Pete Recommends – Weekly highlights on cyber security issues May 11, 2019

Subject: The Challenges of Implanted Cardiac Device Security
Source: Eurospace via Medscape
https://www.medscape.com/viewarticle/911954?src=wnl_edit_tpal&uac=72389PN&impID=1954536&faf=1
Abstract and Introduction – Implanted cardiac devices, primarily consisting of implantable cardioverter-defibrillators (ICDs), pacemakers, and implantable loop recorders, are capable of recording physiological signals from the body that may provide health status and numerous other information about habits. Never in history has this amount of physiological and cardiac data been generated and recorded regarding humans and their behaviours through these implanted devices, and as these devices become increasingly inexpensive and indications for use increase, this generated data will be a valuable source for research, monitoring, and potential commercial use. Additionally, more lives are dependent on the proper functioning of the devices, as they also become more connected with remote access and possible re-programming of functionality. With the functionality and data stores, the techniques for securing information and protecting patient privacy must be continuously and expertly maintained, as a single point of compromise, whether on the device itself, through its communication protocols, or in online storage, may affect all patients and users of the devices.

Subject: ‘One ring’ robocalls: FCC warns users not to call them back
Source: USA Today
https://www.usatoday.com/story/tech/talkingtech/2019/05/03/one-ring-robocalls-fcc-warns-users-not-call-them-back/3661967002/

That late-night telephone call you just got that amounted to one ring – don’t call back. The Federal Communications Commission has issued an alert to consumers about a new wave of “One Ring” robocalls after “widespread overnight calling” in the states of New York and Arizona.

These recent “One Ring” calls attempt to bait consumers into calling the number back, which can result in you being billed toll charges as if you called a 900 number. The calls are also known as “Wangiri” – the term means “one ring and done” in Japanese, so labelled after the scam originated there years ago. Robocallers typically call specific area codes repeatedly, often late at night. The latest wave of calls, the FCC says, are using the “222” country code of the West African nation of Mauritania. “This is a concerning trend and consumers should not call back if they receive such calls,” deputy press secretary Will Wiquist said.

Beyond not calling back the numbers, the FCC has other consumer tips…


Subject: Cybersecurity: Legislation and Hearings, 115th-116th Congresses
Source: EveryCRSReport.com
https://www.everycrsreport.com/reports/R43317.html

July 15, 2015 – May 2, 2019
Most major cybersecurity legislative provisions were enacted prior to 2002, despite many recommendations having been made over the past decade. More recently, in the 115th and 116th Congresses, cybersecurity legislation has received either committee or floor action or final passage, and both chambers have held multiple hearings.

In the 116th Congress, a number of House and Senate bills have received consideration, and hearings have been held by committees in each chamber.

In the 115th Congress, 31 bills received some type of action (committee consideration or passage by one or both chambers). Five bills became public law. The House held 54 hearings on cybersecurity issues and the Senate held 40 hearings.

Cybersecurity: Legislation and Hearings, 115th-116th Congresses

Contents:

Tables


Subject: A New Era of Warfare Begins as Cyberattack Leads to Airstrikes
Source: Gizmodo
https://gizmodo.com/a-new-era-of-warfare-begins-as-cyberattack-leads-to-air-1834556908

For the first time ever, a government announced publicly that it had used immediate lethal physical force in response to a cyberattack.

Israeli military officials announced on Sunday that it launched air strikes to respond to an alleged “Hamas cyber offensive against Israeli targets.”

The exchange came amid a flurry of deadly violence between Israel and Palestinian groups in Gaza that left at least 23 Palestinians and four Israelis dead, CNN reported. The fighting began when Hamas and Islamic Jihad, two Gaza militant groups, fired around 600 projectiles into Israel over the weekend. On Monday, a cease-fire was reached after being brokered by Egypt and the United Nations.

The Israel Defense Force used the incident as an opportunity to grab the spotlight on Twitter: “HamasCyberHQ.exe has been removed.”

“Hamas no longer has cyber capabilities after our strike,” IDF spokesperson Ronen Manelis told reporters, according to the Times of Israel.

Earlier this year, the Russian cybersecurity company Kaspersky spotlighted a stable of Gaza-based hacking groups. Similar campaigns have been known for years and some have been linked by researchers to Hamas. But it’s not clear who was on the receiving end of this week’s attack by Israel nor if any casualties were incurred as a result of this particular incident.

