Robin’s Newsletter #233

4 December 2022. Volume 5, Issue 49
UK managed security businesses to be regulated. Medibank attackers release data. Anker's Eufy smart camera 'local only' claims disputed.

This week

UK to regulate managed security providers alongside critical infrastructure

  • Outsourced security monitoring providers will be regulated under the UK’s Network and Information Systems (NIS) Regulations. The move will introduce minimum requirements and obligations to report security incidents affecting MSPs. Non-compliance may lead to penalties of up to £17 million ($20 million).
  • There has been a proliferation of providers in this space as IT outsourcers, pen test firms and consultancies chase recurring revenues. The bar to entry is pretty low, but it costs a lot to do properly, and it can be difficult for buyers to discern from a sales pitch. More than a few of them won’t be celebrating the news this week.
  • There will be an extra burden on these firms, though it’s warranted, given the privileged access that MSSP and MDR providers often have into their customer’s environments.
  • I wonder how many will seize the opportunity to differentiate themselves and demonstrate that they practise what they preach. Buyers may well ask for copies of their audits to see how they stack up.

Medibank attackers release data

  • The ransomware group behind the attack on Australia’s Medibank has released 5GB of compressed files that it says are the data stolen from the insurer, along with a statement saying “case closed”. Medibank had indicated it did not intend to pay the ransom after attackers took the personal data of 9.7 million current and former customers during the breach.
  • The Australian Prudential Regulation Authority (APRA) has announced it has “intensified” scrutiny of Medibank following the data breach. Increased costs, inefficiencies (from additional reporting or programmes) and damaged regulator relations are all consequences of breaches which aren’t always considered when analysing or costing cyber breaches.
  • The Medibank and Optus breaches have spurred prompt action from the Australian government: new privacy legislation passed this week increases the maximum penalty for serious privacy breaches from AU$2.22 million to the greater of AU$50 million, three times the value of any benefit obtained from misusing the information, or 30% of the company’s turnover.

Anker’s Eufy smart cameras in hot water over local storage claims

  • Anker was found to be ‘lying’ about data that “never leaves the safety of your home” in its Eufy smart doorbell. In a video, researcher Paul Moore shows event thumbnails and, if you’ve added recognised faces, the ID and picture of the individual being hosted on Amazon’s content delivery network (CDN) under long, randomised filenames.
  • Eufy will need to confirm, but it appears the files are used for notifications (so you get a preview when they pop up on your phone), and the same video confirmed that the files were no longer returned by the API once deleted locally. By its nature, though, the CDN caches a copy of the images, presumably for a short period, so that they are readily accessible when needed.
  • There is a disconnect between Eufy’s marketing rhetoric and the technical implementation; however, the chances of finding those thumbnails without being the intended user seem pretty small. It’s a classic tradeoff between security and usability.
  • Security engineering (and marketing) improvements are possible, however, I don’t think these issues are a product of secret schemes to harvest data or other bad-faith motives.

Interesting reads

  • The security pros and cons of Twitter vs Mastodon, and what to do about them.
  • The US Department of Defense has released its ‘zero trust’ strategy.

Interesting stats

32,541 personal data breaches have been notified to the UK Information Commissioner’s Office since 2019, of which 37% missed the 72-hour reporting deadline, though 0 have resulted in a penalty for failing to notify without undue delay.

Other newsy bits / in brief

Attacks, incidents & breaches

  • LastPass has notified users of a breach affecting “certain elements of… customers’ information”. The password manager says master passwords and customer vaults are unaffected due to a ‘zero knowledge’ architecture. The firm added that the ‘unauthorised party’ had gained access using information from the company’s August breach (vol. 5, iss. 35) where they stole source code from a developer’s account.
  • South Staffordshire Water has said that customer bank details may have been stolen during a ransomware attack in August (vol. 5, iss. 34). The company statement didn’t elaborate on how many of their 1.7 million customers were affected but did promise a “full package of support” for those who are.
  • Twitter alternative Hive Social, which recently grew to over 2 million users, has abruptly shut down all of the company’s services after researchers from German collective Zerforschung reported issues that would “allow any attacker to access all data, including private posts, private messages, shared media and even deleted direct messages”.
  • A vulnerability in Florida’s state tax return website exposed taxpayers’ Social Security number and bank account details.
  • Samsung’s digital signing key, used to verify the integrity of its Android apps, has been compromised and is being used to sign malware, and Samsung hasn’t revoked it. Confusingly, malware samples dating back to 2016 have been signed using the key; a Samsung spokesperson has acknowledged the ‘potential vulnerability’ and stated that patches have been released, yet the affected key was still being used to sign Samsung apps this week.
  • Hosting provider Rackspace has said that an outage affecting some of their hosted Microsoft Exchange services is caused by a “security incident”.

Threat intel

  • Fake ‘unfilter’ software promising to reveal naked pictures from the viral TikTok ‘Invisible Challenge’ trend is info stealer malware.
  • Mandiant says that USB devices are being used to infiltrate networks in Southeast Asia, concentrating on targets in the Philippines. The origins suggest a ‘China nexus’, and the malware provides a reverse shell for attackers to gain access and self-replicates to any other USB devices inserted into the infected machines.
  • A new campaign dubbed RansomBoggs has been detected within ‘multiple organisations in Ukraine’. The attacks use PowerShell scripts and .NET ransomware ‘almost identical’ to those of the April 2022 Industroyer2 attacks attributed to the Russian-affiliated Sandworm group, says ESET.
  • Google pins ‘Heliconia’ spyware on Spanish company Variston IT, which offers “tailor made Information Security Solutions” and may have exploited vulnerabilities in Chrome, Firefox and Microsoft Defender to deploy their malware.

Operational technology

  • A vulnerability in the SiriusXM Connected Vehicle Services platform that powers the MyHyundai and MyGenesis apps allowed remote control of car door locks, engine, horn and headlights in cars manufactured after 2012. Special characters in email addresses let attackers bypass the platform’s checks on which account owned a vehicle. (H/T Will)

Public policy

  • Over 90 rights groups warn of the “laudable goals” but “unintended consequences” of the Kids Online Safety Act (KOSA), currently passing through the Senate, such as content filtering being used for political purposes to limit minors’ access to certain content online, including sexual education resources.
  • The UK Parliament has launched an inquiry into how effectively the UK national security strategy is addressing ransomware threats. The ‘majority’ of the UK’s emergency COBRA meetings now concern ransomware (vol. 5, iss. 47).
  • The US Cyber Safety Review Board is to investigate the high-profile breaches associated with the Lapsus$ group.

Law enforcement

  • The UK lacks a “clear and coherent national plan for improvement” to address ‘overwhelmed and ineffective’ digital forensics capabilities within British police forces, finds a new report from His Majesty’s Inspectorate of Constabulary and Fire & Rescue Services (HMICFRS).
  • Spanish police have arrested 55 people in connection with the ‘Black Panthers’ cybercrime group who performed SIM swapping attacks.

And finally

  • Akamai researchers accidentally disabled the ‘KmsdBot’ botnet with a typo.
  • Secret code in a 500-year-old letter between Emperor Charles V and his ambassador in France cracked. Cryptographer Cécile Pierrot led the team from the Loria research lab in France that revealed concerns over an assassination plot.
  • Congrats to ClamAV, a popular command-line virus scanner for Linux that officially released version 1.0.0 of the open-source software after over 20 years of development.

  Robin's Newsletter - Volume 5

  Network and Information Systems (NIS) Regulation Managed Security Service Provider (MSSP) Managed Detection and Response (MDR) Medibank Ransomware Privacy Anker Eufy LastPass Cryptography