Albania Severs Diplomatic Ties With Iran Over Cyber Attack

PLUS: A deep dive on Cloudflare's Nazi cuddling ways...

Your weekly dose of Seriously Risky Business news is written by Tom Uren, edited by Patrick Gray and supported by the Cyber Initiative at the Hewlett Foundation and founding corporate sponsor Proofpoint.

Cloudflare: Still Number One With Nazis

After significant community pressure, Cloudflare has dropped Kiwi Farms, a decade-old website notorious for planning and executing harassment campaigns targeting transgender and other marginalised people.

Kiwi Farms is a terrible website. NBC reporter Ben Collins has done some excellent reporting on the site, which he says "extremist researchers warned me not to cover because publicising it would be dangerous".

Kiwi Farms has become synonymous with doxxing (the release of an individual’s identifying information with malicious intent), swatting (a term for when an anonymous person sends an urgent, false tip to the police about a violent crime in a victim’s home in the hopes that law enforcement will raid it and potentially harm the person inside), and archiving controversial materials such as manifestos by mass shooters and recordings of their livestreams.

The forum is a massive archive of sensitive information on their targets, which has been used to repeatedly harass them. Kiwi Farms’ most notorious section is titled “lolcows” and targets transgender people.

The archive often features social media pictures of their targets’ friends and family, along with contact information of their employers. The information is used in an effort to get their targets fired or socially isolated by spreading rumours that they are paedophiles or criminals.

Its users delight in tormenting people and have even celebrated the suicides of its targets. Even after its victims’ deaths, Kiwi Farms users will sometimes brigade the social media pages of the deceased's loved ones to continue the harassment.

The site's administrator is also vile. In the aftermath of the Christchurch massacre, the site hosted the live stream and manifesto of the shooter. Kiwi Farms' administrator, Joshua Moon, taunted New Zealand police when asked to preserve information relating to who had posted the files, telling them "if anyone turns over to you the information they’re asking for they’re not only cowards, but they’re f---ing idiots," adding "I don’t give a single solitary f-- what section 50 of your f----t law say about sharing your email. F--- you and f--- your shithole country."

In August this year, transgender activist and Twitch streamer Clara Sorrenti, aka Keffals, kicked off a campaign against Kiwi Farms that encouraged companies to stop providing the digital services that kept it online. Kiwi Farms had targeted Keffals after she'd risen to prominence as a trans-rights activist. The DropKiwiFarms campaign website describes the harassment:

[Kiwi Farms] members… published private information on Clara Sorrenti, including sexually explicit photos and videos, phone numbers, addresses, her deadname and the private information of her friends and family. Publishing that information led to threats on her life, both implicit and explicit, as well as attempts to end her life through false reports to the police about imminent violence…

After Sorrenti was swatted, she fled her home. NBC describes the intense stalking that followed:

After her swatting, Sorrenti fled to a nearby hotel. Within hours, stalkers determined which hotel in her city had matching bed sheets from a photo Sorrenti tweeted of her cat. Trolls then sent dozens of pizzas to Sorrenti’s hotel in an apparent effort to make her aware that her hotel had been identified.

Sorrenti said her Uber account was then hacked. Hundreds of dollars worth of groceries arrived at her hotel. Through Uber, Sorrenti said that hackers were able to obtain her phone number, home address and email address, as well as the addresses and numbers of her family members.

Sorrenti then fled to Europe, but Kiwi Farm users were able to identify her hotel using small hints from her streams. A Kiwi Farms user took a picture outside of what their userbase believed to be Sorrenti’s temporary home base in Europe on Tuesday.

Cloudflare, an American company, provided a variety of different services to Kiwi Farms, including DDoS protection and its Content Delivery Network (CDN) services. Both services were crucial in keeping Kiwi Farms online and accessible to its users.

As recently as August 31, Cloudflare's position was that it would not remove problematic sites from its security services. It adopted the approach that the closer you are to hosting and recommending content the better placed you are to moderate it. A forum administrator, for example, can remove the problematic content while preserving all the other stuff. This seems a reasonable position, but continuing to support sites and forums that aren't doing this type of moderation is where things get sticky.

