<h2>More on the Chinese Zero-Day Microsoft Exchange Hack</h2>

<a href="https://www.schneier.com/blog/archives/2021/03/more-on-the-chinese-zero-day-microsoft-exchange-hack.html"><strong>[2021.03.10]</strong></a> Nick Weaver has an <a href="https://www.lawfareblog.com/microsoft-exchange-hack-and-great-email-robbery">excellent post</a> on the Microsoft Exchange hack: <blockquote>The investigative journalist Brian Krebs has produced a <a href="https://krebsonsecurity.com/2021/03/a-basic-timeline-of-the-exchange-mass-hack/">handy timeline of events</a> and a few things stand out from the chronology. The attacker was first detected by one group on Jan. 5 and another on Jan. 6, and Microsoft acknowledged the problem immediately. During this time the attacker appeared to be relatively subtle, exploiting particular targets (although we generally lack insight into who was targeted). Microsoft determined on Feb. 18 that it would patch these vulnerabilities on the March 9th “Patch Tuesday” release of fixes. Somehow, the threat actor either knew that the exploits would soon become worthless or simply guessed that they would. So, in late February, the attacker changed strategy. Instead of simply exploiting targeted Exchange servers, the attackers stepped up their pace considerably by targeting tens of thousands of servers to install the web shell, an exploit that allows attackers to have remote access to a system. Microsoft then released the patch with very little warning on Mar. 2, at which point the attacker simply sought to compromise almost every vulnerable Exchange server on the Internet. The result? Virtually every vulnerable mail server received the web shell as a backdoor for further exploitation, making the patch effectively useless against the Chinese attackers; almost all of the vulnerable systems were exploited before they were patched. This is a rational strategy for any actor who doesn’t care about consequences. When a zero-day is confidential and undiscovered, the attacker tries to be careful, only using it on attackers of sufficient value. But if the attacker knows or has reason to believe their vulnerabilities may be patched, they will increase the pace of exploits and, once a patch is released, there is no reason to not try to exploit everything possible.</blockquote> We know that Microsoft shares advance information about updates with some organizations. I have long believed that they give the NSA a few weeks’ notice to do basically what the Chinese did: use the exploit widely, because you don’t have to worry about losing the capability. Estimates on the number of affected networks continues to rise. At least <a href="https://krebsonsecurity.com/2021/03/at-least-30000-u-s-organizations-newly-hacked-via-holes-in-microsofts-email-software/">30,000</a> in the US, and <a href="https://arstechnica.com/gadgets/2021/03/tens-of-thousands-of-us-organizations-hit-in-ongoing-microsoft-exchange-hack/">100,000</a> worldwide. More? And the vulnerabilities: <blockquote>The Chinese actors were not using a single vulnerability but actually a sequence of four “zero-day” exploits. The first allowed an unauthorized user to basically tell the server “let me in, I’m the server” by tricking the server into contacting itself. After the unauthorized user gained entry, the hacker could use the second vulnerability, which used a malformed voicemail that, when interpreted by the server, allowed them to execute arbitrary commands. Two further vulnerabilities allow the attacker to write new files, which is a common primitive that attackers use to increase their access: An attacker uses a vulnerability to write a file and then uses the arbitrary command execution vulnerability to execute that file. Using this access, the attackers could read anybody’s email or indeed take over the mail server completely. Critically, they would almost always do more, introducing a “<a href="https://www.trendmicro.com/en_us/research/21/a/targeted-attack-using-chopper-aspx-web-shell-exposed-via-managed.html">web shell</a>,” a program that would enable further remote exploitation even if the vulnerabilities are patched.</blockquote> The details of that web shell matter. If it was sophisticated, it implies that the Chinese hackers were planning on installing it from the beginning of the operation. If it’s kind of slapdash, it implies a last-minute addition when they realized their exploit window was closing. Now comes the criminal attacks. Any unpatched network is still vulnerable, and we know from history that lots of networks will remain vulnerable for a long time. Expect the ransomware gangs to weaponize this attack within days. EDITED TO ADD (3/12): Right on schedule, criminal hacker groups are <a href="https://www.reuters.com/article/us-usa-cyber-microsoft-idCAKBN2B224O">exploiting the vulnerabilities</a>. EDITED TO ADD (3/13): And now the <a href="https://arstechnica.com/gadgets/2021/03/ransomware-gangs-hijack-7000-exchange-servers-first-hit-by-chinese-hackers/">ransomware</a>.

<h2>Fast Random Bit Generation</h2>

<a href="https://www.schneier.com/blog/archives/2021/03/fast-random-bit-generation.html"><strong>[2021.03.11]</strong></a> <i>Science</i> has a <a href="https://science.sciencemag.org/content/371/6532/948.abstract">paper</a> (and <a href="https://science.sciencemag.org/content/371/6532/889.abstract">commentary</a>) on generating 250 random terabits per second with a laser. I don’t know how cryptographically secure they are, but that can be cleaned up with something like <a href="https://www.schneier.com/academic/fortuna/">Fortuna</a>. EDITED TO ADD (3/12): Here are free versions of the <a href="https://arxiv.org/abs/2004.07157">paper</a> and the <a href="https://u.osu.edu/quantinfo/files/2021/02/Science371-889-2021.pdf">commentary</a>.

