Cyberweekly #105 - Taking time

Sent on 2020-06-07

These past few months have been hectic and difficult for all of us. From lockdowns and pandemic to protests and #blacklivesmatter, this is a tough time for people who are concerned about themselves, their family and their friends.

This week there's a selection of articles that I've come across or, in some cases, that have been sitting around in my queue for a while. There's not as much analysis as you might normally get as I'm feeling personally overloaded with the news, and I'm sure like many of you, tired of dealing with most of the world. It's distracted me from reading my normal news feeds and from spending as much time exploring and analyzing all of this as I normally would.

I'm going to take most of June off from the deeper analysis that I've been doing for Cyberweekly. I'll still aim to send out a newsletter each weekend, but I'm going to scale it back. I'm going to trim it down to just a collection of news each week with little or no analysis in each case. Feel free to continue to send me links and comments via twitter or email. I'm still here, I'm just focusing this month and trying to take some time to recharge. Normal service will resume from July onwards hopefully.

Take the time to take care of yourselves, and make sure to check in with your friends, family and coworkers.

German intelligence agencies warn of Russian hacking threats to critical infrastructure
https://www.cyberscoop.com/german-intelligence-memo-berserk-bear-critical-infrastructure/

The hacking group — dubbed Berserk Bear and suspected by some industry analysts of operating on behalf of Russia’s FSB intelligence agency — has been using the supply chain to access the German companies’ IT systems, said the alert from the BSI, BND, and BfV federal agencies.

“The attackers’ goal is to use publicly available but also specially written malware to permanently anchor themselves in the IT network…steal information or even gain access to productive systems [OT networks],” the advisory said. There was no evidence of a disruptive attack on any company’s industrial networks, German authorities said.

The interesting question here is what the purpose of this sort of intrusion is. Berserk Bear isn't a destructive attacker, and it is not a terribly noisy actor. It could be prepositioning, attempting to have forces in position in case they are needed, or it could be entirely exploratory, how far can we get without being noticed, and what information can we store for later.

If we map this to military based activities, this could be a combination of scouting and understanding the terrain as well as seeking to maintain the higher ground, ready for any increase in hostilities.

Google says Iranian, Chinese hackers targeted Trump, Biden campaigns | TechCrunch
https://techcrunch.com/2020/06/04/google-china-iran-trump-biden/

When reached by TechCrunch, a Google spokesperson reiterated the findings:

“We can confirm that our Threat Analysis Group recently saw phishing attempts from a Chinese group targeting the personal email accounts of Biden campaign staff and an Iranian group targeting the personal email accounts of Trump campaign staff. We didn’t see evidence that these attempts were successful. We sent the targeted users our standard government-backed attack warning and we referred this information to federal law enforcement. We encourage campaign staff to use extra protection for their work and personal emails, and we offer security resources such as our Advanced Protection Program and free security keys for qualifying campaigns.”

Your reminder that your mail account is probably the root of trust for most of your life. Ensure that you are protecting it with 2FA at least.

Game Security – NCC Group Research
https://research.nccgroup.com/2020/05/29/game-security/

Another aspect of game design which can reduce cheating is to increase the cost for the cheater. This can be done in several ways. The first is to increase the cost of the game. As cheaters get accounts banned, they need to buy new accounts in order to play again. The higher this cost, the less likely they are to be repeat offenders.

Similarly, cheaters can be discouraged by increasing the time commitment required when starting a new account. This can be done through tutorials, or trials which the player must complete before they can go online and play against other players.

A third method is to increase the value of an account. This method uses reputation or collections so that a player might perceive their account to have added value, thus discouraging them from cheating and potentially losing that account.

A fun article looking at cheaters in online games.

I like that there's a good set of "solutions" here that don't involve technical changes at all. They rely on detection and deterrence. Make it more expensive to cheat than your competitors' games and the cheaters will go there, leaving you with a better community on your game.

Reimagining the technology operating model | Deloitte Insights
https://www2.deloitte.com/us/en/insights/focus/cio-insider-business-insights/reimagining-the-technology-operating-model.html?id=us:2em:3pa:innovation:eng:di:060120

A borderless technology mode effectively eliminates the boundaries between technology and business functions. Dedicated groups of business and technology talent with the necessary skill sets focus on creating, enhancing, and delivering value; they leverage automation and create continuous and integrated delivery of product updates.

The borderless mode is not suitable for products and services traditionally supported by the technology function. Products such as collaboration tools and ERP systems that are used across the enterprise may benefit from centralized maintenance, management, and operations and economies of scale—and will likely continue to be managed and delivered by a core central technology function.

However, the borderless mode may be appropriate for delivering capabilities where the technology function is cocreating value and driving experimentation and innovation or where time to market is a key driver.

I'm not normally a fan of the Big 4 and their grip on modern organisation design, but this is a reasonable assessment of the organisation design issues that have been facing modern companies for the last decade.

Continuing to build silo'd organisations that treat IT as a cost center that keeps the phones going cannot help deliver organisational change. You need to be able to adapt and change and respond to change, because business landscapes change so much at the moment.

This article correctly addresses, however, that there is no golden bullet organisational design. The traditional IT process is needed in some areas, and flexible adaptable IT in other areas. Some things should be centralised and delivered at low cost equally to the entire organisation, and for those we have good existing patterns for delivery. It's the rest of these that we struggle with.

Best practices for monitoring GCP audit logs | Datadog
https://www.datadoghq.com/blog/monitoring-gcp-audit-logs/

Cloud IAM policies are complex and can grant users and service accounts access to resources at every level of your environment’s hierarchy. Monitoring audit logs provides a better understanding of who is accessing a resource, how they are doing it, and whether or not the access was permitted.

Some common scenarios that lead to your GCP account being compromised include:

- publicly accessible GCP resources, such as storage buckets or compute instances
- misconfigured IAM permissions
- mishandled GCP credentials

A good review of sets of audit logs you should be turning on in your GCP accounts and monitoring. There's a good list further down of specific log entries that are probably things that your security audit team should be aware of, such as account creation, buckets created that are world visible and so on.
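As an added illustration (not code from the Datadog article or from this newsletter), here is one way to flag the two kinds of entry mentioned above in exported audit logs: account creation and a bucket being made world visible. The field names follow the Cloud Audit Logs JSON layout as I understand it, mapping "account creation" to service-account methods is an assumption, and the sample entries are constructed.

```python
import json

PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}
# Assumption: "account creation" is mapped to these service-account methods.
ACCOUNT_METHODS = {
    "google.iam.admin.v1.CreateServiceAccount",
    "google.iam.admin.v1.CreateServiceAccountKey",
}

# Constructed sample entries, one JSON object per line, trimmed to the
# fields this example reads. They are not real logs.
SAMPLE_LOG_LINES = [
    '{"protoPayload": {"methodName": "storage.setIamPermissions",'
    ' "authenticationInfo": {"principalEmail": "dev@example.com"},'
    ' "resourceName": "projects/_/buckets/example-reports",'
    ' "serviceData": {"policyDelta": {"bindingDeltas": [{"action": "ADD",'
    ' "role": "roles/storage.objectViewer", "member": "allUsers"}]}}}}',
    '{"protoPayload": {"methodName": "google.iam.admin.v1.CreateServiceAccount",'
    ' "authenticationInfo": {"principalEmail": "admin@example.com"},'
    ' "resourceName": "projects/example-project"}}',
    '{"protoPayload": {"methodName": "storage.setIamPermissions",'
    ' "authenticationInfo": {"principalEmail": "dev@example.com"},'
    ' "resourceName": "projects/_/buckets/example-reports",'
    ' "serviceData": {"policyDelta": {"bindingDeltas": [{"action": "REMOVE",'
    ' "role": "roles/storage.objectViewer", "member": "allUsers"}]}}}}',
    'truncated line that is not JSON',
]


def findings(lines):
    """Return (kind, principal, resource, detail) tuples worth a reviewer's attention."""
    out = []
    for raw in lines:
        try:
            payload = json.loads(raw).get("protoPayload") or {}
        except (json.JSONDecodeError, AttributeError):
            continue  # skip lines that are not a JSON object
        method = payload.get("methodName", "")
        who = (payload.get("authenticationInfo") or {}).get("principalEmail", "unknown")
        resource = payload.get("resourceName", "")
        if method in ACCOUNT_METHODS:
            out.append(("account-change", who, resource, method))
        delta = (payload.get("serviceData") or {}).get("policyDelta") or {}
        for change in delta.get("bindingDeltas", []):
            # Only a binding being added for a public member widens exposure.
            if change.get("action") == "ADD" and change.get("member") in PUBLIC_MEMBERS:
                out.append(("public-grant", who, resource, change.get("role")))
    return out
```

Calling `findings(SAMPLE_LOG_LINES)` reports the public grant and the service-account creation, and ignores both the entry that removes public access and the malformed line.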

bellingcat - Military And Intelligence Personnel Can Be Tracked With The Untappd Beer App - bellingcat
https://www.bellingcat.com/news/2020/05/18/military-and-intelligence-personnel-can-be-tracked-with-the-untappd-beer-app/

Examples of users that can be tracked this way include a U.S. drone pilot, along with a list of both domestic and overseas military bases he has visited, a naval officer, who checked in at the beach next to Guantanamo’s bay detention center as well as several times at the Pentagon, and a senior intelligence officer with over seven thousand check-ins, domestic and abroad. Senior officials at the U.S. Department of Defense and the U.S. Air Force are included as well. 

Cross-referencing these check-ins with other social media makes it easy to find these individuals’ homes. Their profiles and the pictures they post also reveal family, friends, and colleagues. 

For reasons explained further below, it is difficult to assess the total number of individuals that can be traced this way. Yet sensitive locations such as military bases can easily have hundreds of unique visitors, and beyond Europe, North America, and the Middle East, military users can be found at locations as varied as Greenland, Niger, and South Korea.

This is not really specific to Untappd. This is the same story as the previous releases around Strava, Foursquare and many other applications.

In this case, the deliberate release of information, something that requires user action like Untappd, feels like less of a risk than applications that gather and publish the information in a manner that is unwitting to the participant (such as Strava).

Untappd enables a private account mode, so you can simply track for personal pleasure or share with only your friends quite easily.

ShinyHunters Is a Hacking Group on a Data Breach Spree | WIRED
https://www.wired.com/story/shinyhunters-hacking-group-data-breach-spree/

Zack Allen, director of threat intelligence at the security firm ZeroFox, says that ShinyHunters' strategy of building hype on different forums and ginning up press attention is an increasingly common approach for such data thieves. For example, ShinyHunters dubbed the early May disclosures "Stage 1" and indicated that more was to come. The public relations push and staggered release are reminiscent of methods used by the incredibly prolific data dumpers known as GnosticPlayers, who started selling almost a billion stolen records from numerous companies in a short period of time last year. ShinyHunters also promoted its stolen data using a few personas on open, highly trafficked platforms like Raid Forums in addition to more elite dark web marketplaces like Empire.

"It definitely does not happen every day that a new actor like this shows up," ZeroFox's Allen says. "But I think a lot of cybercrime is going to start going public even more just because it’s really good hype."

Allen points out, though, that based on visible cryptocurrency payments it doesn't look like ShinyHunters has so far been wildly successful at selling its data, amassing tens of thousands of dollars, but nothing like the hundreds of thousands other groups have made. And he says that the pricing schemes for the troves seem amateurish, with some data overvalued and some undervalued

Selling stolen data is a tricky business. It's hard for groups who can hack into websites to also have the commercial nous to operate in a market. As groups gain expertise they begin to learn how to navigate such markets, and get to be known as sellers and invited to even more elite areas.

Of course, the dark markets are filled with law enforcement, intelligence officers, threat intelligence markets and of course, criminals, so selling data and getting paid is always trickier than it looks.
