Truss Hack: When Expediency Trumps National Security

Your weekly dose of Seriously Risky Business news is written by Tom Uren, edited by Patrick Gray with help from Catalin Cimpanu. It's supported by the Cyber Initiative at the Hewlett Foundation and founding corporate sponsor Proofpoint.

The UK's Daily Mail has published an unconfirmed report that former UK Prime Minister Liz Truss's phone was hacked when she was Foreign Secretary, possibly by Russian intelligence services.

A caveat up front: The Daily Mail is not the most reliable newspaper, and the hack has not yet been independently confirmed by other sources, although it hasn't been denied either. The broad outline of the claims are that the phone was hacked some months ago and sensitive messages compromised, including to international foreign ministers about the war in Ukraine and also to Kwasi Kwarteng, a friend of Truss who subsequently became Chancellor of the Exchequer. According to The Daily Mail's report, after the hack was discovered, Prime Minister Johnson and the Cabinet Secretary suppressed the news.

Matt Tait, aka PwnAllTheThings on Twitter, has written up a decent analysis of the story including an examination of why it might have been published now, the bona fides of the authors, and the possible motivations of sources. His conclusion: there are some red flags, but it could be true, and he goes on to examine the implications of the hack of a minister's phone.

Regardless of the underlying truth, The Daily Mail story highlights an uncomfortable reality — politicians absolutely need to use phones nowadays even though phones are insecure.

So, let's look at how we got here.

US President George W. Bush actually gave up email after being elected President in 2000, although this seems to be more about keeping personal messages private from freedom of information requests rather than being strictly about security.

Fast forward to 2009 and incoming President Barack Obama fought to keep his Blackberry, although he ended up with a secure (i.e. neutered) device that could only communicate with a small number of people who were also given secure Blackberries. Obama eventually replaced his Blackberry with a different smartphone that didn't take photos, play music, send texts or even make phone calls. Even these locked-down devices were essentially used as burner phones and were swapped out every 30 days and examined for signs of compromise.

When President Trump was sworn in, of course, all this went out the window. Trump had two locked-down government-issued phones, one for calls with camera and microphone and another for Twitter and news websites, but he resisted regular phone swaps because they were too inconvenient. He also kept a private phone to make personal calls because he was able to keep his contacts on it. Getting an aide to look up numbers must have been just too much.

His cellphone addiction was a boon to foreign intelligence agencies, at least according to this report from The New York Times. Calls made from his iPhones were monitored by Chinese and Russian intelligence services, and the intelligence was put to good use:

The current and former officials said they have also determined that China is seeking to use what it is learning from the calls — how Mr. Trump thinks, what arguments tend to sway him and to whom he is inclined to listen — to keep a trade war with the United States from escalating further. In what amounts to a marriage of lobbying and espionage, the Chinese have pieced together a list of the people with whom Mr. Trump regularly speaks in hopes of using them to influence the president, the officials said.

Regardless of Trump's bad habits, smartphones are indeed a necessary tool for all politicians to stay in touch with social media followers, friends, allies and enemies alike. Helping them do this in a secure way isn't an easy problem to solve.

In the case of a Prime Minister or President it's at least a tractable problem because you're dealing with a single device being used by an extremely powerful individual to whom government agencies answer. But what about politicians more broadly? Should the government provide more secure devices to members of parliament (or congress)? What about opposition members and politicians? Will they trust whatever agency is tasked with maintaining these devices? Should the devices be placed on a monitored tier of a cellular service? Who would do the monitoring? Wouldn't this just make that network a massive target?

Compounding the issue is politicians viewing device compromise as a political problem as opposed to a national security problem. From The Daily Mail:

…a source with knowledge of the incident said: 'This caused absolute pandemonium. Boris was told immediately, and it was agreed with the Cabinet Secretary that there should be a total news blackout. It is not a great look for the intelligence services if the Foreign Secretary’s phone can be so easily plundered for embarrassing personal messages by agents presumed to be working for Putin’s Russia.'

Allies of Ms Truss said that she was worried that if news of the hack leaked it could derail her chance of claiming the Premiership, and 'had trouble sleeping' until [Cabinet Secretary] Mr Case imposed a news blackout.

No mention of the national security impact of the loss of up to a year's worth of messages from the foreign minister's phone, then.

Opposition parties, meanwhile, are calling for an inquiry into the alleged hack.

