Newsletters

Your weekly dose of Seriously Risky Business news is supported by the Cyber Initiative at the Hewlett Foundation.

A critical, trivially exploitable vulnerability in the management interface of F5’s Big-IP devices (CVE-2020-5902) is the latest in a string of nasty bugs in networking equipment critical to enterprise computing.

Like last year’s Citrix NetScaler and Pulse Secure vulnerabilities, this one is going to hurt.

Your weekly dose of Seriously Risky Business news is supported by the Cyber Initiative at the Hewlett Foundation.

Three US Senators have put forward a bill that apes the powers of the UK Investigatory Powers Act and Australia's Assistance and Access Act, while omitting many of the (albeit weak) safeguards that protect that power from being abused.

The Lawful Access to Encrypted Data Act of 2020, introduced by Republican Senators Lindsay Graham, Tom Cotton and Marsha Blackburn, compels device manufacturers and digital service providers to provide access to user data when served with a warrant. It’s the Nike approach: Just do it!

Your weekly dose of Seriously Risky Business news is supported by the Cyber Initiative at the Hewlett Foundation.

The Australian Government has lost patience with the cyber shenanigans of its largest trading partner, prompting the Prime Minister to make it publicly known that government and industry are becoming more frequent targets of state-backed cyber espionage.

Prime Minister Scott Morrison told reporters that an unnamed state-based actor is engaged in a campaign targeting all levels of government and private sector entities. An accompanying set of indicators released by the Australian Cyber Security Centre left little doubt as to who is responsible for the attacks.

Your weekly dose of Seriously Risky Business news is supported by the Cyber Initiative at the Hewlett Foundation.

Three indicators of compromise released in the NSA's May 2020 advisory [pdf] on recent Sandworm activity reveal a lot more about Russia's formidable military hacking teams than a one-off, opportunistic campaign to hack vulnerable Exim mail transfer agents (MTAs).

Threat hunters studying those IoCs have used them to identify a large amount of infrastructure that looks custom-made to conduct credential phishing attacks against email and social media accounts used in Western countries.

Your weekly dose of Seriously Risky Business news is supported by the Cyber Program at the Hewlett Foundation.

At the onset of the COVID-19 crisis, Risky Business predicted then tracked an increase in cyber-enabled espionage of medical research institutions.

We've been doing a lot of thinking about why. The urgent search for vaccines and treatments for the coronavirus appears a globally-organised, open and collaborative effort. Why do national governments feel compelled to hack research institutions to get the jump on progress? What national advantage does that information get them?

Your weekly dose of Seriously Risky Business news is supported by the Cyber Program at the Hewlett Foundation.

A US District Court has challenged the long-standing practice of using legal privilege to protect documents created during investigations into security incidents, by ruling that Capital One hand over a Mandiant IR report into its 2019 data breach.

Capital One argued that because its legal counsel commissioned the Mandiant report, the report's findings should be subject to legal privilege.

Your weekly dose of Seriously Risky Business news is supported by the Cyber Program at the Hewlett Foundation.

The United Kingdom has bowed to pressure from at home and abroad and agreed to remove Chinese vendors from its mobile telecommunications networks.

Prime Minister Boris Johnson's conservative government confirmed it will ask telcos to remove all Huawei equipment from UK networks by 2023. The move was motivated - in part - by US sanctions against Huawei, which are likely to force the company to swap out US and Taiwanese components in its equipment for Chinese-made chips.

Russia has some competition in the disinformation game.

The US administration's claim that the COVID-19 outbreak was caused by a laboratory accident was based on a report that has now been thoroughly debunked.

The Daily Beast asked Bellingcat and the Middlebury Institute to analyse a leaked 30-page report produced by DoD contractor Sierra Nevada Corporation, which circulated - and appears to have been taken seriously - by the White House and multiple Congressional committees. The Sierra Nevada report mined commercially-available cell phone location data to conclude that a disruptive event occurred at the Wuhan Institute of Virology in October 2019.  It casually attributed it to a coronavirus outbreak.

The United Kingdom has released the NHS COVID-19 app for users on the Isle of Wight. The app features a crafty workaround for keeping alive connections between iOS devices running in the background. The Financial Times also reports that an alternative version based on the Gapple framework is under parallel development, should it be required. The client-side source code for the NHS app was released on day one alongside high-level security designs, as was a lengthy justification by NCSC Director Dr Ian Levy of why the UK opted for a centralised approach. (Spoiler: UK authorities want to know more than which user was in proximity to a person that later tests positive to COVID-19. They don't want to miss out on the opportunity to build a social graph from incidental data pulled from an infected user's device - see 'other interaction data' on this infographic).

In Australia, government agencies are responding with newfound maturity to bugs in the COVIDSafe app after being grilled in a Senate Estimates hearing on Wednesday. Risky.Biz is aware of a new set of security and privacy bugs in COVIDSafe. One is a Denial-of-Service condition that impacts all derivatives of Singapore's TraceTogether (including COVIDSafe and ABTraceTogether in Alberta, Canada). Encouragingly, Australia's Digital Transformation Agency responded to security researchers within a day, validated the bug within a further three hours and promised a fix in a future release. The DTA also released client-side source code for the COVIDSafe contact tracing app. It doesn't reveal much more than what could be gleaned from decompiled code - so it's only a half-step to transparency at this point.

Europe continues to be split down the middle between centralised and decentralised approaches: Switzerland pilots its decentralised contact tracing app (based on DP-3T protocol) on May 13, and will pass similar laws to Australia that ban employers or other parties from forcing people to use the app. Austria's second attempt at a contact tracing app - also based on the decentralised DP-3T protocol - launches later today.  France's centralised app won't be available until June 2, while Germany has only just commissioned SAP and Deutsche Telekom to come up with an alternative.

How's this for a cogent data point: Catalin Cimpanu at ZDNet had the curiosity and foresight to search for the word 'ransomware' in recent SEC filings. Cimpanu found that over 1000 public US companies now list ransomware attacks as a forward-looking risk.

It wasn't long ago that a company getting popped in a ransomware attack would rate a mention on the Risky Business podcast. Today, it takes a novel attack to raise an eyebrow.

The risk community commonly views human-operated ransomware as a high impact event - the cost of attacks on Norsk Hydro (US$75m) and Travelex (US$30m) ensured it - but until recently it didn't score quite so high on the likelihood axis.