Crypto-Gram
September 15, 2022

by Bruce Schneier
Fellow and Lecturer, Harvard Kennedy School schneier@schneier.com https://www.schneier.com

A free monthly newsletter providing summaries, analyses, insights, and commentaries on security: computer and otherwise.

For back issues, or to subscribe, visit Crypto-Gram's web page.

Read this issue on the web

These same essays and news items appear in the Schneier on Security blog, along with a lively and intelligent comment section. An RSS feed is available.

** *** ***** ******* *********** *************
In this issue:

If these links don't work in your email client, try reading this issue of Crypto-Gram on the web.

$23 Million YouTube Royalties Scam
Remotely Controlling Touchscreens
Zoom Exploit on MacOS
USB "Rubber Ducky" Attack Tool
Hyundai Uses Example Keys for Encryption System
Signal Phone Numbers Exposed in Twilio Hack
Mudge Files Whistleblower Complaint against Twitter
Man-in-the-Middle Phishing Attack
Security and Cheap Complexity
Levels of Assurance for DoD Microelectronics
FTC Sues Data Broker
High-School Graduation Prank Hack
Clever Phishing Scam Uses Legitimate PayPal Messages
Montenegro Is the Victim of a Cyberattack
The LockBit Ransomware Gang Is Surprisingly Professional
Facebook Has No Idea What Data It Has
Responsible Disclosure for Cryptocurrency Security
New Linux Cryptomining Malware
FBI Seizes Stolen Cryptocurrencies
Weird Fallout from Peiter ZatkoΓÇÖs Twitter Whistleblowing
Upcoming Speaking Engagements

** *** ***** ******* *********** *************
$23 Million YouTube Royalties Scam

[2022.08.15] Scammers were able to convince YouTube that other peopleΓÇÖs music was their own. They successfully stole $23 million before they were caught.

No one knows how common this scam is, and how much money total is being stolen in this way. Presumably this is not an uncommon fraud.

While the size of the heist and the breadth of the scheme may be very unique, itΓÇÖs certainly a situation that many YouTube content creators have faced before. YouTubeΓÇÖs Content ID system, meant to help creators, has been weaponized by bad faith actors in order to make money off content that isnΓÇÖt theirs. While some false claims are just mistakes caused by automated systems, the MediaMuv case is a perfect example of how fraudsters are also purposefully taking advantage of digital copyright rules.

YouTube attempts to be cautious with who it provides CMS and Content ID tool access because of how powerful these systems are. As a result, independent creators and artists cannot check for these false copyright claims nor do they have the power to directly act on them. They need to go through a digital rights management company that does have access. And it seems like thieves are doing the same, falsifying documents to gain access to these YouTube tools through these third parties that are ΓÇ£trustedΓÇ¥ with these tools by YouTube.

** *** ***** ******* *********** *************
Remotely Controlling Touchscreens

[2022.08.16] This is more of a demonstration than a real-world vulnerability, but researchers can use electromagnetic interference to remotely control touchscreens.

From a news article:

ItΓÇÖs important to note that the attack has a few key limitations. Firstly, the hackers need to know the targetΓÇÖs phone passcode, or launch the attack while the phone is unlocked. Secondly, the victim needs to put the phone face down, otherwise the battery and motherboard will block the electromagnetic signal. Thirdly, the antenna array has to be no more than four centimeters (around 1.5 inches) away. For all these reasons the researchers themselves admit that the ΓÇ£invisible fingerΓÇ¥ technique is a proof of concept that at this point is far from being a threat outside of a university lab.

EDITED TO ADD (9/12): The project has a website.

** *** ***** ******* *********** *************
Zoom Exploit on MacOS

[2022.08.17] This vulnerability was reported to Zoom last December:

The exploit works by targeting the installer for the Zoom application, which needs to run with special user permissions in order to install or remove the main Zoom application from a computer. Though the installer requires a user to enter their password on first adding the application to the system, Wardle found that an auto-update function then continually ran in the background with superuser privileges.

When Zoom issued an update, the updater function would install the new package after checking that it had been cryptographically signed by Zoom. But a bug in how the checking method was implemented meant that giving the updater any file with the same name as ZoomΓÇÖs signing certificate would be enough to pass the test -- so an attacker could substitute any kind of malware program and have it be run by the updater with elevated privilege.

