Crypto-Gram

September 15, 2017

by Bruce Schneier
CTO, IBM Resilient
schneier@schneier.com
https://www.schneier.com

A free monthly newsletter providing summaries, analyses, insights, and commentaries on security: computer and otherwise.

For back issues, or to subscribe, visit <https://www.schneier.com/crypto-gram.html>.

You can read this issue on the web at <https://www.schneier.com/crypto-gram/archives/2017/...>. These same essays and news items appear in the "Schneier on Security" blog at <https://www.schneier.com/>, along with a lively and intelligent comment section. An RSS feed is available.


On the Equifax Data Breach

Last Thursday, Equifax reported a data breach that affects 143 million US customers, about 44% of the population. It's an extremely serious breach; hackers got access to full names, Social Security numbers, birth dates, addresses, driver's license numbers -- exactly the sort of information criminals can use to impersonate victims to banks, credit card companies, insurance companies, and other businesses vulnerable to fraud.

Many sites posted guides to protecting yourself now that it's happened. But if you want to prevent this kind of thing from happening again, your only solution is government regulation (as unlikely as that may be at the moment).

The market can't fix this. Markets work because buyers choose between sellers, and sellers compete for buyers. In case you didn't notice, you're not Equifax's customer. You're its product.

This happened because your personal information is valuable, and Equifax is in the business of selling it. The company is much more than a credit reporting agency. It's a data broker. It collects information about all of us, analyzes it all, and then sells those insights.

Its customers are people and organizations who want to buy information: banks looking to lend you money, landlords deciding whether to rent you an apartment, employers deciding whether to hire you, companies trying to figure out whether you'd be a profitable customer -- everyone who wants to sell you something, even governments.

It's not just Equifax. It might be one of the biggest, but there are 2,500 to 4,000 other data brokers that are collecting, storing, and selling information about you -- almost all of them companies you've never heard of and have no business relationship with.

Surveillance capitalism fuels the Internet, and sometimes it seems that everyone is spying on you. You're secretly tracked on pretty much every commercial website you visit. Facebook is the largest surveillance organization mankind has created; collecting data on you is its business model. I don't have a Facebook account, but Facebook still keeps a surprisingly complete dossier on me and my associations -- just in case I ever decide to join.

I also don't have a Gmail account, because I don't want Google storing my e-mail. But my guess is that it has about half of my e-mail anyway, because so many people I correspond with have accounts. I can't even avoid it by choosing not to write to gmail.com addresses, because I have no way of knowing if newperson@company.com is hosted at Gmail.

And again, many companies that track us do so in secret, without our knowledge and consent. And most of the time we can't opt out. Sometimes it's a company like Equifax that doesn't answer to us in any way. Sometimes it's a company like Facebook, which is effectively a monopoly because of its sheer size. And sometimes it's our cell phone provider. All of them have decided to track us and not compete by offering consumers privacy. Sure, you can tell people not to have an e-mail account or cell phone, but that's not a realistic option for most people living in 21st-century America.

The companies that collect and sell our data don't need to keep it secure in order to maintain their market share. They don't have to answer to us, their products. They know it's more profitable to save money on security and weather the occasional bout of bad press after a data loss. Yes, we are the ones who suffer when criminals get our data, or when our private information is exposed to the public, but ultimately why should Equifax care?

Yes, it's a huge black eye for the company -- this week. Soon, another company will have suffered a massive data breach and few will remember Equifax's problem. Does anyone remember last year when Yahoo admitted that it exposed personal information of a billion users in 2013 and another half billion in 2014?

This market failure isn't unique to data security. There is little improvement in safety and security in any industry until government steps in. Think of food, pharmaceuticals, cars, airplanes, restaurants, workplace conditions, and flame-retardant pajamas.

Market failures like this can only be solved through government intervention. By regulating the security practices of companies that store our data, and fining companies that fail to comply, governments can raise the cost of insecurity high enough that security becomes a cheaper alternative. They can do the same thing by giving individuals affected by these breaches the ability to sue successfully, citing the exposure of personal data itself as a harm.

