Clive Robinson • September 16, 2019 2:14 AM

@ Bruce, and the usual suspects,

The “Low Hanging Fruit” appears to have changed in Ransomware attacks accordong to F-Secure,

https://www.zdnet.com/article/ransomware-attacks-weak-passwords-are-now-your-biggest-risk/

In an investigation earlier this year they found that fishing attacks are now not as popular as weak password techniques.

Why this is the case is not investigated in the ZDNet article, however it is important information if it can be deduced.

My personal view is it probably is related to the increasing number of entrants into the Ransomware area of criminality due to the fact that “pay-or-die” is realy the only option for most organisations that get hit.

The simple fact is that Ransomware attacks work because for what ever reason organisations do not take steps to mitigate it and attack are a quite real existential threat to way to many entities.

Whilst the usual industry argument is “AV and patching” people should realise that neither of those work against Zero-Day based attacks. As we saw with WannaCry there are often reasons why patching can not happen and the history of AV software is that covarage of known malware is often not compleate by any given vendor.

Thus it’s reasonable to assume that Ransomware will get past the “AV and patching” defences and will only get worse if Governments get their “backdoors” (some already think that some Governments have applied coercion to AV companies to do this already).

There are however mitigations that are known to work or atleast minimize damage. So if people design their systems with these mitigations in mind they will have greater resilience.

Clive Robinson • September 17, 2019 3:28 AM

More troubles in Linux Random

In a saga that appears to never end Linux has problems with it’s source of randomness and the way people (ab)use it. So there is the following that has popped up,

https://lore.kernel.org/linux-ext4/20190915081747.GA1058@darwi-home-pc/

For those not close to or in the loop on “random in *nix” distributions, get a hot cup of your favourite “Brownian Motion Generator” sit back relax and read on,

Historically like all Commercial OS’s from the miriad of platform vendors of the time that had a random generator built in, *nix /dev/random was a very fast but very insecure algorithm often a simple “add C, mod N” linear generator (see Vol 2 of Knuth for a discussion of the failings).

Sort of great if you are doing simulations and needed to do things the same way twice or more, but usless for doing anything even remotely secure where “The difference between determanistic and nondetermanistic behavior in the observed output is very important”[3].

The random problems became so obvious, that at some point all *nix needed to change but by then the various commercial *nix were in the thick of fighting pyric wars etc. So like a stop motion film of a fragmentation grenade nearly all *nix went their own way doing considerable damage in the process… Which in turn started a history of hack upon hack as people realised it was not an easy problem with so many corner cases that you had to assume nearly every use case was a corner case unless you could definitely show otherwise. So a real problem even if you were developing quite simple code for multiple platforms.

To this day there is still no commonality of function across the various *nix platforms and historically the Linux one that appeared worst was the Debian GNU/Linux as that’s where a lot of the problems –that other *nix had as well– first showed up.

Well it appears that Linux random(4) is still unsuprisingly having teething problems after several decades…

An ever changing part of the problem is “Where do you get entropy from?”, and that alone is a subject of great philisophical as well as technical debate. Especially as technology keeps changing (think mechanical HD’s to Solid State HD’s as just one of a myriad of such changes where nondeterminism from physical sources effectively disapears).

In Linux, there was –prior to 4.8 when a CS-PRNG was added to the mix– a random entropy pool and the only difference between /dev/urandom and /dev/random was what happens when the base random process thought there was insufficient entropy in the system /dev/random fails closed and returns with a value, /dev/urandom fails open and blocks waiting on the entropy count unless you made inadvisable changes via the IO Control (ioctl) mechanism. Basically both drivers were getting their mechanical and other nondetermanistic entropy from add_disk_randomness(), add_interrupt_randomness(), and add_input_randomness()[0].

Other *nix’s actually fudge around this lack of entropy during re-boot by reading in entropy stored in a file (you can in theory do this on Linux via the ioctl call but I don’t know of anyone who has tried it). However this does not work on “First power up” on embedded and similar systems such as network appliances as the “file” either would not exist or have “Content known by others”. Such as the manufacturer or worse the likes of the NSA, GCHQ and any other entity that decides to take an intetest.

Another part of the problem is “documentation” it’s often out of date or plain wrong. This has given rise to a whole myth based view not just of “Here be Dragons” but how you should use the Linux random system. So much so it has it’s own documentation[1] that people should read.

At one point the correct advice given in the random(4) man page[2] was,

When read during early boot time, /dev/urandom may return data prior to the entropy pool being initialized. If this is of concern in your application, use getrandom(2) or /dev/random instead.

The /dev/random device is a legacy interface which dates back to a time where the cryptographic primitives used in the implementation of /dev/urandom were not widely trusted. It will return random bytes only within the estimated number of bits of fresh noise in the entropy pool, blocking if necessary. /dev/random is suitable for applications that need high quality randomness, and can afford indeterminate delays.

