Crypto-Gram

June 15, 2018

by Bruce Schneier
CTO, IBM Resilient
schneier@schneier.com
https://www.schneier.com

A free monthly newsletter providing summaries, analyses, insights, and commentaries on security: computer and otherwise.

For back issues, or to subscribe, visit <https://www.schneier.com/crypto-gram.html>.

You can read this issue on the web at <https://www.schneier.com/crypto-gram/archives/2018/...>. These same essays and news items appear in the "Schneier on Security" blog at <https://www.schneier.com/>, along with a lively and intelligent comment section. An RSS feed is available.


In this issue:


Important: Crypto-Gram Is Moving to MailChimp

tl;dr: I'm moving this mailing list to MailChimp. If you still want to get Crypto-Gram, you don't have to do anything. I'm moving the list over.

I have to move Crypto-Gram now, because my long-time host is getting out of the hosting business. Truthfully, I've been having trouble with hosting such a large list for a long time. And the subscription management for the list wasn't very user-friendly for people who weren't already used to old-school mailing lists. I hope this change will make things more user-friendly for everyone.

After looking at the various options out there, I've decided to go with MailChimp. They are willing to work with me to ensure that open tracking and click tracking are disabled -- so no web bugs. Google Analytics on the MailChimp site will track you if you subscribe, unsubscribe, or change your preferences; I can't eliminate that.

Changing hosts may cause some e-mail programs to filter Crypto-Gram differently. For example, Gmail will probably put it in your "Promotions" tab. You can change this by dragging it into your primary tab, but you'll have to manage that yourself. I see no way to avoid this.

If you don't like MailChimp and don't want to be a subscriber, you can unsubscribe using the personalized unsubscribe link in the footer of this email until July 1. After July 1, please visit this page to unsubscribe:

https://www.schneier.com/crypto-gram/unsubscribe.html

If Mailman's unsubscribe system is too annoying, please e-mail me at listowner@schneier.com and I'll make sure you're removed.

You can also read the monthly edition of Crypto-Gram on my website, or read the individual articles as they come out on my blog. That URL is:

https://www.schneier.com

I'm also going to start sending out Crypto-Gram in HTML instead of plain text. It will be very simple, plain HTML with no images, so the newsletter won't look all that different. But this change will allow me to use bold and italics, and to keep links in their natural place within the text instead of dumping them into a long ugly list of URLs at the end. Those of you who've disabled HTML display in your e-mail clients for security reasons will still see a plain text version.

I have resisted making this change for several years, but now I really have no choice. I apologize for any inconvenience.


Router Vulnerability and the VPNFilter Botnet

On May 25, the FBI asked us all to reboot our routers. The story behind this request is one of sophisticated malware and unsophisticated home-network security, and it's a harbinger of the sorts of pervasive threats -- from nation-states, criminals and hackers -- that we should expect in coming years.

VPNFilter is a sophisticated piece of malware that infects mostly older home and small-office routers made by Linksys, MikroTik, Netgear, QNAP and TP-Link. It's an impressive piece of work. It can eavesdrop on traffic passing through the router -- specifically, login credentials and SCADA traffic, which is a networking protocol that controls power plants, chemical plants and industrial systems -- attack other targets on the Internet and destructively "kill" its infected device. It is one of a very few pieces of malware that can survive a reboot, even though that's what the FBI has requested. It has a number of other capabilities, and it can be remotely updated to provide still others. More than 500,000 routers in at least 54 countries have been infected since 2016.

Because of the malware's sophistication, VPNFilter is believed to be the work of a government. The FBI suggested the Russian government was involved for two circumstantial reasons. One, a piece of the code is identical to one found in another piece of malware, called BlackEnergy, that was used in the December 2015 attack against Ukraine's power grid. Russia is believed to be behind that attack. And two, the majority of those 500,000 infections are in Ukraine and controlled by a separate command-and-control server. There might also be classified evidence, as an FBI affidavit in this matter identifies the group behind VPNFilter as Sofacy, also known as APT28 and Fancy Bear. That's the group behind a long list of attacks, including the 2016 hack of the Democratic National Committee.

Two companies, Cisco and Symantec, seem to have been working with the FBI during the past two years to track this malware as it infected ever more routers. The infection mechanism isn't known, but we believe it targets known vulnerabilities in these older routers. Pretty much no one patches their routers, so the vulnerabilities have remained, even if they were fixed in new models from the same manufacturers.

On May 30, the FBI seized control of toknowall.com, a critical VPNFilter command-and-control server. This is called "sinkholing," and serves to disrupt a critical part of this system. When infected routers contact toknowall.com, they will no longer be contacting a server owned by the malware's creators; instead, they'll be contacting a server owned by the FBI. This doesn't entirely neutralize the malware, though. It will stay on the infected routers through reboot, and the underlying vulnerabilities remain, making the routers susceptible to reinfection with a variant controlled by a different server.

