Integrity in the UK Test & Trace scheme; ransomware attacks up 50%; a different type of lock-down.
Vol. 3 Iss. 41 11/10/2020, last updated 18/10/2020 Robin Oldham ~8 Minutes
## This week
Integrity: test & trace
One of the main stories in the UK this week was that an ‘IT error’ in the COVID-19 Test & Trace programme had caused 15,841 cases to go unreported and not be passed to contact tracing teams. The missing data accumulated over eight days, much longer than the 48-hour ‘ideal time limit’ for contact tracing following a positive test result, and potentially contributing to the continuing ‘second wave’ of cases.
Details of test results between the ‘pillar 2’ testing organisations (privately operated ones by the likes of Deloitte and Serco) and Public Health England were sent in comma-separated value (CSV) format. PHE would then take the data into an Excel template before being passed on to contact tracers.
The problem arose because they were using an old file format for Excel that limits the rows and columns of data that can be included. With each test result requiring multiple lines in the file that meant the Excel template being used could handle ~1,400 results. Beyond this limit, the data would just be ‘chopped off’ the end of the file when it was sent. Less than ideal.
I’m sure it will go on to be a classic example for the importance of integrity — an oft-overlooked part of cyber security’s CIA triad (confidentiality; integrity; availability). Both security and software engineering professionals tend to take ‘correctness’ for granted. When given focus it is usually on the malicious manipulation of data and systems rather than the ineffectiveness of people and process.
PHE does not appear to have been doing validation checks on the daily import and export of data. For automated transfers, checksums and cryptographic signatures are used to confirm data received matches what was sent. Even in manual processes, simple checks could have spotted the issue sooner: just counting the number of unique test results in and comparing it with a count of the results sent on for tracing. Though some broader checks like this must have been in place to catch the growing issue after eight days. (Relatively quick in the world of cyber security incidents!)
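The reconciliation check described above, as an added example (not PHE's or any supplier's code): the sender and receiver each build a manifest of row count, unique result IDs and a SHA-256 digest, and any difference is reported. The `test_id` field name, the row cap of 10 and the sample feed are assumptions constructed for illustration.

```python
import csv
import hashlib
import io

def parse_csv(text):
    """Parse CSV text into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))

def manifest(rows, id_field="test_id"):
    """Summarise a batch: row count, unique result IDs, and a content digest."""
    digest = hashlib.sha256()
    for row in rows:
        # Canonical form: fields in sorted key order, unit-separator delimited.
        digest.update("\x1f".join(row[k] for k in sorted(row)).encode() + b"\n")
    return {
        "rows": len(rows),
        "ids": {row[id_field] for row in rows},
        "sha256": digest.hexdigest(),
    }

def reconcile(sent, received):
    """Compare sender and receiver manifests; return a list of discrepancies."""
    problems = []
    if sent["rows"] != received["rows"]:
        problems.append(f"row count: sent {sent['rows']}, received {received['rows']}")
    missing = sorted(sent["ids"] - received["ids"])
    if missing:
        problems.append(f"missing results: {', '.join(missing)}")
    if sent["sha256"] != received["sha256"]:
        problems.append("content digest mismatch")
    return problems

def capped_export(rows, max_rows):
    """Stand-in for a template with a hard row limit: extra rows vanish silently."""
    return rows[:max_rows]

def build_sample_csv(results=5, lines_per_result=3):
    """Constructed sample feed: each result spans several CSV lines."""
    out = io.StringIO()
    writer = csv.writer(out)
    writer.writerow(["test_id", "field", "value"])
    for r in range(1, results + 1):
        for n in range(1, lines_per_result + 1):
            writer.writerow([f"T{r:03d}", f"f{n}", f"v{r}-{n}"])
    return out.getvalue()

if __name__ == "__main__":
    source = parse_csv(build_sample_csv())
    for max_rows in (100, 10):
        issues = reconcile(manifest(source), manifest(capped_export(source, max_rows)))
        print(max_rows, issues or "OK")
```

With the cap at 10 rows, result T004 survives with only one of its three lines, so a count of unique results alone would under-report the loss; the row count and digest catch it.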
This is also an example of a supply chain security issue. Supply chain security programmes tend to focus on losing company IP, or third parties being the vector by which your organisation can become exposed. Data transfers, especially those between organisations using different software and systems, are one of the main places where issues can arise.
The portability of Excel will have been an attractive feature when setting up a method to exchange data between multiple organisations under huge time pressures. A later version of Excel would have increased the limitation 14-fold, though thankfully a decision to replace the system was made two months ago. Hopefully, a more robust replacement will soon be in use.
## Interesting stats
27.9% of organisations were able to maintain full compliance with PCI-DSS, down from… 55.4% of organisations in 2016, according to Verizon’s 2020 Payment Security Report (verizon.com). I suspect that this (significant!) reduction is driven by an increase in businesses processing transactions online, rather than significant ‘backwards steps’ by those that have achieved compliance.
## Other newsy bits
Ransomware attacks up 50% in Q3
Ransomware attacks have seen significant growth through 2020. This is fuelled by a variety of business models, some that lower the bar to entry, as well as more established players seeking ‘big game’ payouts.
PwC has a great write up on the ransomware scene more broadly, and the dynamics of different schemes: private, where more advanced groups have comprehensive skills to carry out all parts of the attack and retain full profits, ransomware-as-a-service schemes where criminals are buying software and retain the profits, and affiliate schemes that split the proceeds between malware authors and those carrying out the leg work of an attack.
The group behind Ryuk/Conti is one of the most prolific, with Check Point estimating that it is behind an average of 20 attacks every week.
IBM believes REvil/Sodinokibi has netted an estimated $81M in ransom payments so far this year, with demands ranging from a couple of thousand to over $40 million. The malware authors retain 30%-40% of those proceeds.
The trend for leaking data continues to rise and PwC estimate that the data of over 600 victims have been posted to leak sites.
Affiliate schemes are competing for partners, offering different benefits, proceeds split, and support packages. Combined with RaaS offerings too, the number of groups, and attacks, has increased 50% in Q3 2020.
That will have knock-ons throughout the cybercrime economy. Some specialist ‘service providers’ just fulfil a role finding and selling access points to ransomware operators, for example. Proceeds from attacks (beyond the private schemes) will trickle down through all these different players.
The US Treasury guidance, issued last week (vol. 3, iss. 40), while targeted at the top of the pyramid, hopefully, will have a chilling effect on some participants, as well as discouraging victims from paying - with cyber insurance policies often picking up the tabs for these costs.
Organisations should ensure that their external accounts, such as Remote Desktop or VPN, have multi-factor authentication enabled. Applying the latest patches is also good hygiene, as is keeping regular, offline, backups. It’s worth testing those backups routinely too, to have confidence you can restore from them. pwc.co.uk, bleepingcomputer.com
Why is detection so hard?
I’ve found it useful to consider five aspects when discussing security operations capabilities: mission, people, process, technology, and data. Anton Chuvakin has a neat write up on why organisations find detection so difficult that covers off a few of these aspects.
Too often, organisations do not understand their IT estates, without which it can be impossible to understand the coverage and capability required.
These challenges shouldn’t put organisations off: they’re more useful as a guide of what to consider when embarking on a journey to implement, or improve, security detection. It’s important to have, and crucially communicate, coverage and capability expectations. medium.com
October is cyber security awareness month and Stuart Peck of ZerodayLabs has a series of tweets on some of the things and techniques you can do to improve your own personal security hygiene. @cybersecstu thread
## In brief
Attacks, incidents & breaches
- US Mobile virtual network operator Boom! victim of MageCart skimming attack, running unsupported PHP bleepingcomputer.com
- Details of a $15M business email compromise fraud against a US company bleepingcomputer.com
- Indian company Dr Lal PathLabs left spreadsheets containing personal health data, test results, for thousands of patients on public S3 bucket techcrunch.com
- German firm Software AG hit by demand for $20M following ransomware attack zdnet.com
- Write up of five folks that spent three months scouring Apple’s web properties for bug bounty vulnerabilities arstechnica.com
- US Cyber Command behind activities that have disrupted the Trickbot botnet, allegedly to prevent election interference krebsonsecurity.com
- Five years after Hacking Team leaks, Kaspersky have found UEFI malware - MosaicRegressor - in the wild based on the group’s VectorEDK code wired.com, arstechnica.com
- Emotet is one of the ‘most prevalent ongoing threats’ to US state and local governments, according to CISA cisa.gov
- Android ransomware locking Russian victims out of phones (rather than encrypting files), charging $13 to unlock cyberscoop.com
- Iranian state actors exploiting ZeroLogon vulnerability according to Microsoft zdnet.com
- ‘Unpatchable’ vulnerabilities in hardware of Apple’s T2 security chip open door to ‘evil maid’ type attacks during reboot via USB-C and debug interface zdnet.com
- Microsoft tool allows you to update Defender database in your installation images zdnet.com
- A raft of pretty good security policies and standards from Department of Work and Pensions, h/t Jon Hawes! gov.uk
Internet of Things
- New botnet dubbed Ttint (and based on Mirai) adds remote access tools and DNS reconfiguration, and is exploiting unpatched vulnerabilities in Tenda’s router products zdnet.com
- Comcast Xfinity voice remote compromised to listen in on users’ conversations theregister.com
- H&M fined $41.5M for violating GDPR, collecting sensitive personal information and using it to make staff employment and performance decisions scmagazine.com
- UK ICO audit, conducted in February 2020, of Department for Education makes 139 recommendations, 60% of them ‘urgent or high’ as “data protection was not being prioritised” at the department. Since then the DfE has also been criticised for its data-heavy handling of exam results (vol. 3, iss. 33). ico.org.uk
- Cambridge Analytica used “well recognised processes using commonly available technology,” largely purchased commercially available data on US citizens, and ‘exaggerated’ its data sets and capabilities, ICO investigation finds ft.com, ico.org.uk (PDF)
Mergers, acquisitions and investments
- IBM split in two, will focus on Cloud and AI, while ‘NewCo’ picks up managed service customers arstechnica.com
- Strike Graph has raised $3.9M to automate audit prep for SOC II, ISO27001 audits techcrunch.com
- Cisco to buy Tel Aviv-based Portshift for undisclosed sum to boost container security offering scmagazine.com
## And finally
Check-mate, Cell Mate
Smart devices are popping up in all walks of life, and not wanting to be left behind the digital revolution ‘teledildonics’ company Cell Mate has made the “world’s first app controlled chastity device.” It didn’t take the folks at Pen Test Partners long to find that they. Plus cause the device to lock closed, permanently, for any user. Potentially leaving the ‘submissive’ with an embarrassing trip to the hospital, or risk cutting the device off their penis with a pair of bolt cutters or angle grinder themselves. IoT companies racing to be the first market mover may, as in this case, not have devoted quite enough resource to building systems that are, err, secure-by-design. techcrunch.com
Get this weekly information security newsletter of cyber security and privacy articles, events and topics that have caught my eye, some interesting stats, plus a summary of other news.
There are hundreds of subscribers who get it direct to their inbox, every Sunday, at 7:00pm. They tell me it's pretty good, is an interesting read, and saves them time.