Why the German Military's Use of WebEx Is Fine, Actually
Your weekly dose of Seriously Risky Business news is written by Tom Uren and edited by Patrick Gray. It's supported by Lawfare with help from the William and Flora Hewlett Foundation. This week's edition is sponsored by Corelight.
You can hear a podcast discussion of this newsletter by searching for "Risky Business News" in your podcatcher or subscribing via this RSS feed.
A senior Russian media figure has published a recording of German Ministry of Defence (Bundeswehr) officials discussing the implications of providing Ukraine with medium-range cruise missiles.
The story here is not that German security is poor, but that Russia is publishing raw intelligence to sow discord in the country.
Margarita Simonyan, editor-in-chief at RT, the Russian state-controlled TV outlet, published the 38-minute audio recording on Friday 1 March saying "comrades in uniforms" had given her the recording.
The UK and the European Union both sanctioned Simonyan in 2022 for her propaganda supporting Russia's invasion of Ukraine.
The audio was a recording of a Webex call between four senior German military officials that occurred on 19 February. The head of Germany's air force, Ingo Gerhartz, was one of the participants.
After an initial investigation, Germany's Defence Minister, Boris Pistorius, said the leak resulted from one of the participants dialling in to the call on an unsecured line from a Singapore hotel.
There are several plausible scenarios here that could have resulted in the call being intercepted. An uninvited participant could have joined the call without being detected; the call could have been intercepted as it traversed telecommunications networks; it could have been recorded on a compromised endpoint device; or the room could even have been bugged.
Since Pistorius highlighted the use of an unsecured line, if the officer in question used a cellphone, one more specific scenario is that the Russians intercepted the call using base stations they control near the hotel (aka Stingrays).
Another possibility is that the call was intercepted remotely via SS7 shenanigans, which Russia has reportedly used before in Ukraine (SS7 or Signalling System 7 controls how phone calls are carried over the global telecommunications network). A call over a hotel landline could be intercepted by compromising the hotel switch.
Both types of calls could be passively intercepted using old-school SIGINT techniques, as they travelled from Singapore to the Bundeswehr's Webex server, presumably in Germany.
Pistorius said the show was attended by high-ranking military officers from across Europe and "targeted hacking took place in the hotels used across the board".
"It must therefore be assumed that the access to this (phone) conference was a chance hit as part of a broad, scattered approach."
Pistorius called this an "individual error" and described it as a one-off. He said that the Bundeswehr used a hardened on-premise Webex server and that calls up to certain classifications were allowed.
Dr Sven Herpig, director of cyber security policy at German digital policy think tank SNV, told Seriously Risky Business that he thought using hardened Webex correctly would likely have prevented interception.
'Correct use' would have included enforcing encrypted connections, using regular hardened laptops or smartphones and connecting from an embassy network. (Dr Herpig previously worked for both the German information security office and its foreign office). It is possible to set up Webex meetings that enforce end-to-end encryption with verified participants.
Taking these steps is still not an absolute guarantee, but it mitigates all of the scenarios outlined above.
Dr Herpig noted that in this case insecure dial-ins hadn't been disabled and no one noticed the 'call not secure' sign, and said that unfortunately "there is no patch for human stupidity".
Regardless of how it accessed the meeting, Russia must have judged that it would get more value by weaponising the recording through publication than by keeping its access secret for future intelligence gathering.
The published recording was portrayed by Russian figures as indicating that Germany was preparing to enter the war in Ukraine.
Simonyan claimed the recording showed that Germany was planning to bomb the Kerch Bridge linking Crimea to Russia. This bridge has already been the target of several Ukrainian attacks.
On Telegram, Dmitry Medvedev, the deputy chair of Russia's Security Council, said the leak indicated "our eternal adversaries, the Germans, have once again become sworn enemies". A foreign ministry spokesperson, Maria Zakharova, warned of "dire consequences" for Germany in connection with the leak.
Putin spokesperson Dmitry Peskov said the conversation "suggests that in the bowels of the Bundeswehr, plans for strikes on Russian territory are being discussed in a substantive and concrete manner".
Of course, an Associated Press report of the leaked discussion doesn't match the Russian portrayal. The conversation is not about 'preparing for war' so much as 'preparing a PowerPoint' to present to the Minister of Defence. In it, the participants discuss what would happen if Germany were to give Ukraine Taurus cruise missiles, including how Ukraine might use them and how much technical support German forces would need to provide. Per The Associated Press:
In the course of the discussion, it becomes clear that they are referring to the Kerch bridge linking Russia and occupied Crimea. One of the officials says that training to target the bridge, which is "as big as an airfield," would likely take longer.
They also discuss potential red lines for German politicians, including a desire to avoid the military being seen as directly involved.