<h2>Metadata Left in Security Agency PDFs</h2>

<a href="https://www.schneier.com/blog/archives/2021/03/metadata-left-in-security-agency-pdfs.html"><strong>[2021.03.12]</strong></a> Really interesting <a href="https://arxiv.org/abs/2103.02707">research</a>: <blockquote>“Exploitation and Sanitization of Hidden Data in PDF Files” <b>Abstract:</b> Organizations publish and share more and more electronic documents like PDF files. Unfortunately, most organizations are unaware that these documents can compromise sensitive information like authors names, details on the information system and architecture. All these information can be exploited easily by attackers to footprint and later attack an organization. In this paper, we analyze hidden data found in the PDF files published by an organization. We gathered a corpus of 39664 PDF files published by 75 security agencies from 47 countries. We have been able to measure the quality and quantity of information exposed in these PDF files. It can be effectively used to find weak links in an organization: employees who are running outdated software. We have also measured the adoption of PDF files sanitization by security agencies. We identified only 7 security agencies which sanitize few of their PDF files before publishing. Unfortunately, we were still able to find sensitive information within 65% of these sanitized PDF files. Some agencies are using weak sanitization techniques: it requires to remove all the hidden sensitive information from the file and not just to remove the data at the surface. Security agencies need to change their sanitization methods. </blockquote> Short summary: no one is doing great.

<h2>Upcoming Speaking Engagements</h2>

<a href="https://www.schneier.com/blog/archives/2021/03/upcoming-speaking-engagements-6.html"><strong>[2021.03.14]</strong></a> This is a current list of where and when I am scheduled to speak: <ul> <li>I’m speaking at the <a href="https://cyberconference.com.au/canberra/">Australian Cyber Conference 2021</a> on March 17 and 18, 2021.</li> <li>I’m keynoting the (all-virtual) <a href="https://www.rsaconference.com/events/2021-usa">RSA Conference 2021</a>, May 17-20, 2021.</li> <li>I’ll be speaking at an <a href="https://www.informa.com/">Informa</a> event on September 14, 2021. Details to come.</li> </ul> The list is maintained on <a href="https://www.schneier.com/events/">this page</a>.

<h2>Security Analysis of Apple's "Find My..." Protocol</h2>

<a href="https://www.schneier.com/blog/archives/2021/03/security-analysis-of-apples-find-my-protocol.html"><strong>[2021.03.15]</strong></a> Interesting research: “<a href="https://arxiv.org/abs/2103.02282">Who Can Find My Devices? Security and Privacy of Apple’s Crowd-Sourced Bluetooth Location Tracking System</a>“: <blockquote><b>Abstract:</b> Overnight, Apple has turned its hundreds-of-million-device ecosystem into the world’s largest crowd-sourced location tracking network called offline finding (OF). OF leverages online finder devices to detect the presence of missing offline devices using Bluetooth and report an approximate location back to the owner via the Internet. While OF is not the first system of its kind, it is the first to commit to strong privacy goals. In particular, OF aims to ensure finder anonymity, untrackability of owner devices, and confidentiality of location reports. This paper presents the first comprehensive security and privacy analysis of OF. To this end, we recover the specifications of the closed-source OF protocols by means of reverse engineering. We experimentally show that unauthorized access to the location reports allows for accurate device tracking and retrieving a user’s top locations with an error in the order of 10 meters in urban areas. While we find that OF’s design achieves its privacy goals, we discover two distinct design and implementation flaws that can lead to a location correlation attack and unauthorized access to the location history of the past seven days, which could deanonymize users. Apple has partially addressed the issues following our responsible disclosure. Finally, we make our research artifacts publicly available.</blockquote> There is also <a href="https://github.com/seemoo-lab/openhaystack">code available</a> on GitHub, which allows arbitrary Bluetooth devices to be tracked via Apple’s Find My network.

<h2>On the Insecurity of ES&S Voting Machines' Hash Code</h2>

<a href="https://www.schneier.com/blog/archives/2021/03/on-the-insecurity-of-ess-voting-machines-hash-code.html"><strong>[2021.03.16]</strong></a> Andrew Appel and Susan Greenhalgh have a <a href="https://freedom-to-tinker.com/2021/03/05/voting-machine-hashcode-testing-unsurprisingly-insecure-and-surprisingly-insecure/">blog post</a> on the insecurity of ES&amp;S’s software authentication system: <blockquote>It turns out that ES&S has bugs in their hash-code checker: <b>if the “reference hashcode” is completely missing, then it’ll say “yes, boss, everything is fine” instead of reporting an error.</b> It’s simultaneously <b>shocking</b> and <b>unsurprising</b> that ES&S’s hashcode checker could contain such a blunder and that it would go unnoticed by the U.S. Election Assistance Commission’s federal certification process. It’s unsurprising because testing naturally tends to focus on “does the system work right when used as intended?” Using the system in unintended ways (which is what hackers would do) is not something anyone will notice.</blockquote> Also: <blockquote>Another gem in Mr. Mechler’s report is in Section 7.1, in which he reveals that acceptance testing of voting systems is done by the <i>vendor</i>, not by the customer. Acceptance testing is the process by which a customer checks a delivered product to make sure it satisfies requirements. To have the vendor do acceptance testing pretty much defeats the purpose.</blockquote>

