This week
1Password, Cloudflare caught up in recent Okta compromise
- Password manager 1Password was one of the companies targeted by an attacker who gained access to Okta’s support systems (vol. 6, iss. 43). The Okta instance was to “manage employee-facing apps,” said Pedro Canahuati, 1Password’s CTO.
- In a blog post about the incident, Okta’s Chief Security Officer David Bradbury explained that Okta support may request HTTP Archive (HAR) files from customers to diagnose issues. “HAR files can also contain sensitive data, including cookies and session tokens, that malicious actors can use to impersonate valid users”, Bradbury wrote.
- The original breach of Okta’s systems was discovered by BeyondTrust, another authentication firm, when they noticed unusual activity. An Okta spokesperson told TechCrunch that around 1% (170) of the company’s 17,000 corporate customers were affected.
- Cloudflare, who confirmed they’re affected, urged Okta to take reports of compromise more seriously, improve communication with customers, and use hardware security keys for all their systems. “For a critical security service provider like Okta, we believe following these best practices is table stakes”, the content delivery and security company wrote in a sassily-titled blog post about “yet another” Okta breach.
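The Okta incident turns on support staff collecting HAR files that still carry live cookies and session tokens. Below is an added example (my own code, not Okta's, 1Password's or Cloudflare's tooling) of a small HAR sanitiser a helpdesk could require customers to run before uploading a capture: it redacts Cookie, Set-Cookie and Authorization headers, the parsed cookie lists, secret-looking query-string and form parameters, and secret-looking keys in JSON response bodies, while leaving the rest of the capture intact for debugging. The sample HAR, the header list and the name fragments it treats as sensitive are all constructed assumptions for this example.

```python
from __future__ import annotations

import copy
import json
import sys
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Header names whose values are always credentials (assumed list; extend for your apps).
SENSITIVE_HEADERS = {"cookie", "set-cookie", "authorization", "proxy-authorization", "x-api-key"}
# Substrings that mark a parameter or JSON key as secret-bearing (heuristic; "key" also
# matches harmless names such as "monkey", which is the safe direction to err in).
SENSITIVE_NAME_FRAGMENTS = ("token", "session", "sid", "auth", "password", "secret", "key")
REDACTED = "[REDACTED]"


def _is_sensitive_name(name: str) -> bool:
    lowered = name.lower()
    return any(fragment in lowered for fragment in SENSITIVE_NAME_FRAGMENTS)


def _redact_pairs(pairs: list, always: bool) -> int:
    """Redact 'value' in a HAR name/value list; return how many values were redacted."""
    count = 0
    for pair in pairs:
        if (always or _is_sensitive_name(pair.get("name", ""))) and pair.get("value"):
            pair["value"] = REDACTED
            count += 1
    return count


def _scrub_url(url: str) -> tuple[str, int]:
    """Rebuild the URL with secret-looking query parameters redacted."""
    parts = urlsplit(url)
    count, scrubbed = 0, []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if _is_sensitive_name(name) and value:
            scrubbed.append((name, REDACTED))
            count += 1
        else:
            scrubbed.append((name, value))
    return urlunsplit(parts._replace(query=urlencode(scrubbed))), count


def _redact_json(obj) -> int:
    """Recursively redact values under secret-looking keys in a parsed JSON body."""
    count = 0
    if isinstance(obj, dict):
        for key, value in obj.items():
            if isinstance(value, (dict, list)):
                count += _redact_json(value)
            elif _is_sensitive_name(key) and value:
                obj[key] = REDACTED
                count += 1
    elif isinstance(obj, list):
        for item in obj:
            count += _redact_json(item)
    return count


def sanitize_har(har: dict) -> tuple[dict, int]:
    """Return a deep copy of `har` with credentials removed, plus the redaction count."""
    clean = copy.deepcopy(har)
    redactions = 0
    for entry in clean.get("log", {}).get("entries", []):
        for side in ("request", "response"):
            msg = entry.get(side, {})
            for header in msg.get("headers", []):
                if header.get("name", "").lower() in SENSITIVE_HEADERS and header.get("value"):
                    header["value"] = REDACTED
                    redactions += 1
            # The parsed cookie list duplicates the Cookie/Set-Cookie headers: wipe every value.
            redactions += _redact_pairs(msg.get("cookies", []), always=True)
        req = entry.get("request", {})
        if req.get("url"):
            req["url"], n = _scrub_url(req["url"])
            redactions += n
        redactions += _redact_pairs(req.get("queryString", []), always=False)
        redactions += _redact_pairs(req.get("postData", {}).get("params", []), always=False)
        # JSON response bodies often echo a session token back to the client.
        content = entry.get("response", {}).get("content", {})
        if "json" in content.get("mimeType", "") and content.get("text"):
            try:
                body = json.loads(content["text"])
            except ValueError:
                body = None
            if body is not None and (n := _redact_json(body)):
                content["text"] = json.dumps(body)
                redactions += n
    return clean, redactions


def sanitize_har_text(text: str) -> tuple[str, int]:
    """Convenience wrapper: JSON text in, sanitised JSON text and redaction count out."""
    clean, redactions = sanitize_har(json.loads(text))
    return json.dumps(clean, indent=2), redactions


# Constructed sample capture (hostnames, cookies and tokens are made up for this example).
SAMPLE_HAR = {"log": {"version": "1.2", "entries": [{
    "request": {
        "method": "POST",
        "url": "https://sso.example.test/api/v1/sessions?sid=abc123&page=1",
        "headers": [{"name": "Cookie", "value": "sid=abc123; theme=dark"},
                    {"name": "Authorization", "value": "Bearer eyJhbGciOi.example"},
                    {"name": "Accept", "value": "application/json"}],
        "cookies": [{"name": "sid", "value": "abc123"}, {"name": "theme", "value": "dark"}],
        "queryString": [{"name": "sid", "value": "abc123"}, {"name": "page", "value": "1"}],
        "postData": {"mimeType": "application/x-www-form-urlencoded",
                     "params": [{"name": "username", "value": "alice"},
                                {"name": "password", "value": "hunter2"}]}},
    "response": {
        "status": 200,
        "headers": [{"name": "Set-Cookie", "value": "sid=def456; HttpOnly; Secure"},
                    {"name": "Content-Type", "value": "application/json"}],
        "cookies": [{"name": "sid", "value": "def456"}],
        "content": {"mimeType": "application/json",
                    "text": '{"id": "42", "sessionToken": "tok-xyz", "status": "ACTIVE"}'}}}]}}
SAMPLE_HAR_TEXT = json.dumps(SAMPLE_HAR)

if __name__ == "__main__":
    # Usage: python har_scrub.py capture.har > capture.clean.har (or no argument for the sample)
    raw = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_HAR_TEXT
    cleaned, count = sanitize_har_text(raw)
    print(cleaned)
    print(f"# {count} values redacted", file=sys.stderr)
```

Run on the built-in sample it redacts ten values: both credential headers, the four cookie values, the `sid` in the URL and in the parsed query string, the form password, and the `sessionToken` in the JSON body, while `page=1` and the `ACTIVE` status survive. The design choice worth noting is that header and cookie redaction is unconditional rather than name-based, because an attacker replaying a capture only needs one session cookie the heuristic missed.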
UK Online Safety Act becomes law
- After four-and-a-half years, the UK’s Online Safety Act has received royal assent and become law. It’s been a controversial piece of legislation that’s led to tech companies threatening to leave the UK market rather than comply with requirements (vol. 6, iss. 9) to backdoor encryption in their products.
- While the House of Lords made some amendments to the bill as it passed through the upper chamber (vol. 6, iss. 30), around measuring harm, not harmful content, there was no movement on ‘Section 122’, which technologists see as a requirement that would need messaging services to break end-to-end encryption.
- It reminded me of a quote from Bruce Schneier, from 2015, talking about a similar campaign by US legislatures for encryption backdoors:
“I can’t create mathematics that works differently in the presence of a particular legal piece of paper. Math just doesn’t work that way.”
- It’s now over to the regulator Ofcom to consult on, and then enforce, what has finally passed into law, with the government admitting that parts will only be enforceable once it becomes “technically feasible” to do so (vol. 6, iss. 37).
- The EU’s Digital Services Act, which tackles similar online safety concerns, went into effect in August, making online platforms that meet certain thresholds legally accountable for the content users post to them. It also bans targeted advertising based on sexual orientation, religion, ethnicity, and political beliefs.
Apparent lawful intercept against Russian Jabber service discovered after TLS certificate isn’t renewed
- This is pretty interesting: a popular Russian XMPP messaging service seems to have been wiretapped, with two ISPs hosting the systems rerouting traffic and an alternative TLS certificate being used.
- Jabber.ru hosted their systems in Germany to avoid surveillance (lol), and it came to light when someone forgot to renew the cert (because of course they did). The wiretap may have lasted up to six months, from April through October, and “jabber.ru and xmpp.ru communications between these dates should be assumed compromised”.
- By controlling the certificate used to encrypt communications to and from the Jabber service, an attacker-in-the-middle could have read or sent users’ messages and viewed other account information.
- The investigation concludes that it’s likely to be a lawful intercept request, with the German hosting companies being compelled to alter their systems to support the interception. Unsurprisingly, German authorities and the companies didn’t respond to The Record’s request for comment.
Interesting stats
22% increase in authorised push payment (APP) fraud in the first half of 2023, compared with the same period in 2022, with £239.3 million losses representing a 1% decrease, and £152.8 million returned to victims, according to trade body UK Finance. 1.4 million cases of fraud occurred in the UK during the first half of 2023, with a 29% jump in romance scams, and a 50% increase in ID theft, often resulting in account takeover or application for loans and credit cards.
Other newsy bits / in brief
- Cyberwar: Internet and communications access has been a target in both the Russia-Ukraine and Israel-Hamas conflicts. This week, Ukrainian activists disrupted ISPs in Russian-occupied territories, while Gaza’s last remaining internet and mobile connections went dark.
- Chinese scammers are using fraudulent loan apps and India’s Unified Payments Interface to steal money from victims. While UPI has been credited with the explosion of digital payments in India, it is not covered by the country’s Prevention of Money Laundering Act (PMLA).
- Maybe breaches: The District of Columbia Board of Elections says that a threat actor may have gained access to the personal information of registered voters. The DCBOE was keen to emphasise may, with the word appearing in all caps in a tweet. Voter names, dates of birth, partial social security numbers, driver’s license numbers and other contact details like phone and email addresses could all have been purloined by the attackers. Meanwhile, the City of Philadelphia says that attackers may have gained access to City email accounts earlier this year. Investigations are ongoing into the unauthorised access, which occurred between the end of May and July 2023, with the issue exacerbated due to the mailboxes in question containing medical information.
- Ransomware: Watchmaker Seiko says they suffered a Black Cat ransomware attack earlier in the year during which around 60,000 ‘items’ of sensitive customer, partner and personnel information were compromised. Chilean telco Grupo GTD has warned customers of its Infrastructure-as-a-Service (IaaS) platform that services may be disrupted following an attack by the Rorschach ransomware gang.
- Octo Tempest is the name Microsoft has given to a financially motivated threat group which overlaps with 0ktapus, Scattered Spider and UNC3944. Key techniques of the group, believed to be native English-speakers, are social engineering and SIM swapping. IT administrators and Helpdesk employees are targets of note, with new employees often being impersonated as a way to gain access to company systems. But evidence from the recent attacks on Caesars Palace and MGM Resorts shows a dark side too, with the group threatening violence against employees at the Las Vegas resorts and their families.
- Russia: ESET says that pro-Russia attackers have been abusing a cross-site scripting (XSS) bug in Roundcube, an open-source webmail project popular with web hosting companies, to steal information. France’s information security agency, ANSSI, also published a report about Russia’s APT28 (aka Fancy Bear) activities targeting French government, businesses and research institutions.
- In Finland, a Chinese ship has been blamed for damage to a gas pipeline. The Finnish prime minister had said it was “too early to draw conclusions” amid speculation (vol. 6, iss. 42) that the event may have been sabotage by a hostile nation.
- Vulnerabilities: Citrix Bleed: A proof of concept exploit for Citrix NetScaler ADC and NetScaler Gateway appliances has been released for a remotely exploitable information disclosure bug (CVE-2023-4966). VMware has fixed a remote code execution issue (CVE-2023-24048) in its vCenter Server software and says it has not seen evidence of it being actively exploited. F5 has fixed a remote code execution bug (CVE-2023-46747) in its BIG-IP product suite.
- iLeakage: Researchers have devised a side-channel technique that can be used to recover content from the Safari web browser running on Apple Silicon powered devices. Around 5 minutes is needed on an attacker-controlled website before the desired website is opened in a pop-up window and, if the user is logged in, content is extracted at around 24 to 34 bits per second (a low data rate).
- Anti-tracking: Google Chrome will get a new ‘IP Protection’ feature to enhance users’ privacy by proxying their traffic to mask their actual IP address. Meanwhile (h/t Jackie), an Apple feature which hid the hardware address of iPhones and iPads to enhance privacy and prevent tracking doesn’t appear to have worked as intended… ever. The bug, which was discovered and fixed by Apple, has been present since iOS 14. When connecting to a new network, a broadcast message is sent from the ‘hidden’ MAC address, but it also contains the real MAC address in a field of the main message payload. I’m not sure how impactful this really will have been: you’d need to know it was being broadcast in this part of the message, and to be capturing the complete message data for it to be of use. But well done to Tommy Mysk and Talal Haj Bakry for finding, disclosing, and getting the issue fixed.
- CISA has released its first version of Logging Made Easy, a project initially created by NCSC and picked up by the US agency after its UK counterpart “retired” support for the project in January.
- The European Union may have broken its own rules when it ran a micro-targeted political ad campaign on X (Twitter) to promote the child sexual abuse material (CSAM) scanning proposal it is pushing to member states.
- Law enforcement: Spanish National Police have arrested 34 alleged cybercriminals who stole the personal data of, or scammed, over 4 million people. In Nigeria, six suspects have been arrested for running a hub that recruited and mentored cybercriminals.
- Industry news: Microsoft has announced a $5 billion investment in its Australian business, to increase its cloud capacity by ~250% in the next two years and collaborate with signals intelligence agency ASD to counter domestic cyber threats. Microsoft has also announced a collaboration with PwC to ‘expand [their] joint incident response and recovery capability’. Microsoft does the containment and investigation, while PwC works with executives on contingency plans and recovery strategies. Censys has raised $50 million in a Series C funding round, and plans to expand from 134 employees to 150 by the end of the year. Censys claims over 350,000 free users and 180 paying customers.
And finally
- A group of hardware and cryptographic hackers calling themselves Unciphered have developed a technique to break into a specific model of IronKey encrypted USB thumb drive. A Swiss cryptocurrency entrepreneur, Stefan Thomas, has one such IronKey that holds a digital wallet containing 7,002 Bitcoin, worth around $230 million. Only, having forgotten the key, Thomas doesn’t seem interested in Unciphered’s help to get access to the wallet, reports Andy Greenberg for Wired.
Plus…
- For anyone on X (Twitter), a little heads up that audio and video calling is rolling out when you update the app. This feature will allow premium accounts to audio or video call you through the app unless you turn the feature off. To do that, go to: Settings & Privacy > Privacy & Safety > Direct Messages > turn off “Enable video & audio calling”. (H/T Zara)