Robin’s Newsletter #167

29 August 2021. Volume 4, Issue 35
Microsoft's $20BN investment is in its own products, and they need the investment. Future of the UK's 'post-Brexit' data protection regime and new Information Commissioner. Samsung can remotely disable its smart TVs.

This week

Azure Cosmos DB data available for world + dog

Security researchers at Wiz this week disclosed a vulnerability in Microsoft Azure’s Cosmos DB that gave read and write access to every database on the service.

The vulnerability stems from a feature added by Microsoft in 2019 to allow interoperability with Jupyter Notebooks. Full details are not available yet, but it involves privilege escalation that gives a user access to the primary keys of their own, or any other, Cosmos DB.

Microsoft closed the vulnerability last week and has notified 30% of Cosmos DB customers that they need to change their encryption keys.

It sounds like there was a load of extra stuff returned by the API for that feature that shouldn’t have been. It shouldn’t be difficult to test for “hey folks, our private keys are being returned by this customer function, is that desired behaviour?”

Seriously though: secure defaults, please! I bet only a fraction of users actually used the Jupyter Notebooks feature.

It speaks volumes to the culture, principles and patterns that the Azure team, and broader Microsoft engineers, are applying to their world.

There was another similar issue this week in Redmond’s Power Apps platform which offers a ‘low code’ way to build business applications. More than 1,000 Power Apps exposing 38 million records were accessible on the internet. Insecure defaults meant that users had to opt-in to prevent data from being made publicly accessible.

A bug report to Microsoft was closed as “this behavior is considered to be by design.” That doesn’t say much for your design.

The good news is that Microsoft has taken steps to address both issues, but it’s worth keeping these instances in mind when considering the $20BN promised by CEO Satya Nadella (below).

This is the sort of aggregated, or concentrated, cyber risk event that cyber insurance providers worry about. As more and more businesses make use of common compute platforms these kinds of ‘platform-level’ vulnerabilities are particularly worrisome.

With great power comes great liability.

arstechnica.com, theregister.com (Power Apps)

Interesting stats

75% of cyber insurance claims are for ransomware, according to AM Best cyberscoop.com

$11.5BN in venture capital financing made to cyber startups in the first half of 2021, up from $4.7BN for the same period in 2020, according to Momentum Cyber techcrunch.com

Other newsy bits

Preferred candidate for next UK Information Commissioner announced, along with new data protection regime

The UK Department for Digital, Culture, Media and Sport unveiled ‘post-Brexit data plans’ this week that it says will boost growth, increase trade and improve healthcare. They accompanied it with a black, white and green graphic reminiscent of The Matrix, so you know it’s gonna be good.

Secretary of State Oliver Dowden promised to reform “our own data laws so that they’re based on common sense, not box-ticking,” adding that “[The ICO] will be empowered to go beyond the regulator’s traditional role of focusing only on protecting data rights, with a clear mandate to take a balanced approach that promotes further innovation and economic growth.”

It’s important to balance regulation, but at the same time the nature of it is about keeping companies in check and preventing abuse. That becomes pretty hard to do when you’re given a conflict of interest in promoting those companies, too.

A lot of the rhetoric builds upon the “TIGRR team” report (vol. 4, iss. 27) written by MPs Sir Iain Duncan Smith, Theresa Villiers and George Freeman. These tech and data luminaries quickly came to the conclusion that ‘consumer data’ (note: that’s definitely not personal data) is “highly profitable” and that protecting individuals’ rights is just a bit ‘too burdensome’ for business.

Data adequacy arrangements will be sought with the US, Australia, Singapore, India, and Brazil, amongst others, that by nature of ‘adequacy’ will need to match those of the European Union’s GDPR, or see the UK regime diverge.

The ‘healthcare’ addition is important to note given the postponed decision to share NHS patient data following a public backlash in June this year (vol. 4, iss. 24).

