Home / Robin's Newsletter

Robin’s Newsletter #144

Rerouting a victims SMS for $16. UK defence review: nuclear response for cyber attack. Who is buying all the data generated by your car?

 Vol. 4  Iss. 12  21/03/2021, last updated 28/03/2021   Robin Oldham  ~7 Minutes

Subscribe to Robin's Newsletter

This week

I founded Cydea with a mission to bring positive security to the world and have always known that supporting charities - who hold large amounts of (sensitive) data - was going to be an important part of that. So I’m feeling really proud this week to be making that commitment publicly: both in the form of pro-bono consulting, and grants for the purchase of security hardware, software and services. You can read more Cydea x Good Causes, and follow Cydea on LinkedIn and Twitter for more updates.

SMS Multi-factor authentication and account recovery

A hand reaches out of the cracked screen of a smart phone, grabbing it its app icons

Source: Vice / Michelle Urra

Joseph Cox at Vice Motherboard has a write up of how a hacker was able to take over lots of his accounts for just $16 by exploiting lax security practices at commercial SMS companies. The company chosen by Lucky255 for their attack is called Sakari and, for a pinky-promise that they are the person in question, honest they company will ask telco providers to reroute SMS messages to their service. Normal phone service continues unaffected. Being the recipient of SMS messages means that multi-factor authentication codes and, crucially, account recovery messages, can be intercepted, passwords reset and accounts accessed.

”A few minutes after they entered my T-Mobile number into Sakari, Lucky225 started receiving text messages that were meant for me. I received no call or text notification from Sakari asking to confirm that my number would be used by their service. I simply stopped getting texts.” — Joseph Cox

The story prompted a heated debate on infosec Twitter about the viability of SMS MFA, with Google Project Zero’s Tavis Ormandy labelling it “harmful and literally doesn’t work”. His argument boils down to users either having the option of SMS-MFA or a unique password. The latter would be great, however, the cost imposed on an attacker, even if it is just $16, shouldn’t be underestimated. Yes, a dedicated authenticator app or physical key is a more robust solution, however, untargeted attackers will not entertain paying that much and high-volume requests and mass-payments would draw attention to their activities. If you’re likely to be targeted by more sophisticated attackers then clearly your risk management decision will be different (and you’ll be happy with taking additional steps to protect your accounts).

SMS Account recovery is a bad idea and you should set a PIN on services that just use your mobile number to identify/authenticate you (looking at you, WhatsApp, Signal). Beyond that, it’s clear that the telco industry needs to put in place better checks to prevent this kind of ‘Wild West’ behaviour to protect customers’ privacy and security. vice.com, krebsonsecurity.com, @taviso

Interesting stats

The FBI released its 2020 Internet Crime Report this week: 791,790 complaints received in 2020 (+69% on 2019) $4.2BN total value of reported losses $1.8BN (43%) attributed to Business Email Compromise (BEC) scams ic3.gov (PDF)

Other newsy bits

U.K. Defence review commits to ‘full-spectrum’ approach to cyber capabilities

In its Integrated Review into defence and security policy, the U.K. government has indicated that it will increasingly “use cyber capabilities to influence events in the real world”.

The review commits to a “full spectrum” approach to “supporting a UK research base that can compete with allies and adversaries” as well as supporting the development of “innovative and effective cyber security products”. That should be welcome news to research organisations, defence contractors and the commercial cyber services sector. The National Cyber Security Centre (NCSC) and recently created National Cyber Force both get a mention.

Less optimistically it also “reserves the right to review this assurance if the future threat of mass destruction, such as chemical and biological capabilities, or emerging technologies that could have a comparable impact, makes it necessary” somewhat alarmingly leaving the door open for nuclear retaliation for cyber security attacks.

A new National Cyber Strategy is due later this year. thetimes.co.uk, ft.com, theregister.com

Microsoft draws Congressional questions after $150M earmarked for cyber spending with the company

Microsoft stands to net a $150M payday as the U.S. Cybersecurity and Infrastructure Agency (CISA) plans to spend a quarter of their $650M “secure cloud platform” budget with the Redmond-based company. The spending in part of the response to the Solorigate breach and will be spent upgrading government departments to Microsoft’s top ‘E5’ licence tier. The E5 licence tier is needed if organisations wish to access the full range of logs and security protections. Microsoft has turned its security features into a significant growth engine and generating 40% growth to $10BN in revenue last year.

