Robins Newsletter #104

14 June 2020. Volume 3, Issue 24
Snowstorm in a Dark Basin: Citizen Lab, MDR Cyber shine light on hackers for hire. Babylon Health breach and lessons from Apple, Amazon, and Google. How far do you go to protect against cyber-harm on your platform?

It’s the Open Security Summit this week and I’ll be presenting on the CISO and Risk Management and Threat Modelling tracks, along with Phil Huggins.

No surprises, it’s virtual, and it’s not too late to get a ticket for the whole week (£50, or FREE for students, charities and Ladies Hacking Society members!)

This week

Snowstorm in a Dark Basin: commercial espionage

Cyber-espionage is often aligned to national interests, with stories and incidents attributed to foreign intelligence services and so-called Advanced Persistent Threat (APT) actors.

This week a report by Citizen Lab shines a light on the growing world of hackers-for-hire and a group they have dubbed ‘Dark Basin’ that operates on an industrial scale.

One part of the group’s hacking infrastructure, a URL shortener, was enumerated and showed over 28,000 pages tailored for different spear-phishing campaigns.

Dark Basin (aka Snowstorm) has been linked to an Indian company called BellTroX InfoTech. A director of BellTroX, Sumit Gupta, was indicted, along with four U.S. private investigators, on similar charges in 2015.

The group targeted anyone and everyone: from government officials and political candidates to financial services firms to pharmaceutical companies. Citizen Lab took up the investigation after finding the group was also targeting individuals including campaigners and journalists covering issues on civil rights, climate change and net neutrality.

Fortunately (for the investigation) the techniques and skill used by Dark Basin were simple. That made it easier to identify and track their activities.

The report highlights those campaigning against ExxonMobil and against German financial services firm Wirecard AG, which is being investigated for fraud.

It’s a worry that the corporate resources available to these companies can be turned on individuals. That is where the MDR Cyber team expand on Citizen Lab’s report: they provide insight into a case they have been involved with for one of their clients, Matthew Earl, a financial analyst holding a ‘short’ position against a large corporate.

“The receipt of aggressive legal correspondence, targeted physical surveillance and sophisticated digital hacking are each, at a singular level, stressful enough. However, the sudden and coordinated combination of all three was traumatising for my family and myself. Especially in light of the scale and significant resources that were used.”

There are a few contexts in which to consider this story:

  • As a company (victim), where the threat of commercial corporate espionage may be higher than you think.
  • As an individual (victim), particularly vocal campaigners or journalists, who lack the significant resources of a large corporation.
  • As a company (source), where you may not necessarily be knowingly sanctioning the action, but as a by-product of investigations you commission via investigators.

For victims, it is concerning that deep corporate pockets may be funding such campaigns, especially where the victims are individuals.

For companies commissioning investigations, it’s important to consider how you may be the source of this action and the risk of an ‘errant investigator’. That is, after all, where the demand stems from.

Citizen Lab has shared details with the targets of Dark Basin as well as the U.S. Department of Justice.

@jsrailton tweets.

Interesting stats

This is interesting against a backdrop of poorly secured AWS S3 buckets, MongoDB and ElasticSearch instances. This research casts doubt on the ‘no evidence of compromise’ statements that often accompany remediation of these misconfigurations:

18x a day: how often an unsecured ‘honeypot’ ElasticSearch database containing fake personal information was attacked, including a dozen attacks before it was indexed by search engines

Antivirus companies have done a pretty good job of adding in detection for vile stalkerware apps used to spy or further domestic abuse (something up 40% through 2019):

75% - 95% detection rate for antivirus apps on Android 9 and 10, up from just… 30% in November 2019, according to AV-Comparatives and the Electronic Frontier Foundation

Other newsy bits

Babylon Health & risk avoidance

Babylon Health announced a data breach this week when it came to light that a user of their virtual GP app was able to see video recordings of other patients’ consultations.

Thankfully it does not appear to have been exploited for malicious purposes and has quickly been rectified.

If you’re going to store videos of users’ sensitive information, consider digital rights management, or an encryption scheme so that, if your access controls fail (as they seem to have done in this instance), other users may see metadata but cannot access the content. After all, WhatsApp can end-to-end encrypt messages to prevent third parties (like the FBI) from reading their content. Similar protections must be considered for such sensitive personal information.
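As an added illustration of that design (example code written for this newsletter, not Babylon’s, with a hypothetical record layout and AES-GCM standing in for whatever scheme a real service would pick): each consultation is sealed under a per-patient key, so a record wrongly served to another user yields its title but not the video.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
)

// Record is a hypothetical stored consultation: Title is clear-text metadata,
// Sealed is the video body encrypted under the owning patient's 256-bit key.
type Record struct {
	PatientID, Title string
	Nonce, Sealed    []byte // AES-GCM nonce and ciphertext of the video
}

func aead(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts body under key, binding the patient ID as associated data so
// a sealed record cannot be quietly re-attributed to another patient.
func Seal(key []byte, patientID, title string, body []byte) (Record, error) {
	gcm, err := aead(key)
	if err != nil {
		return Record{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Record{}, err
	}
	return Record{patientID, title, nonce, gcm.Seal(nil, nonce, body, []byte(patientID))}, nil
}

// Open decrypts with the caller's key. A caller wrongly handed another
// patient's record (the failure described above) gets an error, not the video;
// only the clear-text metadata is exposed by the broken access check.
func Open(key []byte, r Record) ([]byte, error) {
	gcm, err := aead(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, r.Nonce, r.Sealed, []byte(r.PatientID))
}
```

Keys here are per patient; in practice they would live in a KMS and be released only after the access check, so that the check and the cryptography fail independently.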

Taking a step back though it also stands out as an example of where ‘risk avoidance’ decisions can be made during product development:

There is no doubt that video calling is useful for facilitating ‘virtual’ GP appointments and aiding in diagnosis. That functionality does not, in itself, mean you need to record the session. Recording is not without user benefit, perhaps for those who find talking to a doctor stressful, or who struggle to remember lots of information. However, written notes from consultations are a common feature of such apps (and, of course, of physical GP appointments!) and storing video recordings adds an extra dimension to the risk assessment of the service.

“Your scientists were so preoccupied with whether or not they could that they didn’t stop to think if they should.” — Dr Ian Malcolm (Jurassic Park 😁)

The real reason to push for video recordings is perhaps not for a direct user benefit at all: Babylon Health describes their technology as an ‘artificial intelligence’ that has “been designed around a doctor’s brain.”

Artificial intelligence (AI) needs ‘training data’ to help it understand the context and judgements it is expected to make. Training requires a data set of how doctors’ brains work.

Training AI is one thing that Apple, Amazon, Google and Microsoft know all too well, having repeatedly been in the news last year after the outcry over contractors listening to and transcribing private conversations with their voice assistants (vol. 2, iss. 15; vol. 2, iss. 31).

Babylon’s privacy policy tells us as much, and how ‘with consent’ personal data is used to ‘build a better Babylon.’ “Data improves the performance of our artificial intelligence” it states, continuing “we use a number of service providers who act as data processors on our behalf.”

Given the backlash over voice assistants, I wonder how many of Babylon’s users realise they are being used to create a Star Trek style Emergency Medical Hologram?

Facebook helped the FBI to hack one of their users

Strap yourself in for a long read from Lorenzo at Motherboard as they delve into a case where Facebook paid a cybersecurity firm ‘six figures’ to develop an exploit for the FBI to target one of their users.

The target was Buster Hernandez, now a convicted paedophile, who pled guilty to 41 counts of producing child pornography, coercion and enticing a minor.

There is no doubt that Hernandez is a persistently abhorrent character (admitting to his victims he wanted to be “the worst cyberterrorist who ever lived.”)

The involvement of commercial organisations in developing zero-day exploits for law enforcement, military and foreign intelligence purposes is also well established.

This is, to my knowledge, the first time a platform has commissioned such action to support law enforcement and protect the users on its platform. Particularly as the vulnerability was developed for third-party software: the Tails operating system used by Hernandez (now patched).

Let me know what you think by voting in my poll, “Is it right for companies like Facebook to aid law enforcement in ‘lawful hacking’ of their users?”, on LinkedIn and Twitter.

As more and more of our lives transition online or are facilitated by online services, more examples come to light of how platforms, such as Facebook, are being misused or abused beyond their intended purpose.

Product risk assessments should consider not just the confidentiality, integrity and availability of data, but a wide range of harms.

The U.K. government put the Age Appropriate Design Code before Parliament this week, in which the Information Commissioner’s Office sets out guidelines for those developing digital services for children (PDF).

In brief

Attacks, incidents & breaches

  • Honda forced to ‘suspend global production’ after suspected ransomware incident. Honda achieved revenues of JPY ¥15.4tn in 2018
  • Suspected Chinese hackers were inside Australia’s A1 Telecom for six months, made “very specific [database] queries of location, phone numbers and other customer data for certain private A1 customers”
  • Staying down under, shortages of Guinness and Corona are forecast after brewer Lion suffered a ransomware attack. Some have theorised the “attack may have been linked to the takeover of Lion by a Chinese firm,” presumably to drive the price down
  • U.S. insurance company Genworth admits data breach after agent credentials were used to steal 1,600 customers’ data

Threat intel


  • New side-channel speculative execution flaws in Intel CPUs dubbed SGAxe and CrossTalk
  • Issues that would let an attacker ‘scan network traffic’ and ‘steal session cookies’ in D-Link routers patched by the vendor
  • ‘High’ scoring vulnerability found in ConnectWise’s Automate product, used by many IT outsourcers

Security engineering

  • A long read through the looming issues of legacy certificate authorities from Scott Helme. It’s a problem not only for ageing IoT devices that may not be receiving updates, but also for developers (like the BBC) who have to support such devices right now

Internet of Things

  • It took just three days for this honeypot ICS network to be filled with ransomware
  • U.S. Department of Homeland Security will ‘use data analytics, enhanced training, and better technology’ to better protect industrial control systems


  • IBM is getting out of the facial recognition business and “will not condone uses of any technology, including facial recognition technology offered by other vendors, for mass surveillance, racial profiling, violations of basic human rights”

And finally

Lightbulb moment

Not strictly cyber, however the folks at Israel’s Ben-Gurion University have added another piece of eavesdropping research to their bow. This time they reproduced conversations by observing the vibrations of a lightbulb hanging in a room 25 metres away. The technique, dubbed ‘Lamphone’, follows hot on the heels of other novel techniques to exfiltrate data, including using flicker in LCD displays (vol. 3, iss. 6) and the fans in air-gapped PCs (vol. 3, iss. 16). The equipment cost less than $1,000 and, after processing, the recordings were good enough to use with Google’s speech-to-text API and Shazam’s music identification service.
