Tech Talk Show Notes

February 13, 2021

Strengthening Zero Trust Architecture

The invention of the term “Zero Trust” is generally credited to former Forrester analyst John Kindervag more than a decade ago. Although it’s not new, the concept has received renewed interest and market traction amid 2020’s widespread shift to remote work and the evolution of the cloud. As a concept, zero trust doesn’t refer to a specific piece of technology; instead, it relates to the idea that users should have only the bare minimum access they need to perform their job.

Within zero-trust architecture (ZTA), users can’t access areas of the network, data, and applications to which they do not specifically require access. In a way, this means that zero-trust implementation is a journey rather than a destination. A “perfect” zero-trust environment isn’t something that one can quickly achieve. More realistically, organizations should strive for a lean least-privilege structure of trust. Recently, organizations, including MITRE and the National Institute of Standards and Technology (NIST), have released frameworks highlighting how technologies like deception and concealment can contribute to zero-trust implementation.


Here’s a Way to Learn if Facial Recognition Systems Used Your Photos

When tech companies created the facial recognition systems that are rapidly remaking government surveillance and chipping away at personal privacy, they may have received help from an unexpected source: your face.

Companies, universities, and government labs have used millions of images collected from a hodgepodge of online sources to develop the technology. Now, researchers have built an online tool, Exposing.AI, that lets people search many of these image collections for their old photos.

The tool, which matches images from the Flickr online photo-sharing service, offers a window onto the vast amounts of data needed to build a wide variety of A.I. technologies, from facial recognition to online “chatbots.”


Scalpers aren’t the main reason you can’t find a new console

It has been over two months since Sony’s PlayStation 5 and Microsoft’s Xbox Series S/X officially hit store shelves, and both consoles still remain nearly impossible to find at major retailers. In light of these shortages, many would-be next-gen gamers have focused their ire on scalpers. These opportunistic resellers buy new systems the minute they become available at retail (often with the help of automated bots) with the intent to immediately list them for a significant markup on eBay or other third-party sales sites.

These resellers are certainly taking advantage of the situation and redirecting console stock from players who would otherwise be able to get the systems at the manufacturer’s suggested retail price. But some recent comprehensive analyses of online listings suggest that resellers are only responsible for a small number of all-new console sales in the US. Even in a world without scalpers, the current demand for the PS5 and Xbox Series S/X would be greatly outstripping current supplies.


What I Wish I Knew at the Start of My InfoSec Career

A security career can be an extremely rewarding path and a thankless job all at once. It is a point of pride for many security pros to know their work is focused on fighting the good fight and defending their organizations from breach or hack. But as soon as one threat is identified and mitigated, a new one comes along. The battle is never really won.

Because it is so challenging – and necessary – security continues to be a hot field with near-zero unemployment. What should those who are just dipping their toes into the employment pool know before diving into infosec? The Edge asked seasoned security pros what they wish they had known when they first got into the field.

Once you’ve read through their thoughts, ask yourself: Do these lessons learned sound familiar? Any others you’d add to the list? Would you have made any different career moves had you known earlier?


Chrome users have faced 3 security concerns over the past 24 hours

Users of Google’s Chrome browser have faced three security concerns over the past 24 hours in the form of a malicious extension with more than 2 million users, a just-fixed zero-day, and new information about how malware can abuse Chrome’s sync feature to bypass firewalls. Let’s discuss them one by one.

First up, the Great Suspender, an extension with more than 2 million downloads from the Chrome Web Store, has been pulled from Google servers and deleted from users’ computers. The extension has been an almost essential tool for users with small amounts of RAM on their devices. Since Chrome tabs are known to consume large amounts of memory, the Great Suspender temporarily suspends tabs that haven’t been opened recently. That allows Chrome to run smoothly on systems with modest resources.


Klobuchar targets Big Tech with biggest antitrust overhaul in 45 years

With a new session of Congress underway and a new administration in the White House, Big Tech is once again in lawmakers’ crosshairs. Not only are major firms such as Apple, Amazon, Facebook, and Google under investigation for allegedly breaking existing antitrust law, but a newly proposed bill in the Senate would make it harder for these and other firms to become so troublingly large in the first place.

The bill, called the Competition and Antitrust Law Enforcement Reform Act (CALERA for short, which is still awkward), would become the largest overhaul to US antitrust regulation in at least 45 years if it became law.

“While the United States once had some of the most effective antitrust laws in the world, our economy today faces a massive competition problem,” said Sen. Amy Klobuchar (D-Minn.) when she introduced the bill on Thursday. “We can no longer sweep this issue under the rug and hope our existing laws are adequate,” Klobuchar added, calling the bill “the first step to overhauling and modernizing our laws” to protect competition in the current era.


I Fought the Dark Web and the Dark Web Won

Your “application for unemployment benefits has been approved,” stated the letter from the Illinois unemployment bureau a few weeks back. That was perplexing since I never applied and wasn’t unemployed. So I immediately told my (part-time) employer and the state unemployment agency.

Turns out somebody had stolen my personal information—again.

I wasn’t alone. Fraudulent jobless claims are a rampant scam across the country that accelerated during the COVID crisis as jobless benefits increased. More than a third of a million people in my state alone were also victims of the scam, including several people I knew. Although national tallies are still underway, the unemployment fraud is massive: California estimates more than $11 billion was stolen. All told, tens of millions of people could’ve been scammed in this way.


How the United States Lost to Hackers

If ever there was a sign the United States was losing control of information warfare, of its own warriors, it was the moment one of its own, a young American contractor, saw first lady Michelle Obama’s emails pop up on his screen.

For months, David Evenden, a former National Security Agency analyst, questioned what he was doing in Abu Dhabi. He, like two dozen other N.S.A. analysts and contractors, had been lured to the United Arab Emirates by a boutique Beltway contractor with offers to double, even quadruple, their salaries and promises of a tax-free lifestyle in the Gulf’s luxury playground. The work would be the same as it had been at the agency, they were told, just on behalf of a close ally. It was all a natural extension of America’s War on Terror.