The niner noteworthy stories of 2017 (week 24)

These are the noteworthy stories, in no particular order, that piqued my interest this week.

Ransomware-as-a-service schemes are now targeting Macs too


macOS (Mac OS X or OS X) users have always, incorrectly, assumed their platform is more secure because there is simply not much malware or virus software available for it. This is incorrect because the difference is only down to economies of scale: as there are more Windows machines, the return on investment for writing malicious software is simply higher for Windows than for the fruity operating system.
Times are changing, however. As the Mac gains market share, the attention of threat actors will increase to target Macs as well as Windows systems.
One thing that would certainly help is if and when Apple starts realising this as well. Recent incidents, specifically the root-user vulnerability in macOS versions 10.13.0 and 10.13.1, don’t suggest that is happening at the moment.
Security-by-design and secure coding principles need to be embedded in all programming procedures, controls and testing programmes within large software vendors. Apple is pretty good at marketing itself on the security and privacy fronts, but marketing alone won’t cut it in the end if mistakes like the one I just described, and others like the recent security blunder on HomeKit devices, become more prevalent.
source: ZDNet (external link) and BBC News (external link)

Top university under ‘ransomware’ cyber-attack


Another day, another ransomware attack. What makes this one interesting is hidden in this specific sentence in the article: “University College London (UCL) is a “centre of excellence in cyber-security research”, a status awarded by the GCHQ intelligence and monitoring service.”
So yes, you can be a centre of excellence and still get busted because somebody clicked on something. Switching all drives to read-only was a smart move though, but I wonder if more network segregation might have saved even more.
The other question that pops up is who the initial point of infection was and how many rights that person had on his or her account to make it such a widespread attack. Okay, multiple factors can be at play here as well.
Anyway, the only defences against these types of attacks are: constant awareness training, least privilege access controls and monitoring of systems and drives for unexpected behaviour. Does your company already have these measures in place? If not, contact me to discuss your options.
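The "monitoring of drives for unexpected behaviour" point is the one that can be made concrete. The detector below is an added example, not code from the original post or from UCL: it sweeps a per-user sliding window over file-activity events and flags a user whose renames touch many files, spread across several directories, with the extension changed to one new suffix, which is what an encrypt-and-rename run on a shared drive looks like from the file server's point of view. The log format, thresholds and the sample lines are constructed for the illustration; a bulk photo rename confined to one folder is included to show why the directory-spread condition is there.

```python
"""Ransomware burst detector over file-activity events (added example).

Constructed log format, one event per line:
    ISO-TIMESTAMP USER ACTION PATH [-> NEWPATH]      ACTION is WRITE or RENAME
The format, thresholds and sample data are assumptions for this example.
"""
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta
from posixpath import dirname, splitext

WINDOW = timedelta(seconds=60)   # per-user observation window
MIN_FILES = 20                   # distinct files renamed within the window
MIN_DIRS = 3                     # spread over several directories (bulk renames in one folder are common)
MIN_EXT_CHANGE_RATIO = 0.8       # share of renames that changed the extension


def parse_line(line):
    """Split one constructed log line into its fields; WRITE events have old == new."""
    ts, user, action, rest = line.rstrip("\n").split(" ", 3)
    old, new = rest.split(" -> ", 1) if " -> " in rest else (rest, rest)
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "action": action, "old": old, "new": new}


def detect_bursts(lines):
    """Return one alert per user: (user, first_ts, files, dirs, dominant_new_ext)."""
    recent = defaultdict(deque)     # user -> events inside the window
    alerted, alerts = set(), []
    for ev in map(parse_line, lines):
        q = recent[ev["user"]]
        q.append(ev)
        while q and ev["ts"] - q[0]["ts"] > WINDOW:   # drop events older than WINDOW
            q.popleft()
        if ev["user"] in alerted:
            continue
        renames = [e for e in q if e["action"] == "RENAME"]
        files = {e["old"] for e in renames}
        if len(files) < MIN_FILES:
            continue
        dirs = {dirname(e["old"]) for e in renames}
        changed = [e for e in renames if splitext(e["old"])[1] != splitext(e["new"])[1]]
        if len(dirs) < MIN_DIRS or len(changed) / len(renames) < MIN_EXT_CHANGE_RATIO:
            continue
        ext = Counter(splitext(e["new"])[1] for e in changed).most_common(1)[0][0]
        alerts.append((ev["user"], q[0]["ts"], len(files), len(dirs), ext))
        alerted.add(ev["user"])
    return alerts


def _constructed_sample():
    """Constructed events: benign writes, a bulk photo rename in one folder, and an encryption-style burst."""
    base = datetime(2017, 6, 14, 12, 0, 0)
    lines = [f"{base.isoformat()} bob WRITE /share/finance/q2.xlsx",
             f"{(base + timedelta(seconds=5)).isoformat()} bob RENAME /share/finance/draft.docx -> /share/finance/final.docx"]
    for i in range(25):   # carol: many files, same extension change, but a single directory
        t = base + timedelta(seconds=i)
        lines.append(f"{t.isoformat()} carol RENAME /share/photos/img{i:03d}.jpeg -> /share/photos/img{i:03d}.jpg")
    dirs = ["/share/finance", "/share/hr", "/share/legal", "/share/research"]
    for i in range(24):   # alice: rename-to-.locked across four departments' folders
        t = base + timedelta(seconds=10 + i)
        d = dirs[i % len(dirs)]
        lines.append(f"{t.isoformat()} alice RENAME {d}/doc{i:02d}.docx -> {d}/doc{i:02d}.docx.locked")
    lines.sort()          # chronological order, as a collector would deliver them
    return lines


if __name__ == "__main__":
    for user, first_ts, files, dirs, ext in detect_bursts(_constructed_sample()):
        print(f"ALERT {user}: {files} files in {dirs} directories renamed to '{ext}' since {first_ts}")
```

Only alice trips the detector; carol's 25 renames stay in one directory and bob never reaches the file count. In a real deployment the alert would feed the response the article describes (pulling write access to the shares), and the thresholds would be tuned against the file server's normal activity rather than the guesses used here.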
source: BBC News (external link)

Found: “Crash Override” malware that triggered Ukrainian power outage


Whoever thought it was a great idea to connect industrial systems to the Internet is partially to blame for this. Yes, the industrial protocols used by this specific malware (four of them) were never designed with security in mind, but that holds for a lot of protocols we use daily on the Internet itself as well. The most notable example of this is the DNS (domain name service) protocol, of which a secured version does exist but is rarely used.
Interconnecting industrial systems needs to be based on a security model that takes the vulnerabilities of the default industrial communication protocols into account. The best way is to design the security perimeters around, instead of on, these networks themselves. This will make some communication channels harder to maintain, but I would rather have that than failed systems with potentially massive impact.
source: Ars Technica (external link)

Russia struck at election systems and data of 39 US states


Governments and IT security don’t seem to go hand in hand. Not only in Europe or the Netherlands specifically, but in the USA as well. This is an ongoing story and we may never know the entire truth of the matter.
What I do know is that if Russian hackers were involved, it is quite unbelievable that the government did not know about it, as they themselves claim.
source: Ars Technica (external link)

‘How foul-mouthed hackers messed up my life’


Let this story be an example to everyone who reads this article and the related link. Yes, you could be the next victim as well. And if not, do share this with your friends and family.
Oh yes, and don’t forget: not all IoT devices are built with skills matching the security and privacy risks associated with their functionality. Not even those of high-end brands, in some cases.
Do you trust a manufacturer of a refrigerator to also understand how to write secure software? Well, as a rule of thumb, I don’t.
source: BBC News (external link)

Identity theft can be thwarted by artificial intelligence analysis of a user’s mouse movements


Whilst this is interesting research, unexpected questions also require that the answers are straightforward to the people that need to answer them when they come across them. This statement looks pretty trivial, but it hides something else, which simply put is: this will only work if the organisation deploying such a system has enough additional personal data and profiling information about you to come up with the unexpected, easily answerable questions in the first place.
If we analyse this further, we quickly find that it would be difficult to fit this within the current and upcoming data protection regimes in Europe. The only legal basis may be the legitimate interest of the data controller, which throws up another set of possible pitfalls.
And to cap this off completely, how would this work if you don’t use a mouse to browse the Internet? Yes, that’s certainly possible; I do so myself on a daily basis. It is also a possible way around the detection system.
source: Quartz (external link)

Trump Puts U.S.-EU Privacy Shield At Risk


I believe that the background music this article talks about has only become louder over the last six months. Besides all that, and the exemptions made in the framework that go against European data protection foundations anyway, to some degree those “shared values” don’t really hold for the data protection (privacy) way of thinking.
Europe has a longstanding view that data protection is a fundamental human right, signified in the European Charter of Human Rights (ECHR) article 8. This is as opposed to the American view that treats privacy (effectively data protection) as a consumer right, which is handled differently per sector. Connect that to the massive amount of bulk surveillance the American agencies undertake, as well as laws like the Foreign Intelligence Surveillance Act (FISA), and you may get an idea of how shared those values really are.
There is one other thing that in 2018 may actually make this entire framework obsolete: the GDPR has an extra-territorial scope. Effectively this means that all American companies doing business in Europe need to become GDPR compliant before May 25th 2018. This fact alone may undermine the Privacy Shield requirements in the private sector. What remains is the parts on surveillance and bulk data collection, on which I simply don’t believe the American agencies will ever adhere to any limitations.
source: Lawfare (external link)

NGO to Israeli High Court: Block state from public biometric campaign


A couple of years ago a similar project in the Netherlands was halted and no central storage of fingerprint data was set up. As a side-effect of that, fingerprints are only collected and used for passports, not for the EU identity card you can get as well.
The Israeli system is not only collecting fingerprints but, if you read between the lines of this article, it seems to be collecting facial recognition data as well.
The reason for this is kind of interesting: because the government cannot design an identity document that is nearly foolproof, the citizens have to prove with their biometric data that they are the legitimate owner of that card. Provided that the current card and chip system holding that data can’t be compromised either.
Besides the false positives and negatives there is also one other potentially larger issue with using these vast amounts of biometric data, specifically if they are stored centrally like in this case. One successful targeted attack and the entire country, at least those citizens who opted in, loses the ability to use their fingerprints for anything during the entire remainder of their lives.
source: Jerusalem Post (external link)

German minister calls for expanded use of face recognition software


The fact that there are calls for facial recognition software as well as backdoors in end-to-end encryption is not new; what is new, and maybe worrying, is that this time these calls are coming from the German government.
Germany, at least since the Second World War, has been known for very strict privacy legislation. So much so that if the German members of the EU parliament had had their way, the upcoming General Data Protection Regulation would have been modelled even more on the German privacy model than it already is in its current form.
There is one additional thing the German interior minister apparently doesn’t understand or doesn’t want to understand: end-to-end encryption systems that are fully secure for their users and at the same time have the ability to read messages, just like with SMS, simply do not exist. The only way to do this is either to weaken the encryption used, which completely negates the end-to-end encryption system, or to encrypt all messages with a second key which allows access to law enforcement upon request (effectively a backdoor into the system), weakening the system from that end.
The last interesting bit is in the first sentence: “if the software works dependably”, whatever that may mean. Yes, there is indeed a measure for that, called false positives or false negatives, which come together in the so-called crossover error rate.
Adding to this that biometrics will become a special category under the GDPR (article 9.1), usage of these kinds of systems will have to rely heavily on the exemptions allowed in article 23.1 under the conditions specified in article 23.2 of the GDPR.
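The false positives and negatives mentioned for the Israeli database above and the crossover error rate mentioned here are the same trade-off, and it is worth seeing how the number is actually produced. The code below is an added example, not from the original post or from either government's system: it takes constructed genuine and impostor match scores, sweeps the accept threshold, computes the false accept rate (FAR) and false reject rate (FRR) at each step, and reports the crossover point where the two curves meet. A second function shows the flip side of "working dependably": forcing FAR down to a policy maximum and reading off the FRR that honest citizens then pay.

```python
"""Crossover (equal) error rate from biometric match scores (added example).

Score lists are constructed for the illustration; higher score = stronger
claimed match, and a comparison is accepted when score >= threshold.
    FAR = impostor comparisons accepted / impostor comparisons
    FRR = genuine comparisons rejected / genuine comparisons
The crossover error rate is the operating point where FAR == FRR.
"""

# Constructed sample scores: ten genuine (same-person) and ten impostor comparisons.
GENUINE = [0.92, 0.88, 0.95, 0.81, 0.77, 0.90, 0.85, 0.69, 0.93, 0.83]
IMPOSTOR = [0.12, 0.35, 0.41, 0.22, 0.58, 0.30, 0.71, 0.45, 0.27, 0.66]


def far_frr(genuine, impostor, threshold):
    """False accept and false reject rates at one accept threshold."""
    far = sum(1 for s in impostor if s >= threshold) / len(impostor)
    frr = sum(1 for s in genuine if s < threshold) / len(genuine)
    return far, frr


def crossover_error_rate(genuine, impostor):
    """Sweep every observed score as a threshold; return (threshold, far, frr, eer)
    at the point where |FAR - FRR| is smallest, eer being their mean there."""
    best = None
    for t in sorted(set(genuine) | set(impostor)):
        far, frr = far_frr(genuine, impostor, t)
        gap = abs(far - frr)
        if best is None or gap < best[0]:
            best = (gap, t, far, frr)
    _, t, far, frr = best
    return t, far, frr, (far + frr) / 2


def threshold_for_max_far(genuine, impostor, max_far):
    """Lowest threshold whose FAR does not exceed max_far, with the FRR it costs.
    Tightening FAR (fewer impostors accepted) raises FRR (more legitimate holders rejected)."""
    for t in sorted(set(genuine) | set(impostor)):
        far, frr = far_frr(genuine, impostor, t)
        if far <= max_far:
            return t, far, frr
    return None   # no threshold meets the policy with these scores


if __name__ == "__main__":
    t, far, frr, eer = crossover_error_rate(GENUINE, IMPOSTOR)
    print(f"crossover at threshold {t}: FAR={far:.2f} FRR={frr:.2f} EER={eer:.2f}")
    t, far, frr = threshold_for_max_far(GENUINE, IMPOSTOR, 0.0)
    print(f"FAR forced to 0: threshold {t}, FRR rises to {frr:.2f}")
```

With the constructed scores the curves cross at a threshold of 0.71 with 10% on both sides; pushing FAR to zero moves the threshold to 0.77 and still rejects 10% of genuine comparisons, which is the sort of figure a minister's "works dependably" would have to be measured against, at national scale.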
source: Deutsche Presse-Agentur GmbH (external link)