image of breaking badness
Breaking Badness
Breaking Badness

165. Gorillas in the NIST

Coming up this week on Breaking Badness: A Mammoth Scam, I Get the NIST of It, and Gold, Guidance, and Grievances.

Here are a few highlights from each article we discussed:

A Mammoth Scam

  • We’re looking at an analysis of a Telegram bot that helps cybercriminals scam people on online marketplaces
  • These tools are easy to use and the actors use their charm to gain the trust of their victims
    • With LLMs, bad actors will likely scale their ability to charm victims in the future 
    • With generative images, there will likely be an increase in fake documents and harder to discern what’s legitimate 
  • Telekopye
    • The ESET team is coming in with teams that have been around for a while – it’s been around since 2015
    • The name is a portmanteau of telegram and ‘kopye’ which is the Russian word for spearphishing 
    • The targets are primarily Russian as it stands now 
    • It does a good job of showing places to pop in credit cards 
  • What exactly does the toolkit do?
    • It’s got a lot of levels of access for people using it – there’s admin people doing the technical work and building the templates to intercept credit card payments
    • They you have the scammers – they’re called ‘Neanderthals’ and then those who are being scammed are called ‘Mammoths’ 
    • They’re spoofing different marketplaces to find targets and then they develop the phishkit based on the platform they’re using 
    • Sometimes they target people with fake items or fake purchases 
    • There’s a whole section on how the scammers get paid – they get a cut of what is stolen and when they hit a certain level of scamming they get paid out 
    • This platform allows these folks to level up 
    • Is this process of payment different than what we’ve seen before – it’s pretty complex
      • It’s how the technical folks want to interact with the scammers – they want levels in between them 
      • They have people considered higher reputation and this allows them to automate their processes and scale out 
  • Can a mammoth avoid being scammed by a neanderthal
    • It’s sophisticated – they can do SMS phishing, they can do image generation, there’s experimental features like QR support
    • In terms of tips – don’t do your purchases in these unofficial channels – do you business offline as much as possible 
    • Easiest way to tell is looking at the language, but that might not be great advice 6 months from now

I Get the NIST of It

  • Publication of the first draft PQC (Post-Quantum Cryptography) standards opens a 90-day period for public comment and paves the way for interoperability testing
  • NIST (the National Institute of Standards and Technology) very recently published three of the four algorithms the standards body selected last year – why is this such an important milestone?
    • It has to do with a train we’ve seen coming down the ole cryptographic track for some time now, with RSA and elliptic curve being the damsels tied to the rails: the notion that quantum computing renders current encryption algorithms endangered species because breaking current encryption with standard computing would take many years (thousands in some cases), will be able to be done in trivial amounts of time with quantum computing – relatively speaking
    • One estimate is that a sufficiently large and fault-tolerant system could break RSA in 104 days of compute time. That may seem like a long time to wait, but a) it’s not, when you consider what’s being done, and b) that number obviously will shrink as quantum platforms mature
  • It’s noted that the release of the draft standard opens 90 days for public comment – what sort of feedback are they hoping to receive
    • Our assumption is that there is a pretty small population of humans that are qualified to provide meaningful technical feedback on these algorithms; there just aren’t that many top-flight cryptographers to begin with, and then you take the slice of those that are able to work with the kinds of algorithms that are under review and it’s just not a ton of folks
    • But as with any standards, they want more sets of eyes on them to find potential weaknesses or compatibility problems that the developers thus far have not identified
  • These draft standards mean that engineers can now start working on prototypes of various capabilities – like how secure email and the implementation of TLS might work in the future – why is this so important and why couldn’t they start these prototypes before these draft standards were released?
    • It’s not a super huge stretch to say that a lot of how society works presently is tied intimately to the integrity of secure communications, which is to say essentially unbreakable cryptography (just talking about brute-force attacking the algorithms, not talking about running password dumps and dictionary attacks and such)
    • Once the current crypto standards are not safe to use, either we’re going to have new ones that are, or we’re going to have some major problems. So it really is like that train coming at us – the sooner we can get started on real-world implementation of the post-quantum crypto algorithms, the safer we are from being run over by the 3:10 to Yuma
  • Competitors and friends are coming together to ensure their reading on the standards match – how often do competitors come together to ensure agreeability on these matters?
    • Whenever they’re sufficiently freaked out, but also whenever their place in the ecosystem is under threat
    • Any one organization could win the horse race, but if they’re the only ones at the dance, it’s not much of a dance, because as much as the big players (google, MSFT, Apple, etc) would love to have a lock on all computing, they don’t—interoperability is critical
    • Tim also thinks that among the western nations, all of these competitors recognize that they have a competitor in common—China. So he thinks a certain amount of the cooperation is acknowledging that they’re in the same boat in some ways
  • There’s a debate on when quantum computing capabilities could surface – some say within the next decade and others say sooner
    • The big unknowns in this are the national-security-level efforts by government research in the major powers—they’re not going to say as much about how far along they are as the private sector companies who will be competing on the basis of demand for quantum processing
    • So on that latter point, IBM released a quantum computing roadmap earlier this summer that looks out to 2026, and by that time they say that they aim to get to the scale of 10,000 to 100k qubits; to put that in perspective, most of the processors being produced now are in the range of a few dozen qubits
    • (The qubit is the fundamental unit of quantum computing, analogous to the bit in conventional computing)
    • And IBM says they have developed their first quantum-safe mainframe system to employ quantum-safe cryptography, something they call the z16. Now if Tim’s being pedantic, sooner than within the next decade is still within the next decade, so put me in camp “less-than-a-decade.” There’s speculation that China is already using quantum computing, and while he thinks that’s premature, in October of 2022, a Chinese team did report that its light-based Jiuzhang 2 processor could complete a task in one millisecond that a conventional computer would require 30 trillion years to finish—that’s according to an article in DefenseOne
    • These speed stunts, he has to note, are not the same as practical application, so the machines currently being developed are platforms for solving the problems that stand in the way of practical quantum computing, rather than platforms for doing applied work. Still, we’re looking at, from what he’s reading, not a lot of years
    • It does mention in the article that Adi Shamir (who is the S in RSA) thinks we’re still 30 years out, but he’s acknowledged as something of an outlier among the major pundits on this
  • The NSA had issued an order mandating government agencies to ensure their systems are migrated to the NIST-selected quantum-resistant algorithms by 2035 – what are the ramifications of not migrating?
    • It depends on how right he is in his earlier prediction—if practical quantum computing, with RSA-busting power, is available sufficiently widely before 2035, then we’ll need a radical rethinking of electronic security paradigms, because what can’t happen is that we live for a while in a world where encrypted transmissions can routinely be cracked
    • The implications on national security, economic stability, privacy, and a host of other issues are pretty grim to contemplate. It’s like if you had a planet that was good for sustaining life and then you started burning everything and heating up that planet to a point where it would become unlivable, and not doing anything about it until it was too late. Obviously that’s farfetched, but….oh wait…

This Week’s Hoodie/Goodie Scale

A Mammoth Scam

[Taylor]: 3.14/10 Hoodies
[Tim]: 3/10 Hoodies

I Get the NIST of It

[Taylor]: 10/10 Goodies
[Tim]: 5/10 Goodies

That’s about all we have for this week, you can find us on Twitter @domaintools, all of the articles mentioned in our podcast will always be included on our podcast recap. Catch us Wednesdays at 9 AM Pacific time when we publish our next podcast and blog.

*A special thanks to John Roderick for our incredible podcast music!