SWITCH security report on the latest IT security and privacy trends
July/August 2020

SWITCH • PO Box • 8021 Zurich, Switzerland • +41 44 268 15 40 • cert@switch.ch securityblog.switch.ch • security.switch.ch • © SWITCH 2020

I. Aimless navigation – Garmin scrambling to regain its bearings after hacking incident

How utterly ironic when one of the best-known and biggest makers of smartwatches, wearables and receivers for land, marine and aeronautical navigation leaves its customers in the lurch without any direction. Which is exactly what happened in late July when users noticed that the systems of the US/Swiss multinational Garmin had basically stopped working on its fitness trackers, golf and sport watches, as well as the FlyGarmin aviation navigation services. Instead of providing clear route navigation, for a while there was just a vague notification under the guise of nebulous maintenance work. Several internal memos and external social media posts from Garmin employees made it increasingly clear, however, that the company and several of its services and platforms had obviously fallen victim to a targeted cyber attack with WastedLocker, a piece of ransomware that had appeared for the first time in the spring. Although the reports at that point had not yet been verified or even acknowledged by Garmin, ZDNet had already reported on it on 23 July. According to the report, not only virtual services and communities but also production operations had been taken out to a large extent. Only after this report came out did Garmin admit in an official statement that it had, indeed, fallen victim to a ransomware attack. In the days that followed, Bleeping Computer reported that internal informants had confirmed and reported the WastedLocker attack. Garmin is also rumoured, though this has not been officially confirmed, to have paid the ransom to the tune of USD 10 million in order to quickly get the systems up and running again. And that was probably only because so many customers were apparently extremely aggravated by the Schaffhausen-based company’s policy of non-communication.

Garmin claimed that, based on its current knowledge, at no point had customer data been stolen (the Garmin Connect service saves health and fitness data, and Garmin Pay saves payment information). Yet it is often standard ‘business practice’ for cyber extortionists to first siphon off data before encryption in order to get away with an additional data breach ransom – demanding payment of a sort of hush-money so that this data is not released to the public. Most services are now working again. However, just how big the blow was for Garmin financially, how many customers it lost and how far off course it veered in just a few days due to the cyber attack and its own inept communication is not likely to be made public either.

Read more:
https://www.tagesanzeiger.ch/sytemausfall-legt-garmin-uhren-lahm-279497191954
https://www.zdnet.com/article/garmin-services-and-production-go-down-after-ransomware-attack
https://www.nzz.ch/wirtschaft/cyberopfer-garmin-macht-keine-gute-figur-ld.1568606?mktcval=OS%20Share%20Hub&mktcid=smsh&reduced=true#register
https://www.bleepingcomputer.com/news/security/garmin-outage-caused-by-confirmed-wastedlocker-ransomware-attack
https://www.androidcentral.com/garmin-connect-suffers-multi-hour-outage

II. Hacking with a heavy hand: German intelligence is making a push to install hardware directly with internet providers and reroute internet traffic

Making citizens informal agents of the state was fundamental to the ‘success’ of the surveillance carried out by the East German Ministry of State Security (Ministerium für Staatssicherheit, popularly referred to as the ‘Stasi’), which was headed in its final days by Erich Mielke in the former GDR. A good 30 years after Germany’s reunification, Horst Seehofer’s Federal Ministry of the Interior, Building and Community (BMI) now appears keen to adopt the same model. Evidence of this provocative claim is draft legislation, which the BMI already proposed in mid-2019 with the aim of harmonising constitutional protection law. It includes provisions for internet providers to assist German intelligence authorities in sneaking govware onto the computers of their customers. Specifically, the idea is not merely to export a copy of the data but to route it through the authorities’ hacking proxy, where it is manipulated and passed on to recipients without them noticing the manipulation. The slogan of FinFisher – a major provider of govware – reads as follows: ‘FinFly ISP is able to patch files that are downloaded from the destination on-the-fly or to send fake software updates for popular software.’ The accompanying promotional video is included in the netzpolitik.org article cited below. Because the Federal Criminal Police Office (BKA) and other German intelligence authorities have purchased govware from FinFisher, it has to be assumed that they are using it, even though information about it is not available even to the Bundestag’s intelligence oversight committee.

