Srsly Risky Biz: Thursday May 5

Roe v Wade leak puts location data privacy front and centre...

Your weekly dose of Seriously Risky Business news is written by Tom Uren, edited by Patrick Gray, and supported by the Cyber Initiative at the Hewlett Foundation, AustCyber, and founding corporate sponsors CyberCX and Proofpoint.

Bombs and Bad Packets Fly in Ukraine

A new Microsoft report has taken a comprehensive look at how Russia is using cyber operations in its invasion of Ukraine.

There are two clear takeaways. The Russians have launched lots of operations, including nearly 40 destructive attacks, so there has been an active cyber component to this war (despite some mainstream reporting). But it's also clear that these cyber operations have not much changed the progress of the war. Microsoft writes the various attacks "have had an impact in terms of technical disruption of services and causing a chaotic information environment, but Microsoft is not able to evaluate their broader strategic impact".

This doesn't mean that these attacks didn't have some significant impact. One of the earlier Russian attacks in the hours before the invasion started disrupted communications on a Viasat KA-SAT satellite servicing Ukraine (and other European countries). These systems were used intensively by the Ukrainian military and Victor Zhora, a senior Ukrainian cybersecurity official, told reporters in a briefing that this caused a "huge loss in communications in the very beginning of the war".

This had the potential — perhaps — to have significant effects if SpaceX's Starlink satellite service hadn't stepped in to replace the lost Viasat capability. The country now has more than 10,000 Starlink terminals and the service is being used to restore internet access to war-ravaged parts of Ukraine, sometimes with a single terminal handling over 150 subscribers. The Ukrainian military is also using Starlink to support drone strikes by connecting operators to targeting databases and can also provide communications in besieged cities. One Ukrainian soldier claims it "changed the war in Ukraine's favour. Russia went out of its way to blow up all our comms. Now they can't. Starlink works under Katyusha fire, under artillery fire. It even works in Mariupol".

As for the rest of Russia's cyber-campaigns, Microsoft's report says it "observed that cyber and kinetic military operations appeared to be directed toward similar military objectives. Threat activity groups often targeted the same sectors or geographic locations around the same time as kinetic military events."

This sounds more like sharing objectives rather than coordinating specific action and isn't the same as the tight coupling we've seen described in some Western military operations. In the fight against ISIS, for example, a US cyber operation took down communications at a primary command post. This forced fighters to relocate to alternate command posts, whose locations had previously been unknown. The fighters were tracked to these alternate sites, which were then destroyed with conventional action.

These types of tightly coupled operations require extensive planning and coordination, and perhaps when the heat is on, the lead time to prepare simply isn't available. Or perhaps these kinds of operations simply haven't come to light yet.

Microsoft found that Russia began preparing for the conflict as early as March last year, when sporadic targeting became constant. This pre-positioning "appeared aimed at securing persistent access for strategic and battlefield intelligence collection or to facilitate future destructive attacks in Ukraine during military conflict".

Microsoft also believes that the FSB, SVR, and GRU are all involved. GRU, military intelligence, has been launching destructive attacks, the SVR, foreign intelligence, has been focussed on diplomatic targets and the FSB, public security, has stolen data, conducted reconnaissance and phished. Microsoft to date has seen GRU actors "operating with restraint in the execution of destructive attacks by limiting malware deployments to specific target networks", so it looks like they might have learned a lesson from NotPetya. Hopefully.

Having more substantive data on the use of cyber operations in war is great, but it doesn't tell us what we want to know. From the cyber operations perspective, it looks like the Russians have had a red hot go and achieved some success without gaining any kind of decisive advantage. Is this as good as it gets?

For its part, Ukraine has defended itself relatively effectively. Mykhailo Fedorov, Ukraine's Minister of Digital Transformation, told Wired they had been preparing since 2014. “We have had eight years,” he says. Talking about ICS attacks in particular, Joe Slowik, an ICS threat hunter who now manages threat intelligence and detections engineering at Gigamon, told this newsletter that "I honestly think they’re better off than the US or Australia to defend against this sort of thing". Practice makes perfect, especially when combined with help from friendly Western cyber forces.

