nirutft - stock.adobe.com
Here are Computer Weekly’s top 10 investigations and national security stories of 2020.
Computer Weekly was the first publication to break the story of a devastating ransomware attack against Travelex.
The Sodinokibi cyber crime group demanded a six-figure ransom from the company to decrypt critical computer files needed to run the business.
People familiar with the attack told Computer Weekly that computers containing confidential information, including names of clients and bank account and transaction details, had been infected by the Sodinokibi malware.
The article raised questions about the security of Travelex’s computer network after it emerged that the company waited eight months to patch vulnerable VPN servers, despite warnings from security professionals and government agencies.
Travelex posted a notice on its website confirming it had been hit by a virus attack following publication of the story.
Three weeks after bringing Travelex’s computer systems to a halt, the Sodinokibi cyber gang attacked the German car parts manufacturer, Gedia Automotive Group.
The parts company said that the cyber attack would have far-reaching consequences for its business, and that it would take weeks or months before its IT systems were up and running.
The hacking group used two Russian-speaking underground forums on the dark web to threaten to publish 50GB of sensitive data, including blueprints and employees’ and clients’ details, unless Gedia agreed to pay a ransom.
The attackers released a file containing scans of Gedia’s Microsoft Active Directory, containing details of sensitive user names and passwords, as proof that they had infiltrated the company’s networks.
Computer Weekly established that the hackers used a tool, known as ADRecon, that was also used in previous Sodinokibi attacks, to extract data from Gedia.
In March, a different cyber crime group, Maze, attacked the computer systems of a medical research company on standby to carry out trials of a possible future vaccine for the coronavirus.
The Maze ransomware group extracted data from the computer systems of Hammersmith Medicines Research (HMR), publishing personal details of thousands of former patients after the company declined to pay a ransom.
The cyber criminals had earlier made a public promise not to attack medical organisations during the coronavirus outbreak.
The group removed the medical records from the internet, two hours after publication of Computer Weekly’s story, claiming that it had attacked HMR before it had made its promise not to attack medical organisations.
Maze’s statement attacked computer security professionals failing to do their jobs, suggesting that they “prefer to chat in social networks or watch porn”.
4. Automated image recognition: How using ‘free’ photos on the internet can lead to lawsuits and fines
An investigation by Computer Weekly revealed how schools, small businesses and charities had received intimidating demands for hundreds, or in some cases thousands of pounds after using apparently free photographs from Flickr.
German photographer Marco Verch has flooded the internet with tens of thousands of apparently free-to-use images that are protected by an outdated version of the Creative Commons copyright licence.
Verch uses his own software and third-party enforcement services to identify people who have broken his licensing rules, often unwittingly, leaving them open to be targeted for fines and legal action.
In the US alone, Verch has sought over $4.5m in fines and legal penalties.
Victims who have given interviews to Computer Weekly said they had received legal demands for money from Verch or his agents despite making honest mistakes.
Flickr and other photo-sharing sites could stamp out this sort of scheme by updating their photo-sharing licence to the latest version of Creative Commons.
Durham Police and the Police Service of Northern Ireland raided two journalists’ homes after they produced a documentary exposing the police failure to properly investigate the murder of six innocent people in a sectarian attack in Loughinisland, County Down.
During the raids, police officers downloaded over 10TB of highly confidential data from the film company’s servers, including files belonging to journalists, producers and researchers.
The material included sensitive notes and interviews on investigations into child abuse in the Catholic Church, gang members in Honduras and victims of atrocities in Columbia. Less than 5% of the material seized related to the documentary film No stone unturned.
Computer Weekly learned that despite a High Court ruling that the PSNI had unlawfully obtained search warrants against the journalists and the film production company, the police force has been unable to delete all the seized data from its backup systems.
The disclosure raises wider questions about the privacy of data seized by police from mobile phones and computer systems in cases where no crime has been committed.
