Home / Robin's Newsletter

Robin’s Newsletter #112

 Vol. 3  Iss. 32  09/08/2020, last updated 16/08/2020   Robin Oldham  ~9 Minutes

This week

Some Cydea related news for you from this week…

Introducing cydea.Tools

We launched cydea.Tools, a collection of the tools we use in our client work and that are now freely available under open source licences for any infosec team to pick up and accelerate their cyber security programme. It’s a resource we’re going to continue adding to.

One of the resources available — and something that client’s have asked from us — is an example of what a good incident response plan looks like.

The Cyber Security Breaches Survey 2020 found approaches to incident response are typically not very comprehensive. Only two in ten businesses (21%) and a quarter of charities (24%) say they have clear responsibilities, log incidents, and investigate the source and severity of security incidents.

Knowing (and practicing!) what you’ll do in a crisis is a great way to improve your resilience. Available on cydea.tools is a free cyber incident response plan that ticks all of these boxes (and more!)

Check out more on cydea.tools and the open-source IR Plan.

It’s also the annual Black Hat security conference this week. Here’s some of the virtual talks that caught my eye…

Balancing bounties

Microsoft released figures for the last 12 months from their bug bounty programmes this week. The headline figure is that Redmond has issued over $13.7 million in bounties to security researchers for finding vulnerabilities in Microsoft products and services. In an interview with The Register, Katie Moussouris (who architected the original scheme) worries that at that level the incentives are misaligned. Internal security investments may be deferred and critical hires to build internal security teams overlooked. Worse, internal team members may leave on the basis they can earn more by working externally. Bug bounty programmes have helped, especially in large enterprises, to formalise and provide a channel for external security researchers to report security issues without fear of legal reprisal. As bounties soar up to $1 million, perhaps that core disclosure principle is being lost. Whilst it less than 0.01% of Microsoft’s revenues many security teams can probably achieve far more with a cool $14 million. theregister.com

Insecure satellite Internet

In a presentation at the virtual Black Hat conference, Oxford PhD candidate James Pavur presented his research on the security of satellite broadband used on many planes and ships. TL;DR it’s (still) bad. He was able to intercept a huge amount of data from authentication information for wind turbines in the South of France, reports of faults and personal information of repair engineers for an Egyptian oil tanker, emails from lawyers and airline avionics data using a satellite TV decoder card and a dish that cost $300. While requests from vessels are difficult to intercept, responses beamed down from satellites are, by design, broadcast over an area covering tens of millions of square kilometres. Any unencrypted data is easy for practically anyone to eavesdrop on. arstechnica.com

Manipulating energy markets for profit with IoT botnets

When I was working on the UK smart metering programme lots of concern was rightly given to the ability to control, and disconnect, energy supplies of users. The ability of an adversary — foreign power in a worse care scenario — to literally ‘turn the lights off’ was something that warranted a range of safeguards and complex public key infrastructure. Now researchers Tohid Shekari, Celine Irvine and Raheem Beyah say Internet of Things devices that draw significant energy load, such as air conditioning units, car chargers and thermostats could be targeted by cybercriminals looking to manipulate energy demand and profit from fluctuations on the energy markets. They estimate that manipulating usage three hours per day, for one-third of a year, criminals could take home $24 million a year. A ‘determined saboteur’ could wreak $350 million in annual economic damage. As few as 50,000 devices are required to be successful. For reference, the Mirai botnet contains millions of devices. wired.com

Interesting stats

Election intelligence bug-bounties… $10M reward offered by US Department of State for information leading to the identification of illegal cyber activities of foreign powers interfering in elections zdnet.com

87% of 1,000 Americans surveyed by KPMG believe data privacy to be a human right zdnet.com

$25M extorted by Netwalker ransomware gang in the last five months, according to McAffee bleepingcomputer.com

£10.4M financial consequences to Redcar and Cleveland Council following their ransomware incident earlier this year (vol. 3, iss. 8) bbc.co.uk

Other newsy bits

UK Trade papers were obtained by Russia from personal email of Liam Fox

The former trade minister, Liam Fox, was the source of leaked papers discussing US-UK trade negotiations. The papers were leaked and pushed to the opposition Labour Party by a Russian group during the UK’s general election in November 2019. The classified documents appear to have been forwarded by Fox to a personal email account where he fell for a spear-phishing attack, giving the threat actors access to his email for over three months. reuters.com

Australian police crack Blackberry fives years after seizure

A story that serves as an interesting reminder of the ‘march of time.’ Australian police have used ‘new technologies’ to access an encrypted Blackberry device that they seized five years ago. The content, including 3,000 messages from a one-month period, is critical to the arrest and forthcoming prosecution of Frank Farrugia and Deniz Kanmez for their parts in an AU$1.5BN criminal syndicate importing drugs and laundering money. Law enforcement is adapting to new technologies and particularly to encrypted messaging apps they say leave them ‘in the dark.’ As both technology and techniques evolve, any recovered or seized devices may provide crucial evidence that is the undoing of criminal activities. smh.com.au

