Dr. T's security brief


dtau...@gmail.com

Jun 7, 2021, 8:32:44 AM
to sec-...@googlegroups.com

France Embraces Google, Microsoft in Quest to Safeguard Sensitive Data
Reuters
Mathieu Rosemain
May 17, 2021


The French government has indicated that cloud computing technology developed by Google and Microsoft could be used to store sensitive state and corporate data, providing it is licensed to French companies. French Finance Minister Bruno Le Maire acknowledged U.S. technological superiority in the field but said guaranteeing the location of servers on French soil, and European ownership of the companies that store and process the data, could help ensure a "trustworthy" cloud computing alternative. Companies that offer cloud computing services that meet these principles and other conditions set forth by France's cybersecurity agency ANSSI could receive a "trustworthy cloud" designation. Two French companies already meet the criteria.

Full Article

 

 

Irish Health System Targeted in 'Serious' Ransomware Attack
Associated Press
May 14, 2021


Ireland's health service said a ransomware attack led by "international criminals" forced the shutdown of its information technology systems on May 14. Deputy Prime Minister Leo Varadkar, who called the incident "very serious," said it could last for days. Steve Forbes at U.K. Web domain registry Nominet said the breach highlights concerns about the vulnerability of critical infrastructure to worsening attacks by hacker gangs and criminals, and threatens to exacerbate a health system already strained by the pandemic. Forbes said the Irish hack and the recent disruption of the Colonial Pipeline in the U.S. show that "criminal groups are choosing targets that will have the greatest impact on governments and the public, regardless of the collateral damage, in order to apply the most leverage."

Full Article

 

 

Facebook Loses Bid to Block Ruling on EU-U.S. Data Flows
The Wall Street Journal
Sam Schechner
May 14, 2021


Facebook has lost its attempt to block a European Union privacy ruling that could bar its sending of information about European users to U.S. computer servers. Ireland's High Court rejected Facebook's procedural complaints about a preliminary decision on data flows from the country's Data Protection Commission (DPC), which spurned Facebook's argument that it had allocated too little time for the company to respond, or issued a judgment prematurely. Legal experts say the reasoning in Ireland's provisional directive could apply to other large technology companies that are subject to U.S. surveillance statutes, potentially disrupting trans-Atlantic data flows and billions of dollars for the cloud computing, social media, and advertising sectors.

Full Article

*May Require Paid Registration

 

 

Biden Signs Executive Order to Strengthen U.S. Cybersecurity Defenses After Colonial Pipeline Hack
CNBC
Kevin Breuninger; Amanda Macias
May 12, 2021


In the wake of the Colonial Pipeline ransomware attack, President Biden has signed an executive order to fortify U.S. cybersecurity defenses. The pipeline hack is the latest in a string of high-profile attacks on private and federal entities conducted by criminal groups or state actors. Biden's directive requires information technology service providers to alert the government to cybersecurity breaches that could impact U.S. networks, and lifts contractual barriers that might prevent them from flagging breaches. The order also calls for a standardized playbook and definitions for federal responses to cyber incidents; upgrades to cloud services and other cyber infrastructure security; a mandate that software developers share certain security data publicly; and a Cybersecurity Safety Review Board to analyze breaches and make recommendations.

Full Article

 

 

Study Explores Privacy of Prison Communications
Carnegie Mellon University CyLab Security and Privacy Institute
Daniel Tkacik
May 11, 2021


The constant monitoring of people incarcerated in the U.S. extends to communications between inmates and their relatives, according to a study by researchers at Carnegie Mellon University's CyLab Security and Privacy Institute. Through interviews with 16 family members of people imprisoned in Pennsylvania, the researchers learned that participants were generally aware their communications with inmates were surveilled, but their understanding of more advanced monitoring methods, like voice-printing and location tracking for calls received on a cellphone, was limited. The researchers said while prison communication companies have the technical capabilities to change, there is little evidence they would alter their surveillance practices without being required to do so by regulators.

Full Article

 

 

Graphene Key for Novel Hardware Security
Penn State College of Engineering News
Gabrielle Stewart
May 10, 2021


Researchers at Pennsylvania State University (Penn State) have demonstrated the first graphene-based physically unclonable function (PUF), a hardware security device resistant to the use of artificial intelligence (AI) techniques to crack encrypted keys. The researchers said graphene's physical and electrical properties ensure the novel PUF is more energy-efficient, scalable, and secure than silicon PUFs. The researchers tested the PUF's security by using a simulation of 64 million graphene-based PUFs to train an AI to determine whether it could make predictions about the encrypted data and identify system insecurities. Penn State's Saptarshi Das said, "We found that AI could not develop a model, and it was not possible for the encryption process to be learned."

