Robin’s Newsletter #266

23 July 2023. Volume 6, Issue 30
Microsoft responds to pressure over pay-for security logs. UK Online Safety Bill progresses through the Lords. PwC client data stolen in MOVEit breach.
Join hundreds of subscribers who get this first, every Sunday. Subscribe

This week

Microsoft responds to Chinese compromise, but questions remain

  • Microsoft has caved to pressure that critical cloud security audit logs were restricted behind premium-priced plans. “Over the coming months,” the Microsoft post says, “we will include access to wider cloud security logs for our worldwide customers at no additional cost.” The logs in question would have allowed victims of the Chinese attack on Microsoft’s cloud platform (vol. 6, iss. 29) to detect the unusual activity.
  • Microsoft’s pricing still locks many security features well out of reach of many businesses below the ‘security poverty line’: for example, enabling compliance reporting against Cyber Essentials costs around £10,000 annually, despite the certification being aimed at small businesses.
  • Meanwhile security researchers at Wiz have found that the compromised signing key could be used far beyond the two applications Microsoft said were affected, though Microsoft disputes Wiz’s report. I suspect that the full extent of the attack is still unknown.
  • Trey Herr looks at three unanswered questions that Microsoft has avoided (or doesn’t know) about the breach: where did the attackers obtain the Microsoft account consumer signing (MSA) key? Did attackers use the same MSA key in multiple customer environments? How did the attackers move between O365 Government and O365 Commercial infrastructures?

Some amendments made to UK’s Online Safety Bill at Lords’ report stage

  • The UK’s Online Safety Bill — encompassing a variety of things from age-verification to view pornography to breaking end-to-end encryption on messaging apps — is on its third reading at the House of Lords, and the government is making amendments to the controversial, and arguably flawed, legislation.
  • One welcome amendment is to broaden the definition of ‘harm’ with Baroness Kidron making the point that it is “a category error not to see harm in the round. Views on content can always differ but the outcome on a child is definitive. It is harm, not harmful content, that the Bill should measure.”
  • There’s been no meaningful shift in position over breaking end-to-end encryption. Clause 122(2)(a)(iii) requires ‘user-to-user’ services (like WhatsApp, Signal, iMessage) to “use accredited technology to identify [Child Sexual Abuse Material] content” that is communicated “publicly or privately”. The ‘accredited’ technology is subject to determination by telecoms regulator Ofcom, and may include ‘human moderators’.
  • Encryption is designed to protect the privacy of content. Reviewing encrypted messages will require a ‘backdoor’ or routed via an unencrypted clearing system. This is not just Orwellian (every message being scanned to find the needle in the haystack); it also introduces a weakness that will be targeted by foreign intelligence and cybercriminals who covert access to private communications. Deliberately weakening encryption is one concern; another is that, once implemented for CSAM, it would be trivial to extend powers to other materials or keywords.
  • If you feel strongly, you can use mySociety’s WriteToThem to find a lord to write to and express your concerns.

PwC, EY, and more caught up in MOVEit compromise

  • Professional services firms PwC and EY have both been caught up in the mass-compromise of Progress Software’s MOVEit file transfer appliances. At PwC, the cybercriminals seem to have accessed a significant volume of client files, which the Cl0p cybercriminals are releasing.
  • UK telco regulator Ofcom has also confirmed that the personal data of 412 employees was compromised, with almost 400 organisations and over 20 million individuals affected by the breaches.
  • Coverware expect the Cl0p gang to earn “over $75 million” from extorting MOVEit customer.
  • The US government is offering a $10 million reward for information on the Cl0p ransomware gang who claimed responsibility (vol. 6, iss. 25) for the attacks.
  • Cynthia Kaiser, deputy assistant director in the FBI’s Cyber Division, has spoken about how the FBI fights ransomware, in particular avoiding ‘whack-a-mole’ approaches in favour of ‘tightening the net’ around the cybercriminal ecosystem more generally.

Interesting stats

8.5% of 337,171 Docker Hub images analysed by researchers from RWTH Aachen University in German were found to contain sensitive information such as private keys and API secrets.

600% increase in distributed denial of service (DDOS) attacks against cryptocurrency websites in Q2 2023, according to Cloudflare.

Other newsy bits / in brief

And finally

Mistyped military messages misdirected to Mali

  • Millions of US military emails have been misdirected to Mali due to typos. The West African country’s top-level domain (.ml) is similar to that of the US military (.mil). Johannes Zuurbier, the current operator, has collected around 117,000 emails since January alone and has warned of the issue for a decade but doesn’t feel the US government has taken the matter seriously.
  • Apparently, none of the messages are classified, but could be extremely useful to foreign intelligence regardless as it does include X-rays and medical data, identity document information, crew lists for ships, staff lists at bases, maps of installations, photos of bases, naval inspection reports, contracts, criminal complaints against personnel, internal investigations into bullying, official travel itineraries, bookings, and tax and financial records.
  • Zuurbier’s contract for operating .ml changes hands from a Dutch entrepreneur to the Mali government, closely allied with Russia, this coming Monday.

Tributes to Kevin Mitnick, who died this week

  • Kevin Mitnick, the world’s ‘most wanted’ hacker, has died from pancreatic cancer aged 59. Mitnick was sometimes controversial, though respected, especially for his social engineering skills. Hundreds of tributes have been made from those who knew him across the industry.

  Robin's Newsletter - Volume 6

  Online Safety Bill End-to-End Encryption (E2EE) Cl0p Progress Software MOVEit Citrix Adobe Microsoft Security Poverty Line PwC EY JumpCloud Security Labels Data Brokers