"Trust Me," Says Microsoft As Apple's Problems Also Worsen
Dell and U.S.P.T.O. Breaches, ByteDance's Lawsuit, Etc. In This Week's Cybersecurity Review
Microsoft is trying to rehabilitate its security reputation despite its ever-worsening record of breaches, vulnerabilities and incompetence. “We are making security our top priority at Microsoft,” wrote Microsoft’s Executive Vice President Charlie Bell, “above all else—over all other features.”
Not to be outdone, the city of Troy is banning wooden horses, the Lindberghs are installing window locks and Moe’s Tavern is finally getting caller I.D.
In the real world, however, actions continue to outweigh words.
Wired took time this week to repeat the obvious: Apple’s spyware problems are worsening.
Google, meanwhile, has made multi-factor authentication (M.F.A.) more broadly available for its services by allowing accountholders to enable it without providing Google a phone number. Those still waiting to set up M.F.A. on their Google accounts would be wise to consider doing so now. But be sure to leave a fallback authentication method or risk losing access forever.
Dell and the U.S. Patent and Trademark Office (U.S.P.T.O.) both reported breaches in the last week. Dell says that one of its portals was compromised and that customers’ names and physical addresses were pilfered. The U.S.P.T.O., in a self-inflicted wound, also lost control of filers’ names and physical addresses.
Surprising no one, ByteDance has sued to stop Washington from forcing it to divest TikTok. The suit fails to leverage a novel constitutional angle that might have proved effective.
Washington has struck back by revoking Intel’s and Qualcomm’s export licenses to provide chips to Chinese network manufacturer Huawei.
The Food and Drug Administration (F.D.A.) has recalled an iOS app that injured hundreds who linked their Apple devices to insulin pumps. There is no indication of a security breach, but the real-world physical injuries highlight that medical-device apps are a particularly worrying vector for malicious actors to exploit.
And ransomware attackers are growing more malicious. They are no longer simply extorting companies based on the safety of their customers. Increasingly they are targeting victims’ families. The Register noted that one set of attackers SIM-swapped the phone of an executive’s child and called the executive from the child’s number to strike fear and push for ransom payment.
Unsatisfied by the pace of federal cybersecurity legislation, Maryland has enacted a pair of state laws to curb big tech platforms’ use of personal information and marketing to children. The tech lobby has cried foul, citing the First Amendment. Court battles likely loom. Meanwhile, the laws may also bring new compliance requirements to smaller platforms.
A set of security researchers is making a big deal out of a decades-old part of the widely used Dynamic Host Configuration Protocol (D.H.C.P.). (D.H.C.P. configures Internet Protocol addresses and other settings for clients on wired and wireless networks.)
An attacker with control of a local D.H.C.P. server may use D.H.C.P. option no. 121 to push static routes to machines that join, e.g., a hotel Wi-Fi network. The attacker may use those static routes to stop a user’s traffic from traversing a virtual private network (V.P.N.). Thereby the attacker may eavesdrop on Internet activities the user believes to be private. The “attack” has been dubbed Tunnel Vision.
Some V.P.N. products will be unaffected, i.e. those that preempt the operating system’s native routing table(s).
On a higher level, the “attack” compromises neither a target’s V.P.N. nor operating system. In these scenarios, each does exactly what the relevant standards require.
The “attack” instead leverages the knowledge gaps between V.P.N. administrators and end users. Network engineers, for example, routinely check their systems’ routing tables when they activate V.P.N.s. Such checks would quickly reveal “Tunnel Vision” attempts. But most end users have never heard the phrase “routing table.” They assume they are secure once their V.P.N.s successfully connect.
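The routing-table check described above, written out as an added example that is not from this post or from any V.P.N. vendor: it parses a constructed Linux `ip route` listing and flags routes that leave via a non-V.P.N. interface yet are more specific than the V.P.N.’s own routes, while exempting the connected LAN and the host route to the V.P.N. server itself (the interface names `tun0` and `wlan0` and all addresses are assumed).

```python
import ipaddress
import re

# Constructed sample of `ip route` output on a laptop whose V.P.N. client (tun0)
# installed the usual 0.0.0.0/1 and 128.0.0.0/1 routes, after the hotel DHCP
# server on wlan0 pushed an extra /24 via option 121 (proto dhcp).
SAMPLE_ROUTES = """\
default via 10.20.0.1 dev wlan0 proto dhcp metric 600
0.0.0.0/1 dev tun0 scope link
128.0.0.0/1 dev tun0 scope link
10.20.0.0/24 dev wlan0 proto kernel scope link src 10.20.0.55
203.0.113.0/24 via 10.20.0.1 dev wlan0 proto dhcp metric 600
198.51.100.7 via 10.20.0.1 dev wlan0
"""

ROUTE_RE = re.compile(r"^(?P<dst>\S+)(?: via (?P<gw>\S+))? dev (?P<dev>\S+)(?P<rest>.*)$")


def parse_routes(text):
    """Turn `ip route` lines into dicts with a parsed destination network."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue  # skip lines we do not understand rather than guess
        dst = m.group("dst")
        net = ipaddress.ip_network("0.0.0.0/0" if dst == "default" else dst, strict=False)
        routes.append({"net": net, "gw": m.group("gw"), "dev": m.group("dev"), "line": line.strip()})
    return routes


def routes_bypassing_vpn(routes, vpn_dev, vpn_server_ip=None):
    """Return routes that steer traffic away from vpn_dev.

    A route is suspect when it exits a non-V.P.N. interface and is more specific
    (longer prefix) than the widest route the V.P.N. installed, because the
    kernel prefers the longest match. The kernel-added LAN route and the host
    route to the V.P.N. server are expected and are exempted.
    """
    vpn_prefixlens = [r["net"].prefixlen for r in routes if r["dev"] == vpn_dev]
    if not vpn_prefixlens:
        return []  # V.P.N. is not up; nothing to compare against
    widest_vpn = min(vpn_prefixlens)
    suspect = []
    for r in routes:
        if r["dev"] == vpn_dev or "proto kernel" in r["line"]:
            continue
        if vpn_server_ip and r["net"].num_addresses == 1 and ipaddress.ip_address(vpn_server_ip) in r["net"]:
            continue
        if r["net"].prefixlen > widest_vpn:
            suspect.append(r)
    return suspect
```

On the sample above the only route reported is `203.0.113.0/24 via 10.20.0.1 dev wlan0`, which is exactly the option 121 push a V.P.N. client could surface to its user.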
Neither the relevant standards nor the knowledge gaps will change anytime soon. One workaround is to disable option no. 121 for D.H.C.P. clients (Android does this by default). But this may break things on poorly designed networks.
The obvious, but effort-intensive, solutions are either 1) for V.P.N. clients to bypass the operating system’s default routing table or 2) to implement testing routines in V.P.N. clients and corresponding functionality in V.P.N. servers so that V.P.N. software alerts end users to traffic that may not be encrypted as expected.
Don’t hold your breath for either solution. Learning to read a routing table—and gaining a rudimentary understanding of Internet Protocol—is a good idea anyway.