Pete Recommends – Weekly highlights on cyber security issues January 5, 2019

Subject: The Cybersecurity Stories We Were Jealous of in 2018
Source: Motherboard

These are the best stories on hacking and information security that we wish we had reported and written ourselves. Here at Motherboard, we are passionate about cybersecurity. We cover stories of hacking and information security every single day. Our goal is to tell you all the most important stories in the world of hackers. Unfortunately, we just can’t get to all the stories, and more often than not, other publications get to them before we do. And that’s OK! It’s how journalism works.

This year, we thought it’d be good to highlight some of those stories. We took inspiration from Bloomberg Businessweek’s Jealousy List, where the magazine highlights other people’s great work. Call it Motherboard’s Cyber Jealousy list. A humble hat tip to our favorite stories from our fierce competitors. It’s a tribute to the journalists and the stories that gave us a bit of envy, pushed us to be better, and best served the public interest. Without further ado, here’s a very incomplete list of our favorite stories about hacking and information security that we loved, and that we wish we had done ourselves….

Subject: Opinion | Our Cellphones Aren’t Safe
Source: The New York Times

Security flaws threaten our privacy and bank accounts. So why aren’t we fixing them?

America’s cellular network is as vital to society as the highway system and power grids. Vulnerabilities in the mobile phone infrastructure threaten not only personal privacy and security, but also the country’s. According to intelligence reports, spies are eavesdropping on President Trump’s cellphone conversations and using fake cellular towers in Washington to intercept phone calls. Cellular communication infrastructure, the system at the heart of modern communication, commerce and governance, is woefully insecure. And we are doing nothing to fix it.

This should be at the top of our cybersecurity agenda, yet policymakers and industry leaders have been nearly silent on the issue. While government officials are looking the other way, an increasing number of companies are selling products that allow buyers to take advantage of these vulnerabilities.

Spying tools, which are becoming increasingly affordable, include cell-site simulators (commonly known by the brand name Stingray), which trick cellphones into connecting with them without the cellphone owners’ knowledge. Sophisticated programs can exploit vulnerabilities in the backbone of the global telephone system (known as Signaling System 7, or SS7) to track mobile users, intercept calls and text messages, and disrupt mobile communications.

These attacks have real financial consequences. In 2017, for example, criminals took advantage of SS7 weaknesses to carry out financial fraud by redirecting and intercepting text messages containing one-time passwords for bank customers in Germany. The criminals then used the passwords to steal money from the victims’ accounts.

Subject: Google Has Lawsuit in Illinois Over Facial Recognition Scanning in Google Photos Dismissed
Source: Gizmodo

Google has had a lawsuit in Illinois over its facial-recognition software thrown out, with a judge dismissing the case on the grounds that the plaintiff in the case did not suffer “concrete injuries,” Bloomberg reported on Saturday. The ruling puts to rest one of three lawsuits against major tech companies for alleged violations of the state’s Biometric Information Privacy Act (BIPA), with The Verge noting that cases against Facebook and Snapchat are still pending.

Individuals in Illinois who believe their rights under BIPA, the nation’s strongest biometrics privacy law, have been violated can sue for damages.

Bloomberg wrote that plaintiffs in this case alleged that Google violated BIPA by collecting facial recognition data without express user consent, specifically by extracting millions of “face templates” from images uploaded to the cloud-based Google Photos service. The plaintiffs further alleged that Google scanned the faces of people who had never signed up for Google Photos, but instead simply had images of themselves uploaded there by other means. From a 2016 International Business Times article on the case:

Subject: Cyber attack hits U.S. newspaper distribution
Source: Reuters via Yahoo Finance

(Reuters) – A cyber attack caused major printing and delivery disruptions on Saturday at the Los Angeles Times and other major U.S. newspapers, including ones owned by Tribune Publishing Co such as the Chicago Tribune and Baltimore Sun.

The cyber attack appeared to originate outside the United States, the Los Angeles Times reported, citing a source with knowledge of the situation.

The attack led to distribution delays in the Saturday edition of The Times, Tribune, Sun and other newspapers that share a production platform in Los Angeles, the Los Angeles Times reported.

Tribune Publishing, whose newspapers also include the New York Daily News and Orlando Sentinel, said it first detected the malware on Friday.

“There is no evidence that customer credit card information or personally identifiable information has been compromised,” Kollias said in a statement.

