Mornings With Mark

Cybersecurity is a major topic when it comes to modern elections. With Canada probably going to the polls in the fall, discussion is heating up about the potential impact of cybersecurity this election cycle. The good news? Canada's election infrastructure is well protected. The challenge will be with various political parties and their campaigns as well as the influence of social media and the players there. In this episode, we break down the top two cybersecurity issues facing the campaigns themselves and what they can do about it. References: the CSE report on electoral process security, https://cyber.gc.ca/en/guidance/cyber-threats-canadas-democratic-process/page2 the Chief Electoral Officer's concerns about political party and campaign cybersecurity. https://www.cbc.ca/news/politics/electoral-officer-parties-cybersecurity-1.5006055 the new election monitoring team at the federal level, https://www.cbc.ca/news/politics/election-interference-panel-1.4998409

Security research can be a tricky thing. Depending on where you are and what jurisdiction you fall under, the research you conduct may be illegal. That can give companies who are resistant to outside researchers the ammo they need to strong arm research teams. What's the best way forward? There are no clear answers but the first step is definitely an understanding of the risk. The second is to be aware that researching a vendor with a bug bounty program or using a third party broker can help mitigate that risk but there is no silver bullet here. The next steps? Lots of discussion and awareness...lets get started. References; original article on SecJuice.com, https://www.secjuice.com/security-researcher-assaulted-ice-atrient/ a sampling of the Twitter discussion, https://twitter.com/Secjuice/status/1092877050527076353?ref_src=twsrc%5Egoogle%7Ctwcamp%5Eserp%7Ctwgr%5Etweet US criminal code reference, https://www.law.cornell.edu/uscode/text/18/1030

Cryptocurrencies have dropped in popularity and value but cybercriminals continue undeterred. Cryptocurrency plays an important role in the digital underground and provides a direct profit engine for cybercriminals when them compromise systems at scale. But the biggest thefts come via exchanges. Cryptocurrencies are just digital files and that means they are a high value, easy to get target for criminals. the report from Chainalysis, https://blog.chainalysis.com/2019-cryptocrime-review (sign-up required) Andrew Liptak for The Verge on the QuadrigaCX drama,https://www.theverge.com/2019/2/3/18209586/cryptocurrency-quadrigacx-loses-190-million-founder-died-password cryptojacking research from Trend Micro, https://www.trendmicro.com/vinfo/us/security/news/cryptocurrency-mining

Facebook continues to do anything they can to build data profiles on users. This week it was revealed that they shifted their Onavo efforts to a new "research" project where they targeted 13-35 year olds via 3rd party market research companies. Users where then guided to installed a customer application that provided deep access to their data. For this they were compensated about $20/month. Ethics aside. Apple developer policies aside. Is $20/month worth trading off your privacy for? References: Josh Constantine for TechCrunch on the initial VPN app scheme, https://techcrunch.com/2019/01/29/facebook-project-atlas/ details on Apple's enterprise application options, https://developer.apple.com/business/integrate/ Josh again on Apple's reaction to the situation, https://techcrunch.com/2019/01/30/apple-bans-facebook-vpn/ Yael Grauer for Motherboard on the data broker industry, https://motherboard.vice.com/en_us/article/bjpx3w/what-are-data-brokers-and-how-to-stop-my-private-data-collection research fro

GDPR has been in effect for a few months and we're starting to see the first major rulings. Google was just hit with a 50m Euro fine for not being clear enough in their intentions with user data. Is this a turning point? While regulation and legislation is typically followed to the letter, there are a lot of areas of GDPR that have specific intent that might not line up with the language. Cases like this help provide clarity to those areas. References: Jon Porter for The Verge on the 50m Euro fine, https://www.theverge.com/2019/1/21/18191591/google-gdpr-fine-50-million-euros-data-consent-cnil Jon again on what information he received from an access request, https://www.theverge.com/2019/1/27/18195630/gdpr-right-of-access-data-download-facebook-google-amazon-apple

The 10 Year Challenge is sweeping social media right now. It's a harmless way of looking back at yourself—and everyone else—a decade ago...or is it? Is there something more to this challenge? Something very big brother tied to facial recognition? References: the tweet that kicked off the "big brother" thinking, https://twitter.com/kateo/status/1084199700427927553 an overview of the challenge from The Vox, https://www.vox.com/the-goods/2019/1/16/18185256/10-year-challenge-facebook-meme analysis from Wired, https://www.wired.com/story/facebook-10-year-meme-challenge/ // MWM Y2 006

Network security is struggling to keep up with the reality of how organizations are build and connect today. From hybrid network (on-premises and in the cloud) to large mobile user bases, traditional network security—push everything through a choke point—is well past it's best before date. What's next? Current it looks like zero trust or lean trust designs will solve the most problems in the most efficient way. But is there a difference between the two? Is one name more accurate or better than the other? References; kick off post by Barry Fisher at Cisco, https://blogs.cisco.com/security/forresters-zero-trust-or-gartners-lean-trust Gartner's lean trust approach with CARTA, https://www.gartner.com/smarterwithgartner/the-gartner-it-security-approach-for-the-digital-age/ Forrester's zero trust architecture, https://www.forrester.com/report/Five+Steps+To+A+Zero+Trust+Network/-/E-RES120510# Google's BeyondCorp, https://cloud.google.com/blog/products/gcp/preparing-beyondcorp-world-your-company // MWM Y2-005

