Srsly Risky Biz: Thursday, December 2

HUMINT in the digital age and no signs of Russian cooperation

Your weekly dose of Seriously Risky Business news is written by Tom Uren, edited by Patrick Gray and supported by the Cyber Initiative at the Hewlett Foundation, AustCyber and founding corporate sponsors CyberCX and Proofpoint.

Russian Cooperation? Once Upon a Time

Despite US indictments, Russian ransomware developers and affiliates appear unaffected and live relatively freely in Russia.

This week the UK's Daily Mail was able to track down Russian Yevgeniy Polyanin at his home in the Siberian city of Barnaul. Polyanin was the subject of a US indictment unsealed earlier this month and is accused of being a ransomware affiliate and extorting over USD$13m from victims.

Polyanin studied computer science at the Altai State University, where he was reportedly an average student. The Daily Mail spoke to Vladimir Pashnev, Polyanin's professor. "We have a joke around here now: 'He didn't study well. Had he done so, well, he wouldn't have been caught.'" he said. A fellow student, Konstantin Starodubtsev, told the Daily Mail "He was not particularly a genius in programming."

Russia and the US do not have an extradition agreement (indeed, the Russian constitution prohibits extradition). There are some small signs that Polyanin's life has been affected — he keeps his curtains shut — but there's no evidence that Russian law enforcement is putting any kind of pressure on him at all.

Kim Zetter has a great retrospective on the time when Russia and the US did cooperate on cyber crime. It has some gems and is worth reading:

...this was also the time when the FBI began investigating Moonlight Maze — the FBI code name for a series of intrusions that were eventually attributed to the Russian government in one of the first widespread nation-state hacking operations uncovered.

It wasn’t initially clear that the Russian government was behind the operations, and Kinane says for a while the Russian police were eager to assist in tracking the perpetrators, whose IP addresses had been traced to Russia.

"I was astounded that the Ministry of Interior was helping us to resolve it," he says. "But they did a lot of work and zeroed in on some groups that were fronts of the FSB. And finally in the end they … told me 'We can't do anything more for you'."

You can subscribe to Kim's newsletter here.

Human Intelligence in the Digital Age

Speaking at IISS, Richard Moore, head of the UK's Secret Intelligence Service (the UK's HUMINT agency aka MI6) delivered his first public speech and addressed current priorities and the need for change within MI6. Moore spoke of the 'big four' threats: China, Russia, Iran and international terrorism, but also of the need to embrace technology to enable human intelligence.

... we are opening up our mission problems to those with talent in organisations that wouldn’t normally work with national security. Unlike Q in the Bond movies, we cannot do it all in-house.

I cannot stress enough what a sea-change this is in MI6’s culture, ethos and way of working, since we have traditionally relied primarily on our own capabilities to develop the world class technologies we need to stay secret and deliver against our mission.

This is the paradox I referred to earlier in my speech: we must become more open, to stay secret

HUMINT agencies are extremely reluctant to share details of sources and methods as lives are literally on the line.

From 2009-2013 the CIA experienced significant intelligence losses after details of its Web-based covert communications system were uncovered somehow. After this initial breakthrough, Iranian counterintelligence was reportedly able to detect other Websites that the CIA was using for secret communications via Google dorking. Once other sites with similar features were identified the Iranians were able to uncover the wider network of agents and arrest or execute them.

A similar debacle occurred in China, where dozens of US agents were executed because of a similar compromise. The communications system was similar, although it's not clear if Iran passed information to China or whether it was a parallel discovery.

From the reported descriptions of these covert communications systems they were, frankly, appallingly unsuitable and not at all fit for purpose.

But it's not just developing secure covert communications that is a problem. The PRC has also used stolen data (such as personnel clearance information and hotel and airline travel records) to identify and disrupt US intelligence operations. And creating a background or "legend" for operatives that passes scrutiny in this environment is extremely difficult.

HUMINT tradecraft alone is not enough to avoid being snapped by competent counterintelligence agencies. It also needs to be coupled with an absolutely top-notch understanding of how to operate safely in today's world where adversaries have access to troves of revealing data, operate extensive surveillance networks in their own territories and heavily use technologies like facial recognition. They need the SIGINT perspective. MI6 (and other HUMINT agencies) can't do this alone.

It's easy to see what the key geopolitical threats are, but it's much harder for intelligence agencies to balance the need for secrecy with the need for careful collaboration. Success needs secrecy — but a level of secrecy that gets in the way of cooperation will guarantee failure.

COVID-19 Vaccination Pass Cryptography Works. Get on Board.

In Italy, police arrested criminals offering to sell fake Covid-19 'Green Passes' via at least 35 Telegram channels. The criminals claimed that they had insider access to national health databases and were asking €100 for 'authentic' Green Passes that would pass checks.

The Green Pass, also known as the European Union Covid Digital Certificate (EUDCC), provides proof of Covid-19 status such as being recovered, immunised or having recently tested negative. The EUDCC has the desirable, and perhaps even necessary, property that certificates can be verified, in this case by using the magic of cryptographically signed QR codes. Signed QR codes can also be used on both digital and physical certificates and can be verified without an internet connection as verification doesn't require polling a central database.

The Italian Green Pass fraudsters were lying — the certificates they produced weren't correctly signed and merely looked like real certificates. Sometimes the criminals wouldn't even bother producing a fake certificate when paid and would just take the money and disappear.
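How offline verification against a trust list rejects a certificate that merely looks real, as an added example that is not part of the original newsletter or of any EUDCC reference implementation. It assumes ECDSA over P-256 with SHA-256 as the signature scheme, uses a plain dict in place of the real QR container encoding, and all names, keys and payloads (`check_pass`, `demo-issuer-1` and so on) are made up for illustration.

```python
import hashlib
# NIST P-256 parameters; ECDSA with SHA-256 is an assumption of this sketch.
P = 2**256 - 2**224 + 2**192 + 2**96 - 1
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)

def add(p, q):  # point addition; None is the point at infinity
    if p is None or q is None:
        return p or q
    if p[0] == q[0] and (p[1] + q[1]) % P == 0:
        return None
    num, den = (3 * p[0] ** 2 - 3, 2 * p[1]) if p == q else (q[1] - p[1], q[0] - p[0])
    lam = num * pow(den % P, -1, P) % P
    x = (lam * lam - p[0] - q[0]) % P
    return x, (lam * (p[0] - x) - p[1]) % P

def mul(k, pt):  # double-and-add; not constant time, illustration only
    acc = None
    while k:
        acc = add(acc, pt) if k & 1 else acc
        pt, k = add(pt, pt), k >> 1
    return acc

def digest(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(priv, data, k):  # issuer side; a real nonce k is secret and never reused
    r = mul(k, G)[0] % N
    return r, pow(k, -1, N) * (digest(data) + r * priv) % N

def verify(pub, data, sig):  # verifier side; needs only the public key
    r, s = sig
    if not (0 < r < N and 0 < s < N):
        return False
    w = pow(s, -1, N)
    pt = add(mul(digest(data) * w % N, G), mul(r * w % N, pub))
    return pt is not None and pt[0] % N == r

def check_pass(trust_list, qr):  # offline: consults only the local trust list
    pub = trust_list.get(qr["kid"])
    return pub is not None and verify(pub, qr["payload"], qr["sig"])

# Constructed sample data: issuer key, key id and payload are all made up.
ISSUER_PRIV = 0x1D0C5EED
TRUST_LIST = {"demo-issuer-1": mul(ISSUER_PRIV, G)}
PAYLOAD = b'{"name": "Sample Person", "status": "vaccinated"}'
GENUINE = {"kid": "demo-issuer-1", "payload": PAYLOAD,
           "sig": sign(ISSUER_PRIV, PAYLOAD, k=0xC0FFEE)}
LOOKALIKE = dict(GENUINE, payload=PAYLOAD.replace(b"Sample", b"Forged"))
```

`check_pass(TRUST_LIST, GENUINE)` returns `True`, while `LOOKALIKE` and any certificate whose key id is missing from the trust list return `False`, with no network call involved.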

Despite being a collection of national governments with independent health systems, the EU has actually managed to build a cryptographically verifiable proof-of-vaccination system. Scammers taking the money and running is proof that it's working.

The US is comparatively messy — there is no national vaccination register, a number of states have banned vaccine passports, and proof is generally tracked on a piece of paper.

Australia, meanwhile, is in the weird situation where, despite its centralised national immunisation register and verifiable international vaccination certificate, it uses easily forged certificates for various domestic vaccination mandates. Instead of cryptographic proofs, the digital version of the certificate uses features such as a shimmering Coat of Arms watermark, an animated check mark, and a live clock. Printed paper versions are also acceptable as proof of vaccination; their key protection is the Coat of Arms watermark.

But here's the thing. It's already a crime to falsify vaccination records, and governments are doubling down with additional legislation that imposes large fines specifically for using fake vaccination certificates. Decent cryptography works, but steep penalties for abuse will get governments somewhere too.

Nonetheless, we think the use of fake Covid-19 vaccination records should primarily be addressed by issuing verifiable certificates. The technology and open source reference implementations already exist. Public health measures that rely on confirming Covid-19 vaccination status could potentially last for years (there's always a new variant!), so the hard work bringing together the various building blocks could pay off in the long run. So get cracking, policy folks.

Three Reasons to be Cheerful this Week:

  1. Not Squid Game: Haechi-II, a 20-country Interpol operation supported by the Republic of Korea, resulted in over 1,000 arrests and the interception of nearly USD$27m in illicit funds. The countries involved covered every continent and ranged from less developed countries such as Angola and Laos to Japan and Singapore (but, interestingly, no Five Eyes country). Interpol's press release highlights a couple of cases that show China's willingness to collaborate when money is sent to accounts in China: all of the USD$800k stolen from a Slovenian company was recovered, as was most of USD$8m stolen from a Colombian textiles company in a BEC scam.
  2. Israel Shortens its Cyber Export List: The Israeli Government has reduced the list of countries that its firms can export surveillance hacking tools to from 102 countries to 37. Some of the countries now excluded include Morocco, Mexico, Saudi Arabia and the UAE, which have all been linked to the abusive use of Israeli cyber tools to target civil society.
  3. USD$1.5m seized from a REvil and Gandcrab affiliate: the FBI seized the cryptocurrency from an Exodus wallet. Awooooooooo!


Coming Soon to an Insurance Policy Near You

Lloyd's of London has issued model "Cyber War and Cyber Operation Exclusion Clauses". These are designed to exclude or limit cyber insurance coverage from losses caused by war or through offensive cyber operations (operations that disrupt, deny, degrade, manipulate or destroy). Interestingly, attribution relies on the government of the affected state; otherwise it is up to the insurer to prove state action. Between cuts to ransomware coverage and now this, we're seeing a gradual whittling down of what's actually covered. Sad times for those who'd just like to insure their way to an easy-sleeping nirvana.

Qihoo 360 Does AT&T a Solid

5,700 AT&T VoIP servers were compromised by a DDoS botnet using a blind command injection technique, according to 360 Netlab, the Network Security Research Lab at Chinese firm Qihoo 360. These EdgeMarc Enterprise Session Border Controller devices were compromised by an exploit discovered in 2017. In addition to launching DDoS attacks the malware could also steal information, although AT&T told The Record "We have no evidence that customer data was accessed" and they "have taken steps to mitigate". Not really that reassuring.

£17m Fine for Clearview

The UK Information Commissioner's Office intends to fine Clearview AI £17m for failing to comply with UK data protection laws. Clearview attempted to identify individuals by comparing uploaded photos to a database of three billion images it had scraped from social media platforms and other websites. It tried to sell this facial recognition service to law enforcement agencies.

Earlier this month the Australian Information Commissioner and Privacy Commissioner also found that Clearview AI had breached the Australian Privacy Act and ordered it to stop collecting data about Australians and delete what it already held. But no fines in that case, unfortunately.

Messaging Apps Are Not Created Equal

Here is a handy cheat sheet for the types of data that law enforcement can get from different messaging services. What is provided to law enforcement varies wildly. Signal provides only the date and time a user registered and when they last used the service. WhatsApp can provide address book contacts and a near real-time record of source and destination addresses for messages.

Only Microsoft Would Think This is a Good Idea

Microsoft is catching some heat for incorporating a "Buy Now, Pay Later" feature in Microsoft Edge. Yay for predatory lending?

When Cybercrime is Better than University

The Record has a nice personal story about life in Nigeria and how the disruption of Covid-19 drove some students to cybercrime. Lack of opportunity is a constant, but the pandemic made it worse. Perhaps worryingly, the piece reports that "cyber fraud in Nigeria is celebrated as a lifestyle identified through a series of fashion tropes, lingo, and music".

Understanding the Cyberspace Administration of China

Relevant to last week's discussion about China's system of cyber, data and privacy regulation, ASPI (Tom's former employer) has a new report, China’s cyber vision: How the Cyberspace Administration of China is building a new consensus on global internet governance. It covers the Cyberspace Administration of China's place in the Chinese policy system and also addresses how the CCP is working to build consensus on the future of the internet.

Crypto Wars 2: This Time, it's Reasonable

The US added 28 foreign firms and individuals to export restrictions blocklists. Most were listed because of contributions to Pakistan's nuclear and ballistic missile programs, but eight were listed for supporting PRC military quantum computing applications such as "counter-stealth and counter-submarine applications, and the ability to break encryption or develop unbreakable encryption".