Security Week 44: Legislators and Security, Cryptography and Intelligence

If there is a topic in the field of information security that is more complicated than cryptography, then this is legislation. Any research work on encryption, its main conclusions and possible consequences can be understood. In many cases, this will require a couple of years of intensive training in core and related topics, and another ten years as a security expert. But you can understand. It is not always possible to understand what the consequences of the law governing the field of information security, even if it is read carefully. Even if you are fluent in the language in which it is written.

Nevertheless, it is necessary to understand, because the legislation can seriously affect security issues, in one direction or another. Good, fit initiatives motivate companies to better defend themselves against cyber threats, protect bank customers from losing money in the event of online fraud, improve the security of the state structures themselves and our data processed by them, fight against crime. Bad laws at best do not change the landscape of threats, at worst - allow cybercriminals to go free, even after arrest and with convincing evidence of guilt, make it difficult for researchers to work, and make private data a little less private than we would like.

In this series of digest we will talk about two important news in the field of American information security law, and also continue the discussion of cryptography, this time thanks to the NSA agency, who decided to participate in the discussion of encryption issues. Which, however, is also not far from politics. Rules: Every week, the editors of the news site Threatpost chooses three of the most significant news, to which I add an extended and ruthless comment. All episodes of the series can be found by tag .

US Senate Approves CISA Bill, Despite Criticism on Personal Information Protection
News Sources The text of the bill. Extended Comment EFF.
')
What happened?
The US Senate voted to adopt a cybersecurity information sharing law, the Cybersecurity Information Sharing Act. The final adoption of the law is still far away - in March of this year, the Protecting Cyber ​​Networks Act was passed in the House of Representatives, which almost coincides with the CISA, but not quite. So ahead is an exciting joint work of the Congress to mix two bills of four letters into one of three . Already, CISA is causing serious debates in the American IT industry and more. The reason is simple: Experts, in particular, from the EFF Foundation, who are concerned about the privacy of the data of American citizens (after Snowden and not only), see the new legal loopholes for spying on users in the draft law.

What is the bill about?
The initiative of American lawmakers, supported, which happens infrequently, by representatives of two major political parties in the United States, is intended to change the situation with the security of American business in front of cyber threats. And what, just so bad? Sufficiently: the hacking of such large companies as JP Morgan , Sony Pictures Entertainment , Target , and even the human resources department of the US government itself does not give cause for optimism. Senator Susan Collins, one of the authors of the bill, compared the degree of US preparedness for protection against cyber threats from September 10, 2001, and readiness for protection against terrorist attacks at that time.

Since in the US Congress, let's say, few experts on cyber threats work, the bill basically consists of instructing agencies such as the US Department of Homeland Security to “study”, “develop”, “ensure”, “coordinate” , “Develop procedures” and so on - all with the aim of creating a working system for the exchange of information on cyber threats. Among the many subparagraphs of the law there are such interesting things as, for example, “explore the issue of cyber threats against mobile devices” and “develop a plan for implementing a technology to protect mobile devices”, and also “develop a strategy of international relations on cyberspace”.


Photos from the article on Slate.com. There is also a detailed story about what the bill is bad for.

But the main task of the draft law is to facilitate the exchange of information on certain “cyber threat indicators” to American companies. Translated from legal language to normal: to enable both businesses and government agencies to share information about cyber attacks, so that they can be more effectively protected from them together. If a private business exchanges such information with a government agency (the same DHS), confidentiality is guaranteed to the business, and in general it is done in such a way that companies are encouraged. Business is obliged to follow a huge number of other bills, and some of them, for various reasons, can be punished for this kind of data exchange, therefore the topic of cybersecurity is put in a separate category. It seems even not bad, right?

So what's the problem?
The problem, according to privacy advocates in cyberspace, is that the “translation from legal” above is only one of the possible ones. In general, the vague wording of the bill can be interpreted to someone as convenient. For example: if the law states that it is possible to exchange information “for the sake of security”, but there is no clear definition, then you can exchange any data at all with anyone, in the name of the great goal of fighting cyberterrorism. Well, for example, a large web site with the purpose of protecting users may merge information about these users of another company, which is an ad agency by accident. Share confidentially! Or a certain state agency will be able to collect data on cyber attacks, but it will not be obliged to disclose information to the public, and what some government agencies can do with, say, information on fresh wildlife, is already known to everyone.

In general, it is the question of privacy, in one sense or another, that worries all critics of the draft law. But the substantive part of the news ends here, and the heated debate continues. Companies such as Apple, Microsoft, Adobe and IBM first supported the bill (collectively, as part of the BSA alliance), and then (in a slightly different composition) ceased to support.