It seems that itΓÇÖs not entirely fixed:

Following responsible disclosure protocols, Wardle informed Zoom about the vulnerability in December of last year. To his frustration, he says an initial fix from Zoom contained another bug that meant the vulnerability was still exploitable in a slightly more roundabout way, so he disclosed this second bug to Zoom and waited eight months before publishing the research.

EDITED TO ADD: Disclosure works. The vulnerability seems to be patched now.

** *** ***** ******* *********** *************
USB "Rubber Ducky" Attack Tool

[2022.08.18] The USB Rubber Ducky is getting better and better.

Already, previous versions of the Rubber Ducky could carry out attacks like creating a fake Windows pop-up box to harvest a userΓÇÖs login credentials or causing Chrome to send all saved passwords to an attackerΓÇÖs webserver. But these attacks had to be carefully crafted for specific operating systems and software versions and lacked the flexibility to work across platforms.

The newest Rubber Ducky aims to overcome these limitations. It ships with a major upgrade to the DuckyScript programming language, which is used to create the commands that the Rubber Ducky will enter into a target machine. While previous versions were mostly limited to writing keystroke sequences, DuckyScript 3.0 is a feature-rich language, letting users write functions, store variables, and use logic flow controls (i.e., if this... then that).

That means, for example, the new Ducky can run a test to see if itΓÇÖs plugged into a Windows or Mac machine and conditionally execute code appropriate to each one or disable itself if it has been connected to the wrong target. It also can generate pseudorandom numbers and use them to add variable delay between keystrokes for a more human effect.

Perhaps most impressively, it can steal data from a target machine by encoding it in binary format and transmitting it through the signals meant to tell a keyboard when the CapsLock or NumLock LEDs should light up. With this method, an attacker could plug it in for a few seconds, tell someone, ΓÇ£Sorry, I guess that USB drive is broken,ΓÇ¥ and take it back with all their passwords saved.

** *** ***** ******* *********** *************
Hyundai Uses Example Keys for Encryption System

[2022.08.22] This is a dumb crypto mistake I had not previously encountered:

A developer says it was possible to run their own software on the car infotainment hardware after discovering the vehicleΓÇÖs manufacturer had secured its system using keys that were not only publicly known but had been lifted from programming examples.

[...]

ΓÇ£Turns out the [AES] encryption key in that script is the first AES 128-bit CBC example key listed in the NIST document SP800-38A [PDF]ΓÇ¥.

[...]

Luck held out, in a way. ΓÇ£Greenluigi1ΓÇ¥ found within the firmware image the RSA public key used by the updater, and searched online for a portion of that key. The search results pointed to a common public key that shows up in online tutorials like ΓÇ£RSA Encryption & Decryption Example with OpenSSL in C.ΓÇ£

EDITED TO ADD (8/23): Slashdot post.

** *** ***** ******* *********** *************
Signal Phone Numbers Exposed in Twilio Hack

[2022.08.23] Twilio was hacked earlier this month, and the phone numbers of 1,900 Signal users were exposed:

HereΓÇÖs what our users need to know:

All users can rest assured that their message history, contact lists, profile information, whom theyΓÇÖd blocked, and other personal data remain private and secure and were not affected.
For about 1,900 users, an attacker could have attempted to re-register their number to another device or learned that their number was registered to Signal. This attack has since been shut down by Twilio. 1,900 users is a very small percentage of SignalΓÇÖs total users, meaning that most were not affected.

We are notifying these 1,900 users directly, and prompting them to re-register Signal on their devices.

If you were not notified, donΓÇÖt worry about it. But it does bring up the old question: Why does Signal require a phone number to use? It doesnΓÇÖt have to be that way.

** *** ***** ******* *********** *************
Mudge Files Whistleblower Complaint against Twitter

[2022.08.24] Peiter Zatko, aka Mudge, has filed a whistleblower complaint with the SEC against Twitter, claiming that it violated an eleven-year-old FTC settlement by having lousy security. And he should know; he was TwitterΓÇÖs chief security officer until he was fired in January.

The Washington Post has the scoop (with documents) and companion backgrounder. This CNN story is also comprehensive.

EDITED TO ADD: Another news article. Slashdot thread.

