Crypto-Gram
August 15, 2024
by Bruce Schneier
Fellow and Lecturer, Harvard Kennedy School
schneier@schneier.com
https://www.schneier.com
A free monthly newsletter providing summaries, analyses, insights, and commentaries on security: computer and otherwise.
For back issues, or to subscribe, visit Crypto-Gram's web page.
Read this issue on the web
These same essays and news items appear in the Schneier on Security blog, along with a lively and intelligent comment section. An RSS feed is available.
** *** ***** ******* *********** *************
In this issue:
If these links don't work in your email client, try reading this issue of Crypto-Gram on the web.
Hacking Scientific Citations
Cloudflare Reports that Almost 7% of All Internet Traffic Is Malicious
Criminal Gang Physically Assaulting People for Their Cryptocurrency
Brett Solomon on Digital Rights
Snake Mimics a Spider
2017 ODNI Memo on Kaspersky Labs
Robot Dog Internet Jammer
Data Wallets Using the Solid Protocol
The CrowdStrike Outage and Market-Driven Brittleness
Compromising the Secure Boot Process
New Research in Detecting AI-Generated Videos
Providing Security Updates to Automobile Software
Education in Secure Software Development
Leaked GitHub Python Token
New Patent Application for Car-to-Car Surveillance
On the Cyber Safety Review Board
Problems with Georgia's Voter Registration Portal
People-Search Site Removal Services Largely Ineffective
Taxonomy of Generative AI Misuse
On the Voynich Manuscript
Texas Sues GM for Collecting Driving Data without Consent
Upcoming Speaking Engagements
** *** ***** ******* *********** *************
Hacking Scientific Citations
[2024.07.15] Some scholars are inflating their reference counts by sneaking them into metadata:
Citations of scientific work abide by a standardized referencing system: Each reference explicitly mentions at least the title, authors' names, publication year, journal or conference name, and page numbers of the cited publication. These details are stored as metadata, not visible in the article's text directly, but assigned to a digital object identifier, or DOI -- a unique identifier for each scientific publication.
References in a scientific publication allow authors to justify methodological choices or present the results of past studies, highlighting the iterative and collaborative nature of science.
However, we found through a chance encounter that some unscrupulous actors have added extra references, invisible in the text but present in the articles' metadata, when they submitted the articles to scientific databases. The result? Citation counts for certain researchers or journals have skyrocketed, even though these references were not cited by the authors in their articles.
[...]
In the journals published by Technoscience Academy, at least 9% of recorded references were "sneaked references." These additional references were only in the metadata, distorting citation counts and giving certain authors an unfair advantage. Some legitimate references were also lost, meaning they were not present in the metadata.
In addition, when analyzing the sneaked references, we found that they highly benefited some researchers. For example, a single researcher who was associated with Technoscience Academy benefited from more than 3,000 additional illegitimate citations. Some journals from the same publisher benefited from a couple hundred additional sneaked citations.
Be careful what you're measuring, because that's what you'll get. Make sure it's what you actually want.
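The mechanism the quoted study describes is a mismatch between two reference lists: the one printed in the article and the one deposited as DOI metadata. The following is an added example (not code from the study, the newsletter or any publisher) showing how a practitioner can audit a single article for that mismatch. The article text and the metadata record are constructed for illustration; the metadata shape only loosely resembles a Crossref-style JSON "reference" array and is an assumption.

```python
"""Audit one article for "sneaked" and "lost" references by diffing DOIs.

Added example; the reference list and metadata record below are constructed,
not taken from any real publication.
"""
import json
import re

# Constructed sample: the reference list as printed in the article text.
ARTICLE_TEXT = """
References
1. Smith J. et al. (2020). Title A. J. Things 12:1-10. https://doi.org/10.1000/ABC.2020.001
2. Doe A. (2019). Title B. Conf. Proc. doi:10.1000/xyz.2019.7
3. Lee K. (2021). Title C. J. Things 13:5-9. DOI: 10.5555/lee-2021
"""

# Constructed sample: what was deposited with the DOI registrar for the same
# article (assumed shape, loosely modelled on a Crossref "reference" array).
DEPOSITED_METADATA = json.loads("""
{"DOI": "10.1000/example.2022.1",
 "reference": [
   {"key": "ref1", "DOI": "10.1000/abc.2020.001"},
   {"key": "ref2", "DOI": "10.1000/XYZ.2019.7"},
   {"key": "ref3", "DOI": "10.9999/sneaked.2018.1"},
   {"key": "ref4", "DOI": "10.9999/sneaked.2018.2"}
 ]}
""")

# A DOI is "10." + a 4-9 digit registrant prefix + "/" + a suffix without whitespace.
DOI_RE = re.compile(r'\b(10\.\d{4,9}/[^\s"<>]+)')


def normalize_doi(doi):
    """DOIs are case-insensitive; strip URL/label prefixes and trailing punctuation."""
    doi = doi.strip()
    for prefix in ("https://doi.org/", "http://doi.org/", "doi:"):
        if doi.lower().startswith(prefix):
            doi = doi[len(prefix):]
    return doi.rstrip(".,;)").lower()


def dois_in_text(text):
    return {normalize_doi(m) for m in DOI_RE.findall(text)}


def dois_in_metadata(record):
    return {normalize_doi(r["DOI"]) for r in record.get("reference", []) if r.get("DOI")}


def audit(text, record):
    """Return references counted but never cited, and cited but never counted."""
    in_text = dois_in_text(text)
    in_meta = dois_in_metadata(record)
    sneaked = in_meta - in_text   # inflate someone's citation count
    lost = in_text - in_meta      # the author's real citations that vanished
    return {
        "sneaked": sorted(sneaked),
        "lost": sorted(lost),
        "sneaked_share": len(sneaked) / len(in_meta) if in_meta else 0.0,
    }


if __name__ == "__main__":
    print(json.dumps(audit(ARTICLE_TEXT, DEPOSITED_METADATA), indent=2))
```

Run on the constructed sample, the audit reports two sneaked DOIs (half of the deposited list) and one legitimate reference that the deposit dropped, which is the same two-sided distortion the study found. Against real data you would pull the deposited record from the registrar's API and extract the printed list from the article PDF or HTML; the DOI normalization matters because registrars, publishers and authors mix case and URL prefixes freely.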
** *** ***** ******* *********** *************
Cloudflare Reports that Almost 7% of All Internet Traffic Is Malicious
[2024.07.17] 6.8%, to be precise.
From ZDNet:
However, Distributed Denial of Service (DDoS) attacks continue to be cybercriminals' weapon of choice, making up over 37% of all mitigated traffic. The scale of these attacks is staggering. In the first quarter of 2024 alone, Cloudflare blocked 4.5 million unique DDoS attacks. That total is nearly a third of all the DDoS attacks they mitigated the previous year.
But it's not just about the sheer volume of DDoS attacks. The sophistication of these attacks is increasing, too. Last August, Cloudflare mitigated a massive HTTP/2 Rapid Reset DDoS attack that peaked at 201 million requests per second (RPS). That number is three times bigger than any previously observed attack.
It wasn't just Cloudflare that was hit by the largest DDoS attack in its history. Google Cloud reported the same attack peaked at an astonishing 398 million RPS. So, how big is that number? According to Google, Google Cloud was slammed by more RPS in two minutes than Wikipedia saw traffic during September 2023.
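HTTP/2 Rapid Reset, mentioned in the quote above, works by having the client open a stream with a HEADERS frame and immediately cancel it with RST_STREAM, so the server does the work of starting a request while the client never has to wait for a response. The tell-tale signature is therefore a connection whose streams are reset within milliseconds of being opened, at a rate no browser produces. The following is an added example (not Cloudflare's, Google's or ZDNet's code) of that detection logic run over frame-level log lines. The log format (`conn=`, `stream=`, `frame=` fields) is an assumption, and the sample lines are constructed in the block itself.

```python
"""Flag HTTP/2 connections that show Rapid Reset behaviour in frame logs.

Added example; the log format is assumed and the sample lines are
constructed, not captured from a real proxy.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Assumed per-frame log line: "<iso timestamp> conn=<id> stream=<n> frame=<TYPE> ..."
LINE_RE = re.compile(r'^(?P<ts>\S+) conn=(?P<conn>\S+) stream=(?P<stream>\d+) frame=(?P<frame>\w+)')


def _line(t, conn, stream, frame):
    """Build one constructed log line at epoch time t."""
    return f"{datetime.fromtimestamp(t, timezone.utc).isoformat()} conn={conn} stream={stream} frame={frame}"


T0 = 1721210400.0  # 2024-07-17T10:00:00Z, arbitrary start time
SAMPLE_LOG = []
# Constructed attacker: opens and cancels 30 streams in about 60 ms.
for i in range(30):
    sid = 2 * i + 1  # client-initiated streams use odd IDs
    SAMPLE_LOG.append(_line(T0 + i * 0.002, "attacker", sid, "HEADERS"))
    SAMPLE_LOG.append(_line(T0 + i * 0.002 + 0.001, "attacker", sid, "RST_STREAM"))
# Constructed browser: three requests, one cancelled 300 ms later (user navigated away).
SAMPLE_LOG += [
    _line(T0, "browser", 1, "HEADERS"), _line(T0 + 0.040, "browser", 1, "DATA"),
    _line(T0 + 0.010, "browser", 3, "HEADERS"), _line(T0 + 0.310, "browser", 3, "RST_STREAM"),
    _line(T0 + 0.020, "browser", 5, "HEADERS"), _line(T0 + 0.090, "browser", 5, "DATA"),
]


def parse(lines):
    """Return (epoch, conn, stream, frame) tuples in time order; skip unparseable lines."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            ts = datetime.fromisoformat(m["ts"]).timestamp()
            events.append((ts, m["conn"], int(m["stream"]), m["frame"]))
    return sorted(events)


def rapid_resets(events, max_gap=0.05):
    """Map conn -> times at which a stream was reset within max_gap s of its HEADERS."""
    opened = {}
    resets = defaultdict(list)
    for ts, conn, stream, frame in events:
        if frame == "HEADERS":
            opened[(conn, stream)] = ts
        elif frame == "RST_STREAM":
            t0 = opened.pop((conn, stream), None)
            if t0 is not None and ts - t0 <= max_gap:
                resets[conn].append(ts)
    return resets


def flag_connections(lines, window=1.0, threshold=20):
    """Return {conn: peak rapid-reset count} for connections exceeding threshold
    rapid resets inside any sliding window of `window` seconds."""
    flagged = {}
    for conn, times in rapid_resets(parse(lines)).items():
        best, lo = 0, 0
        for hi, t in enumerate(times):
            while t - times[lo] > window:
                lo += 1
            best = max(best, hi - lo + 1)
        if best >= threshold:
            flagged[conn] = best
    return flagged


if __name__ == "__main__":
    print(flag_connections(SAMPLE_LOG))
```

Two knobs decide the false-positive rate: `max_gap` separates a scripted cancel from a human one (a user abandoning a page resets streams hundreds of milliseconds after opening them), and `threshold` per window keeps an occasional cancelled preload from tripping the rule. The same per-connection counter is what server-side mitigations enforce, closing the connection once the reset rate crosses a limit rather than trying to make each individual stream cheaper.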
** *** ***** ******* *********** *************
Criminal Gang Physically Assaulting People for Their Cryptocurrency
[2024.07.18] This is pretty horrific:
...a group of men behind a violent crime spree designed to compel victims to hand over access to their cryptocurrency savings. That announcement and the criminal complaint laying out charges against St. Felix focused largely on a single theft of cryptocurrency from an elderly North Carolina couple, whose home St. Felix and one of his accomplices broke into before physically assaulting the two victims -- both in their seventies -- and forcing them to transfer more than $150,000 in Bitcoin and Ether to the thieves' crypto wallets.
I think cryptocurrencies are more susceptible to this kind of real-world attack because they are largely outside the conventional banking system. Yet another reason to stay away from them.
** *** ***** ******* *********** *************
Brett Solomon on Digital Rights
[2024.07.19] Brett Solomon is retiring from AccessNow after fifteen years as its Executive Director. He's written a blog post about what he's learned and what comes next.
** *** ***** ******* *********** *************
Snake Mimics a Spider
[2024.07.22] This is a fantastic video. It's an Iranian spider-tailed horned viper (Pseudocerastes urarachnoides). Its tail looks like a spider, which the snake uses to fool passing birds looking for a meal.
** *** ***** ******* *********** *************
2017 ODNI Memo on Kaspersky Labs
[2024.07.23] It's heavily redacted, but still interesting.
Many more ODNI documents here.
** *** ***** ******* *********** *************
Robot Dog Internet Jammer
[2024.07.24] Supposedly the DHS has these:
The robot, called "NEO," is a modified version of the "Quadruped Unmanned Ground Vehicle" (Q-UGV) sold to law enforcement by a company called Ghost Robotics. Benjamine Huffman, the director of DHS's Federal Law Enforcement Training Centers (FLETC), told police at the 2024 Border Security Expo in Texas that DHS is increasingly worried about criminals setting "booby traps" with internet of things and smart home devices, and that NEO allows DHS to remotely disable the home networks of a home or building law enforcement is raiding. The Border Security Expo is open only to law enforcement and defense contractors. A transcript of Huffman's speech was obtained by the Electronic Frontier Foundation's Dave Maass using a Freedom of Information Act request and was shared with 404 Media.
"NEO can enter a potentially dangerous environment to provide video and audio feedback to the officers before entry and allow them to communicate with those in that environment," Huffman said, according to the transcript. "NEO carries an onboard computer and antenna array that will allow officers the ability to create a 'denial-of-service' (DoS) event to disable 'Internet of Things' devices that could potentially cause harm while entry is made."
Slashdot thread.
** *** ***** ******* *********** *************
Data Wallets Using the Solid Protocol
[2024.07.25] I am the Chief of Security Architecture at Inrupt, Inc., the company that is commercializing Tim Berners-Lee's Solid open W3C standard for distributed data ownership. This week, we announced a digital wallet based on the Solid architecture.
Details are here, but basically a digital wallet is a repository for personal data and documents. Right now, there are hundreds of different wallets, but no standard. We think designing a wallet around Solid makes sense for lots of reasons. A wallet is more than a data store -- data in wallets is for using and sharing. That requires interoperability, which is what you get from an open standard. It also requires fine-grained permissions and robust security, and that's what the Solid protocols provide.