Category Archives: Security

GitHub Will Require All Users Who Contribute Code to Enable 2FA



GitHub announced that it will require all users who contribute code on GitHub.com to enable one or more forms of two-factor authentication (2FA) by the end of 2023. This is part of GitHub’s platform-wide effort to secure the software ecosystem by improving account security.

GitHub described their reasoning for requiring 2FA this way:

The software supply chain starts with the developer. Developer accounts are frequent targets for social engineering and account takeover, and protecting developers from these types of attacks is the first and most critical step towards securing the supply chain. GitHub has a long history of protecting developers through efforts including seeking and invalidating known-compromised user passwords, offering robust WebAuthn security key support, and enrolling all npm publishers in enhanced login verification.

According to GitHub, most security breaches are not the product of exotic zero-day attacks, but rather involve lower-cost attacks like social engineering, credential theft or leakage, and other avenues that provide attackers with a broad range of access to victim accounts and the resources they have access to.

GitHub continues by pointing out that compromised accounts can be used to steal private code or push malicious changes to the code. This places not only the individuals and organizations associated with the compromised accounts at risk, but also any users of the affected code. The potential for downstream impact to the broader software ecosystem and supply chain as a result is substantial.

Protocol reports that just 16.5% of GitHub.com users currently use two-factor authentication, considered to be a substantially more secure method of logging in given that it requires more than just a password. The two-factor authentication requirement will affect GitHub.com’s 83 million users, and is being announced well in advance to “make sure we get this right” in terms of user experience for developers, said Mike Hanley, chief security officer at GitHub.

According to Protocol, the announcement by Microsoft-owned GitHub comes at a time of high anxiety in the enterprise about the potential for security risks of open source software components. This is due in part to rising attacks against software supply chains – which jumped by more than 300% in 2021, according to a report from application protection firm Aqua Security.

In my opinion, it is a very good idea to put 2FA on everything – even if you don’t happen to post code on GitHub. Two-factor identification is a great way to prevent someone from stealing your social media accounts, breaking into your personal website, or locking you out of your most frequently used email accounts. It makes sense for GitHub to be requiring 2FA.


U.S. Commerce Department Tightens Exports of Hacking Tools



The U.S. Commerce Department’s Bureau of Industry and Security (BIS) has released an interim final rule that establishes controls on the export, reexport, or transfer (in-country) of certain items that can be used for malicious cyber activities.

Here is a key part of the press release:

The United States Government opposes the misuse of technology to abuse human rights or conduct other malicious cyber activities, and these new rules will help ensure that U.S. companies are not fueling authoritarian practices. U.S. exporters are likewise encouraged to consult the State Department’s Guidance in Implementing the “Guiding Principles” for Transactions Linked to Foreign Government End Users for Products or Services with Surveillance Capabilities to minimize the risk that their products or services are misused by governments to violate or abuse human rights.

The Washington Post reported that this was a long-awaited rule that officials hope will stem the export or resale of hacking tools to China and Russia while still enabling cybersecurity collaboration across borders.

The rule will take effect after 90 days. Here is what it covers:

  • Software such as Pegasus, a potent spyware product sold by the Israeli firm NSO Group to governments that have used it to spy on dissidents and journalists
  • Sales of hacking software and equipment to China and Russia, as well as to a number of other countries of concern, which are barred without a license from the department’s Bureau of Industry and Security (BIS)

According to The Washington Post, the U.S. Department of Commerce already has export controls on products containing encryption, so the new rule applies to products that do not contain encryption. The Washington Post also reported that, under the rule, any intrusion software, even for defensive purposes, sold to anyone in China or Russia, whether or not they work for the government, will require a license.

In addition, the rule will align the United States with the 42 European and other allies that are members of the Wassenaar Arrangement. This group sets voluntary export control policies on military and dual-use technologies (products that can be used for both civilian and military purposes).

