<h2>How China Uses Stolen US Personnel Data</h2>
<a href="https://www.schneier.com/blog/archives/2020/12/how-china-uses-stolen-us-personnel-data.html"><strong>[2020.12.24]</strong></a> Interesting <a href="https://foreignpolicy.com/2020/12/21/china-stolen-us-data-exposed-cia-operatives-spy-networks/">analysis</a> of China’s efforts to identify US spies:
<blockquote>By about 2010, two former CIA officials recalled, the Chinese security services had instituted a sophisticated travel intelligence program, developing databases that tracked flights and passenger lists for espionage purposes. “We looked at it very carefully,” said the former senior CIA official. China’s spies “were actively using that for counterintelligence and offensive intelligence. The capability was there and was being utilized.” China had also stepped up its hacking efforts targeting biometric and passenger data from transit hubs…
To be sure, China had stolen plenty of data before discovering how deeply infiltrated it was by U.S. intelligence agencies. However, the shake-up between 2010 and 2012 gave Beijing an impetus not only to go after bigger, riskier targets, but also to put together the infrastructure needed to process the purloined information. It was around this time, said a former senior NSA official, that Chinese intelligence agencies transitioned from merely being able to steal large datasets en masse to actually rapidly sifting through information from within them for use….
For U.S. intelligence personnel, these new capabilities made China’s successful hack of the U.S. Office of Personnel Management (OPM) that much more chilling. During the OPM breach, Chinese hackers stole detailed, often highly sensitive personnel data from 21.5 million current and former U.S. officials, their spouses, and job applicants, including health, residency, employment, fingerprint, and financial data. In some cases, details from background investigations tied to the granting of security clearances — investigations that can delve deeply into individuals’ mental health records, their sexual histories and proclivities, and whether a person’s relatives abroad may be subject to government blackmail — were stolen as well….
When paired with travel details and other purloined data, information from the OPM breach likely provided Chinese intelligence potent clues about unusual behavior patterns, biographical information, or career milestones that marked individuals as likely U.S. spies, officials say. Now, these officials feared, China could search for when suspected U.S. spies were in certain locations — and potentially also meeting secretly with their Chinese sources. China “collects bulk personal data to help it track dissidents or other perceived enemies of China around the world,” Evanina, the top U.S. counterintelligence official, said.
But after the OPM breach, anomalies began to multiply. In 2012, senior U.S. spy hunters began to puzzle over some “head-scratchers”: In a few cases, spouses of U.S. officials whose sensitive work should have been difficult to discern were being approached by Chinese and Russian intelligence operatives abroad, according to the former counterintelligence executive. In one case, Chinese operatives tried to harass and entrap a U.S. official’s wife while she accompanied her children on a school field trip to China. “The MO is that, usually at the end of the trip, the lightbulb goes on [and the foreign intelligence service identifies potential persons of interest]. But these were from day one, from the airport onward,” the former official said.
Worries about what the Chinese now knew precipitated an intelligence community-wide damage assessment surrounding the OPM and other hacks, recalled Douglas Wise, a former senior CIA official who served deputy director of the Defense Intelligence Agency from 2014 to 2016. Some worried that China might have purposefully secretly altered data in individuals’ OPM files to later use as leverage in recruitment attempts. Officials also believed that the Chinese might sift through the OPM data to try and craft the most ideal profiles for Chinese intelligence assets seeking to infiltrate the U.S. government — since they now had granular knowledge of what the U.S. government looked for, and what it didn’t, while considering applicants for sensitive positions. U.S. intelligence agencies altered their screening procedures to anticipate new, more finely tuned Chinese attempts at human spying, Wise said.</blockquote>
<h2>Russia's SolarWinds Attack</h2>
<a href="https://www.schneier.com/blog/archives/2020/12/russias-solarwinds-attack.html"><strong>[2020.12.28]</strong></a> Recent news articles have all been talking about the massive <a href="https://thehill.com/homenews/administration/530962-pompeo-russia-pretty-clearly-behind-massive-cyberattack">Russian</a> cyberattack against the United States, but that’s wrong on two accounts. It wasn’t a cyberattack in international relations terms, it was espionage. And the victim wasn’t just the US, it was the entire world. But it was massive, and it is dangerous.
<a href="https://www.theguardian.com/world/espionage">Espionage</a> is internationally allowed in peacetime. The problem is that both espionage and cyberattacks require the same computer and network intrusions, and the difference is only a few keystrokes. And since this Russian operation isn’t at all targeted, the entire world is at risk — and not just from Russia. Many countries carry out these sorts of operations, none more extensively than the US. The solution is to prioritize security and defense over espionage and attack.
Here’s what we know: <a href="https://www.solarwinds.com/solutions/orion">Orion</a> is a network management product from a company named SolarWinds, with over 300,000 customers worldwide. Sometime before March, hackers working for the Russian SVR — previously known as the KGB — hacked into SolarWinds and slipped a backdoor into an Orion software update. (We don’t know how, but last year the company’s update server was <a href="https://www.reuters.com/article/global-cyber-solarwinds/hackers-at-center-of-sprawling-spy-campaign-turned-solarwinds-dominance-against-it-idUSKBN28P2N8">protected</a> by the password “solarwinds123” — something that speaks to a lack of security culture.) Users who downloaded and installed that corrupted update between March and June unwittingly gave SVR hackers access to their networks.
This is called a supply-chain attack, because it targets a supplier to an organization rather than an organization itself — and can affect all of a supplier’s customers. It’s an increasingly common way to attack networks. Other examples of this sort of attack include <a href="https://www.komando.com/security-privacy/check-your-phone-now-for-these-data-stealing-counterfeit-apps/576207/">fake apps</a> in the Google Play store, and <a href="https://www.theverge.com/2017/8/21/16177916/malicious-replacement-touch-screens-control-smart-phone">hacked replacement screens</a> for your smartphone.
SolarWinds has removed its customer list from its website, but the Internet Archive <a href="https://web.archive.org/web/20201214143046/https:/www.solarwinds.com/company/customers">saved it</a>: all five branches of the US military, the state department, the White House, the NSA, 425 of the Fortune 500 companies, all five of the top five accounting firms, and hundreds of universities and colleges. In an SEC filing, SolarWinds <a href="https://sec.report/Document/0001628280-20-017451/">said</a> that it believes “fewer than 18,000” of those customers installed this malicious update, another way of saying that more than 17,000 did.
That’s a lot of vulnerable networks, and it’s inconceivable that the SVR penetrated them all. Instead, it chose carefully from its cornucopia of targets. Microsoft’s <a href="https://blogs.microsoft.com/on-the-issues/2020/12/17/cyberattacks-cybersecurity-solarwinds-fireeye/">analysis</a> identified 40 customers who were infiltrated using this vulnerability. The great majority of those were in the US, but networks in Canada, Mexico, Belgium, Spain, the UK, Israel and the UAE were also targeted. This list includes governments, government contractors, IT companies, thinktanks, and NGOs — and it will certainly grow.
Once inside a network, SVR hackers followed a <a href="https://www.helpnetsecurity.com/2017/03/06/cyber-attack-lifecycle/">standard playbook</a>: establish persistent access that will remain even if the initial vulnerability is fixed; move laterally around the network by compromising additional systems and accounts; and then exfiltrate data. Not being a SolarWinds customer is no guarantee of security; this SVR operation used <a href="https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/">other initial infection vectors and techniques</a> as well. These are sophisticated and patient hackers, and we’re only just learning some of the techniques involved here.
