Friday Five: 4/5 Edition
Employee theft at SMBs, fighting stalkerware, and a "hacker-proof" new cryptographic library - catch up on the week's infosec news with this roundup!
1. Small businesses are extra vulnerable to employee theft; so what can they do? by Joyce M. Rosenberg
A straightforward, no-frills piece via the Associated Press on how small businesses have been affected by former employees stealing data. “It was a huge eye opener. I’m someone who’s very trusting and I love our employees,” Suelyn Farel, the owner of a New York City-based beauty products company, told the publication. “It really reminded me that I have to be careful, that possibly my judgment of the character of people around me is wrong.” The story goes on to interview small business owners who've fallen victim to employee theft. It helps support the idea behind a report published just last month: 58 percent of small to medium business execs are more concerned about experiencing a data breach than a flood, fire, or break-in.
2. Hacker Eva Galperin Has a Plan to Eradicate Stalkerware by Andy Greenberg
One of our favorite stories of the week digs into some of the good being done to combat stalkerware. This piece, via WIRED, digs into how Eva Galperin, a researcher who heads up the Electronic Frontier Foundation's Threat Lab, is pressing the anti-virus industry and Apple to make strides to better protect users from stalkerware - software that enables users to track their spouses and can often lead to physical abuse or stalking. "Full access to someone’s phone is essentially full access to someone’s mind," Galperin told the magazine's Andy Greenberg this week. The article, much like Kim Zetter's ShadowHammer piece last week about how attackers hijacked ASUS' software updates, serves as a tease for Kaspersky Lab's big Security Analyst Summit next week: The company will unveil more around ShadowHammer and announce a change to how it flags stalkerware on Android phones, an early victory for Galperin.
3. Cryptography That Can’t Be Hacked by Kevin Hartnett
It's almost impossible not to roll your eyes when you read the phrase "hacker-proof," but this is an interesting take - and on something I wasn't familiar with: EverCrypt, a set of digital cryptography tools that's supposedly provably invulnerable to most types of hacking attacks. The tools, which were born out of a Carnegie Mellon/Microsoft Research initiative dubbed Project Everest in 2016, are apparently free of some of the things that usually plague cryptographic libraries, including coding errors like buffer overruns. This piece, via Quanta Magazine, is just an introduction to EverCrypt, but it’s worth flagging to see how the tools evolve over the years.
4. Covert data-scraping on watch as EU DPA lays down 'radical' GDPR red-line by Natasha Lomas
It's always interesting to check in across the pond to see what the repercussions around GDPR have been. TechCrunch has news this week on a company in Poland that was found in violation and told by Poland’s data protection authority to a) pay a €220K fine and - this is where it gets interesting - b) reach out to the six million people whose data it failed to protect under Article 14 of the regulation. The company, a digital marketing firm named Bisnode, isn't going to do that; it's just going to delete the records. It's also willing to fight the ruling, something that could have some ramifications, as this piece points out: "Any challenge to the UODO's enforcement decision could therefore end up clarifying (and/or setting) some harder limits around covert scraping of personal data, if it reaches the Court of Justice of the European Union (CJEU) - potentially affecting operators in multiple industries and sectors such as business intelligence, advertising and even cyber threat intelligence." TechCrunch goes deep here – this piece is roughly 3,200 words – but it’s worth reading to get a better idea of how both Poland's Personal Data Protection Office (UODO) and the company are interpreting the regulation.
5. MIT cuts collaborations with Huawei and ZTE over security concerns by Rosie Perper
The dominoes around Huawei and ZTE continue to fall. The latest came this week when the Massachusetts Institute of Technology said it would be more closely scrutinizing its relationships with technology firms and the countries they operate in. In a letter to the school, MIT's Associate Provost Richard Lester and Vice President for Research Maria Zuber said MIT would be cutting both funding and research connections with the firms in light of recent federal investigations related to sanctions restrictions. US intelligence agencies, namely the FBI, CIA, and NSA, have gone on record warning against buying Huawei and ZTE phones, citing that the devices could make it easier for the Chinese government to spy on users. The U.S. first started investigating the two way back in 2011, when the House Intelligence Committee began an investigation of these two firms as telecommunications equipment suppliers. It was several years later, in 2014, that the American government banned the two companies from bidding for government contracts.