Crypto-Gram

October 15, 2017

by Bruce Schneier
CTO, IBM Resilient
schneier@schneier.com
https://www.schneier.com

A free monthly newsletter providing summaries, analyses, insights, and commentaries on security: computer and otherwise.

For back issues, or to subscribe, visit <https://www.schneier.com/crypto-gram.html>.

You can read this issue on the web at <https://www.schneier.com/crypto-gram/archives/2017/...>. These same essays and news items appear in the "Schneier on Security" blog at <https://www.schneier.com/>, along with a lively and intelligent comment section. An RSS feed is available.


In this issue:


Yet Another Russian Hack of the NSA -- This Time with Kaspersky's Help

The Wall Street Journal has a bombshell of a story. Yet another NSA contractor took classified documents home with him. Yet another Russian intelligence operation stole copies of those documents. The twist this time is that the Russians identified the documents because the contractor had Kaspersky Labs anti-virus installed on his home computer.

This is either an example of the Russians subverting a perfectly reasonable security feature in Kaspersky's products, or Kaspersky adding a plausible feature at the request of Russian intelligence. In the latter case, it's a nicely deniable Russian information operation. In either case, it's an impressive Russian information operation.

This is a huge deal, both for the NSA and Kaspersky. The Wall Street Journal article contains no evidence, only unnamed sources. But I am having trouble seeing how the already embattled Kaspersky Labs survives this.

What's getting a lot less press is yet another NSA contractor stealing top-secret cyberattack software. What is it with the NSA's inability to keep anything secret anymore?

And it seems that Israeli intelligence penetrated the Kaspersky network and noticed the operation.

https://www.wsj.com/articles/... (link behind paywall)
https://www.wsj.com/articles/... (link behind paywall)

https://arstechnica.com/information-technology/2017/...
https://www.nytimes.com/2017/10/05/us/politics/...
https://www.wired.com/story/...
http://www.slate.com/blogs/future_tense/2017/10/05/...
https://motherboard.vice.com/en_us/article/kz755a/...

Israel's involvement:
https://www.nytimes.com/2017/10/10/technology/...
https://www.washingtonpost.com/world/...


Changes in Password Best Practices

NIST recently published its four-volume SP800-63-3 Digital Identity Guidelines. Among other things, it makes three important suggestions when it comes to passwords:

* Stop it with the annoying password complexity rules. They make passwords harder to remember. They increase errors because artificially complex passwords are harder to type in. And they don't help that much. It's better to allow people to use pass phrases.

* Stop it with password expiration. That was an old idea for an old way we used computers. Today, don't make people change their passwords unless there's indication of compromise.

* Let people use password managers. This is how we deal with all the passwords we need.

These password rules were failed attempts to fix the user. Better we fix the security systems.

http://nvlpubs.nist.gov/nistpubs/...

Why password complexity rules are bad:
https://www.wsj.com/articles/... (link behind paywall)

Why password expiration is bad:
https://securingthehuman.sans.org/blog/2017/03/23/...

Stop trying to fix the user:
http://ieeexplore.ieee.org/document/7676198/


News

A bunch of Bluetooth vulnerabilities are being reported, some pretty nasty.
https://www.armis.com/blueborne/

This is a good interview with Apple's SVP of Software Engineering about FaceID.
https://techcrunch.com/2017/09/15/...
More stories:
https://www.wired.com/story/iphone-x-faceid-security/
https://www.darkreading.com/...
http://www.popsci.com/...
https://www.kaspersky.com/blog/...

New York Times reporter Charlie Savage writes about some bad statistics we're all using about what the NSA collects under its Section 702 authority:
https://www.charliesavage.com/?p=1714

The ISO has decided not to approve two NSA-designed block encryption algorithms: Speck and Simon. It's because the NSA is not trusted to put security ahead of surveillance.
http://mobile.reuters.com/article/amp/idUSKCN1BW0GV
Speck and Simon:
https://www.schneier.com/blog/archives/2013/07/...

