May 15, 2017
by Bruce Schneier
CTO, IBM Resilient
A free monthly newsletter providing summaries, analyses, insights, and commentaries on security: computer and otherwise.
For back issues, or to subscribe, visit <https://www.schneier.com/crypto-gram.html>.
You can read this issue on the web at <https://www.schneier.com/crypto-gram/archives/2017/...>. These same essays and news items appear in the "Schneier on Security" blog at <http://www.schneier.com/blog>, along with a lively and intelligent comment section. An RSS feed is available.
In this issue:
- Who is Publishing NSA and CIA Secrets, and Why?
- The Quick vs. the Strong: Commentary on Cory Doctorow's "Walkaway"
- Securing Elections
- Schneier News
- Surveillance and our Insecure Infrastructure
There's something going on inside the intelligence communities in at least two countries, and we have no idea what it is.
Consider these three data points. One: someone, probably a country's intelligence organization, is dumping massive amounts of cyberattack tools belonging to the NSA onto the Internet. Two: someone else, or maybe the same someone, is doing the same thing to the CIA.
Three: in March, NSA Deputy Director Richard Ledgett described how the NSA penetrated the computer networks of a Russian intelligence agency and was able to monitor them as they attacked the US State Department in 2014. Even more explicitly, a US ally -- my guess is the UK -- was not only hacking the Russian intelligence agency's computers, but also the surveillance cameras inside their building. "They [the US ally] monitored the [Russian] hackers as they maneuvered inside the U.S. systems and as they walked in and out of the workspace, and were able to see faces, the officials said."
Countries don't often reveal intelligence capabilities: "sources and methods." Because it gives their adversaries important information about what to fix, it's a deliberate decision done with good reason. And it's not just the target country who learns from a reveal. When the US announces that it can see through the cameras inside the buildings of Russia's cyber warriors, other countries immediately check the security of their own cameras.
With all this in mind, let's talk about the recent leaks at NSA and the CIA.
Last year, a previously unknown group called the Shadow Brokers started releasing NSA hacking tools and documents from about three years ago. They continued to do so this year -- five sets of files in all -- and have implied that more classified documents are to come. We don't know how they got the files. When the Shadow Brokers first emerged, the general consensus was that someone had found and hacked an external NSA staging server. These are third-party computers that the NSA's TAO hackers use to launch attacks from. Those servers are necessarily stocked with TAO attack tools. This matched the leaks, which included a "script" directory and working attack notes. We're not sure if someone inside the NSA made a mistake that left these files exposed, or if the hackers that found the cache got lucky.
That explanation stopped making sense after the latest Shadow Brokers release, which included attack tools against Windows, PowerPoint presentations, and operational notes -- documents that are definitely not going to be on an external NSA staging server. A credible theory, which I first heard from Nicholas Weaver, is that the Shadow Brokers are publishing NSA data from multiple sources. The first leaks were from an external staging server, but the more recent leaks are from inside the NSA itself.
So what happened? Did someone inside the NSA accidentally mount the wrong server on some external network? That's possible, but seems very unlikely. Did someone hack the NSA itself? Could there be a mole inside the NSA, as Kevin Poulsen speculated?
If it is a mole, my guess is that he's already been arrested. There are enough individualities in the files to pinpoint exactly where and when they came from. Surely the NSA knows who could have taken the files. No country would burn a mole working for it by publishing what he delivered. Intelligence agencies know that if they betray a source this severely, they'll never get another one.
That points to two options. The first is that the files came from Hal Martin. He's the NSA contractor who was arrested in August for hoarding agency secrets in his house for two years. He can't be the publisher, because the Shadow Brokers are in business even though he is in prison. But maybe the leaker got the documents from his stash: either because Martin gave the documents to them or because he himself was hacked. The dates line up, so it's theoretically possible, but the contents of the documents speak to someone with a different sort of access. There's also nothing in the public indictment against Martin that speaks to his selling secrets to a foreign power, and I think it's exactly the sort of thing that the NSA would leak. But maybe I'm wrong about all of this; Occam's Razor suggests that it's him.
