Analysis: Huawei 5G Dilemma episode artwork

EPISODE · Jan 17, 2020

Analysis: Huawei 5G Dilemma

from Info Risk Today Podcast · host InfoRiskToday.com

The latest edition of the ISMG Security Report discusses why Britain is struggling to determine whether to use China's Huawei technology in developing its 5G networks. Plus: An update on a mobile app exposing infant photos and videos online and an analyst's take on the future of deception technology.

Episode metadata supplied by the publisher feed · Published Jan 17, 2020

The latest edition of the ISMG Security Report discusses why Britain is struggling to determine whether to use China's Huawei technology in developing its 5G networks. Plus: An update on a mobile app exposing infant photos and videos online and an analyst's take on the future of deception technology.

PodParley-generated summary based on available episode metadata and transcript content.

NOW PLAYING

Analysis: Huawei 5G Dilemma

0:00 0:00
of MATCHES

TRANSCRIPT · AUTO-GENERATED

Britain between a 5G rock and a hard place, the nightmare fusion of baby videos in the cloud and leaky servers, and where's deception technology going today? These stories are more, in this week's ISMG Security Report. Hello, I'm Nick Holland. Brexit has been looming over the UK for four years now, but with yet another deadline for the former exit of Britain from Europe coming up, the ramifications of this messy divorce are becoming clearer.

One of these has been Britain's commitments to Chinese-built telecommunications equipment for 5G infrastructure. As Britain may line itself more with the US for trade deals in future, does this mean an abrupt u-turn to appease the US government, which has taken a hard line against Chinese providers such as Huawei and ZTE? To explore this conundrum, is ISMG's executive editor day-to-day in Europe, Matthew Schwartz? As Britain continues to collectively debate its existential future, one big question continues to loom large.

We'll look at the government, led by Prime Minister Boris Johnson. Allow British telecommunications providers to use Chinese-built telecommunications gear as part of the country's national 5G rollout. Of course, that question isn't nearly as important as the question of how and when Britain will exit the EU following the June 2016 Brexit referendum in which a majority of voters opt-in for the country to leave the European Union. The British government's self-imposed Brexit deadline has now been rescheduled for the third time to January 31st.

In the meantime, answers to numerous other questions, and arguably huge swaths of basic governance have been left in limbo. So should China be trusted, critics say the Chinese government could easily force domestic manufacturers to use their 5G gear to help spy on other nations' networks. Over the past year, the Trump administration has been publicly pressuring allies to ban all gear built by the likes of Huawei and ZTE from their networks. White House officials have warned that it might curtail intelligence sharing with any ally that adopts Chinese gear, including members of the Five Eyes Intelligence Sharing Partnership, comprised of the US, as well as Australia, Britain, Canada, and New Zealand.

This week, a White House national security delegation arrived in London, meeting with senior British government officials to urge them to ban Chinese gear. What will Britain do? On Tuesday, Boris Johnson sat for an interview with the BBC Breakfast Show, asked about what his 5G decision would be, and the Prime Minister remained firmly equivocal. The British public deserve to have access to the best possible technology.

I've talked about infrastructure and technology. We want to put in a gigabit broadband for everybody. Now, if people oppose one brand or another, then they have to tell us which is the alternative. Right?

On the other hand, let's be clear, I don't want as a UK Prime Minister to put in any infrastructure that is going to prejudice our national security or our ability to cooperate with Five Eyes Intelligence Parks. The US pushed the block Huawei, the world's largest manufacturer of 5G gear from Britain's 5G rollout is hampered on several fronts. For starters, a secret technical assessment prepared by the intelligence services reportedly concluded that the risks of using Huawei in Britain as part of its 5G rollout could be minimized, especially in non-core parts of the network, if the process was appropriately managed. In addition, the Trump administration has failed to produce any smoking guns, pointing to Beijing, having used gear from the likes of Huawei or ZTE to spy.

Instead, critics likened the use of Chinese gear to providing Beijing with a loaded gun that it could use at a time of its own choosing. As Britain's Prime Minister told the BBC, however, what is the alternative to using Chinese-built gear? It navigates its go-it-alone Brexit future, outside the EU, it faces a 5G Sophie's choice. If it blocks Chinese networking gear, it risks anger-engaging, triggering trade sanctions, and a potential increase in cyber espionage.