Is not exactly clear, but yes /dev/random is both depreciated and required for certain security related tasks…

Often Crypto tasks such as making key certificates and starting up certain crypto processes all of which if done at boot time or early in the powered up state will not work correctly. Because the entropy estimator has blocked /dev/random and developers do the wrong thing such as use /dev/urandom or getrandom(2) to keep users happy…

This is actually a realy bad security issue in the likes of “embbeded systems” or “network appliances” especially at “first power up out of the box”. Which is a time when all the PKcerts and other Master Secrets are usually generated… Something I’m sure the NSA, GCHQ et al must love.

Well things have not been good in that respect for some time. Nearly all mechanical sources of entropy are virtually gone in many systems, as is user input, the harware RNG’s in CPU’s are either broken or untrusted and due to fundemental choices in design Linux’s RNG blocks during the boot process often waiting what feels like eons on entropy which is fatal on “Network Appliances” and the like.

So the Linux random system is far from what it could be which is why it’s on the move again, if they get it right or not is however “A toss of a coin, in a moment of time”.

[0] For information on the actual sources of mechanical and nondetermanistic input to the main entropy pool on your distribution and revision of GNU/Linux, you will need to take a look at /drivers/char/random.c in your kernel source tree.

[1] https://www.2uo.de/myths-about-urandom/

[2] http://man7.org/linux/man-pages/man4/random.4.html

[3] Why is a nondetermanistic output so crucial, well because you often use it for creating PKcerts and Master Secrets/Keys on which your security rests. You can read further on the subject from our host @Bruce, who’s docs on Fortuna and Yarrow can be found at,

https://www.schneier.com/academic/fortuna/

Also further reading is to be found in “Mind your P’s and Q’s”

https://www.usenix.org/system/files/conference/usenixsecurity12/sec12-final228.pdf

Clive Robinson • September 20, 2019 9:37 PM

@ gordo, ALL,

How Long Will Unbreakable Commercial Encryption Last?
By Stewart Baker

A word of caution Mr Baker is Ex-NSA legal council who over saw the implementation and hiding of much that Ed Snowden came to reveal via his trove.

If you read other of Mr Baker’s outpourings, you will probably conclude he has a definite interest in seeing such a distopyian future, in fact he actively expresses the view that it is a right and proper one (just as famous politicians of the past did over the slaves they owned and abused either directly or indirectly).

In essence Mr Barker has “paymaster views” and in part earns a living by preaching an Orwellian future is not just inevitable but that we the rats in the maze should be gratefull. That is a future where you have no right to privacy, your entire life bought and sold by people who will lie to you, cheat you, and steal from you, and further with no qualms what so ever take your liberty and life and every other freedom and right you think you might have, if it’s convenient for them to do so. Where you do not have the same rights as him and those who pay him, because they have not just your life on record, but the life of every one you have ever had contact with, even be it just you were once on the same busy street twenty years ago and even though you never even saw the persons face let alone had interaction with them, they will find someone to dress it up and make you look guilty in front of a jury that has been selected because they realy only want to be home watching the fiction of “reality TV” and “Soap Operas” that are the new “Opioid of the masses”. Such entertainments quite deliberatly tuned to almost an individual message level to breed compliance in you. Of course this will be reinforced via “Social Scoring”, and this will all be called “The New Social Contract” to snow you into thinking that you have some kind of equality under the eyes of the law.

Be that good or bad for you, your children, and their children Mr Barker actually sees it as good not just because it makes him wealthy and in a prominent position, and even in the public eye, but worse much worse also in a paternalistic way that is in reality quite divorced from the actuality of daily life by far the majority do and will live and die in.

If you read through the article carefully you will find Mr Baker’s bias sown through it. He starts off with factual statments about what other countries are apparently doing, in a way that would make you think that it is of their own free will. But he does not tell you about the anti-encrption campaigns the FBI and NSA ran against these countries, with the likes of FBI Director Louis Freeh’s secret round of visits preaching doom and gloom with a side order of threats[1] three decades or so ago as just part of a well established policy going back decades before that. Thus subsequently as the policy started to grind, the other Five-Eye SigInt, Law Enforcement and Inteligence Community entities campaigning against the democratically elected leaders in an almost never ending grind of half truths and lies of omission[2].

Thrm Mr Baker moves on to presenting false information by quoting others as though what they were saying is factual when Mr Baker full well knows it is not. For instance Mr Barr is known to make factually incorrect statments and neither accept he has made them or take any steps to correct them. He just comes up with new ones as the truth of his previous falsehoods become inconvenient to him. Such behaviour was once dubbed “Real Politic”.

Mr Baker full well knows Mr Barr’s statments are false but he in turn makes no effort to correct them.

I could carry on but you get the idea Mr Baker is painting a fantasy by selective use of partial facts and other’s lies, to push his agenda.