Israel’s claim is noteworthy because it brings into reality a scenario that many experts have long predicted: The use of immediate and near real-time physical force to respond to a cyberattack.

filed under Privacy and Security


Subject: Parental Advisory: Dating Apps
Source: FTC Blog –  Consumer Information
https://www.consumer.ftc.gov/blog/2019/05/parental-advisory-dating-apps

Parents be warned: some dating apps – like FastMeet, Meet24 and Meet4U – allow adults to find and communicate with children. Concerned parents should remove these apps if they’re on children’s devices. You also can set your kids’ devices so they must get parental approval before purchasing any new apps. Here are a few more things you should know.

FastMeet, Meet24 and Meet4U let children create public dating profiles. So, adults can use these apps to connect with children. If that’s not scary enough, the apps collect users’ real-time location data. In other words, adults – including sexual predators – can search by age and location to identify children nearby.

The FTC recently issued a warning letter to Wildec, LLC, the Ukraine-based maker of the three apps, because the company appears to be violating both the Children’s Online Privacy Protection Act (COPPA) and the FTC Act. COPPA requires app providers to give notice and get consent from parents before collecting or sharing any personal information about children under age 13, and the FTC Act prohibits unfair acts or practices. As the FTC’s letter states, “the ability to identify and communicate with children – even those over age 13 – poses a significant risk to children’s health and safety.”

Tagged with: app, COPPA, kids, online dating, parental control, parents, young kids

Blog Topics:
Privacy, Identity & Online Security, Protecting Kids Online


Subject: New Rules On E-Evidence Could Streamline Criminal Investigations in the EU
Source:  Center for Data Innovation via beSpacific
https://www.bespacific.com/new-rules-on-e-evidence-could-streamline-criminal-investigations-in-the-eu/

Center for Data Innovation – “Law enforcement authorities have a problem: Evidence from crimes is often digital, such as emails or documents in the cloud, but investigators cannot easily access data stored in another country. While this issue is global, it is particularly acute within the EU. According to the European Commission, nearly two-thirds of crimes involving e-evidence held in another member state cannot be properly investigated because of lengthy delays by which time the evidence may be destroyed. To address this problem, the European Union should adopt new rules to streamline the process for obtaining and preserving e-evidence within its territory. While the European Commission has made an initial proposal on reforming the rules for e-evidence, the proposal has largely missed the mark by making the process more cumbersome for companies and shifting the burden of vetting requests to the private sector. In addition, the proposed rules threaten high fines—up to 2 percent of their global turnover—for compliance violations, which will make companies focus more on avoiding penalties rather than working cooperatively with investigators.

beSpacific Subjects: E-Mail, E-Records, Economy, Financial System, Government Documents, Legal Research

beSpacific RSS sample category feed: https://www.bespacific.com/category/e-records/feed/

RSS feed for CfDI: https://www.datainnovation.org/feed/


Subject: Verizon, T-Mobile, Sprint, and AT&T Hit With Class Action Lawsuit Over Selling Customers’ Location Data
Source: Motherboard
https://motherboard.vice.com/en_us/article/3k3dv3/verizon-tmobile-sprint-att-class-action-lawsuit-selling-phone-location-data

On Thursday, lawyers filed lawsuits against four of the country’s major telecommunications companies for their role in various location data scandals uncovered by Motherboard, Senator Ron Wyden, and The New York Times. Bloomberg Law was first to report the lawsuits.

The news provides the first instance of individual telco customers pushing to be awarded damages after Motherboard revealed in January that AT&T, T-Mobile, and Sprint had all sold access to the real-time location of their customers’ phones to a network of middlemen companies, before ending up in the hands of bounty hunters. Motherboard previously paid a source $300 to successfully geolocate a T-Mobile phone through this supply chain of data.

“Through its negligent and deliberate acts, including inexplicable failures to follow its own Privacy Policy, T-Mobile permitted access to Plaintiffs and Class Members’ CPI and CPNI,” the complaint against T-Mobile reads, referring to “confidential proprietary information” and “customer proprietary network information,” the latter of which includes location data.

The thrust of the complaints center around whether each telco violated section 222 of the Federal Communications Act (FCA), which says that the companies are obligated to protect the CPI and CPNI of its customers, and whether the Plaintiff’s and Class Members’ CPNI was accessible to unauthorized third parties during the relevant period.

After Motherboard’s January investigation, 15 Senators called for the Federal Communications Commission (FCC) and the Federal Trade Commission (FTC) to properly investigate the sale of phone location data to bounty hunters. The House Committee on Energy and Commerce asked FCC Chairman Ajit Pai to hold an emergency briefing on the issue; Pai refused.

