
Robin’s Newsletter #94

Vol. 3, Iss. 14. 05/04/2020, last updated 06/04/2020. Robin Oldham


At Cydea this week we trialled a series called Security Watercoolers, to bring together people to share experiences, knowledge and some informal, lockdown-busting conversation.

Thank you to everyone who participated. Especially Phil Huggins, Tim Ward, Tim Orchard, Stephanie Albertina and Jessica Lennard, who co-hosted the sessions through the week on NIST’s Identify, Protect, Detect, Respond and Recover categories respectively.

Check out the notes from each session, on the Cydea blog, for some of the insights.

This week

All about Zoom

It’s been a rollercoaster ride for video conferencing app Zoom. While its customer base has grown 2,000% from 10 million to 200 million ‘daily meeting participants,’ the company has also faced a lot of negative press over its security and privacy practices.

Firstly there were concerns over its privacy policy not being clear about how data would, or wouldn’t, be used; then there is the fact that the company is Chinese-owned; while latterly, and almost inevitably given the booming popularity of the app, security researchers were quick to find some vulnerabilities in the Zoom app.

‘Zoombombing’ came next, with nefarious individuals ‘war dialling’ for meeting IDs that did not have a password set, then joining to disrupt meetings and screen share pornographic or obscene content. (The DOJ has ruled Zoombombing illegal.) This problem isn’t isolated to Zoom: any conferencing app (video or audio) that just needs a meeting code to join is susceptible.

On balance though, the company has responded promptly to update privacy policies, patch vulnerabilities and change the language on its website. A blog post from CEO Eric Yuan said the company had ‘fallen short’ of security and privacy expectations.

And that is where I think this is really interesting. The coverage was, largely, based around hypotheticals. The company hadn’t suffered any data breach or successful attack against their systems. The risk here is actually less ‘cyber’ and more one of ‘trust’. People have higher expectations of how companies securely develop and deliver services, and protect their data. It is no longer an optional, or bolt-on, thing. Perhaps that has traditionally been the culture at Zoom, which was found last year to leave a vulnerable web server installed on computers after the app was uninstalled (vol. 2, iss. 28).

Yuan’s blog post stated that the company has frozen new feature development for the next 90 days to focus on security and privacy reviews and updates. That should help to stem some regulatory concerns, though class-action lawsuits in the US have already been instigated.

With market capitalisation swelling to over $34B, and company shares worth double what they were at the start of the year, maybe the impact of that ‘trust’ risk may be acceptable to the board and shareholders.

Ultimately all the attention can only be a good thing: the company will have to tighten security in its service and development processes.
Security researcher Kenn White’s quote in WIRED sums it up best for me: “It’s absolutely fair to put public pressure on Zoom to make things safer for regular users. But I wouldn’t tell people ‘Don’t use Zoom.’ It’s like everyone is driving a 1989 Geo and security folks are worrying about the airflow in a Ferrari.”

After all, can you imagine trying to talk a parent through installing and using Cisco Webex?

techcrunch.com (roundup), cyberscoop.com (vulnerabilities), krebsonsecurity.com (war dialling), bleepingcomputer.com (zoombombing), zoom.us (official response), ft.com (regulators), wired.com

Interesting stats

400% increase in COVID-19 related fraud reported to the City of London Police, and £970,000 losses to COVID-19 fraud reported to Action Fraud, since the beginning of February ft.com

41% increase in RDP servers visible on the Internet, up to 4.4M since early March, according to Shodan data zdnet.com

39% of people think companies should pay to retrieve personal information about employees, according to a survey of 3,000 people by Kaspersky kasperskydaily.com (PDF)

90,000 monthly business email compromise (BEC) scams attempted by Nigerian SilverTerrier group, according to Palo Alto cyberscoop.com

775% increase in usage of Microsoft’s Azure cloud platform bleepingcomputer.com

Other newsy bits

Remember that the cloud is just someone else’s data centre

Off the back of the last Interesting Stat, it’s worth a quick note on cloud platforms. There is no doubt they offer lots of flexibility and benefits. However their capacity is not infinite and at the end of the day they are just somebody else’s data centre. The COVID-19 pandemic is an extreme event and, with some users unable to start new instances this week, it is testing business continuity and disaster recovery assumptions that the cloud will just scale to meet your needs. zdnet.com

Second data breach for Marriott

Details of 5.2 million customers have been stolen from the hotel chain, which announced its second data breach in as many years this week (vol. 1, iss. 24). The data included names, email and postal addresses, phone numbers, gender, birthday, and loyalty information.

The attackers used employee credentials to gain access in January, and were detected at the end of February, meaning that it has taken over a month to notify customers of the breach (though that is one-third the time it took them previously). With so many usernames and passwords now available for criminals to try, it is important that passwords are not re-used, especially across business applications.

