America's clean path is slippery

The Risky Biz newsletter for August 11, 2020...

You can subscribe to the weekly Seriously Risky Business newsletter at our SubStack page.

America’s ‘clean path’ is slippery

A US-China trade war and a global pandemic have in a few short months accelerated a drift into ‘network sovereignty’: a world in which the internet is no longer a truly open, global network.

US President Donald Trump signed two executive orders on Friday that will ban Americans from “transacting” with WeChat and TikTok, two consumer apps collectively used by over a billion people..

It’s the latest salvo in Trump’s provocatively named ‘Clean Network’ strategy, which aims to inoculate US networks from PRC influence and strong-arm allies into following suit – first on networks and networking equipment, now on apps and cloud services.

As predicted on the Risky Business podcast last week – a ban on WeChat was the only logical outcome from prior Trump complaints about TikTok. While WeChat has fewer US users, it’s a more pressing threat to US interests. Content on the app is monitored and moderated to suppress dissent, both in China and for Chinese migrants living abroad. It does not protect users with end-to-end encryption. Every message sent via WeChat is accessible to the Chinese government, and any competing messaging service that isn’t surveillance friendly is simply blocked. If you want messaging in China, you need to use WeChat.

A ban on transacting with WeChat or TikTok may be the fastest, most blunt way to address that threat, but it’s not the only way. Federal data protection laws might achieve the desired outcomes while also solving a great many more of America’s online ills. US regulators could have set a standard for data protection TikTok and WeChat couldn’t meet, at least not without making dramatic ownership and operations changes, and set dramatic penalties (such as a ban) for non-compliance. Laws that apply universally are also less exposed to legal challenge: TikTok reportedly plans to sue the US Government over Trump’s Executive Orders. But the dealmaker in Trump doesn’t want a longer-term policy solution so much as he wants leverage for trade deals and talking points for why “Sleepy Joe is soft on China”.

The US Secretary of Commerce has 45 days to determine the scope of the Executive Orders. This lines up neatly with the window Microsoft has been given to acquire the US, Australian and New Zealand operations of TikTok. National security expert Bobby Chesney told Risky.Biz that while there is an “off-ramp” for TikTok, “no one thinks there is one for WeChat.”

It’s difficult to gauge the second-order effects that will emerge from the ban. Global capital is enmeshed in WeChat in ways that aren’t immediately obvious.

Take, for example, the NYSE-listed Yum China, which licenses the KFC, Pizza Hut and Taco Bell brands in mainland China. Before COVID-19, Yum generated around 60% of its US$8 billion sales using digital channels. In its last COVID-affected quarter, over 86% of KFC sales – Yum’s biggest earner – went digital thanks to ‘mini-app’ campaigns facilitated through WeChat.

The fortunes of Chinese licensees for Starbucks, McDonalds, Walmart and many other brands that return revenue to US investors are likewise entwined with the app. If the final ban prohibits Apple from listing WeChat – the most commonly-used messaging app in China – in its China app store, who is going to want to buy an iPhone in China? Say goodbye to something like 80 million iPhone sales a year. Further, some of the world’s largest gaming companies are also owned by WeChat’s parent company, Tencent. US officials told the LA Times that the EO doesn’t apply to Tencent’s other companies, but definitions in the order are vague enough for Trump to bundle them in if he wants to.

Expect lobbyists for US companies with interests in China to fast-rope onto the White House roof any second.

China’s great firewall blocks latest web encryption specs

China’s great firewall has been updated to block all internet traffic sent using the latest privacy-enhancing features of the TLS protocol.

TLS1.3 is shaping to become the cryptographic protocol that protects the confidentiality of web traffic over the next decade. All modern web browsers are moving to support it and it’s already supported by just under a third of the world’s top 150,000 websites.

TLS1.3 supports features that can make it more difficult for an observer on the network to determine the destination address of an outbound connection. In particular, the ESNI extension encrypts the (otherwise plaintext) server name indicator (SNI) sent during the initial TLS handshake. This obfuscates a critical indicator network security devices and national censorship regimes rely on to make rapidfire decisions about what connections to block or allow.

The problem for China is twofold: if a user inside mainland China can access unfiltered domain name lookups (via DNS over https, or DoH), then blocking websites that support ESNI is close to impossible for censors. The second issue is that ESNI underpins a very powerful censorship bypass technique that would allow users inside China to access all websites, not just those that support TLS 1.3 with ESNI.

