Srsly Risky Biz: Pilot Edition

Vault 7 mistrial, CDA230 under review, "Wormable" SMBv3 bug in the works

Welcome to the pilot edition of Seriously Risky Business, your weekly batch of the big stories shaping cyber policy, curated by Brett Winterford.

Feedback welcome at editorial@risky.biz

Mistrial: Vault 7 leaker’s OpSec was tighter than you thought

US Attorneys failed to convince a jury that former CIA exploit developer Josh Schulte dumped an archive about the agency’s offensive cyber weapons program to Wikileaks (the ‘Vault 7’ leaks).

While Schulte was found guilty on lesser charges (making false statements to law enforcement and contempt of court), he wasn’t for eight counts related to the leaks. His defence painted an unflattering picture for the jury of toxic workplace culture and poor security practices at the CIA, and of a defendant so reviled by some colleagues that he made for a handy scapegoat. It helped the defence that a colleague of Schulte monitored the alleged exfiltration of CIA tooling and didn’t cooperate with the investigation - facts the prosecution weren’t so forthcoming about.

If you’ve got 10 hours free and a focus on insider threats, Alexa O'Brien has archived the case transcripts.

Schulte isn’t out of the woods: the US will most likely to try the case again. He also faces allegations investigators found child exploitation material on his laptop. But this episode goes to show: Computer crimes are easier to prosecute when authorities are in possession of the proverbial smoking gun, which was absent in this case.

US lawmakers wedge tech giants over E2E crypto

US lawmakers have proposed bills that would strip service providers of safe harbor protections under Section 230 of the US Communications Decency Act (CDA) if they fail to comply with recommendations from an unelected body.

CDA 230 provides qualified liability and immunity protection to service providers for user-generated content on their platforms. Proponents of the Eliminating Abusive and Rampant Neglect of Interactive Technologies (EARN IT) Act claim these Section 230 protections can be excuses for inaction when law enforcement requests takedowns of problematic content, such as child exploitation material.

Under EARN IT, a Government-appointed panel determines ‘best practices’ for service providers to follow, breaches of which will forfeit their Section 230 rights.

So what’s the problem? The fear is that a panel appointed by the government might take issue with the use of end-to-end encryption used to protect user communications. Tech companies argue this would force them to remove E2E encryption, introduce cryptographic backdoors or risk losing the legal protections that enable them to host user-generated content. It would be a convenient way for lawmakers to wash their hands of the whole debate.

Apple subpoenas security researchers

Apple’s anxiety over advances in iOS exploit development just got nasty - Forbes reports that Apple served Santander Bank and defence contractor L3Harris subpoenas over their use of Corellium software, an OS emulation tool used by security researchers. Apple has been pursuing Corellium for DCMA violations since August 2019, claiming its iOS emulation software “commercialises the illegal replication” of iOS. That allegation is hotly contested.

While the subpoenas are linked to the DCMA case against Corellium - they come off as a veiled threat to security researchers or indeed anyone with a profile saying nice things about Corellium. Expect Apple to go bare-knuckle if your research cuts against its marketed image of superior security.

For context, L3GHarris subsidiary Azimuth Security has a (very profitable) knack for discovering exploits in iOS. Santander claims it isn’t a Corellium client - it’s only connection to Corellium is a tweet from Santander’s head of offensive security Dan Cuthbert, who was impressed with his own use of the emulation software.

This week Corellium released a new tool that allows researchers to run Android on several models of iPhone. We suspect the primary use for this tool is its ability to irritate Apple’s lawyers. How do you like them Apples?

Client list of Facial Recognition scraper is… scraped

Clearview AI has notified clients of a data breach at the facial recognition startup, the Daily Beast reports. Clearview AI sells law enforcement agencies a facial recognition tool that matches any picture uploaded to it with a database of 3 billion images scraped without user consent from Facebook, YouTube and other social media properties.

(Twitter, Facebook, Google, Microsoft and others have since demanded the company stop scraping their services.)

While some Clearview clients were already publicly known - thanks to a January exposé by the New York Times’ Kashmir Hill - a far larger set have since been exposed by Buzzfeed, using documents the startup claims to have resulted from a breach.

The breach serves to remind law enforcement that - attractive as pervasive surveillance technologies like facial recognition might seem - startups with scant regard for data privacy are probably also not so crash hot at data security. Do you really want to upload sensitive data to these services, burn your leads or render evidence inadmissible?

This week Vice Motherboard went deep on another surveillance startup - Banjo. Banjo has signed contracts worth US$20m to hoover up data collected by the State of Utah to match with a huge database of data scraped using techniques its former staff liken to those of Cambridge Analytica. It all sounds very Minority Report, but there’s every chance it’s more Jack and the Beanstalk. Risky Business is also happy to offer its subscribers magic beans, at steep discounts on Banjo’s price list.

Regulators arrive late and unnoticed to the privacy party

The US Federal Trade Commission has proposed fining T-Mobile $91m, AT&T $57m, Verizon $48m and Sprint $12m for selling the location data of their customers without consent to Securus Technologies from 2014-2017.

To illustrate the deterrence effect of these fines - T-Mobile was fined 1.3% of after tax profits over the offending period, AT&T fined 0.09%, Verizon fined 0.06%. You may recall that when Motherboard’s Joseph Cox’s went undercover in mid-2019, he found that at least three of them continue to sell customer data.

Ransomware hell rolls on

Two more US Defence contractors (CPI and Visser) were knocked offline in ransomware attacks in February, following the infection of Electronic Warfare Associates in late January.