It's not uncommon for cybercriminals to combine multiple data sets in order to increase their chances of finding valid user credentials. Security researcher Troy Hunt found the mother of all collections, dubbed "Collection #1". This roll up contains 773M sets of credentials from various breaches. But why does this work for cybercriminals? Is it an effective technique? References: Troy Hunt on the data collection: https://www.troyhunt.com/the-773-million-record-collection-1-data-reach/ Wired's article on the collection: https://www.wired.com/story/collection-one-breach-email-accounts-passwords/ // MWM Y2-004

Data is extremely valuable. We've seen that with data brokers, social media giants, and almost every company out there. The current attitude is to gather all the data possible, save it forever, and monetize it later on. That's problematic for a number of reasons. It's hard to manage that much data leading companies to simply allow internal access and prevent "outsiders". It also makes a tempting target for hackers. What to do? Maybe tidy up a bit? Take some inspiration from Marie Kondo and asked some key questions about the data your collecting.

Three articles this week each touching on smartphone data highlight a much bigger issue. Each of these articles remind us how much data our phones generate and how valuable that data is. Yet we don't treat that data as valuable. It's packaged and resold with no compensation to the owner of that data...if they are even aware that the data exists and is being sold. This is a huge issue and one we should be tackling again and again until things change. References: Joseph Cox for Motherboard on spending $300 to get a phone's location, https://motherboard.vice.com/en_us/article/nepxbz/i-gave-a-bounty-hunter-300-dollars-located-phone-microbilt-zumigo-tmobile Blackberry CEO John Chen on how they would break their own encryption is legally asked, https://www.forbes.com/sites/thomasbrewster/2017/10/25/blackberry-ceo-well-try-to-break-our-own-encryption-if-feds-demand-it/#1b9453ef6977 Facebook is coming preinstalled on Samsung phones is appears to be impossible to delete, https://www.standard.co.uk/tech/why-you-might-

2019 is in full effect and I'm stumbling?!? Planning for a new year is exciting but can also be challenging. When I sat down to plan out 2019 vlogging and what topics to handle around security and privacy, I see a massive opportunity. But that opportunity can be challenging to break down into manageable pieces...

150th episode! As I wind down for the year, I always try to look back at what has worked and what hasn't. This show has evolved from a simple "get some ideas out there" to a regular view on how security privacy impacts our technology and our communities. At the same time, the audience has grown. What should the aim be for 2019? What type of content would you like to see? What formats? Please let me know...

Names matter. They help a community come together around a singular concepts. But what happens when definitions and usage differ?

Sometimes things don't go as expected. That can be frustrating and unfortunate...but also an opportunity to learn.

How much can one jurisdiction affect the internet? Turns out, a lot. Recent actions by the US and Australia are having and could have a disproportionate impact on our online communities. More on the Australian encryption law: https://techcrunch.com/2018/12/10/silicon-valley-denounce-australia-encryption-law/ More on the US FOSTA & SESTA: https://www.teenvogue.com/story/how-tumblrs-porn-ban-could-put-sex-workers-at-risk

Security metrics are hard. But that doesn't mean you should ignore them. In fact, a lot of teams are measuring the WRONG things which leads them down a path where efforts are being spent in areas that aren't driving to their bigger goals.

Fortnite is an international sensation. Despite being truly free-to-play, they are making a lot of money by continually improving the game experience, balancing the in-game economics, and other critical factors. There is a ton to learn here about delivering a service. Security and IT teams really should look to this type of service in order to improve user engagement and buy-in.

A lot going on around a central theme of data privacy. Australia passes a new law that enables the government to force companies to help law enforcement access data...even if it means breaking systems. This law passed despite strong opposition from technology companies, security experts, and others. At the same time, Huawei's CFO was arrested transiting through Canada...apparently for violating US sanctions. Another step towards pushing Huawei equipment out of western networks for rumoured backdoors. On a positive swing, Apple continues to advance the idea of "differential privacy' with a new research paper. This is an area to watch. Continuing to the positive, the Government of Canada published new guidelines around IT systems. They are defaulting to open code and open data formats. Lot's to think about...

After a jam packed AWS re:Invent 2018, I've been thinking about how to deliver information to an audience. One of the challenges is delivering that information with enough context that it makes sense to that audience. This is where a lot of security teams fall down. They put out the bare minimum amount of information about an initiative or challenge and—while users might comply—it leaves their users in the dark. There's no need for that.

When you are trying to get a message out to a lot of people, it's not realistic to try and get them all back to you digital properties. So what do you do? How do you manage trying to hold the same conversations in multiple places? How do you monitor what's working?