The Washington Post says that China is not a Wassenaar member. Israel is also not a member but voluntarily adopts its controls. Russia is a Wassenaar member.

In my opinion, the rule seems like a common-sense idea. There is no good reason to sell, transfer, or export tools to other countries that might be inclined to use those tools to hurt people.


TikTok Won’t Be Shut Down Due to Ongoing Lawsuit



The U.S. Department of Commerce said that it wouldn’t enforce its order that would have forced the Chinese-owned TikTok video sharing app to shut down, The Wall Street Journal reported. This is the result of a lawsuit.

In September of 2020, the U.S. Department of Commerce announced a prohibition on transactions relating to mobile apps WeChat and TikTok. It would have barred companies from providing internet hosting or content-delivery services to TikTok. This would have resulted in making TikTok inoperable in the United States.

In October of 2020, three popular TikTok creators, Douglas Marland, Cosette Rinab, and Alec Chambers, filed a lawsuit against the Department of Commerce. TechCrunch reported that each has millions of followers on TikTok. Their argument was that banning the app would make them lose access to their followers and impact their ability to earn a living.

U.S. District Judge for the Eastern District of Pennsylvania Wendy Beetlestone granted the three TikTok creators the preliminary injunction they asked for. According to NBC News, Judge Beetlestone also found that the government had exceeded its authority under the International Emergency Economic Powers Act.

As a result, the U.S. Department of Commerce announced that the preliminary injunction enjoined it from enforcing the prohibition on TikTok. It appears that the U.S. government intends to appeal this ruling.


CISA Says November 3rd Election was Most Secure in American History



The U.S. Cybersecurity & Infrastructure Security Agency (CISA) posted a joint statement in which they declared: “The November 3rd election was the most secure in American history”. This should be a big relief to those who were concerned about potential security issues, or who have become convinced that the election was “rigged”.

“When states have close elections, many will recount ballots. All of the states with close results in the 2020 presidential race have paper records of each vote, allowing the ability to go back and count each ballot if necessary. This is an added benefit for security and resilience. This process allows for the identification and correction of any mistakes and errors. There is no evidence that any voting system deleted or lost votes, changed votes, or was in any way compromised”.

The statement also pointed out: “Other security measures like pre-election testing, state certification of voting equipment, and the U.S. Election Assistance Commission’s (EAC) certification of voting equipment help to build additional confidence in the voting systems used in 2020.”

CISA is the nation’s risk advisor, working with partners against today’s threats and collaborating to build more secure and resilient infrastructure for the future.

The Joint Statement included people from CISA, the Election Infrastructure Government Coordinating Council (GCC) executive committee, the U.S. Election Assistance Commission Chair, the National Association of Secretaries of State (NASS), the National Association of State Election Directors (NASED), and members of the Election Infrastructure Sector Coordinating Council (SCC).

In short, this group includes people who have the job of making sure our election infrastructure is secure. Together, they have more data about this election than anyone else. Personally, I think this statement should be viewed as a major debunking of the misinformation that has been spread about this election.


U.S. Department of Commerce Prohibits WeChat and TikTok



The United States Department of Commerce announced a prohibition on transactions relating to mobile apps WeChat and TikTok. This is being done in response to President Trump’s Executive Orders that were signed on August 6, 2020. The action by the Department of Commerce describes the decision as one made “to safeguard the national security of the United States.”

Here is a small portion of the Department of Commerce’s announcement:

…While the threats posed by WeChat and TikTok are not identical, they are similar. Each collects vast swaths of data from users, including network activity, location data, and browsing and search histories. Each is an active participant in China’s civil-military fusion and is subject to mandatory cooperation with the intelligence services of the CCP. This combination results in the use of WeChat and TikTok creating unacceptable risks to our national security.

Has the U.S. government ever banned an app before? If so, I don’t remember that happening. The thing that bothers me is that there are several social media platforms that collect the same kinds of data from American users (but are not involved with China). My concern is that the prohibition on WeChat and TikTok could be used as precedent for the Trump Administration to ban Twitter and/or Facebook.

