Here are the stories that caught our eye this week:
Credit card details, online banking logins, and social media credentials are available on the dark web at worryingly low prices, according to Privacy Affairs. Forged documents including driving licenses, passports, and auto-insurance cards can be ordered to match stolen data. The research team scanned dark web marketplaces, forums, and websites to create the price index for a range of products and services relating to personal data, counterfeit documents, and social media. The general public needs to be aware not only of how prevalent the threat of identity theft is but also of how to mitigate that threat by applying due diligence in all aspects of their daily lives.
Four medium-sized, cloud-based cybersecurity companies – Okta, CrowdStrike, Netskope, and Proofpoint – announced on Thursday that they have formed an “alliance” to combine their integrated services and protect enterprise customers with remote workers. The companies say they are powerful enough to protect the largest companies, but agile enough to outmaneuver big, all-in-one security firms in serving an evolving workforce adapting to the changing conditions of COVID-19. The four firms don’t name specific rivals as a target of this new alliance, but the cybersecurity industry is dominated by heavyweights including McAfee, Symantec, and a newly-resurgent Microsoft. The cybersecurity industry has quickly evolved to protect employees working from home during the COVID-19 pandemic, shifting from on-premises network systems to cloud-based systems that protect remote employees wherever they work. “Customers will be able to connect our services together in a cloud-native environment via APIs so they can get the best outcomes and assemble the right pieces, as opposed to what’s been done for many years when an engineering team at a company would have to basically hodgepodge products together and hope they work,” says George Kurtz, the CEO of CrowdStrike. Industry experts say the companies are right that cloud-based cybersecurity solutions are outpacing more traditional competitors, such as McAfee, Symantec, Palo Alto Networks, and Cisco. “What you’re seeing is the products that were heavy, that take a week to install and 12 people need to be trained on – those are struggling,” says Mike Janke, CEO of DataTribe, a venture capital firm that invests in cybersecurity companies. “Cloud-based solutions are flourishing.”
Twitter has contacted its business clients to warn them of a potential breach of their data. It said that email addresses, phone numbers and the last four digits of card numbers may have been accessed by others, thanks to a technology snafu which exposed the information. It meant that billing information viewed on ads.twitter.com or analytics.twitter.com may have been exposed in the browser’s cache. The social network first became aware of the incident on May 20 and said it took immediate action to remediate and notify any affected customers. The snafu is not thought to have affected consumer users of the service, according to the BBC. This isn’t the first time something like this has happened on the social platform. Around a month before this incident, Twitter warned users that non-public information may have been stored in their Firefox browser’s cache. “This means that if you accessed Twitter from a shared or public computer via Mozilla Firefox and took actions like downloading your Twitter data archive or sending or receiving media via Direct Message, this information may have been stored in the browser’s cache even after you logged out of Twitter,” it said at the time. It’s unclear how many businesses were affected by the May breach; experts generally agreed that incidents of this kind are likely to have a limited impact on customers’ data security and privacy.
Data collection and targeted online messaging were integral to the 2016 US presidential election, and they will be again in 2020. In the same way that candidates in the last cycle used Facebook to reach and persuade voters, ongoing research from the team at the propaganda research lab at UT Austin’s Center for Media Engagement suggests that 2020 will be defined by the use of bespoke campaign apps. Purpose-built applications distributed through the App Store and Google Play Store allow the Trump and Biden teams to speak directly to likely voters. This strategy means the app makes extensive permission requests, asking for access to location data, phone identity, and control over the handset’s Bluetooth function. Where the Trump app has a range of uses, from spreading tailored campaign messages to airing live streams of rallies, Team Joe is largely built for a single purpose: relational organizing. The Team Joe app blurs the line between the personal and the political. If you want to understand what the Trump and Biden apps are really for, compare the permissions requested in the Google Play Store. Besides some basic network and notification permissions, the Team Joe Campaign App may ask for access to your contacts. Political campaigns purchase that information and combine it with other data and tools—from other social-media companies, say—to build “lookalike audiences” that include people similar to those who had their data scooped. To understand the future of political campaign apps, it is useful to look to India. The app was pushed through official government channels and collected large amounts of data for years through opaque phone access requests. 
For political movements revolving around a charismatic, illiberal leader, the shift to individualized apps that blur the line between government and private communication is the step toward independence from both the “mainstream media” and the social-media platforms that allowed them to create a fact-agnostic communication channel in the first place.
What if a hacker could use an ordinary, old-fashioned light bulb to spy on your conversations from afar? Hackers have found a way to eavesdrop on conversations from as far as 80 feet away thanks to a hanging light bulb. Can any light bulb open the door to hackers? As long as there’s a “dumb” but essential light bulb in the same room, it’s all systems go. The hackers need a clean line of sight between their electro-optical sensor-equipped telescope and the hanging light bulb concerned. If the curtains or blinds are closed on a window, or the light bulb sits behind a lampshade of some sort, this eavesdropping method will fail. The quality of the eavesdropping will depend on how close the people are to the light bulb in question and how loud the conversation is. How can hackers use a light bulb to listen in to your conversations? The author won’t say it is a matter of hooking up an electro-optical sensor to a telescope and pointing it at a light bulb, but that’s “the meat and potatoes of the sub $1,000 hardware hack at least.” Researchers have developed an algorithm for the attack method, which they named Lamphone, that can “recover sound from the optical measurements obtained from the vibrations of a light bulb.” This is done passively and without needing to be in the same room.
This year, Pride Month takes place at a time when societal pressures and challenges are typically significant, with global Black Lives Matter movements calling for an end to racism and racial injustice. Improving inclusion and bettering equality has been a key mission of large parts of the information security industry – traditionally criticized for its lack of diversity – in recent years. One company in the sector that has taken notable steps in this regard is Cybereason with its UbU initiative, created by CEO Lior Div. Keen to learn more about UbU, Infosecurity recently spoke to Div about its mission and the wider importance of inclusivity and diversity in the information security industry. UbU is a value that sits front and center at Cybereason – and it has been since the early days as a company. It is the mission to continue to build a global team of diverse ‘Cybereasoners’ where everyone feels welcomed to UbU every day. Achieving equality and inclusiveness is a shared responsibility for all of us, and security companies can take the lead. The most brilliant cyber-minds come in all shapes and forms. This is a great opportunity for the industry to lead the diversity initiative and make a stronger societal impact.