By all means, take the recommended steps to protect yourself from identity theft in the wake of Equifax's data breach, but recognize that these steps are only effective on the margins, and that most data security is out of your hands. Perhaps the Federal Trade Commission will get involved, but without evidence of "unfair and deceptive trade practices," there's nothing it can do. Perhaps there will be a class-action lawsuit, but because it's hard to draw a line between any of the many data breaches you're subjected to and a specific harm, courts are not likely to side with you.

If you don't like how careless Equifax was with your data, don't waste your breath complaining to Equifax. Complain to your government.

This essay previously appeared on CNN.com.
http://www.cnn.com/2017/09/11/opinions/...

Note: In the early hours of this breach, I did a radio interview where I minimized the ramifications of this. I didn't know the full extent of the breach, and thought it was just another in an endless string of breaches. I wondered why the press was covering this one and not many of the others. I don't remember which radio show interviewed me. I kind of hope it didn't air.

http://money.cnn.com/2017/09/07/technology/business/...
https://arstechnica.com/information-technology/2017/...

How to protect yourself:
https://www.wired.com/story/...

Congress is unlikely to act:
http://money.cnn.com/2017/09/11/technology/business/...

What Equifax does:
https://go.forrester.com/blogs/...

Data brokers:
http://www.newsweek.com/...

Facebook keeping data on non-users:
https://www.wsj.com/articles/...

Yahoo breaches:
https://arstechnica.com/information-technology/2016/...
https://arstechnica.com/information-technology/2016/...


News

The US Supreme Court is deciding a case that will establish whether the police need a warrant to access cell phone location data. This week I signed on to an amicus brief from a wide array of security technologists outlining the technical arguments as to why the answer should be yes. Susan Landau summarized our arguments.
https://assets.documentcloud.org/documents/3932663/...
https://www.lawfareblog.com/...
A bunch of tech companies also submitted a brief.
https://www.reuters.com/article/...

There is an unpatchable vulnerability that affects most modern cars. It's buried in the Controller Area Network (CAN).
https://www.bleepingcomputer.com/news/security/...
http://blog.trendmicro.com/...
https://tech.slashdot.org/story/17/08/17/1825227/...

Eddie Tipton, a programmer for the Multi-State Lottery Association, secretly installed software that allowed him to predict jackpots.
https://www.cnbc.com/2017/08/20/...
What's surprising to me is how many lotteries don't use real random number generators. What happened to picking ping-pong balls out of wind-blown steel cages on television?

Shonin is a personal bodycam up on Kickstarter.
https://www.kickstarter.com/projects/shonin/shonin
There are a lot of complicated issues surrounding bodycams -- for example, it's obvious that police bodycams reduce violence -- but the one thing everyone is certain about is that they will proliferate. I'm not sure society is fully ready for the ramifications of this level of recording.
https://www.theatlantic.com/technology/archive/2015/...
https://www.datasociety.net/pubs/dcr/...
https://www.aclu.org/blog/privacy-technology/...

There's a massive government data leak in Sweden. It seems to be incompetence rather than malice, but a good example of the dangers of blindly trusting the cloud.
https://www.privateinternetaccess.com/blog/2017/07/...

This very interesting essay looks at the future of military robotics and finds many analogs in nature:
https://warontherocks.com/2017/07/...

Researchers demonstrated a really clever hack: they hid malware in a replacement smartphone screen. The idea is that you would naively bring your smartphone in for repair, and the repair shop would install this malicious screen without your knowledge. The malware is hidden in touchscreen controller software, which is trusted by the phone.
https://arstechnica.com/information-technology/2017/...
https://iss.oy.ne.ro/Shattered.pdf
https://boingboing.net/2017/08/18/all-bets-off.html

Ross Anderson gave a talk on the history of the Crypto Wars in the UK. I am intimately familiar with the US story, but didn't know as much about Britain's version.
https://www.youtube.com/watch?v=LWwaVe1RF0c&t=2s
https://www.lightbluetouchpaper.org/2017/08/22/...

The NSA's 2014 media engagement and outreach plan has just been declassified. It's interesting post-Snowden reading.
http://www.governmentattic.org/25docs/...

