SNOOPING ON MEMORY, KEYSTROKES AND CRYPTOCOINS
With Doug Aamoth and Paul Ducklin. Intro and outro music by Edith Mudge.
You can listen to us on Soundcloud, Apple Podcasts, Google Podcasts, Spotify and anywhere that good podcasts are found. Or just drop the URL of our RSS feed into your favourite podcatcher.
DOUG. Crocodilian cryptocrime, the BWAIN streak continues, and a reason to learn to touch-type.
All that, and more, on the Naked Security podcast.
[MUSICAL MODEM]
Welcome to the podcast, everybody.
I am Doug Aamoth; he is Paul Ducklin.
Paul, a very happy day to you, my friend.
DUCK. And a very happy day to you, Doug.
I know what’s coming at the end of the podcast, and all I’m saying is…
…hang in there, because it is exciting, if mildly alarming!
DOUG. But first, let’s start with Tech History.
This week, on 07 August 1944, IBM presented the Automatic Sequence Controlled Calculator to Harvard University.
You may better know this machine as the Mark I, which was a Frankenputer of sorts that mixed punch cards with electromechanical components and measured 51 feet long by 8 feet high, or roughly 15.5 metres by 2.5 metres.
And, Paul, the computer itself was almost obsolete before they got all the shrink-wrap off of it.
DUCK. Yes, it was done towards the tail end of the Second World War…
…of course, American computer designers at that time didn’t know that the British had already successfully built high performance digital electronic computers using thermionic valves, or vacuum tubes.
And they were sworn to secrecy after the war (for reasons we didn’t understand last time we spoke about it!), so there was still this feeling in the States that valve or tube computers could be more trouble than they were worth.
Because thermionic valves run really hot; they’re quite large; they require large amounts of power.
Would they be reliable enough, even though they’re loads and loads faster than relays (thousands of times faster in switching)?
So there was still that feeling that maybe there was time and space for electromagnetic relays.
The guy who designed the Colossus computers for Bletchley Park in the UK was sworn to silence, and he wasn’t allowed to tell anybody after the war, “Yes, you *can* make a computer out of valves. It will work, and the reason I know that is I did it.”
He wasn’t allowed to tell anybody!
DOUG. [LAUGHS] That’s fascinating…
DUCK. So we did get the Mark I, and I guess it was the last mainstream digital computer that had a driveshaft, Doug, operated by an electrical motor. [LAUGHTER]
It is a thing of absolute beauty, isn’t it?
It’s Art Deco… if you go to Wikipedia, there are some really high-quality pics of it.
Like the ENIAC computer (which came out in, what, 1946, and did use valves)… both those computers were in a little bit of an evolutionary dead-end, in that they worked in decimal, not in binary.
DOUG. I should have also mentioned that, although it was obsolete the moment it hit the floor, it was an important moment in computing history, so let’s not discount it.
DUCK. Indeed.
It could do arithmetic with 18 significant decimal digits of precision.
Contemporary 64-bit IEEE floating-point numbers only have 53 binary digits of precision, which is just under 16 decimal digits.
DOUG. All right, well, let’s talk about our new BWAIN.
This is another Bug With An Impressive Name, or BWAIN as we like to call them.
This is three weeks in a row now, so we’ve got a good streak going!
This one is called Downfall, and is caused by memory optimisation features in Intel processors.
Tell me if that sounds familiar, that some sort of optimisation feature in a processor is causing cybersecurity problems.
DUCK. Well, if you’re a regular Naked Security podcast listener, you’ll know that we touched on Zenbleed just a couple of short weeks ago, didn’t we?
Which was a similar sort of bug in AMD Zen 2 processors.
Google, which was involved in both the Downfall and the Zenbleed research, has just published an article in which they talk about Downfall alongside Zenbleed.
It’s a similar sort of bug such that optimisation inside the CPU can inadvertently leak information about its internal state that is never supposed to escape.
Unlike Zenbleed, which can leak the top 128 bits of 256-bit vector registers, Downfall can leak the entire register by mistake.
It doesn’t work in quite the same way, but it’s the same sort of idea… if you remember Zenbleed, that worked because of a special accelerated vector instruction called VZEROUPPER.
https://nakedsecurity.sophos.com/2023/07/26/zenbleed-how-the-quest-for-cpu-performance-could-put-your-passwords-at-risk/
That’s where one instruction goes and writes zero-bits to all of the vector registers simultaneously, all in one go, which obviously means you don’t have to have a loop that goes around the registers one by one.
So it increases performance, but reduces security.
Downfall is a similar sort of problem that relates to an instruction that, rather than clearing data, goes out to collect it.
And that instruction is called GATHER.
GATHER can actually take a list of memory addresses and collect all this stuff together and stick it in the vector registers so you can do processing.
