Srsly Risky Biz: Thursday May 12

Your weekly dose of Seriously Risky Business news is written by Tom Uren, edited by Patrick Gray and supported by the Cyber Initiative at the Hewlett Foundation, AustCyber and founding corporate sponsors CyberCX and Proofpoint.

Crunch Time for Facial Recognition

In a court settlement with the American Civil Liberties Union (ACLU), controversial facial recognition technology company Clearview AI agreed to not sell access to its facial recognition database of over 10 billion images to private companies or individuals in the US (although selling the use of its algorithm alone is ok).

The ACLU, which brought the case under a US state law, the Illinois Biometric Information Privacy Act, described the settlement as a "big win", although Clearview's lawyers also managed to claim victory, writing in a statement:

This settlement is a huge win for Clearview AI. Clearview AI will make no changes to its current business model. It will continue to expand its business offerings in compliance with applicable law.

The settlement does not require any material change in the company's business model or bar it from any conduct in which it engages at the present time.

Given that Clearview is paying USD$250k for the ACLU and other plaintiffs' legal fees and USD$50k to publicise the settlement, we think they are really stretching to describe the outcome as a 'win'.

Clearview's facial recognition technology is objectively pretty good, as determined by NIST's facial recognition technology testing. The company has fallen afoul of various regulators, however, for voraciously scraping publicly available images for its facial database without consent.

Clearview is not the only company that does this, but the ACLU's Nate Wessler, Deputy Director of its Speech, Privacy, and Technology Project, told Seriously Risky Business that Clearview was "especially brazen among American companies" in harvesting faceprints without consent.

"We hope this settlement will be a strong deterrent to any other company considering replicating Clearview’s original business model, by making clear how untenable such practices are under Illinois’ strong law."

Clearview also aggressively marketed its product to law enforcement by offering free trial accounts to individual police officers without the knowledge of their employers.

The unconstrained collection of biometrics and unregulated use by police forces is concerning, but we think privacy advocates sometimes go too far.

In a statement given to this newsletter, for example, the EFF's Senior Staff Attorney Adam Schwartz wrote:

The settlement announced today in the Illinois lawsuit, ACLU v. Clearview, demonstrates the need for strong data privacy laws, modelled on the Illinois Biometric Information Privacy Act. These laws must also include a ban on government use of face recognition technology, including through private contractors like Clearview.

Similarly, the ACLU's Wessler told Seriously Risky Business that the ACLU was working to "enact state and local bans on police use of face recognition technology in dozens of jurisdictions across the country".

Although these technologies present risks to civil liberties, they can also be used to improve public safety. The trick is to strike the right balance.

James Lewis, Senior Vice President at the Center for Strategic and International Studies (CSIS) and author of a report on the responsible use of facial recognition technologies, told Seriously Risky Business public safety "tends to get left out" of the discussion.

In most respects, the three experts we consulted were in agreement.

They all agreed that there are more risks from facial recognition technology than just Clearview and that overarching federal legislation is desirable. As Lewis puts it, "federal regulation would be the best solution instead of 50 states with different rules".

Where they differed however, was on the desired end state. Wessler and Schwartz were sceptical about legitimate government uses of facial recognition technology, whereas Lewis argued for a tiered approach, outlined below:

1. Strict controls on use by law enforcement agencies should be similar to those used for communications data. These should include oversight and prior approval for programs, transparency in use, rules limiting secondary uses of collected data, and requirements for human review and rights for redress.
2. Rules governing government uses other than law enforcement should be less restrictive. These should also include transparency and oversight, defining acceptable secondary uses, and providing processes for redress.
3. Rules for commercial use should be linked to improved privacy protections. Rules for commercial use in public spaces may need to be more fulsome than rules for on-premise use.

These tiers make sense to us, and there are certainly reasons to be wary of unrestrained government access to its citizen's data. A Georgetown Law Center on Privacy and Technology report this week says US Immigration and Customs Enforcement (ICE) has built a "surveillance dragnet by tapping data from private companies and state and local bureaucracies" while avoiding congressional oversight.

Russia's Coolest Hack Condemned by EU, Five Eyes

The US, UK, European Union, and other countries have formally attributed various cyber attacks on Ukraine to Russia, mostly notably the hour-before-invasion attack on Viasat's KA-SAT communications network. The attack affected tens of thousands of terminals, and although aimed at Ukrainian command and control, other customers were affected, including private and commercial internet users and wind farms in central Europe.

Interestingly, while some statements explicitly condemn malicious cyber activity in general or the attack on KA-SAT in particular, the UK's statement is much more circumspect. It said "Russia is responsible for a series of cyber-attacks", but didn't explicitly condemn them separately from Russia's broader war.

The Russians seem to have focussed their attack on terminals in spot beams that serviced Ukraine rather than disabling KA-SAT entirely, so there is an argument to be made that this was a proportionate attack on a legitimate military target.

Other destructive attacks also seem to have, at least so far, been focussed relatively narrowly on Ukraine, and we haven't (thankfully!) seen a repeat of NotPetya. From what we can see so far (a huge caveat!), we think Russian cyber operations have been relatively responsible.

A statement by UK Foreign Secretary Liz Truss points out that cyberspace isn't special and that unprovoked aggression is a problem wherever it occurs:

We will continue to call out Russia’s malign behaviour and unprovoked aggression across land, sea and cyberspace, and ensure it faces severe consequences.

The real problem with all these destructive cyber operations isn't the attacks themselves, it's that the whole war is unjustified, irresponsible, and illegal. These cyber attacks are arguably targeted and proportionate, but what makes them necessary? Putin's idiocy?

