Tech Talk Show Notes

March 6, 2021

Embracing a Zero Trust Security Model

As cybersecurity professionals defend increasingly dispersed and complex enterprise networks from sophisticated cyber threats, embracing a Zero Trust security model and the mindset necessary to deploy and operate a system engineered according to Zero Trust principles can better position them to secure sensitive data, systems, and services.

Zero Trust is a security model, a set of system design principles, and a coordinated cybersecurity and system management strategy based on an acknowledgment that threats exist both inside and outside traditional network boundaries. The Zero Trust security model eliminates implicit trust in any one element, node, or service and instead requires continuous verification of the operational picture via real-time information fed from multiple sources to determine access and other system responses.

The Zero Trust security model assumes that a breach is inevitable or has likely already occurred, so it constantly limits access to only what is needed and looks for anomalous or malicious activity. Zero Trust embeds comprehensive security monitoring, granular risk-based access controls, and system security automation in a coordinated manner throughout all aspects of the infrastructure in order to focus on protecting critical assets (data) in real time within a dynamic threat environment. This data-centric security model allows the concept of least-privileged access to be applied to every access decision, allowing or denying access to resources based on the combination of several contextual factors.

Systems that are designed using Zero Trust principles should be better positioned to address existing threats, but transitioning to such a system requires careful planning to avoid weakening the security posture along the way. NSA continues to monitor the technologies that can contribute to a Zero Trust solution and will provide additional guidance as warranted.

++++++++

Hard-coded key vulnerability in Logix PLCs has a severity score of 10 out of 10

Hardware that is widely used to control equipment in factories and other industrial settings can be remotely commandeered by exploiting a newly disclosed vulnerability that has a severity score of 10 out of 10.

The vulnerability is found in programmable logic controllers from Rockwell Automation that are marketed under the Logix brand. These devices, which range from the size of a small toaster to a large bread box or even bigger, help control equipment and processes on assembly lines and in other manufacturing environments. Engineers program the PLCs using Rockwell software called Studio 5000 Logix Designer.

On Thursday, the US Cybersecurity & Infrastructure Security Administration warned of a critical vulnerability that could allow hackers to remotely connect to Logix controllers and from there alter their configuration or application code. The vulnerability requires a low skill level to be exploited, CISA said.

++++++++

Chromebooks outsold Macs worldwide in 2020, cutting into Windows market share

New numbers show 2020 was the first year that Chromebooks outsold Macs, posting impressive market share gains at the expense of Windows. Computers powered by Google’s Chrome OS have outsold Apple’s computers in individual quarters before, but 2020 was the first full year that Chrome OS took second place. Microsoft’s Windows still retained majority market share, but also took a big hit as both Chrome OS and macOS gained share.

The milestone is based on numbers provided by IDC, which doesn’t typically break out sales based on the device operating system. But when we went looking to see how the pandemic may have impacted the PC market, IDC analyst Mike Shirer confirmed the findings to GeekWire. (We also contacted Gartner but that firm does not include Chromebooks in its traditional PC market results.)

This is a big win for Google and a warning for both Apple and Microsoft. It also signals to app and game developers that Chrome OS can no longer be ignored. Frankly, any business that provides a product or service over the internet should be setting aside resources to ensure the Chrome OS experience is comparable to Windows and macOS.

++++++++

Clubhouse’s Security and Privacy Lag Behind Its Explosive Growth

In recent months, the audio-based social media app Clubhouse has emerged as Silicon Valley’s latest disruptive darling. The format feels familiar: part Twitter, part Facebook Live, part talking on the phone. But as Clubhouse continues to expand, its security and privacy failings have come under increased scrutiny—and left the company scrambling to correct problems and manage expectations.

Clubhouse, still in beta and available only on iOS, offers its users “rooms” that are essentially group audio chats. They can also be set as public addresses or panel discussions where some users are “speakers” and the rest are audience members. The platform reportedly has over 10 million users and is valued at $1 billion. Since last year it has been an invite-only haven for Silicon Valley elite and celebrities, including an Elon Musk appearance earlier this month. But the company has struggled both with concrete security issues and more ephemeral questions around how much privacy its users should expect.

“With smaller, newer social media platforms, we should be on our guard about our data, especially when they go through huge growth it tests a lot of the controls,” says security researcher Robert Potter. “Things you might have gotten away with only 100,000 people on the platform—you increase those numbers tenfold and the level of exposure goes up, the threat goes up, the number of people probing your platform goes up.”

++++++++

New York sues to shut down ‘fraudulent’ Coinseed crypto platform

New York’s attorney general filed a lawsuit on Wednesday to shut down the cryptocurrency platform Coinseed Inc for allegedly defrauding thousands of investors, including by charging hidden trading fees and selling “worthless” digital tokens.

Attorney General Letitia James said Coinseed traded cryptocurrencies such as bitcoin without registering as a broker-dealer and sold “CSD” tokens without authorization to raise money for its mobile application startup.

James also sued Coinseed Chief Executive Delgerdalai Davaasambuu and former Chief Financial Officer Sukhbat Lkhagvadorj, saying they overstated the midtown Manhattan-based company’s management experience, while Lkhagvadorj misrepresented himself as a former Wall Street trader.

++++++++

Former SolarWinds CEO blames intern for ‘solarwinds123’ password leak

Current and former top executives at SolarWinds are blaming a company intern for a critical lapse in password security that apparently went undiagnosed for years.

The password in question, “solarwinds123,” was discovered in 2019 on the public internet by an independent security researcher who warned the company that the leak had exposed a SolarWinds file server.

Several US lawmakers ripped into SolarWinds for the password issue Friday, in a joint hearing by the House Oversight and Homeland Security committees.

“I’ve got a stronger password than ‘solarwinds123’ to stop my kids from watching too much YouTube on their iPad,” said Rep. Katie Porter. “You and your company were supposed to be preventing the Russians from reading Defense Department emails!”

++++++++

WhatsApp will basically stop working if you don’t accept the new privacy policy

WhatsApp confirmed in January that its updated privacy policy will go into effect starting May 15. With only a few months left, the company says its users will lose access to all the features that matter if they don’t agree to it.

In an email obtained by TechCrunch, originally sent to one of WhatsApp’s merchant partners, WhatsApp stated that those who don’t accept the changes by May 15 will “not be able to read or send messages from the app,” but “for a short time, these users will be able to receive calls and notifications.”

TechCrunch notes that a “short time” will stretch across a few weeks, but that feature, too, will eventually go away. You can still accept the policy after the deadline, of course.

The email also included a link to an FAQ page created by WhatsApp, running through the aforementioned details as well as options for those who don’t want to accept the new privacy policy. Prior to May 15, you can delete your account, download a report of it, and export your chat history.

++++++++

TikTok breaching users’ rights “on a massive scale”, says European Consumer Group

TikTok has been accused of breaching users’ rights “on a massive scale” by the European Consumer Group.

It is the latest warning for the video-sharing app, which has faced numerous complaints about its lax copyright policy and its inability to protect children from harmful content and hidden advertising.

The consumer group noted several issues in its complaint to the EU’s network of consumer protection authorities, with TikTok’s terms of service drawing particular criticism.

“They are unclear, ambiguous, and favor TikTok to the detriment of its users,” the organization said.

“Its copyright terms are equally unfair as they give TikTok an irrevocable right to use, distribute and reproduce the videos published by users, without remuneration.”

TikTok has told the BBC that it has requested a meeting with the group to discuss these issues.