And, much like Zenbleed, there is a slip twixt the cup and the lip that can allow state information about other people’s data, from other processes, to leak out and be collected by somebody running alongside you on the same processor.
Clearly, that is not supposed to happen.
DOUG. Unlike Zenbleed, where you could just turn that feature off…
DUCK. …the mitigation will countermand the performance improvements that the GATHER instruction was supposed to bring, namely collecting data from all over memory without requiring you to do it in some kind of indexed loop of your own.
Obviously, if you notice that the mitigation has slowed down your workload, you kind of have to suck it up, because if you don’t, you could be at risk from someone else on the same computer as you.
DOUG. Exactly.
DUCK. Sometimes life is like that, Doug.
DOUG. It is!
We will keep an eye on this… this is, I take it, for the Black Hat conference that we’ll get more info about, including any fixes coming out.
Let’s move on to, “When it comes to cybersecurity, we know that every little bit helps, right?”
So if we could all just take up touch-typing, the world would actually be a safer place, Paul.
https://nakedsecurity.sophos.com/2023/08/08/serious-security-why-learning-to-touch-type-could-protect-you-from-audio-snooping/
DUCK. This probably could have been a BWAIN if the authors wanted (I can’t think of a catchy name off the top of my head)…
…but they didn’t give it a BWAIN; they just wrote a paper about it and published it the week before Black Hat.
So I guess it just came out when it was ready.
It’s not a new topic of research, but there were some interesting insights in the paper, which is what minded me to write it up.
And it basically goes around the question of when you are recording a meeting with lots of people in it, then obviously there is a cybersecurity risk, in that people may say things that they do not want recorded for later, but that you get to record anyway.
But what about the people who don’t say anything that is controversial or that matters if it were to be released, but nevertheless just happen to sit there on their laptop typing away?
Can you figure out what they’re typing on their keyboard?
When they press the S key, does it sound different from when they press the M key, and is that different from P?
What if they decide, in the middle of a meeting (because their computer’s locked or because their screen saver kicked in)… what if they decide suddenly to type in their password?
Could you make it out, say, on the other side of a Zoom call?
This research seems to suggest that you may well be able to do that.
DOUG. It was interesting that they used a 2021 MacBook Pro, the 16 inch version, and they found out that basically, for the most part, all MacBook keyboards sound the same.
If you and I have the same type of MacBook, your keyboard is going to sound just like mine.
DUCK. If they take really carefully sampled “sound signatures” from their own MacBook Pro, under ideal circumstances, that sound signature data is probably good enough for most, if not all other MacBooks… at least from that same model range.
You can see why they would tend to be much more similar than different.
DOUG. Luckily for you, there are some things you can do to avoid such malfeasance.
According to the researchers, you can learn to touch-type.
DUCK. I think they intended that as a slightly humorous note, but they did note that previous research, not their own, has discovered that touch-typers tend to be much more regular about the way that they type.
And that means that individual keystrokes are much harder to differentiate.
I’d imagine that’s because when someone is touch-typing, they’re generally using a lot less energy, so they’re likely to be quieter, and they’re probably pressing all the keys in a very similar way.
So, apparently touch-typing makes you much more of a moving target, if you like, as well as helping you type much faster, Doug.
It seems it is a cybersecurity skill as well as a performance benefit!
DOUG. Great.
And they noted that the Shift key causes trouble.
DUCK. Yes, I guess that’s because when you’re doing Shift (unless you’re using Caps Lock and you have a long sequence of capital letters), you’re basically going, “Press Shift, press key; release key, release Shift.”
And it seems that that overlap of two keystrokes actually messes up the data in a way that makes it much harder to tell keystrokes apart.
My thinking on that is, Doug, that maybe those really annoying, pesky password complexity rules have some purpose after all, albeit not the one that we first thought. [LAUGHTER]
DOUG. OK, then there’s some other things you can do.
You can use 2FA. (We talk about that a lot: “Use 2FA wherever you can.”)
Don’t type in passwords or other confidential information during a meeting.
And mute your microphone as much as you can.
DUCK. Obviously, for a sound-sniffing password phisher, knowing your 2FA code this time isn’t going to help them next time.
Of course, the other thing about muting your microphone…
…remember that doesn’t help if you’re in a meeting room with other people, because one of them could be surreptitiously recording what you’re doing just by having their phone sitting upwards on the desk.
Unlike a camera, it doesn’t need to be pointing directly at you.
But if you’re on something like a Zoom or a Teams call where it’s just you on your side, it is common sense to mute your microphone whenever you don’t need to speak.
It’s polite to everybody else, and it also stops you leaking stuff that you might otherwise have thought entirely irrelevant or unimportant.
DOUG. OK, last but not least…
…you may know her as Razzlekhan or the Crocodile of Wall Street, or not at all.