Recovering from this attack <a href="https://www.cisa.gov/news/2020/12/13/cisa-issues-emergency-directive-mitigate-compromise-solarwinds-orion-network">isn’t easy</a>. Because any SVR hackers would establish persistent access, the only way to ensure that your network isn’t compromised is to <a href="https://www.startribune.com/hacked-networks-will-need-to-be-burned-down-to-the-ground/600002742/">burn it to the ground</a> and rebuild it, similar to reinstalling your computer’s operating system to recover from a bad hack. This is how a lot of sysadmins are going to spend their Christmas holiday, and even then they can&;t be sure. There are many ways to establish persistent access that survive rebuilding individual computers and networks. We know, for example, of an <a href="https://www.schneier.com/blog/archives/2014/01/iratemonk_nsa_e.html">NSA exploit</a> that remains on a hard drive even after it is reformatted. Code for that exploit <a href="https://www.networkworld.com/article/2885814/has-equation-group-hacked-your-hard-drives-you-won-t-be-able-to-tell.html">was part of</a> the Equation Group tools that the Shadow Brokers — again believed to be Russia — stole from the NSA and published in 2016. The SVR probably has the same kinds of tools.
Even without that caveat, many network administrators won’t go through the long, painful, and potentially expensive rebuilding process. They’ll just hope for the best.
It’s hard to overstate how bad this is. We are still learning about US government organizations breached: the <a href="https://www.washingtonpost.com/national-security/dhs-is-third-federal-agency-hacked-in-major-russian-cyberespionage-campaign/2020/12/14/41f8fc98-3e3c-11eb-8bc0-ae155bee4aff_story.html">state department</a>, the <a href="https://www.reuters.com/article/BigStory12/idUSKBN28N0PG">treasury department</a>, <a href="https://www.washingtonpost.com/national-security/dhs-is-third-federal-agency-hacked-in-major-russian-cyberespionage-campaign/2020/12/14/41f8fc98-3e3c-11eb-8bc0-ae155bee4aff_story.html">homeland security</a>, the <a href="https://siliconangle.com/2020/12/17/solarwinds-latest-victims-allegedly-include-nuclear-weapons-agency-microsoft/">Los Alamos and Sandia National Laboratories</a> (where nuclear weapons are developed), the <a href="https://www.politico.com/news/2020/12/17/nuclear-agency-hacked-officials-inform-congress-447855">National Nuclear Security Administration</a>, the <a href="https://www.washingtonpost.com/national-security/dhs-is-third-federal-agency-hacked-in-major-russian-cyberespionage-campaign/2020/12/14/41f8fc98-3e3c-11eb-8bc0-ae155bee4aff_story.html">National Institutes of Health</a>, and <a href="https://www.zdnet.com/article/microsoft-was-also-breached-in-recent-solarwinds-supply-chain-hack-report/">many more</a>. At this point, there’s no indication that any classified networks were penetrated, although that could change easily. It will take years to learn which networks the SVR has penetrated, and where it still has access. Much of that will probably be classified, which means that we, the public, will never know.
And now that the Orion vulnerability is public, other governments and cybercriminals will use it to penetrate vulnerable networks. I can guarantee you that the NSA is using the SVR’s hack to infiltrate other networks; why would they not? (Do any Russian organizations use Orion? Probably.)
While this is a security failure of enormous proportions, it is not, as Senator Richard Durban <a href="https://thehill.com/policy/cybersecurity/530461-durbin-says-alleged-russian-hack-virtually-a-declaration-of-war">said</a>, “virtually a declaration of war by Russia on the United States.” While President-elect Biden said he will make this a <a href="https://www.bloomberg.com/news/articles/2020-12-17/biden-calls-cybersecurity-a-top-priority-after-russian-hack">top priority</a>, it’s unlikely that he will do much to <a href="https://www.axios.com/biden-fireeye-solarwinds-hack-retaliation-1d9eac1e-a454-43cf-9241-10c05b2d7586.html">retaliate</a>.
The reason is that, by international norms, Russia did nothing wrong. This is the normal state of affairs. Countries spy on each other all the time. There are no rules or even norms, and it’s basically “buyer beware.” The US regularly fails to retaliate against espionage operations — such as China’s <a href="https://www.lawfareblog.com/why-opm-hack-far-worse-you-imagine">hack</a> of the Office of Personal Management (OPM) and previous <a href="https://www.vice.com/en/article/vvk83b/moonlight-maze-turla-link">Russian hacks</a> — because we do it, too. Speaking of the OPM hack, the then director of national intelligence, James Clapper, <a href="https://www.nbcnews.com/tech/security/clapper-china-leading-suspect-opm-hack-n381881">said</a>: “You have to kind of salute the Chinese for what they did. If we had the opportunity to do that, I don’t think we’d hesitate for a minute.”
We don’t, and I’m sure NSA employees are grudgingly impressed with the SVR. The US has by far the most extensive and aggressive intelligence operation in the world. The NSA’s <a href="https://fas.org/irp/budget/">budget</a> is the largest of any intelligence agency. It aggressively leverages the US’s position controlling most of the internet backbone and most of the major internet companies. Edward Snowden <a href="https://www.lawfareblog.com/snowden-revelations">disclosed</a> many targets of its efforts around 2014, which then <a href="http://www.washingtonpost.com/world/national-security/court-gave-nsa-broad-leeway-in-surveillance-documents-show/2014/06/30/32b872ec-fae4-11e3-8176-f2c941cf35f1_story.html">included</a> 193 countries, the World Bank, the IMF and the International Atomic Energy Agency. We are undoubtedly running an offensive operation on the scale of this SVR operation right now, and it’ll probably never be made public. In 2016, President Obama <a href="https://obamawhitehouse.archives.gov/the-press-office/2016/09/05/press-conference-president-obama-after-g20-summit">boasted</a> that we have “more capacity than anybody both offensively and defensively.”
He may have been too optimistic about our defensive capability. The US prioritizes and spends <a href="https://www.lawfareblog.com/cyber-budget-shows-what-us-values%E2%80%94and-it-isnt-defense">many times more</a> on offense than on defensive cybersecurity. In recent years, the NSA has <a href="https://www.npr.org/2019/08/26/747248636/persistent-engagement-the-phrase-driving-a-more-assertive-u-s-spy-agency">adopted</a> <a href="https://www.eweek.com/security/nsa-director-praises-persistent-engagement-approach-to-limit-risks">a</a> <a href="https://www.schneier.com/blog/archives/2019/02/gen_nakasone_on.html">strategy</a> of “persistent engagement,” sometimes called “defending forward.” The idea is that instead of passively waiting for the enemy to attack our networks and infrastructure, we go on the offensive and disrupt attacks before they get to us. This strategy was credited with <a href="https://www.washingtonpost.com/world/national-security/us-cyber-command-operation-disrupted-internet-access-of-russian-troll-factory-on-day-of-2018-midterms/2019/02/26/1827fc9e-36d6-11e9-af5b-b51b7ff322e9_story.html">foiling a plot</a> by the Russian Internet Research Agency to disrupt the 2018 elections.
But if persistent engagement is so effective, how could it have missed this massive SVR operation? It seems that pretty much the entire US government was unknowingly sending information back to Moscow. If we <em>had</em> been watching everything the Russians were doing, we would have seen some evidence of this. The Russians’ success under the watchful eye of the NSA and US Cyber Command shows that this is a failed approach.