Full Article

 

 

Ransomware Attack Leads to Shutdown of Major U.S. Pipeline System
The Washington Post
Ellen Nakashima; Yeganeh Torbati; Will Englund
May 8, 2021


A ransomware attack forced operators of the Colonial Pipeline to shut down its network on Friday, highlighting the vulnerability of industrial sectors to such threats. A U.S. official and another source familiar with the matter said the attack appears to have been conducted by DarkSide, an Eastern European-based criminal gang believed to operate primarily out of Russia. Private companies that probe cyberattacks say they are handling cases involving DarkSide targeting U.S. industrial firms with ransomware, while many other ransomware gangs also appear to be attacking such companies in greater numbers than previously known. Eric Goldstein at the U.S. Department of Homeland Security's Cybersecurity and Infrastructure Security Agency said, "We encourage every organization to take action to strengthen their cybersecurity posture to reduce their exposure to these types of threats."

Full Article

*May Require Paid Registration

 

 

96% of U.S. Users Opt Out of App Tracking in iOS 14.5, Analytics Find
Ars Technica
Samuel Axon
May 7, 2021


U.S. users have opted out of application tracking nearly all (96%) of the time following Apple's release of iOS 14.5 in April, according to mobile app analysis platform Flurry Analytics. That release was accompanied by Apple’s launch of enforcement of the App Tracking Transparency policy, which requires iPhone, iPad, and Apple TV apps to request user consent to monitor their activity across multiple apps for data collection and ad targeting. Based on data from roughly 1 million mobile apps, Flurry Analytics said U.S. users agree to be tracked only 4% of the time; globally, the firm found that number reaching 12%.

Full Article

 

 

AI Consumes a Lot of Energy. Hackers Could Make It Consume More.
MIT Technology Review
Karen Hao
May 6, 2021


Maryland Cybersecurity Center (MC2) researchers have outlined an attack that could boost the energy consumption of artificial intelligence (AI) systems by forcing a deep neural network to overuse computational resources. The team added small amounts of noise to the inputs of an input-adaptive multi-exit neural network; the perturbed inputs were perceived as more difficult, increasing the computation, and therefore the energy, required to process them. Assuming the attacker had full data about the network, the researchers could max out its energy draw; assuming the attacker had little to no data, they could still slow processing and increase energy consumption 20% to 80%. This hack remains somewhat theoretical, but MC2's Tudor Dumitras said, "What's important to me is to bring to people's attention the fact that this is a new threat model, and these kinds of attacks can be done."

Full Article

 

 

Spotify Urged to Rule Out 'Invasive' Voice Recognition Tech
Reuters
Umberto Bacchi
May 4, 2021


A coalition of musicians and human rights groups has called on music streaming service Spotify to rule out using a recently developed speech recognition tool for suggesting songs, describing the product as "invasive." The tool analyzes users' speech and background noise to suggest tracks based on mood, gender, age, accent, or surroundings. In its original patent application, Spotify said the tool was designed to streamline the tedious process of personalizing music suggestions to users' tastes; the coalition warned such devices could absorb private information and make deductions about other people in the room who might be unaware they were being surveilled. An open letter by the coalition called the technology "dangerous, a violation of privacy and other human rights," and urged Spotify to discard it altogether, and publicly vow never to "use, license, sell, or monetize it."

Full Article

 

 

60% of School Apps Are Sharing Kids' Data with 3rd Parties
Gizmodo
Shoshana Wodinsky
May 4, 2021


A study by technology-focused nonprofit Me2B Alliance analyzed 73 "utility" apps for school districts and found that about 60% share some student data with third-party marketing companies. These apps are downloaded by students and parents to review school calendars or bus schedules, among other things. The data shared includes the student's location, their contact list, and their phone's mobile ad identifiers. The researchers found 486 software development kits (SDKs), small libraries of code that help monetize the apps by sharing data with third-party app networks, across the 73 apps. About two-thirds of the SDKs were owned and operated by Facebook or Google, and the rest shared data with lesser-known third parties that shared data with dozens, if not hundreds, of other lesser-known third parties.

Full Article

 