EDITED TO ADD (9/2): More info.

** *** ***** ******* *********** *************
Man-in-the-Middle Phishing Attack

[2022.08.25] HereΓÇÖs a phishing campaign that uses a man-in-the-middle attack to defeat multi-factor authentication:

Microsoft observed a campaign that inserted an attacker-controlled proxy site between the account users and the work server they attempted to log into. When the user entered a password into the proxy site, the proxy site sent it to the real server and then relayed the real serverΓÇÖs response back to the user. Once the authentication was completed, the threat actor stole the session cookie the legitimate site sent, so the user doesnΓÇÖt need to be reauthenticated at every new page visited. The campaign began with a phishing email with an HTML attachment leading to the proxy server.

** *** ***** ******* *********** *************
Security and Cheap Complexity

[2022.08.26] IΓÇÖve been saying that complexity is the worst enemy of security for a long time now. (HereΓÇÖs me in 1999.) And itΓÇÖs been true for a long time.

In 2018, Thomas Dullien of GoogleΓÇÖs Project Zero talked about ΓÇ£cheap complexity.ΓÇ¥ Andrew Appel summarizes:

The anomaly of cheap complexity. For most of human history, a more complex device was more expensive to build than a simpler device. This is not the case in modern computing. It is often more cost-effective to take a very complicated device, and make it simulate simplicity, than to make a simpler device. This is because of economies of scale: complex general-purpose CPUs are cheap. On the other hand, custom-designed, simpler, application-specific devices, which could in principle be much more secure, are very expensive.

This is driven by two fundamental principles in computing: Universal computation, meaning that any computer can simulate any other; and MooreΓÇÖs law, predicting that each year the number of transistors on a chip will grow exponentially. ARM Cortex-M0 CPUs cost pennies, though they are more powerful than some supercomputers of the 20th century.

The same is true in the software layers. A (huge and complex) general-purpose operating system is free, but a simpler, custom-designed, perhaps more secure OS would be very expensive to build. Or as Dullien asks,
ΓÇ£How did this research code someone wrote in two weeks 20 years ago end up in a billion devices?ΓÇ¥

This is correct. Today, itΓÇÖs easier to build complex systems than it is to build simple ones. As recently as twenty years ago, if you wanted to build a refrigerator you would create custom refrigerator controller hardware and embedded software. Today, you just grab some standard microcontroller off the shelf and write a software application for it. And that microcontroller already comes with an IP stack, a microphone, a video port, Bluetooth, and a whole lot more. And since those features are there, engineers use them.

** *** ***** ******* *********** *************
Levels of Assurance for DoD Microelectronics

[2022.08.29] The NSA has has published criteria for evaluating levels of assurance required for DoD microelectronics.

The introductory report in a DoD microelectronics series outlines the process for determining levels of hardware assurance for systems and custom microelectronic components, which include application-specific integrated circuits (ASICs), field programmable gate arrays (FPGAs) and other devices containing reprogrammable digital logic.

The levels of hardware assurance are determined by the national impact caused by failure or subversion of the top-level system and the criticality of the component to that top-level system. The guidance helps programs acquire a better understanding of their system and components so that they can effectively mitigate against threats.

The report was published last month, but I only just noticed it.

** *** ***** ******* *********** *************
FTC Sues Data Broker

[2022.08.30] This is good news:

The Federal Trade Commission (FTC) has sued Kochava, a large location data provider, for allegedly selling data that the FTC says can track people at reproductive health clinics and places of worship, according to an announcement from the agency.

ΓÇ£DefendantΓÇÖs violations are in connection with acquiring consumersΓÇÖ precise geolocation data and selling the data in a format that allows entities to track the consumersΓÇÖ movements to and from sensitive locations, including, among others, locations associated with medical care, reproductive health, religious worship, mental health temporary shelters, such as shelters for the homeless, domestic violence survivors, or other at risk populations, and addiction recovery,ΓÇ¥ the lawsuit reads.

** *** ***** ******* *********** *************
High-School Graduation Prank Hack

[2022.08.31] This is a fun story, detailing the hack a group of high school students perpetrated against an Illinois school district, hacking 500 screens across a bunch of schools.

