"Right through the very heart of it" the IT Privacy & Security weekly update for March 16th 2021

Dear DAML’ers!

Welcome to the update that never sleeps… “king of the hill”, “top of the heap”.

This week we get non-fungible with our fungibles … and … just look at the results. We save you the FOMO by ELI5 to help you DYOR so you can BTFD.

Then, just as you spend your last fungible, LastPass your “hey, all my passwords are in there…” app announces they are going to charge you or force you to make a choice… we “spread the news” about a different free password manager.

We “stray” to breaches and fixes and other privacy and security items before we finish with an idea that just might have originated “in the very heart of it: New York, New York.”

This truly is the “King of the hill”, “A”, “Number one” IT Privacy and Security weekly update, so put on those “vagabond shoes” and let’s stray!

US: Taco Bell Issued NFTs for Digital Taco Art

Taco Bell jumped aboard the NFT bandwagon last week, releasing five pieces of “limited” digital art on the blockchain.

A quick primer for those unfamiliar with the latest fad sweeping the internet. NFT stands for non-fungible token, and it uses blockchain technology to create scarcity and authenticity for specific digital items. NFTs have generated a lot of headlines and hype over the past few weeks. Musician Grimes made $5.8 million selling digital art, but that number was dwarfed this week when artist Beeple sold a piece of digital art for $69 million at auction.
Taco Bell announced its NFT art sale on March 7 with the following tweet:
Our Spicy Potato Soft Tacos can now live in your hearts, stomachs, and digital wallets.

So what’s the upshot for you? The art was sold on the Rarible marketplace, and according to The Verge, the 25 tokens it put up were sold within a half hour. The good news? The money raised will go to charity.

WTF 'r NFTs?

What Are Non-Fungible-Tokens (NFTs)?

This is the equivalent of having a magazine cover signed by Steve Jobs. Sure, you could trade with someone for another cover for the same magazine, but the one you would receive won’t be the same as the one you traded away.
Since it’s unique, there is no defined value to the NFT at all.

Non-fungible tokens or NFTs are cryptographic assets on blockchain with unique identification codes and metadata that distinguish them from each other. Unlike cryptocurrencies, they cannot be traded or exchanged at equivalency. This differs from fungible tokens like cryptocurrencies, which are identical to each other and, therefore, can be used as a medium for commercial transactions.

Due to the cryptographic nature of blockchains, any attempt to change one block will be spotted. This ultimately keeps the blockchain secure. When an NFT is associated with a blockchain, this allows parties to check the validity of the NFT. Typically this is built on top of one of the existing blockchains, such as Ethereum. So, again:

  • NFTs are unique cryptographic tokens that exist on a blockchain and cannot be replicated.
  • NFTs can be used to represent real-world items like artwork and real-estate.
  • "Tokenizing" these real-world tangible assets allows them to be bought, sold, and traded more efficiently while reducing the probability of fraud.
  • NFTs can also be used to represent people's identities, property rights, and more.

Like physical money, cryptocurrencies are fungible, i.e., they can be traded or exchanged, one for another. For example, one Bitcoin is always equal in value to another Bitcoin.
Similarly, a single unit of Ether is always equal to another unit.
This fungibility characteristic makes cryptocurrencies suitable for use as a secure medium of transaction in the digital economy.
NFTs shift the crypto paradigm by making each token unique and irreplaceable, thereby making it impossible for one non-fungible token to be equal to another. They are digital representations of assets and have been likened to digital passports because each token contains a unique, non-transferable identity to distinguish it from other tokens. They are also extensible, meaning you can combine one NFT with another to “breed” a third, unique NFT.
Just like Bitcoin, NFTs also contain ownership details for easy identification and transfer between token holders. Owners can also add metadata or attributes pertaining to the asset in NFTs. For example, tokens representing coffee beans can be classified as fair trade. Or, artists can sign their digital artwork with their own signature in the metadata.
The most exciting possibility for NFTs lies in the creation of new markets and forms of investment. Consider a piece of real estate parceled out into multiple divisions, each of which contains different characteristics and property types. One of the divisions might be next to a beach while another is an entertainment complex and, yet another, is a residential district. Depending on its characteristics, each piece of land is unique, priced differently, and represented with an NFT. Real estate trading, a complex and bureaucratic affair, can be simplified by incorporating relevant metadata into each unique NFT.
And lastly the technical detail:

  • NFTs evolved from the ERC-721 standard.
  • Developed by some of the same people responsible for the ERC-20 smart contract, ERC-721 defines the minimum interface – ownership details, security, and metadata – required for exchange and distribution of gaming tokens.
  • The ERC-1155 standard takes the concept further by reducing the transaction and storage costs required for NFTs and batching multiple types of non-fungible tokens into a single contract.
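As an added illustration of the ownership interface the bullets above attribute to ERC-721 (this is my own Python sketch, not code from the post, from Taco Bell, or from the Ethereum standard; the addresses and metadata are constructed): each token id can exist only once, and a transfer is accepted only from the real owner or from an operator that owner approved for that specific token.

```python
from dataclasses import dataclass, field

ZERO_ADDRESS = "0x0"  # constructed stand-in for Ethereum's zero address


@dataclass
class NftRegistry:
    owners: dict = field(default_factory=dict)     # token_id -> owner address
    approvals: dict = field(default_factory=dict)  # token_id -> approved operator
    metadata: dict = field(default_factory=dict)   # token_id -> per-token metadata

    def mint(self, to, token_id, meta):
        # A token id can be created once only; that uniqueness is the "non-fungible" part.
        if token_id in self.owners:
            raise ValueError(f"token {token_id} already minted")
        self.owners[token_id] = to
        self.metadata[token_id] = dict(meta)

    def owner_of(self, token_id):
        if token_id not in self.owners:
            raise KeyError(f"no such token {token_id}")
        return self.owners[token_id]

    def balance_of(self, address):
        return sum(1 for owner in self.owners.values() if owner == address)

    def approve(self, caller, operator, token_id):
        # Only the current owner may delegate transfer rights for a token.
        if self.owner_of(token_id) != caller:
            raise PermissionError(f"{caller} does not own token {token_id}")
        self.approvals[token_id] = operator

    def transfer_from(self, caller, sender, recipient, token_id):
        owner = self.owner_of(token_id)
        # The ownership check ERC-721 mandates: `sender` must really own the token and the
        # caller must be that owner or the operator approved for this specific token id.
        if sender != owner or caller not in (owner, self.approvals.get(token_id)):
            raise PermissionError(f"{caller} may not move token {token_id}")
        if recipient == ZERO_ADDRESS:
            raise ValueError("transfer to the zero address would burn the token")
        self.owners[token_id] = recipient
        self.approvals.pop(token_id, None)  # an approval never survives a transfer


def demo():
    reg = NftRegistry()
    art = {"name": "Spicy Potato Soft Taco"}  # constructed sample metadata
    reg.mint("0xalice", 1, art)
    reg.mint("0xalice", 2, art)  # identical metadata, yet a distinct token: not interchangeable
    reg.approve("0xalice", "0xmarket", 1)  # delegate token 1 to a marketplace operator
    reg.transfer_from("0xmarket", "0xalice", "0xbob", 1)
    try:
        reg.transfer_from("0xmarket", "0xalice", "0xbob", 2)  # never approved for token 2
        blocked = False
    except PermissionError:
        blocked = True
    return reg.owner_of(1), reg.owner_of(2), reg.balance_of("0xalice"), blocked
```

Two tokens carrying the same metadata stay separate entries with separate owners, which is exactly why one NFT cannot be swapped for another "at equivalency".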

So what’s the upshot for you? They say that a good salesperson could sell an Eskimo snow: “And when you hold that snow in NFTs you don’t have the problems of storage and sudden melting. We’ll take care of that for you…”
Like anything, NFTs come with practical considerations, just remember to consider them all!

Global: Wait, what?!?! It’s the 16th! I need a new, free password manager

If, like some of us, you use LastPass and have just been forced to decide which class of devices to use it on (desktops/laptops or phones/tablets) or pay up, we thought we’d do a little looking around for you.

After trying a couple, we thought we would share a pretty good showing from Bitwarden, a fully-featured password manager. Although not open source, it does get third-party security assessments regularly, and although it stores your data in the cloud, it’s all done in encrypted form where only you have the key. It’s available for phones on iOS and Android; it has native desktop applications on Windows, macOS, and Linux; and it also integrates with every major browser including Chrome, Safari, Firefox, and Edge.

You also have the option of protecting your Bitwarden account with two-factor authentication to provide an extra layer of security.

Importing our passwords was involved, but successful, and Bitwarden has guides for many popular password managers in its support pages. It supports biometric security on iOS and Android, and all of its software is nicely designed and easy to use.

Bitwarden does have paid tiers, but you probably won’t need most of the features they offer. Paying gets you access to encrypted file attachments, more second-factor security options, and reports on the overall security of the passwords you have in use. But even on the free tier, you can perform checks to see if individual passwords have been leaked in a password breach. Paying also gets you access to a built-in one-time code generator for two-factor authentication, but it’s easy and arguably more secure to use a separate app for this.

So what’s the upshot for you? Most (if not all) internet browsers offer built-in password management features, but it may be worth taking the time to store your passwords in a standalone service. There is more flexibility to switch platforms and browsers in the future, and password managers also generally have interfaces that are better suited to the task of storing passwords. Today is the day that LastPass starts billing to keep using the software across phones and PCs. Wired ran a great story covering this, detailing the export of data from LastPass and its import into an alternate password manager.

It’s worth taking a look at if you plan to move any time soon!

Global: Google fixes the 3rd Chrome vuln so far in 2021

Google is hurrying out a fix for a vulnerability in its Chrome browser that’s under active attack – its third zero-day flaw so far this year. If exploited, the flaw could allow remote code execution and denial-of-service attacks on affected systems.

The vulnerability exists in Blink, the browser engine for Chrome developed as part of the Chromium project. Browser engines convert HTML documents and other web page resources into visual representations viewable to end-users.

So what’s the upshot for you? If you look to the right of your URL bar and notice an orange sign that says “update now” … click on it. You’ll get the latest updates to Chrome.

Global: Too many cameras and look what happens…

Last week, hackers breached the network of IoT security camera start-up Verkada. The company provides web-accessible video surveillance for businesses, healthcare facilities, financial institutions, schools, and governments.
During the incident, approximately 150,000 security cameras were compromised, affecting the thousands of organizations that use Verkada’s services. The hackers were able to access live video feeds from restricted areas monitored by Verkada cameras. In addition, they were able to view users’ archived videos and images. The breach affected organizations both large and small, including such famous names as Tesla and web infrastructure giant Cloudflare.
“Backdoors built by default into a product with a standard reused secret is a dangerous thing,” says Ray Canzanese, director of the threat labs at cloud security provider Netskope. “A leak of that secret means that anybody can now access any of those devices. And we, the industry, concluded long ago that is not a good approach to security.”
Login details for a Verkada admin account were exposed on the web. Armed with those credentials, white-hat hacktivists (who said they were really only interested in highlighting the pervasiveness of video surveillance) were able to enter Verkada’s corporate network — and use many of the company’s internal administrative tools. Because they had privileged access, the hackers could see customers’ live video feeds, and download the archived video as well.
Verkada contained the breach within a day or so of the initial intrusion.

So what’s the upshot for you? Even though Verkada worked quickly to remediate the exposed admin credentials, this could have ended differently. Remember to be prudent with any cameras that record to cloud services. Use non-identifying email addresses for login, and when you aim the camera, try to point it in a direction, or at objects, that cannot be uniquely identified.

US: Google says, “Throw it out,” but the judge says the privacy lawsuit against Google can go ahead.

The crux of the lawsuit: “Google tracks and collects consumer browsing history and other web activity data no matter what safeguards consumers undertake to protect their data privacy. Indeed, even when Google users launch a web browser with ‘private browsing mode’ activated (as Google recommends to users wishing to browse the web privately), Google nevertheless tracks the users’ browsing data and other identifying information.”

So what’s the upshot for you? It looks like the privacy tide is starting to turn. This lawsuit is asking for US$5,000.00 per California-based user. Ouch!!!

UK: Web Snooping in the UK

For the last two years, police and internet companies across the UK have been quietly building and testing surveillance technology that could log and store the web browsing of every single person in the country.
The tests, which are being run by two unnamed internet service providers, the Home Office, and the National Crime Agency, are being conducted under controversial surveillance laws introduced at the end of 2016. If successful, data collection systems could be rolled out nationally, creating one of the most powerful and controversial surveillance tools used by any democratic nation.
The Investigatory Powers Act is a wide-ranging law that sets out how bodies in the UK can collect and handle data that may be linked to criminal activity. Since it was passed in 2016 the law has led to sweeping reforms of UK surveillance powers, adding new controls on what law enforcement and intelligence agencies can do and explaining when phones, computers, and other systems can be hacked—other legislation previously covered these powers. As part of the changes, Internet Connection Records, or ICRs, were introduced as a new type of data that could be collected and stored for security purposes.

People’s internet records can contain the apps they have used, the domains they have visited (discuss.daml.com, for example), IP addresses, when internet use starts and finishes, and the amount of data that is transferred to and from a device. While not containing the content of what people are viewing, metadata can still be hugely revealing. Amongst other things it can reveal health information, political leanings, and personal interests. Documents from the Home Office say “there is no single set of data that constitutes an Internet Connection Record” and that the logs are likely to be held by people’s internet service providers.
NSA whistleblower Edward Snowden called the law “the most extreme surveillance in the history of western democracy”. Since then the scope of the legislation has been expanded to include more organizations.

So what’s the upshot for you? The Investigatory Powers Act is scheduled to be scrutinized in the next year—it needs to be reviewed five years and six months after it was passed into law. If you are in the UK this gives you some time to write your letters and emails to the powers-that-be so that transparency and relevancy become part of the review. The UK definitely does not need a copy-cat of what the NSA has done in the US, but the outcome of this review will have repercussions globally.

US: Microsoft Probes Whether Leak Played Role in Suspected Chinese Hack

Microsoft and others have been reviewing an information-sharing program called the Microsoft Active Protections Program (Mapp), which was created in 2008 to give security companies a head start in detecting emerging threats. Mapp includes about 80 security companies worldwide, about 10 of which are based in China. A subset of the Mapp partners were sent the Feb. 23 Microsoft notification, which included the proof-of-concept code, according to sources familiar with the program. A Microsoft spokesman declined to say whether any Chinese companies were included in this release.
The investigation centers in part on the question of how a stealthy attack that began in early January picked up steam in the week before the company was able to send a software fix to customers. In that time, a handful of China-linked hacking groups obtained the tools that allowed them to launch wide-ranging cyberattacks that have now infected computers all over the world running Microsoft’s Exchange email software.

So what’s the upshot for you? Thankfully, no matter how the hack arose, if you run an Exchange mail server, Microsoft has a one-click mitigation tool for you in the Security folder of the microsoft/CSS-Exchange repository on GitHub.

US: The New York Restaurant cleanliness rating system may be moving to computer software.

SENIOR ADMINISTRATION OFFICIAL: "We learned key lessons regarding visibility and market. Today, the cost of insecure technology is borne at the end: by incident response and cleanup. And we really believe it will cost us a lot less if we build it right at the outset.

And I give two exemplars to help characterize what we want to do here. One is: Mayor Bloomberg, a number of years ago, when he wanted to address restaurant sanitation, he realized, you know, the health department kept rating restaurants, and it just wasn’t changing anything. So he required restaurants to put a simple rating — A, B, C, D — in their front window to make a market — to make a market around health and sanitation.
And we’re looking to do a very similar thing with cyber and the cybersecurity of software companies we buy software from."

The SENIOR ADMINISTRATION OFFICIAL continues, “Similarly, Singapore has an interesting model where they provide cybersecurity standards for different Internet of Things devices, like baby monitors, so that moms who want to buy secure products have a really easy way to put their money on it. And we don’t have that in the U.S. today; we don’t have that transparency so that people can make a market for cybersecurity.”

Finally: “…we’re working to really build back better to modernize defenses, thinking through rebooting the approach to software security, rebooting the approach to software security standards, and trying to get to a goal we have: that the level of trust we have in our systems is directly proportional to the visibility we have to their cybersecurity. And the level of that visibility needs to match the consequences if those systems fail.”

So what’s the upshot for you? We love this approach! If this idea could, it would do a Frank Sinatra and sing: “If it can make it there, it’ll make it anywhere. It’s up to you, New York, New York.”

That’s it for this week, DAML’ers. We hope you enjoyed the sing-along elements of this week’s update.

You’ll find the podcast of this week’s IT Privacy and Security update on Spotify along with a huge back-catalog of previous weekly updates.

See you in se7en!
