Chinese surveillance tech pulled from US retailers
Home Depot, Lowes, and Best Buy have pulled all products from the Chinese brands Lorex and Ezviz over their ties to human rights abuses. The brands sold surveillance camera tech in the US. The parent companies of the brands, Dahua and Hikvision, were put on a US economic sanctions list in 2019 after being linked to ongoing suppression of the Uighur Muslim ethnic minority in China. These sanctions did not apply to either company’s subsidiaries, and only applied to purchases by the federal government. Walmart and Costco still list products from Lorex and Ezviz as of this recording.
Microsoft warns of rise in password spraying attacks
Both CISA and Microsoft have recently noted that while high profile supply-chain attacks have used trojanising software updates, password guessing and password spraying administrative accounts for initial access is also on the rise. While such attacks have a 1% success rate, Microsoft estimates that more than a third of account compromises come from password spraying. Microsoft’s Detection and Response Team outlined two approaches to these attacks. ‘Low and slow’ is a sophisticated attack using “several individual IP addresses to attack multiple accounts at the same time with a limited number of curated password guesses.” The other is ‘availability and reuse,’ which is essentially credential stuffing using logins obtained on the dark web. Microsoft notes that cloud administrators have seen a marketed uptick in password spraying attacks, with the Nobelium threat group increasingly using it against managed service providers.
The FTC is looking into the Facebook Files
The Wall Street Journal’s sources say the Federal Trade Commission is looking into whether Facebook’s research documents indicate that it might have violated a 2019 settlement with the agency over privacy concerns. At the time, Facebook paid a $5 billion fine. Former FTC officials say the agency may be determining if Facebook had a legal obligation to warn users about the risks revealed by internal research findings, and if failure to do so constitutes a deceptive business practice. In a statement to the Journal, Facebook said it is “always ready to answer regulators’ questions and will continue to cooperate with government inquiries.”
Biden names FCC chair
US President Joe Biden named acting FCC Head Jessica Rosenworcel as official head of the agency Tuesday. Her commissioner spot will be filled by co-founder of lobbying group Public Knowledge, and FCC special counsel Gigi Sohn. If Sohn is confirmed by the US Senate, the FCC would return to a full 5 members, avoiding frequent ties. A tied FCC has not been able to make rulings on important issues like net neutrality and infrastructure investment.
Thanks to our episode sponsor, Banyan Security
China wants a “civilized” internet
Cyberspace Administration of China head Zhuang Rongwen said the country will reinforce efforts to build a “civilized” internet, using the reach of the internet to “let the party’s innovative theories ‘fly into the homes of ordinary people'”. Rongwen called on tech platforms to improve their self-discipline and to better publicize positive role models for younger users, rather than foster cyberbullying. This comes during an ongoing crackdown in China of large tech platforms across industries, which has seen the government walk back tech mergers, enforce codes of conduct, and break up monopolies.
FCC blocks China Telecom in the US
The Federal Communications Commission unanimously voted to block China Telecom Americas from the US market, saying that despite being a US subsidiary, it was still “subject to exploitation, influence, and control by the Chinese government.” China Telecom is required to discontinue any domestic or international services that it provides within 60 days of the order. Trouble for China Telecom started in 2020, when the Department of Justice recommended terminating the company’s authorization to operate in the US for failing to live up to a 2007 DOJ agreement and providing inaccurate information about where the company stores US records.
Twitter requires security keys following hack
Last year, Twitter experienced a hack impacting a number of high-profile accounts. This was possible after the attacker stole Twitter employees’ credentials using a phone spear-phishing attack on July 15, 2020. Twitter now says after the attack, it migrated employees from legacy 2FA using SMS or authenticator apps to security keys in less than three months, with security keys now mandatory for accessing any internal system. On the user’s side, despite rolling out fairly comprehensive 2FA support for web and mobile, only 2.3% of all active accounts used any 2FA method between July and December 2020. Of those 79.6% used SMS-based 2FA, with only 0.5% using security keys.
The EU doesn’t lend a hand to Nvidia’s Arm deal
The European Union launched a formal competition investigation into Nvidia’s planned acquisition of the chip maker Arm from SoftBank. This was originally announced in September 2020 and valued at $40 billion. The main concern of EU regulators will be maintaining Arm’s licensing neutrality, with an acquisition by Nvidia potentially making it harder for other firms to license Arm chip designs. Nvidia CEO Jensen Huang said the company is committed to maintaining Arm’s open licensing model, but the EU found this “insufficient to clearly dismiss its serious doubts as to the effect of the transaction.” The UK’s Competition and Markets Authority has also recommended a deeper investigation into the deal, and it’s possible the US and China could launch investigations as well.