At a glance.
- Social media companies decide to cease cooperation with Hong Kong data requests.
- TikTok receives more hostile scrutiny in Australia and the US.
- Home routers found to be a security and privacy mess.
Social media reviews their relations with Hong Kong police.
Major social media companies have decided to curtail their cooperation, at least for now, with requests for data from Hong Kong police, the New York Times reports. Facebook, Google, and Twitter are all pumping the brakes on providing requested information. The decision is motivated by concerns over the implications of China's new National Security Law. More surprising is TikTok's decision to cease operations in the formerly autonomous city altogether. TikTok's headquarters are nominally in Los Angeles, but the social medium is wholly owned by Beijing's ByteDance.
TikTok's appetite for user information scrutinized.
Suspicion of Chinese espionage and influence operations against Australian targets has turned attention to TikTok. Whatever virtue signalling the social medium may be engaged in over Hong Kong and the National Security Law, Members of Australia's Parliament have called for a ban on the video-sharing platform. Senator Molan, deputy chair of the Parliamentary inquiry into Foreign Interference through Social Media, told the Guardian that TikTok might be considered “a data collection service disguised as social media.”
TikTok is also under scrutiny in the US, where Secretary of State Pompeo said that the Government was actively considering banning the social platform.
Fraunhofer Institute confirms: home routers don't get updated and are usually poorly secured.
The Fraunhofer Institute's FKIE unit, based not far from Bonn, has published its study of home routers, and the results are as dismal as might be expected. They looked at one-hundred-twenty-seven routers developed by seven different major vendors (that is, AVM, ASUS, Netgear, D-Link, Linksys, TP-Link, and Zyxel). All are widely sold in Europe. They were able to obtain one-hundred-seventeen of the firmware images. While some vendors, notably AVM, followed by ASUS and Netgear, showed better security than the others, none were found to be without problems. "There is no router without flaws," the report concluded. "46 routers did not get any security update within the last year. Many routers are affected by hundreds of known vulnerabilities. Even if the routers got recent updates, many of these known vulnerabilities were not fixed. What makes matters even worse is that exploit mitigation techniques are used rarely."
Most home routers, more than 90% of them, run on Linux, and in fact most of them run on a Linux 2.6 kernel, which is no longer maintained, and thus is vulnerable to exploitation. Many are still using hard-coded credentials. "To sum it up," the Fraunhofer researchers write, "our analysis shows that there is no router without flaws and there is no vendor who does a perfect job regarding all security aspects. Much more effort is needed to make home routers as secure as current desktop or server systems."
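The three findings above (an unmaintained 2.6 kernel, hard-coded credentials, and binaries shipped without exploit mitigations) are the kind of thing a defender can check on an extracted firmware image. The following is an added example, not part of this briefing or of the Fraunhofer study's own tooling; it assumes the kernel image and the /etc/passwd text have already been carved out of the firmware, handles only 32-bit ELFs (the usual router case), and uses the NX stack flag (PT_GNU_STACK) as the single mitigation it checks. All sample inputs are constructed.

```python
import re, struct

PT_GNU_STACK, PF_X = 0x6474E551, 0x1          # ELF program-header type and execute flag
KERNEL_RE = re.compile(rb"Linux version (\d+)\.(\d+)\.(\d+)")

def kernel_is_eol(kernel_blob: bytes):
    """Locate the 'Linux version x.y.z' banner in a kernel image; 2.6 and older get no upstream fixes."""
    m = KERNEL_RE.search(kernel_blob)
    return None if m is None else (int(m.group(1)), int(m.group(2))) <= (2, 6)

def hardcoded_accounts(passwd_text: str):
    """Accounts in /etc/passwd or /etc/shadow text that carry a usable hash, or no password at all."""
    hits = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) < 2 or line.startswith("#") or fields[1] in ("x", "*", "!", "!!"):
            continue  # malformed, comment, deferred to shadow, or locked account
        hits.append((fields[0], "empty" if fields[1] == "" else "hash"))
    return hits

def stack_is_executable(elf: bytes) -> bool:
    """32-bit ELF (the usual router case): True unless PT_GNU_STACK marks the stack non-executable."""
    if elf[:4] != b"\x7fELF" or elf[4] != 1:
        raise ValueError("expected a 32-bit ELF image")
    e = "<" if elf[5] == 1 else ">"                   # EI_DATA: 1 = little-endian, 2 = big-endian
    phoff, = struct.unpack_from(e + "I", elf, 0x1C)
    phentsize, phnum = struct.unpack_from(e + "HH", elf, 0x2A)
    for i in range(phnum):
        base = phoff + i * phentsize
        p_type, = struct.unpack_from(e + "I", elf, base)
        if p_type == PT_GNU_STACK:
            p_flags, = struct.unpack_from(e + "I", elf, base + 24)
            return bool(p_flags & PF_X)
    return True  # no PT_GNU_STACK at all: the toolchain never requested a non-executable stack

def fake_elf32(stack_flags: int, big_endian: bool = True) -> bytes:
    """Constructed fixture: a minimal MIPS ELF32 header followed by one PT_GNU_STACK program header."""
    e = ">" if big_endian else "<"
    ident = b"\x7fELF" + bytes([1, 2 if big_endian else 1, 1]) + b"\0" * 9
    hdr = ident + struct.pack(e + "HHIIIIIHHHHHH", 2, 8, 1, 0, 52, 0, 0, 52, 32, 1, 0, 0, 0)
    return hdr + struct.pack(e + "IIIIIIII", PT_GNU_STACK, 0, 0, 0, 0, 0, stack_flags, 16)

# Constructed sample inputs, not taken from any real firmware image.
SAMPLE_KERNEL = b"\0" * 8 + b"Linux version 2.6.36 (build@example) #1 SMP" + b"\0" * 8
SAMPLE_PASSWD = "root:$1$abcdefgh$0000000000000000000000:0:0:root:/:/bin/sh\nadmin::0:0::/:/bin/sh\nnobody:*:99:99::/:/bin/false\n"

if __name__ == "__main__":  # stand-alone run against the constructed samples
    print(kernel_is_eol(SAMPLE_KERNEL), hardcoded_accounts(SAMPLE_PASSWD),
          stack_is_executable(fake_elf32(7)), stack_is_executable(fake_elf32(6)))
```

On a real image, run the ELF check over every executable in the extracted root filesystem; a root account with a hash and an executable stack on the web daemon are exactly the combination the study warns about.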
The privacy implications of vulnerable home routers are clear, and the risk is heightened during a period when more people are working from home. We heard from Cerberus Sentinel and KnowBe4, both of whom offered their take on the report.
Chris Clements, VP of Solutions Architecture at Cerberus Sentinel, wrote:
"The current culture of software and firmware development has many built-in perverse incentives that almost guarantee such abysmal security outcomes. Pressure to ship new products as soon as possible, the 'move fast and break things' mentality, means that producing a minimally functional firmware is prioritized above shipping a secure one. Likewise, prioritizing minimal development costs is at odds with hiring internal or external security professionals to review both the design and implementation of products for safety in the real world. Finally, the time delta between product release and discovery of security issues that damage the reputation of the product and brand is often long enough that management responsible for shipping the initial products have long since moved on to other projects or departments and face no accountability for taking shortcuts in security. For product manufacturers to protect themselves from these perverse incentives takes a culture of security and accountability that values long-term success of the company over short-term bumps in apparent profitability and sales. Independent internal or external groups should be tasked with auditing and certifying the security of product development to achieve these long-term organizational goals. Likewise, customers of technology products should require evidence that their vendors are following security best practices not only in product development but also in normal business operations to protect themselves from security issues in the products they buy."
Jelle Wieringa, Security Awareness Advocate at KnowBe4, had this to say:
"Most routers in this test are geared towards the consumer and SMB market. And while it is an enormous risk that vendors do not update their firmware to fix security issues, it is also important for them to inform users of the possible risks associated with the security flaws of unpatched routers. Since routers are often the only line of defense for home users and small businesses, it is critical they are kept up to date. The end-users need to be aware of the importance and risks of unpatched software, and vendors need to take responsibility for security seriously."