Cybercrime, contact tracing, honorable espionage, and the persistence of remote work.

News for the cybersecurity community during the COVID-19 emergency: Friday, May 22nd, 2020. Daily updates on how the pandemic is affecting the cybersecurity sector.


COVID-19 cybercrime continues unabated.

Four US Federal agencies—the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA), the Internal Revenue Service, the Department of the Treasury, and the US Secret Service—warn that the Government continues to "encounter" attempts by criminals to steal personal and banking information using COVID-19 phishbait to lure their victims. Fifth Domain reports that many of these attempts involve drawing people in with proffers of assistance from the CARES relief act and other programs established to help people during the economic stresses of the pandemic.

Researchers at Proofpoint report that the ZLoader variant of the ZeuS banking Trojan is being actively distributed in phishing campaigns designed to take advantage of COVID-19 fears. Infestations have been observed in Australia, Canada, Germany, Poland, and the United States, but they're unlikely to remain confined to those countries.

And Microsoft has tweeted warnings of malicious Excel 4.0 macros also being distributed to the accompaniment of COVID-19 phishbait. The malicious payload is the NetSupport Manager remote access tool (or Trojan, as it functions when abused).

Britain's troubled contact-tracing app stays troubled.

Authorities in the UK acknowledged, ComputerWeekly reports, that the NHS contact-tracing app won't make the June 1st deadline for a national rollout. This is due in part to skittishness by the governments of Northern Ireland and Scotland about the privacy and efficacy of the system. Northern Ireland, for example, doesn't want a system that will impede travel across the border with the Republic of Ireland. NHS Highland, responsible for healthcare in Scotland, has undertaken development of its own system designed to protect residents, visitors, and staff in care homes from infection by "creat[ing] virtual geozones around the care home and particularly sensitive or quarantined areas to control access, as well as dynamic personal two-metre geozones around everyone with the app." It's also due in part to what's increasingly perceived as an unacceptable degree of bugginess in the app's source code itself ("it's just getting silly now," as Gizmodo UK put it). In any case, a June 1st rollout is now generally regarded as an impossibility.

Privacy issues surface with some tracing apps in the US.

The US Federal Government hasn't undertaken development of a national contact-tracing app, but some of the states have. North and South Dakota have deployed Care19, an app that collects geolocation data under conditions that require opt-in, anonymization, and no sharing with third parties. But researchers at privacy-specialist shop Jumbo Privacy have looked at Care19 and report, as the Washington Post puts it, that "one of the first contact-tracing apps violates its own privacy policy." In particular, Jumbo says that Care19 shares location data with Foursquare, best known for its offerings in support of advertisers, and also that the app's data aren't really as anonymous as one might think: they include devices' Advertising Identifiers. Jumbo recommends that users not install the app until Care19's privacy policy is updated for accuracy, and until the app can assure users that their data won't be shared with third parties.

There are other state-level projects under development. The Telegraph reports that British tech company Wejo has contracted with eight states to develop a system for tracking the movements of connected cars, the better to help the states ensure that people are following stay-at-home orders, going out only for essentials like groceries, and not simply gallivanting around like a bunch of Sunday drivers. Comments on the story generally evince a negative reaction to this kind of tracking, as well as some expression of relief that, thank heaven, the commenter drives a primitive rattletrap without newfangled Internet gizmos.

Estonia moves toward immunity passports.

Estonia is preparing a digital immunity passport, a QR code people can display on their smartphones that will inform shopkeepers, gatekeepers, barkeeps and so on that the bearer has been tested for COVID-19. The Telegraph quotes Taavet Hinrikus of Back to Work, a non-governmental organisation that's developing the passport: “Digital immunity passport aims to diminish fears and stimulate societies all over the globe to move on with their lives amidst the pandemic.” The Telegraph's report is ambiguous, saying only that the passport displays test results, but Reuters goes farther, and reports that the intention is to show, specifically, immunity status. There may be some front-running going on here: it's not clear that there's yet a sound understanding of COVID-19 immunity and its relationship to the spread of the virus.

Honorable espionage and norms for cyberspace: lessons from the time of the pandemic.

Columbia University's Jason Healey and Virpratap Vikram Singh have a post on the Council on Foreign Relations blog in which they argue that the COVID-19 pandemic represents an opportunity to achieve some clarity about norms in cyberspace. The post's title urges the US to "double down on cyber norms," but their argument is more nuanced than the hard-nosed cardsharp language of the title suggests.

