Srsly Risky Biz: Thursday, July 29

When mobile apps, privacy and national security collide

Your weekly dose of Seriously Risky Business news is written by Tom Uren, edited by Patrick Gray and supported by the Cyber Initiative at the Hewlett Foundation, AustCyber and founding corporate sponsors CyberCX and Proofpoint.

Let he who is without sin...​​

A small Catholic publication using commercially available data to out a US Catholic priest as a Grindr user highlights the security and intelligence risks posed by the data broker industry to -- in particular -- the United States and its interests.

The story was broken by The Pillar, a Catholic Substack publication, and relied on "anonymous" app data supplied to it by a third party. 

The Pillar correlated the priest's "pattern of life" -- his travel, home and business addresses, and the addresses of his family and friends -- against a mobile location data set to find a matching device. The publication then tied that device to Grindr use at gay bars across various American cities. The priest subsequently resigned after The Pillar published an article teeming with homophobic innuendo.

It's surprising that examples like this haven't come to light already. The Pillar both harassed its intended target and drew significant attention to itself by weaponising mobile app data that most people assume is private. This double "success" will likely result in similar "doxxing-for-outrage" incidents. 

Grindr's privacy track record, to be frank, is pretty piss-poor. In 2018 it was caught exposing its users' HIV statuses with other companies via sharing agreements. Then, earlier this year, it was fined USD$11.7m by the Norwegian Data Protection Authority for unlawfully sharing user data -- user profile information, IP addresses, geolocations and device identifiers -- with advertising platforms. 

When the Chinese Beijing Kunlun Tech company bought Grindr in 2016, it dawned on the US government that the data it gathered could be used by the Chinese government for intelligence collection and blackmail. In 2019 Kunlun was forced to sell Grindr on national security grounds.

However, as this incident demonstrates, the forced sale won't stop foreign adversaries from just buying Grindr data rather than compelling the company to hand it over. In practical terms, the forced sale only had the effect of making Chinese intelligence efforts slightly more expensive.

Forgetting about security and intelligence for a moment: When a micro-publication focussed on Catholic affairs can obtain data through (presumably) commercial sources that exposes a citizen's most closely guarded secret for some clicks and notoriety, the problem starts to look a bit bigger than just countering state-sponsored blackmail. 

The privacy issues in the data broking industry are well known, thanks in part to Joseph Cox's work on VICE's Motherboard blog. He's written extensively about the shadow industry that takes theoretically anonymous device identifiers and links them to real people. This makes it dramatically easier to use purchased data maliciously. 

At this point we might ask: Why is it even possible to buy, sell and de-anonymise data that can be used to persecute people? 

Although there is some industry-specific federal privacy legislation (covering the US government, banking, health and children's privacy), there is no US federal legislation dealing specifically with internet privacy. In that policy vacuum, a complex and opaque information ecosystem has developed where information about people is bought, traded, scraped, collected and compiled for profit. Individuals typically don’t know that their data is being harvested and don’t have any direct relationships with these 'data brokers'.  Regulators like the Federal Trade Commission have lacked both the legislative authority and resourcing to understand and respond to the problem. 

Some state and international law is relevant. The California Consumer Privacy Act (CCPA) and the European Union’s General Data Protection Regulation (GDPR) give their respective residents the right to know what their personal data is used for, how it is being used, and to opt out of (some) data processing.

Introducing these kinds of laws federally (in the USA) would be a start, but simply giving people more rights won't solve this problem. Companies can obscure how data is used behind complex terms of service and privacy policies, which are practically impossible for most users to navigate and understand. Grindr's terms of service, for example, points to its privacy policy, which describes what they share with advertising partners:

...cookie or device IDs (such as advertising ID), connection information (such as type, carrier, speed), opt-out status, and technographics (such as device model, brand, OS version).

This minimises what advertisers can learn about Grindr users. It's only by finding Grindr's third party disclosure document do you find that:

...our Ad Partners may collect the following categories of information from your device: device IDs (such as advertising ID, device ID, IP Address, MAC Address, IMEI, and others), device location (general and precise), connection information (such as type, carrier, speed), gender, age, opt-out status, and technographics (such as device model, brand, OS version, etc.).

This is absolutely everything you need to identify people by building profiles over time. This sensitive data is shared in auctions with potentially hundreds of buyers and it is possible that some data brokers are acquiring, collating and analysing this information to be on-sold.

New laws need to go much further protecting people by providing guardrails that limit how such data can be collected, used and exported, even with user consent. And they also need a national security lens applied -- there is a new and difficult balance to be struck that allows for the flow of data to enable commerce and valuable services while minimising its potentially damaging uses. The current status quo just maximises the downsides and presents a golden opportunity for malicious use by foreign intelligence services.

Decline in ransom payments are evidence of... well, not much, actually

There are some indications that the ransomware situation is changing, if not improving.

Coveware, a ransomware response firm, reports the ransom payments it tracks fell significantly in the second quarter, with the average declining by roughly 40% to USD$137,000. Rather than reflecting the success of various anti-ransomware efforts, this may be due to a change in the ransomware ecosystem -- some of the crews that have historically received higher ransoms have been less active. Additionally, fewer companies are paying to stop hacked data being leaked as it turns out that data is often leaked anyway.

On those efforts: The EU has proposed legislation to update Anti Money Laundering and Know Your Customer (AML/KYC) rules to include cryptocurrency exchanges. Together with increased US focus on tracing cryptocurrency payments to ransomware gangs this should help staunch the flow of money to ransomware operators. US efforts are in their infancy but will likely make a dent in the longer term. 

But what will happen next? We think criminal activity will likely spill over into different areas. 