New research: "Verified Correctness and Security of mbedTLS HMAC-DRBG," by Katherine Q. Ye, Matthew Green, Naphat Sanguansin, Lennart Beringer, Adam Petcher, and Andrew W. Appel.
http://www.cs.princeton.edu/~appel/papers/...

New paper: "Policy measures and cyber insurance: a framework," by Daniel Woods and Andrew Simpson, "Journal of Cyber Policy," 2017.
http://www.tandfonline.com/doi/full/10.1080/...

Research showing that journalists generally do not use secure communications, and why.
http://www.slate.com/articles/technology/...
I forgive them for not using secure e-mail. It's hard to use and confusing. But secure messaging is easy.

Kaspersky Labs exposed a highly sophisticated set of hacking tools from Russia called WhiteBear. One of the clever things the tool does is use hijacked satellite connections for command and control, helping it evade detection by broad surveillance capabilities like what the NSA uses. We've seen Russian attack tools that do this before. Given all the trouble Kaspersky is having because of its association with Russia, it's interesting to speculate on this disclosure. Either they are independent, and have burned a valuable Russian hacking toolset. Or the Russians decided that the toolset was already burned -- maybe the NSA knows all about it and has neutered it somehow -- and allowed Kaspersky to publish. Or maybe it's something in between. That's the problem with this kind of speculation: without any facts, your theories just amplify whatever opinion you had previously.
https://securelist.com/introducing-whitebear/81638/
https://threatpost.com/...

New techniques in fake reviews are described in this research paper: "Automated Crowdturfing Attacks and Defenses in Online Review Systems."
https://arxiv.org/pdf/1708.08151.pdf

There's a security flaw in the Estonian national ID card. We have no idea how bad this really is, but my guess is that it's worse than the politicians are saying. And because this system is so important in local politics, the effects are significant.
http://estonianworld.com/technology/...
https://www.politsei.ee/en/nouanded/...
This is exactly the sort of thing I worry about as ID systems become more prevalent and more centralized. Anyone want to place bets on whether a foreign country is going to try to hack the next Estonian election?

There are significant security vulnerabilities in Arris routers, sold or given away by AT&T. There are several security vulnerabilities, some of them very serious. They can be fixed, but because these are routers it takes some skill. We don't know how many routers are affected, and estimates range from thousands to 138,000.
https://phys.org/news/...
http://www.zdnet.com/article/...
https://www.tomsguide.com/us/...
http://securityaffairs.co/wordpress/62553/hacking/...
https://www.nomotion.net/blog/sharknatto/
https://twitter.com/0xDUDE/status/903139505603051520
I have written about router vulnerabilities, and why the economics of their production makes them inevitable.
https://www.wired.com/2014/01/...

Interesting research from "Nature Human Behaviour": "The devoted actor's will to fight and the spiritual dimension of human conflict":
https://www.nature.com/articles/s41562-017-0193-3

The ShadowBrokers released the manual for UNITEDRAKE, a sophisticated NSA Trojan that targets Windows machines. UNITEDRAKE was mentioned in several Snowden documents and also in the TAO catalog of implants. And Kaspersky Labs has found evidence of these tools in the wild, associated with the Equation Group -- generally assumed to be the NSA.
https://assets.documentcloud.org/documents/3987443/...
http://www.zdnet.com/article/...
https://thehackernews.com/2017/09/...
https://snowdenarchive.cjfe.org/greenstone/cgi-bin/...
https://snowdenarchive.cjfe.org/greenstone/collect/...
https://www.wired.com/2015/02/...

Andrew "bunnie" Huang and Edward Snowden have designed a hardware device that attaches to an iPhone and monitors it for malicious surveillance activities, even in instances where the phone's operating system has been compromised. They call it an Introspection Engine, and their use model is a journalist who is concerned about government surveillance. This looks like fantastic work, and they have a working prototype. Of course, this does nothing to stop all the legitimate surveillance that happens over a cell phone: location tracking, records of who you talk to, and so on.
https://www.pubpub.org/pub/direct-radio-introspection
https://boingboing.net/2017/09/08/...

