[NetBehaviour] Fwd: Crypto-Gram, September 15, 2020

Alan Sondheim sondheim at gmail.com
Sat Sep 19 04:41:52 CEST 2020


Another invaluable resource here I think - you can subscribe directly to it
- Alan -

---------- Forwarded message ---------
From: Bruce Schneier <schneier at schneier.com>
Date: Tue, Sep 15, 2020 at 5:41 AM
Subject: Crypto-Gram, September 15, 2020
To: <sondheim at panix.com>


Crypto-Gram
September 15, 2020

by Bruce Schneier
Fellow and Lecturer, Harvard Kennedy School
schneier at schneier.com
https://www.schneier.com

A free monthly newsletter providing summaries, analyses, insights, and
commentaries on security: computer and otherwise.

For back issues, or to subscribe, visit Crypto-Gram's web page
<https://www.schneier.com/crypto-gram.html>.

Read this issue on the web
<https://www.schneier.com/crypto-gram/archives/2020/0915.html>

These same essays and news items appear in the Schneier on Security
<https://www.schneier.com/> blog, along with a lively and intelligent
comment section. An RSS feed is available.

** *** ***** ******* *********** *************
In this issue:

   1. Robocall Results from a Telephony Honeypot
   2. Vaccine for Emotet Malware
   3. Using Disinformation to Cause a Blackout
   4. Copying a Key by Listening to It in Action
   5. Yet Another Biometric: Bioacoustic Signatures
   6. DiceKeys
   7. Identifying People by Their Browsing Histories
   8. Amazon Supplier Fraud
   9. Cory Doctorow on *The Age of Surveillance Capitalism*
   10. US Postal Service Files Blockchain Voting Patent
   11. Seny Kamara on "Crypto for the People"
   12. North Korea ATM Hack
   13. Insider Attack on the Carnegie Library
   14. 2017 Tesla Hack
   15. Hacking AI-Graded Tests
   16. More on NIST's Post-Quantum Cryptography
   17. US Space Cybersecurity Directive
   18. The Third Edition of Ross Anderson's *Security Engineering*
   19. Ranking National Cyber Power
   20. Interesting Attack on the EMV Smartcard Payment Standard
   21. Upcoming Speaking Engagements

** *** ***** ******* *********** *************
Robocall Results from a Telephony Honeypot

*[2020.08.17]*
<https://www.schneier.com/blog/archives/2020/08/robocall_result.html> A
group of researchers set up a telephony honeypot and tracked robocall
behavior
<https://www.zdnet.com/article/a-simple-telephony-honeypot-received-1-5-million-robocalls-across-11-months/>:

NCSU researchers said they ran 66,606 telephone lines between March 2019
and January 2020, during which time they said they received 1,481,201
unsolicited calls -- even if they never made their phone numbers public via
any source.

The research team said they usually received an unsolicited call every 8.42
days, but most of the robocall traffic came in sudden surges they called
“storms” that happened at regular intervals, suggesting that robocallers
operated using a tactic of short-burst and well-organized campaigns.

In total, the NCSU team said it tracked 650 storms over 11 months, with
most storms being of the same size.

Research paper <https://www.usenix.org/system/files/sec20-prasad.pdf>.
USENIX talk
<https://www.usenix.org/conference/usenixsecurity20/presentation/prasad>.
Slashdot thread
<https://tech.slashdot.org/story/20/08/14/2345211/a-simple-telephony-honeypot-received-15-million-robocalls-across-11-months>.

** *** ***** ******* *********** *************
Vaccine for Emotet Malware

*[2020.08.18]*
<https://www.schneier.com/blog/archives/2020/08/vaccine_for_emo.html>
Interesting story
<https://www.zdnet.com/article/for-six-months-security-researchers-have-secretly-distributed-an-emotet-vaccine-across-the-world/>
of a vaccine for the Emotet malware:

Through trial and error and thanks to subsequent Emotet updates that
refined how the new persistence mechanism worked, Quinn was able to put
together a tiny PowerShell script that exploited the registry key mechanism
to crash Emotet itself.

The script, cleverly named EmoCrash, effectively scanned a user’s computer
and generated a correct -- but malformed -- Emotet registry key.

When Quinn tried to purposely infect a clean computer with Emotet, the
malformed registry key triggered a buffer overflow in Emotet’s code and
crashed the malware, effectively preventing users from getting infected.

When Quinn ran EmoCrash on computers already infected with Emotet, the
script would replace the good registry key with the malformed one, and when
Emotet would re-check the registry key, the malware would crash as well,
preventing infected hosts from communicating with the Emotet
command-and-control server.

[...]

The Binary Defense team quickly realized that news about this discovery
needed to be kept under complete secrecy, to prevent the Emotet gang from
fixing its code, but they understood EmoCrash also needed to make its way
into the hands of companies across the world.

Compared to many of today’s major cybersecurity firms, all of which have
decades of history behind them, Binary Defense was founded in 2014, and
despite being one of the industry’s up-and-comers, it doesn’t yet have the
influence and connections to get this done without news of its discovery
leaking, either by accident or because of a jealous rival.

To get this done, Binary Defense worked with Team CYMRU
<https://team-cymru.com/>, a company that has a decades-long history of
organizing and participating in botnet takedowns.

Working behind the scenes, Team CYMRU made sure that EmoCrash made its way
into the hands of national Computer Emergency Response Teams (CERTs), which
then spread it to the companies in their respective jurisdictions.

According to James Shank, Chief Architect for Team CYMRU, the company has
contacts with more than 125 national and regional CERT teams, and also
manages a mailing list through which it distributes sensitive information
to more than 6,000 members. Furthermore, Team CYMRU also runs a biweekly
group dedicated to dealing with Emotet’s latest shenanigans.

This broad and well-orchestrated effort has helped EmoCrash make its way
around the globe over the course of the past six months.

[...]

Either by accident or by figuring out there was something wrong in its
persistence mechanism, the Emotet gang did, eventually, change its entire
persistence mechanism on Aug. 6 -- exactly six months after Quinn made his
initial discovery.

EmoCrash may not be useful to anyone anymore, but for six months, this tiny
PowerShell script helped organizations stay ahead of malware operations --
a truly rare sight in today’s cyber-security field.

** *** ***** ******* *********** *************
Using Disinformation to Cause a Blackout

*[2020.08.18]*
<https://www.schneier.com/blog/archives/2020/08/using_disinform.html>
Interesting paper: “How weaponizing disinformation can bring down a city’s
power grid
<https://journals.plos.org/plosone/article?id=10.1371/journal.pone.0236517>”:

*Abstract*: Social media has made it possible to manipulate the masses via
disinformation and fake news at an unprecedented scale. This is
particularly alarming from a security perspective, as humans have proven to
be one of the weakest links when protecting critical infrastructure in
general, and the power grid in particular. Here, we consider an attack in
which an adversary attempts to manipulate the behavior of energy consumers
by sending fake discount notifications encouraging them to shift their
consumption into the peak-demand period. Using Greater London as a case
study, we show that such disinformation can indeed lead to unwitting
consumers synchronizing their energy-usage patterns, and result in
blackouts on a city-scale if the grid is heavily loaded. We then conduct
surveys to assess the propensity of people to follow through on such
notifications and forward them to their friends. This allows us to model
how the disinformation may propagate through social networks, potentially
amplifying the attack impact. These findings demonstrate that in an era
when disinformation can be weaponized, system vulnerabilities arise not
only from the hardware and software of critical infrastructure, but also
from the behavior of the consumers.

I’m not sure the attack is practical, but it’s an interesting idea.

** *** ***** ******* *********** *************
Copying a Key by Listening to It in Action

*[2020.08.20]*
<https://www.schneier.com/blog/archives/2020/08/copying_a_key_b.html>
Researchers are using recordings
<https://cacm.acm.org/news/246744-picking-locks-with-audio-technology/fulltext>
of keys being used in locks to create copies.

Once they have a key-insertion audio file, SpiKey’s inference software gets
to work filtering the signal to reveal the strong, metallic clicks as key
ridges hit the lock’s pins [and you can hear those filtered clicks online
here
<https://photos.google.com/share/AF1QipPCvxzJ2hT2WiBh_ftwyOfcbdoAFictB6723mR1iJW6F967pkgTPu2Nprb9tmUvVQ/photo/AF1QipOf4qj8CzuV5HTTEZ12r3zHnx0oQhLXv8zrru4w?key=MkxTb2lad3hON1BiTTVWb2w2QWZpdEF0U1gyVlJB>].
These clicks are vital to the inference analysis: the time between them
allows the SpiKey software to compute the key’s inter-ridge distances and
what locksmiths call the “bitting depth” of those ridges: basically, how
deeply they cut into the key shaft, or where they plateau out. If a key is
inserted at a nonconstant speed, the analysis can be ruined, but the
software can compensate for small speed variations.

The result of all this is that SpiKey software outputs the three most
likely key designs that will fit the lock used in the audio file, reducing
the potential search space from 330,000 keys to just three. “Given that the
profile of the key is publicly available for commonly used [pin-tumbler
lock] keys, we can 3D-print the keys for the inferred bitting codes, one of
which will unlock the door,” says Ramesh.

** *** ***** ******* *********** *************
Yet Another Biometric: Bioacoustic Signatures

*[2020.08.21]*
<https://www.schneier.com/blog/archives/2020/08/yet_another_bio_1.html>
Sound waves through the body are unique enough
<https://spectrum.ieee.org/the-human-os/telecom/security/the-bioacoustic-signatures-of-our-bodies-can-reveal-our-identities>
to be a biometric:

“Modeling allowed us to infer what structures or material features of the
human body actually differentiated people,” explains Joo Yong Sim, one of
the ETRI researchers who conducted the study. “For example, we could see
how the structure, size, and weight of the bones, as well as the stiffness
of the joints, affect the bioacoustics spectrum.”

[...]

Notably, the researchers were concerned that the accuracy of this approach
could diminish with time, since the human body constantly changes its
cells, matrices, and fluid content. To account for this, they acquired the
acoustic data of participants at three separate intervals, each 30 days
apart.

“We were very surprised that people’s bioacoustics spectral pattern
maintained well over time, despite the concern that the pattern would
change greatly,” says Sim. “These results suggest that the bioacoustics
signature reflects more anatomical features than changes in water, body
temperature, or biomolecule concentration in blood that change from day to
day.”

It’s not great. A 97% accuracy is worse than fingerprints and iris scans,
and while they were able to reproduce the biometric in a month it almost
certainly changes as we age, gain and lose weight, and so on. Still,
interesting.

** *** ***** ******* *********** *************
DiceKeys

*[2020.08.24]*
<https://www.schneier.com/blog/archives/2020/08/dicekeys.html> DiceKeys
<https://www.wired.com/story/dicekeys-cryptography/> is a physical
mechanism for creating and storing a 192-bit key. The idea is that you roll
a special set of twenty-five dice, put them into a plastic jig, and then
use an app to convert those dice into a key. You can then use that key for
a variety of purposes, and regenerate it from the dice if you need to.

This week Stuart Schechter, a computer scientist at the University of
California, Berkeley, is launching DiceKeys, a simple kit for physically
generating a single super-secure key that can serve as the basis for
creating all the most important passwords in your life for years or even
decades to come. With little more than a plastic contraption that looks a
bit like a Boggle set and an accompanying web app to scan the resulting
dice roll, DiceKeys creates a highly random, mathematically unguessable
key. You can then use that key to derive master passwords for password
managers, as the seed to create a U2F key for two-factor authentication, or
even as the secret key for cryptocurrency wallets
<https://www.wired.com/story/how-to-keep-bitcoin-safe-and-secure/>. Perhaps
most importantly, the box of dice is designed to serve as a permanent,
offline key to regenerate that master password, crypto key, or U2F token if
it gets lost, forgotten, or broken.

[...]

Schechter is also building a separate app that will integrate with DiceKeys
to allow users to write a DiceKeys-generated key to their U2F two-factor
authentication token. Currently the app works only with the open-source
SoloKey U2F token, but Schechter hopes to expand it to be compatible with
more commonly used U2F tokens before DiceKeys ship out. The same API that
allows that integration with his U2F token app will also allow
cryptocurrency wallet developers to integrate their wallets with DiceKeys,
so that with a compatible wallet app, DiceKeys can generate the
cryptographic key that protects your crypto coins too.

Here’s the DiceKeys website <https://dicekeys.com/> and app
<https://dicekeys.app/>. Here’s a short video demo
<https://vimeo.com/449522920>. Here’s a longer SOUPS talk
<https://player.vimeo.com/video/449676252>.

Preorder a set here <https://www.crowdsupply.com/dicekeys/dicekeys>.

Note: I am an adviser on the project.

Another news article
<https://www.forbes.com/sites/daveywinder/2020/08/22/how-25-dice-in-a-box-solve-the-secure-password-conundrum-introducing-dicekeys/#7f6730bf3b0c>.
Slashdot thread
<https://it.slashdot.org/story/20/08/21/2139207/dicekeys-creates-a-master-password-for-life-with-one-roll>.
Hacker News thread <https://news.ycombinator.com/item?id=24234212>. Reddit
thread
<https://www.reddit.com/r/technology/comments/idw4j5/dicekeys_creates_a_master_password_for_life_with/>.

** *** ***** ******* *********** *************
Identifying People by Their Browsing Histories

*[2020.08.25]*
<https://www.schneier.com/blog/archives/2020/08/identifying_peo_9.html>
Interesting paper: “Replication: Why We Still Can’t Browse in Peace: On the
Uniqueness and Reidentifiability of Web Browsing Histories
<https://www.usenix.org/system/files/soups2020-bird.pdf>”:

We examine the threat to individuals’ privacy based on the feasibility of
reidentifying users through distinctive profiles of their browsing history
visible to websites and third parties. This work replicates and extends the
2012 paper *Why Johnny Can’t Browse in Peace: On the Uniqueness of Web
Browsing History Patterns*[48 <https://hal.inria.fr/hal-00747841/document>].
The original work demonstrated that browsing profiles are highly
distinctive and stable. We reproduce those results and extend the original
work to detail the privacy risk posed by the aggregation of browsing
histories. Our dataset consists of two weeks of browsing data from ~52,000
Firefox users. Our work replicates the original paper’s core findings by
identifying 48,919 distinct browsing profiles, of which 99% are unique.
High uniqueness holds even when histories are truncated to just 100 top
sites. We then find that for users who visited 50 or more distinct domains
in the two-week data collection period, ~50% can be reidentified using the
top 10k sites. Reidentifiability rose to over 80% for users that browsed
150 or more distinct domains. Finally, we observe numerous third parties
pervasive enough to gather web histories sufficient to leverage browsing
history as an identifier.

One of the authors of the original study comments
<https://blog.lukaszolejnik.com/web-browsing-histories-are-private-personal-data-now-what/>
on the replication.
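The abstract above reports two measurements: how many distinct browsing profiles are unique, and how often a profile from one period can be matched to the same person in a later period, including when histories are truncated to the most popular sites. The following is an added example (not the paper's code or data) that computes both on a small constructed dataset; the domain names and users are made up, and nearest-profile matching by Jaccard similarity is one simple stand-in for the paper's reidentification method.

```python
"""Browsing-profile uniqueness and cross-period reidentification on toy data.

Added example: the users, domains and matching rule are constructed for
illustration and are not the replication study's dataset or method.
"""
from collections import Counter
from typing import Dict, FrozenSet, Iterable, List, Optional, Set, Tuple

# Constructed sample: domains each user visited in week 1 and week 2.
# u2 and u3 have identical week-1 histories; u3 is absent in week 2.
WEEK1: Dict[str, List[str]] = {
    "u1": ["news.example", "mail.example", "shop.example", "hobby-a.example"],
    "u2": ["news.example", "mail.example", "shop.example"],
    "u3": ["news.example", "mail.example", "shop.example"],
    "u4": ["news.example", "mail.example", "forum-b.example", "hobby-c.example"],
    "u5": ["video.example", "mail.example", "hobby-d.example"],
    "u6": ["video.example", "news.example", "hobby-a.example", "forum-b.example"],
}
WEEK2: Dict[str, List[str]] = {
    "u1": ["news.example", "mail.example", "hobby-a.example", "shop.example", "video.example"],
    "u2": ["news.example", "shop.example", "mail.example"],
    "u4": ["mail.example", "forum-b.example", "hobby-c.example"],
    "u5": ["video.example", "hobby-d.example", "mail.example"],
    "u6": ["video.example", "hobby-a.example", "forum-b.example"],
}


def profile(history: Iterable[str], allowed: Optional[Set[str]] = None) -> FrozenSet[str]:
    """A profile is the set of visited domains, optionally truncated to `allowed`."""
    domains = frozenset(history)
    return domains if allowed is None else domains & allowed


def top_sites(histories: Dict[str, List[str]], k: int) -> Set[str]:
    """The k domains visited by the most users (ties broken by name)."""
    counts: Counter = Counter()
    for hist in histories.values():
        counts.update(set(hist))
    ranked = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    return {domain for domain, _ in ranked[:k]}


def uniqueness(histories: Dict[str, List[str]], allowed: Optional[Set[str]] = None) -> Tuple[int, float]:
    """(number of distinct profiles, fraction of them held by exactly one user)."""
    counts = Counter(profile(h, allowed) for h in histories.values())
    distinct = len(counts)
    unique = sum(1 for c in counts.values() if c == 1)
    return distinct, unique / distinct


def jaccard(a: FrozenSet[str], b: FrozenSet[str]) -> float:
    """Set similarity; two empty profiles carry no information, so score 0."""
    if not a and not b:
        return 0.0
    return len(a & b) / len(a | b)


def reidentify(week1: Dict[str, List[str]], week2: Dict[str, List[str]],
               allowed: Optional[Set[str]] = None) -> Dict[str, Optional[str]]:
    """Match each week-2 user to the most similar week-1 profile.

    A match is only claimed when one week-1 profile scores strictly highest
    and above zero; ties (e.g. identical profiles) yield None.
    """
    known = {user: profile(h, allowed) for user, h in week1.items()}
    matches: Dict[str, Optional[str]] = {}
    for user, hist in week2.items():
        p = profile(hist, allowed)
        scored = sorted(((jaccard(p, q), u) for u, q in known.items()), reverse=True)
        best_score, best_user = scored[0]
        runner_up = scored[1][0] if len(scored) > 1 else 0.0
        matches[user] = best_user if best_score > 0 and best_score > runner_up else None
    return matches


def reidentification_rate(week1: Dict[str, List[str]], week2: Dict[str, List[str]],
                          allowed: Optional[Set[str]] = None) -> float:
    """Fraction of week-2 users correctly linked to their own week-1 profile."""
    matches = reidentify(week1, week2, allowed)
    correct = sum(1 for user, match in matches.items() if match == user)
    return correct / len(week2)


if __name__ == "__main__":
    top3 = top_sites(WEEK1, 3)
    print("full profiles: distinct, unique fraction =", uniqueness(WEEK1))
    print("top-3 profiles: distinct, unique fraction =", uniqueness(WEEK1, top3))
    print("reidentification, full:", reidentification_rate(WEEK1, WEEK2))
    print("reidentification, top-3:", reidentification_rate(WEEK1, WEEK2, top3))
```

On this toy data four of five returning users are linked from full histories, but only one of five once profiles are truncated to the three most popular domains, which is the qualitative effect the abstract describes for users with few distinct domains.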

** *** ***** ******* *********** *************
Amazon Supplier Fraud

*[2020.08.26]*
<https://www.schneier.com/blog/archives/2020/08/amazon_supplier.html>
Interesting story
<https://www.wired.com/story/how-four-brothers-allegedly-fleeced-19-million-amazon/>
of an Amazon supplier fraud:

According to the indictment, the brothers swapped ASINs for items Amazon
ordered to send large quantities of different goods instead. In one
instance, Amazon ordered 12 canisters of disinfectant spray costing $94.03.
The defendants allegedly shipped 7,000 toothbrushes costing $94.03 each,
using the code for the disinfectant spray, and later billed Amazon for over
$650,000.

In another instance, Amazon ordered a single bottle of designer perfume for
$289.78. In response, according to the indictment, the defendants sent 927
plastic beard trimmers costing $289.79 each, using the ASIN for the
perfume. Prosecutors say the brothers frequently shipped and charged Amazon
for more than 10,000 units of an item when it had requested fewer than 100.
Once Amazon detected the fraud and shut down their accounts, the brothers
allegedly tried to open new ones using fake names, different email
addresses, and VPNs to obscure their identity.

It all worked because Amazon is so huge that everything is automated.

** *** ***** ******* *********** *************
Cory Doctorow on *The Age of Surveillance Capitalism*

*[2020.08.27]*
<https://www.schneier.com/blog/archives/2020/08/cory_doctorow_o_2.html>
Cory Doctorow has written an extended rebuttal
<https://onezero.medium.com/how-to-destroy-surveillance-capitalism-8135e6744d59>
of *The Age of Surveillance Capitalism*
<https://www.publicaffairsbooks.com/titles/shoshana-zuboff/the-age-of-surveillance-capitalism/9781610395694/>
by Shoshana Zuboff. He summarized the argument
<https://twitter.com/doctorow/status/1298631104983740417> on Twitter.

Shorter summary: it’s not the surveillance part, it’s the fact that these
companies are monopolies.

I think it’s both. Surveillance capitalism has some unique properties that
make it particularly unethical and incompatible with a free society, and
Zuboff makes them clear in her book. But the current acceptance of
monopolies in our society is also extremely damaging -- which Doctorow
makes clear.

** *** ***** ******* *********** *************
US Postal Service Files Blockchain Voting Patent

*[2020.08.28]*
<https://www.schneier.com/blog/archives/2020/08/us_postal_servi.html> The
US Postal Service has filed a patent
<https://pdfaiw.uspto.gov/.aiw?PageNum=0&docid=20200258338> on a blockchain
voting method:

*Abstract:* A voting system can use the security of blockchain and the mail
to provide a reliable voting system. A registered voter receives a computer
readable code in the mail and confirms identity and confirms correct ballot
information in an election. The system separates voter identification and
votes to ensure vote anonymity, and stores votes on a distributed ledger in
a blockchain.

I wasn’t going to bother blogging this, but I’ve received enough emails
about it that I should comment.

As is pretty much always the case
<https://www.schneier.com/blog/archives/2019/02/blockchain_and_.html>,
blockchain adds nothing. The security of this system has nothing to do with
blockchain, and would be better off without it. For voting in particular,
blockchain adds to the insecurity. Matt Blaze is most succinct
<https://twitter.com/mattblaze/status/1034486679925678080> on that point:

Why is blockchain voting a dumb idea?

Glad you asked.

For starters:

   - It doesn’t solve any problems civil elections actually have.
   - It’s basically incompatible with “software independence”, considered
   an essential property.
   - It can make ballot secrecy difficult or impossible.

Both Ben Adida <https://benlog.com/2017/12/28/blockchain-and-voting/> and
Matthew Green
<https://twitter.com/matthew_d_green/status/1034549236535152641?ref_src=twsrc%5Etfw>
have written longer pieces on blockchain and voting.

News <https://fortune.com/2020/08/17/usps-patent-voting-by-phone/> articles
<https://www.digitaltrends.com/news/usps-mail-in-voting-blockchain-election/>.

** *** ***** ******* *********** *************
Seny Kamara on "Crypto for the People"

*[2020.08.31]*
<https://www.schneier.com/blog/archives/2020/08/seny_kamara_on_.html> Seny
Kamara gave an excellent keynote talk
<https://www.youtube.com/watch?v=Ygq9ci0GFhA> this year at the (online) CRYPTO
Conference <https://crypto.iacr.org/2020/>. He talked about solving
real-world crypto problems for marginalized communities around the world,
instead of crypto problems for governments and corporations. Well worth
watching and listening to.

** *** ***** ******* *********** *************
North Korea ATM Hack

*[2020.09.01]*
<https://www.schneier.com/blog/archives/2020/09/north_korea_atm.html> The
US Cybersecurity and Infrastructure Security Agency (CISA) published a long
and technical alert <https://us-cert.cisa.gov/ncas/alerts/aa20-239a>
describing a North Korea hacking scheme against ATMs in a bunch of
countries worldwide:

This joint advisory is the result of analytic efforts among the
Cybersecurity and Infrastructure Security Agency (CISA), the Department of
the Treasury (Treasury), the Federal Bureau of Investigation (FBI) and U.S.
Cyber Command (USCYBERCOM). Working with U.S. government partners, CISA,
Treasury, FBI, and USCYBERCOM identified malware and indicators of
compromise (IOCs) used by the North Korean government in an automated
teller machine (ATM) cash-out scheme -- referred to by the U.S. Government
as “FASTCash 2.0: North Korea’s BeagleBoyz Robbing Banks.”

The level of detail is impressive, as seems to be common in CISA’s alerts
<https://us-cert.cisa.gov/ncas/alerts> and analysis reports
<https://us-cert.cisa.gov/ncas/analysis-reports>.

** *** ***** ******* *********** *************
Insider Attack on the Carnegie Library

*[2020.09.02]*
<https://www.schneier.com/blog/archives/2020/09/insider_attack_3.html> Greg
Priore, the person in charge of the rare book room at the Carnegie Library,
stole from it
<https://www.smithsonianmag.com/arts-culture/theft-carnegie-library-books-maps-artworks-180975506/>
for almost two decades before getting caught.

It’s a perennial problem: trusted insiders have to be trusted.

** *** ***** ******* *********** *************
2017 Tesla Hack

*[2020.09.03]*
<https://www.schneier.com/blog/archives/2020/09/2017_tesla_hack.html>
Interesting story
<https://electrek.co/2020/08/27/tesla-hack-control-over-entire-fleet/> of a
class break against the entire Tesla fleet.

** *** ***** ******* *********** *************
Hacking AI-Graded Tests

*[2020.09.04]*
<https://www.schneier.com/blog/archives/2020/09/hacking_ai-grad.html> The
company Edgenuity sells AI systems for grading tests. Turns out that they just
search for keywords
<https://www.theverge.com/2020/9/2/21419012/edgenuity-online-class-ai-grading-keyword-mashing-students-school-cheating-algorithm-glitch>
without doing any actual semantic analysis.

** *** ***** ******* *********** *************
More on NIST's Post-Quantum Cryptography

*[2020.09.08]*
<https://www.schneier.com/blog/archives/2020/09/more_on_nists_p.html> Back
in July, NIST selected third-round algorithms
<https://www.schneier.com/blog/archives/2020/07/update_on_nists.html> for
its post-quantum cryptography standard.

Recently, Daniel Apon of NIST gave a talk
<https://www.scribd.com/document/474476570/PQC-Overview-Aug-2020-NIST>
detailing the selection criteria. Interesting stuff.

** *** ***** ******* *********** *************
US Space Cybersecurity Directive

*[2020.09.09]*
<https://www.schneier.com/blog/archives/2020/09/us-space-cybersecurity-directive.html>
The Trump Administration just published “Space Policy Directive – 5
<https://www.whitehouse.gov/wp-content/uploads/2020/09/2020SPD5.mem_.pdf>”:
“Cybersecurity Principles for Space Systems.” It’s pretty general:

Principles. (a) Space systems and their supporting infrastructure,
including software, should be developed and operated using risk-based,
cybersecurity-informed engineering. Space systems should be developed to
continuously monitor, anticipate, and adapt to mitigate evolving malicious
cyber activities that could manipulate, deny, degrade, disrupt, destroy,
surveil, or eavesdrop on space system operations. Space system
configurations should be resourced and actively managed to achieve and
maintain an effective and resilient cyber survivability posture throughout
the space system lifecycle.

(b) Space system owners and operators should develop and implement
cybersecurity plans for their space systems that incorporate capabilities
to ensure operators or automated control center systems can retain or
recover positive control of space vehicles. These plans should also ensure
the ability to verify the integrity, confidentiality, and availability of
critical functions and the missions, services, and data they enable and
provide.

These unclassified directives are typically so general that it’s hard to
tell whether they actually matter.

News article
<https://www.theverge.com/2020/9/4/21423087/space-policy-directive-5-cybersecurity-threats-satellites>.

** *** ***** ******* *********** *************
The Third Edition of Ross Anderson's *Security Engineering*

*[2020.09.10]*
<https://www.schneier.com/blog/archives/2020/09/the_third_editi.html> Ross
Anderson’s fantastic textbook, *Security Engineering*
<https://www.amazon.com/Security-Engineering-Building-Dependable-Distributed/dp/0470068523/>,
will have a third edition
<https://www.amazon.com/Security-Engineering-Building-Dependable-Distributed-dp-1119642787/dp/1119642787/ref=dp_ob_title_bk>.
The book won’t be published until December, but Ross has been making drafts
of the chapters available online <https://www.cl.cam.ac.uk/~rja14/book.html>
as he finishes them. Now that the book is completed, I expect the publisher
to make him take the drafts off the Internet.

I personally find both the electronic and paper versions to be incredibly
useful. Grab an electronic copy now while you still can.

** *** ***** ******* *********** *************
Ranking National Cyber Power

*[2020.09.11]*
<https://www.schneier.com/blog/archives/2020/09/ranking-national-cyber-power.html>
Harvard Kennedy School’s Belfer Center published the “National Cyber Power
Index 2020: Methodology and Analytical Considerations
<https://www.belfercenter.org/sites/default/files/2020-09/NCPI_2020.pdf>.”
The rankings: 1. US, 2. China, 3. UK, 4. Russia, 5. Netherlands, 6. France,
7. Germany, 8. Canada, 9. Japan, 10. Australia, 11. Israel. More countries
are in the document.

We could -- and should -- argue about the criteria and the methodology, but
it’s good that someone is starting this conversation.

*Executive Summary*: The Belfer National Cyber Power Index (NCPI) measures
30 countries’ cyber capabilities in the context of seven national
objectives, using 32 intent indicators and 27 capability indicators with
evidence collected from publicly available data.

In contrast to existing cyber related indices, we believe there is no
single measure of cyber power. Cyber Power is made up of multiple
components and should be considered in the context of a country’s national
objectives. We take an all-of-country approach to measuring cyber power. By
considering “all-of-country” we include all aspects under the control of a
government where possible. Within the NCPI we measure government
strategies, capabilities for defense and offense, resource allocation, the
private sector, workforce, and innovation. Our assessment is both a
measurement of proven power and potential, where the final score assumes
that the government of that country can wield these capabilities
effectively.

The NCPI has identified seven national objectives that countries pursue
using cyber means. The seven objectives are:

   1. Surveilling and Monitoring Domestic Groups;
   2. Strengthening and Enhancing National Cyber Defenses;
   3. Controlling and Manipulating the Information Environment;
   4. Foreign Intelligence Collection for National Security;
   5. Commercial Gain or Enhancing Domestic Industry Growth;
   6. Destroying or Disabling an Adversary’s Infrastructure and
   Capabilities; and,
   7. Defining International Cyber Norms and Technical Standards.

In contrast to the broadly held view that cyber power means destroying or
disabling an adversary’s infrastructure (commonly referred to as offensive
cyber operations), offense is only one of these seven objectives countries
pursue using cyber means.

** *** ***** ******* *********** *************
Interesting Attack on the EMV Smartcard Payment Standard

*[2020.09.14]*
<https://www.schneier.com/blog/archives/2020/09/interesting-attack-on-the-emv-smartcard-payment-standard.html>
It’s complicated <https://arxiv.org/pdf/2006.08249.pdf>, but it’s basically
a man-in-the-middle attack that involves two smartphones. The first phone
reads the actual smartcard, and then forwards the required information to a
second phone. That second phone actually conducts the transaction on the
POS terminal. That second phone is able to convince the POS terminal to
conduct the transaction without requiring the normally required PIN.

From a news article
<https://techxplore.com/news/2020-09-outsmarting-pin-code.html>:

The researchers were able to demonstrate that it is possible to exploit the
vulnerability in practice, although it is a fairly complex process. They
first developed an Android app and installed it on two NFC-enabled mobile
phones. This allowed the two devices to read data from the credit card chip
and exchange information with payment terminals. Incidentally, the
researchers did not have to bypass any special security features in the
Android operating system to install the app.

To obtain unauthorized funds from a third-party credit card, the first
mobile phone is used to scan the necessary data from the credit card and
transfer it to the second phone. The second phone is then used to
simultaneously debit the amount at the checkout, as many cardholders do
nowadays. As the app declares that the customer is the authorized user of
the credit card, the vendor does not realize that the transaction is
fraudulent. The crucial factor is that the app outsmarts the card’s
security system. Although the amount is over the limit and requires PIN
verification, no code is requested.

The paper: “The EMV Standard: Break, Fix, Verify
<https://arxiv.org/pdf/2006.08249.pdf>.”

*Abstract:* EMV is the international protocol standard for smartcard
payment and is used in over 9 billion cards worldwide. Despite the
standard’s advertised security, various issues have been previously
uncovered, deriving from logical flaws that are hard to spot in EMV’s
lengthy and complex specification, running over 2,000 pages.

We formalize a comprehensive symbolic model of EMV in Tamarin, a
state-of-the-art protocol verifier. Our model is the first that supports a
fine-grained analysis of all relevant security guarantees that EMV is
intended to offer. We use our model to automatically identify flaws that
lead to two critical attacks: one that defrauds the cardholder and another
that defrauds the merchant. First, criminals can use a victim’s Visa
contact-less card for high-value purchases, without knowledge of the card’s
PIN. We built a proof-of-concept Android application and successfully
demonstrated this attack on real-world payment terminals. Second, criminals
can trick the terminal into accepting an unauthentic offline transaction,
which the issuing bank should later decline, after the criminal has walked
away with the goods. This attack is possible for implementations following
the standard, although we did not test it on actual terminals for ethical
reasons. Finally, we propose and verify improvements to the standard that
prevent these attacks, as well as any other attacks that violate the
considered security properties. The proposed improvements can be easily
implemented in the terminals and do not affect the cards in circulation.
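
The flow the article describes, reduced to a small model. This is an added
example, not code from the newsletter, the news article, or the paper. The
card's reply to the terminal carries the Card Transaction Qualifiers (CTQ);
according to the linked paper, the attacker's phone-in-the-middle clears the
"Online PIN Required" bit (byte 1, bit 8) and sets the "Consumer Device CVM
Performed" bit (byte 2, bit 8), and the terminal acts on those bits although
nothing it checks in the online flow authenticates them. Everything else here
is an assumption made for the illustration: the application cryptogram and the
card's SDAD signature are both stood in for by HMACs over one constructed key
(a real SDAD is an RSA signature the terminal verifies through the issuer
certificate chain), the CVM limit and field layout are invented, and the
`verify_sdad` switch models the terminal-side fix of checking the card's
signature over the CTQ before trusting it.

```python
import hashlib
import hmac
import os

# CTQ bit positions used by the attack (EMV tag 9F6C, two bytes).
ONLINE_PIN_REQUIRED = 0x80  # byte 1, bit 8
CDCVM_PERFORMED = 0x80      # byte 2, bit 8 ("Consumer Device CVM Performed")

CVM_LIMIT = 5000  # assumed limit in minor units; above it the terminal wants a CVM

# Constructed key standing in for the card's signing/cryptogram keys.
CARD_KEY = b"demo-card-key-not-a-real-secret"


def _mac(data: bytes) -> bytes:
    return hmac.new(CARD_KEY, data, hashlib.sha256).digest()


def terminal_challenge() -> bytes:
    """Terminal's unpredictable number, sent to the card in the GPO command."""
    return os.urandom(4)


def card_respond(amount: int, un: bytes,
                 ctq: bytes = bytes([ONLINE_PIN_REQUIRED, 0x00])) -> dict:
    """Model of the card's reply.

    The application cryptogram (AC) the issuer checks covers amount and UN
    but not the CTQ; the SDAD-style signature does cover the CTQ, but a
    terminal running the online flow may never verify it (the flaw)."""
    amt = amount.to_bytes(6, "big")
    return {"ctq": ctq,
            "ac": _mac(amt + un),
            "sdad": _mac(amt + un + ctq)}


def relay_and_tamper(response: dict) -> dict:
    """What the attacker's phone-in-the-middle does: it forwards the card's
    reply unchanged except for the two CTQ bits, so the terminal believes
    the consumer device already verified the cardholder."""
    b1, b2 = response["ctq"]
    forged = bytes([(b1 & ~ONLINE_PIN_REQUIRED) & 0xFF, b2 | CDCVM_PERFORMED])
    return {**response, "ctq": forged}


def terminal_decide(amount: int, un: bytes, response: dict,
                    verify_sdad: bool) -> str:
    """Returns the CVM the terminal performs, or a rejection.

    verify_sdad=False is the flawed behaviour: CTQ is trusted as received.
    verify_sdad=True is the terminal-side fix: authenticate CTQ first."""
    if verify_sdad:
        expected = _mac(amount.to_bytes(6, "big") + un + response["ctq"])
        if not hmac.compare_digest(expected, response["sdad"]):
            return "reject: CTQ not authenticated"
    if amount <= CVM_LIMIT:
        return "no cvm"
    b1, b2 = response["ctq"]
    if b2 & CDCVM_PERFORMED:
        return "cdcvm"        # no PIN prompt: terminal trusts the consumer device
    if b1 & ONLINE_PIN_REQUIRED:
        return "online pin"   # the prompt the attacker wants to avoid
    return "signature"


def run(amount: int, tamper: bool, verify_sdad: bool) -> str:
    """One transaction: honest card, optional relay tampering, terminal decision."""
    un = terminal_challenge()
    resp = card_respond(amount, un)
    if tamper:
        resp = relay_and_tamper(resp)
    return terminal_decide(amount, un, resp, verify_sdad)


if __name__ == "__main__":
    for tamper, fix in [(False, False), (True, False), (True, True)]:
        print(f"tamper={tamper!s:5} fix={fix!s:5} -> {run(20000, tamper, fix)}")
```

Run as is, the three transactions above the limit show the honest case asking
for an online PIN, the tampered case being waved through as CDCVM, and the
same tampered reply rejected once the terminal checks the signature over the
CTQ. Note the defence is entirely in the terminal, matching the abstract's
point that the fix needs no change to cards already in circulation.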

** *** ***** ******* *********** *************
Upcoming Speaking Engagements

*[2020.09.14]*
<https://www.schneier.com/blog/archives/2020/09/upcoming-speaking-engagements.html>
This is a current list of where and when I am scheduled to speak:

   - I’m speaking at the Cybersecurity Law & Policy Scholars Virtual
   Conference
   <https://www.law.umn.edu/events/cybersecurity-law-policy-scholars-virtual-conference>
   on September 17, 2020.
   - I’m keynoting the Canadian Internet Registration Authority’s online
   symposium, Canadians Connected
   <https://member.cira.ca/Events/CanadiansConnected/Events/About.aspx>, on
   Wednesday, September 23, 2020.
   - I’m giving a webinar as part of the Online One Conference 2020
   <https://one-conference.nl/> on September 29, 2020.
   - I’m speaking at the (ISC)² Security Congress 2020
   <https://www.isc2.org/Congress>, November 16-18, 2020.

The list is maintained on this page <https://www.schneier.com/events/>.

** *** ***** ******* *********** *************

Since 1998, CRYPTO-GRAM has been a free monthly newsletter providing
summaries, analyses, insights, and commentaries on security technology. To
subscribe, or to read back issues, see Crypto-Gram's web page
<https://www.schneier.com/crypto-gram.html>.

You can also read these articles on my blog, Schneier on Security
<https://www.schneier.com>.

Please feel free to forward CRYPTO-GRAM, in whole or in part, to colleagues
and friends who will find it valuable. Permission is also granted to
reprint CRYPTO-GRAM, as long as it is reprinted in its entirety.

Bruce Schneier is an internationally renowned security technologist, called
a security guru by the Economist. He is the author of over one dozen books
-- including his latest, Click Here to Kill Everybody
<https://www.schneier.com/books/click_here/> -- as well as hundreds of
articles, essays, and academic papers. His newsletter and blog are read by
over 250,000 people. Schneier is a fellow at the Berkman Klein Center for
Internet and Society at Harvard University; a Lecturer in Public Policy at
the Harvard Kennedy School; a board member of the Electronic Frontier
Foundation, AccessNow, and the Tor Project; and an advisory board member of
EPIC and VerifiedVoting.org.

Copyright © 2020 by Bruce Schneier.

** *** ***** ******* *********** *************

Mailing list hosting graciously provided by MailChimp
<https://mailchimp.com/>. Sent without web bugs or link tracking.

Bruce Schneier · Harvard Kennedy School · 1 Brattle Square · Cambridge, MA
02138 · USA


-- 
=====================================================
directory http://www.alansondheim.org
tel 718-813-3285
email sondheim ut panix.com, sondheim ut gmail.com
=====================================================