CVE-2021-35394 Realtek SDK : How to fix the exploited vulnerability | Read here >>

ChatGPT for cyber risk management: an opportunity, or a threat? | Read here >>

New in financial services: How to address security gaps with risk-based vulnerability management | Download here >> 

US TikTok ban and more: first officer's blog - week 30

The US TikTok ban, Apple's end-to-end security measures, and more. Here's the latest from the world of cyber risk.

Mike Parkin | December 19, 2022

First Officer’s log, Terrestrial date, 20221219. Officer of the Deck reporting.  

We departed Frontier Station [REDACTED] for our next destination, a planet in the [REDACTED] sector that requires assistance interpreting data from its deep space detection network. The assignment should be relatively typical for a support ship such as ours. It is, as we say, what we do. 

The only thing unusual about the trip was that we had been tasked with transporting Professor [REDACTED] from the Federation Science Council, and their two assistants, to [REDACTED], which was only a slight diversion from our planned route. We didn’t get these transport side missions very often, but they weren’t unheard of, and several of our crew were sure to take advantage of the Professor’s presence to glean some knowledge. 

The trip went as planned for the first eleven hours. We’d set the drive for maximum-efficiency warp speed, on a course that would get us to our ultimate destination with time to spare, taking into account the diversion to drop off the Professor and their crew. 

However, at 11 hours, 8 minutes, the ship unexpectedly dropped out of warp. 

The crew reacted as we’ve been trained to in an emergency, and quickly took stock of the situation. Within a few minutes we had determined that a flow interruption in the anti-matter feed to the warp core had effectively crippled the drive. At least until we could determine the source of the interruption and get it corrected. 

That fell to the Engineering department which quickly isolated the problem. Or, at least identified where it started. 

A console in Engineering that normally displayed warp drive efficiency had a rather . . . different message displayed. 

It took a moment to translate the message from its apparently native [REDACTED], but the rough translation was something to the effect of “All of your warp drive belong to us. Do not attempt to contact authorities. Send 2 kilograms of gold-pressed latinum to the following coordinates, and we will send you key to make the warp drive work again.” 

It was obvious that the drive computer had somehow become infected with malicious code, but the question was how. So, while the Engineering team set about restoring functionality using the plans we had in place for this sort of contingency, the security team set about determining how, exactly, this had gotten past our defenses. 

If you put in a back door, someone will abuse it. 

What happened 

Apple’s announcement that more of its iCloud data would be protected by end-to-end encryption has led some in Law Enforcement circles to again call for the installation of back doors allowing “lawful access by design” in these products. 

Why it matters 

The balance between privacy and security has been debated for years, with privacy advocates calling for broad access to effective encryption, while the law enforcement and intelligence communities claim that wide access to cryptography will make their jobs more difficult. It is a classic “Security vs Liberty” argument. 

While this is technically true, in that widely available high-quality encryption will make their job harder, easy access to good encryption also dramatically enhances privacy for individual and business users. The challenge with a legally required back door is the threat of the access falling into the wrong hands, being compromised, or being abused, any of which would render the encryption useless for normal users. 

Perhaps more important is the fact that strong encryption exists outside the confines of major vendors like Apple. People who truly require private communication will find ways to get it, rendering the required back door useless for the Law Enforcement and intelligence communities. 

What they said 

A hot debate like this one always gets attention.

Will this fit into a 15-second video? The US TikTok ban

What happened 

The United States Senate passed a bill banning the installation of TikTok on government-provided devices. This follows in the wake of several US states passing laws forbidding the installation and use of the application on devices owned or used by State employees. A number of US government officials have used strong rhetoric denouncing TikTok as a tool of the Chinese Communist Party (CCP) and a threat to national security. 

Why it matters 

ByteDance, TikTok’s parent company, has tried to reassure users that they are not beholden to the CCP and that user data is safe, with data for US users being stored on US-based servers. But that has not stopped many people from assuming that the Chinese government can access TikTok’s aggregate data and use it to glean information about users in the US or manipulate TikTok to influence users in the US and elsewhere. 

Many have pointed out that the potential data gathering and influence by manipulating users’ feeds are no different from the data gathering, and potential influence, already being seen with existing social media platforms such as Facebook, Twitter, and YouTube. The difference is that most people aren’t worried that those tech companies are being leveraged by their government to influence the geopolitical situation and forward a national agenda. 

What they said 

While it may not be going as viral as the latest TikTok dance, this story’s certainly getting people talking

FBI targets hungry threat actors

What happened 

The Federal Bureau of Investigation (FBI) and the Food and Drug Administration Office of Criminal Investigations (FDA OCI) announced that threat actors had been using Business Email Compromise (BEC) techniques since the beginning of 2022 to steal shipments of processed food and raw materials, costing several businesses hundreds of thousands of dollars. This contrasts with the more typical BEC tactic of direct monetary theft via fake invoices and the like. 

Why it matters 

Threat actors have used Business Email Compromise to steal from target organizations for years, often using falsified invoices or similar techniques to get their victims to send them money. But that is not the only technique they use, and this is a reminder that attackers are always finding new and entertaining ways to get at their victims. 

Stealing finished goods or raw materials involves a few additional steps between the initial attack and the payoff, but it may also slip under the radar for longer than a simple fake invoice, which lets the attackers steal more from their target over time. 
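The story above is about BEC used to divert shipments rather than payments. As an added example, not code from the original post or from the FBI/FDA OCI announcement it summarizes, here is a small Python check that runs over constructed email messages and reports the usual BEC indicators: a Reply-To that routes answers to a different domain than the sender claims, a sender domain that is a near-miss lookalike of a known supplier, a display name that borrows a supplier's name, and body text asking for goods to go to a new delivery address. The supplier list, the sample messages and the phrase list are assumptions made for illustration.

```python
"""BEC indicator checks over constructed sample messages.

Added example, not code from the original post or the FBI/FDA OCI
announcement. KNOWN_VENDOR_DOMAINS, the sample messages and the
SHIPPING_CHANGE_PHRASES list are assumptions made for illustration.
"""
from __future__ import annotations

from email import message_from_string
from email.utils import parseaddr

# Assumed: domains of suppliers the organization legitimately trades with.
KNOWN_VENDOR_DOMAINS = ("acmefoods.example", "grainco.example")

# Assumed: phrases that hint at redirecting a shipment (the food-theft twist).
SHIPPING_CHANGE_PHRASES = (
    "new delivery address",
    "new warehouse address",
    "updated shipping address",
    "ship to the address below",
)

# Constructed sample: lookalike domain, foreign Reply-To, vendor name in
# the display name, and a request to reroute the goods.
SAMPLE_FRAUD = """From: Acme Foods Purchasing <orders@acmefood.example>
Reply-To: orders@acmefood-billing.example
To: sales@victim.example
Subject: PO 4471 - updated delivery address
Content-Type: text/plain

Please ship PO 4471 to our new warehouse address below.
"""

# Constructed sample: a benign order confirmation from a known supplier.
SAMPLE_LEGIT = """From: Grain Co Orders <po@grainco.example>
To: sales@victim.example
Subject: PO 4472 confirmation
Content-Type: text/plain

Confirming PO 4472 for delivery to our usual address. Thanks.
"""


def levenshtein(a: str, b: str) -> int:
    """Edit distance; used to catch acmefood.example vs acmefoods.example."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def bec_indicators(raw: str) -> list[str]:
    """Return the names of BEC indicators present in one raw RFC 5322 message."""
    msg = message_from_string(raw)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_dom, reply_dom = domain_of(from_addr), domain_of(reply_addr)
    findings: list[str] = []

    # 1. Replies are steered to a domain other than the one the mail came from.
    if reply_dom and reply_dom != from_dom:
        findings.append("reply-to-domain-mismatch")

    # 2. Sender domain is within two edits of a known supplier but is not it.
    if from_dom not in KNOWN_VENDOR_DOMAINS:
        for vendor in KNOWN_VENDOR_DOMAINS:
            if 0 < levenshtein(from_dom, vendor) <= 2:
                findings.append(f"lookalike-domain:{vendor}")
                break

    # 3. Display name invokes a supplier while the address does not belong to it.
    name_compact = from_name.lower().replace(" ", "")
    for vendor in KNOWN_VENDOR_DOMAINS:
        if vendor.split(".")[0] in name_compact and from_dom != vendor:
            findings.append(f"display-name-spoof:{vendor}")
            break

    # 4. Body asks to reroute the shipment (plain-text body assumed here).
    body = (msg.get_payload(decode=True) or b"").decode("utf-8", "replace").lower()
    if any(phrase in body for phrase in SHIPPING_CHANGE_PHRASES):
        findings.append("shipping-address-change")

    return findings


def is_suspicious(raw: str, threshold: int = 2) -> bool:
    """Assumed policy: two or more independent indicators warrant a hold."""
    return len(bec_indicators(raw)) >= threshold


if __name__ == "__main__":
    for label, sample in (("fraud", SAMPLE_FRAUD), ("legit", SAMPLE_LEGIT)):
        print(label, is_suspicious(sample), bec_indicators(sample))
```

None of these indicators is proof on its own (a supplier may really use a separate billing domain), which is why the assumed policy holds a message only when several line up; the real control for the shipment case is still an out-of-band phone call to a known number before any delivery address is changed.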

What they said 

This story has provided plenty of food for thought.
