Pete Recommends Weekly highlights on cyber security issues April 18, 2020

Subject: Apple, Google to harness phones for virus infection tracking
Source: A.P. via WHYY
https://whyy.org/articles/apple-google-to-harness-phones-for-virus-infection-tracking/

Apple and Google launched a major joint effort to leverage smartphone technology to contain the COVID-19 pandemic. New software the companies plan to add to phones would make it easier to use Bluetooth wireless technology to track down people who may have been infected by coronavirus carriers. The idea is to help national or regional governments roll out apps for so-called “contact tracing” that will run on iPhones and Android phones alike.

The technology works by harnessing short-range Bluetooth signals. Using the Apple-Google technology, contact-tracing apps would gather a record of other phones with which they came into close proximity. Such data can be used to alert others who might have been infected by known carriers of the novel coronavirus, although only in cases where the phones’ owners have installed the apps and agreed to share data with public-health authorities.

Software developers have already created such apps in countries including Singapore and China to try to contain the pandemic. In Europe, the Czech Republic says it will release such an app after Easter. Britain, Germany and Italy are also developing their own tracing tools.

Privacy and civil liberties activists have warned that such apps need to be designed so governments cannot abuse them to track their citizens. Apple and Google said in a rare joint announcement that user privacy and security are baked into the design of their plan.

Li suggested that Bluetooth signal tracking protects privacy better than the use of other options such as GPS or cell-tower based location data, which would allow centralized authorities access to the information. But it could still lead to numerous mistaken alerts, she said — for instance, if someone was in full protective gear or in an adjacent apartment while physically close to an infected person.

Security experts note that technology alone cannot effectively track down and identify people who may have been infected by COVID-19 carriers. Such efforts will require other tools and teams of public health care workers to locate people in the physical world, they say. In South Korea and China, such efforts have included the use of credit-card and public-transit records.

https://whyy.org/coronavirus


Subject: COVID-19 needs some big-picture thinking (PGN)
Source: The RISKS Digest Volume 31 Issue 67
https://catless.ncl.ac.uk/Risks/31/67/#subj1.1

“Peter G. Neumann” <[email protected]> Sat, 11 Apr 2020 11:26:27 PDT. Overall, COVID-19 is eventually going to offer us many lessons in retrospect, if we are paying enough attention. Advanced planning for realistic scenarios has often been eschewed. There are divergent models with incomparable assumptions, not enough testing, not enough equipment and personnel, disrespect and disregard for science and clear evidence, and much more. But some increased predictability is emerging, and sheltering in place seems to be ‘flattening the curve’. Above all, centralized leadership is critical. Ultimately, we need to consider this crossroads as an opportunity for our civilization to reflect on what must change in the future, particularly regarding health care and long-term instead of short-term optimization. However, hucksters are trying to capitalize on fear, with new creative forms of fraud and deception. Misinformation abounds. This morning’s news includes an item on the risks of misinformation that is also relevant. A front-page article by Adam Satariano and Davey Alba, Britons Set Fire to Cell Towers, Driven by False Theory on Virus. in *The New York Times* today is relevant here, which “some government officials call an Internet Conspiracy Theory” that links 5G emanations with increased susceptibility to COVID-19. This has resulted in the UK in more than 30 acts of arson and vandalism against wireless towers. “In roughly 80 other episodes in other countries, telecom technicians have been harassed on the job.” Misinformation is also becoming viral, and evidently pandemic as well.

These are stressful times, but I seem to be stepping up the frequency of RISKS issues, rather than getting way behind and playing catch-up with huge issues.  This will keep the issues more timely, as things are changing rapidly.  RISKS remains an open forum for discourse, so we welcome constructive criticism and always value corrections.

End of my own rant for now.  I have other things to do.  PGN


Subject: Tips and tricks for grocery shopping online during the coronavirus pandemic
Source: Reviewed via Yahoo
https://news.yahoo.com/tips-tricks-grocery-shopping-online-191639070.html

To adhere to social distancing and avoid contracting coronavirus, there has been a subsequent boom in online grocery shopping. With fewer delivery time slots available—leaving some people waiting up to two weeks for orders—and fewer items actually available in stores, shoppers are frustrated with the grocery bounties (or lack thereof) that they receive. Additionally, some Instacart users are even claiming that their groceries are being stolen and many are receiving orders that are canceled, incomplete, or arrive later than expected, which leaves many of us wondering whether or not it might be better to brave the stores.

