This Week in Security #6
Navigating the ever-evolving landscape of cybersecurity can feel like a whirlwind: new threats, innovations, and incidents constantly reshape the digital world. This week's post breaks down some of the developments that took place last week.
Rapid-fire:
- Club Penguin fans steal Disney strategy information while trying to find information on the game
- More Snowflake customers have information leaked; lack of 2FA still seems to be the culprit
- 750,000 Social Security Numbers leaked in April cyberattack
Working Your Way Around an ACL
This article doesn't contain advice on how to rehab a serious injury; rather, it outlines an easy method of getting at the data behind Microsoft's Recall feature.
A couple of weeks ago we talked about a widely maligned new Windows 11 feature, Recall. There was plenty of criticism directed towards the project, most of which revolved around privacy issues.
While earlier workarounds had shown that it's possible to read the database containing a user's Recall data after first escalating to administrator, James Forshaw, a Google researcher, showed that the protection can be bypassed without admin rights at all. Recall's data is protected by an Access Control List (ACL, discussed at the end of this post), and Forshaw demonstrated that ACLs of this kind can sometimes be circumvented, as is the case for Recall.
As more data is stored and used for increasingly powerful features, companies need to be careful to not rush to market with half-baked security measures and reviews.
Microsoft is in the process of making changes to the feature and its rollout in response to widespread criticism.
Interesting Read
Privacy and Overfishing
Yes, that’s overfishing with an ‘f’, not a ‘ph’.
Scientists calculate the "acceptable catch size" for fisheries based on the baseline population level that needs to be sustained. In the mid-1900s scientists realized fish populations were dropping dramatically even when these catch-size guidelines were followed. How could that be?
Daniel Pauly, a marine biologist, concluded that researchers were making a big mistake in their calculations. Borrowing the concept of "shifting baselines" from architecture, he observed that each new generation of researchers had its own idea of what the "baseline" was.
- Their baseline was whatever population they inherited when they began their work.
- So although the decline relative to their own baseline wasn't dramatic, the drop-off over several generations was large.
These shifting baselines parallel our relationship with privacy over time. Initially we ran relatively isolated machines with little oversight or monitoring, but as cloud computing has become the standard, data is far more easily monitored.
In recent years this issue has come to the forefront with AI models being trained on anything and everything. Where do we go from here? Time and policy will tell.
Security Fundamentals
Access Control List (ACL): In the third edition I explained access control generally.
An ACL is an ordered list of rules, each called an access control entry (ACE), attached to a resource such as a file, directory, or network object; each entry grants or denies specific rights (read, write, execute, and so on) to a particular user or group. Although similar conceptually, compared to something like Role-based Access Control (RBAC), where permissions are attached to roles and users are assigned to roles, ACLs are better suited to per-resource decisions about individual users than to a company-wide permission scheme.
Conditional access control entries simply require an additional condition to be met for the entry to apply (e.g. whether a particular attribute or claim is present on the caller's security token). An entry whose condition is false is skipped rather than treated as a deny, so the protection is only as strong as the condition itself: if a non-privileged process can arrange to satisfy the condition, the entry grants it access. This is what Forshaw worked around in his hack.
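To make the evaluation rules concrete, here is an added example of my own (not code from this post, from Microsoft, or from Forshaw's write-up) that models a Windows-style discretionary ACL in Python: entries are walked in order, a matching deny wins immediately, allows accumulate rights, and an entry with an unmet condition is ignored. The SIDs, the `app_identity` attribute name, and the `RECALL_STYLE_ACL` itself are constructed for illustration and do not reproduce the real Recall ACL or the actual bypass; the example only shows the general weakness of an "attribute exists" condition.

```python
from dataclasses import dataclass, field
from typing import Callable, Optional

# Illustrative access rights in the style of Windows generic rights.
READ, WRITE, EXECUTE = 0x1, 0x2, 0x4


@dataclass
class Token:
    """The caller's identity: user SID, group SIDs, and claims/attributes."""
    user: str
    groups: set[str] = field(default_factory=set)
    claims: dict[str, str] = field(default_factory=dict)

    def holds(self, trustee: str) -> bool:
        return trustee == self.user or trustee in self.groups


@dataclass
class ACE:
    kind: str                                            # "allow" or "deny"
    trustee: str                                         # user or group SID the entry applies to
    mask: int                                            # rights granted or denied
    condition: Optional[Callable[[Token], bool]] = None  # None means unconditional


def check_access(acl: list[ACE], token: Token, requested: int) -> bool:
    """Evaluate an ACL the way Windows evaluates a DACL: walk the entries in
    order, a deny that covers any still-outstanding requested right refuses
    access at once, allows accumulate rights until every requested right is
    granted, and a conditional entry whose condition is false is skipped."""
    if requested == 0:
        return False
    granted = 0
    for ace in acl:
        if not token.holds(ace.trustee):
            continue
        if ace.condition is not None and not ace.condition(token):
            continue  # condition not met: the entry is ignored, not treated as a deny
        remaining = requested & ~granted
        if ace.kind == "deny":
            if ace.mask & remaining:
                return False
        elif ace.kind == "allow":
            granted |= ace.mask & remaining
            if granted == requested:
                return True
        else:
            raise ValueError(f"unknown ACE kind {ace.kind!r}")
    return False  # empty ACL, or rights never fully granted


def attribute_exists(name: str) -> Callable[[Token], bool]:
    """Condition of the form 'the caller's token carries attribute <name>'."""
    return lambda tok: name in tok.claims


# Constructed example ACL (hypothetical, not the real Recall ACL): the only
# entry that lets a non-administrator read is conditional on an attribute.
GUESTS, AUTHENTICATED_USERS, ADMINISTRATORS = "S-1-5-32-546", "S-1-5-11", "S-1-5-32-544"
RECALL_STYLE_ACL = [
    ACE("deny", GUESTS, READ | WRITE | EXECUTE),
    ACE("allow", AUTHENTICATED_USERS, READ, condition=attribute_exists("app_identity")),
    ACE("allow", ADMINISTRATORS, READ | WRITE | EXECUTE),
]


def demo() -> dict[str, bool]:
    """Run the same non-admin user with and without the attribute on its token."""
    admin = Token("S-1-5-21-1-1-500", {AUTHENTICATED_USERS, ADMINISTRATORS})
    plain = Token("S-1-5-21-1-1-1001", {AUTHENTICATED_USERS})
    plain_with_attr = Token("S-1-5-21-1-1-1001", {AUTHENTICATED_USERS},
                            {"app_identity": "ContosoApp"})
    guest_with_attr = Token("S-1-5-21-1-1-501", {AUTHENTICATED_USERS, GUESTS},
                            {"app_identity": "ContosoApp"})
    return {
        "admin_read": check_access(RECALL_STYLE_ACL, admin, READ),
        "plain_read": check_access(RECALL_STYLE_ACL, plain, READ),
        "plain_with_attr_read": check_access(RECALL_STYLE_ACL, plain_with_attr, READ),
        "plain_with_attr_write": check_access(RECALL_STYLE_ACL, plain_with_attr, WRITE),
        "guest_with_attr_read": check_access(RECALL_STYLE_ACL, guest_with_attr, READ),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'allowed' if allowed else 'denied'}")
```

The interesting row is `plain_with_attr_read`: the same non-admin account is refused until its process token carries the attribute, at which point the conditional entry applies and the read succeeds. An "attribute exists" condition is therefore exactly as strong as the difficulty of obtaining that attribute, which is why a design reviewer should ask who controls the claim before trusting a conditional ACE as a security boundary.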