Robin’s Newsletter #214

24 July 2022. Volume 5, Issue 30
Should climate change feature on cyber risk registers? FBI gets a warrant to force-unlock encrypted app. Alibaba execs hauled in by Shanghai police.

This week

UK heatwave causes outages at Google, Oracle, as data centres struggle in the heat

Early in my cyber security career, I conducted lots of risk assessments for UK government systems. The ‘IS1’ standard that we used often resulted in the inclusion of physical risks from fire, flood and other natural disasters. In the last decade though these sorts of risk scenarios have featured less and less: first as organisations became (mostly) better at hosting things in proper data centres, rather than under desks and in cleaner’s cupboards, and latterly with the advent of ‘the cloud’ where the shared responsibility model makes that somebody else’s problem.

That ‘somebody else’ is likely to be the likes of Amazon, Microsoft, Google or Oracle, but with temperatures rising due to climate change, these physical threats may need to be reevaluated by cloud providers and their tenants.

As the temperature in London soared above 40°C (104°F) for the first time, both Google and Oracle experienced outages as the cooling systems that keep their servers within safe and efficient operating temperatures failed, leaving customers in their respective europe-west2-a and UK South (London) zones facing problems.

Meanwhile, other data centre operators in the UK’s capital were resorting to ‘Heath Robinson solutions’ like using hosepipes to spray air conditioning units with water to cool them down and keep them within operational limits.

Other critical infrastructures, such as railways, were similarly tested by relatively ‘extreme’ heat that exceeded design limits.

The abstract, opaque and seemingly abundant nature of cloud services often minimises concern over their resilience, especially when multiple ‘availability zones’ are on offer. Zones do provide a certain level of mitigation, but zones within the same region sit close enough together that a heatwave is likely to affect all of them.

Cyber insurers have long worried about this kind of risk aggregation, though usually in the form of a single critical vulnerability rather than a physical event. Perhaps the discussion of physical threats, such as those from climate change, will make a resurgence at cyber insurers and companies alike in the coming years.

Interesting stats

$4.98 billion: the combined cost to telcos of ripping and replacing Huawei and ZTE gear from their networks, following a US government decision to order the removal of Chinese-manufactured kit on national security grounds. That is $3 billion over the $1.9 billion Congress approved for the Reimbursement Programme in September 2020 (vol. 3, iss. 36)

Research on brand phishing attempts by Check Point may surprise you:

  • 45% impersonate LinkedIn
  • 13% spoof Microsoft
  • 12% pretend to be DHL
  • 9% Amazon and 3% Apple round out the top five

Other newsy bits

  • The FBI forced someone to use their face to unlock their Wickr messaging app to gain access to the encrypted messages. The suspect, in this case, was part of a group sharing child sexual abuse material, though Jerome Greco, a public defender at the Legal Aid Society, thinks the diverging case law will soon force the US Supreme Court to rule on the matter. “Passcodes, unlike biometric information, are legally considered ‘testimonial,’ and citizens are not obliged to provide such testimony because the Fifth Amendment protects you from self-incrimination. But body parts are, by their nature, not as private as a person’s thoughts,” Thomas Brewster writes. As Thomas points out on Twitter though, this sort of case undermines the argument for encryption backdoors: the FBI were able to find the group, identify a suspect, and compel them to unlock a device without artificially weakening message protection, @iblametom

  • Senior executives from Alibaba Cloud — a Chinese equivalent to AWS — have been summoned by Shanghai police following a data breach affecting one billion Chinese citizens (vol. 5, iss. 28). The breach is thought to have originated from an Elasticsearch cluster that the firm hosted for the Shanghai National Police and that may have been left configured with default credentials. While Alibaba may not be responsible for the misconfiguration of the database, you can be sure that execs getting arrested will result in some changes to the default security stance of the company’s services. As the folks on the Risky Business podcast joked: imagine how quickly S3 buckets would have been private by default if Jeff Bezos had got hauled in by the FBI every time an AWS customer had accidentally left them public

  • Interesting read from the international affairs think tank the Atlantic Council on the importance of cyber security for innovative small and medium enterprises and academia to protect against intellectual property theft. Zero-trust, cloud security and threat hunting are all identified as key, along with a plea to establish tax credits for investment in cyber security to help bridge the funding gap faced by these sorts of organisations (h/t Wendy)

  • A look inside Ukraine’s ‘IT Army’ and how it may have changed the future of cyber-warfare with its decentralised, volunteer base. While still largely engaging in what may be characterised as ‘nuisance’ denial of service attacks, the group is now producing its own tooling

  • Meanwhile, the Turla APT group, linked to the Kremlin, has released its own ‘DDoS app’ aimed at that group’s volunteers which — surprise, surprise — doesn’t DDoS anyone, but does report back to Moscow on those who install it

