Home / Robin's Newsletter

Robins Newsletter #107

 Vol. 3  Iss. 27  05/07/2020, last updated 12/07/2020   Robin Oldham  ~7 Minutes

This week

Encrochat and evolving law enforcement tactics prove there is a different want to encryption backdoors

Details of the pan-European law enforcement operation that took down an encrypted phone service (vol. 3, iss. 25, 26) came to light this week.
 French authorities infiltrated the EncroChat mobile network operated popular among organised criminal gangs. Over 60,000 people used the service, that cost €1,000 for a customised Android handset with the microphone and GPS disabled, and then €1,500 for a six-month subscription. Over 10,000 EncroChat users were in the United Kingdom.
 The French operation installed malware on thousands of EncroChat handsets to gain access to messages being sent and received on the devices at either end of the encrypted messaging service and gather other intelligence.

Vice Motherboard has a great writeup of the operation that has already led to over 800 arrests across Europe, 8 tonnes of cocaine being seized in the Netherlands, synthetic drug labs being dismantled, and over £70 million in cash seized.

Access to the messages used for ‘command and control’ and many European organised crime gangs is obviously a huge intelligence boon for law enforcement. The full extent of the will take many years to be realised as millions of messages are analysed and acted on. Many defendants are expected to claim the evidence against them — obtained via mass hacking — is not legally admissible.
 I think it is also a hugely important development in the policy debate around encryption backdoors. Especially in the United States where legislation reached the Senate this week that can be used to force tech companies to undermine encryption techniques in order to comply with warrants (CNET).
 The Eliminating Abusive and Rampant Neglect of Interactive Technologies Act, aka EARN IT, focusses on the preventing harms against vulnerable children by online predators — obviously something that any policymaker should be in favour of — however, the way they are approaching that goal is to create disincentives for tech companies to implement end-to-end encryption, or to introduce encryption backdoors that would allow access to anyone’s communications.

It is naive to assume backdoors will not remain unknown to criminals and other bad actors. Corruption within agencies or corporations is not insignificant and much of today’s digital business relies on being able to trust the confidentiality and integrity of online transactions. Introducing such vulnerabilities into the system flies in the face of other government calls for improving cyber resilience.

The French operation against Encrochat proves that an encryption backdoor is not required and that there is a force-multiplier for gaining access to a whole system, something hugely more beneficial than ‘tapping individual communications.’
 Far more than the introduction of encryption has changed in the world of communications too. The telephone, fax and mail services of 50 years ago have given way to thousands of messaging applications. The idea that encryption across all of these apps, with developers from widely differing countries and jurisdictions, can be controlled is, I think, absurd.

Instead, law enforcement does need to move with the times not by trying to apply legacy lawful access techniques to modern systems but by updating their own tactics, techniques and procedures to match a world of commodity platforms and communication ecosystems.
 Criminal enterprises, especially those conducting cyber-crime, have been quick to adopt agile practices and build such ecosystems and platform businesses. They leverage new technologies to operate at increasing scale. You don’t tackle those with individual warrants: you tackle the systemic elements that act as the force-multipliers.

Many competing services are clamouring to fill the void left by Encrochat and no-doubt criminals will not revert to being so care-free in the way they communicate on replacement services. That, in part though, is part of the victory for law enforcement here: disrupting operations and increasing the cost to criminals.

europa.eu, bbc.co.uk, vice.com, cnet.com

Interesting stats

47% of MongoDB instances, left online without a password, are being ransomed in an example of automated attacks zdnet.com

Organisations that have more than 50 security tools self-reported a -8% ability to detect security incidents, and -7% ability to respond to security incidents, according to a study of 3,400 IT and security professionals by Ponemon for IBM Security ibm.com

Other newsy bits

Natanz explosion draws suggestions of ‘Stuxnet 2’

An explosion at the Natanz uranium enrichment facility, one of the main nuclear sites in Iran, has drawn speculation of a cyber-attack. It’s the same facility that was the subject of American and Israeli Stuxnet cyber-attack that was uncovered over ten years ago. Unconfirmed reports from both Iran and Israel claim it to be the result of another cyber-attack, though Occam’s razor suggests a run-of-the-mill accident from human or process error to be a more plausible cause. It’s really too early to tell, though given the rising tensions between Israel, Iran and the United States, is definitely one to keep an eye on. forbes.com

Is efficiency the opposite of resilience?

An interesting essay on efficiency and resilience in systems:

“This drive for efficiency leads to brittle systems that function properly when everything is normal but break under stress.” — Bruce Schneier

qz.com

The ABCDE of data protection for orgs collecting customer data to re-open safely

Some clear and straightforward guidance from the UK Information Commissioner’s Office for organisations that have to collect personal information to support contract tracing:

  • Ask for only what is needed
  • Be transparent with customers
  • Carefully store the data
  • Don’t use it for other purposes (e.g. marketing!)
  • Erase it in line with government guidance

ico.org.uk

Are IoT regulations focussing at the wrong end of the chain?

In a paper published by the Atlantic Council, Nathaniel Kim, Trey Herr, and Bruce Schneier suggest that Internet of Things (IoT) technical standards have been focussing at the wrong end of the supply chain. Instead of starting at the source and regulating or certifying manufacturers, that are frequently in other countries and supplying products into many different regulatory regimes, the responsibility of products being up to scratch should be borne by the distributor. Typically, they argue, distributors have operations that are within the same legal and regulatory framework of the country they operate in. By applying pressure to the good they can sell, this will trickle back up to the source and products being designed and manufactured. Be that nanny cams, fridges, or any other connected device. atlanticcouncil.org, lawfareblog.com

In brief

Attacks, incidents & breaches

  • The BBC witnessed negotiations between the University of California San Francisco and Netwalker criminal gang as they agreed to pay $1.14M in ransom attack bbc.co.uk

Threat intel

  • Technical writeup of how a Trickbot infection evolved into a Ryuk ransomware deployment over two weeks sentinelone.com
  • ThiefQuest ransomware targets MacOS, includes key logger to grab passwords, payment card details wired.com, bleepingcomputer.com

Vulnerabilities

It’s been a busy week for US Cyber Command and firewall providers:

… both allow for remote code execution over the Internet. If you have either Palo Alto or F5 firewalls, check and apply the update ASAP!

  • Not wanting to be left out, a cross-site scripting bug in Cisco’s small business VPN routers can result in similar takeover, though requires an administrator to click on a malicious email link theregister.com
  • Guacamole, open-source remote desktop software from Apache, vulnerable to credential compromise and hijacking theregister.com

Security engineering

  • National Security Agency guidance on deploying IPSec VPNs securely defense.gov (PDF)

Internet of Things

  • EKANS ransomware targeting Industrial Control Systems fortinet.com

Public policy

  • Federal Communications Commission (FCC) names Huawei, ZTE ‘national security threat’ preventing $8.5BN ‘Universal Service Fund’ from being spent with the Chinese companies as US carriers upgrade their infrastructure techcrunch.com

And finally

It’s not a good look to serve your website from the Internet Archive

UK-bank Barclays was caught this week loading one of the JavaScript files needed for its website from a copy of its website hosted by the non-profit Internet Archive (IA). Presumably, someone at Barclays lost the file and managed to ‘restore’ the right version in a rather… unorthodox manner. As Internet librarians, IA maintains copies of webpages, and protecting the integrity and availability of those files is paramount to that mission. The possibility of tampering is there, however, and bound to go down poorly with regulators. Moreover, it paints a picture of software development process lacking code reviews, and practices that miss common sense technical protections, such as content security policy and sub-resource integrity checks, you’d expect from a bank. (H/T Rob K) theregister.com