A “cursed” domain, a biodata bill of rights, and more: Q1 ’20 cybersecurity roundup

In our first roundup post of the decade, I’ve included interesting articles whose topics include hacking satellites, the difference in mindset between technologists and policy makers, and what happens to your private health information when a pharmacy is acquired.

1. Kashmir Hill—The Secretive Company That Might End Privacy as We Know It

Intro: “Until recently, Hoan Ton-That’s greatest hits included an obscure iPhone game and an app that let people put Donald Trump’s distinctive yellow hair on their own photos.

Then Mr. Ton-That — an Australian techie and onetime model — did something momentous: He invented a tool that could end your ability to walk down the street anonymously, and provided it to hundreds of law enforcement agencies, ranging from local cops in Florida to the F.B.I. and the Department of Homeland Security.”

2. Brian Krebs—Dangerous Domain Corp.com Goes Up for Sale

Intro: “As an early domain name investor, Mike O’Connor had by 1994 snatched up several choice online destinations, including bar.com, cafes.com, grill.com, place.com, pub.com and television.com. Some he sold over the years, but for the past 26 years O’Connor refused to auction perhaps the most sensitive domain in his stable — corp.com. It is sensitive because years of testing shows whoever wields it would have access to an unending stream of passwords, email and other proprietary data belonging to hundreds of thousands of systems at major companies around the globe.”

3. Bruce Schneier—Policy vs. Technology

Intro: “Sometime around 1993 or 1994, during the first Crypto Wars, I was part of a group of cryptography experts that went to Washington to advocate for strong encryption. Matt Blaze and Ron Rivest were with me; I don’t remember who else. We met with then Massachusetts Representative Ed Markey. (He didn’t become a senator until 2013.) Back then, he and Vermont Senator Patrick Leahy were the most knowledgeable on this issue and our biggest supporters against government backdoors. They still are.

Markey was against forcing encrypted phone providers to implement the NSA’s Clipper Chip in their devices, but wanted us to reach a compromise with the FBI regardless. This completely startled us techies, who thought having the right answer was enough. It was at that moment that I learned an important difference between technologists and policy makers. Technologists want solutions; policy makers want consensus.”

4. Joseph Cox—How Big Companies Spy on Your Emails

Intro: “The popular Edison email app, which is in the top 100 productivity apps on the Apple app store, scrapes users’ email inboxes and sells products based off that information to clients in the finance, travel, and e-Commerce sectors. The contents of Edison users’ inboxes are of particular interest to companies who can buy the data to make better investment decisions, according to a J.P. Morgan document obtained by Motherboard.”

5. Graham Cluley—How your network could be hacked through a Philips Hue smart bulb

Intro: “Security researchers at Check Point have published details of vulnerabilities they have found in Philips Hue smart bulbs that could be exploited by hackers to compromise networks remotely.

The researchers were able to hijack control the IoT bulbs and install malicious firmware on it. With that beachhead in place they were then able to launch attacks to compromise the bulbs’ control bridge and then use an inventive method to attack the network.”

6. Daniel Miessler—Sickness Monitoring is the Opening Video Surveillance Has Been Waiting For

Intro: “I’ve thought for a long time that public video feed monitoring would become ubiquitous. My basis for this was looking at humans ultimately desire, not at the tech itself. … Just yesterday I tweeted that the COVID-19 situation was going to finally make large-scale video surveillance endemic to our society. Governments and various industries have been trying to do this for a long time, but they’ve been opposed on the grounds of protecting freedom and privacy.”

7. Troy Hunt—There is a Serious Lack of Corporate Responsibility During Breach Disclosures

Intro: “I’ve been sending [emails to notify companies of potential data breaches] for years. Its purpose is pretty self-explanatory and whilst it may not be an email anyone ever wants to receive from me, it’s a very important message. Yet somehow, it frequently goes ignored. … [If] anything, disclosure is only becoming more painful.”

8. Joseph Steinberg—A Local Pharmacy Is Acquired, Revealing a Major Flaw in Health Information Privacy Laws

Intro: “Last week, without any warning to customers, one of my town’s last local independent pharmacies was acquired by a major pharmacy chain. Customers were given no advance notice whatsoever; apparently, as part of the deal, the acquirer required absolute silence on the part of all involved until after the transaction had closed.

As a result of such a policy, customers found out that a major pharmacy chain had obtained their private health-related information only after it already had their data in its systems; they were given no opportunity to prevent the transfer of that data, nor were they given advance warning that such a transfer would happen.”

9. William Akoto—What happens when all the tiny satellites we’re shooting into space get hacked?

Intro: “[New] satellites have the potential to revolutionize many aspects of everyday life—from bringing internet access to remote corners of the globe to monitoring the environment and improving global navigation systems. Amid all the fanfare, a critical danger has flown under the radar: the lack of cybersecurity standards and regulations for commercial satellites, in the U.S. and internationally. As a scholar who studies cyberconflict, I’m keenly aware that this, coupled with satellites’ complex supply chains and layers of stakeholders, leaves them highly vulnerable to cyberattacks.”

10. Camilo La Cruz—Who owns your DNA? You should, according to this biodata bill of rights

Intro: “In the next decade, businesses and governments will increasingly collect biological data, from facial recognition to DNA. Every time you command a smart speaker, have your face scanned, or track your health on any app, it’s all going into your biological data bank.

Today, startups like Voicesense and Sonde Health can decode our voice to make predictions about anything from depression to defaulting on our mortgage. In the U.S., the Department of Homeland Security is planning on developing a DNA database of immigrants in federal detention facilities. Meanwhile, in China, the government is collecting DNA and biometrics from all residents aged 12 to 65 in Xinjiang, a region home to 11 million Muslim Uighurs.”

11. Jessica Guynn—Anxiety, depression and PTSD: The hidden epidemic of data breaches and cyber crimes

Intro: “After a restorative getaway last July – a week in Stockholm, another exploring Norway’s fjords and a picturesque hike deep into the peaceful wilds of western Sweden’s forests – Christopher Lane returned home to his Chicago condo and an overflowing mailbox.

A nondescript envelope stamped ‘Important Update – Open Immediately’ caught his attention. Inside was an alarming notice that his medical and financial information had been stolen.”

12. Lawrence Abrams—Twitter First: Trump Video Retweet Tagged as ‘Manipulated Media’

Intro: “For the first time, Twitter has labeled a video as ‘Manipulated Media’ that attempts to portray Joe Biden as stating that  Donald Trump should be re-elected.

In a video tweeted by White House social media director Dan Scavino, it looks as if Joe Biden is saying that ‘We can only re-elect Donald Trump.’

In reality, though, this video has been deceptively cut short to fit this message when in fact Biden stated ‘We can only re-elect Donald Trump if in fact we get engaged in this circular firing squad here. It’s got to be a positive campaign, so join us.’”

Read the previous roundup articles of 2019

Want to read up on the other big news and ideas for cybersecurity in 2019? Here are our previous roundup posts:

• Q1 2019 roundup
• Q2 2019 roundup
• Q3 2019 roundup
• Q4 2019 roundup