Robin’s Newsletter #156

13 June 2021. Volume 4, Issue 24
EA games source code stolen. Apple's news privacy and security features. The FBI ran An0m encrypted comms app. Ransomware thinking.
Join hundreds of subscribers who get this first, every Sunday. Subscribe

Wow. That happened quickly. Next week will be the third birthday of this newsletter! I’m looking forward to celebrating with y’all with cake and presents! If you know someone who really should have subscribed by now, or want to spread the news, then please share this with them :-)

This week

Electronic Arts breached, source code stolen

Attackers compromised the network of games publisher Electronic Arts and stolen over 780 GB of data, including source code for FIFA21 and the Frostbite game engine. EA says no customer/player data was stolen in the breach.

The compromise appears to have circumvented extensive protections after attackers were able to buy a session cookie for $10 that let them impersonate an EA employee and convince the company’s Helpdesk to obtain a multi-factor authentication code because they had ‘lost their phone at a party’ and were unable to login.

As @boffbowsh suggested on Twitter: in the age of remote working, using video calls to verify the authenticity of credential resets like this should be a minimum.

Lots of reports have focussed on the value of the source code, though I would be amazed if it was snapped up by a rival. (If anything, the retooling of a workforce would probably negate any saving on licensing it legitimately!)

It’s far more likely to be valuable to those developing cheats for games that can net their creators over $70M (vol. 4, iss. 23). 

Gaming is big business, with revenues expected to reach almost $200 billion in 2022, and a lot of that is being driven not by up-front sales, but in-game purchases. Not only can players buy extras for their digital avatars, but often they can trade them on marketplaces.

So as well as developing cheats, if you understand the algorithm by which games are matched, or items valued, you have a better understanding of how to profit by selling accounts and items on the black, or in-game marketplaces. 

bbc.co.uk, vice.com, bleepingcomputer.com, zdnet.com, @boffbowsh

Interesting stats

12 hours from password leak to attempted use in 50% of cases, according to researchers at Agari who seeded account details on forums popular with cyber criminals zdnet.com

$265BN projected cost of ransomware to victims by 2013, according to Cybersecurity Ventures cybersecurityventures.com ($265B is ~0.3% of 2019 global GDP (not factoring in inflation)… Seems high!)

245,771 unique phishing websites detected in January, according to Anti-Phishing Working Group therecord.media

Other newsy bits

Apple went big on privacy at WWDC21, plus some hidden security features

Some interesting new privacy features from Apple at their World Wide Developers Conference this week to improve mail privacy, proxy web browsing to hide location, shift Siri processing on-device and introduce App Privacy Reports as the next step in nutrition labels.

I’ve seen lots written on these it was the Account Recovery and Digital Legacy features that stood out to me. I ended up with a bit of a threat on Twitter that I’ve turned into a blog post (below). But while lots of people are pointing out that some of these privacy features are unavailable in countries where citizens need them the most, perhaps Apple has also realised it needs tools to comply with nations where Private Relay is allowed?

John Gruber has an interview with Apple execs Craig Federighi and Greg Joswiak and they take a deeper dive into some of these new features.

Also, it looks like iCloud Keychain is being made easier to access as ‘Passwords’ under system preferences and gaining support for authenticator apps baked-in, so it can generate and auto-fill multi-factor auth codes directly.

rto.me.uk, youtube.com, macrumors.com

The AFP, FBI and Europol ran an encrypted criminal communications network

Over 12,000 criminals from more than 300 gangs in 100 countries have been using an encrypted ‘secure phone’ service that was secretly being run by the FBI under Operation Trojan Shield / Ironside.
 While promising end-to-end encryption, the messages sent across the ‘An0m’ platform were encrypted using a master key known to the FBI and each message was essentially BCC’d to a service dubbed ‘iBot’ that decrypted and copied messages for law enforcement.
 9,000 officers took part in coordinated raids that have resulted in more than 800 people being arrested and 32 tonnes of drugs and $484M of proceeds being seized.
 Criminals fled to the service after previous services, such as Encrochat, were shut down in other operations (vol. 3, iss. 27). 

Far from the FBI being left ‘in the dark’ it’s another example weakening the law enforcement argument in the crypto-wars about needing backdoors built into messaging services. 

theregister.com, theguardian.com, therecord.media, wired.com (encryption debate)

Long reads

It’s a ransomware triple-header

Ransomware, in the wake of the Colonial Pipeline and Ireland’s Health Service Executive, has broken through to become a talking point in politics and media. G7 leaders even discussed ransomware (but not for the first time.)

Away from the seagulls of Carbis Bay, there’s been some really interesting writing on ‘the ransomware problem’ this week. Here’s three I learned from:

Sir Alex Younger, former head of the U.K’s Secret Intelligence Service (MI6) has a piece in the FT:

If one accepts that this is a national security problem, then it becomes hard to defend the suggestion that governments should simply leave these decisions to private citizens. As a first step, I think it should be mandatory to disclose payments publicly and in detail. Attackers seek to present payment as the easy option. We have to change that. 

ft.com, h/t Ciaran Martin

Adam Shostack reminds us that we need to address the systemic causes of ransomware.