At least Apple did it, along with representatives of Twitter, Yelp, Wikipedia and others. As often happens, companies supported one thing (collective security), and were criticized for another (supposedly existing failures in terms of privacy). DHS itself (the Ministry, which should develop, implement and study everything, but it is advisable to study before implementation) back in August of this year spoke against the draft law in its current form - both for privacy and inefficiency. Bees against honey! However, DHS’s readings differ: the same Deputy Minister Alejandro Majorcas, who was formerly against, this July, suddenly turned out to be in favor in October. Politics sir!



And most importantly, no one really argues with the fact that security and business, and government agencies need to be increased, how much can you read about data leaks in gigabytes and millions of records? The adoption of the law by the Senate, although it reduces the chances of amending, but does not exclude such a possibility in principle. Have you heard the industry and activists before? If we take a similar law, passed in March through the House of Representatives, then no - there were also claims there, and they were not something that was carefully listened to. But a couple of previous bills that are dubious from the point of view of privacy remained draft. Specifically, CISPA , also raising the topic of information exchange on cyber threats, as well as SOPA - a bill aimed at combating piracy on the Internet. In general, we stock up on popcorn, this story will last a long time.

For jailbreaking and hacking car safety studies, exceptions are made to the DMCA law
News Previous news. Blogpost EFF.

The Digital Millennium Copyright Act or DMCA copyright law was passed a long time ago, in 1998. Its main task is the fight against network piracy, and a side effect of its adoption was the ban on hacking of systems protecting digital media from being copied. That is, everything on paper was logical: if you cannot copy and distribute digital copies of movies or music, then in order to enforce this prohibition, we make it illegal to break protection systems.

In practice, a lot of problems have arisen, and first of all for security researchers: in order to understand whether protection is good, you need to try to break it, which is illegal. One of the first high-profile cases in this area was the prosecution of Russian programmer Dmitry Sklyarov in 2001 for hacking into the protection of Adobe e-books. You can also recall the unsuccessful attempts to remove from the network an algorithm for circumventing DVD protection — DeCSS , the library on the basis of which was the only way to play protected discs on Linux. The answer to the requirements of techies to remove the algorithm code from the network was the appearance of a simple criminal number - a 1401-digit number, which contains all the code of the DeCSS algorithm. Accordingly, the distribution of this prime number is also illegal.

However, enough history. This summer, researchers Charlie Miller and Chris Valasek showed how to hack a car through the radio, and remotely seize control. In itself, such a study, if its authors do not plan an apocalypse on the nearest highway, is not something illegal, but there is a nuance. On-board computers are also equipped with copy protection systems, like DVDs. To explore such systems is to circumvent protection, and the DMCA makes it a crime. Car manufacturers can thus use DMCA to complicate the lives of researchers, who, respectively, complicate the lives of automakers themselves. For cybercriminals who break the law by definition, they will not be able to make life difficult.

Fortunately, there are exceptions in the DMCA that allow a certain type of bypass of protection systems in specific devices, usually for a three-year period - just to resolve such collisions. About why the law itself should not be rewritten, let's talk some other time, and now let's discuss two fresh exceptions: jailbreak and automotive computer systems research. With a jailbreak, everything is simple: an exception was introduced in 2012, mainly to allow smartphone owners (but not tablets!) To use the device as they wish, and not as the vendor decided for them. This year they simply confirmed - “it is possible” - for the next three years.

And with the cars turned out for the first time, and the loud news about the hacking of Chrysler Uconnect certainly influenced the decision. It is curious that one of the opponents of the new exception was the environmental protection agency, which motivated it by the fact that the “jailbreak” of cars is often used to increase power or reduce fuel consumption, which in turn badly affects emissions and violates another law - about Fresh Air (well, clean). But then ... Then this happened:



It turned out that the problem is not in amateurs of chip-tuning, but quite the contrary. And they found some oddities in Volkswagen diesel cars, not supervisory authorities, and not the EPA, but some kind of independent group of comrades with a very non-standard approach to testing. It is for such groups in striped swimsuits that the exception to the DMCA is intended, although it is not completely clear whether diesel gate influenced the Library of Congress (yes, the library makes such decisions in the USA!). Do not forget that exceptions to this law are limited in time, so specifically for the “autohack” a year-end stitching is given — apparently so that automakers can close the most blatant holes themselves.

In a sense, I really want the delay to be used for this.

The NSA is in favor of cryptographic protection from quantum computers. Experts smell the catch.
News Unscientific research . Blogpost Communiqué (ui!) US National Security Agency.

On August 19, the NSA publishes a message on its website regarding the suite of encryption standards Suite B. Suite B is a set of standards officially recommended by the agency for encrypting secret correspondence and other important data, including, for example, the AES standard with a key of 128 or 256 bits. In addition to AES, Suite B includes secure key exchange systems, such as the Elliptic Curve Diffie-Hellman , an improved version of DH, the disadvantages of which were discussed in the previous series. Other protocols are mentioned in it with the use of elliptical cryptography , it will be discussed about it.