If you want to make sure your router is no longer infected, you need to do more than reboot it, the FBI's warning notwithstanding. You need to reset the router to its factory settings. That means you need to reconfigure it for your network, which can be a pain if you're not sophisticated in these matters. If you want to make sure your router cannot be reinfected, you need to update the firmware with any security patches from the manufacturer. This is harder to do and may strain your technical capabilities, though it's ridiculous that routers don't automatically download and install firmware updates on their own. Some of these models probably do not even have security patches available. Honestly, the best thing to do if you have one of the vulnerable models is to throw it away and get a new one. (Your ISP will probably send you a new one free if you claim that it's not working properly. And you *should* have a new one, because if your current one is on the list, it's probably at least 10 years old.)

So if it won't clear out the malware, why is the FBI asking us to reboot our routers? It's mostly just to get a sense of how bad the problem is. The FBI now controls toknowall.com. When an infected router gets rebooted, it connects to that server to get fully reinfected, and when it does, the FBI will know. Rebooting will give it a better idea of how many devices out there are infected.

Should you do it? It can't hurt.

Internet of Things malware isn't new. The 2016 Mirai botnet, for example, created by a lone hacker and not a government, targeted vulnerabilities in Internet-connected digital video recorders and webcams. Other malware has targeted Internet-connected thermostats. Lots of malware targets home routers. These devices are particularly vulnerable because they are often designed by ad hoc teams without a lot of security expertise, stay around in networks far longer than our computers and phones, and have no easy way to patch them.

It wouldn't be surprising if the Russians targeted routers to build a network of infected computers for follow-on cyber operations. I'm sure many governments are doing the same. As long as we allow these insecure devices on the Internet -- and short of security regulations, there's no way to stop them -- we're going to be vulnerable to this kind of malware.

And next time, the command-and-control server won't be so easy to disrupt.

Addendum: The malware is more capable than we previously thought.
https://arstechnica.com/information-technology/2018/...

This essay previously appeared in the "Washington Post."
https://www.washingtonpost.com/news/posteverything/...

https://arstechnica.com/information-technology/2018/...
https://www.wired.com/story/...

Vulnerable routers:
https://www.symantec.com/blogs/threat-intelligence/...

BlackEnergy:
https://usa.kaspersky.com/resource-center/threats/...

FBI's affidavit:
http://www.kingpin.cc/wp-content/uploads/2018/05/...
https://www.justice.gov/opa/pr/...

Cisco's post:
https://blog.talosintelligence.com/2018/05/...

FBI sinkholes command-and-control system:
https://amp.thedailybeast.com/...

Updating your router firmware:
https://krebsonsecurity.com/2018/05/...

FBI's request:
https://www.nytimes.com/2018/05/27/technology/...
https://www.ic3.gov/media/2018/180525.aspx

Should you do it?:
https://www.cnet.com/how-to/...


E-Mail Vulnerabilities and Disclosure

Last week, researchers disclosed vulnerabilities in a large number of encrypted e-mail clients: specifically, those that use OpenPGP and S/MIME, including Thunderbird and AppleMail. These are serious vulnerabilities: An attacker who can alter mail sent to a vulnerable client can trick that client into sending a copy of the plaintext to a web server controlled by that attacker. The story of these vulnerabilities and the tale of how they were disclosed illustrate some important lessons about security vulnerabilities in general and e-mail security in particular.

But first, if you use PGP or S/MIME to encrypt e-mail, you need to check the list and see if you are vulnerable. If you are, check with the vendor to see if they've fixed the vulnerability. (Note that some early patches turned out not to fix the vulnerability.) If not, stop using the encrypted e-mail program entirely until it's fixed. Or, if you know how to do it, turn off your e-mail client's ability to process HTML e-mail or -- even better -- stop decrypting e-mails from within the client. There's even more complex advice for more sophisticated users, but if you're one of those, you don't need me to explain this to you.

Consider your encrypted e-mail insecure until this is fixed.

All software contains security vulnerabilities, and one of the primary ways we all improve our security is by researchers discovering those vulnerabilities and vendors patching them. It's a weird system: Corporate researchers are motivated by publicity, academic researchers by publication credentials, and just about everyone by individual fame and the small bug-bounties paid by some vendors.

Software vendors, on the other hand, are motivated to fix vulnerabilities by the threat of public disclosure. Without the threat of eventual publication, vendors are likely to ignore researchers and delay patching. This happened a lot in the 1990s, and even today, vendors often use legal tactics to try to block publication. It makes sense; they look bad when their products are pronounced insecure.

Over the past few years, researchers have started to choreograph vulnerability announcements to make a big press splash. Clever names -- the e-mail vulnerability is called "Efail" -- websites, and cute logos are now common. Key reporters are given advance information about the vulnerabilities. Sometimes advance teasers are released. Vendors are now part of this process, trying to announce their patches at the same time the vulnerabilities are announced.

