Category Archives: Cybersecurity & Digital Privacy

Hack The Army 3.0 Starts Today (01/06/2021)

The Defense Digital Service, a self-described “SWAT team of nerds,” along with service provider HackerOne, is conducting another in a series of bug bounty programs to help organizations identify potential cybersecurity vulnerabilities.

Military and civilian hackers invited to discover and disclose vulnerabilities in digital assets affiliated with the largest branch of the U.S. Military

Source: HackerOne

Thematics Make Outsized Returns in 2020

To say 2020 was a year unlike any other is an understatement on several fronts but despite all of it, equities finished the year higher and once again the major indices were bested by several of Tematica Research’s thematic indices. That includes several of them topping the outsized (but fairly narrowly driven) 43.6% return for 2020 registered by the Nasdaq Composite Index.

Investing between February 19th and March 23rd was a clear example of “catching a falling knife” as the uncertainty of the impact of an unfolding global pandemic set in. While that uncertainty lingered well into the 2nd quarter, some trends started to emerge that forced changes in both consumer behavior and company business models. Going into the 3rd quarter, equities recovered as economic data and earnings were somewhere between better than expected and not as bad as feared. There were some setbacks in September and October as Covid case counts surged, but stocks were once again surging in early November due to a fresh shot of hopium following positive vaccine developments and the conclusion of the presidential election.

The bulk of the 2020 gains for the Dow Jones Industrial Average and the S&P 500 came during the fourth quarter, despite the year-end haggling over the pandemic relief bill. The same was true with the small-cap heavy Russell 2000, which climbed 31% in the fourth quarter, outpacing the other major market barometers and enabling its positive return for all of 2020. By comparison, the Nasdaq Composite Index, which closed up more than 40% in 2020, benefited from a number of factors, including the pandemic-inspired accelerated shift to digital shopping, work from home and learn from home. That pull-forward in both data consumption and data creation fueled incremental network capacity additions and set up the launch of 5G networks and devices in the second half of the year. The same shift, however, led to a year-over-year uptick in cyberattacks, culminating with the SolarWinds attacks that compromised not just federal institutions and large companies, but also platforms of Microsoft (MSFT) and FireEye (FEYE). Those catalysts in particular led to the strong December quarter showing for Tematica’s Digital Infrastructure & Connectivity and Cybersecurity & Data Privacy investing themes.

What’s to come in 2021?

It’s great to enjoy the wins, but as we all know, the stock market is a forward-looking animal and that means not taking too much time to pat ourselves on the back, but rather preparing for what lies ahead. Even as the COVID-19 vaccine is being administered, it will take months before vaccines are readily available to all who need them. Then, and only then, will many politicians feel comfortable fully reopening their economies. On January 4, for example, UK Prime Minister Boris Johnson ordered a third national lockdown to be in place through mid-February. Yes, there is a light at the end of the tunnel, but we continue to see some economic speed bumps to be had, at least at the outset of the March quarter.

In the coming weeks, President-elect Joe Biden will be sworn into office, and despite the lawsuits, promises of legislative (and other) disruptions, the machinery of government continues to move forward. Perhaps Capitol Hill will hammer out an infrastructure spending bill that will finally address the nation’s crumbling roads, bridges, ports, airports and highways. The ongoing trade issues with China will also need to be addressed, as well as President Biden’s own agenda items.

Before Biden takes the Oval Office, two known items that we’ll contend with are the CES 2021 tech conference and the start of the December-quarter earnings season. Much like other conferences and trade shows held during the pandemic, CES will be a virtual-only event for the first time in its history. It will still feature a number of keynotes that will prognosticate on what we are likely to expect in the coming year on the technology front and “virtual” vendor booths.  

In recent weeks we’ve seen GDP expectations for the start of 2021 drift lower as the pandemic has once again presented a headwind to the economy and efforts to contain it have expanded. We’re also learning of a new strain of Covid-19 that “spreads more efficiently” but “does not seem to evade the protection that’s afforded by vaccines that are currently being used,” according to Dr. Anthony Fauci. At the same time, the distribution of vaccines in the U.S. has gotten off to a slower-than-expected start. Expectations are that vaccine activity will increase in the coming weeks and we’ll be sure to keep tabs on vaccine-related data published on the CDC COVID Data Tracker website. As the number inoculated rises in the coming months, the closer we will be to the economy returning to normal. 

The issue is that it will take some time to walk down this path, which suggests things won’t begin to normalize until the second half of 2021. We also continue to think consensus expectations run the risk of an economic and earnings speed bump in 2021. Supporting that view is the retreat in the Citibank Economic Surprise Index in recent months, and also the slowing growth reported in the IHS Markit December Flash U.S. Composite PMI data. Part of that was due to the fall in new export sales, as renewed lockdowns in key export markets dampened foreign demand.