They look at last week's warning from the FBI and US Department of Homeland Security concerning Chinese espionage directed against organizations conducting biomedical research into COVID-19, and find that warning's contentions that such espionage jeopardizes effective treatment of the disease to be "flimsy." And they think it unrealistic to think that any nation-state's intelligence services would agree to refrain from collecting information about medical treatments. A pandemic is a threat to any nation. It would be irresponsible for them to renounce such collection. They don't put it this way, but it would amount to professional malpractice, and expecting such restraint to become an international norm is as naive as the attitude Secretary of State Stimson displayed when he withdrew funding from the joint State-Army Black Chamber in 1929 on the grounds that "Gentlemen do not read each other's mail."

What Healey and Singh recommend instead is insistence on certain familiar distinctions. They suggest that any reasonable set of norms should include, as a minimum, the following features, many of which will be familiar in spirit to students of the laws and customs of armed conflict:

  • Cyber incidents shouldn't cause direct harm, which amounts to an application of principles of proportionality. (It's worth noting that there have been some concerns that Chinese espionage against vaccine research not only stole data, which in itself is arguably "honorable espionage," but may have also corrupted research data, either intentionally or not. If it did so, that would seem to constitute "direct harm." As the authors put it, "interruption of the availability of or, even worse, manipulation of vaccine and public health data is reckless and completely unacceptable.")
  • Cyberattacks against protected organizations like hospitals should be prosecuted as crimes, and such facilities should be off-limits to attack, an application of the principle of discrimination.
  • "States agree that espionage regarding vaccine and public health data is acceptable. Such espionage should be as non-disruptive as possible so as not to interrupt the work of the medical and research teams. The fruits of such espionage, such as stolen intellectual property, cannot be used for commercial advantage." The insistence that espionage not serve commercial advantage has been a longstanding American position, and is frequently cited by US authorities when they're asked why American spying is different from Chinese spying.
  • Information operations shouldn't interfere with crisis response.
  • States should not permit their territory to be used by cybercriminals or other malicious actors. Doing so would constitute failure to live up to the responsibilities of sovereignty.
  • Finally, governments would voluntarily cooperate "to hold states accountable when they act contrary" to their obligations, which amounts to an invocation of a responsibility for collective security.

Developing norms for conduct in cyberspace should realistically recognize the truth of former Director of NSA and Director of Central Intelligence Hayden's observation after the Office of Personnel Management hack that there's such a thing as "honorable state espionage," and "shame on us" if we can't block it. So perhaps the simplest formulation would be: spying is in, but sabotage and criminal theft are out.

On the persistence of remote work.

Remote work appears likely to remain widespread even after the pandemic abates. Facebook is the most prominent corporation to announce that it's all-in on a teleworking future. The Wall Street Journal reports that Menlo Park sees many advantages in terms of cost-savings, productivity, and employee quality of life when its people won't actually have to show up in Menlo Park. And, of course, Mr. Zuckerberg foresees more "geographical and ideological diversity" if the company's workers can live anywhere, and not remain so closely tied to the San Francisco Bay area.

The US Federal Government has also found that many of its jobs can be done from home. Federal Times reports that the US Federal CIO Suzette Kent says the Government has been able to rethink its ways of doing business, and now has a better grip on the sorts of work that in fact require physical presence to accomplish.

This is good news for vendors who specialize in remote collaboration tools, as the Wall Street Journal also observes. The effects on individual workers will vary, depending on their home circumstances. They may also have to accept lower salaries: few places have a higher cost-of-living than Silicon Valley, and that will surely factor into compensation plans.

There are some downsides both to returning to the office and to continuing to work from home. Police in the UK want businesses to take proper precautions to ensure that the offices they've "abandoned" during the pandemic are clear of cyber threats when people return. SC Magazine quotes Peter Goodman (chief constable for the Derbyshire Constabulary, National Lead for Cyber Crime and for Serious and Organised Crime, National Police Chiefs' Council) as saying, "Because unfortunately some may have locked the front door but have forgotten to close the back door as they left. We do anticipate that there may be some malware sitting on people's systems as they get back to work." Imagine an infestation of evil maids if you must, but at least take a look at security upon your return.

Another issue that might be easily overlooked by organizations continuing to work remotely: does your cyber insurance cover risks of telework? JDSupra advises you to check your policies.

Not all work, of course, can be done in cyberspace. Most jobs, in fact, including most of those that build what we call "civilization," have to be done in kinetic space, in real life, in meatspace. It's worth bearing that in mind as societies and governments evolve labor practices for whatever the new normal turns out to be.