From the Mind of Trevor Stone

Encryption Turns a Network Security Problem Into a Key Management Problem

2021-08-10T06:33:56Z

After over a decade, the time has finally come…
someone sent me an email encrypted with my PGP public key.

Based on the timestamp on my website, I set up GnuPG in 2007, which is two computers and about four hard drives ago. And while I'm a digital pack rat, those were the days that "copy your entire old computer to your new computer" would still cramp your new computer's space. So I would manually copy the home directory contents I knew I'd want like Documents and .vimrc but I probably didn't notice my private key file.

So for more than a decade I've been advertising a way to send me an email that no one can intercept and decrypt… including myself. 🤦‍♂️

comments

Heads Up: Potential LiveJournal Password Breach

2018-10-11T04:12:48Z

I received the following email today, addressed to the plain text LiveJournal password I've had for over a decade. If you have or had a LiveJournal account, consider changing your password, and the password of any site which shared a password.

Received: from [197.29.14.197] (unknown [197.29.14.197]) by my.smtp.host (Postfix) with ESMTP id 1336F87C71 for <my-livejournal-address@my-host>; Wed, 10 Oct 2018 18:03:34 +0000 (UTC) Message-ID: <5BBE4D0A.8030000@my-host> Date: Wed, 10 Oct 2018 19:03:38 +0000 From: <my-livejournal-address@my-host> User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.2.4) Gecko/20100608 Thunderbird/3.1 MIME-Version: 1.0 To: "my-livejournal-password" <my-livejournal-address@my-host> Subject: Security Warning Content-Type: text/plain; charset=CP-850; format=flowed Content-Transfer-Encoding: 8bit

8Hello!
I'm a member of an international hacker group.

As you could probably have guessed, your account my-livejournal-address@my-host was hacked, because I sent message you from your account.

Now I have access to all your accounts!
For example, your password for my-livejournal-address@my-host: my-livejournal-password

Within a period from July 30, 2018 to October 9, 2018, you were infected by the virus we've created, through an adult website you've visited.
So far, we have access to your messages, social media accounts, and messengers.
Moreover, we've gotten full damps of these data.

We are aware of your little and big secrets...yeah, you do have them. We saw and recorded your doings on porn websites. Your tastes are so weird, you know..

But the key thing is that sometimes we recorded you with your webcam, syncing the recordings with what you watched!
I think you are not interested show this video to your friends, relatives, and your intimate one...

Transfer $800 to our Bitcoin wallet: 1GdegtNpYcvoCPsMmyiSkZARDdAmYuXGXU
If you don't know about Bitcoin please input in Google "buy BTC". It's really easy.

I guarantee that after that, we'll erase all your "data" :)

A timer will start once you read this message. You have 48 hours to pay the above-mentioned amount.

Your data will be erased once the money are transferred.
If they are not, all your messages and videos recorded will be automatically sent to all your contacts found on your devices at the moment of infection.

You should always think about your security.
We hope this case will teach you to keep secrets.
Take care of yourself.

A couple notes:

LiveJournal is the only site I've used this password on. Dreamwidth also has a copy of the password, so that it can crosspost.
I suspect that this extortion attempt is based on access to a LiveJournal user database or dump (rather than intercepted from a Dreamwidth crosspost request) because it was sent to an email address I only use with LiveJournal, and which I don't think Dreamwidth knows, nor (I think) is it publicly available on the LJ site.
The sender didn't change my password on LiveJournal and doesn't appear to have performed any vandalism, so I suspect they didn't log in with the compromised password.
A good indication that sending bitcoin would be a bad idea: the email gives no way to tell the recipient whose "data" to delete.
Other than the password itself, none of the claims in the email are true. Googling the bitcoin address leads to a report that this scam is going around (it's a variant of one that's about a year old) and a couple dozen reports on bitcoinabuse.com.
So far, that address has received two transactions, with a total value of about eight dollars… maybe not as lucrative as the scammer had hoped.

So it sounds like LiveJournal's password database was compromised… at some point in the last decade or so. Probably in the last few months, though. If you've got an LJ account, it would be a good idea to change it (and update your DW crosspost settings). If you used the same password on other sites, change those passwords as well (to something different).

ETA October 20 I got another email with the username and password of a second LiveJournal account that I created years ago and mostly forgot about. This makes me fairly certain that the scammers are either operating with an exfiltrated LJ user password database or they had an implant in the site many years ago but have only made use of it now. Whoever answered the support ticket I filed to alert about the security incident was fairly dismissive, though. Hopefully someone at LJ will take the breach seriously and at least notify affected users.

The new email content is a little different, and its bitcoin address 1AzdzwWHaJXytimxenzi45JVtY4FsXwLZZ has not yet received any payments and it's got several abuse reports. The address on the first email I got has received about 1.12 bitcoin; I guess $7200 is enough of a spam payout to keep a scammer motivated to keep cracking passwords.

