** CRYPTO-GRAM
JANUARY 15, 2025
------------------------------------------------------------
by Bruce Schneier
Fellow and Lecturer, Harvard Kennedy School
schneier@schneier.com
https://www.schneier.com
A free monthly newsletter providing summaries, analyses, insights, and commentaries on security: computer and otherwise.
For back issues, or to subscribe, visit Crypto-Gram's web page [https://www.schneier.com/crypto-gram/].
Read this issue on the web [https://www.schneier.com/crypto-gram/archives/2025/0115.html]
These same essays and news items appear in the Schneier on Security [https://www.schneier.com/] blog, along with a lively and intelligent comment section. An RSS feed is available.
** *** ***** ******* *********** *************
** IN THIS ISSUE:
------------------------------------------------------------
1. Short-Lived Certificates Coming to Let’s Encrypt
2. Hacking Digital License Plates
3. New Advances in the Understanding of Prime Numbers
4. Mailbox Insecurity
5. Criminal Complaint against LockBit Ransomware Writer
6. Spyware Maker NSO Group Found Liable for Hacking WhatsApp
7. Scams Based on Fake Google Emails
8. Casino Players Using Hidden Cameras for Cheating
9. Salt Typhoon’s Reach Continues to Grow
10. Gift Card Fraud
11. Google Is Allowing Device Fingerprinting
12. ShredOS
13. Privacy of Photos.app’s Enhanced Visual Search
14. US Treasury Department Sanctions Chinese Company Over Cyberattacks
15. Zero-Day Vulnerability in Ivanti VPN
16. Apps That Are Spying on Your Location
17. Microsoft Takes Legal Action Against AI “Hacking as a Service” Scheme
18. The First Password on the Internet
19. Upcoming Speaking Engagements
** *** ***** ******* *********** *************
** SHORT-LIVED CERTIFICATES COMING TO LET’S ENCRYPT
------------------------------------------------------------
[2024.12.16] [https://www.schneier.com/blog/archives/2024/12/short-lived-certificates-coming-to-lets-encrypt.html] Starting next year [https://letsencrypt.org/2024/12/11/eoy-letter-2024/]:
Our longstanding offering won’t fundamentally change next year, but we are going to introduce a new offering that’s a big shift from anything we’ve done before -- short-lived certificates. Specifically, certificates with a lifetime of six days. This is a big upgrade for the security of the TLS ecosystem because it minimizes exposure time during a key compromise event.
Because we’ve done so much to encourage automation over the past decade, most of our subscribers aren’t going to have to do much in order to switch to shorter lived certificates. We, on the other hand, are going to have to think about the possibility that we will need to issue 20x as many certificates as we do now. It’s not inconceivable that at some point in our next decade we may need to be prepared to issue 100,000,000 certificates per day.
That sounds sort of nuts to me today, but issuing 5,000,000 certificates per day would have sounded crazy to me ten years ago.
This is an excellent idea.
Slashdot thread [https://it.slashdot.org/story/24/12/15/0059216/lets-encrypt-announces-new-certificate-every-6-days-offering].
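As an added illustration of the operational side of six-day certificates (this is example code written for this page, not code from the newsletter or from Let's Encrypt), the Python below takes the notBefore/notAfter strings in the form that the standard library's ssl.SSLSocket.getpeercert() returns, computes the renewal point under an assumed policy of renewing once two-thirds of the lifetime has elapsed (the 2/3 fraction and the twice-daily run interval are assumptions made here, not figures from the page), bounds how long a stolen key stays usable until natural expiry, and counts how many scheduled renewal runs fit in the remaining grace window. The two certificates are constructed sample data, not real certificates.

```python
import ssl
from datetime import datetime, timedelta, timezone

# Assumption for this example: renew once 2/3 of the validity period has elapsed,
# leaving the final third as a grace window for failed renewal runs.
RENEW_NUM, RENEW_DEN = 2, 3
# Assumption for this example: the renewal job is scheduled twice a day.
RUN_INTERVAL = timedelta(hours=12)


def _utc(cert_time: str) -> datetime:
    """Parse a notBefore/notAfter string in the 'Mon DD HH:MM:SS YYYY GMT' form
    that ssl.SSLSocket.getpeercert() returns, into an aware UTC datetime."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(cert_time), timezone.utc)


def renewal_plan(peercert: dict, now: datetime) -> dict:
    """Derive the renewal schedule for one certificate as seen at time `now`."""
    not_before, not_after = _utc(peercert["notBefore"]), _utc(peercert["notAfter"])
    lifetime = not_after - not_before
    # Integer timedelta arithmetic: (lifetime * 2) // 3, exact to the microsecond.
    renew_after = not_before + lifetime * RENEW_NUM // RENEW_DEN
    return {
        "lifetime_days": lifetime.days,
        "renew_after": renew_after,
        "renew_now": now >= renew_after,
        "expired": now >= not_after,
        "grace": not_after - renew_after,  # time left to fix a broken renewal pipeline
    }


def exposure_after_compromise(peercert: dict, compromised_at: datetime) -> timedelta:
    """Upper bound on how long a stolen key remains usable if nobody revokes it
    and clients do not check revocation: the time until natural expiry."""
    remaining = _utc(peercert["notAfter"]) - compromised_at
    return max(remaining, timedelta(0))


def renewal_attempts(peercert: dict, run_interval: timedelta, now: datetime) -> int:
    """Number of scheduled renewal runs that fit between the renewal point and
    expiry; a sanity check of a cron cadence against the certificate lifetime."""
    grace = renewal_plan(peercert, now)["grace"]
    return int(grace // run_interval)


# Constructed sample data in getpeercert() format (not real certificates).
NINETY_DAY_CERT = {"notBefore": "Dec 01 00:00:00 2024 GMT", "notAfter": "Mar 01 00:00:00 2025 GMT"}
SIX_DAY_CERT = {"notBefore": "Dec 16 00:00:00 2024 GMT", "notAfter": "Dec 22 00:00:00 2024 GMT"}
NOW = datetime(2024, 12, 20, 12, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    for label, cert in (("90-day", NINETY_DAY_CERT), ("6-day", SIX_DAY_CERT)):
        plan = renewal_plan(cert, NOW)
        print(f"{label}: renew after {plan['renew_after']:%Y-%m-%d}, renew now={plan['renew_now']}, "
              f"grace={plan['grace']}, exposure if key stolen now={exposure_after_compromise(cert, NOW)}, "
              f"runs left in grace window={renewal_attempts(cert, RUN_INTERVAL, NOW)}")
```

Run stand-alone it shows the trade-off the letter describes: on the six-day certificate a key stolen on December 20 is usable for a day and a half at most, versus ten weeks for the 90-day one, but the automation only gets four twice-daily attempts to renew before the site goes dark instead of sixty. A renewal job that is allowed to fail silently for a week is fine at 90 days and an outage at six.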
** *** ***** ******* *********** *************
** HACKING DIGITAL LICENSE PLATES
------------------------------------------------------------
[2024.12.17] [https://www.schneier.com/blog/archives/2024/12/hacking-digital-license-plates.html] Not everything needs to be digital and “smart.” License plates, for example [https://www.wired.com/story/digital-license-plate-jailbreak-hack/]:
Josep Rodriguez, a researcher at security firm IOActive, has revealed a technique to “jailbreak” digital license plates sold by Reviver, the leading vendor of those plates in the US with 65,000 plates already sold. By removing a sticker on the back of the plate and attaching a cable to its internal connectors, he’s able to rewrite a Reviver plate’s firmware in a matter of minutes. Then, with that custom firmware installed, the jailbroken license plate can receive commands via Bluetooth from a smartphone app to instantly change its display to show any characters or image.
[...]
Because the vulnerability that allowed him to rewrite the plates’ firmware exists at the hardware level -- in Reviver’s chips themselves -- Rodriguez says there’s no way for Reviver to patch the issue with a mere software update. Instead, it would have to replace those chips in each display.
The whole point of a license plate is that it can’t be modified. Why in the world would anyone think that a digital version is a good idea?
** *** ***** ******* *********** *************
** NEW ADVANCES IN THE UNDERSTANDING OF PRIME NUMBERS
------------------------------------------------------------
[2024.12.18] [https://www.schneier.com/blog/archives/2024/12/new-advances-in-the-understanding-of-prime-numbers.html] Really interesting research [https://www.quantamagazine.org/mathematicians-uncover-a-new-way-to-count-prime-numbers-20241211/] into the structure of prime numbers. Not immediately related to the cryptanalysis of prime-number-based public-key algorithms, but every little bit matters.
** *** ***** ******* *********** *************
** MAILBOX INSECURITY
------------------------------------------------------------
[2024.12.19] [https://www.schneier.com/blog/archives/2024/12/mailbox-insecurity.html] It turns out that all cluster mailboxes in the Denver area have the same master key. So if someone robs a [https://www.denver7.com/news/investigations/thieves-target-cluster-mailboxes-in-denvers-green-valley-ranch-north-neighborhood] postal carrier [https://www.msn.com/en-us/news/us/information-in-denver-postal-carrier-robbery-could-carry-150k-reward/ar-AA1tw3sJ], they can open any mailbox.
I get that a single master key makes the whole system easier, but it’s very fragile security.
** *** ***** ******* *********** *************
** CRIMINAL COMPLAINT AGAINST LOCKBIT RANSOMWARE WRITER
------------------------------------------------------------
[2024.12.23] [https://www.schneier.com/blog/archives/2024/12/criminal-complaint-against-lockbit-ransomware-writer.html] The Justice Department has published [https://www.theverge.com/2024/12/20/24326156/us-lockbit-ransomware-developer-charges] the criminal complaint [https://www.justice.gov/opa/media/1381806/dl] against Dmitry Khoroshev, for building and maintaining the LockBit ransomware.
** *** ***** ******* *********** *************
** SPYWARE MAKER NSO GROUP FOUND LIABLE FOR HACKING WHATSAPP
------------------------------------------------------------
[2024.12.24] [https://www.schneier.com/blog/archives/2024/12/spyware-maker-nso-group-found-liable-for-hacking-whatsapp.html] A judge has found that NSO Group, maker of the Pegasus spyware, has violated [https://www.theguardian.com/technology/2024/dec/20/whatsapp-pegasus-spyware-nso-group-hacking] the US Computer Fraud and Abuse Act by hacking WhatsApp in order to spy on people using it.
Jon Penney and I wrote [https://www.schneier.com/wp-content/uploads/2022/03/Platforms-Encryption-and-the-CFAA-1.pdf] a legal paper on the case.
** *** ***** ******* *********** *************
** SCAMS BASED ON FAKE GOOGLE EMAILS
------------------------------------------------------------
[2024.12.26] [https://www.schneier.com/blog/archives/2024/12/scams-based-on-fake-google-emails.html] Scammers are abusing Google Forms to send email to victims that comes from google.com.
Brian Krebs reports [https://krebsonsecurity.com/2024/12/how-to-lose-a-fortune-with-just-one-bad-click/] on the effects.
Boing Boing post [https://boingboing.net/2024/12/20/father-of-2-young-boys-loses-5-million-after-falling-for-terrifying-new-google-scam.html].
** *** ***** ******* *********** *************
** CASINO PLAYERS USING HIDDEN CAMERAS FOR CHEATING
------------------------------------------------------------
[2024.12.27] [https://www.schneier.com/blog/archives/2024/12/casino-players-using-hidden-cameras-for-cheating.html] The basic strategy [https://www.wired.com/story/miniature-camera-poker-cheating/] is to place a device with a hidden camera in a position to capture normally hidden card values, which are interpreted by an accomplice off-site and fed back to the player via a hidden earpiece. Miniaturization is making these devices harder to detect. Presumably AI will soon obviate the need for an accomplice.
** *** ***** ******* *********** *************
** SALT TYPHOON’S REACH CONTINUES TO GROW
------------------------------------------------------------
[2024.12.30] [https://www.schneier.com/blog/archives/2024/12/salt-typhoons-reach-continues-to-grow.html] The US government has identified [https://apnews.com/article/united-states-china-hacking-espionage-c5351ef7c2207785b76c8c62cde6c513] a ninth telecom that was successfully hacked by Salt Typhoon.
** *** ***** ******* *********** *************
** GIFT CARD FRAUD
------------------------------------------------------------
[2024.12.31] [https://www.schneier.com/blog/archives/2024/12/gift-card-fraud.html] It’s becoming an organized crime tactic [https://www.propublica.org/article/chinese-organized-crime-gift-cards-american-retail]:
Card draining is when criminals remove gift cards from a store display, open them in a separate location, and either record the card numbers and PINs or replace them with a new barcode. The crooks then repair the packaging, return to a store and place the cards back on a rack. When a customer unwittingly selects and loads money onto a tampered card, the criminal is able to access the card online and steal the balance.
[...]
In card draining, the runners assist with removing, tampering and restocking of gift cards, according to court documents and investigators.
A single runner driving from store to store can swipe or return thousands of tampered cards to racks in a short time. “What they do is they just fly into the city and they get a rental car and they just hit every big-box location that they can find along a corridor off an interstate,” said Parks.
** *** ***** ******* *********** *************
** GOOGLE IS ALLOWING DEVICE FINGERPRINTING
------------------------------------------------------------
[2025.01.02] [https://www.schneier.com/blog/archives/2025/01/google-is-allowing-device-fingerprinting.html] Lukasz Olejnik writes [https://blog.lukaszolejnik.com/biggest-privacy-erosion-in-10-years-on-googles-policy-change-towards-fingerprinting/] about device fingerprinting, and why Google’s policy change to allow it in 2025 is a major privacy setback.
EDITED TO ADD (1/12): Slashdot thread [https://tech.slashdot.org/story/25/01/12/0519240/google-wants-to-track-your-digital-fingerprints-again].
** *** ***** ******* *********** *************
** SHREDOS
------------------------------------------------------------
[2025.01.03] [https://www.schneier.com/blog/archives/2025/01/shredos.html] ShredOS is a stripped-down operating system designed to destroy data [https://boingboing.net/2025/01/02/shredos-is-an-entire-os-just-for-destroying-data.html].
GitHub page here [https://github.com/PartialVolume/shredos.x86_64].
** *** ***** ******* *********** *************
** PRIVACY OF PHOTOS.APP’S ENHANCED VISUAL SEARCH
------------------------------------------------------------
[2025.01.06] [https://www.schneier.com/blog/archives/2025/01/privacy-of-photos-apps-enhanced-visual-search.html] Initial speculation [https://mjtsai.com/blog/2025/01/01/privacy-of-photos-apps-enhanced-visual-search/] about a new Apple feature.
** *** ***** ******* *********** *************
** US TREASURY DEPARTMENT SANCTIONS CHINESE COMPANY OVER CYBERATTACKS
------------------------------------------------------------
[2025.01.07] [https://www.schneier.com/blog/archives/2025/01/us-treasury-department-sanctions-chinese-company-over-cyberattacks.html] From the Washington Post [https://www.msn.com/en-us/technology/cybersecurity/treasury-sanctions-chinese-cyber-firm-behind-mass-attack-on-u-s-routers/ar-AA1wVSHa]:
The sanctions target Beijing Integrity Technology Group [https://home.treasury.gov/news/press-releases/jy2769], which U.S. officials say employed workers responsible for the Flax Typhoon attacks [https://www.washingtonpost.com/technology/2024/09/18/china-tech-spy-network/] which compromised devices including routers and internet-enabled cameras to infiltrate government and industrial targets in the United States, Taiwan, Europe and elsewhere.
** *** ***** ******* *********** *************
** ZERO-DAY VULNERABILITY IN IVANTI VPN
------------------------------------------------------------
[2025.01.09] [https://www.schneier.com/blog/archives/2025/01/zero-day-vulnerability-in-ivanti-vpn.html] It’s being actively exploited [https://techcrunch.com/2025/01/09/hackers-are-exploiting-a-new-ivanti-vpn-security-bug-to-hack-into-company-networks/].
** *** ***** ******* *********** *************
** APPS THAT ARE SPYING ON YOUR LOCATION
------------------------------------------------------------
[2025.01.10] [https://www.schneier.com/blog/archives/2025/01/apps-that-are-spying-on-your-location.html] 404 Media and Wired are reporting [https://www.wired.com/story/gravy-location-data-app-leak-rtb/] on all the apps that are spying on your location, based on a hack of the location data company Gravy Analytics:
The thousands of apps, included in hacked files [https://www.404media.co/hackers-claim-massive-breach-of-location-data-giant-threaten-to-leak-data/] from location data company Gravy Analytics, include everything from games like Candy Crush to dating apps like Tinder, to pregnancy tracking and religious prayer apps across both Android and iOS. Because much of the collection is occurring through the advertising ecosystem -- not code developed by the app creators themselves -- this data collection is likely happening both without users’ and even app developers’ knowledge.
** *** ***** ******* *********** *************
** MICROSOFT TAKES LEGAL ACTION AGAINST AI “HACKING AS A SERVICE” SCHEME
------------------------------------------------------------
[2025.01.13] [https://www.schneier.com/blog/archives/2025/01/microsoft-takes-legal-action-against-ai-hacking-as-a-service-scheme.html] Not sure this will matter in the end, but it’s a positive move [https://arstechnica.com/security/2025/01/microsoft-sues-service-for-creating-illicit-content-with-its-ai-platform/]:
Microsoft is accusing three individuals of running a “hacking-as-a-service” scheme that was designed to allow the creation of harmful and illicit content using the company’s platform for AI-generated content.
The foreign-based defendants developed tools specifically designed to bypass safety guardrails Microsoft has erected to prevent the creation of harmful content through its generative AI services, said [https://blogs.microsoft.com/on-the-issues/2025/01/10/taking-legal-action-to-protect-the-public-from-abusive-ai-generated-content/] Steven Masada, the assistant general counsel for Microsoft’s Digital Crimes Unit. They then compromised the legitimate accounts of paying customers. They combined those two things to create a fee-based platform people could use.
It was a sophisticated scheme:
The service contained a proxy server that relayed traffic between its customers and the servers providing Microsoft’s AI services, the suit alleged. Among other things, the proxy service used undocumented Microsoft network application programming interfaces (APIs) to communicate with the company’s Azure computers. The resulting requests were designed to mimic legitimate Azure OpenAPI Service API requests and used compromised API keys to authenticate them.
Slashdot thread [https://yro.slashdot.org/story/25/01/11/073210/foreign-cybercriminals-bypassed-microsofts-ai-guardrails-lawsuit-alleges].
** *** ***** ******* *********** *************
** THE FIRST PASSWORD ON THE INTERNET
------------------------------------------------------------
[2025.01.14] [https://www.schneier.com/blog/archives/2025/01/the-first-password-on-the-internet.html] It was created [https://theconversation.com/how-britain-got-its-first-internet-connection-by-the-late-pioneer-who-created-the-first-password-on-the-internet-45404] in 1973 by Peter Kirstein:
So from the beginning I put password protection on my gateway. This had been done in such a way that even if UK users telephoned directly into the communications computer provided by Darpa in UCL, they would require a password.
In fact this was the first password on Arpanet. It proved invaluable in satisfying authorities on both sides of the Atlantic for the 15 years I ran the service during which no security breach occurred over my link. I also put in place a system of governance that any UK users had to be approved by a committee which I chaired but which also had UK government and British Post Office representation.
I wish he’d told us what that password was.
** *** ***** ******* *********** *************
** UPCOMING SPEAKING ENGAGEMENTS
------------------------------------------------------------
[2025.01.14] [https://www.schneier.com/blog/archives/2025/01/upcoming-speaking-engagements-42.html] This is a current list of where and when I am scheduled to speak:
* I’m speaking on “AI: Trust & Power” at Capricon 45 [https://capricon.org/] in Chicago, Illinois, USA, at 11:30 AM on February 7, 2025. I’m also signing books there on Saturday, February 8, starting at 1:45 PM.
* I’m speaking at Boskone 62 [https://boskone.org/] in Boston, Massachusetts, USA, which runs from February 14-16, 2025.
* I’m speaking at the Rossfest Symposium [https://www.cl.cam.ac.uk/events/rossfest/] in Cambridge, UK, on March 25, 2025.
The list is maintained on this page [https://www.schneier.com/events/].
** *** ***** ******* *********** *************
Since 1998, CRYPTO-GRAM has been a free monthly newsletter providing summaries, analyses, insights, and commentaries on security technology. To subscribe, or to read back issues, see Crypto-Gram's web page [https://www.schneier.com/crypto-gram/].
You can also read these articles on my blog, Schneier on Security [https://www.schneier.com].
Please feel free to forward CRYPTO-GRAM, in whole or in part, to colleagues and friends who will find it valuable. Permission is also granted to reprint CRYPTO-GRAM, as long as it is reprinted in its entirety.
Bruce Schneier is an internationally renowned security technologist, called a security guru by the _Economist_. He is the author of over one dozen books -- including his latest, _A Hacker’s Mind_ [https://www.schneier.com/books/a-hackers-mind/] -- as well as hundreds of articles, essays, and academic papers. His newsletter and blog are read by over 250,000 people. Schneier is a fellow at the Berkman Klein Center for Internet & Society at Harvard University; a Lecturer in Public Policy at the Harvard Kennedy School; a board member of the Electronic Frontier Foundation, AccessNow, and the Tor Project; and an Advisory Board Member of the Electronic Privacy Information Center and VerifiedVoting.org. He is the Chief of Security Architecture at Inrupt, Inc.
Copyright (c) 2025 by Bruce Schneier.
** *** ***** ******* *********** *************
Mailing list hosting graciously provided by MailChimp [https://mailchimp.com/]. Sent without web bugs or link tracking.
Bruce Schneier
Harvard Kennedy School
1 Brattle Square
Cambridge, MA 02138
USA
--_----------=_MCPart_210457518
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
<!DOCTYPE html><html lang=3D"en"><head><meta charset=3D"UTF-8"><title>Cryp= to-Gram=2C January 15=2C 2025</title></head><body>
<div class=3D"preview-text" style=3D"display:none !important;mso-hide:all;= font-size:1px;line-height:1px;max-height:0px;max-width:0px;opacity:0;overf= low:hidden;">A monthly newsletter about cybersecurity and related topics.<= /div>
<h1 style=3D"font-size:140%">Crypto-Gram <br>
<span style=3D"display:block;padding-top:.5em;font-size:80%">January 15=2C=
2025</span></h1>
<p>by Bruce Schneier
<br>Fellow and Lecturer=2C Harvard Kennedy School
<br>
schneier@schneier.com
<br><a href=3D"
https://www.schneier.com">https://www.schneier.com</a>
<p>A free monthly newsletter providing summaries=2C analyses=2C insights=
=2C and commentaries on security: computer and otherwise.</p>
<p>For back issues=2C or to subscribe=2C visit <a href=3D"
https://www.schn= eier.com/crypto-gram/">Crypto-Gram's web page</a>.</p>
<p><a href=3D"
https://www.schneier.com/crypto-gram/archives/2025/0115.html= ">Read this issue on the web</a></p>
<p>These same essays and news items appear in the <a href=3D"
https://www.s= chneier.com/">Schneier on Security</a> blog=2C along with a lively and int= elligent comment section. An RSS feed is available.</p>
<p style=3D"font-size:88%">** *** ***** ******* *********** *************<=
<h2 style=3D"font-size:125%;font-weight:bold" id=3D"toc"><a name=3D"toc">I=
n this issue:</a></h2>
<p><em>If these links don't work in your email client=2C try <a href=3D"ht= tps://www.schneier.com/crypto-gram/archives/2025/0115.html">reading this i= ssue of Crypto-Gram on the web.</a></em></p>
<li><a href=3D"#cg1">Short-Lived Certificates Coming to Let=E2=80=99s Encr= ypt</a></li>
<li><a href=3D"#cg2">Hacking Digital License Plates</a></li>
<li><a href=3D"#cg3">New Advances in the Understanding of Prime Numbers</a= ></li>
<li><a href=3D"#cg4">Mailbox Insecurity</a></li>
<li><a href=3D"#cg5">Criminal Complaint against LockBit Ransomware Writer<= /a></li>
<li><a href=3D"#cg6">Spyware Maker NSO Group Found Liable for Hacking What= sApp</a></li>
<li><a href=3D"#cg7">Scams Based on Fake Google Emails</a></li>
<li><a href=3D"#cg8">Casino Players Using Hidden Cameras for Cheating</a><=
<li><a href=3D"#cg9">Salt Typhoon=E2=80=99s Reach Continues to Grow</a></l=
<li><a href=3D"#cg10">Gift Card Fraud</a></li>
<li><a href=3D"#cg11">Google Is Allowing Device Fingerprinting</a></li>
<li><a href=3D"#cg12">ShredOS</a></li>
<li><a href=3D"#cg13">Privacy of Photos.app=E2=80=99s Enhanced Visual Sear= ch</a></li>
<li><a href=3D"#cg14">US Treasury Department Sanctions Chinese Company Ove=
r Cyberattacks</a></li>
<li><a href=3D"#cg15">Zero-Day Vulnerability in Ivanti VPN</a></li>
<li><a href=3D"#cg16">Apps That Are Spying on Your Location</a></li>
<li><a href=3D"#cg17">Microsoft Takes Legal Action Against AI =E2=80=9CHac= king as a Service=E2=80=9D Scheme</a></li>
<li><a href=3D"#cg18">The First Password on the Internet</a></li>
<li><a href=3D"#cg19">Upcoming Speaking Engagements</a></li>
</ol>
<p style=3D"font-size:88%">** *** ***** ******* *********** *************<=
<h2 style=3D"font-size:125%;font-weight:bold" id=3D"cg1"><a name=3D"cg1">S= hort-Lived Certificates Coming to Let=E2=80=99s Encrypt</a></h2>
<p><a href=3D"
https://www.schneier.com/blog/archives/2024/12/short-lived-c= ertificates-coming-to-lets-encrypt.html"><strong>[2024.12.16]</strong></a=
Starting <a href=3D"https://letsencrypt.org/2024/12/11/eoy-letter-2024/"=
next year</a>:</p>
<blockquote><p>Our longstanding offering won=E2=80=99t fundamentally chang=
e next year=2C but we are going to introduce a new offering that=E2=80=99s=
a big shift from anything we=E2=80=99ve done before -- short-lived certif= icates. Specifically=2C certificates with a lifetime of six days. This is=
a big upgrade for the security of the TLS ecosystem because it minimizes=
exposure time during a key compromise event.</p>
<p>Because we=E2=80=99ve done so much to encourage automation over the pas=
t decade=2C most of our subscribers aren=E2=80=99t going to have to do muc=
h in order to switch to shorter lived certificates. We=2C on the other han= d=2C are going to have to think about the possibility that we will need to=
issue 20x as many certificates as we do now. It=E2=80=99s not inconceivab=
le that at some point in our next decade we may need to be prepared to iss=
ue 100=2C000=2C000 certificates per day.</p>
<p>That sounds sort of nuts to me today=2C but issuing 5=2C000=2C000 certi= ficates per day would have sounded crazy to me ten years ago.</p></blockqu=
<p>This is an excellent idea.</p>
<p>Slashdot <a href=3D"
https://it.slashdot.org/story/24/12/15/0059216/lets= -encrypt-announces-new-certificate-every-6-days-offering">thread</a>.</p>
<p style=3D"font-size:88%">** *** ***** ******* *********** *************<=
<h2 style=3D"font-size:125%;font-weight:bold" id=3D"cg2"><a name=3D"cg2">H= acking Digital License Plates</a></h2>
<p><a href=3D"
https://www.schneier.com/blog/archives/2024/12/hacking-digit= al-license-plates.html"><strong>[2024.12.17]</strong></a> Not everything=
needs to be digital and =E2=80=9Csmart.=E2=80=9D License plates=2C <a hre= f=3D"
https://www.wired.com/story/digital-license-plate-jailbreak-hack/">fo=
r example</a>:</p>
<blockquote><p>Josep Rodriguez=2C a researcher at security firm IOActive=
=2C has revealed a technique to =E2=80=9Cjailbreak=E2=80=9D digital licens=
e plates sold by Reviver=2C the leading vendor of those plates in the US w=
ith 65=2C000 plates already sold. By removing a sticker on the back of the=
plate and attaching a cable to its internal connectors=2C he=E2=80=99s ab=
le to rewrite a Reviver plate=E2=80=99s firmware in a matter of minutes. T= hen=2C with that custom firmware installed=2C the jailbroken license plate=
can receive commands via Bluetooth from a smartphone app to instantly cha=
nge its display to show any characters or image.</p>
<p>[...]</p>
<p>Because the vulnerability that allowed him to rewrite the plates=E2=80=
=99 firmware exists at the hardware level -- in Reviver=E2=80=99s chips th= emselves -- Rodriguez says there=E2=80=99s no way for Reviver to patch the=
issue with a mere software update. Instead=2C it would have to replace th=
ose chips in each display.</p></blockquote>
<p>The whole point of a license plate is that it can=E2=80=99t be modified=
=2E Why in the world would anyone think that a digital version is a good ide= a?</p>
<p style=3D"font-size:88%">** *** ***** ******* *********** *************<=
<h2 style=3D"font-size:125%;font-weight:bold" id=3D"cg3"><a name=3D"cg3">N=
ew Advances in the Understanding of Prime Numbers</a></h2>
<p><a href=3D"
https://www.schneier.com/blog/archives/2024/12/new-advances-= in-the-understanding-of-prime-numbers.html"><strong>[2024.12.18]</strong>=
</a> Really interesting <a href=3D"
https://www.quantamagazine.org/mathemat=
icians-uncover-a-new-way-to-count-prime-numbers-20241211/">research</a> in=
to the structure of prime numbers. Not immediately related to the cryptana= lysis of prime-number-based public-key algorithms=2C but every little bit=
matters.</p>
<p style=3D"font-size:88%">** *** ***** ******* *********** *************<=
<h2 style=3D"font-size:125%;font-weight:bold" id=3D"cg4"><a name=3D"cg4">M= ailbox Insecurity</a></h2>
<p><a href=3D"
https://www.schneier.com/blog/archives/2024/12/mailbox-insec= urity.html"><strong>[2024.12.19]</strong></a> It turns out that all clust=
er mailboxes in the Denver area have the same master key. So if someone <a=
href=3D"
https://www.denver7.com/news/investigations/thieves-target-cluste= r-mailboxes-in-denvers-green-valley-ranch-north-neighborhood">robs a</a> <=
a href=3D"
https://www.msn.com/en-us/news/us/information-in-denver-postal-c= arrier-robbery-could-carry-150k-reward/ar-AA1tw3sJ">postal carrier</a>=2C=
they can open any mailbox.</p>
<p>I get that a single master key makes the whole system easier=2C but it= =E2=80=99s very fragile security.</p>
<p style=3D"font-size:88%">** *** ***** ******* *********** *************<=
<h2 style=3D"font-size:125%;font-weight:bold" id=3D"cg5"><a name=3D"cg5">C= riminal Complaint against LockBit Ransomware Writer</a></h2>
<p><a href=3D"
https://www.schneier.com/blog/archives/2024/12/criminal-comp= laint-against-lockbit-ransomware-writer.html"><strong>[2024.12.23]</stron= g></a> The Justice Department has <a href=3D"
https://www.theverge.com/2024= /12/20/24326156/us-lockbit-ransomware-developer-charges">published</a> the=
<a href=3D"
https://www.justice.gov/opa/media/1381806/dl">criminal complai= nt</a> against Dmitry Khoroshev=2C for building and maintaining the LockBi=
t ransomware.</p>
<p style=3D"font-size:88%">** *** ***** ******* *********** *************<=
<h2 style=3D"font-size:125%;font-weight:bold" id=3D"cg6"><a name=3D"cg6">S= pyware Maker NSO Group Found Liable for Hacking WhatsApp</a></h2>
<p><a href=3D"
https://www.schneier.com/blog/archives/2024/12/spyware-maker= -nso-group-found-liable-for-hacking-whatsapp.html"><strong>[2024.12.24]</= strong></a> A judge has found that NSO Group=2C maker of the Pegasus spywa= re=2C has <a href=3D"
https://www.theguardian.com/technology/2024/dec/20/wh= atsapp-pegasus-spyware-nso-group-hacking">violated</a> the US Computer Fra=
ud and Abuse Act by hacking WhatsApp in order to spy on people using it.</=
<p>Jon Penney and I <a href=3D"
https://www.schneier.com/wp-content/uploads= /2022/03/Platforms-Encryption-and-the-CFAA-1.pdf">wrote</a> a legal paper=
on the case.</p>
<p style=3D"font-size:88%">** *** ***** ******* *********** *************<=
<h2 style=3D"font-size:125%;font-weight:bold" id=3D"cg7"><a name=3D"cg7">S= cams Based on Fake Google Emails</a></h2>
<p><a href=3D"
https://www.schneier.com/blog/archives/2024/12/scams-based-o= n-fake-google-emails.html"><strong>[2024.12.26]</strong></a> Scammers are=
hacking Google Forms to send email to victims that come from google.com.<=
<p>Brian Krebs <a href=3D"
https://krebsonsecurity.com/2024/12/how-to-lose-= a-fortune-with-just-one-bad-click/">reports</a> on the effects.</p>
<p>Boing Boing <a href=3D"
https://boingboing.net/2024/12/20/father-of-2-yo= ung-boys-loses-5-million-after-falling-for-terrifying-new-google-scam.html= ">post</a>.</p>
<p style=3D"font-size:88%">** *** ***** ******* *********** *************<=
<h2 style="font-size:125%;font-weight:bold" id="cg8"><a name="cg8">Casino Players Using Hidden Cameras for Cheating</a></h2>
<p><a href="https://www.schneier.com/blog/archives/2024/12/casino-players-using-hidden-cameras-for-cheating.html"><strong>[2024.12.27]</strong></a> The <a href="https://www.wired.com/story/miniature-camera-poker-cheating/">basic strategy</a> is to place a device with a hidden camera in a position to capture normally hidden card values, which are interpreted by an accomplice off-site and fed back to the player via a hidden microphone. Miniaturization is making these devices harder to detect. Presumably AI will soon obviate the need for an accomplice.</p>
<p style="font-size:88%">** *** ***** ******* *********** *************</p>
<h2 style="font-size:125%;font-weight:bold" id="cg9"><a name="cg9">Salt Typhoon’s Reach Continues to Grow</a></h2>
<p><a href="https://www.schneier.com/blog/archives/2024/12/salt-typhoons-reach-continues-to-grow.html"><strong>[2024.12.30]</strong></a> The US government has <a href="https://apnews.com/article/united-states-china-hacking-espionage-c5351ef7c2207785b76c8c62cde6c513">identified</a> a ninth telecom that was successfully hacked by Salt Typhoon.</p>
<p style="font-size:88%">** *** ***** ******* *********** *************</p>
<h2 style="font-size:125%;font-weight:bold" id="cg10"><a name="cg10">Gift Card Fraud</a></h2>
<p><a href="https://www.schneier.com/blog/archives/2024/12/gift-card-fraud.html"><strong>[2024.12.31]</strong></a> It’s becoming an <a href="https://www.propublica.org/article/chinese-organized-crime-gift-cards-american-retail">organized crime tactic</a>:</p>
<blockquote><p>Card draining is when criminals remove gift cards from a store display, open them in a separate location, and either record the card numbers and PINs or replace them with a new barcode. The crooks then repair the packaging, return to a store and place the cards back on a rack. When a customer unwittingly selects and loads money onto a tampered card, the criminal is able to access the card online and steal the balance.</p>
<p>[...]</p>
<p>In card draining, the runners assist with removing, tampering and restocking of gift cards, according to court documents and investigators.</p>
<p>A single runner driving from store to store can swipe or return thousands of tampered cards to racks in a short time. “What they do is they just fly into the city and they get a rental car and they just hit every big-box location that they can find along a corridor off an interstate,” said Parks.</p></blockquote>
<p style="font-size:88%">** *** ***** ******* *********** *************</p>
<h2 style="font-size:125%;font-weight:bold" id="cg11"><a name="cg11">Google Is Allowing Device Fingerprinting</a></h2>
<p><a href="https://www.schneier.com/blog/archives/2025/01/google-is-allowing-device-fingerprinting.html"><strong>[2025.01.02]</strong></a> Lukasz Olejnik <a href="https://blog.lukaszolejnik.com/biggest-privacy-erosion-in-10-years-on-googles-policy-change-towards-fingerprinting/">writes</a> about device fingerprinting, and why Google’s policy change to allow it in 2025 is a major privacy setback.</p>
<p>EDITED TO ADD (1/12): Slashdot <a href="https://tech.slashdot.org/story/25/01/12/0519240/google-wants-to-track-your-digital-fingerprints-again">thread</a>.</p>
<p style="font-size:88%">** *** ***** ******* *********** *************</p>
<h2 style="font-size:125%;font-weight:bold" id="cg12"><a name="cg12">ShredOS</a></h2>
<p><a href="https://www.schneier.com/blog/archives/2025/01/shredos.html"><strong>[2025.01.03]</strong></a> ShredOS is a stripped-down operating system designed to <a href="https://boingboing.net/2025/01/02/shredos-is-an-entire-os-just-for-destroying-data.html">destroy data</a>.</p>
<p>GitHub page <a href="https://github.com/PartialVolume/shredos.x86_64">here</a>.</p>
<p style="font-size:88%">** *** ***** ******* *********** *************</p>
<h2 style="font-size:125%;font-weight:bold" id="cg13"><a name="cg13">Privacy of Photos.app’s Enhanced Visual Search</a></h2>
<p><a href="https://www.schneier.com/blog/archives/2025/01/privacy-of-photos-apps-enhanced-visual-search.html"><strong>[2025.01.06]</strong></a> Initial <a href="https://mjtsai.com/blog/2025/01/01/privacy-of-photos-apps-enhanced-visual-search/">speculation</a> about a new Apple feature.</p>
<p style="font-size:88%">** *** ***** ******* *********** *************</p>
<h2 style="font-size:125%;font-weight:bold" id="cg14"><a name="cg14">US Treasury Department Sanctions Chinese Company Over Cyberattacks</a></h2>
<p><a href="https://www.schneier.com/blog/archives/2025/01/us-treasury-department-sanctions-chinese-company-over-cyberattacks.html"><strong>[2025.01.07]</strong></a> From the <a href="https://www.msn.com/en-us/technology/cybersecurity/treasury-sanctions-chinese-cyber-firm-behind-mass-attack-on-u-s-routers/ar-AA1wVSHa">Washington Post</a>:</p>
<blockquote><p>The <a href="https://home.treasury.gov/news/press-releases/jy2769">sanctions target Beijing Integrity Technology Group</a>, which U.S. officials say employed workers responsible for the <a href="https://www.washingtonpost.com/technology/2024/09/18/china-tech-spy-network/">Flax Typhoon attacks</a> which compromised devices including routers and internet-enabled cameras to infiltrate government and industrial targets in the United States, Taiwan, Europe and elsewhere.</p></blockquote>
<p style="font-size:88%">** *** ***** ******* *********** *************</p>
<h2 style="font-size:125%;font-weight:bold" id="cg15"><a name="cg15">Zero-Day Vulnerability in Ivanti VPN</a></h2>
<p><a href="https://www.schneier.com/blog/archives/2025/01/zero-day-vulnerability-in-ivanti-vpn.html"><strong>[2025.01.09]</strong></a> It’s being <a href="https://techcrunch.com/2025/01/09/hackers-are-exploiting-a-new-ivanti-vpn-security-bug-to-hack-into-company-networks/">actively exploited</a>.</p>
<p style="font-size:88%">** *** ***** ******* *********** *************</p>
<h2 style="font-size:125%;font-weight:bold" id="cg16"><a name="cg16">Apps That Are Spying on Your Location</a></h2>
<p><a href="https://www.schneier.com/blog/archives/2025/01/apps-that-are-spying-on-your-location.html"><strong>[2025.01.10]</strong></a> 404 Media and Wired are <a href="https://www.wired.com/story/gravy-location-data-app-leak-rtb/">reporting</a> on all the apps that are spying on your location, based on a hack of the location data company Gravy Analytics:</p>
<blockquote><p>The thousands of apps, <a href="https://www.404media.co/hackers-claim-massive-breach-of-location-data-giant-threaten-to-leak-data/">included in hacked files</a> from location data company Gravy Analytics, include everything from games like Candy Crush to dating apps like Tinder, to pregnancy tracking and religious prayer apps across both Android and iOS. Because much of the collection is occurring through the advertising ecosystem -- not code developed by the app creators themselves -- this data collection is likely happening both without users’ and even app developers’ knowledge.</p></blockquote>
<p style="font-size:88%">** *** ***** ******* *********** *************</p>
<h2 style="font-size:125%;font-weight:bold" id="cg17"><a name="cg17">Microsoft Takes Legal Action Against AI “Hacking as a Service” Scheme</a></h2>
<p><a href="https://www.schneier.com/blog/archives/2025/01/microsoft-takes-legal-action-against-ai-hacking-as-a-service-scheme.html"><strong>[2025.01.13]</strong></a> Not sure this will matter in the end, but it’s a <a href="https://arstechnica.com/security/2025/01/microsoft-sues-service-for-creating-illicit-content-with-its-ai-platform/">positive move</a>:</p>
<blockquote><p>Microsoft is accusing three individuals of running a “hacking-as-a-service” scheme that was designed to allow the creation of harmful and illicit content using the company’s platform for AI-generated content.</p>
<p>The foreign-based defendants developed tools specifically designed to bypass safety guardrails Microsoft has erected to prevent the creation of harmful content through its generative AI services, <a href="https://blogs.microsoft.com/on-the-issues/2025/01/10/taking-legal-action-to-protect-the-public-from-abusive-ai-generated-content/">said</a> Steven Masada, the assistant general counsel for Microsoft’s Digital Crimes Unit. They then compromised the legitimate accounts of paying customers. They combined those two things to create a fee-based platform people could use.</p></blockquote>
<p>It was a sophisticated scheme:</p>
<blockquote><p>The service contained a proxy server that relayed traffic between its customers and the servers providing Microsoft’s AI services, the suit alleged. Among other things, the proxy service used undocumented Microsoft network application programming interfaces (APIs) to communicate with the company’s Azure computers. The resulting requests were designed to mimic legitimate Azure OpenAPI Service API requests and used compromised API keys to authenticate them.</p></blockquote>
<p>Slashdot <a href="https://yro.slashdot.org/story/25/01/11/073210/foreign-cybercriminals-bypassed-microsofts-ai-guardrails-lawsuit-alleges">thread</a>.</p>
<p style="font-size:88%">** *** ***** ******* *********** *************</p>
<h2 style="font-size:125%;font-weight:bold" id="cg18"><a name="cg18">The First Password on the Internet</a></h2>
<p><a href="https://www.schneier.com/blog/archives/2025/01/the-first-password-on-the-internet.html"><strong>[2025.01.14]</strong></a> It was <a href="https://theconversation.com/how-britain-got-its-first-internet-connection-by-the-late-pioneer-who-created-the-first-password-on-the-internet-45404">created</a> in 1973 by Peter Kirstein:</p>
<blockquote><p>So from the beginning I put password protection on my gateway. This had been done in such a way that even if UK users telephoned directly into the communications computer provided by Darpa in UCL, they would require a password.</p>
<p>In fact this was the first password on Arpanet. It proved invaluable in satisfying authorities on both sides of the Atlantic for the 15 years I ran the service during which no security breach occurred over my link. I also put in place a system of governance that any UK users had to be approved by a committee which I chaired but which also had UK government and British Post Office representation.</p></blockquote>
<p>I wish he’d told us what that password was.</p>
<p style="font-size:88%">** *** ***** ******* *********** *************</p>
<h2 style="font-size:125%;font-weight:bold" id="cg19"><a name="cg19">Upcoming Speaking Engagements</a></h2>
<p><a href="https://www.schneier.com/blog/archives/2025/01/upcoming-speaking-engagements-42.html"><strong>[2025.01.14]</strong></a> This is a current list of where and when I am scheduled to speak:</p>
<ul>
<li>I’m speaking on “AI: Trust & Power” at <a href="https://capricon.org/">Capricon 45</a> in Chicago, Illinois, USA, at 11:30 AM on February 7, 2025. I’m also signing books there on Saturday, February 8, starting at 1:45 PM.</li>
<li>I’m speaking at <a href="https://boskone.org/">Boskone 62</a> in Boston, Massachusetts, USA, which runs from February 14-16, 2025.</li>
<li>I’m speaking at the <a href="https://www.cl.cam.ac.uk/events/rossfest/">Rossfest Symposium</a> in Cambridge, UK, on March 25, 2025.</li>
</ul>
<p>The list is maintained on <a href="https://www.schneier.com/events/">this page</a>.</p>
<p style="font-size:88%">** *** ***** ******* *********** *************</p>
<p>Since 1998, CRYPTO-GRAM has been a free monthly newsletter providing summaries, analyses, insights, and commentaries on security technology. To subscribe, or to read back issues, see <a href="https://www.schneier.com/crypto-gram/">Crypto-Gram's web page</a>.</p>
<p>You can also read these articles on my blog, <a href="https://www.schneier.com">Schneier on Security</a>.</p>
<p>Please feel free to forward CRYPTO-GRAM, in whole or in part, to colleagues and friends who will find it valuable. Permission is also granted to reprint CRYPTO-GRAM, as long as it is reprinted in its entirety.</p>
<p><span style="font-style: italic">Bruce Schneier is an internationally renowned security technologist, called a security guru by the <cite style="font-style:normal">Economist</cite>. He is the author of over one dozen books -- including his latest, <a href="https://www.schneier.com/books/a-hackers-mind/"><cite style="font-style:normal">A Hacker’s Mind</cite></a> -- as well as hundreds of articles, essays, and academic papers. His newsletter and blog are read by over 250,000 people. Schneier is a fellow at the Berkman Klein Center for Internet & Society at Harvard University; a Lecturer in Public Policy at the Harvard Kennedy School; a board member of the Electronic Frontier Foundation, AccessNow, and the Tor Project; and an Advisory Board Member of the Electronic Privacy Information Center and VerifiedVoting.org. He is the Chief of Security Architecture at Inrupt, Inc.</span></p>
<p>Copyright © 2025 by Bruce Schneier.</p>
<p style="font-size:88%">** *** ***** ******* *********** *************</p>
<p>Mailing list hosting graciously provided by <a href="https://mailchimp.com/">MailChimp</a>. Sent without web bugs or link tracking.</p>
<p>Bruce Schneier · Harvard Kennedy School · 1 Brattle Square · Cambridge, MA 02138 · USA</p>
</body></html>