Newsletters

Written content from the Risky Business Media team

Srsly Risky Biz: Tuesday April 28

Presented by

Brett Winterford

It's seriously risky business to shut the world's second-largest economy out of your telecommunications sector altogether.

This week the US Federal Communications Commission ordered three Chinese State-owned telcos to 'show cause' for why it shouldn't expunge their license to operate in the United States.

FCC previously banned Chinese networking equipment, blocked China Mobile from entering the US market and blocked Google from connecting undersea cables between the US and Hong Kong.

Srsly Risky Biz: Tuesday April 21

Presented by

Brett Winterford

As discussed on our livestream, there are no technical impediments to capturing enrolment data in apps that make use of the Gapple API. Developers could feasibly link contact details captured at enrolment to notifications generated through the Gapple API to support existing manual contact tracing processes. The only change use of the Gapple framework imposes on an app is the order in which an at-risk individual is notified - first by the Gapple OS feature, followed by a call from health authorities.

This analysis assumes Apple and Google won't block apps that include these additional features. It's incumbent on the mobile OS companies to provide assurance to health authorities by clearly elucidating to the public what would constitute abuse of the service.

More broadly, the EU announced a minimum set of requirements for all contact tracing apps across Europe, insisting on user consent, no location tracking, anonymised data and a post-pandemic plan for switching off tracing features. EU academics are meanwhile split over whether to take a decentralised approach to contact tracing (using the DP-3T contact tracing protocol) or to allow health authorities greater control and access to data (the ROBERT protocol).

Srsly Risky Biz: Tuesday April 14

Presented by

Brett Winterford

Apple and Google have answered a call from policy makers to build a consent-based contact tracing tool for Android or iOS devices.

The two organisations will release OS updates in mid-May that allow health authorities to use 'contact detection' APIs developed by Apple and Google to launch multi-platform contact tracing apps.

Under the published design, if two users of these apps have been in close proximity for a designated period of time, their devices exchange a set of identifiers (ephemeral 'tracing keys') via Bluetooth Low Energy (BLE). Storage of these anonymised identifiers is decentralised - stored only on user devices.

Srsly Risky Biz: Tuesday, April 7

Presented by

Brett Winterford

Videoconferencing startup Zoom will enact a 90-day feature freeze while it works to address a long list of security issues raised in recent weeks. Zoom’s user base has skyrocketed from 10m to 200m this year as schools, businesses and even politicians have scrambled to find easier ways to meet while under lockdown.

To the company’s credit, some misconfigurations - such as excessive data sharing with Facebook and LinkedIn and recently reported security vulnerabilities - have been addressed far faster than bugs found in 2019. It has also turned password-protection on by default.

But now - as the company responds to lawsuits and investigations - it can expect scrutiny over the more fundamental security attributes of the app. Citizen Lab has queried its access controls, its use of non-standard encryption and the occasional routing of cryptographic keys through China. Expect to see significant changes in the weeks ahead.

Srsly Risky Biz: Tuesday, March 31

Presented by

Brett Winterford

Cybercrime gang FIN7 has added some old-school tools to its arsenal - sending US targets malware-infected USB keys in the post. Expect the FBI’s warning on the subject to feature in future PowerPoint pitches for USB lockdowns. Is it now time to start including USB drops in the pen test scope again?

Ransomware source code unleashed: Researchers have noted that the source code for Dharma ransomware - which extorted at least US$24 million from victims last year alone - is for sale online for US$2k. Variants of Dharma already abound, but there’s naturally concern for how many bad actors might have it now.

Hot Plastic - Attackers installed a web skimmer to steal customer credit card details from the Tupperware website last week. Tupperware didn’t respond to warnings from security researchers for five days, but removed the code once ZDNet journalist Catalin Cimpanu published a story.

Srsly Risky Biz: Tuesday, March 24

Presented by

Brett Winterford

Lawmakers have asked US tech companies to contribute data to help health authorities monitor quarantine compliance and trace recent contacts of people infected with coronavirus.

As authorities the world over rush to flatten the curve of coronavirus infections, even the most diehard privacy advocates are exhibiting a willingness to temporarily let civil liberties slide in the name of saving lives.

You might be surprised by which of our regular Risky.Biz contributors said as much when we hosted a livestream discussion on cell phone tracking earlier today - which featured Dmitri Alperovitch, Adam Boileau, Patrick Gray and Alex Stamos.

Srsly Risky Biz: Wednesday, March 18

Presented by

Brett Winterford

Welcome to the first edition of Seriously Risky Business, your weekly batch of the big stories shaping cyber policy, curated by Brett Winterford.

Feedback welcome at editorial@risky.biz

If we hoped ransomware gangs would give hospitals a reprieve during a global health epidemic, prepare to be disappointed. Local Czech media reports that the University Hospital in Brno - the country’s second-largest - had to shut down and isolate systems and re-route some patients to counter a ransomware infection.

Srsly Risky Biz: Pilot Edition

Presented by

Brett Winterford

Welcome to the pilot edition of Seriously Risky Business, your weekly batch of the big stories shaping cyber policy, curated by Brett Winterford.

Feedback welcome at editorial@risky.biz

US Attorneys failed to convince a jury that former CIA exploit developer Josh Schulte dumped an archive about the agency’s offensive cyber weapons program to Wikileaks (the ‘Vault 7’ leaks).