NSA location privacy advice

The National Security Agency has issued an advisory on ‘limiting location data exposure.’ There’s a reminder that location services are much more than just GPS: cell towers, wifi networks and other wireless protocols like Bluetooth can be used to determine the location of a device. Mostly the advice is aimed at operatives conducting clandestine operations. You’ll struggle to use fitness tracking apps, navigation or maps, and other consumer functions if you follow the NSA guidance yourself. When it comes to connected vehicles, the NSA guidance is to “use vehicles without built-in wireless communication capabilities” for mission transportation. arstechnica.com

In brief

Attacks, incidents & breaches

  • NSO Group ‘Pegasus’ spyware used to target Catholic Church in Togo vice.com
  • 20GB of source code and design docs pilfered from Intel’s partner portal theregister.com

Threat intel

  • ‘Design flaw’ in Microsoft Teams allows attackers to use updater.exe to install malware from other local sources according to Trustwave bleepingcomputer.com
  • Passwords for over 900 Pulse Secure VPN servers leaked to cybercrime forum zdnet.com
  • Analysis of WastedLocker ransomware by Sophos shows ’sophisticate understanding of Windows inner-workings and uses memory-mapped I/O to encrypt cached documents transparently without causing additional disk I/O zdnet.com

Vulnerabilities

 - 400 vulnerabilities in Qualcomm’s Snapdragon range of chips has been discovered by Check Point. The issues are in how the ‘digital signal processing’ (DSP) part of the chips, used in more than 1BN Android phones, render video and audio and if exploited allows attackers to monitor locations, access the microphone and exfiltrate photos and videos. Qualcomm has issued a fix but no clear timelines have been given for its implementation into Android by Google or other manufacturers arstechnica.com

  • 295 Chrome extensions that were downloaded more than 80 million times have been pulled from the Chrome Web Store. Browser extensions can present a data exfiltration risk to organisations that rely heavily on web apps zdnet.com

Security engineering

  • The Linux Foundation, with IBM, GitHub, Google, JPMorgan Chase, Microsoft, NCC Group, and Red Hat, has merged some overlapping initiatives to form the _Open Source Security Foundation (OpenSSF). Focus will include improving security tooling and identifying security threats to open source projects theregister.com, openssf.org
  • Facebook open sources Pysa python security tool that discovered 44% of Instagram’s server-side code issues zdnet.com
  • NCSC guidance on buying cyber insurance as part of a cyber risk mitigation programme ncsc.gov.uk

Internet of Things

  • 19 vulnerabilities in Mercedes-Benz E-Class allowed researchers to unlock doors and start the engine. Interestingly in doing so they discovered that the password for the manufacturer’s certificates in China was a much weaker password than Europe, pointing to either different regional policies, or varying assurance processes techcrunch.com
  • Interfering with cycling app allows for Italian Job style interference with smart city traffic lights wired.com

Privacy

  • UK Information Commissioner’s Office struggling to ‘make fines stick,’ according to an interview with Mishcon de Reya data protection law expert Jon Baines as BA and Marriott both set aside less than half the proposed penalties. ““It’s worth remembering that the process was already delayed before COVID hit,” said Baines. Only one firm has been fined by the ICO under GDPR and that is subject to appeal theregister.com

Public policy

  • The Australian Signals Directorate intelligence agency will be allowed to target Australians in support of law enforcement under Australia’s new $1.6BN cyber strategy theguardian.com
  • US secretary of state Mike Pompeo announces the ‘Clean Network Plan’ to “[guard] our citizens’ privacy and our companies’ most sensitive information from… the Chinese Communist Party (CCP)” theregister.com

Regulatory

  • Twitter has set aside $250M for the Federal Trade Commission’s investigation into its use of mobile phone numbers for advertising purposes after they were explicitly collected just for security purposes. Merging data sets of bunging everything in a data lake can have significant consequences if you misuse customer data for other purposes without their consent ft.com
  • Capital One fined $80M for “[failing] to establish effective risk assessment processes” by the US Treasury Office of the Comptroller of the Currency (OCC) theregister.com

Mergers, acquisitions and investments

  • Device search engine Censys raises $15.5M series A funding techcrunch.com
  • Google has invested $450M for a 6.6% stake in physical security firm ADT who will now exclusively install Nest devices theverge.com

And finally

Bond hearing of alleged Twitter hacker ‘zoom-bombed’

The Hillsborough County, Florida criminal court was hearing the case of 17-year-old Graham Clark, accused of the recent Twitter hack (vol. 3, iss. 29) were disrupted this week. The court had failed to secure their virtual conference, being conducted over Zoom, and participants audio was able to be heard. The hearing was suspended after someone started screen sharing a pornographic video clip. The judge was administering the conference himself and can’t have been familiar with Zoom’s best practices for securing conferences! krebsonsecurity.com, zoom.us (PDF)