"Trust Me," Says Microsoft As Apple's Problems Also Worsen
Dell and U.S.P.T.O. Breaches, ByteDance's Lawsuit, Etc. In This Week's Cybersecurity Review
Microsoft is trying to rehabilitate its security reputation despite its ever-worsening record of breaches, vulnerabilities and incompetence. "We are making security our top priority at Microsoft," wrote Microsoft's Executive Vice President Charlie Bell, "above all else, over all other features."
Not to be outdone, the city of Troy is banning wooden horses, the Lindberghs are installing window locks and Moe's Tavern is finally getting caller I.D.
In the real world, however, actions continue to outweigh words.
Wired took time this week to repeat the obvious: Apple's spyware problems are worsening.
Google, meanwhile, has made multi-factor authentication (M.F.A.) more broadly available for its services by allowing accountholders to enable it without providing Google a phone number. Those still waiting to set up M.F.A. on their Google accounts would be wise to consider doing so now. But be sure to leave a fallback authentication method or risk losing access forever.
Dell and the U.S. Patent and Trademark Office (U.S.P.T.O.) both reported breaches in the last week. Dell says that one of its portals was compromised and that customers' names and physical addresses were pilfered. The U.S.P.T.O., in a self-inflicted wound, also lost control of filers' names and physical addresses.
Surprising no one, ByteDance has sued to stop Washington from forcing it to divest TikTok. The suit does not pursue a novel constitutional angle that might have proved effective.
Washington has struck back by revoking Intel's and Qualcomm's export licenses to provide chips to Chinese network manufacturer Huawei.
The Food and Drug Administration (F.D.A.) has recalled an iOS app that injured hundreds who linked their Apple devices to insulin pumps. There is no indication of a security breach, but the real-world physical injuries highlight that medical-device apps are a particularly worrying vector for malicious actors to exploit.
And ransomware attackers are growing more malicious. They are no longer simply extorting companies based on the safety of their customers. Increasingly they are targeting victims' families. The Register noted that one set of attackers SIM-swapped the phone of an executive's child and called the executive from the child's number to strike fear and push for ransom payment.
Unsatisfied by the pace of federal cybersecurity legislation, Maryland has enacted a pair of state laws to curb big tech platformsβ use of personal information and marketing to children. The tech lobby has cried foul, citing the First Amendment. Court battles likely loom. Meanwhile, the laws may also bring new compliance requirements to smaller platforms.
A set of security researchers is making a big deal out of a decades-old part of the widely used Dynamic Host Configuration Protocol (D.H.C.P.). (D.H.C.P. configures Internet Protocol addresses and other settings for clients on wired and wireless networks.)
An attacker with control of a local D.H.C.P. server may use D.H.C.P. option no. 121 to push static routes to machines that join, e.g., a hotel Wi-Fi network. The attacker may use those static routes to stop a user's traffic from traversing a virtual private network (V.P.N.). Thereby the attacker may eavesdrop on Internet activities the user believes to be private. The "attack" has been dubbed Tunnel Vision.
Some V.P.N. products will be unaffected, i.e. those that preempt the operating system's native routing table(s).
On a higher level, the "attack" compromises neither a target's V.P.N. nor operating system. In these scenarios, each does exactly what the relevant standards require.
The "attack" instead leverages the knowledge gaps between V.P.N. administrators and end users. Network engineers, for example, routinely check their systems' routing tables when they activate V.P.N.s. Such checks would quickly reveal "Tunnel Vision" attempts. But most end users have never heard the phrase "routing table." They assume they are secure once their V.P.N.s successfully connect.
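As an added illustration of the routing-table check that network engineers perform (this is not code from the original column or from the researchers), the Python below parses constructed Linux `ip route show` output and flags any route that would carry some traffic around the tunnel interface. The tunnel name tun0, the sample addresses and the V.P.N. server address 203.0.113.5 are assumptions.

```python
import ipaddress
# Constructed `ip route show` output: tun0 is the VPN, set up the usual way with two /1
# routes that out-rank wlan0's default. The last line stands in for an option 121 route.
SAMPLE_ROUTES = """\
default via 10.0.0.1 dev wlan0 proto dhcp metric 600
0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
10.0.0.0/24 dev wlan0 proto kernel scope link src 10.0.0.23
203.0.113.5 via 10.0.0.1 dev wlan0
192.0.2.0/24 via 10.0.0.1 dev wlan0 proto dhcp metric 600
"""

def parse_routes(text):
    """Each non-empty `ip route` line -> dict: dest network, dev, link flag, raw line."""
    routes = []
    for line in filter(str.strip, text.splitlines()):
        f = line.split()
        dest = "0.0.0.0/0" if f[0] == "default" else f[0]
        dest = dest if "/" in dest else dest + "/32"  # bare address = host route
        routes.append({"dest": ipaddress.ip_network(dest, strict=False),
                       "dev": f[f.index("dev") + 1] if "dev" in f else None,
                       "link": "scope" in f and "link" in f,  # directly attached subnet
                       "line": line})
    return routes

def uncovered_by(dest, tunnel_prefixes):
    """Parts of dest that no longer-prefix tunnel route claims (longest match wins)."""
    remaining = [dest]
    for v in tunnel_prefixes:
        if v.prefixlen <= dest.prefixlen:
            continue  # an equal or shorter prefix cannot beat this route
        nxt = []
        for blk in remaining:
            if blk.subnet_of(v):
                continue  # whole block already goes through the tunnel
            nxt.extend(blk.address_exclude(v) if v.subnet_of(blk) else [blk])
        remaining = nxt
    return remaining

def routes_bypassing_vpn(text, vpn_dev, vpn_server):
    """Route lines that carry some traffic around vpn_dev. Skips the tunnel's own routes,
    attached subnets, the host route to the VPN server, and routes the tunnel overrides."""
    routes = parse_routes(text)
    tunnel = [r["dest"] for r in routes if r["dev"] == vpn_dev]
    server = ipaddress.ip_address(vpn_server)
    return [r["line"] for r in routes
            if r["dev"] != vpn_dev and not r["link"]
            and not (r["dest"].prefixlen == 32 and server in r["dest"])
            and uncovered_by(r["dest"], tunnel)]
```

On the sample, only the pushed 192.0.2.0/24 route is reported; the wlan0 default route is not, because the two /1 tunnel routes fully override it.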
Neither the relevant standards nor the knowledge gaps will change anytime soon. One workaround is to disable option no. 121 for D.H.C.P. clients (Android does this by default). But this may break things on poorly designed networks.
The obvious, but effort-intensive, solutions are either 1) for V.P.N. clients to bypass the operating system's default routing table or 2) to implement testing routines in V.P.N. clients and corresponding functionality in V.P.N. servers so that V.P.N. software alerts end users to traffic that may not be encrypted as expected.
Don't hold your breath for either solution. Learning to read a routing table, and gaining a rudimentary understanding of Internet Protocol, is a good idea anyway.