In one of the most compelling presentations at Def Con: Safe Mode over the weekend, Erik Hunstad revealed techniques and shared tools for what he calls ‘domain hiding’, a variation on domain fronting that abuses TLS1.3 and ESNI to mislead network operators as to the true destination of an attacker’s traffic.

This is useful for bypassing censorship controls like the Great Firewall of China, and hiding nefarious attacker traffic from network security teams. More on that later.

China is doing what it can to stay ahead of it. From July 20, 2020, China’s mass censorship system started dropping all inbound and outbound connections that use the TLS1.3 encrypted SNI (ESNI) extension.

This adds a new and intriguing dimension to network sovereignty. There is probably a way back from country-specific telecoms infrastructure, country-specific cloud services and country-specific apps in some better, future world. Is there a way back from country-specific support for internet standards?

Hunstad’s talk also illustrated how a malevolent attacker can use domain hiding to hide C2 traffic and data exfiltration from network security teams. There’s a nice/awful part of his presentation where he demonstrates how to abuse the privacy-conscious ‘do not inspect’ lists SSL interception vendors ship with their devices to hide traffic. He hid requests behind log-in pages, for example, or other pages where stripping encryption would expose highly sensitive information like user passwords. That’s a big quandary for defenders, who need to make another impossible trade-off between user security and user privacy.

Fundamentally, blue teams and censors bump into the same types of issues. Would we like to see ESNI-enabled traffic bypassing the Great Firewall of China? Of course! Would you like to see all the C2 traffic in the world bypassing the Great Firewall of Your Organisation the same way? Probably not.

Capital One pays the last of the big breach fines

Capital One has been slugged with a US$80 million fine by America’s financial regulator over its 2019 data breach, after being accused of failing to identify and mitigate the risks of migrating to the public cloud.

The personal details of over 100 million customers were stolen after an attacker with specialist knowledge of AWS roles abused a simple IAM configuration error.

Infosec pitch decks will hereafter highlight the US$80 million fine to win funding for cloud security programs. And while there will continue to be breaches caused by misconfigured cloud services (and class action suits to follow), recent shifts in the threat environment might negate the need for regulators to so aggressively pursue companies that slip up.

Back in late 2018 and early 2019, any single security incident could dominate the news cycle. Capital One announced the breach within a week of the FTC imposing a US$700m fine against Equifax, and amidst expectations of huge fines for British Airways and Marriott Hotels in the UK – fines that have repeatedly been deferred and discounted since.

In 2020, the human-operated ransomware phenomenon has changed that dynamic. Organised criminal gangs have hit on a simple and very profitable business model: steal data from compromised networks, encrypt everything on the network, ask for a six or seven figure ransom to decrypt the data and destroy the stolen files, and draw public attention to the incident to dial up the pressure to pay.

The data lost in ransomware-related breaches rarely match the scale and impact of events at Capital One and Equifax. But the volume of incidents that involve data theft has risen dramatically. Regulators do not have the resources to investigate and prosecute the many publicly-known breaches we’ve seen in 2020. If Risky Biz can barely keep up with the volume, regulators can’t either.

Ransomware crews have in some respects superseded a key function regulators play in the market. Fines for data breaches were introduced to address a specific market failure: without them, a data breach usually imposed more external costs on the community (via identity theft) than direct costs on the breached entity. The penalties were required to force companies to clean up their security act.

Ransomware attacks are now so high on the ‘likelihood’ axis that organisations in all industries have to consider the costs of disrupted operations and ransom payments. The average size of ransoms leaped 60% over the last quarter alone, as organised crime groups targeted larger companies. The average duration of a disruption to business operations now sits at around 16 days. That can cost quite a lot.

Adversaries now have a bigger say in determining what a poor security posture costs a company than regulators do. Regulators should now limit their focus to egregious negligence or wilful abuses of customer data. Criminals are already doing a good job of imposing costs on everyone else.

Australia wants boards held to account for infosec

Australia’s new 2020 cyber security strategy is the latest national plan to propose that company directors be held accountable for meeting minimum information security baselines prescribed by the government.

