Read. Learn. Share.
Tech Talk Show Notes
April 3, 2021
The hacker behind last year’s big Twitter hack has just been sentenced to hard-time.
Graham Ivan Clark, the teenage hacker who broke into Twitter’s systems, took over verified accounts, and used them to scam users out of Bitcoin, was sentenced to three years in prison, according to the Tampa Bay Times.
Clark’s hack took the internet by storm in the summer of 2020. On July 15, verified Twitter accounts belonging to users such as Barack Obama, Elon Musk, Kanye West, and Joe Biden as well as accounts belonging to companies like Apple and Uber were compromised. The accounts began tweeting out a popular Bitcoin scam, an offer to double the amount of Bitcoin that anyone sent to a particular Bitcoin address included in the posts.
Clark was able to scam the equivalent of more than $100,000 worth of Bitcoin at the time before Twitter shut the hack down.
Cryptocurrency scams are not new on Twitter, although this was a whole new level. Usually, fake accounts posing as celebrities try to convince users to send money to anonymous Bitcoin addresses with the promise of making money. This scam was being carried out via celebrities’ actual accounts.
So last year, when everybody was freaking out over TikTok, we noted that TikTok was likely the least of the internet’s security and privacy issues. In part because TikTok wasn’t doing anything that wasn’t being done by thousands of other companies in a country that can’t be bothered to pass even a basic privacy law for the internet. Also, any real security and privacy solutions need to take a much broader view.
For example, while countless people freaked out about TikTok, none of those same folks seem bothered by the parade of nasty vulnerabilities in the nation’s telecom networks, whether we’re talking about the SS7 flaw that lets governments and bad actors spy on wireless users around the planet or the constant drumbeat of location data scandals that keep revealing how your granular location data is being sold to any nitwit with a nickel. Or the largely nonexistent privacy and security standards on the internet of broken things. Or the dodgy security in our satellite communications networks.
The point being, hysteria over the potential threat of a Chinese app packed with dancing tweens trumped any real concerns about widespread, long-standing security vulnerabilities and privacy issues, particularly in telecom. This week this apathy was once again on display after reporters found that a gaping flaw in the SMS standard lets hackers take over phone numbers in minutes by simply paying a company to reroute text messages. All for around $16.
The number of domains using an anti-spoofing technology known as Domain-based Message Authentication, Reporting, and Conformance, or DMARC, topped 2.7 million in 2020, yet most domains still fail to specify a policy to delete or quarantine unauthenticated email, according to data from security firms published over the last month.
During the pandemic, email scams and phishing attacks that purported to be from the World Health Organization (WHO) widely targeted businesses and government agencies. DMARC foils one component of such attacks when the attacker spoofs an organization in an e-mail’s From field. As of December 2020, more than 2.7 million domains published a DMARC record, up 43% during the last year, according to the latest adoption report on DMARC.org, based on data from Farsight Security, a cybersecurity intelligence firm.
Still, two-thirds of those domains do not specify any policy for unauthenticated email, instead essentially monitoring the situation, according to the Farsight data. With ransomware and non-spoofed phishing attacks increasingly common, companies are tackling those issues that have the most impact on their risks, says Ben April, chief technology officer for Farsight Security.
Remote Desktop Protocol (RDP) became a hot target for cybercrime as businesses shifted to remote work due to the COVID-19 pandemic. A year later, the trend shows no sign of slowing.
RDP, Microsoft’s proprietary protocol for enabling people to remotely access Windows servers or workstations, is among the most popular remote access protocols used by organizations today. As such, when businesses shifted to remote work last March, cybercriminals swiftly took notice.
In the spring of 2020, when many organizations shut their office doors, attacks targeting RDP began to skyrocket: Kaspersky reported a spike from 93.1 million global RDP attacks in February to 277.4 million in March – a 197% increase, researchers note. The trend went up and down throughout the year but saw another significant jump as winter lockdowns were announced.
Tesla has begun accepting bitcoin as payment from car buyers in the continental US, and CEO Elon Musk said the company plans to expand the new payment option to other countries later this year.
Musk announced the news on Twitter today. “You can now buy a Tesla with Bitcoin… Tesla is using only internal & open source software & operates Bitcoin nodes directly. Bitcoin paid to Tesla will be retained as Bitcoin, not converted to fiat currency,” Musk wrote.
