Five Eyes alliance calls for encryption backdoors (again)

Members of the alliance as well as representatives from Japan and India called on tech companies to develop a solution to let law enforcement access end-to-end encrypted messages. Similar to previous calls in 2018 and 2019, the alliance called on tech companies to “embed safety of the public into system designs,” enable law enforcement to access readable content when lawfully ordered, and engage with governments to design these systems. The countries didn’t just target messaging encryption, but extended this call to “device encryption, custom encrypted applications, and encryption across integrated platforms.”


Trickbot isn’t quite done yet

We reported yesterday about the takedown of servers used by the Trickbot botnet. However, the Swiss security site Feodo Tracker notes that at least six Trickbot command and control servers are still online and responding to requests from infected machines. The cybersecurity company Intel 471 notes that because Trickbot communicates over Tor, it’s highly unlikely that taking down Trickbot infrastructure would result in long- or even medium-term disruption of the network.

(Krebs on Security)

Chinese facial recognition data leaks are rampant

A new piece in the South China Morning Post looks at the state of facial recognition data in China. Facial recognition systems have exploded across the country. This is the result of state pressure, but increasingly also of the desire to install contactless systems during the COVID-19 pandemic. Research from Comparitech late last year found China ranked the worst out of all countries surveyed when it came to collecting, using, and storing biometric data. Chinese state media reported in July that facial recognition data could be bought online for about $0.05 per face, with a bundle of 5000 facial images selling online for about $1.40. Security researchers say this is because databases used by biometric systems, from middle schools to housing communities, are often left online with no encryption. According to security researcher Victor Gevers, this lack of security is often the result of apps prioritizing time to market in the rapidly changing Chinese tech scene. China lacks a unified legal framework or a clear definition of personal information, and the patchwork of laws dealing with personal information often carries only small fines or app removal as a deterrent.


Flaws found in Apple’s internal network

Security researcher Sam Curry led a team that found 55 vulnerabilities in Apple’s corporate network, 11 of them critical. The vulnerabilities, if exploited, would have allowed an attacker to copy private email, iCloud data and more. Curry reported them over a three-month period and Apple fixed them all promptly, often within hours. Apple is still processing the bug bounties, which so far total $288,500 but could reach as high as $500,000 or so.

(Ars Technica)

Survey shows password sharing common in the US

The survey came from ExpressVPN, which found that over 50% of unmarried adults in exclusive relationships shared passwords for video streaming services, mobile devices, and music services, with 47% sharing social media logins and 38% sharing personal email passwords. Using an ex’s passwords was also fairly common, with 20% saying they used an ex’s email password after a breakup, and 25% using a location-sharing account. Over one in three say they regret sharing their passwords.


Zerologon and VPN exploits chained to access government networks

The news comes from a joint security alert from the FBI and the Cybersecurity and Infrastructure Security Agency. Attacks have targeted federal and state, local, tribal, and territorial government networks, with non-government attacks monitored as well. The attackers used a flaw in Fortinet VPN servers to gain initial network access, then pivoted to Zerologon to take over domain controllers. The FBI said the attacks seem to come from “advanced persistent threats,” and targeted systems in proximity to election support systems. The security alert made it clear, though, that there was “no evidence to date that integrity of elections data has been compromised.”


Prison video visitation system left exposed online

HomeWAV provides video calls for a dozen prisons across the US. But security researcher Bob Diachenko found the company had left a dashboard for a database online without a password since April. This included call logs and transcriptions of calls between inmates and their friends, family members, and representatives. HomeWAV did not comment on why calls protected by attorney-client privilege were recorded. The company took down the dashboard within hours of being notified, blaming the lapse on a third-party vendor. Diachenko previously found a similar security lapse from the visitation service TelMate in August.


Cloudflare launches Cloudflare One service

This is a cloud-based networking-as-a-service offering that Cloudflare claims will be the future of corporate networking. It replaces the patchwork of WAN deployments with a network that can manage security, performance, and control through a single interface. With the launch of the service, Cloudflare also announced partnerships with the identity management solutions from Okta, Ping Identity, and OneLogin, with support for Microsoft Active Directory, Google Workspace, GitHub, LinkedIn, and Facebook. Endpoint security can also be handled through announced partnerships with CrowdStrike, VMware Carbon Black, SentinelOne, and Tanium. Cloudflare One can also support multiple endpoint and identity management systems. The company sees this as a secure alternative to MPLS connections or SD-WAN deployments. Cloudflare launched its WARP DNS resolver last year, which it used to test the viability of connecting endpoints to a potential Cloudflare One network.