<h2>Illegal Content and the Blockchain</h2>

<a href="https://www.schneier.com/blog/archives/2021/03/illegal-content-and-the-blockchain.html"><strong>[2021.03.17]</strong></a> Security researchers have recently discovered a botnet with a novel defense against takedowns. Normally, authorities can disable a botnet by taking over its command-and-control server. With nowhere to go for instructions, the botnet is rendered useless. But over the years, botnet designers have come up with ways to make this counterattack harder. Now the content-delivery network Akamai has <a href="https://blogs.akamai.com/sitr/2021/02/bitcoins-blockchains-and-botnets.html">reported</a> on a new method: a botnet that uses the Bitcoin blockchain ledger. Since the blockchain is globally accessible and hard to take down, the botnet’s operators appear to be safe. It’s best to avoid explaining the mathematics of Bitcoin’s blockchain, but to understand the colossal implications here, you need to understand one concept. Blockchains are a type of “distributed ledger”: a record of all transactions since the beginning, and everyone using the blockchain needs to have access to — and reference — a copy of it. What if someone puts illegal material in the blockchain? Either everyone has a copy of it, or the blockchain’s security fails. To be fair, not absolutely everyone who uses a blockchain holds a copy of the entire ledger. Many who buy cryptocurrencies like Bitcoin and Ethereum don’t bother using the ledger to verify their purchase. Many don’t actually hold the currency outright, and instead trust an exchange to do the transactions and hold the coins. But people need to continually verify the blockchain’s history on the ledger for the system to be secure. If they stopped, then it would be trivial to forge coins. That’s how the system works. Some years ago, people <a href="http://www.righto.com/2014/02/ascii-bernanke-wikileaks-photographs.html">started noticing</a> all sorts of things embedded in the Bitcoin blockchain. There are digital images, including one of Nelson Mandela. There’s the Bitcoin logo, and the original paper describing Bitcoin by its alleged founder, the pseudonymous Satoshi Nakamoto. There are advertisements, and several prayers. There’s even <a href="https://www.accenture.com/_acnmedia/pdf-33/accenture-editing-uneditable-blockchain.pdf">illegal pornography and leaked classified documents</a>. All of these were put in by anonymous Bitcoin users. But none of this, so far, appears to seriously threaten those in power in governments and corporations. Once someone adds something to the Bitcoin ledger, it becomes sacrosanct. Removing something requires a fork of the blockchain, in which Bitcoin fragments into multiple parallel cryptocurrencies (and associated blockchains). Forks happen, rarely, but never yet because of legal coercion. And repeated forking would destroy Bitcoin’s stature as a stable(ish) currency. The botnet’s designers are using this idea to create an unblockable means of coordination, but the implications are much greater. Imagine someone using this idea to evade government censorship. <a href="https://cbeci.org/mining_map">Most</a> <a href="https://www.forbes.com/sites/rogerhuang/2021/12/29/the-chinese-mining-centralization-of-bitcoin-and-ethereum/?sh=19f1b5142f66">Bitcoin</a> mining happens in <a href="https://www.barrons.com/articles/bitcoin-mining-in-xinjiang-china-could-be-a-red-flag-for-regulators-51613764881">China</a>. What if someone added a bunch of Chinese-censored <a href="https://www.economist.com/the-economist-explains/2018/09/05/what-is-falun-gong">Falun Gong</a> texts to the blockchain?&lt; What if someone added a type of political speech that Singapore routinely censors? Or cartoons that Disney holds the copyright to? In Bitcoin’s and most other public blockchains there are no central, trusted authorities. Anyone in the world can perform transactions or become a miner. Everyone is equal to the extent that they have the hardware and electricity to perform cryptographic computations. This openness is also a vulnerability, one that opens the door to asymmetric threats and small-time malicious actors. Anyone can put information in the one and only Bitcoin blockchain. Again, that’s how the system works. Over the last three decades, the world has witnessed the power of open networks: <a href="https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3356098">blockchains</a>, social media, the very web itself. What makes them so powerful is that their value is related not just to the number of users, but <em>the number of potential links between users</em>. This is Metcalfe’s law — value in a network is quadratic, not linear, in the number of users — and every open network since has followed its prophecy. As Bitcoin has grown, its monetary value has skyrocketed, even if its <a href="https://www.wired.com/story/theres-no-good-reason-to-trust-blockchain-technology">uses remain unclear</a>. With no barrier to entry, the blockchain space has been a Wild West of innovation and lawlessness. But today, many prominent advocates suggest Bitcoin should become a global, universal currency. In this context, asymmetric threats like embedded illegal data become a major challenge. The philosophy behind Bitcoin traces to the earliest days of the open internet. Articulated in John Perry Barlow’s 1996 <a href="https://www.eff.org/cyberspace-independence">Declaration of the Independence of Cyberspace</a>, it was and is the ethos of tech startups: Code is more trustworthy than institutions. Information is meant to be free, and nobody has the right — and should not have the ability — to control it. But information must reside somewhere. Code is written by and for people, stored on computers located within countries, and embedded within the institutions and societies we have created. To trust information is to <a href="https://zeynep.substack.com/p/the-pandemic-heroes-who-gave-us-the">trust its chain of custody</a> and the <a href="https://zeynep.substack.com/p/lessons-from-a-pandemic-anniversary">social context</a> it <a href="https://zeynep.substack.com/p/critical-thinking-isnt-just-a-process">comes from</a>. Neither code nor information is value-neutral, nor