Crypto-Gram
August 15, 2022
by Bruce Schneier
Fellow and Lecturer, Harvard Kennedy School
schneier@schneier.com
https://www.schneier.com
A free monthly newsletter providing summaries, analyses, insights, and commentaries on security: computer and otherwise.
For back issues, or to subscribe, visit Crypto-Gram's web page.
Read this issue on the web
These same essays and news items appear in the Schneier on Security blog, along with a lively and intelligent comment section. An RSS feed is available.
** *** ***** ******* *********** *************
In this issue:
If these links don't work in your email client, try reading this issue of Crypto-Gram on the web.
San Francisco Police Want Real-Time Access to Private Surveillance Cameras
Facebook Is Now Encrypting Links to Prevent URL Stripping
NSO Group's Pegasus Spyware Used against Thailand Pro-Democracy Activists and Leaders
Russia Creates Malware False-Flag App
Critical Vulnerabilities in GPS Trackers
Apple's Lockdown Mode
Securing Open-Source Software
New UEFI Rootkit
Microsoft Zero-Days Sold and Then Used
Ring Gives Videos to Police without a Warrant or User Consent
Surveillance of Your Car
Drone Deliveries into Prisons
SIKE Broken
NIST's Post-Quantum Cryptography Standards
Hacking Starlink
A Taxonomy of Access Control
Twitter Exposes Personal Information for 5.4 Million Accounts
Upcoming Speaking Engagements
** *** ***** ******* *********** *************
San Francisco Police Want Real-Time Access to Private Surveillance Cameras
[2022.07.15] Surely no one could have predicted this:
The new proposal -- championed by Mayor London Breed after November's wild weekend of orchestrated burglaries and theft in the San Francisco Bay Area -- would authorize the police department to use non-city-owned security cameras and camera networks to live monitor "significant events with public safety concerns" and ongoing felony or misdemeanor violations.
Currently, the police can only request historical footage from private cameras related to specific times and locations, rather than blanket monitoring. Mayor Breed also complained the police can only use real-time feeds in emergencies involving "imminent danger of death or serious physical injury."
If approved, the draft ordinance would also allow SFPD to collect historical video footage to help conduct criminal investigations and those related to officer misconduct. The draft law currently stands as the following, which indicates the cops can broadly ask for and/or get access to live real-time video streams:
The proposed Surveillance Technology Policy would authorize the Police Department to use surveillance cameras and surveillance camera networks owned, leased, managed, or operated by non-City entities to: (1) temporarily live monitor activity during exigent circumstances, significant events with public safety concerns, and investigations relating to active misdemeanor and felony violations; (2) gather and review historical video footage for the purposes of conducting a criminal investigation; and (3) gather and review historical video footage for the purposes of an internal investigation regarding officer misconduct.
** *** ***** ******* *********** *************
Facebook Is Now Encrypting Links to Prevent URL Stripping
[2022.07.18] Some sites, including Facebook, add parameters to the web address for tracking purposes. These parameters have no functionality that is relevant to the user, but sites rely on them to track users across pages and properties.
Mozilla introduced support for URL stripping in Firefox 102, which it launched in June 2022. Firefox removes tracking parameters from web addresses automatically, but only in private browsing mode or when the browser's Tracking Protection feature is set to strict. Firefox users may enable URL stripping in all Firefox modes, but this requires manual configuration. Brave Browser strips known tracking parameters from web addresses as well.
Facebook has responded by encrypting the entire URL into a single ciphertext blob.
Since it is no longer possible to identify the tracking part of the web address, it is no longer possible to remove it from the address automatically. In other words: Facebook has the upper hand in regards to URL-based tracking at the time, and there is little that can be done about it short of finding a way to decrypt the information.
** *** ***** ******* *********** *************
NSO Group's Pegasus Spyware Used against Thailand Pro-Democracy Activists and Leaders
[2022.07.19] Yet another basic human rights violation, courtesy of NSO Group: Citizen Lab has the details:
Key Findings
We discovered an extensive espionage campaign targeting Thai pro-democracy protesters, and activists calling for reforms to the monarchy.
We forensically confirmed that at least 30 individuals were infected with NSO Group's Pegasus spyware.
The observed infections took place between October 2020 and November 2021.
