• CRYPTO-GRAM, August 15, 2025 Part1

    From Sean Rima@21:1/229 to All on Fri Aug 15 15:03:40 2025
    Crypto-Gram
    August 15, 2025

    by Bruce Schneier
    Fellow and Lecturer, Harvard Kennedy School
    schneier@schneier.com
    https://www.schneier.com

    A free monthly newsletter providing summaries, analyses, insights, and commentaries on security: computer and otherwise.

    For back issues, or to subscribe, visit Crypto-Gram's web page.

    Read this issue on the web

    These same essays and news items appear in the Schneier on Security blog, along with a lively and intelligent comment section. An RSS feed is available.

    ** *** ***** ******* *********** *************

    In this issue:

    If these links don't work in your email client, try reading this issue of Crypto-Gram on the web.

    Report from the Cambridge Cybercrime Conference
    Hacking Trains
    Security Vulnerabilities in ICEBlock
    New Mobile Phone Forensics Tool
    Another Supply Chain Vulnerability
    "Encryption Backdoors and the Fourth Amendment"
    Google Sues the Badbox Botnet Operators
    How the Solid Protocol Restores Digital Agency
    Subliminal Learning in AIs
    Microsoft SharePoint Zero-Day
    That Time Tom Lehrer Pranked the NSA
    Aeroflot Hacked
    Measuring the Attack/Defense Balance
    Cheating on Quantum Computing Benchmarks
    Spying on People Through Airportr Luggage Delivery Service
    First Sentencing in Scheme to Help North Koreans Infiltrate US Companies
    Surveilling Your Children with AirTags
    The Semiconductor Industry and Regulatory Compliance
    China Accuses Nvidia of Putting Backdoors into Their Chips
    Google Project Zero Changes Its Disclosure Policy
    Automatic License Plate Readers Are Coming to Schools
    The "Incriminating Video" Scam
    SIGINT During World War II
    AI Applications in Cybersecurity
    LLM Coding Integrity Breach
    ** *** ***** ******* *********** *************

    Report from the Cambridge Cybercrime Conference

    [2025.07.14] The Cambridge Cybercrime Conference was held on 23 June. Summaries of the presentations are here.

    ** *** ***** ******* *********** *************

    Hacking Trains

    [2025.07.16] Seems like an old system that predates any care about security:

    The flaw has to do with the protocol used in a train system known as the End-of-Train and Head-of-Train. A Flashing Rear End Device (FRED), also known as an End-of-Train (EOT) device, is attached to the back of a train and sends data via radio signals to a corresponding device in the locomotive called the Head-of-Train (HOT). Commands can also be sent to the FRED to apply the brakes at the rear of the train.

    These devices were first installed in the 1980s as a replacement for caboose cars, and unfortunately, they lack encryption and authentication protocols. Instead, the current system uses data packets sent between the front and back of a train that include a simple BCH checksum to detect errors or interference. But now, the CISA is warning that someone using a software-defined radio could potentially send fake data packets and interfere with train operations.
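    The distinction the advisory turns on, as an added example that is not from the article or from CISA: a constructed toy packet carries either an error-detecting code (a CRC-16 standing in for the BCH checksum, since both are keyless) or a keyed HMAC. Both catch a bit error in flight, but only the MAC rejects a packet that was not built with the key the two ends share; the packet layout, the CRC stand-in and the key are assumptions, not the real EOT/HOT protocol.

```python
import hashlib
import hmac
import struct

# Constructed toy layout (not the real EOT/HOT format, which the page does not
# describe): device id (2 bytes), command (1 byte), sequence number (2 bytes).
HEADER = ">HBH"

def crc16(data: bytes) -> int:
    # CRC-16/CCITT stands in for the BCH code: detects random bit errors, needs no secret.
    crc = 0xFFFF
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021) & 0xFFFF if crc & 0x8000 else (crc << 1) & 0xFFFF
    return crc

def build_checksum_packet(device_id: int, command: int, seq: int) -> bytes:
    body = struct.pack(HEADER, device_id, command, seq)
    return body + struct.pack(">H", crc16(body))

def verify_checksum_packet(pkt: bytes) -> bool:
    return struct.unpack(">H", pkt[-2:])[0] == crc16(pkt[:-2])

def build_mac_packet(key: bytes, device_id: int, command: int, seq: int) -> bytes:
    # Same body, but the trailer is an HMAC-SHA256 under a key shared by HOT and EOT.
    body = struct.pack(HEADER, device_id, command, seq)
    return body + hmac.new(key, body, hashlib.sha256).digest()

def verify_mac_packet(key: bytes, pkt: bytes) -> bool:
    expected = hmac.new(key, pkt[:-32], hashlib.sha256).digest()
    return hmac.compare_digest(pkt[-32:], expected)  # constant-time comparison

def flip_bit(pkt: bytes, bit: int) -> bytes:
    buf = bytearray(pkt)
    buf[bit // 8] ^= 1 << (bit % 8)  # simulate one bit error in flight
    return bytes(buf)

def compare(key: bytes) -> dict:
    # Both trailers catch a bit error, but a checksum can be recomputed by any
    # sender, while the MAC fails for a packet built without the shared key.
    cs_pkt = build_checksum_packet(0x0102, 0x01, 7)
    mac_pkt = build_mac_packet(key, 0x0102, 0x01, 7)
    return {
        "checksum_detects_bit_error": not verify_checksum_packet(flip_bit(cs_pkt, 12)),
        "checksum_accepts_any_sender": verify_checksum_packet(cs_pkt),
        "mac_detects_bit_error": not verify_mac_packet(key, flip_bit(mac_pkt, 12)),
        "mac_rejects_other_key": not verify_mac_packet(key, build_mac_packet(b"other", 0x0102, 0x01, 7)),
    }
```

    A MAC alone does not stop replay of a previously valid packet; that needs the sequence number (or a timestamp) to be checked for freshness on the receiving side as well.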

    ** *** ***** ******* *********** *************

    Security Vulnerabilities in ICEBlock

    [2025.07.17] The ICEBlock tool has vulnerabilities:

    The developer of ICEBlock, an iOS app for anonymously reporting sightings of US Immigration and Customs Enforcement (ICE) officials, promises that it "ensures user privacy by storing no personal data." But that claim has come under scrutiny. ICEBlock creator Joshua Aaron has been accused of making false promises regarding user anonymity and privacy, being "misguided" about the privacy offered by iOS, and of being an Apple fanboy. The issue isn't what ICEBlock stores. It's about what it could accidentally reveal through its tight integration with iOS.

    ** *** ***** ******* *********** *************

    New Mobile Phone Forensics Tool

    [2025.07.18] The Chinese have a new tool called Massistant.

    Massistant is the presumed successor to Chinese forensics tool, "MFSocket", reported in 2019 and attributed to publicly traded cybersecurity company, Meiya Pico.
    The forensics tool works in tandem with a corresponding desktop software. Massistant gains access to device GPS location data, SMS messages, images, audio, contacts and phone services. Meiya Pico maintains partnerships with domestic and international law enforcement partners, both as a surveillance hardware and software provider, as well as through training programs for law enforcement personnel. From a news article:

    The good news, per Balaam, is that Massistant leaves evidence of its compromise on the seized device, meaning users can potentially identify and delete the malware, either because the hacking tool appears as an app, or can be found and deleted using more sophisticated tools such as the Android Debug Bridge, a command line tool that lets a user connect to a device through their computer.

    The bad news is that at the time of installing Massistant, the damage is done, and authorities already have the person's data.

    Slashdot thread.

    ** *** ***** ******* *********** *************

    Another Supply Chain Vulnerability

    [2025.07.21] ProPublica is reporting:

    Microsoft is using engineers in China to help maintain the Defense Department's computer systems -- with minimal supervision by U.S. personnel -- leaving some of the nation's most sensitive data vulnerable to hacking from its leading cyber adversary, a ProPublica investigation has found.

    The arrangement, which was critical to Microsoft winning the federal government's cloud computing business a decade ago, relies on U.S. citizens with security clearances to oversee the work and serve as a barrier against espionage and sabotage.

    But these workers, known as "digital escorts," often lack the technical expertise to police foreign engineers with far more advanced skills, ProPublica found. Some are former military personnel with little coding experience who are paid barely more than minimum wage for the work.

    This sounds bad, but it's the way the digital world works. Everything we do is international, deeply international. Making anything US-only is hard, and often infeasible.

    EDITED TO ADD: Microsoft has stopped the practice.

    ** *** ***** ******* *********** *************

    "Encryption Backdoors and the Fourth Amendment"

    [2025.07.22] Law journal article that looks at the Dual_EC_PRNG backdoor from a US constitutional perspective:

    Abstract: The National Security Agency (NSA) reportedly paid and pressured technology companies to trick their customers into using vulnerable encryption products. This Article examines whether any of three theories removed the Fourth Amendment's requirement that this be reasonable. The first is that a challenge to the encryption backdoor might fail for want of a search or seizure. The Article rejects this both because the Amendment reaches some vulnerabilities apart from the searches and seizures they enable and because the creation of this vulnerability was itself a search or seizure. The second is that the role of the technology companies might have brought this backdoor within the private-search doctrine. The Article criticizes the doctrine, particularly its origins in Burdeau v. McDowell, and argues that if it ever should apply, it should not here. The last is that the customers might h

    --- BBBS/LiR v4.10 Toy-7
    * Origin: TCOB1: https/binkd/telnet binkd.rima.ie (21:1/229)