October 2020: Cybersecurity Roundup
This past month in cybersecurity:
- October is Cybersecurity Awareness Month
- T2 security chip on Macs can be hacked
- ‘Security of your vote has never been higher’
- CLEAR, expedited security, expanding to a holistic identity verification platform
- Data breach at Barnes & Noble
October is Cybersecurity Awareness Month
This October marked the 17th annual cybersecurity awareness month. Cybersecurity awareness month is led by the Cybersecurity and Infrastructure Security Agency (CISA) and the National Cyber Security Alliance (NCSA). It is a collaborative effort between government and industry to ensure Americans have the resources they need to stay safe online.
The theme of the 2020 cybersecurity month was “Do Your Part. #BeCyberSmart.” Each week had a different goal, namely:
- Week 1: If You Connect It, Protect It
- Week 2: Securing Devices at Home and Work
- Week 3: Securing Internet-Connected Devices in Healthcare
- Week 4: The Future of Connected Devices
If you haven’t already, now is an excellent time to run through some of these short publications on keeping yourself secure (https://www.cisa.gov/publication/national-cybersecurity-awareness-month-publications):
- Cybersecurity While Traveling Tip Sheet
- Online Privacy Tip Sheet
- Passwords Tip Sheet
- Protecting Your Digital Home Tip Sheet
- Social Media Cybersecurity Tip Sheet
T2 security chip on Macs can be hacked
Security researchers claim that it is possible to gain full root access and kernel execution privileges on macOS computers in models containing the T2 security chip made between 2018-2020. Since the vulnerable code is stored in read-only memory, it is not possible for Apple to patch this vulnerability. While this is clearly bad, physical access to the computer is required to exploit the vulnerability, which reduces the impact of this issue. Also, if you are using FileVault2 for disk encryption, an attacker would need physical access twice to get the contents of your disk (once to plant a keylogger and another time to decrypt and copy the contents).
The exploit involves using two exploits used to jailbreak iPhones. It is exploited via USB, so never connect anything to your Mac unless you trust the person or organization providing it.
While the risk to ordinary Mac users is low, you may have a higher chance of being targeted if you are a senior company executive or diplomat. Most people expect this issue to be resolved with the next Mac release later this year since it will use a different chip.
‘Security of you vote has never been higher’
There has been a considerable buzz surrounding voting security in the 2020 general election. A large portion of this stir can be attributed to misinformation and foreign interference.
Foreign counties, such as Russia that want to meddle in US elections, are attempting to attack both the election infrastructure itself and voters’ minds. Because meddling with the actual election infrastructure (like ballot counts) is very difficult, malign foreign countries are using “easier” methods to change American minds. This is accomplished by sowing seeds of doubt and worry via social media and attacking unrelated (but seemingly related) targets such as the takeover of Trump’s website. These issues do not impact the election infrastructure but make individuals worry over the security of the election.
The FBI and NSA are confident in the current voting process, and FBI Director Christopher Wray remarked that “you should be confident that your vote counts.”
CLEAR, expedited security, expanding to a holistic identity verification platform
If you’ve ever been at the security checkpoint in the airport and stared in disgust as someone skips the entire line and cuts in front of you, then you have probably seen CLEAR at work.
CLEAR is an expedited security service that allows members to skip long lines by verifying their biometrics (such as your eyes and face). CLEAR has now branched out to develop a holistic identity verification platform, mostly driven by the fact that lines are less of an issue at the airport with covid in full swing.
According to a CLEAR representative, “CLEAR plans to be the company that verifies your identity every time you would have swiped a credit card, shown your ID at a door, or handed over a health insurance card.”
Data breach at Barnes & Noble
Barnes & Noble suffered a data breach, which it became aware of on October 10. The data breach revealed customers’ email addresses and transaction history. According to the incident report, customer’s financial data, such as payment card information, was not exposed.
Data breaches seem to have become a part of our Halloween tradition. Three years ago, we dressed up as the “Equifax Data Breach” where I (dressed as “Security”) and my wife (dressed as “Equifax”) handed out (fake) social security numbers and other PII while I stood distracted without interfering.
It looks like we will be dressing as Barnes & Noble this year.
That’s All Folks
Thanks for reading! We’ll be back next month with a quick roundup of topics we found interesting.
Did we miss a super important story? Let us know! We’ll do better next time.