Criminals have options: They could simply be more discriminating in their targets, avoid large organisations and critical infrastructure and focus instead on small and medium enterprises (SMEs). Whereas large organizations are important to a functioning society and are often well-connected politically, individual SMEs are usually not and attacks on them won't generate the same type of headlines and pressure. 

Avoiding large and critical enterprise targets could reduce the Biden administration's focus on ransomware and give these criminals the space to continue operations. There's still money there. Ransomware already disproportionately affects small and medium enterprises and the profits add up.

We'd hate to see the issue ignored because it's not affecting the well connected. So we'd like to see ransomware notification laws introduced. They'll assist policy makers in tracking ransomware's impact, evolution and responsiveness to government actions. 

Another possibility is criminals will move their focus away from the US. The US and other developed countries have been lucrative playgrounds, but if they become harder targets ransomware crews might simply seek out greener pastures. 

The Kaseya incident is all over, red rover

Kaseya, a remote management software company whose product was used to install ransomware on victim networks, has obtained a universal decryption key from a 'trusted third party', and has begun helping customers restore their encrypted data. (But only if they sign an NDA, of course.) This is good news, but almost three weeks after the attack it is no doubt too late for many of the affected companies. 

It's unclear how Kaseya received the decryptor. The company has denied it paid the ransom REvil demanded 'either directly or indirectly through a third party'. Given the pressure President Biden has attempted to apply to Russia over ransomware attacks, it's enticing to speculate (as Lawrence Abrams did at Bleeping Computer) that the Russian government pressured REvil to take a break and hand over the decryption key. 

It is an enticing theory, but we don't think it's accurate. 

That said, even if Abrams' reporting is based on rumours he's picked up from sources in the Russian cyber criminal underground, that's still a win. Rumours the FSB is coming for ransomware crews is something we'd love to take root in that community. But the truth is we just don't know how the decryptor was obtained. 

In other 'good' news, it turns out that the Kaseya incident was overhyped as the 'biggest ransomware attack on record'. Although it has a customer base of around 35,000 organisations, with many of those being Managed Service Providers using Kaseya to manage customer environments, only a relatively small number of organisations were affected. 

It turns out that while the bug that allowed Kaseya's VSA software to be compromised was a doozy (a null password allowed authentication), the bypass also required a valid unique Kaseya agent identifier. It is not clear how these were obtained as they don't seem to have been brute forced, but the end result is that 'only' about 60 of Kaseya's clients were compromised. Phew.

Shorts

Israeli government swings by NSO HQ for a chat

The Israeli Ministry of Defense has opened an investigation into the activities of NSO group, visiting the company's offices in response to recent "Project Pegasus" media reporting. Some outlets described the visit as a "raid" in early reporting, but the visit was apparently coordinated in advance with NSO and did not involve the seizure of any materials or data.

Microsoft regains security idiot heavyweight title

Microsoft is having a horror run with serious bugs, with three disclosed over the past month and two in the last week. Last week it was the SeriousSAM bug. We learned the Security Account Manager and other sensitive OS configuration files had been readable to all Windows users (since 2018!), allowing anyone to copy them, steal password hashes and then potentially crack the passwords within. The second bug, revealed this week, PetitPotam, is an internal network attack that could force domain controllers to reveal password hashes or authentication certificates and also allow cracking. (Unauthenticated network access to domain admin! Yay! Such fun! Unless you're a customer!) These came hot on the heels of PrintNightmare, which allowed attackers to abuse the ability to install malicious print drivers to get SYSTEM privileges. 

The APTs are INSIDE YOUR HOUSE

The Chinese APT31 group, linked to the Chinese Ministry of State Security, has been using compromised home routers to launch attacks and for reconnaissance. These obfuscation techniques have been used by cyber criminals before and by the 'Inception Framework' APT from as early as 2014, but this sign of increasing operational security could indicate that Chinese cyber operators are trying to tighten things up a bit.

The Iranians are coming for your gas pumps, Americanskis

A cache of documents appear to show early stage Iranian research into potentially destructive cyber operations. They focus on civilian targets including cargo ship bilge pumps, fuel pumps at petrol stations, and satellite communication systems. The documents assess whether they can be remotely subverted for some destructive effect. They indicate a level of Iranian interest in particular technologies, but the information contained appears to be open source. 

Reaping what you sow can really suck

A spammer is flooding the forums of the Babuk ransomware group with, ahem, "graphic" GIFs after the group failed to pay a ransom demand. Babuk is the crew that tried to extort the DC Police. The forum was supposed to be their big pivot away from ransomware. Back to the drawing board for them!

This week's WTAF

The Republican-led Arizona Senate has issued a subpoena for Maricopa county routers to audit them for 2020 Presidential election irregularities. An election machine audit and manual sampling of votes have found no irregularities in voting, but perhaps these routers have Russian or Chinese hackers hiding in them. The truly hilarious part of all of this is Risky.Biz understands the routers are in active use. So, you know, that'll be fun.

All the birthday love...

The No More Ransom initiative has celebrated its fifth anniversary. No More Ransom is a public-private partnership started by the Dutch police, Europol, Kaspersky and McAfee and has free decryption tools for over 150 ransomware families.

You had one job

A vulnerability in IDEMIA biometric authentication solutions that would have allowed doors to be opened remotely has been fixed. IDEMIA's technology is used in airports, banks and data centers. We trust all those patches will be applied in a timely manner. Because that's how it always works in the IoT world.

Just sayin'

A former eBay security operations supervisor was sentenced to 18 months prison for cyber stalking a couple that wrote an e-commerce newsletter that executives thought had been  critical of the company. He was the first to be sentenced of the seven charged over this incident. If nothing else, it's a story that illustrates that you should be nice to your newsletter authors. Send fruit baskets, not bloodied pig masks, folks.