This simultaneous announcement is best for security. While it's always possible that some organization -- either government or criminal -- has independently discovered and is using the vulnerability before the researchers go public, use of the vulnerability is essentially guaranteed after the announcement. The time period between announcement and patching is the most dangerous, and everyone except would-be attackers wants to minimize it.

Things get much more complicated when multiple vendors are involved. In this case, Efail isn't a vulnerability in a particular product; it's a vulnerability in a standard that is used in dozens of different products. As such, the researchers had to ensure both that everyone knew about the vulnerability in time to fix it and that no one leaked the vulnerability to the public during that time. As you can imagine, that's close to impossible.

Efail was discovered sometime last year, and the researchers alerted dozens of different companies between last October and March. Some companies took the news more seriously than others. Most patched. Amazingly, news about the vulnerability didn't leak until the day before the scheduled announcement date. Two days before the scheduled release, the researchers unveiled a teaser -- honestly, a really bad idea -- which resulted in details leaking.

After the leak, the Electronic Frontier Foundation posted a notice about the vulnerability without details. The organization has been criticized for its announcement, but I am hard-pressed to find fault with its advice. (Note: I am a board member at EFF.) Then, the researchers published -- and lots of press followed.

All of this speaks to the difficulty of coordinating vulnerability disclosure when it involves a large number of companies or -- even more problematic -- communities without clear ownership. And that's what we have with OpenPGP. It's even worse when the bug involves the interaction between different parts of a system. In this case, there's nothing wrong with PGP or S/MIME in and of themselves. Rather, the vulnerability occurs because of the way many e-mail programs handle encrypted e-mail. GnuPG, an implementation of OpenPGP, decided that the bug wasn't its fault and did nothing about it. This is arguably true, but irrelevant. They should fix it.

Expect more of these kinds of problems in the future. The Internet is shifting from a set of systems we deliberately use -- our phones and computers -- to a fully immersive Internet-of-things world that we live in 24/7. And like this e-mail vulnerability, vulnerabilities will emerge through the interactions of different systems. Sometimes it will be obvious who should fix the problem. Sometimes it won't be. Sometimes it'll be two secure systems that, when they interact in a particular way, cause an insecurity. In April, I wrote about a vulnerability that arose because Google and Netflix make different assumptions about e-mail addresses. I don't even know who to blame for that one.

It gets even worse. Our system of disclosure and patching assumes that vendors have the expertise and ability to patch their systems, but that simply isn't true for many of the embedded and low-cost Internet of things software packages. They're designed at a much lower cost, often by offshore teams that come together, create the software, and then disband; as a result, there simply isn't anyone left around to receive vulnerability alerts from researchers and write patches. Even worse, many of these devices aren't patchable at all. Right now, if you own a digital video recorder that's vulnerable to being recruited for a botnet -- remember Mirai from 2016? -- the only way to patch it is to throw it away and buy a new one.

Patching is starting to fail, which means that we're losing the best mechanism we have for improving software security at exactly the same time that software is gaining autonomy and physical agency. Many researchers and organizations, including myself, have proposed government regulations enforcing minimal security standards for Internet-of-things devices, including standards around vulnerability disclosure and patching. This would be expensive, but it's hard to see any other viable alternative.

Getting back to e-mail, the truth is that it's incredibly difficult to secure well. Not because the cryptography is hard, but because we expect e-mail to do so many things. We use it for correspondence, for conversations, for scheduling, and for record-keeping. I regularly search my 20-year e-mail archive. The PGP and S/MIME security protocols are outdated, needlessly complicated and have been difficult to properly use the whole time. If we could start again, we would design something better and more user-friendly -- but the huge number of legacy applications that use the existing standards mean that we can't. I tell people that if they want to communicate securely with someone, to use one of the secure messaging systems: Signal, Off-the-Record, or -- if having one of those two on your system is itself suspicious -- WhatsApp. Of course they're not perfect, as last week's announcement of a vulnerability (patched within hours) in Signal illustrates. And they're not as flexible as e-mail, but that makes them easier to secure.

This essay previously appeared on Lawfare.com.
https://www.lawfareblog.com/...

Efail vulnerability:
https://efail.de/
https://efail.de/efail-attack-paper.pdf

EFF post:
https://www.eff.org/deeplinks/2018/05/...

Press articles:
https://arstechnica.com/information-technology/2018/...
https://www.wired.com/story/...
https://www.washingtonpost.com/news/the-switch/wp/...
https://arstechnica.com/information-technology/2018/...
https://motherboard.vice.com/en_us/article/3k4nd9/...

Early patches fail:
https://twitter.com/hanno/status/997138771194859521

More complex advice for securing your router:
https://lists.gnupg.org/pipermail/gnupg-users/...