ever free of human context. Today, Barlow’s vision is a mere shadow; every society controls the information its people can access. Some of this control is through overt censorship, as China controls information about Taiwan, Tiananmen Square, and the Uyghurs. Some of this is through civil laws designed by the powerful for their benefit, as with Disney and US copyright law, or UK libel law. Bitcoin and blockchains like it are on a collision course with these laws. What happens when the interests of the powerful, with the law on their side, are pitted against an open blockchain? Let’s imagine how our various scenarios might play out. China first: In response to Falun Gong texts in the blockchain, the People’s Republic decrees that any miners processing blocks with banned content will be taken offline — their IPs will be blacklisted. This causes a hard fork of the blockchain at the point just before the banned content. China might do this under the guise of a “patriotic” messaging campaign, publicly stating that it’s merely maintaining financial sovereignty from Western banks. Then it uses paid influencers and moderators on social media to pump the China Bitcoin fork, through both partisan comments and transactions. Two distinct forks would soon emerge, one behind China’s Great Firewall and one outside. Other countries with similar governmental and media ecosystems — Russia, Singapore, Myanmar — might consider following suit, creating multiple national Bitcoin forks. These would operate independently, under mandates to censor unacceptable transactions from then on. Disney’s approach would play out differently. Imagine the company announces it will sue any ISP that hosts copyrighted content, starting with networks hosting the biggest miners. (Disney has sued to enforce its intellectual property rights in China before.) After some legal pressure, the networks cut the miners off. The miners reestablish themselves on another network, but Disney keeps the pressure on. Eventually miners get pushed further and further off of mainstream network providers, and resort to tunneling their traffic through an anonymity service like Tor. That causes a major slowdown in the already slow (because of the mathematics) Bitcoin network. Disney might issue takedown requests for Tor exit nodes, causing the network to slow to a crawl. It could persist like this for a long time without a fork. Or the slowdown could cause people to jump ship, either by forking Bitcoin or switching to another cryptocurrency without the copyrighted content. And then there’s illegal pornographic content and leaked classified data. These have <a href="https://www.accenture.com/_acnmedia/pdf-33/accenture-editing-uneditable-blockchain.pdf">been on</a> the Bitcoin blockchain for over five years, and nothing has been done about it. Just like the botnet example, it may be that these do not threaten existing power structures enough to warrant takedowns. This could easily change if Bitcoin becomes a popular way to share child sexual abuse material. Simply having these illegal images on your hard drive is a felony, which could have significant repercussions for anyone involved in Bitcoin. Whichever scenario plays out, this may be the Achilles heel of Bitcoin as a global currency. If an open network such as a blockchain were threatened by a powerful organization — China’s censors, Disney’s lawyers, or the FBI trying to take down a more dangerous botnet — it could fragment into multiple networks. That’s not just a nuisance, but an existential risk to Bitcoin. Suppose Bitcoin were fragmented into 10 smaller blockchains, perhaps by geography: one in China, another in the US, and so on. These fragments might retain their original users, and by ordinary logic, nothing would have changed. But Metcalfe’s law implies that the overall value of these blockchain fragments <em>combined</em> would be a mere tenth of the original. That is because the value of an open network relates to how many others you can communicate with — and, in a blockchain, transact with. Since the security of bitcoin currency is achieved through expensive computations, fragmented blockchains are also easier to attack in a conventional manner — through a 51 percent attack — by an organized attacker. This is especially the case if the smaller blockchains all use the same hash function, as they would here. Traditional currencies are generally not vulnerable to these sorts of asymmetric threats. There are no viable small-scale attacks against the US dollar, or almost any other fiat currency. The institutions and beliefs that <a href="https://www.thisamericanlife.org/423/the-invention-of-money">give money its value</a> are deep-seated, despite instances of <a href="https://en.wikipedia.org/wiki/Hyperinflation#Notable_hyperinflationary_periods">currency hyperinflation</a>. The only notable attacks against fiat currencies are in the form of counterfeiting. Even in the past, when counterfeit bills were common, attacks <a href="https://time.com/3774327/lincoln-history-secret-service">could be thwarted</a>. Counterfeiters require specialized equipment and are vulnerable to law enforcement discovery and arrest. Furthermore, most money today — even if it’s nominally in a fiat currency — doesn’t exist in paper form. Bitcoin attracted a following for its openness and immunity from government control. Its goal is to create a world that replaces cultural power with cryptographic power: verification in code, not trust in people. But there is no such world. And today, that feature is a vulnerability. We really don’t know what will happen when the human systems of trust come into conflict with the trustless verification that make blockchain currencies unique. Just last week we saw <a href="https://twitter.com/TrustlessState/status/1365844883756314627">this exact attack</a> on smaller blockchains — not Bitcoin yet. We are watching a public socio-technical experiment in the making, and we will witness its success or failure in the not-too-distant future. This essay was written with Barath Raghavan, and <a href="https://www.wired.com/story/opinion-bitcoins-greatest-feature-is-also-its-existential-threat/">previously appeared</a> on Wired.com.

