Tiktok Tactics and Digital Nomads

News, thoughts, and puns about remote workforce's emerging security issues, Tiktok taking over, Facebook's uncoolness, ransomware threatening hospitals, and more!

This week's spotlight: Remote workforce giving new meaning to "fishing trip"

Sometimes I wish we, infosec specialists, were better at "reading the room". A report from Tessian reveals that 56% of IT leaders believe employees are "cutting corners" when not in the office. The main concern seems the revolve around "blurring" personal and professional lives, leading to the use of personal devices for work purposes, increased phishing, and failure to report incidents.  The study further reports that 70% of these leaders believe "return to office" will improve security behaviours. The conclusions are thus exactly what you think: having people "watching" each other is perceived by IT leaders as an improvement in security.

I disagree.  I believe "watching" people only works when we constantly do it, which costs extreme amounts. The costs are not only technological: the loss of employee experience can hurt your employer's brand.

Let's first agree the study dealt with qualitative data. Even quantitative data over increased attacks should be carefully interpreted: how could we isolate the variable "working away from office's surveillance" to identify causality? In my opinion, the results from the survey express more the concerns of IT leaders over a perceived loss of control over employees' behaviours rather than a true spike in breaches due to changing work habits. My hypothesis is that remote work did not change behaviours significantly. Charlie will click on that phishing, wherever the lure lands.

From the employee's side, it is clear that the benefits of remoteness should stay. A recent survey from Virgin Media reveals that 76% of workers intend to add remote work days to prolong their time abroad. And the fear-mongering essay I have linked will not change that.

The CEO of Tessian does reinforce my position by concluding that the hybrid workforce is not going away and our best bet is doubling down on building a security culture to inspire rather than scare employees into compliance. The positions are echoed in this recent article from CPO Magazine which suggests a shift to "zero trust" (I hate the buzzword too, bear with me!)  Access to systems should be bound to identities rather than networks, and the identity should be analyzed within its context (location, device, apps, etc.).

If we detect Suzan is accessing European PII from her trip to Hawaii, our systems should know that access to this data must be blocked. And the same systems should inform Suzan of said restriction... Unless you want her to ask "Ha-WHY can't I see this?"

Legal Jam

🧑‍⚖️Cost of a Breach

T-Mobile had to pay $350 million as part of a class action lawsuit for a 2021 hack that exposed the mobile data of 77 million users. A supplemental $150 million was promised to enhance cybersecurity. Cost per record: $6.50. This is the fifth major breach affecting T-Mobile in the past five years. My theory is T-Mobile is paying up parts of an immense technical debt, with interest. Interesting, right?

🐾There is always a way

Researchers from the New Jersey Institute of Technology have demonstrated a new passive fingerprinting technique using time-based side channels. The attack goes like this:

• Select a list of emails you want to track online (example: potential customers)
• Add them to a Google Document access list
• Embed the Google file on a website
• When the victim visits the site, if the victim has access to the document, the browser will cache the contents automatically, thereby sending the e-mail address that is stored in the browser to the attacker via Google Doc.

This is a way to circumvent current tracking technologies and could be used by "borderline" unethical marketing and advertising companies. Somehow I guess this will result in even more contrived privacy policies.

🏥Cyber-criminals Crossing a Line

Cyber-crime, to me, always had a "redeeming quality" in that its acts were non-violent. However, there are two news stories about recent ransomware attacks striking healthcare companies leading to loss of services that show that no moral boundary stops criminals, whether they are "cyber" or whatever. This may be the silver lining of living in Quebec where we have the worst ER waiting time in the western world: you cannot get hit by ransomware when everything is still paper and fax.

Quick Hits

🦠Log4Shell Endemic, say authorities

In the least surprising news of the week, Cyber Safety Panel warns system administrators that they will be stuck patching vulnerable Java library Log4J for years to come. We are still fixing the Y2K bug. No surprises here. What's really interesting is the existence of the panel itself, which was created as part of the May Presidential Order. Hopefully, it kicks fewer open doors when it is fully alive and kicking.

🚅Starting out?

I think I found the best guide if a friend asks how they could start building a security program in their company. It even tries to answer the fundamental question of why you would want to inflict cybersecurity on your organization! (For puns, of course).

✔️Does SOC 2 suck too much?

A very long read from fly.io thoroughly explains the SOC 2 verification. As a self-professed SOC 2 Jedi, I loved getting an engineer's perspective on the process and how SOC 2 *gasp* actually helped the company. I was pretty surprised to see that the company convinced auditors to forego background checks! I will one day write an essay on SOC 2. What I will say right now is that there is such a thing as "good" and "bad" SOC 2, just like you can have "good" and "bad" dentists, lawyers, or accountants despite all of them being "certified". Now please Tweet me how you picture a SOC 2 Jedi.

🦹Protect your Repo from the Repo Man!