6. Airports deploy thermal cameras to control Covid-19, science suggests it’s merely ‘safety theatre’
UK airports began rolling out thermal surveillance cameras to identify people who may have coronavirus over the summer.
But an analysis of the science behind the technology showed that, according to multiple scientific studies, thermal cameras are ineffective at preventing the spread of Covid-19 and other infections.
The difference between a normal body temperature and a temperature caused by Covid-19 is just 1°C, leaving huge room for errors in temperature readings, particularly when cameras are used to scan multiple people in crowds.
Silkie Carlo, director at Big Brother Watch, who has been campaigning against the use of thermal imaging cameras to detect Covid-19, said airports were using unproven technology on passengers.
“It seems that they’re just treating travellers like guinea pigs in a live experiment,” she said. “And that’s going to be even more dangerous when they talk about the next stage, where they’re escalating passengers to health professionals.”
In July, Europe’s highest court struck down the EU-US data-sharing agreement, Privacy Shield, creating continuing uncertainty and disruption for companies in Europe that share data with the US.
The European Court of Justice also made it clear that companies that use an alternative legal mechanism to Privacy Shield – standard contractual clauses – will now have to take responsibility for ensuring the country they plan to share data with offers privacy protection equivalent to the EU.
Judges found that US surveillance laws meant that the US did not offer privacy protections equivalent to those under EU law. US electronic intelligence-gathering programmes were not proportionate and went beyond what was strictly necessary.
In particular, they said US laws did not give EU citizens rights of redress through the courts if their data was misused.
Business groups said the decision to invalidate Privacy Shield would create a barrier for electronic commerce between the US and the EU.
The decision is also likely to impact data transfers between the EU and the UK following Brexit.
The UK Secret Intelligence Service, MI6, apologised after attempting to persuade a court to withhold documents relating to its policy on crimes committed by undercover agents, from senior judges.
Two members of the Secret Intelligence Service telephoned the secretary of the Investigatory Powers Tribunal asking her not to share documents with the tribunal president and its members, which include current and former judges.
The incident raised serious questions about attempts by intelligence agencies to influence the Investigatory Powers Tribunal and the Investigatory Powers Commissioner’s Office, an independent watchdog that has oversight of the intelligence services.
The disclosures are just one of a string of revelations that have emerged from legal action brought by Privacy International, Liberty and other NGOs against the intelligence services over the lawfulness of their electronic surveillance practices. The cases were reported by Computer Weekly throughout the year.
The US extradition of WikiLeaks founder Julian Assange to face charges under the US Espionage Act and the Computer Fraud and Abuse Act has wider implications for press freedom.
Assange faces up to 175 years in jail after publishing hundreds of thousands of documents leaked by former army intelligence officer Chelsea Manning, covering the wars in Iraq, Afghanistan and the treatment of prisoners in Guantanamo Bay.
However, the extradition, if it is allowed to go ahead, will set a dangerous precedent for journalists, by criminalising much of their normal journalistic activity.
Trevor Timm, co-founder of the Freedom of the Press Foundation, said in evidence that the extradition “would criminalise every reporter who received a secret document, whether they asked for it or not”.
That was almost a consensus opinion among first amendment experts, media law experts and lawyers, and was why “virtually every newspaper in the US has condemned proceedings before the court”, he said.
Computer Weekly reported daily from the hearing held over four weeks at the Old Bailey.
According to former US government whistleblower Daniel Ellsberg, WikiLeaks’ disclosure of US government documents are among the most important revelations of criminal state behaviour in US history.
Ellsberg told a London court that WikiLeaks’ publication of thousands of documents were of comparable importance to his leaks of the Pentagon Papers that precipitated the end of the Vietnam war.
The WikiLeaks founder faces extradition to the US after publishing leaked government documents about the Guantanamo Bay detention camp, US diplomatic communications and the wars in Afghanistan and Iraq.
“It was clear to me that these revelations, like the Pentagon Papers, have the capability of informing the public that they had seriously been misled about the nature of war, progress in war, the likelihood of it ending at all,” said Ellsberg.