Robin’s Newsletter #84

26 January 2020. Volume 3, Issue 4
Jeff Bezos' phone hacking; Microsoft's elastic search snafu; ClearView.AI and facial recognition tech.

This week

Investigation into hacking of Jeff Bezos’ phone

It’s a web of the ultra-rich, nation-states, sex, murder, political influence and hacking. Photos and text messages leaked to the National Inquirer that exposed Jeff Bezos’ extramarital affair in 2018 triggered an investigation into the breach. This week The Guardian, citing sources familiar with FTI Consulting’s forensic investigation, published that investigations concluded it was ‘highly probable’ that Saudi crown prince Mohammed bin Salman was behind the compromise of Bezos’ phone.

The investigation found that the outbound data usage from Bezos’ phone dramatically increased following a video from the Saudi prince over WhatsApp. A vulnerability in the way that WhatsApp handled video files has been patched by the company, who are also suing spyware company NSO Group for exploiting the vulnerability to deploy their software covertly (vol. 2, iss. 44.)

It’s interesting, as The Register points out, that while many of the ultra-rich have personal security details, nation-state hacking probably hasn’t previously featured in their threat models.

When your net worth equals that of over 1 million average US families, you increase the likelihood of being a target, both for nations interested in the economic decisions of your business and for cyber criminals interested in financial gain.

Vice Motherboard subsequently obtained a copy of the report if you want to read it. theguardian.com, vice.com, theregister.co.uk

Interesting stats

10% of all Mac computers attacked by Shlayer malware bleepingcomputer.com

16.2 days average length of ransomware incident, up from 12.1 days in Q3 2019, combined with… $84,116 average ransom demand (up from $41,198), according to Coveware zdnet.com

160,000 data breaches have been reported since the introduction of GDPR, with €114M ($126M / £97M) in total fines issued by regulators, according to DLA Piper (h/t Michael Stead) dlapiper.com

Other newsy bits

Microsoft database containing Customer Support data was accessible from the Internet

Five identical Elasticsearch databases containing 250 million records of Microsoft customer support incidents were exposed on the internet. The databases were found using search service BinaryEdge (recently acquired, see below.) In a security advisory sent to affected customers, Microsoft noted that “misconfigurations are unfortunately a common error across the industry. We have solutions to help prevent this kind of mistake, but unfortunately, they were not enabled for this database. As we’ve learned, it is good to periodically review your own configurations and ensure you are taking advantage of all protections available.” (h/t Tom Dibb) zdnet.com
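The advice to periodically review configurations is easy to state and easy to skip, so here is what an automated review of that kind can look like. This is an added illustration written for this newsletter, not Microsoft’s tooling or any Elastic project code. It parses a minimal elasticsearch.yml (flat `key: value` lines) and flags the combination behind incidents like this one: a cluster bound to a non-loopback address with security features left disabled. The sample configurations are constructed, and the assumption that `xpack.security.enabled` defaults to off reflects the 6.x/7.x releases current at the time of the story.

```python
"""Flag Elasticsearch settings that leave a cluster reachable without authentication.

Added example for the newsletter item above; not Microsoft's or Elastic's code.
Settings checked (network.host, xpack.security.enabled,
xpack.security.http.ssl.enabled) are real Elasticsearch settings; the
"secure by default" assumptions are documented inline.
"""

# Values of network.host that keep the HTTP API on the local machine only.
LOOPBACK_HOSTS = {"127.0.0.1", "::1", "localhost", "_local_"}


def parse_settings(text: str) -> dict:
    """Parse flat 'key: value' lines from an elasticsearch.yml-style file.

    Comments, blank lines and nested YAML structures are ignored; the settings
    audited here are conventionally written as dotted flat keys.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")
        settings[key.strip()] = value.strip().strip("\"'")
    return settings


def is_truthy(value: str) -> bool:
    return value.strip().lower() in {"true", "yes", "on", "1"}


def audit(settings: dict) -> list:
    """Return a list of findings (empty list means nothing to report)."""
    findings = []
    # Assumption: an absent network.host binds to loopback, as Elasticsearch does.
    host = settings.get("network.host", "_local_")
    exposed = host not in LOOPBACK_HOSTS
    if not exposed:
        return findings  # local-only binding; the checks below are about exposure

    # Assumption: absent xpack.security.enabled means off (true for 6.x/7.x).
    if not is_truthy(settings.get("xpack.security.enabled", "false")):
        findings.append(
            f"NO_AUTH: network.host={host} but xpack.security.enabled is not true; "
            "anyone who can reach port 9200 can read every index"
        )
    if not is_truthy(settings.get("xpack.security.http.ssl.enabled", "false")):
        findings.append(
            f"NO_TLS: network.host={host} but HTTP TLS is not enabled; "
            "credentials and data cross the network in clear text"
        )
    return findings


def audit_config(text: str) -> list:
    """Convenience wrapper: parse then audit."""
    return audit(parse_settings(text))


# Constructed sample configurations, for illustration only.
WEAK_CONFIG = """
cluster.name: support-cases   # constructed name
network.host: 0.0.0.0         # listens on every interface
http.port: 9200
"""

HARDENED_CONFIG = """
cluster.name: support-cases
network.host: 0.0.0.0
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
"""

LOCAL_ONLY_CONFIG = """
cluster.name: dev-box
network.host: _local_
"""

if __name__ == "__main__":
    for name, cfg in [("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG),
                      ("local-only", LOCAL_ONLY_CONFIG)]:
        result = audit_config(cfg)
        print(f"{name}: {'OK' if not result else ''}")
        for finding in result:
            print("  -", finding)
```

Running this over the three constructed files reports two findings for the weak configuration and none for the other two; in practice you would point it at the real file on each node as part of the periodic review the advisory recommends, and treat a non-empty result as a ticket rather than a warning.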

Facial recognition company ClearView.AI

The NY Times kicked off coverage of ClearView.AI, a start-up that has scraped over 3 billion photos of people from the web. Their service allows customers to upload an image that is matched against that collection and returned with links to the corresponding social media profiles. Apparently, 600 law enforcement agencies in the US are customers. It was a hit in part because, unlike searching FBI databases, ClearView’s service didn’t require getting a warrant and ‘risking the investigation.’ A class-action lawsuit has followed the coverage, and Wired has a good read on scraping the web. There’s been a lot in the news this week about facial recognition. See the links below about the Met Police’s decision to roll out the technology in London, and the ICO’s views too. nytimes.com, wired.com, cnet.com (class-action)

Google finds flaws in Apple’s privacy tool

Flaws in the Intelligent Tracking Prevention feature of Apple’s Safari browser have been disclosed by Google. The flaws allow users’ browsing behaviour to be tracked, despite the purpose being to prevent it. The issues in the underlying WebKit engine were fixed in December. Also this week it came to light that Apple dropped plans for fully encrypted iCloud backups after the FBI complained that doing so would harm investigations. (Search warrants can force Apple to hand over copies of customer data.) ft.com, webkit.org, reuters.com

Insurer forced to pay up in ransomware case

There is a growing market for insurance against cyber-attacks. Some of these are lumped in with existing policies (such as ‘non-damage business interruption’) while others are dedicated cyber security policies. What is - and perhaps, more importantly, isn’t - covered by these policies is starting to be tested. Increasingly, victims of ransomware attacks are turning to their insurance to help cover business losses, IT replacement and restoration costs, and legal fees. These claims aren’t always successful: for example, Zurich is in court for denying Mondelez’s NotPetya claim because it was ‘an act of war’ (vol. 1, iss. 26.) That case is still ongoing. Meanwhile, a Maryland federal judge ruled this week that Ohio insurance provider State Auto must cover the costs following a ransomware attack that forced a client to replace much of its technology. cyberscoop.com

In brief

Attacks, incidents & breaches

  • Ransomware shuts down production at Flemish multinational vrt.be
  • 2015-member database floats off through breach in Royal Yachting Association’s hull theregister.co.uk

Threat intel

Security engineering

  • NCSC introduces new mobile device guidance ncsc.gov.uk
  • Octarine releases open-source security scanning tools for Kubernetes techcrunch.com
  • Citrix and FireEye release security tool to help admins find out if their servers vulnerable to CVE-2019-19781 have been hacked theregister.co.uk

Internet of Things

  • An Open Source Effort to Encrypt the Internet of Things wired.com
  • Leave your admin interface’s TLS cert and private key in your router firmware in 2020? Just Netgear things theregister.co.uk
  • Hacker leaks passwords for more than 500,000 servers, routers, and IoT devices zdnet.com

Privacy

  • ICO publishes Code of Practice to protect children’s privacy online ico.org.uk
  • Police are about to deploy ‘privacy destroying’ facial recognition cameras across London zdnet.com, ico.org.uk

Law enforcement

  • Russian Cardplanet and malware-exchange forum pleads guilty theregister.co.uk
  • Secret Service to launch private-sector cybercrime council cyberscoop.com
  • Cybercrime laws need urgent reform to protect UK, says report theguardian.com

Mergers, acquisitions and investments

  • Coalition acquires IoT search engine BinaryEdge zdnet.com
  • FireEye scoops up cloud security startup Cloudvisory zdnet.com

And finally

Sticking with facial recognition this week…

Chinese city uses surveillance tech to shame citizens for wearing pajamas outside

China has extensively adopted CCTV and facial recognition in public places. Now the city of Suzhou (pop. 11M) is using the technology to name-and-shame citizens for being out and about in their PJs. Their surname, picture, and partial ID number were made public, alongside the offending image. cnet.com

Robin