ETA October 28 Another address, with two messages on October 22nd: 1JTtwbvmM7ymByxPYCByVYCwasjH49J3Vj has received over 4.7 bitcoin which is over $30,000 at current exchange rates. It's received nearly 300 abuse reports.

On October 22nd, the first address, along with 8 others, transferred 1.656 bitcoin (about $10,000) to an intermediate address which transferred it on to an account which now has exactly 5 bitcoin ($3200) and another which seems to be part of a further web of intermediate accounts. The second address I got a threat from only got 0.376 bitcoin ($2400) with no transactions since the 22nd, and hasn't yet cashed out. Assuming these accounts are all part of the same spam push, over $60k from people who are savvy enough to figure out how to buy and send bitcoin but aren't savvy enough to realize this is a hoax seems like a pretty good return.

comments

Letter to My Senators: Allow Americans to Opt Out of Data Collection by Insecure Credit Bureaus

2017-10-03T04:48:10Z

Senator Bennet,

Thank you for introducing the Energy Storage Tax Incentive and Deployment Act. Distributed electricity storage helps make our power system more robust and can help lessen the impact when our normally-reliable electrical grid suffers an outage.

Senator Gardner,

Thank you for your letter last week in support of assistance to Puerto Rico to reestablish electric power in the aftermath of Hurricane Maria. As someone affected by the 2013 Colorado floods, I know how challenging it is to deal with a disruption to infrastructure that we take for granted. I hope the people of Puerto Rico can soon experience the same ecstatic relief I felt when power was restored after the flood.

I am writing you today about another sort of infrastructure that Americans rarely think about until there’s a problem. As you know, the credit bureau Equifax’s computer systems were compromised in May, allowing the intruders to exfiltrate data about tens of millions of Americans for more than two months. The response to the incident from Equifax has been, frankly, awful. They waited to inform the American people about the breach for five weeks. And once the incident was announced, Equifax was unable to handle the public taking action to secure their data: among other problems, the company did not properly deploy the web encryption standard SSL and the site allowing users to freeze their credit file was unable to handle the demand, leaving many Americans frustrated and frightened about what might done with their data. The cybercriminals who have purloined this data are now able to commit identity and financial fraud in the name of these people, none of whom personally entrusted their data to Equifax.

Credit bureaus like Equifax are not subject to the same market pressures as other companies who collect data from consumers. I am a software engineer working in the cloud storage industry. I am proud that our customers trust us with some of their most private data, and it is crucial for efficient market function that they can delete their data and cancel their account when they choose, whether due to distrust of our security practices or because the data are no longer needed. Likewise, a bank which does not prioritize cybersecurity can expect to lose customers. Unfortunately, credit bureaus which collect and data on nearly every American are not subject to significant financial repercussions when they mishandle that data. The people whose data was stolen did not choose to give that data to the credit bureau, nor are they permitted to remove their data from the company which cannot protect it. The bureaus’ main paying customers—companies seeking data about Americans—are likewise not incentivized to prefer companies with the best security practices, since these paying customers do not suffer the consequences when an American’s identity is stolen.

I urge you to work with the Senate to bring clarity to the American people on what data credit bureaus collect on Americans, how it is stored, and how we can better protect it. I further urge you to work to refine the laws under which credit bureaus operate and ensure that Americans can opt out of having their data collected, and require companies to delete non-public data about Americans upon request. Individual Americans stand to lose the most when their identity is stolen, so they must have the tools to safeguard that identity data, including the ability to revoke it from a company whose security process they do not trust.

Thank you for your service and for your consideration on this matter,
Trevor Stone

Ironically, I had to try several times to submit this through Senator Cory Gardner's website, sine senate.gov kept returning an error that said

Request not Accepted - Security Risk Detected
Request not Accepted
Your submitted request contained a potential security risk.

Please try your submission again using natively composed plain text (not copied and pasted from another document), with few or no hyperlinks, or other syntax that may be interpreted as computer code (examples: '--', '&').

*As stated in the privacy policy, unauthorized attempts to upload or change information are strictly prohibited.

So yeah, Equifax aren't the only ones who are bad at cybersecurity. My first guess was that the site was choking on smart quotes. Then on the em-dash above. Nope: you're not allowed to email a colon (:) to your Republican Senator. Senator Michael Bennet's submission form accepted the text without finding any threatening punctuation.

comments

Cyberattacks and Open Discourse

2017-03-12T08:13:17Z

The New York Times published a set of articles this week about U.S. military efforts to hack North Korean weapon systems to stymie the regime's goal of demonstrating an ICBM which could deliver a nuclear bomb to a city in the United States. The attempts so far seem to have been fairly successful, causing failures in most launch attempts of the current generation of North Korean rockets.