Initial discovery of the vulnerability:
http://flaked.sockpuppet.org/2018/05/16/...

Teaser from the researchers:
https://twitter.com/seecurity/status/995906576170053633

Details leaking:
https://lists.gnupg.org/pipermail/gnupg-users/...

EFF criticism:
https://www.riskbasedsecurity.com/2018/05/...
https://protonmail.com/blog/pgp-vulnerability-efail/

EFF defense:
https://blog.cryptographyengineering.com/2018/05/17/...

OpenPGP and Efail:
https://medium.com/@cipherpunk/...
https://lists.gnupg.org/pipermail/gnupg-users/...

Google/Netflix vulnerability:
https://www.schneier.com/blog/archives/2018/04/...

The unpatchability of IOT devices:
https://www.wired.com/2014/01/...

Mirai botnet:
https://www.csoonline.com/article/3258748/security/...

E-mail security:
https://www.theatlantic.com/technology/archive/2018/...
https://blog.hboeck.de/archives/...
https://blog.cryptographyengineering.com/2014/08/13/...
https://people.eecs.berkeley.edu/~tygar/papers/...

Signal:
https://signal.org/

Off-the-Record:
https://otr.cypherpunks.ca/

WhatsApp:
https://www.whatsapp.com/

WhatsApp vulnerability:
https://ivan.barreraoro.com.ar/...


News

Securus Technologies gives police the ability to track cell phone locations without a warrant:
https://www.nytimes.com/2018/05/10/technology/...
https://arstechnica.com/tech-policy/2018/05/...
https://boingboing.net/2018/05/12/...

Securus was hacked:
https://motherboard.vice.com/en_us/article/gykgv9/...
https://www.cnet.com/news/securus-reportedly-hacked/

The White House has eliminated the cybersecurity coordinator position. This seems like a spectacularly bad idea.
https://www.nytimes.com/2018/05/15/technology/...
https://politicalwire.com/2018/05/15/...
https://www.wired.com/story/...
https://www.lawfareblog.com/...

Someone changed the address of the UPS corporate headquarters to his own apartment in Chicago. The company discovered it three months later. The problem, of course, is that in the US there isn't any authentication of change-of-address submissions.
http://www.chicagotribune.com/news/local/breaking/...

The Intercept has a long article on Japan's equivalent of the NSA: the Directorate for Signals Intelligence. Interesting, but nothing really surprising.
https://theintercept.com/2018/05/19/...

The rise of self-checkout has caused a corresponding rise in shoplifting.
https://www.theguardian.com/global/2018/may/20/...

Interesting research in steganography at the font level.
http://www.cs.columbia.edu/~cxz/publications/...
https://securityboulevard.com/2018/05/...
https://www.sciencedaily.com/releases/2018/05/...
https://www.wired.com/story/...

Interesting research on lie detecting through mouse movements.
http://journals.plos.org/plosone/article?id=10.1371/...
https://boingboing.net/2018/05/24/...

Fake kidnapping fraud:
http://mobile.abc.net.au/news/2018-05-28/...

Interesting article about numbers stations.
https://warontherocks.com/2018/05/...

A great story of the first cyberattack -- from 1834 -- against a telegraph network.
https://www.1843magazine.com/technology/rewind/...
https://nakedsecurity.sophos.com/2018/05/31/...

Playing a sound over the speakers can cause computers to crash and possibly even physically damage the hard drive.
https://arstechnica.com/information-technology/2018/...
https://spqr.eecs.umich.edu/papers/...

Ross Anderson has a new paper on cryptocurrency exchanges and regulating Bitcoin.
https://www.lightbluetouchpaper.org/2018/06/01/...
https://weis2018.econinfosec.org/wp-content/uploads/...

We all know that it happens: when we see a security warning too often -- and without effect -- we start tuning it out. A new paper uses fMRI, eye tracking, and field studies to prove it.
https://neurosecurity.byu.edu/misq-longitudinal-2018/
https://neurosecurity.byu.edu/media/...

iOS 12, the next release of Apple's iPhone operating system, may include features to prevent someone from unlocking your phone without your permission. This is part of a bunch of security enhancements in iOS 12.
https://motherboard.vice.com/en_us/article/zm8ya4/...

For many years, I have said that complexity is the worst enemy of security. At CyCon earlier this month, Thomas Dullien gave an excellent talk on the subject with far more detail than I've ever provided.
https://www.err.ee/836236/...
https://docs.google.com/presentation/d/...


Russian Censorship of Telegram

Internet censors have a new strategy in their bid to block applications and websites: pressuring the large cloud providers that host them. These providers have concerns that are much broader than the targets of censorship efforts, so they have the choice of either standing up to the censors or capitulating in order to maximize their business. Today's Internet largely reflects the dominance of a handful of companies behind the cloud services, search engines and mobile platforms that underpin the technology landscape. This new centralization radically tips the balance between those who want to censor parts of the Internet and those trying to evade censorship. When the profitable answer is for a software giant to acquiesce to censors' demands, how long can Internet freedom last?

