IEEE Cipher --- Items from security-related news (E169)
Summary:
We note with sadness the sudden passing of Drew Dean, a researcher who
contributed greatly to our field. His friends and colleagues are now
preparing tributes to him, but they are not yet available. The
computer security research community is over 50 years old, and it has
lost enough notable people to warrant a community memorial page, where Drew will be
remembered.
Summary:
Over a hundred million Americans have signed up for TikTok accounts.
The company is owned by the Chinese tech giant Bytedance, and that
has given US regulators pause. However, the exact dangers of the
app remain unknown, despite being talking points in the US midterm
elections. This vagueness has not stopped the current administration
from planning to double down on the current bans against its use on
military devices and for some agencies, such as TSA. An upcoming
executive order is said to address TikTok and the ability of China to
collect data on Americans. This might interfere with US investment in
China.
The relationship between TikTok and Bytedance is structured to protect the data of US users, at least on paper. TikTok is a US company, subject to US data privacy laws. Can Bytedance engineers access TikTok user data? Perhaps. Do they? If they do, they would purportedly have to make a request to TikTok, and TikTok would have to keep a record of that. TikTok says that no requests have been made. Is that good enough? Meta's notoriously porous controls over Facebook data are a poor example, but perhaps not all social media companies should be tarnished with the same brush.
Why is TikTok, among all social media apps, seen as such a looming danger? Even if its data were being harvested by the Chinese government, it seems unlikely to yield any more information than is available already on the "dark web". Perhaps there is some concern about having foreign agents conduct focused disinformation campaigns leading up to the next US general election. Whatever the concern, the US citizen remains in the dark.
Summary:
North Koreans are alleged to have stolen lots of money from the
Vietnamese gaming company Sky Mavis. The thefts
$30 mil is a nice chunk of change, and it is a feel-good headline
about stopping international cryptocurrency thefts. But the flip
side of the news is: "... the seizures still only account for a sliver
of the billions of dollars made through cybercrime
annually. Cybercriminals received more than $1.2 billion in ransom
payments in 2020 and 2021 combined, according to Chainalysis." But
wait a minute! The article also mentions that Sky Mavis lost $600
million. So that single Vietnamese company loss accounted for 50%
of all cybertheft last year?
In any case, the "recovered" money is said to be "frozen" at a cryptocurrency "mixer". Increasingly, the FBI targets these services in order to make it harder for hackers to get their stolen cryptocurrency secured with the cloak of anonymity.
Summary:
The good news is that Nigeria has a state health agency that uses AWS
services to manage data on 37K of its clients. The bad news is that
all their personal data was unsecured online from April to late July
of this year. This situation is "typical of widespread cybersecurity
issues in Nigeria, where regulations are ineffective, bad practices
run rampant, and public disclosures of security breaches are often
slow and insufficient." Security awareness remains low, despite the
guidelines established by their National Information Technology
Development Agency (NITDA). Good news, they have such an agency, bad
news, no one pays any attention to it.
Summary:
If you want to move a group of files and their directory structure to
a new environment, and you want to package all those files into one
file for transfer, "tar" is a time-honored format for doing that. It is
as common as mud, a workhorse of portability. Yet, with great power
comes great responsibility. Unpacking a tar file can spray files
anywhere, and the "untar" function has to be used with caution, lest
it overwrite things that are important. Code for creating and
unpacking tar files is part of Python and has been for some time, but
the library function has no safeguards to keep it confined to a single
part of the file system. Technically, this is not a bug; it is just a
failure to include handrails for a powerful function. However,
researchers found that the tar function is included in many thousands
of GitHub projects, and it is unlikely that all those uses are
carefully confined, so the possibility of misuse is great. No known
exploits have been reported.
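As an added illustration of the missing handrail (this is not code from the article or from the Python project), the check below refuses to unpack an archive if any member, or the target of any link it contains, would land outside the destination directory. The sample archive is constructed in memory, and its "../escape.txt" entry is a hypothetical test case, not a real-world artifact.

```python
import io
import os
import tarfile
import tempfile

def is_within_directory(directory, target):
    """True if target, after resolving '..' and symlinks, stays inside directory."""
    abs_dir = os.path.realpath(directory)
    return os.path.commonpath([abs_dir, os.path.realpath(target)]) == abs_dir

def unsafe_members(tar, dest):
    """Names of members whose extraction path, or link target, would escape dest."""
    bad = []
    for m in tar.getmembers():
        targets = [os.path.join(dest, m.name)]
        if m.issym():    # symlink targets resolve relative to the link's own directory
            targets.append(os.path.join(os.path.dirname(targets[0]), m.linkname))
        elif m.islnk():  # hard-link targets resolve relative to the archive root
            targets.append(os.path.join(dest, m.linkname))
        if not all(is_within_directory(dest, t) for t in targets):
            bad.append(m.name)
    return bad

def safe_extract(tar, dest):
    """Refuse the whole archive if any member escapes dest; stock extractall() does no such check."""
    bad = unsafe_members(tar, dest)
    if bad:
        raise tarfile.TarError("refusing to extract, members escape %s: %s" % (dest, bad))
    tar.extractall(dest)

def build_demo_archive():
    """Constructed sample: one benign file plus one '..' member name (hypothetical, not a real artifact)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in (("good/readme.txt", b"hello\n"), ("../escape.txt", b"oops\n")):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def demo():
    """Run the check into a fresh temp dir; returns (unsafe names, refused?, files written)."""
    dest = tempfile.mkdtemp()
    with tarfile.open(fileobj=io.BytesIO(build_demo_archive())) as tar:
        bad = unsafe_members(tar, dest)
        try:
            safe_extract(tar, dest)
        except tarfile.TarError:
            return bad, True, sorted(os.listdir(dest))
    return bad, False, sorted(os.listdir(dest))
```

Python 3.12 added an `extractall(filter="data")` option that performs equivalent confinement checks; the explicit version above works on older interpreters as well.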
Summary:
Optus is an Australian company that registers identity information about
cellphone users. Brett Callow, a threat analyst, posted on Twitter
that names and email addresses for 1.1 million Optus customers had
been for sale online since 17 September. Bayer Rosmarin of Optus could not say
whether that was true, but the total exposure could be as great as
their total customer base of 9.8 million.