Secrecy orders abound in Microsoft’s government data requests

Microsoft’s customer security head Tom Burt disclosed that one-third of all government data requests the company receives are issued with secrecy clauses that prevents Microsoft from disclosing it to the subject of the warrant. Burt classified these kinds of clauses as “commonplace” often with “boilerplate secrecy orders unsupported by any meaningful legal or factual analysis.” Since 2016 Microsoft receives between 7to 10 secrecy orders a day on average, often receiving more in a year than the total number of secrecy clauses U.S. courts approved in 2010. For context Microsoft disclosed it received 11,200 total legal orders from U.S. authorities last year.

(TechCrunch)

When proof of concepts go wrong

An infosec company accidentally published proof of concept exploit code for a critical Windows print spooler vulnerability dubbed PrintNightmare on GitHub. Originally the exploit was classified as a local privilege escalation bug, allowing low-privileged users to execute code as an administrator. However security researchers realized that a slight tweak to the proof of concept code opened the door to let a malicious or compromised user execute code at the system level, resulting in the bug being reclassified as remote-code execution vulnerability. Researchers recommend disabling the print spool service on any devices not requiring it until a patch is released. 

(The Register)

Maine passes strong facial recognition ban

The law is the strongest state prohibition on the technology, largely forbidding government use of facial recognition. There are some exemptions, the largest permitting its use by police who have probable cause that an unidentified person in an image committed a serious crime, or for proactive fraud prevention. Maine’s police do not have access to facial recognition databases, so in these instances, the searches would be run by the FBI and Maine Bureau of Motor Vehicles. The law also gives Maine citizens the right to sue if improperly targeted by government facial recognition. Washington is the only other state with a facial recognition ban, although Virginia and Massachusetts have also passed bans on police using the technology. 

(The Verge)

Nest commits to five years of security updates

The recent Western Digital My Book data wipe attack shows the danger of running network hardware that’s no longer in support. In an effort to give some clarify on its smart home security, Google confirmed it will provide critical bug fixes and patches for Nest devices for a minimum of five years after a product launches, with 9to5Google noting that current Nest devices like the Nest Cam Indoor are still maintained after six years. The company also said that every Nest product released since 2019 has been validated using third-party security standards, with validation results published for review. 

(9to5Google)

Thanks to our episode sponsor,
Keyavi

Worried about being the next ransomware victim, like Colonial Pipeline? Cyber criminals stole gigabytes of data before their first extortion attempt, demanding payment to decrypt Colonial’s information. Despite a multi-million-dollar ransom payment, the pipeline’s stolen data is in the hands of these attackers forever. Head to www.keyavi.com/sessions to learn more about protecting data from extortion attempts.

DOJ files new charges against Capital One hacker

The US government filed a superseding indictment against Paige A. Thompson, a former Amazon engineer accused of stealing personal information on over 100 million Americans through a hack of Capital One, adding seven new charges to the original two filed in the original indictment from 2019. After analyzing data from Thompson’s computers, prosecutors have added six counts of computer fraud and abuse, and one count of access device fraud, as well as adding four new unnamed technology companies to the list of impacted parties. Thompson’s trial remains scheduled for March 14, 2022, although she now faces up to 20 years in prison based on the new charges. 

(The Record)

No salvation from ransomware for one Christian charity

The UK arm of the Salvation Army disclosed it suffered a ransomware attack, first detected a month ago impacting a London data center. Administrators informed both the Information Commissioner’s Office and Charity Commission about the incident. None of its charitable services have been impacted by the attack. Specifics about the ransomware strain, attack vector, and other details are unknown, and no known information from the attack has surfaced online as of this recording. 

(The Register)

Google working on HTTPS-Only feature

A new code change in Chrome shows Google is developing a “HTTPS-Only Mode” for the browser, which will automatically upgrade all URLs to use HTTPS when enabled. Chrome already uses HTTPS by default when not specified in a URL, so this setting would apply to links clicked or when http is manually typed into the address bar. 

(9to5Google)

SentinelOne goes public

The cybersecurity company went public on the New York Stock Exchange on June 30th, closing with shares up 20% over the start of the day, valuing the company at $8.9 billion. This makes it the highest-valued cybersecurity IPO in history, beating CrowdStike’s $6.7 billion market debut in 2019. The company’s market success is also being seen as increasingly competitive in the endpoint security marketplace, with CrowdStrike, Qualys, and Palo Alto Networks citing it as a major competitor in company and analyst reports. 

(CNBC)