Mornings With Mark

Two major security issues with popular smartphones this week. First the Samsung Galaxy S10 and then the Google Pixel 4. For the Galaxy, it's fingerprint reader currently accepts any fingerprint to unlock the device and authorized activities. While the Pixel does not require attention for facial recognition to unlock the device or authorize activities.Neither is good. Though the response is telling. Samsung is quickly pushing out a patch to resolve their issue. Google has issued a statement say that facial recognition is working as expected and in the future, it may add extra features like attention detection.Getting users to accept new security controls is an uphill battle, any setback makes it harder for any solution to push out additional security measures. But the response is a stark reminder that security features are just like any others. They will be triaged for bugs and prioritized according to criticality and demand. And sometimes, other pressures mean that the security-focused call isn't the one that

In the 200th episode of the show, we look at e-transfer security. Sending money via email is simple and efficient, but is it safe?Turns out, not so much. Both from a practical standpoint and a legal one.References:- CBC's Go Public on the latest victim, https://www.cbc.ca/news/business/etransfer-fraud-banks-blame-customers-1.5286926- Erica Johnson from CBC News on the rising frequency of e-transfer fraud, https://www.cbc.ca/news/business/rbc-customer-out-of-pocket-after-e-transfer-fraud-1.5128114- Interac e-transfer terms and conditions, https://www.interac.ca/en/interac-e-transfer-terms-of-use.html

CBC News posted an article about how Canadian federal MPs are using digital tracking technologies on their personal websites The article was fair and covered the technology and some of the potential issues, however this is just standard digital adtech. Does that make it right? No, but it's not a scandal in of itself. So what is retargeting? How is it used? Why is its use in politics different? References;- article by Elizabeth Thompson and Andrea Bellemar for CBC, https://www.cbc.ca/news/politics/election-advertising-web-trackers-1.5276287- Hubspot's beginner guide to implementing retargeting, https://blog.hubspot.com/marketing/retargeting-campaigns-beginner-guide- CBC News on the Canadian 2019 federal election announcement, https://www.cbc.ca/news/politics/election-campaign-starts-today-1.5277657

Letting customers know about a security vulnerability is never an easy thing. From the logistics of it to the reputation management issues. But this is a critical aspect of delivery software and services. Recently MuleSoft handled a disclosure in a truly impressive way. They reached out via email and then called customers to let them know about the issue. This not only helps get the word out but also provides much needed context for the patch that is typically lacking. References: Catalin Cimpanu for ZDNet on the issue, https://www.zdnet.com/article/how-mulesoft-patched-a-critical-security-flaw-and-avoided-a-disaster/

Cybercriminals don't always use complicated technical attacks to get around your cybersecurity. Sometimes—probably more often than we care to admit—it's the really simple stuff that works and what's simpler than an email? Business email compromise is a social engineer technique that raked in over a $1B in the US alone last year. In this scam, the criminals leverage fake business pressures to circumvent normal financial processes. It's simple and it works. References; a business in North Battleford, Saskatchewan lost $1.4 M in this type of scam, https://www.cbc.ca/news/canada/saskatoon/spence-equipment-fraud-sask-1.5256322 the Ontario Provincial Police warn of an increase in "CEO email scams" province wide, https://ottawacitizen.com/news/local-news/police-warn-of-ceo-email-scams#click=https://t.co/OYhpIrCS33 financial reporting on the scam in the US, https://www.cyberscoop.com/business-email-compromise-bec-fincen-report-2019/ basic attack facts from Trend Micro, https://www.trendmicro.com/vinfo/us/s

Facebook was recently called out for listening to users audio messages on Facebook Messenger. They aren't alone. Apple, Amazon, Google, and Microsoft all have admitted to having contractors analyze audio from their voice assitants (and MIcrosoft's Skype service). There's a stark contrast to these use cases. When you're interacting with a voice assistant, there is an expectation that a computer is transcribing the audio. That's the whole point. When I send you a voice note in Facebook Messenger, there's no expectation that anyone other than you will listen. Of course, all of these activities were covered in the terms of service and privacy policies...but that doesn't mean users were aware, comfortable, or accepting of other humans listening in. Anonymized data or not. References: CNBC on the Facebook issue, https://www.cnbc.com/2019/08/13/facebook-hired-people-to-transcribe-voice-calls-made-on-messenger.html Apple's privacy statement, https://www.apple.com/ca/privacy/approach-to-privacy/ WhatsApp privacy stat

