Robin’s Newsletter #252

16 April 2023. Volume 6, Issue 16
US classified documents leaked on Discord. UK Online Safety Bill may 'damage reputation'. The 2019 Oldsmar ICS incident was human error.

🚨 A new emergency alert system will be tested in the UK next Sunday, 23rd April, at 15:00. During the test, mobile phones will emit a loud siren noise and display a test message advising no further action is necessary. The alerts are enabled on all phones by default; therefore, this could alert an abuser to a concealed device. Refuge has a video on how to disable the alerts on iPhone and Android, plus the rest of the Refuge Tech Safety site has additional guides for those facing domestic violence.

This week

Arrest made over US classified documents leak

  • Jack Teixeira, a 21-year-old US air national guardsman, has been arrested by the FBI for sharing classified US defence information on Discord. Teixeira appeared in court, charged with the unauthorised removal and retention of classified documents. Hundreds of photographs of documents were shared with around 25 others on a private Discord server called “Thug Shaker Central” over months. The leak came to light after one of the server members forwarded some of the images to another community.
  • As a ‘cyber transport systems specialist’ in the 102nd intelligence wing, it appears that Teixeira may have had access to classified intelligence briefings and shared the documents to impress the rest of the group, rather than to act as a whistleblower or to affect a particular foreign policy outcome.
  • President Biden downplayed the significance of the leak, expressing concern that the leak happened but adding “there’s nothing contemporaneous that I’m aware of that is of any consequence.”

UK’s Online Safety Bill may ‘damage reputation’ and ‘never be used’

  • The UK’s Online Safety Bill, which the government describes as “a new regulatory framework to tackle harmful content online,” is making its way through the committee stage in the House of Lords. It includes a wide range of provisions, from age checks on social media sites, to restricting the sale of firearms, to preventing the distribution of child sexual abuse material.
  • Some aspects are welcome: urging tech companies to consider a broader range of harms that their products and services could be used for is a sensible step (though it’s unclear how or what action would be taken as a result). In contrast, other aspects, such as restricting ‘legal but harmful’ content, have been dropped, facing censorship concerns across the political spectrum.
  • This week, the FT published an opinion piece by Ciaran Martin, former CEO of NCSC and now a professor at Oxford University’s Blavatnik School of Government, arguing that the provisions in the online safety bill to ‘scan’ messages for child abuse images are ill thought through. Both WhatsApp and Signal have threatened to exit the UK market rather than be forced to comply.

“What’s more probable is that parliament will pass a hugely controversial power that damages Britain’s reputation for online security — and then never use it.” — Ciaran Martin

  • If the Online Safety Bill feels like it’s been a long time coming, that’s because it has. The legislation was first introduced in 2019, and since then the UK has had four prime ministers and five digital ministers. Politico describes it as a “political omnishambles” in their good summary of its history.
  • Despite, or perhaps as a result of, all the concessions, the bill is expected to pass later this year, but the path to implementation looks no less fraught than the years it has taken to get to this point.

Interesting stats

40% of IT security professionals say they’ve been told not to report a data leak, according to a survey of 400 by Bitdefender

47.8% of cloud compromises in Q4 2022 were caused by weak or no credentials, 19.6% by API compromise, 13.0% stemmed from software issues, 10.9% resulted from misconfiguration, and 8.7% were leaked credentials, according to Google’s April 2023 Threat Horizons Report (PDF)

5,000 cyber attacks have been launched by NATO countries against Russian critical infrastructure since the start of 2022, according to the Federal Security Service (FSB)

Other newsy bits / in brief

  • Juice jacking: Nothing to worry about here. There hasn’t been any rise in ‘juice jacking’, and FBI and FCC tweets on the topic were a ‘public service announcement’ based on a dated advisory, according to an investigation by Snopes (h/t KrebsOnSecurity).

  • Non-event: The 2019 incident (vol. 4, iss. 7) at an Oldsmar, Florida, water treatment plant was human error. “The FBI concluded there was nothing, no evidence of any access from the outside, and that it was likely the same employee that was purported to be a hero for catching it, was actually banging on his keyboard,” said Al Braithwaite, former Oldsmar city manager, at a conference.

  • Disrupt and degrade: Dutch police have sent warning emails to members of the now-defunct RaidForums. The message advises the recipient to delete any stolen data and cease their illegal activities, and warns that they are “less anonymous online than [they] think.” The user database was seized as part of Operation Tourniquet in early 2022 (vol. 5, iss. 16).

  • Secure-by-Design: CISA, the FBI, and NSA, together with Five Eyes cyber authorities, Germany and the Netherlands, have issued guidance on creating safe and secure technology. Software vendors should ship secure default baseline configurations, embrace ‘radical transparency and accountability’ by publishing details of vulnerabilities, and provide executive-level prioritisation of security during product development.

  • Azure Shared Access Keys may be used as a backdoor into an organisation’s cloud tenant, since anyone holding an account key can read and write the storage account without going through Azure AD. Microsoft has changed the default behaviour for new accounts, but existing users may want to disable Shared Key authorisation for Azure Storage accounts.
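An added example (not from the newsletter or from Microsoft) of auditing a subscription for storage accounts that still accept Shared Key authorisation and switching it off per account; it assumes the Az.Accounts and Az.Storage modules with an existing Connect-AzAccount session, and the resource group and account names in the commented call are hypothetical.

```powershell
# Audit every storage account in the current subscription for Shared Key
# authorisation and, optionally, disable it. Assumes Az.Accounts/Az.Storage
# and a signed-in session (Connect-AzAccount).

function Get-SharedKeyEnabledStorageAccounts {
    # AllowSharedKeyAccess is $null on accounts created before the property
    # existed, and $null means Shared Key is still permitted, so anything
    # other than an explicit $false counts as exposed.
    Get-AzStorageAccount |
        Where-Object { $_.AllowSharedKeyAccess -ne $false } |
        Select-Object ResourceGroupName, StorageAccountName,
            @{ Name = 'SharedKeyAllowed'; Expression = { $true } }
}

function Disable-SharedKeyAccess {
    param(
        [Parameter(Mandatory)] [string] $ResourceGroupName,
        [Parameter(Mandatory)] [string] $StorageAccountName
    )
    # Once this is $false, requests signed with the account key, and any
    # account or service SAS derived from it, are rejected; only Azure AD
    # (OAuth) requests and user-delegation SAS keep working. Confirm the
    # dependent workloads first.
    Set-AzStorageAccount -ResourceGroupName $ResourceGroupName `
        -Name $StorageAccountName -AllowSharedKeyAccess $false
}

# Report first; remediate only once the clients using the key are known.
$exposed = Get-SharedKeyEnabledStorageAccounts
$exposed | Format-Table -AutoSize

# Example remediation for a single account (hypothetical names):
# Disable-SharedKeyAccess -ResourceGroupName 'rg-example' -StorageAccountName 'stexample01'
```

The Transactions metric for a storage account in Azure Monitor can be split by its Authentication dimension, which shows whether any traffic is still authorised with the account key or a SAS before the setting is changed.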

  • PowerShell exfiltration: The Vice Society ransomware gang is using a tool written in PowerShell to exfiltrate data from victim’s networks, according to Palo Alto Networks. PowerShell is built into Microsoft Windows, and such ‘living off the land’ techniques may help it to avoid detection by some security tools.

  • Point of sale business NCR Corporation has suffered a BlackCat ransomware attack that has left some Aloha POS customers resorting to pen and paper and ‘huge migraines’.

  • North Korea was behind the attack on 3CX last month, according to Mandiant’s investigation for the VoIP telephony provider.

  • Russia is targeting CCTV cameras in Ukraine coffee shops to gather intelligence on aid convoys, according to NSA director Rob Joyce.

  • DarkTrace says “there has been no compromise of our systems or any of our affiliate systems,” in response to a post on LockBit’s leak site. The London-listed firm this week reported a 6.3% drop in annual recurring revenue growth compared to the same period last year, and warned that the “current macro-economic environment continues to pose challenges to winning new customers, as requirements to hold or cut spend have made prospects more reluctant to run product trials.”

  • AI: Recorded Future has announced a generative AI feature that uses OpenAI’s GPT model, combined with the firm’s data, to create summaries of new threat intelligence data.

  • Verification: Microsoft is rolling out a new way for LinkedIn users to verify their identity. It’s part of a broader push into ‘credentialing’ where Microsoft Entra Verified ID credentials can be used to attest user identity for digital services. The setup for an organisation isn’t just checking a single box, though.

And finally

Coming soon: iDeath!

  • From my LinkedIn feed this week… Apple’s Digital Legacy programme allows nominated contacts access to your iCloud account in the event of your death. In a slight proof-reading faux pas, the Cupertino company seems to advise customers that their death will be “coming later this year.”

Apple’s Digital Legacy program “lets you designate people as Legacy Contacts so they can access your account in the event of your death.* (*Coming later this year)”

  • Thankfully, the offending wording appeared in 2021, so there is no need for iPhone users to perform a life-saving scramble to Android 😉
