Srsly Risky Biz: Thursday May 19

There's something fishy in the Pacific, and on data sales, a decree...

Your weekly dose of Seriously Risky Business news is written by Tom Uren, edited by Patrick Gray and supported by the Cyber Initiative at the Hewlett Foundation, AustCyber and founding corporate sponsors CyberCX and Proofpoint.

Biden Data Transfer EO Just Another Trump Card

The Biden administration is in the process of drafting an executive order to restrain data transfers to foreign adversaries like China. According to Reuters, the order as drafted would give Attorney General Merrick Garland the authority to review and potentially block transactions involving the sale or transfer of data.

An effective executive order would be a good first step, but what comes next?

The ultimate problem here is that China has a clear strategy to use data for strategic advantage and the US doesn't. Dr. Samantha Hoffman, Senior Analyst at ASPI and author of Engineering global consent, a report on the Chinese government's use of data, describes China's strategy as "engaging in data collection on a massive scale as a means of generating information to enhance state security – and, crucially, the political security of the Chinese Communist Party (CCP)".

China's strategy is broadly understood within the intelligence community. In an interview with the BBC, Richard Moore, the head of the UK's MI6, warned of China's ability to "harvest data from around the world".

US intelligence has also issued a public warning on Chinese collection of US healthcare and genomic data in particular. The statement notes that genomic data could be particularly useful when combined with other information obtained in breaches attributed to the PRC. It cites examples like the hacks of the US Office of Personnel Management, Marriott hotels, Equifax, and Anthem, to name a few:

The combination of stolen PII, personal health information, and large genomic data sets collected from abroad affords the PRC vast opportunities to precisely target individuals in foreign governments, private industries, or other sectors for potential surveillance, manipulation, or extortion.

By contrast, the US doesn't have an explicit strategy for managing its citizens' data. There is a sparse patchwork of state-level privacy regulations, but the status quo that has evolved really prioritises commercial benefits over national security and privacy concerns.

This week the Irish Civil Liberties Council released a report into real-time bidding (RTB), one of the mechanisms used behind the scenes in internet advertising, which hints at the scale of the problem. It found that, on average, a US person has "their online activity and location exposed 747 times per day". Europeans were a bit better off in that they were only outed 376 times per day! This is problematic because this data is then bought, sold, and shared globally in a more or less unconstrained way — who knows where it ends up? And RTB data is just one input into the ad tech and data broker ecosystem, so it is potentially combined with a lot more information.

Policymakers are increasingly aware of the national security problems of an essentially unregulated data ecosystem, and this isn't the first time PRC-related data issues have come to the fore in the US. TikTok was sanctioned by two President Trump Executive Orders in August 2020. These executive orders now seem like some sort of half-remembered fever dream as they were never implemented and were subsequently overturned by President Biden, whose overriding executive order just happened to mention in passing that the government should base decisions on "rigorous, evidence-based analysis".

This back and forth on TikTok is symptomatic of the US policy community not understanding the underlying problem. "The problem isn't adequately understood," Hoffman told Seriously Risky Business. "[US policymakers] aren't able to articulate what makes data have strategic value. And what values are we trying to protect?"

The meaning of the oft-used phrase "liberal democratic values" isn't even agreed upon, she added.

Should human rights be at the centre of a US data strategy? In one way, the idea is attractive because it is the diametric opposite to the PRC's approach of using data to support state power, but frankly, the EU's implementation of a rights-based approach is both pointlessly painful (yes, I accept your stupid cookie policy) and stifles innovation. And Hoffman cautions that "even with a strategy, the methodology to decide what data is important still needs to be developed".

European Grooming Detection Proposal Panned

The European Commission has proposed that companies be forced to scan end-to-end encrypted (E2EE) messages for child sexual abuse material (CSAM) and evidence of grooming.

This proposal was broadly panned by a variety of groups for being both technically impossible and introducing risks to all users and was described in the press as a "war upon end-to-end encryption" and an "attack on privacy".

The most controversial part of the proposal allows national regulators to impose "detection orders" which compel services to search for and report CSAM and grooming (the solicitation of children for sexual abuse) regardless of whether the services use E2EE. These detection orders can be used if a service's protections against the risk of child abuse aren't deemed to be up to scratch.

The proposal recognises that grooming detection is "generally speaking the most intrusive one for users… since it requires automatically scanning through texts in interpersonal communications". But it doesn't say how scanning for grooming should be carried out, other than to say that service providers should do the best they can:

Providers will have to deploy technologies that are the least privacy-intrusive in accordance with the state of the art in the industry, and that limit the error rate of false positives to the maximum extent possible.

Regarding grooming detection, the proposal cites the accuracy of a Microsoft grooming detection tool at 88%, "meaning that out of 100 conversations flagged as possible criminal solicitation of children, 12 can be excluded upon review and will not be reported to law enforcement". But this particular tool's intended application, scoring chats in multiplayer games and services like Discord, is quite different from communications on messaging platforms.

Without knowing how the technology will be implemented and the scale of grooming, it is hard to know what this means. Does this mean hundreds of thousands of innocent messages will be manually reviewed to stop millions of grooming attempts? And is that acceptable?
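The "88% accurate" figure is a precision measured in one population of conversations, and precision depends on how common grooming is in the population being scanned. As an added illustration that is not part of the newsletter, the following uses constructed detector rates and prevalences to show how the same classifier's precision collapses when it is moved from a context where grooming is relatively common to one where it is a hundred times rarer, which is the reviewer-workload question the paragraph above raises.

```python
from dataclasses import dataclass
from fractions import Fraction

# Fractions keep the arithmetic exact so the effect is not blurred by rounding.


@dataclass(frozen=True)
class Detector:
    tpr: Fraction  # share of real grooming conversations the classifier flags
    fpr: Fraction  # share of innocent conversations it wrongly flags


def flagged(d: Detector, n_conversations, prevalence):
    """Expected (true positives, false positives) from scanning n_conversations
    where `prevalence` is the fraction of conversations that really are grooming."""
    positives = Fraction(n_conversations) * prevalence
    negatives = Fraction(n_conversations) - positives
    return positives * d.tpr, negatives * d.fpr


def precision(d: Detector, prevalence):
    """Share of flagged conversations that are real grooming (the '88%' style figure)."""
    tp, fp = flagged(d, 1, prevalence)  # the population size cancels out
    return tp / (tp + fp)


def prevalence_for_precision(d: Detector, target):
    """Invert precision(): the prevalence at which this detector reaches `target`.
    Solves p*tpr / (p*tpr + (1-p)*fpr) = target for p."""
    return target * d.fpr / (d.tpr * (1 - target) + target * d.fpr)


if __name__ == "__main__":
    # Constructed detector: catches 90% of grooming, wrongly flags 0.1% of innocent chats.
    det = Detector(tpr=Fraction(9, 10), fpr=Fraction(1, 1000))

    # Prevalence in the (constructed) calibration population that yields 88% precision.
    p_calib = prevalence_for_precision(det, Fraction(88, 100))
    print(f"prevalence giving 88% precision: 1 in {1 / p_calib:.0f} conversations")

    # Same detector, deployed where grooming is 10x and 100x rarer.
    for factor in (1, 10, 100):
        p = p_calib / factor
        tp, fp = flagged(det, 1_000_000_000, p)  # a constructed daily message volume
        print(f"prevalence/{factor:>3}: precision {float(precision(det, p)):.1%}, "
              f"per 1e9 conversations: {float(tp):,.0f} real hits, "
              f"{float(fp):,.0f} innocent conversations sent to review")
```

The point the run makes is that 88% precision in game chats says almost nothing about the false-positive load on a general messaging platform, where the base rate is unknown and almost certainly lower.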

In the words of Dutch group Bits of Freedom, the proposal tells service providers to "do the impossible, you get to decide how".

The proposal is not all bad, however, and much of it is actually fairly sensible.

In its justification, the proposal notes that the current status quo "has proven to be insufficient to adequately protect children" and there is no consistent application of protections across different platforms — some do a lot to combat CSAM, and some do next to nothing. Almost "all reports of child sexual abuse received in 2020 came from one company, despite clear evidence that the problem does not only exist on one platform".

The proposal addresses this by placing obligations on providers to detect CSAM, remove or block it, and report it to a new EU Centre on Child Sexual Abuse. The Centre would be an intermediary between victims, platforms, and law enforcement; would triage and validate reports; and also manage databases used to detect illegal material. A government-funded Centre is a good idea as the current architecture has grown organically, and a European Centre could probably better meet EU needs rather than the current default global hub, the US-based National Centre for Missing and Exploited Children.

Providers will have to assess the risk of child abuse and implement mitigations, and detection orders should only be issued when national authorities determine that a "significant risk remains". So detection orders feel like a big stick that may be used to encourage the implementation of other less intrusive risk mitigations.

In this sense, the EU proposal is similar to other current or proposed legislation globally that pushes providers to meet certain standards. In Australia, the Online Safety Act 2021 imposes Basic Online Safety Expectations (BOSE) that service providers will be required to meet. The BOSE requires, for example, that encrypted services "will take reasonable steps to develop and implement processes to detect and address material or activity on the service that is or may be unlawful or harmful". The UK's Online Safety Bill has a similar intent.

And there are lots of things providers can do to improve safety and counter CSAM without placing E2EE messaging at risk. Many ideas are captured in an independent human rights impact assessment of Meta's E2EE expansion plans. The assessment presents many recommendations that could significantly affect bad actors if implemented. A few examples:

  • Use metadata analysis and behavioural signals to identify problematic behaviour
  • Encourage user reporting using behavioural nudges, user education and by altering the user interface
  • Invest in ensuring that users who have violated platform policies cannot return

Many of the recommendations may be difficult to implement, but the assessment presents a whole swathe of complementary recommendations that could collectively make a significant dent in online CSAM, even if many on their own are not all that effective.

The EU proposal as it currently stands focuses too much on detection orders as an endpoint while under-emphasising what should be done to raise the baseline level of CSAM prevention across platforms.

The Pacific is Leaking

CyberCX, a corporate sponsor of this newsletter, believes a recent hack of the Nauru Police Force was intended to influence Australian politics, occurring just weeks before the upcoming May 21 Australian federal election.

The hacker leaked emails relating to the Nauru Police Force and the operation of an immigration detention facility on Nauru. In a statement accompanying the hacked data, the group asks the "newly elected Australian government" to end mandatory detention for asylum seekers, grant them permanent residency and investigate allegations of abuse. Interestingly, more than half of the statement is copied from other sources — CyberCX hypothesises that perhaps this is an OPSEC measure to hide the author's style or cover that they are a non-English speaker.

CyberCX is also sceptical about media reporting that the hack is attributable to Anonymous — this appears to have no real basis, although CyberCX doesn't have any indication that the threat actor is a nation-state.

Australian refugee policies have been a sensitive issue for years so it's possible that the person or group responsible simply doesn't like the current government's policies. But that's also what an outside party would want us to think. Homegrown hacktivism or state backed disinfo? We've got a betting pool going at Risky.Biz HQ and hopefully there'll be enough certainty in time that someone gets paid.

Three Reasons to be Cheerful this Week:

  1. Stricter cyber security standards in the EU: The EU Parliament and member states announced they've agreed to updated cyber security standards (NIS2). The NIS2 directive both strengthens cyber security requirements and also expands the scope to cover more entities in more sectors.
  2. Movement on Open Source Security: The Open Source Security Foundation released a 10-stream plan to improve the security of open source software and received pledges of over USD$30m to fund an initial body of work. Google also announced the creation of the Open Source Maintenance Crew, "a dedicated staff of Google engineers who will work closely with upstream maintainers on improving the security of critical open source projects".
  3. In addition to his medical practice: On Monday the Department of Justice announced it had charged Moises Luis Zagala Gonzalez (Zagala) with crimes relating to the development and sale of ransomware. Zagala, a Venezuelan cardiologist (!??!), sold and rented ransomware software. United States Attorney Breon Peace announced the charges: "As alleged, the multi-tasking doctor treated patients, created and named his cyber tool after death, profited from a global ransomware ecosystem in which he sold the tools for conducting ransomware attacks, trained the attackers about how to extort victims, and then boasted about successful attacks, including by malicious actors associated with the government of Iran".

Save Time with a Risky.Biz Product Demo

Risky Business is publishing sponsored product demos to YouTube. They're a great way for you to save the time and hassle of trying to actually get useful information out of security vendors.

In our latest demo, Sergio Gonzalez shows Patrick Gray the ins and outs of Red Canary's Managed Detection and Response service.

You can subscribe to our product demo page on YouTube here.


MSPs Under Attack

Five Eyes cyber security authorities last week issued a joint advisory warning that they "are aware of recent reports that observe an increase in malicious cyber activity targeting managed service providers (MSPs) and expect this trend to continue".

The advisory contains information that is intended to "enable transparent, well-informed discussions between MSPs and their customers" about securing sensitive data and risk tolerance. It's worth having a look at the advisory and using it as a template for discussions to make sure both MSP and clients know where they stand.

Another joint advisory this week (from Five Eyes cyber security authorities plus the Dutch one) lists the most common poor security practices and misconfigurations exploited to gain initial access. There are some clangers here, including default passwords, unpatched and out-of-date software, and weak passwords.

Greetings, Fellow Westerners!

The US government has warned that North Korean IT workers are trying to get lucrative IT jobs to fund North Korea's weapons of mass destruction (WMD) and ballistic missile programs. These workers try to get freelance work from wealthier nations and, not surprisingly, don't let on that they are North Korean and instead pretend to be South Korean, Chinese, Japanese, Eastern European or even US-based remote workers.

These workers normally engage in non-malicious IT work but will sometimes assist malicious North Korean cyber actors by using privileged access to enable intrusions or provide other support such as assisting with money-laundering and virtual currency transfers.

But the North will leverage information from wherever it can. On Tuesday, South Korean officials indicted four North Koreans for the attempted 2011 breach of a South Korean bank. A South Korean was also indicted for assisting the North's hackers.