So, the NSA report says: “The progress in the study of quantum computing makes it clear that elliptical cryptography is not such a long-term solution [for data protection] as we would like.” Meanwhile, the same Elliptic Curve Diffie-Hellman is recommended as a replacement for theoretically compromised DH using large prime numbers. NSA recommendation: to use algorithms and protocols that will be difficult to break on quantum computers, for example, RSA with a key length of 3072 bits. And then the question arises: if there are no quantum computers in the shops of the city, and it is not foreseen, and the NSA proposes to throw out the Elliptic curve right now, then there may be some other meaning in the agency's message? Maybe they hint at something?

Researchers Neil Koblitz and Alfred Menezes hurry to help conspiracy therapists and investigate all the options for interpreting the NSA message, in their own words, completely unscientific scientific work . However, thanks to such unscientific, work is a very, very fascinating reading matter. The agency was remembered of Snowden, and attempts to drag through the broken cryptostandard, and much more. The lack of work is the lack of evidence of the reality of at least some hypothesis, since the NSA issues a communique (oi!), But does not comment. Let us run briefly on the hypotheses.

The NSA knows something about quantum computing that we don’t know.
It is unlikely, since, according to Snowden, the agency's budget for quantum computers is small, an order of magnitude less than, say, for breaking cryptography using traditional methods. Current forecast: the chances that quantum computers will appear by 2030 - 50/50. That is, they will either appear or not. Moreover, quoting authoritative sources, the authors of the study argue that if quantum computing methods sufficient for breaking into one of the “vulnerable” ciphers actually appear, they will also be sufficient for breaking the algorithm declared as more secure, for example, RSA 3072.

NSA broke one of the ciphers using elliptical cryptography
The agency advertised elliptical cryptography for a couple of decades, so much so that it may be suspicious: is the advertising campaign related to the fact that the NSA somehow broke the ECC while others could not? The answer to this question takes almost half of the research, but a short version: “unlikely.”

Elliptical cryptography is secure, but the new "strong" ciphers are not.
tl; dr Also unlikely.

Speech is not about encryption at all, there is a political task to distance oneself from ECC
But this is possible, especially thanks to the story around the algorithm Dual_EC_DRBG . There is a backdoor in it or not, it is not fully known, but in the early 2000s the NSA actively campaigned for the standardization of the algorithm, in 2007 there were suspicions about the presence of a backdoor, and in 2013 Snowden’s leaks confirmed that some program bookmarks, or propaganda of deliberately weakened algorithms, existed. Whether this applied to a specific cipher is not clear, but the sediment remained. That is, the NSA may be refusing the ECC, because now any of its reports on this topic will simply not be trusted.

And other messages will be? In any case, as Winston Churchill used to say, this is “a puzzle wrapped in mystery wrapped in a riddle”. This quotation was written by the authors of a non-scientific study in the title, although Churchill initially spoke about Russia. It would seem, where is Russia? In general, despite the great interest in this news, scandals, intrigues and politics in it are much more than useful information that really affects cryptographic protection. But this is a rare case when people who are knowledgeable about the subject understand intrigue, and there are plenty of interesting facts about cryptography. On this I, perhaps, round off.



What else happened:
It is theoretically possible to crack the public key system or arrange a DDoS attack due to the vulnerability of the NTP protocol, just roll back time. An interesting study with an excellent description of the process, something like this: “We tried to do it in one way or another, but the cache reset interfered, and then it just transferred the time, and I was like that!”. NTP for scaling DDoS-attacks used before .

The banking Trojan Dridex (in our classification - Cridex), which had previously risen from non-existence and attacked the British, has now set its sights on France. Quote: "When you open this document, a macro is activated, rewarding the victim with a malicious PID * R * S.exe file that establishes a connection with Japanese hosts through its command server." * = A.

Antiquities:
"Sylvia"

Nonresident innocent virus. It is written to the beginning of .COM files when an infected program is started. Searches files in the current directory of the current drive and drive C:, while infecting no more than 5 files. Does not infect COMMAND.COM, IBMBIO.COM and IBMDOS.COM files. If you correct the contents of the text contained in the virus (see below), it decodes and displays: “FUCK YOU LAMER !!! system halted ... ”, after which the system really hangs.

At the beginning of the virus contains the text:



Write letters!

Quote from the book "Computer viruses in MS-DOS" Eugene Kaspersky. 1992 Page 84.

Disclaimer: This column reflects only the personal opinion of its author. It may coincide with the position of Kaspersky Lab, or it may not coincide. Then how lucky.