shift change 01-16-2024
Welcome to your shift change, reports from the off-going watch to the oncoming on anything interesting in privacy, security, or intelligence.
1. The Markup’s next suggestions for easy-to-implement personal privacy protections? Get a burner phone number—from Google!
If you need to go a bit further than a burner for convenience, they also have a LevelUp series to take your personal protections beyond the easy-to-implement. Check it out: here.
2. AirDrop is secured by hashes, and so vulnerable to rainbow tables. Apple knows, but so far there are no encryption changes to defeat this:
1) Your device hashes your identifier (Apple ID, phone number, email address).
2) The intended recipient hashes all the identifiers in their Contacts.
3) If your hashed identifier is in their hashed Contacts, their device accepts your file transfer through AirDrop.
The article notes:
There are several ways to carry out this attack, which falls under a general category of hash cracking known as dictionary attacks. The term derives from the concept of the list being a dictionary of sorts that defines each candidate hash available to the attacker. The dictionary attack—which is the opposite of brute-force attacks that hash every possible plain-text string (beginning, say, with “a” and ending with “zzzzzzzzzzzzzzzzzzzzzzzzz”)—is possible because AirDrop can’t use a cryptographic salt, a unique set of characters added to each plain-text string before it’s hashed.
There are, in turn, several ways to perform a dictionary attack. Over the past decade, the most prevalent way for performing dictionary attacks at scale has been to use graphics cards to rapidly generate hashes for large lists of plain-text strings. For technical reasons, a more effective way to de-obfuscate AirDrop users at scale is by using rainbow tables. Since the Chinese officials specifically mention that approach, that’s likely the one used here, [Matthew] Green said.
Now, if no one knows your unique identifier (and so cannot run that value through the most common hash functions available), you are likely safe with Apple’s hash-checking identification. But that is almost no one. Between email, phone, and Apple ID being commonly used by people and software, and the sheer volume of data breaches that expose the same or similar identifiers to the world, it’s not overly difficult for a well-resourced attacker (say China) to compile those publicly accessible sensitive identifiers, build a rainbow table off that info by running the identifiers through hash functions, and then be ready to toss that rainbow table against the identifiers it is looking for using AirDrop. If that sounds like a lot of monotonous and time-consuming math, it is—but it’s the time-consuming math computers are great at.
Is the solution a consumer fix? Should each individual person find a strategy to minimize their exposure to this design issue? No. This is a design flaw, and the real solution is to protect people’s identity with more than an easily bypassed hash scheme. Apple knows; what incentive keeps them from fixing it?
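The three matching steps above, and why hashing alone does not hide a guessable identifier, as an added example (not code from the article or from Apple). SHA-256, the normalization, and the 10,000-number candidate space are assumptions constructed for illustration; the page does not name the hash function.

```python
import hashlib
import os

def hash_identifier(identifier, salt=b""):
    """Steps 1 and 2: hash a normalized identifier (SHA-256 is an assumption)."""
    normalized = identifier.strip().lower()
    return hashlib.sha256(salt + normalized.encode("utf-8")).hexdigest()

def recipient_accepts(sender_id, contacts):
    """Step 3: accept when the sender's hash is among the hashed contacts."""
    hashed_contacts = {hash_identifier(c) for c in contacts}
    return hash_identifier(sender_id) in hashed_contacts

def build_lookup(candidates):
    """Precompute hash -> identifier for every candidate. This is a plain
    lookup table; a rainbow table stores the same mapping in less memory
    at the cost of extra computation per lookup."""
    return {hash_identifier(c): c for c in candidates}

def constructed_numbers():
    """Constructed sample space: 10,000 fictional phone numbers."""
    return [f"+1202555{n:04d}" for n in range(10_000)]

def demo():
    sender = "+12025550142"                         # constructed identifier
    contacts = ["alice@example.com", "+12025550142"]
    observed = hash_identifier(sender)              # the value exchanged in step 1
    table = build_lookup(constructed_numbers())
    # Per-device random salts defeat the precomputed table, but two devices
    # with different salts no longer produce matching hashes, which is why
    # the matching scheme cannot simply add a salt.
    salt_a, salt_b = os.urandom(16), os.urandom(16)
    salted_a = hash_identifier(sender, salt_a)
    salted_b = hash_identifier(sender, salt_b)
    return {
        "accepted": recipient_accepts(sender, contacts),
        "recovered": table.get(observed),
        "salted_recovered": table.get(salted_a),
        "salted_match": salted_a == salted_b,
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The table covers every candidate in the constructed space once, so any unsalted hash from that space maps straight back to its identifier; real phone-number and email spaces are larger but still enumerable, which is the design problem the item describes.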
3. The United Kingdom’s national library system, helpfully named the British Library, continues to recover from a Rhysida malware-enabled incident. What is Rhysida? Well, other than how an American Bostonian pronounces the name of the Darknet Diaries host? The FBI, CISA, and the Multi-State Information Sharing and Analysis Center have IOCs and a MITRE ATT&CK-mapped write-up to catch Rhysida-using threat actors in your network and devices.
And if you wondered what an Information Sharing and Analysis Center is: here.
The shift change is a collection of timely stories of interest in the security, privacy, and intelligence worlds. Thanks for reading, and feel free to reach out to will@signaltonoise.fyi for any questions, comments, or thoughts on items you’d like to see highlighted.