<h2>Exploiting Spectre Over the Internet</h2>

<a href="https://www.schneier.com/blog/archives/2021/03/exploiting-spectre-over-the-internet.html"><strong>[2021.03.18]</strong></a> Google has <a href="https://security.googleblog.com/2021/03/a-spectre-proof-of-concept-for-spectre.html">demonstrated</a> exploiting the <a href="https://www.schneier.com/blog/archives/2018/01/spectre_and_mel.html">Spectre CPU attack</a> remotely over the web: <blockquote>Today, we’re sharing proof-of-concept (PoC) code that confirms the practicality of Spectre exploits against JavaScript engines. We use Google Chrome to demonstrate our attack, but these issues are not specific to Chrome, and we expect that other modern browsers are similarly vulnerable to this exploitation vector. We have developed an interactive demonstration of the attack available at <a href="https://leaky.page">https://leaky.page/ </a>; the code and a more detailed writeup are published on Github <a href="https://github.com/google/security-research-pocs/tree/master/spectre.js">here</a>. The demonstration website can leak data at a speed of 1kB/s when running on Chrome 88 on an Intel Skylake CPU. Note that the code will likely require minor modifications to apply to other CPUs or browser versions; however, in our tests the attack was successful on several other processors, including the Apple M1 ARM CPU, without any major changes.</blockquote>

<h2>Easy SMS Hijacking</h2>

<a href="https://www.schneier.com/blog/archives/2021/03/easy-sms-hijacking.html"><strong>[2021.03.19]</strong></a> Vice is <a href="https://www.vice.com/en/article/y3g8wb/hacker-got-my-texts-16-dollars-sakari-netnumber">reporting</a> on a cell phone vulnerability caused by commercial SMS services. One of the things these services permit is text message forwarding. It turns out that with a little bit of anonymous money — in this case, $16 off an anonymous prepaid credit card — and a few lies, you can forward the text messages from any phone to any other phone. <blockquote>For businesses, sending text messages to hundreds, thousands, or perhaps millions of customers can be a laborious task. Sakari streamlines that process by letting business customers import their own number. A <a href="https://beetexting.com/">wide ecosystem of these companies exist</a>, each advertising their own ability to run text messaging for other businesses. Some firms say they only allow customers to reroute messages for business landlines or VoIP phones, while others allow mobile numbers too. Sakari offers a free trial to anyone wishing to see what the company’s dashboard looks like. The cheapest plan, which allows customers to add a phone number they want to send and receive texts as, is where the $16 goes. Lucky225 provided Motherboard with screenshots of Sakari’s interface, which show a red “+” symbol where users can add a number. While adding a number, Sakari provides the Letter of Authorization for the user to sign. Sakari’s LOA says that the user should not conduct any unlawful, harassing, or inappropriate behaviour with the text messaging service and phone number. But as Lucky225 showed, a user can just sign up with someone else’s number and receive their text messages instead.</blockquote> This is much easier than SMS hijacking, and causes the same security vulnerabilities. Too many networks use SMS as an authentication mechanism. <blockquote>Once the hacker is able to reroute a target’s text messages, it can then be trivial to hack into other accounts associated with that phone number. In this case, the hacker sent login requests to Bumble, WhatsApp, and Postmates, and easily accessed the accounts.</blockquote> Don’t focus too much on the particular company in this article. <blockquote>But Sakari is only one company. And there are plenty of others available in this overlooked industry. Tuketu said that after one provider cut-off their access, “it took us two minutes to find another.”</blockquote> Slashdot <a href="https://yro.slashdot.org/story/21/03/15/1950245/a-hacker-got-all-my-texts-for-16">thread</a>. And Cory Doctorow’s <a href="https://pluralistic.net/2021/03/16/wage-theft/#override-service-registry">comments</a>.

