Robert Grupe's AppSecNewsBits 2024-08-25

This week’s news roundup newsletter ... SolarWinds Again, NationalPublicData.com, DNS Namespace Collisions, Georgia Tech Sued for NIST 800-171 Non-Compliance, Telegram Arrest for Unmoderated Content, New PCI Client-Side Security Requirements

EPIC FAILS in Application Development Security practice processes, training, implementation, and incident response
SolarWinds left critical hardcoded credentials in its Web Help Desk product
SolarWinds left hardcoded credentials in its Web Help Desk product that can be used by remote, unauthenticated attackers to log into vulnerable instances, access internal functionality, and modify sensitive data. A vulnerability researcher found and disclosed the flaw to SolarWinds on Friday and has promised to release more details about the bug next month. Hanley also urged orgs to install the hotfix as soon as possible. He noted that upon applying the patch, "requests to non-existent pages on patched instances will return no content / content-length 0."
This latest emergency patch comes about a week after CISA added a different critical WHD flaw to its Known Exploited Vulnerabilities catalog. This one, tracked as CVE-2024-28986, is a Java deserialization remote code execution vulnerability that, if exploited, allows an attacker to run commands on the host machine. It earned a 9.8 CVSS score, and it's unclear who is exploiting this vulnerability.

 

National Public Data Published Its Own Passwords
The background search service recordscheck[.]net was hosting an archive that included the usernames and passwords for the site’s administrator. A review of that archive shows it includes the source code and plain-text usernames and passwords for different components of recordscheck[.]net, which is visually similar to nationalpublicdata[.]com and features identical login pages. The exposed archive, named “members[.]zip,” indicates RecordsCheck users were all initially assigned the same six-character password and instructed to change it, but many did not. The passwords included in the source code archive are identical to credentials exposed in previous data breaches that involved email accounts.
The files had been stolen or at least created on December 25, 2022. This date could indicate that the threat actor gained access to a backup server where the data was stored.

 

Hardware Backdoor Discovered in RFID Cards Used in Hotels and Offices Worldwide
Cybersecurity researchers have uncovered a hardware backdoor within a particular model of MIFARE Classic contactless cards that could allow authentication with an unknown key and open hotel rooms and office doors. The secret key is common to all existing FM11RF08S cards, and the investigation found that "the attacks could be executed instantaneously by an entity in a position to carry out a supply chain attack." Compounding matters further, a similar backdoor has been identified in the previous generation, FM11RF08, that's protected with another key. The backdoor has been observed in cards dating back to November 2007.
The backdoor and its key "allows us to launch new attacks to dump and clone these cards, even if all their keys are properly diversified."
An optimized version of the attack could speed up the process of cracking a key by five to six times by partially reverse engineering the nonce generation mechanism.

 

Toyota confirms third-party data breach impacting customers
ZeroSevenGroup (the threat actor who leaked the stolen data) says they breached a U.S. branch and were able to steal 240GB of files with information on Toyota employees and customers, as well as contracts and financial information. They also claim to have collected network infrastructure information, including credentials, using the open-source ADRecon tool that helps extract vast amounts of information from Active Directory environments.

 

Local Networks Go Global When Domain Names Collide
The proliferation of new top-level domains (TLDs) has exacerbated a well-known security weakness: Many organizations set up their internal Microsoft authentication systems years ago using domain names in TLDs that didn’t exist at the time.
At issue is a well-known security and privacy threat called “namespace collision,” a situation where domain names intended to be used exclusively on an internal company network end up overlapping with domains that can resolve normally on the open Internet. While that may sound like a bonkers way to design a corporate authentication system, keep in mind that many organizations built their networks long before the introduction of hundreds of new top-level domains (TLDs), like .network, .inc, and .llc.
Several researchers are seeking to chart the size of the namespace collision problem. Their analysis determined that some TLDs had far more exposed domains than others, and that about 20 percent of the domains they found ending in .ad, .cloud and .group remain unregistered. They found a domain registrar that would sell them the domain for $160 and handle the trademark registration for another $500.
Immediately after setting up a DNS server for memrtcc[.]ad, they began receiving a flood of communications from hundreds of Microsoft Windows computers trying to authenticate to the domain. Each request contained a username and a hashed Windows password, and a search of the usernames online indicated they all belonged to police officers in Memphis, Tenn.
Domain administrators have long been encouraged to use .local for internal domain names, because this TLD is reserved for use by local networks and cannot be routed over the open Internet. However, many organizations seem to have missed that memo and gotten things backwards — setting up their internal Active Directory structure around the perfectly routable domain local[.]ad.
The researchers “defensively” registered local[.]ad, which they said is currently used by multiple large organizations for Active Directory setups, including a European mobile phone provider and the City of Newcastle in the United Kingdom.
Security researchers have been beating up on WPAD for more than two decades now, warning time and again how it can be abused for nefarious ends.
After setting up a server on wpad[.]ad to resolve and record the Internet address of any Windows systems trying to reach Microsoft SharePoint servers, they saw that over one week it received more than 140,000 hits from hosts around the world attempting to connect.
Microsoft had actually used corp[.]com as an example of how one might set up Active Directory in some editions of Windows NT. Worse, some of the traffic going to corp[.]com was coming from Microsoft’s internal networks, indicating some part of Microsoft’s own internal infrastructure was misconfigured. When O’Connor said he was ready to sell corp[.]com to the highest bidder in 2020, Microsoft agreed to buy the domain for an undisclosed amount.

 
110K domains targeted in 'sophisticated' AWS cloud extortion campaign
Security shop Cyble released some research this week after finding 110,000 domains targeted by attackers exploiting misconfigured .env files, which typically contain secrets such as hard-coded cloud access keys, SaaS API keys, and database login information. Those in the study who eventually found their S3-stored data replaced with a ransom note had exposed their environment variables, failed to refresh credentials regularly, and didn't adopt a least-privilege architecture.
Attackers zeroed in on unsecured web applications, scanning for environment files that exposed identity and access management (IAM) keys.
Once acquired, the crims ran the GetCallerIdentity API call to verify the data inside, the ListUsers API request to enumerate the IAM users in the AWS account, and the ListBuckets API request to find all the S3 buckets.
These access keys didn't have the admin privileges the attackers were after, but they did allow for the creation of new IAM roles to which policies could be applied, ultimately allowing them to escalate their privileges to those with unfettered access.
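As an added defender-side example (not from Cyble's research or this newsletter), the recon-then-escalation sequence described above expressed as a CloudTrail detection: one access key issuing GetCallerIdentity, ListUsers and ListBuckets and then an IAM privilege-escalation call within a short window. The sample events, key IDs and IP addresses are constructed placeholders.

```python
"""Detect the leaked-key abuse pattern in CloudTrail events: one access key
issuing the recon calls (GetCallerIdentity, ListUsers, ListBuckets) and then
an IAM privilege-escalation call within a short window.
Sample events below are constructed; field names mirror CloudTrail's."""
from collections import defaultdict
from datetime import datetime, timedelta

# Calls the campaign used to learn what a key harvested from .env can reach.
RECON_CALLS = {"GetCallerIdentity", "ListUsers", "ListBuckets"}
# Calls that turn a low-privilege key into a high-privilege identity.
ESCALATION_CALLS = {"CreateRole", "AttachRolePolicy", "PutRolePolicy",
                    "CreateUser", "CreateAccessKey", "AttachUserPolicy"}


def _event(time, name, ip, key, user):
    """Build a minimal CloudTrail-shaped record (constructed sample data)."""
    return {"eventTime": time, "eventName": name, "sourceIPAddress": ip,
            "userIdentity": {"accessKeyId": key, "userName": user}}


# Constructed sample: key IDs and IPs are placeholders, not real values.
SAMPLE_EVENTS = [
    # Leaked deploy key: recon burst, then role creation, all from one new IP.
    _event("2024-08-20T10:00:01Z", "GetCallerIdentity", "203.0.113.7", "AKIAEXAMPLELEAKED01", "deploy-bot"),
    _event("2024-08-20T10:00:09Z", "ListUsers", "203.0.113.7", "AKIAEXAMPLELEAKED01", "deploy-bot"),
    _event("2024-08-20T10:00:15Z", "ListBuckets", "203.0.113.7", "AKIAEXAMPLELEAKED01", "deploy-bot"),
    _event("2024-08-20T10:04:40Z", "CreateRole", "203.0.113.7", "AKIAEXAMPLELEAKED01", "deploy-bot"),
    _event("2024-08-20T10:04:55Z", "AttachRolePolicy", "203.0.113.7", "AKIAEXAMPLELEAKED01", "deploy-bot"),
    # Legitimate admin creating a role without a preceding recon burst.
    _event("2024-08-20T11:30:00Z", "CreateRole", "198.51.100.2", "AKIAEXAMPLEADMIN001", "alice"),
    # Backup job that only lists buckets and never touches IAM.
    _event("2024-08-20T12:00:00Z", "ListBuckets", "198.51.100.9", "AKIAEXAMPLEBACKUP01", "backup"),
]


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def detect_env_key_abuse(events, window_minutes=30):
    """Return one finding per access key whose first escalation call was
    preceded, within window_minutes, by all three recon calls."""
    by_key = defaultdict(list)
    for event in events:
        by_key[event["userIdentity"].get("accessKeyId", "unknown")].append(event)

    findings = []
    for key, key_events in by_key.items():
        key_events.sort(key=lambda e: _ts(e["eventTime"]))
        for index, candidate in enumerate(key_events):
            if candidate["eventName"] not in ESCALATION_CALLS:
                continue
            escalation_time = _ts(candidate["eventTime"])
            recon_seen, source_ips = set(), set()
            for prior in key_events[:index]:
                age = escalation_time - _ts(prior["eventTime"])
                if prior["eventName"] in RECON_CALLS and age <= timedelta(minutes=window_minutes):
                    recon_seen.add(prior["eventName"])
                    source_ips.add(prior["sourceIPAddress"])
            if recon_seen == RECON_CALLS:
                findings.append({
                    "accessKeyId": key,
                    "userName": candidate["userIdentity"].get("userName"),
                    "escalationCall": candidate["eventName"],
                    "escalationTime": candidate["eventTime"],
                    "sourceIPs": sorted(source_ips | {candidate["sourceIPAddress"]}),
                })
                break  # one finding per key is enough to trigger a key rotation
    return findings


if __name__ == "__main__":
    for finding in detect_env_key_abuse(SAMPLE_EVENTS):
        print(finding)
```

A real pipeline would feed this from the CloudTrail S3 bucket or CloudWatch Logs and rotate any flagged key; the window keeps a legitimate admin who creates roles hours after routine listing calls out of the alert.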

 
CrowdStrike deja vu as 'performance issue' leaves systems sluggish
Earlier this month at DEF CON, CrowdStrike President Michael Sentonas accepted the Pwnie Award for Most Epic Fail and admitted, "we got this horribly wrong."
Some IT administrators suffered a moment of deja vu on Thursday morning as CrowdStrike blamed a cloud service issue for performance problems and lagging boot times affecting some European customers. Luckily for the embattled security vendor and its customers, however, there was no blue screen of death this time around, nor does it appear that this remediation will ruin any admins' weekend plans. CrowdStrike says it has now fixed the problem, and there's nothing to worry about.

 

This uni thought it would be a good idea to do a phishing test with a fake Ebola scare
The message, titled "Emergency Notification: Ebola Virus Case on Campus," went out to the university community on Sunday, August 18. It began, "We regret to inform you that a member of our staff, who recently returned from South Africa, has tested positive for the Ebola virus." The message went on to say that the university has initiated a contact tracing protocol and asks message recipients to "Please Log In to the Access Information Page for more details" – the very activity phishing messages attempt to encourage in order to capture login credentials.
Cybersecurity researcher Marcus Hutchins advised care when simulating phishing attacks. "Phishing simulations run a very high risk of creating distrust and friction between your employees and security team," he wrote. Several months ago, Google security engineer Matt Linton made a similar point, arguing "the information security industry should move toward training that de-emphasizes surprises and tricks and instead prioritizes accurate training of what we want staff to do the moment they spot a phishing email – with a particular focus on recognizing and reporting the phishing threat.

 

HACKING
Ransomware batters critical industries, but takedowns hint at relief
Of the 395 ransomware attacks claimed by criminals last month, over a third (125 or 34 percent) targeted critical industrial organizations.
Followers of infosec news this past year might think that healthcare would be at the top of the list, given the various catastrophes at the likes of Change Healthcare and Synnovis. However, those in the industrial sector were vastly more likely to be targeted, registering nearly three times as many attacks as the next hardest hit, consumer cyclicals.
The trend established last year that found ransomware baddies were using infostealer malware on a much grander scale continues well into 2024. In terms of corporate risk, we have observed that infostealers play a pivotal role in the initial access of the corporate environments. For example, an employee might be searching for an image editing software on their work laptop and downloads a trojanised application through SEO poisoning/malvertising, usually with some infostealer capabilities. This application extracts the system, network, and user information, which could later be sold or used for carrying out follow-up attacks on the user (targeted phishing, etc).
Halliburton probes 'an issue' disrupting business ops
In an August 23 filing with the US Securities and Exchange Commission (SEC), the oil giant said it became aware that an unauthorized third party broke into its computer systems on August 21.
The world's second-largest oil services company was undergoing a cyberattack, and said that the digital intrusion affected business operations at Halliburton's north Houston campus, along with some of its global connectivity networks. According to some reports on social media, the payroll database along with employees' devices were compromised.

 

Hackers may have found an entirely new way to backdoor into Windows systems
Msupedge is designed as a dynamic link library (.DLL) with a particularly distinctive feature of communicating with the C2 via DNS traffic. The technique is known, and has been used by “multiple threat actors. It is nevertheless something that is not often seen.”
They breached the victim devices through a PHP vulnerability that allows remote code execution (RCE). The vulnerability, tracked as CVE-2024-4577, carries a severity score of 9.8/10, making it a critical flaw.

 

Deadbeat Dad Hacks State Registry to Fake His Own Death
Jesse Kipf, a 39-year-old, admitted he was trying to avoid paying the reported $116,000 he owed in back child support payments to his daughter and her mother. To fake his own death, Kipf used stolen credentials belonging to a doctor in another state to log into the Hawaii Death Registry System and fill out the paperwork necessary to create a death certificate for himself. As a result, Kipf was listed as deceased in many government databases. The US Attorney's Office in the Eastern District of Kentucky said, in addition to committing computer fraud to cheat his kid out of cash, Kipf infiltrated several additional businesses, as well as private and government networks, then sold the access he gained on Dark Web forums to the highest bidder.

 

Microsoft Copilot Studio Exploit Leaks Sensitive Cloud Data
Researchers have exploited a vulnerability in Microsoft's Copilot Studio tool allowing them to make external HTTP requests that can access sensitive information regarding internal services within a cloud environment — with potential impact across multiple tenants.
Tenable researchers discovered the server-side request forgery (SSRF) flaw in the chatbot creation tool, which they exploited to access Microsoft's internal infrastructure, including the Instance Metadata Service (IMDS) and internal Cosmos DB instances.
Microsoft responded quickly to Tenable's notification of the flaw, and it has since been fully mitigated, with no action required on the part of Copilot Studio users.

 

Novel technique allows malicious apps to escape iOS and Android guardrails
The novel method involves enticing targets to install a special type of app known as a Progressive Web App. These apps rely solely on Web standards to render functionalities that have the feel and behavior of a native app, without the restrictions that come with them. The reliance on Web standards means PWAs, as they’re abbreviated, will in theory work on any platform running a standards-compliant browser, making them work equally well on iOS and Android. Once installed, users can add PWAs to their home screen, giving them a striking similarity to native apps.

 

Android malware steals payment card data using previously unseen NFC technique
The malware was installed through traditional phishing scenarios, such as the attacker messaging targets and tricking them into installing NGate from short-lived domains that impersonated the banks or official mobile banking apps available on Google Play. Masquerading as a legitimate app for a target’s bank, NGate prompts the user to enter the banking client ID, date of birth, and the PIN code corresponding to the card. The app goes on to ask the user to turn on NFC and to scan the card. Some of the apps used in later months of the campaign came in the form of PWAs, short for Progressive Web Apps. The researchers said NGate or apps similar to it could be used in other scenarios, such as cloning some smart cards used for other purposes. The attack would work by copying the unique ID of the NFC tag, abbreviated as UID.

 

Chinese Hackers Exploit Zero-Day Cisco Switch Flaw to Gain System Control
The threat actor's stealthy exploitation of CVE-2024-20399 came to light early last month, prompting Cisco to issue security updates to address the flaw. The zero-day exploit allows an attacker with valid administrator credentials to the switch management console to escape the NX-OS command line interface (CLI) and execute arbitrary commands on the underlying Linux operating system. The latest attack chain entails breaking into a Cisco switch appliance using CVE-2024-20399 and conducting reconnaissance activities, subsequently pivoting to more network devices and ultimately executing a backdoor binary by means of a malicious script.

 

PostgreSQL databases under attack
Internet-exposed PostgreSQL databases are a favorite target of opportunistic cryptojacking groups and, occasionally, extortionists. They usually take advantage of lax security (e.g., weak passwords) or misconfigurations (e.g., a default configuration that binds PostgreSQL to all network interfaces, including the public one). Currently, Shodan “sees” over 830,000 exposed PostgreSQL databases.

 

APPSEC, DEVSECOPS, DEV
Why OT cybersecurity should be every CISO’s concern
Operational technology (OT) is a blind spot that is often overlooked. Building management systems comprise a slew of hardware and software – lifts; heating, ventilation and air-conditioning (HVAC); door access control systems; as well as the internet of things – which all fall under OT. As we observe greater IT/OT convergence and the growing prevalence of smart buildings, the risk of exposure to cyber threats is larger than ever, and therefore requires a concerted effort to manage such risks. OT that was previously unexposed is now increasingly vulnerable, thanks to the acceleration towards Building 4.0, in which smart sensors are deployed extensively, alongside remote access for predictive analytics.
A prime example of this was when hackers exploited a smart thermometer in a fish tank to gain access to a casino’s network and database. In this case — which was reported in 2018 — hackers allegedly pivoted through the compromised IoT thermometer and stole information from the casino’s high-roller database.
In 2013, security researchers found that they could hack Google Australia’s network through the HVAC system in the company’s building.
In 2016, hackers used the Mirai botnet to launch successful DDoS (distributed denial-of-service) attacks against DynDNS, disrupting websites such as Reddit, Twitter, Amazon, Netflix, and the BBC. As many as 300,000 insufficiently secured IoT devices – including baby monitors and security cameras – were compromised and controlled by such botnets.
In 2022, it was also reported that uninterruptible power supply (UPS) products made by a renowned industrial-equipment manufacturing company were affected by critical vulnerabilities that can be exploited to remotely hack and damage devices.
Ultimately, it all boils down to adequate threat modelling and risk assessment to determine what these risks mean to the enterprise.

 

The Facts About Continuous Penetration Testing and Why It's Important
Continuous Penetration Testing or Continuous Attack Surface Penetration Testing (CASPT) is an advanced security practice that involves the continuous, automated, and ongoing penetration testing services of an organization's digital assets to identify and mitigate security vulnerabilities. CASPT is designed for enterprises with an evolving attack surface where periodic pentesting is no longer sufficient. Unlike traditional penetration testing, which is often performed annually or semi-annually, CASPT is an ongoing process that integrates directly into the software development lifecycle (SDLC), ensuring that vulnerabilities are discovered and addressed in real-time or near-real-time.

 

Companies poorly prepared for TLS transition
Last year, Google announced it was going to reduce the term of TLS certificates from 398 to 90 days to increase security. However, a Venafi survey of 800 IT security decision-makers from the US, the UK, France and Germany found that the majority (94%) of respondents are concerned about the effects of the shortened lifespan. A total of 76% of respondents believed that the shorter validity of TLS certificates would lead to more failures, and 81% believe that this will increase existing challenges in managing certificates. In addition, 75% of the participants fear that this could make them even more insecure.
The survey shows that the shortened lifespan of TLS certificates presents companies with the following problems:

  • Delayed provision:
    Only 8% of security leaders fully automate all aspects of managing TLS certificates across their company. Almost a third (29%) still use their own software and spreadsheets to solve the problem. As a result, it takes an average of two to three working days to provide a certificate.

  • TLS conversion:
    The volume of TLS certificates used in companies has increased steadily in recent years due to the increasing adoption of the technology. Almost all (95%) security leaders say digital transformation initiatives increased their organization’s use of SSL/TLS by an average of 36% in 2023. As a result, the average company now manages 3,730 TLS certificates — a number that is expected to increase by 39% to over 5,000 by 2026.

 

Navigating PCI DSS 4.0: Essential Tips for Web Application Security
While the PCI DSS 4.0 requirements document is quite extensive, there are three key areas related to application protection that organizations must address.

  1. Deploying a web application firewall to safeguard websites
    For starters, PCI DSS 4.0 requires the use of a web application firewall (WAF) to safeguard websites. This is a notable shift from PCI DSS 3.2.1 where WAF protection was merely a best practice.

  2. Preventing business logic attacks
    As organizations rely more heavily on APIs to run their business and APIs in turn rely on multiple integrations from various third parties, business logic can easily be exposed and exploited for malicious purposes. Companies should implement a solution designed to analyze business logic and detect API requests that abuse or bypass application features and functionalities. PCI DSS 4.0 has also strengthened rules on authentication and authorization, requiring the identification and authorization of access to cardholder data.

  3. Implementing client-side protection
    Even when organizations do their best to protect customers’ personal data in their server-side application environments, the information that end-users enter on the browser side can be exposed to third-party services embedded in the applications. By exploiting vulnerabilities to plant malicious code in those third-party services, hackers can launch formjacking and skimming attacks and steal personal information from hundreds of thousands of customers without the customers or the company knowing. Standard WAFs do not have visibility into the data path between end users and third-party applications, and therefore cannot detect or stop these types of attacks.

PCI DSS 4.0 now requires upholding the integrity of all payment page scripts executed in the consumer’s browser, including those from third-party sites. Robust controls are needed to secure all elements that interact with the consumer’s browser, especially for payment transactions. New PCI DSS 4.0 requirements are also mandating a tamper-detection mechanism. This required mechanism promptly alerts organizations about unauthorized alterations to HTTP headers and payment page content as perceived by the consumer’s browser.
To comply with these requirements, organizations should look for a client-side protection solution that can provide complete visibility to third-party scripts that are running on the browser side of an application. Continuous, automatic discovery of the application supply chain ensures that there are no third-party domains or scripts that go unaccounted for.
An effective client-side protection solution should also assess a threat-level for each service and script with detailed activity tracking and alerts. It should notify organizations of any attempts to manipulate form and payment pages as well as any attempts at DOM XSS. In addition, organizations should look for a solution that uses a positive security model—one designed to enforce protection by surgically blocking nefarious scripts without disrupting legitimate business traffic.
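An added example, not from the article or any vendor's product, of the kind of baseline and tamper check the script-integrity and tamper-detection requirements described above call for: authorized payment page scripts are pinned by Subresource Integrity (SRI) hash, and a monitor compares a fresh snapshot of the page, its script bytes and selected HTTP headers against that baseline. All scripts, pages, headers and domains below are constructed.

```python
"""Baseline and tamper-detection check for a payment page: authorized scripts
are pinned by Subresource Integrity (SRI) hash, and a monitor compares a fresh
snapshot of the page, its scripts and selected HTTP headers against that
baseline. Everything below is constructed sample data."""
import base64
import hashlib
import re


def sri_hash(script_bytes, algo="sha384"):
    """Return the SRI string browsers expect in <script integrity="...">."""
    digest = hashlib.new(algo, script_bytes).digest()
    return f"{algo}-{base64.b64encode(digest).decode()}"


SCRIPT_TAG = re.compile(r"<script\b([^>]*)>", re.IGNORECASE)
ATTR = re.compile(r'(\w+)\s*=\s*"([^"]*)"')


def script_inventory(html):
    """Map each external script src to its integrity attribute (None if absent)."""
    inventory = {}
    for match in SCRIPT_TAG.finditer(html):
        attrs = dict(ATTR.findall(match.group(1)))
        if "src" in attrs:
            inventory[attrs["src"]] = attrs.get("integrity")
    return inventory


# Headers whose unexpected change on the payment page should raise an alert.
WATCHED_HEADERS = ("content-security-policy", "strict-transport-security")


def check_payment_page(baseline, observed_html, observed_headers, fetched_scripts):
    """Compare a snapshot against the baseline; an empty list means no drift.
    fetched_scripts maps src -> bytes the monitor downloaded for the snapshot."""
    alerts = []
    observed = script_inventory(observed_html)
    for src, integrity in observed.items():
        if src not in baseline["scripts"]:
            alerts.append(f"unauthorized script: {src}")
            continue
        expected = baseline["scripts"][src]
        if integrity != expected:
            alerts.append(f"integrity attribute changed or missing: {src}")
        body = fetched_scripts.get(src)
        if body is not None and sri_hash(body) != expected:
            alerts.append(f"script content differs from baseline hash: {src}")
    for src in baseline["scripts"]:
        if src not in observed:
            alerts.append(f"authorized script missing: {src}")
    for name in WATCHED_HEADERS:
        if observed_headers.get(name) != baseline["headers"].get(name):
            alerts.append(f"header changed: {name}")
    return alerts


# Constructed assets: the merchant's checkout script and a third-party PSP SDK.
CHECKOUT_JS = b"document.getElementById('pay').addEventListener('submit', tokenize);"
PSP_SDK_JS = b"window.PSP = { tokenize: function (card) { /* ... */ } };"

BASELINE = {
    "scripts": {
        "/static/checkout.js": sri_hash(CHECKOUT_JS),
        "https://psp.example/sdk.js": sri_hash(PSP_SDK_JS),
    },
    "headers": {
        "content-security-policy": "script-src 'self' https://psp.example",
        "strict-transport-security": "max-age=31536000",
    },
}


def build_page(scripts):
    """Render a minimal payment page from (src, integrity-or-None) pairs."""
    tags = "".join(
        f'<script src="{src}" integrity="{sri}" crossorigin="anonymous"></script>'
        if sri else f'<script src="{src}"></script>'
        for src, sri in scripts
    )
    return f'<html><head>{tags}</head><body><form id="pay"></form></body></html>'


# Snapshot that matches the baseline exactly.
GOOD_PAGE = build_page(list(BASELINE["scripts"].items()))
GOOD_HEADERS = dict(BASELINE["headers"])
GOOD_FETCHED = {"/static/checkout.js": CHECKOUT_JS, "https://psp.example/sdk.js": PSP_SDK_JS}

# Constructed drift: an extra script injected into the page, the PSP SDK now
# served with different bytes, and the CSP header gone.
TAMPERED_PAGE = build_page(list(BASELINE["scripts"].items()) + [("https://cdn.example.net/a.js", None)])
TAMPERED_HEADERS = {"strict-transport-security": "max-age=31536000"}
TAMPERED_FETCHED = dict(GOOD_FETCHED, **{"https://psp.example/sdk.js": PSP_SDK_JS + b"/* altered */"})

if __name__ == "__main__":
    print(check_payment_page(BASELINE, GOOD_PAGE, GOOD_HEADERS, GOOD_FETCHED))
    print(check_payment_page(BASELINE, TAMPERED_PAGE, TAMPERED_HEADERS, TAMPERED_FETCHED))
```

The second snapshot shows why the monitor must hash the bytes it actually fetched: the tampered SDK still carries the original integrity attribute in the HTML, so only the content comparison (and, in a real browser, SRI enforcement) catches the swap.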

 
Google Play will no longer pay to discover vulnerabilities in popular Android apps
Over the years, the scope of the Google Play Security Reward Program expanded to cover developers of some of the biggest Android apps such as Airbnb, Alibaba, Amazon, Dropbox, Facebook, Grammarly, Instacart, Line, Lyft, Opera, Paypal, Pinterest, Shopify, Snapchat, Spotify, Telegram, Tesla, TikTok, Tinder, VLC, and Zomato, among many others.
The reason Google gave is that the program has seen a decrease in the number of actionable vulnerabilities reported. The company credits this success to the “overall increase in the Android OS security posture and feature hardening efforts.”
In September of 2018, nearly a year after the GPSRP was announced, Google said that researchers had reported over 30 vulnerabilities through the program, earning a combined bounty of over $100k. Approximately a year later, in August of 2019, Google said that the program had paid out over $265k in bounties. As far as we know, the company hasn’t disclosed how much they’ve paid out to security researchers since then, but we’d be surprised if the number isn’t notably higher than $265k given how long it’s been since the last disclosure and the number of popular apps in the crosshairs of security researchers.

 

Amazon CEO: AI-Assisted Code Transformation Saved Us 4,500 Years of Developer Work
Amazon CEO Andy Jassy took to Twitter to boast that using Amazon Q to do Java upgrades has already saved Amazon from having to pay for 4,500 developer-years of work. And Jassy says it also provided Amazon with an additional $260M in annualized efficiency gains from enhanced security and reduced infrastructure costs. "Our developers shipped 79% of the auto-generated code reviews without any additional changes.”
Comments:
“So the same company that makes the product, is citing how much it saved them? And the CEO, which has a primary duty of selling corporate product, is saying how incredible it is, and so forth? No”
“It isn't as good as Amazon CEO claims. And it isn't as bad as some skeptics make it out to be. It is a very very good auto-complete. Much better than any we have had before. And just like you don't completely trust auto-complete, you shouldn't completely trust AI suggestions either.”
“Using my own experience with ChatGPT as anecdote, I can say that my success rate hasn't been anywhere near that. As a matter of fact, with the simple exception of asking ChatGPT to write a function to calculate the square root of a number, every single time I've asked it for anything more complex has resulted in a lot of going back and forth until it gets things to be more aligned with what I asked and even then there are still issues with it and it contains errors. Maybe they're using something that's better. Maybe I'm stoopid and don't ask the right questions.”

 

VENDORS & PLATFORMS
GitHub rolls out AI-powered fixes for code vulnerabilities
GitHub has unveiled Copilot Autofix, an AI-powered software vulnerability remediation service as part of its GitHub Advanced Security (GHAS) service. GitHub found that developers using Copilot Autofix were fixing code vulnerabilities more than three times faster than those doing it manually. Copilot Autofix can be generated for dozens of classes of vulnerabilities, such as SQL injection and cross-site scripting, which developers can dismiss, edit, or commit in their pull request.

 

  1. CNAPPs Need a Cloud Detection and Response (CDR) Solution

  2. CNAPPs Should Prioritize Risk Through the Lens of Business Context

  3. CNAPPs Should Be Able to Classify Sensitive Cloud Data

  4. CNAPPs Empower Development and Security Teams to Collaborate

  5. Runtime Visibility and Analysis Is a Core Part of CNAPP

  6. CNAPPs Should Have a Unified View of Risk

 

Top companies ground Microsoft Copilot over data governance concerns
With Copilots, security and oversight concerns are commonplace, particularly around bigger companies that have complex permissions around their SharePoint or their Office 365 or things like that, where the Copilots are basically aggressively summarizing information that maybe people technically have access to but shouldn't have access to. “You've got to have clean data and you've got to have clean security in order to get these systems to really work the way you anticipate. It's more than just flipping the switch."
The situation is similar to the IT security challenge 15 years ago when Google introduced its Search Appliance to index corporate documents and make them available to employees.

 

Microsoft resurrects Windows Recall for upcoming preview
Windows Recall first appeared at Microsoft Build 2024 in May. It was swiftly described as a privacy nightmare as users digested what it did. On June 13, Microsoft removed its fingers from its ears and pulled the engineering prototype, dubbed a "preview," from a broad Copilot+ PC release to something that would hit Windows Insiders first. At the time, Microsoft said the Windows Insider preview would arrive "in the coming weeks." Weeks have turned into months, but finally Recall is set to be released to Microsoft's army of unpaid testers, the Windows Insiders. Then it will be made available on all Copilot+ PCs.

 

Apple Pushes Ahead With Tabletop Robot in Search of New Revenue
The product, which relies on actuators to tilt the display up and down and make it spin 360 degrees, would offer a twist on home products like Amazon[.]com Inc.’s Echo Show 10 and Meta Platforms Inc.’s discontinued Portal. The company also is working on robots that move around the home and has discussed the idea of a humanoid version. The company is also working on augmented reality glasses, as well as exploring less ambitious products like smart glasses that would be similar to Meta’s Ray-Ban spectacles. In addition, Apple is looking to create a version of its AirPods earbuds that include cameras, letting them better sense the outside world. And it’s working on a giant, foldable iPad.

 
LEGAL & REGULATORY
US accuses Georgia Tech of fraud for NIST 800-171 Noncompliance
Dr. Emmanouil "Manos" Antonakakis runs a Georgia Tech cybersecurity lab and has attracted millions of dollars in the last few years from the US government for Department of Defense research projects. The government is suing Georgia Tech in federal court, singling out Antonakakis and claiming that neither he nor Georgia Tech followed basic (and required) security protocols for years, knew they were not in compliance with such protocols, and then submitted invoices for their DoD projects anyway. “DoD paid for military technology that Defendants stored in an environment that was not secure from unauthorized disclosure, and Defendants failed to even monitor for breaches so that they and DoD could be alerted if information was compromised.” Antonakakis and his lab are required to abide by many sets of security rules, including those outlined in NIST Special Publication 800–171, "Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations."
Georgia Tech had to self-assess its security and submit a score showing how many of the 110 NIST-listed security controls it had in place. Georgia Tech submitted an "overall security plan" for the whole campus with a score of 98 out of 110. But this "overall" plan was basically fictional—it was a model, and apparently not an accurate one. Georgia Tech doesn't have a unified IT setup; it has hundreds of different IT setups, including a different one at most research labs. Rather than score each setup—such as the Antonakakis lab—differently, Georgia Tech officials simply submitted the modeled "98" overall score for the Antonakakis projects.
By suing a major institution like Georgia Tech, the US government seems to be firing a shot across the bow of all the other schools running labs with federal security money. "We don't care if you don't like it," the suit seems to say. "If you want the money, get serious about the obligations."
[rG: This is a seismic event that is going to have significant repercussions on Cyber Security Governance, Compliance, and Audit not only for US Federal contractors but also commercial customer/supplier certifications.]

 

Shocker: French make surprise arrest of Telegram founder at Paris airport
French authorities detained Pavel Durov, the founder of the Telegram messaging/publication service. They are allegedly planning to hit him tomorrow with serious charges related to abetting terrorism, fraud, money laundering, and crimes against children, all of it apparently stemming from a near-total lack of moderation on Telegram. According to French authorities, thanks to its encryption and support for crypto, Telegram has become the new top tool for organized crime.
Durov appears to be an old-school cyber-libertarian who believes in privacy and encryption. His arrest will certainly resonate in America, which has seen a similar debate over how much online services should cooperate with law enforcement. Civil liberties advocates and techies generally note that creating backdoors makes such systems fundamentally insecure. The global debate over crime, encryption, civil liberties, and messaging apps is sure to heat up with Durov's arrest.

 

Labor board confirms Amazon drivers are employees, in finding hailed by union
Amazon may be forced to meet some unionized delivery drivers at the bargaining table after a regional National Labor Relations Board (NLRB) director determined Thursday that Amazon is a joint employer of contractors hired to ensure the e-commerce giant delivers its packages when promised. This seems like a potentially big loss for Amazon, which had long argued that delivery service partners (DSPs) exclusively employed the delivery drivers, not Amazon. By rejecting its employer status, Amazon had previously argued that it had no duty to bargain with driver unions and no responsibility for alleged union busting.