22 May 2024: On the CISA guidance for civil society
A personal/work update: I am still working for Internews, but only in a part-time capacity. In the meantime, I have returned to working as a part-time researcher for Silent Push, an exciting threat intelligence startup that I already worked for a few years ago. I am also involved in some smaller ad hoc projects. More on some recent work I did for Silent Push later. And to state the obvious: this newsletter reflects my opinion alone.
If someone forwarded this newsletter to you, that is very kind of them and don't forget to thank them for it. You can subscribe here to receive future newsletters directly into your inbox. Feedback and suggestions are always welcome!
Martijn
martijn@lapsedordinary.net
martijngrooten.37
On the CISA guidance for civil society
Last week, CISA, the United States Cybersecurity and Infrastructure Security Agency, together with other government agencies from the US, the UK, Canada, Estonia, Finland, and Japan published a report with guidance on digital threats for civil society.
I think it’s great that CISA and its partners did this work. Whatever your views on the US government, CISA is widely respected as a very capable organization and its guidance is rightly followed by organizations well beyond the government agencies it is usually written for. CISA acknowledging that civil society needs tailored advice to “[mitigate] cyber threats with limited resources” is important.
The report is also really good. The guidance given is the kind that would make a tangible difference, and the threat actors listed are indeed known to have had civil society among their targets. It is also something that can be referred to in, for example, funding proposals.
Still, I’d like to add some context, especially for those less familiar with this particular sub-field of cybersecurity.
(Note: I have been involved in some discussions with CISA staff members on this very topic. I was not involved in any way in the writing of this report.)
The first point to make is that the mitigations listed in the report aren’t exactly a surprise. We all know that multi-factor authentication reduces the likelihood of account takeovers by several orders of magnitude. We also know that patching software limits the chances of malware running successfully.
This is true for cybersecurity in general. The step from knowing how to do security right to actually doing it is, it turns out, incredibly hard for any organization. This is why ransomware continues to be such a big problem, even though almost all ransomware incidents could have been prevented.
People and organizations have conflicting priorities and, with hindsight, often make the wrong choices when it comes to security.
What makes the situation worse for many civil society organizations is that they are very small and often don’t have the in-house expertise to do things like auditing user accounts, applying the principle of least privilege, or checking vendor contracts for security controls – all of which the CISA report helpfully suggests they do. And a report, good though it is, is not going to make the difference.
There is good news though: there are many highly skilled individuals and organizations working around the world that are trusted by the local communities (which is very important in an environment where distrust is the default). They do security audits, give trainings, provide support and often help with incident response. If you would like to help make civil society around the world more secure, find a way to support these people (reach out if you need contacts!).
A second thing to note is that digital threats against civil society aren’t limited to the usual CIA triad (not that CIA) of confidentiality, integrity and availability of information systems. They also include things like harassment, regional or national Internet shutdowns, and disinformation. Many people working in civil society also have reasons to worry about their physical safety, for example arrests or worse, and not just their digital safety.
Focusing solely on the information security component doesn’t do justice to the lived experience of the people involved. It also doesn’t always accurately address the problem. For example, in some parts of the world, certain sensible security decisions can make someone a bigger target for the police or intelligence services.
And a final point to make is that incident response work for civil society revolves around incidents, not threats. Not all incidents are threats (I would guess a majority isn’t), but many are still perceived as such. The goal of incident response shouldn’t be to always look for a possible threat, but to resolve the incident, regardless of what caused it. That is how this community is best served.
One of my favorite things to do in security is to make links between civil society and the cybersecurity industry and find ways for the latter to help the former. I actually gave a talk about that last year. If you’re interested in learning more, don’t hesitate to reach out!
What else?
For Silent Push I wrote a blog post about a network of Telegram phishing pages targeting countries in Eastern Europe and Central Asia. I liked using the Silent Push platform to expand on work by CyberHUB-AM. But it also serves as a reminder of how Telegram phishing works.
By default, a Telegram account is only protected through the phone number it is linked to. So if someone manages to trick you into entering a code sent via SMS to your phone number, they can take over your Telegram account. This is how this particular phishing campaign works.
The same trick would also work against WhatsApp or Signal, but there, thanks to end-to-end encryption, at least an account takeover doesn’t grant access to your old messages. The best way to protect these accounts from this kind of phishing (or from SMS interception, which also happens but is less common) is therefore to add a password or passcode to the account.
Cyberscoop has a long report from Poland where the new government is reckoning with years of spyware abuse under its predecessor, in which almost 600 people were targeted with Pegasus. As John Scott-Railton from Citizen Lab rightly points out, this is "unprecedented for spyware abuse accountability".
Partial or total Internet shutdowns around events such as elections, protests and exams are becoming increasingly common around the world. Access Now's annual report on shutdowns, of which the 2023 edition was just released, continues to provide the best and most complete overview of such events and is thus worth reading and bookmarking.
Last month, Human Rights Watch wrote about the Supreme Court of the Philippines rejecting the practice of "red-tagging". This is the practice of accusing people and organizations of supporting the communist insurgency in the country. It is a threat specific to the Philippines, but in different forms is common in many other countries, where the government accuses those it doesn't like of supporting a foreign nation, a different religion, or terrorism. Especially in the latter case, tech platforms can be too willing to comply with the government demand.
An interesting blog post by Didier Stevens (known for his malware analysis tools) at the SANS Internet Storm Center points to a subtlety in DNS that is often overlooked. Technically, all hostnames end in a dot (so www.example.com. rather than www.example.com). This dot is almost always omitted, but if you omit it then, for example, Windows will try to append the DNS suffixes configured on the client. It's not something you often come across, but DNS issues can be very subtle and maybe the solution to your particular problem is in that dot.
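To make the trailing-dot subtlety concrete, here is an added example (not from the newsletter or Didier Stevens' post) that models how a stub resolver expands a name before sending queries: an absolute name (trailing dot) is looked up as-is, while an unqualified name may have the client's search suffixes appended. The `ndots` ordering rule is the one used by glibc's resolv.conf; Windows applies its own suffix rules, so the exact order there is an assumption, and the suffixes `corp.internal` and `lab.internal` are constructed sample values.

```python
# Model of stub-resolver name expansion (added example, not the page's code).
# Assumption: the ndots rule below follows glibc/resolv.conf semantics; the
# ordering Windows uses for its configured DNS suffixes may differ.

def lookup_candidates(name, search_suffixes, ndots=1):
    """Return the fully qualified names a resolver would try, in order.

    name            -- the name as typed by the user or application
    search_suffixes -- the client's configured DNS search suffixes
    ndots           -- minimum number of dots before the name is tried
                       as absolute first (glibc default is 1)
    """
    # A trailing dot marks the name as absolute: no suffix is ever appended,
    # which is the whole point of writing www.example.com. instead of
    # www.example.com when a lookup behaves unexpectedly.
    if name.endswith("."):
        return [name]

    absolute = name + "."
    expansions = [f"{name}.{sfx.strip('.')}." for sfx in search_suffixes]

    # Few dots: the resolver assumes a local short name and tries each
    # search suffix first, falling back to the absolute name last.
    # Enough dots: the absolute name is tried first, suffixes afterwards.
    if name.count(".") < ndots:
        return expansions + [absolute]
    return [absolute] + expansions


def would_append_suffix(name, search_suffixes, ndots=1):
    """True if any lookup other than the name itself could be attempted."""
    return len(lookup_candidates(name, search_suffixes, ndots)) > 1


if __name__ == "__main__":
    suffixes = ["corp.internal", "lab.internal"]  # constructed sample config
    for n in ("www.example.com.", "www.example.com", "intranet"):
        print(n, "->", lookup_candidates(n, suffixes))
```

The last case shows why a short name such as `intranet` may resolve differently on a laptop that has left the office network: the suffixes that used to turn it into a real host no longer apply.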
By the way, I've mentioned this before, but the SANS ISC daily podcast mixes security news with tips like this one. And it's nicely short too and thus highly recommended.
Those who have been around in cybersecurity for a long time will remember the Heartbleed vulnerability in OpenSSL discovered in 2014, one of the most (in)famous vulnerabilities of all time. Security news site Dark Reading looked back on the vulnerability and the debate on naming it and included my input.
Non-security things
A book I read: The protagonist of Andrey Kurkov’s Death and the Penguin is a writer who gets a job writing obituaries of well known people, who all end up getting killed shortly afterwards. And he lives with a penguin. That’s quite surreal, but then this is Ukraine in the post-Soviet 1990s which in my imagination was a pretty surreal era and that atmosphere is well captured in the story. The book is strange but funny and intriguing and keeps going at a good pace until reaching a surprising but great final sentence.
A song I liked: I was cycling through the fields last week when I stopped my bike to listen to the beautiful singing of larks. Then I found Boudewijn de Groot’s Kinderballade (Spotify, YouTube), which mentions singing larks at the very beginning, stuck in my head. I don’t listen to a lot of Dutch language music, but I’ve liked this song since I was a child. De Groot, known for his clear Dutch voice, has been one of the best known Dutch singers for about six decades (my parents love him too), but this song (a tragic love story of two children) is the most poetic in his oeuvre, if only because its lyrics were written by one of the country’s best known poets.