As of September 20, 2020, the following transactions are prohibited:

  • Any provision of service to distribute or maintain the WeChat or TikTok mobile applications, constituent code, or application updates through an online mobile application store in the U.S.;
  • Any provision of services through the WeChat mobile application for the purpose of transferring funds or processing payments within the U.S.

As of September 20, 2020, for WeChat, and as of November 12, 2020, for TikTok, the following transactions are prohibited:

  • Any provision of internet hosting services enabling the functioning or optimization of the mobile application in the U.S.;
  • Any provision of content delivery network services enabling the functioning or optimization of the mobile application in the U.S.;
  • Any provision of directly contracted or arranged internet transit or peering services enabling the functioning or optimization of the mobile application in the U.S.;
  • Any utilization of the mobile application’s constituent code, functions, or services in the functioning of software or services developed and/or accessible within the U.S.

CNBC reported that WeChat is owned by the Chinese company Tencent. TikTok’s parent company is Beijing-based ByteDance. CNBC points out that the prohibition means Apple and Google will have to pull those apps from their app stores.


Microsoft Warns of New Cyberattacks Targeting U.S. Elections



Microsoft warns that it has detected cyberattacks targeting people and organizations involved in the upcoming presidential election. This includes unsuccessful attacks on people associated with both the Trump and Biden campaigns.

Microsoft’s announcement stated:

The activity we are announcing today makes clear that foreign activity groups have stepped up their efforts targeting the 2020 election as had been anticipated, and is consistent with what the U.S. government and others have reported. We also report here on attacks against other institutions and enterprises worldwide that reflect similar adversary activity.

Microsoft has observed:

  • Strontium, operating from Russia, has attacked more than 200 organizations including political campaigns, advocacy groups, parties and political consultants.
  • Zirconium, operating from China, has attacked high-profile individuals associated with the election, including people associated with the Joe Biden for President campaign and prominent leaders in the international affairs community.
  • Phosphorus, operating from Iran, has continued to attack the personal accounts of people associated with the Donald J. Trump for President campaign.

Microsoft believes that more federal funding is needed in the U.S. so states can better protect their election infrastructure. The company encourages Congress to move forward with additional funding to the states and provide them with what they need to protect the vote and our democracy.

Based on what Microsoft observed, it would be a good idea to stay vigilant when online. Shenanigans are happening that could affect the outcome of the upcoming election. We all need to take a step back and question election-related social media posts before spreading what might be misinformation from a foreign country.


Zoom Expands to Smart Displays at Home



Zoom announced that they are rolling out support for Portal from Facebook, Amazon Echo Show, and Google Nest Hub Max. This will make interactive video meetings as easy as the touch of a button or the sound of your voice. Zoom also points out that this feature can be used to connect by video to family and friends.

I can see where this could be useful for people who have disabilities that make it difficult for them to use their hands. Being able to attend a Zoom meeting by using voice controls would make the experience more accessible. It could also be good for people who need help setting up Zoom on their computer or laptop, and who may find it difficult to log in when they need to.

There are many reasons not to trust Zoom. They have a history of security failures, including a problem that allowed Zoom to enable a user’s camera without the user’s permission. At the time, uninstalling Zoom did not fix the problem. In June of this year, Zoom decided to limit end-to-end encryption to paid users only – a decision it later reversed, opening the feature to free accounts after backlash.

The reality is that there are many people who are working from home and who are required to use Zoom for work meetings. One advantage of using Zoom on a smart display is the option to take Zoom off your computer or laptop. A Zoom Meetings user could log into one of the smart devices that are supported by Zoom, and integrate their calendar, status, and meeting settings.

Zoom will be rolling out to Portal from Facebook in select regions in September. It will roll out to Amazon Echo Show devices in the United States later this year, beginning with Echo Show 8. Zoom will roll out to Nest Hub Max later this year.