Vol. 3 Iss. 29 19/07/2020, last updated 26/07/2020 Robin Oldham ~10 Minutes
I send out a weekly information security newsletter of cyber/infosec security and privacy articles, events or topics that have caught my eye, some interesting stats, plus a summary of other news.
Subscribers get it direct to their inbox, every Sunday, at 7:00pm.
The battle for tech and data dominance
Tech and data are becoming increasingly politicised as nations seek ‘digital dominance.’ A few big cyber and data stories this week that tie into the geopolitical themes of Digital Balkanisation / Divide, critical infrastructure protection and national interest.
This is a massive, and fascinating, area that warrants more time than I can devote to a single Sunday. That said, seeing all these interesting stories break I didn’t want to miss the chance to take a look at them more ‘in the round,’ rather than individually.
Part 1: EU-US Privacy Shield struck down in Schrems II judgement, in the battle for tech and data dominance
This week the EU Court of Justice struck down the EU-US Privacy Shield arrangement that governs data transfers between organisations in the European Union and the United States.
Privacy Shield was a framework under which the EU declared an ‘adequacy decision’ that the US legal and regulatory framework afforded similar-enough protections to EU law. (The same as will be required for the UK following the end of the Brexit transition period.)
At its core is a fundamental disconnect between the EU citizen’s rights and US federal rights. The judgement found “the requirements of US national security, public interest and law enforcement have primacy, thus condoning interference with the fundamental rights of persons whose data are transferred to that third country,” and that EU data subjects are not granted “actionable rights before the courts against the US authorities.”
The result is that once an EU citizen’s data enters the US, they have little legal recourse to enforce rights granted to them under GDPR. That needn’t come as a huge surprise given that the US lacks any coordinated data protection regulation.
The Court did uphold ‘Standard Contract Clauses’ (or SCCs) though. These provide an alternative set of (you guessed it) contract terms that organisations can adopt with controllers or processors outside of the EU. Microsoft, for example, reassured customers that their services were explicitly covered by both Privacy Shield and SCCs.
SCCs must be in contracts governed by the local laws of the exporting organisation, giving the EU Courts jurisdiction.
‘Necessary transfers’ - such as handing over personal data when making a hotel reservation - are not affected.
One of the concerns raised by Austrian privacy activist Max Schrems was that once his data was inside the US three-letter agencies could help themselves to that data.
His concerns are founded: in a related story, this week Thomas Brewster at Forbes cast light on the relationship between the FBI and Sabre, a company that provides backend infrastructure supporting one-third of the world’s flight and hotel bookings.
Under the All Writs Act the FBI has compelled Sabre to turn over data on passenger movements and, on ‘at least’ one occasion, provide real-time updates on an individual’s movements.
Tech companies are often quick to adopt the opportunities of a larger digital market and slow to address the risk of legislation and regulation applying well beyond the physical boundaries of their originating jurisdiction.
Law enforcement needs powers to investigate and some of that may necessitate secrecy. It’s an area undergoing significant transformation as the nature of criminal investigations and surveillance adapt to a digital world.
As a result tech and data policy and sanctions are increasingly forming part of international diplomacy and the battleground to protect national dominance.
Part 2: UK reverse decision on Huawei in 5G rollout, COVID-cure hacking, market dynamics and the national interest
Another example is the UK’s reversal of a decision to allow Chinese-firm Huawei to provide non-core equipment as part of the UK’s 5G mobile networks.
Earlier this year (vol. 3, iss. 5) the UK government published advice on the use of ‘High Risk Vendors’ in critical infrastructure, and specific mitigations that would allow the use of Huawei equipment safely in the country’s 5G networks.
This week that decision was reversed and now UK telecoms providers will have to remove all Huawei equipment from their 5G networks by 2027.
The changing calculus for the National Cyber Security Centre (NCSC) was the US decision to apply sanctions that would restrict Huawei’s ability to use many existing chip designers and manufacturers that themselves use US technology.
In doing so, Huawei will either face a huge shortage of components or have to re-design and ‘re-tool’ to use an alternative supply chain. Both create seemingly insurmountable reliability concerns. It’s availability, not confidentiality or integrity, at play here.
US sanctions reach far beyond their 50 states and are regularly used to amplify pressure on regimes at-odds with the US, such as Russia, Iran and North Korea.
For the BBC, Rory Cellan-Jones makes the point that the UK has been ‘laissez-faire’ in protecting UK-based technology businesses, neither incentivising domestic technology companies nor preventing their sale or takeover by foreign investors; instead it has been left to ‘the market.’
Such market dynamics can be in conflict with the national interest. For example, this week the UK, US and Canada accused Russia of hacking organisations developing a COVID-19 vaccination; meanwhile, UK-Swedish AstraZeneca, working with Oxford University, signed a commercial deal with Russia’s R-Pharm for its manufacture. “There’s nothing that needs to be stolen,” Kirill Dmitriev, head of the Russian Direct Investment Fund (RDIF), told Reuters, “it’s all going to be given to Russia.”
It’s a flippant comment and, clearly, there are benefits to having the intellectual property in advance of its manufacture. Much like a disinformation campaign, though, it is built around a kernel of truth.
In the same vein, Chatham House has an interesting read on why the West is losing the tech race. They argue state investment is a way to actively pursue an agenda as opposed to passively letting market economics decide.
The latter should, in theory, not matter for ‘commodity’ services. Though perhaps this is an awakening that there was more value in these services than previously thought.
Meanwhile, for organisations operating across our connected world, digital risk assessments should consider the consequences of having to change supplier as a result of geopolitical cyber and data risk.
18% of respondents to the Chartered Institute of Information Security’s survey of the profession had left a role due to overwork or burn-out ciisec.org
4 mins for the Iranian-linked APT35 group to access and clone a Gmail account, based on compromised credentials, according to a screen recording they accidentally left online that was found by IBM wired.com
Other newsy bits
The ‘Great Twitter Hack’
The incident, during which high-profile ‘verified’ accounts posted messages advertising a crypto-currency scam, was more to do with keeping it simple than with complicated exploitation of vulnerabilities. Additionally, tools built to allow users to export their data were used to steal copies of eight victims’ profile, tweet and DM data.
KrebsOnSecurity and Vice Motherboard cut through a lot of the early wild speculation and have well-sourced write-ups, though comprehensive details have not been fully disclosed. Internal tools were used, apparently by socially engineering Twitter staff to change the addresses of the accounts. After changing the email address, the account passwords could be reset and the attackers were able to log in and post as those users.
It’s the same ‘insider threat’ afflicting many telcos, with corrupt customer service reps making money offering services on underground marketplaces to alter account details and allow ‘SIM jacking’ to take place (where a user’s phone number is assigned to a different SIM card.)
Technology companies often prioritise functionality over security, and internal tools, originally used by small teams of trusted employees, can persist long into a company’s growth. Uber’s ‘god mode’ admin panel allowed many of their staff to access full rider profile information and journey history, for example.
Access control over these internal tools, plus audit logs (and their review!) help to discourage these acts where otherwise law-abiding employees know that events can be tracked to them. ft.com, vice.com, krebsonsecurity.com
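The audit-log review recommended above is only useful if someone (or something) actually reads the logs. The following is an added example, not code from the newsletter or from Twitter, showing the two checks a reviewer would most want over an internal support tool’s audit trail: sensitive actions (email change, password reset, data export) on verified accounts that carry no ticket reference, and operators performing a burst of sensitive actions in a short window. The log format, account names, operator names and ticket scheme are all constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log from a hypothetical internal support tool.
# Assumed format: ISO timestamp | operator | action | target account | detail
SAMPLE_AUDIT_LOG = """\
2020-07-15T20:01:12Z | support.alice | view_profile        | @customer123 | ticket=4471
2020-07-15T20:03:40Z | support.bob   | change_email        | @brand_a     | ticket=4480
2020-07-15T20:05:02Z | support.bob   | change_email        | @brand_b     | none
2020-07-15T20:06:30Z | support.bob   | reset_password      | @brand_b     | none
2020-07-15T20:07:15Z | support.bob   | export_account_data | @brand_b     | none
2020-07-15T20:09:58Z | support.bob   | change_email        | @brand_c     | none
2020-07-15T20:45:00Z | support.alice | reset_password      | @customer456 | ticket=4492
2020-07-15T21:10:00Z | support.carol | change_email        | @brand_d     | ticket=4501
"""

# Constructed list of high-profile ('verified') accounts for the example.
VERIFIED_ACCOUNTS = {"@brand_a", "@brand_b", "@brand_c", "@brand_d"}

# Actions that let an operator take over or exfiltrate an account.
SENSITIVE_ACTIONS = {"change_email", "reset_password", "export_account_data"}


def parse_audit_log(text):
    """Parse the pipe-separated audit log into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, operator, action, target, detail = [p.strip() for p in line.split("|", 4)]
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "operator": operator,
            "action": action,
            "target": target,
            # A real tool would tie every change to a support ticket; 'none' is the gap.
            "has_ticket": detail.startswith("ticket="),
        })
    return events


def flag_unticketed_sensitive(events, verified):
    """Sensitive actions on verified accounts with no ticket reference: review each."""
    return [
        e for e in events
        if e["action"] in SENSITIVE_ACTIONS
        and e["target"] in verified
        and not e["has_ticket"]
    ]


def burst_operators(events, window=timedelta(minutes=10), threshold=4):
    """Operators with >= threshold sensitive actions inside any sliding window.

    Returns {operator: max actions seen within one window}. A legitimate agent
    rarely changes several accounts' credentials within minutes of each other.
    """
    per_op = defaultdict(list)
    for e in events:
        if e["action"] in SENSITIVE_ACTIONS:
            per_op[e["operator"]].append(e["ts"])

    bursts = {}
    for op, times in per_op.items():
        times.sort()
        best, j = 0, 0
        for i in range(len(times)):          # two-pointer sliding window
            while j < len(times) and times[j] - times[i] <= window:
                j += 1
            best = max(best, j - i)
        if best >= threshold:
            bursts[op] = best
    return bursts


if __name__ == "__main__":
    evs = parse_audit_log(SAMPLE_AUDIT_LOG)
    for e in flag_unticketed_sensitive(evs, VERIFIED_ACCOUNTS):
        print(f"REVIEW  {e['ts']:%H:%M:%S} {e['operator']} {e['action']} {e['target']} (no ticket)")
    for op, n in burst_operators(evs).items():
        print(f"BURST   {op}: {n} sensitive actions within 10 minutes")
```

Both checks are deliberately simple: the point is that the tool already records who did what, so the deterrent the text describes comes from pairing that record with a review that someone is known to run. Thresholds and the ticket requirement are assumptions to tune per tool.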
All. The. Vulnerabilities.
2020 is turning into quite the year for ‘perfect 10’ vulnerabilities. The 10/10 score on the Common Vulnerability Scoring System (CVSS) means that they are the most critical and typically require immediate attention from organisations. This week such vulnerabilities were reported in software by…
Microsoft Windows DNS / SigRed
A bug in Windows DNS Server, in code dating back seventeen years, could allow a remote attacker to take over a machine. Worse, CVE-2020-1350 is considered ‘wormable’, meaning that it could be used to self-propagate in the same way that the WannaCry malware did. The impact is exacerbated as Windows DNS typically runs alongside Active Directory services, used to control user accounts and set the security policies of organisations. The US Cybersecurity and Infrastructure Security Agency (CISA) mandates all government bodies to patch the vulnerability immediately. Your organisation should too if it hasn’t already. zdnet.com, checkpoint.com
SAP NetWeaver / RECON
Another 10/10 goes to SAP’s NetWeaver Java tech stack, which has a bug that will grant a full administrator account to any unauthenticated user that asks it nicely. CVE-2020-6287 affects SAP’s SCM, CRM, PI, Enterprise Portal and Solution Manager products, with over 40,000 customers worldwide. bleepingcomputer.com, onapsis.com
Not wanting to be left out, Cisco, Oracle and Apple all patched major vulnerabilities in their software this week too theregister.com
Attacks, incidents & breaches
- Data breach site DataViper has itself been breached. Worse, unlike Have I Been Pwned?, they kept all the details of the leaks, nicely consolidating them for attackers. The firm had slightly dubious practices (in some cases buying access from cybercriminals.) krebsonsecurity.com
- An availability incident at Cloudflare took down DownDetector, amongst others including Discord, Medium and Authy. bleepingcomputer.com
- UK, US, Canada ’95% sure’ Russia has targeted pharmaceutical and life science businesses researching cures to Coronavirus / COVID-19. Turns out, spies gonna spy. theguardian.com
- Trustwave has identified that a piece of software mandated by Chinese banks for filing tax information contained a backdoor. The ‘Intelligent Tax’ software was being used by a UK defence contractor. cyberscoop.com
- Researchers at F-Secure describe the risk behind counterfeit Cisco equipment after a teardown for a customer. There are large volumes of fake Cisco gear doing the rounds and I’ve come across situations where it has been supplied by ‘Gold’ resellers too. For especially sensitive networks you should verify the authenticity of devices before deployment wired.com
- Emotet spam trojan ‘surges’ back to life after five months with new spam modules bleepingcomputer.com
- Become a Microsoft Defender ATP ninja! A great collection of training resources made freely available by Microsoft here: microsoft.com
- Tin foil hat brigade rejoice! It turns out Ghislaine Maxwell may have been on to something when she wrapped her phone in tin foil. (Though it’s probably not going to help if your threat model involves persistent threats) vice.com
- The authority to conduct retaliatory cyber strikes may be in use by the CIA to conduct ‘hack-and-dump’ style operations more typically associated with Russia: “Our government is basically turning into fucking WikiLeaks” yahoo.com
- More digital divide: the US may ban TikTok wired.com
Mergers, acquisitions and investments
- Auth0 closes $120M series F funding round led by Salesforce Ventures techcrunch.com
- PropTech firm Openpath raises $36M for a system that links physical building security in with digital accounts techcrunch.com
Cambridge student builds ‘cyclometer’
Filed under ‘cool’: Hal Evans, a masters student at Cambridge University, has built a working replica of a ‘cyclometer.’ The machine, originally invented by Polish cryptographer Marian Rejewski, informed a lot of the Allies Enigma code-breaking efforts in World War II. Top job, Hal, looks great! theregister.com