Pete Recommends Weekly highlights on cyber security issues March 8, 2020

Subject: Apple Bans Clearview App From Its Store
Source: BuzzFeed via Gizmodo
https://gizmodo.com/apple-disables-clearview-ais-app-accusing-the-face-rec-1841982899

Embattled face recognition startup Clearview AI is topping off a week of intense scrutiny over its nebulous law enforcement partnerships with an even bigger dose of bad news: Apple has reportedly disabled the iOS version of Clearview’s app citing violations of its developer program.BuzzFeed first reported the news, saying Apple took action after learning the Clearview had sidestepped the Apple App Store and encouraged its clients to download a version of its iOS app reserved exclusively for developers; a violation of the terms of service for Apple’s Enterprise Developer Program.

Clearview has become the focus of controversy in recent weeks following a New York Times exposé that laid bear the firm’s questionable data collection practices. Clearview has reportedly scraped some three billion images off the internet to feed its face recognition tech, in many cases violating the policies of other companies such as Facebook and YouTube, which prohibit scraping and are now threatening legal action.

As BuzzFeed notes, Apple has previously suspended other companies for violating the developer program’s guidelines, including both Facebook and Google.

RSS: https://gizmodo.com/tag/surveillance-tech/rss

see also: https://gizmodo.com/c/privacy-and-security


Subject: For Small County Governments, Tackling Cybersecurity Basics Can Go a Long Way
Source: Route Fifty
https://www.routefifty.com/tech-data/2020/02/small-county-governments-tackling-cybersecurity-basics-can-go-long-way/163414/

To a small county with limited resources, it may sound intimidating to overhaul and adopt new cybersecurity standards.But if county officials begin by taking small steps to improve their government’s overall cyberhygiene – such as using secure passwords and training employees on cyber threats – they may be surprised how quickly they fall in line with industry best practices.

Cybersecurity experts shared tips on how local governments could apply the National Institute of Standards and Technology’s cybersecurity framework to their networks on Friday at a panel discussion at the National Association of Counties legislative conference in Washington, D.C.

Ensuring that county information technology officials have a working relationship with those overseeing the budget can be critical to ensuring cybersecurity efforts receive sufficient funding, said Barry Condrey, the chief information officer for Chesterfield County, Virginia.

filed


Subject: NIST tests law-enforcement’s phone-hacking tools
Source: GCN
https://gcn.com/articles/2020/02/28/nist-phone-forensics.aspx

Two methods criminal investigators use to extract data from damaged smartphones have both proved effective, researchers at the National Institute of Standards and Technology’s Software Quality Group say.

Over the course of a year, they tested two techniques — JTAG and chip-off — for accessing data on 10 Android-based smartphones and put then data through eight forensics software programs to interpret the data and determine whether the mobile forensics tools did a better job with the data than traditional methods.

In the end, both methods extracted the mobile data without altering it.  “The one thing that we did find are the mobile tools did a much better job of categorizing the data that was contained on the device … into text messages, contacts, call logs, social media-related data, third-party apps, calendar and things like that,” said Rick Ayers, project lead.  “[With] a traditional forensics tool, you had to really dig down a little big deeper. It presents you with more of a file system view, like if you were to open up Finder or Explorer in [Microsoft] Windows.”

The research, which is in the quality assurance phase, was funded by NIST and the Department of Homeland Security’s Cyber Forensics Project.

see also: https://www.dhs.gov/science-and-technology/forensics


Subject: Week in review: Attackers probing for vulnerable Exchange servers, RSA Conference 2020 coverage
Source: Help New Security
https://www.helpnetsecurity.com/2020/03/01/week-in-review-attackers-probing-for-vulnerable-exchange-servers-rsa-conference-2020-coverage/

Another source for a weekly SECURITY summary: https://www.helpnetsecurity.com/2020/03/01/week-in-review-attackers-probing-for-vulnerable-exchange-servers-rsa-conference-2020-coverage/

Here’s an overview of some of last week’s most interesting news and articles:…

see also: https://www.helpnetsecurity.com/author/helpnet/

RSS: https://www.helpnetsecurity.com/author/helpnet/feed/


Subject: You’re about to be scammed
Source: Soft Maker
https://www.softmaker.com/en/blog/bytes-and-beyond/you-are-about-to-be-scammed

Online criminals are targeting hospitals, government agencies and companies with cruel extortion schemes. The attackers stealthily encrypt the files of their victims and demand large sums of money for returning a decryption key to recover the data.Most of these schemes start with a scam e-mail. Current targeted spam e-mails can be fiendishly clever, inserting themselves into legitimate conversations and business transactions to cause maximum damage. To protect yourself against such scams, you have to stay one step ahead of the attackers’ game.

Signs that you’re being scammed

filed under https://www.softmaker.com/en/blog/bytes-and-beyond

RSS: https://www.softmaker.com/en/blog/bytes-and-beyond?format=feed&type=rss


Subject: Google Chrome ToS [Terms of Service]
Source: Google Chrome Privacy EULA
https://www.google.com/chrome/privacy/eula_text.html

We’re updating the terms of service for Chrome on March 31, 2020. The new terms will include Google’s Terms of Service and the Google Chrome and Chrome OS additional terms of service. Until then, the terms below continue to apply. See a summary of the key changes for more details.

