Category Archives: Security

Zoom wants to share calls with the police! 07/13/2020

07/25/2020 – UPDATE

Under external pressure, Zoom reversed its decision to make end-to-end encryption a paid feature. Privacy and security MUST be the default in technology, not a paid luxury!
ORIGINAL 07/13/2020 POST: 

This is outrageous. Zoom made significant and commendable strides forward in 2020 to finally address its security flaws. However, IMO this latest policy change puts them back in the dog house. Zoom just announced that it will NOT offer end-to-end encryption to users with free accounts, because it wants to give the police and FBI access to calls.

If paid subscribers do have end-to-end encryption, this “policy” is a blatant strategy to simply generate revenue.

Sign the petition to tell Zoom: “Keep people safe by implementing default end to end encryption for all video, audio, and text chat.”

Tell Zoom to implement end to end encryption for all users.

FROM FIGHT FOR THE FUTURE:
“This threatens protesters who are using Zoom to coordinate demonstrations and have confidential discussions about necessary reforms. By giving cops these sensitive conversations, Zoom puts activists at risk. The police can use the information gathered to disrupt protests and even arrest the people involved.”

“As activists demand justice, accountability, and freedom from police violence, Zoom fuels the very police oppression the protesters are fighting against.”[1]

“This is a decisive moment of change. The need for safety both on and offline has never been greater. Now more than ever companies must take action for our security, not expose us to more danger.”

Tell Zoom to keep all users safe.

“Eric Yuan, Zoom’s CEO, believes limiting encryption to paying customers is necessary because ‘some people use Zoom for bad purposes.’ Not only does Yuan show disturbing bias in drawing a connection between free users and criminals, but he’s making a ridiculous argument. People with bad intentions will just pay to secure their calls, which means there’s literally no reason not to offer end to end encryption to free account holders other than to do law enforcement a favor.”[2][3]

“And while bad actors and corporations pay for safety, users who can’t afford paid accounts will be left vulnerable to cyber-criminals, stalkers, and governments around the world can access calls with full cooperation from Zoom.”[4]

“This sets an extremely dangerous precedent. This is what law enforcement wants and why they’re pressuring Facebook to not roll out end to end encryption on Messenger. By doing this Zoom is reinforcing a dangerous lie that widespread availability of end to end encryption is inherently dangerous, which is just nonsense.”[5]

Tell Zoom to make all user accounts safe and secure with end to end encryption.


Footnotes:
1. The Guardian: https://www.theguardian.com/technology/2020/jun/03/zoom-privacy-law-enforcement-technology-yuan
2. CNET: https://www.cnet.com/news/zoom-wont-add-encryption-to-free-calls-so-it-can-work-with-law-enforcement/
3. Schneier on Security: https://www.schneier.com/blog/archives/2020/04/secure_internet.html
4. Tech Crunch: https://techcrunch.com/2020/04/01/zoom-doom/
5. The Verge: https://www.theverge.com/2020/3/3/21158030/encryption-explainer-guide-law-enforcement-apple-fbi

Data Protection Law in the Age of Big Data and AI

A must read from Sandra Wachter for executives and front line legal and tech warriors.


“A Right to Reasonable Inferences: Re-Thinking Data Protection Law in the Age of Big Data and AI”
Sandra Wachter – University of Oxford – Oxford Internet Institute
Brent Mittelstadt – University of Oxford – Oxford Internet Institute

“Data protection law is meant to protect people’s privacy, identity, reputation, and autonomy, but is currently failing to protect data subjects from the novel risks of inferential analytics.”

Paper from SSRN – Why you should create a free SSRN Account.
Paper (PDF): https://fitceo.com/wp-content/uploads/securepdfs/2019/01/SSRN-id3248829.pdf

Google Releases Updates for Chrome

Original release date: December 12, 2018 via The National Cybersecurity and Communications Integration Center (NCCIC)

Google has released Chrome Version 71.0.3578.98 for Windows, Mac, and Linux. This version addresses a vulnerability that an attacker could exploit to take control of an affected system.


The National Cybersecurity and Communications Integration Center (NCCIC), part of the Cybersecurity and Infrastructure Security Agency (CISA), encourages users and administrators to review the Chrome Releases page and apply the necessary updates.


E-Verify Reminder – DHS – Q4 2018

Reminder: Employers may not terminate employees because of a Tentative Non-Confirmation (TNC)

You may not terminate or take any other adverse action against an employee because of Tentative Non-Confirmation (TNC) until the Social Security Administration (SSA) and/or Department of Homeland Security (DHS) has reviewed the case and the TNC becomes a Final Non-Confirmation.

Resources for more information on TNCs:


EMPLOYMENT ELIGIBILITY VERIFICATION (EEV) SERVICES

US Infrastructure: An Achilles Heel / SCADA exposure will short-circuit our utilities!

  • What is it?
  • Where are the vulnerabilities?
  • What should be considered?
  • Resources

Supervisory Control And Data Acquisition (SCADA) networks pervade industry. These small microcontroller-based systems are used to control large industrial machines and processes. SCADA systems are predominantly used for monitoring industrial systems, often in remote locations.

Typically, remote terminal units (RTUs) and programmable logic controllers (PLCs) are connected to enterprise networks through a “telemetry” network. Where the telemetry network meets the enterprise computer network, gateways permit two-way communication between the SCADA network and the traditional corporate network.

SCADA systems were designed to be highly efficient, but they were not necessarily designed with security in mind. Because security was not the primary consideration, SCADA telemetry networks may be highly vulnerable to exploitation. Because SCADA systems control and provide feedback on industrial processes, exploitation of these systems could seriously disrupt key industrial processes, such as power generation, lift and crane systems, and transportation systems.

There are numerous entry points to SCADA telemetry networks:

  • Compromise of WLAN and/or wireless networks that connect SCADA systems to each other and to control systems;
  • Compromise of gateways from traditional computer networks to the SCADA network;
  • Improper physical access to key control systems;
  • Access to telemetry networks and modification of command-level traffic (typically this traffic is unencrypted);
  • Application-level vulnerabilities in SCADA control software;
  • SCADA traffic encapsulated in TCP/IP and transmitted over public networks.

These vectors are but a limited selection of the entry points for SCADA networks. Because of the traditional use of SCADA networks, encryption of traffic between endpoints is often forgone.

The most memorable SCADA attack was Stuxnet (1). Stuxnet attacked the centrifuge control SCADA systems in Iran, rendering them useless.

Organizations need a structured approach to securing SCADA systems.

While firmware manufacturers may be slow to respond to security requirements, organizations must take the following preventive initiatives:

  • Implement simple but effective controls that separate SCADA networks from general computer network systems.
  • Monitor SCADA system activities for abnormal conditions.
  • Upgrade and assess SCADA firmware on a regular basis.
  • Where bounds checking is implemented (for controller movement, such as stepper-motor-controlled systems), the configuration scripts for SCADA devices must enforce the movement bounds so that out-of-range commands cannot damage control hardware.
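Two of the controls listed above, separating the SCADA network from the corporate network and checking commands against movement bounds, can be verified offline against command telemetry. The following script is an added example written for this page, not code from VIMRO or any SCADA vendor. The log format, the device names, the `10.50.0.0/24` SCADA segment, and the per-controller bounds are all constructed assumptions; it flags SET commands that originate outside the SCADA segment, target an unconfigured controller, or carry a setpoint outside the configured range.

```python
"""Audit constructed SCADA command telemetry against two controls:
network separation (only hosts on the SCADA segment may issue commands)
and movement bounds (setpoints must stay inside each controller's range).

Added example for this page; not VIMRO's or any vendor's code. The log
format, device names, subnet, and bounds are all constructed assumptions.
"""
import ipaddress
from dataclasses import dataclass

# Constructed: the only segment from which SCADA commands may originate.
SCADA_SEGMENT = ipaddress.ip_network("10.50.0.0/24")

# Constructed: movement bounds per controller in the controller's own units
# (e.g. stepper-motor steps). Setpoints outside are rejected before they
# can drive hardware past its mechanical limits.
MOVEMENT_BOUNDS = {
    "conveyor-1": (0, 1200),
    "crane-arm-2": (-450, 450),
}


@dataclass(frozen=True)
class Alert:
    line_no: int
    device: str
    reason: str


def parse_line(line):
    """Parse one constructed record: '<ts> <src_ip> <device> SET <value>'.
    Returns None for records that are not SET commands (reads, heartbeats)."""
    parts = line.split()
    if len(parts) != 5 or parts[3] != "SET":
        return None
    ts, src, device, _, value = parts
    return ts, src, device, int(value)


def check_command(src, device, value):
    """Return a reason string if the command violates a control, else None."""
    if ipaddress.ip_address(src) not in SCADA_SEGMENT:
        return f"command from {src} outside SCADA segment {SCADA_SEGMENT}"
    if device not in MOVEMENT_BOUNDS:
        return f"unknown controller {device}"
    lo, hi = MOVEMENT_BOUNDS[device]
    if not lo <= value <= hi:
        return f"setpoint {value} outside bounds [{lo}, {hi}]"
    return None


def audit(log_lines):
    """Run every SET command in the log through check_command; collect alerts."""
    alerts = []
    for n, line in enumerate(log_lines, start=1):
        rec = parse_line(line)
        if rec is None:
            continue
        _, src, device, value = rec
        reason = check_command(src, device, value)
        if reason:
            alerts.append(Alert(n, device, reason))
    return alerts


# Constructed sample telemetry, not captured traffic.
SAMPLE_LOG = [
    "2019-08-01T10:00:01 10.50.0.12 conveyor-1 SET 600",
    "2019-08-01T10:00:02 10.50.0.12 conveyor-1 READ 0",
    "2019-08-01T10:00:05 10.50.0.14 crane-arm-2 SET 900",   # beyond mechanical limit
    "2019-08-01T10:00:09 192.168.1.77 conveyor-1 SET 100",  # corporate LAN host
    "2019-08-01T10:00:11 10.50.0.12 pump-9 SET 1",          # unconfigured controller
]

if __name__ == "__main__":
    for a in audit(SAMPLE_LOG):
        print(f"line {a.line_no}: {a.device}: {a.reason}")
```

Run against the constructed log, the audit reports three alerts (lines 3, 4 and 5) and accepts the in-range command from the SCADA segment. In a real deployment the same checks belong in front of the controller, applied before a command is forwarded, rather than only in an after-the-fact log review.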

Finally, while there are many technological aspects to controlling SCADA systems, we cannot overlook the human element.

Originally released in part by VIMRO, Larry Boettger and Michael Horsch Fizz

Resources:

SCADA 2019 Tech Summit: August 28 – 29, 2019
Westin O’Hare: 6100 N River Rd, Rosemont, Ill. 60018


Additional Resources:

SCADA News:


(1) AN UNPRECEDENTED LOOK AT STUXNET, THE WORLD'S FIRST DIGITAL WEAPON

They will bypass your best computer security system in ten minutes.

Social Engineering
The Evil Art of Human Hacking

Social engineering is a technique hackers use to take over an account by persuading or psychologically manipulating people into divulging confidential information. This is usually the first step within a more complex scheme. Social engineering uses “confidence building” techniques to set the victim at ease and convince him or her that the attacker is legitimate and is presenting a valid scenario.

Social engineering is very common and occurs regularly; it is so pervasive, in fact, that two prominent internet companies, GoDaddy and PayPal, recently fell for a carefully crafted social engineering attack. This attack enabled unauthorized parties to hijack the account of a significant user and, through that breach, to access other confidential accounts. Cases like this “should have thrown up red flags for any Internet company dealing in identity,” reports techcrunch.com. “These are not new tactics and they should be guarded against as a very basic precaution.”

More alarming than the frequency of social engineering attacks is the relatively low risk for the attacker, who can disengage at any time simply by hanging up the phone or deleting the address used to send fraudulent emails. When this low risk is combined with the inviting ratio of success to failure, social engineering becomes an attractive alternative to much riskier fraud that requires facing your victim.

The means to defeat social engineering, however, are relatively simple if you understand what social engineering is: social engineering is a con. It relies on the victim’s reluctance or inability to question the authenticity of the attacker. Once that authenticity is questioned, the attacker must deviate from their “script” and flounder to avoid being discovered. The more you drive the attacker off the script, the more information you can gain; proportionally, this increases the risk to the attacker. Five simple steps can help you avoid becoming a victim of social engineering:

  • Question the authenticity of every communication. This is especially true if you are asked for information such as usernames, passwords, or other sensitive data.
  • Do not be afraid to validate the caller. Advanced social engineers will set up “bounce” numbers; these are phone numbers that are answered by co-conspirators who serve to falsely validate the authenticity of the caller. You can avoid this trap by instead calling a number you know to be legitimate, such as the published number for a company or the internal extension for the employee’s supervisor.
  • Insist on two-way validation. If someone asks you for your information, ask them for their information about you. For example, if a caller identifying himself as an IT technician asks for your information, ask what equipment his database reports for you. Then request from him his supervisor’s name, which you can validate in an employee directory, and call that supervisor to validate his request.
  • If you have identified a social engineering attempt, be sure to communicate your finding to management; news of this attempt should then be shared companywide to limit the attacker’s possible success.
  • Validate through testing. Every organization should, as one component of a thorough penetration test, evaluate employee readiness for social engineering attempts. A firm well versed in social engineering testing will go beyond mere phone calls, employing a multitude of techniques to perform extensive tests in this discipline.

Originally released in part by VIMRO, Larry Boettger and Michael Horsch Fizz