Tesla recently bought $1.5 billion in bitcoin, a move that sent the cryptocurrency’s price soaring. A Tesla regulatory filing on February 8 said the company would begin accepting bitcoin as payment “in the near future.” While Musk is betting big on bitcoin, customers may prefer to buy Tesla cars in dollars if they expect the price of bitcoin to keep rising.
The bitcoin payment process is described on Tesla’s website in a support FAQ and terms and conditions. “Bitcoin is the only cryptocurrency Tesla accepts,” the company said. Sending other cryptocurrencies to Tesla “will likely result in a loss of funds for you.”
Semiconductor supply chains have not been having a good year. Shifts in demand brought on by COVID-19 have slammed into a series of fab and factory fires, the effects of which have been cascading throughout the global economy. Now, the semiconductor industry is being threatened by Taiwan’s worst drought in 67 years.
Chip shortages have rippled through various industries in recent months. Automakers have cut back production, citing supply issues. Automotive shortages are somewhat of the industry’s own making—when the pandemic hit over a year ago, automakers cut production and chip orders. Meanwhile, demand for consumer electronics surged, snapping up excess fab capacity. When car and truck sales rebounded months later, semiconductor manufacturers had no slack to meet demand. Recently, even consumer electronics companies have been finding it hard to secure a steady supply of chips for their products.
Taiwan’s drought began when typhoons failed to make landfall last year. Today, drought conditions cover a significant portion of the densely populated western third of Taiwan, extending from Hsinchu south to Kaohsiung, an arcing span of more than 150 miles on an island that’s only about 240 miles long. Water levels in major reservoirs have been as low as 10 percent of their capacity, and they’re currently being stabilized by water piped in from Taipei, which has so far avoided the worst of the drought.
Think of everything you’ve posted online over the past year — photos, blog entries, comments on websites, and so on. Now consider how much of that content says something about you as an individual, from your habits to where you live to what you buy. The Internet is awash in personally identifiable information (PII), and we should never forget that this is a major cybersecurity liability for individuals and companies alike.
Some forms of PII can be used to infiltrate a victim’s accounts and networks directly, such as account numbers and passwords. However, even seemingly innocuous forms of PII can put employees and companies at risk — the more cybercriminals know, the easier it is for them to manipulate and defraud their victims. For example, if cybercriminals have access to employees’ email addresses, they can launch a password spraying attack in which they test a single password on every available account until they break into one.
PII security has to be a priority all the time — it’s not enough to make sure employees are using good password hygiene, avoiding malicious links and attachments in emails, and so on. They also have to be mindful of their digital behavior in other domains — which cloud services they’re using (and what security protocols those services have), whether they work on personal devices, and what other personal details they disclose.
Fairphone—the sustainable, modular smartphone company—is still shipping updates to the 5-year-old Fairphone 2. The company won’t win any awards for speed, but the phone—which launched in 2015 with Android 5—is now being updated to Android 9.0. The most interesting part of this news is a video from Fairphone detailing the update process the company went through, which offers more transparency than we normally get from a smartphone manufacturer. To hear Fairphone tell the story of Android updates, the biggest barrier to longer-term support is—surprise!—Qualcomm.
Fairphone wants consumers to keep their phones for longer, creating less e-waste and carbon emissions via modular replacement parts that are easily upgradeable and repairable. A big challenge for designing a long-lasting phone like this is software support. Even if Fairphone wanted to support a phone forever, Android software updates do not work that way, and major OS updates normally rely on a relay race of companies that all need to hand-off a build of Android before it reaches your phone.
We’ve gone over this before, but let’s do a quick recap of how Android makes it to your smartphone. First, Google releases builds of AOSP (the Android Open Source Project) to everyone. This doesn’t run on a phone yet, though. First, your SoC (System on a Chip) manufacturer (usually Qualcomm) has to get hold of it and customize Android for a particular SoC, adding drivers and other hardware support. Then, that build goes to your phone manufacturer (Fairphone, in this case) which adds support for the rest of the hardware—things like cameras, the display, and any other accessories—along with built-in apps and any custom Android skin work that the company wants to do.