The Kitchen Sync

January 15, 2021

Podapalooza

What's new: With all of the events over the last several weeks, I (Klon) have been making the podcast rounds to discuss these critical issues.

Why this matters: Gotta look busy for the bosses!

Key points:

We hope these are helpful as you navigate these challenging times and issues.


Chinese hackers hoovering surveillance footage

What’s new: Just before the new year, Reuters reported that a hacking group likely based in China was pilfering security camera footage from the African Union headquarters compound in Addis Ababa, Ethiopia.

Why this matters: It is the latest accusation of Beijing spying on African rulers, and hints at the comprehensive surveillance the Chinese government likely enjoys of Africa’s leadership, a key source of support for Beijing’s international agenda.

Key points:

  • The Reuters report is the third credible accusation of Chinese spying on the AU HQ.

  • In 2018, Le Monde reported that the AU’s Huawei ICT system was daily uploading its contents to Shanghai, and that the walls of the Chinese-constructed building were stuffed with listening devices. The Financial Times later confirmed the report.

  • The problem likely extends far beyond the AU. Beijing has excellent surveillance opportunities across the continent because of the warm relations it has with African elites, Huawei and ZTE’s dominance of Africa’s telecoms infrastructure, and the fact that its companies have constructed scores of sensitive African government buildings, in addition to the AU HQ.

What we’re thinking: African countries form the largest voting bloc in international forums, and they frequently vote together and in support of Chinese President Xi Jinping’s aggressive international agenda. Beijing likely uses the information it gathers through its eavesdropping to tailor and strengthen the political influence campaigns it uses to ensure African elites’ loyalty. As long as the Chinese government enjoys unflinching support among African leaders, it will be hard for Washington to hold Beijing accountable through international forums for its malign activities, or to prevent Beijing from subverting those institutions to its own purposes.

Joshua Meservey (@jmeservey) is the Senior Policy Analyst for Africa and the Middle East at the Heritage Foundation.


Parler hacked before going dark

What's new: Due to a basic bug in the social media platform Parler’s security measures, a group of hackers downloaded dozens of terabytes of Parler’s data to the Internet Archive, just before the site’s shutdown, according to Wired Magazine.

Why this matters: With 99% of the site’s public contents archived before its shutdown, much “incriminating evidence” of who participated in the Capitol raid and how they did so is now accessible.

Key points:

  • On Sunday night, Parler went dark after Amazon Web Services stopped hosting the site, because it had been used as a tool to coordinate the mob invasion of the US Capitol building last week.

  • Parler's design lacked the most basic security measures that could have prevented the automated collection of the site's data -- for example, its posts were numbered in sequential order.

  • This mistake meant that an automated script could grab all the site's posts simply by increasing the ID in the target URL by one, which returned the next post that appeared on the site. Sites typically use non-sequential, unguessable identifiers to prevent this kind of easy "scraping."

  • One of the hackers confirmed that not all Parler data was accessed; only posts that were publicly available via the web were archived.

  • Parler had failed to remove the geolocation metadata from images and videos posted on the site, so much of the archived data holds users' detailed locations.

What we're thinking: Any website, especially one that promises free speech, should not lack the basic security measures that prevent anyone from freely accessing and downloading everything posted to the site. Now, Parler investors say the web service will be back online within a week. If Parler does return, it will need to deeply reconstruct its security engineering. Kenneth White, the co-director of the Open Crypto Audit Project, says that "If a Python script can archive your whole user content with simple web requests, then you've got a serious architecture problem."
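As an added illustration (example code written for this newsletter, not from the Wired article or from Parler), here is the defender's side of the sequential-ID problem the key points describe: public post IDs drawn from a random 128-bit space instead of a counter, and a check over constructed sample access-log lines that flags a client walking post IDs one by one. The log format and the client addresses are assumptions.

```python
import re
import secrets
from collections import defaultdict

# Constructed sample access-log lines (not real Parler traffic):
# "<client> GET <path> <status>". The first client walks post IDs one by one.
SAMPLE_LOG = """\
203.0.113.7 GET /post/1000 200
203.0.113.7 GET /post/1001 200
203.0.113.7 GET /post/1002 200
203.0.113.7 GET /post/1003 200
203.0.113.7 GET /post/1004 200
198.51.100.4 GET /post/2517 200
198.51.100.4 GET /post/88 200
"""

LOG_RE = re.compile(r"^(\S+) GET /post/(\d+) ")


def longest_consecutive_run(ids):
    """Length of the longest stretch where each ID is the previous one plus 1."""
    best = run = 1
    for prev, cur in zip(ids, ids[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best


def enumerating_clients(log_text, min_run=4):
    """Map each client whose requests walk sequential post IDs for at least
    min_run consecutive hits to the length of that run. Sequential numbering is
    what lets a script fetch id, id+1, id+2, ... until it holds every post."""
    requests = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            requests[m.group(1)].append(int(m.group(2)))
    runs = {client: longest_consecutive_run(ids) for client, ids in requests.items()}
    return {client: run for client, run in runs.items() if run >= min_run}


def new_post_id():
    """Unguessable public identifier: 128 random bits, URL-safe. With IDs like
    these, knowing one post's URL gives no way to derive the next one."""
    return secrets.token_urlsafe(16)


if __name__ == "__main__":
    print(enumerating_clients(SAMPLE_LOG))  # {'203.0.113.7': 5}
    print(new_post_id())
```

Random IDs are not a substitute for access control on private posts, but they remove the free "next post" hint that made bulk collection of public ones trivial.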


SolarWinds hackers also hit email security co.

What's new: A security breach at email security provider Mimecast Inc. earlier this week allowed hackers to access its customers' Microsoft Office productivity services, according to the Wall Street Journal.

Why this matters: Investigators found that the Mimecast hackers used tools and techniques linking them to the hackers who broke into SolarWinds Corp. Previously, all victims of the attack were thought to have been compromised via SolarWinds' Orion software; this latest attack on Mimecast demonstrates that the campaign's reach is broader.

Key points:

  • It is now known that victims did not have to be SolarWinds users themselves to be targeted by the hackers.

  • The hack potentially affected 10% of Mimecast’s users, or about 4,000 customers.

  • Last week, the Department of Homeland Security warned that the SolarWinds hackers were using techniques other than the Orion software to break into their victims' networks, including password guessing.

  • The chief executive of Obsidian Security Inc. says that "With Mimecast digital certificates in hand, the hackers would likely be able to read email or other sensitive information stored on the Microsoft Exchange servers."

What we're thinking: Something needs to be done to stop the Russia-linked hackers, who not only use Orion to access their victims but are seemingly targeting companies that do not use the software at all. SolarWinds said an analysis suggests that the hackers circumvented detection by mimicking legitimate network traffic routed through US servers. We need to find out how this went undetected by SolarWinds, Mimecast, and a host of others.


Your face killed your career?

What's new: HireVue, a software product for vetting job candidates based on an individual's behavior and speech, is discontinuing a feature that analyzes a person's facial expressions to infer certain characteristics, according to Wired Magazine.

Why this matters: The use of facial analysis to determine emotion or personality traits is controversial, with some experts warning that the underlying science is flawed since a person’s face does not on its own reveal emotion or character.

Key points:

  • About 100 companies, including GE, Unilever, Delta, and Hilton, use HireVue technology to assess a candidate's suitability for a job, based on HireVue's judgment.

  • The company helped screen more than 6 million videos last year.

  • AI experts warn that algorithms trained on data from previous job applicants may perpetuate existing biases in hiring.

  • A bill before the New York City Council proposes regulating the use of hiring software by requiring employers to inform candidates when they are being assessed by AI.

What we're thinking: Data collection without the knowledge of the applicant = not ok. AI bias based on facial recognition, and now audio-based screening, = not fair.