The ongoing investigation was triggered by notifications sent by Apple to Thai civil society members in November 2021. Following the notification, multiple recipients made contact with civil society groups, including the Citizen Lab.
The report describes the results of an ensuing collaborative investigation by the Citizen Lab, and Thai NGOs iLaw, and DigitalReach.
A sample of the victims was independently analyzed by Amnesty International's Security Lab which confirms the methodology used to determine Pegasus infections.
[...]
NSO Group has denied any wrongdoing and maintains that its products are to be used "in a legal manner and according to court orders and the local law of each country." This justification is problematic, given the presence of local laws that infringe on international human rights standards and the lack of judicial oversight, transparency, and accountability in governmental surveillance, which could result in abuses of power. In Thailand, for example, Section 112 of the Criminal Code (also known as the lese-majeste law), which criminalizes defamation, insults, and threats to the Thai royal family, has been criticized for being "fundamentally incompatible with the right to freedom of expression," while the amended Computer Crime Act opens the door to potential rights violations, as it "gives overly broad powers to the government to restrict free speech [and] enforce surveillance and censorship." Both laws have been used in concert to prosecute lawyers and activists, some of whom were targeted with Pegasus.
More details. News articles.
A few months ago, Ronan Farrow wrote a really good article on NSO Group and its problems. The company was itself hacked in 2021.
L3Harris Corporation was looking to buy NSO Group, but dropped its bid after the Biden administration expressed concerns. The US government blacklisted NSO Group last year, and the company is even more toxic than it was as a result -- and a mess internally.
In another story, the nephew of jailed Hotel Rwanda dissident was also hacked by Pegasus.
EDITED TO ADD (7/28): The House Intelligence Committee held hearings on what to do about this rogue industry. It's important to remember that while NSO Group gets all the heat, there are many other companies that do the same thing.
John-Scott Railton at the hearing:
If NSO Group goes bankrupt tomorrow, there are other companies, perhaps seeded with U.S. venture capital, that will attempt to step in to fill the gap. As long as U.S. investors see the mercenary spyware industry as a growth market, the U.S. financial sector is poised to turbocharge the problem and set fire to our collective cybersecurity and privacy.
** *** ***** ******* *********** *************
Russia Creates Malware False-Flag App
[2022.07.20] The Russian hacking group Turla released an Android app that seems to aid Ukrainian hackers in their attacks against Russian networks. It's actually malware, and provides information back to the Russians:
The hackers pretended to be a "community of free people around the world who are fighting russia's aggression" -- much like the IT Army. But the app they developed was actually malware. The hackers called it CyberAzov, in reference to the Azov Regiment or Battalion, a far-right group that has become part of Ukraine's national guard. To add more credibility to the ruse they hosted the app on a domain "spoofing" the Azov Regiment: cyberazov[.]com.
[...]
The app actually didn't DDoS anything, but was designed to map out and figure out who would want to use such an app to attack Russian websites, according to Huntely.
[...]
Google said the fake app wasn't hosted on the Play Store, and that the number of installs "was miniscule."
Details from Google's Threat Analysis Group here.
** *** ***** ******* *********** *************
Critical Vulnerabilities in GPS Trackers
[2022.07.21] This is a dangerous vulnerability:
An assessment from security firm BitSight found six vulnerabilities in the Micodus MV720, a GPS tracker that sells for about $20 and is widely available. The researchers who performed the assessment believe the same critical vulnerabilities are present in other Micodus tracker models. The China-based manufacturer says 1.5 million of its tracking devices are deployed across 420,000 customers. BitSight found the device in use in 169 countries, with customers including governments, militaries, law enforcement agencies, and aerospace, shipping, and manufacturing companies.
BitSight discovered what it said were six "severe" vulnerabilities in the device that allow for a host of possible attacks. One flaw is the use of unencrypted HTTP communications that makes it possible for remote hackers to conduct adversary-in-the-middle attacks that intercept or change requests sent between the mobile application and supporting servers. Other vulnerabilities include a flawed authentication mechanism in the mobile app that can allow attackers to access the hardcoded key for locking down the trackers and the ability to use a custom IP address that makes it possible for hackers to monitor and control all communications to and from the device.