Amongst the announcement was news that New Zealand Privacy Commissioner John Edwards is the preferred candidate to be the UK’s next Information Commissioner.

gov.uk, zdnet.com

Presidential summit on cyber, Microsoft’s investment largely ‘security theatre’

Chief execs from Apple, Alphabet/Google, Microsoft, IBM and Amazon were amongst the twenty-strong representatives from the tech industry at a summit hosted by US President Biden on cyber security this week.

Biden’s opening remarks identified that “most of our critical infrastructure is owned and operated by the private sector.” The National Institute of Standards and Technology (NIST) will collaborate with industry on guidelines for how to build secure technology. The event was meant to be a ‘call to action’ and there was certainly lots of hay being made with splashy announcements after the summit.

The biggest one making the news this week was Microsoft CEO Satya Nadella’s social media posts promising to invest $20BN over the next five years. It’s worth considering that cybersecurity is a profit centre for Microsoft ($10B revenue last year) and while this investment in security solutions is headline-grabbing, it is in the things they sell.

For example, to enable basic… sorry, ahem “Premium” profiles like National Cyber Security Centre’s #CyberEssentials in Microsoft’s Compliance Manager tool costs £22,623.60 per year!

It’s the same story for other schemes aimed at small businesses like Canada’s CyberSecure and Australia’s Essential 8, or CIS’ group 1. They are all “premium templates” that must be purchased as a costly add-on or an expensive E5 licence.

Yes, there are costs to these things, however I’ve seen an increasing number of companies using basic security features like MFA and SSO to prop up the ‘value’ of more expensive tiers.

Investing in the security of the world’s most popular operating system and office productivity suite should be a given. It’s good business, not something to celebrate.

If Microsoft really wants to live up to the spirit of this announcement it would be great to see them treating these ‘essential’ schemes as just that and making them available to those that would really benefit from them. In the meantime it’s just announcing that it thinks a $4BN annual investment in cyber products and solutions will net it a profitable return.

ft.com, cyberscoop.com, therecord.media

T-Mobile attacker comes forward

A 21-year-old originally from Virginia and now living in Turkey has come forward to the Wall Street Journal to take responsibility for the most recent T-Mobile data breach (vol. 4, iss. 32), claiming it is retaliation for being kidnapped by the CIA and calling T-Mobile’s security “awful.” John Binns says he gained access via an ‘unprotected router’ to a data centre where he spent the next week trawling through 100 servers looking for information before exfiltrating millions of files undetected.

wsj.com, zdnet.com

Long reads

Targeting US military personnel

Lawfare has an interesting read on data brokers and the issues stemming from lax US data protection regulation. Should ‘anyone’ be able to buy a list of people based on their preferences, employment, or other attributes?

There are many legitimate reasons for wanting to target Air Force personnel: there’s (probably) a strong correlation for an interest in aviation. Another Podcast with Benedict Evans and Toni Cowan-Brown did an interesting episode on adtech in March this year: previously if you wanted to target CEOs you’d take out an expensive ad in the FT because that was how you targeted CEOs…

“You want your advertising to be seen by somebody that it’s relevant to. You put car ads in car magazines not in children’s comics because children don’t buy cars.”

… but now you can buy cheaper ads in other places based on the person you want to advertise to.

A lot of the issues raised by Lawfare come down to compromising operational security, and potentially making it easier for foreign intelligence to find individuals sympathetic to their causes.

Regulating data brokers would make it more difficult, but with the proliferation of interest groups on social media it is easier than ever to quickly find groups of ‘likeminded’ individuals. And these are within reach of your parents, so not difficult for a well-resourced foreign power.