But she and her husband have been ensnared in the jaws of justice, Paul.
https://nakedsecurity.sophos.com/2023/08/04/crocodile-of-wall-street-and-her-husband-plead-guilty-to-giant-sized-cryptocrimes/
DUCK. Yes, we’ve written about this couple before a couple of times on Naked Security, and spoken about them on the podcast.
Razzlekhan, a.k.a. the Crocodile of Wall Street, in real life is Heather Morgan.
She’s married to a chap called Ilya Lichtenstein.
They live, or they lived, in New York City, and they were implicated or connected to the infamous Bitfinex cryptocurrency heist of 2016, where about 120,000 Bitcoins were stolen.
And at the time, everyone said, “Wow, $72 million gone just like that!”
Amazingly, after a few years of very clever and detailed investigative work by US law enforcement, they were tracked down and arrested.
But by the time of their arrest, the value of Bitcoins had gone up so much that their heist was worth close to $4 billion ($4000 million), up from $72 million.
It seems that one of the things that they hadn’t banked on is just how difficult it can be to cash out those ill-gotten gains.
Technically, they were worth $72 million in stolen money…
…but there was no retiring to Florida or a Mediterranean island in the lap of luxury for the rest of their lives.
They couldn’t get the money out.
And their efforts to do so created a sufficient trail of evidence that they were caught, and they’ve now decided to plead guilty.
They haven’t been sentenced yet, but it seems that she faces up to 10 years, and he faces up to 20 years.
I believe he is likely to get a higher sentence because he is much more directly implicated in the original hacking into the Bitfinex cryptocurrency exchange – in other words, getting hold of the money in the first place.
And then he and his wife went out of their way to do the money laundering.
In one fascinating part of the story (well, I thought it was fascinating!), one of the ways that she tried to launder some of the money was that she traded it out for gold.
And taking a leaf out of pirates (Arrrrr!) from hundreds of years ago, she buried it.
DOUG. That begs the question, what happens if I had 10 Bitcoins stolen from me in 2016?
They have now surfaced, so do I get 10 Bitcoins back or do I get the value of 10 Bitcoins in 2016?
Or when the bitcoins are seized, are they automatically converted to cash and given back to me no matter what?
DUCK. I don’t know the answer to that, Doug.
I think, at the moment, they’re just sitting in a secure cupboard somewhere…
…presumably the gold that they dug up [LAUGHTER], and any money that they seized and other property, and the Bitcoins that they did recover.
Because they were able to get back about 80% of them (or something) by cracking the password on a cryptocurrency wallet that Ilya Lichtenstein had in his possession.
Stuff that he hadn’t been able to launder yet.
What would be intriguing, Doug, is if the “know your customer” data showed that it was actually your Bitcoin that was the one that got cashed out for gold and buried…
…do you get the gold back?
DOUG. Gold has gone up too.
DUCK. Yes, but it hasn’t gone up anywhere near as much!
DOUG. Yes…
DUCK. So I wonder if some people will get gold back, and feel quite good, because I think they’ll have made a 2x or 3x improvement on what they lost at the time…
…but yet wish they got the Bitcoins, because they’re more like 50x the value.
So very much a question of “watch this space”, isn’t it?
DOUG. [LAUGHS] It is with great pleasure that I say, “We will keep an eye on this.”
And now it’s time to hear from one of our readers.
Strap in for this one!
On this article, Hey Helpdesk Guy writes:
“Razzlekhan” was the answer to a question during a cybersecurity class I took.
Because I knew that, I won a $100 hacker gift card.
No one knew who she was.
So, after the question, the instructor played her rap song and the entire class was horrified, haha.
Which prompted me to go look up some of her rap songs on YouTube.
And “horrified” is the perfect word.
Really bad!
DUCK. You know how there are some things in social history that are so bad they’re good…
…like the Police Academy movies?
So I always assumed that there was an element of that in anything, including music.
That it was possible to be so bad that you came in at the other end of the spectrum.
But these rap videos prove that is false.
There are things that are so bad…
[DEADPAN] …that they are bad.
DOUG. [LAUGHING] And this is it!
All right, thanks for sending that in, Hey Helpdesk Guy.
If you have an interesting story, comment or question you’d like to submit, we’d love to read it on the podcast.
You can email tips@sophos.com, you can comment on any one of our articles, or you can hit us up on social: @nakedsecurity.
That’s our show for today; thank you very much for listening.
For Paul Ducklin, I’m Doug Aamoth, reminding you until next time to…
BOTH. Stay secure!
[MUSICAL MODEM]
Gabriel
*Clack* *Clack* *Clack*
John, you only have a three-character password?
Paul Ducklin
In-keyboard programmable macros FTW :-)
(No, that is not a good idea because it leaves your plaintext password one accidental keycombo away from getting shoved into the wrong web form, into an email you’re typing, or into the source code comment you’re editing.)