The security firm said it first contacted Micodus in September to notify company officials of the vulnerabilities. BitSight and CISA finally went public with the findings on Tuesday after trying for months to privately engage with the manufacturer. As of the time of writing, all of the vulnerabilities remain unpatched and unmitigated.
These are computers and computer vulnerabilities, but because the computers are attached to cars, the vulnerabilities become potentially life-threatening. CISA writes:
These vulnerabilities could impact access to a vehicle fuel supply, vehicle control, or allow locational surveillance of vehicles in which the device is installed.
I wouldn't have buried "vehicle control" in the middle of that sentence.
** *** ***** ******* *********** *************
Apple's Lockdown Mode
[2022.07.26] I haven't written about Apple's Lockdown Mode yet, mostly because I haven't delved into the details. This is how Apple describes it:
Lockdown Mode offers an extreme, optional level of security for the very few users who, because of who they are or what they do, may be personally targeted by some of the most sophisticated digital threats, such as those from NSO Group and other private companies developing state-sponsored mercenary spyware. Turning on Lockdown Mode in iOS 16, iPadOS 16, and macOS Ventura further hardens device defenses and strictly limits certain functionalities, sharply reducing the attack surface that potentially could be exploited by highly targeted mercenary spyware.
At launch, Lockdown Mode includes the following protections:
Messages: Most message attachment types other than images are blocked. Some features, like link previews, are disabled.
Web browsing: Certain complex web technologies, like just-in-time (JIT) JavaScript compilation, are disabled unless the user excludes a trusted site from Lockdown Mode.
Apple services: Incoming invitations and service requests, including FaceTime calls, are blocked if the user has not previously sent the initiator a call or request.
Wired connections with a computer or accessory are blocked when iPhone is locked.
Configuration profiles cannot be installed, and the device cannot enroll into mobile device management (MDM), while Lockdown Mode is turned on.
What Apple has done here is really interesting. It's common to trade security off for usability, and the results of that are all over Apple's operating systems -- and everywhere else on the Internet. What they're doing with Lockdown Mode is the reverse: they're trading usability for security. The result is a user experience with fewer features, but a much smaller attack surface. And they aren't just removing random features; they're removing features that are common attack vectors.
There aren't a lot of people who need Lockdown Mode, but it's an excellent option for those who do.
News article.
EDITED TO ADD (7/31): An analysis of the effect of Lockdown Mode on Safari.
** *** ***** ******* *********** *************
Securing Open-Source Software
[2022.07.27] Good essay arguing that open-source software is a critical national-security asset and needs to be treated as such:
Open source is at least as important to the economy, public services, and national security as proprietary code, but it lacks the same standards and safeguards. It bears the qualities of a public good and is as indispensable as national highways. Given open source's value as a public asset, an institutional structure must be built that sustains and secures it.
This is not a novel idea. Open-source code has been called the "roads and bridges" of the current digital infrastructure that warrants the same "focus and funding." Eric Brewer of Google explicitly called open-source software "critical infrastructure" in a recent keynote at the Open Source Summit in Austin, Texas. Several nations have adopted regulations that recognize open-source projects as significant public assets and central to their most important systems and services. Germany wants to treat open-source software as a public good and launched a sovereign tech fund to support open-source projects "just as much as bridges and roads," and not just when a bridge collapses. The European Union adopted a formal open-source strategy that encourages it to "explore opportunities for dedicated support services for open source solutions [it] considers critical."
Designing an institutional framework that would secure open source requires addressing adverse incentives, ensuring efficient resource allocation, and imposing minimum standards. But not all open-source projects are made equal. The first step is to identify which projects warrant this heightened level of scrutiny -- projects that are critical to society. CISA defines critical infrastructure as industry sectors "so vital to the United States that [its] incapacity or destruction would have a debilitating impact on our physical or economic security or public health or safety." Efforts should target the open-source projects that share those features.
** *** ***** ******* *********** *************
New UEFI Rootkit
[2022.07.28] Kaspersky is reporting on a new UEFI rootkit that survives reinstalling the operating system and replacing the hard drive. From an article:
The firmware compromises the UEFI, the low-level and highly opaque chain of firmware required to boot up nearly every modern computer. As the software that bridges a PC's device firmware with its operating system, the UEFI -- short for Unified Extensible Firmware Interface -- is an OS in its own right. It's located in an SPI-connected flash storage chip soldered onto the computer motherboard, making it difficult to inspect or patch the code. Because it's the first thing to run when a computer is turned on, it influences the OS, security apps, and all other software that follows.