If it adopts Chinese networking gear, it risks angering Washington, triggering trade sanctions, and losing access to Five Eyes Intelligence. Faced with such a choice, the decision by the British government appears to be clear. At least for now, do nothing. For Information Security Media Group, I'm Matthew Schwartz.

You're listening to the ISMG Security Report on ISMG Radio, your number-one source for information and security news. There are many areas of concern when it comes to cyber security and data privacy, but when the Venn diagram includes photographs and video of babies, location-based data, and very leaky servers, the alarm bells really start ringing. This is what happened recently with Peek-boo Moments. A mobile app has allowed parents to share photos and video over their infants with family and friends, or in this case, with anyone who came across their wide-open database of media on the internet.

So that's more, it's ISMG's managing answer security and technology, Jeremy Cook. The short video features a bundled baby snoring gently who flashes a couple of involuntary, sleepy smiles as someone sings a lullaby. The video is one of what is likely thousands of baby videos and images leaked by the mobile app Peek-boo Moments. The company behind it, Bit House Inc, left an open elastic search database on the internet.

The breach was discovered by Dan Erlich, who runs the Austin-based computer security consulting firm, 12 Security. The database contained upwards of 70 million log files comprising more than 100 gigabytes that go back to March 2019. The logs recorded when someone uses Peek-boo and the specific action they took at a certain point in time, such as uploading data or content. The data exposed includes email addresses, detailed device data, and often links to photos and videos, which are stored on Alibaba's cloud.

Erlich estimates there may be as many as 800,000 email addresses in the data, and possibly more. For some of the babies whose data is exposed, this is quite possibly their first data breach exposure. The app transmits sensitive data. It has a growth tracker that allows people to record their baby's length and weight.

It also has a field for a baby's birth date. Another field shows the app collects location data and latitude and longitude for decimal points, which is accurate within about 10 meters of a person's actual location. When someone comes across such a finding, it should be an easy resolution. Contact the company, let them know what's wrong, and hopefully they will immediately fix it.

In this case, that didn't happen. Erlich and I tried for days to get someone at BitHouse to respond. I even contacted a former colleague of the company's CEO, who acted as kind of an intermediary. At one point, he suggested Erlich and I perhaps wanted money in exchange for not writing a story about the breach.

Nothing could have been further from the truth. We just wanted Peekaboo to secure the database. I told him the breach had legal implications for the company, including possible fines under GDPR. Absent a response from Peekaboo, we ran the story.

About seven hours later, after it was published on ISMG's website, a co-founder from Peekaboo reached out and said the server had been secured. Troy Hunt is a data breach expert who founded the Have I Been Poned notification service. He tells me for the most part, Peekaboo's exposure is a garden variety one of the likes we see every day, but the exposure of data on children sets it apart as well as the unresponsiveness to a breach warning. This kind of notification mess is all too common, though, that's encountered by security researchers and to some extent journalists.

Although a warning out of the blue of a data breach might seem strange, it's best to take it to heart. For Information Security Media Group, I'm Jeremy Kirk. Finally, deception technology is gaining significant momentum as it's all in the overall arsenal that gains a side of threats. I wanted to learn more about the role of deception tech and how it's evolving, so I spoke with Joseph Kroll, a senior analyst at ITA Group, and also if you could describe how it works and how technology is changing it.

It is. So I first was exposed to deception technologies in 2016 after doing some work with Israeli startups on most notably, Illusive Networks. And I was extremely positive about the concepts, the technologies, and the capabilities of deception tech. But what I found were two things that I think inhibited its ability to have an impact on our industry.

The first, it was very, very difficult to explain. There were a lot of things about the technology and about the ability to provide this type of embedded deception in existing corporate networks. And the second challenge is that the deployment model was not as easy as it could be. I think a lot of folks that understood traditional cybersecurity just could not get their head wrapped around how do I deploy assets, which really are not assets.

How do I put documents? How do I put credentials? And how do I put network assets like endpoints or servers that are emulating real things? And I think it was that they suffered from the inability to properly explain that to the target buyer who had a very traditional outlook about how cyber defense technology should be deployed.