Subject: Several Popular Apps Share Data With Facebook Without User Consent
Source: Privacy International via Slashdot

Some of the most popular apps for Android smartphones, including Skyscanner, TripAdvisor and MyFitnessPal, are transmitting data to Facebook without the consent of users in a potential breach of EU regulations. From a report: In a study of 34 popular Android apps, the campaign group Privacy International found that at least 20 of them send certain data to Facebook the second that they are opened on a phone, before users can be asked for permission. Information sent instantly included the app’s name, the user’s unique ID with Google, and the number of times the app was opened and closed since being downloaded. Some, such as travel site Kayak, later sent detailed information about people’s flight searches to Facebook, including travel dates, whether the user had children and which flights and destinations they had searched for. European law on data-sharing changed in May with the introduction of General Data Protection Regulation and mobile apps are required to have the explicit consent of users before collecting their personal information.

Subject: Here’s how technology vendors can navigate the legislative branch
Source: fedscoop

Congress can be a difficult place for technology vendors to do business.

The legislative branch’s “unique, fragmented and opaque rules” set a barrier to entry that can keep even vendors with experience in other areas of government out of the loop. But a new white paper from Future Congress aims to lay out the rules of the road for vendors and civic hackers who’d like to help Congress function better.

The paper gives a little information on everything from the governance structure of IT in the House and Senate to the acquisition rules and practices that govern the $288 million in IT spending Congress does each year.

In both chambers, acquisitions generally fall into the categories of “formal procurement,” authorized acquisition or unauthorized acquisition. The “formal procurement” is the more organized and structured of the three — tech acquired here generally serves the institution as a whole.

Subject: Privacy, AI, health records
Source: Homeland Security Newswire

Advances in artificial intelligence have created new threats to the privacy of health data, a new study shows. The study suggests current laws and regulations are nowhere near sufficient to keep an individual’s health status private in the face of AI development.

The study, led by professor Anil Aswani of the Industrial Engineering & Operations Research Department (IEOR) in the College of Engineering and his team, suggests current laws and regulations are nowhere near sufficient to keep an individual’s health status private in the face of AI development. The research was released today on JAMA Network Open.

Aswani says he is worried that as advances in AI make it easier for companies to gain access to health data, the temptation for companies to use it in illegal or unethical ways will increase. Employers, mortgage lenders, credit card companies and others could potentially use AI to discriminate based on pregnancy or disability status, for instance.

Subject: How to recover from cybersecurity incidents: A 5-step plan
Source: TechRepublic

Cybersecurity prevention is essential, but it is failing miserably. Focus on how to recover from cybersecurity events by following these tips.

How dire is it?

Saying that cybersecurity incidents are as inevitable as death and taxes might be a bit much, at least let’s hope so. That said, a strong reminder is a recent survey by the Ponemon Institute for IBM, in which the cost of recovering from a data breach is in the millions. That’s enough money to give most business owners pause, and incentive to consider some of the above preemptive measures.

Subject: Anonymous Patient Data May Not Be as Private as Previously Thought
Source: JAMA Network via Reuters Health via Medscape

(Reuters Health) – For years, researchers have been studying medical conditions using huge swaths of patient data with identifying information removed to protect people’s privacy. But a new study suggests hackers may be able to match “de-identified” health information to patient identities.

In a test case described in JAMA Network Open December 21, researchers used artificial intelligence to link health data with a medical record number. While the data in the test case was fairly innocuous – just the output of movement trackers like Fitbit – it suggests that de-identified data may not be so anonymous after all.

“The study shows that machine learning can successfully re-identify the de-identified physical activity data of a large percentage of individuals, and this indicates that our current practices for de-identifying physical activity data are insufficient for privacy,” said study coauthor Anil Aswani of the University of California, Berkeley. “More broadly it suggests that other types of health data that have been thought to be non-identifying could potentially be matched to individuals by using machine learning and other artificial intelligence technologies.”

Aswani and colleagues used one of the largest publicly available patient databases, the National Health and Nutrition Examination Survey, or NHANES. Included in the database were recordings from physical activity monitors, during both a training run and an actual study mode, for 4,720 adults and 2,427 children.

Subject: Hackers Threaten to Dump Insurance Files Related to 9/11 Attacks
Source: Motherboard

The Dark Overlord appears to be trying to capitalize on conspiracy theories about the September 11 attacks.

On Monday, New Year’s Eve, a hacker group announced it had breached a law firm handling cases related to the September 11 attacks, and threatened to publicly release a large cache of related internal files unless their ransom demands were met.

