Srsly Risky Biz: Thursday January 13

Your weekly dose of Seriously Risky Business news is written by Tom Uren, edited by Patrick Gray and supported by the Cyber Initiative at the Hewlett Foundation, AustCyber and founding corporate sponsors CyberCX and Proofpoint.

The newsletter will be taking a break and the next edition will be 27 January.

E2EE and Anonymous Payments Don't Mix

End-to-end encrypted (E2EE) messaging app Signal has rolled out a worldwide beta integration with MobileCoin, an anonymity-enhanced cryptocurrency (AEC). We expect this will result in an avalanche of legal and regulatory challenges.

One concern, explored well by Casey Newton at The Verge, is that combining end-to-end encryption with a cryptocurrency designed to make transactions anonymous will ultimately result in increased legal and regulatory pressure that puts Signal's entire enterprise at risk.

Alex Stamos, Facebook's former CSO, told The Verge "Signal and WhatsApp have effectively protected end-to-end encryption from multiple legal attacks at the state and federal level, but the addition of pseudo-anonymous money transfer functions greatly increases their legal attack surface, while creating the possibility of real-life harms (extortion, drug sales, CSAM sales) that will harm them in court, legislatures and public opinion".

Governments have tolerated E2EE messaging (so far) because although there are downsides (such as the loss of exceptional access for law enforcement) there are also clear benefits (such as secure communications for politicians). It's been impossible so far to find legislative or regulatory responses that don't throw the baby out with the bathwater.

But there is no such hesitancy when it comes to financial transactions. Thirty-seven governments, including China and Russia, collaborate through the Financial Action Task Force to develop international standards to combat money laundering (AML) and counter terrorist financing (CTF). Some of these standards include customer due diligence or Know-Your-Customer (KYC) requirements and the reporting of suspicious transactions. These standards, at least to some degree, are incompatible with privacy-enhanced cryptocurrencies.

Regulators will be able to rely on KYC requirements to identify people exchanging MobileCoin for cash, but the cryptocurrency payments themselves will be completely opaque. Governments will tolerate anonymous communications, but not anonymous money transfers.

Despite widespread international agreement about AML and KYC, Stamos expects that challenges to E2EE could arise from US state regulators. "Until this moment, local DAs and state AGs didn't have a lot of levers to pull if they wanted to attack an E2EE provider, but the addition of money transmittal (sic) could change that. NY is especially powerful in this area," he wrote. "Any AG/DA can just use existing AML/KYC laws to punish Signal without legislation."

The comparison with Diem (formerly Libra), the cryptocurrency that Meta (formerly Facebook) has been trying to integrate into WhatsApp is illustrative. Diem is intended to provide affordable financial services to the unbanked, not private or anonymous transactions.

Despite this relatively 'regulation friendly' approach, Diem has still not launched after years of effort. Signal, by contrast, has just yolo'd a rollout, which is a recipe for regulatory pushback. Stamos sums it up: "Tech-libertarian types have always underestimated the power of governments, and opening up this kind of avenue of attack seems foolhardy."

There's no question integrating private communications with anonymous cryptocurrency transfer will enable some illegal activity. Anonymising technologies such as Tor and cryptocurrencies are used by criminals to access and pay for Child Sexual Abuse Material (CSAM). Integrating private payments with Signal will enable some criminality, it's just a question of degree. This might be acceptable if these harms were offset somehow, but what's the problem Signal is trying to solve?

Nicholas Weaver, senior computer security researcher at the International Computer Science Institute in Berkeley, California, told Seriously Risky Business that MobileCoin was "simply not suitable for legal payments".

Perhaps worst of all, Weaver is concerned about the distribution of MobileCoin funds:

The entire amount, 250 million, was mined in a single event and spread to insiders and the MobileCoin Foundation. Any transaction fees go to the MobileCoin Foundation.

Moxie Marlinspike's involvement with MobileCoin is somewhat murky. He was listed as the MobileCoin CTO in a 2017 whitepaper, but MobileCoin CEO Joshua Goldbard describes this as "erroneous". However, archived MobileCoin web pages show that Marlinspike was described as a member of "The Team". He's also been described as an early technical advisor. As best we can tell, his MobileCoin holdings — if any — are undisclosed.

