ABC Raided By Police
Huawei Embedded Apps Stripped / Email Is Poison / Leaky Docker Containers / Secret Police vs. News Orgs
Sam Byford: New Huawei phones will ship without Facebook, WhatsApp, or Instagram
Facebook won’t allow Huawei to pre-install its apps on smartphones anymore, Reuters is reporting. It’s the latest example of Western tech companies cutting ties with the beleaguered Chinese telecom giant after President Trump issued an effective trade ban against it.
Huawei phone owners will still be able to download and use apps like WhatsApp, Instagram, and Facebook’s main app itself, and they’ll continue to receive updates through the Play store. Huawei just won’t be able to include them out of the box, which it typically does alongside various other pre-loaded services like Twitter.
Facebook has apparently landed on a different calculus to deal with the trade ban than Google. Google has secured a temporary license to continue to send security updates to existing Huawei phones. Huawei phones currently in stores or “those which have not yet shipped or even been built” will still have the Google services pre-installed. Facebook, Reuters says, is denying pre-installs on “any phone which has not yet left the factory.”
The implications aren’t necessarily as worrying for Huawei as other prior decisions from Google and ARM, which respectively restrict its ability to use core Android services and develop its own chips. But Facebook’s move closes another potential avenue for Huawei to deliver crucial third-party apps to customers, underlining the fact that it’ll have to go it alone with its own app store — no small task.
Read more about this story at The Verge.
What’s almost comical about this is there are many Americans who would love to buy a phone without hardcoded apps like Facebook so they could opt out. Will this, in the end, be a reason to get a Huawei phone? No, I don’t think so. But a big question on my mind is, do Big Tech companies subsidize prices for low end technology by paying manufacturers to install their grayware and what role might consumer advocates play in demanding more accountability for opting-out by default, or getting the Tech Giants paying damages to consumers (rather than fines to state agencies) when data tankers spill oil into the digital environment.
Steve Martino: The Endless Scourge Of Malicious Email
There is no question that unwanted email is a source of annoyance. It is also the biggest source of cyber threats. In fact, just last month, spam accounted for 85 percent of all email sent. Plus, according to Verizon’s 2018 Data Breach Investigations Report, email is the number one vector for both malware distribution (92.4 percent) and phishing (96 percent). Attackers know that, unfortunately, this channel just works.
Because email forces the user to stop and at least scan every message they receive, it presents the perfect opportunity to serve up malicious links and file attachments that people in a hurry sometimes mistakenly click on. Phishing and social engineering have gotten so sophisticated that it can be hard for even cyber-savvy users to discern the legitimate from the malicious.
Our most recent CISO Benchmark Study showed that 56 percent of CISOs we surveyed felt that defending against the user behavior of clicking a malicious link in an email is very or extremely challenging. This ranks higher than any other security concern surveyed — higher than data in the public cloud, and even higher than mobile device use.
You can read the entire report today over at Cisco’s security blog.
For Phish and Chips day, let’s take time to remind end-users on what phishing is and why they should regard every email as suspicious. Let’s also demand more of hosts like Microsoft to help secure corporate communications with support of seals and encryption that visually distinguish legitimate messages from the spoofed and dangerous. Otherwise, maybe it’s time to re-think email as a form of communication altogether.
Phil Muncaster: Researchers Find 40,000+ Containers Exposed Online
Researchers have discovered over 40,000 Kubernetes and Docker container hosting devices exposed to the public internet through misconfigurations.
Palo Alto Networks’ Unit 42 revealed the results of its latest research in a blog post yesterday. The discovery was made via a simple Shodan search.
Some 23,353 Kubernetes containers were found in this way, located mainly in the US, as well as Ireland, Germany, Singapore, and Australia. Even more (23,354) misconfigured Docker containers were discovered exposed to the internet, mainly in China, the US, Germany, Hong Kong and France.
“This does not necessarily mean that each of these 40,000+ platforms are vulnerable to exploits or even the leakage of sensitive data: it simply highlights that seemingly basic misconfiguration practices exist and can make organizations targets for further compromising events,” explained senior threat researcher, Nathaniel Quist.
“Seemingly simple misconfigurations within cloud services can lead to severe impacts on organizations.”
This has happened several times in the past: attackers exploited weak security configurations to steal keys and tokens for 190,000 Docker Hub accounts, while poor container security also led to a major breach of 13 million user records at Ladders.
You can dig deeper into this story over at Info Security Magazine.
In the era of move fast and break things we need to slow down to ensure that company records, processes and consumer data are protected by best practices. Proper training for users and administrators alike are essential tools for ensuring better data protection. Perhaps host services could provide hardened containers as templates or as a complete feature set when going to production. Otherwise, these security messes damage their brand and increase risk analysis scores.
Kacy Zurkus: Australian Police Collect 9K+ Docs in ABC Raid
Outrage over the Australian Federal Police (AFP) raid at the Australian Broadcasting Corporation (ABC) continues to mount as a question of national security versus freedom of the press plays out between journalists and law enforcement.
In response to allegations that ABC had published classified information related to stories reported in 2017, the AFP raided ABC’s headquarters in Sydney and seized several documents, according to John Lyons, executive editor at ABC news, who was allowed in the room as several police officers combed through thousands of emails.
“They have downloaded 9,214 documents. I counted them,” Lyons told ABC news in a live interview. “They have set up a huge screen and they are going through email by email. It’s quite extraordinary. I’ve never seen an assault on the media as savage as this one I’ve seen on ABC.”
“The AFP have the power now to be going through those documents and essentially deleting anything they want. They can change material,” said Lyons who live-tweeted events as they unfolded.
The news is the second raid on members of the press in Australia in less than 24 hours. Combined with the recently passed Assistance and Access Bill, also known as the anti-encryption law, these raids are especially troubling. “Australia is heading down a path that leads to its citizens not being able to speak freely nor privately,” said Paul Bischoff, privacy advocate with Comparitech.com.
“When members of the press are targeted by their own governments, it’s important for journalists to step up their cybersecurity and protect sources. If you cannot depend on the law to protect press freedoms, then journalists must take care to secure their communications, notes, drafts, data, documents and other materials. Most importantly, they need to encrypt their phones and laptops, connect to reputable virtual private networks (VPNs) and use secure communication channels with end-to-end encryption.”
But for those paying attention, you know that Australia new laws demand providers make back doors for all security and provide those to government before deployment in the country. Australia’s adjacency to China and this fundamental lack of privacy follows Europe’s dangerous path away from civil liberties. What we must ask ourselves, will America (or has it already) fallen into this trade of privacy for security? And do citizens trust enough those who have access to every element of their digital lives, or should we demand more? Can we opt out or are we digital sheep to be shorn mercilessly?
I’d love to know what you think. Leave me comments here or at Twitter.
Help me get the word out about this blog, won’t you? If you’d rather listen, look for the Your Tech Moment podcast on major platforms, use the Amazon skill in your Flash Briefing or YouTube channel.
Updates throughout the day on Twitter handle Weym0
©WHTS
