This week
Three things for you to do this week
First up, in three weeks Robin’s Newsletter will celebrate its third birthday. (They grow up so quickly!) And I’d love to hear a bit about why you subscribe, or how it is helping you. I’d like to publish a few anonymous examples from readers, alongside my reasons for writing it every week.
So hit reply, and drop me a quick sentence or two about why you subscribe, and how you’d like yourself described, please!
Do it now :-)
Have you done it?
OK, then two more things that require explicit opt-outs, if you do not wish to participate:
If you live in the U.S: Decide if you would like Amazon sharing your broadband connection with your neighbours’ Amazon devices via their new ‘Sidewalk’ mesh networking feature arstechnica.com
If you live in the U.K: Decide if you want to opt out of your identifiable patient data being shared for purposes other than your medical care, such as medical research. The NHS Digital website does a good job of explaining what, why, and how, but the who is decidedly absent from the frequently asked questions. Details of how to submit a ‘Type 1 Opt-out’ are available on the NHS website nhs.uk
Interesting stats
3 years since the General Data Protection Regulation (GDPR) came into effect: 59% of total fine value is attributed to ‘insufficient legal basis for data processing’, with ‘insufficient technical and organisational measures to ensure information security’ coming in second at 23%, h/t Simon Goldsmith
Cyber insurance uptake amongst Marsh McLennan’s clients increased from 26% to 47% between 2016 and 2020. Premiums of $2,000-$3,500 per $1M limit are paid in high-risk industries with revenues of up to $5M, rising to $5,000-$10,000 per $1M limit for those with revenues of $100M-$250M. Premiums increased 10% at the end of 2020, according to the U.S. Government Accountability Office zdnet.com
624% year-on-year growth of the Russian language ‘Hydra’ dark web marketplace, with transactions topping $1.37BN in 2020; it may account for 75% of dark web marketplace activity, according to analysis by Flashpoint and Chainalysis cyberscoop.com
$500,000 annual losses for companies that suffer compromised cloud accounts, according to research by Proofpoint and the Ponemon Institute scmagazine.com
Other newsy bits
Use of online flashcard sites exposes U.S. nuclear weapons secrets
The operational security of U.S. nuclear weapons was put at risk by the use of online ‘flash card’ apps that allow students to create tests on different topics for each other.
You’ll be pleased to learn that there is a lot to learn for those U.S. service men and women that guard its nuclear weapons. That’s understandable: if there is an incident or action is required, you need everyone on-base to spring into action and know what the hell they’re meant to be doing.
Which ‘vaults’ have live weapons in them, the security protocols around their guarding, and response codes (including those that indicate they are under duress), is a lot to learn, especially when you are going to be tested on it to confirm you know how to act.
Unfortunately, unwitting squaddies have turned to online flashcard apps to help them study for these tests. And the services all appear to have defaulted to making sets of flashcards public, rather than requiring sharing to be enabled by users. That’s meant that lots of operational information has been sitting in the public domain for quite some time.
An investigation by Bellingcat goes on to show how this information can be used to pinpoint the location of U.S. nuclear weapons, including those on European soil where politicians enjoy a certain level of ambiguity that prevents open debate about the rights and wrongs.
Fortunately, the offending material has now been taken down, following Bellingcat notifying the U.S. Department of Defense, and no incidents appear to have transpired as a result of the information being online. bellingcat.com
Email security tools are working, and that’s driving new tactics from attackers
Some good news this week (hi Graham!): email security tools that detect and block malicious emails seem to have gotten pretty good.
Cybercriminals operate for financial gain and so the economics of attacks play a crucial part: they won’t invest significant efforts for small returns and will usually take the easiest path.
Traditionally that has been dropping dodgy links or malicious attachments into emails and sending them to victims in the hope they would get through security defences and be clicked or opened by unsuspecting users. But the efforts that cybercriminals are taking are increasing, and that suggests that the returns they have been able to get from these previous techniques are diminishing.
In an example in Wired this week they cover a group that created an entirely fake online video streaming site (à la Netflix or Disney+) with the sole purpose of duping victims into installing their malware. The lures were still emails, but they contained no links, just mention of the service and a payment due to be taken ‘due to the end of a trial period’.
There’s also an increasing use of fake call centres to coerce victims into installing malware over the phone, and in doing so side-stepping email and other detection and prevention mechanisms. Again, they start with an email but don’t have dodgy attachments or links, instead perhaps using a fake invoice and leaving the mark to call a phoney accounts payable team.
Long reads
What will U.K’s National Cyber Force do?
H/t Nick for bringing this to my attention. A delve into the U.K. National Cyber Force (announced last year (vol. 3, iss. 47)), how it is composed and what it will actually do. That’s important because the new National Cyber Strategy is due later this year.
From countering ransomware criminals to coordinating public attribution of malevolent state actor cyber operations, the future of the United Kingdom’s cyber strategy should be international by design. That means coordinating as closely as possible with allies like the United States, helping to build the cyber capacity of other states, and keeping a watchful eye on the cyber campaigns pursued by adversaries. The new National Cyber Force has a role to play in all of that, but it is only one player in the United Kingdom’s wider cyber ecosystem.
The rise of crypto laundries
An interesting look into how cybercriminals launder their ill-gotten gains through cryptocurrency, ‘Treasure Men’ and other underground services to turn virtual hauls into hard cash. ft.com
In brief
Attacks, incidents & breaches
- Breach of Fujitsu ProjectWEB file sharing tool exposes 78,000 email addresses and proprietary information, including from Japanese government agencies such as the Ministry of Land, Infrastructure, Transport and Tourism and the National Cyber Security Center (NISC) bleepingcomputer.com
- Air India breach pointed at industry IT provider SITA cyberscoop.com
- Plaintext passwords for 8.3M users of DailyQuiz are circulating in the public domain following a breach in January 2021 therecord.media
- Walmart account registration process used to send racial abuse to thousands of people bleepingcomputer.com
Threat intel
- ClearSky has attributed a campaign of attacks on cryptocurrency exchanges (dubbed CryptoCore) to North Korea’s Lazarus group. The attacks are thought to have netted hundreds of millions of dollars in the last three years bleepingcomputer.com
- SentinelOne researchers pin ‘Apostle’ malware with disk-wiper and ransomware capabilities to Iranian-linked group dubbed Agrius targeting Israel and United Arab Emirates arstechnica.com
- Browser extensions are disabling website security headers to inject code and enable their functionality therecord.media
- APT29, Russia’s ‘Cozy Bear’, back to spear-phishing attacks, with campaign centred around a USAID ‘special alert’ of election fraud targeting government agencies, research institutions and NGOs in the U.S. and Europe. The campaign involved abusing USAID’s marketing platform, Constant Contact, to send the emails - a technique I’ve seen used elsewhere recently to target the customers of an organisation theguardian.com
- Four tools found to exploit vulnerabilities in Pulse Secure VPN products zdnet.com
- Cisco Talos suggests branding cybercrime gangs operating in jurisdictions where they are not prosecuted as ‘privateers’ cyberscoop.com
Vulnerabilities
- Immediate action required: “the ramifications of this vulnerability are serious,” says VMware of a remote code execution vulnerability in the default configuration of vSphere Center arstechnica.com
- XCSSET malware used logic bug in Apple’s macOS to inherit permissions to take screenshots of developer machines arstechnica.com
- Researchers at ANSSI discover vulnerabilities in low-power Bluetooth protocols that enable device impersonation attacks zdnet.com
- Google researchers find miniaturisation of DRAM chips increases susceptibility to Half-Double, a rowhammer-esque technique for bit flipping zdnet.com
Security engineering
- Learn from Peloton’s mistakes: strip the location metadata from photos uploaded to your service techcrunch.com
- U.K. National Cyber Security Centre (NCSC) has published guidance on asset management ncsc.gov.uk
- Ransomware gangs’ decryptors are often slower than restoring from backups bleepingcomputer.com
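Stripping location metadata as the Peloton item above recommends, as an added example that is not from the newsletter or from any service it mentions: a dependency-free Python walker over JPEG segments that drops the APP1 (Exif/XMP, where GPS tags live), APP13 and COM segments and copies the image data untouched. The sample JPEG bytes are constructed here and are a skeleton, not a decodable picture.

```python
import struct

SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
# Dropped: APP1 (Exif/XMP, where GPS tags live), APP13 (IPTC), COM (comments). APP0 JFIF is kept.
STRIP_MARKERS = {0xE1, 0xED, 0xFE}
STANDALONE = {0x01, *range(0xD0, 0xD8), SOI, EOI}  # markers with no length field

def iter_segments(data: bytes):
    """Yield (marker, raw bytes) per segment; scan data after SOS comes last with marker None."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI")
    yield SOI, data[:2]
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = data[pos + 1]
        if marker in STANDALONE:
            yield marker, data[pos:pos + 2]
            pos += 2
            continue
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])  # length includes its own 2 bytes
        end = pos + 2 + length
        if length < 2 or end > len(data):
            raise ValueError(f"bad segment length at offset {pos}")
        yield marker, data[pos:end]
        pos = end
        if marker == SOS:
            yield None, data[pos:]  # entropy-coded image data (and EOI), copied verbatim
            return

def strip_metadata(data: bytes) -> bytes:
    """Return the JPEG with location-bearing metadata segments removed."""
    return b"".join(seg for m, seg in iter_segments(data) if m not in STRIP_MARKERS)

def has_exif(data: bytes) -> bool:
    """True if any APP1 segment carries an Exif payload (home of the GPS IFD)."""
    return any(m == 0xE1 and seg[4:10] == b"Exif\x00\x00" for m, seg in iter_segments(data))

def _segment(marker: int, payload: bytes) -> bytes:
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload

# Constructed sample: a JPEG skeleton (not a decodable picture) carrying a fake Exif block.
SAMPLE_JPEG = (
    b"\xff\xd8"
    + _segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    + _segment(0xE1, b"Exif\x00\x00MM\x00\x2a<constructed GPS IFD>")
    + _segment(0xFE, b"uploaded from phone")
    + _segment(0xDA, b"\x01\x01\x00\x00\x3f\x00") + b"\x12\x34\x56\xff\xd9"  # SOS, scan data, EOI
)
```

Real uploads also carry GPS in XMP and in maker notes, which is why the whole APP1 segment goes rather than individual tags.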
Internet of Things
- Low-sophistication attackers now more willing to ‘tinker’ with operational technology and industrial control systems, says Mandiant, as attacks like that on Colonial Pipeline normalise behaviour scmagazine.com
- U.S. Department of Homeland Security issuing directive requiring pipeline operators to report cyber breaches to federal authorities washingtonpost.com
Privacy
- Business Insider has covered previously redacted documents from a lawsuit between Arizona and Google showing its own staff thought the company had ‘made it nearly impossible for users to keep their location private’ businessinsider.com
- The U.K. Court of Appeal has ruled that an exemption in the Data Protection Act disapplying data subject rights where personal data is processed for “the maintenance of effective immigration control” is unlawful. Under Article 32, any such exemption must have ‘specific provisions’ that cover the purposes of processing, the scope of the restriction of rights and the safeguards to prevent abuse. mishcon.com
- Meanwhile the European Court of Human Rights has ruled that ‘dragnet surveillance’ operated by the U.K. GCHQ and revealed by Edward Snowden in 2013 “did not contain sufficient ‘end-to-end’ safeguards to provide adequate and effective guarantees against arbitrariness and the risk of abuse” and that “[the] bulk interception was in principle neither necessary nor proportionate within the meaning of [The European Convention on Human Rights]”. The British government has said changes to the U.K. Regulation of Investigatory Powers Act (RIPA) now mean the law is in full compliance with the ECHR. theregister.com
Public policy
- The German Federal Court of Justice (BGH) has ruled that an encrypted email provider must monitor and provide all incoming and outgoing messages from its service for two users involved in a blackmail case, setting potential precedent for treating email providers like telecommunication companies and end-to-end encrypted communications cyberscoop.com
- Proposed budget from Biden administration sees civilian cyber funding up 14% to $9.8BN, with almost two-thirds of that earmarked for responding to the ‘lessons learned’ from the SolarWinds breach cyberscoop.com
Regulatory
- DLA Piper has published a comprehensive and well-structured look at forthcoming European Union regulation of Artificial Intelligence. Certain ‘prohibited practices’ will be banned, ‘high-risk systems’ will face what is looking like quite complex compliance requirements, while transparency regimes will be introduced for those posing ‘manipulation risks’. h/t Michael dlapiper.com (PDF)
Law enforcement
- Justin Sean Johnson, from Detroit, Michigan, has pleaded guilty to stealing the personally identifiable information (PII) of 65,000 employees of a health care provider and selling it on the dark web to criminals who would go on to submit $1.7M of fraudulent tax returns bleepingcomputer.com
Mergers, acquisitions and investments
- U.K. email protection startup Tessian closes $65M series C funding round at a $500M valuation techcrunch.com
- Cloud security analytics platform Uptycs secures $50M series C funding to accelerate roadmap techcrunch.com
- HaveIBeenPwned goes open-source, will receive updates from FBI investigations zdnet.com
And finally
Say cheese: photo holding block of cheese leads to drug dealer’s arrest
Law enforcement has been busy conducting analyswiss of the data they obtained from infiltrating the EncroChat platform in 2020, widely seen as a safe space for open communication by criminals (vol. 3, iss. 27).
Carl Stewart was known for being up to no gouda and the police were able to caerphilly match his finger and palm print from a photo obtained from the EncroChat service to those on record. When it came to the trial, the court didn’t have to take the police’s curd for it: Stewart pleaded guilty to the crimes and will now face over 13 years briehind bars. Top digital detecting, Merseyside Police!