Stories from the Wild #2
August 2022
Welcome to the second edition of our Talking Tech series, Stories from the Wild. Every month, we bring you the latest stories in information security and cybersecurity. You can read our introductory post for why this matters.
Commemorating…
Peter Shor
Our second edition commemorates the birthday of Peter Shor, who was born 14 August 1959. Currently Professor of Applied Mathematics at MIT, Shor is best known for proposing, in 1994, an algorithm which permits the efficient calculation of prime factors of large numbers using quantum bits. Why was this ground-breaking? Because almost all public key cryptography is grounded in a form of maths problem that is difficult to solve using classical computers, e.g., prime factorisation. Proposing a real-time solution meant that such cryptographic methods could be cracked, using a quantum computer. This proposal has become known as Shor's Algorithm.
1994 was almost 30 years ago, when quantum computing was in its relative infancy. Today, quantum computing is fast becoming a real, commercial prospect. You can read about NIST's efforts to standardise post-quantum cryptography in our first edition of Stories from the Wild…and some hiccups along the way in our "Looking ahead" section below.
(And a shoutout – a happy 25th anniversary to Black Hat, which was on last week!)
This month in…England
Lawyers have been cautioned by the UK's National Cyber Security Centre (NCSC), which is part of Government Communications Headquarters (GCHQ), and the Information Commissioner's Office (ICO) against advising clients to pay ransomware demands.
In a joint letter to the Law Society and Bar Council, the NCSC and ICO state that they have seen evidence of a rise in ransomware payments and that lawyers may have advised clients to pay, in the belief that doing so would protect stolen data or result in a lower penalty from the ICO (should there be an investigation and a finding of breach of a provision of the UK GDPR). The letter asks that the Law Society and Bar Council remind their members that this is not the case, noting that payment of a ransom is not encouraged, endorsed, or condoned, and that payments incentivise malicious actors, with no guarantee of the decryption or return of stolen data.
The letter notes that the ICO does not consider payments to reduce the risk to individuals and that penalties incurred through enforcement action would not be reduced. Mitigation of risk would be recognised, however, where steps have been taken to understand an incident and learn from it, where the NCSC and law enforcement (via Action Fraud) are notified, and where evidence is provided of taking advice from, or demonstrating compliance with, NCSC guidance and support.
Whether a ransom should be paid is a complex decision, often made in the short hours after discovery of a ransomware attack. While the guidance is a useful indication of the regulatory approach to risk and mitigation, it is difficult to determine what impact this will have on ransom payments, as often they are paid not so much for reasons of perceived regulatory lenience as for business continuity, data recovery or reputational reasons. Advisors need to help clients navigate all the factors to consider whether a ransom demand should be met. What is the business impact? What are the costs involved? What are the ethical and reputational issues? What is the position as to sanctions? A multitude of considerations are involved in making an appropriate assessment in each case. Yours truly prefers Confucius: 人无远虑,必有近忧 one who does not think and plan ahead will find trouble at their door. Preparedness is key.
This month in…crypto
The Federal Bureau of Investigation (FBI) has observed an increase in cyber criminals contacting U.S. investors, fraudulently claiming to offer legitimate cryptocurrency investment services, and convincing investors to download mobile apps which are subsequently used to defraud the investors of their cryptocurrency. The scheme has resulted in losses estimated at US$42.7 million between 4 October 2021 and 13 May 2022. It is predicted that such losses will continue to rise as the interest and investment in cryptocurrency has made it a popular target for cyber criminals.
The FBI recommends that:
- Investors should be wary of unsolicited requests to download investment applications and verify that an app is legitimate before downloading it. Applications with limited functionality should be treated with scepticism.
- Financial institutions should take precautions including, among other things, to proactively warn customers about this activity and provide steps for reporting, inform customers as to whether the institution has a mobile app and to recommend that they conduct online searches for the company's name.
This is the latest in a string of crypto-related hacking activity, from online games to nation states. Perhaps in code one does not trust after all.
