Newsletters

Written content from the Risky Business Media team

Srsly Risky Biz: Thursday July 21

Presented by

Tom Uren

Policy & Intelligence

Your weekly dose of Seriously Risky Business news is written by Tom Uren, edited by Patrick Gray and supported by the Cyber Initiative at the Hewlett Foundation, and founding corporate sponsor Proofpoint.

The first ever Cyber Safety Review Board (CSRB) report has landed. It's an excellent deep dive on the Log4j event, but the broadness of its recommendations shows just how far we have to go to make critical software safer.

First, the findings. The Board found that the Log4j vulnerability (as we covered here) was a bad one made worse by common practices in modern software development. It's likely that other just as bad vulnerabilities are still out there, so a whole lotta work needs to be done across the software and cyber security ecosystem to mitigate the risks.

Risky Biz News: Google removes app permissions from the Play Store

Presented by

Catalin Cimpanu

News Editor

As Mishaal Rahman, the former editor-in-chief at XDA Developers, points out in a Twitter thread, the change is a major shift in policy for the Google Team—for two reasons.

The first is that Google is moving away from a hard-to-understand list of technical permissions to something that is easier for laypeople to understand. An app using an unusual permission doesn't always mean the app developer is collecting user data through it. The permission might be needed for some banal on-device operation that isn't damaging to a user's privacy at all. Google's plan for the Data Safety section is to tell users what data is actually collected and how that data is being handled or shared by the app developer.

But here comes the second reason why this change is a big deal—namely, that the Data Safety section won't be automatically parsed from an app's manifest file and code, but it will be written by the app developer.

Risky Biz News: Chinese APT targeted White House reporters ahead of Jan. 6 insurrection

Presented by

Catalin Cimpanu

News Editor

US senators propose crackdown on shady VPNs: Two Democrat senators have asked the FTC to look into the deceptive practices of VPN companies. The two want the FTC to look at how VPN companies use false or misleading claims about user anonymity in their ads, the sale of user traffic data to third parties, and if the companies disclose when they share user data with law enforcement agencies.

Iran puts the entire country in Safe Search mode: Several Iranian users reported on Wednesday that Iranian internet service providers started replying to DNS queries for the main Google.com domain with the Lock SafeSearch URL of forcesafesearch.google.com. This is a known feature of the Google search engine that's usually employed in controlled corporate environments, where companies prevent users from searching for inappropriate content. Apparently, this is also the second time the Iranian government has done this.

KillNet: Intel471 has a report out on the operations of pro-Russian hacktivist group KillNet and its recruitment, tactics, techniques, and procedures.

Risky Biz News: New side-channel attack disclosed in Intel and AMD processors

Presented by

Catalin Cimpanu

News Editor

ETH researchers noted that installing these patches will have an impact on the CPU's performance metrics between 14% and 39%, and another issue they found in AMD processors that they named Phantom JMPs (CVE-2022-23825) might even come with a 209% performance overhead.

Concerns about this performance hit will most likely result in many people not installing the patches to protect themselves against "exotic attacks" that are unlikely to be seen in the wild, at least yet.

In some ways, this side-channel research is similar to the first cryptography attacks from the 90s and early 2000s, all of which broke smaller pieces of various cryptographic operations, with each new piece of research building on top of the previous work until, at a certain point, major cryptographic algorithms started falling.

Risky Biz News: Thousands of Yubikeys have been deployed in Ukraine, more to come

Presented by

Catalin Cimpanu

News Editor

More than 16,000 Yubikeys have been deployed to Ukrainian government executives, workers, and employees of private companies in Ukraine's critical sectors in the aftermath of Russia's invasion.

The initiative is spearheaded by Hideez, a Ukrainian security firm specializing in identity services and FIDO consultancy. Earlier this spring, the company secured a donation of 30,000 Yubikey security keys from hardware authentication device maker Yubico.

Since then, Hideez's staff has been working with Ukrainian government agencies like the Ministry of Digital Transformation, the National Security and Defense Council, and the State Service of Special Communications and Information Protection of Ukraine (SSSCIP) to ensure the devices can be imported into the country, that government infrastructure is prepared for the keys' rollout, and that recipients receive the necessary training.