And how did US defensive capability miss this? The only reason we know about this breach is because, earlier this month, the security company FireEye <a href="https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html">discovered</a> that it had been hacked. During its own audit of its network, it <a href="https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html">uncovered</a> the Orion vulnerability and alerted the US government. Why don’t organizations like the Departments of State, Treasury and Homeland Wecurity regularly conduct that level of audit on their own systems? The government’s intrusion detection system, Einstein 3, <a href="https://www.washingtonpost.com/national-security/ruusian-hackers-outsmarted-us-defenses/2020/12/15/3deed840-3f11-11eb-9453-fc36ba051781_story.html">failed here</a> because it doesn’t detect new sophisticated attacks — a deficiency <a href="https://www.gao.gov/assets/700/696105.pdf" >pointed out</a> in 2018 but never fixed. We shouldn’t have to rely on a private cybersecurity company to alert us of a major nation-state attack.
If anything, the US’s prioritization of offense over defense makes us less safe. In the interests of surveillance, the NSA has pushed for an <a href="https://www.washingtonpost.com/business/technology/by-cracking-cellphone-code-nsa-has-capacity-for-decoding-private-conversations/2013/12/13/e119b598-612f-11e3-bf45-61f69f54fc5f_story.html">insecure</a> cell phone encryption standard and a <a href="https://www.wired.com/2013/09/nsa-backdoor/">backdoor</a> in random number generators (important for secure encryption). The DoJ has never relented in its <a href="https://www.technologyreview.com/2019/07/24/134062/trumps-justice-department-calls-for-encryption-backdoor-law/">insistence</a> that the world’s popular encryption systems be made insecure through back doors — another hot point where attack and defense are in conflict. In other words, we allow for insecure standards and systems, because we can use them to spy on others.
We need to adopt a <a href="https://www.atlanticcouncil.org/wp-content/uploads/2015/08/AC_StrategyPapers_No8_Saving_Cyberspace_WEB.pdf">defense-dominant strategy</a>. As computers and the internet become increasingly essential to society, cyberattacks are likely to be the <a href="https://www.schneier.com/blog/archives/2018/08/future_cyberwar.html">precursor</a> to actual war. We are simply too vulnerable when we prioritize offense, even if we have to give up the advantage of using those insecurities to spy on others.
Our vulnerability is magnified as eavesdropping may bleed into a direct attack. The SVR’s access allows them not only to eavesdrop, but also to modify data, degrade network performance, or erase entire networks. The first might be normal spying, but the second certainly could be considered an act of war. Russia is almost certainly laying the groundwork for future attack.
This preparation would not be unprecedented. There’s a lot of attack going on in the world. In 2010, the US and Israel <a href="https://www.wired.com/2014/11/countdown-to-zero-day-stuxnet/">attacked</a> the Iranian nuclear program. In 2012, Iran <a href="https://www.nytimes.com/2018/03/15/technology/saudi-arabia-hacks-cyberattacks.html">attacked</a> the Saudi national oil company. North Korea <a href="https://www.nytimes.com/2017/10/15/world/asia/north-korea-hacking-cyber-sony.html">attacked</a> Sony in 2014. Russia attacked the Ukrainian power grid in <a href="https://www.wired.com/2016/03/inside-cunning-unprecedented-hack-ukraines-power-grid/">2015</a> and <a href="https://www.wired.com/story/russian-hackers-attack-ukraine/">2016</a>. Russia is <a href="https://www.vox.com/world/2018/3/28/17170612/russia-hacking-us-power-grid-nuclear-plants">hacking</a> the US power grid, and the US is <a href="https://www.nytimes.com/2019/06/15/us/politics/trump-cyber-russia-grid.html">hacking</a> Russia’s power grid — just in case the capability is needed someday. All of these attacks began as a spying operation. Security vulnerabilities have <a href="https://www.schneier.com/books/click-here/">real-world consequences</a>.
We’re not going to be able to secure our networks and systems in this no-rules, free-for-all every-network-for-itself world. The US needs to willingly give up part of its offensive advantage in cyberspace in exchange for a vastly more secure global cyberspace. We need to invest in securing the world’s supply chains from this type of attack, and to <a href="https://www.project-syndicate.org/commentary/soladwinds-cyber-norms-must-be-upheld-by-michael-chertoff-et-al-2020-12">press for international norms</a> and agreements prioritizing cybersecurity, like the 2018 <a href="https://pariscall.international/en/principles" >Paris Call for Trust and Security in Cyberspace</a> or the <a href="https://cyberstability.org/">Global Commission on the Stability of Cyberspace</a>. Hardening widely used software like Orion (or the core internet protocols) helps everyone. We need to dampen this offensive arms race rather than exacerbate it, and work towards <a href="https://www.cyberpeace.org/">cyber peace</a>. Otherwise, <a href="https://thedispatch.com/p/self-delusion-on-the-russia-hack">hypocritically</a> criticizing the Russians for doing the same thing we do every day won’t help create the safer world in which we all want to live.
This essay <a href="https://www.theguardian.com/commentisfree/2020/dec/23/cyber-attack-us-security-protocols">previously appeared</a> in the <i>Guardian</i>.
<h2>On the Evolution of Ransomware</h2>
<a href="https://www.schneier.com/blog/archives/2020/12/on-the-evolution-of-ransomware.html"><strong>[2020.12.30]</strong></a> Good article on the <a href="https://www.wired.com/story/ransomware-2020-headed-down-dire-path/">evolution of ransomware</a>:
<blockquote>Though some researchers say that the scale and severity of ransomware attacks crossed a bright line in 2020, others describe this year as simply the next step in a gradual and, unfortunately, predictable devolution. After years spent honing their techniques, attackers are growing bolder. They’ve begun to incorporate other types of extortion like blackmail into their arsenals, by exfiltrating an organization’s data and then threatening to release it if the victim doesn’t pay an additional fee. Most significantly, ransomware attackers have transitioned from a model in which they hit lots of individuals and accumulated many small ransom payments to one where they carefully plan attacks against a <a href="https://www.wired.com/2017/02/ransomware-turns-big-targets-even-bigger-fallout/">smaller group of large targets</a> from which they can demand massive ransoms. The antivirus firm Emsisoft found that the average requested fee has increased from about $5,000 in 2018 to about $200,000 this year.</blockquote>
Ransomware is a decades-old idea. Today, it’s increasingly profitable and professional.
<h2>Brexit Deal Mandates Old Insecure Crypto Algorithms</h2>
<a href="https://www.schneier.com/blog/archives/2020/12/brexit-deal-mandates-old-insecure-crypto-algorithms.html"><strong>[2020.12.31]</strong></a> In what is surely an unthinking cut-and-paste issue, page 921 of the Brexit deal <a href="https://www.theverge.com/2020/12/29/22204624/brexit-eu-uk-netscape-communicator-4-crytography-email-data-dna-trade-deal">mandates</a> <a href="https://www.bbc.com/news/technology-55475433">the</a> use of SHA-1 and 1024-bit RSA:
<blockquote>The open standard s/MIME as extension to de facto e-mail standard SMTP will be deployed to encrypt messages containing DNA profile information. The protocol s/MIME (V3) allows signed receipts, security labels, and secure mailing lists… The underlying certificate used by s/MIME mechanism has to be in compliance with X.509 standard…. The processing rules for s/MIME encryption operations… are as follows:
<ol><li>the sequence of the operations is: first encryption and then signing,
<li>the encryption algorithm AES (Advanced Encryption Standard) with 256 bit key length and RSA with 1,024 bit key length shall be applied for symmetric and asymmetric encryption respectively,
<li>the hash algorithm SHA-1 shall be applied.