Allowing the Collection of Invasive Data is Just Dumb

The easiest way to mitigate the privacy and national security risks born of mobile device location data brokering is to severely restrict its collection in the first place.

The risks are very real. Motherboard's Joseph Cox has reported the masthead purchased location information related to visits to Planned Parenthood clinics in the US. Planned Parenthood provides a variety of sexual health services, including abortions, which are now particularly sensitive in light of the US Supreme Court potentially overturning Roe v. Wade, a 1973 court decision to protect a woman's right to choose. The data Motherboard bought for USD$160 contained information about devices that visited clinics, including how long they stayed and where they went afterward.

SafeGraph, the firm that sells this data, takes some steps to anonymise and aggregate data. Device home locations are only as accurate as the location's census block group, areas which can contain thousands of people, for example. However, the raw data used to calculate a device's likely home location is "GPS pings from anonymous mobile devices". The real problem here is that although SafeGraph is taking what may be reasonable steps to mitigate privacy and national security risk, without strong regulation and enforcement, 'reasonable' is entirely in the eye of the seller.

Furthermore, this type of data is notoriously difficult to anonymise effectively, so the techniques used shouldn't be left up to individual firms. Does SafeGraph's anonymisation and aggregation really protect privacy or national security? Maybe. Who knows. And there is nothing to prevent adversary states or unscrupulous groups from acquiring the exact same raw data and analysing it maliciously.

SafeGraph has a chequered history. It was banned from Google's Play Store and developers embedding SafeGraph's code in their own apps were told to remove it or face action that could mean removal from the Play Store. Another red flag — one of the investors is a former head of Saudi intelligence.

Last week we wrote about possible legislative changes but worried that current proposals "focus to a greater or lesser degree on restricting the sale and export of data once it has been created and collated, but the real game is in preventing the collection and collation of the riskiest data in the first place".

Not only are these data available and easy to buy, but they can be collated, manipulated, combined with other sources and then shared. Each data source, which individually can appear innocuous, can nevertheless provide more insight when combined with other data. When, exactly, does this jigsaw puzzle come together to form an all too clear picture that requires export control? What's to stop an adversary from buying the pieces individually?

In a document written last year and leaked this week, Facebook privacy engineers wrote:

We do not have an adequate level of control and explainability over how our systems use data, and thus we can’t confidently make controlled policy changes or external commitments such as “we will not use X data for Y purpose.”

The authors describe data flows as mixing different types of 'ink' (user data) by pouring it into a lake that flows everywhere. The document briefly describes how lots of disparate data is used to infer information.

To make this understanding a bit more concrete, consider this: There are 15K features used in ads models. The graph to the right shows the dependency chain of actual tables used to produce just one single feature. In total, ~6K tables (the red dots) were used to produce “user_home_city_moved”

In other words, even within a single company it isn't possible to trace and manage data flows to match a privacy policy.

Limiting sales or export is better than nothing, but it will only force an adversary to use front companies and shop around for the specific data it needs to build up a rich picture on its own.

Not collecting the riskiest data in the first place is more likely to make a dent. Apple Maps, for example, uses techniques that mitigate privacy concerns at ingest. These include using random identifiers that are changed multiple times per hour and converting precise locations into "less-exact" locations within 24 hours.

In the unconstrained free-for-all that exists now it is far too easy for adversaries to collate and combine their own dangerously invasive data sets. It would be far better to introduce protections from the beginning.