The Boston Red Sox admitted to eavesdropping on the communications channel between catcher and pitcher.
https://www.schneier.com/blog/archives/2017/09/...

Wired has a story about a possible GPS spoofing attack by Russia:
https://www.wired.co.uk/article/...

Under European law, service providers like Tinder are required to show users what information they have on them when requested. This author requested, and wrote about what she received:
https://www.theguardian.com/technology/2017/sep/26/...
It's not Tinder. Surveillance is the business model of the Internet. Everyone does this.

There's a newly discovered bug in Internet Explorer that allows any currently visited website to learn the contents of the address bar when the user hits enter. This feels important; the site I am at now has no business knowing where I go next.
https://arstechnica.com/information-technology/2017/...

The large accountancy firm Deloitte was hacked, losing client e-mails and files. The hackers had access inside the company's networks for months. Deloitte is doing its best to downplay the severity of this hack, but Brian Krebs reports that the hack "involves the compromise of all administrator accounts at the company as well as Deloitte's entire internal email system."
https://www.theguardian.com/business/2017/sep/25/...
https://krebsonsecurity.com/2017/09/...
So far, the hackers haven't published all the data they stole.

This report discusses the new trend of remote malware attacks against ATMs.
https://documents.trendmicro.com/assets/...

Interesting survey paper on the privacy implications of e-mail tracking.
https://senglehardt.com/papers/...

In the wake of the Equifax break, I've heard calls to replace Social Security numbers. Steve Bellovin explains why this is hard.
https://motherboard.vice.com/en_us/article/pakwnb/...

Politico reports that White House Chief of Staff John Kelly's cell phone was compromised back in December. I know this is news because of who he is, but I hope every major government official of any country assumes that their commercial off-the-shelf cell phone is compromised. Even allies spy on allies; remember the reports that the NSA tapped the cell phone of German Chancellor Angela Merkel?
http://www.politico.com/story/2017/10/05/...

PornHub is using machine learning algorithms to identify actors in different videos, so as to better index them. People are worried that it can really identify them, by linking their stage names to their real names.
https://techcrunch.com/2017/10/11/...
https://motherboard.vice.com/en_us/article/a3kmpb/...

Facebook somehow managed to link a sex worker's clients under her fake name to her real profile.
https://gizmodo.com/...
Sometimes people have legitimate reasons for having two identities. That is becoming harder and harder.


HP Shared ArcSight Source Code with Russians

Reuters is reporting that HP Enterprise gave the Russians a copy of the ArcSight source code.

The article highlights that ArcSight is used by the Pentagon to protect classified networks, but the security risks are much broader. Any weaknesses the Russians discover could be used against any ArcSight customer.

What is HP Enterprise thinking? Near as I can tell, they only gave it away because the Russians asked nicely.

Supply chain security is very difficult. The article says that Russia demands source code because it's worried about supply chain security: "One reason Russia requests the reviews before allowing sales to government agencies and state-run companies is to ensure that U.S. intelligence services have not placed spy tools in the software." That's a reasonable thing to worry about, considering what we know about NSA's interdiction of commercial hardware and software products. But how can Group A convince Group B of the integrity and security of hardware/software without putting itself at risk from Group B?

This is one of the areas where open-source software has a security edge. If everyone has access to the source code -- and security doesn't depend on its secrecy -- then there's no advantage in getting a copy. As long as companies rely on obscurity for their security, these sorts of attacks are possible and profitable.

I wonder what sorts of assurances HP Enterprise gave its customers that it would secure its source code, and if any of those customers have negligence options against HP Enterprise.

https://www.reuters.com/article/...
https://www.engadget.com/2017/10/02/...
https://www.extremetech.com/internet/...

Commentary:
https://www.lawfareblog.com/...


