• CRYPTO-GRAM, December 15, 2024 Part 1

    From Sean Rima@618:500/14.1 to All on Mon Dec 23 11:41:16 2024


    ** CRYPTO-GRAM DECEMBER 15, 2024
    ------------------------------------------------------------

    by Bruce Schneier
    Fellow and Lecturer, Harvard Kennedy School
    schneier@schneier.com
    https://www.schneier.com

    A free monthly newsletter providing summaries, analyses, insights, and commentaries on security: computer and otherwise.

    For back issues, or to subscribe, visit Crypto-Gram's web page [https://www.schneier.com/crypto-gram/].

    Read this issue on the web [https://www.schneier.com/crypto-gram/archives/2024/1215.html]

    These same essays and news items appear in the Schneier on Security [https://www.schneier.com/] blog, along with a lively and intelligent
    comment section. An RSS feed is available.

    ** *** ***** ******* *********** *************


    ** IN THIS ISSUE:
    ------------------------------------------------------------

    1. Good Essay on the History of Bad Password Policies
    2. Most of 2023’s Top Exploited Vulnerabilities Were Zero-Days
    3. Why Italy Sells So Much Spyware
    4. Steve Bellovin’s Retirement Talk
    5. Secret Service Tracking People’s Locations without Warrant
    6. The Scale of Geoblocking by Nation
    7. Security Analysis of the MERGE Voting Protocol
    8. What Graykey Can and Can’t Unlock
    9. NSO Group Spies on People on Behalf of Governments
    10. Race Condition Attacks against LLMs
    11. Details about the iOS Inactivity Reboot Feature
    12. Algorithms Are Coming for Democracy—but It’s Not All Bad
    13. AI and the 2024 Elections
    14. Detecting Pegasus Infections
    15. Trust Issues in AI
    16. Full-Face Masks to Frustrate Identification
    17. Jailbreaking LLM-Controlled Robots
    18. Ultralytics Supply-Chain Attack
    19. Upcoming Speaking Events

    ** *** ***** ******* *********** *************


    ** GOOD ESSAY ON THE HISTORY OF BAD PASSWORD POLICIES
    ------------------------------------------------------------

    [2024.11.15] [https://www.schneier.com/blog/archives/2024/11/good-essay-on-the-history-of-bad-password-policies.html]
    Stuart Schechter makes some good points [https://stuartschechter.org/posts/password-history/] on the history of bad password policies:

    Morris and Thompson’s work brought much-needed data to highlight a problem that lots of people suspected was bad, but that had not been studied scientifically. Their work was a big step forward, if not for two mistakes that would impede future progress in improving passwords for decades.

    First was Morris and Thompson’s confidence that their solution, a password policy, would fix the underlying problem of weak passwords. They incorrectly assumed that if they prevented the specific categories of weakness that they had noted, that the result would be something strong. After implementing a requirement that passwords have multiple character sets or more total characters, they wrote:

    These improvements make it exceedingly difficult to find any individual password. The user is warned of the risks and if he cooperates, he is very safe indeed.

    As should be obvious now, a user who chooses “p@ssword” to comply with policies such as those proposed by Morris and Thompson is not very safe indeed. Morris and Thompson assumed their intervention would be effective without testing its efficacy, considering its unintended consequences, or even defining a metric of success to test against. Not only did their hunch turn out to be wrong, but their second mistake prevented anyone from proving them wrong.

    That second mistake was convincing sysadmins to hash passwords, so there
    was no way to evaluate how secure anyone’s password actually was. And it wasn’t until hackers started stealing and publishing large troves of actual passwords that we got the data: people are terrible at generating secure passwords, even with rules.
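    To make the “p@ssword” point concrete, here is an added illustration in Python (not from Schechter’s essay or from this newsletter): an approximation of a Morris-and-Thompson-style composition rule beside the breached-password blocklist check that replaces it in current guidance. The policy parameters, the leet map and the blocklist are constructed assumptions for the demo.

```python
import re

# Constructed: reverse map for the substitutions users make to satisfy a policy.
LEET_MAP = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                          "0": "o", "$": "s", "5": "s", "7": "t"})

# Constructed sample; a real check uses a large list of passwords seen in breaches.
BLOCKLIST = {"password", "letmein", "welcome", "qwerty", "monkey"}

CLASSES = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")


def meets_composition_policy(pw: str, min_len: int = 8, long_len: int = 12) -> bool:
    """Approximation (an assumption, not Morris and Thompson's exact parameters):
    accept a password that mixes at least two character sets and has min_len
    characters, or one with at least long_len characters regardless of mix."""
    n_classes = sum(1 for pattern in CLASSES if re.search(pattern, pw))
    return len(pw) >= long_len or (len(pw) >= min_len and n_classes >= 2)


def normalize(pw: str) -> str:
    """Recover the dictionary word a policy-compliant password was built from:
    lower-case it, drop trailing digits/symbols ("Password1!"), undo leet
    swaps ("p@ssw0rd")."""
    core = re.sub(r"[^a-z]+$", "", pw.lower())
    return core.translate(LEET_MAP)


def is_blocklisted(pw: str) -> bool:
    """The check the essay's argument calls for: test what attackers actually guess."""
    return normalize(pw) in BLOCKLIST


def evaluate(pw: str) -> dict:
    """Both verdicts side by side; policy_ok=True with blocklisted=True is the
    'p@ssword' case the essay describes."""
    return {"policy_ok": meets_composition_policy(pw), "blocklisted": is_blocklisted(pw)}


if __name__ == "__main__":
    for candidate in ("p@ssword", "Password1!", "hunter2", "correct horse battery staple"):
        print(f"{candidate!r}: {evaluate(candidate)}")
```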

    ** *** ***** ******* *********** *************


    ** MOST OF 2023’S TOP EXPLOITED VULNERABILITIES WERE ZERO-DAYS
    ------------------------------------------------------------

    [2024.11.18] [https://www.schneier.com/blog/archives/2024/11/most-of-2023s-top-exploited-vulnerabilities-were-zero-days.html]
    Zero-day vulnerabilities are more commonly used [https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-317a], according to the Five Eyes:

    Key Findings

    In 2023, malicious cyber actors exploited more zero-day vulnerabilities to compromise enterprise networks compared to 2022, allowing them to conduct cyber operations against higher-priority targets. In 2023, the majority of the most frequently exploited vulnerabilities were initially exploited as a zero-day, which is an increase from 2022, when less than half of the top exploited vulnerabilities were exploited as a zero-day.

    Malicious cyber actors continue to have the most success exploiting vulnerabilities within two years after public disclosure of the vulnerability. The utility of these vulnerabilities declines over time as more systems are patched or replaced. Malicious cyber actors find less utility from zero-day exploits when international cybersecurity efforts reduce the lifespan of zero-day vulnerabilities.

    ** *** ***** ******* *********** *************


    ** WHY ITALY SELLS SO MUCH SPYWARE
    ------------------------------------------------------------

    [2024.11.19] [https://www.schneier.com/blog/archives/2024/11/why-italy-sells-so-much-spyware.html]
    Interesting analysis [https://therecord.media/how-italy-became-an-unexpected-spyware-hub]:

    Although much attention is given to sophisticated, zero-click spyware
    developed by companies like Israel’s NSO Group, the Italian spyware marketplace has been able to operate relatively under the radar by
    specializing in cheaper tools. According to an Italian Ministry of Justice
    ---
    * Origin: High Portable Tosser at my node (618:500/14.1)