This week marks the Fourth Birthday of Robin’s Newsletter! It’s the 209th Sunday on the trot I’ve pulled together the ‘need to know’ security news, stats and thinking from the last seven days. By the time this lands in your inbox I’ll be enjoying an Arran Distilleries single malt from my recent trip to Scotland. So join me in raising a glass (or mug if you’re reading this on Monday morning) and let me know why you subscribe on LinkedIn or Twitter. Thank you for subscribing and sharing with your networks.
Inspired by Anthony’s question on LinkedIn, I’ve taken a look back over the four years, at what the themes have been and how things have changed. I’ve consciously tried to write a summary, rather than a lengthy blog post (or series of them).
It’s hard to avoid ‘the r-word’. Ransomware has evolved significantly from simplistic, automated attacks against individuals to a more complex and sophisticated ecosystem of operators. It has regularly dominated trade and national press with increasingly audacious attacks against large corporations, critical infrastructure, and even a whole country. At least one person has died as a direct result of cybercriminals’ financial greed. Double extortion schemes are designed to amplify pressure, as are tactics to notify individuals and mobilise them against the victim organisation.
The headlines play to availability heuristics and recency biases, and the consequences can be extreme, as I’ve said. However, in absolute terms there are only so many bad guys, and policymakers and law enforcement are getting better at identifying perpetrators and gathering evidence against them: cryptocurrency was seen as anonymous four years ago; now it’s obvious that having a public ledger of every transaction gives great insight into illicit schemes. Cooperation is increasing and it’s great to see thousands of arrests across tens of countries regularly making the headlines.
Supply chain security has gained interest, but I have been writing about it since the first edition. Businesses are complex and digital transformation is accelerating the pace of everything. Under a seemingly simple banner, these issues manifest in many different places: the provenance of software, the consolidation of cyber risk in commodity service providers, and decisions to trust outsourced providers with business processes and reputations all have a bearing on cyber resilience.
We’re still trying to work out what is ‘normal’ for nations in cyberspace. Cyber has proven to be an important part of force projection in support of national interests. It’s also been used to gather intelligence and to source content for information warfare (aimed at manipulating public opinion, rather than cyber warfare seeking kinetic results). This is also driving the ‘Balkanisation’ of the Internet as authoritarian regimes seek greater control over how people communicate and what information is available, and look to manage foreign dependencies.
Privacy and data protection have cut through to the mainstream. Landmark regulations like the EU’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) have raised awareness and enshrined individuals’ rights over how their data is used and protected. The balance of rights between the individual, national security and business interests hasn’t been found yet. In fact, there are two major announcements on the regulation of personal data just this week from either side of the pond.
Surveillance crops up repeatedly in the individual privacy sense and often gets conflated with the government three-letter-agency sense of the term. The former is more concerned with targeting adverts at you (in a manner that probably harms the traditional press more than it harms an individual). Progress is being made here as we work out what is, and isn’t, acceptable behaviour. An interesting question will be whether we care where these decisions are made: in Google’s cloud, or on the iPhone in the palm of your hand? The adoption of digital communications has been a blessing and a curse to the latter. Never has so much information been right there in front of intelligence agencies, yet tantalisingly out of reach thanks to end-to-end encryption. The ‘crypto wars’ and calls for encryption backdoors have moved from national security interests to emotionally charged pleas to curb child sexual exploitation. Child sexual abuse material is a nexus that joins these two strands back together, with questions over Apple’s proposal for on-device scanning for CSAM.
The meta-narrative here I think is this huge shift in how and who we can communicate with and what we choose to say. Today, 5 billion people are online. As we grapple with the scale and pace of that change and the full spectrum of the human condition, Carl Sagan’s Pale Blue Dot rings in my ears. “To me, it underscores our responsibility to deal more kindly with one another, and to preserve and cherish the pale blue dot, the only home we’ve ever known.”
Thanks for subscribing.