The other option is a mysterious second NSA leak of cyberattack tools. The only thing I have ever heard about this is from a Washington Post story about Martin: "But there was a second, previously undisclosed breach of cybertools, discovered in the summer of 2015, which was also carried out by a TAO employee, one official said. That individual also has been arrested, but his case has not been made public. The individual is not thought to have shared the material with another country, the official said." But "not thought to have" is not the same as not having done so.
On the other hand, it's possible that someone penetrated the internal NSA network. We've already seen NSA tools that can do that kind of thing to other networks. That would be huge, and explain why there were calls to fire NSA Director Mike Rogers last year.
The CIA leak is both similar and different. It consists of a series of attack tools from about a year ago. The most educated guess amongst people who know stuff is that the data is from an almost-certainly air-gapped internal development wiki -- a Confluence server -- and either someone on the inside was somehow coerced into giving up a copy of it, or someone on the outside hacked into the CIA and got themselves a copy. They turned the documents over to WikiLeaks, which continues to publish it.
This is also a really big deal, and hugely damaging for the CIA. Those tools were new, and they're impressive. I have been told that the CIA is desperately trying to hire coders to replace what was lost.
For both of these leaks, one big question is attribution: who did this? A whistleblower wouldn't sit on attack tools for years before publishing. A whistleblower would act more like Snowden or Manning, publishing immediately -- and publishing documents that discuss what the US is doing to whom, not simply a bunch of attack tools. It just doesn't make sense. Neither does random hackers. Or cybercriminals. I think it's being done by a country or countries.
My guess was, and is still, Russia in both cases. Here's my reasoning. Whoever got this information years before and is leaking it now has to 1) be capable of hacking the NSA and/or the CIA, and 2) willing to publish it all. Countries like Israel and France are certainly capable, but wouldn't ever publish. Countries like North Korea or Iran probably aren't capable. The list of countries who fit both criteria is small: Russia, China, and...and...and I'm out of ideas. And China is currently trying to make nice with the US.
Last August, Edward Snowden guessed Russia, too.
So Russia -- or someone else -- steals these secrets, and presumably uses them to both defend its own networks and hack other countries while deflecting blame for a couple of years. For it to publish now means that the intelligence value of the information is now lower than the embarrassment value to the NSA and CIA. This could be because the US figured out that its tools were hacked, and maybe even by whom; which would make the tools less valuable against US government targets, although still valuable against third parties.
The message that comes with publishing seems clear to me: "We are so deep into your business that we don't care if we burn these few-years-old capabilities, as well as the fact that we have them. There's just nothing you can do about it." It's bragging.
Which is exactly the same thing Ledgett is doing to the Russians. Maybe the capabilities he talked about are long gone, so there's nothing lost in exposing sources and methods. Or maybe he too is bragging: saying to the Russians that he doesn't care if they know. He's certainly bragging to every other country that is paying attention to his remarks. (He may be bluffing, of course, hoping to convince others that the US has intelligence capabilities it doesn't.)
What happens when intelligence agencies go to war with each other and don't tell the rest of us? I think there's something going on between the US and Russia that the public is just seeing pieces of. We have no idea why, or where it will go next, and can only speculate.
This essay previously appeared on Lawfare.com.
Snowden on Shadow Brokers:
Kevin Poulsen's speculation:
The second NSA leaker:
Calls to fire NSA Director Mike Rogers:
Technological advances change the world. That's partly because of what they are, but even more because of the social changes they enable. New technologies upend power balances. They give groups new capabilities, increased effectiveness, and new defenses. The Internet decades have been a never-ending series of these upendings. We've seen existing industries fall and new industries rise. We've seen governments become more powerful in some areas and less in others. We've seen the rise of a new form of governance: a multi-stakeholder model where skilled individuals can have more power than multinational corporations or major governments.