Australia’s Ministry of Home Affairs flagged “possible legislative changes that clarify the obligations for businesses… to protect themselves and their customers from cyber security threats” including new “duties for company directors”. These new rules of the road would affect both regulated and previously unregulated entities.

In the absence of anything more specific in the strategy document, Risky.Biz talked to some real experts on measuring cyber security maturity to suggest some ways forward. The story ran long, so you can read it in full at Risky.Biz.

ASD recruited to fight the battle at home

The Australian Government is on course to relax restrictions on the work of the Australian Signals Directorate, so that ASD’s offensive cyber teams can be tasked (subject to a warrant) with helping federal law enforcement agencies investigate serious crimes.

Today, Australia’s Intelligence Services Act stresses that the ASD is not a law enforcement body. The ASD can only act against Australian targets under a very limited set of circumstances.

Announcing a top-up in funding for ASD this week, Australia’s Home Affairs Minister Peter Dutton told reporters that it “would take years” for the Federal Police to “ramp up” the technical capabilities the ASD already has.

In other words, let’s just leave the nerds where they are and make them do tech support for everyone. A story as old as time…

America battles election interference… with SMS spam

The US State Department has SMS spammed mobile phone users in Russia and Iran, to raise awareness about a US$10m bounty for information that identifies or locates a foreign agent hacking US Government systems to interfere with US elections.

The SMS was sent to what appears to be a limited number of recipients from a service commonly used by commercial spam operators.

It’s difficult to gauge the deterrent effect without knowing more about the campaign. If highly targeted, it would signal to adversaries that their activities are being carefully watched by US authorities. If it wasn’t targeted, it would require an official Russian response or media outrage to amplify its effects. While the spam campaign did prompt a response from one Russian official and was amplified by Russia Today, the Moscow Times and other prominent publications, commentators sounded more tickled than outraged.

Hacker leaks passwords for 900+ enterprise VPN servers

The plaintext admin credentials for 900 hacked Pulse Secure VPNs have been shared in a cybercrime forum frequented by ransomware gangs. Catalin Cimpanu at ZDNet made the alarming discovery, and the stolen data looks legit. While numerous parties scanned for and exploited a known vulnerability (CVE-2019-11510) in Pulse Secure VPNs in recent months, the bar for exploitation by less capable actors has now been set much lower. Expect carnage.

“Iran here, is your F5 patched yet?”

The FBI warns that Iran’s state-aligned Fox Kitten/Parasite group is exploiting unpatched F5 Big-IP devices alongside a longer list of vulnerable networking equipment. Fox Kitten usually hands off access to compromised networks to other state-backed actors to do their worst with. So, you know. Good times.

Data-slurping startup could do with a better backstory

The Wall Street Journal exposed a US Defence contractor that reportedly paid the developers of over 500 mobile apps to use an SDK that surreptitiously collects location data from user devices. Affected apps were not named and the story doesn’t conclusively prove that Anomaly Six sells data to intelligence agencies.

NSA releases guide to hiding your location

Executive Orders are all the rage right now, but NSA has some different suggestions for how to prevent adversaries from accessing your location data. NSA’s newly-published guide to limiting exposure to location tracking is a handy document for your security awareness team.

Tor traffic hijacked in another cryptocurrency scam

Profit-motivated attackers have added hundreds of new nodes to the Tor network since May – at one point running a quarter of the world’s Tor exit relays – in order to perform MITM attacks on Tor users connecting to Bitcoin mixing services. The attackers downgraded their victim’s connection to HTTP and attempted to replace Bitcoin addresses entered into Bitcoin mixing services to steal cryptocurrency.

Ransomware crews target printer companies

Canon, LG and Xerox are the latest victims of the Maze ransomware crew. Maybe the Maze admins finally got sick of being told to “PC LOAD LETTER”.

Some long reads on disinfo

Disinformation experts poured scorn on a public statement on election interference by the US Office of the Director of National Intelligence (ODNI) this week, after it oversimplified the motivations and capabilities of China, Russia and Iran. A more detailed summary of how the US views Russia’s disinfo capabilities was published [pdf] separately by the State Department. For further balance, try Anna Arutunyan’s view in Foreign Policy: she believes Russia plays less like a Grandmaster and more like a chicken running around with its head cut off.

Enjoy this update? You can subscribe to the weekly Seriously Risky Business newsletter at our SubStack page. Feedback welcome at