Data protection policy developments on either side of the Atlantic this week:
The Department for Digital, Culture, Media & Sport has published the UK government’s response to its consultation on controversial plans to overhaul the UK’s data protection regime. Heather Burns has a long read on the changes proposed to UK GDPR and cookie popups and why the proposed changes may increase the burden on business and increase the number of popups you see (H/T Matt) gov.uk, webdevlaw.uk
Senator Elizabeth Warren and other Democrats have introduced ‘The Health and Location Data Protection Act’ to prohibit the sale or transfer of sensitive personal information. The bill is in response to the potential overturning of Roe v. Wade by the US Supreme Court, which would criminalise abortions in some states. While the protections are needed, the bill is unlikely to receive significant Republican backing due to the party lines over reproductive rights therecord.media
67% of CISOs say their information security budget has increased since last year (12% say it has more than doubled), while 30% report that their organisation doesn’t want, or can’t get, cyber insurance coverage, according to ClubCISO clubciso.org
Other newsy bits
Law enforcement agencies around the world have been busy in the last few months: Interpol has announced Operation First Light 2022, which saw 76 countries take part in activities to crack down on social engineering scams, such as tech support and romance scams and business email compromise or invoice fraud. The operation has resulted in the arrest of 2,000 ‘operators, fraudsters and money launderers’ and $50 million of illicit funds being intercepted theregister.com
Russia is re-routing Internet connectivity in Kherson and occupied areas of Ukraine through Crimea to Russian service providers to censor and monitor information. Unbranded ‘+7 Telecom’ SIM cards are also being sold to shift telecommunications onto Russian-owned infrastructure. This article by Matt Burgess covers some of the information and cyber conflict between Russia and Ukraine to date and why control over this critical infrastructure is so important arstechnica.com
Security researchers are putting pressure on Microsoft to improve its disclosure and handling of security vulnerability reports following a lacklustre response to Follina and recent Azure bugs arstechnica.com, therecord.media
The Wall Street Journal has a three-part podcast — Hack Me if You Can — telling the story of Russian cybercriminal Dmitry Smilyanets, who now works for Recorded Future wsj.com
- Continuous integration company Travis CI is leaking authentication tokens to customers’ AWS, GitHub, Docker and other services, according to Aqua Security. Similar incidents were reported in 2015, 2019 and 2021 arstechnica.com
- The hacktivist group Cyber Partisans have released the first of what they say is 1.5 terabytes of voice calls captured by Belarus’ intelligence agencies, including those between other embassies and consulates cyberscoop.com
- A beaver gnawed through a tree and took out power and fibre optic cables supplying internet to residents in Prince Rupert, a town in the northwest of Canada’s British Columbia province ctvnews.ca
- Shoprite Group, a supermarket chain operating across Southern Africa, has become a victim of the ‘RansomHouse’ ransomware group, encrypting and stealing “a specific subset” of data relating to “customers who engaged in money transfers” within Eswatini, Namibia and Zambia therecord.media
- Malaysian point of sale device company StoreHub left an Elasticsearch instance unprotected allowing access to 1.7 billion transactions generated by almost one million people theregister.com
- A Microsoft blog post takes a deep dive into the BlackCat (aka ALPHV) ransomware, notable for being written in Rust, a more modern programming language, and for being used successfully against both Linux and Windows systems. Traditionally, details of victims and data held for extortion purposes are published on relatively obscure dark web sites; now Krebs on Security has coverage of a new tactic the cybercrime group is taking: publishing stolen personal data on the open internet so that employees and guests of a recent hospitality victim can search for their own data, putting pressure on the luxury spa’s management team microsoft.com, krebsonsecurity.com
- Akamai says a new botnet it discovered in March, dubbed Panchan, is targeting the education sector, using an SSH worm to install crypto-mining malware on Linux servers bleepingcomputer.com
- MaliBot malware targets Android handsets to steal passwords, cookies and multi-factor authentication codes received via SMS, says F5 zdnet.com
- Recorded Future says it has seen a ‘minor’ but ‘sustained’ increase in initial access brokers posting offers to sell footholds in Latin American state and government organisations cyberscoop.com
- Proofpoint suggests that ransomware gangs could increase the effectiveness of attacks against files stored in cloud environments by reducing the number of stored versions of those files to one therecord.media
- An authentication bypass vulnerability in Sophos firewalls is being used by Chinese APTs targeting India and Pakistan, say Volexity and Sophos therecord.media
- A remote code execution vulnerability has been found in Anker’s Eufy Homebase 2 smart home controller bleepingcomputer.com
- Over 730,000 WordPress sites receive rare force-update to address code injection vulnerability in Ninja Forms plugin bleepingcomputer.com
- Cisco won’t fix a 9.8/10 remote code execution vulnerability in remote management of RV Series small business routers because they are end-of-life cisco.com
- Microsoft has announced ‘Microsoft Defender for individuals’ that provides families with malware protection across Windows, Mac and mobile devices and a security dashboard for alerts and recommendations microsoft.com
- Fifteen vulnerabilities in Siemens’ ‘SINEC’ management system were reported this week, including two that attackers can use to gain SYSTEM-level access therecord.media
- Microsoft is to acquire Miburo, a company specialising in the detection of foreign information operations, and integrate the team into its threat intelligence operations zdnet.com
- US defence contractor L3Harris is in talks to acquire the code and engineers behind NSO Group’s Pegasus spyware. NSO Group is currently subject to US sanctions and a White House official, commenting on a potential transaction, suggested extensive review would be required to ensure it does not present a counter-intelligence threat ft.com
Protecting employees: the missing dimension of security process development?
‘People, process and technology’ is a staple information security triplet. Despite the received wisdom of achieving balance, focus amongst these three almost always prioritises technology (preventative, detective or corrective solutions) and people (through training). Process is oft-forgotten. Mario Platt has been championing the importance of building secure, usable processes for some time now and, in his blog post this week, raises the ethics of your business process design.
Processes usually protect the organisation’s interests, with some focus on protecting customers from harm too. Mario’s third dimension is protecting the employee from personal liability.