Ransomware "National Emergency" in Costa Rica

The newly installed President of Costa Rica, Rodrigo Chaves, has declared a state of emergency after a ransomware attack by the Conti group. The attack took place in mid-April, prior to Chaves’ inauguration, and has affected a number of government organisations including the Ministry of Finance. Independent news outlet Amelia Rueda reports that the Finance Ministry has been without digital services since 18 April and has to resort to manual procedures.

Funnily enough, the fact ransomware hasn't destroyed the government's ability to function illustrates the limits of disruptive cyber operations in other contexts — Conti has caused a lot of pain in Costa Rica, resulting in a national emergency, but somehow the government is muddling through. It says it is refusing to pay a USD$10m ransom, and the angry rhetoric from Conti's affiliate makes us believe them.

Brett Callow, a threat analyst and ransomware expert at Emsisoft, told Risky Business News that the Costa Rica attack may represent a shift in focus for ransomware crews.

"The US public sector has long been ransomware gangs' target of choice, but that may be changing. While attacks in countries like Costa Rica and Peru may not offer the same ROI, the increasing number of successes by US and European LEAs may make them seem like a safer choice," Callow said.

The US State Department calls Conti "the costliest strain of ransomware ever documented" and cited an FBI estimate of over 1,000 victims and USD$150m in ransom payments. However, Chainalysis counted Conti's takings at USD$180m in 2021 alone, so who knows what the real total is. The State Department continues to use large rewards as a tool against cyber criminals. It cited the Costa Rican incident when offering rewards of up to USD$10m for Conti's key leadership and USD$5m for other Conti co-conspirators.

Conti is the third ransomware group that the State Department has offered rewards for, after DarkSide and REvil in November last year. It's not clear what impact these type of rewards have, but that's ok: Even if rewards don't work, they're low cost until they do.

Three Reasons to be Cheerful this Week:

1. My Phone is my password: Apple, Google and Microsoft have announced that they'll support a passwordless sign-in standard created by the FIDO Alliance and the World Wide Web Consortium. This means that one day you'll be able to log onto all the things by logging onto your device. Brian Krebs has a good wrap on the tricky but not all that uncommon problems like, what happens when you lose your phone?
2. Fined for Being Hopeless: The US Department of Transportation's Pipeline and Hazardous Materials Administration (PHMA) intends to fine Colonial Pipeline USD$1m for not complying with various control standards. Colonial Pipeline was victim of a May 2021 ransomware attack that resulted in significant disruption to US east coast fuel supplies. The fine doesn't relate to cyber security standards per se, but Colonial essentially ignored the requirement for it to have manual shutdown and restart procedures in place. Colonial's 'plan' for a manual restart was to just figure things out if they ever needed to. PHMA alleges this planning failure "contributed to the national impacts when the pipeline remained out of service after the May 2021 cyber-attack".
3. Mandatory MFA for Github: Github will require all users who contribute code to use MFA by the end of 2023. It sounds like Github would like to move faster but will spend some time figuring out how to improve security without it being too much of a PITA, such as by using passwordless authentication (cheerful reason #1).

Save Time with a Risky.Biz Product Demo

Risky Business is publishing sponsored product demos to YouTube. They're a great way for you to save the time and hassle of trying to actually get useful information out of security vendors.

In our latest demo, Airlock Digital CEO David Cottingham shows Patrick Gray how Airlock manages effective and usable application allow and block-listing.

You can subscribe to our product demo page on YouTube here.

Shorts

Knives Out in Spain's Phone Hacking Fallout

The head of Spain's official intelligence agency (the CNI), Paz Esteban, has been dismissed after two separate mobile spyware campaigns have come to light in recent weeks.

The first campaign (our first Short article here) involved the domestic targeting of individuals linked to the Catalan separatist movement. The second campaign, most likely international espionage, involved the compromise of the phones of the Prime Minister, the Minister of Defence, and the Interior Minister.

Esteban reportedly admitted the CNI had hacked some Catalan pro-independence politicians after obtaining judicial approval, but the government says the second campaign is "illegal and external".

It's not altogether clear why Esteban is being removed. When announcing her dismissal, Defense Minister Margarita Robles implied that it was because the compromise of senior ministers' phones went undetected for so long. Robles said "that [the hacks of government phones] took a year to discover, well, it is clear there are things that we need to improve".

"We are going to try to ensure that these attacks don’t happen again, even though there is no way to be completely safe", Robles continued.

We have our suspicions that Esteban's removal has more to do with politics than insecure phones — the current minority government relies on Catalan separatist parties for support in Parliament.

What Does the F in F5 Stand For?

It's been a while since we've seen a dunce-cap level vulnerability in enterprise software, but F5 has come through with a doozy. Its BIG-IP portfolio of appliances that includes encryption inspection boxes, load balancers and firewalls are vulnerable to an attack that lets people log on as an admin without a password.

A patch is available and this is definitely one to fix quickly. This vulnerability is being exploited and has already been added to CISA's list of exploited vulnerabilities. There were reports someone was dropping a wiper which deletes the BIG-IP devices Linux file system, but this doesn't appear to have been widespread.

A bunch of similar bugs made last week's Five Eyes 2021 Top Routinely Exploited Vulnerabilities list. These bugs — in Accellion, Fortinet, Pulse Secure and SonicWall devices — are internet-facing, tend to have broad access into a network and often have administrative privileges. Everything an attacker could wish for, wrapped up in a nice null password bug.

Keep On Embuggering

In early April, we examined possible changes to National Security Presidential Memorandum 13, the policy under which US Cyber Command conducts offensive operations. CyberScoop reports the likely resolution is that the State Department will get more say on 'third-party notifications', forewarning a country if an operation is going to be conducted within its territory. Will this slow the pace of offensive operations? Possibly not — sources told CyberScoop that the parties reached consensus.