This week
All the nations doin’ all the cybers
A few stories this week all circling the tech divide theme (aka ‘digital sovereignty’ or ‘digital Balkanisation.’) A lot of posturing as the rollout of 5G networks picks up.
The US brought allegations that Huawei can covertly access their customer networks. The Washington Post ran the full story of how Crypto AG, a Swiss company that sold diplomatic encryption machines, was secretly run by the CIA. Wired focuses on the temptations of introducing backdoors.
The Huawei story is interesting because it is, I believe, the first time the US has made a specific accusation in the on-going desire to keep the telecommunications company out of its critical national infrastructure. Charges were also brought against Huawei for stealing intellectual property from six US companies. Lawfare picked up on a change in the language being used by Huawei: from deliberate backdoors being ‘impossible,’ to ‘implausible [and that they] would be discovered immediately.’
The Crypto AG story is a reminder of the lengths and audacity that intelligence agencies go to. Also, sometimes, it’s easier to buy what you need, rather than force your way in. In economic terms, not only did it reduce the CIA’s costs to collect intelligence, they made a tidy profit off the back of joint ownership with Germany’s BND. It’s well written, spy-thriller from WaPo.
The conclusion from it all, of course, is that no side is clean in this: all the nations are doing all the cybers. Intelligence agencies will always look for ways to advance their agendas, collect information, or build an advantage.
Huawei: wsj.com,
bleepingcomputer.com,
lawfareblog.com,
Crypto AG: washingtonpost.com,
wired.com
Interesting stats
31% of incident start with phishing (2018: ~50%) as infection vector… 29% of incidents now start with existing, compromised credentials. 85% of 8.5 billion breached records in 2019 were result of misconfigured cloud storage, according to IBM ibm.com
93% of passwords haven’t been breached, despite ever growing number and size of data breaches, @BeckyPinkard
1/10 Americans use stalker ware to track partners, exes… 2x more likely to be men than women, according to. Harris Poll for NortonLifeLock cnet.com
467,361 cybercrime complains to the FBI’s Internet Crime Complaint Center (IC3), totalling $3.5 billion total losses in 2019, of which $1.77 billion was as the result of Business Email Compromise (BEC) fraud, that’s 33x the direct financial impact than corporate data breaches. $75,000 average loss for each BEC complaint, compared to $4,400 average loss for each ransomware complain. zdnet.com, ic3.gov (PDF)
Other newsy bits
Emotet malware can now spread itself via wifi networks
A new module for the Emotet malware family gives it the capability to brute force the password of nearby wireless networks. Where successful the malware could jump between business and personal networks physically located near to each other. It’s a novel way of increasing access to different networks, especially in built-up, urban environments (I can see 15 networks from where I am writing this in London.) Calling your wifi ‘FBI Surveillance Van’ or ‘Pretty Fly for a WiFi’ is unlikely to help, but setting a more complex wireless password is. zdnet.com
As Tesla gets more aggressive in revoking paid software features, people are jailbreaking their cars
Interesting post, originally on car site Jalopnik and subsequently Motherboard, about car owners choosing to hack and ‘jailbreak’ the firmware on their Tesla cars. It seems Tesla is remotely disabling some options from vehicles when they are resold (like ‘Ludicrous’ mode, autopilot, etc) even though the options are advertised in the sale. The articles point out: you wouldn’t expect Ford to come and take your 20” alloy wheels back. Digital transformation has opened up new commercial opportunities for businesses, perhaps re-selling $8,000 options to each user is part of Tesla’s business model? The result points to less secure, and less safe vehicles. jalopnik.com, vice.com
US charges four Chinese nationals over Equifax breach
Nine charges have been brought against members of the People’s Liberation Army of China for perpetrating the 2017 Equifax data breach. That answer’s the ‘why has none of the data appeared on the dark web’ question. The PLA has been fingered for several high profile data breaches in the US in the second half of the last decade: the Office of Personnel Management, Anthem and Marriott/Starwood, as well as Equifax. When you combine all of those data sets you get an intelligence agency’s dream: travel, health and credit worthiness info, to combine with lists of known security clearance levels. It gives the Chinese an unprecedented database of US intelligence community and who may be most susceptible to coercion. techcrunch.com, cyberscoop.com
How North Korea uses the Internet to circumvent international sanctions
Recorded Future has published an interesting analysis of North Korea’s internet usage. It’s up 300% since 2017, and has shifted from ‘leisure’ weekend usage to ‘professional’ 9-5, Monday-Friday usage. It comes alongside an increase in the use of the Internet to raise funds for a regime under tight sanctions. Attacks against SWIFT connections, cryptocurrency mining schemes and intellectual property theft. (H/T Brad Jones!) recordedfuture.com
In brief
Attacks, incidents & breaches
- Software error exposed the ID numbers for 1.26 million Danish citizens to Adobe, Google Analytics zdnet.com
- Nedbank says 1.7 million customers impacted by breach at third-party marketing company zdnet.com
- PhotoSquared app exposed customer photos and shipping labels techcrunch.com
Threat intel
- MalwareBytes 2020 State of Malware Report malwarebytes.com (PDF)
- February 2020 Patch Tuesday, one of Microsoft’s biggest ever, fixes 99 security bugs zdnet.com
- Phishing scams are costing us more than ever, gift card fraud on the rise zdnet.com
- WordPress Cookie Consent Plugin Fixes Critical Flaw for 700K Users bleepingcomputer.com
Security engineering
- OpenSSH adds support for FIDO/U2F security keys zdnet.com
- From March, Firefox will block weak HTTPS connections using TLS 1.0, 1.1 theregister.co.uk
Internet of Things
- Connected car rentals - still able to use car app weeks after returning the vehicle (Always find the infotainment ‘reset’ option when hiring a car!) zdnet.com
Privacy
- A new Senate bill would create a US data protection agency techcrunch.com
Mergers, acquisitions and investments
- Deep Instinct nabs $43M for a deep-learning cybersecurity solution that can suss an attack before it happens techcrunch.com
And finally
When physical security gets in the way of digital security…
The cryptographic keys that help protect and authenticate the ‘root’ Domain Name System (DNS) are kept behind a complex set of physical and procedural security arrangements. DNS is the ‘Internet phonebook’ used to match human readable domain names to computer routable addresses. Every three months this cryptographic material is updated, only this week the whole ‘ceremony’ was delayed because of a physical fault in one of the safes. Bruce Schneier has a good write up and link to other resources if you want to geek out. schneier.com