<li>s/MIME functionality is built into the vast majority of modern e-mail software packages including Outlook, Mozilla Mail as well as Netscape Communicator 4.x and inter-operates among all major e-mail software packages.</ol></blockquote>
And s/MIME? Bleah.
<h2>Amazon Has Trucks Filled with Hard Drives and an Armed Guard</h2>
<a href="https://www.schneier.com/blog/archives/2021/01/amazon-has-trucks-filled-with-hard-drives-and-an-armed-guard.html"><strong>[2021.01.04]</strong></a> From an <a href="https://logicmag.io/commons/inside-the-whale-an-interview-with-an-anonymous-amazonian/">interview</a> with an Amazon Web Services security engineer:
<blockquote>So when you use AWS, part of what you’re paying for is security.
Right; it’s part of what we sell. Let’s say a prospective customer comes to AWS. They say, “I like pay-as-you-go pricing. Tell me more about that.” We say, “Okay, here’s how much you can use at peak capacity. Here are the savings we can see in your case.”
Then the company says, “How do I know that I’m secure on AWS?” And this is where the heat turns up. This is where we get them. We say, “Well, let’s take a look at what you’re doing right now and see if we can offer a comparable level of security.” So they tell us about the setup of their data centers.
We say, “Oh my! It seems like we have level five security and your data center has level three security. Are you really comfortable staying where you are?” The customer figures, not only am I going to save money by going with AWS, I also just became aware that I’m not nearly as secure as I thought.
Plus, we make it easy to migrate and difficult to leave. If you have a ton of data in your data center and you want to move it to AWS but you don’t want to send it over the internet, we’ll send an eighteen-wheeler to you filled with hard drives, plug it into your data center with a fiber optic cable, and then drive it across the country to us after loading it up with your data.
What? How do you do that?
We have a product called Snowmobile. It’s a gas-guzzling truck. There are no public pictures of the inside, but it’s pretty cool. It’s like a modular datacenter on wheels. And customers rightly expect that if they load a truck with all their data, they want security for that truck. So there’s an armed guard in it at all times.
It’s a pretty easy sell. If a customer looks at that option, they say, yeah, of course I want the giant truck and the guy with a gun to move my data, not some crappy system that I develop on my own.</blockquote>
Lots more about how AWS views security, and Keith Alexander’s position on Amazon’s board of directors, in the interview.
Found on <a href="https://slashdot.org/story/21/01/01/1742221/an-interview-with-an-anonymous-amazonian">Slashdot</a>.
<h2>Military Cryptanalytics, Part III</h2>
<a href="https://www.schneier.com/blog/archives/2021/01/military-cryptanalytics-part-iii.html"><strong>[2021.01.04]</strong></a> The NSA has just <a href="https://www.governmentattic.org/39docs/NSAmilitaryCryptalyticsPt3_1977.pdf">declassified and released</a> a redacted version of <i>Military Cryptanalytics</i>, Part III, by Lambros D. Callimahos, October 1977.
Parts I and II, by Lambros D. Callimahos and William F. Friedman, were released decades ago — I believe repeatedly, in increasingly unredacted form — and published by the late Wayne Griswold Barker’s Agean Park Press. I own them in hardcover.
Like Parts I and II, Part III is primarily concerned with pre-computer ciphers. At this point, the document only has historical interest. If there is any lesson for today, it’s that modern cryptanalysis is possible primarily because people make mistakes
The monograph took a while to become public. The cover page says that the initial FOIA request was made in July 2012: eight and a half years ago.
And there’s more books to come. Page 1 starts off:
<blockquote>This text constitutes the third of six basic texts on the science of cryptanalytics. The first two texts together have covered most of the necessary fundamentals of cryptanalytics; this and the remaining three texts will be devoted to more specialized and more advanced aspects of the science.</blockquote>
Presumably, volumes IV, V, and VI are still hidden inside the classified libraries of the NSA.
And from page ii:
<blockquote>Chapters IV-XI are revisions of seven of my monographs in the <i>NSA Technical Literature Series, viz</i>: Monograph No. 19, “The Cryptanalysis of Ciphertext and Plaintext Autokey Systems”; Monograph No. 20, “The Analysis of Systems Employing Long or Continuous Keys”; Monograph No. 21, “The Analysis of Cylindrical Cipher Devices and Strip Cipher Systems”; Monograph No. 22, “The Analysis of Systems Employing Geared Disk Cryptomechanisms”; Monograph No.23, “Fundamentals of Key Analysis”; Monograph No. 15, “An Introduction to Teleprinter Key Analysis”; and Monograph No. 18, “Ars Conjectandi: The Fundamentals of Cryptodiagnosis.”</blockquote>
This points to a whole series of still-classified monographs whose titles we do not even know.
EDITED TO ADD: I have been informed by a reliable source that Parts 4 through 6 were never completed. There may be fragments and notes, but no finished works.
<h2>Latest on the SVR's SolarWinds Hack</h2>
<a href="https://www.schneier.com/blog/archives/2021/01/latest-on-the-svrs-solarwinds-hack.html"><strong>[2021.01.05]</strong></a> The <i>New York Times</i> has an in-depth <a href="https://www.nytimes.com/2021/01/02/us/politics/russian-hacking-government.html">article</a> on the latest information about the SolarWinds hack (not a great name, since it’s much more far-reaching than that).
<blockquote>Interviews with key players investigating what intelligence agencies believe to be an operation by Russia’s S.V.R. intelligence service revealed these points:
<ul><li>The breach is far broader than first believed. Initial estimates were that Russia sent its probes only into a few dozen of the 18,000 government and private networks they gained access to when they inserted code into network management software made by a Texas company named SolarWinds. But as businesses like Amazon and Microsoft that provide cloud services dig deeper for evidence, it now appears Russia exploited multiple layers of the supply chain to gain access to as many as 250 networks.
<li>The hackers managed their intrusion from servers inside the United States, exploiting legal prohibitions on the National Security Agency from engaging in domestic surveillance and eluding cyberdefenses deployed by the Department of Homeland Security.
<li>“Early warning” sensors placed by Cyber Command and the National Security Agency deep inside foreign networks to detect brewing attacks clearly failed. There is also no indication yet that any human intelligence alerted the United States to the hacking.
<li>The government’s emphasis on election defense, while critical in 2020, may have diverted resources and attention from long-brewing problems like protecting the “supply chain” of software. In the private sector, too, companies that were focused on election security, like FireEye and Microsoft, are now revealing that they were breached as part of the larger supply chain attack.
<li>SolarWinds, the company that the hackers used as a conduit for their attacks, had a history of lackluster security for its products, making it an easy target, according to current and former employees and government investigators. Its chief executive, Kevin B. Thompson, who is leaving his job after 11 years, has sidestepped the question of whether his company should have detected the intrusion.
<li>Some of the compromised SolarWinds software was engineered in Eastern Europe, and American investigators are now examining whether the incursion originated there, where Russian intelligence operatives are deeply rooted.</ul></blockquote>
Separately, it seems that the SVR <a href="https://news.yahoo.com/hackers-last-year-conducted-a-dry-run-of-solar-winds-breach-215232815.html">conducted</a> a dry run of the attack five months before the actual attack:
<blockquote>The hackers distributed malicious files from the SolarWinds network in October 2019, five months before previously reported files were sent to victims through the company’s software update servers. The October files, distributed to customers on Oct. 10, did not have a backdoor embedded in them, however, in the way that subsequent malicious files that victims downloaded in the spring of 2020 did, and these files went undetected until this month.
