Srsly Risky Biz: Tuesday, November 17

Trump points to DEF CON videos to explain election defeat, Australia eyes payment card data for contact tracing, No homicide charges for ransomware crew

Your weekly dose of Seriously Risky Business news is written by Brett Winterford, edited by Patrick Gray and supported by the Cyber Initiative at the Hewlett Foundation.

Trump points to DEF CON videos to explain election defeat

As his options for legal appeals thin out, Donald Trump is doing his utmost to undermine confidence in the 2020 election results. And yes, he's blaming computers.

We're not talking about the fanciful notion of an all-powerful "Hammer and Scorecard" supercomputer flipping votes, which Pat covered in last week's podcast. Trumpworld's latest claim is that "tabulating software glitches" in voting machines "owned by a Radical Left privately owned company", Dominion Voting Systems, resulted in Trump votes being "flipped" to Biden in key states. The claims are easily debunked, but they'll probably stick with his base.

We're in uncharted territory here. The sitting US President is actively eroding trust in America's election result by hyping security research into voting machines. Trump has even tweeted videos from DEF CON's Voting Village to support his claims that the election was "rigged".

This leaves DEF CON's Voting Village, which offers hackers the fun of cracking open end-of-life voting machines, with a "complicated legacy", according to NBC's Kevin Collier. The voting machines hacked at the village were not tested under election booth conditions, so the risks posed by the vulnerabilities discovered there were sometimes overplayed. Some attacks were dependent on how the devices were configured upon purchase, some were only relevant if a machine was connected to the internet and others required physical tampering that wouldn't go unnoticed at the polling booth. It’s a little galling to watch Democrat Senators call those vulnerabilities the "biggest election security threat" of 2019, then demand the MAGA crowd ignore them in 2020.

But putting these theatrics aside, DEF CON’s Voting Village played a key role in making election system vendors more accountable (1, 2). It raised awareness about important election integrity processes like risk-limiting audits. Earlier today, 59 election security experts released a statement to defend that legacy:

"We never claimed that technical vulnerabilities have actually been exploited to alter the outcome of any US election."

We don't expect Trump's screeching to achieve much in the short-term, but ironically, it might lead to meaningful improvements in election integrity measures in the future.

Australia eyes payment card data for contact tracing

Australian health officials have been asked to investigate tapping card payment data to track the spread of COVID-19 infections.

It's an extreme measure, especially for a country whose response to COVID-19 compares favourably to most of its global peers. The idea was put forward as part of a national review of contact tracing methods by Australia's policy makers, chaired by its chief scientist, Dr Alan Finkel.

"The Commonwealth lead arrangements between states and territories and payment card providers so that contact tracers from the states and territories will be able to request contact details of persons who have made a transaction at a hotspot venue."

This week Risky Biz took a closer look at how payments data has been used in the fight against COVID-19 in other countries, and what banks and health authorities would need to do to make the data useful. You can read the story in full on the Risky Biz web site.

No negligent homicide charges for ransomware crew

German prosecutors have abandoned plans to charge the ransomware crew that attacked University Hospital Düsseldorf in September with negligent homicide.

In the midst of that attack, paramedics transporting a 78-year-old woman in critical condition to the University Hospital had to be redirected to a hospital 30km away. She died during the journey.

A negligent homicide charge would have made a compelling case for numerous actions against ransomware gangs. But as William Ralston at Wired discovered, those hopes were dashed. German law would have required prosecutors to prove the ransomware attack played a “decisive role” in the woman's death, not merely a contributing one. It's difficult to prove that a person would have lived if they had been treated sooner.

Our view is that even in the absence of a prosecution linked to a patient's death, these events will harden the resolve of policymakers that want to see justice served.

Trumpworld turns on CISA

The US officials in charge of protecting US critical infrastructure from cyber attacks have been caught up in a purge of defence and intelligence leaders by the outgoing Trump administration.

Bryan Ware, the CISA exec leading its cyber security efforts, announced he was "stepping down" on November 12. According to Chris Bing at Reuters, Ware's resignation was a "request from the White House".

Reuters also suggested Ware's boss, Chris Krebs, was next in line to be fired and had (metaphorically speaking) already packed up the office knick knacks. Last week Krebs co-authored a statement with other election officials that reassured Americans that "there is no evidence that any voting system deleted or lost votes, changed votes, or was in any way compromised." This week he celebrated CISA's second birthday with some A-grade trolling.

To the best of our knowledge, Krebs still has a job. But as the conspiracy theories Krebs is duty-bound to debunk grow wilder, his odds of escaping the blast radius of a Trump tantrum are narrowing.

.Mil taps adtech for location data

Joseph Cox at Vice Motherboard reports that the US military buys access to location data in bulk from mobile apps via a network of data-slurping intermediaries and defence contractors. The apps that harvest location data include a Muslim prayer app with 98m downloads and a dating app that targets Iranians. Cox made his discoveries through government procurement records and via his own forensic investigation: he searched for apps that sent traffic to an endpoint used by X-Mode, a broker of location data, then studied the network traffic those apps sent to that endpoint using Charles and mitmproxy.
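The triage step that follows the proxying Cox describes, as an added example that is not from the Motherboard story or from any X-Mode tooling: once app traffic has been captured through Charles or mitmproxy and exported, a script can scan the requests for a watchlist of broker hosts and pull out the location and advertising-ID fields they carry. The broker hostnames, app names and capture records below are constructed placeholders, not X-Mode's real endpoints, and the record layout is a simplified version of what a HAR export contains.

```python
import json
from urllib.parse import urlparse, parse_qs

# Hypothetical data-broker SDK hosts (placeholders, not X-Mode's real endpoints).
BROKER_HOSTS = {"sdk.example-broker.test", "collect.locdata.test"}

# Field names that indicate geolocation or a persistent device/advertising ID.
LOCATION_KEYS = {"lat", "latitude", "lon", "lng", "longitude"}
ID_KEYS = {"adid", "idfa", "gaid", "advertising_id", "device_id"}

# Constructed capture, simplified from a HAR export: app name, request URL, POST body.
SAMPLE_CAPTURE = [
    {"app": "prayer-app", "url": "https://sdk.example-broker.test/v1/locations",
     "postData": json.dumps({"adid": "7d9e-1a2b", "loc": {"lat": 40.71, "lon": -74.01, "acc": 12}})},
    {"app": "dating-app",
     "url": "https://collect.locdata.test/ping?lat=35.69&lng=51.39&gaid=aaaa-bbbb",
     "postData": None},
    # Same fields, but sent to the app's own API rather than a broker: not flagged by default.
    {"app": "weather-app", "url": "https://api.weather.test/forecast?lat=51.5&lon=-0.12",
     "postData": None},
    # Broker host but no location payload: a heartbeat, not a leak.
    {"app": "news-app", "url": "https://sdk.example-broker.test/v1/heartbeat",
     "postData": json.dumps({"sdk_version": "3.2"})},
]


def _payload_fields(entry):
    """Flatten query-string parameters and (nested) JSON body keys of one request."""
    fields = {}
    for key, values in parse_qs(urlparse(entry["url"]).query).items():
        fields[key.lower()] = values[0]
    body = entry.get("postData")
    if not body:
        return fields
    try:
        obj = json.loads(body)
    except ValueError:
        return fields  # non-JSON body (form, protobuf): leave it to manual review
    stack = [obj]
    while stack:  # iterative walk so nested objects such as {"loc": {...}} are covered
        cur = stack.pop()
        if isinstance(cur, dict):
            for key, value in cur.items():
                if isinstance(value, (dict, list)):
                    stack.append(value)
                else:
                    fields[key.lower()] = value
        elif isinstance(cur, list):
            stack.extend(cur)
    return fields


def flag_location_leaks(entries, broker_hosts=BROKER_HOSTS):
    """Return one finding per request that sends geolocation to a watchlisted host."""
    findings = []
    for entry in entries:
        host = urlparse(entry["url"]).hostname
        if host not in broker_hosts:
            continue
        fields = _payload_fields(entry)
        location = {k: v for k, v in fields.items() if k in LOCATION_KEYS}
        if not location:
            continue
        identifiers = {k: v for k, v in fields.items() if k in ID_KEYS}
        findings.append({"app": entry["app"], "host": host,
                         "location": location, "identifiers": identifiers})
    return findings


if __name__ == "__main__":
    for finding in flag_location_leaks(SAMPLE_CAPTURE):
        print(json.dumps(finding))
```

The watchlist is a parameter so the same pass can be re-run against whatever hosts a procurement record or SDK string search turns up; the weather app's traffic is only flagged when its API host is added to the list, which is the point of separating "sends coordinates" from "sends coordinates to a broker".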

GRU, North Korea shamed for spying on COVID-19 vaccine research

Microsoft revealed that Russia's GRU and two North Korean hacking teams have (between them) targeted at least seven COVID-19 vaccine research bodies that use Microsoft platforms. The victims were in Canada, France, India, South Korea and the United States. Microsoft didn't add any new information on which attacks were successful. Previous reports have accused Chinese and Iranian APTs and Russia's FSB of dabbling in this sort of thing.

TikTok ban postponed, forced sale on ice

The US Commerce Department couldn't enact a scheduled ban on TikTok late last week, owing to ongoing legal battles. The ban would have prevented US app stores from offering access to TikTok after November 12. A sale of TikTok's US operations to Oracle and Walmart is also on ice.

Attackers print your ransom note for you

The Egregor ransomware group has infected Chile's largest retail group, Cencosud. We only added this to the newsletter so we could link this video of ransom notes being spat out of Cencosud PoS receipt printers. How thoughtful of them!

The Swiss were in on CryptoAG

A report commissioned by the Swiss Government has confirmed that Switzerland's Strategic Intelligence Service (SND) knew that Crypto AG was a US and German intelligence asset and was exporting vulnerable cryptographic equipment to other countries as far back as 1993. The report states that the SND allowed the US and German intelligence services to conduct their operations in exchange for access to US intelligence products. Neutral as always.

Denmark traded its own secrets for some SIGINT

Danish media reports that a SIGINT sharing deal between Denmark and the US, the subject of whistleblowing complaints and the dismissal of three intelligence chiefs in September, provided US authorities with visibility into Denmark's tender for a new fleet of fighter jets in 2015. Lockheed Martin ended up beating Eurofighter (built in Germany) and Saab (built in Sweden) to the deal. The Germans are especially displeased, because in several respects, history is repeating.

TA505 emails arrive down under

The ACSC warned that the Clop ransomware gang is targeting Australia's healthcare sector, using access supplied by TA505. We're unsure why this warning was published: TA505 has been pushing SDBbot for several months, targeting a large number of countries and industries. We're yet to learn of any Australian victims. Maybe an analyst just got a bit jumpy after seeing an .au target in a TA505 campaign?

Twitter hires Mudge

Twitter has hired Peiter Zatko ("Mudge" of "Cult of the Dead Cow" fame) as head of security, to run its infosec, physical security and platform integrity operations, reporting directly to CEO Jack Dorsey. Twitter hired Rinki Sethi as CISO a month ago.

A common enemy

There are not many "cyber norms" that CCP officials, Russian oligarchs and the CEOs of global multinationals agree on. However, one shared interest is a dependence on the stability of the global financial system that sustains them. Tomorrow the Carnegie Endowment for International Peace has invited heavy hitters from the banking sector to launch a blueprint for how all nations -- including adversaries in cyberspace -- might find some common ground for once.

You had one job, Palo Alto

Add another entry to the dozens of VPN bugs defenders have had to squash in 2020. Palo Alto Networks disclosed an authentication bypass in PAN-OS that "allows an attacker to bypass all client certificate checks with an invalid certificate". It was discovered internally by Palo Alto staff and we haven't seen reports of any PoCs or attacks in the wild yet.

This week's long read

This Wired feature provides a vivid character study of the scammer that hacked the Telegram accounts of Brazil's most powerful politicians in 2019. It's the story of an opportunistic scammer, initially motivated by petty grievance and self-interest, who convinces himself that he's hacking for a political cause. He's a slippery unit, though, so best to take everything he's said with a big grain of salt.