
Robin’s Newsletter #135

WhatsApp bungles privacy policy update; U.K. police unintentionally delete 213,000 records; and 'imposing costs', the 'Brexit means Brexit' of cyber.

 Vol. 4  Iss. 3  17/01/2021, last updated 31/01/2021   Robin Oldham  ~6 Minutes


This week

WhatsApp pushes back privacy changes three months

WhatsApp has pushed back privacy policy changes it is forcing on users for three months. The bungled rollout was characterised by an ultimatum to ‘accept or delete’ the app, and an impenetrable, 4000-word privacy tome.

Ironically the Facebook-owned company characterised the confusion as the result of ‘misinformation’ as millions of people shared and read articles decrying the changes on… Facebook and via WhatsApp groups.

(I’ll jump in here and add ‘misinformation’ to the list of security and privacy cliches, along with ‘taking your security seriously’ and ‘sophisticated actors’.)

So… what are the changes then? Well, the company says that they don’t change the privacy or security of personal messages or group chats. They do apply to conversations between users and business accounts. In these situations businesses will (obviously) be able to see what is being messaged, and may also use this to tailor marketing to those users.

Ultimately, Facebook would love for those organisations to be able to take ‘signals’ and data from those chats and - you guessed it - buy targeted ads on other Facebook properties.

Your personal experience of WhatsApp and interactions with business (if any) will probably differ from those in countries like India and Brazil where businesses make greater use of advanced features on their accounts. They can show product catalogues and even have built-in checkout facilities to interact and transact with customers from within the app.

If you fancy delving into the details, The Verge and Gizmodo both have good reads on the topic.

The confusion over WhatsApp’s privacy intentions has been a boon for privacy-focused competitors like Telegram and Signal. Excitement over the growth of the latter, long favoured by the security community, has been palpable. The app was downloaded over 5 million times last weekend, and at the time of writing is still top of the App Store free charts (in fact, briefly, the top 4 were entirely devoid of Facebook- or Google-owned apps!)

It’s important to look at that number in context though: 5 million people downloaded Signal last weekend; WhatsApp is used by over 2 billion. From a personal perspective, while I’ve got lots of ‘now on Signal’ notifications, none of my WhatsApp groups is showing any intention of packing their bags and heading anywhere else.

Three months may be sufficient for the whole thing to blow over… Or, as DuckDuckGo surpasses 100M daily searches (see Stats below), perhaps the age of privacy is truly upon us?

theverge.com, gizmodo.com

Interesting stats

$3.8Bn (at mid-Jan ’21 prices) in cryptocurrency stolen in 122 attacks during 2020, according to Atlas VPN zdnet.com

46% of healthcare data breaches caused by ransomware, according to researchers at Tenable zdnet.com

102,251,307 daily searches conducted on DuckDuckGo this week, as the privacy-focussed alternative to Google Search passes milestone duckduckgo.com

Other newsy bits

U.K. Police lose 213,000 records

Fingerprint, DNA and arrest histories have been wiped from the Police National Computer (PNC) this week after ‘human error’ resulted in the records being flagged for deletion. The ‘weeding system’ has been running since November, according to a letter from the National Police Chiefs’ Council, that also confirmed 213,000 records had been deleted (more than a third more than Home Secretary Priti Patel had previously announced). The ‘coding errors’ meant that flagged records were deleted from databases before checks were carried out to confirm if the data could (and presumably should) be lawfully retained. bbc.co.uk

Companies are buying enormous cyber insurance policies

This piece, authored by Tom Johansmeyer of Verisk (a data analytics company), looks at the problem of concentration in cyber insurance. While it’s true that cyber loss data is nowhere near the depth of that for, say, automobile accident and theft, the bit that stood out for me was the research into levels of cover. It’s estimated that 250 companies have policies providing cover of over $200 million, representing approximately 20% of the $5 billion cyber insurance market. A further 500 companies are believed to have $100-200 million in cover. Ultimately, insurance companies can protect themselves (and their margins) by setting the amount of cover and its caps and limits upfront, and then by careful investigation and adjustment of claims down the line. hbr.org

Cybercriminals in your Teams

Enterprise collaboration apps like Teams and Slack have seen enormous growth in the last year. Their ‘trusted’ nature makes them ripe for cybercriminals to exploit, according to this piece on SC Magazine, which also looks at how tactics differ from traditional email phishing attacks. Reported tactics include compromising credentials and then biding their time, dropping in files only when a colleague asks for one, and changing avatars and display names so a message appears to come from someone else. scmagazine.com

In brief

Attacks, incidents & breaches

  • Networking equipment manufacturer Ubiquiti emailed customers that they “cannot be certain” that customer info, including usernames and hashed, salted passwords, wasn’t accessed in a breach at a third-party cloud provider. Customers are urged to change their passwords and enable 2FA (salting and hashing slow offline cracking of weak passwords, but don’t prevent it) (H/T, and Happy Birthday, to Tom) techcrunch.com
  • ‘Low single digits’ of Mimecast users’ Microsoft 365 accounts compromised after a ‘sophisticated threat actor’ stole the certificate used to authenticate connections. Possibly connected to the Solorigate actors zdnet.com, arstechnica.com
  • Doctored (ahem) COVID-19 vaccine data published online in hack-and-leak disinformation campaign techcrunch.com

Threat intel

  • Kaspersky find overlap in Sunburst / Solorigate code with previous malware Kazuar, tied to Turla / Russia’s FSB securelist.com
  • Decrypter available for DarkSide ransomware zdnet.com
  • Scam-as-a-service offering ‘classiscam’ may be making $6.5M annually from fraudulent classified ad scams zdnet.com
  • Joker’s Stash carding site being shut down in 30 days as its admin ‘retires’ (having made an estimated $1Bn) bleepingcomputer.com

Security engineering

  • Google’s reCAPTCHA still easily defeated using their own speech-to-text API thehackernews.com
  • EDR capabilities for Microsoft Defender for Endpoint (Linux) released bleepingcomputer.com
  • Microsoft Sysmon 13.0 can detect when malware tampers with the image of a running process. Detected process hollowing and herpaderping are logged to the Sysmon event log as Event ID 25 (ProcessTampering) zdnet.com
  • Intel adds ransomware, cryptomining, polymorphic and fileless malware detection to Threat Detection Technology and Hardware Shield in 11th gen Core CPUs; announces partnership with Cybereason to integrate it into the security vendor’s software bleepingcomputer.com
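If you want to see whether the new Sysmon 13 process-tampering events are actually firing on a host, the query below pulls them out of the Sysmon operational log and flattens the event data. It is an example added here, not code from the newsletter, Microsoft or the linked article; it assumes Sysmon 13+ is installed, that the configuration enables the ProcessTampering event (a rule group such as `<ProcessTampering onmatch="exclude"/>`), and the standard event-data field names for Event ID 25 (Image, Type, ProcessId, User), which I have taken from the Sysmon schema rather than from the page.

```powershell
# Added example, not from the newsletter or Sysmon's own documentation.
# Lists Sysmon Event ID 25 (ProcessTampering) events from the last 24 hours.
# Assumes: Sysmon 13+, a config that includes a ProcessTampering rule group,
# and the usual Sysmon operational log name.
$filter = @{
    LogName   = 'Microsoft-Windows-Sysmon/Operational'
    Id        = 25
    StartTime = (Get-Date).AddDays(-1)
}

# -ErrorAction SilentlyContinue: Get-WinEvent errors (rather than returning nothing)
# when no events match, which is the normal case on a clean host.
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

foreach ($e in $events) {
    # Sysmon stores its fields as <Data Name="...">value</Data> elements; turn them into a hashtable.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }

    [pscustomobject]@{
        Time      = $e.TimeCreated
        Computer  = $e.MachineName
        ProcessId = $data['ProcessId']
        Image     = $data['Image']
        # 'Type' describes the tampering seen, e.g. 'Image is replaced' (hollowing)
        # or 'Image is locked for access' (herpaderping). Assumed values, check your own output.
        Type      = $data['Type']
        User      = $data['User']
    }
}
```

Run it in an elevated PowerShell session (the Sysmon log is not readable by standard users). An empty result means either nothing was detected or the ProcessTampering rule is missing from your Sysmon configuration, so confirm with `sysmon -c` that the event is enabled before treating silence as good news; and remember that some installers and legitimate packers rewrite their own image, so Event ID 25 is a lead to triage, not a verdict.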

Privacy

  • “Opt-in” (class action) case against British Airways becomes largest in the U.K. as over 16,000 sign up for potential settlement over 2018 data breach ft.com

Public policy

  • The U.K. High Court has overturned a ruling from the Investigatory Powers Tribunal (the ‘spy agency court’) that MI5, SIS and GCHQ could use a single ‘general warrant’ to conduct ‘equipment interference’ (aka hacking) at scale theregister.com

Law enforcement

  • RAC employee given an eight-month suspended sentence, ordered to pay £25,000 and undertake 100 hours of unpaid work after pleading guilty to selling customer data to a third-party ‘accident management firm’ theregister.com
  • DarkMarket, the ‘world’s largest online marketplace’ for drugs, stolen data and other illegal goods, has been taken down by German law enforcement; a 34-year-old Australian man was arrested in connection with it near the German-Danish border cyberscoop.com

Mergers, acquisitions and investments

  • Accenture buys Rio-headquartered Real Protect to strengthen managed security business in Latin America zdnet.com

And finally

Interesting and insightful this week…

‘Imposing costs’ the “Brexit means Brexit” of cyber

An excellent read from the ex-NCSC chief, Ciaran Martin, over at Lawfare on cyber deterrence: “‘Imposing costs’ has become the ‘Brexit means Brexit’ of the cyber domain: a catchy, useful political slogan devoid of meaning, substance and—consequently—impact.” When it comes to espionage, it’s difficult to take the moral high ground while you’re engaged in similar activities against your enemies (and friends). That’s why there is consensus that, in the Solorigate breach, the U.S. was harmed, but not wronged. “Beware… the snake-oil sales pitch of offensive cyber as a deterrent. Defending a free and open digital society is a difficult, challenging, long-term, whole-of-society problem.” lawfareblog.com