Srsly Risky Biz: Thursday, October 7

Your weekly dose of Seriously Risky Business news is written by Tom Uren, edited by Patrick Gray and supported by the Cyber Initiative at the Hewlett Foundation, AustCyber and founding corporate sponsors CyberCX and Proofpoint.

Narrowly Targeted Google Keyword Warrants Make Sense

Keyword and geofence warrants that tap into the panopticon of Google's data holdings feel a bit creepy, but these searches can be both targeted and proportional. They are a valuable investigative tool and should have oversight and limits applied to them rather than being banned.

Geofence warrants provide law enforcement with details of devices (and hence potential suspects) at the scene of a crime at a specific time. These warrants have been used extensively to identify participants in the January 6 Capitol riots and are increasingly common — Google received over 11,000 of these warrants in 2020.

Keyword warrants provide law enforcement with details of accounts and devices that searched for particular terms within a particular time frame. These warrants appear to be less common, but have been used to identify suspects that may have searched for certain very specific terms related to a victim in the days or weeks leading up to a crime.

It all feels a bit dystopian. It's flat-out creepy to learn how much Google knows about you, where you've been and, from your search history, what you are interested in. But in addition to the dystopian vibe of the thing, data provided under geofence warrants in particular can be incomplete and inaccurate.

Google's corpus of geolocation only records information for some proportion of the smartphone carrying population. Users need to opt-in to Google's Location History for a start (perhaps a third of Google users do) and even then different operating systems and privacy settings affect the amount of data collected.

In addition to being incomplete, geofence warrants can also incorrectly include and exclude devices.  Location estimates are exactly that — estimates — so geofence warrants mistakenly include and exclude devices if Google's best guess happens to place them incorrectly inside or outside the warrant's boundaries.

Thus the EFF has argued that these warrants are overly broad and "can ensnare countless people with no connection to the crime".

Keyword warrants are far superior in terms of specificity — either you searched for a term or you didn't — but they raise quite different concerns. Some of the rhetoric around all this is a bit over the top. Talking to Thomas Brewster at Forbes, Jennifer Granick of the American Civil Liberties Union warned "trawling through Google’s search history database enables police to identify people merely based on what they might have been thinking about, for whatever reason, at some point in the past. This is a virtual dragnet through the public’s interests, beliefs, opinions, values and friendships, akin to mind reading powered by the Google time machine".

We think, however, that these types of warrants can be used in a targeted and proportionate way to provide law enforcement with investigative leads for serious crimes.

Forbes reported of one case in which Google was asked to provide information about anyone who had searched for certain details relating to a child who was kidnapped and sexually assaulted. These details included the child's address, her name and her mother's name and the warrant only covered searches on 16 particular days. For these types of crimes that level of specific request is entirely justified and a far cry from the sort of thing Granick is concerned about.

As for geofence warrants, they can arm investigators with the information they require to identify suspects and ultimately make arrests, despite the data being provided under them being incomplete and possibly incorrect.

In Virginia, a geofence warrant provided police with information that led them to prosecute Okelle Chatrie for a bank robbery — his phone was one of 19 identified as being in the vicinity of the bank. Chatrie's defence team unsuccessfully argued that the warrant was unconstitutional.

Judges seem to know what’s what. Some geofence warrants have been knocked back for being overly broad. One warrant denied by a Chicago judge "has a 100-meter radius, is in a densely populated city, and the area contains restaurants, various commercial establishments, and at least one large residential complex, complete with a swimming pool, workout facilities, and other amenities associated with upscale urban living."

Google itself appears to have introduced a three-warrant process for law enforcement to access geofence data. In the first two steps Google provides anonymous data that helps law enforcement narrow the scope of a third warrant that compels the production of account-identifying information. It has also become more transparent about the use of these warrants.

In some jurisdictions, however, lawmakers are moving to ban the use of these warrants. Politicians in New York state have already introduced legislation to end the use of geofence warrants by police, and importantly, also ban law enforcement use of commercial sources of data for the same purposes.

Banning these types of warrants goes too far. They are valuable tools for law enforcement and can be both specific and proportionate. Banning them outright because we are uncomfortable with the extent of Google's data holdings would be throwing the baby out with the bathwater. Although we are absolutely in favour of adding judicial oversight and a warrant application process to the use of commercial or freely available data in investigations.

Regulation is absolutely required. But it should focus on setting limits on what types of crimes these warrants and tools can be used for and how we can ensure they are used proportionately.

Nakasone Itching to Tackle Ransomware Threat

US government and intelligence officials have changed their tone on ransomware. Senior officials speaking at the Mandiant Cyber Defense Summit in Washington DC emphasised that it was now clearly a national security issue and had galvanised the Biden administration.

Gen. Paul Nakasone, director of NSA and US Cyber Command, stated per The Record:

“When ransomware starts impacting our critical infrastructure, it’s significant. If it isn’t important to U.S. Cyber Command and the National Security Agency — who are built for the express purpose of defending the nation — there’s something wrong there,” he explained.

“Ransomware is a national security issue. I firmly believe that.”

Nakasone believes that ransomware will remain a threat that the US will face "Every single day" for years to come.

On the bright side, Nakasone says NSA and Cyber Command are already working towards tackling the ransomware threat. This is good to hear — Risky Business has been a long-time proponent of offensive cyber operations as part of a ransomware response. Our best guess is they’ve started with collection against the key players and organisations.

Speaking at the same conference Anne Neuberger, Deputy National Security Advisor for Cyber and Emerging Technology said the "administration feels a sense of urgency".

It’s no surprise they’re feeling some heat. CISA director, Jen Easterly, told a Washington Post Live event Biden’s tough talk has achieved little. “I have not seen any significant, material changes,” she said.

President Biden also announced that the US will bring together 30 countries this month to "to accelerate our cooperation in combating cybercrime, improving law enforcement collaboration, stemming the illicit use of cryptocurrency, and engaging on these issues diplomatically".

Biden specifically mentioned the G7, NATO allies, and partnering against shared threats, so presumably the meeting won't include Russia. But this could still be useful in developing a united front to apply pressure to encourage Russian law enforcement action against ransomware crews, and perhaps more practically in encouraging more Anti-Money Laundering and Know Your Customer regulations for cryptocurrency exchanges world-wide (often referred to as AML and KYC).

There has also been a rash of proposed legislation tackling everything from identifying "systemically important critical infrastructure" to several separate bills that require notification of incidents or ransomware payments within various timeframes. CISA, if it has a vote, would like critical infrastructure to report (presumably the more serious) incidents within 24 hours.

It's overly optimistic to think that any US government action is actually working yet, but ransomware operators seem to think the increased attention is bad for business. The Conti gang is threatening to dump victim data if ransom negotiations leak to reporters.

To bring home what is at stake, a hospital in the US is being sued for allegedly delivering substandard care after a baby was born with severe brain injury (and later died) while hospital systems were down because of a ransomware attack. Although it is self-evident that modern care requires modern computer systems, this may be the first time a straight line can be drawn from a ransomware attack to a patient's death. The suit alleges that modern monitoring systems that could have detected the baby's distress weren't working at time of delivery.

Rules on ex-IC Need Five Eyes Carveout

Proposed legislation would place very strict post-employment rules on former US intelligence and national security operatives. The intent is to stop the proliferation of intelligence skills to human rights-abusing countries.

One part of the proposed legislation requires former officials to report foreign government employment if it involves "national security, intelligence, or internal security" services. It appears the government doesn't have a good handle on where former employees have ended up and what work they are doing.

Another part bans such employment for five years after leaving the intelligence community. We think they’ve missed an obvious carve-out here: people often migrate between Five Eyes countries to take up IC or defence contractor positions. Halting that free movement would be counterproductive.

This proposed legislation comes shortly after three Project Raven senior managers were charged by the US Department of Justice for providing hacking services to a foreign government, as covered by this newsletter.

For former intelligence personnel some of these jobs can be extremely lucrative. Marc Baier, one of the Project Raven three, was earning around USD$500k to hack for the UAE even while working for US company CyberPoint and even more when he started working for UAE company DarkMatter.

