Your weekly dose of Seriously Risky Business news is written by Tom Uren, edited by Patrick Gray with help from Catalin Cimpanu. It's supported by the Cyber Initiative at the Hewlett Foundation and founding corporate sponsor Proofpoint.
The US and the UK governments have banned the use of certain Chinese technology products, but it is not clear policymakers have a clear end goal in mind.
In the US, the Federal Communications Commission (FCC) has banned Chinese telecommunications and video surveillance equipment from Huawei, ZTE, Hikvision and Dahua from sale in the United States. In the UK, the government banned Chinese surveillance camera manufacturers from installation at its "sensitive sites".
The UK government statement specifically mentioned the PRC's National Intelligence Law as the driver behind the ban. We don't think this is an overreaction. Article 7 of the law states:
All organisations and citizens shall support, assist, and cooperate with national intelligence efforts in accordance with law, and shall protect national intelligence work secrets they are aware of. The State protects individuals and organisations that support, assist, and cooperate with national intelligence efforts.
It's clear: if the PRC government asks, companies must help.
Experts we asked think the US and UK actions are justified and are the continuation of ongoing trends.
Jon Bateman, a Senior Fellow at the Carnegie Endowment for International Peace and author of a report on US-China technological decoupling, told Seriously Risky Business the UK ban was "very sensible". Sensitive government sites have the "highest need for technological security," he says, and the narrowness of the ban means that it has very limited second order consequences, such as effects on trade.
On the other side of the pond, Alexis Serfaty, a director at geopolitical risk advisory firm Eurasia Group, told Seriously Risky Business the US action was "very much a continuation of the US’s regulatory crackdown on China’s tech industry".
"The revocation of Chinese telecom companies’ licences shows an active whole of government effort on the part of the Biden administration to achieve the policy objectives of the Clean Network initiative launched under former President Trump," Serfaty says.
Both experts say US lawmakers had paved the way for the FCC ban by enacting legislation like the Secure Equipment Act. Bateman says "the major decision making already happened last year, when Congress passed and President Biden signed this act into law," so the recent move was "neither a surprise nor an act of independent judgement".
Bateman also thinks that the action will have "little direct, practical impact," as Huawei and ZTE equipment kit is not widely used in the US and there are already strong financial incentives to "rip and replace" the equipment.
Although these bans are incremental moves, Bateman says US-China technological decoupling is "one of the most important things happening in the world today," but "is poorly understood and not seriously debated".
So far, moves towards decoupling – the Huawei sanctions, camera bans etc – all feel like reactions to specific concerns, not a broad strategy. What are policymakers trying to achieve, what are the overarching principles that policymakers should be using to make decisions and how far should decoupling go?
FCC Commissioner Brendan Carr has, for example, called for DJI drones to be banned, going so far as to call it a "Huawei with wings". We understand a ban within the Department of Defense and even the government generally, but we don't know that national security concerns justify a broader ban. Those drones are great fun and also commercially useful, especially in the absence of a domestic or allied-country alternative.
Bateman's report into decoupling identifies nine different rationales or policy objectives for technology restrictions, ranging from "maintaining a military edge" to "obtaining general leverage over China". The report then proposes what the US should attempt to achieve for each of these nine policy objectives.
When it comes to Chinese espionage, for example, Bateman proposes the goal should be to deny China access to the personal data of US citizens that it can't already collect easily. On that basis, genetic data should be strongly protected, but geolocation data shouldn't because it's already available thanks to the US data ecosystem being awash with it. However, the report argues the whole data ecosystem should still be bolstered by passing national cybersecurity and data privacy laws.
It's worth reading.
But until a broader, coherent strategy on tech decoupling emerges we'll just have to get by with piecemeal bans and restrictions.
Geofence Warrants Are Okay, With Oversight
Geofence warrants were used by the FBI to identify thousands of potential suspects in the January 6 Capitol attack, but recent reporting on the process authorities used is actually quite reassuring.
Based on earlier reporting by independent national security journalist Marcy Wheeler on her Emptywheel blog, Wired took a look at some of the legal issues in what it calls the "biggest-ever haul of phones from controversial geofence warrants". In addition to the political significance of the Capitol attack, the geofence warrants in this case are particularly interesting because of the high number of suspect devices involved.
