Pete Recommends – Weekly highlights on cybersecurity issues – October 22, 2022

Subject: Weakness in Microsoft Office 365 Message Encryption could expose email contents
Source: Help Net Security

WithSecure researchers are warning organizations of a security weakness in Microsoft Office 365 Message Encryption (OME) that could be exploited by attackers to obtain sensitive information. OME, which is used by organizations to send encrypted emails internally and externally, utilizes the Electronic Codebook (ECB) implementation – a mode of operation known to leak certain structural information about messages.

Attackers able to obtain enough OME emails could use the leaked information to partially or fully infer the contents of the messages by analyzing the location and frequency of repeated patterns in individual messages, and then matching these patterns to ones found in other OME emails and files.

Because there is no fix from Microsoft or a more secure mode of operation available to email admins or users, WithSecure recommends avoiding the use of OME as a means of ensuring the confidentiality of emails.
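As an added illustration (not code from the article or from WithSecure's research), the following Python shows the structural leak the item describes: in ECB mode, identical plaintext blocks produce identical ciphertext blocks, which is what lets an observer map repeated patterns across messages, while a chained mode such as CBC masks them. A toy 16-byte Feistel cipher built from HMAC-SHA256 stands in for AES so the example runs with the standard library alone; the key, IV and message are constructed sample values.

```python
import hashlib
import hmac

BLOCK = 16

# Constructed sample values for the demonstration (not from the article).
KEY = b"constructed-demo-key"
IV = bytes(range(BLOCK))
# Two distinct 16-byte records, each appearing twice: blocks 0/2 and 1/3 repeat.
PLAINTEXT = b"ACCOUNT 12345678" + b"BALANCE 00000000" + b"ACCOUNT 12345678" + b"BALANCE 00000000"

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _round(key: bytes, i: int, half: bytes) -> bytes:
    # Keyed round function: HMAC-SHA256 truncated to half a block.
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:BLOCK // 2]

def encrypt_block(key: bytes, block: bytes) -> bytes:
    """Toy 16-byte block cipher (4-round Feistel); a stand-in for AES, not secure."""
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for i in range(4):
        left, right = right, _xor(left, _round(key, i, right))
    return left + right

def ecb_encrypt(key: bytes, plaintext: bytes) -> bytes:
    # ECB: every block is encrypted independently, so equal input blocks
    # give equal output blocks and the repetition pattern survives encryption.
    return b"".join(encrypt_block(key, plaintext[i:i + BLOCK])
                    for i in range(0, len(plaintext), BLOCK))

def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    # CBC: each block is XORed with the previous ciphertext block before
    # encryption, so repeated plaintext blocks no longer produce repeats.
    out, prev = [], iv
    for i in range(0, len(plaintext), BLOCK):
        prev = encrypt_block(key, _xor(plaintext[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)

def repeated_blocks(ciphertext: bytes) -> dict:
    """Map each ciphertext block seen more than once to the block positions where it occurs.

    This is the observation an analyst (or an ECB-mode detector) makes on
    ciphertext alone: repeated blocks reveal where the plaintext repeats.
    """
    seen = {}
    for n in range(len(ciphertext) // BLOCK):
        seen.setdefault(ciphertext[n * BLOCK:(n + 1) * BLOCK], []).append(n)
    return {blk: pos for blk, pos in seen.items() if len(pos) > 1}

if __name__ == "__main__":
    print("ECB repeats:", sorted(repeated_blocks(ecb_encrypt(KEY, PLAINTEXT)).values()))
    print("CBC repeats:", sorted(repeated_blocks(cbc_encrypt(KEY, IV, PLAINTEXT)).values()))
```

Running it shows the ECB ciphertext repeating at positions [0, 2] and [1, 3], exactly mirroring the plaintext, while the CBC ciphertext has no repeated blocks.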

Subject: Data Protection and Privacy Law: An Introduction
Source: CRS in Focus via beSpacific

CRS in Focus – Data Protection and Privacy Law: An Introduction, Updated October 12, 2022 – “Recent controversy surrounding how third parties protect the privacy of individuals in the digital age has raised national concerns over legal protections of Americans’ electronic data. The current legislative paradigms governing cybersecurity and data privacy are complex and technical and lack uniformity at the federal level. This In Focus provides an introduction to data protection laws and an overview of considerations for Congress. (For a more detailed analysis, see CRS Report R45631, Data Protection Law: An Overview, by Stephen P. Mulligan, Wilson C. Freeman, and Chris D. Linebaugh.)”

Abstracted from beSpacific
Copyright © 2022 beSpacific, All rights reserved.

Subject: Chinese Firms Exporting Surveillance Tools Across the Globe, Report Says
Source: Nextgov

The Chinese government is using its investments in surveillance technologies to advance “both its ambitions of becoming a global technology leader as well as its means of domestic social control,” according to a report released by the Atlantic Council on Monday. The report, authored by Bulelani Jili—a non-resident fellow at the Atlantic Council’s Cyber Statecraft Initiative—noted that Beijing’s domestic surveillance system “is confined to its national borders,” but said that the Chinese companies that “make its surveillance state possible are now actively selling their tools abroad.”

These technologies—produced almost exclusively by companies funded by and tied to the Chinese government—enable Beijing to monitor its citizens through the collection of a vast array of personal data.

By allowing for the export of technologies underpinning its surveillance system to the Global South—particularly to African nations—the report said that Beijing is able to “expand and strengthen their political and economic influence worldwide,” while also empowering other countries to implement an authoritarian model of surveillance and control over their own citizens.

China’s growing sphere of influence around the world, coupled with its push to outcompete America in the production and development of new technologies, has led the Biden administration to issue warnings about Beijing’s growing threat to U.S. national security interests.


Subject: How Facebook Became the Internet’s Covid-19 Misinformation Hub
Source: Gizmodo

This piece is part of Gizmodo’s ongoing effort to make the Facebook Papers available to the public. See the full directory of documents here.
Meta didn’t choose to become a global distributor of medicinal snake oil and dangerous health advice. But it did decide it could tolerate it. From the onset of the covid-19 pandemic, Facebook understood the outsized role its platform would play in shaping public opinion about the virus and the safeguards that governments would inevitably institute in hopes of containing it. Ten months before the first reported U.S. infection, Facebook’s head of global policy management, Monika Bickert, had laid out in a company blog a plan for “Combatting Vaccine Misinformation.” And while the title alludes to efforts to reduce the spread of misinformation — namely, by curtailing its distribution in the News Feed — what the blog really reveals is that, at some point, Facebook made a conscious decision to continue hosting vaccine misinformation rather than aggressively purge it.
It was a missed opportunity, given that, at the time, the groups and pages promoting “anti-vaxxer” sentiment were relatively few in number. Very soon, that would all change. In our latest drop of the Facebook Papers, Gizmodo is publishing 18 documents that shed light on the internal discussions within Facebook on covid-19. The papers, only a handful of which have ever been shown to the public, include a number of candid conversations among mid- and high-level employees: researchers, managers, and engineers with appreciably different views on the company’s moral obligations. Facebook declined to comment.

Subject: TX AG Ken Paxton Sues Google Over Facial Recognition in Photos
Source: Gizmodo

Texas Attorney General Ken Paxton announced the state is suing Google for allegedly collecting biometric data from millions of Texans without consent, his office said in a press release Thursday. The case is part of a recent flood of lawsuits against tech companies over biometrics, which measure physical characteristics like faces and fingerprints. But this new lawsuit makes an unusual and potentially game-changing argument: Paxton alleges Google violated the privacy of people who aren’t even Google users.

A Google spokesperson said in a statement, “AG Paxton is once again mischaracterizing our products in another breathless lawsuit.”

Elaborating on specifics, the statement reads, “For example, Google Photos helps you organize pictures of people, by grouping similar faces, so you can easily find old photos. Of course, this is only visible to you and you can easily turn off this feature if you choose and we do not use photos or videos in Google Photos for advertising purposes. The same is true for Voice Match and Face Match on Nest Hub Max, which are off-by-default features that give users the option to let Google Assistant recognize their voice or face to show their information. We will set the record straight in court.”

Subject: TikTok Parent ByteDance Planned To Use TikTok To Monitor The Physical Location Of Specific American Citizens
Source: Forbes

Forbes: “…The team behind the monitoring project — ByteDance’s Internal Audit and Risk Control department — is led by Beijing-based executive Song Ye, who reports to ByteDance cofounder and CEO Rubo Liang. The team primarily conducts investigations into potential misconduct by current and former ByteDance employees. But in at least two cases, the Internal Audit team also planned to collect TikTok data about the location of a U.S. citizen who had never had an employment relationship with the company, the materials show. It is unclear from the materials whether data about these Americans was actually collected; however, the plan was for a Beijing-based ByteDance team to obtain location data from U.S. users’ devices. TikTok spokesperson Maureen Shanahan said that TikTok collects approximate location information based on users’ IP addresses to “among other things, help show relevant content and ads to users, comply with applicable laws, and detect and prevent fraud and inauthentic behavior.” But the material reviewed by Forbes indicates that ByteDance’s Internal Audit team was planning to use this location information to surveil individual American citizens…

Posted in: Cybersecurity, Privacy, Social Media