Aqua Security just released the Center for Internet Security (CIS) Software Supply Chain Security Guide. I am very excited about how vendors and the community will adapt these. Engineers clearly wrote the guide with experience in building dev tooling. Many policies can be automated in repository and pipeline settings. One can imagine as well GitHub launching proactive audits of these for enterprise customers. Great DevSecOps work. Here's a happy puppy:

🧑‍✈️GitHub Copilot and abstraction

As a follow-up to my latest newsletter, the CEO of Wasp has interesting thoughts on the evolution of ML-assisted coding. Essentially, ML should enable us to deliver languages and frameworks that do to current ones what garbage collection, data structures and memory management did to assembly language. What, you really thought the future would be made of fewer languages?

🪟Microsoft Returns to Windows Versions

A new report suggests Windows will continue its numerical increments after all for what appears to solely be marketing reasons. My big question is whether Microsoft will go through with Windows 13! I can already write the jokes for the bugs!

🤖How much do you trust Android Developers?

In what seems like another bizarre move from tech giants, Google will now require developers to describe their app's data collection practices on the Play Store instead of automatically filling them on their behalf. I believe this move comes from a legal assessment. Google probably feels allowing the public to have bad information from developers that are 100% liable is preferable to being responsible to give accurate information.

🎨DALL-E Beta is open!

New AI-based image generator DALL-E (as in: Salvator Dali and WALL-E's child) is now in beta. I strongly believe DALL-E will have a greater cultural impact than GPT-3. Words are very close to our personality, whereas making beautiful pictures is out of most people's grasp. I can't wait to see whether it allows generating images so unique that NFT minting could be possible. AI-generated NFTs: I finally have all the buzzwords I need.

This is what Unsplash gets me for "Pizza Robot"

💲Startup Markets

An informative essay was published on the upcoming hard times in the tech economy. Essentially, Covid policies lead to an excess of low-interest money, which created hiring sprees and inflated fundraising. Private companies will get back to "normal" in the upcoming months, meaning those who went on a binge will get their hangover. The author further advises "cutting deeper than is needed and then rehire later versus doing multiple layoffs spread out in time". This is where I add that the author has a manga character as a Twitter photo.

🦊For Firefox's sake!

Did you know Firefox 100 was launched this May? Me neither. This blog chronicles the rise and fall of what was once the prime destination for privacy enthusiasts. Everybody wants Firefox to succeed because it is the only major browser left not running in the Chromium engine. I departed 3 years ago to Opera and every foray back into Firefox lead me to the same resource hoarding problem. I agree with the article: time to move on. What does the Fox say?

(You got the song stuck in your head now, don't you?)

This week's rant: Tiktok's dominance, Facebook's decline

Did you know anyone under 20 has been watching more Tiktok than YouTube for the past two years? The Chinese app also topped Instagram in 2021 as the favourite social media for teenagers.

To me, it means one thing: Tiktok is cool like Facebook was cool in 2010. Facebook nowadays is dealing with a declining user base,  its first-ever revenue loss. Furthering Meta's troubles, BeReal, advertised as an "anti-Instagram", has been steadily growing. As a reaction, Facebook intends to Tiktok itself by ripping off the cool app. They say imitation is the sincerest form of flattery, do they?

Speaking of which, Microsoft hilariously decided to announce its new Teams feature that - and you can't make this up! - will shamelessly rip off the original Facebook interface! The most uncool workplace app making a knock-off of the now-uncool app to raise its cool! How ya doin' fellow kids?

This unexpected decline of Meta carries both good and very bad news. On the good side, Meta's changing focus could mean it is shifting away from some of its most controversial algorithmic failures outlined in the Facebook papers in favour of online shopping and "intentional" search and discovery.

On the very bad news side,  recent research from BuzzFeed reveals the extent to which Chinese authorities can harvest Tiktok user data and apply a "soft" influence over the contents that Tiktok's recommendation algorithm shows.

Tiktok responded by revoicing its commitment to move its US operations to the Oracle Cloud. As part of the shift, its Global Chief Security Officer quietly left the company which, let's be honest, is bad PR at best.

Should we quit Tiktok over these legitimate concerns of government surveillance and indirect propaganda? This is a choice that each individual must make. Here on ppfosec, I want to provide you with education to help you make the best decisions about your online life. I chose to accept the risk and remain a creator on Tiktok for the moment, although new information could change my choice. My choice is driven by my enjoyment of the video editing interface and the possibility to connect with a younger audience.

That said, I would strongly advise any up-and-coming influencer to not make Tiktok its primary revenue and brand-building stream. The probability of Tiktok becoming a proxy for the rivalry between the West and the China Communist Party appears way too high for anybody to risk putting their livelihood into Tiktok's hands. Let's face it: Tiktok does sound like "toxic" when you say it multiple times very fast.