NULL is one of many special characters that has a long history in computing. What are the consequences of using NULL as a value provided via user input. The easy answer should be "nothing" but reality is a lot messier. Joseph Tataro set out to get a nerdy license plate and found out just how far the rabbit hole might go... References; Brian Barrett covers the talk and issue for WIRED, https://www.wired.com/story/null-license-plate-landed-one-hacker-ticket-hell/ journalist Christopher Null has some thoughts on the issue, https://chrisnull.com/about-2/

Is application security (AppSec) dead? Did it every really work? I would argue that it didn't and hasn't. Case in point: the OWASP Top 10 web application vulnerabilities hasn't significantly changed in the past decade. That's a problem. What's the solution? References: thread from Eric Hammond on security in tutorials, https://twitter.com/esh/status/1156359661878050816 OWASP, https://www.owasp.org/index.php/Main_Page

FaceApp (first released in 2017) is back in the news for the #AgeChallenge and a host of privacy concerns. There's a lot of knee-jerk reactions around the app but what's really going on? We dive in on this (as usual) no-BS episode... References; BuzzFeed checks Paul Rudd to make sure he CAN age, https://www.buzzfeed.com/jenniferabidor/paul-rudd-aged-faceapp Steven Asarch looks at the issue for Newsweek (I'm quoted in this one), https://www.newsweek.com/faceapp-russia-privacy-policy-app-ios-android-1449784 Brian Barrett for WIRED calls out the obvious, there are bigger issues with more mainstream apps, https://www.wired.com/story/faceapp-privacy-backlash-facebook/ CNN states the obvious, privacy is rarely a front line concern, https://www.cnn.com/2019/07/17/tech/faceapp-privacy-concerns/index.html

Recently on Twitter a nerd fight started around the idea of a 10x engineer. VC Shekhar Kirani kicked things off by advocating that startups do anything to grab these types of employees. Needless to say, a lot of differing opinions were shared on the matter. It's an interesting topic and one we dive into on the show today. References; the original twitter thread by Kirani, https://twitter.com/skirani/status/1150019060467240960 Rob Graham with a great response thread, https://twitter.com/ErrataRob/status/1150123449907666944 Jake Williams with a security angle, https://twitter.com/MalwareJake/status/1150383625986367489 some actual data on 10x engineers, https://jasoncrawford.org/10x-engineers witty response from Nina Zakharenko, https://twitter.com/nnja/status/1150110317176692736 fun response from Joshua Byrd, https://twitter.com/phocks/status/1150568202696441856 the 1x engineer response, https://1x.engineer/

Zoom.us had a pretty egregious security issue this week. Their response was poor despite the best efforts for responsible disclosure by the security research who discovered the issue. While this issue has dominated tech headlines, the real issue is much more significant and commonplace. Usability chosen over security. Scratch that, a push for usability without an awareness of security or privacy impacts. Yet another example of why security teams needs to change the way we work. It's time to do better. References; Alex Clayton on the Zoom IPO, https://medium.com/@alexfclayton/zoom-ipo-s-1-breakdown-119249acadd3 the disclosure from Jonathan Leitschuh, https://medium.com/bugbountywriteup/zoom-zero-day-4-million-webcams-maybe-an-rce-just-get-them-to-visit-your-website-ac75c83f4ef5 action taken by Apple to remove the Zoom.us web server, https://techcrunch.com/2019/07/10/apple-silent-update-zoom-app/

NBA Free Agency was a crazy time with almost 1/3 of the top players in the league changing teams. While that on it's on is interesting, this year's free agency period solidified what was had already come to light over the past few years: there are a special set of "rules" for the top players in the league. Beyond the collective bargaining agreement, beyond the rules the teams need to play by, and beyond the legal contracts that are signed, there is a set of unwritten rules for top players. There is a direct comparison here to how security policies work within your organizations. You write policy to set the guidelines for everyone but those guidelines rarely hold up to the reality of everyday user activity, let alone users with enough technical skill to bend those rules to their will. References; Lakers acquire Anthony Davis via NBA.com, https://www.nba.com/lakers/releases/190706-lakers-acquire-davis# insight in the Kawhi Leonard and Paul George signing with the Clippers from Global News, https://gl

A quick update on why MwM has been missing the past couple of weeks and where this show is going in the future.