Against this backdrop, the rhetorical sop offered up by former SPD Minister of the Interior and current SPD party leader in the Landtag of Schleswig-Holstein, Ralf Stegner, smacks of outright cynicism: Stegner had attempted to downplay the proposed ‘serious encroachment’ (quote from eco – Association of the Internet Industry) on the private sphere with his remark that no one need worry because the surveillance would, of course, be under parliamentary control. So, it is no surprise that the two umbrella organisations of Germany’s digital industry, eco and bitkom, appear concerned and accuse Horst Seehofer’s Ministry of the Interior of attempting to turn its members into deputy sheriffs. He appears to have become numb to the issue of privacy altogether: in the draft legislation just mentioned, he intends not only to allow police but also domestic intelligence officials to break into private homes and install spyware there. Moreover – and this is where Seehofer is testing the limits of legality and, in the eyes of many critics, goes far beyond them – this is to occur without any judicial ruling in the matter. In view of all these developments, it is fortunate that Seehofer’s BMI has performed rather poorly in terms of efficiency. While there are now several new drafts of security legislation waiting in the wings, some of which are drastic, none of them has taken centre stage yet.

Read more:
https://netzpolitik.org/2020/staatstrojaner-provider-sollen-internetverkehr-umleiten-damit-geheimdienste-hacken-koennen/?utm_source=pocket-newtab-global-de-DE
https://www.heise.de/tp/features/Dringende-Anpassung-an-neue-digitale-Moeglichkeiten-4722312.html
https://www.sueddeutsche.de/politik/gesetzentwurf-bundesamt-fuer-einbruch-1.4564401
https://www.tagesspiegel.de/politik/umstrittene-sicherheitsgesetze-die-baustellen-des-herrn-seehofer/25481314.html

III. A protection shield minus the protection – ECJ declares Privacy Shield unlawful

What rules must companies follow when transferring their customers’ data to the United States and storing it there? This question, which has been at the centre of lengthy negotiations between the EU Commission and the US Department of Commerce, has led to two agreements so far – both of which have since been invalidated by the European Court of Justice. In 2015, ‘Safe Harbour’ failed after a lawsuit brought by an Austrian law student named Max Schrems. Schrems had hoped to find out what data Facebook had been collecting from him and saving, as well as who else had received this data. Mark Zuckerberg’s social media empire, which has its European headquarters in Ireland, initially refused to provide this information. This was followed in 2014 by the lawsuit that ultimately led to the collapse of the agreement. The lawsuit brought to the ECJ by Schrems, who is now a practising lawyer, also led to the overturning of the subsequent ‘Privacy Shield’ agreement. The EU’s highest court ruled that, given the existence of state surveillance programmes run by the NSA and other intelligence agencies, the data of European citizens would be less secure on American servers than in Europe. In particular, due to inadequate access restrictions, it would be possible for US government agencies to access the personal data of European citizens without offering them the same degree of legal recourse to defend against this as they would have in Europe. Moreover, the ECJ reprimanded Ireland’s data protection agency for its lax treatment of ‘standard contractual clauses’, which were the basis for allowing Facebook to continue transferring its international customers’ data to the United States, storing it there and using it for advertising purposes.

Facebook is not the only one affected by the demise of the Privacy Shield agreement. On the contrary, companies on both sides of the Atlantic that exchange data both ways under the terms of the Privacy Shield agreement are faced with the question of what they are and are not allowed to do now. Given the fact that the European Commission currently holds that there are only 12 other countries that protect data against misuse and access by government authorities to the same extent as the EU, the issue is certainly more urgent than ever. But considering the dominance of cloud providers like Amazon, Microsoft and Dropbox, it is also proving difficult for users to quickly find European alternatives. On the other hand, because the United States is unlikely to tone down its surveillance practices, the conflict surrounding Big Brother and data protection when it comes to Big Data has yet to be resolved. Potential consequences and specific recommendations for Swiss companies and organisations are covered in the SWITCHlegal statement cited below.

