently, generative adversarial networks (GANs) have achieved stunning realism, fooling even human observers. Indeed, the popular tongue-in-cheek website http://thispersondoesnotexist.com, taunts users with GAN generated images that seem too real to believe. On the other hand, GANs do
    leak information about their training data, as evidenced by membership attacks recently demonstrated in the literature. In this work, we challenge the assumption that GAN faces really are novel creations, by constructing a successful membership attack of a new kind. Unlike previous works, our attack can accurately discern samples sharing the same identity as training samples without being the same samples. We demonstrate the interest of our attack across several popular face datasets and GAN training procedures. Notably, we show that even in the presence of significant dataset diversity, an over represented person can pose a privacy concern.

    News article. Slashdot post.

    ** *** ***** ******* *********** *************

    Upcoming Speaking Engagements

    [2021.10.14] This is a current list of where and when I am scheduled to speak:

    IĔTll be speaking at an Informa event on November 29, 2021. Details to come. The list is maintained on this page.

    ** *** ***** ******* *********** *************

    Since 1998, CRYPTO-GRAM has been a free monthly newsletter providing summaries, analyses, insights, and commentaries on security technology. To subscribe, or to read back issues, see Crypto-Gram's web page.

    You can also read these articles on my blog, Schneier on Security.

    Please feel free to forward CRYPTO-GRAM, in whole or in part, to colleagues and friends who will find it valuable. Permission is also granted to reprint CRYPTO-GRAM, as long as it is reprinted in its entirety.

    Bruce Schneier is an internationally renowned security technologist, called a security guru by the Economist. He is the author of over one dozen books -- including his latest, We Have Root -- as well as hundreds of articles, essays, and academic papers. His newsletter and blog are read by over 250,000 people. Schneier is a fellow at the Berkman Klein Center for Internet & Society at Harvard University; a Lecturer in Public Policy at the Harvard Kennedy School; a board member of the Electronic Frontier Foundation, AccessNow, and the Tor Project; and an Advisory Board Member of the Electronic Privacy Information Center and VerifiedVoting.org. He is the Chief of Security Architecture at Inrupt, Inc.

    Copyright AC 2021 by Bruce Schneier.

    ** *** ***** ******* *********** *************

    ... TCOB1: telnet and binkd tcob1.duckdns.org

    --- BBBS/Li6 v4.10 Toy-5
    * Origin: TCOB1 at tcob1.duckdns.org BinkP / Telnet (33:2200/1)