Although going to the grocery store might not be possible for everyone (those watching the kids or those unable to leave the house, for instance), there are a few tips and tricks to successfully shop for groceries online. From ordering at the right time to picking the right service, these are the best ways to assure your grocery haul comes at a reasonable time and is as close to what you ordered as possible during the coronavirus pandemic.


Subject: Zoom to stop routing free calls through China, give paid users control
Source: Business Insider
https://www.businessinsider.com/zoom-data-routing-control-china-servers-2020-4

  • Zoom recently admitted that some video calls via its app were “mistakenly” routed through China, even for users outside the country.
  • Now Zoom has announced an update coming April 18, that will give paid users control over which data center regions their meetings will be routed through.
  • As for those who don’t pay for Zoom, the company says that “data of free users outside of China will never be routed through China.”
  • Zoom CEO Eric Yuan has said that the mistake was made because the company was scrambling to keep pace with its heightened demand, and didn’t follow its usual “best practices” in enforcing its policies around how calls get routed.
  • In an interview with Business Insider on Friday, before the update was announced, Yuan said the company wants to prevent this type of mistake from ever happening again.

With the update, users will know which region their meeting data is routed through. Free users won’t be able to choose to switch locations; they will by default be assigned to the region they’re based in. Paid users can opt in or out of regions, except their default region. Zoom’s data centers are grouped by these regions: the United States, Canada, Europe, India, Australia, China, Latin America, and Japan/Hong Kong.


Subject: Hundreds of new shady websites are pushing chloroquine scams: report
Source: Business Insider
https://www.businessinsider.com/shady-phishing-websites-pushing-hydroxychloroquine-chloroquine-scams-report-2020-4

  • Scammers are creating hundreds of shady websites to trick people searching for information about certain drugs with shaky links to COVID-19 treatment, according to a new report.
  • President Trump has repeatedly promoted antimalarial drugs chloroquine and hydroxychloroquine as coronavirus treatments, but scientists say it’s too soon to tell whether the treatment works.
  • Researchers found many scam websites created in recent weeks that aim to capitalize on people’s interest in the drugs and trick them into spending money or handing over personal information.

Scientists say there isn’t enough evidence to show that the drugs, which can have serious side effects, could treat or prevent COVID-19. But that hasn’t stopped the president’s remarks from gaining traction with people desperate for potential coronavirus treatments.

Researchers with security rating service NormShield have identified at least 362 new websites pushing questionable coronavirus drugs that have appeared since January. The vast majority of them mention hydroxychloroquine or chloroquine, while others mention Remdesivir, a potential coronavirus treatment still in early testing.


Subject: Half of Americans decided not to use something over privacy concerns in past year
Source: Pew Research Center
https://www.pewresearch.org/fact-tank/2020/04/14/half-of-americans-have-decided-not-to-use-a-product-or-service-because-of-privacy-concerns/

At a time when many Americans believe their personal information is less secure and are concerned with how companies and the government use their personal data, a substantial share of the public has opted out of using a product or service because of privacy concerns, according to a Pew Research Center survey conducted June 3-17, 2019.

About half (52%) of U.S. adults said they decided recently not to use a product or service because they were worried about how much personal information would be collected about them.

As far as the reasons for not using these things, the most cited concern was that they must share personal information (15%) in order to get access to the product or service. The second largest concern was that the product or service is untrustworthy (9%). A similar share (8%) cited surveillance as a concern. Smaller shares mentioned concerns such as giving payment information, potential third-party involvement and the risk of spam.


Subject: How to Cover Your Tracks Every Time You Go Online
Source: Wired via beSpacific
https://www.bespacific.com/how-to-cover-your-tracks-every-time-you-go-online/

Wired – Online tracking can often feel downright invasive. From using VPNs to clearing browser histories, we’ve got your back. “Venture online nowadays and your presence is immediately logged and tracked in all manner of ways. Sometimes this can be helpful—like when you want to see new movies similar to ones you’ve watched in the past—but very often it feels invasive and difficult to control. Here we’re going to show you how to cover some of those tracks, or not to leave any in the first place. This isn’t quite the same as going completely invisible online or encrypting every single thing you do. But it should help you sweep up most records of your online activity that you’d rather disappear…”