Read more:
https://netzpolitik.org/2020/datentransfers-eu-gericht-zerschlaegt-privacy-shield
https://t3n.de/news/privacy-shield-gekippt-muessen-1305303
https://www.sueddeutsche.de/digital/privacy-shield-eugh-urteil-amazon-microsoft-1.4976977
https://nzzas.nzz.ch/wirtschaft/privacy-shield-am-ende-eu-und-usa-ringen-um-datenschutz-ld.1566991?reduced=true
https://info.switch.ch/e/f2d46892293eab88/nl/-/webversion-version/704ddf04c3892c70041774c5/de.html

IV. A night(mare) of celebrities – The ‘biggest Twitter hack of all times’ raises questions about the security of the network

Anyone who always thought that computer nerds had rather poor social instincts received a rude awakening in mid-July when two young Americans and a British man showed how money can be made through a combination of cluelessness, profiteering and fame on the right platform. In short, the three hackers are strongly suspected of hacking the Twitter accounts of several famous people, including Barack Obama, Bill Gates, Elon Musk, Joe Biden and Kanye West. The imposters then used the hijacked accounts to tweet their ploy: they promised to double the value of every bitcoin sent to them before returning it, under the guise of wanting to ‘give something back to the community’. Soon enough, over USD 100,000 worth of bitcoin flowed into the scammers’ accounts. That they did not make off with more money and that the authorities caught on to the cyber criminals surprisingly fast may be related to the fact that they both lacked some sophistication in terms of the human factor, and also weren’t quite nerdy enough to compete with celebrities in this league. For wherever that much power, money and influence is involved at the same time, law enforcement authorities will do everything they can to investigate a crime as quickly as possible. And had the hackers been more professional, they would certainly have noticed that the dubious OGUsers internet forum where they had set up shop offering to hijack any Twitter account for the price of about USD 3,000 had itself been hacked. A few days later, the login details of all forum users and even some chat histories were available for all to see – including the FBI, which was more than happy to accept the gift and quickly struck gold.

Twitter might have also been happy about the speedy investigation – after all, the hackers had apparently gained direct access to the system administration. Yet the operators of the microblogging site admitted only that employees with access to internal systems ‘had been manipulated’ using social engineering. According to the definition found on the website of the security company Kaspersky (link below), the goal of social engineering is to exploit human weaknesses, such as the desire for power, greed, stupidity, vanity and so on, in order to gain access to information, passwords or systems. That such a thing could happen to Twitter employees, and how, is what eventually motivated the chair of the American Trade Committee, Roger Wicker, to get involved as well. After all, the United States is in the middle of the presidential election, and considering the current incumbent’s media proclivities, Twitter will play a key role in how it unfolds. In a letter to Twitter CEO Jack Dorsey, Wicker therefore wrote: ‘It cannot be overstated how troubling this incident is, both in its effects and in the apparent failure of Twitter’s internal controls to prevent it.’ Wicker gave Dorsey eight days to furnish the committee with information about the incident and how the company plans to move forward. MarketWatch.com, the financial news site run by Dow Jones & Co., also wrote that the most disturbing fact about the Twitter hack was the revelation that staff were able to access the accounts. And the website cryptonews.com maintained in its 23 July story that the bitcoin scam was not the real problem with the Twitter hack. Far worse was the fact that access to the personal data and direct messages of at least 36 of the 130 high-profile Twitter accounts posed a risk that these people could be blackmailed for much larger sums of money to withhold the release of these messages – much like the Garmin data breach ransom discussed in the first section.

Read more:
https://www.zeit.de/news/2020-07/31/nach-massivem-twitter-hack-17-jaehriger-in-den-usa-gefasst
https://www.tagesschau.de/ausland/twitter-festnahme-hack-101.html
https://www.tagesanzeiger.ch/wie-die-polizei-den-twitter-hackern-auf-die-spur-kam-892682301157
https://usa.kaspersky.com/resource-center/definitions/what-is-social-engineering
https://www.zeit.de/digital/internet/2020-07/twitter-accounts-prominente-bitcoin-betrug
https://www.marketwatch.com/story/the-most-disturbing-part-of-the-twitter-hack-many-of-its-employees-have-access-to-accounts-2020-07-25

This SWITCH security report was written by Dieter Brecheis and Frank Herberg. The SWITCH security report discusses current topics in the field of cybersecurity. It is aimed at interested internet users, and seeks to make them aware of current threats. Despite careful review, SWITCH accepts no liability for accuracy.