Srsly Risky Biz: Thursday, September 9

Apple Backflips on CSAM Countermeasures

Your weekly dose of Seriously Risky Business news is written by Tom Uren, edited by Patrick Gray and supported by the Cyber Initiative at the Hewlett Foundation, AustCyber and founding corporate sponsors CyberCX and Proofpoint.


Apple has backflipped on its plan to implement on-device scanning for known Child Sexual Abuse Material (CSAM) with the introduction of iOS15.

"Based on feedback from customers, advocacy groups, researchers, and others, we have decided to take additional time over the coming months to collect input and make improvements before releasing these critically important child safety features," a company release read.

It hasn't gone over well with child safety advocates. Julie Inman-Grant, Australia's eSafety Commissioner tweeted "Apple totally caved on doing the right thing. A chance at real industry leadership is now failed leadership. Having spent more than 22 years inside the tech industry, I observed that revenue, reputation & regulation tends to dictate these decisions. Regulation, here we come!"

And regulation is certainly coming, globally, with or without input from US lawmakers.

In Australia, under the Online Safety Act 2021, service providers will be asked to meet Basic Online Safety Expectations (BOSE) and take reasonable steps to ensure services are safe for users. The draft BOSE requires that all providers take reasonable steps to minimise content including cyber bullying and abuse material and CSAM. Encryption is not an excuse to avoid tackling the challenge -- the draft says encrypted services "will take reasonable steps to develop and implement processes to detect and address material or activity on the service that is or may be unlawful or harmful."

This doesn't require any particular solution and it's up to companies to justify their actions as "reasonable," but it seems likely that companies will be expected to do more than they do now.

The UK's draft Online Safety Bill has similar intent and the EU is also tackling the issue of "Security through encryption and security despite encryption". It produced a draft "technical solutions" discussion paper that compares a variety of technical interventions to detect CSAM while encryption is being used.

Let's also point out something that tech firms pretend to forget: that legislation trumps marketing. We saw a good example of that this week. Despite ProtonMail's marketing that it doesn't keep IP addresses of its users it was "forced to" when faced with legally binding orders.

It's a straightforward and often standard practice for companies to detect CSAM on unencrypted services, but detection of CSAM on end-to-end-encrypted (E2EE) services is difficult without on-device detection. (Note: Apple's iCloud photos service is not currently E2EE, but we suspect it proposed on-device CSAM scanning as a first step down that path.)

Balancing detection, safety and privacy involves difficult trade-offs, but nuanced discussion of these issues is often difficult. This week's ProPublica article on WhatsApp's efforts to police abuse on its platform illustrates why.

WhatsApp takes a holistic approach towards preventing abuse. WhatsApp primarily detects CSAM two ways: by using all available unencrypted information (such as profile and group photos and messaging patterns) and allowing users to report problematic content. When users file reports they are given the opportunity to forward the offending content to WhatsApp's human "content moderation associates".

It strikes us as a reasonable way to balance safety against privacy when running an end-to-end encrypted (E2EE) messaging service. ProPublica, however, framed these efforts as privacy violations. Alex Stamos, director of the Stanford Internet Observatory and former Facebook CSO, said on Twitter that the article was "terrible" and Eva Galperin, Director of Cybersecurity at the Electronic Frontier Foundation, described it as a "misleading mess".

Bad takes are all too common, but there is another dynamic at play here. Companies know legislation is coming and are jostling to portray their approaches as the right ones while, naturally, slagging the competition as privacy destroying monsters.

WhatsApp CEO Will Cathcart, for example, came out swinging against Apple's on-device CSAM scanning announcement. He says it's "the wrong approach and a setback for people's privacy all over the world".

One argument raised by Cathcart and others against Apple's on-device scanning is that authoritarian governments will force scope creep. They say Apple's CSAM detection will be turned towards images of, for example, Winnie the Pooh, which are often banned in China because they are used to mock Xi Jinping.

However, in this case Apple made several policy choices designed to rebut these "slippery slope" arguments. These include limiting scanning to photos that are shared in iCloud, relying on two different child protection organisations to provide the set of known-bad CSAM images and human review of detected images. Perhaps the most compelling was that Apple could limit deployment of the technology geographically; it was initially going to be applied only to US-based iOS devices.

These are all policy choices that could be trumped by legal compulsion. But that is true for many classes of software systems that can access the user data governments want.

The debate around lawful exceptional access and encryption is a quagmire, but the sheer scale of CSAM and universal agreement on the need to protect children has galvanised policy makers. In a world where companies are likely to need to demonstrate some level of proactive detection and response to CSAM there are no good solutions. They all compromise privacy and security in some way, even the options that aren't particularly good at detecting CSAM. On-device detection may be the least bad option.

IoUO: The Internet of Uh Oh

IoT security research is nothing new but it sure has been picking up in pace and severity lately. The long predicted IoT armageddon hasn't eventuated yet, but we think we may soon enter an era where these types of exploits will start being used in creative and destructive ways.

In the past couple of months vulnerabilities have been reported in Arcadyan routers, devices using the Realtek SDK, and Blackberry's QNX real-time operating system. This week, BrakTooth vulnerabilities in Bluetooth software stacks that affect a number of System-on-Chip (SoC) boards were announced. In some cases these vulnerabilities allow arbitrary code execution and potentially affect billions of devices.

The Realtek vulnerabilities were exploited within days by a variant of the Mirai botnet. Earlier in August, it was a similar story for routers running Arcadyan firmware.

Botnet owners currently make money from their botnets' distributed computing in fairly straightforward ways, such as by offering DDoS attack services for sale, selling VPN access, or even by cryptomining.

However, Dr Silvio Cesare and Kylie McDevitt, Founders and Managing Directors of Infosect, a security consulting organisation that runs IoT security and device exploitation training, expect IoT exploitation will inevitably move beyond botnet assembly.

"These devices are poorly configured for security. Current best practices for IT security such as the Essential Eight don't really apply to IoT devices," says McDevitt. "Organisations tend to either segment them off from the rest of the network [but sometimes] just drop them in without isolation."

Speaking on this week's Risky Business podcast, CyberCX security consultant Adam Boileau said some of the newer IoT exploits would be useful in red teaming exercises. "If we can break into any sort of device that can bridge you onto the wireless, that's genuinely useful," he said. "A camera would be ideal, because then you'd be able to see people typing in their passwords, too."

The number of IoT devices out there is booming, Cesare says, and they're increasingly integrated with more traditional IT systems. "Almost any useful device these days has a computer behind it, and these embedded devices are attackable," he says. Furthermore, many of these systems lack modern security protections and "it's like winding back the clock 20 years".

Governments have been concerned about IoT security risks for years. McDevitt, who previously worked at the Australian Cyber Security Centre, pointed to a five-country ministerial Statement of Intent regarding IoT security that was issued in 2019. In Australia, this led to an IoT code of practice that is intended to improve IoT security, and there are similar efforts in the other countries.

We doubt the current crop of government actions will be enough to head off what we expect to happen: IoT exploits being used in earnest as an attack vector into enterprise and government networks.

Ransomware Crews Relax Over Labor Day Weekend

Last week the FBI, CISA and the White House warned of ransomware groups' fondness for attacking American targets on holidays and weekends. Thankfully the "only" action we saw over America's Labor Day weekend was the mass exploitation of Atlassian Confluence servers.

Ransomware affiliates like to attack over weekends simply because there are fewer people around to respond quickly and interrupt attacks. Does the absence of mass ransomware mean it was... a great long weekend?

Confluence is very popular. It's used in over 60,000 organisations including NASA, The New York Times, Twilio and Docker. The sensitivity of the information stored on these servers will vary between organisations, but it seems that data extortion -- which we'll discover over time as criminals leak the data they've pilfered -- may be a way that criminals will attempt to make money from this holiday hack.

Confluence compromises may also provide attackers a pathway into an enterprise environment. Again, this will vary depending on network architecture and segmentation, but access to Confluence could still be escalated to ransomware...

So perhaps we haven't dodged a bullet, it just hasn't arrived yet. Maybe this weekend...

Time Warp Microsoft Exploit is This Week's Disaster

A Microsoft Office 0day logic flaw is being actively exploited using malicious Word documents. Amazingly, according to Kevin Beaumont, Word will download an HTML template from the internet which is then opened locally. Since it is now a local document, JavaScript and ActiveX will run! He was also able to modify the technique to avoid Microsoft's workaround. In about a minute.
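One defender-side check prompted by the above, as an added example that is not from the newsletter or from Beaumont's research: a Python script that unpacks a .docx and flags any OOXML relationship whose target Word would fetch from outside the package. The sample documents, the `example.invalid` hostname and the relationship layout are constructed for the demo, and the check is broader than the specific template trick described above: it flags any externally-fetched part.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Namespace used by every OOXML relationships (.rels) part
RELS_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
# Target prefixes that mean Word fetches the part from somewhere other than the package
REMOTE_SCHEMES = ("http:", "https:", "mhtml:", "file:", "\\\\")


def external_relationships(docx_bytes):
    """Return (part, relationship type, target) for every relationship in the
    document package whose target lives outside the package (TargetMode="External")."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(RELS_NS + "Relationship"):
                target = rel.get("Target", "")
                if rel.get("TargetMode") == "External" and target.lower().startswith(REMOTE_SCHEMES):
                    rel_type = rel.get("Type", "").rsplit("/", 1)[-1]
                    findings.append((name, rel_type, target))
    return findings


def build_sample_docx(rels_xml):
    """Constructed minimal .docx (a zip) with one relationships part; not a real document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<document/>")
        z.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()


# Constructed: an ordinary internal relationship to the styles part
BENIGN = '''<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
 <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/>
</Relationships>'''

# Constructed: a template relationship whose target is fetched from a remote host (placeholder hostname)
SUSPICIOUS = '''<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
 <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate" Target="http://example.invalid/template.html" TargetMode="External"/>
</Relationships>'''

if __name__ == "__main__":
    for label, rels in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(label, external_relationships(build_sample_docx(rels)))
```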

Well… He Ain't Shakespeare

Speaking of awful things to come out of Microsoft, Brad Smith wrote about the company's response to the Holiday Bear campaign aka SolarWinds hack. It's just a terrible collection of words and manages to be self-congratulatory and hyperbolic at the same time. Apparently it's an excerpt from a book. Do not buy.

Seoul is the new Bangkok

A Russian TrickBot malware developer was arrested in Seoul attempting to fly back to Russia after being stuck in South Korea because of the Covid-19 pandemic. He is the second TrickBot developer to be arrested. The first, a Russian-born Latvian woman named Alla Witte, was arrested in Miami, Florida, in June this year. Malware developers can add South Korea, Miami and Bangkok to their list of places not to holiday. (Miami though. Really? WTF were you thinking?)

REvil Spins Back Up

It looks like REvil, the group responsible for the Kaseya attack in July, might be back. The Happy Blog, where REvil advertises victim data, and its payment portal are back online. So far no new breaches or ransomware attacks have been discovered… yet.

Heiliger Strohsack! Germany Used NSO's Pegasus

The German Federal Criminal Police Office (BKA) used NSO's Pegasus spyware, apparently because its internally developed software wasn't suitable. The BKA used only some of the functionality of Pegasus as its capabilities exceeded its legal authorities.

Using Pegasus spyware isn't automatically bad; Pegasus is just a tool and it can be used legally (and ethically) by police forces when they operate with appropriate legal authorities and oversight. But perhaps lining NSO's pockets presents its own ethical quandary?

A reader pointed out that Sony Pictures Entertainment wasn't the only hack North Korea carried out to preemptively silence the media industry. North Korea apparently also hacked Mammoth Screen, a production firm that was planning to produce a TV series called Opposite Number about a British nuclear scientist taken prisoner in North Korea. The project didn't attract enough funding to continue, but it's not clear whether the hacking scared potential financiers away, particularly given this happened after the Sony Entertainment hack.

The Burner Phone Supply Chain is a Rough Neighbourhood

A Russian researcher found pre-installed malware was surprisingly common on budget push-button phones sold online in Russia. Sometimes the phones would message premium SMS services in a pretty straightforward form of fraud. Other phones would "only" send SMSs with IMEIs and SIM details on activation, presumably to track sales. One phone model would intercept and forward number verification messages from services like Telegram, enabling creation of accounts that are totally separate from device ownership. These accounts were likely sold elsewhere. Clever. So journalists, dissidents and criminals take note: the safest burner in Russia is probably an iPhone. Adjust your budgets accordingly.

They Broke the Golden Rule

The authors of the Mozi IoT botnet have been arrested in China. The botnet was notable for trying new monetisation mechanisms, but more than half the devices it infected were in China. It looks like botnets don't contribute to the PRC's strategic goals so the authors were fair game for law enforcement.

Have a Say on Zero Trust

CISA and the Office of Management and Budget (OMB) are looking for feedback on the OMB Federal Zero Trust Strategy and CISA's Zero Trust Maturity Model. May their inboxes not overfloweth with vendor crap. (lol, of course they will.)

That's a Lot of Corn

The FBI is raising awareness of the disruption that ransomware causes in the food and agriculture sector. One US farm lost USD$9m due to the temporary shutdown of operations.