ProtonMail shares user IP address with law enforcement

The privacy-focused email provider received a “legally binding order from the Swiss Federal Department of Justice” that it was “obligated to comply with,” leading the organization to hand over the IP address and information about the type of device used by the account. The account was related to the anti-gentrification activists Youth for Climate, and the data led to arrests in France. On its site, ProtonMail claims “[b]y default, we do not keep any IP logs which can be linked to your anonymous email account.” Under Swiss law, ProtonMail must hand over data when users of its service engage in activity deemed illegal in Switzerland. ProtonMail CEO Andy Yen said the company had no choice but to comply, adding that handing over data is not done by default, only when legally forced.

(Hacker News)

IoT attacks double in six months

This data comes from a new Kaspersky report analyzing telemetry from its honeypots. The company detected 1.5 billion IoT attacks in the last six months, up from 639 million in the previous period. Part of this increase comes from the growing number of IoT devices in use, from smartwatches to smart home accessories. The major security concern is that threat actors could reach corporate resources through the increased number of people working from home, where network security is generally more lax. The most common uses for compromised IoT devices include stealing personal or corporate data, mining cryptocurrencies, and taking part in DDoS attacks.

(ThreatPost)

Study looks at criteria for ransomware targeting 

The rise of ransomware has become the cyber security story of the decade, not breaking any news here. The basic methods threat actors use to infiltrate networks are generally understood. But the cybersecurity intelligence company KELA tried to look into how victims are selected by ransomware organizations. They examined 48 forum posts from July by parties looking to purchase access to a network. 40% of these are want ads created by those working for ransomware organizations. Overall, the US, Canada, Australia, and Europe were the most popular locations. Target companies have an average revenue of $100 million, although groups will often target US companies with far less revenue. 47% of organizations refused to target the healthcare and education industries, while 37% banned targeting government sectors.

(Bleeping Computer)

Netgear makes Demon’s Cries no more

The network equipment vendor released patches for several nasty vulnerabilities that could allow malicious actors to bypass authentication and take over 20 smart switch models. The patches resolve the vulnerabilities known as Demon’s Cries, Draconian Fear, and Seventh Inferno. The vulnerabilities resided in the web-based administration panel, known as SCC Control, which is disabled by default on the switches. It’s unclear if any future Netgear vulnerabilities will sound as metal.

(The Record)

Thanks to our episode sponsor, Semperis

How would your organization score in an Active Directory security assessment? The average grade for first-time users of Purple Knight, a free security assessment tool from Semperis, is about 68%—a barely passing grade. Security and identity managers are shocked at the security gaps this tool has uncovered. But with knowledge comes power. Download Purple Knight so you can find and fix Active Directory security problems. Check it out at Purple-Knight.com.

Germany wants seven years of updates

According to a report by the German publication Heise, German lawmakers proposed requiring smartphone manufacturers to provide seven years of mandatory security updates, along with affordable replacement parts for the devices. The German proposal would go beyond current EU regulations, which will require five years of security updates under a policy set to roll out in 2023. The tech advocacy group DigitalEurope, which includes Google, Samsung, and Apple, is currently lobbying for three years of updates.

(TNW)

El Salvador readies for Bitcoin future

As the country ramps up to become the first in the world to recognise Bitcoin as legal tender on September 7, polls suggest Salvadorians are not prepared, and the World Bank has warned against the move. Under the country’s new Bitcoin Law, passed in June, businesses have to accept either Bitcoin or the US dollar as payment. El Salvador’s government is offering $30 in free bitcoin to encourage citizens to use the national wallet app. More than 200 new cash machines are being installed across El Salvador to enable dollars to be converted into Bitcoin.

(BBC)

The failures of automated resume scanning

A new report from Harvard Business School found that automated resume-scanning software is a significant barrier to employment and mistakenly rejects millions of viable candidates. These systems are used by about 75% of all US employers and 99% of the Fortune 500. They often automatically reject candidates with gaps longer than six months in a resume, or require exact wording, such as asking for “computer programming” experience for a data entry job. 9 out of 10 executives surveyed for the report said they knew these systems mistakenly filtered out viable candidates, with some saying they were looking at alternative ways to hire. The report recommended adopting an “affirmative” filter for application screening, rather than “negative” filters that disqualify applications.

(The Verge)

Microsoft expands admins’ ability to block Active Content

Microsoft will roll out new permissions to Office 365 admins, letting them set up policies to block Active Content in Trusted Documents. Currently, Trusted Documents open automatically without warning prompts even if their Active Content has been altered, and Active Content could run in Trusted Documents even when admin policies blocked it in all other cases. Under the new policy, all documents with Active Content would open in Protected View by default. Microsoft expects to roll out these new policies by October.

(Bleeping Computer)