Pete Recommends – Weekly highlights on cybersecurity issues – October 22, 2022

Subject: Weakness in Microsoft Office 365 Message Encryption could expose email contents
Source: Help Net Security
https://www.helpnetsecurity.com/2022/10/14/weakness-office-365-encryption/

WithSecure researchers are warning organizations of a security weakness in Microsoft Office 365 Message Encryption (OME) that could be exploited by attackers to obtain sensitive information.OME, which is used by organizations to send encrypted emails internally and externally, utilizes the Electronic Codebook (ECB) implementation – a mode of operation known to leak certain structural information about messages.

Attackers able to obtain enough OME emails could use the leaked information to partially or fully infer the contents of the messages by analyzing the location and frequency of repeated patterns in individual messages, and then matching these patterns to ones found in other OME emails and files.

Because there is no fix from Microsoft or a more secure mode of operation available to email admins or users, WithSecure recommends avoiding the use of OME as a means of ensuring the confidentiality of emails.

Tagged:
Subject: Here’s 5 of the world’s riskiest connected devices
Source: Help Net Security
https://www.helpnetsecurity.com/2022/10/13/riskiest-connected-devices/

Forescout’s research team analyzed 19 million connected devices deployed across five different industries, to find the riskiest device groups: smart buildings, medical devices, networking equipment, and IP cameras, VoIP, and video conferencing systems.Using the dataset and scoring methodology, where the risk of a device is calculated on its configuration, function, and behavior, the five riskiest connected devices across the four categories rank as follows:

Key research findings – “The growing number and diversity of connected devices in every industry presents new challenges for organisations to understand and manage the risks they are exposed to. The attack surface now encompasses IT, IoT and OT in almost every organisation, with the addition of IoMT in healthcare. It is not enough to focus defenses on risky devices in one category since attackers can leverage devices of different categories to carry out attacks. We have already demonstrated this with R4IoT, an attack that starts with an IP camera (IoT), moves to a workstation (IT) and disables PLCs (OT),” said Daniel dos Santos, Head of Security Research at Forescout.

Topics:

Subject: How Apple’s privacy changes force social media marketing to evolve
Source: VentureBeat
https://venturebeat.com/security/how-apple-privacy-changes-force-social-media-marketing-evolve/

How Apple’s privacy changes force social media marketing to evolveDirect-to-consumer businesses that previously relied heavily on Facebook (now Meta) as a way to target and advertise via social media are now starting to realize the perils that resulted from privacy policy changes instituted by Apple. These changes have upended the digital advertising strategy for hundreds of thousands of businesses and forced these companies to find new paths to their coveted customers.

Some brands have remained loyal to Facebook and Instagram, but many others are making sharp pivots to embrace more zero-party data and first-party data while turning to new social platforms for marketing based on one-to-one connections, such as TikTok.

Social media marketing: What changed with Apple?

Apple, maker of the iPhone and iPad, has changed the way it handles its users’ privacy. Specifically, it now gives customers enhanced control over privacy settings, giving them more say over which of their personal data is provided to brands.

Ads driven by Big Data have helped companies target people on social platforms such as Meta and Instagram, platforms that in the past could deliver messages to users who possess characteristics that indicate the messages and offers are likely to be of interest.

Of course, Big Data is the process of purchasing data from a third-party provider — collecting online activity, purchase history, social media content and more to identify people who are potentially interested in what companies have to offer.

Filed: https://venturebeat.com/security/

Subject: Data Protection and Privacy Law: An Introduction
Source: CRS in Focus via beSpacific
https://www.bespacific.com/data-protection-and-privacylaw-an-introduction/

CRS in Focus – Data Protection and PrivacyLaw: An Introduction, Updated October 12, 2022 – “Recent controversy surrounding how third parties protect the privacy of individuals in the digital age has raised national concerns over legal protections of Americans’ electronic data. The current legislative paradigms governing cybersecurity and data privacy are complex and technical and lack uniformity at the federal level. This InFocus provides an introduction to data protection laws and an overview of considerations for Congress.(For a more detailed analysis, see CRS Report R45631, Data Protection Law: An Overview, by Stephen P. Mulligan, Wilson C. Freeman, and Chris D. Linebaugh.)



Abstracted from beSpacific
Copyright © 2022 beSpacific, All rights reserved.

Subject: Chinese Firms Exporting Surveillance Tools Across the Globe, Report Says
Source: Nextgov
https://www.nextgov.com/policy/2022/10/chinese-firms-exporting-surveillance-tools-across-globe-report-says/378592/

The Chinese government is using its investments in surveillance technologies to advance “both its ambitions of becoming a global technology leader as well as its means of domestic social control,” according to a report released by the Atlantic Council on Monday.The report, authored by Bulelani Jili—a non-resident fellow at the Atlantic Council’s Cyber Statecraft Initiative—noted that Beijing’s domestic surveillance system “is confined to its national borders,” but said that the Chinese companies that “make its surveillance state possible are now actively selling their tools abroad.”

