‘Every piece of Huawei code I’ve ever looked at is garbage’

Top infosec trends in the social media spotlight this week

A security researcher in Bulgaria was arrested this week, days after it emerged that a breach at the country’s tax authority had exposed the financial data of millions.

According to reports, a 20-year-old Bulgarian cybersecurity worker has been charged with stealing the data of five million taxpayers from the country’s National Revenue Agency.

Twitter reacted with some surprise that one of its own was in the frame, especially since unconfirmed reports suggest the suspect provided cybersecurity training to the same cops that cuffed him.

The investigation is ongoing.

FaceApp? Make that FacePalm

Meanwhile, a mighty privacy flap erupted over a mobile app designed to give people a glimpse into what they’ll look like when they get older. It could also be used to take years off the age of someone whose image it depicted.

Sounds like fun, right? So, it’s no surprise the app quickly went viral.

However, the more plugged-in (or perhaps twitchy) privacy advocates were quick to note the selfie-editing mobile app is owned by a Russian firm, sharpening concerns that the app might be used to train facial recognition software. And, wait a minute, was it actually sucking up a user’s entire image library rather than just a single photo?

Others responded that the nationality of the developers was neither here nor there, while the firm itself claimed all the data processing was in the cloud.

Those uploading their photos were also giving FaceApp the permission for commercial purposes (such as internet ads) without renumeration, according to the app’s terms and conditions, some noted.

Others made the point that oversharing of potential sensitive photos and files through social media has been going on for years – long, long before this week’s privacy panic about FaceApp.

The UK’s Information Commissioner’s Office (ICO) made headlines last week with plans to fine British Airways $229m for a GDPR-infringing data breach.

Proving that, in the US, they do everything bigger and better, the Federal Trade Commission (FTC) reportedly approved a record $5 billion settlement with Facebook – equivalent to one month’s revenue – over the Cambridge Analytica data scandal.

This might sound a lot to us mere mortals, but Wall Street reacted favourably to the move, as the stock price of the social network surged, prompting criticism the Facebook might have been let off too easily.

A good week for Chinese 5G vendors

Last week, Chinese telecom equipment maker ZTE opened a cybersecurity lab in Brussels in order to improve its “transparency”.

Interested parties (potential telco customers, regulators, etc) will be offered the chance to inspect its source code and carry out security testing on its products, Reuters reports.

Controversial rival Huawei received an important vote of confidence this week, with UK MPs finding “no technical grounds” to exclude its equipment from British networks. Some independent technical experts remain unimpressed with the quality of Huawei’s code.

By contrast, security experts were full of praise for Cloudflare’s handling of an outage early this month, which it followed up with a detailed technical root cause analysis late last week.

Crudely put, it might that a single web application firewall (WAF) rule – combined with the removal of CPU profiling checks during a refactoring process – broke the Cloudflare network.

In truth, there was no “single root cause” and the problems would better be described as a cascading failure that involved human error.

Regardless, the content delivery network earned plaudits for its transparency and swift incident response.

Last weekend, SteelCon rocked.

The Daily Swig team was there in force to cover the annual Sheffield-based hacker conference. Catch up with our coverage on the cryptographic mistakes made by ransomware authors, the latest thinking on DevSecOps and more.

Staying in the UK, the National Cyber Security Centre (NCSC) outlined its progress in helping government agencies to clamp down on commodity phishing and malware attacks though its Active Cyber Defence program.

Successes included thwarting an airport-themed spam email campaign.

Moving closer to a genuine Turing machine

Finally, wartime codebreaker and computing pioneer Alan Turing was named as the face of the new British £50 note.

He’ll replace fellow scientist James Watt when the high denomination note goes from paper to polymer in 2021.