Speaking to Wired, Goldbard confirmed that incorporation of MobileCoin into Signal has given the cryptocurrency a boost. "There are over a hundred million devices on planet Earth right now that have the ability to turn on MobileCoin and send an end-to-end encrypted payment in five seconds or less." Wired also reports that daily transactions have leapt from mere dozens to thousands per day.

Pushing ahead with MobileCoin integration is asking for regulatory trouble, and MobileCoin's somewhat opaque cast of beneficiaries give the whole thing a slight pong.

With Friends Like Xi's: China’s Ransomware Headache

This item was written by CTI analyst Daniel Gordon, who is contracted to the Department of Defense Cyber Crime Center. It was edited with input from Tom Uren, Brett Winterford and Patrick Gray.

It might not make the English speaking news, but Russian ransomware is heavily impacting Chinese organisations.

It's causing enough pain that at some point in the near future, China's leaders will need to formulate a counter-ransomware strategy, and that's where things will get interesting. The fact is, China has counter-ransomware options available to it that the USA just doesn't have, like decent diplomatic relations with Russia.

First, let's set the scene. According to multiple Chinese cybersecurity vendors, as well as the country's CERT, Chinese organizations are routinely being compromised by ransomware, and the bulk of this activity is attributed to Russian-speaking criminal actors.

It's impacting every major critical infrastructure sector in China, including healthcare, transportation, energy, manufacturing, education and government. In 2020, Qihoo360 claimed 3,700 systems were confirmed "poisoned". Rising identified 860,000 successful ransomware attacks in the same year.

Chinese security vendors attribute these attacks to a lot of familiar names. Sodinokibi and GandCrab, both associated with REvil, top the list. Phobos, Dharma, and Crysis also make the list and all three are linked to Russian-language criminal forums and a related code base. Makop, the successor of Crylock, and Buran are also-rans also tied to the Russian underground. Medusalocker, Magniber, and Cerber also make an appearance. The reason they sound familiar is they're the same crews wreaking havoc in the West. VirusTotal data backs this up.

So if we assume that China is as motivated as we are to solve the problem, what will its response look like?

Lots of folks lament that many ransomware operators and developers are beyond the reach of U.S. law because they live in Russia. China has a limited extradition treaty with Russia — allowing for the extradition of non-citizens only — and is not shy about arresting people domestically for online activity, including a ransomware operator who was likely identified via financial surveillance.

China’s relationship with Russia is complex, but valued by Russia, so we'd expect to see some diplomatic pressure applied, even if Russia extraditing its own citizens is off the table.

On the extrajudicial front, in contrast to the U.S. military's cyber operations' well-documented limitations, the PLA does not have a reputation for being overly cautious. Its cyber-hounds have a longer leash. So if China decides to go on the offensive it should be pretty spectacular.

Cooperation with the West would look a bit more complicated. In any case, there are things we should be doing, even at the coalface level.

Intelligence sharing, though ineffective when done badly, has a role to play. The task of attributing and identifying ransomware developers and operators is fundamentally an act of sharing and consuming intelligence. If China is interested in acting against ransomware crews, providing the names and IP addresses of people behind ransomware attacks in China to its authorities may well be in everyone's shared interests. If we can share intelligence with China that proves ransomware actors are a mutual threat, the results could be entertaining.

Intel sharing is also realistic. FBI agents and MSS officers skipping through flowery fields, arm in arm, while they cooperate in putting ransomware developers in handcuffs in Moscow would gladden many hearts, but it just won't happen. But swapping attribution information might just work.

There are other actions China might take that will just improve the situation for everyone. The entire ransomware ecosystem currently relies on cryptocurrency as a mechanism for payments and money laundering. Sanctions on the cryptocurrency exchanges that facilitate ransomware transactions would have more teeth if China were also enforcing them. If ransom payment and laundering via cryptocurrency were curtailed, some ransomware gangs may have to fall back to more complicated, riskier, and less efficient laundering methods including gift card purchases, money transfer apps, money mules, shell companies or mobile commodities, and banks willing to turn a blind eye.