Obviously, if they're deployed correctly, they offer some incredible capabilities. And the fact that when you know an attacker gets into the network and they go after one of these deceptive assets or they take an document that is put there specifically for stealing, you know immediately that you've got someone in the network that shouldn't be there. And then you can start to sandbox them and most interestingly, you can watch their whole attack scenario without having to shut it down like you would with a traditional defense of technology. But again, I was really, really excited when I first saw it, but then it really just didn't catch on because of the complexities of trying to explain it and sell it.

So, I mean, it has been around for a while as a concepting back to the days of Honeypots and things like that, which would probably be pretty straightforward. So I mean, what technologies are at the forefront today of the evolution of deception tech? What's state of the art as far as you're concerned, Joseph? Sure.

So one of the things you have to do with deceptive technologies, you have to keep them relevant and fresh because the attackers are starting to be able to understand when an organization has deceptive technologies deployed. They look for different activities or signatures or they look for different behaviors and they can say, aha. And in some cases, they can actually identify which vendor has provided those deceptive technologies. So today, what you have to be able to do is rapidly deploy them across multiple environments.

So I mentioned, you know, documents which are placed there, which are bogus that are enticing to an attacker. It could be an end point or a server that you're putting there or it could be just lots of different stuff on the network, which would be enticing one of those things being an active directory instance, which is kind of like the jewel in the crown. When I pivot and I try to escalate my privileges, I want to go after AD. But the problem today is keeping those things fresh creates a maintenance overhead for the organization that wants to deploy the set of technologies.

So what they're trying to do is make these things more dynamic to use technologies that will change the nature of what's deployed on the network. Then it won't be, oh, OK, I see that. I know they're trying to trick me and I'm going to evade that by doing something else. They can do this using AI.

And of course, the whole AI and security is a bit overhyped, but this may be one area where AI can give a second or third life to deceptive technologies. More importantly, it could be like using dynamic deployments of having different types of agents or different types of deceptions that are deployed with very little user or administrator overhead. So they're doing these things dynamically on the fly. That's it for this week's Ice and Security Report.

Theme user is by either audio. I'm Nick Holland. Catch you next time.

That Hoarder: Overcome Compulsive Hoarding That Hoarder Hoarding disorder is stigmatised and people who hoard feel vast amounts of shame. This podcast began life as an audio diary, an anonymous outlet for somebody with this weird condition. That Hoarder speaks about her experiences living with compulsive hoarding, she interviews therapists, academics, researchers, children of hoarders, professional organisers and influencers, and she shares insight and tips for others with the problem. Listened to by people who hoard as well as those who love them and those who work with them, Overcome Compulsive Hoarding with That Hoarder aims to shatter the stigma, share the truth and speak openly and honestly to improve lives. The Small Business Startup School – Business Notes | Financial Literacy | Retail Psychology – For Professionals & Entrepreneurs The Small Business Startup School Inc. Starting or buying a small business? While personal circumstances may vary, business patterns remain timeless. On The Small Business Startup School, we explore strategies, insights, and practical solutions to help entrepreneurs confidently navigate their journey.Hosted by Ola Williams—a retail entrepreneur, fintech founder, and financial coach with over two decades of experience—this podcast marries financial awareness and retail psychology with optimism to deliver actionable takeaways.Join us to learn, grow, and connect as we uncover the keys to business success.Let’s continue to learn together and be encouraged to keep on connecting! DIOSA. Carolina Sanper This podcast is a sacred space created by Carolina Sanper where you connect with your inner wisdom and embody your magnetic feminine power.It is the realization that the mystical realm is where you plant the seeds of your desired reality.It is a portal to your true essence: awareness, presence, and receiving with ease. Welcome home, DIOSA. 🖤 XXX Tech by SOVRYN Dr. Brian Sovryn The crossroads between technology, sensuality, and metaphysics - and the longest running anarchist podcast in the world! Brought to you by Dr. Brian Sovryn.

Frequently Asked Questions

How long is this episode of Info Risk Today Podcast?

Episode duration information is not available.

When was this Info Risk Today Podcast episode published?

This episode was published on January 17, 2020.

What is this episode about?

The latest edition of the ISMG Security Report discusses why Britain is struggling to determine whether to use China's Huawei technology in developing its 5G networks. Plus: An update on a mobile app exposing infant photos and videos online and an...

Can I download this Info Risk Today Podcast episode?

Yes, you can download this episode by clicking the download button on the episode player, or subscribe to the podcast in your preferred podcast app for automatic downloads.
URL copied to clipboard!