December 2018: the laws of mathematics don’t apply in Australia
Days in the Northern Hemisphere have grown short. Businesses work frantically to meet their numbers. Retailers process more orders than ever. Meanwhile, down under, a law is passed to void the laws of mathematics.
Let’s look back at 2018’s last month. What happened?
EU diplomat cables hacked
A US anti-phishing company (Area1), through a largely undisclosed process, found a large trove of EU diplomat cables, and shared these to the New York Times. The story quickly focused on the content of these cables, as they (unsurprisingly) revealed anxiety surrounding geo political events. The company quickly blamed Chinese military state actors as the ones responsible for the hacks. While the dust settled, which nowadays takes hours rather than weeks, InfoSec veterans started wondering:
- Why is an anti-phishing company suddenly deep into geo political threats; did they just stumble upon it?
- How was the attribution done? It’s a difficult process, so why are they so certain?
- Why did they disclose to the press instead of the victim?
While the last question might be easily answered (“doing the right thing doesn’t get you headlines”), the others are, as of yet, uncertain.
In the meantime, the content of the cables is public, and the EU is painfully reminded that communication among dozens of sovereign nations is difficult to secure.
US newspapers don’t print due to ransomware
On the second to last day of the year, another eerily fast attribution was published- several US newspapers had been hit by a ransomware attack. Tribune Publishing suffered server outages, and several newspapers, including the Wall Street Journal and New York Times, weren’t able to print. The ransomware used was Ryuk, and the article in Forbes states connections to North Korea.
The article goes on to mistake a standard EU GDPR block at the San Diego Union Tribune as a result of the hack. This was later rectified. It seems with the large number of journalists reporting on cyber related events, some have a steep learning curve.
For what it’s worth, which is good to remember, ransomware can have consequences reflecting into the physical world.
CEO fraud target list
It’s common knowledge for a while now, that CEO fraud is one of the most profitable scams out there. Because the scam is all about social engineering, usually without the support of malware, it’s notoriously difficult to detect. In December, we got an interesting insight into one of these groups, “London Blue”, via security company Agari.
This collection of scammers uses many known business structures, sugarcoating their fraudulent operations. The “email marketing” department sends out the phishing emails, and the “sales” team follows up. The “business intelligence” department had a list of 50,000 C-level targets in the US, Spain, the United Kingdom, Finland, the Netherlands and Mexico.
In the past, we’ve seen other groups organising (tongue in cheek or not) in business structures. The GameOver ZeuS gang called themselves the “business club” for example.
It just goes to show that trusting your C-level peers isn’t as straightforward anymore.
Australian government passes new encryption law
InfoSec people worldwide continue to debate the new and unique Australian encryption law vigorously. The law, seemingly written by people who didn’t study mathematics or encryption, states that companies should “help the government” open individual encrypted communications. The law goes on to mention that the aim of the law isn’t to weaken encryption. Many InfoSec professionals sneered at this, saying there pretty much is no way to do this without weakening encryption for the masses.
Malcolm Turnbull, Australia’s PM, famously said “the laws of mathematics do not apply in Australia“.
Let’s step back for a minute and get the premise straight. The problem is end-to-end encryption, which is used by many modern messengers. In the old days, law enforcement could pretty much wiretap everything. Nowadays, they’re confronted with a new reality of truly secret communications. They want access to those communications.
PKI systems, like TLS (SSL), can be broken open with a master key anyway. The theoretical discussion is that law enforcement would join your chat as an “invisible” participant, therefore not weakening encryption.
We know, since “invisible participants” require a process and some secret code, the issue is still the same: law enforcement agencies are not immune to breaches, and even if the math isn’t weakened, the process is. We are watching the discussions and developments closely.