The recent battle between the Russian government and the Telegram messaging app illustrates one way this might play out. Russia has been trying to block Telegram since April, when a Moscow court banned it after the company refused to give Russian authorities access to user messages. Telegram, which is widely used in Russia, works on both iPhone and Android, and there are Windows and Mac desktop versions available. The app offers optional end-to-end encryption, meaning that all messages are encrypted on the sender's phone and decrypted on the receiver's phone; no part of the network can eavesdrop on the messages.

Since then, Telegram has been playing cat-and-mouse with the Russian telecom regulator Roskomnadzor by varying the IP address the app uses to communicate. Because Telegram isn't a fixed website, it doesn't need a fixed IP address. Telegram bought tens of thousands of IP addresses and has been quickly rotating through them, staying a step ahead of censors. Cleverly, this tactic is invisible to users. The app never sees the change, or the entire list of IP addresses, and the censor has no clear way to block them all.

A week after the court ban, Roskomnadzor countered with an unprecedented move of its own: blocking 19 million IP addresses, many on Amazon Web Services and Google Cloud. The collateral damage was widespread: The action inadvertently broke many other web services that use those platforms, and Roskomnadzor scaled back after it became clear that its action had affected services critical for Russian business. Even so, the censor is still blocking millions of IP addresses.

More recently, Russia has been pressuring Apple not to offer the Telegram app in its iPhone App Store. As of this writing, Apple has not complied, and the company has allowed Telegram to download a critical software update to iPhone users (after what the app's founder called a delay last month). Roskomnadzor could further pressure Apple, though, including by threatening to turn off its entire iPhone app business in Russia.

Telegram might seem a weird app for Russia to focus on. Those of us who work in security don't recommend the program, primarily because of the nature of its cryptographic protocols. In general, proprietary cryptography has numerous fatal security flaws. We generally recommend Signal for secure SMS messaging, or, if having that program on your computer is somehow incriminating, WhatsApp. (More than 1.5 billion people worldwide use WhatsApp.) What Telegram has going for it is that it works really well on lousy networks. That's why it is so popular in places like Iran and Afghanistan. (Iran is also trying to ban the app.)

What the Russian government doesn't like about Telegram is its anonymous broadcast feature -- channel capability and chats -- which makes it an effective platform for political debate and citizen journalism. The Russians might not like that Telegram is encrypted, but odds are good that they can simply break the encryption. Telegram's role in facilitating uncontrolled journalism is the real issue.

Iran attempts to block Telegram have been more successful than Russia's, less because Iran's censorship technology is more sophisticated but because Telegram is not willing to go as far to defend Iranian users. The reasons are not rooted in business decisions. Simply put, Telegram is a Russian product and the designers are more motivated to poke Russia in the eye. Pavel Durov, Telegram's founder, has pledged millions of dollars to help fight Russian censorship.

For the moment, Russia has lost. But this battle is far from over. Russia could easily come back with more targeted pressure on Google, Amazon and Apple. A year earlier, Zello used the same trick Telegram is using to evade Russian censors. Then, Roskomnadzor threatened to block all of Amazon Web Services and Google Cloud; and in that instance, both companies forced Zello to stop its IP-hopping censorship-evasion tactic.

Russia could also further develop its censorship infrastructure. If its capabilities were as finely honed as China's, it would be able to more effectively block Telegram from operating. Right now, Russia can block only specific IP addresses, which is too coarse a tool for this issue. Telegram's voice capabilities in Russia are significantly degraded, however, probably because high-capacity IP addresses are easier to block.

Whatever its current frustrations, Russia might well win in the long term. By demonstrating its willingness to suffer the temporary collateral damage of blocking major cloud providers, it prompted cloud providers to block another and more effective anti-censorship tactic, or at least accelerated the process. In April, Google and Amazon banned -- and technically blocked -- the practice of "domain fronting," a trick anti-censorship tools use to get around Internet censors by pretending to be other kinds of traffic. Developers would use popular websites as a proxy, routing traffic to their own servers through another website -- in this case Google.com -- to fool censors into believing the traffic was intended for Google.com. The anonymous web-browsing tool Tor has used domain fronting since 2014. Signal, since 2016. Eliminating the capability is a boon to censors worldwide.

Tech giants have gotten embroiled in censorship battles for years. Sometimes they fight and sometimes they fold, but until now there have always been options. What this particular fight highlights is that Internet freedom is increasingly in the hands of the world's largest Internet companies. And while freedom may have its advocates -- the American Civil Liberties Union has tweeted its support for those companies, and some 12,000 people in Moscow protested against the Telegram ban -- actions such as disallowing domain fronting illustrate that getting the big tech companies to sacrifice their near-term commercial interests will be an uphill battle. Apple has already removed anti-censorship apps from its Chinese app store.