“This tells us the actor had access to SolarWinds’ environment much earlier than this year. We know at minimum they had access Oct. 10, 2019. But they would certainly have had to have access longer than that,” says the source. “So that intrusion [into SolarWinds] has to originate probably at least a couple of months before that - probably at least mid-2019 [if not earlier].”
The files distributed to victims in October 2019 were signed with a legitimate SolarWinds certificate to make them appear to be authentic code for the company’s Orion Platform software, a tool used by system administrators to monitor and configure servers and other computer hardware on their network.</blockquote>
<h2>Backdoor in Zyxel Firewalls and Gateways</h2>
<a href="https://www.schneier.com/blog/archives/2021/01/backdoor-in-zyxel-firewalls-and-gateways.html"><strong>[2021.01.06]</strong></a> This is <a href="https://www.zdnet.com/article/backdoor-account-discovered-in-more-than-100000-zyxel-firewalls-vpn-gateways/">bad</a>:
<blockquote>More than 100,000 Zyxel firewalls, VPN gateways, and access point controllers contain a hardcoded admin-level backdoor account that can grant attackers root access to devices via either the SSH interface or the web administration panel.
Installing patches removes the backdoor account, which, according to Eye Control researchers, uses the “zyfwp” username and the “PrOw!aN_fXp” password.
“The plaintext password was visible in one of the binaries on the system,” the Dutch researchers said in a <a href="https://www.eyecontrol.nl/blog/undocumented-user-account-in-zyxel-products.html">report</a> published before the Christmas 2020 holiday.</blockquote>
<h2>Extracting Personal Information from Large Language Models Like GPT-2</h2>
<a href="https://www.schneier.com/blog/archives/2021/01/extracting-personal-information-from-large-language-models-like-gpt-2.html"><strong>[2021.01.07]</strong></a> Researchers have been able to find all sorts of personal information within GPT-2. This information was part of the training data, and can be extracted with the right sorts of queries.
Paper: “<a href="https://arxiv.org/abs/2012.07805">Extracting Training Data from Large Language Models</a>.”
<blockquote><b>Abstract:</b> It has become common to publish large (billion parameter) language models that have been trained on private datasets. This paper demonstrates that in such settings, an adversary can perform a training data extraction attack to recover individual training examples by querying the language model.
We demonstrate our attack on GPT-2, a language model trained on scrapes of the public Internet, and are able to extract hundreds of verbatim text sequences from the model’s training data. These extracted examples include (public) personally identifiable information (names, phone numbers, and email addresses), IRC conversations, code, and 128-bit UUIDs. Our attack is possible even though each of the above sequences are included in just one document in the training data.
We comprehensively evaluate our extraction attack to understand the factors that contribute to its success. For example, we find that larger models are more vulnerable than smaller models. We conclude by drawing lessons and discussing possible safeguards for training large language models.</blockquote>
From a blog <a href="https://bair.berkeley.edu/blog/2020/12/20/lmmem/">post</a>:
<blockquote>We generated a total of 600,000 samples by querying GPT-2 with three different sampling strategies. Each sample contains 256 tokens, or roughly 200 words on average. Among these samples, we selected 1,800 samples with abnormally high likelihood for manual inspection. Out of the 1,800 samples, we found 604 that contain text which is reproduced verbatim from the training set.</blockquote>
The rest of the blog post discusses the types of data they found.
<h2>Russia's SolarWinds Attack and Software Security</h2>
<a href="https://www.schneier.com/blog/archives/2021/01/russias-solarwinds-attack-and-software-security.html"><strong>[2021.01.08]</strong></a> The information that is emerging about Russia’s <a href="https://www.cnn.com/2020/12/16/politics/us-government-agencies-hack-uncertainty/index.html">extensive cyberintelligence operation</a> against the <a href="https://www.theguardian.com/commentisfree/2020/dec/23/cyber-attack-us-security-protocols">United States</a> and<a href="https://www.cnbc.com/2020/12/18/suspected-russian-hack-on-us-is-much-worse-than-first-feared.html"> other countries</a> should be increasingly alarming to the public. The magnitude of the hacking, now believed to have affected more than <a href="https://www.nytimes.com/2021/01/02/us/politics/russian-hacking-government.html">250 federal agencies and businesses</a> — primarily through a malicious update of the SolarWinds network management software — may have slipped under most people’s radar during the holiday season, but its implications are stunning.
According to a <a href="https://www.washingtonpost.com/national-security/russian-government-spies-are-behind-a-broad-hacking-campaign-that-has-breached-us-agencies-and-a-top-cyber-firm/2020/12/13/d5a53b88-3d7d-11eb-9453-fc36ba051781_story.html">Washington Post report</a>, this is a massive intelligence coup by Russia’s foreign intelligence service (SVR). And a massive security failure on the part of the United States is also to blame. Our insecure Internet infrastructure has become a critical national security risk — one that we need to take seriously and spend money to reduce.
President-elect Joe Biden’s initial response <a href="https://news.yahoo.com/biden-says-us-will-respond-in-kind-for-solar-wind-hacking-blamed-on-russia-215116852.html">spoke of retaliation</a>, but there really isn’t much the United States can do beyond what it already does. Cyberespionage is <a href="https://thedispatch.com/p/self-delusion-on-the-russia-hack">business as usual</a> among countries and governments, and the United States is aggressively offensive in this regard. We benefit from the lack of norms in this area and are unlikely to push back too hard because we don’t want to limit our own offensive actions.
Biden took a <a href="https://thehill.com/policy/cybersecurity/531868-biden-calls-for-modernizing-us-defenses-following-massive-hack">more realistic tone</a> last week when he spoke of the need to improve US defenses. The initial focus will likely be on how to clean the hackers out of our networks, why the National Security Agency and US Cyber Command <a href="https://www.washingtonpost.com/national-security/ruusian-hackers-outsmarted-us-defenses/2020/12/15/3deed840-3f11-11eb-9453-fc36ba051781_story.html">failed to detect</a> this intrusion and whether the 2-year-old Cybersecurity and Infrastructure Security Agency has the <a href="https://www.cnn.com/2021/01/02/politics/hack-goverment-cyber-struggle-respond-fallout/index.html">resources necessary</a> to defend the United States against attacks of this caliber. These are important discussions to have, but we also need to address the economic incentives that led to SolarWinds being breached and how that insecure software ended up in so many critical US government networks.
Software has become incredibly complicated. Most of us almost don’t know all of the software running on our laptops and what it’s doing. We don’t know where it’s connecting to on the Internet — not even which countries it’s connecting to — and what data it’s sending. We typically don’t know what third party libraries are in the software we install. We don’t know what software any of our cloud services are running. And we’re rarely alone in our ignorance. Finding all of this out is incredibly difficult.
This is even more true for software that runs our large government networks, or even the <a href="https://www.pcmag.com/encyclopedia/term/internet-backbone">Internet backbone</a>. Government software comes from large companies, small suppliers, open source projects and everything in between. Obscure software packages can have hidden vulnerabilities that affect the security of these networks, and sometimes the entire Internet. Russia’s SVR leveraged one of those vulnerabilities when it gained access to SolarWinds’ update server, tricking thousands of customers into<a href="https://sec.report/Document/0001628280-20-017451/"> downloading a malicious software update</a> that gave the Russians access to those networks.
