Friday Five 2/5
Chrome updates, open source frameworks, and an interview with a cybercriminal - catch up on all of the week's infosec news with the Friday Five!
1. Chrome's Cookie Update Is Bad for Advertisers but Good for Google by Matt Burgess
A significant future update of Google Chrome will remove third-party cookies. In theory, this move is positive for personal privacy as it’ll make it much harder to track users’ web activity. But the reality is more complicated: Chrome itself will now log browsing history and group users by similar interests. The change comes as part of the larger Privacy Sandbox initiative, which is Google's proposal to improve online ads. It’s unclear whether the new update will ultimately improve privacy for users, but just about everyone agrees that the current online ad system needs to be altered. For many, there is still the valid concern that the vast majority of data will flow to a small group of powerful tech companies, something which will boost their advertising revenue but is likely not the best thing for the average consumer.
2. Congress is starting to move on more cyber bills, even if few become law by Tim Starks
Though Congress has increased the number of cybersecurity bills introduced, this has not led to a proportional increase in new cybersecurity laws. The upsurge in proposed legislation is an indication of the growing comfort among elected officials with cybersecurity issues. However, the dysfunction facing Congress is spilling over and affecting its ability to pass cybersecurity legislation. This failure of legislation has been especially apparent on the issue of election security. One potentially concerning detail is that a large portion of cybersecurity legislation is getting wrapped up in the annual defense policy bill as a national security issue, which may lead to a militarization of cyber policy. That said, a positive aspect of this association is that national security issues tend to have the most bipartisan support and consensus.
3. Interview With a Russian Cybercriminal by Kelly Sheridan
In September, researchers interviewed a cybercriminal after verifying their standing within the LockBit community. Going by the assumed name Aleks, he explained that he was attracted to cybercrime after becoming disillusioned with his career in IT. Some interesting tidbits: his admission that a large number of hospitals pay their ransom, about 80-90%, especially if they have insurance; a tendency of companies in Europe to pay quickly and quietly to avoid GDPR fines; and many attacks originating from a lack of patching after CVEs are published. Though the interview is with one cybercriminal and is not necessarily representative of the larger ransomware community, it’s important to understand the psychology and strategy behind ransomware attacks if the cybersecurity community hopes to mitigate the problem.
4. Pro-China influence campaign claiming 'hypocrisy' of American democracy gains traction by Shannon Vavra
A social media campaign aligned with the Chinese government known as Spamouflage Dragon has recently picked up some attention online. Though its content is spammy and basic, real users, including politicians and diplomats, have begun amplifying the content. The campaign is evolving: spammers are creating more realistic personas to try to convince users that the information is coming from more familiar and reliable sources, as opposed to the Chinese government. Though the campaign is currently fairly ineffective, its recent traction is another concerning indication of what people will believe online and a preview of the evolution of propaganda in the coming years.
5. Know, Prevent, Fix: A framework for shifting the discussion around vulnerabilities in open source by Eric Brewer, Rob Pike, Abhishek Arya, Anne Bertucio, and Kim Lewandowski
This week, a group of Google security professionals released a framework for how to discuss fixing vulnerabilities in open-source software. The framework stresses the importance of reaching a consensus on metadata and identity standards and increasing transparency and review of critical software. The issue of fixing vulnerabilities in open source is complicated as it includes challenges pertaining to supply chain, dependency management, identity, and build pipelines. The group lays out two sets of goals: the first to address vulnerabilities, enable automation, and reduce workload and risk; the second to define the set of critical software packages. The hope is that the framework will further the discussion and get the security community on the path to addressing this important problem.