Subject: Sharing Senior Photos On Social Media Enables Data Mining, Better Business Bureau Warns
Source: CBS Pittsburgh
https://pittsburgh.cbslocal.com/2020/04/15/sharing-senior-photos-on-social-media-enables-data-mining-better-business-bureau-warns/

(CBS Local) — A tribute to high school seniors who are missing the traditional send-offs due to coronavirus shelter-in-place orders has set off alarm bells from the Better Business Bureau. People who wanted to show support for this year’s class of graduates of all ages recently began participating in the #Classof2020 Facebook challenge, sharing photos of their senior year with their high school name and graduation year. But the BBB says scammers can use that information to answer common online security questions. “All it takes is an internet search to reveal more information about you, such as family members, your real name, birthdate or even where you live,” the BBB warned in a blog post on Monday…. The BBB urges consumers to follow these tips to stay safe on social media…


Subject: Guidance on the Essential Critical Infrastructure Workforce
Source: DHS CISA
https://www.cisa.gov/publication/guidance-essential-critical-infrastructure-workforce


Guidance on the Essential Critical Infrastructure Workforce
March 28, 2020

MEMORANDUM ON IDENTIFICATION OF ESSENTIAL CRITICAL INFRASTRUCTURE WORKERS DURING COVID-19 RESPONSE

FROM: Christopher C. Krebs, Director – Cybersecurity and Infrastructure Security Agency (CISA)

This list is advisory in nature. It is not, nor should it be considered, a federal directive or standard. Additionally, this advisory list is not intended to be the exclusive list of critical infrastructure sectors, workers, and functions that should continue during the COVID-19 response across all jurisdictions. Individual jurisdictions should add or subtract essential workforce categories based on their own requirements and discretion.  

Attachment: “Guidance on the Essential Critical Infrastructure Workforce: Ensuring Community and National Resilience in COVID-19 Response Version 2.0”

THE IMPORTANCE OF ESSENTIAL CRITICAL INFRASTRUCTURE WORKERS

CONSIDERATIONS FOR GOVERNMENT AND BUSINESS

IDENTIFYING ESSENTIAL CRITICAL INFRASTRUCTURE WORKERS

HEALTHCARE / PUBLIC HEALTH

LAW ENFORCEMENT, PUBLIC SAFETY, AND OTHER FIRST RESPONDERS

FOOD AND AGRICULTURE

ENERGY

WATER AND WASTEWATER

TRANSPORTATION AND LOGISTICS

PUBLIC WORKS AND INFRASTRUCTURE SUPPORT SERVICES

COMMUNICATIONS AND INFORMATION TECHNOLOGY

OTHER COMMUNITY- OR GOVERNMENT-BASED OPERATIONS AND ESSENTIAL FUNCTIONS

CRITICAL MANUFACTURING

HAZARDOUS MATERIALS

FINANCIAL SERVICES

CHEMICAL

DEFENSE INDUSTRIAL BASE

COMMERCIAL FACILITIES

RESIDENTIAL/SHELTER FACILITIES AND SERVICES 

HYGIENE PRODUCTS AND SERVICES



“…Privacy and data protection issues vary greatly depending on the types of data, use cases, and actors involved. And countries around the world have very different baselines and practices in place determining how such rights are protected. European law puts forth the strongest legal protections that also govern the processing of personal data used to fight COVID-19. The European Data Protection Board recently clarified how the EU General Data Protection Regulation and other data protection laws apply to the current situation. With respect to mobile phone data, the ePrivacy Directive requires that such data be anonymized or only shared with the consent of the individual, unless member states introduce specific emergency legislation. Such emergency measures have to put in place adequate safeguards and accountability mechanisms. In the U.S., protections are unfortunately much less robust, given a patchwork of laws that leave open massive privacy gaps. The use of consumer data in the U.S. is largely governed by the privacy policies of the various service providers, affording only limited privacy protections, as the past few decades have taught us the hard way. In my view, the current crisis further demonstrates the urgent need for comprehensive federal privacy legislation…”–

beSpacific Subjects: Civil Liberties, EU Data Protection, Health Care, Internet, Knowledge Management, Legal Research, Legislation, Privacy

Bonus RSS sample: https://today.law.harvard.edu/topic/ethics/feed/