<h2>Details of a Computer Banking Scam</h2>

<a href="https://www.schneier.com/blog/archives/2021/03/details-of-a-computer-banking-scam.html"><strong>[2021.03.22]</strong></a> This is a <a href="https://www.youtube.com/watch?v=VrKW58MS12g">longish video</a> that describes a profitable computer banking scam that’s run out of call centers in places like India. There’s a lot of fluff about glitterbombs and the like, but the details are interesting. The scammers convince the victims to give them remote access to their computers, and then that they’ve mistyped a dollar amount and have received a large refund that they didn’t deserve. Then they convince the victims to send cash to a drop site, where a money mule retrieves it and forwards it to the scammers. I found it interesting for several reasons. One, it illustrates the complex business nature of the scam: there are a lot of people doing specialized jobs in order for it to work. Two, it clearly shows the psychological manipulation involved, and how it preys on the unsophisticated and vulnerable. And three, it’s an evolving tactic that gets around banks increasingly flagging blocking suspicious electronic transfers.

<h2>Accellion Supply Chain Hack</h2>

<a href="https://www.schneier.com/blog/archives/2021/03/accellion-supply-chain-hack.html"><strong>[2021.03.23]</strong></a> A vulnerability in the Accellion <a href="https://www.accellion.com/products/fta/">file-transfer program</a> is being used by criminal groups to <a href="https://apnews.com/article/donald-trump-politics-europe-eastern-europe-new-zealand-f318ba1ffc971eb17371456b015206a5">hack networks</a> worldwide. There’s much in the article about when Accellion knew about the vulnerability, when it alerted its customers, and when it patched its software. <blockquote>The governor of New Zealand’s central bank, Adrian Orr, says Accellion failed to warn it after first learning in mid-December that the nearly 20-year-old FTA application — using antiquated technology and set for retirement — had been breached. Despite having a patch available on Dec. 20, Accellion did not notify the bank in time to prevent its appliance from being breached five days later, <a href="https://www.rbnz.govt.nz/our-response-to-data-breach">the bank said</a>.</blockquote> CISA <a href="https://us-cert.cisa.gov/ncas/alerts/aa21-055a">alert</a>.

<h2>Determining Key Shape from Sound</h2>

<a href="https://www.schneier.com/blog/archives/2021/03/determining-key-shape-from-sound.html"><strong>[2021.03.24]</strong></a> It’s not yet very accurate or practical, but under ideal conditions it is <a href="https://www.comp.nus.edu.sg/~junhan/papers/SpiKey_HotMobile20_CamReady.pdf">possible</a> to figure out the shape of a house key by listening to it being used. <blockquote>Listen to Your Key: Towards Acoustics-based Physical Key Inference <b>Abstract:</b> Physical locks are one of the most prevalent mechanisms for securing objects such as doors. While many of these locks are vulnerable to lock-picking, they are still widely used as lock-picking requires specific training with tailored instruments, and easily raises suspicion. In this paper, we propose <i>SpiKey</i>, a novel attack that significantly lowers the bar for an attacker as opposed to the lock-picking attack, by requiring only the use of a smartphone microphone to infer the shape of victim’s key, namely bittings(or cut depths) which form the secret of a key. When a victim inserts his/her key into the lock, the emitted sound is captured by the attacker’s microphone.<i>SpiKey</i> leverages the time difference between audible clicks to ultimately infer the bitting information, i.e., shape of the physical key. As a proof-of-concept, we provide a simulation, based on real-world recordings, and demonstrate a significant reduction in search spacefrom a pool of more than 330 thousand keys to three candidate keys for the most frequent case.</blockquote> Scientific American <a href="https://www.scientificamerican.com/podcast/episode/smartphones-can-hear-the-shape-of-your-door-keys/">podcast</a>: <blockquote>The strategy is a long way from being viable in the real world. For one thing, the method relies on the key being inserted at a constant speed. And the audio element also poses challenges like background noise.</blockquote> Boing Boing <a href="https://boingboing.net/2021/03/18/phone-app-can-figure-out-the-shape-of-your-house-key-by-listening-to-you-use-it.html">post</a>.

<h2>Hacking Weapons Systems</h2>

<a href="https://www.schneier.com/blog/archives/2021/03/hacking-weapons-systems.html"><strong>[2021.03.26]</strong></a> Lukasz Olejnik has a <a href="https://www.wired.com/story/dire-possibility-cyberattacks-weapons-systems/">good essay</a> on hacking weapons systems. Basically, there is no reason to believe that software in weapons systems is any more vulnerability free than any other software. So now the question is whether the software can be accessed over the Internet. Increasingly, it is. This is likely to become a bigger problem in the near future. We need to think about future wars where the tech simply doesn’t work.

