
Security News Bites for the Week Ending March 8, 2019

Commerce Department Wants Companies to Publish Ingredients of their Software

The Commerce Department is trolling around the RSA conference trying to get companies to publish the ingredients in their software – the so-called bill of materials that I have written about before – so that users can understand what libraries are being loaded. The objective is to avoid another Equifax-style breach, where people don't know that a particular software package uses a vulnerable version of, say, Struts. Then people have to figure out how to use it. Big project, but a useful one. Source: The Cybersecurity 202.

 

Massachusetts High Court Orders Man to Unlock Phone

Various courts have come down with different decisions regarding whether a person can be compelled to unlock his or her computing device after a warrant is issued.  In general, it has been held that you can be forced to look at your phone (face ID) or put your finger on your phone (fingerprint reader), but not to enter a password (compelled testimony).  But not all courts agree.

The Massachusetts Supreme Justice Court announced (seriously) “the end of privacy in the digital age” when it compelled an accused pimp to unlock his phone.

Whether this particular case winds up in front of the US Supreme Court or not, the issue will ultimately have to be decided there.  Source: Boston Herald.

 

Brits Say Brexit was a Russian Plot

As politicians scramble to spin reality regarding Russia's influence-peddling efforts, British foreign secretary Jeremy Hunt says that there is no evidence of successful Russian interference with UK polls, in the face of lawsuits compelling the government to investigate whether that happened.

He is likely right that the Ruskies did not try to literally break into the (digital) ballot box and change votes, but on the other hand, it is equally likely that they used their normal social media techniques to influence the outcome in a direction favorable to Russia.

Why Hunt thinks that England is in some kind of “no-influence” bubble is beyond me (other than to admit it would be politically damaging).  After all, governments around the globe (including the US) have been working hard to influence elections for decades.  Source: The Guardian.

 

Huawei Sues US Government Over Ban

The Chinese electronics giant Huawei sued the United States government on Wednesday, arguing that it had been unfairly and incorrectly banned as a security threat.

In what will likely be a years-long court battle, China is demonstrating that it does not plan to roll over and play dead for Trump. Source: The New York Times.

 

It's Y2K All Over Again

It's been a few years (like around 1977 or so), but I seem to recall that we discussed this at the time and it is in the spec, but who reads specs anyway? Note: I was a member of the software development team that built the first GPS receiver for the Air Force.

The Global Positioning System tracks time in weeks since January 5, 1980. It uses a 10-bit number (1024 weeks) because memory was expensive in 1977, so we knew it was going to roll over about every 20 years, and our code (inside the receiver that was placed in a fighter jet) handled the rollover.

But, apparently, not every software developer is as forward-looking as we were, so come April 6, 2019 (the next rollover day), some GPSes may become wonky.

In the case that the GPS is directing you to the nearest Starbucks, you might get lost.

If the GPS is controlling a weapon system or a piece of high-precision nuclear medicine equipment… well… people could wind up dead.

So at least a few people are doing the Y2K thing all over again.

I suspect that if you power off your GPS before the rollover and then power it back on after, everything will be fine (as I remember the code in the GPS, but that was a real long time ago).  That means you are on your own finding that Starbucks, but powering off that weapon system may not be an option.

It is very likely that the GPS firmware on your phone will be fine, I predict.  We shall see.  Source: Homeland Security.
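The rollover described above, worked through as an added example (not code from any receiver mentioned in this post): a 10-bit week field decoded naively, and decoded against a pivot week so the date survives the wrap. The function names and the pivot value are hypothetical; week 0 is taken to begin at 00:00 on January 6, 1980, the midnight that ends January 5.

```c
#include <stdint.h>
#include <stdio.h>

#define WN_MODULO 1024u           /* 10-bit week field: 2^10 weeks per era */
#define GPS_EPOCH_UNIX_DAYS 3657u /* 1980-01-06 00:00, as days after 1970-01-01 */

/* Naive decode: trusts the broadcast value as the full week count. */
uint32_t naive_week(uint16_t wn10) { return wn10 % WN_MODULO; }

/* Pivot decode: the first full week >= pivot_week that matches wn10 mod 1024.
 * pivot_week (assumption) is a full week the receiver knows is already past,
 * such as the week its firmware was built. Valid for 1024 weeks after it. */
uint32_t resolve_week(uint16_t wn10, uint32_t pivot_week)
{
    uint32_t full = pivot_week - (pivot_week % WN_MODULO) + (wn10 % WN_MODULO);
    if (full < pivot_week)
        full += WN_MODULO;        /* broadcast counter has wrapped since pivot */
    return full;
}

/* First day of a full GPS week as a YYYYMMDD integer (proleptic Gregorian,
 * days-to-civil conversion for dates on or after 1970-01-01). */
uint32_t week_start_yyyymmdd(uint32_t full_week)
{
    uint32_t z   = full_week * 7u + GPS_EPOCH_UNIX_DAYS + 719468u;
    uint32_t era = z / 146097u;
    uint32_t doe = z - era * 146097u;
    uint32_t yoe = (doe - doe / 1460u + doe / 36524u - doe / 146096u) / 365u;
    uint32_t doy = doe - (365u * yoe + yoe / 4u - yoe / 100u);
    uint32_t mp  = (5u * doy + 2u) / 153u;
    uint32_t d   = doy - (153u * mp + 2u) / 5u + 1u;
    uint32_t m   = mp < 10u ? mp + 3u : mp - 9u;
    uint32_t y   = yoe + era * 400u + (m <= 2u ? 1u : 0u);
    return y * 10000u + m * 100u + d;
}

int main(void)
{
    const uint32_t pivot = 2000u; /* constructed: firmware built in GPS week 2000 */
    const uint16_t wn10  = 0u;    /* constructed: broadcast value just after rollover */
    printf("naive : %u\n", (unsigned)week_start_yyyymmdd(naive_week(wn10)));
    printf("pivot : %u\n", (unsigned)week_start_yyyymmdd(resolve_week(wn10, pivot)));
    return 0;
}
```

The pivot only moves the problem: a receiver still running the same firmware 1024 weeks after its pivot week will misdate again, so the pivot has to be refreshed with each firmware update.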
