Infosec Round-Up Sep 17th
Apple Flaw, TikTok Data Investigation & Microsoft Passwords
This is the Hut Six InfoSec Round-Up, where we look at some of the most pressing matters, latest trends, and industry news from across the world of information security.
Ireland Investigates TikTok
The social media platform TikTok is currently under investigation by the Irish data protection authority over two separate data protection issues.
Announced this week, the Irish Data Protection Commission (DPC) will be investigating not only “the processing of personal data... for users under age 18, and age verification measures for persons under 13”, but also “transfers by TikTok of personal data to China”.
Having faced multiple accusations of sharing personal data with its parent company ByteDance, which would be in violation of GDPR, TikTok has repeatedly denounced these claims, though many doubt their transparency.
This investigation comes only months after the former Children’s Commissioner for England Anne Longfield launched a claim against the platform for the collection of children’s personal information without the necessary consent, transparency, or warning required by law.
Though the DPC investigation is still being undertaken, Ms Longfield has previously alleged that the “shadowy” platform is “a data collection service that is thinly veiled as a social network" which has "deliberately and successfully deceived parents”.
Pegasus Flaw Fixed
Apple has this week issued emergency software updates following the discovery of a flaw which allowed the execution of sophisticated spyware developed by Israel’s now notorious NSO Group.
The spyware, known and marketed as Pegasus, used what is referred to as a “zero click remote exploit”, allowing parties to turn on a user’s camera and microphone, record messages, texts, emails, and calls - even those sent via encrypted platforms.
With the flaw having been discovered by security researchers at Citizen Lab, Apple are now urging users to undertake the necessary updates to protect themselves against malicious actors.
As part of Citizen Lab’s disclosure of the discoveries, the company stated: “Despite promising their customers the utmost secrecy and confidentiality, NSO Group’s business model contains the seeds of their ongoing unmasking.”
Adding “As presently engineered, many chat apps have become an irresistible soft target. Without intense engineering focus, we believe that they will continue to be heavily targeted, and successfully exploited.”
Microsoft Goes Passwordless
Microsoft has this week announced that it will be rolling out Passwordless login support, allowing users to log into accounts without using a password.
Having made the feature available to business users back in March, the system, which will be available in the coming weeks, will let customers choose between an authentication mobile app called Windows Hello, or a verification code being send to either phone or email.
Relying primarily on biometric data to bypass traditional passwords, this move is to help improve security, with Microsoft’s announcement noting that the company detects a “whopping” 579 password attack incidents every second, or 18 billion each year.
Corporate Vice President of Security, Compliance and Identity, Vasu Jakkal stated on the matter: “Passwords are incredibly inconvenient… We are expected to create complex and unique passwords, remember them, and change them frequently - but nobody likes doing that.”
Adding, “While passwords can be guessed, stolen, or phished, only you can provide fingerprint authentication, or provide the right response on your mobile at the right time.”
Thank you for reading this edition of Infosec Round-Up. Please be sure to subscribe to the Hut Six YouTube Channel to keep up to date with the latest news and see all our latest information security videos.
Security Awareness for your Organisation
Enjoyed our blog? Learn more about how Hut Six can help improve you security awareness with training and simulated phishing. Start a free trial now, or book a meeting with one of our experts.
An email security policy is a document describing how an organisation's email system should, and most importantly, should not be used.
When Human Error is found in information security, it is often avoidable errors that allow much larger consequential problems to arise.
Investing in Information Security Awareness Training - educating people against cyber threats should be considered essential for any organisation operating in 2021
How Secure is Microsoft Teams? Information Security blog by Information Security Awareness solution provider Hut Six Security
Best Ways To Ensure Enterprise Data Regulation guest blog by technivorz.com and information security awareness solution Hut Six Security.
Writing a Disaster Recovery Plan: information security planning blog by information security awareness solution provider Hut Six Security.
Security program policies blog by information security awareness training provider Hut Six Security.
Security awareness training for Cyber Essentials blog by information security awareness training provider Hut Six Security.
Information Security Awareness Training in 2021 blog by information security awareness training platform Hut Six Security
What are the best VPNs for work? - VPN review blog by security awareness training provider Hut Six Security.