The officers say the rapid deployment of Taurus missiles would only be possible with the participation of German soldiers—and that training Ukrainian soldiers to deploy the Taurus on their own would be possible, but would take months.
The recording makes clear that the German government has not given its OK for the delivery of the cruise missiles sought by Ukraine.
Here in Australia, Webex is rated for conversations up to PROTECTED, the classification for information whose compromise could cause 'damage to the national interest' (but not 'serious' or 'exceptionally grave' damage).
Germany's classification system is similarly high level, and although Pistorius didn't say exactly what level of classified discussion is permitted over Webex, we think it likely that the leaked conversation wasn't too sensitive for Webex.
To keep a sense of perspective here, a conversation actually about how to provide Ukraine direct boots-on-the-ground military support would be classified SECRET or TOP SECRET.
According to Deutsche Welle, Pistorius said Russia’s action was "about using this recording to destabilise and unsettle us", and described the incident as "part of an information war that Putin is waging".
Part of the background to this leak is that the German Chancellor has so far been reluctant to send Taurus missiles to Ukraine, fearing that it would cause an escalation that would drag Germany into the war, especially if Ukraine uses them to strike targets in Russia. There is some political support for providing Ukraine with the missiles, but the idea is unpopular with the public.
Scholz hasn't ruled out sending the missiles, however, and various politicians believe one of the reasons the recording was leaked was to undermine the possibility Scholz will allow Taurus deliveries to Ukraine.
In the short term, Russia's operation has been a success and Dr Herpig judged that the press coverage had been more damaging than the leak itself. We'll have to see if it has longer-term impacts on Germany's military support for Ukraine.
Data Broker Order Is the Best Band Aid Available
A new Biden executive order sets out to stop adversary countries from getting bulk sensitive personal data of Americans. It's a step in the right direction, but it needs to be part of a more holistic solution.
The executive order is motivated by foreign countries' continued efforts to access bulk data about Americans, which the administration says they could use to "engage in espionage, influence, kinetic, or cyber operations or to identify other potential strategic advantages over the United States".
From Risky Business News coverage of the executive order:
In a phone call with reporters, the White House said foreign governments are increasingly viewing data as a "strategic resource." Officials said foreign governments are collecting the personal data of Americans and using it for espionage and other cyber-enabled activities.
"Bad actors can use this data to track Americans (including military service members), pry into their personal lives, and pass that data on to other data brokers and foreign intelligence services. This data can enable intrusive surveillance, scams, blackmail, and other violations of privacy."
The new executive order is meant to provide US government agencies—and especially the Justice Department—with regulatory tools to hunt down data brokers that turn a blind eye to who they're doing business with for the sake of profits.
The types of data covered include genomic data, biometric data, personal health data, geolocation data, financial data, and certain kinds of personal identifiers.
The order directs the Department of Justice to develop rules to limit the sale of this kind of data to foreign entities from yet to be defined countries of concern.
There are some reasons to be sceptical about the effectiveness of the order. These include that privacy regulation of the private sector isn't standard fare for the Department of Justice and that many small data purchases that would bypass this order can add up to 'bulk data'.
Brandon Pugh, cyber security and emerging threats director at the R Street Institute, told this newsletter the order wasn't a "full solution", but did think "it has the potential to be part of the solution".
Pugh thinks a comprehensive federal data privacy and security law is needed and he noted that many recent administration policy documents call for exactly that kind of law.
However, he pointed out this is a complex issue and requires the balancing of competing interests and that, even though adversaries will look to steal sensitive data, "data is important for innovation and fuels many technologies".
One of the mitigations Pugh suggested was to impose controls over the amount of data collected in the first place. We think changes that have occurred over the last couple of years in the ad tracking ecosystem are a good example of that principle in practice.
Prior to 2021, for example, advertisers were able to track iOS devices using a more-or-less permanent pseudonymous per-device identifier known as an IDFA (Identifier for Advertisers). Coupled with geolocation data, this makes tracking over time more or less trivial, and last week's newsletter covered real-world examples of this kind of tracking.
In mid-2021, with iOS 14.5, Apple introduced what it calls App Tracking Transparency. This privacy feature requires iOS users to opt in before an app can track their behaviour. If users don't opt in to tracking, the IDFA is set to all zeros, and App Store terms and conditions also forbid workarounds such as hashed identifiers or device fingerprinting within apps.
This makes tracking over time much more difficult but doesn't entirely prevent it.
Eric Seufert, a mobile advertising expert and author of Mobile Dev Memo, told Seriously Risky Business that:
The deprecation of Mobile Advertising Identifiers does erect significant barriers to tracking a person's behaviour across online and real-world contexts but it doesn't entirely prevent it. For instance, location data can form the basis of a rough identifier if patterns become reliable or predictable, especially if they include a person’s home or place of work. IP address, location data, and various device parameters can be bundled into synthetic identifiers that, while not deterministic, can still be used in some ways to track a person’s behaviour.
