Friday Five: 5/11 Edition
Supply chain risk management advice, a GDPR primer, and more - catch up with the week's infosec news with this roundup!
1. Signal for Mac users should disable notifications to keep their messages secure by Taylor Hatmaker
Signal, the encrypted messaging app of choice for many, was quick to fix an issue that left supposedly disappearing messages viewable to anyone with physical access to a Mac. The contents of messages received through the app's desktop version could be seen in macOS' Notification Center, even if the sender had chosen to send a "disappearing message," one that self-destructs, so to speak, after it's sent. The issue is obviously concerning for users who value their privacy, like journalists or government workers. Initially, publications (like TechCrunch and Motherboard) encouraged users to change Signal's settings to disable notifications outright. Signal didn't waste much time putting out a new version of the app (1.10.0) that resolves the issue. Patrick Wardle, a noted Apple security expert and Chief Research Officer at Digita, verified that the fix works.
2. NIST wants the federal government to pay more attention to the supply chain by Sean Lyngaas
As if last month's revisions to NIST's Cybersecurity Framework weren't enough, this week the agency (which operates under the US Department of Commerce) released a draft update to its Risk Management Framework, the document federal agencies defer to when assessing cyber risk. NIST says "the growing dependence on component products, systems, and services from external providers and the relationships with the providers, present an increasing amount of risk to an organization." Several sections of the document (.PDF) harp on the importance of supply chain risk management. The draft arrives just a few weeks after NIST stressed that supply chain risk management (SCRM) plays a "crucial role" in addressing risk when it comes to critical infrastructure. This week's document, viewable here, also encourages agencies to shore up their information security and privacy programs to better safeguard personally identifiable information, or PII.
3. What Europe’s Tough New Data Law Means for You, and the Internet by Adam Satariano
Even if you've been beaten over the head, over and over again, about the EU's General Data Protection Regulation, or GDPR, for the last several months, the New York Times ran a refresher this past Sunday that's worth a read. Adam Satariano, the Times' Europe tech correspondent, explains succinctly and coherently what users can expect from the regulation, including their privacy rights and the obligations it places on companies. The article skimps on the minutiae, but it's the perfect piece to send to your mother or your uncle if they've been confused by all the privacy notices hitting inboxes of late.
4. Secure Data Act Reintroduced by John Eggerton
A potentially promising bit of news (if you're a fan of encryption) this week via Washington. The Secure Data Act, a bipartisan bill that aims to stop government agencies, or court orders for that matter, from mandating that companies put backdoors into their devices, was reintroduced in Congress on Thursday. We say reintroduced because the bill was first introduced, way back in 2014, by Senator Ron Wyden (D-Ore.). The Electronic Frontier Foundation, which laid some groundwork for the bill's resurgence last week, is understandably excited, but given the hurdles synonymous with Washington and bureaucracy, perhaps that excitement should be tempered, at least until the bill shows some signs of life.
5. Researchers say a breathalyzer has flaws, casting doubt on countless convictions by Zack Whittaker
Some crack reporting here via ZDNet's Zack Whittaker, who talked to two researchers who uncovered flaws in the source code used by breathalyzers that could, under some circumstances, produce incorrect breath test results. Defense teams obviously took issue with the findings, but that didn't stop governments from continuing to use the devices. It's a fascinating read on a prickly legal quagmire (the researchers' work stopped after mounting pressure from the breathalyzer's manufacturer). Draeger, the German medical technology maker that sells the device, told Whittaker the company was protecting its source code and intellectual property, a valid claim, not preventing further research.