Infosec Round-Up Sep 17th

Apple Flaw, TikTok Data Investigation & Microsoft Passwords

This is the Hut Six InfoSec Round-Up, where we look at some of the most pressing matters, latest trends, and industry news from across the world of information security.

Ireland Investigates TikTok

The social media platform TikTok is currently under investigation by the Irish data protection authority over two separate data protection issues.

Announced this week, the Irish Data Protection Commission (DPC) will be investigating not only “the processing of personal data... for users under age 18, and age verification measures for persons under 13”, but also “transfers by TikTok of personal data to China”.

Having faced multiple accusations of sharing personal data with its parent company ByteDance, which would be in violation of GDPR, TikTok has repeatedly denounced these claims, though many doubt their transparency.

This investigation comes only months after the former Children’s Commissioner for England Anne Longfield launched a claim against the platform for the collection of children’s personal information without the necessary consent, transparency, or warning required by law.

Though the DPC investigation is still being undertaken, Ms Longfield has previously alleged that the “shadowy” platform is “a data collection service that is thinly veiled as a social network" which has "deliberately and successfully deceived parents”.

Pegasus Flaw Fixed

Apple has this week issued emergency software updates following the discovery of a flaw which allowed the execution of sophisticated spyware developed by Israel’s now notorious NSO Group.

The spyware, known and marketed as Pegasus, used what is referred to as a “zero click remote exploit”, allowing parties to turn on a user’s camera and microphone, record messages, texts, emails, and calls - even those sent via encrypted platforms.

With the flaw having been discovered by security researchers at Citizen Lab, Apple are now urging users to undertake the necessary updates to protect themselves against malicious actors.

As part of Citizen Lab’s disclosure of the discoveries, the company stated: “Despite promising their customers the utmost secrecy and confidentiality, NSO Group’s business model contains the seeds of their ongoing unmasking.”

Adding “As presently engineered, many chat apps have become an irresistible soft target. Without intense engineering focus, we believe that they will continue to be heavily targeted, and successfully exploited.”

Microsoft Goes Passwordless

Microsoft has this week announced that it will be rolling out Passwordless login support, allowing users to log into accounts without using a password.

Having made the feature available to business users back in March, the system, which will be available in the coming weeks, will let customers choose between an authentication mobile app called Windows Hello, or a verification code being send to either phone or email.

Relying primarily on biometric data to bypass traditional passwords, this move is to help improve security, with Microsoft’s announcement noting that the company detects a “whopping” 579 password attack incidents every second, or 18 billion each year.

Corporate Vice President of Security, Compliance and Identity, Vasu Jakkal stated on the matter: “Passwords are incredibly inconvenient… We are expected to create complex and unique passwords, remember them, and change them frequently - but nobody likes doing that.”

Adding, “While passwords can be guessed, stolen, or phished, only you can provide fingerprint authentication, or provide the right response on your mobile at the right time.”

Thank you for reading this edition of Infosec Round-Up. Please be sure to subscribe to the Hut Six YouTube Channel to keep up to date with the latest news and see all our latest information security videos.