Srsly Risky Biz: Thursday, September 30

Mike Pompeo's Killer Idea

Your weekly dose of Seriously Risky Business news is written by Tom Uren, edited by Patrick Gray and supported by the Cyber Initiative at the Hewlett Foundation, AustCyber and founding corporate sponsors CyberCX and Proofpoint.

Hostage Diplomacy Won't Pay Off For Huawei, China

Chinese firms are so closely interlinked with the Chinese government that they cannot be trusted in critical infrastructure. The release of two Canadians held by China immediately after Huawei CFO Meng Wanzhou struck a deferred prosecution agreement with the US and returned to China proves it.

"Huawei Princess" Meng Wanzhou, daughter of Huawei founder Ren Zhengfei, had been under house arrest in her two Vancouver mansions for three years as the US sought her extradition over Huawei's alleged sanctions-breaking dealings with Iran. Two Canadian citizens, Michael Kovrig and Michael Spavor (often referred to as "the two Michaels"), were detained in China in apparent retaliation nine days after Meng was arrested in Canada in December 2018.

Although the Michaels had apparently pleaded guilty to espionage, they were on a plane back to Canada within hours of the agreement that allowed Meng to return to China being finalised. If there was any doubt that the releases were directly related to Meng Wanzhou, two American siblings trapped in China by "exit bans" were allowed to leave at the same time. Exit bans stop people leaving China and are used to place pressure on their friends or relatives. A 2018 agreement between Presidents Trump and Xi to let the siblings leave China was kiboshed by Meng's arrest a few days later.

These synchronised releases have been described as a "prisoner swap," but the White House claims "there is no link". Canada's Ambassador to the US, Kirsten Hillman, has said that once it became clear that Meng was to be released, the Chinese government decided "it was no longer in its interest to continue holding [the] Michaels, and so they started the process in talking to our officials in Beijing about making arrangements to have the Michaels leave".

Meng's release was heralded as a Chinese victory by Chinese state media. The Chinese foreign ministry, meanwhile, boasted it "got 400 million thumbs-ups on the online platform of the China Media Group... larger than the combined populations of the US and Canada".

We think Meng's return will deliver a sugar hit in the short term, but this event will bring about huge downsides for Chinese technology companies.

In the debate about high-risk vendor involvement in 5G rollouts, one of the more compelling arguments was that companies such as Huawei and ZTE would be unable to say no if the Chinese government demanded they betray their customers to enable Chinese espionage or even, in the event of a conflict, sabotage. (China's 2017 National Intelligence Law makes that obligation explicit: Article 7 requires organisations and citizens to support and cooperate with state intelligence work.) This incident illustrates how far the PRC will go to protect its companies and key people, with a whole-of-government effort involving domestic law enforcement and state media in addition to diplomatic efforts. The state has shown it will help, but the flipside is that loyalty to the Chinese Communist Party (CCP) is expected in return.

For Huawei, it is now clearer than ever how much it owes the CCP. Tim Rühlig, a Research Fellow specialising in EU-China relations at the German Council on Foreign Relations told Seriously Risky Business that although Huawei's interests aren't necessarily aligned with the CCP, Huawei "heavily relies on state support". While large Chinese companies like Huawei have some leverage, the "release of Meng is tipping the balance [of power] between the two more in favor of the CCP. Huawei in general and the founder in particular is in the CCP’s debt more than ever before".

On her return, Meng lauded the closeness of enterprise and state in remarks to the media at the airport. "The past three years made me realise that the destiny of the enterprise and individual interests are closely linked to the country's destiny, and the motherland always has our back."

How all this will settle in the short to medium term is still unknown. Canada will soon make a formal decision about Huawei's involvement in its own 5G network. This decision appeared to be in a holding pattern while the two Michaels were held hostage.

Dr Charles Burton, Senior Fellow at Canada's Macdonald-Laurier Institute told Seriously Risky Business that "many civil servants and politicians in Ottawa at the highest levels of decision-making authority believe that Canada erred in detaining Meng Wanzhou by not appreciating the integrated nature of Huawei and its elite management with the 'red nobility' CCP senior elite".

We think this whole drama is bigger than Huawei in Canada. All Chinese tech companies are subject to the whims of the CCP, so from a procurement point of view there is a real risk that suppliers will be forced to act against customer interests to benefit the Party.

