Read. Learn. Share.
Tech Talk Show Notes
March 6, 2021
As cybersecurity professionals defend increasingly dispersed and complex enterprise networks from sophisticated cyber threats, embracing a Zero Trust security model and the mindset necessary to deploy and operate a system engineered according to Zero Trust principles can better position them to secure sensitive data, systems, and services.
Zero Trust is a security model, a set of system design principles, and a coordinated cybersecurity and system management strategy based on an acknowledgment that threats exist both inside and outside traditional network boundaries. The Zero Trust security model eliminates implicit trust in any one element, node, or service and instead requires continuous verification of the operational picture via real-time information fed from multiple sources to determine access and other system responses.
The Zero Trust security model assumes that a breach is inevitable or has likely already occurred, so it constantly limits access to only what is needed and looks for anomalous or malicious activity. Zero Trust embeds comprehensive security monitoring, granular risk-based access controls, and system security automation in a coordinated manner throughout all aspects of the infrastructure in order to focus on protecting critical assets (data) in real time within a dynamic threat environment. This data-centric security model allows the concept of least-privileged access to be applied to every access decision, allowing or denying access to resources based on the combination of several contextual factors.
Systems that are designed using Zero Trust principles should be better positioned to address existing threats, but transitioning to such a system requires careful planning to avoid weakening the security posture along the way. NSA continues to monitor the technologies that can contribute to a Zero Trust solution and will provide additional guidance as warranted.
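The notes above describe the model in the abstract: deny by default, verify every request against several live signals, and grant only the scope the request needs. The following is an added illustration of such a per-request policy decision, not NSA's guidance text or any vendor's product code. The resource tiers, signal names, thresholds (30-minute re-authentication window, 14-day patch age, anomaly cut-offs) and the sample contexts are assumptions chosen for the example; a real deployment would pull these from a policy store and from its monitoring pipeline.

```python
"""Contextual, deny-by-default access decisions in the Zero Trust style.

Added example; the tiers, thresholds and sample contexts below are assumed.
"""
from dataclasses import dataclass, field, replace
from datetime import datetime, timedelta, timezone

# Assumed resource classification: the tier decides how much context must line up.
RESOURCE_TIER = {
    "wiki/public": 1,
    "hr/payroll": 3,
    "prod/db-admin": 3,
}

# Fixed "now" so the example is reproducible (constructed, not a real clock).
NOW = datetime(2021, 3, 6, 12, 0, tzinfo=timezone.utc)


@dataclass
class Context:
    user: str
    mfa_verified: bool
    auth_time: datetime            # when the credential was last verified
    device_managed: bool
    device_disk_encrypted: bool
    device_patch_age_days: int
    anomaly_score: float           # 0.0 (normal) .. 1.0 (clearly anomalous), from monitoring
    on_corp_network: bool          # recorded for audit, never consulted for trust


@dataclass
class Decision:
    allow: bool
    scope: str                     # "none", "read" or "read-write"
    reasons: list = field(default_factory=list)


def decide(resource: str, action: str, ctx: Context, now: datetime = NOW) -> Decision:
    """Deny unless every factor required for the resource's tier holds."""
    d = Decision(allow=False, scope="none")
    tier = RESOURCE_TIER.get(resource)
    if tier is None:
        d.reasons.append("unclassified resource: no access")
        return d

    # Identity: credentials re-verified recently; MFA for anything beyond tier 1.
    max_age = timedelta(hours=8) if tier == 1 else timedelta(minutes=30)
    if now - ctx.auth_time > max_age:
        d.reasons.append(f"authentication older than {max_age}; re-verify")
    if tier >= 2 and not ctx.mfa_verified:
        d.reasons.append("MFA required for tier >= 2")

    # Device posture: sensitive tiers need a managed, encrypted, patched device.
    if tier >= 2 and not (ctx.device_managed and ctx.device_disk_encrypted):
        d.reasons.append("unmanaged or unencrypted device")
    if tier == 3 and ctx.device_patch_age_days > 14:
        d.reasons.append("device patches older than 14 days")

    # Behaviour: the monitoring feed can veto an otherwise well-formed request.
    # ctx.on_corp_network is deliberately ignored: location is not trust.
    if ctx.anomaly_score >= 0.8:
        d.reasons.append("anomaly score too high; session flagged")

    if d.reasons:
        return d

    # Least privilege: grant the narrowest scope; a noisy anomaly feed downgrades
    # writes on tier-3 resources to read rather than refusing outright.
    if action == "write" and tier == 3 and ctx.anomaly_score >= 0.5:
        d.allow, d.scope = True, "read"
        d.reasons.append("elevated anomaly score: write downgraded to read")
    else:
        d.allow, d.scope = True, ("read-write" if action == "write" else "read")
        d.reasons.append("all contextual checks passed")
    return d


def sample_contexts() -> dict:
    """Constructed contexts for the demonstration (not real telemetry)."""
    healthy = Context("alice", True, NOW - timedelta(minutes=5), True, True, 3, 0.1, False)
    return {
        "healthy": healthy,
        "noisy": replace(healthy, anomaly_score=0.6),
        "flagged": replace(healthy, anomaly_score=0.9),
        "corp_no_mfa": replace(healthy, mfa_verified=False, on_corp_network=True),
        "stale_auth": replace(healthy, auth_time=NOW - timedelta(hours=2)),
    }


def demo() -> dict:
    """Run a set of requests and return {label: (allow, scope)} for inspection."""
    c = sample_contexts()
    cases = {
        "payroll_read_healthy": ("hr/payroll", "read", c["healthy"]),
        "dbadmin_write_healthy": ("prod/db-admin", "write", c["healthy"]),
        "dbadmin_write_noisy": ("prod/db-admin", "write", c["noisy"]),
        "dbadmin_write_flagged": ("prod/db-admin", "write", c["flagged"]),
        "payroll_read_corp_no_mfa": ("hr/payroll", "read", c["corp_no_mfa"]),
        "wiki_read_corp_no_mfa": ("wiki/public", "read", c["corp_no_mfa"]),
        "payroll_read_stale": ("hr/payroll", "read", c["stale_auth"]),
        "unknown_resource": ("finance/ledger", "read", c["healthy"]),
    }
    return {k: (decide(r, a, ctx).allow, decide(r, a, ctx).scope) for k, (r, a, ctx) in cases.items()}


if __name__ == "__main__":
    for label, (allow, scope) in demo().items():
        print(f"{label:28s} allow={allow!s:5s} scope={scope}")
```

Two points in the code carry the weight of the model: being on the corporate network (`on_corp_network`) never contributes to the decision, and the anomaly score from monitoring can downgrade or veto a request whose identity and device checks all passed, which is what "continuous verification" means in practice.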
Hardware that is widely used to control equipment in factories and other industrial settings can be remotely commandeered by exploiting a newly disclosed vulnerability that has a severity score of 10 out of 10.
The vulnerability is found in programmable logic controllers from Rockwell Automation that are marketed under the Logix brand. These devices, which range from the size of a small toaster to a large bread box or even bigger, help control equipment and processes on assembly lines and in other manufacturing environments. Engineers program the PLCs using Rockwell software called Studio 5000 Logix Designer.
On Thursday, the US Cybersecurity and Infrastructure Security Agency (CISA) warned of a critical vulnerability that could allow hackers to remotely connect to Logix controllers and from there alter their configuration or application code. The vulnerability requires a low skill level to exploit, CISA said.
New numbers show 2020 was the first year that Chromebooks outsold Macs, posting impressive market share gains at the expense of Windows. Computers powered by Google’s Chrome OS have outsold Apple’s computers in individual quarters before, but 2020 was the first full year that Chrome OS took second place. Microsoft’s Windows still retained majority market share, but also took a big hit as both Chrome OS and macOS gained share.
The milestone is based on numbers provided by IDC, which doesn’t typically break out sales based on the device operating system. But when we went looking to see how the pandemic may have impacted the PC market, IDC analyst Mike Shirer confirmed the findings to GeekWire. (We also contacted Gartner but that firm does not include Chromebooks in its traditional PC market results.)
This is a big win for Google and a warning for both Apple and Microsoft. It also signals to app and game developers that Chrome OS can no longer be ignored. Frankly, any business that provides a product or service over the internet should be setting aside resources to ensure the Chrome OS experience is comparable to Windows and macOS.
In recent months, the audio-based social media app Clubhouse has emerged as Silicon Valley’s latest disruptive darling. The format feels familiar: part Twitter, part Facebook Live, part talking on the phone. But as Clubhouse continues to expand, its security and privacy failings have come under increased scrutiny, and left the company scrambling to correct problems and manage expectations.
Clubhouse, still in beta and available only on iOS, offers its users “rooms” that are essentially group audio chats. They can also be set as public addresses or panel discussions where some users are “speakers” and the rest are audience members. The platform reportedly has over 10 million users and is valued at $1 billion. Since last year it has been an invite-only haven for Silicon Valley elite and celebrities, including an Elon Musk appearance earlier this month. But the company has struggled both with concrete security issues and more ephemeral questions around how much privacy its users should expect.
“With smaller, newer social media platforms, we should be on our guard about our data, especially when they go through huge growth; it tests a lot of the controls,” says security researcher Robert Potter. “Things you might have gotten away with only 100,000 people on the platform—you increase those numbers tenfold and the level of exposure goes up, the threat goes up, the number of people probing your platform goes up.”
New York’s attorney general filed a lawsuit on Wednesday to shut down the cryptocurrency platform Coinseed Inc for allegedly defrauding thousands of investors, including by charging hidden trading fees and selling “worthless” digital tokens.
Attorney General Letitia James said Coinseed traded cryptocurrencies such as bitcoin without registering as a broker-dealer and sold “CSD” tokens without authorization to raise money for its mobile application startup.
James also sued Coinseed Chief Executive Delgerdalai Davaasambuu and former Chief Financial Officer Sukhbat Lkhagvadorj, saying they overstated the midtown Manhattan-based company’s management experience, while Lkhagvadorj misrepresented himself as a former Wall Street trader.
Current and former top executives at SolarWinds are blaming a company intern for a critical lapse in password security that apparently went undiagnosed for years.
The password in question, “solarwinds123,” was discovered in 2019 on the public internet by an independent security researcher who warned the company that the leak had exposed a SolarWinds file server.
Several US lawmakers ripped into SolarWinds for the password issue Friday, in a joint hearing by the House Oversight and Homeland Security committees.
“I’ve got a stronger password than ‘solarwinds123’ to stop my kids from watching too much YouTube on their iPad,” said Rep. Katie Porter. “You and your company were supposed to be preventing the Russians from reading Defense Department emails!”
In an email obtained by TechCrunch, originally sent to one of WhatsApp’s merchant partners, WhatsApp stated that those who don’t accept the changes by May 15 will “not be able to read or send messages from the app,” but “for a short time, these users will be able to receive calls and notifications.”
TechCrunch notes that a “short time” will stretch across a few weeks, but that feature, too, will eventually go away. You can still accept the policy after the deadline, of course.
TikTok has been accused of breaching users’ rights “on a massive scale” by the European Consumer Group.
It is the latest warning for the video-sharing app, which has faced numerous complaints about its lax copyright policy and its inability to protect children from harmful content and hidden advertising.
The consumer group noted several issues in its complaint to the EU’s network of consumer protection authorities, with TikTok’s terms of service drawing particular criticism.
“They are unclear, ambiguous, and favor TikTok to the detriment of its users,” the organization said.
“Its copyright terms are equally unfair as they give TikTok an irrevocable right to use, distribute and reproduce the videos published by users, without remuneration.”
TikTok has told the BBC that it has requested a meeting with the group to discuss these issues.