The news is the latest public extortion attempt from the group known as The Dark Overlord, which has previously targeted a production studio working for Netflix, as well as a host of medical centres and private businesses across the United States. The announcement also signals a slight evolution in The Dark Overlord’s strategy, which has expanded on leveraging the media to exert pressure on victims, to now distributing its threats and stolen data in a wider fashion.

It is unclear what exact files the group has stolen, but it is trying to capitalize on conspiracy theories around the 9/11 attacks.

“Pay the f**k up, or we’re going to bury you with this. If you continue to fail us, we’ll escalate these releases by releasing the keys, each time a Layer is opened, a new wave of liability will fall upon you,” the extortion note reads.

As The Dark Overlord’s announcement notes, the breach itself was previously reported in vague terms by a specialist legal publication, and Hiscox Group pointed Motherboard to the firm’s own April 2018 announcement of a data breach.

Subject: How much Facebook knows about you
Source: Business Insider

  • Facebook’s privacy policies reinforce the message that “you have control over who sees what you share on Facebook.”
  • But if you use Facebook at all, you don’t have much control over what Facebook itself sees about you.

On Facebook’s map of humanity, the node for “you” often includes vast awareness of your movements online and a surprising amount of info about what you do offline, too.

The big picture: Even when you’re cautious about sharing, Facebook’s dossier on you will be hefty. Facebook tackles its mission of “bringing the world closer together” by creating a map of humanity, and each of us represents a tiny node on this “social graph.”

Assembling your profile: This is where your Facebook presence begins….

Subject: HHS releases cyber guides for healthcare orgs
Source: FCW

The Department of Health and Human Services rolled out new guidance to protect organizations in the health care sector from cyberattacks.

The publications are the end result of a requirement in the 2015 Cybersecurity Act to align healthcare security practices and are being marketed by HHS as a starter kit for both IT and non-IT health care professionals to improve baseline cybersecurity. HHS Deputy Secretary Eric Hargan said the guidelines are meant to give “practical, understandable, implementable, industry-led, and consensus-based voluntary cybersecurity guidelines” to “local clinics, regional hospital systems, [and] large health care systems.”

The publication focuses on some of the most common attack vectors used to compromise health care organizations (email phishing, ransomware, data breaches, insider threats and targeted attacks against connected medical devices) and provides basic best practice advice on how to identify and mitigate each threat.

According to a foreword by the task force’s co-chairs, Julie Chua, an HHS risk management specialist in the Office of the Chief Information Officer and Eric Decker, chair of the Association of Executives in Health Care Information Security, the guidance is voluntary for all organizations and draws heavily from the Cybersecurity Framework developed by the National Institute for Standards and Technology.

Several bills designed to bolster cybersecurity requirements for Internet-connected medical devices were introduced in the last session of Congress, though none passed.

NB Strangely, though tagged CYBERSECURITY, I could not find that as a resource at FCW. I did find:

critical infrastructure, department of health and human services, guidance, health care security, hospitals, ransomware

Subject: The FTC’s cyberinsurance tips: A must-read for small business owners
Source: TechRepublic

Small-business owners are beginning to realize cybersecurity technology is a necessary evil—it’s evil in the sense there’s no guarantee company data and/or customer personally identifiable information (PII) will remain secure. Besides losing valuable data, there’s a real possibility that any cybersecurity event would hurt the victim company’s reputation, inhibit business, and decimate financial reserves.

If defensive technology in and of itself is not the answer, what are small-business owners supposed to do—just hope for the best?

The safe bet might be cyberinsurance

The FTC’s cyberinsurance guidelines for small businesses

To help prevent gaps and find some common ground, the Federal Trade Commission (FTC) compiled and published a series of lists on its Cybersecurity for Small Businesses website that should help small-business owners decide what they need to protect. The FTC suggests cyberinsurance should include coverage for:

Insurance on any level is a complicated subject, and then add the complexity of trying to secure a digital infrastructure from cybercriminals—using a partnership like Zeguro and QBE Insurance Group seems like good business.

Subject: Swamped by cyberthreats, citizens need government protection
Source: The Conversation

New York City offers its citizens a free smartphone app called “NYC Secure.” Any U.S. resident can download it, no matter where they live. It scans the person’s smartphone for a range of threats, and offers advice on how to fix any problems it finds. The app has some key strengths.

Most importantly, it targets citizens individually, delivering advice from a trustworthy authority directly to their pockets. This does not require people to search for information online and then figure out which web source to trust.

Posted in: AI, Cybercrime, Cybersecurity, Healthcare, Insurance Law, Social Media