Indeed, Rühlig thinks this incident will remind Chinese tech companies of some long established ground rules. "No matter how big you are, how relevant you are and how much leverage you have, you ultimately rely on party-state support."

It will send a message to the West, too. Although he doesn't think this is a game changer in Europe, Rühlig believes policymakers who favour a ban on Huawei now have more ammunition. "I expected Germany to adopt a de facto ban already before the swap of hostages [but] this scenario has become even likelier now."

To sum up: This is a tactical victory for China but a strategic setback.

Mike Pompeo's Killer Idea

Alarming and outlandish details of Trump Administration thought bubbles about kidnapping or even assassinating Julian Assange illustrate how much the US intelligence community struggled to deal with non-traditional hack-and-leak influence operations.

Beyond the CIA spitballing plans to kidnap or even assassinate Assange, one of the more bizarre incidents reported was that Russian operatives planned to spirit him away to Moscow. Per Yahoo News:

The intrigue over a potential Assange escape set off a wild scramble among rival spy services in London. American, British and Russian agencies, among others, stationed undercover operatives around the Ecuadorian Embassy. In the Russians’ case, it was to facilitate a breakout. For the U.S. and allied services, it was to block such an escape. “It was beyond comical,” said the former senior official. “It got to the point where every human being in a three-block radius was working for one of the intelligence services — whether they were street sweepers or police officers or security guards.”

Beyond fascinating details of the inner workings of the CIA under Pompeo, the piece also describes the evolution of the US intelligence community response to WikiLeaks.

The Obama White House was initially reluctant to use the intelligence apparatus to target or disrupt WikiLeaks, fearful the action could infringe on press freedoms.

That reluctance evaporated in two phases. After the Snowden leaks -- and the assistance WikiLeaks provided to Snowden in escaping from Hong Kong to Russia -- the WikiLeaks organisation became a legitimate intelligence target, albeit within fairly stringent limits.

When WikiLeaks published hacked Democratic campaign emails during the 2016 Presidential campaign the administration went further, concluding WikiLeaks was actively working to undermine US interests. Collection of direct communications between Guccifer 2.0 and Assange cemented that belief. (Guccifer 2.0 was a persona run by Russia's GRU to leak the hacked emails.)

Although the Obama administration inched its way towards action, Trump's CIA director Mike Pompeo sent the response into overdrive following WikiLeaks' 2017 publication of leaked CIA hacking tool documentation (the "Vault 7" material). Per Yahoo's report, he personally and wholeheartedly argued for far more aggressive action, describing (and even designating) WikiLeaks as a "non-state hostile intelligence service".

"WikiLeaks walks like a hostile intelligence service and talks like a hostile intelligence service," he said.

Classifying WikiLeaks as a hostile intelligence service gave the CIA freedom to conduct "offensive counterintelligence" activities without needing presidential authorisation or having to brief Congress. This designation opened up more intelligence collection and disruption opportunities, but eventually Pompeo proposed some frankly insane options -- like killing Assange, an Australian, in London, holed up in the Ecuadorian embassy.

Cooler (or at least less bonkers) minds prevailed, but there is a genuine problem here. At first glance WikiLeaks looks a bit like News Corp, a self-styled transnational media organisation with a strong Five Eyes nexus, so the institutional and political hesitation in targeting it with intelligence resources is well grounded. But it also creates a blindspot that adversary states can take advantage of by co-opting journalists, activists and useful idiots (we'll let you decide which one Assange is) to advance their goals in influence operations. Hamstringing counter-intelligence isn't the right solution, but neither is giving the CIA carte blanche because it unilaterally decides to classify an organisation as a hostile intelligence service. If there is to be intelligence agency action against organisations like WikiLeaks, it should be conducted under stringent oversight.

The First Step is Realising You Have a Problem

AWS veteran Charlie Bell is joining Microsoft to lead a newly formed engineering organisation: Security, Compliance, Identity and Management. Hopefully this announcement is a sign that Microsoft will eventually deliver secure products again.

Almost every week for months this newsletter has covered example after example of Microsoft security clangers. These rolling debacles are symptoms of senior management's failure to prioritise product security. (This week's, btw, is a flaw in the Exchange Autodiscover client's back-off behaviour that let a researcher harvest tens of thousands of domain credentials from multiple companies simply by registering a handful of autodiscover.<tld> domains.)