Other (known) ransomware victims in February included industrial firms EMCOR and EMRAZ, law firm EPIQ Global, Croatia’s largest oil firm INA Group and France’s Bretagne Telecom.

We should expect more of it - and targeting to include smaller organisations. This month alone, attackers known for ransomware campaigns have been playing with a severe Remote Code Execution flaw in dozens of ZyXEL Network Attached Storage boxes and Firewalls. The RCE was available for sale for two weeks in cybercrime forums prior to being patched. We wouldn’t be surprised to an RCE in Zoho-owned ManageEngine used by these actors - it was also unpatched for two weeks after being dropped on Twitter by a security researcher.

Group-IB exec named in US indictments

A senior exec at Russian threat intelligence unit Group-IB has been named in a newly unsealed 2014 US DOJ indictment, in which he is accused of selling data stolen in the 2012 attack on Formspring.

Group-IB’s global clients would undoubtedly have preferred to know a long time ago about links US investigators drew between Nikita Kislitsin, current head of network security at Group-IB, and two men from Russia and Ukraine accused of hacking LinkedIn, Dropbox, Formspring and the SEC.

Group-IB is standing by their man and claims he was acting as a threat researcher and journalist at the time of the offence.

NSO Group to claim sovereign immunity

Malware merchants NSO Group has asked a court for more time to respond to a lawsuit in which WhatsApp accused it of hacking 1400 user accounts. The company argues that it should be entitled to ‘sovereign immunity’ - a protection typically only offered to sovereign states, on the basis that “it’s only customers are the intelligence and law enforcement agencies”.

Bishop Fox releases gadget... gadget

When deserialization bugs made the OWASP Top 10 web app vulnerability list in 2017, the inclusion came with the disclaimer that finding them required painstaking human analysis. Bishop Fox has now gifted the community a tool (and Burp extension) called GadgetProbe that trivialises some of the trickier aspects of deserialization bug discovery. Your pentest team should take a look.

Five reasons to actually be cheerful this week

  1. Necurs botnet takedown - If you wondered why the Necurs botnet was a little quieter in recent months, now we know: a coalition led by Microsoft finally cracked the domain-generating algorithm that made the botnet hard to pin down for the last six years, and were able to predict the six million next domains it would use. Now begins the clean-up of over 9 million infected hosts.
  2. Chrome updates glitches cybercrime marketplace - Google’s use of AES-265 to hash passwords Chrome users store in their browser (Chrome 80 update) has temporarily affected supplies of stolen user credentials at the Genesis marketplace, a trader in user fingerprints.
  3. Brave goes one-up on randomizing fingerprints - Meanwhile the privacy-conscious devs at Brave Software are flouting new ways of randomizing user browser sessions that go a step further than efforts by Mozilla (Firefox) and Apple (Safari).
  4. Singapore’s basic hygiene check for IoT vendors - The happiest little dictatorship on Earth is issuing a labelling scheme for consumer broadband routers and other smart devices. They’ll be rated on basic configuration - shipping with unique default credentials and without obvious bugs - and be subject to ‘basic penetration testing’ (a Qualys scan? A once-over with Wireshark?)
  5. New Open Source tool santizes email attachments - Micah Lee is releasing ‘Dangerzone’, a tool that cobbles together Docker containers and LibreOffice as a sandbox to help users safely open suspicious file attachments. Andy Greenburg at Wired took a test drive and reckons that most MS Office docs don’t come through too mangled. Worth a look if you’re a high-risk, low-budget user (journalists, activists etc).

Shorts

NotWannaRyuk - Why do we get the feeling this will be leading our newsletter in a few weeks? A wormable Remote Code Execution condition affects Microsoft’s SMBv3 protocol. Details were accidentally disclosed and promptly deleted in the March patch cycle. Microsoft patched 24 hours later.

Washing the Nork’s dirty bits - Two Chinese nationals indicted, accused of laundering US$100m of the US$250m proceeds from raids on cryptocurrency exchanges by North Korean hackers.

Get off Grindr - Beijing-based Kunlun Tech intends to sell LGBTQI dating app Grindr for US$608.5, after purchasing it in 2016 without seeking regulatory approval. It reportedly has to meet a June 2020 deadline to offload it.

Cheetahs never prosper - All apps of Chinese-owned and NYSE-listed Cheetah Mobile have been banned from the Google Play Store, including Clean Master, a mobile AV app that didn’t take some of the necessary security precautions you’d expect when tracking user browsing activity.

ToTok banned again - Social messaging app ToTok has been removed from the Google Play Store a second time after US authorities warned it was a spying tool for the UAE Government. The app’s developer is urging users not to be too spooked about it.

Time to Kill - All major web browsers end support for TLS 1.0 and 1.1 between the end of March (Chrome, Firefox and Safari) and April (Edge).

Take a bow - A Dutch security researcher beavered his way into finding a flaw in iCloud authentication after following a lead left dangling by Risky.Biz

Dwell time at Citrix - Citrix has written to former staff as part of its post-breach responsibilities, disclosing that attackers were up in its business on various occasions between October 13, 2018 to March 8, 2019.

BEC Bonanza - The FBI recovered US$300m (11%) of the US$3.5 billion in cybercrime-related complaints made in the US in 2019. Half of those losses US$1.7 billion resulted from Business Email Compromise.

Everything is cancelled - ZDNet’s Catalin Campanu is keeping a list of InfoSec events that have been postponed or cancelled due to the Coronavirus. It’s most of them. Stay safe out there.