Tag Archives: Security

FCC Bans U.S. Sales Of Huawei And ZTE Over Security Concerns

Security,

Huawei, ZTE, Hikvision, Hytera and Dahua all sell telecommunications equipment and video surveillance technology into the United States, but many of their future security cams and radio hardware will no longer be welcome, The Verge reported.

According to The Verge, the Federal Communications Commission has just announced it will no longer authorize some of their equipment – which is a big deal, because companies can’t legally import or sell anything with a radio in the US without authorization.

The FCC posted news (in the form of a PDF, Docx, or Txt) titled: “FCC Bans Equipment Authorizations For Chinese Telecommunications And Video Surveillance Equipment Deemed To Pose A Threat To National Security”.

From the news:

The Federal Communications Commission adopted new rules prohibiting communications equipment deemed to pose an unacceptable risk to national security from being authorized for importation or sale in the United States. This is the latest step by the Commission to protect our nation’s communications networks. In recent years, the Commission, Congress, and the Executive Branch have taken multiple actions to build a more secure and resilient supply chain for communications equipment and services within the United States.

“The FCC is committed to protecting our national security by ensuring that untrustworthy communications equipment is not authorized for use within our borders, and we are continuing that work here,” said Chairwoman Jessica Rosenworcel. “These new rules are an important part of our ongoing actions to protect the American people from national security threats involving telecommunications.”…

… The new rules prohibit the authorization of equipment through the FCC’s Certification process, and makes clear that such equipment cannot be authorized under the Supplier’s Declaration of Conformity process or be imported or marketed under rules that allow exemptions from an equipment authorization. The Covered List (which includes both equipment and services) currently includes communications equipment produced by Huawei Technologies, ZTE Corporation, Hytera Communications, Hangzhou Hikvision Digital Technology, and Dahua Technology (and their subsidiaries and affiliates). The new rules implement the directive in the Secure Equipment Act of 2021, signed into law by President Biden last November, the requires the Commission to adopt such rules…

Brendan Carr, the FCC’s commissioner tweeted: “Today the FCC takes an unprecedented step to safeguard our networks and strengthen America’s national security. Our unanimous decision represents the first time in FCC history that we have voted to prohibit the authorization of new equipment based on national security concerns.”

Engadget reported that this latest move follows years of conflict between the US and companies closely tied to Chinese governments. That’s included placing several notable Chinese companies, including DJI, on the Department of Commerce’s “Entity List,” which prohibits US firms from selling equipment to them.

According to Engadget, the FCC is also calling for $5 billion to help US carriers with the massive task of replacing equipment from Huawei and ZTE.

In my opinion, it seems like a good idea for the United States to try and protect itself from products and services that “could pose a threat to national security”. I think the FCC is right to request $5 billion to help US carriers remove equipment from Huawei and ZTE, and I hope the money will also enable the carriers to install equipment made in the United States.

Microsoft Introduces Microsoft Defender – A 365 Online Security App

Microsoft,

Microsoft introduced its Microsoft Defender. It is a new Microsoft 365 online security app for you and your family.

Everyone deserves to feel safe online. Securing your personal data and devices is more challenging than ever, increasing malicious threats, more time online, and many connected personal devices can leave us feeling vulnerable. It’s time for online security that provides simplified and secure protection to meet you where you are.

Microsoft Defender for Individuals is a new security app designed to keep individuals and families safer online. Available for Microsoft 365 Personal and Family subscribers starting on June 16, 2022, Microsoft Defender helps simplify your online security through one, unified view into your family’s protections, across your personal phones and computers.

The footnotes attached to parts of that paragraph include: “App requires a Microsoft 365 Family or Personal subscription, and is available as a separate download.” A second footnote says: “App is available on Windows, macOS, Android, and iOS in select Microsoft 356 Family or Personal billing regions.”

Microsoft says that Microsoft Defender extends the production already built into Windows Security beyond your PC to your macOS, iOS, and Android devices. This, too, comes with a footnote which says: “New malware protection is not available where these protections exist in iOS and Windows”. Yet another footnote says: “Security tips are available on Windows and macOS only.”

Corporate Vice President, Security, Compliance, Identity and Management, Vasu Jakkal, wrote a post titled: “Making the world a safer place with Microsoft Defender for individuals”. Here are some key points from that post:

What does Microsoft Defender Do?

Microsoft Defender is simplified online security that meets you and your family where you are by bringing multiple protections together into a single dashboard. It provides online protection across the devices you and your family use. It offers tips and recommendations to strengthen your protection further. And, as you grow your digital footprint by adding family members and devices, Defender grows with you and keeps your defenses up-to-date using trusted technology.

  • This seamless solution, which includes continuous antivirus and anti-phishing protection for your data and devices, will enable you to:
  • Manage your security protections and view security protections for everyone in your family, from a singe, easy-to-use, centralized dashboard.
  • View your existing antivirus protection (such as Norton or McAfee). Defender recognizes these protections within the dashboard.
  • Extend Windows device protections to iOS, Android, and macOS devices for cross-platform malware protection on the devices you and your family use the most.
  • Receive instant security alters, resolution strategies, and expert tips to help keep your data and devices secure.

Personally, I am pleasantly surprised that Microsoft is extending Microsoft Defender to not only people who use PCs and Android devices, but also to those of us who use macOS and iOS devices. It is unusual for a tech company to extend its security protections to those outside of its “universe” of products.

Ukraine picks up six hackers behind Clop ransomware

Hacker, Information,

It’s been a rough spell for hackers, one was just extradited from Mexico to face charges in California for a DDoS attack on the city of Santa Cruz. 

