Robin’s Newsletter #188

23 January 2022. Volume 5, Issue 4
UK government advertising campaign against E2EE. Merck wins 'act of war' cyber insurance lawsuit. More Russian action against cyber crims.

This week

UK government anti end-to-end encryption PR campaign

There’s been condemnation of a newly launched campaign aimed at preventing social media companies from implementing end-to-end encryption in their messaging apps. The ‘No Place to Hide’ campaign pits the protection of our daily communication and transactions against horrendous child sexual abuse.

What makes the campaign notable isn’t that it is playing the ‘think of the children’ card, but that it’s funded by the Home Office — the UK government department responsible for “immigration and passports, drugs policy, crime, fire, counter-terrorism and police.”

While the ‘About Us’ section of the campaign site refers to children’s charities, safeguarding experts, and child sexual abuse survivors, it neglects to mention the involvement of the UK government, which is identified only in small print at the bottom of the site as footing the £534,000 bill for the campaign.

The ‘think of the children’ card has increasingly been played against encryption which, it is argued, “turns out the lights” on intelligence and law enforcement access to messages. That same encryption is exactly what companies are encouraged to use to protect our data in transit and at rest.

End-to-end encryption doesn’t mean that authorities are entirely blind: the metadata covering who messages whom, when, and other characteristics such as message size are all still available. Nor does it mean other methods are unavailable to law enforcement. In fact, covertly taking over and running criminal messaging services, such as Encrochat (vol. 3, iss. 27) and An0m (vol. 4, iss. 24), has been hugely successful, providing intelligence on 50,000 users that has resulted in over 1,600 arrests and the seizure of over 40 tonnes of drugs and $500 million in cash.
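The metadata point is easy to see in code. What follows is an added illustration, not from the newsletter or from any of the apps it mentions: a toy end-to-end encrypted chat envelope built from Python’s standard library only. The cipher (HMAC-SHA256 run in counter mode as a keystream, with an encrypt-then-MAC tag), the demo keys and the sample conversation are all constructed for this example; a real app would use AES-GCM or ChaCha20-Poly1305 with keys agreed between the two endpoints. The body is unreadable without the keys, but a relay server or passive network observer still sees sender, recipient, timestamp and ciphertext length, and because the body is not padded, the length reveals exactly how long each reply was.

```python
import hashlib
import hmac
import json
import secrets
from typing import Dict, List, Optional

# Constructed demo keys. In a real E2EE app these come from a key agreement
# between the two endpoints; the server relaying the messages never holds them.
ENC_KEY = hashlib.sha256(b"demo-enc-key").digest()
MAC_KEY = hashlib.sha256(b"demo-mac-key").digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a PRF keystream. Illustrative only:
    production code would use AES-GCM or ChaCha20-Poly1305."""
    blocks = []
    for counter in range((length + 31) // 32):
        blocks.append(hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
    return b"".join(blocks)[:length]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def seal(sender: str, recipient: str, ts: int, plaintext: bytes) -> Dict:
    """Encrypt-then-MAC one message. The header (who, to whom, when, nonce) is
    authenticated but transmitted in the clear; only the body is encrypted."""
    nonce = secrets.token_bytes(12)
    header = {"from": sender, "to": recipient, "ts": ts, "nonce": nonce.hex()}
    ct = _xor(plaintext, _keystream(ENC_KEY, nonce, len(plaintext)))
    aad = json.dumps(header, sort_keys=True).encode()
    tag = hmac.new(MAC_KEY, aad + ct, hashlib.sha256).hexdigest()
    return {**header, "ct": ct.hex(), "tag": tag}


def unseal(envelope: Dict) -> Optional[bytes]:
    """Recipient side: verify the tag over header and body before decrypting.
    Returns None if either has been tampered with."""
    header = {k: envelope[k] for k in ("from", "to", "ts", "nonce")}
    ct = bytes.fromhex(envelope["ct"])
    aad = json.dumps(header, sort_keys=True).encode()
    expected = hmac.new(MAC_KEY, aad + ct, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, envelope["tag"]):
        return None
    return _xor(ct, _keystream(ENC_KEY, bytes.fromhex(header["nonce"]), len(ct)))


def observe(envelope: Dict) -> Dict:
    """What a relay server or a passive network observer learns with no keys:
    the full header plus the size of the encrypted body."""
    return {
        "from": envelope["from"],
        "to": envelope["to"],
        "ts": envelope["ts"],
        "size": len(bytes.fromhex(envelope["ct"])),
    }


def demo() -> List[Dict]:
    # Constructed sample conversation (sender, recipient, unix time, body).
    msgs = [
        ("alice", "bob", 1642946400, b"Are we still meeting at the usual place tonight?"),
        ("bob", "alice", 1642946407, b"yes"),
        ("alice", "bob", 1642946415, b"ok"),
    ]
    envelopes = [seal(*m) for m in msgs]
    # Every body round-trips for the legitimate recipient...
    assert all(unseal(e) == m[3] for e, m in zip(envelopes, msgs))
    # ...while the observer still gets the timeline: who spoke to whom, when,
    # and that both replies were two or three bytes long. An unpadded stream
    # cipher leaks exact length, which is why real protocols pad messages.
    return [observe(e) for e in envelopes]
```

Running `demo()` returns three observer records; the ciphertext sizes (48, 3 and 2 bytes) are enough to tell a question from a short answer without ever breaking the encryption, and `unseal()` rejects any envelope whose header has been altered in transit.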

I don’t disagree that sexual abuse crimes against anyone, but especially children, are abhorrent. That’s what makes it so disgusting when used as a cover for primarily ulterior motives. There are arguments to be made for and against E2E encryption in both child abuse and intelligence arenas.

Stephen Bonner, executive director for innovation and technology at the ICO, agrees, pointing to an imbalance in a debate that dwells on the costs of E2EE without sufficient focus on its benefits:

“E2EE serves an important role both in safeguarding our privacy and online safety. It strengthens children’s online safety by not allowing criminals and abusers to send them harmful content or access their pictures or location. It is also crucial for businesses, enabling them to share information securely and fosters consumer confidence in digital services.” — Stephen Bonner

So let’s have those debates and have them rationally, rather than through shadow campaigns seeking to elicit an emotional response. (And certainly, let’s not spend taxpayer money on this sort of advertising campaign.)

therecord.media, theregister.com, theguardian.com, bbc.co.uk, and… noplacetohide.org.uk

Interesting stats

23% of phishing lures in Q4 2021 imitated DHL parcel delivery notifications, presumably capitalising on Black Friday and Christmas shopping habits, with 20% pretending to be Microsoft (previous top-spot holder), and 11% using WhatsApp branding, according to Check Point bleepingcomputer.com

77 state and municipal governments, 1,043 schools, and 1,203 healthcare providers affected by ransomware attacks in 2021, according to Emsisoft zdnet.com

53% of internet-connected medical devices found to have a known vulnerability, with 73% of infusion (IV) pumps vulnerable, according to a study by Cynerio of 10M medical devices at 300 global hospitals zdnet.com

Other newsy bits

UK government consulting on the cyber security profession

The UK government is consulting with cyber professionals over proposals to “recognise cyber as a profession similar to the more established fields such as accounting, law, and engineering.” Think of this akin to having formal ‘chartered’ status being required for certain roles, as it is for chartered accountants or chartered engineers.

If you’re in the UK, I urge you to participate in the consultation and take the chance to share your views on the proposals. The consultation is open ’til 11:45 pm on 20th March 2022.

gov.uk

Merck wins $1.4B case over cyber insurance ‘act of war’ clause

Global pharmaceutical company Merck has won a landmark ruling in a legal dispute with its insurers over a $1.4 billion claim for damages stemming from the NotPetya attack in June 2017, which insurers including Allianz and Zurich had refused on the grounds that it constituted an ‘act of war’.

Two key points jumped out when I read the ruling from New Jersey Superior Court:

  • the wording “hostile or warlike action” should be given its ‘plain and ordinary’ meaning, i.e. that of armed conflict, and
  • because the terms had not been explicitly negotiated and those template terms remained unchanged for many years (despite the rise in cyber attacks) it was reasonable for Merck to expect cover.

Basically, insurers can write their own terms and, while the world has undergone digital transformation, if an insurer’s legal language hasn’t, that’s on them: there have been plenty of opportunities for them to update it.

Don’t expect that to stick with current policies: insurers have recently been updating policy language and standard terms (vol. 4, iss. 48), and making clearer which cyber events will and won’t be covered by their general policies.

That doesn’t mean the knock-on implications of the case will be insignificant, though. Food and beverage group Mondelez International also sued its insurer, Zurich, for not paying out under a similar ‘act of war’ clause (vol. 3, iss. 4). That complaint was filed in October 2018, more than three years ago, for the $100 million in damages that the company claims to have suffered as a result of the NotPetya attack.

bloomberglaw.com (inc. link to ruling), therecord.media

Crypto.com ‘security incident’ led to $34M being stolen

Cryptocurrency exchange Crypto.com confirmed that it suffered a compromise this week after users reported missing funds from their wallets. The unnamed attackers were apparently able to bypass the requirement for multi-factor authentication on withdrawals.

In total 483 users were affected, losing over $34 million in cryptocurrencies between them. The company has promised that ‘no user will be out of pocket’ and has reengineered the offending code.

techcrunch.com

Further reading

Microsoft reflections celebrating 20 years of Trustworthy Computing

In volume 5, issue 2 of this newsletter I covered Bill Gates’ famous ‘trustworthy computing’ memo, which was published two decades ago. This week Microsoft’s security team reflects on what that means to them personally and to the company more broadly.

microsoft.com

In brief

Attacks, incidents & breaches

  • Details of more than 515,000 ‘highly vulnerable’ people compromised in an attack against a supplier to the International Committee of the Red Cross (ICRC) theguardian.com

Threat intel

  • Potential espionage campaign targeting renewable energy companies bleepingcomputer.com
  • Cyber attacks in Ukraine continue as tensions with Russia rise: ‘wiper’ malware, masquerading as ransomware, discovered by Microsoft on networks of government, nonprofit and technology companies arstechnica.com
  • ‘MoonBounce’ UEFI malware, which hides in the motherboard’s SPI flash memory, discovered by Kaspersky researchers and tied to espionage campaigns by the Chinese Winnti/APT41 group therecord.media

Vulnerabilities

  • Three critical (one scoring 9.8) vulnerabilities in Western Digital’s My Cloud OS patched that may allow attackers to remotely access devices and steal data arstechnica.com
  • Vulnerability in the latest version of Safari on macOS, iOS and iPadOS allows a website to learn which other websites are open in other tabs of the same browser instance arstechnica.com
  • Winter Olympics ‘My2022’ app contains privacy, security vulnerabilities that may allow user data to be leaked zdnet.com
  • FBI says Diavol ransomware is linked to the TrickBot crime group bleepingcomputer.com
  • Versions of McAfee Agent prior to 5.7.5 are vulnerable to privilege escalation (to Windows SYSTEM level) and code execution bleepingcomputer.com

Security engineering

  • Useful tips from NCSC on building SMS or telephone comms into your business services ncsc.gov.uk
  • DNS4EU: the European Union looks to build an EU-based DNS resolver for EU and member-state institutions and members of the public, after seeing DNS providers consolidate outside the bloc. The service would include filters for known malicious domains contributed by national CERT teams and court-ordered blocks for content such as child sexual abuse material therecord.media
  • New GitHub Workflow Action from Open Source Security Foundation, GitHub and Google automatically scans and scores changes to open source projects zdnet.com

Regulatory

  • UK small and medium managed service providers brought into the scope of the Network and Information Systems Regulations (aka NIS Directive) under proposed UK government changes theregister.com

Law enforcement

  • VPNLab seized in a joint investigation by law enforcement from Germany, the Netherlands, Canada and seven other countries, following its ties to Ryuk ransomware campaigns and “the anonymous commission of high-value cybercrime cases” cyberscoop.com
  • Eleven arrested in Nigeria with alleged connections to 50,000 business email compromise targets; the laptop of one of the suspects contained over 800,000 domain credentials bleepingcomputer.com
  • First it was REvil, now Russian authorities have picked up Andrey Novak, administrator of the UniCC forum, which facilitated the sale of stolen payment card details and announced it was closing down 10 days ago (vol. 5, iss. 3) therecord.media

Mergers, acquisitions and investments

  • Deloitte vomits buzzwords in new outsource ‘MXDR’ security operations offering: the “integrated, unified, composable and modular managed detection and response” service will build on tech from CrowdStrike, Exabeam, Chronicle, ServiceNow, Splunk and ZScaler zdnet.com
  • Permiso, a ‘cloud identity detection and response’ firm launches with $10M seed funding round techcrunch.com
  • Password and secrets manager 1Password closes $620M Series C funding round on a $6.8B valuation techcrunch.com
  • Following their merger in October last year, McAfee Enterprise and FireEye have been rebranded as ‘Trellix’ zdnet.com

And finally

Numbers station hijacked to play memes

Pirate radio broadcasters have been flooding the frequency of a famous Russian ‘numbers station’ with noise and generating pictures of memes on spectrum analysers.

Props for rick-rolling listeners — assumed to be spies in the field — however top marks go for synthesising transmissions that when viewed through a spectrum analyser draw pictures such as Guy Fawkes masks and troll faces.

A Guy Fawkes mask drawn on a spectrum analyser (source: Lanesplit (Reddit))

vice.com

Robin
