Home / Robin's Newsletter

Robin’s Newsletter #117

 Vol. 3  Iss. 37  13/09/2020, last updated 20/09/2020   Robin Oldham  ~6 Minutes

This week

China’s data security initiative

China has published details of a ‘Global Initiative on Data Security’. The plans were unveiled by Wang Yi, a state councillor (equivalent to a cabinet-level position) at an International Seminar on Global Digital Governance event.

It’s a move by China to influence cyber-norms and combat Western restrictions on telecoms companies Huawei and ZTE and the US President’s looming bans on social media companies Tik Tok and WeChat. Anti-China tech sentiment is driving digital Balkanisation and is, obviously, commercially bad news for the companies involved.

The announcement outlined an eight-point code covering topics from interference in other States’ critical infrastructure to abusing systems for mass surveillance. Lots of the code related to data sovereignty: respective local laws and implying this should reside in the country of origin.

The proposal means that Chinese companies wouldn’t be compelled to share data from foreign operations where this would violate another nation’s laws.

It also explicitly says companies shouldn’t build backdoors into their products. That’s something the US has particularly accused Huawei of, though findings from the UK’s Huawei Cyber Security Evaluation Centre (HCSEC; a joint undertaking between Huawei and GCHQ) suggested vulnerabilities were likely the result of ineffective design and development processes than malice (vol. 2, iss. 13).

As ever, the devil will be in the detail, not least how ‘meeting the needs’ of law enforcement is to be interpreted. If the finger-pointing on all sides is to be believed, no nation would currently be meeting all of the proposed code.

wsj.com, bloomberg.com, arstechnica.com, theregister.com

Interesting stats

41% of cyber-insurance claims relate to ransomware, according to Coalition, based on 25,000 SMEs in the US and Canada cyberscoop.com

64% of CISOs say development out-pace their security teams, and 48% of developers believe security is important, but lack time to spend on it, according to a survey by bug bounty platform HackerOne cdntwrk.com (PDF)

Other newsy bits

Facebook ordered to stop sending personal data to the US by Irish data regulator

Facebook has been given a preliminary order by the Data Protection Commission in Ireland to cease its transfer of personal data across the Atlantic. The order is the result of an investigation by the data protection regulator in Facebook’s use of ‘Standard Contractual Clauses’ (SCCs) to govern the transfer of personal data.

The crux appears to be that the DPC does not believe Facebook can ensure the rights and freedoms given by the SCCs (and previously Privacy Shield) once the data arrives within the United States. It’s the same reasoning behind the EU-US Privacy Shield being struck down by the EU Court of Justice earlier this year (vol. 3, iss. 29).

Many companies have fallen back onto the use of SCCs as the legal mechanism to govern transfers of personal data between the EU and US. If they are deemed inappropriate then many businesses would find themselves in a position of having no legal way to transfer personal data.
independent.ie theregister.com

National Cyber Power Index 2020

A team from Harvard Kennedy School have published a Top of the Pops for national cyber programmes. It’s also useful as a framework and relative threat assessment of different state-actors. They look at ‘capability’ and ‘intent’ against seven different categories covering domestic and foreign intelligence, offence, defence, control, commercial gain, and defining cyber norms. The top five, in reverse order, are Netherlands, Russia, UK, China, with the US taking the top spot. (I suspect the Netherlands will come as a surprise to many.) France, Germany, Canada, Japan and Australia round out the top ten. China’s higher ranking than previous research is because of investment in their national cyber defence, commercial cyber sector and domestic surveillance programmes. There’s an interesting visualisation of intent (the Cyber Intent Index) by each of the seven categories below. North Korea ranks 16th, whilst Iran comes in at 23rd on the NCPI. The fundamentals of the framework seem sound, though I’m sure there will be some debate as to the full methodology and scoring. It’s a useful macro-level tool and a good read for anyone interesting in the geo-political end of the cyber-spectrum.

National Cyber Power Index: CII 2020 by Country

belfercenter.org (PDF)

In brief

Attacks, incidents & breaches

  • Chile’s BancoEstado closed all branches this week following a REvil/Sodinokibi ransomware outbreak. The bank is one of Chile’s three largest and, fortunately, online banking and ATM services continued to work zdnet.com
  • Data centre provider Equinix struck by ransomware on its internal networks cyberscoop.com
  • Allegedly three ‘grumpy old hackers’ from the Netherlands managed to access the @realDonaldTrump twitter accounts just days before the 2016 US election. He was using the same password as he did on his LinkedIn profile that was caught up in the business social network’s 2012 data breach theregister.com, vn.nl (Dutch; screenshots)
  • Newcastle, Northumbria universities dealing with fallout of ransomware attacks bbc.co.uk
  • Online store of gaming hardware retailer Razer left in unsecured database bleepingcomputer.com

Threat intel

  • Russia, China and Iran are targeting US presidential campaigns, according to Microsoft, with new techniques that route traffic via Tor, less reliant on phishing ft.com, theregister.com
  • Malsmoke group sneak exploit kit into adverts on porn sites zdnet.com

Vulnerabilities

  • Critical vulnerabilities found in Palo Alto Networks PAN-OS admin panel cyberscoop.com
  • Bluetooth 4.2-5.0, used in billions of devices, vulnerable to key overwrite attack, fortunately not easy to exploit at scale theregister.com
  • 23 critical vulnerabilities addresses in mega Patch Tuesday from Microsoft scmagazine.com

Security engineering

  • The third edition of Ross Anderson’s Security Engineering will be out soon, he has been working in a ‘collaborative authorship model’ in the open and you can still get a look at all the chapters online, until the book goes to print. H/T Bruce Schneier, cam.ac.uk
  • NCSC has published revised guidance on mitigating malware and ransomware attacks, in light of changing tactics ncsc.gov.uk
  • Zoom has enabled MFA for all accounts, here’s how to turn it on bleepingcomputer.com

Internet of Things

  • Just avoid smartwatches for kids: 5/6 brands tested would allow the tracking of, and in some cases eavesdropping on, children wired.com

Privacy

  • The UK ICO has published an Accountability Framework for organisations to assess and demonstrate their compliance with GDPR expectations. I expect this will start cropping up as the de-facto framework used by many consultancies for external privacy assessments ico.org.uk

Public policy

  • Operation Warp Speed: write-up of US government programme to protect the development of COVID-19 vaccinations cyberscoop.com

Mergers, acquisitions and investments

  • Some interesting data on the impact of cyber security during mergers and acquisitions, as well as overview of a typical deal process techcrunch.com
  • StackRox secures £26.5M series C funding round for Kubernetes security solutions techcrunch.com
  • ThreatConnect acquires Nehemiah Security for cyber risk quantification approaches zdnet.com
  • Secureworks acquire SaaS vulnerability management biz Delve zdnet.com

And finally

Lessons learned from Giggle disclosure

Lots of Twitter-drama around the disclosure of poor security practices at ‘female social network’ Giggle this week, culminating in both security researchers of Digital Interruption Security and CEO of Giggle admitting that they learned lessons from the events. Before a fix, Giggle’s API allowed unauthorised users to query their membership database and pull back phone numbers, photos used for verification and geo-location data. Having clear security contact details, and taking reported disclosures seriously, are important for companies. So too are disconnecting the personal politics of the company and its founders from the security facts being reported. theregister.com