• CRYPTO-GRAM, September 15, 202 Part 3

    From Sean Rima@21:1/229.1 to All on Tuesday, October 01, 2024 21:52:08

    At this point, we realized we had discovered a very serious problem. Anyone with basic knowledge of SQL injection could login to this site and
    add anyone they wanted to KCM and CASS, allowing themselves to both skip security screening and then access the cockpits of commercial airliners.

    We ended up finding several more serious issues but began the
    disclosure process immediately after finding the first issue.

    ** *** ***** ******* *********** *************
    List of Old NSA Training Videos

    [2024.09.03] The NSA’s “National Cryptographic School Television Catalogue” from 1991 lists about 600 COMSEC and SIGINT training videos.

    There are a bunch explaining the operations of various cryptographic equipment, and a few code words I have never heard of before.

    ** *** ***** ******* *********** *************
    Security Researcher Sued for Disproving Government Statements

    [2024.09.04] This story seems straightforward. A city is the victim of a ransomware attack. They repeatedly lie to the media about the severity of
    the breach. A security researcher repeatedly proves their statements to be lies. The city gets mad and sues the researcher.

    Let’s hope the judge throws the case out, but -- still -- it will serve as
    a warning to others.

    ** *** ***** ******* *********** *************
    Long Analysis of the M-209

    [2024.09.05] Really interesting analysis of the American M-209 encryption device and its security.

    ** *** ***** ******* *********** *************
    YubiKey Side-Channel Attack

    [2024.09.06] There is a side-channel attack against YubiKey access tokens
    that allows someone to clone a device. It’s a complicated attack,
    requiring the victim’s username and password, and physical access to their YubiKey -- as well as some technical expertise and equipment.

    Still, nice piece of security analysis.

    ** *** ***** ******* *********** *************
    Australia Threatens to Force Companies to Break Encryption

    [2024.09.09] In 2018, Australia passed the Assistance and Access Act,
    which -- among other things -- gave the government the power to force companies to break their own encryption.

    The Assistance and Access Act includes key components that outline investigatory powers between government and industry. These components include:

    Technical Assistance Requests (TARs): TARs are voluntary requests
    for assistance accessing encrypted data from law enforcement to teleco and
    technology companies. Companies are not legally obligated to comply with a
    TAR but law enforcement sends requests to solicit cooperation.

    Technical Assistance Notices (TANs): TANs are compulsory notices
    (such as computer access warrants) that require companies to assist within
    their means with decrypting data or providing technical information that a
    law enforcement agency cannot access independently. Examples include
    certain source code, encryption, cryptography, and electronic hardware.

    Technical Capability Notices (TCNs): TCNs are orders that require
    a company to build new capabilities that assist law enforcement agencies
    in accessing encrypted data. The Attorney-General must approve a TCN by
    confirming it is reasonable, proportionate, practical, and technically
    feasible.

    It’s that final one that’s the real problem. The Australian government can force tech companies to build backdoors into their systems.

    This is law, but near as anyone can tell the government has never used
    that third provision.

    Now, the director of the Australian Security Intelligence Organisation
    (ASIO) -- that’s basically their CIA -- is threatening to do just that:

    ASIO head, Mike Burgess, says he may soon use powers to compel tech companies to cooperate with warrants and unlock encrypted chats to aid in national security investigations.

    [...]

    But Mr Burgess says lawful access is all about targeted action against individuals under investigation.

    “I understand there are people who really need it in some countries,
    but in this country, we’re subject to the rule of law, and if you’re doing nothing wrong, you’ve got privacy because no one’s looking at it,” Mr Burgess said.

    “If there are suspicions, or we’ve got proof that we can justify you’re doing something wrong and you must be investigated, then actually
    we want lawful access to that data.”

    Mr Burgess says tech companies could design apps in a way that allows
    law enforcement and security agencies access when they request it without compromising the integrity of encryption.

    “I don’t accept that actually lawful access is a back door or systemic weakness, because that, in my mind, will be a bad design. I believe you
    can -- these are clever people -- design things that are secure, that give
    secure, lawful access,” he said.

    We in the encryption space call that last one “nerd harder.” It, and the rest of his remarks, are the same tired talking points we’ve heard again
    and again.

    It’s going to be an awfully big mess if Australia actually tries to make Apple, or Facebook’s WhatsApp, for that matter, break its own encryption
    for its “targeted actions” that put every other user at risk.

    ** *** ***** ******* *********** *************
    New Chrome Zero-Day

    [2024.09.10] According to Microsoft researchers, North Korean hackers have been using a Chrome zero-day exploit to steal cryptocurrency.
    ---
    * Origin: High Portable Tosser at my node (21:1/229.1)