Crypto-Gram
January 15, 2022
by Bruce Schneier
Fellow and Lecturer, Harvard Kennedy School
schneier@schneier.com https://www.schneier.com
A free monthly newsletter providing summaries, analyses, insights, and commentaries on security: computer and otherwise.
For back issues, or to subscribe, visit Crypto-Gram's web page.
Read this issue on the web
These same essays and news items appear in the Schneier on Security blog, along with a lively and intelligent comment section. An RSS feed is available.
** *** ***** ******* *********** *************
In this issue:
If these links don't work in your email client, try reading this issue of Crypto-
Gram on the web.
More Log4j News
More on NSO Group and Cytrox: Two Cyberweapons Arms Manufacturers Stolen Bitcoins Returned
Apple AirTags Are Being Used to Track People and Cars More Russian Cyber Operations against Ukraine People Are Increasingly Choosing Private Web Search NortonÆs Antivirus Product Now Includes an Ethereum Miner Fake QR Codes on Parking Meters
AppleÆs Private Relay Is Being Blocked Faking an iPhone Reboot
Using Foreign Nationals to Bypass US Surveillance Restrictions Using EM Waves to Detect Malware
Upcoming Speaking Engagements
** *** ***** ******* *********** *************
More Log4j News
[2021.12.16] Log4j is being exploited by all sorts of attackers, all over the Internet:
At that point it was reported that there were over 100 attempts to exploit the vulnerability every minute. ôSince we started to implement our protection we prevented over 1,272,000 attempts to allocate the vulnerability, over 46% of those attempts were made by known malicious groups,ö said cybersecurity company Check Point.
And according to Check Point, attackers have now attempted to exploit the flaw on
over 40% of global networks.
And a second vulnerability was found, in the patch for the first vulnerability. This is likely not to be the last.
** *** ***** ******* *********** *************
More on NSO Group and Cytrox: Two Cyberweapons Arms Manufacturers
[2021.12.20] Citizen Lab published another report on the spyware used against two
Egyptian nationals. One was hacked by NSO GroupÆs Pegasus spyware. The other was
hacked both by Pegasus and by the spyware from another cyberweapons arms manufacturer: Cytrox.
We havenÆt heard a lot about Cytrox and its Predator spyware. According to Citzen
Lab:
We conducted Internet scanning for Predator spyware servers and found likely Predator customers in Armenia, Egypt, Greece, Indonesia, Madagascar, Oman, Saudi
Arabia, and Serbia.
Cytrox was reported to be part of Intellexa, the so-called ôStar Alliance of spyware,ö which was formed to compete with NSO Group, and which describes itself
as ôEU-based and regulated, with six sites and R&D labs throughout Europe.ö
In related news, GoogleÆs Project Zero has published a detailed analysis of NSO GroupÆs zero-click iMessage exploit: FORCED ENTRY.
Based on our research and findings, we assess this to be one of the most technically sophisticated exploits weÆve ever seen, further demonstrating that the capabilities NSO provides rival those previously thought to be accessible to
only a handful of nation states.
By the way, this vulnerability was patched on 13 Sep 2021 in iOS 14.8.
** *** ***** ******* *********** *************
Stolen Bitcoins Returned
[2021.12.22] The US has returned $154 million in bitcoins stolen by a Sony employee.
However, on December 1, following an investigation in collaboration with Japanese
law enforcement authorities, the FBI seized the 3879.16242937 BTC in IshiiÆs wallet after obtaining the private key, which made it possible to transfer all the bitcoins to the FBIÆs bitcoin wallet.
** *** ***** ******* *********** *************
Apple AirTags Are Being Used to Track People and Cars
[2021.12.31] This development suprises no one who has been paying attention:
Researchers now believe AirTags, which are equipped with Bluetooth technology, could be revealing a more widespread problem of tech-enabled tracking. They emit
a digital signal that can be detected by devices running AppleÆs mobile operating
system. Those devices then report where an AirTag has last been seen. Unlike similar tracking products from competitors such as Tile, Apple added features to
prevent abuse, including notifications like the one Ms. Estrada received and automatic beeping. (Tile plans to release a feature to prevent the tracking of people next year, a spokeswoman for that company said.)
[...]
A person who doesnÆt own an iPhone might have a harder time detecting an unwanted
AirTag. AirTags arenÆt compatible with Android smartphones. Earlier this month, Apple released an Android app that can scan for AirTags -- but you have to be vigilant enough to download it and proactively use it.