Cloudflare argues that service restrictions should be driven by legal processes and should be applied sparingly, especially when it comes to what they describe as "core internet technologies" like DNS services and internet access. Cloudflare even argues that its CDN and DDoS protection services are essentially fundamental and should be available to everyone more or less regardless of content:

In 2017, we terminated the neo-Nazi troll site The Daily Stormer. And in 2019, we terminated the conspiracy theory forum 8chan.

In a deeply troubling response, after both terminations we saw a dramatic increase in authoritarian regimes attempting to have us terminate security services for human rights organisations — often citing the language from our own justification back to us.

Since those decisions, we have had significant discussions with policy makers worldwide. From those discussions we concluded that the power to terminate security services for the sites was not a power Cloudflare should hold. Not because the content of those sites wasn't abhorrent — it was — but because security services most closely resemble Internet utilities.

Just as the telephone company doesn't terminate your line if you say awful, racist, bigoted things, we have concluded in consultation with politicians, policy makers, and experts that turning off security services because we think what you publish is despicable is the wrong policy.

In a perfect world this might actually be the correct approach, but the world is clearly not perfect. And when people are using your content delivery system to support unmoderated hate forums, their arguments just don't stack up.

Cloudflare's "principles"-based approach assumes that other mechanisms of content moderation work effectively, but they just don't. We can't rely on hosting providers to moderate content — bulletproof hosting's entire business model is built around hosting objectionable or illegal material. And there is no effective global law enforcement response to coordinated online harassment. This means that organisations like Cloudflare need to be prepared to step in when other moderation layers have failed.

Cloudflare has, in the past, argued that kicking hate sites off its platform is pointless because they'll just find services elsewhere. But that's not what's happened in the past. 8chan is a shell of what it once was because Cloudflare withdrew service in response to pressure the last time around. The opposite argument — that it's important to provide a platform of last resort for speech you may disagree with — doesn't stack up so well either. It shouldn't be the role of a multibillion-dollar, NASDAQ-listed company that does business with the world's leading brands to be the reliability and resiliency backstop for violent neo-fascists who no one else will touch.

Doing business with these people is also bad for business. Alex Stamos, from Stanford's Internet Observatory, wrote on Twitter that "there have been suicides linked to KF, and soon a doctor, activist or trans person is going to get doxxed and killed or a mass shooter is going to be inspired there. The investigation will show the killer's links to the site, and Cloudflare's enterprise base will evaporate."

In the end, and after an awful lot of pressure, Cloudflare recognised this and blocked Kiwi Farms on Sunday this week, saying:

…the rhetoric on the Kiwifarms site and specific, targeted threats have escalated over the last 48 hours to the point that we believe there is an unprecedented emergency and immediate threat to human life unlike we have previously seen from Kiwifarms or any other customer before.

Unfortunately, although this is a victory for the DropKiwiFarms campaign, Cloudflare somehow remains convinced that it has made the wrong decision. "We do not believe that terminating security services is appropriate, even to revolting content," a blog post by the company says.

Indeed, Cloudflare is over-represented when it comes to supporting hate speech and misinformation websites, as demonstrated in research by Stanford's Catherine Han, Deepak Kumar, and Zakir Durumeric. Han et al. speculate that this may be due to Cloudflare's "lax policies" and they quote a former Daily Stormer author who praised Cloudflare's content-neutral stance. We can't help but think it is a red flag when neo-Nazis endorse your policy position.

Even the Russian DDoS-Guard service that took on Kiwi Farms after it was booted from Cloudflare got it right within a single day:

As a DDoS protection provider, we have customers around the world and it is not our duty to moderate content on their sites. We don’t have to decide whether a website violates the law. We only can restrict access to the customer’s website if it is reasonable. For example, if there’s the official notice from the court.

However, today we did not wait for the official notification and stopped providing services for the Kiwi Farms forum. We have received multiple complaints from users saying that it violates the DDoS-Guard Acceptable Use Policy.

Having analyzed the content of the site, we decided on the termination of DDoS protection services for kiwifarms.ru. To all those who brought this incident to our attention, we thank you.

This brings to mind the famous (mis)quote: "The only thing necessary for the triumph of evil is for good men to do nothing". Unfortunately, doing nothing in the face of evil is Cloudflare's official policy.

