Risky [Supply Chain] Business

Technology professionals have plenty to do protecting their enterprises from new threats every day. Even when we follow best practices, vulnerabilities are introduced by new, untested hardware and software, by employee devices (BYOD), and by flaws in the attack surface that nobody has reported yet. Moreover, state-actor and for-hire hacking is big business, with ransomware and long-term data compromises on the rise.

This week, Bruce Schneier reported that AT&T employees were bribed into helping a bad actor unlock smartphones and plant malware on the carrier's systems. End users are muling malware right across the border and into your company's systems. The scheme cost AT&T a pretty penny. Call center employees from the state of Washington have already pleaded guilty, and the man behind the operation has been extradited from Hong Kong.

Free antivirus apps on Android devices often can't detect malware and can actually introduce security vulnerabilities that negate high-end corporate security. Technologists should remind employees that they must be part of the security solution by avoiding unapproved software. The old chestnut "if it's free, you are the product" immediately comes to mind.

State Farm Insurance joined the growing list of companies reporting customer data exposure. It appears a credential-stuffing attack, in which username and password pairs leaked from other breaches are replayed against the login page, exposed user details. Tripwire adds that Reddit, Dailymotion and Dunkin' Donuts have all been victims of such attacks and warns users to turn on two-factor authentication (2FA) and use a virtual private network (VPN). ZDNet revealed that an unsecured MongoDB instance spilled secrets from a Spanish brothel. Kink dating app 3fun and Jewish dating app JCrush demonstrated once again that old-fashioned dating is more private. And 23 million CafePress user credentials were stolen and now join the bloating Have I Been Pwned database.
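Credential stuffing leaves a distinctive footprint that ordinary per-account lockouts miss: one source tries many different usernames, each only once or twice, instead of hammering a single account. The script below, an added example and not code from the original article or from any of the companies named above, runs that check over a constructed, simplified auth-log format (timestamp, client IP, username, result) and reports which accounts the attacker actually got into. The log format, the IP addresses and the usernames are all invented for illustration.

```python
"""
Spot credential stuffing in web-server auth logs.

Added example (not from the original article or any named company).
The log format is a constructed, simplified one:
    <ISO timestamp> <client IP> <username> <LOGIN_OK|LOGIN_FAIL>
The signal we look for is the one that distinguishes stuffing from an
ordinary brute force: a single source trying many *different* usernames.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines for illustration; not a real capture.
# 203.0.113.7 sprays seven different usernames in a few seconds (stuffing);
# 198.51.100.9 guesses repeatedly at one account (plain brute force);
# 192.0.2.44 is a normal user.
SAMPLE_LOG = """\
2019-08-12T10:00:01Z 203.0.113.7 alice LOGIN_FAIL
2019-08-12T10:00:02Z 203.0.113.7 bob LOGIN_FAIL
2019-08-12T10:00:02Z 203.0.113.7 carol LOGIN_OK
2019-08-12T10:00:03Z 203.0.113.7 dave LOGIN_FAIL
2019-08-12T10:00:04Z 203.0.113.7 erin LOGIN_FAIL
2019-08-12T10:00:05Z 203.0.113.7 frank LOGIN_FAIL
2019-08-12T10:00:06Z 203.0.113.7 grace LOGIN_FAIL
2019-08-12T10:00:10Z 198.51.100.9 alice LOGIN_FAIL
2019-08-12T10:00:20Z 198.51.100.9 alice LOGIN_FAIL
2019-08-12T10:00:30Z 198.51.100.9 alice LOGIN_FAIL
2019-08-12T10:00:40Z 198.51.100.9 alice LOGIN_FAIL
2019-08-12T10:00:50Z 198.51.100.9 alice LOGIN_FAIL
2019-08-12T10:01:00Z 198.51.100.9 alice LOGIN_OK
2019-08-12T10:05:00Z 192.0.2.44 heidi LOGIN_OK
"""


def parse_log(text):
    """Parse lines of the constructed format into (time, ip, user, ok) tuples."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, ip, user, result = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        events.append((when, ip, user, result == "LOGIN_OK"))
    return events


def detect_stuffing(events, window=timedelta(minutes=5), min_users=5):
    """
    Return {ip: sorted distinct usernames} for every source IP that tried at
    least `min_users` different usernames inside any `window`-long span.

    Successful logins count as attempts too: stuffing that lands on a valid
    credential is precisely the event you want to see.
    """
    per_ip = defaultdict(list)
    for when, ip, user, _ok in sorted(events):
        per_ip[ip].append((when, user))

    flagged = {}
    for ip, attempts in per_ip.items():
        best = set()
        start = 0
        # Sliding window over this IP's attempts, oldest to newest.
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            users = {u for _, u in attempts[start:end + 1]}
            if len(users) > len(best):
                best = users
        if len(best) >= min_users:
            flagged[ip] = sorted(best)
    return flagged


def compromised_accounts(events, flagged):
    """Usernames that logged in successfully from a flagged source IP."""
    return sorted({user for _, ip, user, ok in events if ok and ip in flagged})


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    hits = detect_stuffing(evs)
    for ip, users in hits.items():
        print(f"{ip}: {len(users)} distinct usernames in window -> {users}")
    print("accounts to force-reset:", compromised_accounts(evs, hits))
```

Note what the two attacker IPs look like side by side: the single-account guessing from 198.51.100.9 trips a conventional lockout, but the spray from 203.0.113.7 never fails the same account twice and only shows up when you count distinct usernames per source. Rate-limiting distinct usernames per IP (and per ASN, since real campaigns rotate through proxy pools) plus mandatory 2FA, as Tripwire advises, is what actually blunts it; the hit on carol's account is the one to force-reset.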

Our operating system world continues to morph. As Microsoft pushes us back into client-server computing with virtual desktops in the cloud, free and open source desktop alternatives are struggling to stay front and center. This week, after a 25-year run, Linux Journal shut down, citing financial woes. Has Microsoft captured all of its rivals by absorption? And are we entering a new era of proprietary lock-down? With Apple monitoring handsets for unapproved batteries, consumers need to ask whether they own or merely lease their equipment. If users own the equipment, then they have the right to repair it at the dealer or anywhere else.

WhatsApp security is in the limelight again as the Black Hat conference in Las Vegas revealed a bug, verified in proof-of-concept code by Check Point, that allows a man-in-the-middle attack to "put words in your mouth." We've seen this type of message interception in email before, but now technologists need to examine the chain of custody on all communications to ensure that each endpoint is private and its host system is secured from intrusion. Voice, fax and texting systems are often overlooked in the security landscape; it's time to prioritize scrutiny of those essential services. Even printers need periodic review.

Boeing suffered a nasty surprise as attendees at the Black Hat conference in Las Vegas this week were treated to a talk on how to hijack a 787. It seems code from the jetliner's onboard network had been left lying around on a publicly reachable internet server. It's not all bad news coming from Las Vegas, though. Tools to help IT spot holes across a network are getting more sophisticated too. It is wise to think like an attacker when planning how to defend against one.

Instagram and its parent Facebook have kicked out an ad partner for collecting user data in a situation that echoes the Cambridge Analytica fiasco. When will Zuckerberg secure things first rather than apologizing later? Silicon Valley neighbor Twitter disabled location tagging in its mobile app a few weeks back, claiming users didn't use the feature. But now we know that, oops, an ad partner was slurping up users' location details all along. Unreal!

Microsoft is finally disabling VBScript by default in Internet Explorer across all supported Windows versions. The antique scripting language, built in the 1990s for web pages and Windows job automation, has been a constant security woe for years. This is great news for security and bad news for the malware writers who love it so much.

There is an interesting article over at The Verge today about free speech, 8chan and regulation. With Cloudflare deplatforming the wild-west board based on nebulous government claims that a gunman posted a manifesto there anonymously, we really need to ask what responsibility we as technologists have to make moral judgments about our customers and users. Platforms are protected because they are agnostic to the data passing through their systems. For example, a phone company isn't responsible for the death threat a caller makes, but it may be compelled to provide evidence as a non-invested third party in the case. When service operators become editors, though, they take ownership of the content and lose that protection. #BigTech Big Brothers are going to have to decide whether they are utilities that enjoy ISP protections or whether they are going to be legally liable for every byte of content they host. Moral judgments are a legal minefield best avoided altogether. Within the terms of service, platforms have an obligation to allow users the freedom to be just, moral people or awful lawbreaking bigots; then let the communities and jurisdictional authorities sort it out in the real world. Meanwhile, we must educate the masses to understand they're being monitored and call attention to government privacy risks like facial recognition.

What is the federal government doing to mitigate attacks on our electronic infrastructure? For starters, it's relaxing requirements for white-hat hackers who want to join the NSA, saying that past marijuana use is no longer a barrier to employment despite no change in federal drug law. Getting a creative, diverse team together really is a strength. Any time technologists focus only on widespread best practices, we become part of a broad attack vector. Standards are a starting point, not an end state. We need many voices and skill sets to create more secure environments. Our hiring practices should adapt to recognize that we must embrace a culture of agility in a rapidly changing digital landscape.

This article originally appeared on Your Tech Moment. You can get the podcast as part of your Alexa Flash Briefing and many other ways.