Risky Biz News: Apple debuts Lockdown Mode to protect users against high-end spyware

Presented by

Catalin Cimpanu

News Editor

Apple says that once users enable Lockdown Mode, iOS and macOS will be put into what the company describes as an extreme and super-secure protection mode.

What happens under the hood is that iOS and macOS will turn off some of their internal services and features that are commonly abused by threat actors to attack and compromise devices. Apple said that Lockdown Mode would focus on five major areas of concern for the company. This includes:

Lockdown Mode is not meant for everyday users

Srsly Risky Biz: Thursday July 7

Presented by

Tom Uren

Policy & Intelligence

We wonder why the Shanghai police needed data on a billion people, but both CNN and the Wall Street Journal verified a (tiny tiny, lol) subset of the data. News of the leak is being censored on Chinese social media, which may be as close as we'll get to official confirmation.

Read more about this story in Risky Biz news.

Ciaran Martin, former head of the UK's NCSC, has an excellent thread about how cyber capabilities fit into the structure of a Defence force, riffing off a speech by UK Chief of the General Staff General Sir Patrick Sanders. In short, even destructive cyber capabilities don't replace conventional military force but are instead complementary.

Risky Biz News: China faces its first truly mega-leak

Presented by

Catalin Cimpanu

News Editor

According to a sample released by the threat actor, the data contains details such as names, addresses, national ID numbers, mobile numbers, and police and medical records.

ChinaDan said they are currently looking for buyers for this gigantic data trove, with which they were willing to part ways for the tiny sum of $200,000 worth of Bitcoin.

While previous leaks sold for this price have often turned out to be scams or publicity stunts, reporters from the Wall Street Journal and CNN said they already confirmed the data's authenticity with some of the victims who had information listed in ChinaDan's samples.

Risky Biz News: HackerOne discloses malicious insider incident, and nobody's surprised

Presented by

Catalin Cimpanu

News Editor

DNS hijack incident: Ankr, a company that provides server infrastructure for blockchain companies, disclosed a security breach on Friday, revealing that a threat actor social-engineered a Gandi employee to take control over some of its servers. The company said the attacker modified two nameservers in order to redirect traffic from two RPC servers to malicious versions. These two servers handled traffic for Polygon and the Fantom Foundation, two organizations that specialize in Ethereum-based infrastructure. Both companies confirmed the RPC infrastructure hijack but did not provide any details about the impact on their customers.

China to invest in its own OS: A group of ten Chinese tech companies have agreed to help Kylinsoft build a new project named openKylin, meant to help improve the open-source development of Kylin, China's national operating system. The move comes as western software companies, such as Microsoft and Apple, are pulling out of Russia and creating technical issues for the Russian government, which, just like China, is incredibly dependent on US-made operating systems.

Azure AD now supports temporary passcodes: Microsoft has formally launched a new feature called Temporary Access Pass for Azure AD. The feature allows Azure AD servers to issue time-limited passcodes to a company's employees. These passcodes can be used by employees to register new accounts or reset accounts where they lost access. Microsoft said the feature should be used by companies that have migrated their employees to passwordless setups where employees use hardware security keys, authenticator apps, or biometrics to access their accounts and need a temporary way to let users register or reset access to accounts.

Risky Biz News: Half of 2022's zero-days are variants of older vulnerabilities

Presented by

Catalin Cimpanu

News Editor

Stone argues that vendors should do more root cause analysis of their own. First, because it helps the security industry; second, because it helps the company's own developers too; but third, and most important, because it makes an attacker's job harder and may delay future attacks.

OpenSea malicious insider: OpenSea, today's largest NFT marketplace, has suffered a malicious insider incident. The company said that an employee of Customer.io, its email delivery vendor, misused their access to download the email addresses of OpenSea users who signed up for the marketplace's newsletter.

Walmart denies ransomware attack: US retail giant Walmart has denied getting hit by a ransomware attack. The company's name had been recently listed on the leak site of the Yanluowang ransomware gang, with the group claiming to have encrypted between 40,000 and 50,000 of the retailer's systems.