Security News for the Week Ending October 29th, 2021

Smartphone Counterespionage Tips for Travellers

Most people say “who would be interested in me?” but the reality is that foreign governments track Americans for a variety of reasons, both good and bad. Read this article to find some tips that could keep you below the radar and your information safer.

Are Surveillance Cameras the Answer to Worker Productivity?

ZDNet wrote a story this week about a boss who texted an employee at night about what the boss perceived was employee laziness. Apparently the boss was completely uninformed and when the employee pointed out what was really happening, the boss doubled down. The employee told the boss to take his job and shove it. That doesn’t mean that management should ignore what they think they see, but as we are seeing in this recovery after the pandemic shutdowns, employees seem a lot more empowered and your employees may tell you to shove it. Read the details here.

State Department Recreates Cybersecurity Effort After Trump Disbanded it

Cybersecurity will be a core part of the State Department’s mission with the new Bureau of Cyberspace and Digital Policy. Congress forced the issue by legally creating the department after Trump eliminated the position of cyber coordinator in State. State will also add 50% to its tech budget and new civil service positions. Credit: Dark Reading

Britain’s Privacy Commissioner Calls for More End to End Encryption

Britain’s privacy protection agency, the ICO, has called for video conferencing companies to implement end to end encryption at the same time that police and politicians are calling for the elimination of any secure end to end encryption. The ICO attempted to do some spin after the fact, but their statement still stands. Police say that having to get warrants to obtain information is inconvenient for them. This follows last year’s call by British, Canadian, Australian, Chinese, Swiss, Gibraltarian and Hong Kong data protection regulators also asking for end to end encryption. The police have vocally asked for a master decryption key because, of course, you can trust them. This week the master encryption key used to secure Covid passports in the EU was publicly exposed. Covid vaccine passports for Adolf Hitler and Mickey Mouse have been found and fake Covid passports signed with this key are now available on the web. Not to worry, if we give the thousands of police agencies access to these keys, I am sure this would never happen. Credit: The Register

Proton Wins Swiss Appeal Over Surveillance Rules

Weeks after Proton Mail was forced to capture the IP address of a user after receiving a Swiss subpoena, they won a different court battle. Swiss courts had earlier ruled that companies like Whatsapp and Zoom were not Internet providers and did not have to maintain surveillance records of their users’ actions, but for some reason, the Swiss Post thinks that Proton does have to. The appeals court said no to that and remanded the case back to a lower court to “change their mind” so to speak. Credit: Cybernews

Minimum Viable Secure Product (MVSP)

Vendor risk must be a core part of every company’s cybersecurity program, but it is hard.

Especially when the company is a tech company, developing software that you use.

The term Minimum Viable Product or MVP is a term marketing folks have used for years to describe creating a version 1 product that has the minimum set of features that a customer will be willing to use or buy.

Add another letter and you have another acronym to remember – MVSP – Minimum Viable Secure Product. This is YOU defining what you consider the MINIMUM set of security features that you require in order to buy or use a vendor’s product.

With a little work, this could become a standard.

In part, because this MVSP checklist is based on the checklists already used by two small companies named GOOGLE and DROPBOX.

Rather than having to create your own set of “standards”, one has already been created for you based on what Google and Dropbox require of their vendors.

And it is licensed under the Creative Commons 1.0 license (free for any use).

And it will be updated as needed.

Who should use it?

Proposal teams should use it in RFPs.

Anyone can use it for self assessments.

And vendor management teams can use it as their standard vendor cybersecurity questionnaire.

What is in it?

It contains 4 major sections: business controls, application design controls, application implementation controls and operational controls.

Section 1 contains eight controls, section 2 contains nine controls, section 3 contains four controls and section 4 contains three controls.

Alternatively, you can create this yourself. I am sure that you will do a better job than Google and Dropbox.

In fairness, you can tweak it for your own needs.

Credit: Helpnet Security

The MVSP project

The MVSP questionnaire

FCC Boots China Telecom

The Federal Communications Commission has “terminated” China Telecom’s authority to provide services in the U.S.

In a move more expected from the last administration than the current one, the FCC said that China Telecom represents a security risk. China Telecom has been operating in the U.S. since 2002. It is not clear why the U.S. did not do anything about this during the last administration.

The FCC now believes that they (China Telecom) can access and store information, disrupt communications and route communications through hostile countries.

In addition, since China Telecom is state-controlled, the FCC is concerned that they would have to do the government’s bidding, if asked.

They said the termination was based on a demonstrated lack of candor, trust and reliability.

They also said that they did not think that any possible mitigation would improve the situation.

Finally, they said that China Telecom has already violated some of their constraints to operate.

Part of the assessment is based on classified information.

Jessica Rosenworcel, current acting FCC chair, who has been nominated by President Biden to become the permanent chair, said, basically, there is a new sheriff in town and they are currently looking at China Unicom and other similar carriers.

She also said that the FCC is now going to regularly review foreign carriers’ authorizations.

In addition, she said that there is a new process for undersea cable authorization.

Current China Telecom customers have 60 days to find a replacement.

Beijing is going to be quite unhappy. They may retaliate, which could make things difficult for U.S. companies with operations in China. If China shuts down U.S. carriers and the U.S. shuts down Chinese carriers, some companies could find themselves working with pencils and a Big Chief tablet. Key among those companies are U.S. tech companies like Apple, Dell and thousands of others. Long term, that would reduce U.S. dependency on China, which is good for the U.S. In the short term it could make the supply chain issues we currently have even worse.

Stay tuned, this is not over.

Credit: The Register

The Russians Are Still Cyber-Attacking Us

This is probably not a surprise to anyone who is past elementary school – and probably not to many who are still in elementary school, but the group that was behind last year’s SolarWinds attack is still at it.

Just like with SolarWinds, they are going after the global supply chain.

140 managed service providers and cloud service providers were attacked since May and at least 14 were breached, according to Microsoft.

Russia is doing that because, like with SolarWinds, compromising one of these companies may allow Russian hackers entry into hundreds or thousands (or more) of their customers.

Unfortunately, the attackers are using a variety of tactics, so there is not a one size fits all solution.

So, what to do?

First, if you are a service provider, make sure you are doing everything you can to protect yourself. And your customers.

Second, if you use service providers – and who does not – make sure you understand where the provider’s responsibility for security ends and yours begins, and also make sure that you are reviewing the provider’s cyber risk protection practices as part of your vendor cyber risk program.

Remember, you can outsource the task, but if you are breached, your customer will blame you, no matter what. Credit: Bleeping Computer

Security News for the Week Ending October 22, 2021

State Acknowledges Data Breach After 10 Months

I guess better late than never. Finally, the State of Illinois is admitting to a data breach, sort of. Here is what they are now saying. Check the dates below. Notice who was among the last to know – the victims. Can the state be fined for breaking the law? We shall see.

Pursuant to the requirements of the Health Insurance Portability and Accountability Act, 45 CFR Sections 164.400-414, the Illinois Department of Healthcare and Family Services (HFS) and the Illinois Department of Human Services (IDHS) (collectively the Departments) in conjunction with the Illinois Department of Innovation and Technology (DoIT) are notifying the media of an incident within the State of Illinois Integrated Eligibility System (IES).

IES is the eligibility system of record for State-funded medical benefits programs, the Supplemental Nutrition Assistance Program (SNAP), and Temporary Assistance for Needy Families (TANF). On November 24, 2020, the State discovered an issue within IES. Upon investigation, the Departments discovered that household members who were once on a case and had their access removed could still see information even after they were no longer part of that case.

In response to this incident, on January 8, 2021, IES was updated to limit case access to only the head of household, and prior and other current household members no longer have access. To date, the Departments are unaware of any actual or attempted misuse of personal information as a result of the incident and the number of potentially affected individuals was limited.

The Departments notified the members of the Illinois General Assembly on July 29, 2021, the potentially affected individuals on September 9, 2021, and the Office of the Illinois Attorney General on September 10, 2021.
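The IES flaw described in the notice is a classic stale-authorization bug: a household member whose access was removed could still see case information. The added example below is not the State of Illinois’ code and assumes nothing about how IES is built; the case, session and user names are constructed. It shows the failure mode (an access decision made from a membership snapshot taken at login) next to two checks that consult the system of record on every request, the second of which mirrors the narrower “head of household only” rule the notice says was put in place on January 8, 2021.

```python
"""Added example (not from the Illinois notice or IES): a removed household
member keeps access when authorization relies on a login-time snapshot, and
the per-request checks that close the gap. All names and data are constructed."""
from dataclasses import dataclass, field


@dataclass
class Case:
    case_id: str
    head_of_household: str
    members: set = field(default_factory=set)   # current household members (system of record)


@dataclass
class Session:
    user_id: str
    case_ids_at_login: set = field(default_factory=set)  # snapshot captured when the user logged in


def build_sample_cases():
    # Constructed sample: one case, Alice is head of household, Bob is a member
    return {"case-1": Case("case-1", "alice", {"alice", "bob"})}


def login(user_id, cases):
    # Snapshot of the cases the user belongs to at login time
    return Session(user_id, {c.case_id for c in cases.values() if user_id in c.members})


def remove_member(cases, case_id, user_id):
    # A caseworker removes the user from the household
    cases[case_id].members.discard(user_id)


def can_view_stale(session, case_id):
    # Vulnerable pattern: the decision is made from the login-time snapshot only,
    # so a removal that happens after login is never seen
    return case_id in session.case_ids_at_login


def can_view_current(session, cases, case_id):
    # Hardened pattern: consult the system of record on every request
    case = cases.get(case_id)
    if case is None:
        return False
    return session.user_id in case.members


def can_view_head_only(session, cases, case_id):
    # Mirrors the narrower fix the notice describes: only the head of household may view
    case = cases.get(case_id)
    return case is not None and session.user_id == case.head_of_household


def simulate_removed_member():
    """Bob logs in while still a member, is then removed, and tries to view the case."""
    cases = build_sample_cases()
    bob = login("bob", cases)
    remove_member(cases, "case-1", "bob")
    return {
        "stale": can_view_stale(bob, "case-1"),            # True: the bug
        "current": can_view_current(bob, cases, "case-1"),  # False: removal honoured
        "head_only": can_view_head_only(bob, cases, "case-1"),  # False: not head of household
    }


def simulate_head_of_household():
    """Alice, the head of household, retains access under the head-only rule."""
    cases = build_sample_cases()
    alice = login("alice", cases)
    return can_view_head_only(alice, cases, "case-1")


if __name__ == "__main__":
    print(simulate_removed_member())
    print(simulate_head_of_household())
```

The design point is that the snapshot itself is not the problem; using it as the sole input to an access decision is. Caching membership for display is fine as long as every read of case data re-checks the current record, and a log of denied reads after a removal is a cheap way to confirm the fix is actually being exercised.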

Tesco Launches First Checkout-Free Store in London

Following in line with companies like Amazon, retailers like Tesco in London are working on letting customers shop in their stores and not having to stop at the checkout line. This is done with a crazy number of cameras and sensors. My guess is that they are willing to take some losses in the short term to try and figure out the weak spots and how people plan to game the system, but this is surveillance to the max. It requires that you have their app and they will automatically charge your credit card, which has to be on file. Me, I’m okay with the checkout line. Credit: Computing

Facebook Plans to Rebrand Itself

Okay, this is not really security related, but fun for Friday. Facebook, apparently, wants to rebrand itself. They have been quiet about this but will announce the new name at their annual conference this month. Note that they didn’t ask for suggestions; they probably would have gotten a bunch that referred to different body parts than people’s faces. But, this is kind of like what Google did with Alphabet a couple of years ago. Facebook as a company has lots of brands and it probably doesn’t make sense, any more, for the parent company to still be called Facebook. Credit: Computing

CISA Wants the 24 Hour Breach Reporting Law for Incidents

There are bills working their way through Congress right now that would make it mandatory that certain companies report breaches and some attacks within either 24 or 72 hours, depending on the bill. CISA is putting its weight behind 24 hours. This probably will include anything designated as critical infrastructure, which is a lot, and possibly some others. Stay tuned to see what passes. Companies would rather keep hacks secret, if possible, but if the bill passes and companies might be fined or executives go to jail, they will probably disclose. The disclosure would be to the government, probably, and not publicly. Credit: FCW

CISA Says Ransomware Targeted SCADA Systems of 3 US Water Treatment Plants

The FBI, CISA, EPA and NSA issued a joint alert saying that cyberattacks against water and wastewater treatment plants are up. They revealed that the industrial control system (ICS) or SCADA systems at three plants had been hit by ransomware and that the malware had been lurking inside for about a month before it launched the attacks. They target the outdated software and poorly configured hardware of these systems and it is a pretty easy attack. Drinking water is the primary target, they say. My guess is that they do that because poisoning people will create more chaos. Credit: Hack Read

Introducing Trump Media & Technology Group

Former President Trump revealed plans for the Trump Media and Technology Group (TMTG). His plan, apparently, is to copy Facebook and Twitter and Google and Microsoft and Amazon and …

Even for him, that is pretty ambitious.

TMTG News would be a competitor to CNN – but also to Fox and OAN and all of the other conservative media that have given him a voice over the last 5 years. I guess it is payback time.

Another part, called Trump Social, plans to compete with Facebook and Twitter, similar to what GETTR and Parler tried to do.

One slide in the pitch deck says that there is a long term opportunity to build a TMTG tech stack that competes with AWS, Google and Azure. And also competes with Stripe.

Also Netflix.

It is immediately being listed on the NASDAQ using a SPAC, a popular reverse merger tool that allows companies to go public with a very thin review. The difference between investors in TMTG and people who buy Trump hats for $40 is that the investors expect a return on their investment and they are very fickle.

There are things people should consider before investing in TMTG. Trump has a history of bailing when things get tough, leaving the investors high and dry. He has filed for bankruptcy at least 6 times and that is just the casinos. Other operations like Trump airlines and Trump steaks and Trump wines just went away.

Personally, I think competition in this space is great. I hope he is successful.

But companies like Facebook and Amazon have spent billions of dollars and have some of the brightest minds in tech. If he thinks they are going to lie down and let him roll over them, I think he is mistaken.

They also have massive patent portfolios and they might choose to follow his own history and sue TMTG into oblivion for patent infringement.

Still, the battle will be interesting and we should watch what happens.

Companies like Facebook and Google have laid their own undersea transoceanic fiber optic cables to obtain cheap bandwidth. Netflix alone represents something like 33% of all bits on the Internet. I doubt his competitors will be willing to sell him space on their fiber.

Reports from people who have seen previews of Trump Social (actually they hacked it since you can’t sign up for it yet, which is not a good sign) say it is just a repackaged version of Mastodon, a free, open source social network framework.

If he is successful, even if it is only to a degree, it could mean even faster innovation and lower prices for consumers and businesses, which would be great.

Currently, Google competes with Microsoft, Amazon competes with Walmart. More competition is better.

Stay tuned.

Credit: Vice