Geofence warrants, in general, have been criticised for being both overbroad and inaccurate. And let's admit it, there's an ick factor – it just feels creepy that people can be identified in bulk just based on their presence at a particular location.
They are imperfect. The EFF argues the accuracy limitations of location services and their opt-in nature means that "search results are both over and under inclusive". Warrants sometimes include people that weren't actually in a geofenced area because Google's location estimates aren't perfect, but also miss people that are in a location because it is an opt-in Google service.
Despite these concerns, this recent reporting on the geofence warrant processes followed by the FBI is reassuring. It spells out the steps taken to both include and exclude devices as being potentially associated with illegal activity during the riots.
As a first step, the FBI obtained device identifiers for all devices in or near the Capitol building during the four-and-a-half hour time period of the breach. This provided information on 5,723 unique devices. It turns out that Google had preserved relevant location data on January 6 and January 7, so this included information from nearly 70 devices from which the device owner had tried to delete their location history.
The FBI then excluded devices if they were present in the Capitol either before or after the riot, as these likely belonged to members of Congress, staffers or other authorised people. This left 5,518 unique devices.
To narrow down the field the FBI asked for further details on just two specific groups of users that were more likely to have actually committed a crime.
The first group is those that were likely within the Capitol building itself, not just within the broader geofence including the area surrounding the Capitol. Presumably, presence within the building is evidence of trespass.
The second group consisted of devices that users attempted to delete location history from in the week after the riot between 6 and 13 January and were also present within the larger geofence. In a court filing, a government agent asserted "based on my knowledge, training, and experience, I know that criminals will delete their Google accounts and/or their Google location data after they commit criminal acts to protect themselves from law enforcement". So, even though these devices weren't detected within the Capitol building, the deletion of location history itself was posited as evidence of likely criminality. This resulted in another 37 devices.
Wired writes that after this identification and selection process,
[T]he FBI received identifying details for 1,535 users, as well as detailed maps showing how their phones moved through the Capitol and its grounds. Geofence evidence has so far been cited in over 100 charging documents from January 6. In nearly 50 cases, geofence data seems to have provided the initial identification of suspected rioters.
Although this warrant caught up a large number of devices, there is a strong argument that in this situation a geofence warrant is justified. Most of the time, people at public locations are not committing crimes, so a warrant seeking information about devices near a bank robbery, for example, would likely mostly identify devices not associated with the robbery. In a Virginia bank robbery case where the use of a geofence warrant was challenged in court, only one of 19 devices where Google provided location data was associated with the robber.
In the case of the Capitol riot, however, it is not likely that many innocent bystanders were caught up in the warrant. As the Emptywheel blog notes, "everyone inside the Capitol was generally trespassing, a victim, a journalist, or a first responder".
We've examined these warrants before and ultimately decided they are "are a valuable investigative tool and should have oversight and limits applied to them rather than being banned". Wired's account doesn't change our mind at all — it shows that these warrants can be used in a targeted and sensible way.
Chinese Spam Operation Disrupts Protests
Widespread protests against Covid restrictions in China have, curiously, seen a surge of Twitter app downloads in the country as people seek alternatives to tightly censored domestic social media.
Even though access to Twitter is blocked by the Great Firewall, the app is still available in Apple's Chinese App Store, and its downloads ranked as high as 8th amongst free iOS apps in China in recent days. After downloading the app, however, users in China still need to get around the Great Firewall, which is being made more difficult as the government increasingly clamps down on unauthorised VPNs.
In addition to the Great Firewall, since Sunday there has been a flood of coordinated spam on Twitter which is making it extremely difficult to find new tweets about the ongoing protests. Per The Washington Times:
Numerous Chinese-language accounts, some dormant for months or years, came to life early Sunday and started spamming the service with links to escort services and other adult offerings alongside city names.
The result: For hours, anyone searching for posts from those cities and using the Chinese names for the locations would see pages and pages of useless tweets instead of information about the daring protests as they escalated to include calls for Communist Party leaders to resign.
We've written before about the security implications of severe staff cutbacks at Twitter. Its Trust and Safety team has been hit particularly hard. Speaking about the protest-related spam campaign, an anonymous former Twitter employee told The Washington Post "all the China influence operations and analysts at Twitter all resigned".
