Data privacy legislation is a difficult topic to get your head around. There can be multiple dimensions, sector-specific rules, and various national and, in some cases (such as in the US), local laws enacted to cover a multitude of issues. But the good news is that there are several US states which are on track to pass new data privacy laws during 2021. Some of these laws focus on consumer protection, while others concentrate on regulating data brokers or how ISPs should protect their customers’ data. Let’s review the progress and what is being proposed in my latest blog for Avast here. This could make 2021 the year that privacy laws become more pervasive in the US.
We all got an update on the quality of deepfake videos last week with the popularity of a set of “DeepTomCruise” videos on TikTok. I have been keeping track of these videos, created by various computer programs, and last wrote about them for Avast here. It doesn’t take too much imagination to see how this technology can be exploited, but lately there are some positive things to say about deepfake videos. Let’s go to Korean TV, covered in this BBC story.
The announcer shown in the screen grab above is supposed to be the anchor Kim Joo-Ha, one of the regulars on the MBN channel. It looks pretty ordinary. But she was replaced by a computer program that generated a digital copy that mimicked her facial expressions, voice and gestures. Now, before you get all in a twist, viewers were told ahead of time that this wasn’t the real Kim and the network was using it as a test. One place that deepfakes could be useful is during real breaking news reports where they have to put someone on air quickly (as opposed to what American cable news calls breaking news).
Deepfake videos are increasingly being used for legitimate purposes, for example by Synthesia, a London-based firm that creates corporate training videos. The tech can be useful and cut production costs significantly if you are trying to produce a series in different languages and don’t want to hire native speakers. USC’s Shoah Foundation has produced a series of deepfake video interviews of Holocaust survivors: the public can ask the survivors questions and get their answers in real time, all assembled by computers from hours of videotaped interviews.
The problem is the negative reputation deepfakes have acquired. In my post for Avast, I mentioned four different categories of abuse: porn, misinformation campaigns, evidence tampering and just plain fraud. Clearly, that is a lot of tempting places for criminals to use them. So we have some work ahead to swing toward the more legitimate uses.
Also an issue: who owns the rights to the likeness of the person depicted, particularly if that person is no longer alive? This calls for some truth in labeling, so that viewers, as in the Korean example cited above, know exactly what they are watching.
One of the long-time FIDO supporters gave testimony to its biggest benefits at the recent Authentication 2020 conference. The speaker was Marcio Mello, head of Product for Intuit’s identity and profile platform. The benefits are saving money and time when users have to log in to Intuit’s SaaS financial offerings; the company has been interested in FIDO for years.
You can read more on my post for Nok Nok’s blog here.
Yesterday Google announced that they will completely eliminate third-party browser cookies. Calling it a move towards a more privacy-first web, as their director of product management who wrote the post claimed, is a bit of a stretch. Yes, they will phase out support for these cookies in their Chrome browser. But they will still track what you do on your mobile phone, especially an Android phone, and track what you do on their own websites, including YouTube and the main search page. And they will still target the ads that you see based on these activities.
The announcement was expected: last year they announced their plan to de-cookiefy their browser. They basically had to, since Safari and Firefox have blocked these cookies for years, so it was high time Google got on board this train. They have come up with a variety of technologies and tools that sound good at first blush, but I am not sure that these replacements are better, especially for preserving privacy. One of them is called the Privacy Sandbox, which moves the ad-targeting machinery into the browser itself: Chrome groups you with other users of similar interests and exposes that group, rather than your individual browsing history, to advertisers. Now, sandboxes have certain implications, especially for security researchers. The goal is to limit who can view what is going on inside the sandbox, and more importantly, who can’t. It seems that smaller advertisers will have to find some other place to play, but the big guys will still have the means to figure out who you are and more importantly, what you are interested in, to target their advertising. Vox’s Recode says that “Google will still technically deliver targeted ads to you, but it will do so in a more anonymous and less creepy way.”
Firefox has a better idea: partition cookies by the top-level website you are visiting, so a tracker embedded on two different sites gets two separate cookie jars and cannot link your visits to each other. They call it Total Cookie Protection and you can follow the links on their blog to understand more of the details. It does seem to neutralize cross-site tracking cookies, but we’ll see as Mozilla rolls it out.
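To make the difference between the three policies concrete, here is a small model of a browser cookie store, added as an example for this post (it is not Firefox’s or Chrome’s code, and the site names ads.example, news.example and shop.example are constructed). A tracker sets an id cookie while embedded on one site; the question is whether it reads that same id back when embedded on a second site, which is what cross-site profiling depends on.

```python
"""Model of third-party cookie handling under three browser policies.

Added example, not code from the original post or from any browser. The
CookieStore class is a simplified model of a cookie jar; site and cookie
names are constructed for the demonstration.
"""
from collections import defaultdict


class CookieStore:
    """A toy cookie jar.

    policy is one of:
      "allow"     - classic behaviour: one jar per cookie domain, shared by
                    every top-level site that embeds that domain
      "block"     - third-party cookies are refused outright
      "partition" - Total Cookie Protection style: a separate jar for each
                    (top-level site, cookie domain) pair
    """

    def __init__(self, policy):
        assert policy in ("allow", "block", "partition")
        self.policy = policy
        self.jars = defaultdict(dict)  # jar key -> {cookie name: value}

    def _jar_key(self, top_level_site, cookie_domain):
        if self.policy == "partition":
            return (top_level_site, cookie_domain)
        return cookie_domain

    def set_cookie(self, top_level_site, cookie_domain, name, value):
        """Store a cookie set by cookie_domain while the user is on top_level_site.
        Returns False if the policy refused it."""
        is_third_party = cookie_domain != top_level_site
        if is_third_party and self.policy == "block":
            return False
        self.jars[self._jar_key(top_level_site, cookie_domain)][name] = value
        return True

    def get_cookie(self, top_level_site, cookie_domain, name):
        """Value cookie_domain sees when embedded on top_level_site, or None."""
        return self.jars.get(self._jar_key(top_level_site, cookie_domain), {}).get(name)


def tracker_can_link_visits(policy):
    """Simulate one tracker (ads.example) embedded on two unrelated sites.

    On the first site the tracker assigns a user id. It can link the two
    visits only if it reads that same id back on the second site.
    """
    store = CookieStore(policy)
    tracker = "ads.example"
    # Visit 1: a news site embeds the tracker, which drops an id cookie.
    store.set_cookie("news.example", tracker, "uid", "user-1234")
    # Visit 2: a shop embeds the same tracker and it reads whatever it can.
    seen_on_shop = store.get_cookie("shop.example", tracker, "uid")
    # The tracker sets a cookie on the shop too; under partitioning that lands
    # in a separate jar and never meets the id from the news site.
    store.set_cookie("shop.example", tracker, "uid", seen_on_shop or "user-9999")
    return {
        "linked": seen_on_shop == "user-1234",
        "news_uid": store.get_cookie("news.example", tracker, "uid"),
        "shop_uid": store.get_cookie("shop.example", tracker, "uid"),
    }


if __name__ == "__main__":
    for policy in ("allow", "block", "partition"):
        print(policy, tracker_can_link_visits(policy))
```

Note what partitioning does not do: the tracker still gets a working cookie on each site, so first-party analytics keep functioning, and a company that owns both the tracker and the sites you visit (search, video, mail) still sees you as the same user on its own properties. That is the gap the Google announcement leaves open.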
In the meantime, if you use any Google products, go to your Google Account and review the numerous personalization settings you have at your disposal to rid yourself of tracking, including the activity controls, ad personalization, and recorded activity history. And if you are using an iOS phone or tablet, make sure you update to iOS 14 and turn on the option to block cross-app tracking (under Privacy, then Tracking, in Settings).
A novel experiment in deploying large-scale trusted data networks has begun in Helsinki, the capital of Finland. A variety of city services have been linked together using the open-source MyData Global solution, it was announced earlier this month. This puts the city at the forefront of how municipalities gather data from their citizens and how they store and use it. The goal is to give each person control over how their data is shared with the various city agencies.
In this blog post for Avast, I examine the announcement and its significance for the rest of us and what it means for our own data privacy.
- The FDA has appointed Kevin Fu its first Acting Director of Medical Device Cybersecurity in the Center for Devices and Radiological Health. This center has several bodies, including the CyberMed Safety Board, the Digital Health Center of Excellence and other offices. Fu is an interesting choice: he’s most recently an associate professor of Computer Science at the University of Michigan, and has previously held major management roles in the private sector. Fu is credited with establishing the field of medical device security, beginning with a 2008 IEEE paper on defibrillator security, and with founding the non-profit research collaborative Archimedes Center for Medical Device Security. I interview him about his agenda, along with linking to various draft policy efforts the agency is working on to improve cybersec for IoT medical devices.
You can read my blog post here.
Sandbox security is complementary to honeypots. It usually involves a special VM that is kept in isolation from the rest of your network resources. Its sole purpose is to be a miniature laboratory to observe malware behavior. Security researchers have been using such sandboxes to analyze malware for many years. Because the sandbox is a controlled environment, the code can be dissected line by line without worrying about harm to other computers.
You can read my post on Network Solutions’ blog here, where I talk about the evolution of sandboxes and some of the online sandbox services that can be used to test a file for the presence of malware. Sandboxes also play a key role in the escalating war of obfuscation and detection evasion by malware: a sample that suspects it is being watched will stall, probe for hypervisor artifacts, or simply refuse to run, which is itself a tell.
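As an added example of that evasion war from the sandbox’s side (this is not code from the post or from any sandbox product), here is a small analyzer that scores an API trace for the classic tells: probing the registry and device names for VirtualBox or VMware artifacts, looking up DLLs that only exist inside instrumentation tools such as Sandboxie, sleeping past the analysis window, and reading the clock on either side of a sleep to detect a sandbox that fast-forwards time. The trace format and both sample traces are constructed; the API names and the artifacts probed are real and widely documented, while the weights and threshold are arbitrary starting points you would tune on your own corpus.

```python
"""Flag sandbox-evasion behaviour in an API trace captured by a malware sandbox.

Added example; not code from the original post or from any sandbox product.
The trace format (one event per line, 'key=value' fields) and both traces are
constructed. The Windows API names and the VirtualBox, VMware and Sandboxie
artifacts are real; WEIGHTS and EVASIVE_THRESHOLD are arbitrary starting points.
"""
import re
from collections import Counter

# One line per logged call: t=<seconds> pid=<n> api=<name> [<arg>=<value>]
EVENT_RE = re.compile(
    r"^t=(?P<t>\S+)\s+pid=(?P<pid>\d+)\s+api=(?P<api>\w+)"
    r"(?:\s+(?P<arg>\w+)=(?P<val>.*))?$"
)
# Strings a sample looks for in registry keys, devices and files to decide
# whether it is inside a hypervisor.
VM_ARTIFACT = re.compile(r"vbox|virtualbox|vmware|vmci|vmtools|qemu|xen", re.I)
# DLLs that exist only inside particular sandbox/instrumentation products.
SANDBOX_DLLS = {"sbiedll.dll", "api_log.dll", "dir_watch.dll"}
LONG_SLEEP_MS = 5 * 60 * 1000  # outlasting the analysis window is the cheapest evasion
WEIGHTS = {"vm_artifact_probe": 2, "sandbox_dll_probe": 2, "long_sleep": 2,
           "timing_check": 1, "hardware_fingerprint": 1}
EVASIVE_THRESHOLD = 4

# Constructed trace of a sample that checks its surroundings before acting.
SAMPLE_TRACE = r"""t=0.001 pid=4120 api=GetSystemInfo
t=0.002 pid=4120 api=GlobalMemoryStatusEx
t=0.003 pid=4120 api=GetTickCount
t=0.004 pid=4120 api=Sleep ms=600000
t=0.005 pid=4120 api=GetTickCount
t=0.006 pid=4120 api=RegOpenKeyExA key=HKLM\SYSTEM\CurrentControlSet\Services\VBoxGuest
t=0.007 pid=4120 api=CreateFileA path=\\.\VBoxMiniRdrDN
t=0.008 pid=4120 api=RegOpenKeyExA key=HKLM\SOFTWARE\VMware, Inc.\VMware Tools
t=0.009 pid=4120 api=GetModuleHandleA name=sbiedll.dll
t=0.010 pid=4120 api=CreateProcessA path=C:\Users\Public\svchost.exe
"""
# Constructed trace of an ordinary program for comparison.
BENIGN_TRACE = r"""t=0.001 pid=77 api=CreateFileA path=C:\Users\alice\report.docx
t=0.002 pid=77 api=Sleep ms=100
t=0.003 pid=77 api=WriteFile bytes=4096
"""


def parse_trace(text):
    """Turn trace lines into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            events.append({"api": m["api"], "arg": m["arg"], "val": m["val"] or ""})
    return events


def find_indicators(events):
    """Count evasion indicators across the event stream."""
    found = Counter()
    tick_seen, slept = False, False
    for ev in events:
        api, val = ev["api"], ev["val"]
        if val and VM_ARTIFACT.search(val):
            found["vm_artifact_probe"] += 1
        if api == "GetModuleHandleA" and val.lower() in SANDBOX_DLLS:
            found["sandbox_dll_probe"] += 1
        if api in ("GetSystemInfo", "GlobalMemoryStatusEx"):
            found["hardware_fingerprint"] += 1  # CPU count / RAM size checks
        if api == "Sleep":
            if val.isdigit() and int(val) >= LONG_SLEEP_MS:
                found["long_sleep"] += 1
            slept = True
        if api in ("GetTickCount", "GetTickCount64", "QueryPerformanceCounter"):
            # A clock read on each side of a Sleep: the sample is checking
            # whether the sandbox skipped the sleep instead of waiting it out.
            if tick_seen and slept:
                found["timing_check"] += 1
                tick_seen, slept = False, False
            else:
                tick_seen = True
    return found


def analyze_trace(text):
    """Parse, score and classify one trace. Repeats of an indicator are capped
    at three so one noisy loop cannot dominate the score."""
    events = parse_trace(text)
    found = find_indicators(events)
    score = sum(WEIGHTS[name] * min(count, 3) for name, count in found.items())
    return {"events": len(events), "indicators": dict(found), "score": score,
            "verdict": "evasive" if score >= EVASIVE_THRESHOLD else "benign-looking"}


if __name__ == "__main__":
    for label, trace in (("sample", SAMPLE_TRACE), ("benign", BENIGN_TRACE)):
        print(label, analyze_trace(trace))
```

The useful part for an analyst is the indicator breakdown rather than the verdict: a sample that spends its first milliseconds fingerprinting the hypervisor and then sleeps for ten minutes has told you what it thinks it is running in, and that alone justifies re-running it on bare metal or with the sandbox’s clock-skipping turned off.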
It has been almost two months since the hacks surrounding SolarWinds’ Orion software were first revealed. We have learned a lot about the sloppy security practices at that company and about the far-reaching consequences of the breach. Here are some of the takeaways for your own business security.
- SolarWinds was first breached in September 2019, yet the compromise wasn’t discovered until last December, when the company issued two patches for its Orion network monitoring tool (the first attempt wasn’t completely successful). A dwell time of more than a year is sadly typical for many breaches.
- The first stage was Sunspot, the implant that injected the Sunburst backdoor into Orion builds; Teardrop and Raindrop were second-stage loaders deployed through that backdoor. The trojanized update reached as many as 18,000 customer networks, though far fewer were actively exploited. Trustwave has since found additional vulnerabilities in SolarWinds products, although these haven’t yet been exploited by any attackers.
- It wasn’t just Orion customers that were affected. CISA said last week that 30% of the organizations breached did not have any Orion software installed. One Orion customer was FireEye, whose own red-team tools were stolen as a result of the intrusion. Another security firm, Malwarebytes, isn’t an Orion customer but was hacked through similar means.
- The news about the attacks happened during a leadership transition. Sudhakar Ramakrishna became the CEO of SolarWinds at the beginning of this year and posted this update on what went wrong. My colleague Joe Panettieri lays out what should be his first priorities.
- If you are looking for a nice summary of best practice recommendations for SolarWinds by the consultants that are now working to fix their software development processes, check out this piece by CyberSecurity Dive.
- The attackers were almost certainly Russian state-backed, although there is new evidence that Chinese state-backed attackers have also penetrated two US government agencies using similar malware.
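The Sunspot stage deserves a closer look, because it defeats the integrity check most shops already have. Public analysis described it as replacing a source file just before the compiler read it and restoring the original afterwards, so a before-and-after comparison of the repository shows nothing. The added example below (not code from SolarWinds, the investigators or this post; the project, the toy “compiler” and the sabotage step are all constructed stand-ins in a temporary directory) shows that gap and the check that closes it: hash the inputs the compiler actually consumed and compare them with the reviewed tree.

```python
"""Catch a source file swapped while the compiler runs (the Sunspot pattern).

Added example, not code from SolarWinds, the investigators or the original
post. The project, the 'compiler' and the sabotage step are constructed
stand-ins; the file name Monitor.cs is made up for the demonstration.
"""
import hashlib
import os
import tempfile

SKIP_DIRS = {"bin", "obj", ".git"}  # build output is expected to change


def snapshot_tree(root):
    """Relative path -> SHA-256 of every file under root, minus build output."""
    digests = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        for name in filenames:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digests[os.path.relpath(full, root)] = hashlib.sha256(fh.read()).hexdigest()
    return digests


def diff_snapshots(before, after):
    """Files whose content differs, or that appeared or vanished."""
    return {
        "changed": sorted(p for p in before if p in after and before[p] != after[p]),
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
    }


def compile_tree(root):
    """Stand-in compiler: records the digest of each input as it reads it.
    A real pipeline would take this from the compiler's input manifest or a
    reproducible-build attestation rather than a second directory walk."""
    return snapshot_tree(root)


def swap_source(root):
    """Constructed sabotage step: append an extra class to one source file
    and hand back what is needed to put the original back afterwards."""
    path = os.path.join(root, "src", "Monitor.cs")
    with open(path, "rb") as fh:
        original = fh.read()
    with open(path, "wb") as fh:
        fh.write(original + b"class Implant { /* constructed stand-in */ }\n")
    return path, original


def restore_source(saved):
    path, original = saved
    with open(path, "wb") as fh:
        fh.write(original)


def run_build(root, sabotage=None):
    """Build once, with an optional attacker step wrapped around compilation,
    and return both the naive post-build diff and the compile-time diff."""
    reviewed = snapshot_tree(root)          # what developers signed off on
    saved = sabotage(root) if sabotage else None
    consumed = compile_tree(root)           # what the compiler actually read
    if saved:
        restore_source(saved)               # attacker covers their tracks
    after_build = snapshot_tree(root)
    return {
        "post_build_diff": diff_snapshots(reviewed, after_build),
        "compile_time_diff": diff_snapshots(reviewed, consumed),
    }


def make_sample_project(root):
    """Two constructed C# files standing in for a real source tree."""
    os.makedirs(os.path.join(root, "src"))
    with open(os.path.join(root, "src", "Monitor.cs"), "w") as fh:
        fh.write("class Monitor { void Poll() { } }\n")
    with open(os.path.join(root, "src", "Program.cs"), "w") as fh:
        fh.write("class Program { static void Main() { } }\n")


def demo(tamper):
    """Run a clean or a sabotaged build in a scratch directory."""
    with tempfile.TemporaryDirectory() as root:
        make_sample_project(root)
        return run_build(root, sabotage=swap_source if tamper else None)


if __name__ == "__main__":
    print("clean   ", demo(False))
    print("tampered", demo(True))
```

In the tampered run the post-build diff is empty while the compile-time diff names the swapped file. The practical version of this is a build that records the hash of every input the compiler opened, signs that manifest, and compares it with the reviewed commit before the artifact is allowed to ship; reproducible builds on a second, independent machine give you the same guarantee with less instrumentation.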
If you recall the scene in Meet the Parents where the characters played by Robert De Niro and Ben Stiller discuss the “circle of trust,” then today’s blog, on how your own digital circles of trust are constructed, will resonate. Recently, Google decided to remove the Spanish CA Camerfirma from Chrome’s trust store after repeated operational violations. The ban will come into effect with the launch of Chrome version 90, scheduled for release in mid-April. What this means for you, and how digital certificates are used in your daily computing life, are explained in my blog post for Avast here.
I had the opportunity to be the guest on the White Bull video webcast series recently. I spoke about how to understand the conflicts between working from home and keeping your enterprise secure, understanding what the differences are between zero trust networks and multi-factor authentication, how the idea of a secure perimeter has changed over the years, and other practical suggestions about managing and protecting passwords. The webcast was about 50 minutes: