Stories from the Wild #4
Welcome to the fourth edition of our Talking Tech series, Stories from the Wild, bringing you the latest stories in information security and cybersecurity.
This edition of Stories from the Wild commemorates the birthday of Hedy Lamarr, who was born on 9 November 1914.
Hedy would find fame in the heyday of Hollywood's Golden Age, starring in films such as Algiers (1938), Boom Town (1940), and Samson and Delilah (1950). Beyond the screen, sayings attributed to Hedy abound, including the following prescient warning: "the world isn't getting any easier. With all these new inventions I believe that people are hurried more and pushed more... The hurried way is not the right way; you need time for everything - time to work, time to play, time to rest."
But Hedy would also find time to indulge hobbies and ideas, born out of an interest in technology that her father had cultivated. In 1940, at the height of World War II, Hedy and the composer George Antheil raised the idea that a signal that "hopped" between frequencies might prevent guidance systems for a torpedo from being tracked or jammed. The result was US Patent 2,292,387, granted on 11 August 1942, for a "Secret Communication System".
Although the technology was not picked up by the US military at the time, frequency-hopping spread-spectrum radio technology (FHSS) would eventually become one of the foundational technologies of the modern era. That's right, Bluetooth and Wi-Fi both rely on FHSS to be resistant to interference and interception. FHSS was so far ahead of its time that, by the time it saw wide use, the 1942 patent had long since expired.
In 1997, Hedy and George would be honoured with an Electronic Frontier Foundation Pioneer Award. Hedy passed away in 2000, her ashes spread in the Vienna Woods at the foothills of the Alps. Her star, from 1960, remains on the Hollywood Walk of Fame.
This sceptred isle, this seat of Mars
UK politics has had an interesting time of late. However, some aspects of governance continue, and two consultations caught our eye recently.
The first, a Home Office consultation on unauthorised access to online accounts and personal data, ran from 1 September to 27 October 2022.
Ostensibly intended to "explor[e] ways to reduce the burden of responsibility on individuals for cyber security and make large-volume reductions in cyber crime and associated offences", it is hard to see how this aim can be achieved in the current political climate, amidst a raft of other potential changes in the broader area, from the pending Online Safety Bill to the Data Protection and Digital Information Bill.
More intriguingly, yours truly attended a talking session where a representative from the Home Office indicated that the intention was not to amend the Computer Misuse Act 1990 (CMA 1990). Given the wording of the consultation ("unauthorised access") and the fact that the call for information starts with a reference to the CMA 1990, it's not entirely obvious what the Home Office intends to happen here. Those of you familiar with the CMA 1990 will recall that section 1 criminalises intentional, unauthorised access to any program or data held in a computer, together with a range of other offences in sections 2 and 3.
The CMA 1990 was landmark legislation for its time, an era when computers were not yet so ubiquitous as they are today, nor crucially were they interconnected to the extent of today (think War Games-style modems). The breadth of drafting of the CMA 1990 has come under scrutiny, most recently discussed in the 2020 report of the Criminal Law Reform Now Network on the CMA 1990, which found that it was "crying out for reform". We will have to wait and see, then, what the Home Office intended here.
The second, a Parliamentary consultation on ransomware, by the Joint Committee on the National Security Strategy, is currently running until Friday 16 December 2022. The Committee is formed of a number of influential Parliamentarians: Lord Dannatt (former Chief of General Staff, i.e., head of the Army), Baroness Neville-Jones (former Chairman of the Joint Intelligence Committee and member of the National Security Council), and Tom Tugendhat (Minister of State for Security), amongst others.
Evidence sought includes:
- The extent and nature of the ransomware threat (including sources), modes of extortion, and how the threat could evolve in future;
- Levels and sources of vulnerability of UK organisations to ransomware, including operators of critical national infrastructure;
- The UK victim experience, including sources of support for prevention, detection and recovery, public-private partnerships, the role of the media, access to and availability of insurance cover, and regulatory requirements placed on ransomware victims;
- The effectiveness of the response to ransomware by Government, law enforcement agencies and other UK state actors, including key operational challenges and ministerial oversight;
- Reforms that might enhance the UK's resilience to ransomware, reduce the economic and societal damage that it causes, and/or support the law enforcement response;
- The scope for international cooperation to combat the global ransomware threat more effectively, including on crypto-currency regulation; and
- Lessons that could be learned from other countries' approaches and responses to ransomware.
This is a timely consultation, in view of the ever-increasing impact of ransomware (see our last edition for IBM's review of costs). With the world moving into a more volatile macro environment, geopolitics and ransomware have become common bedfellows, seen in the trends identified by ENISA, and in industry.
It's been a rough month Down Under. Following a series of major cyber-attacks, only a lucky minority will have escaped getting caught up in the mayhem.
Of these, a health insurance incident has dominated headlines over the past two weeks. The target ultimately decided not to pay the ransom demanded on the basis that "making any payment would increase the risk of extortion for [its] customers, and put more Australians at risk". The Home Affairs Minister quickly endorsed this decision, which she described as being in line with Government guidelines, and went on to confirm that the Government is examining whether new laws are needed to stop the payment of ransoms.
But any future strengthening of antipodean cyber resilience will be cold comfort for the millions of Australians bracing themselves as cyber criminals continue to publish stolen data on the dark web. In respect of the health insurance hack, this has been in the order of 500 records per day, starting with abortion history and drug use details.
Recent public discourse has been alive to the geopolitical dimension of the emerging cybersecurity landscape. Many cyber criminals operate with the tacit blessing of their resident countries – indeed, the 2019 cyber-attacks on Australia's Parliament and three largest political parties were attributed to a nation state actor – and with public frustration building, the authorities are becoming less and less subtle in acknowledging this reality.
What next? The public and the government continue to grapple with the best course of action. And so it goes, aye, the Ides of March are come but not yet gone.
Look not with the eyes
An increase in fake profiles on a certain professional business networking website is threatening to create an identity crisis, especially for those companies that use its services for hiring employees and running invite-only groups. A specific phishing scam tied to redirecting users has also been identified recently.
In reports by various experts, a large number of fake profiles have been discovered, estimated to have been made by pairing AI-generated profile photos (hello, This Person Does Not Exist) with text taken from legitimate accounts. Apparently, hackers have been able to copy job resumes from job listings and individual profiles and reproduce them to create fake profiles. In particular, sham executive profiles have aligned themselves with jobs and industries that are linked to recent global events and trends. Fake profiles, often operated by bots, have also appeared as job recruiters, gathering personal data from those who fall for employment scams.
Since instances and reports of fake profiles tend to fall within a grey area for enforcement absent identifiable abuse, removing fake profiles has proved difficult. Verification – recent events at another networking service aside – would seem to be the way forward, and it has been implemented in recent weeks. Will it be effective? It will certainly help. Don't forget that it's a wild, wild place out there.
The fault is in ourselves
Most newly created passwords are subject to a minimum standard. A special character, a number, upper- and lower-case letters, and a minimum length, for example.
But not all passwords are created equal. As many noted over 6 years ago, it's only when we see massive credential dumps that we realise how bad our passwords can be. Passwords hashed to a deprecated standard (such as SHA-1) have been cracked, and it's rather terrifying: passwords such as "123456" and "password" – or our favourite, "qwerty" – still top the charts.
Six years on, the top compromised passwords of 2022 remain disappointingly familiar. ZeroFox, a cybersecurity and reputation management company, collected 525 million compromised passwords from 1 October 2021 to 30 September 2022 and found that the top 5 most compromised plaintext or easily cracked passwords were:
"Password" is not far behind, at rank 13, and perhaps more concerningly, "admin123" ranks 15th.
As the 2022 Psychology of Passwords report indicates, over 60% of respondents still use, or mostly use, the same password or a variation of it. Gen Z respondents were the biggest offenders, with 69% admitting to using a variation of a single password; millennials follow closely at 66%, despite 89% of all respondents knowing the risks of recycling a similar password. Only about a third of respondents stopped reusing the same passwords after cybersecurity education, and only a quarter have a password manager (though more on that below).
At the end of 2020, McAfee estimated that cybercrime led to global losses of over USD 1 trillion, a 50% increase from 2018, with two-thirds of companies reporting some form of cyber incident. Yet, as we've said before, clearly the fundamentals of good cyber hygiene must remain the focus of improvements in security. Yes, convenience rules human psychology, but with insecure or repeat passwords continuing to be prevalent, only persistence and further education will improve awareness and resilience.
In this edition, we look at the curious case of the password database and the latest updates from Patch Tuesday.
Password managers: all that glitters is not (always) gold
Any ordinary person alive would have heard of the importance of a good password. Scheherazade's "open sesame" serves an equally important role in our modern, digital lives as it did for Ali Baba. As compute power improves, our own passwords must become ever more complex. Increasing complexity for passwords and requiring more frequent password changes have become the cornerstone of any good cybersecurity programme and part of good cyber hygiene.
But humans are fallible (see above), and password managers have stepped in to spare us the inconvenience of magicking up a new and different password for each new site or each password renewal. These managers store our most sensitive passwords, offer up suggestions for new passwords, and generally improve our digital life.
A compromise of a password manager, then, could be…interesting. Surely, they encrypt passwords. Well, cybersecurity consultants TrustedSec and Shielder recently published critical examinations of one password manager and associated CVEs (in particular, CVE-2022-35405). They found that the encrypted database password and the encryption key (a static secret key and master key) were identifiable in plain text. The credentials stored in the password database could then be decrypted back to plaintext.
Yes, that's right, the password manager was hacked (or hackable).
The CVE, rated 9.8 (critical), was published by MITRE back on 19 July 2022, after the flaw had been patched on 24 June 2022. But exploitation was identified in August, and in-the-wild attacks were detected as late as 7 September 2022. We imagine that that specific password manager had not been updated since June. So, while a password manager is usually a good sign of security awareness, here the security product itself became the single point of failure.
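To show why a key stored beside the encrypted store gives no protection, here is an added Python illustration (not code from the original post, nor from the product or the researchers it describes): a toy vault written two ways, with a static master key on disk next to the ciphertext versus a key derived from an operator passphrase, of which only the salt reaches disk. The cipher is a stand-in built from HMAC-SHA256 so the example runs on the standard library alone; a real vault would use AES-GCM or XChaCha20-Poly1305, but the key-custody lesson is the same.

```python
import hashlib
import hmac
import secrets

# Toy AEAD stand-in: HMAC-SHA256 as a PRF in counter mode, encrypt-then-MAC.
# Not a production cipher; it exists only so the vault layouts below are runnable.
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = []
    for ctr in range((length + 31) // 32):
        blocks.append(hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest())
    return b"".join(blocks)[:length]

def seal(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("vault tag mismatch: wrong key or tampered data")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))

# Layout A, the anti-pattern the write-ups describe: a static master key is written
# to disk next to the encrypted store, so the on-disk artefacts alone decrypt it.
def write_vault_static_key(secret: bytes) -> dict:
    key = secrets.token_bytes(32)
    return {"master_key": key.hex(), "vault": seal(key, secret).hex()}

# Layout B, hardened: only a salt reaches disk; the key exists in memory after an
# operator supplies the passphrase and is derived with a deliberately slow KDF.
def write_vault_derived_key(secret: bytes, passphrase: str) -> dict:
    salt = secrets.token_bytes(16)
    key = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 600_000)
    return {"kdf_salt": salt.hex(), "vault": seal(key, secret).hex()}

def recoverable_from_disk_alone(artefacts: dict) -> bool:
    """Can someone holding only the files (no passphrase) read the vault?"""
    if "master_key" in artefacts:
        unseal(bytes.fromhex(artefacts["master_key"]), bytes.fromhex(artefacts["vault"]))
        return True  # layout A: the key was sitting beside the ciphertext
    return False  # layout B: nothing on disk yields the key without the passphrase

def open_vault(artefacts: dict, passphrase: str) -> bytes:
    salt = bytes.fromhex(artefacts["kdf_salt"])
    key = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 600_000)
    return unseal(key, bytes.fromhex(artefacts["vault"]))
```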
Like last edition's CVE Corner, our message remains the same: you still need to know what you have in order to know what to patch. And if appropriate MFA were also in place, the risks consequent on a single point of failure involving credentials would certainly be mitigated.
Six zero-day vulnerabilities were patched by Microsoft in their latest monthly update, including 2 Remote Code Execution bugs that have been circulating in the wild for several months. One bug, tracked as CVE-2022-41091, affects the Mark of the Web feature. This is designed to protect users against files from untrusted sources. You know, when Windows opens a Word document in "Protected View" to prevent edits? That's right, you've probably gotten used to clicking the button to allow edits, and this kind of behavioural change is precisely what is being exploited through the vulnerability. Always pay attention to what is downloaded and opened.
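To make the mechanism concrete, here is an added Python example (not from the original post and not Microsoft's code) that parses the Zone.Identifier alternate data stream Windows attaches to downloaded files, reports which zone the file came from, and says whether Office should open it in Protected View; the sample stream and the example.test URLs are constructed.

```python
import os
from dataclasses import dataclass
from typing import Optional

# Constructed sample of the stream Windows writes to a file saved from a browser.
SAMPLE_STREAM = ("[ZoneTransfer]\r\nZoneId=3\r\nReferrerUrl=https://example.test/\r\n"
                 "HostUrl=https://example.test/report.docx\r\n")

ZONE_NAMES = {0: "Local Machine", 1: "Local Intranet", 2: "Trusted Sites",
              3: "Internet", 4: "Restricted Sites"}

@dataclass
class MarkOfTheWeb:
    zone_id: int
    referrer_url: Optional[str]
    host_url: Optional[str]

    @property
    def zone_name(self) -> str:
        return ZONE_NAMES.get(self.zone_id, f"unknown ({self.zone_id})")

    @property
    def protected_view_expected(self) -> bool:
        # Office treats Internet (3) and Restricted Sites (4) as untrusted origins.
        return self.zone_id >= 3

def parse_zone_identifier(text: str) -> Optional[MarkOfTheWeb]:
    """Parse the INI-style stream; None unless a [ZoneTransfer] block carries a ZoneId."""
    section, values = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "ZoneTransfer" and "=" in line:
            key, value = line.split("=", 1)
            values[key.strip()] = value.strip()
    if not values.get("ZoneId", "").isdigit():
        return None
    return MarkOfTheWeb(int(values["ZoneId"]), values.get("ReferrerUrl"), values.get("HostUrl"))

def read_mark(path: str) -> Optional[MarkOfTheWeb]:
    """On NTFS the stream is addressed as '<file>:Zone.Identifier'; absent stream -> None.
    A missing mark does not make a file trustworthy; it only means Windows will not warn."""
    try:
        with open(path + ":Zone.Identifier", "r", encoding="utf-8", errors="replace") as fh:
            return parse_zone_identifier(fh.read())
    except OSError:
        return None

def audit_downloads(folder: str) -> list:
    """(name, verdict) for each file in a download folder, flagging files with no mark."""
    report = []
    for name in sorted(os.listdir(folder)):
        mark = read_mark(os.path.join(folder, name))
        if mark is None:
            report.append((name, "no Mark of the Web: opens with no Protected View warning"))
        else:
            report.append((name, f"{mark.zone_name}; Protected View expected: {mark.protected_view_expected}"))
    return report
```

Run `audit_downloads` against a Downloads folder on a Windows host; on other file systems the stream cannot be read, so every file reports as unmarked.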
Until next time – happy birthday, Hedy Lamarr!