The Bruce Schneier Cryptogram Oct 2018

Every time I think about doing a monthly roundup of security issues I’m reminded of how good Bruce’s is.

In this issue:

  1. NSA Attacks Against Virtual Private Networks
  2. Public Shaming of Companies for Bad Security
  3. Pegasus Spyware Used in 45 Countries
  4. Security Vulnerability in ESS ExpressVote Touchscreen Voting Computer
  5. AES Resulted in a $250-Billion Economic Benefit
  6. New Findings About Prime Number Distribution Almost Certainly Irrelevant to Cryptography
  7. New Variants of Cold-Boot Attack
  8. Evidence for the Security of PKCS #1 Digital Signatures
  9. Counting People through a Wall with Wi-Fi
  10. Yet Another IoT Cybersecurity Document
  11. Major Tech Companies Finally Endorse Federal Privacy Regulation
  12. More on the Five Eyes Statement on Encryption and Backdoors
  13. Facebook Is Using Your Two-Factor Authentication Phone Number to Target Advertising
  14. Sophisticated Voice Phishing Scams
  15. Terahertz Millimeter-Wave Scanners
  16. The Effects of GDPR’s 72-Hour Notification Rule
  17. Helen Nissenbaum on Data Privacy and Consent
  18. Chinese Supply Chain Hardware Attack
  19. Conspiracy Theories around the “Presidential Alert”
  20. Detecting Credit Card Skimmers
  21. Defeating the “Deal or No Deal” Arcade Game
  22. The US National Cyber Strategy
  23. Access Now Is Looking for a Chief Security Officer
  24. Security Vulnerabilities in US Weapons Systems
  25. Another Bloomberg Story about Supply-Chain Hardware Attacks from China
  26. Security in a World of Physically Capable Computers
  27. Upcoming Speaking Engagements

Here’s this month’s web version of it. Good Hunting.


Patch Tuesday October 2018

Krebs (you read Krebs, right? You should…) has a great write-up on this month’s Windows patches.

Microsoft this week released software updates to fix roughly 50 security problems with various versions of its Windows operating system and related software, including one flaw that is already being exploited and another for which exploit code is publicly available.

We’re not big proponents of waiting to apply free bug-fix and security releases. Get to testing and apply them!

Are you a phish in barrel?

It doesn’t matter how much money you have spent on security; there is a very high probability that your security perimeter can be penetrated. Unfortunately, this is a reality we have learned to live with… but we don’t have to.

It all started with the CWRT research team spoofing emails from certain very high-level politicians, CEOs, and other famous people. We only spoofed each other, for educational reasons… Evil thoughts ranged from starting the next “me too” movement to exfiltrating secrets by impersonating someone’s boss and requesting they save the data to USB, save it to a Dropbox, or open an infected file. It was soon apparent that we could manipulate nearly any situation with a strategically spoofed email. When done correctly it’s nearly impossible, even for the best-trained user, to distinguish real from forged emails.

Want your own proof that spoofing will work on your company? We thought you might, so we made this tool: enter your corporate email, press the button, and see which spoofs work and how to fix them.

Check it for yourself.

Did you get any of the 5 test emails the page sent? Did any of them end up in spam?

If they made it into spam or into your inbox, you could easily be spoofed. This means an attacker can email any number of tricks into your user base and be successful. Properly configured email security checks should cause your mail servers to refuse the message at connection time, so it is never accepted… not even into spam.

How big of an issue is this?

To many, email is a boring security conversation. Those of us in security understand clearly that email can be easily faked. What we may not realize is that the rest of the world is going about daily operations with reasonably critical business processes happening over email. We trust communications from our co-workers, bosses, and partners, yet all of them are subject to email manipulation.

We were able to impersonate highly classified email addresses where we should not have been able to.

How big of an issue is this?

General attacks    Commercial    Federal
Email              95%           90%
Web                4%            1%
Other              1%            9%

Direct attacks     Commercial    Federal
Email              90%           70%
Web                7%            1%
Other              3%            29%

* Stats are estimates from real-world threat intelligence by the ADi Cyber Warfare Research Team (CWRT).

Wouldn’t it make sense to close the email threat gap?

We have all seen the recent uptick of phish-me-type products to train your users.

Training is an excellent idea and really works in the security world. Treating people well and having a great culture is also useful.

There are email security controls that all modern email systems support; DHS BOD 18-01 has mandated these controls for federal agencies since last year. Below is a snippet from BOD 18-01:

“Federal agency “cyber hygiene” greatly impacts user security. By implementing specific security standards that have been widely adopted in industry, federal agencies can ensure the integrity and confidentiality of internet-delivered data, minimize spam, and better protect users who might otherwise fall victim to a phishing email that appears to come from a government-owned system.”

…way overdue if you ask me.

From 2006 to 2014 SPF was slowly rolled out as an industry-recommended technology, but many organizations still had not implemented the basics of protection as of 2018. In many cases we are able to spoof even when checks are enabled. Very few have all of the email security checks in place and completely pass our simple tests on

The fix:

  • SPF
  • DKIM
  • Authentication
  • Reverse DNS
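To show what the SPF part of that fix actually decides, here is a small offline SPF evaluator (an added example, not the CWRT tool or any code from the original post). The two TXT records and the IP addresses are constructed: the weak record only softfails forged mail, which is exactly the “lands in spam” outcome described above, while the hardened record fails it so the receiving server can refuse the connection. It handles ip4/ip6/all terms only; include/a/mx need live DNS and are skipped.

```python
import ipaddress

# Constructed records for one domain: same authorized netblock, different policy.
WEAK_RECORD = "v=spf1 ip4:203.0.113.0/24 ~all"   # softfail: forged mail goes to spam
HARD_RECORD = "v=spf1 ip4:203.0.113.0/24 -all"   # fail: receiver can reject outright
QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record, sender_ip):
    """Return the SPF result for sender_ip under a published TXT record.

    Only ip4, ip6 and all are evaluated; include/a/mx/redirect are ignored
    because resolving them needs DNS. Running past the last term without a
    match yields 'neutral', the RFC 7208 default.
    """
    if not record.lower().startswith("v=spf1"):
        return "none"                      # no usable SPF policy published
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qual = "+"                         # mechanisms default to pass
        if term[0] in QUALIFIER:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return QUALIFIER[qual]
        if mech in ("ip4", "ip6"):
            try:
                if ip in ipaddress.ip_network(arg, strict=False):
                    return QUALIFIER[qual]
            except ValueError:
                continue                   # malformed term: skip, do not crash
    return "neutral"


def spoof_test(record, legit_ip="203.0.113.10", forged_ip="198.51.100.7"):
    """Mimic the post's spoof test with constructed addresses: a legitimate
    source should pass, and a forged source should hard-fail. Anything other
    than 'fail' for the forged source means the message can still reach
    the inbox or spam folder, i.e. the domain is spoofable."""
    legit = evaluate_spf(record, legit_ip)
    forged = evaluate_spf(record, forged_ip)
    return {"legit": legit, "forged": forged, "spoofable": forged != "fail"}


if __name__ == "__main__":
    for name, rec in (("weak", WEAK_RECORD), ("hard", HARD_RECORD)):
        print(name, spoof_test(rec))
```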

With all tech there are challenges, and each of the above solutions has its own. It can be very complicated to implement each one if you aren’t experienced. We tested many firms with all of those protections at least partially enabled, only to find out the protections didn’t work at all. That’s why we created

Hopefully you passed the email spoof test; if not, you have some work to do.

Happy Hunting,