Robin’s Newsletter #177

7 November 2021. Volume 4, Issue 45
Trojan Source vulnerability in the way compilers handle Unicode characters. Meta/Facebook to disable facial recognition feature and delete faceprints.

This week

Trojan Source

This was a ‘huh, well yeah, I guess that is a thing’ moment: great research from Ross Anderson et al. on how compilers treat Unicode characters, especially where they come across conflicting, bi-directional (e.g. both left-to-right and right-to-left languages) control characters. The answer is that text that looks like a code comment to the human reader may be interpreted and compiled into the final application.

Apparently, basic versions of this technique are already being used to help disguise malware from email gateways. I think we are a long way from “you can’t trust anything written”, but it’s certainly a novel class of vulnerability that I’m sure has raised a few eyebrows within the intelligence communities.
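As an added illustration (not part of the newsletter or of the paper’s tooling), a small Python scanner that flags the invisible bidi control characters the technique relies on, run over a constructed sample; rejecting any such character in source files at pre-commit or CI time is the simplest mitigation:

```python
import unicodedata

# Unicode bidi classes of the control characters Trojan Source relies on:
# explicit embeddings/overrides (LRE, RLE, LRO, RLO, PDF) and isolates
# (LRI, RLI, FSI, PDI). They render invisibly but reorder what a reviewer sees.
BIDI_CONTROL_CLASSES = {"LRE", "RLE", "LRO", "RLO", "PDF", "LRI", "RLI", "FSI", "PDI"}


def find_bidi_controls(source):
    """Return a list of (line, column, U+XXXX, bidi class) for every bidi
    control character in `source`. Line and column numbers are 1-based."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            cls = unicodedata.bidirectional(ch)
            if cls in BIDI_CONTROL_CLASSES:
                findings.append((lineno, col, f"U+{ord(ch):04X}", cls))
    return findings


def is_clean(source):
    """True when the source contains no bidi control characters at all,
    which is the simplest policy for a pre-commit hook or CI gate."""
    return not find_bidi_controls(source)


# Constructed sample (not taken from the paper): line 2 hides an RLI/PDI pair
# inside a comment, so the displayed order differs from the logical order
# the compiler actually parses.
SAMPLE = (
    "int main(void) {\n"
    "    /* safe \u2067 unsafe \u2069 */\n"
    "    return 0;\n"
    "}\n"
)

if __name__ == "__main__":
    for lineno, col, cp, cls in find_bidi_controls(SAMPLE):
        print(f"line {lineno} col {col}: {cp} ({cls})")
```

Ordinary non-ASCII text (accented letters, CJK, emoji) is not flagged, only the nine bidi control classes, so the check is safe to apply to localised string literals.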

Interesting stats

$9M-$12M expected reduction in revenue for following recent DDoS attack

77% of rootkits are used for cyber espionage, with 44% of attacks being targeted at government agencies, according to Positive Technologies

57% of penalties issued by the Information Commissioner’s Office (ICO) since January 2020, totalling £5.1M, remain unpaid, as many firms use appeals to delay the process or go into liquidation

Other newsy bits

Meta shutters Facebook’s facial recognition features

Meta (the new name for Facebook’s parent company) has announced that it is disabling facial recognition features that saw it settle a case brought under Illinois’ Biometric Information Privacy Act last year for $650 million.

Citing ‘complex social issues’ around facial recognition technology, the social network will delete the ‘faceprints’ it had generated of 1 billion users, though it will continue to work on technology that may have ‘positive use cases’, such as for the visually impaired or fraud prevention.

Thoughtful things

The ‘increasingly sophisticated threat’

… may more likely be our biases towards future uncertainty and complexity, according to the former head of MI5 Lord Evans. @ciaranmartinoxf

Security ‘sludge’ vs usability

I’ve never been a fan of ‘EXTERNAL EMAIL’ banners and labels on emails. They distract users and desensitise them to the threat, rather than increasing awareness over the long term. (Not to mention the environmental impact of storing all those extra characters in every reply and every user’s inbox.) A good example here from a presentation by Richard Thaler.

“Cognitive detritus… often seems the default design in infosec.” — Kelly Shortridge


Beg bounties

A play on ‘bug bounties’, and a chuckle-worthy concept.

“I’ve identified a vulnerability in your web application. Waiting for your positive response.”


In brief

Attacks, incidents & breaches

  • National Bank of Pakistan suffers a ‘destructive’ cyber-attack, preventing computers from booting, as the government issues a statement to calm fears of a run on all banks
  • UK Labour Party supplier seemingly suffers ransomware attack as party supporters receive notifications saying the data held by the third-party has been ‘rendered inaccessible’
  • Toronto’s transit system disrupted by ransomware attack
  • Kaspersky has Amazon SES token compromised, used to send spear-phishing emails appearing to come from the company
  • More popular npm packages (co and rc) have been compromised with code similar to those compromised last week (and the week before). They really need to enforce MFA on developer accounts

Threat intel

  • Groove ransomware gang was a hoax… or was it?
  • FBI warns of ransomware attempts targeting ‘sensitive financial events’ such as mergers and acquisitions (PDF)
  • BlackMatter ransomware group allegedly ‘shutting down’… or rebranding due to law enforcement pressure… affiliates move victims to LockBit
  • ProxyShell vulnerability being used to compromise Exchange servers and deploy Babuk ransomware
  • Be on the lookout for delivery phishing and smishing lures this holiday season
  • BlackBerry report on ‘Zebra2104’ initial access broker (IAB) supplying ransomware and APT groups


  • GitLab vulnerability patched in April is still present in over 50% of deployments and is being actively exploited

Security engineering

  • Google has begun auto-enrolling 150 million accounts in multi-factor authentication
  • Microsoft announces ‘Defender for Business’ endpoint detection and response tool aimed at organisations with fewer than 300 users, included with Business Premium plans, or as a $3/user/month add-on (this may make a huge difference to SMBs below the ‘security poverty’ line)

Internet of Things


  • More on China’s Personal Information Protection Law (PIPL)

Public policy

  • CISA orders US government agencies to patch 300 known, and exploited, vulnerabilities within the next six months
  • US puts Pegasus spyware company NSO Group on export blacklist
  • The US is also offering a $10 million reward for information leading to the identification or arrest of Darkside ransomware group members

Mergers, acquisitions and investments

  • CrowdStrike to acquire SecureCircle in an all-cash deal that will boost the data loss prevention capabilities of the firm’s Falcon endpoint agent
  • IBM acquires Extended Detection & Response (XDR) outfit ReaQta to expand QRadar capabilities and provide “continuous monitoring and rapid response as part of a zero-trust approach”

And finally

“When God closes one door, he opens another”

Two news articles released one month apart, the first “Microsoft is disabling Excel 4.0 macros”, the second “Microsoft brings JavaScript to Excel” (source: @sshell_)

H/T: @sshell_
