• CRYPTO-GRAM, November 15, 2024 Part 4

    From Sean Rima@21:1/229.1 to All on Fri Nov 15 16:13:30 2024

    Tor has written about this.

    Hacker News thread.

    ** *** ***** ******* *********** ************* Simson Garfinkel on Spooky Cryptographic Action at a Distance

    [2024.10.30] Excellent read. One example:

    Consider the case of basic public key cryptography, in which a person’s
    public and private key are created together in a single operation.
    These two keys are entangled, not with quantum physics, but with math.

    When I create a virtual machine server in the Amazon cloud, I am
    prompted for an RSA public key that will be used to control access to
    the machine. Typically, I create the public and private keypair on my
    laptop and upload the public key to Amazon, which bakes my public key
    into the server’s administrator account. My laptop and that remote
    server are thus entangled, in that the only way to log into the server
    is using the key on my laptop. And because that administrator account
    can do anything to that server -- read the sensitive data, hack the
    web server to install malware on people who visit its web pages, or
    anything else I might care to do -- the private key on my laptop
    represents a security risk for that server.

    Here’s why it’s impossible to evaluate a server and know if it is
    secure: as long as that private key exists on my laptop, that server has a
    vulnerability. But if I delete that private key, the vulnerability goes
    away. By deleting the data, I have removed a security risk from the
    server and its security has increased. This is true entanglement! And
    it is spooky: not a single bit has changed on the server, yet it is
    more secure.

    Read it all.
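    The keypair-and-server relationship Garfinkel describes, as an added example that is not from his essay, from Amazon, or from this newsletter: a constructed toy server that stores only the public half of the key and authenticates by challenge-response, so the effect of deleting the laptop's private key on a server whose bits never change can be observed directly. The names `Server`, `Login` and `Entanglement` are assumptions; the cryptography is Go's standard `crypto/rsa`.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/hex"
)

// Server is a constructed stand-in for the cloud VM: after the upload it holds
// only the public half of the admin keypair, never the private half.
type Server struct{ AuthorizedPub *rsa.PublicKey }

// StateHash digests the server's stored admin state ("not a single bit has changed").
func (s *Server) StateHash() string {
	der, _ := x509.MarshalPKIXPublicKey(s.AuthorizedPub)
	sum := sha256.Sum256(der)
	return hex.EncodeToString(sum[:])
}

// Login models SSH-style challenge-response auth: the client signs a fresh server
// nonce and the server verifies it with the authorized public key (nil = deleted).
func (s *Server) Login(laptopKey *rsa.PrivateKey) bool {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil || laptopKey == nil {
		return false
	}
	digest := sha256.Sum256(nonce)
	sig, err := rsa.SignPKCS1v15(rand.Reader, laptopKey, crypto.SHA256, digest[:])
	if err != nil {
		return false
	}
	return rsa.VerifyPKCS1v15(s.AuthorizedPub, crypto.SHA256, digest[:], sig) == nil
}

// Entanglement runs the quoted scenario: generate the pair on the laptop, upload the
// public key, log in, delete the private key, retry, and compare server state.
func Entanglement() (before, after, serverChanged bool) {
	laptopKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	srv := &Server{AuthorizedPub: &laptopKey.PublicKey}
	state := srv.StateHash()
	before = srv.Login(laptopKey)
	laptopKey = nil // the laptop deletes its private key; the server is not told
	after = srv.Login(laptopKey)
	serverChanged = srv.StateHash() != state
	return before, after, serverChanged
}
```

    `Entanglement()` returns `(true, false, false)`: login worked, then stopped working, while the server's state hash stayed identical.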

    ** *** ***** ******* *********** ************* Tracking World Leaders Using Strava

    [2024.10.31] Way back in 2018, people noticed that you could find secret military bases using data published by the Strava fitness app. Soldiers and other military personnel were using it to track their runs, and you could look at the public data and find places where there should be no people running.

    Six years later, the problem remains. Le Monde has reported that the same Strava data can be used to track the movements of world leaders. They don’t wear the tracking device, but many of their bodyguards do.

    ** *** ***** ******* *********** ************* Roger Grimes on Prioritizing Cybersecurity Advice

    [2024.10.31] This is a good point:

    Part of the problem is that we are constantly handed lists...list of
    required controls...list of things we are being asked to fix or
    improve...lists of new projects...lists of threats, and so on, that are
    not ranked for risks. For example, we are often given a cybersecurity
    guideline (e.g., PCI-DSS, HIPAA, SOX, NIST, etc.) with hundreds of
    recommendations. They are all great recommendations, which if followed,
    will reduce risk in your environment.

    What they do not tell you is which of the recommended things will have
    the most impact on best reducing risk in your environment. They do not
    tell you that one, two or three of these things...among the hundreds
    that have been given to you, will reduce more risk than all the others.

    [...]

    The solution?

    Here is one big one: Do not use or rely on un-risk-ranked lists.
    Require any list of controls, threats, defenses, solutions to be
    risk-ranked according to how much actual risk they will reduce in the
    current environment if implemented.

    [...]

    This specific CISA document has at least 21 main recommendations, many
    of which lead to two or more other more specific recommendations.
    Overall, it has several dozen recommendations, each of which
    individually will likely take weeks to months to fulfill in any
    environment if not already accomplished. Any person following this
    document is...rightly...going to be expected to evaluate and implement
    all those recommendations. And doing so will absolutely reduce risk.

    The catch is: There are two recommendations that WILL DO MORE THAN ALL
    THE REST ADDED TOGETHER TO REDUCE CYBERSECURITY RISK most efficiently:
    patching and using multifactor authentication (MFA). Patching is listed
    third. MFA is listed eighth. And there is nothing to indicate their
    ability to significantly reduce cybersecurity risk as compared to the
    other recommendations. Two of these things are not like the other, but
    how is anyone reading the document supposed to know that patching and
    using MFA really matter more than all the rest?

    ** *** ***** ******* *********** ************* Sophos Versus the Chinese Hackers

    [2024.11.04] Really interesting story of Sophos’s five-year war against Chinese hackers.

    ** *** ***** ******* *********** ************* AIs Discovering Vulnerabilities

    [2024.11.05] I’ve been writing about the possibility of AIs automatically discovering code vulnerabilities since at least 2018. This is an ongoing area of research: AIs doing source code scanning, AIs finding zero-days in the wild, and everything in between. The AIs aren’t very good at it yet, but they’re getting better.

    Here’s some anecdotal data from this summer:

    Since July 2024, ZeroPath is taking a novel approach combining deep
    program analysis with adversarial AI agents for validation. Our
    methodology has uncovered numerous critical vulnerabilities in
    production systems, including several that traditional Static
    Application Security Testing (SAST) tools were ill-equipped to find.
    This post provides a technical deep-dive into our research methodology
    and a living summary of the bugs found in popular open-source tools.

    * Origin: High Portable Tosser at my node (21:1/229.1)