<h2>System Update: New Android Malware</h2>

<a href="https://www.schneier.com/blog/archives/2021/03/system-update-new-android-malware.html"><strong>[2021.03.30]</strong></a> Researchers have <a href="https://blog.zimperium.com/new-advanced-android-malware-posing-as-system-update/">discovered</a> a new Android app called “System Update” that is a sophisticated Remote-Access Trojan (RAT). From a <a href="https://gizmodo.com/dangerous-android-app-pretends-to-be-a-system-update-to-1846574044">news article</a>: <blockquote>The broad range of data that this sneaky little bastard is capable of stealing is pretty horrifying. It includes: instant messenger messages and database files; call logs and phone contacts; Whatsapp messages and databases; pictures and videos; all of your text messages; and information on pretty much everything else that is on your phone (it will inventory the rest of the apps on your phone, for instance). The app can also monitor your GPS location (so it knows exactly where you are), hijack your phone’s camera to take pictures, review your browser’s search history and bookmarks, and turn on the phone mic to record audio. The app’s spying capabilities are triggered whenever the device receives new information. Researchers write that the RAT is constantly on the lookout for “any activity of interest, such as a phone call, to immediately record the conversation, collect the updated call log, and then upload the contents to the C&C server as an encrypted ZIP file.” After thieving your data, the app will subsequently erase evidence of its own activity, hiding what it has been doing.</blockquote> This is a sophisticated piece of malware. It feels like the product of a national intelligence agency or — and I think more likely — one of the cyberweapons arms manufacturers that sells this kind of capability to governments around the world.

<h2>Fugitive Identified on YouTube By His Distinctive Tattoos</h2>

<a href="https://www.schneier.com/blog/archives/2021/04/fugitive-identified-on-youtube-by-his-distinctive-tattoos.html"><strong>[2021.04.01]</strong></a> A mafia fugitive hiding out in the Dominican Republic was <a href="https://arstechnica.com/tech-policy/2021/03/alleged-mafia-fugitive-posted-cooking-videos-to-youtube-leading-to-arrest/">arrested</a> when investigators found his YouTube cooking channel and identified him by his distinctive arm tattoos.

<h2>Malware Hidden in <i>Call of Duty</i> Cheating Software</h2>

<a href="https://www.schneier.com/blog/archives/2021/04/malware-hidden-in-call-of-duty-cheating-software.html"><strong>[2021.04.02]</strong></a> News <a href="https://gizmodo.com/hackers-are-hiding-malware-inside-fake-call-of-duty-wa-1846592851">article</a>: <blockquote>Most troublingly, Activision says that the “cheat” tool has been advertised multiple times on a popular cheating forum under the title “new COD hack.” (Gamers looking to flout the rules will typically go to such forums to find new ways to do so.) While the report doesn’t mention which forum they were posted on (that certainly would’ve been helpful), it does say that these offerings have popped up a number of times. They have also been seen advertised in YouTube videos, where instructions were provided on how gamers can run the “cheats” on their devices, and the report says that “comments [on the videos] seemingly indicate people had downloaded and attempted to use the tool.” Part of the reason this attack could work so well is that game cheats typically require a user to disable key security features that would otherwise keep a malicious program out of their system. The hacker is basically getting the victim to do their own work for them. “It is common practice when configuring a cheat program to run it the with the highest system privileges,” the report notes. “Guides for cheats will typically ask users to disable or uninstall antivirus software and host firewalls, disable kernel code signing, etc.”</blockquote> Detailed <a href="https://www.activision.com/cdn/research/cheating_cheaters_final.pdf">report</a>.

<h2>Wi-Fi Devices as Physical Object Sensors</h2>

<a href="https://www.schneier.com/blog/archives/2021/04/wi-fi-devices-as-physical-object-sensors.html"><strong>[2021.04.05]</strong></a> The <a href="https://www.theregister.com/2021/03/31/wifi_devices_monitoring/">new 802.11bf standard</a> will turn Wi-Fi devices into object sensors: <blockquote>In three years or so, the Wi-Fi specification is scheduled to get an upgrade that will turn wireless devices into sensors capable of gathering data about the people and objects bathed in their signals. “When 802.11bf will be finalized and introduced as an IEEE standard in September 2024, Wi-Fi will cease to be a communication-only standard and will legitimately become a full-fledged sensing paradigm,” explains Francesco Restuccia, assistant professor of electrical and computer engineering at Northeastern University, in <a href="https://arxiv.org/abs/2103.14918">a paper</a> summarizing the state of the Wi-Fi Sensing project (<a href="https://beyondstandards.ieee.org/ieee-802-11bf-aims-to-enable-a-new-application-of-wlan-technology-wlan-sensing/">SENS</a>) currently being developed by the Institute of Electrical and Electronics Engineers (IEEE). SENS is envisioned as a way for devices capable of sending and receiving wireless data to use Wi-Fi signal interference differences to measure the range, velocity, direction, motion, presence, and proximity of people and objects.</blockquote> More detail in the article. Security and privacy controls are still to be worked out, which means that there probably won’t be any.

<h2>Phone Cloning Scam</h2>

<a href="https://www.schneier.com/blog/archives/2021/04/phone-cloning-scam.html"><strong>[2021.04.06]</strong></a> A newspaper in Malaysia is <a href="https://www.thestar.com.my/news/nation/2021/04/03/10-e-hailing-drivers-conned-by-same-man">reporting</a> on a cell phone cloning scam. The scammer convinces the victim to lend them their cell phone, and the scammer quickly clones it. What’s clever about this scam is that the victim is an Uber driver and the scammer is the passenger, so the driver is naturally busy and can’t see what the scammer is doing.