All of this is summed up rather well by Chris Williamson, Chief Business Economist at IHS Markit who said, “… December has seen companies rein in their expectations, given the higher virus case numbers and tougher lockdown stances adopted in some states. Lockdowns in other countries were meanwhile reported to have hit exports. While vaccine developments mean some of the clouds caused by the pandemic should lift as we head through 2021, rising case numbers continue to darken the near-term outlook.” 

Normally, there tends to be some step down in economic activity from the December quarter to the March one, as consumer spending wanes in comparison to the year-end holiday shopping season. The start of 2021 is expected to see a somewhat larger step down in GDP, to 1.9% during the March quarter vs. the expected 4.1% in the December 2020 quarter, according to data published by The Wall Street Journal’s Economic Forecasting Survey. That same survey goes on to forecast GDP of 3.7% for all of 2021, which means its expectation for the other three quarters of 2021 hovers around 4.0%.

While recent COVID-19 new cases have waned some in aggregate across the U.S., hot spots remain — and that has prompted the extension of virus-fighting measures even as a new strain of the virus that spreads quicker has been found inside the U.S. Similar to what we saw after Thanksgiving, odds are we will see a post-holiday rise in new case counts in early January. Should this come to pass, in all likelihood it will mean more restrictions that will be a headwind to the economy and corporate earnings.

Earnings expectations ahead

On the December-quarter earnings front, data from FactSet shows that so far in the quarter, more S&P 500 companies issued positive earnings guidance than average. More than 80 companies in the index have issued EPS guidance for the December quarter so far and of them, roughly 30 issued negative EPS guidance and more than 55 issued positive EPS guidance. That puts the percentage of companies issuing positive EPS guidance at more than 65%, well above the five-year average of 33%. This sounds positive, but keep in mind that the total number of companies issuing guidance remains well below the five-year average for the quarter and the consensus expectation for December quarter EPS is still a year-over-year decline of around 10%.

Digging into the data, we see the S&P sectors that are driving that year-over-year decline for the December quarter.

But again, the stock market is a forward-looking animal, and current expectations call for a 22.7% rebound in S&P 500 EPS during 2021 vs. 2020, as well as a 4.1% increase compared to 2019.

Circling back to the Tematica Research indices that we shared at the outset, their EPS prospects over the 2019-2021 period are multiples greater than for the S&P 500. We attribute this to the pronounced tailwinds that are powering each of those themes as well as the revenue, EPS and cash flow of the aggregated constituents. One rule of thumb on Wall Street is that faster EPS growth tends to spur multiple expansion, which is a pretty powerful one-two combination for stock prices and index constituents. Reflecting on the below data, it looks like 2021 will be another year of outperformance for several Tematica Research themes and indices.

U.S. Treasury Cyber Attack

It was revealed that an assumed nation-state-backed group has been monitoring employee emails for some time. It is not known yet if access was obtained through a phishing or direct attack on the group’s MS Office 365 platform. Officials met Saturday, December 13th to assess the damage and prepare a remedy.

Hackers backed by a foreign government stole information from the U.S. Treasury Department.

Source: U.S. Treasury breached by hackers | CyberNews

California voters approved California Privacy Rights and Enforcement Act. Now what?

On November 3, California citizens approved the California Privacy Rights and Enforcement Act (CPRA), a comprehensive privacy law that expands the California Consumer Privacy Act (CCPA). Of note, the CPRA creates more stringent requirements for companies that collect and share sensitive personal information and creates the California Privacy Protection Agency, which will be responsible for enforcing CPRA violations once the CPRA becomes effective on January 1, 2023. Most privacy experts believe the CPRA moves California closer to the European Union’s General Data Protection Regulation (GDPR).

The CPRA defines “sensitive personal information” as a wide range of data points that includes things like account and login information, precise geolocation data, contents of mail, email and text messages, genetic data, Social Security numbers, drivers licenses, passports, financial accounts, race, ethnicity, religion, union membership, personal communications, genetic and biometric data, health information, and anything about sex life or sexual orientation.

CPRA sets limits on the collection and retention of personal information, requiring a business to retain only that which is reasonably necessary to achieve the purposes for which the personal information was collected or processed. In addition, the CPRA requires businesses to inform consumers of the length of time the business intends to retain each category of personal information and sensitive personal information, or the criteria used to determine that period.

The CPRA also expands the private right of action for consumers to bring claims against a business for the unauthorized access or disclosure of an email address and password or security question that would permit access to an account, along with access to a consumer’s non-encrypted and non-redacted personal information. It creates triple damages for violations relating to consumers who are minors under the age of 16.

One key change in the CCPA requirements in the CPRA is an extension of an exemption for businesses in terms of their employees’ data. The CPRA gives businesses the exemption from meeting the consumer privacy requirements’ tough standards for their employees until January 1, 2023. However, businesses will have to comply with certain aspects of employee privacy protection between now and then.

Source: California voters approved a new and even tougher data privacy act.  What happens now?