China has leverage with Russia, significant military and espionage capabilities, and a desire to promote PRC interests worldwide. The scale of ransomware activity in China will be tough for its leadership to ignore, especially for a regime obsessed with maximising economic output and cracking down on corruption. China risks being seen as a safe target for ransomware crews, so some limited cooperation with the West is realistic. And even if China goes it alone, its actions could boost a rising tide that will lift all our ships, if only a little.

Being an Open Source Developer Sucks

The maintainer of the colors and faker NPM libraries, Marak Squires, intentionally broke the two packages, apparently to protest big corporations making money from his work. Both were very popular — colors had over 20m weekly downloads and nearly 19,000 dependents on npm; faker 2.8m weekly downloads, so his ragequitting broke a lot of downstream apps.

In November 2021, the developer flagged his frustrations on his GitHub account: "I am no longer going to support Fortune 500s (and other smaller sized companies) with my free work. There isn't much else to say. Take this as an opportunity to send me a six figure yearly contract or fork the project and have someone else work on it".

This newsletter has previously mentioned several ways to potentially improve the resilience of the FOSS supply chain: a software bill of materials (SBOM), security audits for high impact packages and improving the security of developer accounts with security keys. These efforts don't really help stop a previously reliable developer from deliberately sabotaging their own products, although an SBOM would help a little when it comes to cleaning up the mess.

Squires' actions may have been motivated in part by some personal difficulties, but regardless, at the scale of the FOSS supply chain there will always be developers facing challenges that affect their ability or willingness to support projects.

Three Reasons to be Cheerful this Week:

1. Salesforce to require MFA. While some of the MFA methods that Salesforce will accept (such as TOTP authenticator apps) are still susceptible to the MFA phishing MitM attacks we wrote about last week, requiring MFA is still a great move.
2. A win against dark patterns. France's privacy regulator, the National Commission on Informatics and Liberty or CNIL, has fined Google (€150m) and Facebook (€60m) for making it easier to accept cookies than it is to refuse them. Dark patterns are user interface designs that trick or funnel users into making choices that benefit the company rather than allowing consumers more equal choices.
3. iOS15.2 has a new 'App Privacy Report' feature. It records data and sensor access (eg. camera, microphone or location), and also network access. This data is made available as a privacy report. Providing access to this is a good thing and users can update privacy settings, revoke permissions or even delete an app if they find unexpected location access or microphone use. But the list of domains and websites contacted isn't useful for most people.

Paying the Bills

Risky Business has launched something new: product demos that we're publishing to YouTube. This new sponsorship product will help us fund this newsletter and make it sustainable, so if you happen to subscribe to our new product demo page on YouTube we sure would appreciate it. We published two demos late last year. The first is with Remediant co-founder Paul Lanzi showing off their network-based (read: "actually deployable") PAM solution. The second is with Ryan Noon of Material Security. They make a product that secures and redacts email at rest, but it has a lot of other features too.

Shorts

More Moxie

Moxie Marlinspike published a critique of web3 and NFTs. For those hiding under a rock, an NFT or Non-Fungible Token is theoretically a way to prove ownership (sort of) of a digital asset. Except Marlinspike shows that an NFT might just be a way to 'prove' that you own a poop emoji instead. It's well worth reading.

US Warns of Russian Attacks on Critical Infrastructure

A joint US government alert warns of Russian state-sponsored threats to US critical infrastructure. We think this is the US government warning about the possibility of more aggressive Russian action that might arise as a result of tensions over Ukraine, and not a warning about current action.

Manuscripts Missing, Presumed Read

An Italian man, Filippo Bernardini, working in the book publishing industry ran a five-year long phishing campaign to steal unpublished manuscripts. Bernardini used over 160 domains in the campaign to steal hundreds of books  authored by the likes of Margaret Atwood, Stieg Larsson, Sally Rooney, and actor Ethan Hawke. He didn't do anything with the manuscripts — the Justice Department claims "Bernardini was allegedly trying to steal other people's literary ideas for himself, but in the end he wasn't creative enough to get away with it".