Pete Recommends – Weekly highlights on cyber security issues November 3 2018

Subject: As digital threats grow, will cyber insurance take off?
Source: The Conversation

From my research on cybercrime and cybersecurity over the past two decades, it is clear to me that cyberattacks have become increasingly sophisticated. The cyber insurance market’s extremely small size suggests that organizations and individuals might have underrated its importance. However, more and more internet users are finding reason to protect themselves. In 10 years’ time, insurance coverage for cyberattacks could be standard for every homeowner.

The insurance industry is doing more, too. A wide range of insurers such as Munich Re, AIG’s CyberEdge, Saga Home Insurance, Burns & Wilcox and Chubb all offer cyber insurance for individuals. These plans cover as much as $250,000 to repair or replace damaged devices and to pay for expert advice and assistance if a cyberattack affects a policyholder. They may also include data recovery, credit monitoring services and efforts to undo identity theft.

Some current challenges:

Before cyber insurance becomes more common, however, the insurance industry will likely have to come to some consensus about what will and won’t be covered. At the moment each plan differs substantially – so customers must conduct a detailed assessment of their own risks to figure out what to buy. Few people know enough to be truly informed customers. Even insurance brokers don’t know enough about cyber risks to usefully help their clients.


Subject: U.S. mail bomber case prompts call for better postal screening
Source: Reuters via Yahoo

(Reuters) – The arrest on Friday of a man accused of mailing at least 14 explosive devices to prominent Democrats and critics of U.S. President Donald Trump has prompted concern about how the U.S. Postal Service screens against deadly deliveries.

“We’ve got to do a better job of screening the mail,” New York Governor Andrew Cuomo told CNN after Cesar Sayoc, 56, was arrested in Florida. Sayoc was charged with five federal crimes including threats against former presidents and faces up to 48 years in prison if found guilty. The Postal Service does not screen most of the mail, Joe Bellissimo, a retired postal inspector, said in a phone interview from Pittsburgh.

“We call it the sanctity of the seal. It’s protected under the Constitution,” he said. “Unless there is something exigent about that mail, you can’t go around scanning everything.”

The U.S. Postal Inspection Service said it combines specialized technology, screening protocols and employee training to screen for dangerous mail. It also has a forensic laboratory in Dulles, Virginia, according to its website. The Postal Inspection Service, which investigates mail crimes, created a Dangerous Mail Investigations agency following the anthrax mailings of 2001 that killed five people and sickened 17.

Subject: The Next Big Internet Threat
Source: POLITICO Magazine

All told, the internet age has seen four major waves of digital threats. None of these challenges has been entirely resolved, and the more recent of them remain serious threats, not just to the integrity of online dialogue but to American security and democracy. But the fifth wave is now fast upon us—and it might prove the thorniest of all.

So, what will we see next in the social media universe? Thus far, we’ve witnessed four major waves of offensive content that have tracked the darkest tendencies in humanity—content that has exploited people (sex), spread vitriol (hate), encouraged ghastly attacks (violence) and duped electorates (power). Going forward, we fear a new kind of trend will emerge: “reputational exploitation,” feeding off the human tendency to maximize self-interest while paying no heed to the rest of society—namely, through false disparagement of others for one’s own benefit.

Subject: President Trump and Cellphone Security
Source: The Atlantic

Earlier this week, The New York Times reported that the Russians and the Chinese were eavesdropping on President Donald Trump’s personal cellphone and using the information gleaned to better influence his behavior. This should surprise no one. Security experts have been talking about the potential security vulnerabilities in Trump’s cellphone use since he became president. And President Barack Obama bristled at—but acquiesced to—the security rules prohibiting him from using a “regular” cellphone throughout his presidency.

Three broader questions obviously emerge from the story. Who else is listening in on Trump’s cellphone calls? What about the cellphones of other world leaders and senior government officials? And—most personal of all—what about my cellphone calls?

There are two basic places to eavesdrop on pretty much any communications system: at the end points and during transmission. This means that a cellphone attacker can either compromise one of the two phones or eavesdrop on the cellular network. Both approaches have their benefits and drawbacks. The NSA seems to prefer bulk eavesdropping on the planet’s major communications links and then picking out individuals of interest. In 2016, WikiLeaks published a series of classified documents listing “target selectors”: phone numbers the NSA searches for and records. These included senior government officials of Germany—among them Chancellor Angela Merkel—France, Japan, and other countries.


Subject: Proper Disposal of Electronic Devices

Why is it important to dispose of electronic devices safely?

In addition to effectively securing sensitive information on electronic devices, it is important to follow best practices for electronic device disposal. Computers, smartphones, and cameras allow you to keep a great deal of information at your fingertips, but when you dispose of, donate, or recycle a device you may inadvertently disclose sensitive information which could be exploited by cyber criminals.
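The tip above stops at "follow best practices"; the practical question is how to prove a device no longer carries the data before it leaves your hands. The following is an added example for this entry, not code from the tip: it overwrites a disk image in place (a random pass then a zero pass), fsyncs, reads the image back to confirm every byte is zero, and runs a `strings`-style scan for printable runs before and after. The file path, the 3 MiB image and the fake patient record are constructed here. Caveat for practitioners: on SSDs and other flash media an overwrite does not reach spare or remapped blocks, so use the drive's own secure-erase/crypto-erase command, or destroy the key of a full-disk-encrypted device; the read-back check below still applies to whatever the sanitization method leaves readable.

```python
"""Overwrite a disk image before disposal and verify nothing readable remains.

Added example for this newsletter entry, not code from the tip. It operates on
a regular file standing in for a device image (on Linux the same functions work
on a block device path you may write to). Overwriting is NOT sufficient for
SSD/flash media; use firmware secure erase or crypto erase there.
"""
import os
import re
import tempfile

CHUNK = 1 << 20   # 1 MiB per write/read

def overwrite_image(path, passes=("random", "zero")):
    """Overwrite every byte of `path` in place, one pass per entry in
    `passes`, fsync-ing after each pass. Returns the number of bytes covered."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for kind in passes:
            f.seek(0)
            remaining = size
            while remaining:
                n = min(CHUNK, remaining)
                f.write(os.urandom(n) if kind == "random" else bytes(n))
                remaining -= n
            f.flush()
            os.fsync(f.fileno())        # make the pass hit stable storage
    return size

def verify_zeroed(path):
    """True iff every byte reads back as 0x00, i.e. the final zero pass landed."""
    with open(path, "rb") as f:
        while True:
            chunk = f.read(CHUNK)
            if not chunk:
                return True
            if chunk.count(0) != len(chunk):
                return False

def find_remnants(path, min_len=8):
    """'strings'-style scan: printable ASCII runs of min_len+ bytes, which is
    what a casual recovery attempt would pull off a discarded drive."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    with open(path, "rb") as f:
        data = f.read()     # whole image; stream overlapping chunks for a real disk
    return [m.group().decode("ascii") for m in pattern.finditer(data)]

def demo():
    """Build a constructed 3 MiB image holding a fake record, wipe it, and
    return (remnants before, zero-verified, remnants after)."""
    record = b"PATIENT=Jane Doe;MRN=TEST-000000;DX=constructed sample"  # not real data
    fd, path = tempfile.mkstemp(suffix=".img")
    os.close(fd)
    try:
        with open(path, "wb") as f:
            f.write(os.urandom(CHUNK) + record + os.urandom(2 * CHUNK + 123))
        before = find_remnants(path)
        overwrite_image(path)
        return before, verify_zeroed(path), find_remnants(path)
    finally:
        os.remove(path)

if __name__ == "__main__":
    before, ok, after = demo()
    print("record visible before wipe:", any("MRN=TEST" in s for s in before))
    print("image reads back all zero:", ok, "| printable runs left:", len(after))
```

Random bytes happen to contain many short printable runs, so the "before" scan is noisy; the point is that the constructed record is among them and that nothing at all survives the zero pass. The verify step is the part worth keeping in a disposal checklist: a wipe that was never read back is an assumption, not evidence.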

Subject: Best Wireless Home Security Cameras of 2018
Source: Consumer Reports

Consumer Reports now tests them for data privacy and security. Wireless security cameras are a great way to keep an eye on your home and spot potential trouble. But just because your house is safer doesn’t mean the footage these streaming video cameras collect is necessarily safe—or even private. That’s why Consumer Reports is beefing up its testing of these popular smart-home devices.

“Your home is a very private place,” says Robert Richter, CR’s program manager for privacy and security testing. “We chose to add tests for data security and data privacy to our evaluations of wireless security cameras because they’re capable of capturing and transmitting very sensitive data.”

These new tests are part of Consumer Reports’ work on The Digital Standard, an open-source standard it created with other organizations to promote digital privacy and security in consumer products and services. Using The Digital Standard, we conducted more than 50 data privacy and security tests on each camera.

With the addition of these exhaustive new tests in our ratings, you can be confident you’re choosing a wireless security camera with good picture quality and plenty of smart features as well as one that will keep your footage as secure and private as possible. For more on the findings of our privacy and security testing, see our story on the security risk we found in one D-Link camera.

More on Home Security Cameras:
D-Link Camera Poses Data Security Risk, CR Finds
Video Doorbells With the Most Free Cloud Storage
6 Smart-Home Upgrades to Help Sell Your House
How to Get Discounts on Smart Home Products

Subject: 30 years ago, the world’s first cyberattack set the stage for modern cybersecurity challenges
Source: The Conversation

Back in November 1988, Robert Tappan Morris, son of the famous cryptographer Robert Morris Sr., was a 20-something graduate student at Cornell who wanted to know how big the internet was – that is, how many devices were connected to it. So he wrote a program that would travel from computer to computer and ask each machine to send a signal back to a control server, which would keep count.

The program worked well – too well, in fact. Morris had known that if it traveled too fast there might be problems, but the limits he built in weren’t enough to keep the program from clogging up large sections of the internet, both copying itself to new machines and sending those pings back. When he realized what was happening, even his messages warning system administrators about the problem couldn’t get through.

His program became the first of a particular type of cyber attack called “distributed denial of service,” in which large numbers of internet-connected devices, including computers, webcams and other smart gadgets, are told to send lots of traffic to one particular address, overloading it with so much activity that either the system shuts down or its network connections are completely blocked.
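The pattern the paragraph describes, many sources converging on one address, is also what a detection rule looks for in flow or firewall logs. The block below is an added example for this entry, not code from the article: it builds a constructed flow log (ordinary traffic from a handful of hosts plus a burst of 1,000 distinct sources against 10.0.0.5) and runs a per-destination sliding window that counts distinct sources, alerting when the count crosses a threshold. The 10-second window and the threshold of 200 are assumptions to be tuned against your own baseline.

```python
"""Spot a many-sources-to-one-target flood in flow records.

Added illustration for this newsletter entry, not code from the article.
The flow lines below are constructed; window and threshold are assumptions.
"""
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta
import random

BASE = datetime(2018, 11, 3, 12, 0, 0)
rng = random.Random(7)

def make_flows():
    """Constructed flow log, one '<ISO time> <src> <dst> <bytes>' per line:
    120 s of ordinary traffic from 20 hosts to three servers, plus 1,000
    distinct sources hitting 10.0.0.5 inside a 10 s span starting at t+30."""
    lines = []
    for i in range(120):
        t = BASE + timedelta(seconds=i)
        lines.append(f"{t.isoformat()} 192.168.1.{i % 20 + 1} "
                     f"10.0.0.{i % 3 + 10} {rng.randint(200, 4000)}")
    for i in range(1000):
        t = BASE + timedelta(seconds=30 + i % 10)
        lines.append(f"{t.isoformat()} 100.64.{i // 250}.{i % 250 + 1} 10.0.0.5 60")
    rng.shuffle(lines)           # collectors rarely deliver records in order
    return lines

def parse_flow(line):
    ts, src, dst, nbytes = line.split()
    return datetime.fromisoformat(ts), src, dst, int(nbytes)

def detect_floods(lines, window_s=10, threshold=200):
    """Return {dst: peak distinct-source count} for every destination that is
    contacted by >= threshold distinct sources within any window_s-second
    sliding window. A per-destination deque plus Counter keeps eviction O(1)
    and correctly forgets a source once all its flows have left the window."""
    flows = sorted(parse_flow(l) for l in lines)
    window = timedelta(seconds=window_s)
    recent = defaultdict(deque)      # dst -> [(time, src), ...] inside window
    active = defaultdict(Counter)    # dst -> src -> flows inside window
    alerts = {}
    for t, src, dst, _ in flows:
        q, c = recent[dst], active[dst]
        q.append((t, src))
        c[src] += 1
        while q and t - q[0][0] > window:     # evict flows older than window
            _, old_src = q.popleft()
            c[old_src] -= 1
            if c[old_src] == 0:
                del c[old_src]
        distinct = len(c)
        if distinct >= threshold:
            alerts[dst] = max(alerts.get(dst, 0), distinct)
    return alerts

if __name__ == "__main__":
    for dst, n in detect_floods(make_flows()).items():
        print(f"possible flood against {dst}: {n} distinct sources in 10 s")
```

Counting distinct sources rather than raw packets is what separates a volumetric flood from a single noisy client; the same structure can hold bytes per window instead of a Counter of sources if the concern is bandwidth exhaustion rather than connection exhaustion.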

There is cause for hope, though. In the wake of the Morris worm, Carnegie Mellon University established the world’s first Cyber Emergency Response Team, which has been replicated in the federal government and around the world. Some policymakers are talking about establishing a national cybersecurity safety board, to investigate digital weaknesses and issue recommendations, much as the National Transportation Safety Board does with airplane disasters.


Subject: Panel highlights legal, business side of using human health data in research | Penn State University
Source: PSU News

UNIVERSITY PARK, Pa. — In today’s world where information moves at a rapid pace, how do researchers make sure they are following the proper rules, especially when their studies pertain to sensitive information such as health data?

Four panelists and one moderator joined together on Oct. 11 to discuss matters of cyber security, privacy and health data for an Institute for CyberScience (ICS) CyberScience Seminar titled “Digital Human Data Research: Critical Law, Policy, & Business Considerations.”

Herder pointed out that the Intellectual Property Clinic, a free resource for Penn State researchers, can help faculty understand issues around copyright of data and technologies. Similarly, Sharbaugh pointed to another free resource, the Entrepreneurial Assistance Clinic and LaunchBox, that will work with researchers to build knowledge around technology transfer — the process of taking products to market — so that researchers can be more confident in their decisions.

“When Strava decided to combine satellite heat imagery and its wide array of data about users, the unthinkable happened. When combined with other publicly available satellite imagery, Strava’s heat map accidentally gave away the location of numerous undisclosed, U.S. special operations bases — for all the world to see,” McKenna said.

This is just one of the many concerns facing data privacy, especially when it comes to how data is used and stored. McKenna, Sharbaugh, Herder and Gilmore provided the audience with knowledge and tips for how to continue conducting research and accomplish goals, such as how to take products to market while following laws.
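The Strava example is a leak from aggregation, not from any single record: each user's data was benign on its own, and the published heatmap was the problem. The block below is an added example for this entry, not Strava's or the panel's code. It aggregates constructed GPS points into grid cells and applies the usual release rule of showing a cell only when at least k distinct contributors were seen there. The coordinates, the 0.01-degree cell size and k=5 are assumptions; the two remote "sites" are arbitrary points chosen so that one has three contributors and the other forty.

```python
"""Aggregated-location leakage and a contributor-count release threshold.

Added example for this newsletter entry, not Strava's or the panel's code.
Points are constructed; the city, 'site A' and 'site B' coordinates are arbitrary.
"""
import math
import random
from collections import defaultdict

CELL_DEG = 0.01        # roughly 1 km grid at mid latitudes (assumption)

def cell_of(lat, lon, cell_deg=CELL_DEG):
    """Map a coordinate to an integer grid cell (floor handles negatives)."""
    return (math.floor(lat / cell_deg), math.floor(lon / cell_deg))

def aggregate(points, cell_deg=CELL_DEG):
    """points: iterable of (user_id, lat, lon) -> {cell: set of user_ids}."""
    cells = defaultdict(set)
    for uid, lat, lon in points:
        cells[cell_of(lat, lon, cell_deg)].add(uid)
    return cells

def publish(cells, k):
    """Release rule: a cell is shown only if at least k distinct contributors
    were seen in it. Returns {cell: contributor count} for released cells."""
    return {c: len(users) for c, users in cells.items() if len(users) >= k}

def make_points(seed=1):
    """Constructed activity: a busy city, a 3-person remote site A, and a
    40-person remote site B, each user contributing 20 positions."""
    rng = random.Random(seed)
    pts = []

    def loop(prefix, n_users, lat, lon, spread, n_pts=20):
        for uid in range(n_users):
            for _ in range(n_pts):
                pts.append((f"{prefix}{uid}",
                            lat + rng.uniform(-spread, spread),
                            lon + rng.uniform(-spread, spread)))

    loop("city", 200, 40.055, -75.055, 0.01)
    loop("a", 3, 12.345, 45.675, 0.002)     # stays inside one cell
    loop("b", 40, 12.355, 45.675, 0.002)    # stays inside the next cell north
    return pts

SITE_A_CELL = cell_of(12.345, 45.675)
SITE_B_CELL = cell_of(12.355, 45.675)

def demo(k=5):
    """Compare an unfiltered heatmap with one released under the k rule."""
    cells = aggregate(make_points())
    raw, released = publish(cells, 1), publish(cells, k)
    return {
        "site_a_in_raw": SITE_A_CELL in raw,
        "site_a_released": SITE_A_CELL in released,
        "site_b_released": SITE_B_CELL in released,
        "cells_dropped": len(raw) - len(released),
    }

if __name__ == "__main__":
    for key, val in demo().items():
        print(f"{key}: {val}")
```

The threshold removes site A, where only three people ever recorded activity, but site B stays on the map because forty contributors exceed k. That is the limitation to keep in mind: a contributor-count rule protects individuals in sparsely used places, but when a sensitive location is itself busy, as a base with many personnel would be, the heat it produces is exactly what the rule is designed to keep. Protecting such sites needs a different control, such as geographic exclusion or activity that is private by default, not a larger k.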

Subject: Twitter now lets you report accounts that you suspect are bots
Source: The Verge via beSpacific

(I wonder if there will be any counter-bots that falsely accuse twitter users as bots? / pmw1)

The Verge – Part of Twitter’s broader fake account crackdown: “Twitter has updated a portion of its reporting process, specifically when you report a tweet that you think might be coming from a bot or a fake account masquerading as someone or something else. Now, when you tap the “it’s suspicious or spam” option under the report menu, you’ll be able to specify why you think that, including an option to say “the account tweeting this is fake.” Twitter announced the change through its official safety account today, and it’s now live on both the web version and mobile version of the service. You can see an example of the mobile report flow pertaining to this update below:

Activity that attempts to manipulate or disrupt Twitter’s service is not allowed. We remove this when we see it. You can now specify what type of spam you’re seeing when you report, including fake accounts. — Twitter Safety (@TwitterSafety) October 31, 2018.

Subject: How safe is your place of worship?
Source: The Conversation

Many Americans may be wondering what security measures are in place at their place of worship after 11 people were killed in the Oct. 27 shooting at the Tree of Life synagogue in Pittsburgh. President Donald Trump also alluded to this question when he said “the results would have been far better” if the Tree of Life congregation had armed guards or members.

According to news reports, the Tree of Life synagogue did not have armed guards present at the time of the shooting. Many community leaders rebuked Trump’s statements and argued that increasing armed security was not the solution.

We are a sociologist and criminologist who in 2015 conducted a national study of religious congregations’ experiences with, fears of and preparations for crime. Our study, which was supported by the National Science Foundation, featured a survey of over 1,300 places of worship and in-depth interviews with more than 50 congregational leaders.

We asked each leader – individuals with significant knowledge of the congregation’s operations – about the congregation’s history of crime, its security measures, the individual’s assessment of future crime risk and fears, and a variety of questions about the congregation’s operations and neighborhood. While the Tree of Life synagogue was not part of our study, the results of this work may hold useful insights for conversations about crime and security in places of worship. Here’s what we found…

Subject: FDA isn’t doing enough to prevent medical device hacking, HHS report says
Source: CNN

(CNN) The US Food and Drug Administration is not doing enough to prevent medical devices such as pacemakers and insulin pumps from being hacked, a report from the US Department of Health and Human Services’ Office of the Inspector General said Thursday.

“FDA had plans and processes for addressing certain medical device problems in the postmarket phase, but its plans and processes were deficient for addressing medical device cybersecurity compromises,” the report says.

The report came after the inspector general’s office identified cybersecurity in medical devices as one of the top management problems for Health and Human Services. The FDA is the division responsible for the safety of these devices.

The report recommended that the FDA continually assess and update its plans and strategies on medical device cybersecurity risks, establish written procedures and practices to share information about cybersecurity events with key stakeholders such as clinicians, ensure that a procedure for the recall of vulnerable devices is established and maintained, and make agreements with federal partners to further the cybersecurity mission.

In 2017, the FDA reported on vulnerabilities in St. Jude Medical’s Implantable Cardiac Devices, including pacemakers and defibrillators, and the accompanying St. Jude Medical’s Merlin@home Transmitters.

Posted in: Cybersecurity, Gadgets/Gizmos, Healthcare, Social Media