April 15, 2018
by Bruce Schneier
CTO, IBM Resilient
A free monthly newsletter providing summaries, analyses, insights, and commentaries on security: computer and otherwise.
For back issues, or to subscribe, visit <https://www.schneier.com/crypto-gram.html>.
You can read this issue on the web at <https://www.schneier.com/crypto-gram/archives/2018/...>. These same essays and news items appear in the "Schneier on Security" blog at <https://www.schneier.com/>, along with a lively and intelligent comment section. An RSS feed is available.
In this issue:
- Facebook and Cambridge Analytica
- Israeli Security Company Attacks AMD by Publishing Zero-Day Exploits
- Schneier News
- Obscure E-Mail Vulnerability
- The Digital Security Exchange Is Live
In the wake of the Cambridge Analytica scandal, news articles and commentators have focused on what Facebook knows about us. A lot, it turns out. It collects data from our posts, our likes, our photos, things we type and delete without posting, and things we do while not on Facebook and even when we're offline. It buys data about us from others. And it can infer even more: our sexual orientation, political beliefs, relationship status, drug use, and other personality traits -- even if we didn't take the personality test that Cambridge Analytica developed.
But for every article about Facebook's creepy stalker behavior, thousands of other companies are breathing a collective sigh of relief that it's Facebook and not them in the spotlight. Because while Facebook is one of the biggest players in this space, there are thousands of other companies that spy on and manipulate us for profit.
Harvard Business School professor Shoshana Zuboff calls it "surveillance capitalism." And as creepy as Facebook is turning out to be, the entire industry is far creepier. It has existed in secret far too long, and it's up to lawmakers to force these companies into the public spotlight, where we can all decide if this is how we want society to operate and -- if not -- what to do about it.
There are 2,500 to 4,000 data brokers in the United States whose business is buying and selling our personal data. Last year, Equifax was in the news when hackers stole personal information on 150 million people, including Social Security numbers, birth dates, addresses, and driver's license numbers.
You certainly didn't give it permission to collect any of that information. Equifax is one of those thousands of data brokers, most of them you've never heard of, selling your personal information without your knowledge or consent to pretty much anyone who will pay for it.
Surveillance capitalism takes this one step further. Companies like Facebook and Google offer you free services in exchange for your data. Google's surveillance isn't in the news, but it's startlingly intimate. We never lie to our search engines. Our interests and curiosities, hopes and fears, desires and sexual proclivities, are all collected and saved. Add to that the websites we visit that Google tracks through its advertising network, our Gmail accounts, our movements via Google Maps, and what it can collect from our smartphones.
That phone is probably the most intimate surveillance device ever invented. It tracks our location continuously, so it knows where we live, where we work, and where we spend our time. It's the first and last thing we check in a day, so it knows when we wake up and when we go to sleep. We all have one, so it knows who we sleep with. Uber used just some of that information to detect one-night stands; your smartphone provider and any app you allow to collect location data knows a lot more.
Surveillance capitalism drives much of the internet. It's behind most of the "free" services, and many of the paid ones as well. Its goal is psychological manipulation, in the form of personalized advertising to persuade you to buy something or do something, like vote for a candidate. And while the individualized profile-driven manipulation exposed by Cambridge Analytica feels abhorrent, it's really no different from what every company wants in the end. This is why all your personal information is collected, and this is why it is so valuable. Companies that can understand it can use it against you.
None of this is new. The media has been reporting on surveillance capitalism for years. In 2015, I wrote a book about it. Back in 2010, the Wall Street Journal published an award-winning two-year series about how people are tracked both online and offline, titled "What They Know."
Surveillance capitalism is deeply embedded in our increasingly computerized society, and if the extent of it came to light there would be broad demands for limits and regulation. But because this industry can largely operate in secret, only occasionally exposed after a data breach or investigative report, we remain mostly ignorant of its reach.
This might change soon. In 2016, the European Union adopted the comprehensive General Data Protection Regulation, or GDPR. The details of the law are far too complex to explain here, but among other things it mandates that personal data of people in the EU can only be collected and processed for "specified, explicit and legitimate purposes," and only on a lawful basis such as the explicit consent of the user. Consent can't be buried in the terms and conditions, nor can it be assumed unless the user opts in. This law takes effect on May 25, and companies worldwide are bracing for its enforcement.
Because pretty much all surveillance capitalism companies collect data on Europeans, this will expose the industry like nothing else. Here's just one example. In preparation for this law, PayPal quietly published a list of over 600 companies it might share your personal data with. What will it be like when every company has to publish this sort of information, and explicitly explain how it's using your personal data? We're about to find out.
In the wake of this scandal, even Mark Zuckerberg said that his industry probably should be regulated, although he's certainly not wishing for the sorts of comprehensive regulation the GDPR is bringing to Europe.
He's right. Surveillance capitalism has operated without constraints for far too long. And advances in both big data analysis and artificial intelligence will make tomorrow's applications far creepier than today's. Regulation is the only answer.
The first step to any regulation is transparency. Who has our data? Is it accurate? What are they doing with it? Who are they selling it to? How are they securing it? Can we delete it? I don't see any hope of Congress passing a GDPR-like data protection law anytime soon, but it's not too far-fetched to demand laws requiring these companies to be more transparent in what they're doing.
One of the responses to the Cambridge Analytica scandal is that people are deleting their Facebook accounts. It's hard to do right, and doesn't do anything about the data that Facebook collects about people who don't use Facebook. But it's a start. The market can put pressure on these companies to reduce their spying on us, but it can only do that if we force the industry out of its secret shadows.
This essay previously appeared on CNN.com.
What Facebook collects and knows:
Uber's data analysis on one-night stands:
My book, "Data and Goliath":
Why deleting Facebook won't help:
This is a good article on the complicated story of hacker Marcus Hutchins.
Dan Geer on the dangers of computer-only systems:
Interesting paper "A first look at browser-based cryptojacking":
Some details about the iPhone unlocker from the US company Greyshift, with photos.
Zeynep Tufekci is particularly cogent about Facebook and Cambridge Analytica.
Interesting research from 2014 into undetectably adding backdoors into computer chips during manufacture: "Stealthy dopant-level hardware Trojans: extended version." The moral is that this kind of technique is *very* difficult to detect.
Ross Anderson has a really interesting paper on tracing stolen bitcoin.
Brad Templeton wrote about this years ago:
Researchers have exploited a flaw in the cryptocurrency Monero to break the anonymity of transactions.
When Spectre and Meltdown were first announced earlier this year, pretty much everyone predicted that there would be many more attacks targeting branch prediction in microprocessors. Here's another one:
It's routine for US police to unlock iPhones with the fingerprints of dead people. It seems only to work with recently dead people.
Interesting history of musical ciphers.
The US Consumer Product Safety Commission is holding hearings on IoT risks:
This is a really interesting research result. This paper proves that two parties can create a secure communications channel using a communications system with a backdoor. It's a theoretical result, so it doesn't talk about how easy that channel is to create. And the assumptions on the adversary are pretty reasonable: that each party can create his own randomness, and that the government isn't literally eavesdropping on every single part of the network at all times.
This result reminds me a lot of the work about subliminal channels from the 1980s and 1990s, and the notions of how to build an anonymous communications system on top of an identified system. Basically, it's always possible to overlay a system around and outside any closed system.
DARPA is launching a program aimed at vulnerability discovery via human-assisted AI. The new DARPA program is called CHESS (Computers and Humans Exploring Software Security), and they're holding a proposers day in a week and a half.
This is the kind of thing that can dramatically change the offense/defense balance.
Good article about how difficult it is to insure an organization against Internet attacks, and how expensive the insurance is.
Interesting research: "'Won't Somebody Think of the Children?' Examining COPPA Compliance at Scale":
Last week, the Israeli security company CTS-Labs announced a series of vulnerabilities in AMD chips. The announcement came with the flashy website, detailed whitepaper, cool vulnerability names -- RYZENFALL, MASTERKEY, FALLOUT, and CHIMERA -- and logos we've come to expect from these sorts of things. What's new is that the company only gave AMD a day's notice, which breaks with every norm about responsible disclosure. CTS-Labs didn't release details of the exploits, only high-level descriptions of the vulnerabilities, but it is probably still enough for others to reproduce their results. This is incredibly irresponsible of the company.
Moreover, the vulnerabilities are kind of meh. Nicholas Weaver explains:
In order to use any of the four vulnerabilities, an attacker must already have *almost* complete control over the machine. For most purposes, if the attacker already has this access, we would generally say they've already won. But these days, modern computers at least attempt to protect against a rogue operating system by having separate secure subprocessors. CTS-Labs discovered the vulnerabilities when they looked at AMD's implementation of the secure subprocessor to see if an attacker, having already taken control of the host operating system, could bypass these last lines of defense.
In a "Clarification," CTS-Labs kind of agrees:
The vulnerabilities described in amdflaws.com could give an attacker that has already gained initial foothold into one or more computers in the enterprise a significant advantage against IT and security teams.
The only thing the attacker would need after the initial local compromise is local admin privileges and an affected machine. To clarify misunderstandings -- there is no need for physical access, no digital signatures, no additional vulnerability to reflash an unsigned BIOS. Buy a computer from the store, run the exploits as admin -- and they will work (on the affected models as described on the site).
AMD's response today agrees that all four bug families are real and are found in the various components identified by CTS. The company says that it is developing firmware updates for the three PSP flaws. These fixes, to be made available in "coming weeks," will be installed through system firmware updates. The firmware updates will also mitigate, in some unspecified way, the Chimera issue, with AMD saying that it's working with ASMedia, the third-party hardware company that developed Promontory for AMD, to develop suitable protections. In its report, CTS wrote that, while one CTS attack vector was a firmware bug (and hence in principle correctable), the other was a hardware flaw. If true, there may be no effective way of solving it.
The weirdest thing about this story is that CTS-Labs describes one of the vulnerabilities, Chimera, as a backdoor. Although it doesn't come out and say that this was deliberately planted by someone, it does make the point that the chipset in question was designed by a Taiwanese company. This is an incredible accusation, and honestly needs more evidence before we can evaluate it.
The upshot of all of this is that CTS-Labs played this for maximum publicity: over-hyping its results and minimizing AMD's ability to respond. And it may have an ulterior motive. From Wired:
But CTS's website touting AMD's flaws also contained a disclaimer that threw some shadows on the company's motives: "Although we have a good faith belief in our analysis and believe it to be objective and unbiased, you are advised that we may have, either directly or indirectly, an economic interest in the performance of the securities of the companies whose products are the subject of our reports," reads one line. WIRED asked in a follow-up email to CTS whether the company holds any financial positions designed to profit from the release of its AMD research specifically. CTS didn't respond.
We all need to demand better behavior from security researchers. I know that any publicity is good publicity, but I am pleased to see the stories critical of CTS-Labs outnumbering the stories praising it.
I'm speaking at the RSA Conference on April 17-18 in San Francisco:
I'm speaking at an IBM event in Mumbai on May 3.
I'm speaking at an IBM event in Istanbul on May 9.
I'm speaking at an IBM event in London on May 15.
This vulnerability is a result of an interaction between two different ways of handling e-mail addresses. Gmail ignores dots in the local part of a gmail.com address, so james.hfisher@gmail.com is the same as jameshfisher@gmail.com is the same as j.a.m.e.s.h.f.i.s.h.e.r@gmail.com. (Note: I do not own any of those email addresses -- if they're even valid.) Netflix doesn't ignore dots, so to Netflix those are all unique e-mail addresses, and each can be used to register a separate account. This difference can be exploited.
James Fisher, who found the problem, writes: I was almost fooled into perpetually paying for Eve's Netflix access, and only paused because I didn't recognize the declined card. More generally, the phishing scam here is:
1. Hammer the Netflix signup form until you find a gmail.com address which is "already registered". Let's say you find the victim jameshfisher.
2. Create a Netflix account with address james.hfisher.
3. Sign up for free trial with a throwaway card number.
4. After Netflix applies the "active card check", cancel the card.
5. Wait for Netflix to bill the cancelled card. Then Netflix emails james.hfisher asking for a valid card.
6. Hope Jim reads the email to james.hfisher, assumes it's for his Netflix account backed by jameshfisher, then enters his card **** 1234.
7. Change the email for the Netflix account to an address you control, kicking Jim's access to this account.
8. Use Netflix free forever with Jim's card **** 1234!
Obscure, yes? A problem, yes?
James Fisher, who wrote the post, argues that it's Google's fault. Ignoring dots might give people an enormous number of different email addresses, but it's not a feature that people actually want. And as long as other sites don't follow Google's lead, these sorts of problems are possible.
I think the problem is more subtle. It's an example of two systems without a security vulnerability coming together to create a security vulnerability. As we connect more systems directly to each other, we're going to see a lot more of these. And like this Google/Netflix interaction, it's going to be hard to figure out who to blame and who -- if anyone -- has the responsibility of fixing it.
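As an added example (not code from the original newsletter, from James Fisher's post, or from Google or Netflix), here is the normalization rule Gmail applies to consumer addresses, beside a toy signup registry that either keys accounts on the raw address string, as the post describes Netflix doing, or on the mailbox the address actually delivers to. The gmail.com rules (dots in the local part ignored, anything after a plus sign ignored, googlemail.com treated as an alias) are Gmail's documented behaviour for consumer accounts and do not apply to Google Workspace domains; the registry class, the sample user table and the function names are constructed for this illustration.

```python
"""Added example: Gmail's dot-insensitive addresses colliding with a
dot-sensitive signup system, and the canonicalization check that closes
the gap. Not code from the newsletter, James Fisher's post, Google or
Netflix; registry and sample data are constructed for illustration."""
from __future__ import annotations

# Domains whose mailboxes ignore dots (and '+suffix') in the local part.
# Documented Gmail behaviour for consumer accounts only; Google Workspace
# domains are deliberately NOT listed.
DOT_INSENSITIVE_DOMAINS = {"gmail.com", "googlemail.com"}


def canonical_mailbox(address: str) -> str:
    """Return the address of the mailbox that will actually receive mail.

    For gmail.com / googlemail.com: lowercase, drop everything after '+',
    drop all dots, and map googlemail.com to gmail.com.
    For any other domain: only the domain is lowercased. RFC 5321 allows a
    case-sensitive local part, so it is left untouched (assumption: we
    prefer to under-merge rather than merge two genuinely distinct mailboxes).
    """
    address = address.strip()
    if address.count("@") != 1:
        raise ValueError(f"not a single-mailbox address: {address!r}")
    local, domain = address.rsplit("@", 1)
    domain = domain.lower()
    if domain in DOT_INSENSITIVE_DOMAINS:
        local = local.lower().split("+", 1)[0].replace(".", "")
        domain = "gmail.com"
    return f"{local}@{domain}"


class AccountRegistry:
    """Toy signup store (constructed for this example).

    canonicalize=False keys accounts on the raw address string, the behaviour
    the post describes for Netflix. canonicalize=True keys them on the
    receiving mailbox, so a dot-variant of an existing Gmail address is
    reported as already registered.
    """

    def __init__(self, canonicalize: bool) -> None:
        self._canonicalize = canonicalize
        self._accounts: dict[str, str] = {}  # key -> address as entered

    def _key(self, address: str) -> str:
        if self._canonicalize:
            return canonical_mailbox(address)
        return address.strip().lower()

    def register(self, address: str) -> bool:
        """True if a new account was created, False if that mailbox already has one."""
        key = self._key(address)
        if key in self._accounts:
            return False
        self._accounts[key] = address
        return True

    def owner_of_mailbox(self, address: str) -> str | None:
        """The address originally registered for the mailbox `address` delivers to."""
        return self._accounts.get(self._key(address))


def demo_attack() -> tuple[bool, bool]:
    """Replay step 2 of the post against both registries.

    Returns (naive_registry_accepted, hardened_registry_accepted): the naive
    store happily creates a second account on the victim's mailbox, the
    hardened one refuses.
    """
    victim = "jameshfisher@gmail.com"
    attacker_variant = "james.hfisher@gmail.com"
    naive = AccountRegistry(canonicalize=False)
    hardened = AccountRegistry(canonicalize=True)
    naive.register(victim)
    hardened.register(victim)
    return naive.register(attacker_variant), hardened.register(attacker_variant)


# Constructed sample user table, not real accounts.
SAMPLE_USER_TABLE = [
    "jameshfisher@gmail.com",
    "james.hfisher@gmail.com",
    "j.a.m.e.s.hfisher+promo@googlemail.com",
    "alice@example.org",
    "a.lice@example.org",  # dot-sensitive provider: a genuinely different mailbox
    "Bob@Gmail.com",
]


def find_colliding_accounts(addresses: list[str]) -> dict[str, list[str]]:
    """Audit an existing user table: group addresses that deliver to the same
    mailbox and return only the groups with more than one account."""
    groups: dict[str, list[str]] = {}
    for addr in addresses:
        groups.setdefault(canonical_mailbox(addr), []).append(addr)
    return {mailbox: addrs for mailbox, addrs in groups.items() if len(addrs) > 1}


if __name__ == "__main__":
    print("naive accepted, hardened accepted:", demo_attack())
    for mailbox, addrs in find_colliding_accounts(SAMPLE_USER_TABLE).items():
        print(mailbox, "<-", addrs)
```

The audit function is the retrospective check a site in Netflix's position would run over its user table; the registry's canonical key is the forward-looking fix. Note the asymmetry: merging too aggressively on a dot-sensitive provider would lock a legitimate user out, which is why the non-Gmail local part is left alone.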
Last year, I wrote about the Digital Security Exchange. The project is live:
The DSX works to strengthen the digital resilience of U.S. civil society groups by improving their understanding and mitigation of online threats.
We do this by pairing civil society and social sector organizations with credible and trustworthy digital security experts and trainers who can help them keep their data and networks safe from exposure, exploitation, and attack. We are committed to working with community-based organizations, legal and journalistic organizations, civil rights advocates, local and national organizers, and public and high-profile figures who are working to advance social, racial, political, and economic justice in our communities and our world.
If you are either an organization who needs help, or an expert who can provide help, visit their website.
Note: I am on their advisory committee.
My previous blog post:
Since 1998, CRYPTO-GRAM has been a free monthly newsletter providing summaries, analyses, insights, and commentaries on security: computer and otherwise. You can subscribe, unsubscribe, or change your address on the Web at <https://www.schneier.com/crypto-gram.html>. Back issues are also available at that URL.
Please feel free to forward CRYPTO-GRAM, in whole or in part, to colleagues and friends who will find it valuable. Permission is also granted to reprint CRYPTO-GRAM, as long as it is reprinted in its entirety.
CRYPTO-GRAM is written by Bruce Schneier. Bruce Schneier is an internationally renowned security technologist, called a "security guru" by The Economist. He is the author of 12 books -- including "Liars and Outliers: Enabling the Trust Society Needs to Survive" -- as well as hundreds of articles, essays, and academic papers. His influential newsletter "Crypto-Gram" and his blog "Schneier on Security" are read by over 250,000 people. He has testified before Congress, is a frequent guest on television and radio, has served on several government committees, and is regularly quoted in the press. Schneier is a fellow at the Berkman Center for Internet and Society at Harvard Law School, a program fellow at the New America Foundation's Open Technology Institute, a board member of the Electronic Frontier Foundation, an Advisory Board Member of the Electronic Privacy Information Center, and CTO of IBM Resilient and Special Advisor to IBM Security. See <https://www.schneier.com>.
Crypto-Gram is a personal newsletter. Opinions expressed are not necessarily those of IBM Resilient.
Copyright (c) 2018 by Bruce Schneier.