Cyber Security Headlines: Russia bans foreign messaging apps, GitHub scans for secrets, Bootkit beats Secure Boot

Russia bans foreign private messaging apps

The country’s internet watchdog, Roskomnadzor, warned that a new law has taken effect prohibiting organizations in Russia from using foreign-owned messaging services to exchange information. The regulator specifically named Discord, Microsoft Teams, Snapchat, Telegram, and WhatsApp as falling under the ban. This comes as the country also pushes “domestic software,” offering incentives to organizations that adopt Russian Linux distributions such as Astra Linux and RED OS. 

(Bleeping Computer)

GitHub expands secret scanning

Back in December, GitHub introduced a beta of its free secret scanning feature for public repositories, and 70,000 public repositories enabled it during the test. GitHub has now announced the service is generally available. It looks for API keys, passwords, tokens, and other credentials left in code. As part of this, GitHub also notifies its service partners when it detects their token formats in public code, letting them revoke the credentials and notify affected customers. Admins need to opt in to the feature under the repository’s Settings tab. 

(Bleeping Computer)
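To make concrete what a scanner of this kind does, here is an added example of the same idea in miniature: a few provider-specific patterns (the AWS and GitHub prefixes follow the formats those vendors document), a generic “secret-looking variable assigned a quoted literal” pattern gated on character entropy so that placeholders such as changeme do not fire, and redacted previews so the report itself leaks nothing. This is not GitHub’s code; the generic pattern, the entropy cut-off, and the sample input are assumptions for this example, and the sample credentials are constructed (the AWS key is the placeholder AWS uses in its own documentation).

```python
"""Minimal secret scanner in the spirit of GitHub's secret scanning.

Added example, not GitHub's implementation. The AWS and GitHub patterns
follow the prefixes those vendors document; the generic pattern, the
entropy threshold and the SAMPLE text are assumptions for this example.
"""
import math
import re
from typing import Dict, List, NamedTuple


class Finding(NamedTuple):
    line: int      # 1-based line number in the scanned text
    kind: str      # which pattern fired
    preview: str   # redacted prefix, so the report never echoes the secret


# Provider-specific formats: a fixed prefix keeps the false-positive rate low.
SPECIFIC = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    "private_key": re.compile(r"-----BEGIN (?:[A-Z ]+ )?PRIVATE KEY-----"),
}

# Generic fallback: a secret-named variable assigned a quoted literal.
# Matches placeholders too, so it is gated on entropy in scan_text().
GENERIC = re.compile(
    r"(?i)\b(?:password|passwd|secret|api[_-]?key|token)\b\s*[:=]\s*['\"]([^'\"]{12,})['\"]"
)
ENTROPY_THRESHOLD = 3.5  # bits per character; an assumption, tune per code base


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; 'changemechangeme' scores well under 3."""
    if not s:
        return 0.0
    n = len(s)
    counts: Dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(secret: str) -> str:
    """Keep only an identifying prefix, the way partner notifications do."""
    return secret[:4] + "****"


def scan_text(text: str) -> List[Finding]:
    """Return one Finding per credential-looking match, in line order."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in SPECIFIC.items():
            for m in pattern.finditer(line):
                findings.append(Finding(lineno, kind, redact(m.group(0))))
        for m in GENERIC.finditer(line):
            value = m.group(1)
            if any(p.search(value) for p in SPECIFIC.values()):
                continue  # already reported under a specific kind
            if shannon_entropy(value) >= ENTROPY_THRESHOLD:
                findings.append(Finding(lineno, "generic_high_entropy", redact(value)))
    return findings


# Constructed sample, not real credentials. The AWS key is AWS's documented
# placeholder; the GitHub token is made up to fit the ghp_ + 36 chars format.
SAMPLE = """\
# constructed sample config, not real credentials
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
github_token = "ghp_aBcDeFgHiJkLmNoPqRsTuVwXyZ0123456789"
password = "changemechangeme"
api_key = "K7h2#Qm9!pZx4vL1nR8sWb3"
-----BEGIN RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE):
        print(f"line {f.line}: {f.kind} ({f.preview})")
```

Run against the sample it reports the AWS key, the GitHub token, the high-entropy api_key and the private-key header, and stays silent on the changeme placeholder. Wired into a pre-commit hook over the staged diff, a check like this catches the credential before it ever reaches a public repository, which is cheaper than the revoke-and-notify path the article describes.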

Bootkit bypasses Secure Boot

Researchers at ESET report that the UEFI bootkit known as BlackLotus is the first malware seen in the wild that bypasses Secure Boot on Windows 11, and it does so on fully patched systems. Because it runs before the operating system loads, BlackLotus gives an attacker control over the boot process and lets them load arbitrary payloads at startup, underneath the OS’s own defenses. Kaspersky researchers first spotted BlackLotus for sale on underground forums back in October, and it remains available for $5,000. The installer gets its initial foothold by bringing along legitimately signed Windows boot binaries that carry a known, already-patched vulnerability; Secure Boot still trusts them because they have not been added to the UEFI revocation list, which is why an up-to-date system does not help. After a first reboot the bootkit is persistent. 

(Hacker News)

Bill would give Biden power to block TikTok

The US recently moved to forbid TikTok on government devices, with Canada following suit. While it’s unclear whether the US will follow India in a nationwide block of the app, legislators moved a step closer to making that action easier. The US House Foreign Affairs Committee voted in favor of the Deterring America’s Technological Adversaries Act, which passed on a party-line vote with only Republicans in favor. The act would give President Biden the power to block TikTok. It remains unclear whether the bill will become law: it still needs to pass the full House and the Senate, and given the partisan committee vote, it could face trouble. 


And now a word from our sponsor, Conveyor

“I HATE security questionnaires with the fury of a thousand suns,” said one of our customers. Makes sense, since the tools used to answer them haven’t changed in years. At Conveyor, we’re on a mission to get teams out of the questionnaire stone age by implementing GPT-3 into our first-of-its-kind questionnaire eliminator. Go beyond rewriting mediocre matches to getting your questionnaire auto-filled with the exact answers customers need. Join the top SaaS companies in the GPT-3 powered future by using Conveyor. Learn more at

TikTok responds to security concerns

Of course, TikTok faces bans on government devices over perceived cybersecurity concerns. TikTok responded to three of these concerns in a BBC piece. To claims that it collects “excessive” amounts of data, it pointed to tests from Citizen Lab and the Georgia Institute of Technology that found its data collection in line with other social media apps. The company also insists that US user data is stored in the US and Singapore rather than China, with plans to have EU and UK data processed in Ireland by 2024.

On allegations of censorship or of using its feed for influence operations, a Citizen Lab comparison of TikTok with ByteDance’s China-only Douyin app found that TikTok does not apply the same political censorship. The BBC says the fears about the app come down to theoretical risks, but it notes that since Western apps remain largely banned in China, the exposure is one-way. 


Mobile phishing exploded in 2022

According to a new report from Lookout, 2022 saw the highest rate of mobile phishing ever recorded. Half of all personal mobile phone users globally encountered a phishing attack at least once a quarter, and the share of users hit has risen year over year in every quarter since Q2 2020. On work devices, phishing attacks rose about 10% over 2021, with the insurance, financial, and healthcare industries targeted most. Attackers also seem to have gotten better at crafting messages that get clicked: in 2020, only 1.6% of enterprise mobile users clicked on six or more malicious links a year. By 2022, that had jumped to 11.8%.

(InfoSecurity Magazine)

How to integrate Gen Z into a security program

We know there is a glaring cybersecurity skills shortage, so bringing young people into the field remains a well-known problem. CSO Online’s Maril Vernon recently looked at how organizations can work better with this younger generation. One finding is that Gen Z employees are eager to learn new skills but also want to move on quickly to new challenges; employers should lean into that to keep pace with fast-changing threats. These younger employees also strongly prefer electronic communication, even with colleagues within speaking distance, and the piece recommends using that preference to build tight-knit, geographically dispersed teams. 

(CSO Online)

Bluesky Hits the App Store

The decentralized social network Bluesky released an app on the iOS App Store, meant to serve as a showcase for its Authenticated Transfer Protocol (AT Protocol). The project is backed by Twitter co-founder Jack Dorsey, who sits on its board. The service remains an invite-only beta, so you can download the app but likely can’t use it yet. Right now the app is fairly barebones: a 256-character post limit, support for uploading photos, and no direct messages. Given the rise of services built on the W3C standard ActivityPub, like Mastodon, it’s not clear what future the protocol has if it doesn’t interoperate. 


Rich Stroffolino is a podcaster, editor and writer based out of Cleveland, Ohio. He's spent the past five years creating media for technology enthusiasts and IT practitioners. He dreams of someday writing the oral history of Transmeta.