Seufert said that Apple had also introduced new tools to prevent device fingerprinting including privacy manifests and a required reasons API.
When it comes to geolocation data derived from phones, perhaps this type of operating system-level change could reduce national security risks associated with geolocation data to acceptable levels?
We are not sure this is good enough in isolation, but we think restrictions on the type and amount of data that can be collected and sold must be part of the solution.
Apple's actions here are one example of mitigating these types of risks at the point the data is collected. But the entire data ecosystem involves many players. Google, for example, has not yet restricted use of its Advertising ID, although it has said it might do so when it rolls out its Privacy Sandbox in 2024.
And automobile manufacturers are getting into the 'selling customer data' game.
We are certain that managing national security risk is not top priority for these industry players, so we think regulation that controls the collection of at least some data types is required.
Three Reasons to Be Cheerful This Week:
- Court orders NSO to hand over source code: A US court has ordered NSO Group to give source code for its Pegasus spyware to Meta as part of an ongoing court case between the two companies.
- German police seize Crimemarket: Dusseldorf police have announced the seizure of Germany's largest cybercrime marketplace, Crimemarket. The market had 180,000 registered users, 102 search warrants were executed, three people arrested and almost €600k in cash and assets seized.
- US ups ante on spyware sanctions: The US Treasury Department has imposed economic sanctions on spyware company Intellexa, its founder and another executive. The company was placed on the US's Entity List in July, but in October an investigation implicated its Predator spyware in the targeting of US, UN and European officials. These new sanctions are stricter than previous ones levied against spyware companies and aim to prevent the entities and individuals named from accessing the US financial system.
Sponsor Section
In this Risky Business News sponsored interview, Tom Uren talks to Vijit Nair, Corelight’s VP of Product, about how cloud security was once an afterthought but is now on the improve.
Shorts
AlphV Strikes Back Then Disappears
A recent ransomware attack on US health care payment processor Change Healthcare has rippled across the US health sector.
The company announced it had been affected by ransomware on 21 February, with the attack affecting reimbursement payments from insurers and electronic filing of prescriptions across the US.
The attack was purportedly carried out by the AlphV/Blackcat ransomware group, a group disrupted by the FBI in late December.
It appears AlphV has absconded without paying affiliates after receiving a US$22m ransom.
Adam Boileau and Patrick Gray discuss this extensively on this week's Risky Business podcast.
Google On Board With Memory Safety
In the wake of last week's White House call for developers to use 'memory safe' languages, Google has released a paper outlining its perspective on the topic.
In short, Google is on board with the idea. It says memory safety can only be achieved with "a Secure-by-Design approach centred around comprehensive adoption of languages with rigorous memory safety guarantees".
Risky Biz Talks
You can find the audio edition of this newsletter and other fine podcasts and interviews in the Risky Biz News feed (RSS, iTunes or Spotify).
In this edition of Between Two Nerds Tom Uren and The Grugq look at the shift that has taken place in Ukraine’s cyber strategy as it has gone on the front foot and its cyber forces have launched multiple cyber strikes in the last few months. They discuss reasons why Ukraine might want to make this change and ask whether it makes sense.
From Risky Biz News:
Intellexa pulls new Predator spyware infra after thorough undressing: Intellexa—the holding company that sells and operates the Predator spyware—has taken servers offline after two security firms exposed the company's brand-new infrastructure.
Reports from Sekoia and Recorded Future provided details on new domains and servers used as part of the Predator attack and delivery platform.
Less than 24 hours after the second report went out, all of these servers went offline.
[more on Risky Business News, including more details from the reports and Predator's history.]
ACEMAGIC mini PCs shipped with pre-installed malware: Chinese company ACEMAGIC has confirmed that early batches of some of its new mini PC models were shipped with pre-installed malware.
Malware such as the Redline infostealer and the Bladabindi backdoor were found in the Windows OS system recovery section of its mini PCs. In some cases, malware was also found in the mini PCs' RGB lighting driver.
[more on Risky Business News, including how the malware infections were initially found by… YouTube reviewers!]
Ukraine hacks Russia's Defense Ministry: Ukraine's military intelligence agency claims it successfully hacked Russia's Defense Ministry. Ukraine's Defence Intelligence Main Directorate (GUR) says it obtained data on Russia's military encryption software. The GUR says it also obtained documents exchanged between more than 2,000 units of Russian security services. Ukrainian officials say the documents have helped to recreate the full structure of the Russian Defense Ministry. The GUR claimed they gained access to the network via one of Sergei Shoigu's deputies.