In 1993, John Gilmore famously said that "The Internet interprets censorship as damage and routes around it." That was technically true when he said it but only because the routing structure of the Internet was so distributed. As centralization increases, the Internet loses that robustness, and censorship by governments and companies becomes easier.

This essay previously appeared on Lawfare.com.
https://www.lawfareblog.com/...

Telegram:
https://telegram.org/

Russia's ban:
https://www.theguardian.com/world/2018/apr/13/...

Optional encryption:
http://telegra.ph/...

Roskomnadzor's IP blocking:
https://www.theguardian.com/world/2018/apr/17/...
https://www.techdirt.com/articles/20180417/...
https://techcrunch.com/2018/04/19/...
https://slate.com/technology/2018/04/...
https://usher2.club/en/

Apple's Telegram update:
https://www.engadget.com/2018/06/02/...
https://www.engadget.com/2018/05/31/...

Telegram's security flaws:
https://news.ycombinator.com/item?id=6913456
https://www.wired.com/story/...
https://medium.freecodecamp.org/...

Signal:
https://signal.org/

WhatsApp:
https://www.whatsapp.com/

Iranian Telegram ban:
https://www.reuters.com/article/...
https://www.nytimes.com/2018/05/01/world/middleeast/...

Telegram's broadcast feature:
https://www.androidpolice.com/2015/09/22/...

Telegram founder vs. Russia:
https://themoscowtimes.com/news/...

Zello and Telegram:
https://techcrunch.com/2018/04/17/...

Domain fronting:
https://www.theverge.com/2018/4/18/17253784/...
https://arstechnica.com/information-technology/2018/...
https://www.bamsoftware.com/papers/fronting/
https://blog.torproject.org/...
https://www.bamsoftware.com/papers/thesis/...
https://signal.org/blog/doodles-stickers-censorship/
https://www.bloomberg.com/view/articles/2018-05-03/...

ACLU:
https://twitter.com/ACLU/status/986702628334768128?...

Apple removed anti-censorship apps:
http://fortune.com/2017/07/29/...

Gilmore quote:
http://kirste.userpage.fu-berlin.de/outerspace/...


Security and Human Behavior (SHB 2018)

This year, Carnegie Mellon University hosted the eleventh Workshop on Security and Human Behavior. SHB is a small invitational gathering of people studying various aspects of the human side of security, organized each year by Alessandro Acquisti, Ross Anderson, and myself. The 50 or so people in the room included psychologists, economists, computer security researchers, sociologists, political scientists, neuroscientists, designers, lawyers, philosophers, anthropologists, business school professors, and a smattering of others. It's not just an interdisciplinary event; most of the people here are individually interdisciplinary.

The goal is to maximize discussion and interaction. We do that by putting everyone on panels, and limiting talks to 7-10 minutes. The rest of the time is left to open discussion. Four hour-and-a-half panels per day over two days equals eight panels; six people per panel means that 48 people get to speak. We also have lunches, dinners, and receptions -- all designed so people from different disciplines talk to each other.

I invariably find this to be the most intellectually stimulating conference of my year. It influences my thinking in many different, and sometimes surprising, ways.

Next year, I'll be hosting the event at Harvard.

Blog entry URL:
https://www.schneier.com/blog/archives/2018/05/...

The 2018 Workshop on Security and Human Behavior:
https://www.heinz.cmu.edu/~acquisti/SHB2018/index.htm

Ross Anderson's liveblog of the talks:
https://www.lightbluetouchpaper.org/2018/05/24/...

Ross Anderson's psychology and security resources page:
https://www.cl.cam.ac.uk/~rja14/psysec.html

Here are my posts on the first, second, third, fourth, fifth, sixth, seventh, eighth, ninth, and tenth SHB workshops. Follow those links to find summaries, papers, and occasionally audio recordings of the various workshops.
http://www.schneier.com/blog/archives/2008/06/...
http://www.schneier.com/blog/archives/2009/06/...
http://www.schneier.com/blog/archives/2010/06/...
http://www.schneier.com/blog/archives/2011/06/...
https://www.schneier.com/blog/archives/2012/06/...
https://www.schneier.com/blog/archives/2013/06/...
https://www.schneier.com/blog/archives/2014/06/...
https://www.schneier.com/blog/archives/2015/06/...
https://www.schneier.com/blog/archives/2016/06/...
https://www.schneier.com/blog/archives/2017/05/...


Schneier News

I am speaking at Cyber Week in Tel Aviv, June 20-21:
https://cyberweek.tau.ac.il/2018/

I am speaking at FIRST conference in Kuala Lumpur on June 27:
https://www.first.org/conference/2018/kuala-lumpur


Another Spectre-Like CPU Vulnerability

Google and Microsoft researchers have disclosed another Spectre-like CPU side-channel vulnerability, called "Speculative Store Bypass." Like the others, the fix will slow the CPU down.