Focusing on fighting ransomware is like fighting a pandemic by focusing on masks. You fight a pandemic by focusing on reducing transmission and improving treatments. Reducing transmission does include masks, and also vaccines, distancing, contact tracing, quarantines, and various levels of restricting movement.

darkreading.com

And lastly, Kevin Beaumont takes a look at how we got here, the incentives, how many organisations don’t even have a security person, and crucially

Organizations are often purchasing tools upon tools they simply cannot even afford to patch routinely, let alone support and use — this includes security tools by under pressure security teams.

doublepulsar.com

In brief

Attacks, incidents & breaches

  • Volkswagen partner left details of 3.3 million U.S. and Canadian customers (including credit info on 90,000) online for 21 months techcrunch.com
  • Content delivery network (CDN) provider Fastly ‘broke the Internet’ for an hour this week after a customer configuration change took their whole service offline, impacting sites like the BBC, PayPal, Spotify and Giphy (the horror!) arstechnica.com
  • Email, phone and deliver addresses for McDonald’s customers in South Korea and Taiwan breached cyberscoop.com
  • U.S. truck manufacturer Navistar has suffered a data breach, according to SEC filings bleepingcomputer.com
  • Meatpacker JBS says it paid $11M to ransomware group to not leak data bleepingcomputer.com
  • Houston-based LineStar Integrity Services, a service provider to pipelines, was compromised around the same time as Colonial Pipeline, and had 70GB of data stolen wired.com
  • Colonial Pipeline CEO says their cyber response plans didn’t include ransomware scenario cyberscoop.com

Threat intel

  • More ransomware attacks on U.K. education sector, says NCSC ncsc.gov.uk
  • SentinelLabs throws shade on Chinese threat actors for sloppy coding in targeted attack on Russian government theregister.com
  • ‘BackdoorDiplomacy’ group has a taste for African, Middle East diplomats, according to ESET zdnet.com
  • Al Jazeera says it blocked attacks looking to disrupt and control its publishing platform therecord.media
  • ‘Prometheus’ ransomware group is targeting manufacturing, says Palo Alto cyberscoop.com
  • SonicWall permitter security devices becoming a beacon for ransomware groups, says Crowdstrike therecord.media
  • Avaddon ransomware groups ‘shuts down’ and provides decryption keys bleepingcomputer.com

Vulnerabilities

  • Linux distress vulnerable to ‘surprisingly easy’ exploit of polkit component bleepingcomputer.com
  • Fifty vulnerabilities in Microsoft’s patch Tuesday, including six currently being exploited theregister.com
  • Seventeen issues found in stock apps bundled on Samsung mobiles techcrunch.com

Security engineering

  • Cross-protocol attacks to exploit shared TLS certificates and steal login cookies arstechnica.com
  • Cambridge researchers successfully test quantum network over 600km of fibre zdnet.com

Privacy

  • The General Practice Data for Planning and Research (GPDPR) — that would see NHS patient data being shared with private organisations — has been postponed following growing public concern. The decision was ‘welcomed’ by the U.K. ICO ico.org.uk

Public policy

  • The U.S. has gained a ‘cyber safety board’ and I think there is a lot to like and learn about from the models behind transport safety and air crash investigations lawfareblog.com
  • Huawei announces new ‘transparency centre’ and launches a cyber security framework zdnet.com

Law enforcement

  • The U.S. Department of Justice has ‘recovered’ 63.7 or the 75 Bitcoin ransom paid by Colonial Pipeline, after the DarkSide crew’s payment server went offline bleepingcomputer.com
  • SlilPP portal, used by cybercriminals to sell more than 80M logins for 1,400 companies seized by U.S. authorities therecord.media

Mergers, acquisitions and investments

  • Deloitte has acquired ‘cloud security posture management’ company CloudQuest to “position Deloitte cyber as an unquestionable business enabler” zdnet.com
  • Network Detection and Response (NDR) provider ExtraHop acquired by Bain Capital and Crosspoint Capital Partners for $900M techcrunch.com
  • Outseer: RSA is spinning its fraud and risk business out into standalone company zdnet.com
  • RecordedFuture launches $20M fund to invest in startups developing data intelligence tools techcrunch.com

And finally

The ransomware song

One day I asked my teacher, What use is math to me? She answered: When you’re older, some day my boy you’ll see… There’s a world of computer systems out there Full of valuable data and not secured with care And you can make a fortune in ransomware…

youtube.com, @forrestbrazeal

(PS, There’s still time to apple for Cydea’s Cyber Risk Consultant role!)

Robin

  Robin's Newsletter - Volume 4

  Electronic Arts (EA) Computer games Apple Privacy An0m Crpyto-wars Ransomware General Practice Data for Planning and Reearch (GPDPR)