During the process, the group broke into the schoolΓÇÖs IT systems; repurposed software used to monitor studentsΓÇÖ computers; discovered a new vulnerability (and reported it); wrote their own scripts; secretly tested their system at night; and managed to avoid detection in the schoolΓÇÖs network. Many of the techniques were not sophisticated, but they were pretty much all illegal.

It has a happy ending: no one was prosecuted.

A spokesperson for the D214 school district tells WIRED they can confirm the events in DuongΓÇÖs blog post happened. They say the district does not condone hacking and the ΓÇ£incident highlights the importance of the extensive cybersecurity learning opportunities the District offers to students.ΓÇ¥

ΓÇ£The District views this incident as a penetration test, and the students involved presented the data in a professional manner,ΓÇ¥ the spokesperson says, adding that its tech team has made changes to avoid anything similar happening again in the future.

The school also invited the students to a debrief, asking them to explain what they had done. ΓÇ£We were kind of scared at the idea of doing the debrief because we have to join a Zoom call, potentially with personally identifiable information,ΓÇ¥ Duong says. Eventually, he decided to use his real name, while other members created anonymous accounts. During the call, Duong says, they talked through the hack and he provided more details on ways the school could secure its system.

EDITED TO ADD (9/13): HereΓÇÖs Minh DuongΓÇÖs Defcon slides. You can see the table of contents of their report on page 59, and the schoolΓÇÖs response on page 60.

** *** ***** ******* *********** *************
Clever Phishing Scam Uses Legitimate PayPal Messages

[2022.09.01] Brian Krebs is reporting on a clever PayPal phishing scam that uses legitimate PayPal messaging.

Basically, the scammers use the PayPal invoicing system to send the email. The email lists a phone number to dispute the charge, which is not PayPal and quickly turns into a request to download and install a remote-access tool.

** *** ***** ******* *********** *************
Montenegro Is the Victim of a Cyberattack

[2022.09.02] Details are few, but Montenegro has suffered a cyberattack:

A combination of ransomware and distributed denial-of-service attacks, the onslaught disrupted government services and prompted the countryΓÇÖs electrical utility to switch to manual control.

[...]

But the attack against MontenegroΓÇÖs infrastructure seemed more sustained and extensive, with targets including water supply systems, transportation services and online government services, among many others.

Government officials in the country of just over 600,000 people said certain government services remained temporarily disabled for security reasons and that the data of citizens and businesses were not endangered.

The Director of the Directorate for Information Security, Dusan Polovic, said 150 computers were infected with malware at a dozen state institutions and that the data of the Ministry of Public Administration was not permanently damaged. Polovic said some retail tax collection was affected.

Russia is being blamed, but I havenΓÇÖt seen any evidence other than ΓÇ£theyΓÇÖre the obvious perpetrator.ΓÇ¥

EDITED TO ADD (9/12): The Montenegro government is hedging on that Russia attribution. It seems to be a regular criminal ransomware attack. The Cuba Ransomware gang has Russian members, but thatΓÇÖs not the same thing as the government.

** *** ***** ******* *********** *************
The LockBit Ransomware Gang Is Surprisingly Professional

[2022.09.07] This article makes LockBit sound like a legitimate organization:

The DDoS attack last weekend that put a temporary stop to leaking Entrust data was seen as an opportunity to explore the triple extortion tactic to apply more pressure on victims to pay a ransom.

LockBitSupp said that the ransomware operator is now looking to add DDoS as an extortion tactic on top of encrypting data and leaking it.

ΓÇ£I am looking for dudosers [DDoSers] in the team, most likely now we will attack targets and provide triple extortion, encryption + date leak + dudos, because I have felt the power of dudos and how it invigorates and makes life more interesting,ΓÇ¥ LockBitSupp wrote in a post on a hacker forum.

The gang also promised to share over torrent 300GB of data stolen from Entrust so ΓÇ£the whole world will know your secrets.ΓÇ¥

LockBitΓÇÖs spokesperson said that they would share the Entrust data leak privately with anyone that contacts them before making it available over torrent.

TheyΓÇÖre expanding: locking people out of their data, publishing it if the victim doesnΓÇÖt pay, and DDoSing their network as an additional incentive.

