CRYPTO-GRAM, November 15, 2024 Part 4
From: Sean Rima@21:1/229.1 to All on Fri Nov 15 16:13:30 2024
Tor has written about this.
Hacker News thread.
** *** ***** ******* *********** *************
Simson Garfinkel on Spooky Cryptographic Action at a Distance
[2024.10.30] Excellent read. One example:
Consider the case of basic public key cryptography, in which a person’s
public and private key are created together in a single operation.
These two keys are entangled, not with quantum physics, but with math.
When I create a virtual machine server in the Amazon cloud, I am
prompted for an RSA public key that will be used to control access to
the machine. Typically, I create the public and private keypair on my
laptop and upload the public key to Amazon, which bakes my public key
into the server’s administrator account. My laptop and that remote
server are thus entangled, in that the only way to log into the server
is using the key on my laptop. And because that administrator account
can do anything to that server -- read the sensitive data, hack the
web server to install malware on people who visit its web pages, or
anything else I might care to do -- the private key on my laptop
represents a security risk for that server.
Here’s why it’s impossible to evaluate a server and know if it is
secure: as long as that private key exists on my laptop, that server has a
vulnerability. But if I delete that private key, the vulnerability goes
away. By deleting the data, I have removed a security risk from the
server and its security has increased. This is true entanglement! And
it is spooky: not a single bit has changed on the server, yet it is
more secure.
Read it all.
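As an added illustration of the entanglement Garfinkel describes (example code written for this page, not from his essay or from Amazon's tooling): the server stores nothing but the uploaded public key, every login is a fresh challenge that only the laptop's private key can sign, and deleting that private key makes login impossible while not a single byte on the server changes. The Server and Laptop types, the RSA-PSS-over-SHA-256 challenge-response, and the 2048-bit key size are assumptions that stand in for the real SSH public-key authentication an EC2 instance actually uses.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"errors"
	"fmt"
)

// Server models the cloud VM's administrator account. The only key material
// it ever holds is the DER-encoded public key uploaded at provisioning time.
type Server struct {
	AuthorizedKey []byte
}

// Laptop models the operator's machine, which holds the private half.
type Laptop struct {
	priv *rsa.PrivateKey
}

// NewLaptop generates the keypair locally, as the essay describes: both
// halves come out of one operation, and only the public half leaves the laptop.
func NewLaptop() (*Laptop, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048) // assumed key size
	if err != nil {
		return nil, err
	}
	return &Laptop{priv: priv}, nil
}

// PublicKeyDER is the half that gets "uploaded to Amazon".
func (l *Laptop) PublicKeyDER() []byte {
	return x509.MarshalPKCS1PublicKey(&l.priv.PublicKey)
}

// DeletePrivateKey is the act the essay calls removing the vulnerability.
func (l *Laptop) DeletePrivateKey() { l.priv = nil }

// Sign answers a login challenge; it is only possible while the private key exists.
func (l *Laptop) Sign(challenge []byte) ([]byte, error) {
	if l.priv == nil {
		return nil, errors.New("private key has been deleted; cannot authenticate")
	}
	digest := sha256.Sum256(challenge)
	return rsa.SignPSS(rand.Reader, l.priv, crypto.SHA256, digest[:], nil)
}

// NewChallenge issues a fresh random nonce so a captured signature cannot be replayed.
func (s *Server) NewChallenge() ([]byte, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return nonce, nil
}

// Verify checks the signature using nothing but the stored public key.
func (s *Server) Verify(challenge, sig []byte) error {
	pub, err := x509.ParsePKCS1PublicKey(s.AuthorizedKey)
	if err != nil {
		return err
	}
	digest := sha256.Sum256(challenge)
	return rsa.VerifyPSS(pub, crypto.SHA256, digest[:], sig, nil)
}

// Login runs one challenge-response round between the two machines and
// returns nil only when the laptop could produce a valid signature.
func Login(s *Server, l *Laptop) error {
	challenge, err := s.NewChallenge()
	if err != nil {
		return err
	}
	sig, err := l.Sign(challenge)
	if err != nil {
		return err
	}
	return s.Verify(challenge, sig)
}

func main() {
	laptop, err := NewLaptop()
	if err != nil {
		panic(err)
	}
	server := &Server{AuthorizedKey: laptop.PublicKeyDER()}
	before := append([]byte(nil), server.AuthorizedKey...)

	fmt.Println("login with key present:", Login(server, laptop))

	laptop.DeletePrivateKey()
	fmt.Println("login after deletion:", Login(server, laptop))
	fmt.Println("server state changed:", !bytes.Equal(before, server.AuthorizedKey))
}
```

The second login fails purely because of state on the laptop; the server's authorized key is byte-for-byte what it was, which is the "spooky" part of the essay in runnable form.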
** *** ***** ******* *********** *************
Tracking World Leaders Using Strava
[2024.10.31] Way back in 2018, people noticed that you could find secret military bases using data published by the Strava fitness app. Soldiers and other military personnel were using it to track their runs, and you could look at the public data and find places where there should be no people running.
Six years later, the problem remains. Le Monde has reported that the same Strava data can be used to track the movements of world leaders. They don’t wear the tracking device, but many of their bodyguards do.
** *** ***** ******* *********** *************
Roger Grimes on Prioritizing Cybersecurity Advice
[2024.10.31] This is a good point:
Part of the problem is that we are constantly handed lists...list of
required controls...list of things we are being asked to fix or
improve...lists of new projects...lists of threats, and so on, that are
not ranked for risks. For example, we are often given a cybersecurity
guideline (e.g., PCI-DSS, HIPAA, SOX, NIST, etc.) with hundreds of
recommendations. They are all great recommendations, which if followed,
will reduce risk in your environment.
What they do not tell you is which of the recommended things will have
the most impact on best reducing risk in your environment. They do not
tell you that one, two or three of these things...among the hundreds
that have been given to you, will reduce more risk than all the others.
[...]
The solution?
Here is one big one: Do not use or rely on un-risk-ranked lists.
Require any list of controls, threats, defenses, solutions to be
risk-ranked according to how much actual risk they will reduce in the
current environment if implemented.
[...]
This specific CISA document has at least 21 main recommendations, many
of which lead to two or more other more specific recommendations.
Overall, it has several dozen recommendations, each of which
individually will likely take weeks to months to fulfill in any
environment if not already accomplished. Any person following this
document is...rightly...going to be expected to evaluate and implement
all those recommendations. And doing so will absolutely reduce risk.
The catch is: There are two recommendations that WILL DO MORE THAN ALL
THE REST ADDED TOGETHER TO REDUCE CYBERSECURITY RISK most efficiently:
patching and using multifactor authentication (MFA). Patching is listed
third. MFA is listed eighth. And there is nothing to indicate their
ability to significantly reduce cybersecurity risk as compared to the
other recommendations. Two of these things are not like the other, but
how is anyone reading the document supposed to know that patching and
using MFA really matter more than all the rest?
** *** ***** ******* *********** *************
Sophos Versus the Chinese Hackers
[2024.11.04] Really interesting story of Sophos’s five-year war against Chinese hackers.
** *** ***** ******* *********** *************
AIs Discovering Vulnerabilities
[2024.11.05] I’ve been writing about the possibility of AIs automatically discovering code vulnerabilities since at least 2018. This is an ongoing
area of research: AIs doing source code scanning, AIs finding zero-days in
the wild, and everything in between. The AIs aren’t very good at it yet,
but they’re getting better.
Here’s some anecdotal data from this summer:
Since July 2024, ZeroPath is taking a novel approach combining deep
program analysis with adversarial AI agents for validation. Our
methodology has uncovered numerous critical vulnerabilities in
production systems, including several that traditional Static
Application Security Testing (SAST) tools were ill-equipped to find.
This post provides a technical deep-dive into our research methodology
and a living summary of the bugs found in popular open-source tools.
* Origin: High Portable Tosser at my node (21:1/229.1)