CISA says to stop passing the security buck
At a recent event at Carnegie Mellon University, Cybersecurity and Infrastructure Security Agency director Jen Easterly called on technology companies to “fundamentally shift” product design around security. She said tech companies frequently shift the burden of security to consumers, ending up where “we’ve unwittingly come to accept as normal that such technology is dangerous by design.” Easterly noted that companies get blamed for data breaches when they run unpatched software, but asked why no blame falls on the manufacturer that “required too many patches.” She pointed to memory safe languages, transparent disclosure policies, and secure coding practices as ways vendors can improve.
The cyber security fallout of Russia’s war in Ukraine
With the one-year anniversary of Russia’s invasion of Ukraine, Recorded Future released a report looking at the larger cyber security impacts. The physical realities of war had a clear impact on cyber operations, with threat actor groups fleeing Ukraine, Russia, and Belarus to avoid the conflict. In addition, the combination of IT and cybersecurity professionals leaving Russia and the drafting of young men has begun to show a “brain drain” in its “hacker reserves.” This can be seen in a fall in activity on criminal forums, marketplaces, and social media. The war also saw cybercriminals targeting each other across national lines. Previously these groups, including the Conti ransomware group, worked together to target other regions.
Canada bans TikTok on government devices
Canada’s Treasury Board Secretariat President Mona Fortier announced that no government devices will be allowed to use TikTok after February 28th. Fortier cited an “unacceptable level of risk to privacy and security,” although she characterized the ban as a precautionary move. She also said ByteDance’s data collection can be used to create vulnerabilities for future cyber attacks. The government does not believe the TikTok app has compromised any government information to date.
Carriers announce initiative to open network APIs
The GSM Association announced the Open Gateway initiative, which will provide a framework of universal, open-source-based APIs into carrier networks for developers. Twenty-one carriers signed up at launch, including Verizon, Vodafone, Orange, Bharti Airtel, China Mobile, Deutsche Telekom, KT, and AT&T.
There are no APIs live right now, but this announcement sets out API specifications for eight services, including SMS two-factor authentication, carrier billing, and device location. It also includes an API specification specifically called SIM swapping, meant to make porting numbers easier. Of course, the unfortunate naming similarity does raise questions about security considerations. AWS and Azure were named as the cloud providers that will work with carriers to provide API access to developers.
And now a word from our sponsor, Conveyor
Signal “won’t participate” in UK law
The draft legislation of the UK’s Online Safety Bill requires providers to block illegal content and enforce age restrictions on legal content. This creates a problem for end-to-end encrypted services, as they do not know what content users send, and often do not even store encrypted content on central servers. In response to this proposed legislation, Signal CEO Meredith Whittaker said it would “exit any country if the choice were between remaining in the country and undermining the strict privacy promises we make to the people who rely on us,” adding that the “UK is no exception.”
Dutch police arrest cyberextortion suspects
Dutch police disclosed the arrests of three suspects, aged between 18 and 21, which actually took place in January. The police believe the three began criminal activity back in March 2021. They blackmailed victims for up to €700,000 in exchange for not leaking exfiltrated data. Since there’s no honor among thieves, the group often published the data anyway after payment. This seems to have been a lucrative enterprise for the suspects. Police report the prime suspect had a criminal income of over €2.5 million.
HMD will start production in Europe
Over the last few years, we’ve seen several companies looking to become less dependent on China for manufacturing. Some of this came in response to the supply chain crisis. Local production laws, particularly in India, also played a part. Now the phone maker HMD Global plans to spin up some phone manufacturing in Europe to meet a “surge in customer demand,” specifically citing security and sustainability concerns. This wouldn’t move any existing Chinese manufacturing to Europe. Rather, HMD characterized this as quickly responding to local conditions in the market. No word on where, but the company operates out of Finland, and moved its data centers there in 2019.
Twitter 2.0 lays off 10% of remaining staff
Since Twitter’s acquisition by Elon Musk, product manager Esther Crawford quickly made a name for herself as a poster child for the “new Twitter.” She spearheaded the rollout of verification with Twitter Blue subscriptions before shifting over to the company’s new focus on payments. However, sources speaking to several outlets report Crawford was among the company’s latest round of layoffs. Overall this impacted 200 jobs, about 10% of the estimated 2000 remaining employees. Also included in the latest cuts was Martijn de Kuijper, founder of the now-defunct newsletter service Revue.