** *** ***** ******* *********** *************
Facebook Has No Idea What Data It Has

[2022.09.08] This is from a court deposition:

FacebookΓÇÖs stonewalling has been revealing on its own, providing variations on the same theme: It has amassed so much data on so many billions of people and organized it so confusingly that full transparency is impossible on a technical level. In the March 2022 hearing, Zarashaw and Steven Elia, a software engineering manager, described Facebook as a data-processing apparatus so complex that it defies understanding from within. The hearing amounted to two high-ranking engineers at one of the most powerful and resource-flush engineering outfits in history describing their product as an unknowable machine.

The special master at times seemed in disbelief, as when he questioned the engineers over whether any documentation existed for a particular Facebook subsystem. ΓÇ£Someone must have a diagram that says this is where this data is stored,ΓÇ¥ he said, according to the transcript. Zarashaw responded: ΓÇ£We have a somewhat strange engineering culture compared to most where we donΓÇÖt generate a lot of artifacts during the engineering process. Effectively the code is its own design document often.ΓÇ¥ He quickly added, ΓÇ£For what itΓÇÖs worth, this is terrifying to me when I first joined as well.ΓÇ¥

[...]

FacebookΓÇÖs inability to comprehend its own functioning took the hearing up to the edge of the metaphysical. At one point, the court-appointed special master noted that the ΓÇ£Download Your InformationΓÇ¥ file provided to the suitΓÇÖs plaintiffs must not have included everything the company had stored on those individuals because it appears to have no idea what it truly stores on anyone. Can it be that FacebookΓÇÖs designated tool for comprehensively downloading your information might not actually download all your information? This, again, is outside the boundaries of knowledge.

ΓÇ£The solution to this is unfortunately exactly the work that was done to create the DYI file itself,ΓÇ¥ noted Zarashaw. ΓÇ£And the thing I struggle with here is in order to find gaps in what may not be in DYI file, you would by definition need to do even more work than was done to generate the DYI files in the first place.ΓÇ¥

The systemic fogginess of FacebookΓÇÖs data storage made answering even the most basic question futile. At another point, the special master asked how one could find out which systems actually contain user data that was created through machine inference.

ΓÇ£I donΓÇÖt know,ΓÇ¥ answered Zarashaw. ΓÇ£ItΓÇÖs a rather difficult conundrum.ΓÇ¥

IΓÇÖm not surprised. These systems are so complex that no humans understand them anymore. That allows us to do things we couldnΓÇÖt do otherwise, but itΓÇÖs also a problem.

EDITED TO ADD: Another article.

** *** ***** ******* *********** *************
Responsible Disclosure for Cryptocurrency Security

[2022.09.09] Stewart Baker discusses why the industry-norm responsible disclosure for software vulnerabilities fails for cryptocurrency software.

Why canΓÇÖt the cryptocurrency industry solve the problem the way the software and hardware industries do, by patching and updating security as flaws are found? Two reasons: First, many customers donΓÇÖt have an ongoing relationship with the hardware and software providers that protect their funds
-- nor do they have an incentive to update security on a regular basis. Turning to a new security provider or using updated software creates risks; leaving everything the way it was feels safer. So users wonΓÇÖt be rushing to pay for and install new security patches.

Second, cryptocurrency is famously and deliberately decentralized, anonymized, and low friction. That means that the company responsible for hardware or software security may have no way to identify who used its product, or to get the patch to those users. It also means that many wallets with security flaws will be publicly accessible, protected only by an elaborate password. Once word of the flaw leaks, the password can be reverse engineered by anyone, and the legitimate owners are likely to find themselves in a race to move their assets before the thieves do. Even in the software industry, hackers routinely reverse engineer MicrosoftΓÇÖs patches to find the security flaws they fix and then try to exploit them before the patches have been fully installed.

He doesnΓÇÖt have any good ideas to fix this. I donΓÇÖt either. Just add it to the pile of blockchainΓÇÖs many problems.

** *** ***** ******* *********** *************
New Linux Cryptomining Malware

[2022.09.12] ItΓÇÖs pretty nasty:

The malware was dubbed ΓÇ£ShikitegaΓÇ¥ for its extensive use of the popular Shikata Ga Nai polymorphic encoder, which allows the malware to ΓÇ£mutateΓÇ¥ its code to avoid detection. Shikitega alters its code each time it runs through one of several decoding loops that AT&T said each deliver multiple attacks, beginning with an ELF file thatΓÇÖs just 370 bytes.

