Robins Newsletter #99

10 May 2020. Volume 3, Issue 19
Contact tracing apps, password reuse stats, law firm ransomware, and the integrity of systems

This week

Privacy concerns over contact tracing app

These issues have been bubbling away (vol. 3, iss. 16, 18) for the last few weeks and have come to a head in the UK following the launch of a trial on the Isle of Wight.

NCSC’s Technical Director, Dr Ian Levy, has posted a breakdown of the ‘small part’ that NCSC has played in the design of the app and the decisions that have been made, for example favouring a centralised rather than decentralised approach.

There have been reports that the app appears to break guidelines on app development set by Apple and Google for their respective platforms. These are ‘unprecedented times’; however, granting exemptions places those companies in an awkward position when other regimes come asking for similar exemptions. (See Ben Evans’ tweets.)

Without these exceptions the efficacy of the NHSX app would plummet. The NHSX app already relies on looser Android SDK restrictions because iOS apps aren’t able to engage in persistent background activities for privacy reasons. The source code has now been published and I expect some more detailed write-ups in the coming weeks.

It feels a lot like contact tracing apps are this week what infection-rate graphs were early in the pandemic, and the UK may still ditch the NHSX app in favour of the ‘Gapple’ (Google + Apple) developed decentralised system. That has the benefit of working across national boundaries (e.g. the Northern Ireland border).

Data sharing within the public sector is notoriously bad. UK government departments struggle to share data with one another for a variety of reasons, including basic ones like not having a common way to identify an individual. It is the private sector where my concerns lie: the rise of ‘corporate tracing apps’ by for-profit organisations takes the current privacy concerns but puts the data in the hands of organisations that are much more likely, and ready, to exploit it.

McKinsey offers some interesting perspectives on both public, and private-sector contact tracing if you want to read more on this emerging trend.

The NHSX app has been developed at break-neck speed. I’m sure that, and the inevitable shifting nature of designs, has contributed to a large volume of negative press coverage. It will likely have been extremely difficult to present a confident, clear message against a backdrop of shifting technology challenges. That’s been exacerbated by the arrogant and aggressive comms strategy (both to journalists and by MPs questions in Parliament).

I’m sure it will make an interesting case study in the future: getting your messaging right when it comes to privacy and security isn’t optional any more. You will get called out on it.

Ultimately I hope that all the negative press and mixed messages do not undermine the efforts significantly and that the app itself may — indeed I hope will — prove to be successful. bbc.co.uk, ncsc.gov.uk, @benedictevans, theguardian.com (Android/iOS), bbc.co.uk (source code) order-order.com (comms style) theguardian.com (Gapple switch), theregister.co.uk (data retention), mckinsey.com

Interesting stats

It was world #PasswordDay on Thursday and if you’ve been wondering why credential stuffing attacks are so successful… 91% of people say they know reusing passwords is a risk, but 66% of them do it anyway (up 8% on 2018), and 59% do not change their password after a breach, according to LastPass lastpass.com

(I have some LastPass Premium subscriptions available on a first-come, first-serve basis if you need a password manager: just reply to this email.)

“We do anticipate the revenue and corresponding margin impact [of the ransomware incident] to be in the range of $50 million to $70 million for the quarter” — Karen McLoughlin, CFO, Cognizant zdnet.com

8% of active, public repositories on GitHub had a ‘secret’ (a machine-to-machine password) exposed during the last month, according to GitHub wired.com

Other newsy bits

GSM Law hit by ransomware

New York-based Grubman Shire Meiselas & Sacks (GSM), a law firm that specialises in media and entertainment, appears to have fallen victim to a REvil/Sodinokibi ransomware attack. The company, whose website is currently displaying a simple logo splash page, represents acts including Lady Gaga and Madonna, sports stars including Cam Newton and Mike Tyson, and companies such as Activision and HBO.

Ransomware gangs increasingly take copies of data before encrypting it to increase the leverage they have over their victims. In this case unconfirmed reports claim that 756GB of data has been exfiltrated from the law firm that will almost certainly contain information that they, and their clients, wish to keep confidential.

Security investment at law firms comes at the expense of partners’ profit-shares, and so getting buy-in for expensive technology or security transformation programmes can be challenging. These new tactics should especially be a concern to those holding sensitive information, such as law firms like GSM, whose business model relies on trusted relationships. It makes them prime targets for this sort of attack.

Also this week, a ‘data security flaw’ in systems by Advanced Computer Software (ACS) left 10,000 legal documents of 190 UK law firms accessible in an online database. variety.com, bleepingcomputer.com, ft.com (ACS)

Roblox support agent bribed to give access to players’ data

A hacker bribed a support agent of Roblox, a world-building game with over 100 million monthly active users, to gain access to player accounts and personal data. They didn’t really seem to know what they were doing it for - to prove a point, or claim a bug bounty - though it serves as a good reminder of some customer service and support portal tips:

  • Implement multi-factor authentication (MFA) on admin portals that are remotely accessible, as this helps to protect accounts when legitimate users are phished or share their login details
  • Create audit logs, and display some of this content to support agents so they know actions are being monitored
  • Use least privilege models for some features: customer support interfaces shouldn’t be a way to get ‘god mode’ over an account
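The three tips above, put together as an added example (not Roblox’s code, and not part of the original newsletter): a small support-portal gateway in which every agent session must be MFA-verified before any action is allowed, each role gets only the actions it needs (no role can set a password or read an unmasked email address), and every attempt, allowed or denied, lands in an audit log that the agent can see on their own dashboard. The roles, actions and the `player123` account are constructed for illustration.

```python
"""Least-privilege, MFA-gated, audited customer-support gateway (illustrative only)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List

# Constructed sample account data; not real user records.
ACCOUNTS: Dict[str, dict] = {
    "player123": {"email": "alice@example.com", "banned": True},
}

# Role -> allowed actions (hypothetical roles). Note what is absent: no role can
# set a password, read a full email address, or otherwise take over an account.
ROLE_PERMISSIONS = {
    "support_t1": {"view_profile", "send_password_reset"},
    "support_t2": {"view_profile", "send_password_reset", "unban"},
}


@dataclass
class Session:
    agent: str
    role: str
    mfa_verified: bool  # set by the portal's login flow after a successful MFA step


@dataclass
class AuditRecord:
    ts: str
    agent: str
    action: str
    target: str
    outcome: str


AUDIT_LOG: List[AuditRecord] = []  # append-only in this demo; ship to a SIEM in practice


def _audit(session: Session, action: str, target: str, outcome: str) -> AuditRecord:
    rec = AuditRecord(datetime.now(timezone.utc).isoformat(), session.agent, action, target, outcome)
    AUDIT_LOG.append(rec)
    return rec


def mask_email(email: str) -> str:
    """Show the agent enough to confirm identity with the caller, not the full address."""
    local, _, domain = email.partition("@")
    return local[:1] + "***@" + domain


def perform(session: Session, action: str, target: str) -> dict:
    """Single choke point for support actions: MFA gate, role check, then audit."""
    if not session.mfa_verified:
        _audit(session, action, target, "denied:mfa")
        raise PermissionError("portal requires an MFA-verified session")
    if action not in ROLE_PERMISSIONS.get(session.role, set()):
        _audit(session, action, target, "denied:role")
        raise PermissionError(f"role {session.role!r} may not {action!r}")
    account = ACCOUNTS.get(target)
    if account is None:
        _audit(session, action, target, "denied:no_such_account")
        raise KeyError(target)

    if action == "view_profile":
        result = {"email": mask_email(account["email"]), "banned": account["banned"]}
    elif action == "send_password_reset":
        # The reset link goes to the account holder; the agent never sees or sets a password.
        result = {"reset_sent_to": mask_email(account["email"])}
    else:  # "unban"
        account["banned"] = False
        result = {"banned": False}
    _audit(session, action, target, "ok")
    return result


def recent_activity(agent: str, limit: int = 5) -> List[str]:
    """What an agent sees on their own dashboard: their last logged actions, denials included."""
    mine = [r for r in AUDIT_LOG if r.agent == agent]
    return [f"{r.ts} {r.action} {r.target} {r.outcome}" for r in mine[-limit:]]


if __name__ == "__main__":
    tier1 = Session("agent1", "support_t1", mfa_verified=True)
    print(perform(tier1, "view_profile", "player123"))
    for attempt in ("unban", "set_password"):
        try:
            perform(tier1, attempt, "player123")
        except PermissionError as exc:
            print("denied:", exc)
    print("\n".join(recent_activity("agent1")))
```

The point of routing everything through `perform` is that there is exactly one place to enforce the MFA gate and the role table, and exactly one place that writes the audit record, so a bribed or phished agent can neither reach an action their role lacks nor do anything that is not logged.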

In-game items and micro-transaction payments have become the norm for many game developers, seeking alternative revenue streams (that endure beyond the initial point of purchase) and keeping gamers engaged with new content. The digital characters can become extremely valuable, representing months, or even years, worth of time invested. vice.com

In brief

Attacks, incidents & breaches

Err, quite a few, this week!

  • Aussie transport business Toll Group suffers second outbreak of different ransomware in three months (vol. 3, iss. 6) theregister.co.uk
  • Europe’s largest private hospital operator, Fresenius, victim of Snake ransomware attack krebsonsecurity.com
  • CPC Corp, Taiwan’s state-owned energy company, hit by ransomware attack cyberscoop.com
  • U.S. Marshals Service only just notifying victims of data breach discovered in December 2019 techcrunch.com, zdnet.com
  • Train manufacturer Stadler being extorted following data breach bleepingcomputer.com
  • SSH Keys of 28,000 GoDaddy hosting customers compromised in incident discovered after seven months bleepingcomputer.com
  • P…orn Waterhouse Coopers: PwC domain used to serve pornography after poor decommissioning of cloud service theregister.co.uk
  • Adult site CAM4 left 7TB ElasticSearch database exposed wired.com

and…

  • 91 million user records from: Zoosk, Chatbooks, SocialShare, Home Chef, Minter, Chronicle of Higher Education, GGuMim, Mindful, Bhinneka, and Star Tribune posted online for sale by new group ‘ShinyHunters’ zdnet.com
  • ShinyHunters also behind alleged leak of 500GB of data from private Microsoft repositories bleepingcomputer.com

Threat intel

  • Lazarus group hiding trojan inside legitimate one-time password app for MacOS, targeting Chinese users bleepingcomputer.com
  • Salt configuration management instances (inc. Ghost CMS, Lineage OS) being compromised using authorisation bypass, following disclosure of vulnerability theregister.co.uk, f-secure.com (advisory)

Vulnerabilities

  • Cisco releases patches for 12 high-severity vulnerabilities in Adaptive Security Appliance, Firepower Threat Defense platforms theregister.co.uk
  • SAP contacting ~40,000 (9%) of customers over vulnerability in Success Factors, Concur, and other SAP cloud products, security updates due over next 8 weeks(!!) zdnet.com
  • Patched ’zero-click’ vulnerability in Samsung’s messaging app on Android phones caused by parsing of images in multimedia messages theregister.co.uk

Security engineering

  • GitHub releases code-scanning, key/credential-finding tools for free to open source projects theregister.co.uk, wired.com
  • POWER-SUPPLaY modulates the compute workload of air-gapped computers to transmit data out of them using their PSU theregister.co.uk

Internet of Things

  • Phone books, call logs, calendar entries, Spotify and Wi-Fi passwords and session cookies that allowed access to Netflix and YouTube accounts found stored in plaintext on old Tesla ‘media control units.’ The MCUs are meant to be destroyed or returned to Tesla by dealers, but many are being sold online arstechnica.com

Privacy

  • UK Information Commissioner publishes priorities that “reflect the requirements and reality of those we regulate” while they “must also protect people’s privacy” ico.org.uk

Law enforcement

  • Five arrested in Poland behind ‘Infinity Black collections’ password dumps zdnet.com

Mergers, acquisitions and investments

  • Zoom acquires Keybase to bring end-to-end encryption, security engineering expertise techcrunch.com

And finally

You’ve got to protect the integrity of your systems, especially if they involve snitching on your neighbours

The U.S. state of Ohio has launched a website for employers to report citizens who are refusing to work because of fears of the Coronavirus (COVID-19) pandemic. The website lodges a ‘fraud report’ to prevent state unemployment insurance being paid. That hasn’t gone down too well with locals and now one hacker has generated a script to bombard the website with spurious data.

“It needs to be so much data that their ability to investigate these ‘fraud’ cases is hampered.”

The script is now packaged as a tool that other locals can run on their computer to contribute to the volumes of data from a variety of IP addresses in an attempt to make it extremely difficult for the state to work out which are legitimate fraud reports, and which are fake data. vice.com

Robin