This Is What You Get When You Don't Regulate Location Data

The Associated Press, with documents sourced by the Electronic Frontier Foundation, reported this week that a service called Fog Reveal is being used by US local law enforcement agencies to track people via mobile phone advertising data.

This newsletter has consistently warned of the national security dangers represented by the very loosely controlled ad tech and data broker ecosystem. Fog Reveal is a concrete example of an easily accessible tool authorities can use to track and identify people based on the aggregation of these types of data.

Fog Data Science, the company that sells Fog Reveal, claims to have billions of records from 250 million mobile devices dating back to 2017. The Electronic Frontier Foundation, which obtained records about Fog Reveal by making public records requests, says that the "smartphone signals in Fog’s database include latitude, longitude, timestamp, and a device ID". The Fog Reveal service can cost just thousands of dollars per year.

Using this information, Fog Reveal can be used to search for devices in an area at a particular period of time or to follow a device over time. This allows police to develop a "pattern of life", including where devices spend the night, and to identify other significant locations.

Although Fog Reveal data is notionally anonymous, this is a convenient fiction. As the EFF writes:

Fog states that it does not collect personally identifying information (for example, names or email addresses). But Fog allows police to track the location of a device over long stretches of time — several months with a single query — and Fog touts the use of its service for “pattern of life” analyses that reveal where the device owner sleeps, works, studies, worships, and associates. This can tie an "anonymous" device to a specific, named individual.

Matthew Broderick, a managing partner at Fog Data Science, told the Associated Press that "search warrants are not required for the use of the public data" and that Fog Reveal only provides "lead data". It appears that, to some extent, Fog Reveal tries to keep a low profile. At least some law enforcement agencies do not seek warrants and Fog Reveal's name does not appear in many court documents.

Michael Price, litigation director of the National Association of Criminal Defense Lawyers’ Fourth Amendment Center, told AP "[Fog] is exceedingly rare to see in the wild because the cops often don’t get warrants".

In principle, we believe that law enforcement officials should have access to sensitive data when they need it to solve serious crimes. But that access should come with robust authorisation procedures beforehand and strict oversight afterward.

Leaving aside law enforcement, Fog Reveal also illustrates just how out of control the US's data economy is — a private company can develop a cut-price intelligence system and sell it without any real restraint using commercially available data. Just imagine what the Chinese government could do when it combines this commercially available data with information it has stolen.

Albania Severs Diplomatic Ties With Iran Over Cyber Attack

Albania has severed diplomatic relations with Iran and ordered Iranian diplomats out of the country, citing a July cyberattack. This is the strongest response to a cyber event that we are aware of.

The mid-July attack caused significant disruption to government services and was conducted by actors posing as Albanian nationalists. That cover was pretty thin, though, and Mandiant attributed the attack to Iranian actors in late August. Not only were there code similarities to malware that has been used to support Iranian interests, the logo used by the attackers has elements that refer to Predatory Sparrow, an Israeli group that has been targeting Iran with destructive cyber operations.

The ultimate target of the July operation appears to be a conference by an Iranian opposition party, the Mujahedeen-e-Khalq/People’s Mojahedin Organisation of Iran or MEK. The conference was scheduled for July 23, but was ultimately postponed because of terrorist threats.

The US government issued a statement supporting Albania, confirming attribution to the government of Iran and saying that it will take "further action to hold Iran accountable for actions that threaten the security of a U.S. ally and set a troubling precedent for cyberspace".

Attacking government systems with wipers to stop a conference is totally disproportionate and unreasonable, so a strong response is needed to prevent these types of attacks being seen as acceptable. We'll have to wait and see if this step by the Albanians will be enough to discourage Iran from engaging in similar activities elsewhere in the future.

Three Reasons to be Cheerful this Week:

  1. State bans Project Raven mercenaries: The US State Department has banned three former NSA employees from having anything to do with foreign commercial surveillance. They also have to cough up $1.7m in fines between them.
  2. Australia goes after crypto fraud: The Australian Federal Police has set up a new cryptocurrency unit focussed on money laundering.
  3. Sextortion gang detained: Interpol officials said they detained 12 suspects and that six were part of a cybercrime gang that engaged in sextortion schemes across Asia.

