Robin’s Newsletter #258

28 May 2023. Volume 6, Issue 22
Meta fine €1.2 billion. US-China cyber tensions. Brute-forcing biometric authentication. Insider threat fail.
Join hundreds of subscribers who get this first, every Sunday. Subscribe

This week

Meta fined €1.2 billion for mishandling data

US-China cyber tensions

BrutePrint unlocks Android smartphones for $15 in as little as 40 minutes

  • Researchers from Zhejiang University in China have developed BrutePrint, a method to brute forcing fingerprint authentication on smartphones. The technique requires dissembling the phone to attach a new circuit board and circumventing some protections that restrict the number of failed attempts. It’s limited on iPhone but successful against Android devices, brute forcing access in anywhere from 40 minutes to 14 hours.
  • I’m sure that this will be of interest to law enforcement. Long, complex passphrases are better than fingerprints if you believe you’ll be targeted by police, with the FBI previously gaining a warrant to force a user to unlock their device, regardless of the potential for self-incrimination (vol. 5, iss. 30).

Interesting stats

60% of phishing websites were registered through Freenom in November 2022, dropping to  <10% in April 2023, after Meta sued the company for ignoring abuse complaints, according to Interisle Consulting Group.

Other newsy bits / in brief

And finally

  • Insider threat: A former security analyst at Oxford Biomedica has pleaded guilty to blackmail and unauthorized access to a computer with intent to commit other offences. Ashley Liles was in the cyber security team of Oxford Biomedica in February 2018 when the company suffered a security incident. Liles modified the ransom emails from attackers to include his own Bitcoin address hoping to receive part of the £300,000 demands. The good-guy-turned-bad also set up a similar email address and pressured the firm’s management to pay up. Terrible OpSec got Liles arrested as he accessed his fake attacker email address directly from his home internet connection, leading police to be able to track him down from his IP address. (H/T @JoeTidy).

  Robin's Newsletter - Volume 6

  Meta Facebook Data Protection Commission (DPC) European Data Protection Board (EDPB) General Data Protection Regulation (GDPR) Privacy Data protection Standard Contractual Clauses (SCCs) China Micron Diplomacy Volt Typhoon Critical National Infrastructure Guam BrutePrint Brute force Fingerprint Biometric Insider threat