And Now For Something Completely Different

I’m going to take a stab at doing something different on the GRC blog so it doesn’t get too stale by posting links to articles I found interesting during the past month or so and adding some thoughts about the articles. While the focal point of the blog will mostly revolve around Governance, Risk, and Compliance (GRC), these will likely stray from that focus and into the wider IT industry / environment.


FIFA

This post popped into my feed on the infosec.exchange Mastodon instance and, though it can be a little technical to read at times (read: boring), it might be the most interesting read from the last month. Bob the Hacker was able to find a weakness in FIFA’s Agent Platform that allowed him to not only see the backend of the FIFA feeds, but change them if he wanted. Things got worse as he attempted to contact FIFA to report the security flaw. The headline for the post makes it even better, thinking about how funny it would have been if he changed a match feed to Rick Astley’s Never Gonna Give You Up at the most inopportune time.

I Could’ve Rickrolled the Entire FIFA World Cup. All I Needed Was My ID

On that note, why not give the song a watch/listen.


Apple

It didn’t happen overnight, but the devices I use in my personal life are almost entirely in the Apple ecosystem, so articles about them tend to pique my interest. However, the reality of this article headline about an exploit doesn’t really hold up from a risk perspective. Yes, there’s an exploit on millions of iPhones that can’t be patched. However, assuming the information included in the article is accurate, it only affects older iPhones, requires directly connecting to the iPhone via a special USB device, and doesn’t grant access to user data. It’s not something to dismiss, but maybe don’t let someone connect a USB device to your iPhone without your knowledge.

New Exploit Bypasses Apple’s Boot Defenses

Sticking with the Apple ecosystem, Apple is planning to move from @icloud.com to @private.icloud.com for their hide my email address feature. I’ve used this feature a few times when signing up for an online web site/service. I’m not a fan of the change as it would seem to make it easier for web sites to blacklist @private.icloud.com email addresses, nullifying its usefulness.

Apple Plans to Change its Hide My Email Privacy Feature


META

I don’t actively use Meta platforms much anymore, mostly just using Facebook for the community page to keep up with things happening in my neighborhood, but that’s not really the point of the article. The article is about an employee tracking program called MCI.

Meta rolled out the Model Compatibility Initiative (MCI) tool in April to US employees. The tool “collects computer inputs such as mouse movements, click locations and keystrokes, as well as screen content,” according to workers who have been petitioning against it over privacy, security, and personal liberty concerns.

There are obviously a lot of decisions that go into obtaining employment and deciding to stay with that employer over time, but I’m not sure I’d be willing to give up all my privacy to allow an employer to go into this level of monitoring. To make matters worse, Meta failed to protect the data it was gathering in the program… TWICE. Not good.

Meta Pauses Employee-Tracking Program Following Internal Data Leak


That’s it for this month.