Proofpoint's Human Factor 2022 report examines trends in cyber security threats from a people-centric perspective. Some of the key findings include:

  • Over 80% of businesses are attacked by a compromised supplier account in any given month.
  • Attackers attempt over 100,000 telephone-oriented attacks every day.
  • SMS-based phishing attempts doubled in the U.S. year over year.
  • Managers and executives make up only 10% of users, but almost 50% of the most severe attack risk in our data.


Shorts

Ransomware Boiling Frog Syndrome is Real

Although this newsletter writes about it less, there have been a number of notable ransomware attacks in the last two weeks.

Most significantly, Cuba ransomware hit the government of Montenegro, affecting government services to such an extent that the US embassy issued advice to limit unnecessary travel. This week FBI and French officials arrived in Montenegro to investigate the attack.

Italian critical infrastructure has also been under fire, although fortunately attacks so far have only caused minor disruption. Oil and gas company Eni was hit by a ransomware attack and the country's electricity agency was breached in an apparent data extortion attempt.

Even Fake News is Bad News for TikTok

On September 3, AgainstTheWest, a hacking group that targets Chinese and Russian entities despite its name, claimed to have breached TikTok and WeChat.

TikTok denies that it has been breached and Troy Hunt, creator of the Have I Been Pwned breach database, found the breach data to be "pretty inconclusive". Breach Forums, the site where AgainstTheWest first claimed to have breached TikTok and WeChat, banned AgainstTheWest's account for "lying about data breaches".

Unfortunately for TikTok, however, we think that the incident will keep fears about Chinese government access to user data held by TikTok in the spotlight.

As an aside, AgainstTheWest also claims it was the original discoverer of the Log4J vulnerability and that Alibaba found the vulnerability after AgainstTheWest used it against them. Given that the Cyber Safety Review Board's report into Log4J didn't identify AgainstTheWest as the originators, we are skeptical that this is the true story.

A Fun One From Moscow

Anonymous and the IT Army of Ukraine claimed responsibility for a hack that created a Moscow traffic jam by ordering many taxis to Kutuzov Prospect. A Yandex spokesperson confirmed the attack and told Vice the issue was resolved "in less than an hour" and that Yandex had "improved the algorithm for detecting and preventing such attacks to prevent similar incidents in the future".

Assuming that they are responsible, we imagine that this is considered a success from the point of view of Anonymous and the IT Army and it's definitely an annoyance for those caught up in the jam. But it has zero impact on the Russian state and no impact on the war in Ukraine.

Risky Biz Talks

In addition to a podcast version of this newsletter (last edition here), the Risky Biz News feed (RSS, iTunes or Spotify) also publishes interviews.

In the last "Between Two Nerds" discussion Tom Uren and The Grugq discuss how OSINT is making clandestine HUMINT very, very difficult.

And Catalin Cimpanu interviews Vitali Kremez, CEO of Advanced Intelligence, about the impending downfall of the Ransomware-as-a-Service ecosystem.

From Our Risky Biz News Newsletter:

Peter Eckersley has died: The cyber-security industry lost a seminal figure over the weekend with the death of Peter Eckersley, a beloved security software engineer and privacy activist who played a crucial role in many of today's web encryption technologies.

Born and educated in Australia, he spent 12 years working for the Electronic Frontier Foundation, where he helped co-found and co-create many of today's most notable privacy-inclined projects, including the likes of Let's Encrypt, Certbot, Privacy Badger, HTTPS Everywhere, SSL Observatory, and Panopticlick (later rebranded to Cover Your Tracks). (continued)

Apple Private Relay how it works and possible flaw: At its WWDC 2021 conference, Apple announced a new security feature named iCloud Private Relay that would work as a two-layer VPN-like system and hide a (paying) Apple user's IP address from their internet service provider and website owners.

At a technical level, iCloud Private Relay would do this by taking internet traffic from a user's Apple device—their iPad, iPhone, or macOS system—and sending it to a first group of servers (called ingress servers), which would then forward the traffic to a second group of servers (called egress servers) before finally connecting the user to the website or service they were trying to access. (continued)

China does its best US APT attribution effort but falls short of the mark: Back in April, this newsletter noted a somewhat interesting trend where Chinese government officials would repeatedly accuse the US government of engaging in "irresponsible malicious cyber activities" by hacking Chinese organizations. (continued)