Among the many power struggles, there is one type I want to particularly highlight: the battles between the nimble individuals who start using a new technology first, and the slower organizations that come along later.
In general, the unempowered are the first to benefit from new technologies: hackers, dissidents, marginalized groups, criminals, and so on. When they first encountered the Internet, it was transformative. Suddenly, they had access to technologies for dissemination, coordination, organization, and action -- things that were impossibly hard before. This can be incredibly empowering. In the early decades of the Internet, we saw it in the rise of Usenet discussion forums and special-interest mailing lists, in how the Internet routed around censorship, and how Internet governance bypassed traditional government and corporate models. More recently, we saw it in the SOPA/PIPA debate of 2011-12, the Gezi protests in Turkey and the various "color" revolutions, and the rising use of crowdfunding. These technologies can invert power dynamics, even in the presence of government surveillance and censorship.
But that's just half the story. Technology magnifies power in general, but the rates of adoption are different. Criminals, dissidents, the unorganized -- all outliers -- are more agile. They can make use of new technologies faster, and can magnify their collective power because of it. But when the already-powerful big institutions finally figured out how to use the Internet, they had more raw power to magnify.
This is true for both governments and corporations. We now know that governments all over the world are militarizing the Internet, using it for surveillance, censorship, and propaganda. Large corporations are using it to control what we can do and see, and the rise of winner-take-all distribution systems only exacerbates this.
This is the fundamental tension at the heart of the Internet, and information-based technology in general. The unempowered are more efficient at leveraging new technology, while the powerful have more raw power to leverage. These two trends lead to a battle between the quick and the strong: the quick who can make use of new power faster, and the strong who can make use of that same power more effectively.
This battle is playing out today in many different areas of information technology. You can see it in the security vs. surveillance battles between criminals and the FBI, or dissidents and the Chinese government. You can see it in the battles between content pirates and various media organizations. You can see it where social-media giants and Internet-commerce giants battle against new upstarts. You can see it in politics, where the newer Internet-aware organizations fight with the older, more established, political organizations. You can even see it in warfare, where a small cadre of military can keep a country under perpetual bombardment -- using drones -- with no risk to the attackers.
This battle is fundamental to Cory Doctorow's new novel "Walkaway." Our heroes represent the quick: those who have checked out of traditional society, and thrive because easy access to 3D printers enables them to eschew traditional notions of property. Their enemy is the strong: the traditional government institutions that exert their power mostly because they can. This battle rages through most of the book, as the quick embrace ever-new technologies and the strong struggle to catch up.
It's easy to root for the quick, both in Doctorow's book and in the real world. And while I'm not going to give away Doctorow's ending -- and I don't know enough to predict how it will play out in the real world -- right now, trends favor the strong.
Centralized infrastructure favors traditional power, and the Internet is becoming more centralized. This is true both at the endpoints, where companies like Facebook, Apple, Google, and Amazon control much of how we interact with information. It's also true in the middle, where companies like Comcast increasingly control how information gets to us. It's true in countries like Russia and China that increasingly legislate their own national agenda onto their pieces of the Internet. And it's even true in countries like the US and the UK, that increasingly legislate more government surveillance capabilities.
At the 1996 World Economic Forum, cyber-libertarian John Perry Barlow issued his "Declaration of the Independence of Cyberspace," telling the assembled world leaders and titans of Industry: "You have no moral right to rule us, nor do you possess any methods of enforcement that we have true reason to fear." Many of us believed him a scant 20 years ago, but today those words ring hollow.
But if history is any guide, these things are cyclic. In another 20 years, even newer technologies -- both the ones Doctorow focuses on and the ones no one can predict -- could easily tip the balance back in favor of the quick. Whether that will result in more of a utopia or a dystopia depends partly on these technologies, but even more on the social changes resulting from these technologies. I'm short-term pessimistic but long-term optimistic.
This essay previously appeared on Crooked Timber.
