Cyberweekly #148 - Reading for fun and profit
Published on Monday, May 10, 2021
It's a short newsletter this week because I've pulled together some absolutely amazing long reads for you, as well as a couple of typical news features.
Whether it's getting to understand North Korean use of cybercrime as a funding mechanism, or the US's decision making processes for classified operations, I love to read good well written articles that help me understand the subjects better.
Half the reason that I write this newsletter is that it drives me to continue to try to stay on top of the amazing content that is out there, and to read it, and think about it enough to select something to quote and write something intelligible about it. That act of sifting (I read something like 5-8 news articles in my RSS reader for every one that I feature), and then reading with an eye to work out "What's my take on this, what does it tell me" keeps me alert to both the good and the bad in those articles.
Keeping abreast of this industry requires more than simply consuming all the things written by others. It also requires constantly asking yourself "so what" and "how does this affect me?". In reality, the 3 long form pieces that I've selected this week probably won't affect most of you. They won't cause you to change your plans, the way you work or the things you worry about, but that doesn't make them any less enjoyable or interesting to read.
On the morning of May 1, 2011, most Americans had never heard of Abbottabad. By that night, the dusty midsize city near the mountains of northwest Pakistan was the center of the biggest story in the world. A team of U.S. Navy SEALs had just descended by helicopter on a high-walled mansion there in the dark of night, located the globe’s most hunted man and killed him.
The effort to track and execute Osama bin Laden, which took place 10 years ago this weekend, was the most closely held operational secret in modern American history—a highly sensitive, politically fraught and physically risky mission that involved breaching the sovereign territory of a purported U.S. ally to target an icon of international violence and terror.
This is a riveting read, giving great insight into the process and people who got the US into position to carry out the raid, and also the political behind the scenes of how the interplay between the politicians, the intelligence and the military organisations required decision making that empowered teams to make their decisions while ensuring the most strategic decisions needed.
A great example of leadership, management and organisational processes working exactly the way they are supposed to.
Moriuchi also noted that, although the North Korean hackers were technically accomplished, their more important attribute was a felonious savoir-faire. In the Bangladesh Bank case, the robbers waited seventeen months after their first reconnaissance in Dhaka before they pulled off the heist. They had determined the ideal weekend and holiday to strike; they had planned how to move cash quickly out of recipient banks; and they had chosen institutions that had particularly lax know-your-customer protocols. Once they executed the theft, they used local contractors in the Philippines to launder their pesos, effectively hiding the money trail. Their success was predicated on knowing not only how computers work but how people do. “They’re smart,” Moriuchi told me. “It’s this connection of the virtual world and the physical that’s so impressive.”
Thanks to Nat and David who independently sent me this.
Fascinating long read into the cyber security offensives programmes in DPRK. It's easy, especially with the Sony hack after the release of "The Dictator" to assume that North Korean hackers don't need to be taken seriously, because they don't pose as big a threat as other major cyber powers. But as this article shows, the level of investment in smart people that North Korea can carry out, as well as the financial motivations make them one of the more worrying ones for commercial firms.
For years, Chinese hackers were the most dominant forces at events like Pwn2Own, earning millions of dollars in prizes and establishing themselves among the elite. But in 2017, that all stopped.
In an unexpected statement, the billionaire founder and CEO of the Chinese cybersecurity giant Qihoo 360—one of the most important technology firms in China—publicly criticized Chinese citizens who went overseas to take part in hacking competitions. In an interview with the Chinese news site Sina, Zhou Hongyi said that performing well in such events represented merely an “imaginary” success. Zhou warned that once Chinese hackers show off vulnerabilities at overseas competitions, they can “no longer be used.” Instead, he argued, the hackers and their knowledge should “stay in China” so that they could recognize the true importance and “strategic value” of the software vulnerabilities.
Tianfu’s links to Uyghur surveillance and genocide show that getting early access to bugs can be a powerful weapon. In fact, the “reckless” hacking spree that Chinese groups launched against Microsoft Exchange in early 2021 bears some striking similarities.
In that case, a Taiwanese researcher uncovered the security flaws and passed them to Microsoft, which then privately shared them with security partners. But before a fix could be released, Chinese hacking groups started exploiting the flaw all around the world. Microsoft, which was forced to rush out a fix two weeks earlier than planned, is investigating the potential that the bug was leaked.
These bugs are incredibly valuable, not just in financial terms, but in their capacity to create an open window for espionage and oppression.
Security research that discloses the results to the vendor gives states with the appropriate insight a window in which to conduct attacks. At the point where a vulnerability is discovered during Pwn2Own or Tianfu, it is a 0-day vulnerability, but of course it remains on day-0 until the vendor can issue a patch, and even then it requires companies or individuals to apply that patch.