Bell's rhetoric is promising. "As digital services have become an integral part of our lives, we’re outstripping our ability to provide security and safety… We all want a world where safety is an invariant, something that is always true, and we can constantly prove we have."

Worryingly, though, this is undercut by Microsoft CEO Satya Nadella, who wrote in a memo "The next big challenge for our company and our industry is securing digital technology platforms, devices, and clouds in our customers’ heterogeneous environments. This is a bold ambition we are going after and is what attracted Charlie to Microsoft."

Delivering secure products shouldn't be described as an ambitious challenge. It should be described as a fundamental priority.

Bill Gates' Trustworthy Computing memo, published nearly 20 years ago, kicked off changes that drove real security improvements at Microsoft. It started with Gates himself declaring security a priority, and took years. A lukewarm endorsement from Nadella means Bell will have his work cut out for him.

Three Reasons to be Cheerful this Week:

  1. HTTPS Everywhere is dead. Long live HTTPS. The Electronic Frontier Foundation is retiring the "HTTPS Everywhere" browser extension because HTTPS is actually everywhere now, and the major browsers ship their own HTTPS-only modes.
  2. Emergency Mitigations in Exchange. Microsoft is pushing a new feature to Exchange that will deploy short term mitigations against new exploits until patches can be developed. Secure products in the first place would be better, but hey, they still get a biscuit for this.
  3. Nigerian cyber scammers arrested… in Texas. 33 fraudsters tied to the Nigerian Black Axe gang were arrested for various cyber crimes including business email compromise, romance scams, and other frauds that amounted to more than USD$17m.


Group-IB Shenanigans

Ilya Sachkov, founder of Russian cybersecurity company Group-IB, has been arrested on treason charges. There are a lot of hot takes on why this has happened, but we're withholding our analysis until we know more.

NSA's Big Four Adversaries

Speaking at the Aspen Cyber Summit, Rob Joyce, Director of NSA's Cybersecurity Directorate, provided pithy and very interesting summaries of the big four cyber actors: Russia, China, Iran and North Korea.

NSA Wants You to Pick a Less Awful VPN Plz

CISA and NSA have released a VPN selection and hardening guide. It's great. The advice boils down to using standards-based, approved protocols and encryption (the guide favours IKEv2/IPsec over proprietary SSL/TLS VPNs), monitoring, and disabling dumb bells and whistles that widen the attack surface.

Traces of Spine Detected in EU Ghostwriter Attribution

The EU Council has formally blamed Russia for the GhostWriter hack and leak operation. In previous years the EU has been reluctant to say, well, anything about cyber operations, but this is the third time this year. The US, Canada and New Zealand issued supportive tweets, whereas Australia went all out with a written statement! That'll show those Russians!

Value-Adding in the Phishing Supply Chain

For USD$800 a large phishing-as-a-service operator known as BulletProofLink, BulletProftLink, or Anthrax will handle all those pesky phishing details and return stolen credentials at the end of the week. It'll also keep the credentials for itself and maybe sell them later.


Amazon's ability to sell at scale is used by criminals to fence shoplifted real world goods and steal print-on-demand designs. Amazon appeared to be doing the bare minimum to both rein in crime and assist law enforcement. No biscuit.

Oh My, That's a Lot of Shells

Four different Chinese state-sponsored actors have been hoovering up gigabytes of data from Roshan, Afghanistan's main telco. This makes total sense, and it's immensely entertaining to watch cyber security companies see and report on it.

The Safest Burner Phone is… Still an iPhone

The Lithuanian Defence Ministry audited various Chinese smartphones and found a remotely updatable censorship module on a Xiaomi phone. The Huawei phone's app store redirected users to third-party stores hosting malware-riddled apps. Both also collected data silently.

AlphaBay 2.0: This Time, it's Personal

DeSnake, dark web market AlphaBay's former number two admin, has returned with grand plans to relaunch the site. He claims to have rewritten it, and plans to use Monero, which, unlike Bitcoin, is designed to obscure the sender, recipient and amount of each transaction. But he'll probably only get traction when another market gets busted by law enforcement.


Following on from last week's piece about tech giants operating in authoritarian regimes, LinkedIn will helpfully censor your profile in China.