Both links have lots of technical details; the second contains a list of previously discovered UEFI rootkits. Also relevant are the NSA's capabilities -- now a decade old -- in this area.
** *** ***** ******* *********** *************
Microsoft Zero-Days Sold and Then Used
[2022.07.29] Yet another article about cyberweapons arms manufacturers and their particular supply chain. This one is about Windows and Adobe Reader zero-day exploits sold by an Austrian company named DSIRF.
There's an entire industry devoted to undermining all of our security. It needs to be stopped.
** *** ***** ******* *********** *************
Ring Gives Videos to Police without a Warrant or User Consent
[2022.08.01] Amazon has revealed that it gives police videos from its Ring doorbells without a warrant and without user consent.
Ring recently revealed how often the answer to that question has been yes. The Amazon company responded to an inquiry from US Senator Ed Markey (D-Mass.), confirming that there have been 11 cases in 2022 where Ring complied with police "emergency" requests. In each case, Ring handed over private recordings, including video and audio, without letting users know that police had access to -- and potentially downloaded -- their data. This raises many concerns about increased police reliance on private surveillance, a practice that has long gone unregulated.
EFF writes:
Police are not the customers for Ring; the people who buy the devices are the customers. But Amazon's long-standing relationships with police blur that line. For example, in the past Amazon has given coaching to police to tell residents to install the Ring app and purchase cameras for their homes -- an arrangement that made salespeople out of the police force. The LAPD launched an investigation into how Ring provided free devices to officers when people used their discount codes to purchase cameras.
Ring, like other surveillance companies that sell directly to the general public, continues to provide free services to the police, even though they don't have to. Ring could build a device, sold straight to residents, that ensures police come to the user's door if they are interested in footage -- but Ring instead has decided it would rather continue making money from residents while providing services to police.
CNet has a good explainer.
Slashdot thread.
** *** ***** ******* *********** *************
Surveillance of Your Car
[2022.08.02] TheMarkup has an extensive analysis of connected vehicle data and the companies that are collecting it.
The Markup has identified 37 companies that are part of the rapidly growing connected vehicle data industry that seeks to monetize such data in an environment with few regulations governing its sale or use.
While many of these companies stress they are using aggregated or anonymized data, the unique nature of location and movement data increases the potential for violations of user privacy.
** *** ***** ******* *********** *************
Drone Deliveries into Prisons
[2022.08.03] Seems it's now common to sneak contraband into prisons with a drone.
** *** ***** ******* *********** *************
SIKE Broken
[2022.08.04] SIKE is one of the new algorithms that NIST recently added to the post-quantum cryptography competition.
It was just broken, really badly.
We present an efficient key recovery attack on the Supersingular Isogeny Diffie-Hellman protocol (SIDH), based on a "glue-and-split" theorem due to Kani. Our attack exploits the existence of a small non-scalar endomorphism on the starting curve, and it also relies on the auxiliary torsion point information that Alice and Bob share during the protocol. Our Magma implementation breaks the instantiation SIKEp434, which aims at security level 1 of the Post-Quantum Cryptography standardization process currently ran by NIST, in about one hour on a single core.
News article.
** *** ***** ******* *********** *************
NIST's Post-Quantum Cryptography Standards
[2022.08.08] Quantum computing is a completely new paradigm for computers. A quantum computer uses quantum properties such as superposition, which allows a qubit (a quantum bit) to be neither 0 nor 1, but something much more complicated. In theory, such a computer can solve problems too complex for conventional computers.
Current quantum computers are still toy prototypes, and the engineering advances required to build a functionally useful quantum computer are somewhere between a few years away and impossible. Even so, we already know that that such a computer could potentially factor large numbers and compute discrete logs, and break the RSA and Diffie-Hellman public-key algorithms in all of the useful key sizes.
Cryptographers hate being rushed into things, which is why NIST began a competition to create a post-quantum cryptographic standard in 2016. The idea is to standardize on both a public-key encryption and digital signature algorithm that is resistant to quantum computing, well before anyone builds a useful quantum computer.
