Robin’s Newsletter #128

29 November 2020. Volume 3, Issue 48
RCEP, cyber cooperation and Asian data sovereignty; UK National Cyber Force; Microsoft's 'Pluton' and US Special Forces buying location tracking data
Join hundreds of subscribers who get this first, every Sunday. Subscribe

This week

Cyber public health

I’ve been embracing my inner geek this week with an interesting lecture from the ‘Cyber Security in the Age of Large-Scale Adversaries’ group at Ruhr University Bochum.

In it, Adam Shostack, formerly of Microsoft and responsible for a lot of their threat modelling focus, makes the case for ‘cyber public health’ against a backdrop of COVID-19 and the role that public health has played in combating coronavirus.

Data collection forms an important part of public health and these statistical methods are built-in from local levels through regional groups up to national bodies that can track outbreaks of disease, describe trends, and strategically invest in research to these areas.

“In hearing about information sharing we often assume that the right information is being gathered and shared. But again the information is too often about indicators, and less often about problems or mechanisms. The information which is shared rarely enables further research or results in new discoveries.” — Adam Shostack

Public health output includes scientifically proven guidance, with results available for peer analysis and review. The same is not true for cyber. Security experts rarely give consistent advice (password manager or 2FA? What about patches and updates?) and it is rarely as simple as “wash your hands”. This disagreement can lead people to become confused and give up - something that would certainly be seen as a failure in public health terms.

The U.K. National Cyber Security Centre, E.U. ENISA and U.S. Cybersecurity and Infrastructure Agency are all seen as focal points, though their missions are not the cyber equivalents of public health bodies.

Of course, an entirely like-for-like comparison is not entirely appropriate. For one, in public health, there is a shared adversary: nature. That helps to overcome, rather than build, national barriers that constrain existing country agencies.

However, there is a consensus on what needs to be measured and why. Shostack makes the point that we are unclear on the underlying problems we are trying to solve, and therefore what is meaningful to measure.

Indicators of compromise — the fingerprints of malware or attackers — aid in detection, but do not aid in understanding the broader category of harm. (Does a malware infection count? What about if you can just restore from a backup?)

It’s a fascinating subject and a topic that I’m sure will receive continued interest and focus.

Let me know what you think about ‘cyber public health’ on linkedin or twitter!

Interesting stats

$17.5 million settlement for Home Depot’s breach of 56 million payment cards in 2014. They also have to employ an experienced CISO, provide security training and maintain security policies, in adding to the $179 million that the company estimate the breach to have already cost them

€50 million negative impact on operating margin to Sopra Steria following their ransomware incident in October, equivalent to -5.0% organic revenue growth

Other newsy bits

GoDaddy’s vishing attack

Attackers duped GoDaddy employees into making changes to customer DNS records over the phone. The changes allowed attackers to intercept traffic going to a cryptocurrency exchange. SC Magazine takes a look at how vishing (voice phishing) is on the rise. Live attacks give much less opportunity or time for call centre workers to spot tell-tale signs, especially where the attackers have conducted reconnaissance and have personal details to hand. Biometric outfit Pindrop Security claim they have seen fraudulent calls increase from 1/3,000 to 1/600 over the last five years.,

RUSI on the U.K. National Cyber Force

An interesting read from Conrad Prince at RUSI (Royal United Services Institute; a defence and security think tank) on the U.K National Cyber Force that was announced last week (vol. 3, iss. 47). The framework within which U.K. offensive cyber operations need to comply is discussed and used to identify the likely activities and targets. There’s also a reminder, that won’t be unfamiliar to regular readers, of the economics of ‘nation-state’ operations. It is very easy to believe these groups have infinite resource and personnel — and certainly, they are typically far better funded than most organisations cyber teams — however, there are real costs to launching cyber operations. Developing ‘cyber weapons’ that do not have infinite used is expensive: tactics and techniques being exposure and countermeasures or patches can be developed. There’s a business case, and equities process, to satisfy.

One month ’til the UK leaves EU data protection regulations

There is just over a month to go until the end of the UK’s transition period out of the European Union. Organisations that transfer data between the EU and UK need to be planning for the UK to become a ‘third-party’ under data protection regulations. One of the points to note from this blog post looking at Brexit and GDPR by Jon Baines and the team at MDR is the change to the ‘one-stop shop’ principle. Organisations will need to interface with both the UK ICO and a regulator within the EU.

In brief

Attacks, incidents & breaches

  • Sydney-based Levitas Capital has closed following a Business Email Compromise scam where attackers stole AUD $8M, and that caused investors to pull out their funds
  • 4.2M user accounts of event organising platform Peatix leaked online
  • Xbox Live trust and safety portal could be used to find the private email address behind a gamer tag
  • “Small subset” of Sophos customer’s data exposed following database misconfiguration
  • Protected health information taken from U.S. Fertility network as part of ransomware attack, delayed notification of the breach for two months

Threat intel

  • Ransomware gangs increasingly on the search for the tax information of victims to leverage in negotiations
  • New Android WAPDropper malware signs victims up to premium-rate services in Thailand, Malaysia
  • MobileIron vulnerability (CVE 2020-15505; patched in June) under active exploit by multiple actors
  • ‘Hundreds’ of username and password combinations for CEO’s and top executives for sale on cyber-crime forum for $100-$1,500


  • Brute-force vulnerability in cPanel’s web hosting product circumvents multi-factor authentication in minutes
  • Critical vulnerability in VMWare Workspace One Access, Access Connector, Identity Manager and Identity Manager Connector allows for command execution. Requires valid credentials and access to port 8443, workarounds are available
  • Out-of-band security update available for Drupal content management system to fix arbitrary code execution bug

Internet of Things

  • Beware cheap IoT devices in Black Friday and Cyber Monday sales
  • Using an old ECU to conduct a bluetooth attack on Tesla Model X key fobs


  • Australian intelligence agencies “incidentally” collected COVID-19 contact tracing data, though there is “no evidence” they “decrypted, accessed or used any COVID app data”.

Law enforcement

  • Three arrested in join Interpol, Group-IB and Nigeria Police Force Operation Falcon for part in the ‘TMT’ cyber-crime group believed to have infected over 50,000 organisations with malware

And finally

A favour to ask…

As we come towards the end of the year and I start reflecting on the stories that have made the year, I’m also thinking about what’s important and how I can improve this newsletter. I’d really appreciate if you can let me know why you subscribe and how it helps you! »>


  Robin's Newsletter - Volume 3

  Cyber public health Public health Measurement Home Depot Sopra Steria Breach costs Vishing UK National Cyber Force (NCF) Brexit Data protection GDPR