As always “When supping with the devil use a long spoon” oh and first check what’s on the menu it might just be you…

[1] The threats from the the FBI and NSA were the usual bullying tactics of “our way or no way”. In essence the tactics of drug dealers and similar are employed of “we currently have a working relationship, where you are dependent on us, we are going to change it by making you bleed more, if you don’t agree the working relationship will cease and we will cut off your supply”. The other nations entities were first however pushed into that state of dependency by the short term stupidity of politicians, just remember that every time you here them talking of “The Special Relationship”. It’s the way that certain people interpret Theodore Roosevelt’s “Speak softly and carry a big stick” which goes along with General Curtis LeMay’s “we’re going to bomb them back to the stone ages” when in charge of the US nuclear arsenal.

[2] It’s always the “think of the children” you hear, never the “think of the billions of daily transactions worth trillions that keeps us all alive” and much much more.

Clive Robinson • September 21, 2019 7:28 AM

@ gordo,

I suspect Libra will actually go nowhere, because it’s just to big a poison pill for any government to swallow at the end of the day. Because in effect it would be like replacing their currancy and the political control it gives them with that under anothers political control.

If you look back in history a little bit, you will see not only have several Southern European nations found out this is not a good idea with the Euro effectively under Franco/German control. But further back in 1992 the UK had the fact forced on them that sovereign nation goverments are now nolonger “above the market”.

The UK nearly joined the forerunner of what would become the Euro, via the European “Exchange Rate Mechanism” (ERM). It was under John Major’s leadership and the Government saw benifits in being in the European ERM for the stability of low inflation and growth (not what financial markets actually want). Many these days indicate that the UK actually more than met the requirments as later financial stability and low inflation showed, and that was probably the reason behind what happened.

Currancy traders saw in the UK attempted entry into the ERM a way to bleed the UK currancy reserves dry and make significant profit. Hungarian-born global financier George Soros, is reputed to have made at least a $1bn profit at Britain’s expense when he caused “Black Wednesday”. Which caused the UK to have hyper inflation, currency devaluation and be forced out of the ERM all in a single day[1] on the 16th of September 1992.

It’s for this reason others look misty eyed back to the days of the Bretton-Woods agreament… But it was destroyed by government greed with the invention of the Euro Bond market, which was one of the reasons the European Exchange Rate Mechanism was designed in the first place.

The problems with Money Markets is why some people say it’s nolonger possible to create Super Nations from smaller Sovereign Nations or even stable Federations when the participants have different economies. Such as in Europe and America with an Industrial Northan economy fed by an Agrarian Southern economy. Whilst money markets will certainly exploit such an opportunity it’s actually due to more fundemental issues. In part because differing economies types to pull in different directions to get higher socioeconomic standing for those in the econonu. Thus an Industrial economy wants low food import prices and high goods export prices, and an agrarian economy wants low goods import prices and high food export prices. Trying to equalise them causes wages to go down in the industrial economy and wages to go up in the agrarian economy with both causing unemployment and significant social disruption. You can actually see these effects in existing super nation’s internal economies such as the US, EU and China. The result is the differences play out most visably in international trade, where governments think they can still play the game to their advantage. I rather suspect that they will find they can not for almost the same reasons we have entropy and chaos becomes very localized and short lived[2] due to the diminishing of the distance metric (which economic theory tries to avoid).

[1] http://news.bbc.co.uk/1/hi/business/4249425.stm

[2] The more localised chaos becomes the less time there is to take advantage of it. Which is not what the money markets want as the potential profit is directly related to market chaos, thus would be too small for them to profit from thus exist as they currently do. They want regional or global chaos to maximise profit potential opportunities for reasonable time periods, especially where nations pit themselves against each other and normal trade breaks down. Though other markets such as the futures market in Aluminium are being quite deliberatly manipulated with what are in effect cartels trying to creat artificial shortages to creat profit. Others are inventing new markets such as the various algorithmic fast trading markets designed to optomise very short duration chaos for profit. All these markets are in fact artificial and quite deliberately designed for “rent seeking” purposes, the problem is the are “faux markets” that deliberately engender instability or chaos that ripples out and causes wider socioeconomic issues that lead inturn to political instability and eventually conflict be it civil or inter national. As faux markets benifit even more by such conflict we are entering a downward spiral. Quite a few are seeing this and thus believe rightly or wrongly we are approaching such a cusp and that some kind of social if not military upheaval is inevitable in the relatively near future. Hence the likes of Sillicon Valley Execs[3] buying up land and citizenship in the south of New Zealand also known as “the last bus stop to the south pole” or “the last bus stop to nowhere”. With those of lesser wealth buying up plots of land in wilderness areas and building their bunkers etc and learning new life skills such as how to be entirely self sufficient, make improvised weapons and much else that is seen as “fringe”. Unfortunately this in turn attracts extream politics which we are seeing is very much on the increase, and also create more instability and chaos.

[3] The joke of it all is that fiscal wealth and most of the assets people try to hold it in can not be eaten, drank, traded for medicine when you get sick, or in otherways protected… If society does break down we will ironically get an “information economy” because only those with the right knowledge to teach and practice certain skills we have all but forgotton will survive and thrive. The price of this of course is that millions if not billions who don’t have such knowledge will die as a consequence. If we look back to the likes of the Black Death and at the likes of the current tribal war lords in Africa etc we can see the consequences of “lack of knowledge”.