Cloudflare and Apple design a new privacy-friendly internet protocol

Engineers at Cloudflare (NET) and Apple (AAPL) say they’ve developed a new internet protocol that will shore up against “one of the biggest holes in internet privacy.” Dubbed Oblivious DNS-over-HTTPS (ODoH), as Nick Sullivan, Cloudflare’s head of research explains, it is meant to “separate the information about who is making the query and what the query is.”

Every time you go to visit a website, your browser uses a DNS resolver to convert web addresses to machine-readable IP addresses to locate where a web page is located on the internet. But this process is not encrypted, meaning that every time you load a website the DNS query is sent in the clear. That means the DNS resolver — which might be your internet provider unless you’ve changed it — knows which websites you visit. That’s not great for your privacy, especially since your internet provider can also sell your browsing history to advertisers.

Enter ODoH, which decouples DNS queries from the internet user, preventing the DNS resolver from knowing which sites you visit.

ODoH wraps a layer of encryption around the DNS query and passes it through a proxy server, which acts as a go-between the internet user and the website they want to visit. Because the DNS query is encrypted, the proxy can’t see what’s inside, but acts as a shield to prevent the DNS resolver from seeing who sent the query to begin with.

Cloudflare (NET) is a constituent in the Foxberry Tematica Research Cybersecurity & Data Privacy Index.

Source: Cloudflare and Apple design a new privacy-friendly internet protocol | TechCrunch

SCOTUS to Weigh in on What Constitutes “Hacking”

Many people’s go-to image for a hacker is some young, hoodie-wearing Anonymous collective member who is just as happy cracking your credit card as he is trolling ISIS with LGBTQ postings. Believe it or not, per the U.S. Computer Fraud and Abuse Act of 1986 the odds are good that you fall under the official definition of a “hacker.” Ever share a password for Spotify, Hulu, Disney+ or Netflix? Hacker! Ever lie on a dating app profile? Hacker! Ever stumble across a bug in a program and want to notify the software publisher of their mistake? Hacker! This ruling could have huge implications and, most importantly, drag a law drafted in 1986 into the here and now.

The court’s decision could fundamentally change how millions use their computers and access online services.

Source: The Supreme Court will hear its first big CFAA case

Almost one-third of top online shopping domains are vulnerable to a cyber attack

It’s extremely important for digital shopping and e-commerce platform websites that handle sensitive customer information to ensure the communication between servers and users is encrypted. As we move into the 2020 holiday shopping season, one that is widely expected to shift considerably to digital shopping given the resurgence in the coronavirus, this is more critical than ever. However, a new report from CyberNews found that nearly one-third of analyzed web servers were vulnerable.

CyberNews decided to see if popular online shops take their encryption hygiene seriously. To do this, our Investigation team analyzed the web servers of 2,620 popular online shopping domains for SSL configuration security, as well as their susceptibility to known vulnerabilities related to the Secure Sockets Layer (SSL) encryption protocol.

…to carry out this investigation, we gathered a list of the top 2,620 online shop domains on Google search. We then tested them for their SSL web server configuration security and their susceptibility to six known high-severity SSL vulnerabilities by using the Qualys SSL Server Test service.

We found that even though the absolute majority of online shops follow excellent to good SSL configuration practices in general, almost a third of the web servers we analyzed are susceptible to known SSL vulnerabilities, with the BEAST vulnerability being the most widespread among online shops.

BEAST (short for Browser Exploit Against SSL/TLS) is an attack that allows a threat actor to access the data exchanged between a web server and the user’s web browser.

Source: 30% of top online shopping domains are vulnerable to BEAST SSL attack | CyberNews

Internet Router Backdoors Create Vulnerabilities For Walmart Customers

When thinking about cybersecurity and backdoors, we usually think of a technique employed to attack corporations or governments. It has been revealed that Middle America was targeted through embedded vulnerabilities in mid-tier routers.

Walmart-exclusive Jetstream routers and Wavlink routers contain hidden backdoors. The routers are actively being exploited by Mirai malware

Source: Walmart-exclusive router and others sold on Amazon & eBay contain hidden backdoors to control devices | CyberNews

Do You Recognize any of These Passwords? I Hope Not!

This annual review shows how some folks just don’t understand that passwords that are short and easy to remember are just as short and easy for hackers to figure out! Don’t get lazy when deciding on a password.

Do you use strong, unique passwords? Check our annual top 200 worst passwords of 2020 and learn how to strengthen them now.

Source: Most common passwords of 2020

Right to Repair – Your Car? This is an issue?

Right to repair laws have long been targeted at consumer electronics. It turns out that knowing where to mark top-dead-center on a car engine’s flywheel just doesn’t get the job done anymore.

The vehicular data question was one of two statewide ballot measures Nov. 3.

Source: Massachusetts votes yes on Question 1, ‘right to repair’ ballot question