Recently a video of mine was flagged by YouTube's automated ContentID system which may or may not have been justified. Regardless, it got me thinking of the mismatch in motivations for builders investing in cybersecurity and privacy. We need to find a better motivator to align incentives with our desired outcomes of strong, secure technologies that respect user privacy while accomplishing big goals. What are those motivators? I'm not sure but I know we won't find them unless we start the discussion... References: the sanitized version of my video that was flagged, https://www.youtube.com/watch?v=S6-WdvOUtO8&t=5s (it's on the Apple WWDC keynote) an example of YouTube's failure to stop harassment, https://www.theverge.com/2019/6/4/18653088/youtube-steven-crowder-carlos-maza-harassment-bullying-enforcement-verdict YouTube's official response to that incident, https://twitter.com/TeamYouTube/status/1136055805545857024 the NYT's on YouTube's child endangerment challenges, https://www.nytimes.com/2019/06/03/wo

At Apple's Worldwide Developer Conference (WWDC), Apple made several announcements that focus on user privacy. Specifically, advancements to; location tracking on-device data processing finding your devices 3rd party app sign-ins Each of these features follow the same patterns: your data stays under your control and as close to your devices as possible. There's a competitive advantage to Apple but some big wins for customers around privacy. Lots more as these operating systems continue their development. References; Apple's WWDC keynote, https://www.apple.com/apple-events/june-2019/ Apple's iCloud, https://support.apple.com/en-ca/HT202303

On Kara Swisher's show, Recode Decode, she recently hosted Gabe Weinberg from DuckDuckGo. Their conversation revolved around some core concepts in online privacy. During that conversation, a few terms popped up that I think are often misunderstood or misinterpreted. Specifically; opt-in vs. opt-out, "do not track" options in your web browser, and private browsing/incognito mode. In this episode, we'll explore those terms a bit more to help make sure you truly understand them. References; Eric Johnson covers the discussion between Kara Swisher and Gabe Weinberg from DuckDuckGo for Vox, https://www.vox.com/recode/2019/5/27/18639284/duckduckgo-gabe-weinberg-do-not-track-privacy-legislation-kara-swisher-decode-podcast-interview // MWM Y2 no. 036

At Google I/O 2019, Google announced some significant changes to how the Nest line of products operates. Not only are they being re-branded as "Google Nest" but account holders will be strongly encouraged to move their Nest accounts to Google ones. Combine that with the abrupt wind down of the "Works with Nest" program in favour of the "Works with Google Assistant" program, a shift in privacy policies, and a number of questions start to come to mind. A discussion around data rights and access needs to be happening. Especially when companies change hands. Now that the digital world is blending with the physical one, the consequences are becoming more significant. The longer this goes on, the harder it will be to change the current momentum of external ties for everything. There's a lot to unpack on this issue and this episode is just the tip of the iceberg. References: the recent changes to Nest by Ron Amadeo for Ars Technica, https://arstechnica.com/gadgets/2019/05/nest-the-comp

Huawei was recently put on the US Entity List from the US Department of Commerce. That essentially means that it needs a license to receive technology from US companies...a license that is a default "no" and in this political climate, a definite "no". Politics aside, what does that mean for Huawei smartphone users? The company has been pushing the P20 and P30 lines of phones aggressively in North America and around the world. The way forward is murky but it appears that the company will lose access to Google Mobile Services. That's at least 1/2 of the Android stack and really what most users think of as "Android". No more YouTube, GMail, Google Search, Google Maps, or access to the Google Play store—among other loses—for Huawei devices. What does that mean for the cybersecurity of these devices? References: Ron Amadeo from Ars Technica on the dispute between the US and Huawei, https://arstechnica.com/gadgets/2019/05/google-reportedly-ends-business-with-huawei-will-cut-it-off-fro

The Digital Economy Act of 2017 in the UK is trying to put up enforceable age gates to pornography. That might be a good idea but it's extremely difficult to actual do online. In fact, these efforts might be creating a monopoly on age verification identity in the UK with significant consequences.At the same time, here in Canada, our major financial players are launching a joint identity service. With no clear problem to solve, this effort is attempting to centralize financial identities for Canadian with unknown repercussions.Connect both of these issues together and the larger issue emerges: should anyone own digital identity? Do you have just one identity or is it fractional online? What role—if any—do social media companies play?Lots of questions, very few answers but discussion is sorely needed.References;John Hermann for the New York Times on the UK's porn age verification efforts, https://www.nytimes.com/2019/05/03/style/britain-age-porn-law.html?searchResultPosition=1David Paddon for CBC News on the Ca

A recent CBC News article highlighted both the powers of border agents to search digital devices and the general lack of awareness of your rights at the border. In this case, a lawyer was returning to Canada and refused to provide his digital passwords resulting in seizure of the devices. This is fully within border policy and the legal framework at the border. Your smartphone, laptop, and other devices contain a massive amount of information about you and your life. Taking those devices across a border could be putting your information at risk. It all depends on your particular risk tolerance. Are you aware of your rights as you cross the border? Do you take precautions to protect your digital footprint? References: original CBC News article, https://www.cbc.ca/news/business/cbsa-boarder-security-search-phone-travellers-openmedia-1.5119017