Restricting access to core security features isn’t a good look (I’ve seen some firms charging for ‘enterprise packages’ to enable basic controls like multi-factor authentication). Giving customer’s access to feeds fo activity data seems to fall into that core category, though cloud services, in general, are difficult to obtain feed to use for security purposes. venturebeat.com

How is the data generated by your car used?

Mobile phone companies have profited from selling location data for a long time, not wanting to be left out the automotive sector is jumping on the location bandwagon. One company that wants to sell real-time info of vehicle locations to the U.S. military has drawn that data collection into the spotlight.

Modern cars are bristling with sensors and provide regular updates on vehicle location and status back to the manufacturer. This is used in product development, however, using the equipment on cars as an (unwittingly) crowd-sourced ‘sensors-as-a-service’ capability opens up new revenues schemes. Details on road signs, potholes, accident hotspots, quality of road markings could all be valuable to various public and private organisations.

And it doesn’t have to be the manufacturer that is the source of that data. It may be available from quite a few different organisations. Take navigation data which is variously available from the manufacturer, the mapping provider, infotainment system developer, any traffic data provider.

In related news, China has banned employees that work for the military and ‘state-owned enterprises in sensitive industries’ from driving cars from Tesla. vice.com, theverge.com

In brief

Attacks, incidents & breaches

  • Mimecast confirms “limited number of our source code repositories” were accessed and code downloaded in Solorigate breach cyberscoop.com
  • REvil operator demanding $50M ransom after compromising electronic manufacturer Acer bleepingcomputer.com
  • NHS boss’ Twitter account compromised, used in PS5 scam, is a reminder of the value cybercriminals place on high-profile social media accounts bbc.co.uk

Threat intel

  • A look at China Chopper the ‘slick’ web shell used by Hafnium in the recent Exchange attacks zdnet.com
  • Fake TabBarInteraction Xcode project aims to infect iOS app developers with trojan arstechnica.com
  • Finnish Security and Intelligence Service says Chinese-linked APT31 group was behind attack on Finland’s parliament in 2020 cyberscoop.com
  • REvil ransomware seen forcing reboots to Windows safe mode to encrypt files and attempt to evade security software bleepingcomputer.com
  • Attackers scanning for recently patched and critical F5 BIG-IP vulnerability arstechnica.com

Security engineering

  • You can now use security keys with Facebook’s iOS and Android apps zdnet.com
  • Microsoft Defender Antivirus will now automatically mitigate Exchange Server vulnerabilities zdnet.com

Privacy

  • State-backed China Advertising Association testing workaround to new Apple restrictions on tracking with Tencent and TikTok arstechnica.com

Public policy

  • Lord Holmes joins calls for reform of the U.K. Computer Misuse Act theregister.com

Law enforcement

  • The Florida teenager that pushed a bitcoin scam after compromising celebrity twitter accounts(vol. 3, iss. 29) has pled guilty and been sentenced to three years cyberscoop.com
  • Russian national Egor Igorevich Kriuchkov pleads guilty for attempting to recruit Tesla employee to implant malware for $1M (vol. 3, iss. 35) bleepingcomputer.com

Mergers, acquisitions and investments

  • RecordFuture inks deal to acquire Gemini Advisory for $52M for expansion into fraud analytics market zdnet.com

And finally

It’s always DNS. Unless it’s expired certs. (Azure AD outage)

A ‘subset’ of Microsoft customers was unable to login to Office, Teams, Xbox Live and other services for roughly 14 hours this week after an “error occurred in the rotation of keys” used for OpenID and other authentication protocols supports by Azure AD. As Lee quipped to me on Twitter: “A cert is just a post dated sev1.” The issues appear to have resulted in SharePoint and OneDrive files for some users being deleted to the Recycle Bin as Teams and OneDrive apps resynchronised after the outage. zdnet.com, twitter.com, bleepingcomputer.com