Biden's SIGINT Executive Order Is Kafkaesque, but We Like It
PLUS: The C in CSO stands for Convicted
Your weekly dose of Seriously Risky Business news is written by Tom Uren, edited by Patrick Gray with help from Catalin Cimpanu. It's supported by the Cyber Initiative at the Hewlett Foundation and founding corporate sponsor Proofpoint.
Biden's SIGINT Executive Order Is Kafkaesque, but We Like It
US President Joe Biden signed an executive order last Friday aimed at implementing a new privacy framework for data sharing between the European Union and the US (The EU-US Data Privacy Framework or EU-US DPF). The Executive Order on "Enhancing Safeguards For United States Signals Intelligence Activities" is intended to square the circle and balance US national security requirements for signals intelligence (SIGINT) against European Union human rights protections.
The goal of the privacy framework is to make transatlantic data flows between the EU and US legal and relatively easy by ensuring that EU citizens' user data is appropriately protected when it is transferred to the US. Two previous agreements — Safe Harbor and Privacy Shield — were both struck down by the European Court of Justice in 2015 and 2020 respectively for not adequately protecting users from US intelligence collection practices.
The EO adds new safeguards for US SIGINT activities, including:
Defining permitted national security objectives and explicitly prohibiting some activities;
Requiring that activities take into consideration the privacy and civil liberties of all persons regardless of nationality; and
That they be conducted only when necessary and proportionately to a validated intelligence priority.
In addition to changing SIGINT policy, the EO also sets up a review and redress mechanism. Citizens from qualifying states can complain to a newly established Data Protection Review Court if they feel that "their personal information collected through U.S. signals intelligence was collected or handled by the United States in violation of applicable U.S. law". Decisions of this court will be binding on the US intelligence community.
At one level, this whole saga — from Safe Harbor to Privacy Shield to the EU-US DPF — is a farce. The US intelligence community (IC) doesn't spy on foreigners for funsies, and the entire point of the IC is to lawfully satisfy validated intelligence priorities.
The legitimate objectives for SIGINT collection as defined in the EO are pretty broad, too. To give just one example, the EO defines legitimate objectives as "protecting against cyber security threats created or exploited by, or malicious cyber activities conducted by or on behalf of, a foreign government, foreign organization, or foreign person". So, no limits on any cyber threat as long as it is foreign.
And the practical effect of the Data Protection Review Court will be invisible to EU citizens. Washington DC-based Austin Mooney, a privacy and cyber security lawyer at McDermott Will and Emery, told Seriously Risky Business that the responses to complaints to the court will be necessarily limited.
"Due to the classified nature of the proceedings, all complainants to the Court can hope for is a 'Glomar' response – a boilerplate message that their matter has been resolved, without confirming whether an issue was identified or if any redress steps were taken," he said.
From a US perspective, EU citizens are foreigners and so, therefore, don't legally require the same privacy protections as citizens and are legitimate foreign intelligence targets. The relevance of EU human rights law to US intelligence collection is questionable at best.
However, both the EU and US would like transatlantic data flows to be easy and clearly regulated. Mooney said that "companies are caught in the crossfire of a longstanding conflict between US surveillance law and EU privacy and human rights law".
"Virtually every US service provider has spent the last few years fielding questions and contract terms relating to these issues. Often, these contracts ask for the impossible: that companies assert they are not subject to US law, and agree to disclose any surveillance orders, which by law cannot be disclosed. These issues can lead to delays and loss of business."
America doesn't like losing business. One might even suggest the US government amending its SIGINT practices to enable transatlantic commerce is a measure of the US's status as an enterprise-owned state.
Stepping past the farce, however, there are elements we positively approve of here.
The EO explicitly prohibits certain SIGINT activities including suppressing legitimate privacy interests, suppressing dissent or free expression, and disadvantaging persons based on their "ethnicity, race, gender, gender identity, sexual orientation, or religion". It also rules out collection of "foreign private commercial information or trade secrets to afford a competitive advantage to United States companies and United States business sectors commercially."
So much of what is normal for Chinese APTs is explicitly banned! What would their APT crews do if they were banned from targeting Uyghurs, the Hong Kong protest movement and companies for intellectual property theft? They'd have to get new jobs!
There's the rub. Even when it comes to intelligence collection, the EU and US have far more in common than sets them apart, and there are far more serious threats that are worth worrying about than perceived overreach by American SIGINT agencies.
Our optimistic (or maybe naive) hope is that by being explicit about its SIGINT practices and setting out what is prohibited in black and white, the EU and US might be able to move on and focus on more pressing issues.
But there's a wrinkle, and its name is the European Court of Justice.
Mooney thinks it "very likely that [the] European Commission will ultimately approve the DPF in the coming months, as they did with the Privacy Shield and Safe Harbor frameworks before it". But he also expects that the DPF, like Privacy Shield and Safe Harbor, will be challenged in the European Court of Justice (ECJ). Even though the EO's reforms are meaningful, he still thinks "it is far from clear that these reforms will be enough to clear the high bar set by the ECJ".
So stand by for more farce.