Three Reasons to be Cheerful this Week:
A thousand perps and 130 million dollars: INTERPOL announced a five-month long international operation had resulted in the arrest of nearly 1000 suspects and the seizure of USD$130m in virtual assets. The operation targeted "voice phishing, romance scams, sextortion, investment fraud and money laundering associated with illegal online gambling".
A million fewer spoofed calls each month: The servers and websites of iSpoof, a call and SMS spoofing service, have been seized and more than a hundred people arrested. (more on Risky Business News)
Australia passes a new privacy bill: The Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 drastically increases potential fines for companies that fail to safeguard user data. It grants the Office of the Australian Information Commissioner (OAIC) the ability to levy fines up to AUS$50 million, or 30% of the company's adjusted turnover, whichever is higher. (more on Risky Business News)
Sponsor Section
In Proofpoint's latest DISCARDED podcast Josh Miller and Sam Scholten discuss attackers' evolving TTPs, including using multi-persona impersonation (MPI), which involves using more than one persona on a single email thread to convince targets of the campaign's legitimacy.
Okta and Passwordless Authentication
Risky Business publishes sponsored product demos to YouTube. They're a great way for you to save the time and hassle of trying to actually get useful information out of security vendors. You can subscribe to our product demo page on YouTube here.
In our latest demo, Brett Winterford and Harish Chakravarthy demonstrate to host Patrick Grey how Okta can be used for passwordless authentication. These phishing resistant authentication flows — even if they are not rolled out to all users — can also be used as a high-quality signal of phishing attempts that can be used to trigger automated follow-on actions.
Shorts
China not the only Supply Chain Worry
Earlier this month, Pushwoosh, a purportedly US-based company that provides activity profiling software for apps turned out to be based in Russia. The firm's software was incorporated into thousands of apps, including mobile apps from both the US Army and Centers for Disease Control (CDC).
Even worse, this week Krebs on Security reported that one of Pushwoosh's developers was previously an author of the Pincer Trojan Android malware.
Trouble in Paradise
The government of the small Pacific island of Vanuatu is still struggling to overcome a ransomware attack that has crippled its IT network since early November. ABC News reports that government workers are using their personal email services and hotspots to conduct government business and that local hospitals are still limited to using pen and paper.
The Caribbean island of Guadeloupe, a French overseas region, was also hit by a computer attack on Monday last week, although it is not clear if it was a ransomware attack.
Medibank Data Published
The group behind the Medibank data extortion attack appears to have posted the entire data set it stole to the dark web and stated "Case closed". We've written about the Australian government's whole-of-government response to this breach and its subsequent decision to set up a standing operation to disrupt ransomware crews. At this stage we think it's too early to know what this means for the government's efforts.
Risky Biz Talks
In addition to a podcast version of this newsletter (last edition here), the Risky Biz News feed (RSS, iTunesor Spotify) also publishes interviews.
In our last "Between Two Nerds" discussion, Tom Uren and The Grugq have good news — ransomware has peaked and they examine why criminals will look for different sources of income. Of course, every silver lining has a cloud, and ransomware will be replaced by other types of cyber crime.
From Risky Biz News:
Hacking back: Security firm Buguard said it identified a vulnerability in the command and control (C&C) servers of the Mars Stealer malware. Buguard said the vulnerability can be used to tamper with Mars servers to delete data collected from infected users, terminate connections to infected systems, and even lock Mars operators out of their own servers by scrambling their admin passwords. The company told TechCrunch it neutralized five Mars Stealer servers so far and that the same vulnerability is also present in servers for the Erbium malware.
CYBERCOM hunt forward operations in Ukraine: US Cyber Command has published details for the first time on its "hunt forward" mission the agency conducted in Ukraine ahead and after Russia's invasion. Officials said the mission consisted of a joint team of Navy and Marine Corps operators, who worked together with local Ukrainian teams to hunt and detect malicious cyber activity on Ukrainian networks. CYBERCOM said the mission lasted from December 2021 to March 2022, and its operators were present in Ukraine when Russia began executing destructive cyber-attacks in mid-January. CYBERCOM described its Ukrainian mission as the "largest hunt forward team" the agency has deployed in the field so far.
EU Parliament DDoS attack: The EU Parliament said its servers were subject to a DDoS attack hours after they proclaimed the Russian government as a sponsor of terrorism. A pro-Kremlin hacktivist group took credit for the attack, according to Roberta Metsola, President of the EU Parliament. The agency's website resumed operations after two hours.