Friday Five: 10/11 Edition
News on a new military cyber alert system, Twitter mishandles user data, and what to do with data if there's a no-deal Brexit. Catch up on the week's news with the Friday Five.
1. The Military Is Getting a Much-Needed Anti-Cyber Alarm System by Kyle Mizokami
In what might be the most interesting story of the week: news via Popular Mechanics, via Defense One, on a new cyber alarm system that should be able to tip off the military if a hacker has tampered with a plane's computer systems. The system monitors MIL-STD-1553, the military standard that defines the mechanical, electrical, and functional characteristics of the serial data bus tying together a plane's onboard systems. The standard is decades old, first introduced in 1973, and it hasn't been updated. Through a self-funded project, Raytheon is building the system, dubbed the Cyber Anomaly Detection System, after receiving customer feedback about vulnerabilities in aviation platforms. Per Defense One, the tech could eventually be used to detect cyber intrusions on drones, vehicles and missiles.
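Neither article describes how Raytheon's detector works, so the following is an added example, not the product's code: it decodes MIL-STD-1553B command words and flags any that fall outside a baseline of "known good" bus traffic (unknown RT/subaddress pairs, unexpected mode codes, oversized word counts, and bursts of commands to one terminal). The RT numbers, subaddresses, limits and sample frames are constructed for the example and do not come from any real aircraft.

```python
"""Allow-list anomaly check for MIL-STD-1553 command words (added example)."""
from collections import Counter

# MIL-STD-1553B command word, 16 data bits, most significant bit first:
#   bits 15..11  remote terminal (RT) address        (5 bits)
#   bit  10      transmit/receive (T/R) bit          (1 = RT transmits)
#   bits  9..5   subaddress, or mode indicator       (5 bits; 0 or 31 = mode code)
#   bits  4..0   data word count, or mode code       (5 bits; a word count of 0 means 32)
def decode_command(word):
    """Split a 16-bit command word into its fields."""
    rt = (word >> 11) & 0x1F
    tr = (word >> 10) & 0x1
    sa = (word >> 5) & 0x1F
    wc = word & 0x1F
    return {"rt": rt, "tr": tr, "sa": sa, "wc_or_mode": wc, "mode_code": sa in (0, 31)}

def encode_command(rt, tr, sa, wc):
    """Inverse of decode_command, used here only to build constructed sample traffic."""
    return ((rt & 0x1F) << 11) | ((tr & 1) << 10) | ((sa & 0x1F) << 5) | (wc & 0x1F)

# Constructed baseline for a hypothetical bus profile (RT numbers, subaddresses
# and limits are invented for this example, not taken from any real platform).
# Key: (rt, tr, subaddress) -> largest word count observed during baselining.
BASELINE_MESSAGES = {
    (3, 1, 2): 16,   # RT 3 transmits up to 16 words from subaddress 2
    (5, 0, 4): 8,    # RT 5 receives up to 8 words on subaddress 4
    (7, 1, 1): 4,    # RT 7 transmits up to 4 words from subaddress 1
}
# (rt, mode_code) pairs seen during baselining; mode code 2 is "transmit status word".
BASELINE_MODE_CODES = {(3, 2), (5, 2), (7, 2)}
# Most times any one RT was addressed within a single major frame during baselining.
BASELINE_MAX_PER_RT = 6

def check_frame(command_words):
    """Return (word, reason) pairs for every command word that departs from the baseline."""
    anomalies = []
    per_rt = Counter()
    for word in command_words:
        c = decode_command(word)
        per_rt[c["rt"]] += 1
        if c["mode_code"]:
            if (c["rt"], c["wc_or_mode"]) not in BASELINE_MODE_CODES:
                anomalies.append((word, f"unexpected mode code {c['wc_or_mode']} to RT {c['rt']}"))
            continue
        key = (c["rt"], c["tr"], c["sa"])
        words = c["wc_or_mode"] or 32          # a zero count field means 32 data words
        if key not in BASELINE_MESSAGES:
            anomalies.append((word, f"message not in baseline: RT={c['rt']} T/R={c['tr']} SA={c['sa']}"))
        elif words > BASELINE_MESSAGES[key]:
            anomalies.append((word, f"word count {words} exceeds baseline {BASELINE_MESSAGES[key]} for {key}"))
    # Rate check: a burst of commands to one RT is also out of profile.
    for rt, n in per_rt.items():
        if n > BASELINE_MAX_PER_RT:
            anomalies.append((None, f"RT {rt} addressed {n} times in one frame (baseline max {BASELINE_MAX_PER_RT})"))
    return anomalies

# Constructed sample frames: one matching the baseline, one with three injected commands.
NORMAL_FRAME = [
    encode_command(3, 1, 2, 16),   # RT 3 -> bus controller, 16 words
    encode_command(5, 0, 4, 8),    # bus controller -> RT 5, 8 words
    encode_command(7, 1, 1, 4),    # RT 7 -> bus controller, 4 words
    encode_command(3, 1, 31, 2),   # mode code 2 (transmit status word) to RT 3
]
INJECTED_FRAME = NORMAL_FRAME + [
    encode_command(5, 0, 9, 4),    # subaddress never seen in the baseline
    encode_command(3, 1, 31, 8),   # mode code never seen in the baseline
    encode_command(3, 1, 2, 0),    # count field 0 = 32 words, above the 16-word baseline
]

if __name__ == "__main__":
    for word, reason in check_frame(INJECTED_FRAME):
        label = f"0x{word:04x}" if word is not None else "------"
        print(f"{label}  {reason}")
```

A real detector would learn the baseline from recorded flights rather than a hand-written table and would also watch the status and data words, but the shape is the same: the bus has a small, fixed vocabulary of legitimate messages, so anything outside it is worth an alert.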
2. These are the Apple macOS Catalina 10.15 security updates you need to know about by Charlie Osborne
macOS Catalina, Apple's latest operating system, has only been out a few days. While the jury's still out on how smooth the release is (The Verge reports a couple of issues), those who have installed it will want to look over this quick piece from ZDNet and then apply the updates Apple pushed for the OS shortly after release. According to the piece, the fixes cover a handful of memory corruption bugs that could be exploited to execute arbitrary code with kernel and system privileges, in addition to a logic vulnerability, another code execution bug, and a buffer overflow, among other issues. With Apple, it's never a surprise to see updates resolving bugs so quickly after a release, and this is no exception.
3. Twitter "Unintentionally" Used Your Phone Number for Targeted Advertising by Gennie Gebhart and Jacob Hoffman-Andrews
One of the biggest stories of the week involved yet another public gaffe by Twitter, which acknowledged on Tuesday that it "inadvertently" used data such as users' email addresses and phone numbers for advertising purposes. Users supplied that data to the social network on the understanding that it would be used for safety and security purposes, but per Twitter, it ended up feeding ad targeting as well. Twitter couldn't say exactly how many users were affected by the slip-up, but said it fixed the issue on September 17 and is "no longer using phone numbers or email addresses collected for safety or security purposes for advertising." This post from the always reliable Electronic Frontier Foundation makes an important point that stems from the news: this shouldn't scare users away from two-factor authentication. Instead, it should pressure Twitter to embrace forms of two-factor authentication that don't require a phone number, like authenticator apps and hardware tokens.
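To make the EFF's point concrete, here is an added example (not Twitter's code, and not from the EFF post) of what an authenticator-app second factor actually needs on the server side: a random seed per account and the standard HOTP/TOTP computation from RFC 4226 and RFC 6238. Enrolment hands the seed to the app via an otpauth URI, and verification only ever compares codes derived from that seed, so there is no phone number or email address to collect and later "inadvertently" reuse. The issuer and account names in the usage block are placeholders.

```python
"""TOTP enrolment and verification with no phone number involved (added example)."""
import base64
import hashlib
import hmac
import secrets
import struct
import time
from urllib.parse import quote

def hotp(secret, counter, digits=6, digestmod=hashlib.sha1):
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"

def totp(secret, unix_time, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with the counter derived from the wall clock."""
    return hotp(secret, int(unix_time) // step, digits)

def enrol(issuer, account):
    """Server side of enrolment: generate a random seed and the otpauth URI the app scans.
    The only thing the server has to store is the seed; no phone number or email is needed."""
    seed = secrets.token_bytes(20)                      # 160-bit seed, the RFC's size for SHA-1
    b32 = base64.b32encode(seed).decode().rstrip("=")   # authenticator apps expect base32
    uri = (f"otpauth://totp/{quote(issuer)}:{quote(account)}"
           f"?secret={b32}&issuer={quote(issuer)}&algorithm=SHA1&digits=6&period=30")
    return seed, uri

def verify(seed, submitted, unix_time=None, step=30, window=1):
    """Accept the current step and up to `window` steps either side to tolerate clock drift.
    hmac.compare_digest keeps the comparison constant-time."""
    now = int(time.time()) if unix_time is None else int(unix_time)
    counter = now // step
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(seed, counter + delta), submitted):
            return True
    return False

if __name__ == "__main__":
    seed, uri = enrol("example.org", "alice")       # placeholder issuer and account
    print(uri)
    code = totp(seed, time.time())
    print(code, verify(seed, code))
```

A production deployment would additionally reject a code that has already been accepted within its time window (to stop replay) and rate-limit attempts, but the data-minimisation point stands: the seed is the whole enrolment record.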
4. DHS asks Congress for subpoena authority to contact vulnerable asset owners by Sean Lyngaas
The Department of Homeland Security is hoping to change the law so it can identify the owners of vulnerable systems and contact them directly, instead of waiting on outside parties to pass the message along. As CyberScoop points out, this is mostly a move to quicken the pace at which CISA, DHS's Cybersecurity and Infrastructure Security Agency, engages companies about cyber threats. Specifically, DHS is seeking administrative subpoena authority, which would compel an internet service provider to hand over the contact information of the owner of vulnerable equipment so CISA can open a dialogue. Right now, CISA typically has only an IP address, which can only get it so far.
5. No-deal Brexit data - should firms worry? by Rory Cellan-Jones
The UK's Prime Minister Boris Johnson has insisted the country will leave the EU on October 31, and while that remains very much up in the air, firms there will no doubt want to familiarize themselves with how to handle data in the event of a no-deal Brexit. The government released step-by-step guidance on exactly that this week. The BBC provides a nice recap of the main issue: data can flow freely across the EU as long as companies conform to the GDPR. If the UK leaves without a deal, it will need an adequacy ruling from the EU to show its data protection standards are up to par. In the meantime, to keep data flowing from the EEA to the UK, organisations receiving it should put a contract in place with the EEA sender on EU-approved terms, i.e. standard contractual clauses. The BBC piece explains this in more detail.