These technologies—produced almost exclusively by companies funded by and tied to the Chinese government—enable Beijing to monitor its citizens through the collection of a vast array of personal data.

By allowing for the export of technologies underpinning its surveillance system to the Global South—particularly to African nations—the report said that Beijing is able to “expand and strengthen their political and economic influence worldwide,” while also empowering other countries to implement an authoritarian model of surveillance and control over their own citizens.

China’s growing sphere of influence around the world, coupled with its push to outcompete America in the production and development of new technologies, has led the Biden administration to issue warnings about Beijing’s growing threat to U.S. national security interests.

Topics:

Subject: How Facebook Became the Internet’s Covid-19 Misinformation Hub
Source: Gizmodo
https://gizmodo.com/facebook-papers-covid-19-coronavirus-misinformation-1849667132

This piece is part of Gizmodo’s ongoing effort to make the Facebook Papers available to the public. See the full directory of documents here.
Meta didn’t choose to become a global distributor of medicinal snake oil and dangerous health advice. But it did decide it could tolerate it. From the onset of the covid-19 pandemic, Facebook understood the outsized role its platform would plays in shaping public opinion about the virus and the safeguards that governments would inevitably institute in hopes of containing it. Ten months before the first reported U.S. infection, Facebook’s head of global policy management, Monika Bickert, had laid out in a company blog a plan for “Combatting Vaccine Misinformation.” And while the title alludes to efforts to reduce the spread of misinformation — namely, by curtailing its distribution in the News Feed — what the blog really reveals is that, at some point, Facebook made a conscious decision to continue hosting vaccine misinformation rather than aggressively purge it.
It was a missed opportunity, given that, at the time, the groups and pages promoting “anti-vaxxer” sentiment were relatively few in number. Very soon, that would all change.In our latest drop of the Facebook Papers, Gizmodo is publishing 18 documents that shed light on the internal discussions within Facebook on covid-19. The papers, only a handful of which have ever been shown to the public, include a number of candid conversations among mid- and high-level employees; researchers, managers, and engineers with appreciably different views on the company’s moral obligations. Facebook declined to comment.
Subject: TX AG Ken Paxton Sues Google Over Facial Recognition in Photos
Source: Gizmodo
https://gizmodo.com/google-photos-texas-attorney-ken-paxton-sues-face-data-1849681912

Texas Attorney General Ken Paxton announced the state is suing Google for allegedly collecting biometric data from millions of Texans without consent, his office said in a press release Thursday. The case is part of a recent flood of lawsuits against tech companies over biometrics, which measure physical characteristics like faces and fingerprints. But this new lawsuit makes an unusual and potentially gamechanging argument: Paxton alleges Google violated the privacy of people who aren’t even Google users.

A Google spokesperson said in a statement, “AG Paxton is once again mischaracterizing our products in another breathless lawsuit.”

Elaborating on specifics, the statement reads, “For example, Google Photos helps you organize pictures of people, by grouping similar faces, so you can easily find old photos. Of course, this is only visible to you and you can easily turn off this feature if you choose and we do not use photos or videos in Google Photos for advertising purposes. The same is true for Voice Match and Face Match on Nest Hub Max, which are off-by-default features that give users the option to let Google Assistant recognize their voice or face to show their information. We will set the record straight in court.”

Subject: TikTok Parent ByteDance Planned To Use TikTok To Monitor The Physical Location Of Specific American Citizens
Source: Forbes
https://www.bespacific.com/tiktok-monitor-physical-location-of-specific-american-citizens/

Forbes: “…The team behind the monitoring project — ByteDance’s Internal Audit and Risk Control department — is led by Beijing-based executive Song Ye, who reports to ByteDance cofounder and CEO Rubo Liang. The team primarily conducts investigations into potential misconduct by current and former ByteDance employees. But in at least two cases, the Internal Audit team also planned to collect TikTok data about the location of a U.S. citizen who had never had an employment relationship with the company, the materials show. It is unclear from the materials whether data about these Americans was actually collected; however, the plan was for a Beijing-based ByteDance team to obtain location data from U.S. users’ devices. TikTok spokesperson Maureen Shanahan said that TikTok collects approximate location information based on users’ IP addresses to “among other things, help show relevant content and ads to users, comply with applicable laws, and detect and prevent fraud and inauthentic behavior.” But the material reviewed by Forbes indicates that ByteDance’s Internal Audit team was planning to use this location information to surveil individual American citizens…

LinkedIn
Posted in: Cybersecurity, Privacy, Social Media