Robin’s Newsletter #210

26 June 2022. Volume 5, Issue 26
Infosec 2022 thoughts and trends. Privacy and reproductive rights. Cyber-warfare and lessons from the Ukraine conflict. Plus Cyber 911?

This week

Infosecurity Europe 2022 

It was the Infosec conference and exhibition this week, held for the first time at London’s ExCeL exhibition centre after the move was delayed by the suspension of in-person events over the last two years because of Covid-19. It was a great opportunity to catch up with friends and peers, and to make new ones, despite rail strikes affecting attendance on the first and third days.

For me, a standout session was on ESG, or environmental, social and governance, a topic that’s usually the preserve of listed company annual reports waxing lyrical about commitments to reduce carbon footprints and give back to local communities. It’s the first time I’ve seen ESG on a cyber security conference agenda.

Valentina Raineri from OneTrust proposed bringing together the traditional governance, risk and compliance (GRC), privacy, ethics and ESG silos into what she termed ‘trust by design’. Convenient, coming from a company called OneTrust? Yes, but with the ‘trust economy’ forming such an important part of digital business there certainly seems to be merit in it.

Another great session was on CISO communication with the board, featuring a panel of Paul McKay (Forrester), Jon Townsend (National Trust), Samantha Hart (Davies Group), and Toks Oladuti (Dentons). It seems straightforward, but Jon made an excellent, oft-overlooked statement that “if your only claim [to the board] is that ‘we haven’t experienced a major breach’ then that’s a very hard sell [to ask for more investment].” Tips for improving communication involved understanding what’s important to the business, the board, and the leadership and framing your updates around those interests and focussing on risk — the impact, likelihood — but moving that along to risk quantification as a tool to help prioritise and justify.

Compared to RSA Conference in the US, it’s obvious that Infosec is a trade show first, conference second. The stages aren’t in anywhere near the same league and the programme was dominated by sponsored sessions. Perhaps a product of the Covid delays, but it would be great to see this addressed in future years. (As would some better signage: inside the exhibition hall it was practically non-existent.)

Mikko (hello!) asked a great question of me on LinkedIn about what ‘inevitable’ solution now exists that didn’t in 2019 and, for me, that’s the introduction of ‘cloud backup’ solutions. Not backing up your local files to the cloud, because that’s increasingly where they already are, but backing up those cloud files to other places. That’s certainly worth thinking about as ransomware attacks persist and accidental or malicious insiders can render data inaccessible.

I recorded a short video with Tony Smith on our top three takeaways from the event, as well as my answer to Mikko and Paul Brucciani’s comparison to previous years, all on LinkedIn: top three takeaways, inevitable solution, Paul’s comparison.

As Paul likens the event to parc fermé due to the number of Formula 1 cars on vendor stands, here’s a bonus photo of me with a McLaren F1 car from 2013, because at Detica we were a good nine years ahead of the curve!

(Photo: a McLaren Mercedes Formula 1 car mounted vertically on Detica’s 2013 stand at Infosec, dwarfing Robin in the foreground pointing at it)

Interesting stats

2029 the earliest at which ‘IE mode’ will cease to be supported in Microsoft’s newer web browser, Edge. Internet Explorer is dead! Long live Internet Explorer!

24.6 billion username and password pairs available for sale on the dark web, of which 6.7 billion are unique, according to Digital Shadows

Be afraid, decentralised aficionados, the US government is coming for your crypto! ;-) 60% of all Bitcoin traffic traverses just three internet service providers (ISPs), says cyber security research and consulting firm Trail of Bits in a study conducted for the US Defense Advanced Research Projects Agency (DARPA). Meanwhile, just 4 gateway nodes from mining pools, representing less than 0.004% of the network, account for 51% of Bitcoin’s hash rate, and Bitcoin’s consensus model requires only a simple majority to agree on what transactions have occurred, and in what order

Other newsy bits

What can we learn about cyber-warfare from the conflict in Ukraine?

  • An interesting read on the potential implications of Ukraine’s ‘IT Army’ of volunteers. Perceptions of the group differ between the West and Russia, the former seeing it as a group carrying out nuisance denial of service attacks, while the latter sees it as inherently state-backed aggression. Certainly, if the sides were reversed and ‘random Russians’ were attacking the US, there would be an outcry. Cyber-warfare is said to take place in ‘grey zones’ and perhaps we shouldn’t underestimate the impact that loosely controlled volunteer groups may have on future ‘cyberwars’. Individuals may draw groups or countries into conflict. There’s lots more to unpack on the effect of fledgling cyber-norms in Stefan Soesanto’s research (PDF)
  • As an example of companies being drawn into the conflict, Google has been fined 68 million rubles ($1.2 million) for spreading “unreliable” information on the conflict in Ukraine and failing to remove the ~7,000 objectionable videos from YouTube. In May 7.22 billion rubles ($133 million) were seized from Google’s accounts by Russian bailiffs for refusing to delete content banned in Russia
  • Lastly, Microsoft has published a blog post on ‘early lessons’ from defending Ukraine. Amongst the five conclusions drawn, two stood out for me: physical data centres were early targets for cruise missile attacks in an attempt to disrupt government services and operations (Ukraine sustained these by quickly ‘dispersing’ into the cloud), and endpoint protection and prompt threat intelligence sharing have helped detect and protect against a high percentage of destructive wiper attacks

Reproductive and privacy rights collide

  • The US Supreme Court’s overturning of Roe v. Wade, a case that affirmed a constitutional right to abortion, has prompted renewed calls for increased privacy and protection of personal data so that it can’t be used to prosecute individuals for seeking medical help, while President Biden has said “privacy is on the ballot,” referring to US mid-term elections being held later this year. (The Electronic Frontier Foundation has published digital safety tips for people seeking an abortion.)
  • Technology companies are finding themselves thrust into the debate due to the surveillance that underpins targeted advertising. The “unfair and deceptive practices by enabling the collection and sale of hundreds of millions of mobile phone users’ personal data” should be investigated by the Federal Trade Commission, according to a group of Democratic senators. Social harms do not traditionally feature as a consequence of most cyber or privacy risk assessments and this rapid change in policy should give cause to reevaluate what and how data is sourced, processed and shared

In brief

Attacks, incidents & breaches

  • Two cloud outages this week: Microsoft Exchange Online was affected for nine hours, causing some users to be unable to view mailboxes, send emails and use other features like Teams and SharePoint; Cloudflare experienced a ~90-minute outage during an upgrade to move nineteen data centres to (ironically) a “more flexible and resilient architecture.” Interestingly, these nineteen locations make up just 4% of its total network, but they account for 50% of the HTTP requests the company handles 
  • Michigan-headquartered Flagstar Bank has disclosed a security incident that occurred in December 2021 and resulted in the personal data of 1.5 million customers being exposed. Flagstar was a customer of Accellion, whose file transfer appliances were compromised at scale in early 2021 (vol. 4, iss. 9), which resulted in the Cl0p ransomware group trying to extort the bank by releasing details on its employees (vol. 4, iss. 11)
  • UK courier Yodel is suffering delays following a ‘cyber incident’ that appears to have started last weekend and persists at the time of writing, with customers reporting packages being over four days late and the firm’s customer service team remaining ‘unavailable’ a week later
  • Personal data of customers of Halfords, a UK bike and car parts shop, could be accessed with just an incrementing order ID or email address
  • $100 million was stolen from crypto startup Harmony’s Horizon Bridge service that allows transfers between cryptocurrencies
  • US subsidiary of Japanese automotive manufacturer Nichirin has resorted to manual production following a ransomware attack

Threat intel

  • UK citizens are being targeted with phishing campaigns that exploit the cost of living crisis and claim recipients are due refunds on a ‘miscalculation’ of energy bills, says consumer group Which?
  • In some cases, Adobe Acrobat Reader is checking for and blocking thirty antivirus programs from inspecting PDF files, following incompatibilities with a component used to interact with web content, such as e-signatures. That’s important because PDF files have long been a common method for spreading malware and in phishing campaigns. It’s not clear what circumstances require the compatibility workaround; however, you can check your Windows systems by looking in the HKEY_CURRENT_USER registry hive to see whether “SOFTWARE\Adobe\Adobe Acrobat\DC\DLLInjection\bBlockDllInjection” is set to 1 (in which case the check/block will take place)
  • Office 365 account details are being targeted in a new wave of phishing emails pretending to link to new voicemail messages. The campaign is targeting cyber security firms, US military, healthcare and manufacturing sectors, and even features CAPTCHA tests to increase the realism to victims, says Zscaler
  • Credit card data is still being stolen from the web browsers of online shoppers on compromised websites, says Malwarebytes following analysis of new code
  • Researchers at Lookout say they have traced an Android spyware app they’re calling ‘Hermit’, used in Kazakhstan, Syria and Italy, to an Italian vendor called RCS Lab. Google’s Threat Analysis Group also has a writeup
  • Secureworks says Chinese-backed espionage groups are stealing data under the guise of ransomware attacks
  • Conti ransomware group’s dark web site goes offline as the group ‘shuts down’. In reality, this is just the brand disappearing: the group is reported to have reorganised into small teams working alongside other cybercriminals
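The Acrobat item above gives a registry value to look at but no way to check it at scale. The PowerShell below is an added example, not code from the newsletter or from Adobe: it reads the flag from the quoted key path under HKCU and reports whether the antivirus-blocking workaround is active for the current user, handling the cases where the key or the value is absent. The key path and value name are exactly as quoted above; everything else is mine.

```powershell
# Added example, not from the newsletter: read Acrobat's bBlockDllInjection flag
# for the current user and report whether the AV-blocking workaround is active.
# The key path and value name are the ones quoted in the newsletter item above.

$AcrobatKey = 'HKCU:\SOFTWARE\Adobe\Adobe Acrobat\DC\DLLInjection'
$FlagName   = 'bBlockDllInjection'

function Get-AcrobatDllBlockState {
    param(
        [string]$Path = $AcrobatKey,
        [string]$Name = $FlagName
    )

    # Key absent: Acrobat has not written the workaround flag at all
    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ KeyPresent = $false; Value = $null; BlockingActive = $false }
    }

    # Value absent: the key exists but the flag was never set
    $item = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        return [pscustomobject]@{ KeyPresent = $true; Value = $null; BlockingActive = $false }
    }

    $value = [int]$item.$Name
    [pscustomobject]@{
        KeyPresent     = $true
        Value          = $value
        BlockingActive = ($value -eq 1)   # 1 means Acrobat checks for and blocks the listed AV DLLs
    }
}

# Usage: run in the user's own session, since the flag lives under HKCU
Get-AcrobatDllBlockState | Format-List
```

Because the value lives in HKCU, a fleet-wide check has to run in each user's context (for example as a logon script or via an endpoint agent that can read per-user hives), not from a single elevated session.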

Cyber defence

  • US, UK and NZ cyber agencies recommend properly configuring and monitoring Microsoft’s PowerShell management tool, which is often used by attackers, rather than removing or disabling it
  • Government services need to be aware of bots ‘scalping’ appointment slots and selling them on for profit, says Akamai, with bookings on the Israeli government’s MyVisit platform selling for $100 as citizens are unable to get appointments to access passport, utility, post office and national insurance services
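The joint advisory referenced above is about configuring and monitoring PowerShell rather than removing it. As an added example that is not code from the advisory or the newsletter, the script below enables the three logging facilities most often used for that purpose (script block logging, module logging and transcription) by writing the same policy registry keys that the corresponding Group Policy settings write, reads the state back, and pulls recent script block events (event ID 4104) from the PowerShell operational log so the pipeline can be checked end to end. It must run in an elevated session; the transcript output directory is an assumed value.

```powershell
# Added example, not from the joint advisory or the newsletter. Enables PowerShell
# logging via the policy keys that Group Policy writes, then audits the result.
# Requires an elevated session; $TranscriptDir is an assumed location.

$PolicyRoot    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
$TranscriptDir = 'C:\PSTranscripts'   # assumption: point this at a collected, write-only share

function Enable-PowerShellAuditing {
    param([string]$Root = $PolicyRoot, [string]$OutputDir = $TranscriptDir)

    # Script block logging: the content of every script block as it executes (event 4104),
    # so decoded forms of obfuscated code are captured as well
    New-Item -Path "$Root\ScriptBlockLogging" -Force | Out-Null
    New-ItemProperty -Path "$Root\ScriptBlockLogging" -Name EnableScriptBlockLogging `
        -PropertyType DWord -Value 1 -Force | Out-Null

    # Module logging for all modules: pipeline execution detail (event 4103)
    New-Item -Path "$Root\ModuleLogging\ModuleNames" -Force | Out-Null
    New-ItemProperty -Path "$Root\ModuleLogging" -Name EnableModuleLogging `
        -PropertyType DWord -Value 1 -Force | Out-Null
    New-ItemProperty -Path "$Root\ModuleLogging\ModuleNames" -Name '*' `
        -PropertyType String -Value '*' -Force | Out-Null

    # Transcription: the full text of each session written to $OutputDir
    New-Item -Path "$Root\Transcription" -Force | Out-Null
    New-ItemProperty -Path "$Root\Transcription" -Name EnableTranscripting `
        -PropertyType DWord -Value 1 -Force | Out-Null
    New-ItemProperty -Path "$Root\Transcription" -Name EnableInvocationHeader `
        -PropertyType DWord -Value 1 -Force | Out-Null
    New-ItemProperty -Path "$Root\Transcription" -Name OutputDirectory `
        -PropertyType String -Value $OutputDir -Force | Out-Null
}

function Get-PolicyValue {
    param([string]$Key, [string]$Name)
    $p = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $p) { return $null }
    return $p.$Name
}

function Get-PowerShellAuditingState {
    param([string]$Root = $PolicyRoot)
    [pscustomobject]@{
        ScriptBlockLogging = (Get-PolicyValue "$Root\ScriptBlockLogging" 'EnableScriptBlockLogging') -eq 1
        ModuleLogging      = (Get-PolicyValue "$Root\ModuleLogging" 'EnableModuleLogging') -eq 1
        Transcription      = (Get-PolicyValue "$Root\Transcription" 'EnableTranscripting') -eq 1
        TranscriptDir      = Get-PolicyValue "$Root\Transcription" 'OutputDirectory'
    }
}

# Pull recent script block events so the logging can be checked end to end.
# Property index 2 of a 4104 event holds the script block text.
function Get-RecentScriptBlocks {
    param([int]$Hours = 24, [int]$Max = 50)
    $filter = @{
        LogName   = 'Microsoft-Windows-PowerShell/Operational'
        Id        = 4104
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $Max -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Time        = $_.TimeCreated
                ScriptBlock = $_.Properties[2].Value
            }
        }
}

# Usage (elevated):
Enable-PowerShellAuditing
Get-PowerShellAuditingState | Format-List
Get-RecentScriptBlocks -Hours 1 | Select-Object -First 5
```

Logging only helps if the events leave the host: forward the operational log and the transcript directory to central collection, and alert on the policy values above being changed or removed, since disabling logging is a common early step in misuse of PowerShell.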

Security engineering

  • Weaknesses in cloud storage provider Mega’s cryptographic design mean it is possible to recover encryption keys after 512 logins, negating claims of ‘end-to-end’ encryption, say researchers from ETH Zurich
  • ‘Private Access Tokens’ are coming to iOS 16 and macOS Ventura as a potential replacement for CAPTCHA human verification (those ‘click all the X’ photo grids when you try to log in). The standard is being worked on with Google as well, though no announcements have been made by Mountain View on when hardware will be released that supports the mechanism

Operational technology

  • Forescout researchers have found 56 vulnerabilities in operational technology (OT) equipment manufactured by Siemens, Motorola, Honeywell and seven other vendors. Disclosure of the vulnerabilities was coordinated with national cyber authorities, such as CISA and NCSC, and grouped to “illustrate how the opaque and proprietary nature of these systems,” and “the suboptimal vulnerability management surrounding them,” according to Forescout. Collectively being called ICEFALL, they include broken authentication mechanisms, insecure firmware update processes and remote code execution. As these vulnerabilities show, many industrial control system (ICS) protocols were not designed with security in mind

Law enforcement

  • Paige Thompson has been found guilty of wire fraud and five counts of unauthorised access to a protected computer for stealing 100 million customers’ data from Capital One (vol. 2, iss. 31), as her defence of ‘ethical security research’ failed to win over the jury. The former AWS engineer not only stole data but installed crypto-mining malware, in total accessing more than 30 companies’ systems. The breach cost Capital One an $80 million fine from the Department of the Treasury and $190 million to settle customer lawsuits
  • The US, Germany, Netherlands and UK say they have dismantled a Russian botnet. The millions of compromised Internet of Things (IoT) devices, known as RSOCKS, were used as a ‘proxy service’ allowing users of the service to bounce their connections off the internet connections of legitimate users, thereby concealing their real IP address and location. The IoT devices had mostly been compromised by repeatedly trying known default passwords

Mergers, acquisitions and investments

  • GreyNoise raises $15 million Series A funding round to scale its ‘anti-threat intelligence’ product that is akin to a spam filter for TI
  • Attack surface management company RapidFort closes $8.5 million seed round

And finally

Cyber 911

  • No, not the clichéd Cyber 9/11, but a dedicated phone line for cyber emergencies. I think I like this CISA advisory committee proposal to introduce a ‘311’ emergency call line for SMBs experiencing cyber security incidents