Three Reasons to be Cheerful this Week:

  1. Russian IT exodus: Russia is facing a brain drain following its invasion of Ukraine and is being forced to look to its prison population for IT expertise! News about the invasion is usually pretty grim, but this is the sort of schadenfreude we can get behind.
  2. Something for Small Business: Microsoft is selling Defender as a standalone product for USD$3 per user per month to organisations with up to 300 seats. Previously it was only bundled with the much more expensive Business Premium package.
  3. Cryptocurrency attack foiled!: An attack on the Rainbow Bridge cryptocurrency bridge was stopped automatically by a watchdog script. And in a rare cryptocurrency double happiness, USD$5.8m of funds from the more than USD$540m North Korean hack of the Axie Infinity game have also been frozen by cryptocurrency exchange Binance. To stay cheerful, we'll just ignore that USD$90m worth of cryptocurrency was stolen from DeFi platforms Saddle Finance and Rari Capital in two separate incidents over the weekend.

Save Time with a Risky.Biz Product Demo

Risky Business is publishing sponsored product demos to YouTube. They're a great way for you to save the time and hassle of trying to actually get useful information out of security vendors.

In our latest demo, Airlock Digital CEO David Cottingham shows Patrick Gray how Airlock manages effective and usable application allow and block-listing.

You can subscribe to our product demo page on YouTube here.

Shorts

Curious George

Google's TAG has an update on Eastern European cyber activity and has found an increasing number of groups using the war as a lure for phishing and malware campaigns. Worryingly, they've also found increasing targeting of "critical infrastructure entities including oil and gas, telecommunications and manufacturing".

Interestingly, TAG reports that Curious George, a Chinese group TAG attributes to the People's Liberation Army Strategic Support Force, is targeting:

government, military, logistics and manufacturing organisations in Ukraine, Russia and Central Asia. In Russia, long running campaigns against multiple government organisations have continued, including the Ministry of Foreign Affairs. Over the past week, TAG identified additional compromises impacting multiple Russian defence contractors and manufacturers and a Russian logistics company.

This just shows that Russia and China's strategic partnership doesn't (yet) trump intelligence requirements.

No Ransoms for North Carolina

The US state of North Carolina has banned state and local government organisations from paying ransoms after ransomware attacks. Victim organisations must report the attack to the North Carolina Department of Information Technology but aren't allowed to communicate with the attackers.

It seems logical that if everyone worldwide stopped paying ransomware extortionists, the attacks would disappear. Many governments have 'no payment' policies for kidnapping, but it is not clear that they deter kidnappers. People still pay ransoms and kidnappers are not very discriminating and snatch targets of opportunity. So this will make an interesting test case — will it work because ransomware operators only target lucrative victims? But we don't suppose the whole world is going to follow North Carolina's example.

Treaty Bunfight: Imagine a Boot Stamping on a Human Face — Forever

Human rights advocates are worried that authoritarian states will use UN negotiations on a global cybercrime treaty to trample human rights by, say, criminalising speech they don't like. Cyberscoop has good coverage, and Catalin Cimpanu also has a nice summary in Risky Business News, a new tri-weekly breaking-news focussed newsletter. Subscribe here for the text version, or for the audio version search 'Risky Business News' on your podcatcher of choice.

It's All Popping Off in Spain

The Spanish Prime Minister and Defence Minister's mobile phones were both infected with NSO Group's Pegasus malware last year and a significant amount of data was stolen, according to the Spanish government. This comes after last week's Citizen Lab report on the use of Israeli-made mobile spyware against members of the Catalan independence movement. Citizen Lab claimed "extensive circumstantial evidence" pointed to the Spanish government in the hack it examined.

The Guardian reports the culprit behind the hack of the Spanish ministers may be Morocco, which was certainly an NSO Group client, but part of the evidence for this attribution is the 50,000 number Pegasus Project targeting list. It isn't clear what exactly this list is, or its provenance, so it is hard to know what it means for attribution or even targeting and/or infection.

2021's Greatest Hits

The Five Eyes cybersecurity agencies have published a joint advisory on last year's most frequently exploited vulnerabilities, 2021 Top Routinely Exploited Vulnerabilities. Apache's Log4Shell was the 'winner', and the 'ProxyShell' and 'ProxyLogon'  vulnerabilities used in the mass exploitation of Microsoft Exchange servers earlier that year also feature heavily.