In brief

Attacks, incidents & breaches

  • Public services in Albania are unavailable after the country’s e-Albania portal, Parliament and Prime Minister’s Office websites have all been taken offline by a “synchronised and sophisticated cybercriminal attack”
  • Magecart-style web skimmers have been detected by Recorded Future on three US online ordering platforms for restaurants. Around 50,000 payment cards are believed to have been stolen from 300 restaurants
  • A German manufacturer responsible for over 80% of the world’s plasterboard (drywall) is experiencing disruption to deliveries and business operations following a ransomware attack by the Black Basta group. Knauf Group, which operates 150 sites around the globe, had to shut down systems, including its corporate email, at the end of June to help mitigate the attack
  • Hacktivists in favour of women’s rights have leaked 74GB of data about evangelical organisations to “bring about some much needed radical transparency” to the funding of far-right and anti-abortion activists by church ministries (such donations are allowed to be kept secret)
  • Virtual pet site Neopets (think Tamagotchi) is investigating a potential breach that may include the personal data of up to 69 million users
  • A Ukrainian media company that operates nine radio stations was compromised this week and used to spread a message that the Ukrainian President, Volodymyr Zelensky, was in critical condition and under intensive care
  • Twitter is investigating the authenticity of data being sold on a forum that claims to be the email addresses and phone numbers associated with 5.4 million Twitter accounts including “celebrities, companies, randoms, DOGs, etc”
  • Digital identity and certificate authority Entrust was breached in June and “an unauthorized party accessed certain of our systems used for internal operations”
  • The Belgian government claims that three Chinese-linked APT groups — APT 27, 30 and 31, AKA UNSC 2814, GALLIUM and SOFTCELL — have attacked public services and defence forces. Further details were not provided; I guess spies are gonna spy

Threat intel

  • Palo Alto Networks says that Cozy Bear (the cyber unit of Russia’s Foreign Intelligence Service, the SVR) is using Dropbox and Google Drive to deliver its malware to victims because of the ‘ubiquitous nature’ of these services in corporate environments. Google says that it is “aware of the activity identified in this report, and had already proactively taken steps to protect any potential targets.”
  • US Cyber Command has disclosed malware used in attacks against Ukraine, including 20 previously unseen variants

Use, well, anything made by Atlassian? You’ve probably got to patch it:

  • Bamboo, Bitbucket, Confluence, Fisheye, Crucible and, of course, Jira all have patches to address a critical vulnerability (CVE-2022-26136) that “allows a remote, unauthenticated attacker to bypass authentication used by third-party apps”
  • VoIP systems built using the open source telephony system FreePBX are being compromised by exploiting the 9.8/10 critical vulnerability (CVE-2021-45461) (via Ars Technica)
  • Cisco has patched a critical vulnerability (CVE-2022-20857) in its Nexus Dashboard data centre management solution that would allow attackers to execute arbitrary remote commands as the root user

Cyber defence

  • The US Cybersecurity and Infrastructure Security Agency (CISA) is to open a branch office in London, UK
  • Google Workspace can now filter calendar invites from ‘known senders’. Options are available to allow from your domain, contacts list, or people you have previously interacted with
  • Microsoft will now block Office VBA macros by default. The change was announced in February (vol. 5, iss. 7) and Redmond faced backlash after putting the change on hold two weeks ago (vol. 5, iss. 28)
  • Windows 11 will now block brute-force attacks against Remote Desktop (RDP) connections. That’s good news given how many ransomware attacks begin with compromising remote access systems, such as RDP, but won’t prevent malicious logins where users or administrators have fallen victim to phishing scams

Operational technology

  • A popular GPS vehicle tracker, the MV720 manufactured by Shenzhen-based MiCODUS, can be exploited to track and remotely cut the engines of over one million vehicles. The vendor has not fixed the vulnerabilities since being notified of them by BitSight researchers in September last year; the device ships with a default password of 123456 and another hardcoded credential, amongst other issues

  • The purchase and use of mobile location data by Department of Homeland Security agencies are of a ‘much larger scale’ than previously thought, according to the American Civil Liberties Union (ACLU), which obtained documents in an ongoing freedom of information lawsuit
  • A German citizen is suing the European Commission for allegedly violating data protection rules. Information about the individual was transferred to the United States while they visited the EC website, and two data subject requests were answered only partially or not at all. As a side note, it may surprise you to know that the EU institutions aren’t bound by GDPR, but by another, similar regulation. The European Court’s ruling may have a similar effect to the Schrems II ruling (vol. 3, iss. 29) (h/t Ashley)
  • Chinese ride-sharing app Didi has been fined 8 billion yuan ($1.1 billion) for breaking China’s cyber security and data security laws by illegally collecting facial recognition biometrics, photos and text messages. (The Chinese government operates its own extensive facial recognition camera network)

Public policy

  • The FBI is pushing for greater guidance from the US Treasury over which groups or entities are subject to sanctions to help companies navigate ransomware payments
  • As federal data protection legislation progresses, some lawmakers are concerned about loopholes in the American Data Privacy Protection Act (ADPPA). One is a carve-out for compliance with local and state laws; another allows the sale of ‘de-identified’ data, even though de-identification has repeatedly been shown to be trivial to reverse at scale
  • Russia and Iran have pledged to explore collaboration in information security and digital government
  • The Dutch Ministry of Education has banned the use of Google

  • Russian telco regulator Roskomnadzor has issued a $374 million fine to Google for “repeated failure” to remove “fake” videos from YouTube that call the Russian invasion of Ukraine “unjustified and unprovoked”. Earlier in the year Roskomnadzor ordered media to only publish information on the ‘special military operation’ that came from official sources

Mergers, acquisitions and investments

  • Managed security provider Huntress has announced the acquisition of security training platform Curricula for $22 million

And finally

  • The folks at Israel’s Ben-Gurion University are pretty good at cooking up new ways to bridge air-gapped systems (see: RAM, monitor brightness and fans). Their latest research uses disk read and write commands to turn the SATA cable between the computer’s motherboard and a hard disk into an antenna. Transmissions are limited to just a few feet by the bit error rate. Below is a view of the signals generated to transmit the word ‘SECRET’

A spectrum graph showing distinct transmissions encoding the letters S E C R E T (source: Mordechai Guri)
