
    SN 989: Cascading Bloom Filters - Key Card Backdoors, Fake Cisco Gear

    August 27, 2024
    What is a Chinese backdoor in RFID access key cards?
    How do cascading bloom filters improve certificate revocation detection?
    What risks are associated with counterfeit microelectronics in security systems?
    Why is thorough auditing crucial in the supply chain?
    What are the benefits of using bloom filter cascades for revocation?

    • Chinese backdoor, certificate revocation detection: New challenges in security emerge, such as Chinese backdoors in RFID access key cards and the use of cascading Bloom filters for instantaneous and local certificate revocation detection.

      The security landscape continues to evolve, as highlighted by the discovery of a Chinese backdoor in RFID access key cards and the implementation of cascading Bloom filters for certificate revocation detection. During this episode of Security Now, Steve Gibson and Leo Laporte delve into these topics, with Steve explaining the concept of cascading Bloom filters and their promise of instantaneous, local certificate revocation detection. The discussion also covers the "Most Epic Fail" award given to CrowdStrike's president and the discovery of a Chinese backdoor in RFID access key cards, which raises concerns about supply chain security. Listeners are encouraged to stay informed and take the necessary precautions to protect their systems and data.

    • Transparency and accountability in the tech industry: Accepting mistakes and demonstrating transparency can help rebuild trust in the tech industry. Ongoing security research and improvement are crucial to prevent and address vulnerabilities.

      Transparency and accountability are crucial in the tech industry, even in times of failure or error. This was demonstrated by CrowdStrike's president accepting the "Most Epic Fail" award at DEF CON for the faulty security update that caused widespread disruption. The gesture received praise from the cybersecurity community and shows that owning up to mistakes can help rebuild trust. Additionally, a security researcher discovered secret hardware backdoors in RFID key cards manufactured by Shanghai Fudan Microelectronics, highlighting the importance of ongoing security research and improvement. These incidents serve as reminders for companies to prioritize transparency, security, and continuous improvement.

    • RF access card backdoor: The discovery of a universal backdoor authentication key for RF access cards from various companies, including Infineon and Philips (now NXP), highlights the danger of outsourcing and importing proprietary microelectronics that cannot be readily audited, leading to potential damage to customers and networks.

      The discovery of a universal backdoor authentication key for RF access cards, which goes back as far as 2007, highlights the danger of outsourcing and importing proprietary microelectronics that cannot be readily audited. This backdoor capability was deliberately installed in supposedly secure access cards from various companies, including Infineon and Philips (now NXP). This is not just a theoretical threat but a real one that could lead to significant damage to customers and networks. The extreme integration of today's technology makes it difficult to audit the design and operation of chips, which makes it easier for counterfeiters to hide backdoors. The case of a CEO charged with selling counterfeit Cisco devices to government and health organizations illustrates this risk. The ease with which these devices were passed off as genuine highlights the importance of thorough auditing and verification processes in the supply chain; the consequences of skipping them could be significant damage and compromise of critical networks.

    • 1Password Extended Access Management: 1Password's solution brings unmanaged devices, apps, and identities under control, ensuring secure sign-ins and strong user credentials, while tools like SpinRite help restore SSD performance degraded by the read-disturb issue.

      As more and more devices and apps are used outside of IT's control, traditional security solutions fall short. 1Password Extended Access Management offers a solution by securing every sign-in for every app on every device, bringing unmanaged devices, apps, and identities under IT's control. This ensures that every user credential is strong and protected, every device is known and healthy, and every app is visible. This is especially relevant for companies that use identity providers like Okta, Microsoft Entra, or Google Workspace. Separately, tools like SpinRite can help restore the performance of SSDs affected by the problem known as read disturb: reading neighboring regions disturbs the charge levels stored in the bit cells, and the resulting error correction makes the drive slow. By rewriting all the data, SpinRite's Level 3 restores the drive to its original factory speed.

    • Data breach websites: Check multiple sources for accurate information on data breaches and be persistent in searching for personal data. Not all websites are created equal, and some may intentionally make the process difficult to discourage users from freezing their credit.

      It's essential to be aware of potential confusion between similar entities, such as Bing and Microsoft Edge, and to double-check sources for accuracy. Another important lesson is that not all data breach search websites are created equal. The National Public Data breach search facility at pentesters.com requires users to choose a U.S. state, which may exclude non-U.S. listeners. A different site, NPD breach.com, allows users to check their information using their name and address or Social Security number, with the data hashed locally in the browser for privacy. It's crucial to check multiple sources and be persistent in searching for one's information on data breach websites. Additionally, some websites, like TransUnion's, may intentionally make the process of freezing credit difficult to discourage users from doing so. Overall, staying informed and vigilant about data breaches and taking appropriate steps to protect personal information is key.

    • Security Now podcast: Listeners find value in the Security Now podcast's clear explanations of complex IT concepts, even as technology advances, and recommend starting from the beginning for full context.

      The Security Now podcast, with its in-depth explanations of complex IT concepts, has been a valuable resource for listeners, even as technology has advanced. Darren from New South Wales, Australia, shared his experience of listening to the podcast from the beginning and finding the older episodes just as relevant today. He also praised the podcast's ability to make abstract concepts understandable and has used its examples in his work as an RF engineer. His feedback highlights the enduring value of the podcast and the importance of clear, accessible explanations in the ever-evolving field of IT. He also suggested that newcomers should start from the beginning to fully appreciate the context and progression of the topics covered. The podcast's archives are readily available online, making it easy for listeners to explore the history of Security Now.

    • Bloom filters and Experts Exchange: Bloom filters allow efficient set membership testing at the risk of false positives, but cascading Bloom filters eliminate those false positives, making the technique widely used in many fields.

      After a sponsor segment for Experts Exchange, described as a safe space for humans to share knowledge without fear of corporations harvesting it, the discussion turns to Bloom filters. A Bloom filter, a probabilistic data structure invented in 1970, tests whether an element is a member of a set with high efficiency, but at the risk of false positives. A cascade of Bloom filters, however, can eliminate those false positives. Bloom filters are widely used in fields such as content delivery networks and databases to increase performance and efficiency. Experts Exchange is offering a free 90-day trial for users to explore its platform.

    • Certificate revocation solutions: Mozilla's new technology CRLite uses Bloom filters and combines certificate transparency data and internet scan results to provide a reliable, easy-to-verify, and easy-to-update solution for certificate revocation, addressing issues with unreliable OCSP and large, ineffective CRLs, and improving performance and security.

      Mozilla is developing a new technology called CRLite, which uses Bloom filters and combines certificate transparency data with internet scan results to compress and effectively manage certificate revocation information. This is a response to the problems with the unreliable Online Certificate Status Protocol (OCSP) and with large, ineffective certificate revocation lists (CRLs). Mozilla's goal is a reliable, easy-to-verify, and easy-to-update solution for certificate revocation, which is currently being implemented in Firefox Nightly. The benefits include faster performance, since local look-ups replace network queries, and improved security, since an adversary can no longer block OCSP to achieve their ends. CRLite has the potential to replace OCSP and address the concerns with current certificate revocation mechanisms. Additionally, Mozilla has expressed concerns about relying on certificate authorities' revocations and the potential for censorship, and is considering its own role in the web PKI security model.

    • Bloom filters: Bloom filters are a space-efficient method for checking large sets for membership, using a deliberately lossy system that sets multiple bits derived from a certificate's hash, so that a lookup can reveal a probable match but never the exact certificate.

      Bloom filters, like cryptographic hashing, are a deliberately lossy system for testing whether an element is a member of a set, built on a large array of binary bits. The array starts with every bit set to zero; in the simplest form, the lowest 20 bits of a certificate's thumbprint hash select a single bit in the array, which is set to one. Because of collisions, where different certificates share the same lower 20 bits, fewer bits than expected will be set after a large number of certificates have been added. To mitigate this inefficiency, Bloom realized that multiple bits could be set for each certificate by using successive 20-bit pieces of its thumbprint. Adding many certificates this way leaves about half the bits set, and a lookup that finds all of a certificate's bits set indicates only that the certificate, or something colliding with it on every one of those bits, was added: the filter can answer "definitely not present" or "probably present", but never identifies the exact certificate. This system, while not perfect, offers a space-efficient way to check large sets of data for membership.

    • Bloom filters and ITPro: Bloom filters offer near-instant go/no-go determinations, resulting in significant efficiency gains by compressing data 25 times more than storing it in a simple list.

      ITPro from ACI Learning, the episode's sponsor, offers an efficient and engaging way to get IT-certification-ready through access to a vast library of up-to-date training, passionate trainers, practice tests, and virtual labs in its premium plans. Returning to Bloom filters: they offer near-instant go/no-go determinations, despite the possibility of occasional false positives. This trade-off yields significant efficiency gains, as the same data can be compressed 25 times more with a Bloom filter than by storing it in a simple list. Overall, ITPro provides an excellent solution for those looking to start or advance their IT careers with effective, engaging, and efficient training.

    • Bloom filter cascade for certificate revocation: A Bloom filter cascade uses multiple levels to ensure zero false positives for certificate revocation checks, allowing efficient and accurate revocation checking with a small local classifier and regular updates from a central server.

      Bloom filters offer an efficient and rapid way to test whether an element is a member of a large set, as long as false positives are tolerable. For certificate revocation, however, zero false positives are required. To achieve this, a Bloom filter cascade is used, with each level trained on a different set of certificates: the first level on the revoked certificates, the second on the valid certificates that the first level falsely identified as revoked, and the third on the revoked certificates that the second level in turn falsely matched, so that a lookup walks the levels until one of them rules the certificate out. This three-level Bloom filter cascade allows efficient and accurate certificate revocation checking, with a small local classifier in the browser and regular updates from a central server. Despite the complexity, this approach is a significant improvement over traditional methods like OCSP and provides both low latency and total privacy for certificate revocation checks, since no query ever leaves the browser.
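      The two Bloom filter passages above (the slicing of a thumbprint into fixed-width bit positions, and the cascade trained alternately on revoked and valid certificates) in working form, as an added example that is not code from the podcast or from Mozilla's CRLite. It assumes a level-number salt so each level uses independent bit positions, and stands in for certificates with constructed byte strings; the filter width is kept small (2^10 bits) so the cascade visibly needs more than one level.

```python
import hashlib

# Added example, not the podcast's or Mozilla's code. Models the episode's
# description: a bit array indexed by successive fixed-width slices of a
# certificate's thumbprint, then a cascade of such filters trained alternately
# on the revoked and valid sets until a level produces no false positives.

class BloomFilter:
    """One level: 2**bits bits, k slices of a level-salted SHA-256 digest per item."""

    def __init__(self, bits: int, k: int, level: int):
        self.bits, self.k, self.level = bits, k, level
        self.array = bytearray((1 << bits) // 8)  # every bit starts at zero

    def _positions(self, thumbprint: bytes):
        # Salting with the level number gives each level independent positions
        # (an assumption here; the episode only describes slicing the thumbprint).
        digest = hashlib.sha256(bytes([self.level]) + thumbprint).digest()
        h = int.from_bytes(digest, "big")
        mask = (1 << self.bits) - 1
        return [(h >> (i * self.bits)) & mask for i in range(self.k)]

    def add(self, thumbprint: bytes) -> None:
        for p in self._positions(thumbprint):
            self.array[p >> 3] |= 1 << (p & 7)

    def __contains__(self, thumbprint: bytes) -> bool:
        return all(self.array[p >> 3] & (1 << (p & 7)) for p in self._positions(thumbprint))


class RevocationCascade:
    """Level 1 holds the revoked certs, level 2 the valid certs level 1 falsely
    matched, level 3 the revoked certs level 2 falsely matched, and so on. Exact
    only for certs in the training universe, hence CRLite's need for CT data."""

    def __init__(self, revoked, valid, bits: int = 10, k: int = 2):
        self.levels = []
        include, exclude = set(revoked), set(valid)
        level = 1
        while include:
            bf = BloomFilter(bits, k, level)
            for tp in include:
                bf.add(tp)
            self.levels.append(bf)
            # The next level must rule out exactly what this level wrongly admits.
            include, exclude = {tp for tp in exclude if tp in bf}, include
            level += 1

    def is_revoked(self, thumbprint: bytes) -> bool:
        # The first level that misses settles the answer: odd levels were trained
        # on revoked certs, so missing an odd level means "not revoked".
        for i, bf in enumerate(self.levels, start=1):
            if thumbprint not in bf:
                return i % 2 == 0
        return len(self.levels) % 2 == 1  # matched every level: in the last set


def thumbprint(cert: bytes) -> bytes:
    return hashlib.sha256(cert).digest()


def demo(n_revoked: int = 100, n_valid: int = 1000):
    """Constructed universe of stand-in certs; returns (levels, cascade bytes,
    bytes a plain list of 32-byte thumbprints would need)."""
    revoked = [thumbprint(b"revoked-cert-%d" % i) for i in range(n_revoked)]
    valid = [thumbprint(b"valid-cert-%d" % i) for i in range(n_valid)]
    cascade = RevocationCascade(revoked, valid)
    assert all(cascade.is_revoked(tp) for tp in revoked)    # no false negatives
    assert not any(cascade.is_revoked(tp) for tp in valid)  # no false positives
    return len(cascade.levels), sum(len(bf.array) for bf in cascade.levels), 32 * n_revoked
```

Calling demo() builds the cascade, checks every training certificate against it, and returns how many levels were needed and how the cascade's size compares with a plain list of thumbprints.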

    • Bloom filters: Bloom filters are a technology proposed in the 1970s that puts the heavy calculation on the server side so that errors are filtered out with minimal client-side processing. They are a potential solution for data filtering (and, jokingly, for conversation termination). Steve Gibson, an expert in this field, offers resources on his website, GRC.com.

      Google could quickly adopt the same technology, since the Bloom filter cascade relies on server-side calculation to provide instantaneous results with minimal client-side processing. The cascade filters out its own errors using a clever algorithm that requires only a few layers to guarantee accuracy. The underlying technology was first proposed in the 1970s and has since been refined. Steve Gibson, the show's co-host, offers various tools and resources related to Bloom filters and other computer science concepts on his website, GRC.com. The technology has potential applications in many fields, including data filtering and, as the hosts quip, terminating conversations at social events. Gibson's company, Gibson Research Corporation, offers several tools and utilities that enhance mass storage performance and provide security features. The podcast also notes that the full archive, including audio and transcripts, is available on both the podcast's website and Gibson's website. The podcast is recorded every Tuesday and can be watched live on platforms including Twitch, Discord, and YouTube.

    Episode topics for SN 989: Cascading Bloom Filters - Key Card Backdoors, Fake Cisco Gear
    • CrowdStrike Exec's "Most Epic Fail" Award
    • Hardware backdoors discovered in Chinese-made key cards
    • Counterfeit CISCO networking gear
    • SpinRite
    • Errata
    • NPD breach updates from listeners
    • Looking back at old SN episodes
    • Cascading Bloom Filters

    Show Notes - https://www.grc.com/sn/SN-989-Notes.pdf

    Hosts: Steve Gibson and Leo Laporte

    Download or subscribe to this show at https://twit.tv/shows/security-now.

    Get episodes ad-free with Club TWiT at https://twit.tv/clubtwit

    You can submit a question to Security Now at the GRC Feedback Page.

    For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6.