Apple declined to say if it was working with Google on technology that would allow Android phones to automatically detect its trackers.
People who said they have been tracked have called AppleÆs safeguards insufficient. Ms. Estrada said she was notified four hours after her phone first
noticed the rogue gadget. Others said it took days before they were made aware of
an unknown AirTag. According to Apple, the timing of the alerts can vary depending on the iPhoneÆs operating system and location settings.
** *** ***** ******* *********** *************
More Russian Cyber Operations against Ukraine
[2022.01.05] Both Russia and Ukraine are preparing for military operations in cyberspace.
** *** ***** ******* *********** *************
People Are Increasingly Choosing Private Web Search
[2022.01.06] DuckDuckGo has had a banner year:
And yet, DuckDuckGo. The privacy-oriented search engine netted more than 35 billion search queries in 2021, a 46.4% jump over 2020 (23.6 billion). ThatÆs big. Even so, the company, which bills itself as the ôInternet privacy company,ö
offering a search engine and other products designed to ôempower you to seamlessly take control of your personal information online without any tradeoffs,ö remains a rounding error compared to Google in search.
I use it. ItÆs not as a good a search engine as Google. Or, at least, Google often gets me what I want faster than DuckDuckGo does. To solve that, I use use the feature that allows me to use GoogleÆs search engine through DuckDuckGo: prepend ô!Googleö to searches. Basically, DuckDuckGo launders my search.
EDITED TO ADD (1/12): I was wrong. DuckDuckGo does not provide privacy protections when searching using Google.
** *** ***** ******* *********** *************
NortonÆs Antivirus Product Now Includes an Ethereum Miner
[2022.01.07] Norton 360 can now mine Ethereum. ItÆs opt-in, and the company keeps
15%.
ItÆs hard to uninstall this option.
** *** ***** ******* *********** *************
Fake QR Codes on Parking Meters
[2022.01.10] The City of Austin is warning about QR codes stuck to parking meters
that take people to fraudulent payment sites.
** *** ***** ******* *********** *************
AppleÆs Private Relay Is Being Blocked
[2022.01.11] Some European cell phone carriers, and now T-Mobile, are blocking AppleÆs Private Relay anonymous browsing feature.
This could be an interesting battle to watch.
Slashdot thread.
** *** ***** ******* *********** *************
Faking an iPhone Reboot
[2022.01.12] Researchers have figured how how to intercept and fake an iPhone reboot:
WeÆll dissect the iOS system and show how itÆs possible to alter a shutdown event, tricking a user that got infected into thinking that the phone has been powered off, but in fact, itÆs still running. The ôNoRebootö approach simulates a
real shutdown. The user cannot feel a difference between a real shutdown and a ôfake shutdown.ö There is no user-interface or any button feedback until the user
turns the phone back ôon.ö
ItÆs a complicated hack, but it works.
Uses are obvious:
Historically, when malware infects an iOS device, it can be removed simply by restarting the device, which clears the malware from memory.
However, this technique hooks the shutdown and reboot routines to prevent them from ever happening, allowing malware to achieve persistence as the device is never actually turned off.
I see this as another manifestation of the security problems that stem from all controls becoming software controls. Back when the physical buttons actually did
things -- like turn the power, the Wi-Fi, or the camera on and off -- you could actually know that something was on or off. Now that software controls those functions, you can never be sure.
** *** ***** ******* *********** *************
Using Foreign Nationals to Bypass US Surveillance Restrictions
[2022.01.13] Remember when the US and Australian police surreptitiously owned and
operated the encrypted cell phone app ANOM? They arrested 800 people in 2021 based on that operation.
New documents received by Motherboard show that over 100 of those phones were shipped to users in the US, far more than previously believed.
WhatÆs most interesting to me about this new information is how the US used the Australians to get around domestic spying laws:
For legal reasons, the FBI did not monitor outgoing messages from Anom devices determined to be inside the U.S. Instead, the Australian Federal Police (AFP) monitored them on behalf of the FBI, according to previously published court records. In those court records unsealed shortly before the announcement of the Anom operation, FBI Special Agent Nicholas Cheviron wrote that the FBI received Anom user data three times a week, which contained the messages of all of the users of Anom with some exceptions, including ôthe messages of approximately 15 Anom users in the U.S. sent to any other Anom device.ö
[...]