The fundamental problem is one of economic incentives. The market rewards quick development of products. It rewards new features. It rewards spying on customers and users: collecting and selling individual data. The market does not reward security, safety or transparency. It doesn’t reward reliability past a bare minimum, and it doesn’t reward resilience at all.
This is what happened at SolarWinds. A <a href="https://www.nytimes.com/2021/01/02/us/politics/russian-hacking-government.html"><i>New York Times</i> report</a> noted the company ignored basic security practices. It moved software development to Eastern Europe, where Russia has more influence and could potentially subvert programmers, because it’s cheaper.
Short-term profit was seemingly prioritized over product security.
Companies have the right to make decisions like this. The real question is why the US government bought such shoddy software for its critical networks. This is a problem that Biden can fix, and he needs to do so immediately.
The United States needs to <a href="https://www.politico.com/news/2020/12/19/how-federal-hack-happened-448602">improve government software procurement</a>. Software is now critical to national security. Any system for acquiring software needs to evaluate the security of the software and the security practices of the company, in detail, to ensure they are sufficient to meet the security needs of the network they’re being installed in. Procurement contracts need to include security controls of the software development process. They need security attestations on the part of the vendors, with substantial penalties for misrepresentation or failure to comply. The government needs detailed best practices for government and other companies.
Some of the groundwork for an approach like this has already been laid by the federal government, which has sponsored the development of a “<a href="https://csrc.nist.gov/CSRC/media/Projects/cyber-supply-chain-risk-management/documents/SSCA/Spring_2019/8MayAM2.2_SSCA_May_2019_SBOM_Friedman.pdf">Software Bill of Materials</a>” that would set out a process for software makers to identify the components used to assemble their software.
This scrutiny can’t end with purchase. These security requirements need to be monitored throughout the software’s life cycle, along with what software is being used in government networks.
None of this is cheap, and we should be prepared to pay substantially more for secure software. But there’s a benefit to these practices. If the government evaluations are public, along with the list of companies that meet them, all network buyers can benefit from them. The US government acting purely in the realm of procurement can improve the security of nongovernmental networks worldwide.
This is important, but it isn’t enough. We need to set minimum safety and security standards for all software: from the code in that Internet of Things appliance you just bought to the code running our critical national infrastructure. It’s all one network, and a vulnerability in your refrigerator’s software <a href="https://securityintelligence.com/how-an-iot-botnet-could-breach-the-power-grid-and-cause-widespread-blackouts/">can be used</a> to attack the national power grid.
The <a href="https://www.securitymagazine.com/articles/94123-iot-cybersecurity-improvement-act-signed-into-law">IOT Cybersecurity Improvement Act</a>, signed into law last month, is a start in this direction.
The Biden administration should prioritize minimum security standards for all software sold in the United States, not just to the government but to everyone. Long gone are the days when we can let the software industry decide how much emphasis to place on security. Software security is now a matter of personal safety: whether it’s ensuring your car isn’t <a href="https://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway/">hacked over the Internet</a> or that the national power grid isn’t <a href="https://www.wsj.com/articles/americas-electric-grid-has-a-vulnerable-back-doorand-russia-walked-through-it-11547137112">hacked by the Russians</a>.
This regulation is the only way to force companies to provide safety and security features for customers — just as legislation was necessary to mandate <a href="https://www.fda.gov/animal-veterinary/animal-food-feeds/food-safety-modernization-act-and-animal-food">food safety measures</a> and require auto manufacturers to install life-saving features such as <a href="https://www.history.com/this-day-in-history/federal-legislation-makes-airbags-mandatory">seat belts and air bags</a>. Smart regulations that incentivize innovation create a market for security features. And they improve security for everyone.
It’s true that creating software in this sort of regulatory environment is more expensive. But if we truly value our personal and national security, we need to be prepared to pay for it.
The truth is that we’re already paying for it. Today, software companies increase their profits by secretly pushing risk onto their customers. We pay the cost of insecure personal computers, just as the government is now paying the cost to clean up after the SolarWinds hack. Fixing this requires both transparency and regulation. And while the industry will resist both, they are essential for national security in our increasingly computer-dependent worlds.
This essay <a href="https://www.cnn.com/2021/01/05/opinions/solarwinds-hack-what-should-be-done-schneier/index.html ">previously appeared</a> on CNN.com.
<a href="https://www.schneier.com/blog/archives/2021/01/apt-horoscope.html"><strong>[2021.01.08]</strong></a> This <a href="https://www.atlanticcouncil.org/blogs/new-atlanticist/which-hacker-group-is-most-like-your-astrological-sign/">delightful essay</a> matches APT hacker groups up with astrological signs. This is me:
<blockquote>Capricorn is renowned for its discipline, skilled navigation, and steadfastness. Just like Capricorn, <a href="https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-november-helix-kitten/">Helix Kitten</a> (also known as APT 35 or OilRig) is a skilled navigator of vast online networks, maneuvering deftly across an array of organizations, including those in aerospace, energy, finance, government, hospitality, and telecommunications. Steadfast in its work and objectives, Helix Kitten has a consistent track record of developing meticulous spear-phishing attacks.</blockquote>
<ul><li>User phone numbers</li>
<li>Other people’s phone numbers stored in address books</li>
<li>Profile pictures and</li>
<li>Status message including when a user was last online</li>
<li>Diagnostic data collected from app logs</li></ul>
Under the new terms, Facebook reserves the right to share collected data with its <a href="https://faq.whatsapp.com/general/security-and-privacy/the-facebook-companies">family of companies</a>.</blockquote>
EDITED TO ADD (1/13): WhatsApp <a href="https://www.theverge.com/2021/1/12/22226792/whatsapp-privacy-policy-response-signal-telegram-controversy-clarification">tries to explain</a>.
<h2>Cloning Google Titan 2FA keys</h2>
<a href="https://www.schneier.com/blog/archives/2021/01/cloning-google-titan-2fa-keys.html"><strong>[2021.01.12]</strong></a> This is a <a href="https://arstechnica.com/information-technology/2021/01/hackers-can-clone-google-titan-2fa-keys-using-a-side-channel-in-nxp-chips/">clever</a> side-channel attack:
<blockquote>The cloning works by using a hot air gun and a scalpel to remove the plastic key casing and expose the NXP <a href="https://media.digikey.com/pdf/Data%20Sheets/NXP%20PDFs/A700x_Rev3.1.pdf">A700X chip</a>, which acts as a secure element that stores the cryptographic secrets. Next, an attacker connects the chip to hardware and software that take measurements as the key is being used to authenticate on an existing account. Once the measurement-taking is finished, the attacker seals the chip in a new casing and returns it to the victim.
Extracting and later resealing the chip takes about four hours. It takes another six hours to take measurements for each account the attacker wants to hack. In other words, the process would take 10 hours to clone the key for a single account, 16 hours to clone a key for two accounts, and 22 hours for three accounts.