Earlier this year (vol. 3, iss. 1) the ICO agreed to a delay in finalising the monetary penalty for both Marriott and BA’s data breaches. Mishcon has an interesting piece pointing out that, with travel industry companies suffering significantly from the economic impacts of COVID-19, both companies may be on the way to reduced penalties. wired.com, theregister.co.uk, mishcon.com

Bug bounty programmes promote (non-)disclosure

An interesting read from CSO: ‘Responsible’ disclosure of vulnerabilities by security researchers is an emotive subject. Many heated debates have been had about how long companies should be given to respond to (and patch) issues, thus keeping users safe. Often those disclosures happen within the research community so that others can learn, software vendors are, in theory, held accountable, and customers can make informed choices about their security. The rise of bug bounty platforms like HackerOne and BugCrowd makes it easier for companies to offer and manage such programmes and reward researchers for their findings. That is also coming with stricter non-disclosure agreements and gagging orders on the participants of such programmes, and their findings, leading to some claiming they are a way for companies to ‘buy silence’ and avoid the negative publicity of security issues. csoonline.com

Morrisons cleared of wrong-doing in employee data breach

Supermarket chain Morrisons has won its Supreme Court appeal against a ruling that they were responsible for a data breach caused by a rogue insider. The aggrieved employee published fellow employee data on the Internet with the intent to damage the company (vol. 2, iss. 45). The case sets legal precedent for when ‘vicarious liability’ applies:

“In a case concerned with vicarious liability arising out of a relationship of employment, the court generally has to decide whether the wrongful conduct was so closely connected with acts the employee was authorised to do that, for the purposes of the liability of his employer, it may fairly and properly be regarded as done by the employee while acting in the ordinary course of his employment.” — Lord Reed theregister.co.uk

In brief

Attacks, incidents & breaches

  • A hacker has wiped, defaced more than 15,000 Elasticsearch servers zdnet.com
  • Personal details for the entire country of Georgia published online zdnet.com

Threat intel

  • Mishcon de Reya have a good round-up of COVID-19 threat intelligence mishcon.com (PDF)
  • Cyber Threat Coalition has a human-verified list of COVID-19 related phishing and scam related domain names cyberthreatcoalition.org (txt)
  • Zeus Sphinx (AKA Zloader, Terdot) resurrected in government aid ‘malspam’ campaign targeting US, Canadian, Australian banks. securityintelligence.com
  • An interesting summary of an Emotet infection that overheated computers and saturated network bandwidth from Microsoft bleepingcomputer.com
  • A second good post from Microsoft this week about some of the work they have been doing with hospitals to address insecure RDP or VPN servers. The post contains some useful event codes to be looking for in Microsoft event logs microsoft.com
  • Magecart style web-skimming attacks will either rise (Wired) or stay the same (ZDNet) according to two interviews involving RiskIQ four days apart. (FWIW, I’d expect the focus of attackers to shift and follow where consumers are spending money) wired.com, zdnet.com
  • APT37 / Suspected North Korean hackers resume spearphishing campaign targeting people interested in North Korean refugees cyberscoop.com
  • Docker servers targeted by new Kinsing malware campaign zdnet.com

Security engineering

  • Amazon releases ‘Detective’ that will help analysts investigate AWS security incidents zdnet.com
  • Mozilla releases Firefox 74.0.1 and Firefox ESR 68.6.1 to address two critical vulnerabilities bleepingcomputer.com
  • Safari vulnerabilities patched that would have given attacker access to microphone, webcam of Apple devices wired.com

Privacy

Quite a bit this week on using technology to track citizens during the Coronavirus (COVID-19) pandemic:

  • Google releases ‘Community Mobility Reports’ showing aggregate data of how communities are spending more, or less, time at different places. The data is sourced from users of Google Maps cnet.com, google.com
  • Meanwhile Western Australia state officials have given themselves powers to install surveillance equipment in people’s homes, or compel them to wear tracking devices theregister.co.uk
  • The UK Information Commissioner’s Office has OK’d the use of anonymised mobile phone location data by the government to track public adoption of social distancing measures. The data will be owned by the NHS, held in Azure, and Palantir, Amazon and Google will have access. It is to be ‘returned or destroyed’ at the end of the pandemic. bleepingcomputer.com

And finally

Epic Games offers $1M for proof of smear campaign

Video conferencing apps have exploded in popularity as many countries around the world implement measures that require people to stay at home. One of those is Epic Games’ Houseparty that was accused of leaking customer details this week. Epic has offered $1 million for evidence that it is the victim of a ‘commercial smear campaign’ by one of its rivals. bbc.co.uk

Plus Boris tweeted the Cabinet meeting ID

Book-ending with another Zoom-related story: Welcome to the #OpSecFail club, Boris! @BorisJohnson