Shikitega also downloads Mettle, a Metasploit interpreter that gives the attacker the ability to control attached webcams and includes a sniffer, multiple reverse shells, process control, shell command execution and additional abilities to control the affected system.

[...]

The final stage also establishes persistence, which Shikitega does by downloading and executing five shell scripts that configure a pair of cron jobs for the current user and a pair for the root user using crontab, which it can also install if not available.

Shikitega also uses cloud hosting solutions to store parts of its payload, which it further uses to obfuscate itself by contacting via IP address instead of domain name. ΓÇ£Without [a] domain name, itΓÇÖs difficult to provide a complete list of indicators for detections since they are volatile and they will be used for legitimate purposes in a short period of time,ΓÇ¥ AT&T said.

Bottom line: Shikitega is a nasty piece of code. AT&T recommends Linux endpoint and IoT device managers keep security patches installed, keep EDR software up to date and make regular backups of essential systems.

Another article.

Slashdot thread.

** *** ***** ******* *********** *************
FBI Seizes Stolen Cryptocurrencies

[2022.09.13] The Wall Street Journal is reporting that the FBI has recovered over $30 million in cryptocurrency stolen by North Korean hackers earlier this year. ItΓÇÖs only a fraction of the $540 million stolen, but itΓÇÖs something.

The Axie Infinity recovery represents a shift in law enforcementΓÇÖs ability to trace funds through a web of so-called crypto addresses, the virtual accounts where cryptocurrencies are stored. These addresses can be created quickly without them being linked to a cryptocurrency company that could freeze the funds.

In its effort to mask the stolen crypto, Lazarus Group used more than 12,000 different addresses, according to Chainalysis. Unlike bank transactions that happen through private networks, movement between crypto accounts is visible to the world on the blockchain.

Advanced blockchain-monitoring tools and cooperation from centralized crypto exchanges enabled the FBI to trace the crypto to where Lazarus Group tried to cash out, investigators said.

The money was laundered through the Tornado Cash mixer.

** *** ***** ******* *********** *************
Weird Fallout from Peiter ZatkoΓÇÖs Twitter Whistleblowing

[2022.09.14] People are trying to dig up dirt on Peiter Zatko, better known as Mudge.

For the record, I have not been contacted. IΓÇÖm not sure if I should feel slighted.

** *** ***** ******* *********** *************
Upcoming Speaking Engagements

[2022.09.14] This is a current list of where and when I am scheduled to speak:

IΓÇÖm speaking as part of a Geneva Centre for Security Policy course on Cyber Security in the Context of International Security, online, on September 22, 2022.
IΓÇÖm speaking at IT-Security INSIDE 2022 in Zurich, Switzerland, on September 22, 2022.

The list is maintained on this page.

** *** ***** ******* *********** *************

Since 1998, CRYPTO-GRAM has been a free monthly newsletter providing summaries, analyses, insights, and commentaries on security technology. To subscribe, or to read back issues, see Crypto-Gram's web page.

You can also read these articles on my blog, Schneier on Security.

Please feel free to forward CRYPTO-GRAM, in whole or in part, to colleagues and friends who will find it valuable. Permission is also granted to reprint CRYPTO-GRAM, as long as it is reprinted in its entirety.

Bruce Schneier is an internationally renowned security technologist, called a security guru by the Economist. He is the author of over one dozen books -- including his latest, We Have Root -- as well as hundreds of articles, essays, and academic papers. His newsletter and blog are read by over 250,000 people. Schneier is a fellow at the Berkman Klein Center for Internet & Society at Harvard University; a Lecturer in Public Policy at the Harvard Kennedy School; a board member of the Electronic Frontier Foundation, AccessNow, and the Tor Project; and an Advisory Board Member of the Electronic Privacy Information Center and VerifiedVoting.org. He is the Chief of Security Architecture at Inrupt, Inc.

Copyright © 2022 by Bruce Schneier.

** *** ***** ******* *********** *************

--- BBBS/Li6 v4.10 Toy-5
* Origin: TCOB1 - binkd.thecivv.ie (21:1/229)