The EU Throws a Hand Grenade on Software Liability

Your weekly dose of Seriously Risky Business news is written by Tom Uren and edited by Patrick Gray. It's supported by Lawfare with help from the William and Flora Hewlett Foundation. This week's edition is sponsored by Okta.

You can hear a podcast discussion of this newsletter by searching for "Risky Business News" in your podcatcher or subscribing via this RSS feed.

Happy rolling hand grenade, Stable Diffusion

The EU and US are taking very different approaches to the introduction of liability for software products. While the US kicks the can down the road, the EU is rolling a hand grenade down it to see what happens. 

Under the status quo, the software industry is extensively protected from liability for defects or issues and this results in systemic underinvestment in product security. Authorities believe that by making software companies liable for damages when they peddle crapware, those companies will be motivated to improve product security. 

Introducing software liability is one of the big ideas in the Biden administration's 2023 National Cybersecurity Strategy. Per the strategy:

Markets impose inadequate costs on — and often reward — those entities that introduce vulnerable products or services into our digital ecosystem. Too many vendors ignore best practices for secure development, ship products with insecure default configurations or known vulnerabilities, and integrate third-party software of unvetted or unknown provenance. Software makers are able to leverage their market position to fully disclaim liability by contract, further reducing their incentive to follow secure-by-design principles or perform pre-release testing. Poor software security greatly increases systemic risk across the digital ecosystem and leave[s] American citizens bearing the ultimate cost.

Writing for The Record this week, Eric Geller has a good article covering 'the struggle for software liability' in the US. 

Geller covers some of the reasons why there has not yet been significant progress. These include a lack of political will, extensive lobbying and ongoing debate about how liability should be implemented. The Biden strategy suggested that new legislation should define standards for secure development as well as prevent companies from fully absolving themselves of liability by contract.

By contrast, the EU has chosen to set a very stringent standard for product liability, limit claims to natural persons rather than companies, and let the lawyers sort it all out.

Earlier this month, the Council of the EU adopted a revised Product Liability Directive that updates the EU's product liability law to treat software in the same way as any other product.

Under this law, consumers can claim compensation for damages caused by defective products without having to prove the vendor was negligent or irresponsible. In addition to personal injury or property damages, for software products damages may be awarded for the loss or destruction of data. 

Rather than define a minimum software development standard, the directive instead sets what we regard as the highest possible bar. Software makers can avoid liability if they prove a defect was not discoverable given the "objective state of scientific and technical knowledge" at the time the product was put on the market. 

Although the directive is severe on software makers, its scope is narrow. Only natural persons (not companies) can claim, and damage to property used for professional purposes is explicitly excluded. There is still scope for collective claims such as class actions, however.

The directive isn't directly applicable law itself; it sets the legislative direction for EU member states, which have two years to transpose its provisions into national law. The directive also commits the European Commission to publicly collating court judgements based on it, so it will be easy to see how cases are proceeding.

Major software vendors used by the world's most important enterprises and governments are publishing comically vulnerable code without fear of any blowback whatsoever. So yes, the status quo needs change. Whether it needs a hand grenade lobbed at it is an open question. We'll have our answer soon.

Ain't No Party Like a Multiparty Crypto Theft Party

In an incident reminiscent of a major 2022 hack, attackers stole USD$50m worth of cryptocurrency from decentralised finance platform Radiant Capital after compromising devices owned by three core developers. This episode demonstrates that individual firms are learning lessons one hack at a time, but the industry as a whole is slow to take heed.

Radiant only required three out of 11 signers to approve multisignature wallet transactions. Per the organisation's investigation into the incident:

Attackers were able to compromise the devices of at least these three core contributors through a sophisticated malware injection. These compromised devices were then used to sign malicious transactions.
Although three compromised devices have been confirmed, it is likely that more were targeted — the means by which they were compromised remains unknown and under investigation. The devices were compromised in such a way that the front-end of Safe{Wallet} (f.k.a. Gnosis Safe) displayed legitimate transaction data while malicious transactions were signed and executed in the background.

Radiant's signers were using hardware wallets, but they didn't help at all. A hardware wallet protects the private key, not the signer's decision: if the host it is plugged into is compromised, the host can feed the device a different payload from the one it renders on screen. The Safe{Wallet} user interface looked legitimate, and the developers approved what the compromised host presented without checking, on the device's own display or through some other trusted path, that what they were signing matched the intended transactions.
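To make the failure concrete, here is an added example (ours, not Radiant's code or Safe{Wallet}'s) that models a compromised signing host: the UI shows the agreed transaction while a swapped payload goes to the device. The digest function is a stand-in for the real safeTxHash (a real Safe signature is over an EIP-712 hash; SHA-256 over canonical JSON is used only to make the flow runnable), and the transactions, addresses and the `SigningHost` class are constructed for illustration. The point it shows is that the only check that catches the swap is comparing the digest the device itself displays against one computed independently of the host.

```python
import hashlib
import json
from typing import Optional, Tuple


def tx_digest(tx: dict) -> str:
    """Stand-in for the digest the hardware device actually signs.
    Assumption: canonical JSON + SHA-256 instead of the real EIP-712 safeTxHash."""
    canonical = json.dumps(tx, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


# Constructed sample: the transaction the signers agreed to approve.
INTENDED_TX = {"to": "0xVaultContract", "value": 0,
               "data": "pauseMarket(0x02)", "nonce": 41}
# Constructed sample: what malware on the host really hands to the device.
SWAPPED_TX = {"to": "0xVaultContract", "value": 0,
              "data": "transferOwnership(0xAttacker)", "nonce": 41}


class SigningHost:
    """Hypothetical model of a wallet front-end host. `displayed` is what the
    UI renders; `forwarded` is what is sent to the hardware wallet. On an
    honest host they are the same object; on a compromised one they differ."""

    def __init__(self, displayed: dict, forwarded: dict):
        self.displayed = displayed
        self.forwarded = forwarded

    def render_ui(self) -> dict:
        return self.displayed

    def payload_for_device(self) -> dict:
        return self.forwarded


def device_display(payload: dict) -> str:
    """The hardware wallet's own screen shows the digest it is about to sign.
    This is the trusted path: the host cannot alter what the device computes."""
    return tx_digest(payload)


def sign_ceremony(host: SigningHost,
                  expected_digest: Optional[str] = None) -> Tuple[bool, str]:
    """One signer's approval decision.

    Without expected_digest the signer trusts the host UI (blind signing):
    the UI matches what they expect, so they approve, and the device signs
    whatever the host forwarded. With expected_digest, computed off-host from
    the agreed transaction, the signer approves only if the digest on the
    device's screen matches. Returns (approved, digest_the_device_would_sign).
    """
    on_device = device_display(host.payload_for_device())
    if expected_digest is None:
        approved = host.render_ui() == INTENDED_TX   # the lying UI passes this
    else:
        approved = on_device == expected_digest
    return approved, on_device


if __name__ == "__main__":
    compromised = SigningHost(INTENDED_TX, SWAPPED_TX)
    print("blind signing:", sign_ceremony(compromised))
    print("verified signing:", sign_ceremony(compromised, tx_digest(INTENDED_TX)))
```

The independent digest has to come from somewhere the attacker does not control: a second clean machine, or a second signer recomputing it from the transaction parameters agreed out of band. If every signer derives "expected" from the same compromised front-end, the comparison is circular and the check buys nothing.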

Compromising a quorum of devices in a pool reminds us of the 2022 hack of the Axie Infinity game's Ronin sidechain, a private Ethereum-based blockchain. At the time we wrote:

The Ronin sidechain only had nine validator nodes in its network and the thieves managed to compromise the private keys for five of them, enough to forge transactions with a five of nine validation threshold. In the short term Ronin is moving to an eight of nine validator threshold and adding more validators from different organisations. Will it be enough? Who knows! Stay tuned to find out! Probably not! Lol!

No surprise that the Axie Infinity hack was ultimately attributed to North Korea. 

Among other shut-the-gate-after-the-horse-has-bolted measures, Radiant has raised the number of signers required to approve a transaction from three to four while shrinking the pool of signers from 11 to seven.

The underlying assumption here is that mandating multiple signatures is much safer than requiring just one. It is safer, and it can be much safer when the signers are genuinely independent (different devices, different software stacks, different operators and workflows), but that independence is the whole argument. Where every signer runs the same wallet front-end on the same kind of device and approves transactions through the same process, one piece of malware or one malicious UI compromises all of them at little more than the cost of compromising one, and the threshold buys far less than the arithmetic suggests. In the case of Axie Infinity, for example, compromising five validator nodes was not five times harder than compromising one.
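To put numbers on that argument, here is an added example (ours, not anything from Radiant or Ronin) that computes the probability of an attacker reaching a k-of-n quorum under two kinds of failure: each signer falling independently with probability p, and a whole group of signers that share one stack falling together with probability q. The threshold choices are Radiant's old 3-of-11 and new 4-of-7; the values of p and q are illustrative assumptions, not estimates of anyone's real risk, and the grouping into "three stacks" is a hypothetical diversification.

```python
from itertools import combinations
from math import comb


def p_at_least(m: int, j: int, p: float) -> float:
    """Probability that at least j of m independent signers are compromised,
    each with probability p (binomial tail). j <= 0 means the quorum is
    already met by signers lost elsewhere."""
    if j <= 0:
        return 1.0
    if j > m:
        return 0.0
    return sum(comb(m, i) * p**i * (1 - p) ** (m - i) for i in range(j, m + 1))


def p_quorum(groups: list, k: int, p: float, q: float) -> float:
    """Probability an attacker reaches a k-of-n signing quorum.

    groups: sizes of signer groups that share one stack (same wallet front-end,
            same device type, same operating procedure). Each group falls
            wholesale with probability q (one malware campaign, one lying UI);
            every signer not in a fallen group falls independently with
            probability p. Exact: enumerate which groups fell, then take the
            binomial tail over the remaining signers.
    """
    n, g = sum(groups), len(groups)
    total = 0.0
    for r in range(g + 1):
        for fallen in combinations(range(g), r):
            weight = q**r * (1 - q) ** (g - r)
            c = sum(groups[i] for i in fallen)   # signers lost to a shared cause
            total += weight * p_at_least(n - c, k - c, p)
    return total


def compare_policies(p: float = 0.1, q: float = 0.05) -> dict:
    """Radiant's old and new thresholds under three assumptions:
    fully independent signers, one shared stack, and three separate stacks."""
    return {
        "3-of-11 independent":  p_quorum([11], 3, p, 0.0),
        "4-of-7 independent":   p_quorum([7], 4, p, 0.0),
        "3-of-11 one stack":    p_quorum([11], 3, p, q),
        "4-of-7 one stack":     p_quorum([7], 4, p, q),
        "4-of-7 three stacks":  p_quorum([3, 2, 2], 4, p, q),
    }


if __name__ == "__main__":
    for name, prob in compare_policies().items():
        print(f"{name:22s} {prob:.4f}")
```

Two things fall out of the numbers. With one shared stack, no threshold can push the quorum probability below q, because the shared cause takes every signer at once; raising 3-of-11 to 4-of-7 helps only with the independent part. And splitting signers across stacks only helps when the threshold exceeds the largest group: with a group of three and a threshold of four, no single stack compromise reaches quorum, which is the property an independent-implementation design is actually buying.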

The good news here is that the Radiant theft was only USD$50m, roughly a tenth of the Axie Infinity haul. Now that is progress!

G'day, We're Swiss!

404 Media describes how the organisation behind the Session Messenger encrypted messaging app is moving its operations to Switzerland after an employee received an unexpected house call from the Australian Federal Police (AFP).

The employee was asked about the app and the employee's history on the project, as well as an ongoing investigation related to a specific user. Based on this interaction and on Australian regulations that could require Session to collect phone numbers or email addresses for new users, the app’s owners decided to create a Swiss-based foundation to run its operations. 

Beyond the AFP's interest in a specific user, 404 Media reported that "anecdotally, 404 Media has sources linked to drug trafficking and cybercrime that have used Session". At one level, moving privacy-centric apps to favourable jurisdictions is sensible, but at the same time it does not isolate people from state pressure. See Telegram, for example, which is notionally based in Dubai, but whose CEO is facing charges in France. 

Patrick Gray and Adam Boileau discuss this in this week's Risky Business podcast at around the 16'30" mark. 

A video of Patrick Gray, Adam Boileau and Tom Uren discussing this edition of the newsletter is also available.

Three Reasons to Be Cheerful This Week:

  1. Microsoft floods phishers: This video (via Jeremy Kirk) describes how Microsoft floods phishing sites with fake data, both to keep threat actors busy with pointless tasks and to give the company intelligence-gathering opportunities. Every couple of weeks, Microsoft uses OpenAI models to generate a bogus company, complete with users and an email corpus, that is used to populate an Azure tenant. Fantastic!
  2. Face-swapping scammers arrested: Hong Kong police have announced the arrest of 27 people involved in cryptocurrency investment scams. The group used face-swapping technology to appear as attractive women and lured victims into investing in fake cryptocurrency schemes.
  3. Biden administration releases proposed data transfer rules: The US Department of Justice has issued proposed rules that would limit data transfers to countries of concern, namely China, Russia, Iran, North Korea, Venezuela and Cuba. The whole document is 422 pages, but there is a fact sheet, and The Record has good coverage.

In this Risky Business News sponsored interview, Tom Uren talks to Brett Winterford, Okta’s APAC Chief Security Officer. Brett has mined Okta’s data and finds strong evidence that organisations invest in phishing-resistant authentication methods once they know they’ve been targeted by groups that excel at social engineering (such as Scattered Spider).

Here is the research that Brett talks about in this discussion.

Shorts

It's Not the Breach, It's the Cover Up

The US Securities and Exchange Commission (SEC) has charged four companies with making materially misleading disclosures in relation to the 2020 SolarWinds Orion software supply chain attack. The four agreed to pay fines to the SEC: Unisys USD$4m, Avaya USD$1m, Check Point USD$995k and Mimecast USD$990k.

For example, in the cease and desist order it issued to Unisys, the SEC said the company was aware of an ongoing breach that originated with the compromise of its SolarWinds Orion software. This breach lasted 16 months and resulted in the transfer of at least 33GB of data and the compromise of 34 cloud-based accounts. Despite this, Unisys's cybersecurity risk disclosures to the SEC used the same meaningless boilerplate as in previous years: "Cybersecurity breaches could result in the company incurring significant costs and could harm the company’s business and reputation".

CyberScoop has further coverage.

North Korean Insiders Steal Data for Extortion

Secureworks reports North Korean IT workers are increasingly stealing data to extort their employers. 

In one case, the fraudulent worker started downloading proprietary company data almost immediately after being employed. When the worker was fired for poor performance, the stolen data was used in an extortion attempt against the former employer. This shift in tactics makes sense given increased awareness of the DPRK worker problem. Previously, a worker might be able to collect a pay cheque indefinitely while doing the bare minimum. Assuming these workers are increasingly likely to be identified and fired, preparing a 'severance package' ahead of time just makes sense.   

US Election Attracts Interference

The US intelligence community (IC) released its late October election security update this week. The IC expects interference to continue up to the election and through to the presidential inauguration. The community argues "foreign actors almost certainly would not be able to manipulate election processes at a scale that would materially impact the outcome of the Presidential election without detection".

After the election is over, however, the IC expects that interference will focus on casting doubt on the result, saying:

These actors probably perceive that undermining confidence in the elections weakens the legitimacy of our democracy and consequently makes the United States less capable of effectively pursuing policies that are counter to their interests.

Risky Biz Talks

You can find the audio edition of this newsletter and other fine podcasts and interviews in the Risky Biz News feed (RSS, iTunes or Spotify).  

In our last "Between Two Nerds" discussion Tom Uren and The Grugq talk about a new attempt to measure cyber power, the International Institute for Strategic Studies Cyber Power Matrix. 

From Risky Biz News:

Anonymous Sudan's Russia Links Are (Still) Obvious:

The US government has charged two members of the Anonymous Sudan hacking group after the FBI secretly seized server infrastructure and disrupted its operations in March this year.

The indictment names two brothers—Ahmed Omer, 22, and Alaa Omer, 27—as the two main individuals behind the group's operations.

The two are accused of launching thousands of DDoS attacks against government agencies, hospitals, critical infrastructure, and private businesses all over the world.

[more on Risky Business News, including a long list of incidents in which Anonymous Sudan supported Russian interests despite prosecutors saying that the group was driven by Sudanese nationalist ideology.]

SEC Twitter hacker detained: US authorities have arrested an Alabama man for hacking the Twitter account of the US Securities and Exchange Commission. Officials claim Eric Council Jr. used SIM swapping to take control of the SEC account in January this year to post a fake announcement on the SEC's behalf. The announcement caused the Bitcoin price to spike by $1,000 and then plummet by $2,000 when the tweet was proven to be fake. Court documents claim that the suspect didn't think the attack through. Officials say Council performed Google searches such as:

  • How can I know for sure if I am being investigated by the FBI;
  • What are some signs that the FBI is after you;
  • What are the signs that you are under investigation by law enforcement or the FBI even if you have not been contacted by them.

Apple wants to reduce the lifespan of TLS certificates to 45 days: Apple has put forward a proposal to gradually reduce the lifespan of TLS certificates from the current 398 days to only 45.

The planned move will take place across four phases between September next year and September 2027.

Certificate lifespan will be reduced to 200 days in September 2025, to 100 days in September 2026, and to just 45 days in April 2027.

[more on Risky Business News]