By observing the local electromagnetic radiations as the chip generates the digital signatures, the researchers exploit a <a href="https://en.wikipedia.org/wiki/Side-channel_attack">side channel vulnerability</a> in the NXP chip. The exploit allows an attacker to obtain the long-term <a href="https://cryptobook.nakov.com/digital-signatures/ecdsa-sign-verify-messages">elliptic curve digital signal algorithm</a> private key designated for a given account. With the crypto key in hand, the attacker can then create her own key, which will work for each account she targeted.</blockquote>
The attack isn’t free, but it’s not expensive either:
<blockquote>A hacker would first have to steal a target’s account password and also gain covert possession of the physical key for as many as 10 hours. The cloning also requires up to $12,000 worth of equipment and custom software, plus an advanced background in electrical engineering and cryptography. That means the key cloning — were it ever to happen in the wild — would likely be done only by a nation-state pursuing its highest-value targets. </blockquote>
That last line about “nation-state pursuing its highest-value targets” is just not true. There are many other situations where this attack is feasible.
Note that the attack isn’t against the Google system specifically. It exploits a side-channel attack in the NXP chip. Which means that other systems are probably vulnerable:
<blockquote>While the researchers performed their attack on the Google Titan, they believe that other hardware that uses the A700X, or chips based on the A700X, may also be vulnerable. If true, that would include Yubico’s YubiKey NEO and several 2FA keys made by Feitian.</blockquote>
<h2>On US Capitol Security -- By Someone Who Manages Arena-Rock-Concert Security</h2>
<a href="https://www.schneier.com/blog/archives/2021/01/on-us-capitol-security-by-someone-who-manages-arena-rock-concert-security.html"><strong>[2021.01.13]</strong></a> Smart <a href="https://www.nbcnews.com/think/opinion/capitol-police-were-so-unprepared-week-event-planner-me-could-ncna1253531 ">commentary</a>:
<blockquote>…I was floored on Wednesday when, glued to my television, I saw police in some areas of the U.S. Capitol using little more than those same mobile gates I had the ones that look like bike racks that can hook together to try to keep the crowds away from sensitive areas and, later, push back people intent on accessing the grounds. (A <a href="https://www.nbcnews.com/video/fencing-goes-up-around-white-house-complex-one-day-after-capitol-riots-99106885915">new fence that appears to be made of sturdier material</a> was being erected on Thursday.) That’s the same equipment and approximately the same amount of force I was able to use when a group of fans got a little feisty and tried to get backstage at a Vanilla Ice show.
There’s not ever going to be enough police or security at any event to stop people if they all act in unison; if enough people want to get to Vanilla Ice at the same time, they’re going to get to Vanilla Ice. Social constructs and basic decency, not lightweight security gates, are what hold everyone except the outliers back in a typical crowd.
When there are enough outliers in a crowd, it throws the normal dynamics of crowd control off; everyone in my business knows this. Citizens tend to hold each other to certain standards which is why my 40,000-person town does not have 40,000 police officers, and why the 8.3 million people of New York City aren’t policed by 8.3 million police officers.
Social norms are the fabric that make an event run smoothly — and, really, hold society together. There aren’t enough police in your town to handle it if everyone starts acting up at the same time.</blockquote>
I like that she uses the term “outliers,” and I make much the same points in <a href="https://www.schneier.com/books/liars-and-outliers/"><i>Liars and Outliers</i></a>.
<h2>Finding the Location of Telegram Users</h2>
<a href="https://www.schneier.com/blog/archives/2021/01/finding-the-location-of-telegram-users.html"><strong>[2021.01.14]</strong></a> Security researcher Ahmed Hassan has shown that spoofing the Android’s “People Nearby” feature allows him to <a href="https://arstechnica.com/information-technology/2021/01/telegram-feature-exposes-your-precise-address-to-hackers/">pinpoint</a> the physical location of Telegram users:
<blockquote>Using readily available software and a rooted Android device, he’s able to spoof the location his device reports to Telegram servers. By using just three different locations and measuring the corresponding distance reported by People Nearby, he is able to pinpoint a user’s precise location.
A proof-of-concept video the researcher sent to Telegram showed how he could discern the address of a People Nearby user when he used a free GPS spoofing app to make his phone report just three different locations. He then drew a circle around each of the three locations with a radius of the distance reported by Telegram. The user’s precise location was where all three intersected.
Fixing the problem — or at least making it much harder to exploit it — wouldn’t be hard from a technical perspective. Rounding locations to the nearest mile and adding some random bits generally suffices. When the Tinder app had a similar disclosure vulnerability, developers used this kind of technique to fix it.</blockquote>
<h2>Upcoming Speaking Engagements</h2>
<a href="https://www.schneier.com/blog/archives/2021/01/upcoming-speaking-engagements-5.html"><strong>[2021.01.14]</strong></a> This is a current list of where and when I am scheduled to speak:
<li>I’m speaking (online) as part of Western Washington University’s <a href="https://cs.wwu.edu/internet-studies-lecture-series-securing-world-physically-capable-computers">Internet Studies Lecture Series</a> on January 20, 2021.</li>
<li>I’m speaking (online) at ITU Denmark on February 2, 2021. Details to come.</li>
<li>I’m being interviewed by Keith Cronin as part of The Center for Innovation, Security, and New Technology’s <a href="https://www.eventbrite.com/e/csint-conversations-data-surveillance-internet-security-bruce-schneier-tickets-136623288935">CSINT Conversations</a> series, February 10, 2021 from 11:00 AM – 11:30 AM CST.</li>
<li>I’ll be speaking at an <a href="https://www.informa.com/">Informa</a> event on February 28, 2021. Details to come.</li>
The list is maintained on <a href="https://www.schneier.com/events/">this page</a>.
<h2>Cell Phone Location Privacy</h2>
<a href="https://www.schneier.com/blog/archives/2021/01/cell-phone-location-privacy.html"><strong>[2021.01.15]</strong></a> We all know that our cell phones constantly give our location away to our mobile network operators; that’s how they work. A group of researchers has figured out a way to fix that. “Pretty Good Phone Privacy” (PGPP) protects both user identity and user location using the existing cellular networks. It protects users from fake cell phone towers (IMSI-catchers) and surveillance by cell providers.
It’s a clever system. The players are the user, a traditional mobile network operator (MNO) like AT&T or Verizon, and a new mobile virtual network operator (MVNO). MVNOs aren’t new. They’re intermediaries like Cricket and Boost.
Here’s how it works:
<ol><li>One-time setup: The user’s phone gets a new SIM from the MVNO. All MVNO SIMs are identical.
<li>Monthly: The user pays their bill to the MVNO (credit card or otherwise) and the phone gets anonymous authentication (using Chaum blind signatures) tokens for each time slice (e.g., hour) in the coming month.
<li>Ongoing: When the phone talks to a tower (run by the MNO), it sends a token for the current time slice. This is relayed to a MVNO backend server, which checks the Chaum blind signature of the token. If it’s valid, the MVNO tells the MNO that the user is authenticated, and the user receives a temporary random ID and an IP address. (Again, this is now MVNOs like Boost already work.)
<li>On demand: The user uses the phone normally.</ol>
The MNO doesn’t have to modify its system in any way. The PGPP MVNO implementation is in software. The user’s traffic is sent to the MVNO gateway and then out onto the Internet, potentially even using a VPN.
All connectivity is data connectivity in cell networks today. The user can choose to be data-only (e.g., use Signal for voice), or use the MVNO or a third party for VoIP service that will look just like normal telephony.
The group prototyped and tested everything with real phones in the lab. Their approach adds essentially zero latency, and doesn’t introduce any new bottlenecks, so it doesn’t have performance/scalability problems like most anonymity networks. The service could handle tens of millions of users on a single server, because it only has to do infrequent authentication, though for resilience you’d probably run more.
