At a glance.
- Pegasus and smartphone privacy.
- Deanonymizing data.
- Virginia Tech says it survived the Kaseya compromise without loss of data.
- Ransomware attack on major law firm.
What the Pegasus leak means for smartphone privacy.
As the revelations surrounding NSO’s Pegasus surveillance software data leak rock the cybersecurity world, the incident raises questions about just how easily ordinary smartphones can be targeted by spyware. Pegasus takes advantage of zero-day vulnerabilities on a target’s device, and in some cases the phone can be infiltrated using a zero-click exploit that requires no interaction from the user at all. Bleeping Computer notes Amnesty International’s investigation found that a number of victims’ phones running iOS 14.6, Apple’s latest operating system, were hacked using zero-day, zero-click iMessage exploits. "Most recently, a successful 'zero-click' attack has been observed exploiting multiple zero-days to attack a fully patched iPhone 12 running iOS 14.6 in July 2021," the report stated. Apple has been notified and is investigating the issue. Ivan Krstić, head of Apple Security Engineering and Architecture, responded, "Attacks like the ones described are highly sophisticated, cost millions of dollars to develop, often have a short shelf life, and are used to target specific individuals."
NSO insists that US-based smartphones cannot be targeted by their spyware as it is “technologically impossible,” but the Pegasus incident might indicate otherwise. The Washington Post asks whether Americans’ smartphones are at risk of being infiltrated by spyware. Several Americans’ overseas numbers were among the 50,000 phone numbers exposed in the leak, and even a few numbers with +1 country codes were included, including the numbers for the Biden administration’s lead Iran negotiator and several United Nations diplomats residing in the US. That said, the investigation did not determine whether the spyware had been deployed on these phones.
For those wondering if their smartphone could be hacked, TechCrunch shares a tool designed to tell users whether their phones have been targeted by spyware. Amnesty International’s report includes a Mobile Verification Toolkit (MVT) that works on iPhones and Android devices, though forensic evidence of tampering is easier to detect on iPhones. The MVT checks an iPhone backup for any indicators of compromise, like domain names used in NSO’s infrastructure, that might have been sent to the device in a text or email, and even helps the user decrypt the backup first if necessary.
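The indicator check described above (URLs delivered in messages compared against a list of known infrastructure domains) is easy to see in miniature. The following is an added example, not MVT's own code: the indicator domains and the message rows are constructed for this illustration (reserved `.invalid` and `.test` names stand in for real infrastructure), and the record shape is an assumption about how SMS/iMessage rows might look once pulled out of a backup.

```python
"""Scan constructed message records for indicator-of-compromise domains.

Added example (not MVT's code). The indicator list and the messages are
constructed; in practice the indicators would come from a published IoC
feed and the rows from the backup's message database.
"""
import re
from urllib.parse import urlparse

# Constructed indicator domains (placeholders, not real infrastructure).
IOC_DOMAINS = {
    "example-indicator.invalid",
    "cdn.another-indicator.test",
}

# Constructed message rows: (row id, sender, body).
SAMPLE_MESSAGES = [
    (1, "+15550001", "Your package is waiting: https://track.example-indicator.invalid/x?id=9"),
    (2, "+15550002", "Lunch tomorrow?"),
    (3, "+15550003", "see HTTP://CDN.ANOTHER-INDICATOR.TEST/v/abc"),
    (4, "+15550004", "unrelated link http://example-indicator.invalid.evil-lookalike.example/"),
    (5, "+15550005", "read https://notexample-indicator.invalid/ carefully"),
]

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def extract_hosts(text):
    """Return the lower-cased hostnames of every http(s) URL in `text`."""
    hosts = []
    for match in URL_RE.findall(text):
        host = urlparse(match).hostname
        if host:
            hosts.append(host.lower())
    return hosts


def matches_indicator(host, indicators=IOC_DOMAINS):
    """True if `host` equals an indicator domain or is a subdomain of one.

    The check is made on a label boundary, so a look-alike such as
    'notexample-indicator.invalid' or a domain that merely embeds the
    indicator as a prefix does not produce a false positive.
    """
    for ioc in indicators:
        if host == ioc or host.endswith("." + ioc):
            return True
    return False


def scan_messages(messages, indicators=IOC_DOMAINS):
    """Return (row id, sender, matched host) for every message whose body
    carries a URL pointing at an indicator domain."""
    hits = []
    for row_id, sender, body in messages:
        for host in extract_hosts(body):
            if matches_indicator(host, indicators):
                hits.append((row_id, sender, host))
    return hits


if __name__ == "__main__":
    for row_id, sender, host in scan_messages(SAMPLE_MESSAGES):
        print(f"row {row_id} from {sender}: indicator domain {host}")
```

Rows 1 and 3 are reported; rows 4 and 5 are deliberately crafted so that a naive substring match would flag them, which is why the comparison is made on a full label boundary.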
De-anonymizing the anonymous.
Though userIDs assigned for advertising tracking purposes by tech companies are intended to keep the user’s identity anonymous, Vice lets readers in on an entire industry devoted to de-anonymizing these IDs in order to connect individual users to their web activities. By connecting mobile advertising IDs (MAIDs) to a person's name, physical address, and other personal identifiable information (PII), data brokerage companies like BIGDBM or Full Contact can assemble complete individual user data sets. FullContact claims it has assembled “Identity Graphs” for over 275 million Americans. "Anyone and everyone who has a phone and has installed an app that has ads, currently is at risk of being de-anonymized via unscrupulous companies," says data supply chain researcher Zach Edwards, who also points out that even pseudonymous data flow is in violation of the EU’s General Data Protection Regulation. US Senator Ron Wyden, concerned these data sets could be used by foreign governments to endanger US national security, is pushing for privacy legislation to better regulate the de-anonymization industry.
Virginia Tech reports sustaining two cyberattacks.
Security Week reports that US university Virginia Tech was impacted by two recent security incidents: this month’s massive Kaseya ransomware attack and a separate May attack that encrypted a university server. Spokesman Mark Owczarski stated the school had not paid any ransom for either incident and is still working to remedy issues caused by the Kaseya attack.
Purandar Das, Co-founder and the chief security evangelist at Sotero, wrote to say that the incident should draw further attention to third-party risk:
“As with the other attacks, this one illustrates the multiplying effect of an attack using a third-party software provider as the carrier. It also illustrates another weakness when an organization can definitely establish that no data was stolen. Current security deployments don’t lend themselves to easily determining whether or not data was impacted, highlighting a limitation of the current security posture that focuses on the perimeter and not the data. Having a data centric security framework with audit and governance built in will not only provide better data security but also establish immediately whether data were stolen.”
Major US law firm hit by ransomware attack.
Campbell Conroy & O'Neil, a US law firm that works with Fortune 500 and Global 500 companies like Ford, US Airways, and Boeing, and whose clients have also included Big Tech firms, has disclosed that it experienced a ransomware attack in February, Security Week reports. The exposed data includes personal information related to cases, including Social Security numbers, driver's license and passport numbers, financial information, and even medical data. The firm did not disclose what, if any, corporate data might have been impacted.
Casey Ellis, CTO and founder of Bugcrowd, sees the attack as an indicator of the value of the data law firms hold:
“This breach highlights the wealth of sensitive data that law firms can possess, and the magnitude of damage that may happen when third-party vendors, which in this case offer services to numerous Fortune 500 and Global 500 companies, gain entry to sensitive data. Hackers behind the attack are said to have accessed sensitive information such as names, dates of birth, driver's license numbers/state identification numbers, financial account information, Social Security numbers, passport numbers, payment card information, medical information, health insurance information, biometric data, and/or online account credentials.
"Law firms hold a great deal of responsibility to represent their clients and protect their information, and when a great amount of client data is infiltrated, firms and other third-party vendors should look to up-level their current cybersecurity measures with external security researchers via a bug bounty or vulnerability disclosure program (VDP) to help identify and disclose vulnerabilities before adversaries can exploit them. By doing so, they can get ahead of malicious actors and proactively address vulnerabilities before they become a devastating breach.”
It's not only law firms, but the third parties that serve them, who are attractive targets for data thieves. Uriel Maimon, senior director of emerging technologies at PerimeterX, wrote:
“Data breaches resulting from ransomware attacks are becoming all too common these days, just look at the Guess breach that made headlines only a week ago. Once personal information is stolen, there’s no ‘putting the genie back in the bottle.’ And the damage incurred with stolen identities, whether through ransomware attacks or account takeovers, can last for years as the information can be repurposed multiple times to steal funds or create synthetic identities and apply for new accounts.
“This attack shows that while ordinary people may think they know who has access to their data, the modern digital economy has a sophisticated supply chain and multiple organizations can secure access to that data. They can be lawyers, accountants or consultants or the building blocks of modern web applications where the application itself relies on infrastructure from multiple companies such as cloud infrastructure providers, identity and access management solutions, third-party code libraries and many others. This underscores the need for constant vigilance and cross-silo solutions as the safety and integrity of data is only as strong as the weakest link. Knowing which links are even involved is easier said than done."
And while there's a tendency to think of big consumer-facing sectors like retail, healthcare, and financial services as the natural places to look for personal data theft, don't overlook the legal sector. Trevor Morgan, product manager with comforte AG, commented:
“When you think of high-profile data breaches, what probably comes to mind are those incidents that target large consumer-focused industries and companies such as online retail or financial services. Those targets possess valuable personal data about thousands or even millions of data subjects, so a successful attack can yield a treasure trove of information. However, news that Campbell Conroy & O’Neil, P.C., a prominent U.S. legal firm, has been breached should be discomfiting. Law firms house massive amounts of information about clients and legal cases—much of that privileged information—and most of that information is highly sensitive and can be used as leverage against the firms themselves (in ransomware attacks) and also to target other victims in a domino effect.
"Law firms and legal service providers (such as processors of legal discovery data) should be paying attention to this breach and immediately assessing their defensive posture. If you’re one of these organizations, you should be asking whether your sensitive data resides in a vulnerable clear state behind what you believe is a well-protected perimeter, or whether you apply some form of data-centric security to it. The difference is that perimeter-based security can always be surmounted because of the dizzying number of attack vectors involved—it just takes desire, patience, and craftiness. Better to protect sensitive information itself, applying a tried-and-true method like tokenization, which replaces sensitive data elements with representational information of a non-sensitive nature. Data-centric security travels with the data, too, so even if it falls into the wrong hands threat actors cannot exploit it.
"Remember, it’s the court of public opinion that has the biggest influence, so legal firms can secure a winning case by protecting their reputation through data-centric security measures.”
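Morgan's point about tokenization is worth seeing in working code: the value that replaces a sensitive field should carry no information about the original, so a copy of the tokenized record is useless to whoever exfiltrates it, and only the vault can map a token back. The following is an added example written for this article, not comforte's product or any particular tokenization library; the record fields, the role name `detokenize` and the format-preserving scheme (digits stay digits, letters stay letters, separators are kept) are assumptions made for the illustration.

```python
"""Vault-based tokenization for sensitive identifiers.

Added example, not any vendor's product. Tokens are drawn from a CSPRNG and
are therefore independent of the value they stand in for; the only link
between the two is the mapping held inside the vault.
"""
import secrets
import string


class TokenVault:
    """Maps sensitive values to random, format-preserving tokens."""

    def __init__(self):
        self._value_to_token = {}
        self._token_to_value = {}

    def tokenize(self, value):
        """Return the token for `value`, issuing a fresh one on first use.

        The token keeps the input's length and per-character class so that
        downstream format validation (e.g. an SSN mask) keeps working.
        """
        if not any(ch.isalnum() for ch in value):
            raise ValueError("value has no alphanumeric characters to replace")
        if value in self._value_to_token:
            return self._value_to_token[value]
        while True:
            token = "".join(self._random_like(ch) for ch in value)
            # Reject collisions and the (unlikely) case of token == value.
            if token not in self._token_to_value and token != value:
                break
        self._value_to_token[value] = token
        self._token_to_value[token] = value
        return token

    def detokenize(self, token, caller_roles):
        """Map a token back; only callers holding the 'detokenize' role may."""
        if "detokenize" not in caller_roles:
            raise PermissionError("caller is not authorised to detokenize")
        if token not in self._token_to_value:
            raise KeyError("unknown token")
        return self._token_to_value[token]

    @staticmethod
    def _random_like(ch):
        """Random character of the same class as `ch`; separators are kept."""
        if ch.isdigit():
            return secrets.choice(string.digits)
        if ch.isalpha():
            alphabet = string.ascii_uppercase if ch.isupper() else string.ascii_lowercase
            return secrets.choice(alphabet)
        return ch


def same_shape(original, token):
    """True if `token` has the same length and per-character class as `original`."""
    if len(original) != len(token):
        return False
    for o, t in zip(original, token):
        if o.isalnum():
            if o.isdigit() != t.isdigit() or o.isalpha() != t.isalpha():
                return False
        elif o != t:
            return False
    return True


def tokenize_record(vault, record, sensitive_fields):
    """Return a copy of `record` with the named fields replaced by tokens.

    Everything else is left as-is, so the tokenized copy is still usable by
    systems that never need the underlying identifiers.
    """
    safe = dict(record)
    for field in sensitive_fields:
        if field in safe and safe[field] is not None:
            safe[field] = vault.tokenize(safe[field])
    return safe


if __name__ == "__main__":
    # Constructed case record; the identifiers are made up for this example.
    vault = TokenVault()
    record = {"client": "A. Client", "ssn": "123-45-6789", "passport": "X1234567"}
    safe = tokenize_record(vault, record, ["ssn", "passport"])
    print("stored copy:", safe)
    print("detokenized:", vault.detokenize(safe["ssn"], {"detokenize"}))
```

The stored copy keeps the client name and the shape of each identifier but not the identifiers themselves; an application that needs the real SSN must go back to the vault with an authorised role, which is the control point where access can be logged and restricted.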
Javvad Malik, security awareness advocate at KnowBe4, made a similar point:
“While cyber criminal gangs are fond of deploying ransomware, their target has been increasingly focused on stealing data from organizations that they can use to blackmail, sell on, or use to target others with.
"Because of this, we're seeing more organizations targeted, which have traditionally not been on criminals’ radars. This is why it's important that organizations of all sizes and across all industry verticals invest in robust cybersecurity controls, which encompass the technologies, processes, and people to reduce the likelihood of becoming victims.”
The incident put Neil Jones, Cybersecurity Evangelist at Egnyte, in mind of the breach at Mossack Fonseca that produced the Panama Papers international scandal:
“This recent breach is reminiscent of the Mossack Fonseca breach that occurred in 2016, resulting in the infamous ‘Panama Papers’ scandal that revealed a wide range of private information about Mossack Fonseca's high-profile legal clients. In addition to the traditional data security best practices that I always recommend, such as protecting your company's highly-sensitive files and restricting access to files based on ‘business need to know,’ this is a classic example of the need to inquire about the data security policies for the third parties that handle your organization's privileged corporate data. Otherwise, your customers or employees could be negatively impacted and your brand reputation can be tarnished. Furthermore, an initial breach or ransomware attack can reveal third-party providers' IT vulnerabilities that can be capitalized on by attackers at a later date.”