NIST is an old hand at this competitive process, having previously done this with symmetric algorithms (AES in 2001) and hash functions (SHA-3 in 2015). I participated in both of those competitions, and have likened them to demolition derbies. The idea is that participants put their algorithms into the ring, and then we all spend a few years beating on each other's submissions. Then, with input from the cryptographic community, NIST crowns a winner. It's a good process, mostly because NIST is both trusted and trustworthy.
In 2017, NIST received eighty-two post-quantum algorithm submissions from all over the world. Sixty-nine were considered complete enough to be Round 1 candidates. Twenty-six advanced to Round 2 in 2019, and seven (plus another eight alternates) were announced as Round 3 finalists in 2020. NIST was poised to make final algorithm selections in 2022, with a plan to have a draft standard available for public comment in 2023.
Cryptanalysis over the competition was brutal. Twenty-five of the Round 1 algorithms were attacked badly enough to remove them from the competition. Another eight were similarly attacked in Round 2. But here's the real surprise: there were newly published cryptanalysis results against at least four of the Round 3 finalists just months ago -- moments before NIST was to make its final decision.
One of the most popular algorithms, Rainbow, was found to be completely broken. Not that it could theoretically be broken with a quantum computer, but that it can be broken today -- with an off-the-shelf laptop in just over two days. Three other finalists, Kyber, Saber, and Dilithium, were weakened with new techniques that will probably work against some of the other algorithms as well. (Fun fact: Those three algorithms were broken by the Center of Encryption and Information Security, part of the Israeli Defense Force. This represents the first time a national intelligence organization has published a cryptanalysis result in the open literature. And they had a lot of trouble publishing, as the authors wanted to remain anonymous.)
That was a close call, but it demonstrated that the process is working properly. Remember, this is a demolition derby. The goal is to surface these cryptanalytic results before standardization, which is exactly what happened. At this writing, NIST has chosen a single algorithm for general encryption and three digital-signature algorithms. It has not chosen a public-key encryption algorithm, and there are still four finalists. Check NIST's webpage on the project for the latest information.
Ian Cassels, British mathematician and World War II cryptanalyst, once said that "cryptography is a mixture of mathematics and muddle, and without the muddle the mathematics can be used against you." This mixture is particularly difficult to achieve with public-key algorithms, which rely on the mathematics for their security in a way that symmetric algorithms do not. We got lucky with RSA and related algorithms: their mathematics hinge on the problem of factoring, which turned out to be robustly difficult. Post-quantum algorithms rely on other mathematical disciplines and problems -- code-based cryptography, hash-based cryptography, lattice-based cryptography, multivariate cryptography, and so on -- whose mathematics are both more complicated and less well-understood. We're seeing these breaks because those core mathematical problems aren't nearly as well-studied as factoring is.
The moral is the need for cryptographic agility. It's not enough to implement a single standard; it's vital that our systems be able to easily swap in new algorithms when required. We've learned the hard way how algorithms can get so entrenched in systems that it can take many years to update them: in the transition from DES to AES, and the transition from MD4 and MD5 to SHA, SHA-1, and then SHA-3.
We need to do better. In the coming years we'll be facing a double uncertainty. The first is quantum computing. When and if quantum computing becomes a practical reality, we will learn a lot about its strengths and limitations. It took a couple of decades to fully understand von Neumann computer architecture; expect the same learning curve with quantum computing. Our current understanding of quantum computing architecture will change, and that could easily result in new cryptanalytic techniques.
The second uncertainly is in the algorithms themselves. As the new cryptanalytic results demonstrate, we're still learning a lot about how to turn hard mathematical problems into public-key cryptosystems. We have too much math and an inability to add more muddle, and that results in algorithms that are vulnerable to advances in mathematics. More cryptanalytic results are coming, and more algorithms are going to be broken.
We can't stop the development of quantum computing. Maybe the engineering challenges will turn out to be impossible, but it's not the way to bet. In the face of all that uncertainty, agility is the only way to maintain security.
This essay originally appeared in IEEE Security & Privacy.
EDITED TO ADD: One of the four public-key encryption algorithms selected for further research, SIKE, was just broken.
** *** ***** ******* *********** *************
Hacking Starlink
[2022.08.11] This is the first -- of many, I assume -- hack of Starlink. Leveraging a string of vulnerabilities, attackers can access the Starlink system and run custom code on the devices.
