Last updated on May 5th, 2022 at 05:00 pm
Last month the story broke that the hacker group LAPSUS$ had figured out how to manipulate well-meaning people at major corporations into turning over private user data. The group impersonated members of law enforcement agencies and made an emergency data request (EDR) for the information.
EDRs allow law enforcement access to a backdoor in a secure system if a person may be in imminent danger. EDRs can come in emails, express mail or, most often, faxes to the company’s data protection officer (DPO). The requests do not require warrants but when faced with the option of saving a life or saving data, most companies comply.
Companies comply willingly
In March Apple and Meta DPOs acceded to fake EDRs and leaked massive amounts of personal data to LAPSUS$ operatives, some of whom are teenagers. According to Apple’s own public records, the company fielded 1,162 EDRs worldwide and rejected only 8. Interestingly, just under half of all the requests came from the United Kingdom and another quarter from the United States.
There was no lack of handwringing and justifying the DPO decisions to allow that access. After all, human life might have hung in the balance. Facebook’s own guidelines state, “If we believe in good faith that the matter is regarding potential bodily harm or death of a person, the Facebook Security Team will respond in a timely manner.”
So they were just doing the right thing, but so would placing a phone call to verify the request.
Cyber Protection Magazine wondered why the DPOs just didn’t take 5 minutes to place a call to the law enforcement agency and confirm the requests. We contacted several security experts to ask if that was an effective defence and they all agreed it was prudent. Matthew Rosenquist, CISO at Eclipz.io Inc., even had a name for it: Side-channel validation.
“For any type of potentially fraudulent communication, where someone impersonates an authority, reaching out using a different method is good practice,” Rosenquist said.
In many cases, the request comes in the form of a fax, according to Ian Thornton-Trump, Chief Information Security Officer at Cyjax Ltd., a fact he found somewhat amusing.
“We live in a world where faxes are still a thing. Anyone can send a fax,” he chuckled. “it’s really important to verify the request and the identity of anyone utilizing special authorities to gain access to sensitive data.”
Thornton-Trump suggested even more scrutiny than a confirming phone call would be prudent. ”Maybe even a one-time code or verified account process is required. The leverage of data requests under a fake pretence or fake authority should be akin to impersonation with penalties and significant, dissuasive and punitive penalties.”
Rosenquist added that any request for access to data should be verified, not just EDRs.
Once again, zero-trust approaches are mandatory for safety, especially for the gatekeepers of that information.
Lou Covey is the Chief Editor for Cyber Protection Magazine. In 50 years as a journalist he covered American politics, education, religious history, women’s fashion, music, marketing technology, renewable energy, semiconductors, avionics. He is currently focused on cybersecurity and artificial intelligence. He published a book on renewable energy policy in 2020 and is writing a second one on technology aptitude. He hosts the Crucial Tech podcast.