Power and the Internet:
Declaration of the Independence of Cyberspace
Hacking a smart TV via the broadcast signal.
The US Drug Enforcement Agency has purchased zero-day exploits from the cyberweapons arms manufacturer Hacking Team.
Brian Krebs traces spam from the e-mail headers:
Ad blockers represent the largest consumer boycott in human history. They're also an arms race between the blockers and the blocker blockers. This article discusses a new ad-blocking technology that represents another advance in this arms race. I don't think it will "put an end to the ad-blocking arms race," as the title proclaims, but it will definitely give the blockers the upper hand.
Now if we could only block the data collection as well.
There's a really interesting new paper analyzing over 100 different cyber insurance policies.
Interesting paper: "The rise of reading analytics and the emerging calculus of reading privacy in the digital world," by Clifford Lynch.
There has been a flurry of research into using the various sensors on your phone to steal data in surprising ways. Here's another: using the phone's ambient light sensor to detect what's on the screen. It's a proof of concept, but the paper's general conclusions are correct: "There is a lesson here that designing specifications and systems from a privacy engineering perspective is a complex process: decisions about exposing sensitive APIs to the web without any protections should not be taken lightly. One danger is that specification authors and browser vendors will base decisions on overly general principles and research results which don't apply to a particular new feature (similarly to how protections on gyroscope readings might not be sufficient for light sensor data)."
Researchers have configured two computers to talk to each other using a laser and a scanner. The setup is that there's malware on the computer connected to the scanner, and that computer isn't on the Internet. This technique allows an attacker to communicate with that computer. For extra coolness, the laser can be mounted on a drone.
Fitbit evidence is cited in an arrest warrant, stating that the device monitored steps by the victim after the suspect claimed she died.
This is a good summary article about the horrible security of St. Jude pacemakers, and the history of the company not doing anything about it.
LyreBird is a system that can accurately reproduce the voice of someone, given a large amount of sample inputs. It's pretty good -- listen to the demo here -- and will only get better over time. The applications for recorded-voice forgeries are obvious, but I think the larger security risk will be real-time forgery. Imagine the social engineering implications of an attacker on the telephone being able to impersonate someone the victim knows. I don't think we're ready for this. We use people's voices to authenticate them all the time, in all sorts of different ways.
This is from 2003 on the topic:
I've been reading a bunch of anecdotal reports that the TSA is starting to scan paper separately:
This article says that the TSA has stopped doing this. They blamed it on their contractor, Akai Security.
I've previously written about ad networks using ultrasonic communications to jump from one device to another. The idea is for devices like televisions to play ultrasonic codes in advertisements and for nearby smartphones to detect them. This way the two devices can be linked. Creepy, yes. And also increasingly common, as this research demonstrates:
My previous post:
Facebook published a paper on the information operations it has seen, as well as some observations regarding the recent US election. It's interesting reading.
I've previously written about the serious vulnerabilities in the SS7 phone routing system. Basically, the system doesn't authenticate messages. Now, criminals are using it to hack smartphone-based two-factor authentication systems
My previous writings
Cybersecurity researcher Ross Anderson has a good interview on edge.org.
This is a weird article about criminals stealing voice prints to fool authentication systems. It feels like hyperbole to me.
Are there really banking systems that use voice recognition of the word "yes" to authenticate? I have never heard of that.
Turns out multi-million dollar yachts are no more secure than anything else out there:
Technology can do a lot more to make our elections more secure and reliable, and to ensure that participation in the democratic process is available to all. There are three parts to this process.
First, the voter registration process can be improved. The whole process can be streamlined. People should be able to register online, just as they can register for other government services. The voter rolls need to be protected from tampering, as that's one of the major ways hackers can disrupt the election.
Second, the voting process can be significantly improved. Voting machines need to be made more secure. There are a lot of technical details best left to the voting-security experts who can deal with the technical details, but such machines must include a paper ballot that provides a record verifiable by voters. The simplest and most reliable way to do that is already practiced in 37 states: optical-scan paper ballots, marked by the voters and counted by computer, but recountable by hand.