If you don’t agree to our new Terms, you can find more information about your options in our Frequently Asked Questions.

Google Chrome Terms of Service

These Terms of Service apply to the executable code version of Google Chrome. Source code for Google Chrome is available free of charge under open source software license agreements at https://code.google.com/chromium/terms.html.


Subject: How to Dox Yourself on the Internet
Source: NYT via beSpacific
https://www.bespacific.com/how-to-dox-yourself-on-the-internet/

The NYT Open Team – A step-by-step guide to finding and removing your personal information from the internet. “No one wants their home address on the internet. That is personal information we typically only give out to friends, family and maybe our favorite online stores. Yet, for many of us, that information is available and accessible to anyone with an internet connection. And increasingly for journalists, public figures and activists, this kind of information is dug up and posted to online forums as a form of harassment, or doxxing. Doxxing (also sometimes called “doxing”) is a low-level tactic with a high-impact outcome: it often does not require much time or many resources, but it can cause significant damage to the person targeted. Once sensitive information — such as home address, phone number, names of family members or email addresses — about a targeted individual is posted to public forums, it can be used by others for further targeting…When our team begins looking into the personal information that is available online for a colleague, we think like doxxers and use some of the same readily available online resources that doxxers may use to surface personal information…” [h/t Barclay Walsh]

beSpacific Subjects: Civil Liberties, Internet, Knowledge Management, Legal Research, Privacy, Social Media

NB

(1) We are now publicly releasing the content of this program for anyone to access. We think it is important for freelancers, activists, other newsrooms or people who want to take control of their own security online.

(2) NYT OPEN articles: https://open.nytimes.com/

RSS: https://open.nytimes.com/feed


Subject: 5 years of Intel CPUs and chipsets have a concerning flaw that’s unfixable
Source: Ars Technica
https://arstechnica.com/information-technology/2020/03/5-years-of-intel-cpus-and-chipsets-have-a-concerning-flaw-thats-unfixable/Converged Security and Management Engine flaw may jeopardize Intel’s root of trust.

Virtually all Intel chips released in the past five years contain an unfixable flaw that may allow sophisticated attackers to defeat a host of security measures built into the silicon. While Intel has issued patches to lessen the damage of exploits and make them harder, security firm Positive Technologies said the mitigations may not be enough to fully protect systems.The flaw resides in the Converged Security and Management Engine, a subsystem inside Intel CPUs and chipsets that’s roughly analogous to AMD’s Platform Security Processor. Often abbreviated as CSME, this feature implements the firmware-based Trusted Platform Module used for silicon-based encryption, authentication of UEFI BIOS firmware, Microsoft System Guard and BitLocker, and other security features. The bug stems from the failure of the input-output memory management unit—which provides protection preventing the malicious modification of static random-access memory—to implement early enough in the firmware boot process. That failure creates a window of opportunity for other chip components, such as the Integrated Sensor Hub, to execute malicious code that runs very early in the boot process with the highest of system privileges.

Jeopardizing Intel’s root of trust

Because the flaw resides in the CSME mask ROM, a piece of silicon that boots the very first piece of CSME firmware, the vulnerability can’t be patched with a firmware update.

site RSS feed:

http://feeds.arstechnica.com/arstechnica/index/


Subject: Putin says Russia targeted from abroad by fake news on coronavirus
Source: Reuters via Yahoo
https://news.yahoo.com/putin-says-fake-coronavirus-news-110700861.html

MOSCOW (Reuters) – Russia has been targeted from abroad by foes spreading fake news about the coronavirus to sow panic, President Vladimir Putin said on Wednesday.Putin’s remarks came as Russia’s communications regulator said it had shut down access to some social media posts containing falsehoods about the virus outbreak.

“The Federal Security Service reports that they (the fakes) are mainly being organized from abroad. But unfortunately this always happens to us,” Putin said on Wednesday, in televised remarks at a government meeting. “The purpose of such fakes is clear: to sow panic among the population.”

A Russian cyber security company, Group-IB, on Monday identified what it said were thousands of fake news posts on messaging services and social networks such as Russia’s VK alleging that thousands of Muscovites have caught the virus.


Subject: Robo lawyer will sue organizations that will not delete your personal info
Source:  Fortune via beSpacific
Fortune: “In January, a new law gave consumers the power to stop companies collecting their personal information. The law, known as the California Consumer Privacy Act (or the CCPA), can be a powerful tool for privacy, but it comes with a catch: Consumers who want to exercise their CCPA rights must contact every data broker individually, and there are more than a hundred of them. But now they have an easier option. On Thursday March 5, 2020, a startup called DoNotPay unveiled a service it calls Digital Health that automates the data-deletion process. Priced at $3 a month, the service will contact more than 100 data brokers on your behalf and demand they delete your and your family’s personal information. It will also show you the types of data the brokers have collected—such as phone number or location info—and even initiate legal proceedings if the firms fail to comply. The monthly fee also gives subscribers access to DoNotPay’s other automated avenging services, like appealing parking tickets in any city, claiming compensation for poor in-flight Wi-Fi, and Robo Revenge, which sues robocallers…”
Note – please be sure to read the Terms of Service and Privacy Policy
Posted in: AI, Business Research, Competitive Intelligence, Cybersecurity, KM, Privacy, Search Engines, Social Media, Technology Trends