The German tech site Heise reports that more are coming.

I'm not surprised. Writing about Spectre and Meltdown in January, I predicted that we'd be seeing a lot more of these sorts of vulnerabilities.

Spectre and Meltdown are pretty catastrophic vulnerabilities, but they only affect the confidentiality of data. Now that they -- and the research into the Intel ME vulnerability -- have shown researchers where to look, more is coming -- and what they'll find will be worse than either Spectre or Meltdown.

I still predict that we'll be seeing lots more of these in the coming months and years, as we learn more about this class of vulnerabilities.

https://www.theverge.com/2018/5/21/17377994/...
https://www.us-cert.gov/ncas/alerts/TA18-141A
https://www.zdnet.com/article/...
https://www.heise.de/ct/artikel/...

My prediction:
https://www.schneier.com/blog/archives/2018/01/...


An Example of Deterrence in Cyberspace

In 2016, the US was successfully deterred from attacking Russia in cyberspace because of fears of Russian capabilities against the US.

I have two citations for this. The first is from the book "Russian Roulette: The Inside Story of Putin's War on America and the Election of Donald Trump," by Michael Isikoff and David Corn. Here's the quote:

The principals did discuss cyber responses. The prospect of hitting back with cyber caused trepidation within the deputies and principals meetings. The United States was telling Russia this sort of meddling was unacceptable. If Washington engaged in the same type of covert combat, some of the principals believed, Washington's demand would mean nothing, and there could be an escalation in cyber warfare. There were concerns that the United States would have more to lose in all-out cyberwar.
"If we got into a tit-for-tat on cyber with the Russians, it would not be to our advantage," a participant later remarked. "They could do more to damage us in a cyber war or have a greater impact." In one of the meetings, Clapper said he was worried that Russia might respond with cyberattacks against America's critical infrastructure -- and possibly shut down the electrical grid.

The second is from the book "The World as It Is," by President Obama's deputy national security advisor Ben Rhodes. Here's the New York Times writing about the book.

Mr. Rhodes writes he did not learn about the F.B.I. investigation until after leaving office, and then from the news media. Mr. Obama did not impose sanctions on Russia in retaliation for the meddling before the election because he believed it might prompt Moscow into hacking into Election Day vote tabulations. Mr. Obama did impose sanctions after the election but Mr. Rhodes's suggestion that the targets include President Vladimir V. Putin was rebuffed on the theory that such a move would go too far.

When people try to claim that there's no such thing as deterrence in cyberspace, this serves as a counterexample.

Isikoff/Corn book:
https://www.amazon.com/gp/product/B075WVX3MS

Rhodes book
https://www.motherjones.com/politics/2018/03/...

Cyberdeterrence skeptics:
https://www.thecipherbrief.com/column_article/...
https://www.sciencedirect.com/science/article/pii/...


New Data Privacy Regulations

When Marc Zuckerberg testified before both the House and the Senate last month, it became immediately obvious that few US lawmakers had any appetite to regulate the pervasive surveillance taking place on the Internet.

Right now, the only way we can force these companies to take our privacy more seriously is through the market. But the market is broken. First, none of us do business directly with these data brokers. Equifax might have lost my personal data in 2017, but I can't fire them because I'm not their customer or even their user. I could complain to the companies I do business with who sell my data to Equifax, but I don't know who they are. Markets require voluntary exchange to work properly. If consumers don't even know where these data brokers are getting their data from and what they're doing with it, they can't make intelligent buying choices.

This is starting to change, thanks to a new law in Vermont and another in Europe. And more legislation is coming.

Vermont first. At the moment, we don't know how many data brokers collect data on Americans. Credible estimates range from 2,500 to 4,000 different companies. Last week, Vermont passed a law that will change that.

The law does several things to improve the security of Vermonters' data, but several provisions matter to all of us. First, the law requires data brokers that trade in Vermonters' data to register annually. And while there are many small local data brokers, the larger companies collect data nationally and even internationally. This will help us get a more accurate look at who's in this business. The companies also have to disclose what opt-out options they offer, and how people can request to opt out. Again, this information is useful to all of us, regardless of the state we live in. And finally, the companies have to disclose the number of security breaches they've suffered each year, and how many individuals were affected.

Admittedly, the regulations imposed by the Vermont law are modest. Earlier drafts of the law included a provision requiring data brokers to disclose how many individuals' data it has in its databases, what sorts of data it collects and where the data came from, but those were removed as the bill negotiated its way into law. A more comprehensive law would allow individuals to demand to exactly what information they have about them -- and maybe allow individuals to correct and even delete data. But it's a start, and the first statewide law of its kind to be passed in the face of strong industry opposition.