The paper is <a href="https://raghavan.usc.edu/papers/pgpp-arxiv20.pdf">here</a>.
<h2><i>Click Here to Kill Everybody</i> Sale</h2>
<a href="https://www.schneier.com/blog/archives/2021/01/click-here-to-kill-everybody-sale.html"><strong>[2021.01.15]</strong></a> For a limited time, I am selling signed copies of <a href="https://www.schneier.com/product/click-here-to-kill-everybody-hardcover/"><i>Click Here to Kill Everybody</i></a> in hardcover for just $6, plus shipping.
Note that I have had occasional problems with international shipping. The book just disappears somewhere in the process. At this price, international orders are at the buyer’s risk. Also, the USPS keeps reminding us that shipping — both US and international — may be delayed during the pandemic.
I have 500 copies of the book available. When they’re gone, the sale is over and the price will revert to normal.
Order <a href="https://www.schneier.com/product/click-here-to-kill-everybody-hardcover/">here</a>.
EDITED TO ADD: I was able to get another 500 from the publisher, since the first 500 sold out so quickly.
Please be patient on delivery. There are already 550 orders, and that’s a lot of work to sign and mail. I’m going to be doing them a few at a time over the next several weeks. So all of you people reading this paragraph before ordering, understand that there are a lot of people ahead of you in line.
EDITED TO ADD (1/16): I am sold out. If I can get more copies, I’ll hold another sale after I sign and mail the 1,000 copies that you all purchased.
<h2>Injecting a Backdoor into SolarWinds Orion</h2>
<a href="https://www.schneier.com/blog/archives/2021/01/injecting-a-backdoor-into-solarwinds-orion.html"><strong>[2021.01.19]</strong></a> Crowdstrike is <a href="https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis/">reporting</a> on a sophisticated piece of malware that was able to inject malware into the SolarWinds build process:
<ul><li>SUNSPOT is StellarParticle’s malware used to insert the SUNBURST backdoor into software builds of the SolarWinds Orion IT management product.
<li>SUNSPOT monitors running processes for those involved in compilation of the Orion product and replaces one of the source files to include the SUNBURST backdoor code.
<li>Several safeguards were added to SUNSPOT to avoid the Orion builds from failing, potentially alerting developers to the adversary’s presence.</ul>
Analysis of a SolarWinds software build server provided insights into how the process was hijacked by StellarParticle in order to insert SUNBURST into the update packages. The design of SUNSPOT suggests StellarParticle developers invested a lot of effort to ensure the code was properly inserted and remained undetected, and prioritized operational security to avoid revealing their presence in the build environment to SolarWinds developers.</blockquote>
This, of course, reminds many of us of Ken Thompson’s thought experiment from his 1984 Turing Award lecture, “<a href="https://www.cs.cmu.edu/~rdriley/487/papers/Thompson_1984_ReflectionsonTrustingTrust.pdf">Reflections on Trusting Trust</a>.” In that talk, he suggested that a malicious C compiler might add a backdoor into programs it compiles.
<blockquote>The moral is obvious. You can’t trust code that you did not totally create yourself. (Especially code from companies that employ people like me.) No amount of source-level verification or scrutiny will protect you from using untrusted code. In demonstrating the possibility of this kind of attack, I picked on the C compiler. I could have picked on any program-handling program such as an assembler, a loader, or even hardware microcode. As the level of program gets lower, these bugs will be harder and harder to detect. A well-installed microcode bug will be almost impossible to detect.</blockquote>
That’s all still true today.
<h2>Sophisticated Watering Hole Attack</h2>
<a href="https://www.schneier.com/blog/archives/2021/01/sophisticated-watering-hole-attack.html"><strong>[2021.01.20]</strong></a> Google’s Project Zero has <a href="https://arstechnica.com/information-technology/2021/01/hackers-used-4-0days-to-infect-windows-and-android-devices/">exposed</a> a sophisticated watering-hole attack targeting both Windows and Android:
<blockquote>Some of the exploits were zero-days, meaning they targeted vulnerabilities that at the time were unknown to Google, Microsoft, and most outside researchers (both companies have since patched the security flaws). The hackers delivered the exploits through watering-hole attacks, which compromise sites frequented by the targets of interest and lace the sites with code that installs malware on visitors’ devices. The boobytrapped sites made use of two exploit servers, one for Windows users and the other for users of Android
The use of zero-days and complex infrastructure isn’t in itself a sign of sophistication, but it does show above-average skill by a professional team of hackers. Combined with the robustness of the attack code — which chained together multiple exploits in an efficient manner — the campaign demonstrates it was carried out by a “highly sophisticated actor.”
The modularity of the payloads, the interchangeable exploit chains, and the logging, targeting, and maturity of the operation also set the campaign apart, the researcher said. </blockquote>
No attribution was made, but the list of countries likely to be behind this isn’t very large. If you were to ask me to guess based on available information, I would guess it was the US — specifically, the NSA. It shows a care and precision that it’s known for. But I have no actual evidence for that guess.
All the vulnerabilities were fixed by last April.
<h2>SVR Attacks on Microsoft 365</h2>
<a href="https://www.schneier.com/blog/archives/2021/01/svr-attacks-on-microsoft-365.html"><strong>[2021.01.21]</strong></a> FireEye is <a href="https://www.fireeye.com/blog/threat-research/2021/01/remediation-and-hardening-strategies-for-microsoft-365-to-defend-against-unc2452.html">reporting</a> the current known tactics that the SVR used to compromise Microsoft 365 cloud data as part of its SolarWinds operation:
<blockquote>Mandiant has observed UNC2452 and other threat actors moving laterally to the Microsoft 365 cloud using a combination of four primary techniques:
<li>Steal the Active Directory Federation Services (AD FS) token-signing certificate and use it to forge tokens for arbitrary users (sometimes described as <a href="https://www.cyberark.com/resources/threat-research-blog/golden-saml-newly-discovered-attack-technique-forges-authentication-to-cloud-apps">Golden SAML</a>). This would allow the attacker to authenticate into a federated resource provider (such as Microsoft 365) as any user, without the need for that user’s password or their corresponding multi-factor authentication (MFA) mechanism.</li>
<li>Modify or add trusted domains in Azure AD to add a new federated Identity Provider (IdP) that the attacker controls. This would allow the attacker to forge tokens for arbitrary users and has been described as an <a href="https://o365blog.com/post/aadbackdoor/">Azure AD</a> <a href="https://www.fireeye.com/blog/threat-research/2020/09/detecting-microsoft-365-azure-active-directory-backdoors.html">backdoor</a>.</li>
<li>Compromise the credentials of on-premises user accounts that are synchronized to Microsoft 365 that have high privileged directory roles, such as Global Administrator or Application Administrator.</li>
<li><a href="https://dirkjanm.io/azure-ad-privilege-escalation-application-admin/">Backdoor</a> an existing Microsoft 365 application by adding a new application or service principal credential in order to use the legitimate permissions assigned to the application, such as the ability to read email, send email as an arbitrary user, access user calendars, etc.</li>
Lots of details <a href="https://www.fireeye.com/content/dam/collateral/en/wp-m-unc2452.pdf">here</a>, including information on remediation and hardening.
The more we learn about the this operation, the more sophisticated it becomes.
In related news, MalwareBytes was <a href="https://www.zdnet.com/article/malwarebytes-said-it-was-hacked-by-the-same-group-who-breached-solarwinds/">also targeted</a>.