This week
UK Electoral Commission reveals cyber-attack
- “Hostile actors” gained unauthorised access to the Electoral Commission’s servers two years ago. The Electoral Commission is an independent agency charged with registering political parties, regulating party and election finance, managing electoral registrations, and setting the standards that elections in the UK must follow.
- The incident was detected a year ago, and public notification was made this week. During the attack, which the Commission describes as “complex”, the attackers accessed their email, control systems and copies of the electoral registers.
- No election results were affected; however, the story makes for dramatic news, as the electoral register contains details on over 47 million people. While the volume of people affected is attention-grabbing, and the data could be used to target disinformation, the harm to individuals is likely to be minimal, and I think it’s important to put this enormous number into context.
- The electoral register data includes first and family names, addresses, and the date the person achieves voting age that year (if applicable).
- As I tweeted, in 2017, there were 46.8 million registered electors in the UK and the Electoral Register contains first and family names, home address, and in some cases, the date on which that person achieves voting age.
- Of those 46.8 million, 25 million (53%) had opted out of the ‘public register’. For the ~22 million people who hadn’t opted out, this information was already public. The ICO’s assessment is that Electoral Register information “does not in itself present a high risk to individuals”. And just because the attacker could access the data doesn’t mean that it has all now been published.
- Also, remember that, despite GDPR and rights to privacy, your existence is not private. Births, marriages, and deaths are all recorded and available to search (for example, on family tree websites).
- The EC’s email server will, like any organisation’s, contain a lot of ‘unstructured’ data: daily chatter, meeting invites, plus any messages sent to or from the organisation. So while the data affected on the email server also includes email addresses, telephone numbers, ‘personal images’ and so on, this is only for those who have emailed the Commission or contacted them using the form on their website.
- Russia is “first on the list” of suspects, according to former GCHQ director Sir David Omand, and my hunch is that the SVR (Russia’s foreign intelligence service) would be very interested in getting the inside track on any investigations into party finances which campaigners say are open to malign influence.
- Questions remain over the time it has taken to notify the public of the breach — commercial organisations would rightly face a backlash if they waited two years to come clean — but remember that GDPR’s mandatory notification is to the regulator (the ICO), within 72 hours of becoming aware of a breach, not to the public; affected individuals only have to be told directly where the breach is likely to result in a high risk to them, which is not the ICO’s assessment here. The Electoral Commission may therefore have met its reporting requirements. Given the potential national security nature and minimal potential for public harm, the determination may have been to take time to complete the investigation thoroughly without potentially tipping off the hostile actor or creating a media frenzy. I’d welcome further transparency on what happened, when, and the decisions that led to the timing of this notification.
Thousands of Northern Ireland police officers and civilian staff identified in breach
- The Police Service of Northern Ireland (PSNI) has apologised after the names of 10,000 current and former police officers and civilian staff were published online. The breach occurred when responding to a freedom of information request: in addition to providing salary band information and counts of each grade, a second tab in the spreadsheet listed the surname and initials of staff, along with their employment grade. The file was online for two hours before being taken down.
- The breach may have severe ramifications for those working undercover, in specific counter-terrorism roles, and those who may not have told their friends and family about their police employment. During the Troubles, police officers in Northern Ireland were regularly targeted, and some have been attacked since the Good Friday Agreement.
- Adding to the PSNI embarrassment, a spreadsheet containing names of 200 current staff, a laptop and a radio were stolen from a vehicle last week.
Interesting stats
$549 million in fines for US banks amid “widespread and longstanding failures” to preserve electronic communications by employees trying to covertly discuss business via Signal, WhatsApp and iMessage.
75% of businesses are considering, or implementing, bans on ChatGPT, according to a BlackBerry survey of 2,000 IT decision-makers in Australia, Japan, France, Germany, Canada, the Netherlands, the US, and the UK.
130 approaches from individuals looking to monetise a Chrome extension with 300,000 installs over the last nine years. Most of these are offering revenue in exchange for embedding tracking code in the extension.
64,000 people have been detained in China for ‘personal data infringements’ in the last three years.
Other newsy bits / in brief
- Microsoft has responded to Tenable CEO Amit Yoran’s scathing comments about how long, and how opaquely, it took to address a vulnerability in Azure (vol. 6, iss. 32). The Redmond-headquartered company says the issue affected a “very small subset” of customers and that “[moving] too quickly could result in more customer disruption (in terms of availability) than the risk customers bear from an embargoed security vulnerability.” The latter is an interesting challenge for cloud/software-as-a-service providers, and we will, sooner or later, see a severe vulnerability that needs fixing promptly, but whose fix would ultimately break customers’ use of the service.
- Chris Krebs, former CISA director, thinks the SEC has overreached with its new cyber breach reporting rules and, in an opinion piece for the FT, says Congress should ‘reassert itself’ and reduce ‘overlapping, conflicting and counterproductive’ regulatory programmes.
_“We will soon have a cyber reporting mess on our hands. Due to jurisdictional turf battles and the absence of a unified constituency… Over the past decade, legislators have issued a hodgepodge of laws and authorised a never-ending stream of organisations.” — Chris Krebs, partner at Krebs Stamos Group.
- The US’ Cyber Safety Review Board has published a report into the tactics used by Lapsus$. Recommendations include moving to passwordless authentication and for the FCC and FTC to better regulate the porting of phone numbers between SIMs.
- The CSRB will now look at the recent compromise of Microsoft’s cloud (vol. 6, iss. 30) as part of the “malicious targeting of cloud computing environments”.
- The ICO has published a position paper on ‘ending damaging website design practices’ (dark patterns) and instead empowering users with choice and control.
- Zoom updated its terms of service recently to give the video conferencing company a “perpetual, worldwide, non-exclusive, royalty-free, sublicensable, and transferable license” to its customers’ content, to train its artificial intelligence models. There was a big outcry on social media this week, and now the company is backtracking on the changes and will not use data without explicit consent to do so.
- Companies who monitor their employees should get consent to do so, say the results of a DSIT inquiry.
- North Korean attackers appear to be behind a breach at NPO Mashinostroyeniya, a Russian missile manufacturer. North Korea—Russia relations had been warming following the invasion of Ukraine. Perhaps North Korea having to resort to targeting ‘friends’ means that Western defence supply chain security programmes are working?
- Viasat’s chief information security officer, Mark Colaluca, gave a presentation at Black Hat on the attack against their satellite network on the eve of the Russian invasion of Ukraine (vol. 5, iss. 12). In addition to the malware used against satellite modems, a second attack with “highly technical knowledge of our network… [targeted] specific terminals to not let them back on the network,” Colaluca said.
- Dell’s enterprise storage system for VMware uses a hardcoded encryption key to store credentials in its configuration file, so anyone with a copy of the software can recover those credentials.
- CISA has disclosed another strain of backdoor malware targeted at Barracuda’s email security gateway devices. The malware, called ‘Whirlpool’, exploits a remote command injection vulnerability (CVE-2023-2868; 9.8/10) in versions 5.1.3.001 through 9.2.0.006. Barracuda encouraged customers to rip and replace (vol. 6, iss. 24) affected devices back in June.
- A new group called MustachedBouncer, identified by ESET, has been targeting foreign embassies in Belarus.
- CPU attacks: A new ‘transient execution’ vulnerability dubbed Inception has been found in AMD’s Zen processors that can leak secrets on shared computers. Intel doesn’t get off lightly this week either: a new vulnerability called Downfall causes the CPU to “unintentionally reveal internal hardware registers”.
- Industrial control systems software used to configure and test programmable logic controllers (PLCs) contains multiple vulnerabilities, according to Microsoft. More than 500 manufacturers use the Codesys V3 software development kit, and while the bugs have been fixed, they ‘could be used to shut down power plants’.
- Microsoft published thoughts on pen testing artificial intelligence from its journey developing an ‘AI Red Team’.
- ChatGPT’s web crawler can now be blocked using ‘robots.txt’ rules.
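A way to check what such a rule actually does before publishing it, as an added example that is not from the original newsletter or from OpenAI: the block below parses a constructed robots.txt with Python’s standard-library `urllib.robotparser` and reports which paths each crawler may fetch. The user-agent token `GPTBot` is taken from OpenAI’s own crawler documentation and is not stated on this page; the hostname and paths are assumptions for illustration.

```python
"""Check whether a robots.txt policy blocks OpenAI's crawler (added example).

Uses only the standard library. The ``GPTBot`` token comes from OpenAI's
crawler documentation (an assumption, not something the page states).
"""
from urllib.robotparser import RobotFileParser

# Constructed sample robots.txt: deny GPTBot everywhere, allow every other
# crawler except under /private/. Group order matters: a crawler matches the
# first User-agent group that names it, and only falls back to '*' otherwise.
SAMPLE_ROBOTS_TXT = """\
User-agent: GPTBot
Disallow: /

User-agent: *
Disallow: /private/
"""


def parse_robots(text: str) -> RobotFileParser:
    """Parse robots.txt content held in memory (no network fetch)."""
    rp = RobotFileParser()
    rp.parse(text.splitlines())
    return rp


def can_crawl(text: str, user_agent: str, path: str,
              host: str = "https://example.com") -> bool:
    """True if ``user_agent`` may fetch ``path`` under the given policy."""
    rp = parse_robots(text)
    return rp.can_fetch(user_agent, host + path)


def crawler_report(text: str,
                   agents=("GPTBot", "Googlebot"),
                   paths=("/", "/blog/post", "/private/notes")) -> dict:
    """Map (agent, path) -> allowed so the whole policy can be reviewed at once."""
    return {(agent, path): can_crawl(text, agent, path)
            for agent in agents for path in paths}


if __name__ == "__main__":
    for (agent, path), allowed in crawler_report(SAMPLE_ROBOTS_TXT).items():
        print(f"{agent:10} {path:16} {'allowed' if allowed else 'blocked'}")
```

Note that robots.txt is advisory: it only stops crawlers that choose to honour it, so it is a politeness control, not an access control.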
- Online advertising practices are usually opaque, but a leak of source code from Yandex (‘Russian Google’) has allowed privacy researchers to analyse how the search firm targets ads at users. Over 300 factors are fed into machine learning algorithms, which also build household personas for those people living together.
- Bulletproof hosting company Lolek has been taken down by Polish police, and five admins arrested for allegedly supporting Netwalker ransomware attacks and distribution of other malicious software.
Investments, mergers & acquisitions
- Horizon3 has announced a $40 million Series C that will be used for R&D and expanding channel sales of its continuous penetration testing platform.
- Check Point is buying Perimeter 81, an Israeli startup, for $490 million to bolster remote and hybrid work services.
Two rounds of layoffs were announced this week:
- Rapid7 is to lay off 18% of its workforce as operating losses widen.
- NCC Group is making further redundancies after reducing its workforce by 7% earlier this year.
And finally
- A card shuffling device used by casinos that “cannot be compromised” was compromised. In a talk at Defcon, researchers from IOActive explained that the DeckMate 2, which usually sits under gambling tables, has an exposed USB port that can be used to reprogram the device, and that a camera, ostensibly used to confirm every card is present in a deck, can be used to reveal the exact order in which cards will be dispensed.