Vermont isn't the first to attempt this, though. On the other side of the country, Representative Norma Smith of Washington introduced a similar bill in both 2017 and 2018. It goes further, requiring disclosure of what kinds of data the broker collects. So far, the bill has stalled in the state's legislature, but she believes it will have a much better chance of passing when she introduces it again in 2019. I am optimistic that this is a trend, and that many states will start passing bills forcing data brokers to be increasingly more transparent in their activities. And while their laws will be tailored to residents of those states, all of us will benefit from the information.

A 2018 California ballot initiative could help. Among its provisions, it gives consumers the right to demand exactly what information a data broker has about them. If it passes in November, once it takes effect, lots of Californians will take the list of data brokers from Vermont's registration law and demand this information based on their own law. And again, all of us -- regardless of the state we live in -- will benefit from the information.

We will also benefit from another, much more comprehensive, data privacy and security law from the European Union. The General Data Protection Regulation (GDPR) was passed in 2016 and took effect on 25 May. The details of the law are far too complex to explain here, but among other things, it mandates that personal data can only be collected and saved for specific purposes and only with the explicit consent of the user. We'll learn who is collecting what and why, because companies that collect data are going to have to ask European users and customers for permission. And while this law only applies to EU citizens and people living in EU countries, the disclosure requirements will show all of us how these companies profit off our personal data.

It has already reaped benefits. Over the past couple of weeks, you've received many e-mails from companies that have you on their mailing lists. In the coming weeks and months, you're going to see other companies disclose what they're doing with your data. One early example is PayPal: in preparation for GDPR, it published a list of the over 600 companies it shares your personal data with. Expect a lot more like this.

Surveillance is the business model of the Internet. It's not just the big companies like Facebook and Google watching everything we do online and selling advertising based on our behaviors; there's also a large and largely unregulated industry of data brokers that collect, correlate and then sell intimate personal data about our behaviors. If we make the reasonable assumption that Congress is not going to regulate these companies, then we're left with the market and consumer choice. The first step in that process is transparency. These new laws, and the ones that will follow, are slowly shining a light on this secretive industry.

This essay originally appeared in the "Guardian."
https://www.theguardian.com/commentisfree/2018/jun/...
Blog entry URL:
https://www.schneier.com/blog/archives/2018/06/...

Zuckerberg testimonies:
https://www.washingtonpost.com/news/the-switch/wp/...
https://www.washingtonpost.com/news/the-switch/wp/...

Equifax breach:
https://www.theguardian.com/business/2018/mar/14/...

Data broker estimates:
http://www.newsweek.com/...

Vermont law:
https://vermontbiz.com/news/2018/may/25/...
http://ago.vermont.gov/blog/2018/05/24/...

Washington state bill:
https://www.seattletimes.com/opinion/...
https://www.geekwire.com/2017/...
http://lawfilesext.leg.wa.gov/biennium/2017-18/Pdf/...
http://lawfilesext.leg.wa.gov/biennium/2017-18/Pdf/...

California ballot initiative:
https://www.caprivacy.org/facts/information-control
https://www.nytimes.com/2018/05/13/business/...

General Data Protection Regulation:
https://www.eugdpr.org/
https://www.cennydd.com/writing/...

PayPal:
https://www.paypal.com/ie/webapps/mpp/ua/...
https://rebecca-ricks.com/paypal-data/


Since 1998, CRYPTO-GRAM has been a free monthly newsletter providing summaries, analyses, insights, and commentaries on security: computer and otherwise. You can subscribe, unsubscribe, or change your address on the Web at <https://www.schneier.com/crypto-gram.html>. Back issues are also available at that URL.

Please feel free to forward CRYPTO-GRAM, in whole or in part, to colleagues and friends who will find it valuable. Permission is also granted to reprint CRYPTO-GRAM, as long as it is reprinted in its entirety.

CRYPTO-GRAM is written by Bruce Schneier. Bruce Schneier is an internationally renowned security technologist, called a "security guru" by The Economist. He is the author of 12 books -- including "Liars and Outliers: Enabling the Trust Society Needs to Survive" -- as well as hundreds of articles, essays, and academic papers. His influential newsletter "Crypto-Gram" and his blog "Schneier on Security" are read by over 250,000 people. He has testified before Congress, is a frequent guest on television and radio, has served on several government committees, and is regularly quoted in the press. Schneier is a fellow at the Berkman Center for Internet and Society at Harvard Law School, a program fellow at the New America Foundation's Open Technology Institute, a board member of the Electronic Frontier Foundation, an Advisory Board Member of the Electronic Privacy Information Center, and CTO of IBM Resilient and Special Advisor to IBM Security. See <https://www.schneier.com>.

Crypto-Gram is a personal newsletter. Opinions expressed are not necessarily those of IBM Resilient.

Copyright (c) 2018 by Bruce Schneier.

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.