Now six members of a group responsible for the Clop ransomware were picked up in a raid in the Ukraine. It is not clear if these were all the members behind it or just one cell. The search of the home resulted in the seizure of hundreds of thousands of dollars and expensive vehicles such as an AMG 63 and a Tesla. 

A Ukrainian report states that “[in] 2021, the defendants attacked and encrypted the personal data of employees and financial reports of Stanford University Medical School, the University of Maryland and the University of California.” 

As S Korea and the US were also in on this roundup and have charges pending for hacks in both countries, it’s unclear where things go from here. 

MJR Digital Cinemas has upgraded, but what’s wrong with this picture?

Security

Despite the ever-increasing tab at the box office, we all, or most of us, enjoy seeing an occasional movie on the big screen. There are just some flicks that lend themselves to the immersive experience. 

The good news is theaters around the country have been upgrading recently – improved seating and digital systems along with a wider selection of (overpriced) goodies to choose from and dine on during your show. Some now even have bars. 

One theater chain in Michigan, MJR, has been among those to upgrade, however they apparently failed to consult any sort of IT professional, or at least one who knows anything about security. Take a look at the image below and see if any problems seem apparent. 

At least they made the job easy for hackers. In fact, there’s no real job at all, it’s just handed over to them. 

VLC patches multiple security flaws, two critical

Information, Security,

There are many options out there for media playback, we’ve come a long way since Windows Media Player and Quicktime.  Alternatives abound, and some of them quite compelling.

Take the Video Lan Client, better known to everyone as VLC, which is capable playing almost any format a user can throw at it. Like any software, however, there are always bugs, and sometimes security holes  that could allow bad things to happen to good people.

VLC is issuing a number of security fixes, 33 of them to be exact, designed to keep your system healthy. Two of these are considered critical, designed to patch an out-of-bound write vulnerability and a stack-buffer-overflow bug.

According ThreatPost “Details are scant on the two high-severity bugs and how they could be exploited. Impacted is VLC 3.0.7 and the EU-FOSSA release of the player, along with code tied to the upcoming 4.0 release of the player.”

The high number of patches comes on the heels of a new bug bounty program started by the European Commission on January 7, 2019.

The updates are being pushed out so users shouldn’t need to do anything except wait, and actually, you may already have it.

UK Government Consults on IoT Security

Home Automation, Security, ,

The UK Government’s Department for Digital, Culture, Media & Sport (aka Ministry of Fun) has announced plans to introduce new laws governing internet-connected devices, i.e. Internet of Things.

Given that there have been some high-profile instances involving connected toys and cameras, this is welcome news. In a perfect world, users should be educated in the basics of IT security such as changing the default password, but sadly it’s case of getting a gadget out of the box and setup as fast as possible.

The Government is consulting on a “Secure by Design” initiative which intends for basic cyber security features to be built into products and for consumers to get better information on how secure the devices are.

Much like food packaging or the energy ratings on white goods, the Government is proposing a mandatory labelling scheme that states the security level of the gadget. Only goods with the applicable “IoT” label could be legally sold in the UK.

The consultation proposes three essential requirements for internet-connected gadgets.

  1. Device passwords must be unique without any standard factory setting
  2. The minimum duration for which the device will receive security updates must explicitly stated
  3. A public point of contact as part of a vulnerability disclosure policy must be given

Point 3 isn’t directly for consumers but rather for security researchers who will be able to directly contact organisations about security issues. All of these points will be a significant deterrent to the “cheap’n’cheerful” IoT gadgets that typically come in from China with zero support.

Overall, this is a very welcome consultation and I would encourage readers to review the proposals and feedback on the options. This is very much about protecting ourselves and our families and reducing the risk of being hacked. For too long, manufacturers have got away with having little responsibility for their devices after they’ve been bought and these ideas address that balance.

If you want to know more on the consultation and comment on the proposals, it’s over here.

Photo by Dan LeFebvre on Unsplash.

23 Million People Use 123456 as a Password

Security,

Despite all the warnings, 23 million people worldwide use the password “123456”. This is according the UK’s National Cyber Security Centre which analysed the Have I Been Pwned data set to produce a list of the top 100,000 passwords.

It’s frankly embarrassing – here’s the top 10. Anyone who uses any of these should have their computer, tablet and phone taken away from them immediately.

  1. 123456
  2. 123456789
  3. qwerty
  4. password
  5. 111111
  6. 12345678
  7. abc123
  8. 1234567
  9. password1
  10. 12345

Looking through the full list, there’s a reasonable selection of expletives, and for Brits, variations on “Liverpool” appear twenty eight times. For non-Brits, Liverpool is not only a city in the North of England but a premier league football (soccer) team. James Bond 007 is rich pickings too, with variations into the teens. No matter how smart or unique you think you are, there’s someone else who thinks the same.

The NCSC recommends using three random words for passwords such as “tablehouseblue” and  not to re-use passwords between accounts. It particularly suggests to always have a different password for your email account.

Dr Ian Levy, NCSC Technical Director, said: “Password re-use is a major risk that can be avoided – nobody should protect sensitive data with something that can be guessed, like their first name, local football team or favourite band. Using hard-to-guess passwords is a strong first step and we recommend combining three random but memorable words. Be creative and use words memorable to you, so people can’t guess your password.

You can read the full UK Cyber Survey and there’s more analysis on the password list in this article.

Photo by Kristina Flour on Unsplash