5331 private links
A Taxonomy of Access Control
My personal definition of a brilliant idea is one that is immediately obvious once it’s explained, but no one has thought of it before. I can’t believe that no one has described this taxonomy of access control before Ittay Eyal laid it out in this paper. The paper is about cryptocurrency wallet design, but the ideas are more general. Ittay points out that a key—or an account, or anything similar—can be in one of four states:
- loss: No one has access,
- safe: Only the user has access,
- leak: Both the user and the adversary have access, or
- theft: Only the adversary has access.
- [disclosed: everybody has access]
Once you know these states, you can assign probabilities of transitioning from one state to another (someone hacks your account and locks you out, you forgot your own password, etc.) and then build optimal security and reliability to deal with it. It’s a truly elegant way of conceptualizing the problem.
The moral is the need for cryptographic agility. It’s not enough to implement a single standard; it’s vital that our systems be able to easily swap in new algorithms when required. We’ve learned the hard way how algorithms can get so entrenched in systems that it can take many years to update them: in the transition from DES to AES, and the transition from MD4 and MD5 to SHA, SHA-1, and then SHA-3.
We need to do better. In the coming years we’ll be facing a double uncertainty. The first is quantum computing. When and if quantum computing becomes a practical reality, we will learn a lot about its strengths and limitations. It took a couple of decades to fully understand von Neumann computer architecture; expect the same learning curve with quantum computing. Our current understanding of quantum computing architecture will change, and that could easily result in new cryptanalytic techniques.
The second uncertainty is in the algorithms themselves. As the new cryptanalytic results demonstrate, we’re still learning a lot about how to turn hard mathematical problems into public-key cryptosystems. We have too much math and an inability to add more muddle, and that results in algorithms that are vulnerable to advances in mathematics. More cryptanalytic results are coming, and more algorithms are going to be broken.
We can’t stop the development of quantum computing. Maybe the engineering challenges will turn out to be impossible, but it’s not the way to bet. In the face of all that uncertainty, agility is the only way to maintain security.
Researchers have unearthed never-before-seen malware that hackers from North Korea have been using to surreptitiously read and download email and attachments from infected users' Gmail and AOL accounts.
The malware, dubbed SHARPEXT by researchers from security firm Volexity, uses clever means to install a browser extension for the Chrome and Edge browsers, Volexity reported in a blog post. The extension can't be detected by the email services, and since the browser has already been authenticated using any multifactor authentication protections in place, this increasingly popular security measure plays no role in reining in the account compromise. The extension isn't available in Google's Chrome Web Store, Microsoft's add-ons page, or any other known third-party source and doesn't rely on flaws in Gmail or AOL Mail to get installed.
From the what-could-possibly-go-wrong files comes this: People hawking password-cracking software are targeting the hardware used in industrial-control facilities with malicious code that makes their systems part of a botnet, a researcher reported.
Thought experiment story of someone who lost everything in a house fire, and now can’t log into anything:
But to get into my cloud, I need my password and 2FA. And even if I could convince the cloud provider to bypass that and let me in, the backup is secured with a password which is stored in—you guessed it—my Password Manager.
I am in cyclic dependency hell. To get my passwords, I need my 2FA. To get my 2FA, I need my passwords.
It’s a one-in-a-million story, and one that’s hard to take into account in system design.
This is where we reach the limits of the “Code Is Law” movement.
In the boring analogue world—I am pretty sure that I’d be able to convince a human that I am who I say I am. And, thus, get access to my accounts. I may have to go to court to force a company to give me access back, but it is possible.
But when things are secured by an unassailable algorithm—I am out of luck. No amount of pleading will let me in without the correct credentials. The company which provides my password manager simply doesn’t have access to my passwords. There is no-one to convince. Code is law.
Of course, if I can wangle my way past security, an evil-doer could also do so.
So which is the bigger risk?
- An impersonator who convinces a service provider that they are me?
- A malicious insider who works for a service provider?
- Me permanently losing access to all of my identifiers?
I don’t know the answer to that.
Those risks are in the order of most common to least common, but that doesn’t necessarily mean that they are in risk order. They probably are, but then we’re left with no good way to handle someone who has lost all their digital credentials—computer, phone, backup, hardware token, wallet with ID cards—in a catastrophic house fire.
I want to remind readers that this isn’t a true story. It didn’t actually happen. It’s a thought experiment. //
Kent Brockman • June 28, 2022 11:04 AM
Any plan should take into account the possibility of memory loss (permanent or otherwise) due to shock or physical injury from an incident (car crash, fire, etc., etc.) which would render moot a passphrase, plan, etc. unless written down and distributed to others (trusted implicitly, of course). This is to my mind at least, possibly the largest risk to even a well thought out scheme.
Ape • June 28, 2022 4:01 PM
It seems to me that the impact of the thought experiment resides in this: we have evolved backwards. Rather than insisting that it is robots who have to prove they are humans, we have evolved into a situation where humans have to prove they are not robots. Whatever happened to cogito ergo sum? It is now: I exist because the robot says I exist. If the robot says I don’t exist, I don’t exist. There is probably some fancy Latin way of saying it. So the heart of the problem is not “code is law”. The heart of the problem is that we have devolved law to programmers. Not just law, either, but the reality of our lives.
Now let’s imagine a different thought experiment. One where a person physically exists so they have an identity. In that cultural reality the question is not a question of token verification but a question of “Who is this person?”. They must be somebody. So we go about deciphering who they are. It is humans who have control, not the code, not the programmers, not the token. Maybe we even decide that the person is not the person who he was before the house burned down. Does it matter if the victim cannot regain his old identity if we give him a new one? Why the need for convergence on the old, on perpetuation?
It is time to regain control of our own identity.
Security Sam • June 28, 2022 11:25 AM
For safety the security abhors
With a mutually exclusive rule
Just like the set of double doors
Located in every bank vestibule.
How Apple, Google, and Microsoft will kill passwords and phishing in one stroke
You've heard for years that easier, more secure logins are imminent. That day is here.
Vulnerability in 3rd-party libraries can send devices' users to malicious sites. //
The flaw makes it possible for hackers with access to the connection between an affected device and the Internet to poison DNS requests used to translate domains to IP addresses, researchers from security firm Nozomi Networks said Monday. By feeding a vulnerable device fraudulent IP addresses repeatedly, the hackers can force end users to connect to malicious servers that pose as Google or another trusted site.
The vulnerability, which was disclosed to vendors in January and went public on Monday, resides in uClibc and uClibc fork uClibc-ng, both of which provide alternatives to the standard C library for embedded Linux. Nozomi said 200 vendors incorporate at least one of the libraries into wares that, according to the uClibc-ng maintainer, include the following:
- Linksys WRT54G - Wireless-G Broadband Router
- NetGear WG602 wireless router
- Most Axis network cameras
- Embedded Gentoo
- Buildroot, a configurable means for building busybox/uClibc-based systems
- LEAF Bering-uClibc, the successor of the Linux Router Project that supports gateways, routers, and firewalls
- Tuxscreen Linux Phone
Let’s Encrypt is a free, automated, and open certificate authority (CA), run for the public’s benefit and it’s been a huge change to the whole industry. Now, when everyone has adopted the idea of free SSL certificates, the logical evolution step is at hand — managed certificates. What are the options across major cloud providers?
While the method is convincing, it has a few weaknesses that should give savvy visitors a foolproof way to detect that something is amiss. Genuine OAuth or payment windows are in fact separate browser instances that are distinct from the primary page. That means a user can drag them anywhere, including over the address bar of the primary window.
BitB windows, by contrast, aren’t a separate browser instance at all. Instead, they’re illustrations rendered by custom HTML and CSS and contained in the primary window. That means the fake pages can’t cover the address bar of the primary browser window.
Unfortunately, as mr.d0x pointed out, these checks might be difficult to teach “because now we move away from the ‘check the URL’” advice that’s standard. “You’re teaching users to do something they never do.”
All users should protect their accounts with two-factor authentication. One other thing more experienced users can do is right click on the popup page and choose "inspect." If the window is a BitB spawn, its URL will be hardcoded into the HTML.
The Federal Communications Commission on Friday determined that security products from Kaspersky posed an unacceptable risk to US national security and added the company to a covered list of other firms not eligible for FCC funds.
The move adds Kaspersky to the same covered list that Huawei and ZTE landed on in 2021. Besides its Moscow headquarters, the company’s founder, Eugene Kaspersky, attended a KGB-sponsored technical college and has long been accused of having ties to Russian military and intelligence services.
Kaspersky, which was already banned from all US government networks, was one of three firms added to the covered list on Friday. China Mobile and China Telecom were the other two.
The main concern US politicians have raised about TikTok is that because it’s owned by China's ByteDance, the Chinese government could conceivably access any American data held by the company. The other big concern has been security risk. This deal would address both. Under the agreement, Oracle would store TikTok data for US users, ensure that data is not transferred to ByteDance, and be responsible for protecting user data from cybersecurity threats. Because this sensitive task will be performed by a US company with close ties to the government, TikTok should finally be able to put to rest the concern that its operations in the United States constitute a grave threat to American security. //
However, the agreement is almost certain to provide momentum to foreign governments who want to do exactly what the United States is doing: require companies to store data within their borders. Numerous countries have pushed these types of data localization requirements over the last decade, including Russia, India, and France. In response, the tech sector has made the case that this approach to data storage creates privacy risks, degrades performance, and imposes compliance costs that make it harder for small companies to compete.
If the US government succeeds in forcing TikTok to enter this local data-storing arrangement with Oracle, other governments will be more likely to impose comparable requirements on US companies operating within their borders. A principle that might be appealing to TikTok’s critics in the United States could seem much less desirable if it were applied to Apple, Meta, or Snap in countries like China or Russia. The war in Ukraine has highlighted why countries like Russia want to use localization to exert more control over global tech companies, and also why it’s so important that local data storage requirements remain the exception rather than the norm. //
In a written opinion halting President Trump’s ban, a federal judge found that while the government had successfully demonstrated that China posed a national security threat to the United States, its evidence linking TikTok to that threat was “less substantial.” TikTok currently has a data storage agreement with Google Cloud, and the government has not indicated why a hosting deal with Oracle provides better protection for US user data than the current agreement with Google.
Behind the stalkerware network spilling the private phone data of hundreds of thousands | TechCrunch
TechCrunch first discovered the vulnerability as part of a wider exploration of consumer-grade spyware. The vulnerability is simple, which is what makes it so damaging, allowing near-unfettered remote access to a device’s data. But efforts to privately disclose the security flaw to prevent it from being misused by nefarious actors have been met with silence both from those behind the operation and from Codero, the web company that hosts the spyware operation’s back-end server infrastructure.
The nature of spyware means those targeted likely have no idea that their phone is compromised. With no expectation that the vulnerability will be fixed any time soon, TechCrunch is now revealing more about the spyware apps and the operation so that owners of compromised devices can uninstall the spyware themselves, if it’s safe to do so.
Given the complexities in notifying victims, CERT/CC, the vulnerability disclosure center at Carnegie Mellon University’s Software Engineering Institute, has also published a note about the spyware.
What follows are the findings of a months-long investigation into a massive stalkerware operation that is harvesting the data from some 400,000 phones around the world, with the number of victims growing daily, including in the United States, Brazil, Indonesia, India, Jamaica, the Philippines, South Africa and Russia.
On the front line of the operation is a collection of white-label Android spyware apps that continuously collect the contents of a person’s phone, each with custom branding, and fronted by identical websites with U.S. corporate personas that offer cover by obfuscating links to its true operator. Behind the apps is a server infrastructure controlled by the operator, which is known to TechCrunch as a Vietnam-based company called 1Byte.
People have gotten much savvier about computer security in the last decade or so. Most people know that sending a document with sensitive information in it is a no-no, so many people try to redact documents with varying levels of success. A common strategy is to replace text with a black box, but you sometimes see sophisticated users pixelate part of an image or document they want to keep private. If you do this for text, be careful. It is possible to unredact pixelated images through software.
audio isolator or data diode (one way data -- rs232)
Introduction
Yes, yes...it's yet another set of instructions for constructing your very own digital coaxial to optical converter. First off, why you would need such a device - you have a sound source with a coax digital output, and a digital recorder that accepts optical input (in most cases, everyone's favorite - the minidisc recorder). Total cost for this project will run $25-$30.
Now, does recording digitally make a difference? I would say that while analog recording sounds fine for general use, digital recording is very nice for devices where you would be better off bypassing the DACs. Digital to analog converters do exactly as they say - take digital values and produce a proportional analog voltage to feed your speakers/headphones. //
After many high-profile and widespread major data breaches – which have compromised millions of people – many people have come to understand more about password security and the fact that a simple password can’t keep their online profiles safe. That has led to the rise in the popularity of two-factor authentication, an additional layer of security that can keep online accounts secure.
A lone U.S. hacker who goes by the handle “P4x” is claiming responsibility for shutting down the entire North Korean internet twice last month.
The anonymous hacker says that he was taking revenge for a North Korean cyberattack on Western security researchers carried out by North Korean spies last year. He says he was frustrated by the lack of response from the U.S. over the attack and decided to take matters into his own hands.
https://www.wired.com/story/north-korea-hacker-internet-outage/
It’s doubtful that P4x’s actions had any effect on the North Korean state or government. Only a tiny fraction of their people have access to the internet. And the hackers that disrupted P4x’s work on security systems, for which he was exacting revenge, are probably not even located in North Korea. They are probably based in China, where Beijing has its own cyber warfare group, PLA Unit 61398.
Nevertheless, striking a blow against America’s enemies is always welcome — no matter where it comes from.
chmod u-s is the more technically correct way to do it, as you just want to remove the suid bit and not touch the read-write-execute permissions (which are 0755 by default but may or may not have been changed). And pkexec may or may not live in /usr/bin depending on your particular distro. //
You know what’s great about blinking an LED with a 555 instead of a raspi? 555s don’t need security updates. //
So to appropriately neuter pkexec and prevent it from ever being used in an attack chain I issued the following command (Debian based Linux ONLY):
$ sudo dpkg-statoverride --update --add root root 0711 /usr/bin/pkexec
WARN: This is essentially a permanent change until you reverse the procedure (see dpkg-statoverride(8)). No future install/upgrade of the PolicyKit package will change the permissions from those specified. One could also reformat and install another OS. If some program on your system actually needs to use pkexec to change users that program will be broken. But for the life of me I can’t figure out why my printer would need to masquerade as another user. Smells like malware to me.
A heap overflow bug was recently discovered in the Linux kernel. The patch is available now in most major Linux distributions. //
In this one, there's a heap overflow bug in the legacy_parse_param in the Linux kernel's fs/fs_context.c program. This parameter is used in Linux filesystems during superblock creation for mount and superblock reconfiguration for a remount. The superblock records all of a filesystem's characteristics such as file size, block size, empty and filled storage blocks. So, yeah, it's important.
The legacy_parse_param() "PAGE_SIZE - 2 - size" calculation was mistakenly made an unsigned type. This means a large value of "size" results in a high positive value instead of a negative value as expected. Whoops.
A local attacker can use it to escalate their user privileges or crash the system. This can be done with a specially crafted program that triggers this integer overflow. That done, it's trivial to execute arbitrary code and give the attacker root privileges.
To exploit it requires the CAP_SYS_ADMIN privilege to be enabled. If that's the case, an unprivileged local user can open a filesystem that does not support the File System Context application programming interface (API). In this situation, it drops back to legacy handling, and from there, the flaw can escalate an attacker's system privileges.
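The arithmetic defect described above is easy to reproduce outside the kernel. The following is an added example written for this page, not the kernel's own code: it models a one-page option buffer with a constructed PAGE_SIZE of 4096 and compares the defective check shape (an unsigned subtraction on the right-hand side) with a corrected one (an addition on the left, guarded against wrap-around). The function names and the size/len arguments are assumptions chosen for illustration; only the decision is computed, no buffer is written.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed constant for the example: the kernel's buffer is one page,
 * and 4096 is the common page size.  Typed as size_t so the arithmetic
 * below happens in the same unsigned type the kernel code used. */
#define PAGE_SIZE ((size_t)4096)

/* The value the defective expression actually produces.  Because every
 * operand is unsigned, "PAGE_SIZE - 2 - size" cannot go negative: once
 * size exceeds PAGE_SIZE - 2 it wraps to a value near SIZE_MAX. */
size_t naive_rhs(size_t size)
{
    return PAGE_SIZE - 2 - size;
}

/* Defective check shape: "len > PAGE_SIZE - 2 - size".
 * Returns 1 when the append would be allowed.  With a large cumulative
 * size the right-hand side wraps, so even a huge len is accepted and
 * the caller would then write past the end of the page. */
int naive_check_allows(size_t size, size_t len)
{
    return !(len > naive_rhs(size));
}

/* Corrected check shape: keep everything on the additive side so no
 * intermediate result is negative, and reject inputs that would make
 * the addition itself wrap around. */
int safe_check_allows(size_t size, size_t len)
{
    if (size > PAGE_SIZE || len > PAGE_SIZE)      /* either alone exceeds the page */
        return 0;
    /* +2 leaves room for the separator and terminator the kernel appends */
    return size + len + 2 <= PAGE_SIZE;
}

int main(void)
{
    /* Constructed inputs: the buffer is already almost full (size = 4095)
     * and the caller wants to append another 100 bytes. */
    size_t size = 4095, len = 100;

    printf("naive rhs for size=%zu: %zu\n", size, naive_rhs(size));
    printf("naive check allows append: %d\n", naive_check_allows(size, len));
    printf("safe  check allows append: %d\n", safe_check_allows(size, len));
    return 0;
}
```

The interesting case is the third line of output: the unsigned subtraction yields SIZE_MAX, so the defective check accepts an append that would run far past the page, while the additive form rejects it. When auditing similar code, the pattern to look for is a bound expressed as a subtraction in an unsigned type whose minuend can legitimately be smaller than the subtrahend.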