Thanks for reading Seriously Risky Business! Subscribe for free to receive new posts and support my work.
The C in CSO stands for Convicted
Joseph Sullivan, former Uber Chief Security Officer, was last week convicted of charges relating to his attempt to cover up a 2016 data breach at Uber.
Reactions to the news among information security professionals have varied, with many expressing concern that executives will now be held personally liable for cyber security incidents.
It's important to be clear about what happened here, though. In late 2016 Sullivan was working with an FTC investigation into an unrelated 2014 Uber data breach that had occurred prior to Sullivan joining the company. In the midst of this investigation Sullivan was informed of a new breach. Rather than informing the FTC and law enforcement authorities, however, Sullivan kept the new hack secret and paid the hackers USD$100k in Bitcoin via Uber's bug bounty program. The Department of Justice press release says Sullivan was convicted because he "affirmatively worked to hide the data breach from the Federal Trade Commission and took steps to prevent the hackers from being caught". The press release describes what Sullivan was convicted of:
The evidence demonstrated that, shortly after learning the extent of the 2016 breach and rather than reporting it to the FTC, any other authorities, or Uber’s users, Sullivan executed a scheme to prevent any knowledge of the breach from reaching the FTC. For example, Sullivan told a subordinate that they “can’t let this get out,” instructed them that the information needed to be “tightly controlled,” and that the story outside of the security group was to be that “this investigation does not exist.” Sullivan then arranged to pay off the hackers in exchange for them signing non-disclosure agreements in which the hackers promised not to reveal the hack to anyone, and also contained the false representation that the hackers did not take or store any data in their hack. Uber paid the hackers $100,000 in bitcoin in December 2016, despite the fact that the hackers had refused to provide their true names. Uber was ultimately able to identify the two hackers in January of 2017 and required them to execute new copies of the non-disclosure agreements in their true names and emphasized that they were not allowed to talk about the hack to anyone else. Sullivan orchestrated these acts despite knowing that the hackers were hacking and extorting other companies as well as Uber, and that the hackers had obtained data from at least some of those other companies.
The evidence showed that, despite knowing in great detail that Uber had suffered another data breach directly responsive to the FTC’s inquiry, Sullivan continued to work with the Uber lawyers handling or overseeing that inquiry, including the General Counsel of Uber, and never mentioned the incident to them. Instead, he touted the work that he and his team had done on data security. Uber ultimately entered into a preliminary settlement with the FTC in summer 2016, supported fully by Sullivan, without disclosing the 2016 data breach to the FTC.
We don't think Sullivan deserves much sympathy here, especially considering he was formerly a federal prosecutor. He knew what he was doing. We are not convinced, however, that he was solely responsible. Other people in Uber knew of the plan to conceal the hack including then CEO Travis Kalanick, Uber's Chief Privacy Officer and a lawyer on Sullivan's team. The lawyer, Craig Clark, admitted in court to providing advice that the breach did not have to be disclosed if the hackers were identified and could convincingly commit to delete and not spread the stolen information. Clark was granted immunity from prosecution to testify against Sullivan.
Playing fast and loose with laws and regulations seems to have been part of Uber's DNA. In addition to launching its ride-hailing service into new markets without regulatory approval, Uber is also accused of taking active steps to thwart regulators and police. Uber allegedly used a "kill switch", for example, to prevent police and regulators from accessing Uber's corporate data in several countries when its offices were raided. And it is also accused of creating a tool known as "Greyball" that was used to identify and shadowban officials that were trying to regulate Uber. Australian officials say that because of Greyball they had to negotiate with banks and phone companies to obtain new bank accounts and SIM cards to investigate Uber's activities.
These incidents are alleged to have occured during Sullivan's time as Uber's CSO from 2015 to 2017 although the practices predated his arrival. In other words, from an ethical governance point of view it seems that Uber's culture was rotten prior to Sullivan's arrival. The Washington Post reports prosecutors "unsuccessfully pressed Sullivan to implicate Kalanick, who would have been a far bigger prize but was not damned by the surviving written evidence, according to people familiar with the process".
He didn't snitch. Good for him.
What's the lesson for CISOs and CSOs here? First of all, don't hide breaches from regulators, especially when they're already investigating you. Secondly, think very very carefully about not disclosing a breach or incident. An incident doesn't just disappear because some criminal got paid a lot of money, and there’s no guarantee the hacker(s) won’t get caught in the future and decide to use your breach as barter to get out of a longer jail sentence.
Three Reasons to be Cheerful this Week:
Cyber security star labels in the US: The White House is planning an IoT device cybersecurity star rating scheme. Doing something about smart device security is a good thing, but we are not sure that consumer transparency schemes will drive security improvements. Hopefully they do. More at CyberScoop.
Microsoft enables brute force protection for local admin accounts: This will be particularly useful to protect against RDP brute force attacks which were previously not prevented. If enabled the default setting will lock an account for 10 minutes after 10 failed login attempts.
