Read. Learn. Share

TECH TALK SHOW NOTES

January 30, 2021

Cloud Jacking: The Bold New World of Enterprise Cybersecurity

Those with their finger on the pulse of emerging cybersecurity threats are already aware that there’s a new danger in town: cloud jacking. The increased reliance of individuals and businesses on cloud computing has led inevitably to this form of cybercrime primarily driven by misconfiguration, and that looks to dominate a multitude of online security concerns in the near future.

Cloud jacking, also known as cloud account hijacking, is when a cybercriminal takes over an individual or business account, typically by some form of social engineering. Once in control of an account, hackers are limited only by their imagination, but you can expect some form of data or identity theft. Perhaps even a ransomware attack. The bottom line is that it probably won’t be much fun for the legitimate account owner.

__________

Chrome and Edge want to help with that password problem of yours

If you’re like a lot of people, someone has probably nagged you to use a password manager, and you still haven’t heeded the advice. Now, Chrome and Edge are coming to the rescue with beefed-up password management built directly into the browsers.

Microsoft on Thursday announced a new password generator for the recently released Edge 88. People can use the generator when signing up for a new account or when changing an existing password. The generator provides a drop-down in the password field. Clicking on the candidate selects it as a password and saves it to a password manager built into the browser. Users can then have the password pushed to their other devices using the Edge password sync feature.

Password generators are among the safest sources of strong passwords. Rather than having to think up a password that’s truly unique and hard to guess, users can instead have a generator do it properly.

______________

Military intelligence buys location data instead of getting warrants, memo shows

The Defense Intelligence Agency, which provides military intelligence to the Department of Defense, confirmed in a memo that it purchases “commercially available” smartphone location data to gather the information that would otherwise require the use of a search warrant.

The DIA “currently provides funding to another agency that purchases commercially available geolocation metadata aggregated from smartphones,” the agency wrote in a memo (PDF) to Sen. Ron Wyden (D-Ore.), first obtained by the New York Times.

The Supreme Court held in its 2018 Carpenter v. United States ruling that the government needs an actual search warrant to collect an individual’s cell-site location data. “When the Government tracks the location of a cell phone, it achieves near perfect surveillance, as if it had attached an ankle monitor to the phone’s user,” Chief Justice John Roberts wrote for the majority in his opinion. “The retrospective quality of the data here gives police access to a category of information otherwise unknowable.”

_____________

US administration adds “subliminal” ad to White House website

Hidden messages, features or jokes in apps and websites are commonly known in hacker jargon as easter eggs, because they’re supposed to be found and enjoyed, but they’re not supposed to be immediately obvious.

One of the most famous easter eggs in commercial software history – if not the most complex – was the hidden flight simulator (really!) in Microsoft Excel 97.

Sometimes, amusingly, it wasn’t games hidden in business apps, but business apps hidden in games.

One of the most famous computer games in software history, the first IBM PC version of Tetris, had a hidden spreadsheet as its easter egg, or more accurately as its boss mode.

Boss mode, activated with the boss key, often Ctrl-B or Alt-B so it was quick to type, popped up a more dubious sort of easter egg intended as a decoy.

____________

Why North Korea Excels in Cybercrime

Although the US and the United Nations have levied sanctions meant to prevent the illegal financing of nuclear weapons, North Korea is proving to be adept at sidestepping them — and is also remarkably proficient at cybercrime. As other countries try to hammer out common cybersecurity protocols, North Korea has rapidly grown its cyber capabilities, both domestically and abroad. As a result, despite ever-tightening sanctions, the regime is finding ways to exploit digital vulnerabilities around the world and launch cyberattacks — typically through its hacking teams, code-named Hidden Cobra or Lazarus Group — to extort money for its banned nuclear weapons development program.

In 2017, the US Department of Homeland Security and the FBI published a rare cybersecurity bulletin that linked North Korea to several attacks on US businesses and critical infrastructure. The alert concerned a type of malware dubbed Delta Charlie, which the Department of Homeland Security and FBI claim the North Korean government used to launch distributed denial-of-service (DDoS) attacks. These botnet attacks direct a flood of destructive IP traffic stemming from insecure Internet of Things devices to knock websites, applications, and other IT infrastructure offline for hours, days, or weeks.

____________

Speed of Digital Transformation May Lead to Greater App Vulnerabilities

Digital transformation initiatives have become a common way for companies to make their businesses more agile and to adapt quickly to market changes. But faster software development speeds and the greater number of applications may be causing vulnerabilities to be more common, application-security experts said this week.

Industries such as manufacturing, IT, and retail each have a large share of companies whose applications are always vulnerable, according to the AppSec Stats Flash monthly report from WhiteHat Security. Seventy percent of applications at manufacturing companies, 56% of IT applications, and 56% of retail applications have at least one serious vulnerability affecting the software for the entire year, the report stated.

Along with government agencies, healthcare, and real estate, these industries have the largest share of applications that have year-round vulnerabilities, the report states.

“These industries fall into a group of industries that have seen their number of applications per organization increase dramatically over the last several years as their business become increasingly digital,” says Zach Jones, senior director of detection research at WhiteHat Security. “For most organizations, achieving an average time to fix of less than 30 days on high- and critical-risk vulnerabilities is a policy that is rarely achieved.”

______________

Waymo CEO dismisses Tesla self-driving plan: “This is not how it works”

Many Tesla fans view the electric carmaker as a world leader in self-driving technology. CEO Elon Musk himself has repeatedly claimed that the company is less than two years away from perfecting fully self-driving technology.

But in an interview with Germany’s Manager magazine, Waymo CEO John Krafcik dismissed Tesla as a Waymo competitor and argued that Tesla’s current strategy was unlikely to ever produce a fully self-driving system.

“For us, Tesla is not a competitor at all,” Krafcik said. “We manufacture a completely autonomous driving system. Tesla is an automaker that is developing a really good driver assistance system.”

For Musk, these two technologies exist along a continuum. His plan is to gradually make Tesla’s Autopilot software better until it’s good enough to work with no human supervision. But Krafcik argues that’s not realistic.

_____________

What’s the technology behind a five-minute charge battery?

Building a better battery requires dealing with problems in materials science, chemistry, and manufacturing. We do regular coverage of work going on in the former two categories, but we get a fair number of complaints about our inability to handle the third: figuring out how companies manage to take solutions to the science and convert them into usable products. So, it was exciting to see that a company called StoreDot that was claiming the development of a battery that would allow five-minute charging of electric vehicles was apparently willing to talk to the press.

Unfortunately, the response to our inquiries fell a bit short of our hopes. “Thank you for your interest,” was the reply, “we are still in pure R&D mode and cannot share any information or answer any questions at the moment.” Apparently, the company gave The Guardian an exclusive and wasn’t talking to anyone else.