Cyjax CISO, Ian Thornton-Trump, and Head of Editorial, Tristan de Souza, return in the second installment of their new podcast on geopolitics and cybersecurity.
This month they look at some of the most interesting events of the last month, delving deeper into coronavirus, tackling technology and democracy, perusing the Panama Papers’ first US conviction, while in the UK, the Post Office is held to account for software issues that ruined lives.
Coronavirus and social media
Since our last podcast – in which we discussed the spread of false information regarding the outbreak, various malware’s use of the virus as a lure in its campaigns, and the disruption to global travel – coronavirus has spread to 118 countries and infected over 115,000 people worldwide. At the time of writing the World Health Organisation has still not called the outbreak a ‘pandemic’ – noting that it has “pandemic potential”. Governments around the world have pushed out both public health guidelines and best practices, monitored self-isolated or quarantined individuals, and started testing more and more citizens. South Korea, Iran, and Italy are among the world’s worst-hit countries – excepting China – and Israel was the first country to introduce a compulsory 14-day self-quarantine period for all those arriving from abroad. Coronavirus is causing a global economic slowdown, serious travel disruption, and killing thousands. But are the media and the so-called ‘infodemic’ actually going overboard?
We have seen innumerable panic-inducing headlines, from those stating that as many as 80% of the British population could be currently infected with coronavirus to those claiming that “half a million” are already dead. [1, 2] In addition, misinformation circulates on social media: in the last few days of February, Facebook finally banned ads that promised a cure for coronavirus (there currently is none) or claimed to prevent the spread of the virus (there are no products or medication currently that would prevent the spread of the virus). Given that a significant percentage of the world’s population gets its news from social media, and Facebook in particular, this was a welcome step. (Though it does raise the question of why the company still refuses to ban political advertising that is misleading.)
Of course, the less misinformation circulating about coronavirus the better. Not that this stops malicious actors from leveraging the situation to their benefit. There has been an exponential increase in the use of coronavirus as a lure in phishing campaigns, malware distribution operations, and other nefarious activity. This has ranged from fake World Health Organisation emails requiring recipients to ‘verify’ their email address by entering their username and password, which are then stolen; state-sponsored APTs (Advanced Persistent Threats) using coronavirus in their phishing emails to infect recipient devices with malware using documents allegedly stolen from the Chinese government; and a SMiShing (SMS phishing) campaign targeting South Korea which used a “free mask missed delivery” notice to entice people into clicking a link and giving away their details. Some of the most dangerous malware in the world have been distributed in these campaigns and one, the Ryuk ransomware, was even found to have references to both coronavirus and Hong Kong’s Head of Communicable Disease, Dr Chung Shuk-Kwan, in its code. Threat actors are nothing if not enterprising.
As a result, in the last few weeks we have also seen an erosion of trust: both in politicians – though their stock was already low – and other authorities, like health services. Nowhere is this better exemplified than Ukraine, where coronavirus-themed phishing lures impersonated the Center for Public Health, a department of the Ukrainian Ministry of Health. The campaign, along with other misinformation about the spread of the virus and stories about those infected on social media, led to protests; the deployment of riot police; buses of patients likely to have coronavirus being attacked; and hospitals being barricaded to prevent the arrival of these people. And this was in spite of assurances from both the Ukrainian government and Ministry of Health that these messages were fake. It does not help that politicians are making the virus a partisan issue – President Trump at one point called the coronavirus the left’s “new hoax”. This outbreak may have a serious impact on trust in democracy in general. Which leads us neatly onto our next topic.
Democratic primaries, democracy and technology
Officials in the United States said they feared that malicious actors might weaponise the coronavirus in misinformation campaigns (such as claims that the coronavirus was started by the Pentagon or the Bill & Melinda Gates Foundation, or by the deployment of 5G technology) ahead of Super Tuesday’s Democratic primaries. Public fears about coronavirus could be used to “spread disinformation, amplify rumours and tamp down voter turnout,” according to the Washington Post. Stories that someone tested positive for coronavirus at their local polling station could be circulated to voters for a candidate that the threat actors do not want to win. In the event, the Super Tuesday voting went off without a hitch – technologically, at least. But it is important to note that the Department of Homeland Security’s cybersecurity division chief Chris Krebs confirmed that this was “one of a number of scenarios” that they were looking into. [3]
Not that it’s always malicious actors who are the ones potentially undermining the democratic process. As we discussed in the podcast, there are serious issues with the Voatz app, which was used in the midterm elections in 2018, was due to be deployed in the West Virginia primary (now dropped), and is still scheduled to be rolled out in the 2020 presidential elections. Researchers at MIT found several bugs in the app and reported them to Voatz, but the company instead attempted to sue the academics rather than working with them to fix the app. Clearly it is more important to maintain a reputation than to build a secure app for a presidential election.
Another intriguing trend, which we unfortunately didn’t have time to cover in the podcast, was reported by researchers at Proofpoint. From the statistics on spam and malspam, as well as the numbers of malicious domains registered, it is possible to form a picture of who the most popular candidate is at a certain point in an election cycle. In 2016, Trump-themed illicit emails far outpaced those using Hillary Clinton as a means of luring their victims. There were similar trends in the UK and German elections of 2017, as there were in France in 2017, where Macron-themed malicious emails were by far the most prolific. And in 2020, at the time of publishing, Trump still massively outguns all the Democratic challengers, garnering 68% of all illicit emails, compared to 5% for Biden and 8% for Sanders. It is closer in terms of the numbers of malicious domains being registered with names related to the candidates, but Trump still comes out on top with 52% compared to Sanders’ 28%. Whether these statistics will be borne out in November remains to be seen.
Panama papers – the first US conviction
In terms of trust in institutions, and the truth in general, the Panama Papers were, arguably, a low point in the last decade. The leak from Panamanian law firm Mossack Fonseca was a victory for investigative journalism and a vindication for many campaigners. It showed that the great and the good – as well as the bad and the (morally) ugly – were engaging in illegal practices to hide wealth, disguise the sources of wealth, and evade tax. Since then, 23 countries have recovered $1.2 billion and various heads of government have stepped down or faced prosecution; Mossack Fonseca has been shut down; and there have been investigations in at least 82 countries.
Harald Joachim von der Goltz, who was charged with using the services of Mossack Fonseca to circumvent US tax laws, will now plead guilty, according to federal prosecutors, in what could be the first conviction in the US related to the case. Von der Goltz had originally pleaded not guilty but, for reasons that have not yet been disclosed, has now decided to reverse this plea (though it is not clear to which of the government’s charges of wire fraud, tax fraud and money laundering Mr von der Goltz will plead guilty).
From a cybersecurity point of view, remember that Mossack Fonseca claimed its emails had been hacked. It transpired, however, that the company’s employees had not been encrypting their emails, the company was running a three-year-old version of the Drupal content management system (CMS) that was riddled with vulnerabilities, and some parts of its site may have been running an out-of-date WordPress plugin. The site’s CMS had not been secured against SQL injection, which is a common database attack vector, and it was later revealed that researchers had found four government-grade remote access Trojans on the Mossack Fonseca client login page. This situation is a ‘What Not To Do’ guide for any company, particularly those that deal with incredibly sensitive data.
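The SQL injection weakness mentioned above is worth seeing in code. The following is an added example written for this post, not code from Mossack Fonseca’s site or from any CMS: it builds a small in-memory SQLite table (the table, usernames and values are constructed for illustration) and contrasts a login lookup that splices user input into the query text with the parameterised form that binds the input as data, which is the standard fix.

```python
import sqlite3


def make_db():
    """Build a constructed in-memory table standing in for a client-login table.

    The table name, columns and rows are invented for this example.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE clients (username TEXT, password_hash TEXT)")
    conn.executemany(
        "INSERT INTO clients VALUES (?, ?)",
        [("alice", "hash-a"), ("bob", "hash-b")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    """Unsafe pattern: the caller's input is pasted into the SQL text.

    Any quote character in `username` changes the structure of the statement
    rather than the value being compared, so a crafted input can widen the
    WHERE clause and return rows the caller was never meant to see.
    """
    sql = f"SELECT username FROM clients WHERE username = '{username}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterised(conn, username):
    """Hardened pattern: the input is bound as a parameter.

    The database driver sends the statement and the value separately, so the
    value is only ever compared as data and can never be parsed as SQL.
    """
    rows = conn.execute(
        "SELECT username FROM clients WHERE username = ?", (username,)
    )
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_db()
    # Constructed input containing a quote, of the kind a login form must
    # expect: the string-built query returns every client, the bound query none.
    crafted = "x' OR 'a'='a"
    print("vulnerable   :", lookup_vulnerable(db, crafted))
    print("parameterised:", lookup_parameterised(db, crafted))
    print("normal login :", lookup_parameterised(db, "alice"))
```

The only difference between the two functions is where the input ends up: inside the statement text or in the bound-parameter list. A code review or static check that flags string formatting (f-strings, `%`, `.format`, concatenation) feeding `execute()` catches the first pattern; every mainstream database driver and CMS data layer offers the second.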
Post Office accounting software leads to tragedy
Another example of how not to run a company – though this time in terms of the way in which employees are cared for – is the long-running, but little reported, saga of the Post Office sub-postmasters. Due to errors in their accounts, spanning months, and in some cases years, hundreds of sub-postmasters were fired and pursued through the courts. They were charged with theft and false accounting. But the ‘discrepancies’ were not human-made, they were caused by issues with the Horizon computing system deployed by the Post Office throughout its holdings.
The system, manufactured by Fujitsu, was causing money to simply disappear from the tills of sub-postmasters all across the UK. When they contacted the Post Office, however, they were told in no uncertain terms that they were the only ones to be experiencing these issues and that if they did not balance their books they would lose their post office. One sub-postmaster had a stroke which he blames on the Horizon problem. Another developed fibromyalgia, Bell’s palsy, and started having panic attacks. He tried to take his own life; another succeeded in committing suicide. Others are now unable to get work using their financial qualifications because they have spent time in prison in connection with the Horizon-related ‘discrepancies’.
Following a settlement for £58 million in December 2019 at the High Court, the current and former CEOs of the Post Office will be brought in front of a parliamentary select committee to explain how this happened. Forensic accountants had deemed Horizon ‘not fit for purpose’ in 2013, but the Post Office had dismissed their findings. The real-world consequences of technology malfunctions, and of an unwavering faith in technology, can be both financially and, sometimes, literally terminal.
For more on cybersecurity, visit the Cyjax blog at…