In today's world, the smartphone security plan Obama employed actually seems pretty sensible: different phones for different purposes, neutered as appropriate, replaced regularly to limit the damage caused by compromise. But scaling that approach to cover hundreds of politicians in a country will be hard work. For now, perhaps the best option is to provide elected officials with some better guidance on device  security.

International Ransomware Cooperation Redux

This week the US government held the second International Counter Ransomware Initiative Summit in an effort to develop "concrete, cooperative actions to counter the spread and impact of ransomware around the globe".

The first summit, held virtually last October, surprised us by being more than an empty stunt and forced some governments to stake out more robust ransomware positions.

This week's summit included 36 countries and the European Union and also included 13 private sector organisations. Compared to last year, the summit also produced a range of more concrete outcomes. These broadly include a commitment to enforce domestic ransomware laws, make use of cryptocurrency more difficult for criminals with anti-money laundering laws, lawfully disrupt ransomware actors, and more information sharing.

Under these umbrella goals there are also more specific action items, including the creation of an International Counter Ransomware Task Force, initially to be chaired by Australia. The task force will "coordinate resilience, disruption, and counter illicit finance activities in alignment with the ICRTF’s thematic pillars. ICRTF members will commit to contribute to joint work of the coalition through information and capability sharing, as well as joint action in the fields of resilience, disruption, and countering illicit finance".

Of course, ransomware hasn't gone away since last year's summit. Just this week, the US Treasury's Financial Crimes Enforcement Network (FinCEN) released a report on ransomware trends based on July to December 2021 Bank Secrecy Act filings. FinCEN identified that compared to 2020, incidents occurring in 2021 more than doubled from 602 to 1251, and the dollar value increased from USD$527m to USD$886m. This is likely an underestimate, however, and FinCEN notes "it is not a complete representation of all ransomware attacks or payments" and it only includes US data.

FinCEN found 75% of ransomware incidents had some "nexus to Russia". The methodology FinCEN used here was not particularly robust and it identified links to Russia when "variants were identified in open source information as using Russian-language code, being coded specifically not to attack targets in Russia or post-Soviet states, or as advertising primarily on Russian-language sites".

This week in its Q3 2022 report, ransomware incident response company Coveware found a pivot towards ransomware targeting the healthcare sector — it was the second most affected sector behind professional services. Coveware partly attributed this to the increasing prevalence of Hive ransomware, which gleefully attacks healthcare organisations regardless of the impact on patient care. Coveware also found that BlackCat, Black Basta, and Vice Society ransomware groups have started attacking the sector when they'd previously avoided it.

Will the actions arising from this week's summit change the trajectory of ransomware?

One possibly promising approach that at least seemed plausible at last year's summit was to apply concerted diplomatic pressure on the Russian government to crack down on ransomware operators. Given the war in Ukraine that option has likely disappeared.

We think this leaves slow, grinding, incremental efforts that will gradually make life in the ransomware ecosystem harder. Change the trajectory? Yes. Drastically? No.

Three Reasons to be Cheerful this Week:

1. Apple Cares About Security: Apple has launched a new Apple security research website. The site announces changes ("upgrades") to Apple's security bug bounty program and security researchers are also now able to apply for a Security Research Device, an iPhone especially built for security research. The site also has a security research blog with an inaugural post on XNU memory safety. Together with Lockdown mode these initiatives indicate that Apple's security team could be getting some traction in the organisation.
2. Ransomware gang Yanluowang internal chats leaked: These chats were posted to the group's dark web leak site and has resulted in various group members being doxxed and the linking of internal chat names to cybercrime forum identities. Curiously, despite claiming to be Chinese the group is actually Russian! (more on Risky Biz News)
3. NSA embraces meme culture: For Cyber security Awareness Month NSA's Director of Cybersecurity, Rob Joyce, has been using memes to communicate cyber security messages in a light-hearted way. The US Army Chief of Cyber has also been memeing and we approve of these efforts to bring some humour to government comms although, unfortunately, it looks like Joyce's effort was for October only.

Sponsor Section

Proofpoint has released an entire e-book on securing Microsoft 365. Get it here.

Shorts

Cryptocurrency Explained in Only 40,000 Words

Matt Levine, author of Bloomberg's Money Stuff newsletter, has a terrific explainer on cryptocurrency "where it came from, what it all means, and why it still matters". It contains some hilarious gems such as this explanation of Bitcoin:

Imagine if keeping your car idling 24/7 produced solved Sudokus you could trade for heroin

This newsletter often covers cryptocurrency thefts and hijinks and the ingenuity in cryptocurrency hacks can be something else. (See, for example, this BGP hijack to redirect transactions from KakaoTalk's digital asset wallet and the hack of the Axie Infinity game.) Levine isn't a cryptocurrency booster but finds the cryptocurrency's reinvention of finance interesting and his motivation for writing about cryptocurrency speaks to us:

… I have a soft spot for stories of fraud and market manipulation and smart people putting one over on slightly less smart people. Often those stories are interesting and illuminating and, especially, funny. Crypto has a very high density of stories like that…

I write about crypto as a person who enjoys human ingenuity and human folly and who finds a lot of both in crypto.

