Robin’s Newsletter #215

31 July 2022. Volume 5, Issue 31
Facial recognition use at Co-Op convenience stores and 'secret blacklists' challenged in the UK. The opportunity cost in action bias. And protestware, the 'insider threat' of hacktivism.

This week

A system called ‘Facewatch’ is at the centre of a legal challenge brought by Big Brother Watch against the Southern Co-Op. The facial recognition camera system is in use at 35 of the co-operative’s 200 convenience stores across London and the south of England and captures biometric data from every shopper who enters those stores.

The co-operative is defending the system, saying it is used only for crime prevention and staff protection, and only in stores with a history of such incidents.

The use of facial recognition technology in the retail and hospitality sectors isn’t unusual, though it has grown over the last decade. Facewatch also advertises Spar, Budgens and Sports Direct as customers on its website.

The Facewatch system creates ‘local intelligence’ by sharing watchlists amongst its subscribers in a local area, which the challenge says only serves to displace crime.

The Big Brother Watch challenge argues that the use of the technology is not proportionate to the aim of preventing crime, as images are not shared with the police. It calls the scheme “Orwellian” because the watchlists are secret and supermarket staff can add any shopper as a ‘subject of interest’.

Interesting reading

  • Kelly Shortridge on the opportunity cost of action bias when responding to cyber incidents. In my experience, there are often situations that warrant further observation over direct action, to inform the hypothesis and understand the extent of compromise.

  • Ax Sharma on the rise of protestware, where open source developers sabotage their own code to make political statements. Protestware is essentially the ‘insider threat’ of hacktivism.

Interesting stats

The latest IBM/Ponemon data breach report is out

$4.35 million is the average cost of a data breach, up 12.7% over the last two years, according to IBM, which adds that 60% of businesses that experience a breach opt to increase the price of their products or services to recoup these costs from customers.

62% of companies said they were insufficiently staffed to support their cyber needs, and this contributed to a $550,000 increase in average costs for these organisations compared to those with adequate staffing levels.

Palo Alto Networks also published a report covering 600 recent incident response cases

37% of initial access results from phishing, followed by 31% via a software vulnerability and 9% by password spraying or brute-forcing credentials.

8.1% increase in demand for fibre-optic cable in the first half of 2022, driven by large digital infrastructure projects. The cost of fibre-optic cable has risen to $6.30 per fibre km, up from $3.70 per fibre km 18 months ago, as prices of helium, used in the manufacture of fibre-optic glass, have increased 135% after plant outages in Russia and the US, according to market analysts CRU Group.

In brief

Attacks, incidents & breaches

  • Ransomware group LockBit claims to have breached Italy’s tax agency and stolen 100 GB of data. The incident is under investigation, while a previous statement said that “no cyberattacks have occurred or data stolen from the financial administration’s technological platforms and infrastructures” (therecord.media)
  • Two former contractors arrested by Spanish police are accused of compromising the country’s radioactivity alert system and disabling over one-third of its sensors
  • US IT managed service provider NetStandard took its ‘MyAppsAnywhere’ services, including Dynamics, Exchange and SharePoint, offline following a cyberattack, presumed to be a ransomware incident
  • Sealed court files may have been exposed in an ‘incredibly significant attack’ against the US court system in 2021, according to congressional representative Jerrold Lewis Nadler
  • The Hive ransomware group is allegedly demanding £500,000 (~$608,000) from two schools in the Wootton Academy Trust, having exfiltrated student data

Threat intel

  • UEFI malware found on ASUS and Gigabyte motherboards by Kaspersky, dubbed CosmicStrand and linked to a Chinese-language actor. Victims appear to be individuals, rather than organisations, in Russia, Vietnam and China. This type of malware may still be fairly advanced, but it is more widely used than previously thought
  • Digital marketing and Human Resources staff are being targeted by cybercriminals seeking to hijack Facebook Business accounts, according to WithSecure (the newly spun-out enterprise part of F-Secure), in a campaign they have dubbed Ducktail. If successful, the threat actors redirect payments from the compromised account or use its advertising balance to run Facebook Ads campaigns
  • Source code for a new info-stealer malware called Luca Stealer posted on GitHub
  • Write-up of ‘Lightning Framework’, a modular framework for targeting Linux systems, discovered by researchers at Intezer
  • ‘Raspberry Robin’ malware tied to Evil Corp by Microsoft

Cyber defence

  • Attackers are using malicious Internet Information Services (IIS) extensions to provide backdoor access into servers, says Microsoft
  • As Microsoft blocks macros by default, cybercriminals have been switching to container attachments (such as .iso and .rar files) and Windows shortcut (.lnk) files, says Proofpoint
  • Cofense says a recent phishing campaign amps up the pressure to manipulate victims into ‘changing their password’, using claims that their account has been locked and a countdown timer to their account being deleted

Operational technology

  • Thinking about the need for a cyber security standard for electric vehicle (EV) charging stations. Being able to switch a large number of charging stations off or on simultaneously could lead to instability in the power grid that triggers safety shutdowns. Expect this topic to get a lot more coverage in the coming years as EVs continue to rise in popularity

  • Concerns that a new US/UK data sharing law opens a backdoor for “parallel systems” that would allow foreign governments to appeal for voluntary disclosure of information that would otherwise not be permitted under local laws
  • Third-party cookies — typically used for tracking and advertising — will remain in Google Chrome until ‘the second half of 2024’, after Google had originally committed to phasing them out in 2022

Public policy

  • US intelligence agencies to get expanded remit covering commercial spyware, such as the infamous Pegasus by NSO Group
  • White House says that Saudi Arabia is a critical partner in addressing the cyber threat from nations like China and Iran

  • The National Credit Union Administration (NCUA) proposes a 72-hour deadline for US credit unions to report cyber-attacks

Law enforcement

  • T-Mobile reaches a $350 million settlement with victims of its 2021 data breach (vol. 4, iss. 34) and pledged to invest a further $150 million to upgrade its security
  • The No More Ransom project has celebrated its sixth birthday, with Europol estimating they have helped 1.5 million people and saved approximately $1.5 billion
  • German prosecutors name a Russian national for a role in 2017 attacks on the German energy sector

Mergers, acquisitions and investments

  • The Department of Justice has approved Google’s acquisition of Mandiant (vol. 5, iss. 11), though the deal is still subject to shareholder legal action
  • Resourcely closes $8 million Series A round to build out the product to simplify cloud security for developers

And finally

Bad week for Microsoft Defender

Microsoft Defender is now a paid add-on for individuals following a ‘rebrand’, while the built-in, free anti-malware software that ships with Redmond’s OS is now called Windows Security. Both share the same icon, and the transition seemingly isn’t going particularly smoothly: consumers are confused and the paid-for tool is giving contradictory advice, as highlighted by Kevin Beaumont (@GossiTheDog):

A screenshot showing the new Microsoft Defender simultaneously telling the user their device is, and isn’t, protected (source: @GossiTheDog)

As well as the confusion around the ever-expanding ‘Defender’ product branding, Sentinel Labs says Microsoft Defender is being used by cybercriminals to side-load Cobalt Strike beacons.
