Newsletters

Your weekly dose of Seriously Risky Business news is supported by the Cyber Initiative at the Hewlett Foundation.

Three indicators of compromise released in the NSA's May 2020 advisory [pdf] on recent Sandworm activity reveal a lot more about Russia's formidable military hacking teams than a one-off, opportunistic campaign to hack vulnerable Exim mail transfer agents (MTAs).

Threat hunters studying those IoCs have used them to identify a large amount of infrastructure that looks custom-made to conduct credential phishing attacks against email and social media accounts used in Western countries.

Your weekly dose of Seriously Risky Business news is supported by the Cyber Program at the Hewlett Foundation.

At the onset of the COVID-19 crisis, Risky Business predicted then tracked an increase in cyber-enabled espionage of medical research institutions.

We've been doing a lot of thinking about why. The urgent search for vaccines and treatments for the coronavirus appears a globally-organised, open and collaborative effort. Why do national governments feel compelled to hack research institutions to get the jump on progress? What national advantage does that information get them?

Your weekly dose of Seriously Risky Business news is supported by the Cyber Program at the Hewlett Foundation.

A US District Court has challenged the long-standing practice of using legal privilege to protect documents created during investigations into security incidents, by ruling that Capital One hand over a Mandiant IR report into its 2019 data breach.

Capital One argued that because its legal counsel commissioned the Mandiant report, the report's findings should be subject to legal privilege.

Your weekly dose of Seriously Risky Business news is supported by the Cyber Program at the Hewlett Foundation.

The United Kingdom has bowed to pressure from at home and abroad and agreed to remove Chinese vendors from its mobile telecommunications networks.

Prime Minister Boris Johnson's conservative government confirmed it will ask telcos to remove all Huawei equipment from UK networks by 2023. The move was motivated - in part - by US sanctions against Huawei, which are likely to force the company to swap out US and Taiwanese components in its equipment for Chinese-made chips.

Russia has some competition in the disinformation game.

The US administration's claim that the COVID-19 outbreak was caused by a laboratory accident was based on a report that has now been thoroughly debunked.

The Daily Beast asked Bellingcat and the Middlebury Institute to analyse a leaked 30-page report produced by DoD contractor Sierra Nevada Corporation, which circulated - and appears to have been taken seriously - by the White House and multiple Congressional committees. The Sierra Nevada report mined commercially-available cell phone location data to conclude that a disruptive event occurred at the Wuhan Institute of Virology in October 2019.  It casually attributed it to a coronavirus outbreak.

The United Kingdom has released the NHS COVID-19 app for users on the Isle of Wight. The app features a crafty workaround for keeping alive connections between iOS devices running in the background. The Financial Times also reports that an alternative version based on the Gapple framework is under parallel development, should it be required. The client-side source code for the NHS app was released on day one alongside high-level security designs, as was a lengthy justification by NCSC Director Dr Ian Levy of why the UK opted for a centralised approach. (Spoiler: UK authorities want to know more than which user was in proximity to a person that later tests positive to COVID-19. They don't want to miss out on the opportunity to build a social graph from incidental data pulled from an infected user's device - see 'other interaction data' on this infographic).

In Australia, government agencies are responding with newfound maturity to bugs in the COVIDSafe app after being grilled in a Senate Estimates hearing on Wednesday. Risky.Biz is aware of a new set of security and privacy bugs in COVIDSafe. One is a Denial-of-Service condition that impacts all derivatives of Singapore's TraceTogether (including COVIDSafe and ABTraceTogether in Alberta, Canada). Encouragingly, Australia's Digital Transformation Agency responded to security researchers within a day, validated the bug within a further three hours and promised a fix in a future release. The DTA also released client-side source code for the COVIDSafe contact tracing app. It doesn't reveal much more than what could be gleaned from decompiled code - so it's only a half-step to transparency at this point.

Europe continues to be split down the middle between centralised and decentralised approaches: Switzerland pilots its decentralised contact tracing app (based on DP-3T protocol) on May 13, and will pass similar laws to Australia that ban employers or other parties from forcing people to use the app. Austria's second attempt at a contact tracing app - also based on the decentralised DP-3T protocol - launches later today.  France's centralised app won't be available until June 2, while Germany has only just commissioned SAP and Deutsche Telekom to come up with an alternative.

How's this for a cogent data point: Catalin Cimpanu at ZDNet had the curiosity and foresight to search for the word 'ransomware' in recent SEC filings. Cimpanu found that over 1000 public US companies now list ransomware attacks as a forward-looking risk.

It wasn't long ago that a company getting popped in a ransomware attack would rate a mention on the Risky Business podcast. Today, it takes a novel attack to raise an eyebrow.

The risk community commonly views human-operated ransomware as a high impact event - the cost of attacks on Norsk Hydro (US$75m) and Travelex (US$30m) ensured it - but until recently it didn't score quite so high on the likelihood axis.

It's seriously risky business to shut the world's second-largest economy out of your telecommunications sector altogether.

This week the US Federal Communications Commission ordered three Chinese State-owned telcos to 'show cause' for why it shouldn't expunge their license to operate in the United States.

FCC previously banned Chinese networking equipment, blocked China Mobile from entering the US market and blocked Google from connecting undersea cables between the US and Hong Kong.

As discussed on our livestream, there are no technical impediments to capturing enrolment data in apps that make use of the Gapple API. Developers could feasibly link contact details captured at enrolment to notifications generated through the Gapple API to support existing manual contact tracing processes. The only change use of the Gapple framework imposes on an app is the order in which an at-risk individual is notified - first by the Gapple OS feature, followed by a call from health authorities.

This analysis assumes Apple and Google won't block apps that include these additional features. It's incumbent on the mobile OS companies to provide assurance to health authorities by clearly elucidating to the public what would constitute abuse of the service.

More broadly, the EU announced a minimum set of requirements for all contact tracing apps across Europe, insisting on user consent, no location tracking, anonymised data and a post-pandemic plan for switching off tracing features. EU academics are meanwhile split over whether to take a decentralised approach to contact tracing (using the DP-3T contact tracing protocol) or to allow health authorities greater control and access to data (the ROBERT protocol).

Apple and Google have answered a call from policy makers to build a consent-based contact tracing tool for Android or iOS devices.

The two organisations will release OS updates in mid-May that allow health authorities to use 'contact detection' APIs developed by Apple and Google to launch multi-platform contact tracing apps.

Under the published design, if two users of these apps have been in close proximity for a designated period of time, their devices exchange a set of identifiers (ephemeral 'tracing keys') via Bluetooth Low Energy (BLE). Storage of these anonymised identifiers is decentralised - stored only on user devices.