The UK Parliament’s e-mail system was targeted by a sustained brute-force password-guessing attack last Friday, forcing parliamentary staff to temporarily block remote email access and mandate password changes. The ‘rudimentary’ but effective attack resulted in the compromise of at least 90 email accounts. A few members of parliament, including Cabinet ministers, saw their details posted for sale online, and it’s possible that embarrassing personal information has been taken, posing a risk of blackmail. More importantly, the details gathered could be used to penetrate other vital systems. It’s not yet clear who conducted the attack or why, but Conservative Party MP Henry Smith trundled out the usual suspects, from Russia, to North Korea, to an anonymous stranger in a basement. Subsequent commentary has criticised Parliament’s information security practices: accepting weak passwords that could be ‘guessed’, lacking basic and decades-old mitigations like IP filtering and two-factor authentication, and the 10-hour delay before the Parliamentary Digital Service alerted affected personnel.
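The criticism above comes down to three gaps: nothing throttled guesses per source, nothing spotted guesses spread across many accounts, and nobody was told for ten hours. As an added illustration (not code from the article, the Parliamentary Digital Service or any product mentioned here), the Python below runs over constructed authentication log lines in an assumed `<timestamp> <FAIL|OK> user=<account> src=<ip>` format and raises the alerts a mail or directory team would want to see promptly: repeated failures against one account, one source failing against many accounts (password spraying), and a successful login from a source that had just been failing. The log format, thresholds, account names and IP addresses are all assumptions chosen for the example.

```python
"""Brute-force and password-spray detector over authentication log lines.

Added example, not from the original article. The log format below is an
assumption: one event per line, ISO timestamp, FAIL or OK, then key=value
fields. Real mail gateways and directory services log differently; the
sliding-window counting is the transferable part.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Thresholds are assumptions for this example, not values from the article.
FAILS_PER_ACCOUNT = 3     # failures against one account inside WINDOW
SPRAY_ACCOUNTS = 4        # distinct accounts one source fails against inside WINDOW
FAILS_BEFORE_SUCCESS = 3  # failures (per source or per account) preceding a success
WINDOW = timedelta(minutes=10)

# Constructed sample log (documentation IP ranges, made-up accounts).
SAMPLE_LOG = """\
2017-06-23T03:00:01 FAIL user=alice src=198.51.100.7
2017-06-23T03:00:02 FAIL user=bob src=198.51.100.7
2017-06-23T03:00:03 FAIL user=carol src=198.51.100.7
2017-06-23T03:00:04 FAIL user=dave src=198.51.100.7
2017-06-23T03:00:05 FAIL user=erin src=198.51.100.7
2017-06-23T03:00:06 OK user=erin src=198.51.100.7
2017-06-23T03:01:00 FAIL user=frank src=203.0.113.9
2017-06-23T03:01:20 FAIL user=frank src=203.0.113.9
2017-06-23T03:01:40 FAIL user=frank src=203.0.113.9
2017-06-23T03:02:00 FAIL user=frank src=203.0.113.9
2017-06-23T08:00:00 FAIL user=heidi src=192.0.2.44
2017-06-23T08:15:00 FAIL user=heidi src=192.0.2.44
2017-06-23T08:30:00 FAIL user=grace src=192.0.2.44
2017-06-23T08:30:30 OK user=grace src=192.0.2.44
2017-06-23T08:31:00 FAIL user=heidi src=192.0.2.44
"""


def parse_line(line):
    """Parse one assumed-format line into (timestamp, success, user, source)."""
    ts, result, *kv = line.split()
    fields = dict(item.split("=", 1) for item in kv)
    return datetime.fromisoformat(ts), result == "OK", fields["user"], fields["src"]


def detect(log_text):
    """Return a list of (kind, key, detail) alerts, one per kind and key."""
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    src_fails = defaultdict(list)   # source ip -> [(ts, user)] failures in window
    user_fails = defaultdict(list)  # account   -> [ts] failures in window
    alerts, seen = [], set()

    def alert(kind, key, detail):
        if (kind, key) not in seen:          # report each condition once
            seen.add((kind, key))
            alerts.append((kind, key, detail))

    for ts, ok, user, src in events:
        # Slide the window: forget failures older than WINDOW before this event.
        cutoff = ts - WINDOW
        src_fails[src] = [e for e in src_fails[src] if e[0] >= cutoff]
        user_fails[user] = [t for t in user_fails[user] if t >= cutoff]

        if ok:
            # A success right after a burst of failures is the likely compromise.
            if (len(src_fails[src]) >= FAILS_BEFORE_SUCCESS
                    or len(user_fails[user]) >= FAILS_BEFORE_SUCCESS):
                alert("success_after_failures", f"{user}@{src}",
                      f"login succeeded after {len(src_fails[src])} failures from {src}")
            continue

        src_fails[src].append((ts, user))
        user_fails[user].append(ts)

        if len(user_fails[user]) >= FAILS_PER_ACCOUNT:
            alert("brute_force_account", user,
                  f"{len(user_fails[user])} failures within {WINDOW}")

        distinct = {u for _, u in src_fails[src]}
        if len(distinct) >= SPRAY_ACCOUNTS:
            alert("password_spray", src,
                  f"failures against {len(distinct)} accounts within {WINDOW}")

    return alerts


if __name__ == "__main__":
    for kind, key, detail in detect(SAMPLE_LOG):
        print(f"{kind:24} {key:24} {detail}")
```

Run as-is, the spray from 198.51.100.7, the repeated guesses against `frank`, and the success for `erin` from the spraying source each produce one alert; `heidi`’s three failures spaced fifteen minutes apart fall outside the window and stay quiet. Per-source blocking on its own misses a spray distributed over many addresses, which is why the per-account and success-after-failure checks matter; two-factor authentication is what keeps a correctly guessed password from being enough.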
Attorney-General George Brandis and Minister for Immigration and Border Protection Peter Dutton have issued a joint media release setting out Australia’s agenda ahead of a Five-Eyes meeting in Ottawa—though 10 points from Gryffindor for ‘Ottowah’. The meeting is set to focus on encrypted communications, data sharing and immigration arrangements. Encrypted messaging has dominated the national security debate recently, because of its massive growth to 40% of CT-related communication intercepts today, compared to 3% just four years ago. Russia is also facing the encryption debate, with the Russian Federal Security Service threatening to block the encrypted messaging app Telegram for refusing to decrypt messages after it was used by terrorists in the St. Petersburg metro attack back in April.
Tech firms aren’t happy with the direction of the encryption debate either, with Google’s Legal Counsel Kent Walker stating that companies are in an ‘untenable’ position—caught between unwieldy treaty-based international evidence requests (which currently take up to 10 months on average) and systemic legal ambiguity. In a supporting blog post, he’s called for new regulations that clarify data sovereignty, improve current international evidence-sharing processes, and introduce agreed norms on the baseline principles of privacy, human rights and due process. Google has also announced that Gmail will no longer be scanned for advertising profiling data, a move intended to increase consumer confidence.
In news for any legal scholars following the infosec world, the National Law Review, an American journal, has put out a three-part series providing a rundown on China’s recently implemented Cybersecurity Law. Germany has recently introduced new laws that expand the scope of situations in which German police are allowed to access devices and read messages at the source. The law has run into legal challenges, which argue that the new legislation contravenes EU law. Finally, pending legislation, Canada might see its Communications Security Establishment legally empowered (with upgraded oversight) to carry out offensive cyber operations, a move that would significantly expand its mandate.
Cyber cooperation has seen big wins this week, with Canada and China signing an agreement to stop using cyber-attacks for industrial espionage. Multilaterally, Thailand’s Ministry of Foreign Affairs will host a seminar next week to discuss ASEAN’s cybersecurity cooperation and practice in the future. And the World Bank is funding a project to stand up Zambia’s National Cybersecurity Agency, with Israeli cybersecurity company CyGov providing advice and expertise.
WannaCry has continued to infect pockets of unpatched systems this week, striking a Honda factory and forcing it to shut down temporarily while fixes were applied. WannaCry has also affected traffic cameras in Victoria. Initial statements from the Victorian government indicated that the overall system wasn’t compromised and that all infringements would stand, but that position was later reversed, with the government stating it would ‘quarantine’ and review infringements generated by the affected cameras. The contradiction suggests that the Victorian government is struggling with its communications and decision-making processes during cyber incidents.
The US national security community seems to be embracing open source development communities, with the National Security Agency (NSA) joining GitHub to launch a page that shares the details of 32 different projects. Similarly, the Department of Homeland Security has announced a Kaggle competition for passenger screening, sharing valuable training data and offering a US$1.5 million reward to the team that develops an algorithm for body scanners to automatically identify concealed objects. There’s been some involuntary technology sharing between the national security and open source communities, too, with WikiLeaks releasing more technical documentation on CIA hacking tools from ‘Vault7’. The latest leak has provided details on a toolset called ‘Brutal Kangaroo’, designed to spread through infected USB drives and, potentially, infiltrate air-gapped computers.