• CRYPTO-GRAM, January 15, 2023

    From TCOB1@21:1/229 to All on Tue Jan 17 12:20:50 2023
    Crypto-Gram
    January 15, 2023

    by Bruce Schneier
    Fellow and Lecturer, Harvard Kennedy School schneier@schneier.com https://www.schneier.com

    A free monthly newsletter providing summaries, analyses, insights, and commentaries on security: computer and otherwise.

    For back issues, or to subscribe, visit Crypto-Gram's web page.

    Read this issue on the web

    These same essays and news items appear in the Schneier on Security blog, along with a lively and intelligent comment section. An RSS feed is available.

    ** *** ***** ******* *********** *************

    In this issue:

    If these links don't work in your email client, try reading this issue of Crypto-Gram on the web.

    A Security Vulnerability in the KmsdBot Botnet
    Apple Patches iPhone Zero-Day
    As Long as We're on the Subject of CAPTCHAs
    How to Surrender to a Drone
    Trojaned Windows Installer Targets Ukraine
    Ukraine Intercepting Russian Soldiers' Cell Phone Calls
    Critical Microsoft Code-Execution Vulnerability
    Hacking the JFK Airport Taxi Dispatch System
    LastPass Breach
    Arresting IT Administrators
    QR Code Scam
    Recovering Smartphone Voice from the Accelerometer
    Breaking RSA with a Quantum Computer
    Decarbonizing Cryptocurrencies through Taxation
    Remote Vulnerabilities in Automobiles
    Schneier on Security Audiobook Sale
    Identifying People Using Cell Phone Location Data
    ChatGPT-Written Malware
    Experian Privacy Vulnerability
    Threats of Machine-Generated Text
    Booklist Review of A Hacker's Mind
    Upcoming Speaking Engagements
    ** *** ***** ******* *********** *************

    A Security Vulnerability in the KmsdBot Botnet

    [2022.12.15] Security researchers found a software bug in the KmsdBot cryptomining botnet:

    With no error-checking built in, sending KmsdBot a malformed command -- like its controllers did one day while Akamai was watching -- created a panic crash with an "index out of range" error. Because there's no persistence, the bot stays down, and malicious agents would need to reinfect a machine and rebuild the bot's functions. It is, as Akamai notes, "a nice story" and "a strong example of the fickle nature of technology."
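    The failure mode above, as an added illustration that is not KmsdBot's code (the three-field "verb target seconds" message shape is an assumption): a Go parser that indexes fields without checking how many arrived, beside one that validates the message and a recover guard that turns a parser panic into an error instead of a dead process.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// ErrMalformed is returned for control messages that do not have the expected shape.
var ErrMalformed = errors.New("malformed command")

// Command is the parsed form of a constructed "verb target seconds" control message.
type Command struct {
	Verb    string
	Target  string
	Seconds int
}

// parseUnchecked indexes the fields of a message without checking how many
// there are. Given a short message such as "ping", f[1] and f[2] do not exist,
// so Go panics with "index out of range"; if nothing recovers that panic the
// whole process exits, which is the crash described above.
func parseUnchecked(line string) Command {
	f := strings.Fields(line)
	secs, _ := strconv.Atoi(f[2])
	return Command{Verb: f[0], Target: f[1], Seconds: secs}
}

// parseChecked validates the shape of the message before touching any field
// and returns an error instead of panicking.
func parseChecked(line string) (Command, error) {
	f := strings.Fields(line)
	if len(f) != 3 {
		return Command{}, fmt.Errorf("%w: want 3 fields, got %d", ErrMalformed, len(f))
	}
	secs, err := strconv.Atoi(f[2])
	if err != nil || secs <= 0 {
		return Command{}, fmt.Errorf("%w: bad duration %q", ErrMalformed, f[2])
	}
	return Command{Verb: f[0], Target: f[1], Seconds: secs}, nil
}

// handleSafely is the defensive wrapper a long-running network service should
// put around any parser of untrusted input: a panic inside parse is recovered
// and reported as an error, so one bad message cannot take the process down.
func handleSafely(line string, parse func(string) Command) (cmd Command, err error) {
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("%w: recovered panic: %v", ErrMalformed, r)
		}
	}()
	return parse(line), nil
}

func main() {
	good := "ping example.invalid 30" // constructed well-formed message
	bad := "ping"                     // constructed malformed message: two fields missing

	if cmd, err := parseChecked(good); err == nil {
		fmt.Println("checked parser accepted:", cmd)
	}
	if _, err := parseChecked(bad); err != nil {
		fmt.Println("checked parser rejected:", err)
	}
	// The same bad input through the unchecked parser, but under the recover guard.
	if _, err := handleSafely(bad, parseUnchecked); err != nil {
		fmt.Println("unchecked parser would have crashed:", err)
	}
}
```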

    ** *** ***** ******* *********** *************

    Apple Patches iPhone Zero-Day

    [2022.12.16] The most recent iPhone update -- to version 16.2 -- patches a zero-day vulnerability that "may have been actively exploited against versions of iOS released before iOS 15.1."

    News:

    Apple said security researchers at Google's Threat Analysis Group, which investigates nation state-backed spyware, hacking and cyberattacks, discovered and reported the WebKit bug.

    WebKit bugs are often exploited when a person visits a malicious domain in their browser (or via the in-app browser). It's not uncommon for bad actors to find vulnerabilities that target WebKit as a way to break into the device's operating system and the user's private data. WebKit bugs can be "chained" to other vulnerabilities to break through multiple layers of a device's defenses.

    ** *** ***** ******* *********** *************

    As Long as We're on the Subject of CAPTCHAs

    [2022.12.16] There are these.

    ** *** ***** ******* *********** *************

    How to Surrender to a Drone

    [2022.12.19] The Ukrainian army has released an instructional video explaining how Russian soldiers should surrender to a drone:

    "Seeing the drone in the field of view, make eye contact with it," the video instructs. Soldiers should then raise their arms and signal they're ready to follow.

    After that the drone will move up and down a few meters, before heading off at walking pace in the direction of the nearest representatives of Ukraine's army, it says.

    The video also warns that the drone's battery may run low, in which case it will head back to base and the soldiers should stay put and await a fresh one.

    That one, too, should be met with eye contact and arms raised, it says.

    Incredible.

    ** *** ***** ******* *********** *************

    Trojaned Windows Installer Targets Ukraine

    [2022.12.20] Mandiant is reporting on a trojaned Windows installer that targets Ukrainian users. The installer was left on various torrent sites, presumably ensnaring people downloading pirated copies of the operating system:

    Mandiant uncovered a socially engineered supply chain operation focused on Ukrainian government entities that leveraged trojanized ISO files masquerading as legitimate Windows 10 Operating System installers. The trojanized ISOs were hosted on Ukrainian- and Russian-language torrent file sharing sites. Upon installation of the compromised software, the malware gathers information on the compromised system and exfiltrates it. At a subset of victims, additional tools are deployed to enable further intelligence gathering. In some instances, we discovered additional payloads that were likely deployed following initial reconnaissance including the STOWAWAY, BEACON, and SPAREPART backdoors.

    One obvious solution would be for Microsoft to give the Ukrainians Windows licenses, so they don't have to get their software from sketchy torrent sites.

    ** *** ***** ******* *********** *************

    Ukraine Intercepting Russian Soldiers' Cell Phone Calls

    [2022.12.21] They're using commercial phones, which go through the Ukrainian telecom network:

    "You still have a lot of soldiers bringing cellphones to the frontline who want to talk to their families and they are either being intercepted as they go through a Ukrainian telecommunications provider or intercepted over the air," said Alperovitch. "That doesn't pose too much difficulty for the Ukrainian security services."

    [...]

    "Security has always been a mess, both in the army and among defence officials," the source said. "For example, in 2013 they tried to get all the staff at the ministry of defence to replace our iPhones with Russian-made Yoto smartphones.

    "But everyone just kept using the iPhone as a second mobile because it was much better. We would just keep the iPhone in the car's glove compartment for when we got back from work. In the end, the ministry gave up and stopped caring. If the top doesn't take security very seriously, how can you expect any discipline in the regular army?"

    This isn't a new problem and it isn't a Russian problem. Here's a more general article on the problem from 2020.

    ** *** ***** ******* *********** *************

    Critical Microsoft Code-Execution Vulnerability

    [2022.12.22] A critical code-execution vulnerability in Microsoft Windows was patched in September. It seems that researchers just realized how serious it was (and is):

    Like EternalBlue, CVE-2022-37958, as the latest vulnerability is tracked, allows attackers to execute malicious code with no authentication required. Also, like EternalBlue, it's wormable, meaning that a single exploit can trigger a chain reaction of self-replicating follow-on exploits on other vulnerable systems. The wormability of EternalBlue allowed WannaCry and several other attacks to spread across the world in a matter of minutes with no user interaction required.

    But unlike EternalBlue, which could be exploited when using only the SMB, or server message block, a protocol for file and printer sharing and similar network activities, this latest vulnerability is present in a much broader range of network protocols, giving attackers more flexibility than they had when exploiting the older vulnerability.

    [...]

    Microsoft fixed CVE-2022-37958 in September during its monthly Patch Tuesday rollout of security fixes. At the time, however, Microsoft researchers believed the vulnerability allowed only the disclosure of potentially sensitive information. As such, Microsoft gave the vulnerability a designation of "important." In the routine course of analyzing vulnerabilities after they're patched, Palmiotti discovered it allowed for remote code execution in much the way EternalBlue did. Last week, Microsoft revised the designation to critical and gave it a severity rating of 8.1, the same given to EternalBlue.

    ** *** ***** ******* *********** *************

    Hacking the JFK Airport Taxi Dispatch System

    [2022.12.23] Two men have been convicted of hacking the taxi dispatch system at the JFK airport. This enabled them to reorder the taxis on the list; they charged taxi drivers $10 to cut the line.

    ** *** ***** ******* *********** *************

    LastPass Breach

    [2022.12.26] Last August, LastPass reported a security breach, saying that no customer information -- or passwords -- were compromised. Turns out the full story is worse:

    While no customer data was accessed during the August 2022 incident, some source code and technical information were stolen from our development environment and used to target another employee, obtaining credentials and keys which were used to access and decrypt some storage volumes within the cloud-based storage service.

    [...]

    To date, we have determined that once the cloud storage access key and dual storage container decryption keys were obtained, the threat actor copied information from backup that contained basic customer account information and related metadata including company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service.

    The threat actor was also able to copy a backup of customer vault data from the encrypted storage container which is stored in a proprietary binary format that contains both unencrypted data, such as website URLs, as well as fully-encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data.

    That's bad. It's not an epic disaster, though.

    These encrypted fields remain secured with 256-bit AES encryption and can only be decrypted with a unique encryption key derived from each user's master password using our Zero Knowledge architecture. As a reminder, the master password is never known to LastPass and is not stored or maintained by LastPass.

    So, according to the company, if you chose a strong master password -- here's my advice on how to do it -- your passwords are safe. That is, you are secure as long as your password is resilient to a brute-force attack. (That they lost customer data is another story....)

    Fair enough, as far as it goes. My guess is that many LastPass users do not have strong master passwords, even though the compromise of your encrypted password file should be part of your threat model. But, even so, note this unverified tweet:

    I think the situation at @LastPass may be worse than they are letting on. On Sunday the 18th, four of my wallets were compromised. The losses are not significant. Their seeds were kept, encrypted, in my lastpass vault, behind a 16 character password using all character types.

    If that's true, it means that LastPass has some backdoor -- possibly unintentional -- into the password databases that the hackers are accessing. (Or that @Cryptopathic's "16 character password using all character types" is something like "P@ssw0rdP@ssw0rd.")

    My guess is that we'll learn more during the coming days. But this should serve as a cautionary tale for anyone who is using the cloud: the cloud is another name for "someone else's computer," and you need to understand how much or how little you trust that computer.

    If you're changing password managers, look at my own Password Safe. Its main downside is that you can't synch between devices, but that's because I don't use the cloud for anything.

    News articles. Slashdot thread.

    EDITED TO ADD: People choose lousy master passwords.

    ** *** ***** ******* *********** *************

    Arresting IT Administrators

    [2022.12.27] This is one way of ensuring that IT keeps up with patches:

    Albanian prosecutors on Wednesday asked for the house arrest of five public employees they blame for not protecting the country from a cyberattack by alleged Iranian hackers.

    Prosecutors said the five IT officials of the public administration department had failed to check the security of the system and update it with the most recent antivirus software.

    The next step would be to arrest managers at software companies for not releasing patches fast enough. And maybe programmers for writing buggy code. I don't know where this line of thinking ends.

    ** *** ***** ******* *********** *************

    QR Code Scam

    [2022.12.28] An enterprising individual made fake parking tickets with a QR code for easy payment.

    ** *** ***** ******* *********** *************

    Recovering Smartphone Voice from the Accelerometer

    [2022.12.30] Yet another smartphone side-channel attack: "EarSpy: Spying Caller Speech and Identity through Tiny Vibrations of Smartphone Ear Speakers":

    Abstract: Eavesdropping from the user's smartphone is a well-known threat to the user's safety and privacy. Existing studies show that loudspeaker reverberation can inject speech into motion sensor readings, leading to speech eavesdropping. While more devastating attacks on ear speakers, which produce much smaller scale vibrations, were believed impossible to eavesdrop with zero-permission motion sensors. In this work, we revisit this important line of reach. We explore recent trends in smartphone manufacturers that include extra/powerful speakers in place of small ear speakers, and demonstrate the feasibility of using motion sensors to capture such tiny speech vibrations. We investigate the impacts of these new ear speakers on built-in motion sensors and examine the potential to elicit private speech information from the minute vibrations. Our designed system EarSpy can successfully detect word regions, time, and frequency domain features and generate a spectrogram for each word region. We train and test the extracted data using classical machine learning algorithms and convolutional neural networks. We found up to 98.66% accuracy in gender detection, 92.6% detection in speaker detection, and 56.42% detection in digit detection (which is 5X more significant than the random selection (10%)). Our result unveils the potential threat of eavesdropping on phone conversations from ear speakers using motion sensors.

    It's not great, but it's an impressive start.

    ** *** ***** ******* *********** *************

    Breaking RSA with a Quantum Computer

    [2023.01.03] A group of Chinese researchers have just published a paper claiming that they can -- although they have not yet done so -- break 2048-bit RSA. This is something to take seriously. It might not be correct, but it's not obviously wrong.

    We have long known from Shor's algorithm that factoring with a quantum computer is easy. But it takes a big quantum computer, on the order of millions of qubits, to factor anything resembling the key sizes we use today. What the researchers have done is combine classical lattice reduction factoring techniques with a quantum approximate optimization algorithm. This means that they only need a quantum computer with 372 qubits, which is well within what's possible today. (The IBM Osprey is a 433-qubit quantum computer, for example. Others are on their way as well.)

    The Chinese group didn't have that large a quantum computer to work with. They were able to factor 48-bit numbers using a 10-qubit quantum computer. And while there are always potential problems when scaling something like this up by a factor of 50, there are no obvious barriers.

    Honestly, most of the paper is over my head -- both the lattice-reduction math and the quantum physics. And there's the nagging question of why the Chinese government didn't classify this research. But...wow...maybe...and yikes! Or not.

    "Factoring integers with sublinear resources on a superconducting quantum processor"

    Abstract: Shor's algorithm has seriously challenged information security based on public key cryptosystems. However, to break the widely used RSA-2048 scheme, one needs millions of physical qubits, which is far beyond current technical capabilities. Here, we report a universal quantum algorithm for integer factorization by combining the classical lattice reduction with a quantum approximate optimization algorithm (QAOA). The number of qubits required is O(logN/loglogN), which is sublinear in the bit length of the integer N, making it the most qubit-saving factorization algorithm to date. We demonstrate the algorithm experimentally by factoring integers up to 48 bits with 10 superconducting qubits, the largest integer factored on a quantum device. We estimate that a quantum circuit with 372 physical qubits and a depth of thousands is necessary to challenge RSA-2048 using our algorithm. Our study shows great promise in expediting the application of current noisy quantum computers, and paves the way to factor large integers of realistic cryptographic significance.

    In email, Roger Grimes told me: "Apparently what happened is another guy who had previously announced he was able to break traditional asymmetric encryption using classical computers...but reviewers found a flaw in his algorithm and that guy had to retract his paper. But this Chinese team realized that the step that killed the whole thing could be solved by small quantum computers. So they tested and it worked."

    EDITED TO ADD: One of the issues with the algorithm is that it relies on a recent factoring paper by Claus Schnorr. It's a controversial paper; and despite the "this destroys the RSA cryptosystem" claim in the abstract, it does nothing of the sort. Schnorr's algorithm works well with smaller moduli -- around the same order as ones the Chinese group has tested -- but falls apart at larger sizes. At this point, nobody understands why. The Chinese paper claims that their quantum techniques get around this limitation (I think that's what's behind Grimes's comment) but don't give any details -- and they haven't tested it with larger moduli. So if it's true that the Chinese paper depends on this Schnorr technique that doesn't scale, the techniques in this Chinese paper won't scale, either. (On the other hand, if it does scale then I think it also breaks a bunch of lattice-based public-key cryptosystems.)

    I am much less worried that this technique will work now. But this is something the IBM quantum computing people can test right now.

    EDITED TO ADD (1/4): A reporter just asked me my gut feel about this. I replied that I don't think this will break RSA. Several times a year the cryptography community received "breakthroughs" from people outside the community. That's why we created the RSA Factoring Challenge: to force people to provide proofs of their claims. In general, the smart bet is on the new techniques not working. But someday, that bet will be wrong. Is it today? Probably not. But it could be. We're in the worst possible position right now: we don't have the facts to know. Someone needs to implement the quantum algorithm and see.

    EDITED TO ADD (1/5): Scott Aaronson's take is a "no":

    In the new paper, the authors spend page after page saying-without-saying that it might soon become possible to break RSA-2048, using a NISQ (i.e., non-fault-tolerant) quantum computer. They do so via two time-tested stratagems:

    the detailed exploration of irrelevancies (mostly, optimization of the number of qubits, while ignoring the number of gates), and complete silence about the one crucial point. Then, finally, they come clean about the one crucial point in a single sentence of the Conclusion section:

    It should be pointed out that the quantum speedup of the algorithm is unclear due to the ambiguous convergence of QAOA.

    "Unclear" is an understatement here. It seems to me that a miracle would be required for the approach here to yield any benefit at all, compared to just running the classical Schnorr's algorithm on your laptop. And if the latter were able to break RSA, it would've already done so.

    All told, this is one of the most actively misleading quantum computing papers I've seen in 25 years, and I've seen ... many.

    EDITED TO ADD (1/7): More commentary. Again: no need to panic.

    EDITED TO ADD (1/12): Peter Shor has suspicions.

    ** *** ***** ******* *********** *************

    Decarbonizing Cryptocurrencies through Taxation

    [2023.01.04] Maintaining bitcoin and other cryptocurrencies causes about 0.3 percent of global CO2 emissions. That may not sound like a lot, but it's more than the emissions of Switzerland, Croatia, and Norway combined. As many cryptocurrencies crash and the FTX bankruptcy moves into the litigation stage, regulators are likely to scrutinize the cryptocurrency world more than ever before. This presents a perfect opportunity to curb their environmental damage.

    The good news is that cryptocurrencies don't have to be carbon intensive. In fact, some have near-zero emissions. To encourage polluting currencies to reduce their carbon footprint, we need to force buyers to pay for their environmental harms through taxes.

    The difference in emissions among cryptocurrencies comes down to how they create new coins. Bitcoin and other high emitters use a system called "proof of work": to generate coins, participants, or "miners," have to solve math problems that demand extraordinary computing power. This allows currencies to maintain their decentralized ledger -- the blockchain -- but requires enormous amounts of energy.

    Greener alternatives exist. Most notably, the "proof of stake" system enables participants to maintain their blockchain by depositing cryptocurrency holdings in a pool. When the second-largest cryptocurrency, Ethereum, switched from proof of work to proof of stake earlier this year, its energy consumption dropped by more than 99.9% overnight.

    Bitcoin and other cryptocurrencies probably won't follow suit unless forced to, because proof of work offers massive profits to miners -- and they're the ones with power in the system. Multiple legislative levers could be used to entice them to change.

    The most blunt solution is to ban cryptocurrency mining altogether. China did this in 2018, but it only made the problem worse; mining moved to other countries with even less efficient energy generation, and emissions went up. The only way for a mining ban to meaningfully reduce carbon emissions is to enact it across most of the globe. Achieving that level of international consensus is, to say the least, unlikely.

    A second solution is to prohibit the buying and selling of proof-of-work currencies. The European Parliament's Committee on Economic and Monetary Affairs considered making such a proposal, but voted against it in March. This is understandable; as with a mining ban, it would be both viewed as paternalistic and difficult to implement politically.

    Employing a tax instead of an outright ban would largely skirt these issues. As with taxes on gasoline, tobacco, plastics, and alcohol, a cryptocurrency tax could reduce real-world harm by making consumers pay for it.

    Most ways of taxing cryptocurrencies would be inefficient, because they're easy to circumvent and hard to enforce. To avoid these pitfalls, the tax should be levied as a fixed percentage of each proof-of-work-cryptocurrency purchase. Cryptocurrency exchanges should collect the tax, just as merchants collect sales taxes from customers before passing the sum on to governments. To make it harder to evade, the tax should apply regardless of how the proof-of-work currency is being exchanged -- whether for a fiat currency or another cryptocurrency. Most important, any state that implements the tax should target all purchases by citizens in its jurisdiction, even if they buy through exchanges with no legal presence in the country.

    This sort of tax would be transparent and easy to enforce. Because most people buy cryptocurrencies from one of only a few large exchanges -- such as Binance, Coinbase, and Kraken -- auditing them should be cheap enough that it pays for itself. If an exchange fails to comply, it should be banned.

    Even a small tax on proof-of-work currencies would reduce their damage to the planet. Imagine that you're new to cryptocurrency and want to become a first-time investor. You're presented with a range of currencies to choose from: bitcoin, ether, litecoin, monero, and others. You notice that all of them except ether add an environmental tax to your purchase price. Which one do you buy?

    Countries donΓÇÖt need to coordinate across borders for a proof-of-work tax on their own citizens to be effective. But early adopters should still consider ways to encourage others to come on board. This has precedent. The European Union is trying to influence global policy with its carbon border adjustments, which are designed to discourage people from buying carbon-intensive products abroad in order to skirt taxes. Similar rules for a proof-of-work tax could persuade other countries to adopt one.

    Of course, some people will try to evade the tax, just as people evade every other tax. For example, people might buy tax-free coins on centralized exchanges and then swap them for polluting coins on decentralized exchanges. To some extent, this is inevitable; no tax is perfect. But the effort and technical know-how needed to evade a proof-of-work tax will be a major deterrent.

    Even if only a few countries implement this tax -- and even if some people evade it -- the desirability of bitcoin will fall globally, and the environmental benefit will be significant. A high enough tax could also cause a self-reinforcing cycle that will drive down these cryptocurrencies' prices. Because the value of many cryptocurrencies relies largely on speculation, they are dependent on future buyers. When speculators are deterred by the tax, the lack of demand will cause the price of bitcoin to fall, which could prompt more current holders to sell -- further lowering prices and accelerating the effect. Declining prices will pressure the bitcoin community to abandon proof of work altogether.

    Taxing proof-of-work exchanges might hurt them in the short run, but it would not hinder blockchain innovation. Instead, it would redirect innovation toward greener cryptocurrencies. This is no different than how government incentives for electric vehicles encourage carmakers to improve green alternatives to the internal combustion engine. These incentives don't restrict innovation in automobiles -- they promote it.

    Taxing environmentally harmful cryptocurrencies can gain support across the political spectrum, from people with varied interests. It would benefit blockchain innovators and cryptocurrency researchers by shifting focus from environmental harm to beneficial uses of the technology. It has the potential to make our planet significantly greener. It would increase government revenues.

    Even bitcoin maximalists have reason to embrace the proposal: it would offer the bitcoin community a chance to prove it can survive and grow sustainably.

    This essay was written with Christos Porios, and previously appeared in the Atlantic.

    ** *** ***** ******* *********** *************

    Remote Vulnerabilities in Automobiles

    [2023.01.06] This group has found a ton of remote vulnerabilities in all sorts of automobiles.

    It's enough to make you want to buy a car that is not Internet-connected. Unfortunately, that seems to be impossible.

    ** *** ***** ******* *********** *************

    Schneier on Security Audiobook Sale

    [2023.01.06] I'm not sure why, but Audiobooks.com is offering the audiobook version of Schneier on Security at 50% off until January 17.

    EDITED TO ADD: The audiobook of We Have Root is 50% off until January 27 if you use this link.

    ** *** ***** ******* *********** *************

    Identifying People Using Cell Phone Location Data

    [2023.01.09] The two people who shut down four Washington power stations in December were arrested. This is the interesting part:

    Investigators identified Greenwood and Crahan almost immediately after the attacks took place by using cell phone data that allegedly showed both men in the vicinity of all four substations, according to court documents.

    Nowadays, it seems like an obvious thing to do -- although the search is probably unconstitutional. But way back in 2012, the Canadian CSEC -- that's their NSA -- did some top-secret work on this kind of thing. The document is part of the Snowden archive, and I wrote about it:

    The second application suggested is to identify a particular person whom you know visited a particular geographical area on a series of dates/times. The example in the presentation is a kidnapper. He is based in a rural area, so he can't risk making his ransom calls from that area. Instead, he drives to an urban area to make those calls. He either uses a burner phone or a pay phone, so he can't be identified that way. But if you assume that he has some sort of smart phone in his pocket that identifies itself over the Internet, you might be able to find him in that dataset. That is, he might be the only ID that appears in that geographical location around the same time as the ransom calls and at no other times.

    There's a whole lot of surveillance you can do if you can follow everyone, everywhere, all the time. I don't even think turning your cell phone off would help in this instance. How many people in the Washington area turned their phones off during exactly the times of the Washington power station attacks? Probably a small enough number to investigate them all.

    ** *** ***** ******* *********** *************

    ChatGPT-Written Malware

    [2023.01.10] I don't know how much of a thing this will end up being, but we are seeing ChatGPT-written malware in the wild.

    ...within a few weeks of ChatGPT going live, participants in cybercrime forums -- some with little or no coding experience -- were using it to write software and emails that could be used for espionage, ransomware, malicious spam, and other malicious tasks.

    "It's still too early to decide whether or not ChatGPT capabilities will become the new favorite tool for participants in the Dark Web," company researchers wrote. "However, the cybercriminal community has already shown significant interest and are jumping into this latest trend to generate malicious code."

    Last month, one forum participant posted what they claimed was the first script they had written and credited the AI chatbot with providing a "nice [helping] hand to finish the script with a nice scope."

    The Python code combined various cryptographic functions, including code signing, encryption, and decryption. One part of the script generated a key using elliptic curve cryptography and the curve ed25519 for signing files. Another part used a hard-coded password to encrypt system files using the Blowfish and Twofish algorithms. A third used RSA keys and digital signatures, message signing, and the blake2 hash function to compare various files.

    Check Point Research report.

    ChatGPT-generated code isn't that good, but it's a start. And the technology will only get better. Where it matters here is that it gives less skilled hackers -- script kiddies -- new capabilities.

    ** *** ***** ******* *********** *************

    Experian Privacy Vulnerability

[2023.01.12] Brian Krebs is reporting on a vulnerability in Experian's website:

Identity thieves have been exploiting a glaring security weakness in the website of Experian, one of the big three consumer credit reporting bureaus. Normally, Experian requires that those seeking a copy of their credit report successfully answer several multiple choice questions about their financial history. But until the end of 2022, Experian's website allowed anyone to bypass these questions and go straight to the consumer's report. All that was needed was the person's name, address, birthday and Social Security number.
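The weakness Krebs describes is a multi-step verification flow whose final step does not check that the middle step actually happened. The following is an added illustration, not Experian's code and not a description of how its site was built: it models a three-step flow (static identifiers, then knowledge-based-authentication questions, then the report) with a hypothetical report endpoint that checks only step 1, beside a hardened version that gates the report on server-side session state. The consumer records, KBA questions and answers are constructed sample data.

```python
"""Step-skipping in a multi-step identity-verification flow.

Added illustration with constructed data; hypothetical flow, not a real
bureau's implementation.
"""
import hmac
import secrets
import time

# Constructed sample data: hypothetical consumers and KBA answers.
CONSUMERS = {
    "123-45-6789": {"name": "Alice Example", "dob": "1980-01-01",
                    "address": "1 Main St", "report": "REPORT-ALICE"},
    "987-65-4321": {"name": "Bob Example", "dob": "1975-06-30",
                    "address": "2 Oak Ave", "report": "REPORT-BOB"},
}
KBA = {
    "123-45-6789": ("Which lender holds your auto loan?", "Example Bank"),
    "987-65-4321": ("What was your 2019 mortgage payment?", "1450"),
}
KBA_TTL_SECONDS = 300


def identify(ssn, name, dob, address):
    """Step 1: match the static identifiers. True on match, else False."""
    rec = CONSUMERS.get(ssn)
    return bool(rec) and (rec["name"], rec["dob"], rec["address"]) == (name, dob, address)


def vulnerable_get_report(ssn, name, dob, address):
    """Step 3 as modelled on the weak site: the report endpoint checks only
    the step-1 identifiers, so a requester who never saw the KBA questions
    gets the report with name, address, birthday and SSN alone."""
    if not identify(ssn, name, dob, address):
        return None
    return CONSUMERS[ssn]["report"]


class Session:
    """Server-side session state; the client holds only an opaque id."""
    def __init__(self):
        self.id = secrets.token_hex(16)
        self.pending_ssn = None    # consumer whose KBA question is outstanding
        self.verified_ssn = None   # consumer whose KBA was passed
        self.verified_at = 0.0
        self.failures = 0


def start_kba(session, ssn, name, dob, address):
    """Step 2a: only after step 1 succeeds, issue the KBA question and record
    server-side which consumer it belongs to. Returns the question or None."""
    if not identify(ssn, name, dob, address):
        return None
    session.pending_ssn = ssn
    return KBA[ssn][0]


def answer_kba(session, answer):
    """Step 2b: compare the answer in constant time; on success record the
    verified consumer and the time in the session, never in the client."""
    ssn = session.pending_ssn
    session.pending_ssn = None
    if ssn is None:
        return False
    if not hmac.compare_digest(answer.encode(), KBA[ssn][1].encode()):
        session.failures += 1   # a real deployment would lock out after a few
        return False
    session.verified_ssn = ssn
    session.verified_at = time.time()
    return True


def hardened_get_report(session, ssn):
    """Step 3, gated: serve the report only to a session whose server-side
    state says KBA was passed for this exact consumer, recently, and consume
    the grant so it cannot be replayed for a second pull."""
    if session.verified_ssn != ssn:
        raise PermissionError("KBA not passed for this consumer")
    if time.time() - session.verified_at > KBA_TTL_SECONDS:
        session.verified_ssn = None
        raise PermissionError("KBA result expired")
    session.verified_ssn = None
    return CONSUMERS[ssn]["report"]


if __name__ == "__main__":
    alice = ("123-45-6789", "Alice Example", "1980-01-01", "1 Main St")
    print("weak flow, no KBA:", vulnerable_get_report(*alice))
    s = Session()
    try:
        hardened_get_report(s, alice[0])
    except PermissionError as e:
        print("hardened flow, no KBA:", e)
    start_kba(s, *alice)
    answer_kba(s, "Example Bank")
    print("hardened flow, after KBA:", hardened_get_report(s, alice[0]))
```

The design points a practitioner should take from the hardened path: the step-2 result lives in server-side session state keyed to the specific consumer, not in a URL parameter or a cookie the client can set; the report endpoint checks that state itself rather than assuming the previous page enforced it; and the grant expires and is consumed on use.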

    ** *** ***** ******* *********** *************

    Threats of Machine-Generated Text

[2023.01.13] With the release of ChatGPT, I've read many random articles about this or that threat from the technology. This paper is a good survey of the field: what the threats are, how we might detect machine-generated text, directions for future research. It's a solid grounding amongst all of the hype.

    Machine Generated Text: A Comprehensive Survey of Threat Models and Detection Methods

Abstract: Advances in natural language generation (NLG) have resulted in machine generated text that is increasingly difficult to distinguish from human authored text. Powerful open-source models are freely available, and user-friendly tools democratizing access to generative models are proliferating. The great potential of state-of-the-art NLG systems is tempered by the multitude of avenues for abuse. Detection of machine generated text is a key countermeasure for reducing abuse of NLG models, with significant technical challenges and numerous open problems. We provide a survey that includes both 1) an extensive analysis of threat models posed by contemporary NLG systems, and 2) the most complete review of machine generated text detection methods to date. This survey places machine generated text within its cybersecurity and social context, and provides strong guidance for future work addressing the most critical threat models, and ensuring detection systems themselves demonstrate trustworthiness through fairness, robustness, and accountability.

    ** *** ***** ******* *********** *************

Booklist Review of A Hacker's Mind

[2023.01.14] Booklist reviews A Hacker's Mind:

Author and public-interest security technologist Schneier (Data and Goliath, 2015) defines a "hack" as an activity allowed by a system "that subverts the rules or norms of the system [...] at the expense of someone else affected by the system." In assessing the security of a particular system, technologists such as Schneier look at how it might fail. In order to counter a hack, it becomes necessary to think like a hacker. Schneier lays out the ramifications of a variety of hacks, contrasting the hacking of the tax code to benefit the wealthy with hacks in realms such as sports that can innovate and change a game for the better. The key to dealing with hacks is being proactive and providing adequate patches to fix any vulnerabilities. Schneier's fascinating work illustrates how susceptible many systems are to being hacked and how lives can be altered by these subversions. Schneier's deep dive into this cross-section of technology and humanity makes for investigative gold.

The book will be published on February 7. Here's the book's webpage. You can pre-order a signed copy from me here.

    ** *** ***** ******* *********** *************

    Upcoming Speaking Engagements

    [2023.01.14] This is a current list of where and when I am scheduled to speak:

I'm speaking at Capricon, a four-day science fiction convention in Chicago. My talk is on "The Coming AI Hackers" and will be held Friday, February 3 at 1:00 PM.
    The list is maintained on this page.

    ** *** ***** ******* *********** *************

    Since 1998, CRYPTO-GRAM has been a free monthly newsletter providing summaries, analyses, insights, and commentaries on security technology. To subscribe, or to read back issues, see Crypto-Gram's web page.

    You can also read these articles on my blog, Schneier on Security.

    Please feel free to forward CRYPTO-GRAM, in whole or in part, to colleagues and friends who will find it valuable. Permission is also granted to reprint CRYPTO-GRAM, as long as it is reprinted in its entirety.

    Bruce Schneier is an internationally renowned security technologist, called a security guru by the Economist. He is the author of over one dozen books -- including his latest, We Have Root -- as well as hundreds of articles, essays, and academic papers. His newsletter and blog are read by over 250,000 people. Schneier is a fellow at the Berkman Klein Center for Internet & Society at Harvard University; a Lecturer in Public Policy at the Harvard Kennedy School; a board member of the Electronic Frontier Foundation, AccessNow, and the Tor Project; and an Advisory Board Member of the Electronic Privacy Information Center and VerifiedVoting.org. He is the Chief of Security Architecture at Inrupt, Inc.

    Copyright © 2023 by Bruce Schneier.