A final thought — if you are an ex-IC Five Eyes citizen plying your trade outside the alliance, it might be time to take stock and re-evaluate your choices.

Three Reasons to be Cheerful this Week:

1. Ransomware arrests: two ransomware operators were arrested in Ukraine. We particularly like the YouTube videos that accompany these arrests, although we wish they had English subtitles.
2. 150 million more 2SV users: Google announced it will auto-enroll 150 million accounts into its two-step verification (2SV) system by the end of the year.
3. And a million for open source: Google also announced a million dollar sponsorship for improving security at critical open source software projects.

Shorts

A Bad Time to be a CIA Agent

The CIA recently warned its front line officers that too many of their foreign agents were being captured or killed. Poor tradecraft seem to be part of the reason and other countries also appear to be taking advantage of biometrics, facial recognition and other tracking technologies in their counter-intelligence efforts.

Bandwidth.com Ran Out of Bandwidth

In another example of interdependence, DDoS attacks on VoIP service provider and reseller Bandwidth.com resulted in widespread outages including some enhanced 911 (E911) services. VoIP.ms suffered a similar DDoS attack earlier this month.

Prepare for a Post-Quantum World Now

DHS and NIST have prepared a roadmap for organisations to transition to post-quantum cryptography. One key message: if you have data that you need to secure for a long time, you need to think about how to ensure it is not vulnerable to quantum computing attacks that may arise in the next decade.

And the Winner is… Samlesbury

The UK government has announced that its National Cyber Force, the UK equivalent to US Cyber Command, will be based in Samlesbury, near Manchester in the north of England. It'll be interesting to see how this works out. SIGINT and offensive operations use the same or similar capabilities, skills and people to conduct very different missions. Intelligence aims to collect information without being discovered, offensive cyber operations aim to disrupt or destroy. Offensive operations can place SIGINT capabilities at risk, so these two missions have been very closely integrated in the US — Cyber Command and NSA are both led by Gen. Nakasone. The location seems to be more about jobs and politics than capability. What difference will the three and a half hour train ride from GCHQ headquarters in Cheltenham make?

This is Not the Smoking Gun You’re Looking For

A report that claims the Covid-19 pandemic started as early as the northern summer of 2019 is bunkum. It uses data on Wuhan's 2019 PCR machines purchases as evidence when there are other more plausible explanations. PCR machines are used in the standard Covid-19 diagnostic test, but it's not the only test that they are used for. Per the Sydney Morning Herald, "PCR has been growing in popularity as it has become a standard method to test for pathogens". China was also dealing with an African swine fever outbreak in 2019 and "PCR equipment is widely used in laboratories to test for many other pathogens besides the virus that causes COVID-19, including in animals".

Bored Kids or the MSS, You Decide

Syniverse, a company that acts as a hub to exchange call records and text messages between telcos discovered a breach dating back to May 2016. It's not clear how significant the breach was, but given its access to call metadata, state-based espionage seems a likely motivation. So it is not altogether reassuring when Syniverse's SEC filing says "Syniverse did not observe any evidence of intent to disrupt its operations or those of its customers and there was no attempt to monetize the unauthorized activity”. Of course there wasn't! That's not what state hackers do!

OTPs Aren’t What They Used to Be

There are an increasing number of bots that will call people to steal one time passwords from SMS or authentication apps. If your account is really important, use a U2F hardware token.

Naughty Air Tags

Apple AirTags can be used in cross site scripting attacks with dropped AirTags directing finders to phishing pages. The researcher who discovered the flaw, Bobby Rauch, publicly disclosed the bug when Apple failed to give him an assurance that the bug would be patched or whether he would be credited or paid for its discovery.

NSO Cancelled UAE Contract

NSO group, maker of Pegasus spyware, cancelled its contract with the United Arab Emirates after its spyware was used against Dubai's ruler's ex-wife, her lawyers and her security team.

Even the Algorithms Need to “Think Correctly” in China

It's easy to regulate algorithms when everyone agrees that the key criteria is to promote core socialist values and safeguard national security.