<a href="https://www.schneier.com/blog/archives/2021/09/rot8000.html"><strong>[2021.09.23]</strong></a> <a href="http://rot8000.com/Index">ROT8000</a> is the Unicode equivalent of <a href="https://en.wikipedia.org/wiki/ROT13">ROT13</a>. What’s clever about it is that normal English looks like Chinese, and not like ciphertext (to a typical Westerner, that is).
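A simplified ROT8000-style rotation, added here as an illustration and not the rot8000.com code: it assumes an alphabet of every BMP code point except the UTF-16 surrogates and shifts by half of it, so it is its own inverse like ROT13 and sends printable ASCII into the CJK Unified Ideographs block (the site's exact mapping differs).

```python
"""Simplified ROT8000-style rotation over the Unicode Basic Multilingual Plane.

Assumption for this example: the alphabet is every BMP code point except the
UTF-16 surrogates (U+D800..U+DFFF). The shift is half the alphabet size, so
applying the function twice returns the original text, exactly as ROT13 does
over the 26 letters. Like ROT13 it is obfuscation, not encryption.
"""

SURROGATE_START = 0xD800
SURROGATE_END = 0xDFFF                                   # inclusive
SURROGATE_COUNT = SURROGATE_END - SURROGATE_START + 1    # 2048
ALPHABET_SIZE = 0x10000 - SURROGATE_COUNT                # 63488
SHIFT = ALPHABET_SIZE // 2                               # 31744 = 0x7C00

CJK_START, CJK_END = 0x4E00, 0x9FFF                      # CJK Unified Ideographs


def _to_index(cp: int) -> int:
    """Position of a non-surrogate BMP code point in the rotation alphabet."""
    return cp if cp < SURROGATE_START else cp - SURROGATE_COUNT


def _from_index(idx: int) -> int:
    """Inverse of _to_index: alphabet position back to a code point."""
    return idx if idx < SURROGATE_START else idx + SURROGATE_COUNT


def rot8000(text: str) -> str:
    """Rotate each BMP code point by SHIFT; other characters pass through."""
    out = []
    for ch in text:
        cp = ord(ch)
        # Astral characters (emoji, rare CJK) and lone surrogates are not
        # part of the rotation alphabet, so they are left untouched.
        if cp > 0xFFFF or SURROGATE_START <= cp <= SURROGATE_END:
            out.append(ch)
            continue
        out.append(chr(_from_index((_to_index(cp) + SHIFT) % ALPHABET_SIZE)))
    return "".join(out)


def is_cjk_ideograph(ch: str) -> bool:
    """True if ch falls in the CJK Unified Ideographs block."""
    return CJK_START <= ord(ch) <= CJK_END


def looks_like_chinese(text: str) -> bool:
    """True if every character is a CJK ideograph. Printable ASCII
    (U+0020..U+007E) rotates to U+7C20..U+7C7E, all inside that block,
    which is why rotated English reads as Chinese to a casual viewer."""
    return all(is_cjk_ideograph(c) for c in text)


if __name__ == "__main__":
    plain = "Meet me at noon"
    rotated = rot8000(plain)
    print(rotated, looks_like_chinese(rotated), rot8000(rotated) == plain)
```

Because the transform is keyless and self-inverse, a content filter that sees unexpected CJK text can apply the same function and inspect the result.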
<h2>The Proliferation of Zero-days</h2>
<a href="https://www.schneier.com/blog/archives/2021/09/the-proliferation-of-zero-days.html"><strong>[2021.09.24]</strong></a> The <i>MIT Technology Review</i> is <a href="https://www.technologyreview.com/2021/09/23/1036140/2021-record-zero-day-hacks-reasons/">reporting</a> that 2021 is a blockbuster year for zero-day exploits:
<blockquote>One contributing factor in the higher rate of reported zero-days is the rapid global proliferation of hacking tools.
Powerful groups are all pouring heaps of cash into zero-days to use for themselves — and they’re reaping the rewards.
At the top of the food chain are the government-sponsored hackers. China alone is suspected to be responsible for nine zero-days this year, says Jared Semrau, a director of vulnerability and exploitation at the American cybersecurity firm FireEye Mandiant. The US and its allies clearly possess some of the most <a href="https://www.technologyreview.com/2021/03/26/1021318/google-security-shut-down-counter-terrorist-us-ally/">sophisticated hacking capabilities</a>, and there is rising talk of <a href="https://www.nytimes.com/2021/09/20/opinion/ransomware-biden-russia.html">using those tools more aggressively</a>.
Few who want zero-days have the capabilities of Beijing and Washington. Most countries seeking powerful exploits don’t have the talent or infrastructure to develop them domestically, and so they purchase them instead.
It’s easier than ever to buy zero-days from the growing exploit industry. What was once prohibitively expensive and high-end is now more widely accessible.
And <a href="https://www.bleepingcomputer.com/news/security/new-ransomware-group-uses-sonicwall-zero-day-to-breach-networks/">cybercriminals, too, have used zero-day</a> attacks to make money in recent years, finding flaws in software that allow them to run valuable ransomware schemes.
“Financially motivated actors are more sophisticated than ever,” Semrau says. “One-third of the zero-days we’ve tracked recently can be traced directly back to financially motivated actors. So they’re playing a significant role in this increase which I don’t think many people are giving credit for.”
No one we spoke to believes that the total number of zero-day attacks more than doubled in such a short period of time — just the number that have been caught. That suggests defenders are becoming better at catching hackers in the act.
You can look at the data, such as <a href="https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit#gid=0">Google’s zero-day spreadsheet</a>, which tracks nearly a decade of significant hacks that were caught in the wild.
One change the trend may reflect is that there’s more money available for defense, not least from larger bug bounties and rewards put forward by tech companies for the discovery of new zero-day vulnerabilities. But there are also better tools.</blockquote>
<h2>I Am Not Satoshi Nakamoto</h2>
<a href="https://www.schneier.com/blog/archives/2021/09/i-am-not-satoshi-nakamoto.html"><strong>[2021.09.24]</strong></a> This isn’t the first time I’ve received an e-mail like this:
<blockquote>Hey! I’ve done my research and looked at a lot of facts and old forgotten archives. I know that you are Satoshi, I do not want to tell anyone about this. I just wanted to say that you created weapons of mass destruction where niches remained poor and the rich got richer! When bitcoin first appeared, I was small, and alas, my family lost everything on this, you won’t find an apple in the winter garden, people only need strength and money. Sorry for the English, I am from Russia, I can write with errors. You are an amazingly intelligent person, very intelligent, but the road to hell is paved with good intentions. Once I dreamed of a better life for myself and my children, but this will never come …</blockquote>
I like the bit about “old forgotten archives,” by which I assume he’s referring to the <a href="https://en.wikipedia.org/wiki/Cryptography_newsgroups">sci.crypt Usenet group</a> and the <a href="https://cryptochainuni.com/cypherpunks-mailing-list-archive/">Cypherpunks mailing list</a>. (I posted to the latter a lot, and the former rarely.)
For the record, I am not Satoshi Nakamoto. I suppose I could have invented the bitcoin protocols, but I wouldn’t have done it in secret. I would have drafted a paper, showed it to a lot of smart people, and improved it based on their comments. And then I would have published it under my own name. Maybe I would have realized how <a href="https://www.wired.com/story/theres-no-good-reason-to-trust-blockchain-technology/">dumb the whole idea is</a>. I doubt I would have predicted that it would become so popular and contribute materially to global climate change. In any case, I did nothing of the sort.
Read the <a href="http://satoshinakamoto.me/bitcoin.pdf">paper</a>. It doesn’t even sound like me.
Of course, this will convince no one who doesn’t already believe. Such is the nature of conspiracy theories.
<h2>Tracking Stolen Cryptocurrencies</h2>
<a href="https://www.schneier.com/blog/archives/2021/09/tracking-stolen-cryptocurrencies.html"><strong>[2021.09.27]</strong></a> Good <a href="https://www.washingtonpost.com/technology/2021/09/22/stolen-crypto/">article</a> about the current state of cryptocurrency forensics.
<h2>Check What Information Your Browser Leaks</h2>
<a href="https://www.schneier.com/blog/archives/2021/09/check-what-information-your-browser-leaks.html"><strong>[2021.09.28]</strong></a> These <a href="https://ipleak.net/">two</a> <a href="https://dnsleaktest.com/">sites</a> tell you what sorts of information you’re leaking from your browser.
<h2>Hardening Your VPN</h2>
<a href="https://www.schneier.com/blog/archives/2021/09/hardening-your-vpn.html"><strong>[2021.09.30]</strong></a> The NSA and CISA have <a href="https://www.nsa.gov/Press-Room/News-Highlights/Article/Article/2791320/nsa-cisa-release-guidance-on-selecting-and-hardening-remote-access-vpns/">released</a> a <a href="https://media.defense.gov/2021/Sep/28/2002863184/-1/-1/0/CSI_SELECTING-HARDENING-REMOTE-ACCESS-VPNS-20210928.PDF">document</a> on how to harden your VPN.
<h2>A Death Due to Ransomware</h2>
<a href="https://www.schneier.com/blog/archives/2021/10/a-death-due-to-ransomware.html"><strong>[2021.10.01]</strong></a> The <i>Wall Street Journal</i> is <a href="https://www.wsj.com/articles/ransomware-hackers-hospital-first-alleged-death-11633008116">reporting</a> on a baby’s death at an Alabama hospital in 2019, which they argue was a direct result of the ransomware attack the hospital was undergoing.
<blockquote>Amid the hack, fewer eyes were on the heart monitors — normally tracked on a large screen at the nurses’ station, in addition to inside the delivery room. Attending obstetrician Katelyn Parnell texted the nurse manager that she would have delivered the baby by caesarean section had she seen the monitor readout. “I need u to help me understand why I was not notified.” In another text, Dr. Parnell wrote: “This was preventable.”
[The mother] Ms. Kidd has sued Springhill [Medical Center], alleging information about the baby’s condition never made it to Dr. Parnell because the hack wiped away the extra layer of scrutiny the heart rate monitor would have received at the nurses’ station. If proven in court, the case will mark the first confirmed death from a ransomware attack.</blockquote>
What will be interesting to see is whether the courts rule that the hospital was negligent in its security, contributing to the success of the ransomware and by extension the death of the infant.
<blockquote>Springhill declined to name the hackers, but Allan Liska, a senior intelligence analyst at Recorded Future, said it was likely the Russian-based Ryuk gang, which was singling out hospitals at the time.</blockquote>
They’re certainly never going to be held accountable.
Another <a href="https://threatpost.com/babys-death-linked-ransomware/175232/">article</a>.
<h2>Cheating on Tests</h2>
<a href="https://www.schneier.com/blog/archives/2021/10/cheating-on-tests.html"><strong>[2021.10.04]</strong></a> Interesting <a href="https://boingboing.net/2021/10/02/test-takers-busted-for-using-bluetooth-connected-flip-flops-to-cheat.html">story</a> of test-takers in India using Bluetooth-connected flip-flops to communicate with accomplices while taking a test.
What’s interesting is how this cheating was discovered. It’s not that someone noticed the communication devices. It’s that the proctors noticed that cheating test-takers were acting <a href="https://www.schneier.com/essays/archives/2004/11/profile_hinky.html">hinky</a>.
<h2>Facebook Is Down</h2>
<a href="https://www.schneier.com/blog/archives/2021/10/facebook-is-down.html"><strong>[2021.10.04]</strong></a> Facebook — along with Instagram and WhatsApp — went <a href="https://www.nytimes.com/2021/10/04/technology/facebook-down.html">down globally</a> today. Basically, someone <a href="https://krebsonsecurity.com/2021/10/what-happened-to-facebook-instagram-whatsapp/">deleted</a> their BGP records, which made their DNS <a href="https://twitter.com/GossiTheDog/status/1445065065527394321">fall apart</a>.
<blockquote>…at approximately 11:39 a.m. ET today (15:39 UTC), someone at Facebook caused an update to be made to the company’s Border Gateway Protocol (BGP) records. BGP is a mechanism by which Internet service providers of the world share information about which providers are responsible for routing Internet traffic to which specific groups of Internet addresses.
In simpler terms, sometime this morning Facebook took away the map telling the world’s computers how to find its various online properties. As a result, when one types Facebook.com into a web browser, the browser has no idea where to find Facebook.com, and so returns an error page.
In addition to stranding billions of users, the Facebook outage also has stranded its employees from communicating with one another using their internal Facebook tools. That’s because Facebook’s email and tools are all managed in house and via the same domains that are now stranded. </blockquote>
What I heard is that none of the employee <a href="https://twitter.com/sheeraf/status/1445099150316503057?s=21">keycards work</a>, since they have to ping a now-unreachable server. So people can’t get into buildings and offices.
And every third-party site that relies on “log in with Facebook” is stuck as well.
The fix <a href="https://www.zdnet.com/article/what-took-facebook-down-major-global-outage-drags-on/">won’t be quick</a>:
<blockquote>As a former network admin who worked on the internet at this level, I anticipate Facebook will be down for hours more. I suspect it will end up being Facebook’s longest and most severe failure to date before it’s fixed.</blockquote>
We all know the security risks of <a href="https://www.schneier.com/blog/archives/2010/12/software_monocu.html">monocultures</a>.
EDITED TO ADD (10/6): Good <a href="https://blog.cloudflare.com/october-2021-facebook-outage/">explanation</a> of what happened. Shorter from <a href="https://twitter.com/zittrain/status/1445117965205000208?s=20">Jonathan Zittrain</a>: “Facebook basically locked its keys in the car.”
<a href="https://www.schneier.com/blog/archives/2021/10/synaverse-hack.html"><strong>[2021.10.06]</strong></a> <a href="https://www.vice.com/en/article/z3xpm8/company-that-routes-billions-of-text-messages-quietly-says-it-was-hacked">This</a> is interesting:
<blockquote>A company that is a critical part of the global telecommunications infrastructure used by AT&T, T-Mobile, Verizon and several others around the world such as Vodafone and China Mobile, quietly disclosed that hackers were inside its systems for years, impacting more than 200 of its clients and potentially millions of cellphone users worldwide.</blockquote>
I’ve never heard of the company.
No details about the hack. It could be nothing. It could be a national intelligence service looking for information.
<h2>The European Parliament Voted to Ban Remote Biometric Surveillance</h2>
<a href="https://www.schneier.com/blog/archives/2021/10/the-european-parliament-voted-to-ban-remote-biometric-surveillance.html"><strong>[2021.10.11]</strong></a> It’s not actually banned in the EU yet — the legislative process is much more complicated than that — but it’s a step: a <a href="https://techcrunch.com/2021/10/06/european-parliament-backs-ban-on-remote-biometric-surveillance/">total ban</a> on biometric mass surveillance.
<blockquote>To respect “privacy and human dignity,” MEPs said that EU lawmakers should pass a permanent ban on the automated recognition of individuals in public spaces, saying citizens should only be monitored when suspected of a crime.
The parliament has also called for a ban on the use of private facial recognition databases — such as the <a href="https://techcrunch.com/2021/02/03/clearview-ai-ruled-illegal-by-canadian-privacy-authorities/">controversial AI system created by U.S. startup Clearview</a> (also already in use by <a href="https://techcrunch.com/2021/02/12/swedens-data-watchdog-slaps-police-for-unlawful-use-of-clearview-ai/">some police forces in Europe</a>) — and said predictive policing based on behavioural data should also be outlawed.
MEPs also want to ban social scoring systems which seek to rate the trustworthiness of citizens based on their behaviour or personality.</blockquote>
<h2>Airline Passenger Mistakes Vintage Camera for a Bomb</h2>
<a href="https://www.schneier.com/blog/archives/2021/10/airline-passenger-mistakes-vintage-camera-for-a-bomb.html"><strong>[2021.10.12]</strong></a> I feel sorry for the <a href="https://www.nydailynews.com/new-york/nyc-crime/ny-camera-laguardia-airport-emergency-landing-20211010-pjumgje6k5a6xpggp3axo3bj3y-story.html">accused</a>:
<blockquote>The “security incident” that forced a New-York bound flight to make an emergency landing at LaGuardia Airport on Saturday turned out to be a misunderstanding — after an airline passenger mistook another traveler’s camera for a bomb, sources said Sunday.
American Airlines Flight 4817 from Indianapolis — operated by Republic Airways — made an emergency landing at LaGuardia just after 3 p.m., and authorities took a suspicious passenger into custody for several hours.
It turns out the would-be “bomber” was just a vintage camera aficionado and the woman who reported him made a mistake, sources said.</blockquote>
Why in the world was the passenger in custody for “several hours”? They didn’t do anything wrong.
Back in 2007, I called this the “<a href="https://www.schneier.com/blog/archives/2007/11/the_war_on_the.html">war on the unexpected</a>.” It’s why “see something, say something” doesn’t work. If you put amateurs in the front lines of security, don’t be surprised when you get amateur security. I have <a href="https://www.schneier.com/tag/war-on-the-unexpected/">lots of examples</a>.
<h2>Suing Infrastructure Companies for Copyright Violations</h2>
<a href="https://www.schneier.com/blog/archives/2021/10/suing-infrastructure-companies-for-copyright-violations.html"><strong>[2021.10.13]</strong></a> It’s a matter of going after those with deep pockets. From <a href="https://www.wired.com/story/cloudflare-copyright-infringement-ruling/">Wired</a>:
<blockquote>Cloudflare was <a href="https://storage.courtlistener.com/recap/gov.uscourts.cand.339512/gov.uscourts.cand.339512.1.0.pdf">sued in November 2018</a> by Mon Cheri Bridals and Maggie Sottero Designs, two wedding dress manufacturers and sellers that alleged Cloudflare was guilty of contributory copyright infringement because it didn’t terminate services for websites that infringed on the dressmakers’ copyrighted designs….
[Judge] Chhabria noted that the dressmakers have been harmed “by the proliferation of counterfeit retailers that sell knock-off dresses using the plaintiffs’ copyrighted images” and that they have “gone after the infringers in a range of actions, but to no avail — every time a website is successfully shut down, a new one takes its place.” Chhabria continued, “In an effort to more effectively stamp out infringement, the plaintiffs now go after a service common to many of the infringers: Cloudflare. The plaintiffs claim that Cloudflare contributes to the underlying copyright infringement by providing infringers with caching, content delivery, and security services. Because a reasonable jury could not — at least on this record — conclude that Cloudflare materially contributes to the underlying copyright infringement, the plaintiffs’ motion for summary judgment is denied and Cloudflare’s motion for summary judgment is granted.”</blockquote>
I was an expert witness for Cloudflare in this case, basically explaining to the court how the service works.
<h2>Recovering Real Faces from Face-Generation ML System</h2>
<a href="https://www.schneier.com/blog/archives/2021/10/recovering-real-faces-from-face-generation-ml-system.html"><strong>[2021.10.14]</strong></a> New paper: “<a href="https://arxiv.org/pdf/2107.06018.pdf">This Person (Probably) Exists. Identity Membership Attacks Against GAN Generated Faces.</a>”
<blockquote><b>Abstract:</b> Recently, generative adversarial networks (GANs) have achieved stunning realism, fooling even human observers. Indeed, the popular tongue-in-cheek website http://thispersondoesnotexist.com, taunts users with GAN generated images that seem too real to believe. On the other hand, GANs do leak information about their training data, as evidenced by membership attacks recently demonstrated in the literature. In this work, we challenge the assumption that GAN faces really are novel creations, by constructing a successful membership attack of a new kind. Unlike previous works, our attack can accurately discern samples sharing the same identity as training samples without being the same samples. We demonstrate the interest of our attack across several popular face datasets and GAN training procedures. Notably, we show that even in the presence of significant dataset diversity, an over represented person can pose a privacy concern.</blockquote>
News <a href="https://www.technologyreview.com/2021/10/12/1036844/ai-gan-fake-faces-data-privacy-security-leak/">article</a>. Slashdot <a href="https://yro.slashdot.org/story/21/10/13/2116205/ai-fake-face-generators-can-be-rewound-to-reveal-the-real-faces-they-trained-on">post</a>.
<h2>Upcoming Speaking Engagements</h2>
<a href="https://www.schneier.com/blog/archives/2021/10/upcoming-speaking-engagements-13.html"><strong>[2021.10.14]</strong></a> This is a current list of where and when I am scheduled to speak:
<ul><li>I’ll be speaking at an <a href="https://www.informa.com/">Informa</a> event on November 29, 2021. Details to come.</li></ul>
The list is maintained on <a href="https://www.schneier.com/events/">this page</a>.
<h2>Security Risks of Client-Side Scanning</h2>
<a href="https://www.schneier.com/blog/archives/2021/10/security-risks-of-client-side-scanning.html"><strong>[2021.10.15]</strong></a> Even before Apple made <a href="https://www.apple.com/child-safety/">its announcement</a>, law enforcement shifted their battle for backdoors to client-side scanning. The idea is that they wouldn’t touch the cryptography, but instead eavesdrop on communications and systems before encryption or after decryption. It’s not a cryptographic backdoor, but it’s still a backdoor — and brings with it all the insecurities of a backdoor.
I’m part of a group of cryptographers that has just published a <a href="https://arxiv.org/abs/2110.07450">paper</a> discussing the security risks of such a system. (It’s substantially the same group that wrote a similar paper about <a href="https://www.schneier.com/wp-content/uploads/2016/02/paper-key-escrow.pdf">key escrow</a> in 1997, and other <a href="https://www.schneier.com/wp-content/uploads/2016/09/paper-keys-under-doormats-CSAIL.pdf">“exceptional access” proposals</a> in 2015. We seem to have to do this every decade or so.) In our paper, we examine both the efficacy of such a system and its potential security failures, and conclude that it’s a really bad idea.
We had been working on the paper well before Apple’s announcement. And while we do talk about Apple’s system, our focus is really on the idea in general.
Ross Anderson wrote a <a href="https://www.lightbluetouchpaper.org/2021/10/15/bugs-in-our-pockets/">blog post</a> on the paper. (It’s always great when Ross writes something. It means I don’t have to.) So did <a href="https://www.lawfareblog.com/bugs-our-pockets-risks-client-side-scanning">Susan Landau</a>. And there’s press coverage in the <i><a href="https://www.nytimes.com/2021/10/14/business/apple-child-sex-abuse-cybersecurity.html">New York Times</a></i>, the <i><a href="https://www.theguardian.com/world/2021/oct/15/apple-plan-scan-child-abuse-images-tears-heart-of-privacy">Guardian</a></i>, <i><a href="https://www.computerweekly.com/news/252508198/Apple-scheme-to-detect-child-abuse-creates-serious-privacy-and-security-risks-say-scientists">Computer Weekly</a></i>, the <i><a href="https://www.ft.com/content/64a74bde-4d64-4940-8c03-e01eeecc6e54">Financial Times</a></i>, <i><a href="https://www.forbes.com/sites/emmawoollacott/2021/10/15/experts-slam-apples-child-protection-phone-scanning-technology/?sh=7e1edf163f7a">Forbes</a></i>, <i><a href="https://elpais.com/tecnologia/2021-10-15/en-tu-movil-no-debe-entrar-nadie-un-grupo-global-de-expertos-pide-proteger-la-ultima-frontera-de-la-privacidad.html">El Pais</a></i> (English <a href="https://elpais-com.translate.goog/tecnologia/2021-10-15/en-tu-movil-no-debe-entrar-nadie-un-grupo-global-de-expertos-pide-proteger-la-ultima-frontera-de-la-privacidad.html?_x_tr_sl=es&_x_tr_tl=en&_x_tr_hl=en-US&_x_tr_pto=nui">translation</a>), <i><a href="https://nrkbeta.no/2021/10/15/ledende-eksperter-advarer-mot-a-skanne-mobiler-for-overgrepsmateriale/">NRK</a></i> (English <a href="https://nrkbeta-no.translate.goog/2021/10/15/ledende-eksperter-advarer-mot-a-skanne-mobiler-for-overgrepsmateriale/?_x_tr_sl=no&_x_tr_tl=en&_x_tr_hl=en-US&_x_tr_pto=nui">translation</a>), and — this is the best article of them all — the <i><a href="https://www.theregister.com/2021/10/15/clientside_side_scanning/">Register</a></i>. 
See also <a href="https://www.lawfareblog.com/law-and-policy-client-side-scanning">this analysis</a> of the law and politics of client-side scanning from last year.
<h2>Missouri Governor Doesn't Understand Responsible Disclosure</h2>
<a href="https://www.schneier.com/blog/archives/2021/10/the-missouri-governor-doesnt-understand-responsible-disclosure.html"><strong>[2021.10.18]</strong></a> The Missouri governor <a href="https://missouriindependent.com/2021/10/14/missouri-governor-vows-criminal-prosecution-of-reporter-who-found-flaw-in-state-website/">wants to prosecute</a> the reporter who discovered a security vulnerability in a state website, and then reported it to the state.
<blockquote>The newspaper agreed to hold off publishing any story while the department fixed the problem and protected the private information of teachers around the state.
According to the Post-Dispatch, one of its reporters discovered the flaw in a web application allowing the public to search teacher certifications and credentials. No private information was publicly visible, but teacher Social Security numbers were contained in HTML source code of the pages.
The state removed the search tool after being notified of the issue by the Post-Dispatch. It was unclear how long the Social Security numbers had been vulnerable.
Chris Vickery, a California-based data security expert, told The Independent that it appears the department of education was “publishing data that it shouldn’t have been publishing.
“That’s not a crime for the journalists discovering it,” he said. “Putting Social Security numbers within HTML, even if it’s ‘non-display rendering’ HTML, is a stupid thing for the Missouri website to do and is a type of boneheaded mistake that has been around since day one of the Internet. No exploit, hacking or vulnerability is involved here.”
In explaining how he hopes the reporter and news organization will be prosecuted, [Gov.] Parson pointed to a state statute defining the crime of <a href="https://revisor.mo.gov/main/OneSection.aspx?section=569.095">tampering with computer data</a>. Vickery said that statute wouldn’t work in this instance because of a recent decision by the U.S. Supreme Court in the case of Van Buren v. United States.</blockquote>
One hopes that someone will calm the governor down.
Brian Krebs <a href="https://krebsonsecurity.com/2021/10/missouri-governor-vows-to-prosecute-st-louis-post-dispatch-for-reporting-security-vulnerability/">has more</a>.
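A check a site owner could run over generated pages before deployment, added here as an example (not the Post-Dispatch’s method or the state’s code): it scans the full HTML source, comments and non-displayed attributes included, for structurally plausible SSNs. The sample page and every number in it are constructed.

```python
"""Scan page source for Social Security numbers, rendered or not.

Added example: the flaw described above was SSNs sitting in HTML that the
browser never displayed, so the scan covers comments, attribute values and
text nodes (the parser also delivers script and style bodies as text).
The sample HTML and all numbers in it are constructed.
"""
from dataclasses import dataclass
from html.parser import HTMLParser
import re

# Hyphenated form only; the structural rules below cut false positives.
SSN_RE = re.compile(r"(?<!\d)(\d{3})-(\d{2})-(\d{4})(?!\d)")


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """SSA structural rules: area is never 000, 666 or 900-999,
    group is never 00 and serial is never 0000."""
    a = int(area)
    return not (a == 0 or a == 666 or a >= 900
                or int(group) == 0 or int(serial) == 0)


@dataclass
class Finding:
    location: str   # "comment", "text" or "attribute <name>"
    masked: str     # last four digits only, so the report does not re-expose it


class _SsnScanner(HTMLParser):
    """Collects plausible SSNs from attributes, text nodes and comments."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def _scan(self, location, s):
        for m in SSN_RE.finditer(s):
            if is_plausible_ssn(*m.groups()):
                self.findings.append(Finding(location, "***-**-" + m.group(3)))

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value:                   # bare attributes such as `hidden` are None
                self._scan(f"attribute {name}", value)

    def handle_data(self, data):
        self._scan("text", data)

    def handle_comment(self, data):
        self._scan("comment", data)


def find_ssn_exposures(html: str) -> list:
    """Return every plausible SSN in the source, wherever it sits."""
    scanner = _SsnScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed page: one SSN in a developer comment, one in a non-displayed
# data attribute, and an invalid-area number in visible text (not an SSN).
SAMPLE_HTML = """\
<!-- export debug: record 456-78-9012 -->
<table>
  <tr>
    <td>Jane Doe</td><td>Certified</td>
    <td><span hidden data-ssn="123-45-6789"></span>
        <span class="id">000-12-3456</span></td>
  </tr>
</table>
"""

if __name__ == "__main__":
    for f in find_ssn_exposures(SAMPLE_HTML):
        print(f.location, f.masked)
```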
<h2>Ransomware Attacks against Water Treatment Plants</h2>
<a href="https://www.schneier.com/blog/archives/2021/10/ransomware-attacks-against-water-treatment-plants.html"><strong>[2021.10.19]</strong></a> According to a <a href="https://us-cert.cisa.gov/ncas/alerts/aa21-287a">report</a> from CISA last week, there were three ransomware attacks against water treatment plants last year.
<blockquote>WWS Sector cyber intrusions from 2019 to early 2021 include:
<ul><li>In August 2021, malicious cyber actors used Ghost variant ransomware against a California-based WWS facility. The ransomware variant had been in the system for about a month and was discovered when three supervisory control and data acquisition (SCADA) servers displayed a ransomware message.
<li>In July 2021, cyber actors used remote access to introduce ZuCaNo ransomware onto a Maine-based WWS facility’s wastewater SCADA computer. The treatment system was run manually until the SCADA computer was restored using local control and more frequent operator rounds.
<li>In March 2021, cyber actors used an unknown ransomware variant against a Nevada-based WWS facility. The ransomware affected the victim’s SCADA system and backup systems. The SCADA system provides visibility and monitoring but is not a full industrial control system (ICS).</ul></blockquote>
<h2>Using Machine Learning to Guess PINs from Video</h2>
<a href="https://www.schneier.com/blog/archives/2021/10/using-machine-learning-to-guess-pins-from-video.html"><strong>[2021.10.19]</strong></a> Researchers <a href="https://www.bleepingcomputer.com/news/security/credit-card-pins-can-be-guessed-even-when-covering-the-atm-pad/">trained a machine-learning system</a> on videos of people typing their PINs into ATMs:
<blockquote>By using three tries, which is typically the maximum allowed number of attempts before the card is withheld, the researchers reconstructed the correct sequence for 5-digit PINs 30% of the time, and reached 41% for 4-digit PINs.</blockquote>
This works even if the person is covering the pad with their hands.
The article doesn’t contain a link to the original research. If someone knows it, please put it in the comments.
Slashdot <a href="https://it.slashdot.org/story/21/10/18/2032220/credit-card-pins-can-be-guessed-even-when-covering-the-atm-pad">thread</a>.
<h2>Textbook Rental Scam</h2>
<a href="https://www.schneier.com/blog/archives/2021/10/textbook-rental-scam.html"><strong>[2021.10.20]</strong></a> Here’s a story of <a href="https://www.theregister.com/2021/10/15/amazon_textbook_rental/">someone</a> who, with three compatriots, rented textbooks from Amazon and then sold them instead of returning them. They used gift cards and prepaid credit cards to buy the books, so there was no available balance when Amazon tried to charge them the buyout price for non-returned books. They also used various aliases and other tricks to bypass Amazon’s fifteen-book limit. In all, they stole 14,000 textbooks worth over $1.5 million.
The article doesn’t link to the indictment, so I don’t know how they were discovered.
<h2>Problems with Multifactor Authentication</h2>
<a href="https://www.schneier.com/blog/archives/2021/10/problems-with-multifactor-authentication.html"><strong>[2021.10.21]</strong></a> Roger Grimes on why multifactor authentication <a href="https://www.linkedin.com/pulse/why-majority-our-mfa-so-phishable-roger-grimes">isn’t a panacea</a>:
<blockquote>The first time I heard of this issue was from a Midwest CEO. His organization had been hit by ransomware to the tune of $10M. Operationally, they were still recovering nearly a year later. And, embarrassingly, it was his most trusted VP who let the attackers in. It turns out that the VP had approved over 10 different push-based messages for logins that he was not involved in. When the VP was asked why he approved logins for logins he was not actually doing, his response was, “They (IT) told me that I needed to click on Approve when the message appeared!”
And there you have it in a nutshell. The VP did not understand the importance (“the WHY”) of why it was so important to ONLY approve logins that they were participating in. Perhaps they were told this. But there is a good chance that IT, when implementing the new push-based MFA, instructed them as to what they needed to do to successfully log in, but failed to mention what they needed to do when they were not logging in if the same message arrived. Most likely, IT assumed that anyone would naturally understand that it also meant not approving unexpected, unexplained logins. Did the end user get trained as to what to do when an unexpected login arrived? Were they told to click on “Deny” and to contact IT Help Desk to report the active intrusion?
Or was the person told the correct instructions for both approving and denying and it just did not take? We all have busy lives. We all have too much to do. Perhaps the importance of the last part of the instructions just did not sink in. We can think we hear and not really hear. We can hear and still not care.</blockquote>
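Detection logic for the pattern in Grimes’ story, added here as an example and not taken from his article or any MFA vendor: it flags a user who receives a burst of push prompts and, after denying or ignoring some, approves one. The log format, sample lines and IP addresses (documentation ranges) are constructed.

```python
"""Flag MFA push-fatigue patterns in authentication logs.

Added example: looks for a user receiving a burst of push prompts they did
not initiate and eventually approving one. The key=value log format and the
sample lines are constructed; IPs come from documentation ranges.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
import re

# Constructed sample: alice logs in normally; vp.smith is prompted four
# times in three minutes, rejects three, then approves the fourth.
SAMPLE_LOG = """\
2021-10-21T02:58:10Z user=alice event=push_sent ip=198.51.100.7
2021-10-21T02:58:22Z user=alice event=push_approved ip=198.51.100.7
2021-10-21T03:12:05Z user=vp.smith event=push_sent ip=203.0.113.9
2021-10-21T03:12:40Z user=vp.smith event=push_denied ip=203.0.113.9
2021-10-21T03:13:02Z user=vp.smith event=push_sent ip=203.0.113.9
2021-10-21T03:13:50Z user=vp.smith event=push_timeout ip=203.0.113.9
2021-10-21T03:14:11Z user=vp.smith event=push_sent ip=203.0.113.9
2021-10-21T03:14:30Z user=vp.smith event=push_denied ip=203.0.113.9
2021-10-21T03:15:01Z user=vp.smith event=push_sent ip=203.0.113.9
2021-10-21T03:15:44Z user=vp.smith event=push_approved ip=203.0.113.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) event=(?P<event>\S+) ip=(?P<ip>\S+)$"
)
REJECTIONS = {"push_denied", "push_timeout"}


@dataclass
class Event:
    ts: datetime
    user: str
    event: str
    ip: str


@dataclass
class Alert:
    user: str
    prompts: int                    # push prompts inside the burst window
    rejections: int                 # denials and timeouts inside the window
    approved_after_rejection: bool  # the fatigue pattern proper
    severity: str


def parse_log(text: str) -> list:
    """Parse the constructed key=value lines; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(Event(ts, m["user"], m["event"], m["ip"]))
    return events


def detect_push_fatigue(events, window=timedelta(minutes=10), min_prompts=3):
    """One alert per user whose prompts within `window` reach min_prompts.

    An approval that follows a denial or timeout in the same window is the
    strongest signal: the user first rejected, then gave in.
    """
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_user[e.user].append(e)

    alerts = []
    for user, evs in by_user.items():
        prompts = [e for e in evs if e.event == "push_sent"]
        for i, first in enumerate(prompts):
            burst = [p for p in prompts[i:] if p.ts - first.ts <= window]
            if len(burst) < min_prompts:
                continue
            # Outcomes are considered up to one window past the last prompt.
            span_end = burst[-1].ts + window
            outcomes = [e for e in evs
                        if first.ts <= e.ts <= span_end and e.event != "push_sent"]
            rejected = [e for e in outcomes if e.event in REJECTIONS]
            approved = [e for e in outcomes if e.event == "push_approved"]
            gave_in = bool(rejected and approved and approved[-1].ts > rejected[0].ts)
            alerts.append(Alert(user, len(burst), len(rejected), gave_in,
                                "high" if gave_in else "medium"))
            break  # report the first qualifying burst per user
    return alerts


if __name__ == "__main__":
    for alert in detect_push_fatigue(parse_log(SAMPLE_LOG)):
        print(alert)
```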
<h2>Nation-State Attacker of Telecommunications Networks</h2>
<a href="https://www.schneier.com/blog/archives/2021/10/nation-state-attacker-of-telecommunications-networks.html"><strong>[2021.10.22]</strong></a> Someone has been <a href="https://www.crowdstrike.com/blog/an-analysis-of-lightbasin-telecommunications-attacks/">hacking telecommunications networks</a> around the world:
<ul><li>LightBasin (aka UNC1945) is an activity cluster that has been consistently targeting the telecommunications sector at a global scale since at least 2016, leveraging custom tools and an in-depth knowledge of telecommunications network architectures.
<li>Recent findings highlight this cluster’s extensive knowledge of telecommunications protocols, including the emulation of these protocols to facilitate command and control (C2) and utilizing scanning/packet-capture tools to retrieve highly specific information from mobile communication infrastructure, such as subscriber information and call metadata.
<li>The nature of the data targeted by the actor aligns with information likely to be of significant interest to signals intelligence organizations.
<li>CrowdStrike Intelligence assesses that LightBasin is a targeted intrusion actor that will continue to target the telecommunications sector. This assessment is made with high confidence and is based on tactics, techniques and procedures (TTPs), target scope, and objectives exhibited by this activity cluster. There is currently not enough available evidence to link the cluster’s activity to a specific country-nexus.</ul>
Some <a href="https://www.scmagazine.com/analysis/black-hat/trio-of-hacking-clusters-targeting-telcos-traced-back-to-chinese-state-espionage">relation to China</a> is reported, but this is not a definitive attribution.