Russia bans foreign private messaging apps
The country’s internet watchdog, Roskomnadzor, warned that new laws have gone into effect prohibiting organizations in Russia from using foreign-owned information exchange systems. The regulator specifically named Discord, Microsoft Teams, Snapchat, Telegram, and WhatsApp as falling under the ban. This comes as the country is also pushing “domestic software,” offering incentives to organizations that adopt Russian Linux distributions such as Astra Linux and Red OS.
GitHub expands secret scanning
Back in December, GitHub introduced a beta of a free secret scanning feature for public repositories, and 70,000 public repositories enabled it during the test. GitHub has now made the service generally available. It looks for API keys, passwords, tokens, and other credentials left in code. When it detects a partner’s secret in public code, GitHub also notifies that service partner so it can revoke the token and notify the affected customer. Repository admins need to opt in to the feature in the Settings tab.
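To make concrete what a scanner of this kind does, here is an added example (not GitHub’s implementation, and not code from the original page): a small scanner that runs a handful of well-known token formats plus an entropy filter over a constructed sample file. The pattern set is a simplified assumption for illustration; a real scanner has hundreds of partner-specific formats and validates many of them with the issuer.

```python
import math
import re
from dataclasses import dataclass

# Simplified pattern list, constructed for this example (not GitHub's own list).
# Ordered most-specific first: a line that matches a specific format is reported
# once under that format rather than again under the generic catch-all.
PATTERNS = [
    # GitHub classic personal access token: "ghp_" prefix plus 36 alphanumerics
    ("github_pat", re.compile(r"\bghp_[A-Za-z0-9]{36}\b")),
    # AWS access key ID: "AKIA" prefix plus 16 upper-case alphanumerics
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    # PEM private key header
    ("private_key", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")),
    # Generic "name = value" assignment; the value is captured for an entropy check
    ("generic_assignment", re.compile(
        r"""(?i)(?:password|passwd|secret|api[_-]?key|token)\s*[=:]\s*['"]?([^'"\s]{8,})""")),
]


@dataclass
class Finding:
    line_no: int
    kind: str
    redacted: str  # never log the full secret


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; placeholders like 'changeme' score low."""
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(value: str) -> str:
    return value[:4] + "..." if len(value) > 4 else "..."


def scan_text(text: str, entropy_threshold: float = 3.0) -> list:
    """Return one Finding per line that matches a secret pattern.

    Generic assignments are only reported when the captured value has enough
    entropy to plausibly be a real credential rather than a placeholder.
    """
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for kind, pat in PATTERNS:
            m = pat.search(line)
            if not m:
                continue
            value = m.group(1) if m.groups() else m.group(0)
            if kind == "generic_assignment" and shannon_entropy(value) < entropy_threshold:
                break  # low-entropy placeholder, e.g. "changeme"
            findings.append(Finding(line_no, kind, redact(value)))
            break  # report each line once, under the most specific pattern
    return findings


# Constructed sample input; none of these values are real credentials.
# The AWS key is the documentation example key, the rest are made up.
SAMPLE = """\
# constructed sample config, not real credentials
db_password = "changeme"
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
github_token = ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghij
api_key = "x9Qp2LmZ7vR4tY8wB1nK"
-----BEGIN RSA PRIVATE KEY-----
"""


if __name__ == "__main__":
    for f in scan_text(SAMPLE):
        print(f"line {f.line_no}: {f.kind} ({f.redacted})")
```

Run as a pre-commit hook over staged files, this catches the same classes of leak before they reach a public repository, which is cheaper than revoking a token after GitHub’s scanner or a partner has already seen it.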
Bootkit bypasses Secure Boot
Researchers at ESET report that the UEFI bootkit known as BlackLotus is the first malware seen in the wild that can bypass Secure Boot on Windows 11, and that it runs on fully patched systems with Secure Boot enabled. BlackLotus gives an attacker full control over the OS boot process, opening the door to deploying arbitrary payloads at startup, before the operating system and its defenses load. Kaspersky researchers first spotted BlackLotus for sale on underground forums back in October, where it remains available for $5,000. Rather than exploiting drivers, the installer brings its own copies of legitimate, Microsoft-signed Windows boot binaries that are vulnerable to CVE-2022-21894, a flaw patched in January 2022 whose affected binaries had not yet been added to the UEFI revocation list (DBX), so Secure Boot still trusts them. After the first reboot it gains persistence by enrolling its own key in the machine’s UEFI trust database.
Bill would give Biden power to block TikTok
The US recently moved to forbid TikTok on government devices, with Canada following suit. While it’s unclear whether the US will follow India in a nationwide block of the app, legislators moved a step closer to making that action easier. The US House Foreign Affairs Committee voted in favor of the Deterring America’s Technological Adversaries Act, which passed on a party-line Republican vote. The act would give President Biden the power to block TikTok. It remains unclear whether the bill will become law: it still needs to pass the full House and the Senate, and given the partisan committee vote, it could face issues.
And now a word from our sponsor, Conveyor
TikTok responds to security concerns
Of course, the bans on government devices stem from perceived cybersecurity concerns. TikTok responded to three of these concerns in a BBC piece. In response to claims that TikTok collects “excessive” amounts of data, it pointed to tests from Citizen Lab and the Georgia Institute of Technology that found its data collection in line with other social media apps. The company also insists that US user data is stored in the US and Singapore rather than China, with plans to have EU and UK data processed in Ireland by 2024.
On allegations of censorship or using its feed for influence operations, a Citizen Lab comparison between TikTok and ByteDance’s China-specific Douyin app found that TikTok did not deploy the same political censorship. The BBC says fears about the app come down to theoretical risks, but notes that since Western apps remain largely banned in China, this represents a one-way risk.
Mobile phishing exploded in 2022
According to a new report from Lookout, 2022 saw the highest rate of mobile phishing ever. It found that half of all personal mobile phone users globally experienced a phishing attack at least once every quarter, and the percentage of users hit has increased year over year in every quarter since Q2 2020. On work devices, phishing attacks increased about 10% since 2021, with the insurance, financial, and healthcare industries the most heavily targeted. Malicious actors also seem to have gotten better at crafting messages that get clicked: in 2020, only 1.6% of mobile enterprise users clicked on six or more malicious links a year; by 2022, that had jumped to 11.8%.
How to integrate Gen Z into a security program
We know there is a glaring cybersecurity skills shortage, so bringing young people into the field remains a pressing problem. CSO Online’s Maril Vernon recently looked at how organizations can work better with this younger generation. One finding is that Gen Z employees are eager to learn new skills but also want to move on quickly to new challenges; employers should lean into that to keep pace with fast-changing threats. These younger employees also strongly prefer electronic communication, even with colleagues within speaking distance, and the piece recommends using this to build tight-knit, highly dispersed teams.
BlueSky Hits the App Store
The decentralized social media project BlueSky released an app on the iOS App Store, meant to serve as a showcase for its Authenticated Transfer Protocol. The project is backed by Twitter co-founder Jack Dorsey, who sits on its board. The service remains an invite-only beta, so you can download the app but likely can’t use it yet. Right now the app is fairly barebones, with a 256-character post limit and support for uploading photos, but no direct messages. Given the rise of services built on the W3C standard ActivityPub, such as Mastodon, it’s not clear what future the protocol has if it doesn’t interoperate.