Home / Robin's Newsletter

Robin’s Newsletter #110

 Vol. 3  Iss. 30  26/07/2020, last updated 02/08/2020   Robin Oldham  ~7 Minutes

This week

Garmin ‘ran somewhere’

Fitness enthusiasts around the world have been unable to prove their achievements on social media this week after GPS tracking company Garmin suffered a ransomware attack.

The company’s website and all customer services, including phone lines, online chat and email are down, though in a statement they claim that no personal data is believed to have been compromised.

They are believed to be victims of the WastedLocker ransomware, operated by a group called ‘Evil Corp.’ The group is subject to US sanctions and thus this will likely prevent Garmin from considering paying the demands.

While you probably know Garmin from wearables - smart watches and other fitness trackers - this only accounts for 26% of the company’s revenues (2018 annual report.) The rest of the business comprises of outdoor, automotive, marine and aviation product lines include chart plotters, depth sounders, transponders and autopilot systems.

The flyGarmin aviation database is also offline, preventing pilots from downloading the latest version, which is a legal requirement for flying.

The intellectual property behind the systems, some of which are used in military applications, though fortunately the WastedLocker malware is not believed to contain the abilities to exfiltrate data that other ransomware strains have recently added.

That the entire organisation was taken offline suggests poor internal segregation and control between networks and systems, requiring them all to be taken offline in an attempt to stop the spread, or execution, of the ransomware.

Even if this tactic was successful in containing the infection the subsequent reviewing - or rebuilding - each one and then returning them to an operational state is what will likely be taking the time, with the delay resulting from the bottleneck of requiring to manually ‘reboot’ and verify the entire organisation.

The lack of communications is undermining confidence in the company’s response preparedness and grasp of the situation. What’s more, Garmin is due to report its financial results this coming Wednesday. Investors will likely be more difficult to avoid.

theguardian.com, techcrunch.com, bleepingcomputer.com, zdnet.com

Interesting stats

21 terabytes of code has been deposited at the Artic World Archive in Svalbard, Norway to backup and protect open-source code vice.com 1,000+ people had access to the admin interface at Twitter, or almost 22% of their workforce, used to takeover prominent accounts and promote cryptocurrency scams reuters.com

Sport is big-business: 70% of UK sports institutions suffer a cyber incident every 12 months (2X the UK business average) with 30% of those experiencing financial losses £10,000 the average direct financial impact, and £4M the maximum, according to NCSC (see Threat Intel, below)

Telco-security: 988M (~0.026%) of telco ‘User Hours’ were lost to security incidents in 2019, across 153 incidents that warranted reporting to national regulators. 5% were attributed to malicious actions (including non-technical events such as arson), according to ENISA europa.eu

Other newsy bits

UK Test & Trace programme didn’t conduct data protection impact assessment

The UK Department of Health and Social Care (DHSC) confirmed this week that a ‘data protection impact assessment’ (DPIA) had not been completed, despite assurances that one would be submitted to the ICO in early June.

DPIA’s are required by law where “processing is likely to result in a high risk to the rights and freedoms of individuals.” There is no set format - organisations can define their own process - though the ICO make a straightforward, 8-page example available for organisations to use. It identifies the controller of the data, the scope and nature of the processing, the risks and potential mitigations, and is signed-off by senior management.

The risk management aspect is particularly important in reducing the frequency and severity of any harm. By conducting a DPIA up-front you help to build in ‘privacy-by-design’ aspects to any processes and IT systems.

That important given that Test & Trace now has over 27,000 people working on the programme and, as Twitter found out last week, you cannot rely on thousands of people to always do the right thing. Technical limitations, checks and balances are important.

Taking an ‘agile’ approach could also have been possible: iterating and improving the assessment (and protections) as requirements for the rapidly evolving programme emerged.

It’s also more cost-effective to build protections in (both security and privacy) rather than retrofit controls or make last-minute changes found during acceptance testing. bbc.co.uk, theregister.com, ico.org.uk (info + template)

In brief

Attacks, incidents & breaches

  • Fundraising and finance software firm Blackbaud has suffered a breach resulting in personal data on students and donors to over 10 UK, US and Canadian universities being compromised bbc.co.uk
  • ‘Meow’ attack has wiped over 4,000 insecure Elasticsearch, MongoDB databases bleepingcomputer.com

Threat intel

  • Sports institutions are increasingly being targeted, with incidents including business email compromise (targeting transfer fees), spoofed adverts for grounds equipment and ransomware targeting game-day systems ncsc.gov.uk
  • Criminals are experimenting with ‘deep fake audio’ to synthesise phone calls that lend authenticity to business email compromise (BEC) scams vice.com
  • Morgan Stanley is preventing interns in China from accessing the bank’s systems remotely in response to the perceived threat from the county’s cyber security laws ft.com

Vulnerabilities

  • Details of five significant vulnerabilities in D-Link routers and some will not be patched because they are ‘end of life.’ Amongst them, the company thought having a flag like NO_NEED_AUTH=1 was a good idea. bleepingcomputer.com (The manufacturer is facing ten years of security audits for lax security practices (vol. 2, iss. 27))

Security engineering

  • Twilio SDK compromised with malware because of write permissions on their AWS S3 buckets theregister.com
  • The US Department of Energy is building a ‘quantum internet’ to be completed within the next 10 years and that can be used to protect critical infrastructure forbes.com

Internet of Things

  • Sooraj Shah has a good primer on e-mobility and connected vehicles for the FT. Device charging stations, smart bikes/e-scooters directly, but also the integrity of data in route finding apps and potential for traffic jams (The Italian Job really was ahead of its time!) ft.com
  • Drone-maker DJI’s Android app found collecting significant personal information and obfuscating code that allowed the firm to download and install software bypassing the Google Play store arstechnica.com

Privacy

  • DNA site GEDmatch is offline following a data breach that also reset user’s ‘opt-in’ permissions to be included in law enforcement searches techcrunch.com
  • ‘Fawkes’ project alters pixels of images posted online to prevent and disrupt facial recognition algorithms zdnet.com

Compliance

  • First American charged for first violation of NYDFS Cybersecurity regulations (New York Department of Financial Services) reuters.com, theregister.com

Law enforcement

  • US DoJ has indicted two Chinese citizens for stealing source code, and other intellectual property from three computer games companies in 2017 and 2018. A group dubbed ‘Winnti’ with similar ties to the Chinese Ministry of State Security has been active this year too (vol. 3, iss. 21) vice.com
  • German and Polish authorities pick up criminal gang for stealing over 30 vehicles by cracking keyless ignition systems cyberscoop.com

Mergers, acquisitions and investments

  • Fraud detection company Quantexa closed a $65M series C funding round techcrunch.com
  • Fortinet has acquired OPAQ Networks to boost ‘SASE’ portfolio (secure access service edge / ‘zero trust’) zdnet.com
  • Early-stage investments in cyber firms down 37.7%, according to DataTribe, linking the downturn to COVID-19 amongst other factors cyberscoop.com

And finally

Someone is replacing malware payloads with meme and GIFs

Two weeks ago TrickBot was warning victims, this week someone has taken to replacing Emotet malware with memes and GIFs. Emotet use compromised websites to serve up malware to the victims that have been tricked into opening boobytrapped email attachments. Securing this misappropriated infrastructure isn’t high on their todo list and the web shells that they use often reuse common passwords. It seems like someone is taking advantage of that to disrupt their operations. For the time being, that’s helping to keep people safe. bleepingcomputer.com, doublepulsar.com