Levine's explainer is worth reading.

F^$K! Profanity Flaw Stings More Victims

This latest example of cryptocurrency hilarity is the flaw in Profanity, a tool to generate vanity or customised Ethereum addresses (such as starting with seven zeros, for example) which has resulted in a string of cryptocurrency thefts worth hundreds of millions of dollars.

The fundamental flaw here was that the random seed used to generate addresses was limited to 32 bits, so it was possible to determine every possible Profanity public/private key pair using a single 16GB M1 Macbook over a weekend.

Catalin at Risky Biz News has more coverage of the fallout from the Profanity vulnerability.

When Being on the Lam Is Just Too Instaworthy

Krebs on Security has the story behind the arrest of Mark Sokolovsky, a key developer of the Raccoon Infostealer malware-as-a-service. Krebs's report identifies the key OPSEC failures that led to Sokolovsky's arrest. The key failure was that early posts on crime forums revealed his gmail and hence iCloud account which therefore allowed authorised access to his iCloud backups. But more recently Sokolovsky's girlfriend documented their travels from Ukraine through Poland to the Netherlands on Instagram, where Sokolovsky was arrested.

INTERPOL's Metaverse

Two weeks ago INTERPOL announced a law enforcement metaverse. The INTERPOL Metaverse "allows registered users to tour a virtual facsimile of the INTERPOL General Secretariat headquarters in Lyon, France without any geographical or physical boundaries, interact with other officers via their avatars, and even take immersive training courses in forensic investigation and other policing capabilities".

Geez. We could be cruel about this, but who knows, maybe it'll do some good?

PRC Interferes With Huawei Prosecution

Early last week two PRC intelligence officials were charged by US prosecutors for allegedly attempting to interfere in the prosecution of a Chinese "global telecommunications company", reportedly Huawei according to Reuters. We've written about this kind of thing before, but this is yet more evidence that Chinese companies and the state are closely intertwined.

Hacking For Hire Lawsuit

Jay Solomon, a former Wall Street Journal reporter is accusing a US law firm of using India-based hackers-for-hire to steal emails that were subsequently passed to The WSJ and published online in an ultimately successful effort to get him fired.

The court case follows on from a June Reuters article that detailed how the services of Indian hacking firms are being used to influence legal battles around the world. If true, these hacking operations would be truly corrosive for the rule of law, so we hope the court case gets to the bottom of things. Reuters has been all over these low-grade "hacker for hire" companies since 2020.

Risky Biz Talks

In addition to a podcast version of this newsletter (last edition here), the Risky Biz News feed  (RSS, iTunesor Spotify) also publishes interviews.

In our last "Between Two Nerds" discussion Tom Uren and The Grugq discuss why some states seem to favour small dispersed groups that are contractors rather than large centralised organisations like the NSA and GCHQ. Do they see positive benefits in that approach? Or do they use contractors out of necessity?

From Risky Biz News:

Poland and Slovakia: In a series of DDOS attacks, Pro-Russian hacktivist groups have targeted the IT networks of the Parliaments of Poland and Slovakia. The attacks targeting Poland's Parliament came after the government passed a resolution recognizing Russia as a terrorist state and brought down the Senate's website. The attack targeting Slovakia's Parliament systems was far more severe, and the body had to suspend its voting session on Thursday due to the IT system being down.

Microsoft rolls out number matching to counter MFA push notification spam attacks: Earlier this week, Microsoft announced the general availability of several new security features for Azure AD tenants, including "number matching," a feature to protect against an increasingly popular attack known as MFA push notification spam.

Also known as MFA fatigue or MFA prompt-bombing, this MFA bypass technique has been a little-known secret of infosec red teams for years, but it has also become extremely popular with several threat actors over the past 12 months. (continued)

New CISA guidance: The US Cybersecurity Infrastructure and Security Agency has released guidance urging organizations and federal agencies to roll out phishing-resistant multi-factor authentication (MFA) [PDF] and number-matching protections if they use mobile push-notification-based MFA [PDF].