Home / Robin's Newsletter

Robin’s Newsletter #134

Cyber implications of the Capitol insurrection. Solorigate 'likely' the work of Russia. SolarWinds hires Krebs Stamos Group. Microsoft throws some shade.

 Vol. 4  Iss. 2  10/01/2021, last updated 17/01/2021   Robin Oldham  ~6 Minutes

Subscribe to Robin's Newsletter

This week

Capitol occupation and cyber security

The Capitol insurrection by pro-Trump supporters shocked the world this week. It was a substantial breach of security at the Capitol complex that, arguably, should have been seen coming by intelligence agencies. As The Grugq put it “Thousands of people who’s grasp of operations security is so minuscule that they literally live stream their crimes… achieved strategic surprise against US security forces.”

As members of congress were hurriedly moved to safety, their computers were left unlocked and photos circulated online of Speaker Nancy Pelosi’s desktop, with Outlook open and a notification of the evacuation on the screen and, in a separate incident, a laptop was stolen from another congressional office.

“I’ll lock my computer” is something many users struggle with day-to-day, let alone when you’re being ushered out of your office because an armed militia has broken into your office building. In that sort of situation, I’m not sure it would be the first thing that sprung to my mind, either.

Having hundreds of unauthorised people swarming through your office building isn’t ideal, however, it’s important to keep in mind the context. Members of Congress have lots of visitors. If you want to bug a room or computer system, you’ve probably already done it rather than chance that you’ll be able to get in under cover of an angry mob.

As Lesley Carhart points out, the Capitol building is essentially full of over 500 senior executives - far more than you’d find in a typical business - and these ‘powerful non-techy’ people are unlikely to have the most secure computing environment.

Nor do they need it for most of their work: open democratic debate is… well, open. Turn on C-SPAN. Where they do have classified briefings and information this tends to be restricted to separate networks and “Sensitive Compartmented Information Facilities”. There have been no reports that classified data or rooms were compromised.

The discussions and planning on far-right message boards don’t point to the motives being planting malware or stealing data, rather ‘showing force’ to intimidate lawmakers. Access to machines was opportunistic. Forwarding emails being an easy way to exfiltrate data, and will be easy to trace to a destination mailbox. A high-risk method for even those with little-to-no OPSEC.

So what are the cyber consequences of the Capitol insurrection?

There will, I’m sure, be cyber incident response work in the wake of the insurrection, and I’m sure they will find something as part of it. Perhaps resulting from the events of this week, or perhaps long-undetected. It seems unlikely that a full rip-and-replace is required.

Screensaver timeouts have been oft-cited about Pelosi’s unlocked desktop. Timeouts could be set lower, though that would have made systems unusable in day-to-day business, outside of the ‘armed-militia’ scenario where they turn up in the office less than 5 minutes after the Speaker was evacuated. There will always be exceptions and edge cases.

It’s our job as information security professionals to make security work for our organisations. To make as much of security happy automatically for the user, or easy and intuitive if not. It’s not to make every possible bad situation impossible to occur. That is the nature of risk management.

After all, apparently, the juicy stuff is far more likely to be in the personal email accounts.

independent.co.uk, lawfareblog.com, @hacks4pancakes

Interesting stats

45% global increase in attacks against the healthcare sector since November, versus a 22% increase against all industries, according to Check Point zdnet.com

31% less, the average cyber security salaries paid to female employees than their male counterparts, according to Exabeam scmagazine.com

1/4 malware command and control servers run using open source pen testing tools Cobalt Strike and Metasploit zdnet.com

$150M believed to have been earned by the Ryuk ransomware group, according to analysis by AdvIntel zdnet.com

Other newsy bits

Solorigate attack linked to Russia by FBI, NSA

The ‘Cyber Unified Coordination Group’ consisting of the FBI, CISA, ODNI and NSA has issued a statement that the Solorigate / SUNBURST attack on U.S. federal agencies (vol. 3, iss. 51) is “likely Russian in origin” and that it will require (unsurprisingly) a “sustained and dedicated effort” to remedy the on-going breach. techcrunch.com, cisa.gov

SolarWinds hires Chris Krebs and Alex Stamos

The duo will help the company respond to the fallout of the Solorigate breach and improve security at the Texas-headquartered software firm. Krebs and Stamos are widely respected, having previously led the U.S. Cybersecurity and Infrastructure Agency and Facebook’s security teams respectively, and who have joined forces to work together as KS Group. Definitely ‘one to watch’. ft.com, ks.group

What’s your APT horoscope

Apparently, as an Aquarius, I am “a progressive sign that loves innovation and humanitarianism. It’s this willingness to innovate that makes Aquarius most like Mustang Panda, an APT that often targets NGOs, US-based think tanks (gulp), and minority groups in China for intelligence collection. Mustang Panda has demonstrated an ability to rapidly assimilate new strategies into its operations and even mix malware with legitimate tools.” You can find yours linked from this post. schneier.com

In brief

Attacks, incidents & breaches

  • Limited info at the time of writing: The Reserve Bank of New Zealand (NZ’s central bank) is investigating a breach of a third-party file sharing site used to store sensitive information bloomberg.com
  • Source code of car maker Nissan’s mobile apps and internal tools has been leaked, allegedly after leaving a git server online with ‘admin/admin’ credentials zdnet.com
  • Details of 10,000 American Express customers in Mexico posted online bleepingcomputer.com

Threat intel

  • Surge in credentials being posted for video games companies as industry approaches $200Bn in revenues zdnet.com
  • Attackers now searching for ZyXel routers with hardcoded usernames and passwords (vol. 4, iss. 1) arstechnica.com
  • Side-channel attack can be used to clone FIDO U2F security keys, but requires 10 hours, $12K worth of equipment and ‘advanced background in electrical engineering’ and knowing your password to pull off, meaning you probably don’t need to worry about it artechnica.com
  • TeamTNT malware steals Docker, AWS API credentials to run crypto-mining malware zdnet.com

Vulnerabilities

  • Vulnerability in Zend Framework may allow remote code execution on websites built on PHP bleepingcomputer.com

Internet of Things

  • White House unveils maritime cyber strategy that is largely a plan-for-a-plan, sets out need for workforce, standards, etc scmagazine.com
  • Source code posted for ‘ChastityLock’ ransomware that targets ‘smart’ sex toy Qiui Cellmante with woeful security bleepingcomputer.com

Privacy

  • Singapore says police empowered to obtain contact tracing data for use in criminal investigations cyberscoop.com
  • If you’re switching to Telegram, be wary of the People Nearby feature that can be used to triangulate your exact location. Developer claims the feature is ‘working as intended’ arstechnica.com

Public policy

  • U.S. Department of State launches Bureau of Cyberspace Security and Emerging Technologies (CSET) to lead diplomatic efforts and foreign policy on cyber conflict zdnet.com

Mergers, acquisitions and investments

  • F5 to acquire container security outfit Volterra for $500M zdnet.com

And finally

It is now safe to turn off your computer

I’ll leave it to you to decide if this tweet from Microsoft (“It’s now safe to turn off your computer.”) has anything to do with Donald Trump being banned from Twitter 54 minutes earlier or not ;-) @Microsoft, @TwitterSafety