Robin’s Newsletter #186

9 January 2022. Volume 5, Issue 2
Potential FTC legal action over Log4shell. Phishing using Google Docs. New UK Information Commissioner. Reframing cybersecurity.

This week

The US Federal Trade Commission has indicated that it may “use its full legal authority,” including potential legal action, against companies that “fail to take reasonable steps to protect consumer data from exposure” resulting from Log4j and other similar future vulnerabilities.

This is both a non-story — of course, a regulator is expected to enforce regulation using its full power — but also particularly assertive. Analysis by Google (vol. 4, iss. 51) showed that in more than a quarter of cases Log4j is a dependency nested five packages deep. Many organisations don’t know what their first level of dependencies is, let alone their fifth.

One of the most overlooked, but effective, ways of mitigating Log4Shell (and indeed many cyber threats) is ensuring that you have egress filtering/outbound firewall rules that limit outbound access to legitimate, trusted destinations only.

Interesting stats

I missed this back in October, however…

98% profit margin for ransomware actors, according to Coveware, who compared digital criminal enterprise to that of cocaine trafficking in the ‘90s (91% profit margin for the drug dealers)

Other newsy bits

Phishing attacks using Google Docs

Reports of phishing attacks that use the comments feature of Google Docs to send messages to victims. The attacker creates a document and then adds a comment and tags the victim’s email address. A notification is generated by Google that includes a preview of the message, including any hyperlinks that the attacker wants to direct the victim to. Because the messages are ‘legitimately’ generated by Google they’re difficult to block (without blocking all Google messages) and the notifications also don’t show the originating account’s email address, effectively masking the attacker. Notification abuse isn’t a new technique and is something that companies should be aware of when developing products that include user-generated content.

Related: You do phishing tests? Why? “[In] almost all cases, you’re essentially giving them a detention, rather than a lesson” (h/t Nick!)

New UK Information Commissioner begins five-year term

John Edwards has taken over from Elizabeth Denham as the UK’s Information Commissioner, and begins a five-year term responsible for data protection and freedom of information, amongst the other responsibilities of the role. Previously Edwards was Privacy Commissioner in New Zealand. Concerns exist (vol. 4, iss. 27, vol. 4, iss. 35) around the future direction of UK data protection regulation, not least from Denham, who warned of the importance of independent governance of the ICO.

Twenty years of Trustworthy Computing

While chief executive of Microsoft, Bill Gates periodically wrote memos to all staff about high-priority items that staff at Redmond and around the world should focus on. Twenty years ago his theme was trustworthy computing, and it marked the beginning of Microsoft getting on top of the (seemingly) endless security issues affecting the Windows operating system.

“Our new design approaches need to dramatically reduce the number of such issues that come up in the software that Microsoft, its partners and its customers create.” — Bill Gates

Trustworthy computing had a profound effect on the way that Microsoft designed, built, tested and shipped its flagship operating system.

Today, security is still a key strategy for Microsoft, with revenues for their security business surpassing $10 billion this time last year (a 40% year-on-year growth). While a product line in its own right — rather than table stakes as Gates worried — the recent vulnerabilities in Azure are perhaps indicative of the need for a reboot of sorts at Redmond?

Longer reads

Reframing cybersecurity to build a safer net

Great article from Dr Melanie Garson. If ‘cyber is a team sport’ then we need to ensure that, at every level, people want to be part of our team. Sovereign ‘splinternets’ are counter to this and increase digital divides.

As game theorist and Nobel laureate Thomas C. Schelling noted “there is a tendency in our planning to confuse the unfamiliar with the improbable … what is improbable need not be considered seriously.”

Lots of positive security here :-)

Assessment of EDR solutions

In An Empirical Assessment of Endpoint Security Systems Against Advanced Persistent Threats Attack Vectors, George Karantzas and Constantinos Patsakis of the University of Piraeus and Athena Research Center in Greece look at the performance of common endpoint detection and response (EDR) solutions and their ability to detect and block behaviours often associated with advanced persistent threats (APTs). H/t Catalin Cimpanu (PDF)

In brief

Attacks, incidents & breaches

  • Data breach at Florida healthcare provider Broward Health in October 2021 resulted in the compromise of 1.3M people’s patient data
  • McMenamins, a craft brewer who runs over 60 bars, venues and hotels, lost over 20 years of employee data during a ransomware attack. It’s interesting because, having stored these records for such a long time, many were inevitably out of date, making it difficult to contact the affected ex-employees. Know what data you’re storing, why, and how long you need to retain it for
  • Websites for over 5,000 schools hosted by Finalsite, a vendor who offers ‘an easier way to market your school and manage communications’ have been affected by a ransomware incident
  • Online calendar bookings tool FlexBooker has announced a breach affecting 3.7 million users’ names, email addresses, phone numbers, password hashes and partial credit card information

Threat intel

  • Cyber-criminals are using a modified version of Atera’s remote monitoring and management (RMM) software to install info-stealing malware and ransomware payloads
  • This is almost comically brilliant: North Korea trying to infect Russian embassies with trojanised screensavers masquerading as new year greetings. The screensavers themselves are 90s WordArt-tastic
  • MageCart / card skimming gangs compromised Brightcove’s cloud video service to steal information from ‘over one hundred’ sites that embedded video content on their site. Your checkout flow should have minimal third-party content loaded on it, and use subresource integrity (SRI) checks to detect unauthorised changes
  • Not strictly cyber, however, Sweden has launched a ‘psychological defence agency’ to counter misinformation. It strikes me that the magic trick of persistent misinformation is ‘forcing’ liberal democracies into more authoritarian action and stances that undermine public trust and neutralise the ‘bad authoritarian regime’ card they love to play
  • Security researchers at ZecOps have published a proof of concept that blocks and then simulates the reboot function of an iOS device. Many iOS spyware and malware strains are unable to achieve persistence, meaning a reboot of a device would require an attacker to re-compromise the device. Intercepting and spoofing that reboot fools the user into thinking the reboot has occurred and removes the need to achieve that persistence
  • Setting a long (500,000+ character) name for an Apple HomeKit device leads to denial of service

Cyber defence

  • Sonicwall email and firewall products have not been logging events properly and have been preventing access to junk mailboxes because of the way the firm handles date stamps and the ‘Y2K22’ bug affecting the maximum size of an integer (see also, Honda, below)

Operational technology

  • Some car models manufactured by Honda and Acura have been struck by the ‘Y2K22’ bug, resetting the clock in their navigation systems to 2002. Engineers from Honda believe the issue will self-resolve in August 2022, though they are working on a fix to ‘correct it sooner’
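The two ‘Y2K22’ items (Sonicwall above and Honda here) share a failure mode: a date stamp packed into a decimal number such as YYMMDDHHMM crosses the signed 32-bit limit of 2,147,483,647 on 1 January 2022, because 2201010001 no longer fits. The example below is added here and is not code from either vendor; the packing scheme is an assumption used to illustrate the pattern, not a description of either product’s internals. It shows the range check that should guard a write into a 32-bit field, what the value wraps to without it, and the wider storage type that avoids the problem.

```javascript
// Added example, not from the newsletter or from either vendor: a date stamp
// packed into a decimal YYMMDDHHMM number stops fitting in a signed 32-bit
// integer on 1 January 2022. The packing scheme is an assumed illustration.

const INT32_MAX = 2147483647;
const INT32_MIN = -2147483648;

// Pack a UTC timestamp as the decimal number YYMMDDHHMM (assumed scheme):
// 2022-01-01 00:01 UTC -> 2201010001.
function packStamp(date) {
  const pad = (n) => String(n).padStart(2, "0");
  const yy = date.getUTCFullYear() % 100;
  const mm = date.getUTCMonth() + 1;
  return Number(
    pad(yy) + pad(mm) + pad(date.getUTCDate()) +
    pad(date.getUTCHours()) + pad(date.getUTCMinutes())
  );
}

// Range check that should guard any write of the stamp into a 32-bit field.
function fitsInt32(n) {
  return Number.isInteger(n) && n >= INT32_MIN && n <= INT32_MAX;
}

// What happens without the check: `| 0` reproduces a two's-complement wrap
// into 32 bits, so 2201010001 becomes -2093957295.
function storeInt32(n) {
  return n | 0;
}

// The fix that keeps the stamp format unchanged: store it in a 64-bit field.
function storeInt64(n) {
  return BigInt.asIntN(64, BigInt(n));
}

// Compare two packed stamps the way a 32-bit field would; returns true when
// `later` sorts after `earlier`. After the wrap, this ordering is inverted,
// which is how "new" events end up treated as older than everything else.
function laterThanInt32(later, earlier) {
  return storeInt32(later) > storeInt32(earlier);
}

// Constructed sample: the last minute of 2021 and the first minute of 2022.
const lastOf2021 = packStamp(new Date(Date.UTC(2021, 11, 31, 23, 59)));
const firstOf2022 = packStamp(new Date(Date.UTC(2022, 0, 1, 0, 1)));
for (const stamp of [lastOf2021, firstOf2022]) {
  console.log(
    `${stamp}: fitsInt32=${fitsInt32(stamp)} int32=${storeInt32(stamp)} int64=${storeInt64(stamp)}`
  );
}
console.log("2022 stamp sorts after 2021 stamp in int32?", laterThanInt32(firstOf2022, lastOf2021));
```

The same check applies to any field that encodes a date as a human-readable integer (build numbers, signature versions, log sequence numbers): decide up front whether the field is 32- or 64-bit, and test the boundary dates rather than waiting for the calendar to find them.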

Mergers, acquisitions and investments

  • Recorded Future has acquired SecurityTrails, which collects and logs domain and IP address information, for $65M (having previously invested in the firm)
  • Google has acquired security orchestration outfit Siemplify for $500M and will integrate these automation capabilities into its Chronicle offering

And finally

Norton AV now comes bundled with a crypto-miner

As I covered back in June last year (vol. 4, iss. 23), NortonLifeLock decided that what their antivirus customers really needed was the ability for their AV to mine crypto-currency when their computer ‘is not in use’.

The feature is now live and, quelle surprise, users aren’t happy, with one thread on Norton’s customer support forum describing how they are “absolutely furious” at the company and that “Norton should be DETECTING and killing off crypto mining hijacking, not installing their own.”

On a more serious note, Norton has ~80 million users, of which over 20 million are paying customers, and the feature is also being rolled out to their Avira subsidiary, which has over 500 million users on its free AV product. Norton is merging with Avast, who bring a further 435 million users to the party (though no news on any crypto features for Avast AV yet). That’s a huge number of people to be introduced to crypto-currency, and places a big responsibility on the company to be educating users on the risks and protections necessary to safeguard their digital assets.

I think there is also a significant question outstanding for the board of NortonLifeLock whose environmental, social and governance (ESG) priorities include establishing “NortonLifeLock as an environmentally responsible business.” Giving over half a billion users the option to dramatically increase their electricity consumption would seem counter to that objective. Still, they have planted 3,500 trees.
