This Week in CyberNews: September 11-18 [Cybersecurity & Tech Roundup]

Every week at CyberNews, we look back at the biggest stories of the week in cybersecurity and tech. This week we’ll talk about the surprise ending to the TikTok saga, WeChat’s upcoming sort-of ban, Facebook again, the problem with secure messaging services, and the Windows super-critical Zerologon bug.


The big twist in the TikTok Saga

So unless you’ve been living under a rock, the Trump administration has been going hard against Chinese companies in its escalating cyber cold war with China. Trump targeted TikTok, claiming that it’s a sort of surveillance tool for the Chinese government, and that it needs to sell the US version of the app or else be banned...somehow.

Microsoft was in the lead to buy US TikTok, then Twitter threw its hat in there, and then Walmart and a variety of other tech companies. And that’s where Oracle came in, the enterprise software-creating, unexciting company. It seemed to be the least likely to buy the young-people, hot TikTok.

And guess who won? Oracle.

It is of course just a coincidence that Oracle’s CEO Larry Ellison has a buddy-buddy relationship with the real Donald Trump, having hosted fundraisers for the current US president. So why didn’t Microsoft get the bid, since it was the forerunner? Well, apparently ByteDance, TikTok’s owner, felt personally dissed when Microsoft called TikTok a security risk.

But, here’s the double-twist. Oracle isn’t even buying it. It’s just “partnering” with TikTok. What exactly does that mean? Details have been coming out since Microsoft got the surprise “uh-uh” from TikTok this past weekend:

  • TikTok will split from ByteDance and become TikTok Global, headquartered in the US, and it’ll create 20,000 jobs for Americans
  • TikTok Global will still be mostly owned by ByteDance, and Oracle would own just part of it
  • Oracle will just store and process TikTok’s data around the world, and US data would be stored in the US (which is kind of what Google and Amazon’s cloud services are providing to TikTok now anyways)
  • The Chinese are definitely not giving up TikTok’s algorithm

So if you’ve been paying attention, you’ll notice that absolutely nothing has been achieved from Trump’s executive order. Let’s assume that Trump was correct that the Chinese via ByteDance are somehow surveilling Americans with TikTok. If part or most of that surveillance is done through the algorithm, then that would still continue in this Oracle deal.

To put it simply: nothing has been achieved really to address national security concerns, which is the reason this whole thing started in the first place.

What about WeChat?

Let’s not forget WeChat. By the way, the same day Trump signed the Executive Order against TikTok, he also signed one against WeChat transactions. It was confusing a month ago and they promised to clarify exactly what “WeChat transactions” actually means – seeing as back then they had no idea.

Well, the order is supposed to kick in this week, and guess what – they still have no idea exactly what that means. The Trump Administration had to respond to an injunction from American WeChat users. The Administration then responded that “personal or business information” via WeChat will not be subject to penalties.

According to the group of WeChat users, “the administration’s latest ‘assurances’ that users can keep using WeChat, and exchange their personal and business information, only further illustrates the hollowness and pre-textual nature of the Defendants’ ‘national security rationales.'”

Which is true. They don’t know what they’re doing.

Facebook has "blood on their hands"

In a 6,600-word memo to Facebook employees, an ex-Facebook data scientist claims that she has “blood on her hands” because Facebook ignored global political manipulation.

Sophie Zhang, the memo’s author, writes that Facebook knew that leaders all around the world were manipulating voters on the site. Even in the presence of clear and objective data that the manipulation was happening, Facebook failed to act.

These concrete examples include manipulation from national leaders of Azerbaijan, Honduras, India, Ukraine, Spain, Brazil and more. In one case of manipulation involving Azerbaijan, it took Facebook 1 year to begin investigating it. One year. That’s enough time to even forget you were manipulated in the first place. And these aren’t small networks either – one scheme involved 672,000 fake accounts, while another used 10.5 million fake engagements and fans.

Telegram, WhatsApp and Signal threatening your privacy

With all the protests going on around the world, secure messaging apps like Signal, WhatsApp and Telegram have really taken off. These apps use end-to-end encryption and are aimed at privacy-seeking users. 

However, new research from German university research teams found that WhatsApp, Telegram and Signal were exposing users’ personal data via contact discovery. So contact discovery is essentially when you give these apps permission to view your contacts list so that they can tell you which of your contacts are also on the same platform. 

The researchers found that these secure messaging apps had relatively weak security on their contact discovery platform, and that malicious users or hackers could collect sensitive data at a large scale and without strong restrictions. WhatsApp and Telegram upload a user’s entire address book to their servers, while Signal does better by transferring only short cryptographic hash values of phone numbers.

For the average user, this may seem like a small problem, but for those people who really, really need to remain private on these platforms, this could cause a huge headache.

Windows vulnerability patched in August 2020

And lastly, Windows had a very very big, 10/10 critical issue for its Windows Servers. Essentially, what’s known as the Zerologon bug allowed researchers to do a few very bad things:

  • impersonate the identity of any computer on a network
  • disable security features in the Netlogon authentication process
  • change a computer's password on the domain controller's Active Directory (essentially a database of all computers joined to a domain, plus their passwords)

The entire attack would take only about 3 seconds to perform. There are also no real limits on how attackers can use Zerologon. For example, the attacker can pretend to be the domain controller and change the password, which would allow them to take over the entire corporate network.

However, the attack cannot be used to take over Windows Servers from outside the network. An attacker first needs a foothold inside a network.

Although the bug was patched in the Windows August 2020 patch, it was only made public recently.