This month in…television
The Undeclared War
In a new drama series released on the UK's Channel 4 on 30 June 2022, The Undeclared War, the Bafta award-winning writer Peter Kosminsky explores the dark spaces between national security and cybersecurity.
What is the show about? In 2024, cyber-attacks set off a chain of events that threatens to escalate into open (conventional, kinetic) warfare, set in a hyper-realistic UK. The show follows a team of analysts at GCHQ (yes, that one) as they defend the country against a range of actions from a foreign, nation state actor.
I've watched enough hacking shows. You remember the shows where a hacker taps on a keyboard for 2 seconds and says, "I'm in"? This is not that. The Undeclared War portrays real-life hacking and security: a meticulous, laborious effort in writing and picking apart thousands of lines of code. More importantly, it's got misinformation, troll farms, social unrest…and (mini spoiler) the writer predicted that in November 2022 Boris Johnson would be ousted by a coup organised by a colleague during an economic crisis. Yikes.
Tell me more… It might not be a Stranger Things or Mindhunter, but even Rotten Tomatoes has it at a respectable 83%. And it's got Simon Pegg, Mark Rylance, and Adrian Lester. So, plenty of great acting – and plenty of computers.
Looking ahead…
The Q-word (continued)
We did say in our first edition that public key cryptography would always be a test of mathematics.
On 5 July 2022, the NIST Post-Quantum Cryptography competition announced its first 4 winners. It also announced 4 candidates that advanced to a fourth round of competition for Key Establishment Mechanisms: BIKE, Classic McEliece, HQC, and SIKE. These candidates were invited to submit "tweaks" – updated specifications and implementations – by 1 October 2022.
One candidate, SIKE, has since been defeated by mathematicians.
On 30 July 2022, Wouter Castryck and Thomas Decru at the Catholic University of Leuven (KU Leuven) released a paper describing how SIKE's underlying protocol (the Supersingular Isogeny Diffie-Hellman, or SIDH) can be attacked, using a single, classical computer. A proof-of-concept was also released on Castryck's website. Since then, alternative implementation based on the paper has also been released, as well as proposals to defend, or strengthen, SIDH.
What are the implications?
For those of us whose algebraic geometry requires a brush-up, the immediate effect is that SIKE is, for now, unlikely to progress much further in the competition.
What is surprising is that a maths problem that was thought to be practically unsolvable was cracked – for now – by a standard Intel CPU released in 2013 (even if this is limited to the very specific problem that the SIKE NIST submission was built on).
As several commentators have noted, the true lesson learnt is that we must simply continue working at the problem. At least this was discovered before standardisation.
CVE Corner
In this edition, we look at Palo Alto Networks Unit 42's annual Incident Response Report, which was released at the end of July 2022.
Ransomware and business email compromise (BEC) were the main kinds of security incident, forming almost two-thirds of incidents. Top affected industries included finance, professional services, manufacturing, healthcare, and wholesale and retail. "Dual use" technologies like Nmap, Cobalt Strike, Rclone, WinRAR remained common capabilities, and as did the (in)famous Mimikatz.
Software vulnerabilities were a significant point of (suspected) initial access – in almost 1 in 3 security incidents. Of these, 83% fell into one of 5 CVE categories:
- ProxyShell (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207)
- Log4j
- SonicWall CVEs
- ProxyLogon (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065)
- Fortinet CVEs
(That is, two of the same ProxyLogon and Fortinet vulnerabilities discussed in our first edition's CVE Corner.)
Excluding zero-day vulnerabilities, poor patch management contributed to some 28% of incidents. Like many areas in cybersecurity, what is good practice can change quickly. Patch management might start becoming automated, but more generally, Unit 42 noted that the time available to patch vulnerabilities will continue to shrink: attackers now typically start scanning for vulnerabilities within 15 minutes of a CVE announcement.
Lest the basics be forgot, 50% of incidents involved a lack of multi-factor authentication (though an MFA solution itself should be resistant to phishing). CVEs are no different: you need to start by knowing what you have, to know to patch it.
//
Until next time – happy belated birthday, Peter Shor!