Stewart Baker, partner at Steptoe & Johnson LLP, and Bryce Klehm, associate editor of Lawfare, previously wrote that ôThe æthreat to life; standard echoes the provision of U.S. law that allows communications providers to share user data
with law enforcement without legal process under 18 U.S.C. $ 2702. Whether the AFP was relying on this provision of U.S. law or a more general moral
imperative
to take action to prevent imminent threats is not clear.ö That section of law discusses the voluntary disclosure of customer communications or records.
When asked about the practice of Australian law enforcement monitoring devices inside the U.S. on behalf of the FBI, Senator Ron Wyden told Motherboard in a statement ôMultiple intelligence community officials have confirmed to me, in writing, that intelligence agencies cannot ask foreign partners to conduct surveillance that the U.S. would be legally prohibited from doing itself. The FBI
should follow this same standard. Allegations that the FBI outsourced warrantless
surveillance of Americans to a foreign government raise troubling questions about
the Justice DepartmentÆs oversight of these practices.ö
I and others have long suspected that the NSA uses foreign nationals to get around restrictions that prevent it from spying on Americans. It is interesting to see the FBI using the same trick.
** *** ***** ******* *********** *************
Using EM Waves to Detect Malware
[2022.01.14] I donÆt even know what I think about this. Researchers have developed a malware detection system that uses EM waves: ôObfuscation Revealed: Leveraging Electromagnetic Signals for Obfuscated Malware Classification.ö
Abstract: The Internet of Things (IoT) is constituted of devices that are exponentially growing in number and in complexity. They use numerous customized firmware and hardware, without taking into consideration security issues, which make them a target for cybercriminals, especially malware authors.
We will present a novel approach of using side channel information to identify the kinds of threats that are targeting the device. Using our approach, a malware
analyst is able to obtain precise knowledge about malware type and identity, even
in the presence of obfuscation techniques which may prevent static or symbolic binary analysis. We recorded 100,000 measurement traces from an IoT device infected by various in-the-wild malware samples and realistic benign activity. Our method does not require any modification on the target device. Thus, it can be deployed independently from the resources available without any overhead. Moreover, our approach has the advantage that it can hardly be detected and evaded by the malware authors. In our experiments, we were able to predict three
generic malware types (and one benign class) with an accuracy of 99.82%. Even more, our results show that we are able to classify altered malware samples with
unseen obfuscation techniques during the training phase, and to determine what kind of obfuscations were applied to the binary, which makes our approach particularly useful for malware analysts.
This seems impossible. ItÆs research, not a commercial product. But itÆs fascinating if true.
** *** ***** ******* *********** *************
Upcoming Speaking Engagements
[2022.01.14] This is a current list of where and when I am scheduled to speak:
IÆm giving an online-only talk on ôSecuring a World of Physically Capable Computersö as part of TeleportÆs Security Visionaries 2022 series, on January 18,
2022.
IÆm speaking at IT-S Now 2022 in Vienna on June 2, 2022. IÆm speaking at the 14th International Conference on Cyber Conflict, CyCon 2022,
in Tallinn, Estonia on June 3, 2022. IÆm speaking at the RSA Conference 2022 in San Francisco, June 6-9, 2022. The list is maintained on this page.
** *** ***** ******* *********** *************
Since 1998, CRYPTO-GRAM has been a free monthly newsletter providing summaries, analyses, insights, and commentaries on security technology. To subscribe, or to
read back issues, see Crypto-Gram's web page.
You can also read these articles on my blog, Schneier on Security.
Please feel free to forward CRYPTO-GRAM, in whole or in part, to colleagues and friends who will find it valuable. Permission is also granted to reprint CRYPTO-
GRAM, as long as it is reprinted in its entirety.
Bruce Schneier is an internationally renowned security technologist, called a security guru by the Economist. He is the author of over one dozen books -- including his latest, We Have Root -- as well as hundreds of articles, essays, and academic papers. His newsletter and blog are read by over 250,000 people. Schneier is a fellow at the Berkman Klein Center for Internet & Society at Harvard University; a Lecturer in Public Policy at the Harvard Kennedy School; a
board member of the Electronic Frontier Foundation, AccessNow, and the Tor Project; and an Advisory Board Member of the Electronic Privacy Information Center and VerifiedVoting.org. He is the Chief of Security Architecture at Inrupt, Inc.
Copyright C 2022 by Bruce Schneier.
** *** ***** ******* *********** *************
Mailing list hosting graciously provided by MailChimp. Sent without web bugs or link tracking.
--- BBBS/Li6 v4.10 Toy-5
* Origin: TCOB1 at tcob1.duckdns.org BinkP / Telnet (618:500/14)