<h2>Signal Adds Cryptocurrency Support</h2>

<a href="https://www.schneier.com/blog/archives/2021/04/wtf-signal-adds-cryptocurrency-support.html"><strong>[2021.04.07]</strong></a> According to <a href="https://www.wired.com/story/signal-mobilecoin-payments-messaging-cryptocurrency/">Wired</a>, Signal is adding support for the cryptocurrency MobileCoin, “a form of digital cash designed to work efficiently on mobile devices while protecting users’ privacy and even their anonymity.” <blockquote>Moxie Marlinspike, the creator of Signal and CEO of the nonprofit that runs it, describes the new payments feature as an attempt to extend Signal’s privacy protections to payments with the same seamless experience that Signal has offered for encrypted conversations. “There’s a palpable difference in the feeling of what it’s like to communicate over Signal, knowing you’re not being watched or listened to, versus other communication platforms,” Marlinspike told WIRED in an interview. “I would like to get to a world where not only can you feel that when you talk to your therapist over Signal, but also when you pay your therapist for the session over Signal.”</blockquote> I think this is an incredibly bad idea. It’s not just the bloating of what was a clean secure communications app. It’s not just that blockchain is <a href="https://www.schneier.com/blog/archives/2019/02/blockchain_and_.html">just plain stupid</a>. It’s not even that Signal is choosing to tie itself to a specific blockchain currency. It’s that adding a cryptocurrency to an end-to-end encrypted app muddies the morality of the product, and invites all sorts of government investigative and regulatory meddling: by the IRS, the SEC, FinCEN, and probably the FBI. And I see no good reason to do this. Secure communications and secure transactions can be separate apps, even separate apps from the same organization. End-to-end encryption is already at risk. Signal is the best app we have out there. Combining it with a cryptocurrency means that the whole system dies if any part dies. EDITED TO ADD: <a href="https://www.stephendiehl.com/blog/signal.html">Commentary</a> from Stephen Deihl: <blockquote>I think I speak for many technologists when I say that any bolted-on cryptocurrency monetization scheme smells like a giant pile of rubbish and feels enormously user-exploitative. We’ve seen this before, after all Telegram tried the same thing in an ICO that imploded when SEC shut them down, and Facebook famously tried and failed to monetize WhatsApp through their decentralized-but-not-really digital money market fund project. […] Signal is a still a great piece of software. Just do one thing and do it well, be the trusted de facto platform for private messaging that empowers dissidents, journalists and grandma all to communicate freely with the same guarantees of privacy. Don’t become a dodgy money transmitter business. This is not the way.</blockquote>

<h2>Google's Project Zero Finds a Nation-State Zero-Day Operation</h2>

<a href="https://www.schneier.com/blog/archives/2021/04/googles-project-zero-finds-a-nation-state-zero-day-operation.html"><strong>[2021.04.08]</strong></a> Google’s Project <a href="https://googleprojectzero.blogspot.com/2021/03/in-wild-series-october-2020-0-day.html">Zero</a> <a href="https://googleprojectzero.blogspot.com/2021/01/introducing-in-wild-series.html">discovered</a>, and caused to be patched, eleven zero-day exploits against Chrome, Safari, Microsoft Windows, and iOS. This seems to have been <a href="https://www.technologyreview.com/2021/03/26/1021318/google-security-shut-down-counter-terrorist-us-ally/">exploited by</a> “Western government operatives actively conducting a counterterrorism operation”: <blockquote>The exploits, which went back to early 2020 and used never-before-seen techniques, were “watering hole” attacks that used infected websites to deliver malware to visitors. They caught the attention of cybersecurity experts thanks to their scale, sophistication, and speed. […] It’s true that Project Zero does not formally attribute hacking to specific groups. But the Threat Analysis Group, which also worked on the project, does perform attribution. Google omitted many more details than just the name of the government behind the hacks, and through that information, the teams knew internally who the hacker and targets were. It is not clear whether Google gave advance notice to government officials that they would be publicizing and shutting down the method of attack.</blockquote>

<h2>Backdoor Added -- But Found -- in PHP</h2>

<a href="https://www.schneier.com/blog/archives/2021/04/backdoor-added-but-found-in-php.html"><strong>[2021.04.09]</strong></a> Unknown hackers attempted to add <a href="https://news-web.php.net/php.internals/113838">a</a> <a href="https://www.bleepingcomputer.com/news/security/phps-git-server-hacked-to-add-backdoors-to-php-source-code/">backdoor</a> to the PHP source code. It was two <a href="https://github.com/php/php-src/commit/c730aa26bd52829a49f2ad284b181b7e82a68d7d">malicious</a> <a href="https://github.com/php/php-src/commit/2b0f239b211c7544ebc7a4cd2c977a5b7a11ed8a">commits</a>, with the subject “fix typo” and the names of known PHP developers and maintainers. They were discovered and removed before being pushed out to any users. But since 79% of the Internet’s websites use PHP, it’s scary. Developers have moved PHP to GitHub, which has better authentication. Hopefully it will be enough — PHP is a juicy target.