Friday Five 11/13
Cyber Command trolling, end-to-end encryption debates, and stolen source code - catch up on all the week's infosec news with the Friday Five!
1. How the Pentagon is trolling Russian, Chinese hackers with cartoons by Shannon Vavra
Cyber Command, the cyber arm of the US Department of Defense, realized that by adding illustrations to its reports on foreign hacking it could potentially annoy or infuriate foreign government hacking operations. A recent report, which addressed espionage tied to the FSB, was accompanied by an image of an endearing, clumsy bear. This contrasted with the typical depiction of the FSB in cybersecurity as a burly or ferocious bear, and was intended to annoy the Russians. The new strategy for images is part of a larger push by Cyber Command to combat foreign cyber operations. Cyber Command had previously been publishing samples of malicious software used by foreign hackers to make the attacks less effective. While the new images might not be a game changer in preventing cyberattacks, they show Cyber Command’s openness to new ideas, and the article helps explain the slightly unusual images that readers may have observed in recent Cyber Command reports.
2. Dell, FedEx, Switch Team Up to Build Nationwide Cloud Service by Nico Grant
Dell, FedEx, and Switch are collaborating to build data centers; the new hubs will be based in FedEx facilities, use Dell hardware, and connect to Switch computing centers. The data centers are meant to serve as an alternative to companies maintaining their own server farms or using cloud services like Azure and AWS from Microsoft and Amazon respectively. In addition, instead of all of the information being stored in one large centralized location, customers will use the service to host private clouds at locations closer to their business for faster computing speeds. The service will begin by supporting the FedEx autonomous vehicle network and a modern manufacturing plant. The new service marks another major company moving in the direction of a cloud-delivered solution, whether it be a hybrid or multi-cloud environment.
3. EU inches closer to ban on end-to-end encryption by Dale Walker
According to a leaked memo, the Council of the European Union seems poised to ban the use of end-to-end encryption on apps like WhatsApp and Signal. Though the council espouses the importance of strong encryption, the use of apps like WhatsApp and Signal has strained law enforcement’s ability to conduct investigations. The council hopes to strike a balance between privacy and security but is worried that the balance has tipped too far towards privacy with the increase of end-to-end encryption apps and the increased use of end-to-end encryption as the default on more common apps. One solution, to create a secure corridor where only law enforcement can access sensitive information, has been decried by digital privacy groups, who say that approach would make the data vulnerable to hackers and defeat the point of end-to-end encryption. The debate over how to balance privacy vs. security is a staple of the post-internet world, and this memo is just the latest example of the government trying to find an equilibrium.
4. Zoom lied to users about end-to-end encryption for years, FTC says by Jon Brodkin
Zoom has agreed to upgrade its security practices after reaching a tentative settlement with the FTC. The FTC says that since 2016, Zoom has claimed to have end-to-end 256-bit encryption to protect users, when in fact over that period it provided a lower level of security than it claimed. In addition, the encryption was not end-to-end: Zoom maintained keys that let it access the content of its users’ meetings. Further, saved meetings were unencrypted for up to 60 days before being uploaded to its secure cloud storage. As part of the settlement, Zoom does not have to pay any financial penalties or financially compensate those affected. If Zoom does not improve its security practices or continues to make false claims, the settlement will be void, and there will be further penalties.
5. FBI: Hackers stole source code from US government agencies and private companies by Catalin Cimpanu
The FBI has sent out a security alert warning that misconfigured SonarQube applications are being used to steal source code repositories. The intrusions have been occurring since at least April 2020. SonarQube, the application that is being exploited, is software that lets companies test their code for flaws before officially implementing it. By running the system with its default configuration and default admin credentials, companies have left themselves vulnerable to hackers stealing their source code. Based on the warning, and previous discussion of SonarQube, it seems that a significant number of SonarQube instances have been left vulnerable, so if your company uses the application, it’s important to configure it properly.