Robin’s Newsletter #280

29 October 2023. Volume 6, Issue 44
1Password, Cloudflare amongst 170 caught up in Okta breach. UK Online Safety Bill becomes law. Lawful intercept against Russian chat service.

This week

1Password, Cloudflare caught up in recent Okta compromise

  • Password manager 1Password was one of the companies targeted by an attacker who gained access to Okta’s support systems (vol. 6, iss. 43). The Okta instance was to “manage employee-facing apps,” said Pedro Canahuati, 1Password’s CTO.
  • In a blog post about the incident, Okta’s Chief Security Officer David Bradbury explained that Okta support may request HTTP Archive (HAR) files from customers to diagnose issues. “HAR files can also contain sensitive data, including cookies and session tokens, that malicious actors can use to impersonate valid users”, Bradbury wrote.
  • The original breach of Okta’s systems was discovered by BeyondTrust, another authentication firm, when they noticed unusual activity. An Okta spokesperson told TechCrunch that around 1% (170) of the company’s 17,000 corporate customers were affected.
  • Cloudflare, who confirmed they’re affected, urged Okta to take reports of compromise more seriously, improve communication with customers, and use hardware security keys for all their systems. “For a critical security service provider like Okta, we believe following these best practices is table stakes”, the content delivery and security company wrote in a sassily-titled blog post about “yet another” Okta breach.
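The HAR point above is worth acting on before a support ticket is ever raised: a browser’s HAR export records every request and response header, cookie and body, so the file handed to a vendor carries whatever session tokens the browser was holding at the time. The following script is an added example (not Okta’s, 1Password’s or Cloudflare’s code) that redacts the fields a HAR commonly leaks credentials through: Authorization and Cookie headers, Set-Cookie responses, the parsed cookie arrays, token-like query and form parameters (also inside the raw request URL), and response bodies that look like an OAuth token response. The header and parameter name lists and the sample HAR are assumptions constructed for the example.

```python
import json
import re
from copy import deepcopy
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

REDACTED = "[REDACTED]"
# Header names whose values carry credentials or session state (matched case-insensitively).
SENSITIVE_HEADERS = {"authorization", "proxy-authorization", "cookie", "set-cookie", "x-api-key"}
# Query-string / form parameter names that commonly carry tokens (assumed list; extend per app).
SENSITIVE_PARAMS = {"token", "access_token", "id_token", "refresh_token", "code", "session"}
# Response bodies that look like an OAuth/OIDC token response are dropped wholesale.
TOKEN_BODY_RE = re.compile(r'"(access_token|id_token|refresh_token)"\s*:')


def _redact_named(items, names):
    """Redact 'value' on every {name, value} item whose name is in `names`; return count."""
    n = 0
    for item in items:
        if item.get("name", "").lower() in names and item.get("value") != REDACTED:
            item["value"] = REDACTED
            n += 1
    return n


def _redact_all(items):
    """Redact every 'value' in a list (the HAR cookie arrays are all session state)."""
    for item in items:
        item["value"] = REDACTED
    return len(items)


def _redact_url(url):
    """Rewrite sensitive query parameters inside the raw request URL string."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    cleaned = [(k, REDACTED if k.lower() in SENSITIVE_PARAMS else v) for k, v in pairs]
    if cleaned == pairs:
        return url, 0
    return urlunsplit(parts._replace(query=urlencode(cleaned))), 1


def sanitize_har(har):
    """Return (redacted copy of the HAR, number of values replaced). The input is not modified."""
    out = deepcopy(har)
    count = 0
    for entry in out["log"]["entries"]:
        req = entry.get("request", {})
        resp = entry.get("response", {})
        for msg in (req, resp):
            count += _redact_named(msg.get("headers", []), SENSITIVE_HEADERS)
            count += _redact_all(msg.get("cookies", []))
        count += _redact_named(req.get("queryString", []), SENSITIVE_PARAMS)
        count += _redact_named(req.get("postData", {}).get("params", []), SENSITIVE_PARAMS)
        if "url" in req:
            req["url"], n = _redact_url(req["url"])
            count += n
        content = resp.get("content", {})
        if TOKEN_BODY_RE.search(content.get("text", "")):
            content["text"] = REDACTED
            count += 1
    return out, count


# Constructed sample capture for the example; not a real HAR from any vendor.
SAMPLE_HAR = {
    "log": {"version": "1.2", "entries": [{
        "request": {
            "method": "GET",
            "url": "https://example.test/api/me?token=abc123",
            "headers": [
                {"name": "Host", "value": "example.test"},
                {"name": "Cookie", "value": "sid=SECRET-SESSION"},
                {"name": "Authorization", "value": "Bearer SECRET-JWT"},
            ],
            "cookies": [{"name": "sid", "value": "SECRET-SESSION"}],
            "queryString": [{"name": "token", "value": "abc123"}],
        },
        "response": {
            "status": 200,
            "headers": [{"name": "Set-Cookie", "value": "sid=SECRET-NEW; HttpOnly"}],
            "cookies": [{"name": "sid", "value": "SECRET-NEW"}],
            "content": {"mimeType": "application/json",
                        "text": '{"access_token": "SECRET-TOKEN", "user": "alice"}'},
        },
    }]}
}

if __name__ == "__main__":
    import sys
    # Usage: python har_redact.py capture.har > capture.redacted.har
    har = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_HAR
    cleaned, n = sanitize_har(har)
    print(json.dumps(cleaned, indent=2))
    print(f"# {n} values redacted", file=sys.stderr)
```

Redaction is deliberately name-based and conservative: the Host header and non-sensitive parameters survive so support can still diagnose the request, while anything that could replay a session is replaced with a marker rather than deleted, so the structure of the capture stays intact. Even a redacted HAR should be treated as sensitive, since the remaining URLs and timings still describe the application; and the real fix for the class of risk in the story is for the receiving vendor to revoke sessions seen in uploaded files and for the customer to rotate any session that was captured.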

UK Online Safety Act becomes law

  • After four-and-a-half years, the UK’s Online Safety Act has received royal assent and become law. It’s been a controversial piece of legislation that’s led to tech companies threatening to leave the UK market rather than comply with requirements (vol. 6, iss. 9) to backdoor encryption in their products.
  • While the House of Lords made some amendments to the bill as it passed through the upper chamber (vol. 6, iss. 30), around measuring harm rather than harmful content, there was no movement on ‘Section 122’, which technologists see as a requirement that would force messaging services to break end-to-end encryption.
  • It reminded me of a quote from Bruce Schneier, from 2015, talking about a similar campaign by US legislators for encryption backdoors:

“I can’t create mathematics that works differently in the presence of a particular legal piece of paper. Math just doesn’t work that way.”

  • It’s now over to the regulator Ofcom to consult on, and then enforce, what has finally passed into law, with the government admitting that parts will only be enforceable once it becomes “technically feasible” to do so (vol. 6, iss. 37). 
  • The EU’s Digital Services Act, which tackles similar online safety concerns, went into effect in August, making online platforms that meet certain thresholds legally accountable for the content users post to them. It also bans targeted advertising based on sexual orientation, religion, ethnicity, and political beliefs.

Apparent lawful intercept against Russian Jabber service discovered after TLS certificate isn’t renewed

  • This is pretty interesting: a popular Russian XMPP messaging service seems to have been wiretapped, with two ISPs hosting the systems rerouting traffic and an alternative TLS certificate being used.
  • Jabber.ru hosted their systems in Germany to avoid surveillance (lol), and it came to light when someone forgot to renew the cert (because of course they did). The wiretap may have lasted up to six months, from April through October, and “jabber.ru and xmpp.ru communications between these dates should be assumed compromised”. 
  • By controlling the certificate used to encrypt communications to and from the Jabber service, an attacker-in-the-middle could have read or sent users’ messages and viewed other account information.
  • The investigation concludes that it’s likely to be a lawful intercept request, with the German hosting companies being compelled to alter their systems to support the interception. Unsurprisingly, German authorities and the companies didn’t respond to The Record’s request for comment.
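The detail that gives this story away is that the substitute certificate was valid: it was issued by a public CA for the real hostname, so clients accepted it and nobody noticed until it expired. The only signal available to the operator (or to users who cared) was that the certificate presented by the server was not the one they had deployed. The script below is an added example of that check, not code from jabber.ru or from The Record’s reporting: it records the SHA-256 fingerprint of the leaf certificate a service presents and raises a “changed” result whenever a certificate it has never seen appears, regardless of whether the chain validates. The service name, the pin store format and the two PEM blobs are constructed for the example; the blobs are labelled bytes in PEM framing rather than real X.509, so the example runs offline.

```python
import base64
import hashlib
import ssl


def fingerprint_sha256(pem: str) -> str:
    """SHA-256 over the DER encoding, the same value `openssl x509 -sha256 -fingerprint` prints."""
    der = ssl.PEM_cert_to_DER_cert(pem)
    return hashlib.sha256(der).hexdigest()


def check_pin(service: str, pem: str, pin_store: dict) -> str:
    """Compare the presented certificate against fingerprints previously recorded for `service`.

    Returns "first-seen" (nothing recorded yet; the fingerprint is stored), "ok" (matches a
    known pin) or "changed" (a certificate this monitor has never seen). A change is not
    automatically hostile, renewals happen, but it must be explained by whoever controls the
    service; an unexplained one is exactly the situation described above.
    """
    fp = fingerprint_sha256(pem)
    known = pin_store.setdefault(service, [])
    if not known:
        known.append(fp)
        return "first-seen"
    return "ok" if fp in known else "changed"


def accept_renewal(service: str, pem: str, pin_store: dict) -> None:
    """Called by an operator after confirming a rotation was theirs; keeps old pins for overlap."""
    pin_store.setdefault(service, []).append(fingerprint_sha256(pem))


def fetch_pem(host: str, port: int = 5223) -> str:
    """Fetch the leaf certificate from a direct-TLS port (real network call, not used offline).

    XMPP on 5222 negotiates TLS via STARTTLS, which ssl.get_server_certificate does not speak,
    so point this at a direct-TLS port (commonly 5223 for XMPP, 443 for HTTPS).
    """
    return ssl.get_server_certificate((host, port))


def _constructed_pem(label: bytes) -> str:
    # Constructed stand-in so the example runs offline: labelled bytes in PEM framing, not a
    # real DER certificate. The fingerprint logic is identical for a genuine certificate.
    body = base64.encodebytes(b"NOT-A-REAL-CERTIFICATE:" + label).decode("ascii")
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"


CERT_ORIGINAL = _constructed_pem(b"deployed-by-the-operator")
CERT_SUBSTITUTE = _constructed_pem(b"issued-to-someone-else")

if __name__ == "__main__":
    # Three successive observations of the same service; the last one should page someone.
    store = {}
    for when, pem in (("day 1", CERT_ORIGINAL), ("day 2", CERT_ORIGINAL), ("day 3", CERT_SUBSTITUTE)):
        print(f"{when}: {check_pin('xmpp.example', pem, store)}")
```

Run from cron against each public endpoint you operate, keeping the pin store somewhere the monitored host cannot write to. Pairing this with a Certificate Transparency monitor for the domain covers the case the fingerprint check cannot see: a certificate issued for your hostname that is being presented only to some network paths, which in this incident meant only traffic transiting the two hosting providers.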

Interesting stats

22% increase in authorised push payment (APP) fraud in the first half of 2023, compared with the same period in 2022, with £239.3 million in losses representing a 1% decrease, and £152.8 million returned to victims, according to trade body UK Finance. 1.4 million cases of fraud occurred in the UK during the first half of 2023, with a 29% jump in romance scams and a 50% increase in ID theft, often resulting in account takeover or applications for loans and credit cards.

Other newsy bits / in brief

And finally

  • A group of hardware and cryptographic hackers calling themselves Unciphered have developed a technique to break into a specific model of IronKey encrypted USB thumb drive. A Swiss cryptocurrency entrepreneur, Stefan Thomas, has one such IronKey that holds a digital wallet containing 7,002 BitCoin, worth around $230 million. Only, having forgotten the key, Thomas doesn’t seem interested in Unciphered’s help to get access to the wallet, reports Andy Greenberg for Wired.

Plus…

  • For anyone on X (Twitter), a little heads up that audio and video calling is rolling out as you update the app. This feature will allow premium accounts to audio or video call your phone through the app unless you turn the feature off. To do that, go to: Settings & Privacy > Privacy & Safety > Direct Messages > turn off ‘Enable video & audio calling’. (H/T Zara)
Robin