While the political and military tactics in this particular case and how the North Koreans may react or retaliate are fascinating, I'd like to take a step back and look at the bigger picture. The U.S. military is using "cyberweapons" and committing what one might term "cyberwarriors" in an offensive operation attacking infrastructure developed by a foreign state. This is also not a new policy: ample evidence indicates that U.S. and Israeli intelligence agencies built and deployed the Stuxnet worm to cause physical damage to nuclear centrifuges at Natanz in Iran, setting the Iranian government's nuclear ambitions back by a few years (and driving them batty in the process). The Stuxnet attack was authorized by George W. Bush and reauthorized by Barack Obama. The North Korean attacks were authorized by the Obama administration (probably the president himself) and is now under the direction of the Trump administration.

In many ways a "cyberweapon" is just a collection of software vulnerabilities packaged in a way that helps the attacker obtain information from or disrupt the operations of a particular network or computer system run by a target. A cyberwarrior and a common hacker use, by and large, the same tools–they differ primarily in motives and focus. The same vulnerability in, say, Microsoft Windows can be exploited to steal bank account credentials or to further infect an industrial control system and disrupt a nuclear fuel operation. The Stuxnet attack on Natanz and the current North Koraen attacks have had significant physical-world effects: large and dangerous objects were destroyed. Criminal and ideological hackers have thus far focused on digital payloads–stealing data, transferring money–but there's nothing preventing non-government attackers from creating havoc in the physical world, from disabling the power grid to releasing a flood of water from a dam to potentially triggering a nuclear meltdown.

Unlike the military hardware of the last century, governments, businesses, and individuals around the world generally use the same software and hardware from a small group of companies with worldwide scope. The Microsoft Windows on laptops, Android on smartphones, and firmware in Cisco routers is code that's used by people in every country. By and large, there's no "Iranian software," "North Korean software," or "American software"–with the Internet, it's all "world software." Every security bug that a military or intelligence agency discovers but doesn't disclose is one that goes unpatched by the vendor and could be exploited by another government or crime gang, harming the citizens, businesses, and government agencies that the military and spy agencies are tasked with protecting. This presents a particular problem for an organization like the NSA which have an explicit commitment to both defend American computer and communication networks while intercepting foreign communications of interest.

Physical war and military operations are, in large part, studied and debated in the open. The public and our elected representatives don't know the details of all military plans and technologies, but we're broadly aware of where military force is being used offensively and defensively and what sorts of tools and tactics we're comfortable with the military using. The country is able to have a public debate about topics like whether we should invade a country, how much money we're willing to spend to achieve military objectives, and whether we consider torture or cluster bombs to be acceptable tools of war making. (The pro-war advocates are often able to start their framing of the issues well before the public starts to engage in the debate, so we tend not to have a very effective public debate, but the opportunity is still there.)

"Cyberwar" and offensive security compromises by the government, by contrast, have been conducted under a thick veil of government secrecy. The people of the United States and our representatives in Congress have not had an opportunity to have a public debate about whether we're comfortable with the military, without declaring war, instigating digital battles with sovereign states. We haven't had a proper conversation about what sorts of cyberattacks we're comfortable and which are beyond the pale. We haven't effectively discussed the balance between concealing and weaponizing computer vulnerabilities for attack and defending our country's digital infrastructure by helping companies patch software when intelligence agencies find bugs. And we really haven't come to grips with what we'll do when a "cyberweapon" targeted at a narrow military objective is too effective and causes unintended damage elsewhere on the Internet, including to American assets. We also haven't taken an opportunity to establish treaties governing digital offensive activities, so other nations may take a cue from U.S. operations and decide that hacking is a legitimate tactic and invest in their own "cyberarmies" which attack and hurt American computer networks.

There are reasonable arguments both in favor of and opposed to offensive military hacking. Proponents can point out that a well-executed cyberattack has the potential to achieve its objective cheaper and with a lot less loss of life than a conventional military operation. Opponents can point out that a hacking operation that gets out of hand–as the Stuxnet worm did, infecting millions of computers around the world–it's a lot more work to halt than just calling off the bombers and withdrawing the troops. But so far these debates have been held quietly behind closed government doors and in memoranda stamped Top Secret. The public doesn't know what conclusions were reached and their interests were not well represented. Once Congress is done with their current project of attacking affordable health care and defunding public agencies, it would be great if they could demand that military, intelligence, and executive agencies include the American people in the conversation about the rules of engagement for offensive hacking. I'm not holding my breath, though.

Anyone interested in this topic should watch the fantastic documentary Zer0 Days. It features a detailed technical explanation of how the worm works from the security researchers who studied it (and impressive cinematic techniques to make this explanation engaging), insights from anonymous NSA employees, and some remarkably frank on-the-record interviews with government officials. I'd read the initial reporting on Stuxnet in 2010, but the movie exposed several fascinating facets of the story of which I was unaware. The interviews with government-associated figures help shape the views I expressed above, and some of the officials seem to share my position.

Bruce Schneier often writes well about this subject, too.

comments