Robin’s Newsletter #264

9 July 2023. Volume 6, Issue 28
Japan's busiest port halted by ransomware. Academics write open letter over Online Safety Bill concerns. JumpCloud resets API keys.

This week

Japan’s busiest port stopped for two days by ransomware

  • The Port of Nagoya, Japan’s busiest shipping port, which handles around 10% of Japan’s trade volume, has been unable to receive shipping containers for two days following a ransomware attack.
  • Japanese media are reporting that the LockBit cybercrime gang is behind the attack, which affected the computer system that operates the port’s five container terminals.
  • Toyota says that it cannot load or unload automotive parts, but car production has not been disrupted.

Academics publish open letter criticising the Online Safety Bill

  • Over 70 academics have written about the potential harms to online safety posed by the UK government’s Online Safety Bill.
  • The Online Safety Bill proposes various responsibilities be placed on a wide range of service providers (any ‘user-to-user service’) around harmful language, illegal pornography and fraudulent advertising.
  • As part of these, “routine monitoring” of user-to-user content is required, which, in essence, requires breaking end-to-end encryption or on-device scanning that the letter says is akin to having a “police officer in your pocket”.
  • Apple (vol. 6, iss. 27), WhatsApp and Signal (vol. 6, iss. 9) have all previously expressed concerns with, or that they will exit the UK market over, the legislation. Signal has gone on to describe the bill, a mix of previous ill-fated legislation, as “magical thinking”. Politico described the bill’s passage as a “political omnishambles” (vol. 6, iss. 16).

Interesting stats

459,000 fewer takedowns of cryptocurrency investment scams by NCSC’s takedown service in 2022 than in the previous year, with a median availability of 1 hour for these scams, according to NCSC.

Other newsy bits / in brief

  • JumpCloud, a cloud-based directory service, has reset customers’ API keys out of an “abundance of caution” while investigating an incident. The step is sensible if the company believes attackers gained enough access to obtain the keys and may be using them to perpetrate further attacks. JumpCloud’s API can feed other identity and authentication services like Azure AD, Okta, and various HR information systems.

  • Data from Capita’s own pension scheme was amongst that lost in its March breach (vol. 6, iss. 17). PwC’s pension fund, also managed by Capita, has written to all its members advising them that their names and national insurance numbers could have been compromised, adding that Capita “could not confirm to us that this information was final, complete and accurate”.

  • TootRoot: Mastodon has patched a critical vulnerability in the code used by the ~12,000 instances that make up the decentralised social network. The bug, which Kevin Beaumont dubbed TootRoot, is related to how message attachments are processed and could apparently result in attackers gaining root web shell access.

  • MOVEit: Progress Software, the company behind the MOVEit file transfer software, has released a patch for three newly discovered vulnerabilities in its software. The most serious allows unauthenticated attackers access to the application’s database.

  • China: US warns over new Chinese counter-espionage law, while others say it just doubled down on previously “broad and unworkably vague” legislation.

  • Bangladesh: A government website in Bangladesh is leaking the names, phone numbers, email addresses and national ID numbers of its citizens. A security researcher says they discovered the leak when the data turned up as links in Google search results.

  • Microsoft is denying claims that 30 million customer accounts have been compromised. Anonymous Sudan, the Russia-linked group, says it “successfully hacked Microsoft”, while Microsoft says it is “not a legitimate claim” and has “seen no evidence” of customer data compromise.

  • Manifest confusion: A tool has been released to check for inconsistencies in Node Package Manager (NPM) packages that hint at malicious intent. GitHub.

  • TeamsPhisher: A member of the US Navy has released a tool that automates phishing attacks against Microsoft Teams users. The tool exploits a security vulnerability in how Teams renders links for files (vol. 6, iss. 26), making malicious content appear to be loaded from ‘safe’ internal sources.

  • AI: A reminder from Tonya Riley at CyberScoop that the US Federal Trade Commission (FTC) already has powers that it can use to compel a company to delete models and products built on data it has misused.

And finally

  • Link rot: With sites like Gfycat shutting down, millions of posts, messages and sites with embedded content may be left exposed. The closure of services like this should be a particular concern for publishers; however, if your company had to remove all embedded content from your website or social media account, how would you go about it?