We need national security standards for voting machines, and funding for states to procure machines that comply with those standards.
This means no Internet voting. While that seems attractive, and certainly a way technology can improve voting, we don't know how to do it securely. We simply can't build an Internet voting system that is secure against hacking because of the requirement for a secret ballot. This makes voting different from banking and anything else we do on the Internet, and it makes security much harder. Even allegations of vote hacking would be enough to undermine confidence in the system, and we simply cannot afford that. We need a system of pre-election and post-election security audits of these voting machines to increase confidence in the system.
The third part of the voting process we need to secure is the tabulation system. After the polls close, we aggregate votes -- from individual machines, to polling places, to precincts, and finally to totals. This system is insecure as well, and we can do a lot more to make it reliable. Similarly, our system of recounts can be made more secure and efficient.
We have the technology to do all of this. The problem is political will. We have to decide that the goal of our election system is for the most people to be able to vote with the least amount of effort. If we continue to enact voter suppression measures like ID requirements, barriers to voter registration, limitations on early voting, reduced polling place hours, and faulty machines, then we are harming democracy more than we are by allowing our voting machines to be hacked.
We have already declared our election system to be critical national infrastructure. This is largely symbolic, but it demonstrates a commitment to secure elections and makes funding and other resources available to states. We can do much more. We owe it to democracy to do it.
This essay previously appeared on TheAtlantic.com.
Rigging an election is hard:
Tampering with the voter rolls:
Voting systems as critical national infrastructure:
I'm speaking at the Carnegie Council in New York on 5/17:
I'm speaking via Skype at the first meeting of the Big Data and Digital Clearinghouse event in Brussels on 5/29:
I'm speaking at Infosecurity Europe in London on 6/7:
Since Edward Snowden revealed to the world the extent of the NSA's global surveillance network, there has been a vigorous debate in the technological community about what its limits should be.
Less discussed is how many of these same surveillance techniques are used by other -- smaller and poorer -- more totalitarian countries to spy on political opponents, dissidents, human rights defenders; the press in Toronto has documented some of the many abuses, by countries like Ethiopia, the UAE, Iran, Syria, Kazakhstan, Sudan, Ecuador, Malaysia, and China.
That these countries can use network surveillance technologies to violate human rights is a shame on the world, and there's a lot of blame to go around.
We can point to the governments that are using surveillance against their own citizens.
We can certainly blame the cyberweapons arms manufacturers that are selling those systems, and the countries -- mostly European -- that allow those arms manufacturers to sell those systems.
There's a lot more the global Internet community could do to limit the availability of sophisticated Internet and telephony surveillance equipment to totalitarian governments. But I want to focus on another contributing cause to this problem: the fundamental insecurity of our digital systems that makes this a problem in the first place.
IMSI catchers are fake mobile phone towers. They allow someone to impersonate a cell network and collect information about phones in the vicinity of the device and they're used to create lists of people who were at a particular event or near a particular location.
Fundamentally, the technology works because the phone in your pocket automatically trusts any cell tower to which it connects. There's no security in the connection protocols between the phones and the towers.
IP intercept systems are used to eavesdrop on what people do on the Internet. Unlike the surveillance that happens at the sites you visit, by companies like Facebook and Google, this surveillance happens at the point where your computer connects to the Internet. Here, someone can eavesdrop on everything you do.
This system also exploits existing vulnerabilities in the underlying Internet communications protocols. Most of the traffic between your computer and the Internet is unencrypted, and what is encrypted is often vulnerable to man-in-the-middle attacks because of insecurities in both the Internet protocols and the encryption protocols that protect it.
There are many other examples. What they all have in common is that they are vulnerabilities in our underlying digital communications systems that allow someone -- whether it's a country's secret police, a rival national intelligence organization, or criminal group -- to break or bypass what security there is and spy on the users of these systems.