Schneier News

I'm speaking at the Privacy XChange Forum in Las Vegas on 24 October.
http://privacyxchangeforum.com/

I'm on a panel at HLS in the World, in Cambridge on 27 October.
http://200.hls.harvard.edu/events/hls-in-the-world/

I'm speaking at SecTor in Toronto on 15 November.
https://sector.ca/


My Writing

Crypto-Gram and blog regulars will notice that I haven't been writing and posting as much. There are two reasons. One, it feels harder to find things to write about. So often it's the same stories over and over. I don't like repeating myself. Two, I am busy writing a book. The title is still: "Click Here to Kill Everybody: Peril and Promise in a Hyper-Connected World." The book is a year late, and has a very different table of contents than it had in 2016. I have been writing steadily since mid-August. The book is due to the publisher at the end of March 2018, and will be published in the beginning of September.

This is the current table of contents:

  • Introduction: Everything is Becoming a Computer
  • Part 1: The Trends
    • 1. Capitalism Continues to Drive the Internet
    • 2. Customer/User Control is Next
    • 3. Government Surveillance and Control is Also Increasing
    • 4. Cybercrime is More Profitable Than Ever
    • 5. Cyberwar is the New Normal
    • 6. Algorithms, Automation, and Autonomy Bring New Dangers
    • 7. What We Know About Computer Security
    • 8. Agile is Failing as a Security Paradigm
    • 9. Authentication and Identification are Getting Harder
    • 10. Risks are Becoming Catastrophic
  • Part 2: The Solutions
    • 11. We Need to Regulate the Internet of Things
    • 12. We Need to Defend Critical Infrastructure
    • 13. We Need to Prioritize Defense Over Offense
    • 14. We Need to Make Smarter Decisions About Connecting
    • 15. What's Likely to Happen, and What We Can Do in Response
    • 16. Where Policy Can Go Wrong
  • Conclusion: Technology and Policy, Together

So that's what's been happening.

2016 book announcement:
https://www.schneier.com/blog/archives/2016/04/...


Department of Homeland Security to Collect Social Media of Immigrants and Citizens

New rules give the DHS permission to collect "social media handles, aliases, associated identifiable information, and search results" as part of people's immigration files. The Federal Register has the details, which seems to also include US citizens that communicate with immigrants.

This is part of the general trend to scrutinize people coming into the US more, but it's hard to get too worked up about the DHS accessing publicly available information. More disturbing is the trend of occasionally asking for social media passwords at the border.

https://www.buzzfeed.com/adolfoflores/...
https://www.federalregister.gov/documents/2017/09/...

US Immigration asking for social media passwords at the border:
https://www.theatlantic.com/technology/archive/2017/...


Since 1998, CRYPTO-GRAM has been a free monthly newsletter providing summaries, analyses, insights, and commentaries on security: computer and otherwise. You can subscribe, unsubscribe, or change your address on the Web at <https://www.schneier.com/crypto-gram.html>. Back issues are also available at that URL.

Please feel free to forward CRYPTO-GRAM, in whole or in part, to colleagues and friends who will find it valuable. Permission is also granted to reprint CRYPTO-GRAM, as long as it is reprinted in its entirety.

CRYPTO-GRAM is written by Bruce Schneier. Bruce Schneier is an internationally renowned security technologist, called a "security guru" by The Economist. He is the author of 12 books -- including "Liars and Outliers: Enabling the Trust Society Needs to Survive" -- as well as hundreds of articles, essays, and academic papers. His influential newsletter "Crypto-Gram" and his blog "Schneier on Security" are read by over 250,000 people. He has testified before Congress, is a frequent guest on television and radio, has served on several government committees, and is regularly quoted in the press. Schneier is a fellow at the Berkman Center for Internet and Society at Harvard Law School, a program fellow at the New America Foundation's Open Technology Institute, a board member of the Electronic Frontier Foundation, an Advisory Board Member of the Electronic Privacy Information Center, and CTO of IBM Resilient and Special Advisor to IBM Security. See <https://www.schneier.com>.

Crypto-Gram is a personal newsletter. Opinions expressed are not necessarily those of IBM Resilient.

Copyright (c) 2017 by Bruce Schneier.

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.