** *** ***** ******* *********** *************
A Taxonomy of Access Control
[2022.08.12] My personal definition of a brilliant idea is one that is immediately obvious once it's explained, but no one has thought of it before. I can't believe that no one has described this taxonomy of access control before Ittay Eyal laid it out in this paper. The paper is about cryptocurrency wallet design, but the ideas are more general. Ittay points out that a key -- or an account, or anything similar -- can be in one of four states:
safe Only the user has access,
loss No one has access,
leak Both the user and the adversary have access, or
theft Only the adversary has access.
Once you know these states, you can assign probabilities of transitioning from one state to another (someone hacks your account and locks you out, you forgot your own password, etc.) and then build optimal security and reliability to deal with it. It's a truly elegant way of conceptualizing the problem.
** *** ***** ******* *********** *************
Twitter Exposes Personal Information for 5.4 Million Accounts
[2022.08.12] Twitter accidentally exposed the personal information -- including phone numbers and email addresses -- for 5.4 million accounts. And someone was trying to sell this information.
In January 2022, we received a report through our bug bounty program of a vulnerability in Twitter's systems. As a result of the vulnerability, if someone submitted an email address or phone number to Twitter's systems, Twitter's systems would tell the person what Twitter account the submitted email addresses or phone number was associated with, if any. This bug resulted from an update to our code in June 2021. When we learned about this, we immediately investigated and fixed it. At that time, we had no evidence to suggest someone had taken advantage of the vulnerability.
In July 2022, we learned through a press report that someone had potentially leveraged this and was offering to sell the information they had compiled. After reviewing a sample of the available data for sale, we confirmed that a bad actor had taken advantage of the issue before it was addressed.
This includes anonymous accounts.
This comment has it right:
So after forcing users to enter a phone number to continue using twitter, despite twitter having no need to know the users phone number, they then leak the phone numbers and associated accounts. Great.
But it gets worse... After being told of the leak in January, rather than disclosing the fact millions of users data had been open for anyone who looked, they quietly fixed it and hoped nobody else had found it.
It was only when the press started to notice they finally disclosed the leak.
That isn't just one bug causing a security leak -- it's a chain of bad decisions and bad security culture, and if anything should attract government fines for lax data security, this is it.
Twitter's blog post unhelpfully goes on to say:
If you operate a pseudonymous Twitter account, we understand the risks an incident like this can introduce and deeply regret that this happened. To keep your identity as veiled as possible, we recommend not adding a publicly known phone number or email address to your Twitter account.
Three news articles.
** *** ***** ******* *********** *************
Upcoming Speaking Engagements
[2022.08.14] This is a current list of where and when I am scheduled to speak:
I'm speaking as part of a Geneva Centre for Security Policy course on Cyber Security in the Context of International Security, online, on September 22, 2022.
I'm speaking at IT-Security INSIDE 2022 in Zurich, Switzerland, on September 22, 2022.
The list is maintained on this page.
** *** ***** ******* *********** *************
Since 1998, CRYPTO-GRAM has been a free monthly newsletter providing summaries, analyses, insights, and commentaries on security technology. To subscribe, or to read back issues, see Crypto-Gram's web page.
You can also read these articles on my blog, Schneier on Security.
Please feel free to forward CRYPTO-GRAM, in whole or in part, to colleagues and friends who will find it valuable. Permission is also granted to reprint CRYPTO-GRAM, as long as it is reprinted in its entirety.
Bruce Schneier is an internationally renowned security technologist, called a security guru by the Economist. He is the author of over one dozen books -- including his latest, We Have Root -- as well as hundreds of articles, essays, and academic papers. His newsletter and blog are read by over 250,000 people. Schneier is a fellow at the Berkman Klein Center for Internet & Society at Harvard University; a Lecturer in Public Policy at the Harvard Kennedy School; a board member of the Electronic Frontier Foundation, AccessNow, and the Tor Project; and an Advisory Board Member of the Electronic Privacy Information Center and VerifiedVoting.org. He is the Chief of Security Architecture at Inrupt, Inc.
Copyright ? 2022 by Bruce Schneier.
** *** ***** ******* *********** *************
---
* Origin: TCOB1 (618:500/14)