These insecurities exist for two reasons. First, they were designed in an era where computer hardware was expensive and inaccessibility was a reasonable proxy for security. When the mobile phone network was designed, faking a cell tower was an incredibly difficult technical exercise, and it was reasonable to assume that only legitimate cell providers would go to the effort of creating such towers.
At the same time, computers were less powerful and software was much slower, so adding security into the system seemed like a waste of resources. Fast forward to today: computers are cheap and software is fast, and what was impossible only a few decades ago is now easy.
The second reason is that governments use these surveillance capabilities for their own purposes. The FBI has used IMSI-catchers for years to investigate crimes. The NSA uses IP interception systems to collect foreign intelligence. Both of these agencies, as well as their counterparts in other countries, have put pressure on the standards bodies that create these systems to not implement strong security.
Of course, technology isn't static. With time, things become cheaper and easier. What was once a secret NSA interception program or a secret FBI investigative tool becomes usable by less-capable governments and cybercriminals.
Man-in-the-middle attacks against Internet connections are a common criminal tool to steal credentials from users and hack their accounts.
IMSI-catchers are used by criminals, too. Right now, you can go onto Alibaba.com and buy your own IMSI catcher for under $2,000.
Despite their uses by democratic governments for legitimate purposes, our security would be much better served by fixing these vulnerabilities in our infrastructures.
These systems are not only used by dissidents in totalitarian countries, they're also used by legislators, corporate executives, critical infrastructure providers, and many others in the US and elsewhere.
That we allow people to remain insecure and vulnerable is both wrongheaded and dangerous.
Earlier this month, two American legislators -- Senator Ron Wyden and Rep Ted Lieu -- sent a letter to the chairman of the Federal Communications Commission, demanding that he do something about the country's insecure telecommunications infrastructure.
They pointed out that not only are insecurities rampant in the underlying protocols and systems of the telecommunications infrastructure, but also that the FCC knows about these vulnerabilities and isn't doing anything to force the telcos to fix them.
Wyden and Lieu make the point that fixing these vulnerabilities is a matter of US national security, but it's also a matter of international human rights. All modern communications technologies are global, and anything the US does to improve its own security will also improve security worldwide.
Yes, it means that the FBI and the NSA will have a harder job spying, but it also means that the world will be a safer and more secure place.
This essay previously appeared on AlJazeera.com.
Since 1998, CRYPTO-GRAM has been a free monthly newsletter providing summaries, analyses, insights, and commentaries on security: computer and otherwise. You can subscribe, unsubscribe, or change your address on the Web at <https://www.schneier.com/crypto-gram.html>. Back issues are also available at that URL.
Please feel free to forward CRYPTO-GRAM, in whole or in part, to colleagues and friends who will find it valuable. Permission is also granted to reprint CRYPTO-GRAM, as long as it is reprinted in its entirety.
CRYPTO-GRAM is written by Bruce Schneier. Bruce Schneier is an internationally renowned security technologist, called a "security guru" by The Economist. He is the author of 12 books -- including "Liars and Outliers: Enabling the Trust Society Needs to Survive" -- as well as hundreds of articles, essays, and academic papers. His influential newsletter "Crypto-Gram" and his blog "Schneier on Security" are read by over 250,000 people. He has testified before Congress, is a frequent guest on television and radio, has served on several government committees, and is regularly quoted in the press. Schneier is a fellow at the Berkman Center for Internet and Society at Harvard Law School, a program fellow at the New America Foundation's Open Technology Institute, a board member of the Electronic Frontier Foundation, an Advisory Board Member of the Electronic Privacy Information Center, and CTO of IBM Resilient and Special Advisor to IBM Security. See <https://www.schneier.com>.
Crypto-Gram is a personal newsletter. Opinions expressed are not necessarily those of IBM Resilient.
Copyright (c) 2017 by Bruce Schneier.