An Optus blackmailer arrested: The Australian Federal Police have arrested a 19-year old Sydney man for allegedly attempting to use stolen Optus data to blackmail people via text message. The man messaged people whose data from the Optus hack had been posted online and asked for AUD$2000, threatening to use their data for fraud if they didn't pay. Police don't think he's the original Optus hacker. He's not smart enough to be — he used his own phone and pointed potential victims to his own bank account.
A new Proofpoint and Cybersecurity at MIT Sloan report examines boards of directors' perceptions about key challenges and risks. It finds that although cyber security is high on the agenda in board rooms there are some interesting differences in perception between CISOs and boards.
These differences cover the gamut from how likely a material cyber attack is, whether malicious insiders are a top concern and what the most important consequences of a cyber attack are.
Another significant concern is that awareness and funding do not translate into preparedness. Most respondents thought their board recognised cyber security risk, there was adequate investment and that data was protected, but despite that nearly half thought their organisations weren't prepared for a cyber attack.
Download the report here.
Analysing Files to identify threats with Stairwell's Inception platform
Risky Business publishes sponsored product demos to YouTube. They're a great way for you to save the time and hassle of trying to actually get useful information out of security vendors. You can subscribe to our product demo page on YouTube here.
In our latest demo, Mike Wiacek shows Patrick Gray how to hunt down and triage suspicious files within your enterprise using Stairwell's file analysis and threat detection platform.
Does My Blockchain Look Big In This
Zcash, a privacy-focussed cryptocurrency, is being subject to a "spam attack" where large volumes of inexpensive transactions are used to dramatically expand Zcash's blockchain.
This has resulted in the blockchain tripling in size from 31GB to over 100GB since mid-June. This is affecting performance and making it harder for wallets to sync, although the Electric Coin Company, the organisation behind Zcash, says that they are releasing improvements and everything will be fine.
It's interesting to speculate about the motivations behind this attack, which cover the gamut from "for the lulz" to financial gain to degrading Zcash itself, or to unmask users. Because fees are very low, the estimated cost of the attack is only USD$10 a day and at that price it could be anyone, really. The transactions in question are "shielded", ie private, so it isn't even possible to know if it is a real attack or some weird legitimate use.
You Keep Saying Article 5, but It Doesn't Mean What You Think It Means
Politico reported last week that Albania considered invoking NATO's Article 5 in response to mid-July Iranian cyberattacks that disrupted government services. This seems very significant, but Dmitri Alperovitch points out in a Twitter thread that Article 5 is about restoring and maintaining security. In the context of a cyber attack, "it may mean as little as providing Incident Response services to the impacted party like Albania", he says. In some more extreme cases where the attack is still ongoing it might mean "using voluntary assistance requests, legal process or cyber offensive actions to shutdown Command & Control servers (which are rarely even located in the aggressor country)".
Comedy is Tragedy Plus Blockchain
Hackers managed to exploit a flaw in Binance's BNB token cross-chain bridge to create two million new BNB tokens, notionally worth over USD$560m at the then price of USD$283 per token. It appears the attacker managed to transfer more than USD$110m out of the cryptocurrency before the theoretically decentralised system was paused and the tokens frozen.
This is significant in part because Binance is the largest cryptocurrency exchange by trading volume and because it also illustrates how some of the touted benefits of blockchains are illusory. In its report on the hack, CoinDesk notes that "blockchains are purportedly decentralized beasts designed to operate beyond the whim of singular entities. You aren't supposed to just flip an off switch."
Risky Biz Talks
In addition to a podcast version of this newsletter (last edition here), the Risky Biz News feed (RSS, iTunesor Spotify) also publishes interviews.
In our last "Between Two Nerds" discussion Tom Uren and The Grugq discuss using cyber capabilities to tackle foreign cyber criminals.
From Risky Biz News:
Hacktivist sentenced in Belgium: Meanwhile, in a very weird case in Belgium, an anti-vaccine activist was sentenced this week to 100 hours of community service. According to local media, Marie Samijn hacked into the personal laptop of Flanders prime minister Jan Jambon on December 7, last year. Testifying in court, Samijn said she visited Jambon's residence last year after returning from an anti-government protest. She was allegedly left alone for 90 minutes to wander around the residence, during which time she found the prime minister's laptop, on which his account password was taped. Jambon admitted to accessing the device and changing one of the official's PowerPoint presentations to add statistics on child pornography and human trafficking across various European countries. Cookers gonna cook.
Exchange zero-day update: Earlier this week, US cybersecurity firm Volexity linked the recent Chinese APT group that exploited the ProxyNotShell vulnerabilities (CVE-2022-41040 and CVE-2022-41082) to a known threat actor that has previously targeted Outlook Web Access and Zimbra servers in the past. However, in a tweet on Thursday, the company backtracked on its findings, saying that two different Chinese APTs used the same infrastructure for different attacks in the past, hence the confusion. As Mandiant's Mark Lechtik points out, this indicates the existence of specialized initial access brokers serving Chinese APTs, similarly to how both Russian and Iranian groups also employ IABs for some of their operations.
In a report on Friday, security firm Checkmarx said the threat actor, which goes online as the LofyGang, was behind almost 200 packages uploaded on the npm portal across 53 different developer accounts. (continued)