Human error can happen in any organization; the reason the mistake was able to progress to a fully-fledged attack was because the institute didn’t have the protection in place to contain the error. At the heart of this was its approach to letting people outside the organization access the network. Students working with the institute use their personal computers to access the institute’s network. They can connect into the network via remote Citrix sessions without the need for two factor-authentication.
The institute was exposed the moment one of these external university students apparently decided they wanted a personal copy of a data visualization software tool they were already using for work. A single user license was likely to cost them hundreds of dollars a year, so they posted a question on an online research forum asking if anyone knew of a free alternative (the Rapid Response team know this because the student handed over their laptop for analysis once the full extent of the incident became clear).
When the student couldn’t find a suitable free version, they searched for a “Crack” version instead. They found what appeared to be one and tried to install it. However, the file was in fact pure malware and the installation attempt immediately triggered a security alert from Windows Defender. The user disabled Windows Defender – and at the same time appears have also disabled their firewall – and tried again. This time it worked.
However, instead of a cracked copy of the visualization tool they were after, the student got a malicious info-stealer that, once installed, began logging keystrokes, stealing browser, cookies and clipboard data and more. Somewhere along the way it apparently also found the student’s access credentials for the institute’s network.
Thirteen days later a remote desktop protocol (RDP) connection was registered on the institute’s network using the student’s credentials.
I think Human Error is a bit strong in this report. Users will be users, and will do whatever they want with their personal computers.
In this case, I'd say the issue is the lack of second factor authentication for the RDP connection, and the ability of the attacker to run arbitrary code on the RDP once they had stolen the credentials.
However, Facebook’s own tools have the potential to divulge what is otherwise unseen. It’s already possible to catch fragments of these truths in the ads you’re shown; they are glimmers that reflect the world of a surveilling stranger who knows you. We wanted to use those same tools to directly highlight how most technology works. We wanted to buy some Instagram ads.
Access denied We created a multi-variant targeted ad designed to show you the personal data that Facebook collects about you and sells access to. The ad would simply display some of the information collected about the viewer which the advertising platform uses. Facebook was not into that idea.
Signal is on a roll at the moment with sticking it's fingers up at established companies and processes. In this case attempting to buy highly specific adverts that explain why they are being shown to you.
If you've never tried to buy an ad on Google Ads or Facebook Ads, I recommend you give it a try to see how their targeting systems work.
We recently audited central parts of the Exim mail server (https://en.wikipedia.org/wiki/Exim) and discovered 21 vulnerabilities (from CVE-2020-28007 to CVE-2020-28026, plus CVE-2021-27216): 11 local vulnerabilities, and 10 remote vulnerabilities. Unless otherwise noted, all versions of Exim are affected since at least the beginning of its Git history, in 2004.
We have not tried to exploit all of these vulnerabilities, but we successfully exploited 4 LPEs (Local Privilege Escalations) and 3 RCEs (Remote Code Executions)
Exim is a remarkably popular mail transfer agent. That's to say, it doesn't handle users mailboxes like Exchange does, it's job is to route mail around the internet and to local mailservers.
This is a lot of vulnerabilities, many of which are very serious, so you should be applying patches ASAP.
Cyber security and offensive cyber are very different activities. One is about making our own computer networks safe. The other is about exploiting weaknesses in others to support military operations, or counter terrorism and serious crime. These are important activities, but they don’t do much to make our digital homeland safer apart from the occasional specific operation against cyber criminals (offensive cyber has proved strikingly ineffective as a deterrent against cyber activity from hostile states). In the US, a debate has raged for years concerning whether a heavy focus on ‘offence’ has actually harmed American cyber security.
So the problem to which this ‘whole of cyber’ approach is the answer is far from obvious, whereas the risks of it are. But the decision is taken. So here are six ‘security checks’ by which we will be able to assess, when it comes out, whether the framework still works for Britain’s cyber security.
An interesting think piece from Ciaran Martin, really asking whether the new National Cyber Security Strategy will focus on cybersecurity, defence and the economically valuable use of the internet, or whether it will simply focus on the same old militarised angles, claiming that cyber is the new battlefield on which international wars are fought.
At team at AV reviews site SafetyDetectives found the China-based Elasticsearch server exposed online without any password protection or encryption.
The 7GB trove contained over 13 million records including the email addresses and WhatsApp/Telegram phone numbers of vendor contacts, plus email addresses, surnames, PayPal account details and Amazon account profiles of reviewers.
According to SafetyDetectives, fake review scams typically begin with vendors sending their reviewer contacts a list of products for which they would like a five-star review.
After leaving the review and sending the vendor a link, the reviewer will be paid via PayPal to compensate them for the product purchase and will be allowed to keep the product itself as payment. The reviews site claimed that the leak implicated around 200,000 individuals in such schemes.
In case you didn't realise just how coordinated the scam reviews systems are, this is a sense of the scale and coordination of just a single operator (who naturally left their elasticsearch database unsecured!)