A Raspberry Pi is a tiny computer designed for makers and all sorts of Internet-of-Things types of projects. Make magazine has an article about securing it. Reading it, I am struck by how much work it is to secure. I fear that this is beyond the capabilities of most tinkerers, and the result will be even more insecure IoT devices.
https://makezine.com/2017/09/07/...

Turns out that all the major voice assistants -- Siri, Google Now, Samsung S Voice, Huawei HiVoice, Cortana, and Alexa -- listen at audio frequencies the human ear can't hear. Hackers can hijack those systems with inaudible commands that their owners can't hear.
https://endchan.xyz/.media/...
https://boingboing.net/2017/09/07/...
https://www.fastcodesign.com/90139019/...

Researchers have demonstrated hacks against robots, taking over and controlling their camera, speakers, and movements.
http://blog.ioactive.com/2017/02/...
https://www.wired.co.uk/article/...


iPhone Changes to Frustrate the Police

A new feature in Apple's new iPhone operating system -- iOS 11 -- will allow users to quickly disable Touch ID. This is useful in situations where the police cannot compel you to divulge your password, but can compel you to press your finger on the reader.

There's another, more significant, change: iOS now requires a passcode before the phone will establish trust with another device.

In the current system, when you connect your phone to a computer, you're prompted with the question "Trust this computer?" and you can click yes or no. Now you have to enter in your passcode again. That means if the police have an unlocked phone, they can scroll through the phone looking for things but they can't download all of the contents onto another computer without also knowing the passcode.

https://www.theverge.com/2017/8/17/16161758/...
https://blog.elcomsoft.com/2017/09/...
https://www.lawfareblog.com/...


Schneier News

I was interviewed in the Harvard Gazette:
https://www.schneier.com/news/archives/2017/08/...


My LinkedIn Account

I have successfully gotten the fake LinkedIn account in my name deleted. To prevent someone from doing this again, I signed up for LinkedIn. This is my first -- and only -- post on that account:

My Only LinkedIn Post (Yes, Really)
Welcome to my LinkedIn page. It looks empty because I'm never here. I don't log in, I never post anything, and I won't read any notes or comments you leave on this site. Nor will I accept any invitations or click on any "connect" links. I'm sure LinkedIn is a nice place; I just don't have the time.
If you're looking for me, visit my webpage at www.schneier.com. There you'll find my blog, and just about everything I've written. My e-mail address is schneier@schneier.com, if you want to talk to me personally.
I mirror my blog on my Facebook page (https://www.facebook.com/bruce.schneier/) and my Twitter feed (@schneierblog), but I don't visit those, either.

https://www.schneier.com/blog/archives/2017/08/...


Since 1998, CRYPTO-GRAM has been a free monthly newsletter providing summaries, analyses, insights, and commentaries on security: computer and otherwise. You can subscribe, unsubscribe, or change your address on the Web at <https://www.schneier.com/crypto-gram.html>. Back issues are also available at that URL.

Please feel free to forward CRYPTO-GRAM, in whole or in part, to colleagues and friends who will find it valuable. Permission is also granted to reprint CRYPTO-GRAM, as long as it is reprinted in its entirety.

CRYPTO-GRAM is written by Bruce Schneier. Bruce Schneier is an internationally renowned security technologist, called a "security guru" by The Economist. He is the author of 12 books -- including "Liars and Outliers: Enabling the Trust Society Needs to Survive" -- as well as hundreds of articles, essays, and academic papers. His influential newsletter "Crypto-Gram" and his blog "Schneier on Security" are read by over 250,000 people. He has testified before Congress, is a frequent guest on television and radio, has served on several government committees, and is regularly quoted in the press. Schneier is a fellow at the Berkman Center for Internet and Society at Harvard Law School, a program fellow at the New America Foundation's Open Technology Institute, a board member of the Electronic Frontier Foundation, an Advisory Board Member of the Electronic Privacy Information Center, and CTO of IBM Resilient and Special Advisor to IBM Security. See <https://www.schneier.com>.

Crypto-Gram is a personal newsletter. Opinions expressed are not necessarily those of IBM Resilient.

Copyright (c) 2017 by Bruce Schneier.