Tagged:


Subject: Scammers Exploit Home Rental Listings With ‘Let Yourself In’ Link
Source: Slashdot
https://yro.slashdot.org/story/19/05/04/058217/scammers-exploit-home-rental-listings-with-let-yourself-in-link

“American Homes For Rent is a publicly traded company that owns more than 50,000 properties,” writes Slashdot reader McGruber — calling our attention to a glaring security error. “Its website has a tab on its listings that says ‘Let Yourself In.’ If you click it, you are taken to Rently.com, a website that sells the lockbox codes to anyone for only $0.99.” And those lockboxes contain a key to the vacant home being advertised.

But what’s to stop a scammer from pretending that they’re the home-owner, and then sending you the code for that same lockbox so you can tour “their” home — before they then ask you to wire a deposit?

Ciarra McConnell was one of the scam’s “several” unsuspecting victims, reports CBS46 in Atlanta: “The lockbox is what made it seem legitimate, and he gave me the key,” said Ciarra. Once she got the key, the scammer emailed a phony lease. Ciarra then wired a $1,900 deposit and moved in. The next morning an American Homes For Rent employee was at her door. “They were just like yup, nope sorry we can’t do anything for you but you need to get out,” she explained.

The scammers post duplicates of real home listings on Craigslist — and then ask to be paid through a bitcoin ATM.


Subject: Scammers Exploit Home Rental Listings With ‘Let Yourself In’ Link
Source: Slashdot
https://yro.slashdot.org/story/19/05/04/058217/scammers-exploit-home-rental-listings-with-let-yourself-in-link

“American Homes For Rent is a publicly traded company that owns more than 50,000 properties,” writes Slashdot reader McGruber — calling our attention to a glaring security error. “Its website has a tab on its listings that says ‘Let Yourself In.’ If you click it, you are taken to Rently.com, a website that sells the lockbox codes to anyone for only $0.99.” And those lockboxes contain a key to the vacant home being advertised.

But what’s to stop a scammer from pretending that they’re the home-owner, and then sending you the code for that same lockbox so you can tour “their” home — before they then ask you to wire a deposit?

Ciarra McConnell was one of the scam’s “several” unsuspecting victims, reports CBS46 in Atlanta: “The lockbox is what made it seem legitimate, and he gave me the key,” said Ciarra. Once she got the key, the scammer emailed a phony lease. Ciarra then wired a $1,900 deposit and moved in. The next morning an American Homes For Rent employee was at her door. “They were just like yup, nope sorry we can’t do anything for you but you need to get out,” she explained.

The scammers post duplicates of real home listings on Craigslist — and then ask to be paid through a bitcoin ATM.


Source: Reuters
Subject: Special teams at U.S. universities try to identify students at risk of violence
https://www.reuters.com/article/us-north-carolina-shooting-universities-idUSKCN1SC0RP

Last week’s shooting at the University of North Carolina at Charlotte that killed two students and wounded four was just the kind of tragedy a team of officials at the school was trying to prevent.

UNC Charlotte has a behavioral intervention team (BIT) tasked with reviewing reports about troubled students and intervening to prevent harm to themselves or others. Similar teams meet regularly at hundreds of other U.S. universities.

U.S. law enforcement has cited the growing use of such teams, which bring together officials from different branches of a campus to compare notes on troubled students with the aim of spotting signs of potential violence, as a key strategy to prevent mass shootings.

Last year, the U.S. Secret Service recommended schools set up threat assessment teams to meet regularly to discuss potentially troubled students. The gun control group Everytown for Gun Safety has echoed that call


Subject: Chinese spies stole NSA hacking tools, report finds
Source: NY Times via CNNPolitics
https://www.cnn.com/2019/05/07/politics/china-nsa-hacking/index.html

New York (CNN): Chinese hackers acquired and used National Security Agency hacking tools in 2016 and used them to carry out cyberattacks, a new report has found.

In the report, the cybersecurity company Symantec claims that a Chinese hacker group associated with Chinese government intelligence conducted a hacking campaign using a tool that at the time was only known to be the property of the NSA.

Though Symantec doesn’t name particular agencies in its report, the Chinese group in question was an arm of China’s Ministry of State Security in Guangzhou, which went dark after the US Department of Justice indicted three of its members in November 2017.

The findings muddy the timeline of an already strange episode in the NSA’s recent history. In 2016, a group calling itself Shadow Brokers appeared online in 2016 and began leaking the agency’s tools.

Last week, the Pentagon published a report which alleged that China is using espionage to steal cutting edge technology for military purposes.

Posted in: Computer Security, Congress, Cybercrime, Cybersecurity, Government Resources, Internet Dating, Legislative, Privacy
CLOSE
CLOSE