• CRYPTO-GRAM, January 15, 2023

    From TCOB1@618:500/14 to All on Tuesday, January 17, 2023 12:20:50
    Crypto-Gram
    January 15, 2023

    by Bruce Schneier
    Fellow and Lecturer, Harvard Kennedy School schneier@schneier.com https://www.schneier.com

    A free monthly newsletter providing summaries, analyses, insights, and commentaries on security: computer and otherwise.

    For back issues, or to subscribe, visit Crypto-Gram's web page.

    Read this issue on the web

    These same essays and news items appear in the Schneier on Security blog, along with a lively and intelligent comment section. An RSS feed is available.

    ** *** ***** ******* *********** *************

    In this issue:

    If these links don't work in your email client, try reading this issue of Crypto-Gram on the web.

    A Security Vulnerability in the KmsdBot Botnet
    Apple Patches iPhone Zero-Day
    As Long as We're on the Subject of CAPTCHAs
    How to Surrender to a Drone
    Trojaned Windows Installer Targets Ukraine
    Ukraine Intercepting Russian Soldiers' Cell Phone Calls
    Critical Microsoft Code-Execution Vulnerability
    Hacking the JFK Airport Taxi Dispatch System
    LastPass Breach
    Arresting IT Administrators
    QR Code Scam
    Recovering Smartphone Voice from the Accelerometer
    Breaking RSA with a Quantum Computer
    Decarbonizing Cryptocurrencies through Taxation
    Remote Vulnerabilities in Automobiles
    Schneier on Security Audiobook Sale
    Identifying People Using Cell Phone Location Data
    ChatGPT-Written Malware
    Experian Privacy Vulnerability
    Threats of Machine-Generated Text
    Booklist Review of A Hacker's Mind
    Upcoming Speaking Engagements
    ** *** ***** ******* *********** *************

    A Security Vulnerability in the KmsdBot Botnet

    [2022.12.15] Security researchers found a software bug in the KmsdBot cryptomining botnet:

    With no error-checking built in, sending KmsdBot a malformed command -- like its controllers did one day while Akamai was watching -- created a panic crash with an "index out of range" error. Because there's no persistence, the bot stays down, and malicious agents would need to reinfect a machine and rebuild the bot's functions. It is, as Akamai notes, "a nice story" and "a strong example of the fickle nature of technology."
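    The failure the Akamai quote describes, as an added illustration in Python (this is not KmsdBot's code, which is written in Go; the Python IndexError stands in for the Go panic the report mentions): a command handler indexes into the split fields without checking how many arrived, so a single short command raises out of the processing loop and ends the process, next to a dispatcher that checks the verb and argument count first and keeps each command's failure local. The command names and the sample command stream are constructed for the example.

```python
"""Added illustration of a command handler that crashes on malformed input
versus one that contains the error. Not KmsdBot's code; command names and
the sample stream are constructed for the demo."""

from typing import Callable, Dict, List, Tuple

# Constructed command stream: one well-formed "start", then a "start" with
# two arguments missing, then more well-formed commands.
SAMPLE_COMMANDS = [
    "start 198.51.100.7 443 30",  # start <target> <port> <seconds>
    "start 198.51.100.7",         # malformed: port and duration absent
    "start 203.0.113.9 80 10",
    "stop",
]


def handle_start(args: List[str]) -> str:
    # Positional access with no check that args actually has three entries.
    target, port, seconds = args[0], int(args[1]), int(args[2])
    return f"task {target}:{port} for {seconds}s"


def handle_stop(args: List[str]) -> str:
    return "stopped"


HANDLERS: Dict[str, Callable[[List[str]], str]] = {
    "start": handle_start,
    "stop": handle_stop,
}
EXPECTED_ARGC = {"start": 3, "stop": 0}


def run_fragile(commands: List[str]) -> List[str]:
    """Naive loop, no validation or exception handling: the first malformed
    command raises IndexError out of the loop. In a long-running process that
    is the end of the process; with no persistence mechanism it stays down."""
    results = []
    for line in commands:
        fields = line.split()
        results.append(HANDLERS[fields[0]](fields[1:]))
    return results


def run_robust(commands: List[str]) -> List[str]:
    """Defensive loop: check the verb and arity before dispatch, and keep any
    handler exception local to the command that caused it."""
    results = []
    for line in commands:
        fields = line.split()
        if not fields or fields[0] not in HANDLERS:
            results.append(f"ignored unknown command: {line!r}")
            continue
        verb, args = fields[0], fields[1:]
        if len(args) != EXPECTED_ARGC[verb]:
            results.append(
                f"rejected malformed {verb}: {len(args)} args, expected {EXPECTED_ARGC[verb]}"
            )
            continue
        try:
            results.append(HANDLERS[verb](args))
        except (ValueError, IndexError) as exc:  # e.g. a non-numeric port
            results.append(f"rejected {verb}: {exc}")
    return results


def survives(loop: Callable[[List[str]], List[str]], commands: List[str]) -> Tuple[bool, int]:
    """Return (whether the loop finished, how many commands it processed)."""
    try:
        return True, len(loop(commands))
    except Exception:
        return False, 0


if __name__ == "__main__":
    print("fragile:", survives(run_fragile, SAMPLE_COMMANDS))
    print("robust: ", survives(run_robust, SAMPLE_COMMANDS))
    for line in run_robust(SAMPLE_COMMANDS):
        print("  ", line)
```

    The fragile loop dies on the second command and never sees the two that follow; the robust one processes all four and records why the bad one was dropped. From the defender's side the lesson is the mirror image of the bot author's: a command channel with no input validation is a single point of failure for whoever runs it.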

    ** *** ***** ******* *********** *************

    Apple Patches iPhone Zero-Day

    [2022.12.16] The most recent iPhone update -- to version 16.2 -- patches a zero-day vulnerability that "may have been actively exploited against versions of iOS released before iOS 15.1."

    News:

    Apple said security researchers at Google's Threat Analysis Group, which investigates nation state-backed spyware, hacking and cyberattacks, discovered and reported the WebKit bug.

    WebKit bugs are often exploited when a person visits a malicious domain in their browser (or via the in-app browser). It's not uncommon for bad actors to find vulnerabilities that target WebKit as a way to break into the device's operating system and the user's private data. WebKit bugs can be "chained" to other vulnerabilities to break through multiple layers of a device's defenses.

    ** *** ***** ******* *********** *************

    As Long as We're on the Subject of CAPTCHAs

    [2022.12.16] There are these.

    ** *** ***** ******* *********** *************

    How to Surrender to a Drone

    [2022.12.19] The Ukrainian army has released an instructional video explaining how Russian soldiers should surrender to a drone:

    "Seeing the drone in the field of view, make eye contact with it," the video instructs. Soldiers should then raise their arms and signal they're ready to follow.

    After that the drone will move up and down a few meters, before heading off at walking pace in the direction of the nearest representatives of UkrainerCOs army, it says.

    The video also warns that the drone's battery may run low, in which case it will head back to base and the soldiers should stay put and await a fresh one.

    That one, too, should be met with eye contact and arms raised, it says.

    Incredible.

    ** *** ***** ******* *********** *************

    Trojaned Windows Installer Targets Ukraine

    [2022.12.20] Mandiant is reporting on a trojaned Windows installer that targets Ukrainian users. The installer was left on various torrent sites, presumably ensnaring people downloading pirated copies of the operating system:

    Mandiant uncovered a socially engineered supply chain operation focused on Ukrainian government entities that leveraged trojanized ISO files masquerading as legitimate Windows 10 Operating System installers. The trojanized ISOs were hosted on Ukrainian- and Russian-language torrent file sharing sites. Upon installation of the compromised software, the malware gathers information on the compromised system and exfiltrates it. At a subset of victims, additional tools are deployed to enable further intelligence gathering. In some instances, we discovered additional payloads that were likely deployed following initial reconnaissance including the STOWAWAY, BEACON, and SPAREPART backdoors.

    One obvious solution would be for Microsoft to give the Ukrainians Windows licenses, so they don't have to get their software from sketchy torrent sites.

    ** *** ***** ******* *********** *************

    Ukraine Intercepting Russian Soldiers' Cell Phone Calls

    [2022.12.21] They're using commercial phones, which go through the Ukrainian telecom network:

    "You still have a lot of soldiers bringing cellphones to the frontline who want to talk to their families and they are either being intercepted as they go through a Ukrainian telecommunications provider or intercepted over the air," said Alperovitch. "That doesn't pose too much difficulty for the Ukrainian security services."

    [...]

    "Security has always been a mess, both in the army and among defence officials," the source said. "For example, in 2013 they tried to get all the staff at the ministry of defence to replace our iPhones with Russian-made Yoto smartphones.

    "But everyone just kept using the iPhone as a second mobile because it was much better. We would just keep the iPhone in the car's glove compartment for when we got back from work. In the end, the ministry gave up and stopped caring. If the top doesn't take security very seriously, how can you expect any discipline in the regular army?"

    This isn't a new problem and it isn't a Russian problem. Here's a more general article on the problem from 2020.

    ** *** ***** ******* *********** *************

    Critical Microsoft Code-Execution Vulnerability

    [2022.12.22] A critical code-execution vulnerability in Microsoft Windows was patched in September. It seems that researchers just realized how serious it was (and is):

    Like EternalBlue, CVE-2022-37958, as the latest vulnerability is tracked, allows attackers to execute malicious code with no authentication required. Also, like EternalBlue, it's wormable, meaning that a single exploit can trigger a chain reaction of self-replicating follow-on exploits on other vulnerable systems. The wormability of EternalBlue allowed WannaCry and several other attacks to spread across the world in a matter of minutes with no user interaction required.

    But unlike EternalBlue, which could be exploited when using only the SMB, or server message block, a protocol for file and printer sharing and similar network activities, this latest vulnerability is present in a much broader range of network protocols, giving attackers more flexibility than they had when exploiting the older vulnerability.

    [...]

    Microsoft fixed CVE-2022-37958 in September during its monthly Patch Tuesday rollout of security fixes. At the time, however, Microsoft researchers believed the vulnerability allowed only the disclosure of potentially sensitive information. As such, Microsoft gave the vulnerability a designation of "important." In the routine course of analyzing vulnerabilities after they're patched, Palmiotti discovered it allowed for remote code execution in much the way EternalBlue did. Last week, Microsoft revised the designation to critical and gave it a severity rating of 8.1, the same given to EternalBlue.

    ** *** ***** ******* *********** *************

    Hacking the JFK Airport Taxi Dispatch System

    [2022.12.23] Two men have been convicted of hacking the taxi dispatch system at the JFK airport. This enabled them to reorder the taxis on the list; they charged taxi drivers $10 to cut the line.

    ** *** ***** ******* *********** *************

    LastPass Breach

    [2022.12.26] Last August, LastPass reported a security breach, saying that no customer information -- or passwords -- were compromised. Turns out the full story is worse:

    While no customer data was accessed during the August 2022 incident, some source code and technical information were stolen from our development environment and used to target another employee, obtaining credentials and keys which were used to access and decrypt some storage volumes within the cloud-based storage service.

    [...]

    To date, we have determined that once the cloud storage access key and dual storage container decryption keys were obtained, the threat actor copied information from backup that contained basic customer account information and related metadata including company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service.

    The threat actor was also able to copy a backup of customer vault data from the encrypted storage container which is stored in a proprietary binary format that contains both unencrypted data, such as website URLs, as well as fully-encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data.

    That's bad. It's not an epic disaster, though.

    These encrypted fields remain secured with 256-bit AES encryption and can only be decrypted with a unique encryption key derived from each user's master password using our Zero Knowledge architecture. As a reminder, the master password is never known to LastPass and is not stored or maintained by LastPass.

    So, according to the company, if you chose a strong master password -- here's my advice on how to do it -- your passwords are safe. That is, you are secure as long as your password is resilient to a brute-force attack. (That they lost customer data is another story....)

    Fair enough, as far as it goes. My guess is that many LastPass users do not have strong master passwords, even though the compromise of your encrypted password file should be part of your threat model. But, even so, note this unverified tweet:

    I think the situation at @LastPass may be worse than they are letting on. On Sunday the 18th, four of my wallets were compromised. The losses are not significant. Their seeds were kept, encrypted, in my lastpass vault, behind a 16 character password using all character types.

    If that's true, it means that LastPass has some backdoor -- possibly unintentional -- into the password databases that the hackers are accessing. (Or that @Cryptopathic's "16 character password using all character types" is something like "P@ssw0rdP@ssw0rd.")

    My guess is that we'll learn more during the coming days. But this should serve as a cautionary tale for anyone who is using the cloud: the cloud is another name for "someone else's computer," and you need to understand how much or how little you trust that computer.

    If you're changing password managers, look at my own Password Safe. Its main downside is that you can't sync between devices, but that's because I don't use the cloud for anything.

    News articles. Slashdot thread.

    EDITED TO ADD: People choose lousy master passwords.
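    The threat model the LastPass section turns on, as an added Python example (not LastPass's code and not its real vault format): once the encrypted vault is in the attacker's hands, the master password can be guessed offline with no rate limit, and the only defence is the cost of each guess times the number of guesses needed. The scheme modelled here (PBKDF2-HMAC-SHA256 stretching the master password into an AES-size key, a known check value the attacker can test candidate keys against), the iteration count and the wordlist are all assumptions chosen to keep the demo fast; they are not LastPass's parameters.

```python
"""Added model of the offline attack a stolen, encrypted vault permits.
The key-derivation scheme, iteration count, check value and wordlist are
illustrative assumptions, not LastPass's actual design or parameters."""

import hashlib
import hmac
import os
from typing import Iterable, Optional, Tuple

# Deliberately low so the demo runs in a blink; a real vault should use a far
# higher count, because it multiplies the attacker's cost per guess directly.
ITERATIONS = 1_000


def derive_vault_key(master_password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Stretch the master password into a 256-bit key with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt, iterations, dklen=32)


def make_check_value(key: bytes) -> bytes:
    """A verifier an attacker can test candidate keys against. Real vaults hand
    the attacker an equivalent oracle anyway (e.g. a field that must decrypt to
    well-formed JSON or a URL), so hiding this value buys nothing."""
    return hmac.new(key, b"vault-check", "sha256").digest()


def offline_guess(salt: bytes, check: bytes, candidates: Iterable[str],
                  iterations: int = ITERATIONS) -> Optional[str]:
    """Try each candidate master password against the stolen salt and check value.
    Nothing here contacts the service: lockouts and rate limits do not apply."""
    for pw in candidates:
        key = derive_vault_key(pw, salt, iterations)
        if hmac.compare_digest(make_check_value(key), check):
            return pw
    return None


# Constructed wordlist: the "complex-looking" patterns that cracking rules
# generate first. "P@ssw0rdP@ssw0rd" is 16 characters with all four character
# classes and is still one of the earliest guesses.
WORDLIST = ["password", "Password1", "P@ssw0rd", "P@ssw0rdP@ssw0rd", "Summer2022!"]


def demo() -> Tuple[Optional[str], Optional[str]]:
    """Return what the wordlist recovers for a weak and for a strong master password."""
    salt = os.urandom(16)  # stolen alongside the vault in the modelled breach
    weak_check = make_check_value(derive_vault_key("P@ssw0rdP@ssw0rd", salt))
    strong_check = make_check_value(derive_vault_key("tulip-cavern-9-Banjo-harbor", salt))
    return (offline_guess(salt, weak_check, WORDLIST),
            offline_guess(salt, strong_check, WORDLIST))


if __name__ == "__main__":
    weak, strong = demo()
    print("weak master password recovered:  ", weak)
    print("strong master password recovered:", strong)
```

    The weak password falls on the fourth guess; the passphrase does not fall at all, because it is not in any wordlist and forces the attacker into a keyspace too large to enumerate at PBKDF2 speeds. Two things follow for anyone whose vault has been copied: the password's character-class mix is irrelevant if its structure is predictable, and a low iteration count on an old account lowers the bar for every guess.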

    ** *** ***** ******* *********** *************

    Arresting IT Administrators

    [2022.12.27] This is one way of ensuring that IT keeps up with patches:

    Albanian prosecutors on Wednesday asked for the house arrest of five public employees they blame for not protecting the country from a cyberattack by alleged Iranian hackers.

    Prosecutors said the five IT officials of the public administration department had failed to check the security of the system and update it with the most recent antivirus software.

    The next step would be to arrest managers at software companies for not releasing patches fast enough. And maybe programmers for writing buggy code. I don't know where this line of thinking ends.

    ** *** ***** ******* *********** *************

    QR Code Scam

    [2022.12.28] An enterprising individual made fake parking tickets with a QR code for easy payment.

    ** *** ***** ******* *********** *************

    Recovering Smartphone Voice from the Accelerometer

    [2022.12.30] Yet another smartphone side-channel attack: "EarSpy: Spying Caller Speech and Identity through Tiny Vibrations of Smartphone Ear Speakers":

    Abstract: Eavesdropping from the user's smartphone is a well-known threat to the user's safety and privacy. Existing studies show that loudspeaker reverberation can inject speech into motion sensor readings, leading to speech eavesdropping. While more devastating attacks on ear speakers, which produce much smaller scale vibrations, were believed impossible to eavesdrop with zero-permission motion sensors. In this work, we revisit this important line of research. We explore recent trends in smartphone manufacturers that include extra/powerful speakers in place of small ear speakers, and demonstrate the feasibility of using motion sensors to capture such tiny speech vibrations. We investigate the impacts of these new ear speakers on built-in motion sensors and examine the potential to elicit private speech information from the minute vibrations. Our designed system EarSpy can successfully detect word regions, time, and frequency domain features and generate a spectrogram for each word region. We train and test the extracted data using classical machine learning algorithms and convolutional neural networks. We found up to 98.66% accuracy in gender detection, 92.6% detection in speaker detection, and 56.42% detection in digit detection (which is 5X more significant than the random selection (10%)). Our result unveils the potential threat of eavesdropping on phone conversations from ear speakers using motion sensors.

    It's not great, but it's an impressive start.

    ** *** ***** ******* *********** *************

    Breaking RSA with a Quantum Computer

    [2023.01.03] A group of Chinese researchers have just published a paper claiming that they can -- although they have not yet done so -- break 2048-bit RSA. This is something to take seriously. It might not be correct, but it's not obviously wrong.

    We have long known from Shor's algorithm that factoring with a quantum computer is easy. But it takes a big quantum computer, on the order of millions of qubits, to factor anything resembling the key sizes we use today. What the researchers have done is combine classical lattice reduction factoring techniques with a quantum approximate optimization algorithm. This means that they only need a quantum computer with 372 qubits, which is well within what's possible today. (The IBM Osprey is a 433-qubit quantum computer, for example. Others are on their way as well.)

    The Chinese group didn't have that large a quantum computer to work with. They were able to factor 48-bit numbers using a 10-qubit quantum computer. And while there are always potential problems when scaling something like this up by a factor of 50, there are no obvious barriers.

    Honestly, most of the paper is over my head -- both the lattice-reduction math and the quantum physics. And there's the nagging question of why the Chinese government didn't classify this research. But...wow...maybe...and yikes! Or not.

    "Factoring integers with sublinear resources on a superconducting quantum processor"

    Abstract: Shor's algorithm has seriously challenged information security based on public key cryptosystems. However, to break the widely used RSA-2048 scheme, one needs millions of physical qubits, which is far beyond current technical capabilities. Here, we report a universal quantum algorithm for integer factorization by combining the classical lattice reduction with a quantum approximate optimization algorithm (QAOA). The number of qubits required is O(log N / log log N), which is sublinear in the bit length of the integer N, making it the most qubit-saving factorization algorithm to date. We demonstrate the algorithm experimentally by factoring integers up to 48 bits with 10 superconducting qubits, the largest integer factored on a quantum device. We estimate that a quantum circuit with 372 physical qubits and a depth of thousands is necessary to challenge RSA-2048 using our algorithm. Our study shows great promise in expediting the application of current noisy quantum computers, and paves the way to factor large integers of realistic cryptographic significance.

    In email, Roger Grimes told me: "Apparently what happened is another guy who had previously announced he was able to break traditional asymmetric encryption using classical computers...but reviewers found a flaw in his algorithm and that guy had to retract his paper. But this Chinese team realized that the step that killed the whole thing could be solved by small quantum computers. So they tested and it worked."

    EDITED TO ADD: One of the issues with the algorithm is that it relies on a recent factoring paper by Claus Schnorr. It's a controversial paper; and despite the "this destroys the RSA cryptosystem" claim in the abstract, it does nothing of the sort. Schnorr's algorithm works well with smaller moduli -- around the same order as ones the Chinese group has tested -- but falls apart at larger sizes. At this point, nobody understands why. The Chinese paper claims that their quantum techniques get around this limitation (I think that's what's behind Grimes's comment) but don't give any details -- and they haven't tested it with larger moduli. So if it's true that the Chinese paper depends on this Schnorr technique that doesn't scale, the techniques in this Chinese paper won't scale, either. (On the other hand, if it does scale then I think it also breaks a bunch of lattice-based public-key cryptosystems.)

    I am much less worried that this technique will work now. But this is something the IBM quantum computing people can test right now.

    EDITED TO ADD (1/4): A reporter just asked me my gut feel about this. I replied that I don't think this will break RSA. Several times a year the cryptography community receives "breakthroughs" from people outside the community. That's why we created the RSA Factoring Challenge: to force people to provide proofs of their claims. In general, the smart bet is on the new techniques not working. But someday, that bet will be wrong. Is it today? Probably not. But it could be. We're in the worst possible position right now: we don't have the facts to know. Someone needs to implement the quantum algorithm and see.

    EDITED TO ADD (1/5): Scott Aaronson's take is a "no":

    In the new paper, the authors spend page after page saying-without-saying that it might soon become possible to break RSA-2048, using a NISQ (i.e., non-fault-tolerant) quantum computer. They do so via two time-tested stratagems:

    the detailed exploration of irrelevancies (mostly, optimization of the number of qubits, while ignoring the number of gates), and complete silence about the one crucial point. Then, finally, they come clean about the one crucial point in a single sentence of the Conclusion section:

    It should be pointed out that the quantum speedup of the algorithm is unclear due to the ambiguous convergence of QAOA.

    "Unclear" is an understatement here. It seems to me that a miracle would be required for the approach here to yield any benefit at all, compared to just running the classical Schnorr's algorithm on your laptop. And if the latter were able to break RSA, it would've already done so.

    All told, this is one of the most actively misleading quantum computing papers I've seen in 25 years, and I've seen ... many.

    EDITED TO ADD (1/7): More commentary. Again: no need to panic.

    EDITED TO ADD (1/12): Peter Shor has suspicions.

    ** *** ***** ******* *********** *************

    Decarbonizing Cryptocurrencies through Taxation

    [2023.01.04] Maintaining bitcoin and other cryptocurrencies causes about 0.3 percent of global CO2 emissions. That may not sound like a lot, but it's more than the emissions of Switzerland, Croatia, and Norway combined. As many cryptocurrencies crash and the FTX bankruptcy moves into the litigation stage, regulators are likely to scrutinize the cryptocurrency world more than ever before. This presents a perfect opportunity to curb their environmental damage.

    The good news is that cryptocurrencies don't have to be carbon intensive. In fact, some have near-zero emissions. To encourage polluting currencies to reduce their carbon footprint, we need to force buyers to pay for their environmental harms through taxes.

    The difference in emissions among cryptocurrencies comes down to how they create new coins. Bitcoin and other high emitters use a system called "proof of work": to generate coins, participants, or "miners," have to solve math problems that demand extraordinary computing power. This allows currencies to maintain their decentralized ledger -- the blockchain -- but requires enormous amounts of energy.

    Greener alternatives exist. Most notably, the "proof of stake" system enables participants to maintain their blockchain by depositing cryptocurrency holdings in a pool. When the second-largest cryptocurrency, Ethereum, switched from proof of work to proof of stake earlier this year, its energy consumption dropped by more than 99.9% overnight.

    Bitcoin and other cryptocurrencies probably won't follow suit unless forced to, because proof of work offers massive profits to miners -- and they're the ones with power in the system. Multiple legislative levers could be used to entice them to change.

    The most blunt solution is to ban cryptocurrency mining altogether. China did this in 2018, but it only made the problem worse; mining moved to other countries with even less efficient energy generation, and emissions went up. The only way for a mining ban to meaningfully reduce carbon emissions is to enact it across most of the globe. Achieving that level of international consensus is, to say the least, unlikely.

    A second solution is to prohibit the buying and selling of proof-of-work currencies. The European Parliament's Committee on Economic and Monetary Affairs considered making such a proposal, but voted against it in March. This is understandable; as with a mining ban, it would be both viewed as paternalistic and difficult to implement politically.

    Employing a tax instead of an outright ban would largely skirt these issues. As with taxes on gasoline, tobacco, plastics, and alcohol, a cryptocurrency tax could reduce real-world harm by making consumers pay for it.

    Most ways of taxing cryptocurrencies would be inefficient, because they're easy to circumvent and hard to enforce. To avoid these pitfalls, the tax should be levied as a fixed percentage of each proof-of-work-cryptocurrency purchase. Cryptocurrency exchanges should collect the tax, just as merchants collect sales taxes from customers before passing the sum on to governments. To make it harder to evade, the tax should apply regardless of how the proof-of-work currency is being exchanged -- whether for a fiat currency or another cryptocurrency. Most important, any state that implements the tax should target all purchases by citizens in its jurisdiction, even if they buy through exchanges with no legal presence in the country.

    This sort of tax would be transparent and easy to enforce. Because most people buy cryptocurrencies from one of only a few large exchanges -- such as Binance, Coinbase, and Kraken -- auditing them should be cheap enough that it pays for itself. If an exchange fails to comply, it should be banned.

    Even a small tax on proof-of-work currencies would reduce their damage to the planet. Imagine that you're new to cryptocurrency and want to become a first-time investor. You're presented with a range of currencies to choose from: bitcoin, ether, litecoin, monero, and others. You notice that all of them except ether add an environmental tax to your purchase price. Which one do you buy?

    Countries don't need to coordinate across borders for a proof-of-work tax on their own citizens to be effective. But early adopters should still consider ways to encourage others to come on board. This has precedent. The European Union is trying to influence global policy with its carbon border adjustments, which are designed to discourage people from buying carbon-intensive products abroad in order to skirt taxes. Similar rules for a proof-of-work tax could persuade other countries to adopt one.

    Of course, some people will try to evade the tax, just as people evade every other tax. For example, people might buy tax-free coins on centralized exchanges and then swap them for polluting coins on decentralized exchanges. To some extent, this is inevitable; no tax is perfect. But the effort and technical know-how needed to evade a proof-of-work tax will be a major deterrent.

    Even if only a few countries implement this tax -- and even if some people evade it -- the desirability of bitcoin will fall globally, and the environmental benefit will be significant. A high enough tax could also cause a self-reinforcing cycle that will drive down these cryptocurrencies' prices. Because the value of many cryptocurrencies relies largely on speculation, they are dependent on future buyers. When speculators are deterred by the tax, the lack of demand will cause the price of bitcoin to fall, which could prompt more current holders to sell -- further lowering prices and accelerating the effect. Declining prices will pressure the bitcoin community to abandon proof of work altogether.

    Taxing proof-of-work exchanges might hurt them in the short run, but it would not hinder blockchain innovation. Instead, it would redirect innovation toward greener cryptocurrencies. This is no different than how government incentives for electric vehicles encourage carmakers to improve green alternatives to the internal combustion engine. These incentives don't restrict innovation in automobiles -- they promote it.

    Taxing environmentally harmful cryptocurrencies can gain support across the political spectrum, from people with varied interests. It would benefit blockchain innovators and cryptocurrency researchers by shifting focus from environmental harm to beneficial uses of the technology. It has the potential to make our planet significantly greener. It would increase government revenues.

    Even bitcoin maximalists have reason to embrace the proposal: it would offer the bitcoin community a chance to prove it can survive and grow sustainably.

    This essay was written with Christos Porios, and previously appeared in the Atlantic.

    ** *** ***** ******* *********** *************

    Remote Vulnerabilities in Automobiles

    [2023.01.06] This group has found a ton of remote vulnerabilities in all sorts of automobiles.

    It's enough to make you want to buy a car that is not Internet-connected. Unfortunately, that seems to be impossible.

    ** *** ***** ******* *********** *************

    Schneier on Security Audiobook Sale

    [2023.01.06] I'm not sure why, but Audiobooks.com is offering the audiobook version of Schneier on Security at 50% off until January 17.

    EDITED TO ADD: The audiobook of We Have Root is 50% off until January 27 if you use this link.

    ** *** ***** ******* *********** *************

    Identifying People Using Cell Phone Location Data

    [2023.01.09] The two people who shut down four Washington power stations in December were arrested. This is the interesting part:

    Investigators identified Greenwood and Crahan almost immediately after the attacks took place by using cell phone data that allegedly showed both men in the vicinity of all four substations, according to court documents.

    Nowadays, it seems like an obvious thing to do -- although the search is probably unconstitutional. But way back in 2012, the Canadian CSEC -- that's their NSA -- did some top-secret work on this kind of thing. The document is part of the Snowden archive, and I wrote about it:

    The second application suggested is to identify a particular person whom you know visited a particular geographical area on a series of dates/times. The example in the presentation is a kidnapper. He is based in a rural area, so he can't risk making his ransom calls from that area. Instead, he drives to an urban area to make those calls. He either uses a burner phone or a pay phone, so he can't be identified that way. But if you assume that he has some sort of smart phone in his pocket that identifies itself over the Internet, you might be able to find him in that dataset. That is, he might be the only ID that appears in that geographical location around the same time as the ransom calls and at no other times.

    There's a whole lot of surveillance you can do if you can follow everyone, everywhere, all the time. I don't even think turning your cell phone off would help in this instance. How many people in the Washington area turned their phones off during exactly the times of the Washington power station attacks? Probably a small enough number to investigate them all.
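    The co-presence analysis described in the CSEC slide and in the substation case, as an added worked example (this is illustrative Python written for this page, not any agency's or carrier's tooling): given bulk device-location records and a list of (place, time) events, take the devices seen near each event within a time window, intersect those sets to get the devices present at every event, then apply the stricter "and at no other times" filter that removes people who merely live or work near a site. The record layout, radius, window, coordinates and sightings are all constructed for the demo.

```python
"""Added worked example of multi-event co-presence analysis over device
location records. All records and coordinates are constructed; the record
layout is an assumption made for this illustration."""

from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt
from typing import List, Set


@dataclass(frozen=True)
class Sighting:
    device_id: str
    lat: float
    lon: float
    ts: int  # seconds since epoch


@dataclass(frozen=True)
class Event:
    lat: float
    lon: float
    ts: int


def haversine_m(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in metres between two WGS84 points."""
    r = 6_371_000.0
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * r * asin(sqrt(a))


def near(s: Sighting, e: Event, radius_m: float) -> bool:
    return haversine_m(s.lat, s.lon, e.lat, e.lon) <= radius_m


def devices_near(sightings: List[Sighting], e: Event, radius_m: float, window_s: int) -> Set[str]:
    """Device IDs seen within radius_m of the event, within +/- window_s of its time."""
    return {s.device_id for s in sightings if abs(s.ts - e.ts) <= window_s and near(s, e, radius_m)}


def copresent_devices(sightings: List[Sighting], events: List[Event],
                      radius_m: float = 500.0, window_s: int = 1800) -> Set[str]:
    """Intersect the per-event candidate sets: a device must appear at every event."""
    per_event = [devices_near(sightings, e, radius_m, window_s) for e in events]
    return set.intersection(*per_event) if per_event else set()


def exclusive_devices(sightings: List[Sighting], events: List[Event],
                      radius_m: float = 500.0, window_s: int = 1800) -> Set[str]:
    """The stricter pattern from the slide: co-present at every event and never
    seen at any event site outside the event windows. Residents and regulars,
    who are near a site at other times too, drop out here."""
    out = set()
    for dev in copresent_devices(sightings, events, radius_m, window_s):
        off_window = any(
            near(s, e, radius_m) and abs(s.ts - e.ts) > window_s
            for s in sightings if s.device_id == dev
            for e in events
        )
        if not off_window:
            out.add(dev)
    return out


# Constructed data: four sites and four event times, far enough apart in space
# and time that the 500 m / 30 min windows never overlap.
EVENTS = [
    Event(47.100, -122.300, 1_000),
    Event(47.150, -122.400, 5_000),
    Event(47.050, -122.500, 9_000),
    Event(47.200, -122.200, 13_000),
]


def _at(dev: str, e: Event, dt: int) -> Sighting:
    # A record about 110 m north of the site, dt seconds after the event.
    return Sighting(dev, e.lat + 0.001, e.lon, e.ts + dt)


SIGHTINGS = (
    [_at("A", e, 300) for e in EVENTS]                           # all four, and only then
    + [_at("B", e, -200) for e in EVENTS[:3]]                    # misses the fourth site
    + [_at("C", e, 100) for e in EVENTS]                         # all four ...
    + [Sighting("C", 47.101, -122.300, 50_000)]                  # ... but also seen at site 1 later
    + [Sighting("D", 48.000, -121.000, t) for t in (1_000, 5_000)]  # far from everything
)

if __name__ == "__main__":
    print("present at every event:", sorted(copresent_devices(SIGHTINGS, EVENTS)))
    print("and at no other time:  ", sorted(exclusive_devices(SIGHTINGS, EVENTS)))
```

    The intersection alone returns A and C; the "no other times" filter removes C, who is also recorded near site 1 well outside the window, and leaves A. The same two functions answer the flip side of the section's closing question: devices with no records at all during the windows are simply another candidate set to intersect with the population that normally has them.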

    ** *** ***** ******* *********** *************

    ChatGPT-Written Malware

    [2023.01.10] I don't know how much of a thing this will end up being, but we are seeing ChatGPT-written malware in the wild.

    ...within a few weeks of ChatGPT going live, participants in cybercrime forums -- some with little or no coding experience -- were using it to write software and emails that could be used for espionage, ransomware, malicious spam, and other malicious tasks.

    "It's still too early to decide whether or not ChatGPT capabilities will become the new favorite tool for participants in the Dark Web," company researchers wrote. "However, the cybercriminal community has already shown significant interest and are jumping into this latest trend to generate malicious code."

    Last month, one forum participant posted what they claimed was the first script they had written and credited the AI chatbot with providing a "nice [helping] hand to finish the script with a nice scope."

    The Python code combined various cryptographic functions, including code signing, encryption, and decryption. One part of the script generated a key using elliptic curve cryptography and the curve ed25519 for signing files. Another part used a hard-coded password to encrypt system files using the Blowfish and Twofish algorithms. A third used RSA keys and digital signatures, message signing, and the blake2 hash function to compare various files.

    Check Point Research report.

    ChatGPT-generated code isn't that good, but it's a start. And the technology will only get better. Where it matters here is that it gives less skilled hackers -- script kiddies -- new capabilities.

    ** *** ***** ******* *********** *************

    Experian Privacy Vulnerability

    [2023.01.12] Brian Krebs is reporting on a vulnerability in Experian's website:

    Identity thieves have been exploiting a glaring security weakness in the website of Experian, one of the big three consumer credit reporting bureaus. Normally, Experian requires that those seeking a copy of their credit report successfully answer several multiple choice questions about their financial history. But until the end of 2022, Experian's website allowed anyone to bypass these questions and go straight to the consumer's report. All that was needed was the person's name, address, birthday and Social Security number.

    ** *** ***** ******* *********** *************

    Threats of Machine-Generated Text

    [2023.01.13] With the release of ChatGPT, I've read many random articles about this or that threat from the technology. This paper is a good survey of the field: what the threats are, how we might detect machine-generated text, directions for future research. It's a solid grounding amongst all of the hype.

    Machine Generated Text: A Comprehensive Survey of Threat Models and Detection Methods

    Abstract: Advances in natural language generation (NLG) have resulted in machine generated text that is increasingly difficult to distinguish from human authored text. Powerful open-source models are freely available, and user-friendly tools democratizing access to generative models are proliferating. The great potential of state-of-the-art NLG systems is tempered by the multitude of avenues for abuse. Detection of machine generated text is a key countermeasure for reducing abuse of NLG models, with significant technical challenges and numerous open problems. We provide a survey that includes both 1) an extensive analysis of threat models posed by contemporary NLG systems, and 2) the most complete review of machine generated text detection methods to date. This survey places machine generated text within its cybersecurity and social context, and provides strong guidance for future work addressing the most critical threat models, and ensuring detection systems themselves demonstrate trustworthiness through fairness, robustness, and accountability.

    ** *** ***** ******* *********** *************

    Booklist Review of A Hacker's Mind

    [2023.01.14] Booklist reviews A Hacker's Mind:

    Author and public-interest security technologist Schneier (Data and Goliath, 2015) defines a "hack" as an activity allowed by a system "that subverts the rules or norms of the system [...] at the expense of someone else affected by the system." In assessing the security of a particular system, technologists such as Schneier look at how it might fail. In order to counter a hack, it becomes necessary to think like a hacker. Schneier lays out the ramifications of a variety of hacks, contrasting the hacking of the tax code to benefit the wealthy with hacks in realms such as sports that can innovate and change a game for the better. The key to dealing with hacks is being proactive and providing adequate patches to fix any vulnerabilities. Schneier's fascinating work illustrates how susceptible many systems are to being hacked and how lives can be altered by these subversions. Schneier's deep dive into this cross-section of technology and humanity makes for investigative gold.

    The book will be published on February 7. Here's the book's webpage. You can pre-order a signed copy from me here.

    ** *** ***** ******* *********** *************

    Upcoming Speaking Engagements

    [2023.01.14] This is a current list of where and when I am scheduled to speak:

    I'm speaking at Capricon, a four-day science fiction convention in Chicago. My talk is on "The Coming AI Hackers" and will be held Friday, February 3 at 1:00 PM.
    The list is maintained on this page.

    ** *** ***** ******* *********** *************

    Since 1998, CRYPTO-GRAM has been a free monthly newsletter providing summaries, analyses, insights, and commentaries on security technology. To subscribe, or to read back issues, see Crypto-Gram's web page.

    You can also read these articles on my blog, Schneier on Security.

    Please feel free to forward CRYPTO-GRAM, in whole or in part, to colleagues and friends who will find it valuable. Permission is also granted to reprint CRYPTO-GRAM, as long as it is reprinted in its entirety.

    Bruce Schneier is an internationally renowned security technologist, called a security guru by the Economist. He is the author of over one dozen books -- including his latest, We Have Root -- as well as hundreds of articles, essays, and academic papers. His newsletter and blog are read by over 250,000 people. Schneier is a fellow at the Berkman Klein Center for Internet & Society at Harvard University; a Lecturer in Public Policy at the Harvard Kennedy School; a board member of the Electronic Frontier Foundation, AccessNow, and the Tor Project; and an Advisory Board Member of the Electronic Privacy Information Center and VerifiedVoting.org. He is the Chief of Security Architecture at Inrupt, Inc.

    Copyright © 2023 by Bruce Schneier.

    --- BBBS/Li6 v4.10 Toy-5
    * Origin: TCOB1 - binkd.thecivv.ie (618:500/14)