That doesn’t mean it isn’t right to do, but perhaps is also akin to the proliferation of better mapping and satellite imagery that were once groundbreaking competitive advantages but are now taken for granted. In much the same way as a foreign power can ‘know the lay of the land’ before any invasion, perhaps the same is coming true of digital personas. How does that alter military strategy?

lawfareblog.com, simplecast.com (Another Podcast)

A new wave of hacktivism against surveillance states

Andrea Peterson has an interesting look at recent compromises of Belarus’ security services, and Iran’s prison system (see below), and the ‘new wave’ of hacktivism turning surveillance states against themselves.

therecord.media

In brief

Attacks, incidents & breaches

  • Scenes that wouldn’t be out of place in a Hollywood blockbuster: hacktivists stole video of abuse in Iran’s Evin prison, then took control of CCTV control room computers and played the clips back to watching security guards therecord.media
  • Microsoft lowers OneDrive for Business limits accidentally, forcing users to delete files to continue working bleepingcomputer.com
  • Business email compromise scammers steal $2.3M from Peterborough, New Hampshire, representing 15% of the town’s annual budget therecord.media
  • LA man arrested for social engineering scam targeting “at least 306” victims, mostly women, and theft of over 600,000 photos arstechnica.com

Threat intel

  • Learning what data ransomware actors are after from their tooling: interesting list of keywords that they search for here that also help inform how they may try to extort a business bleepingcomputer.com
  • Phishing scam uses cross-site scripting (XSS) bug in UPS website to push macro-laden word document pretending to be an invoice bleepingcomputer.com
  • Scammers are impersonating Catherine de Bolle, head of Europol, to intimidate victims into handing over PayPal account details cyberscoop.com
  • Ragnarok ransomware operation ‘shuts down’ and releases decryptor and master key therecord.media
  • FBI warns of ransomware actors encouraging users to install malware via telephone cyberscoop.com

Vulnerabilities

  • Plug a Razer Synapse into a Windows 10 computer for SYSTEM privs… And this class of issue I suspect applies to many other software install packages bleepingcomputer.com
  • Atlassian Confluence Server scores 9.8 for arbitrary code execution vulnerability theregister.com

Security engineering

  • Some useful steps for individuals and families from NCSC on how to recover access to compromised social media and email accounts ncsc.gov.uk
  • CREST publishes statement on exam cheating (vol. 33, iss. 33), finds NCC Group ‘vicariously liable’ but otherwise deems ‘slap on wrist’ sufficient for historic misdemeanours theregister.com

Internet of Things

  • McAfee Enterprise finds vulnerabilities in medical infusion pump software that could be used to alter dosages, can wipe evidence by restarting the devices cyberscoop.com
  • Bug in Realtek chipset being targeted by Mirai botnet, affects over 200 wi-fi routers from 65 vendors zdnet.com
  • Synology warns of product impacted by OpenSSL remote-code execution vulnerabilities bleepingcomputer.com

Public policy

  • ‘Protection for critical infrastructure is too often awarded using outdated criteria’ - securing competitive advantage in academic research and funding ft.com

Regulatory

  • Roskomnadzor - Russia’s telecoms regulator - has announced fines totalling 36M rubles ($484K) for WhatsApp, Facebook and Twitter for not storing Russian citizens’ data within the country’s borders therecord.media

Law enforcement

  • Proofpoint awarded $14M in intellectual property theft case against ex-employee who shared secrets with new employer theregister.com
  • US man robbed of 16 Bitcoin is suing the parents of UK juvenile krebsonsecurity.com
  • Sounds sensible: US Department of Justice to train prosecutors in cyber topics therecord.media

Mergers, acquisitions and investments

  • Automotive cyber company Upstream closes $62M Series C round, looks to build out vehicle SOC services and fleet operators techcrunch.com
  • ForgeRock files S-1 with Securities and Exchange Commission in step towards IPO techcrunch.com

And finally

Samsung can disable its smart TVs remotely

I am sure that I won’t end up writing about how this has been abused any time soon. Samsung smart TVs come preloaded with ‘TV Block,’ a feature that checks the TV against a list of known stolen TVs maintained by Samsung. Ostensibly it’s to prevent black market resales, however the checks only work when connected to the Internet and so will be fine if you’re using a Fire TV stick or Apple TV, for example. If your device gets blocked by mistake, you can contact Samsung with proof of purchase and of a TV licence to get service restored within 48 hours.

bleepingcomputer.com

Robin
