Pete Recommends Weekly highlights on cyber security issues May 16, 2020

Subject: Zoom bolsters policy and engineering teams as it courts government
Source: fedscoop

Zoom added to its government-relations leadership and acquired an encryption company this week, as it continues to address cybersecurity issues that have caught the attention of federal agencies and lawmakers.

Seven agencies currently use the government platform: the Centers for Disease Control and Prevention, Corporation for National and Community Service, Customs and Border Protection, Department of Agriculture, Department of Health and Human Services, Department of Homeland Security, and United States Forest Service.

But adding end-to-end encryption could help. E2EE is particularly desirable for government uses, with Cisco Webex, Signal, Skype for Business, and Wickr among the applications that offer such security.

Keybase’s team will help create a new E2EE solution where logged-in, paying users generate public cryptographic identities stored in a network repository. Meeting hosts will generate an ephemeral, per-meeting symmetric key distributed between clients.

Zoom plans to publish a detailed draft cryptographic design on May 22 that, along with its new policy hires, will factor into the company’s 90-day plan for strengthening security and government trust.

Subject: Millions of products have been 3D printed for the coronavirus pandemic – but they bring risks
Source: GCN

With the COVID-19 pandemic, an urgent need has risen worldwide for specialised health and medical products. In a scramble to meet demand, “makers” in Australia and internationally have turned to 3D printing to address shortfalls.

The global supply chain for these vital products has been disrupted by widespread lockdowns and reduced travel. Now, 3D printing is proving a more nimble and adaptable manufacturing method. Unfortunately, it’s also less suited to producing large numbers of items, and there are unanswered questions about safety and quality control.

Many designs are freely shared online through platforms such as the NIH 3D Print Exchange. This US-based 3D printing community recently partnered with the Food and Drug Administration (FDA) and the Department of Veterans Affairs, to assist with validating designs uploaded by the community. So far, 18 3D-printable products have been approved for clinical use (although this is not the same as FDA approval).

Opportunity vs risk

But despite the good intent behind most 3D printing, there are complications.

Do these opportunities outweigh the risks of unregulated, untested products being used in critical health care situations? For instance, if the SARS-CoV-2 virus can survive two to three days on plastic surfaces, it’s theoretically possible for an infected maker to transfer the virus to someone else via a 3D-printed product.

Subject: Protecting Privileged Identities In A Post-COVID-19 World
Source: Forbes

Securing Infrastructure Needs To Come First

Improving customer experiences needs to be at the center of any digital transformation effort. As every business digitally transforms itself to survive and grow in a post-COVID-19 world out of necessity, they must also improve how they secure access to their cloud and on-premises infrastructure. Legacy PAM was designed for a time when all privileged access was constrained to resources inside the network, accessed by humans, using shared/root accounts.

Legacy PAM was not designed for cloud environments, DevOps, containers, or microservices. Furthermore, privileged access requesters are no longer limited to just humans, but also include machines, services, and APIs.

Privileged access requesters need greater agility, adaptability, and speed to support DevOps’ growing roadmap of self-service and increasingly safer apps and platforms. While privileged identities must be protected, DevOps teams need as much agility and speed as possible to innovate at the rapidly changing pace of how customers choose to buy in a post-COVID-19 world.

Subject: How to Set Your Facebook, Twitter, and Instagram to Control Who Sees What
Source: WIRED

Pick who sees your tweets, Facebook posts, and Instagram stories—and choose what you want to see, too.

Social media can bring us together, and even distract us sometimes from our troubles—but it also can expose us to scammers, hackers, and…less than pleasant experiences.

Don’t panic though: you can keep the balance towards the positive with just a few common-sense steps, and we have some of the most vital ones below. When it comes to staying safe on Facebook, Instagram and Twitter, a lot of it is common sense, with a sprinkling of extra awareness.

Subject: ‘NOVID’: CMU Professor Creates Anonymous Coronavirus Contact Tracing App
Source: CBS Pittsburgh

PITTSBURGH (KDKA) – NOVID is the first major anonymous contact tracing app to use ultrasound and bluetooth technology to accurately gauge the distance between people. “NOVID is a fully anonymous way of keeping track of who you’ve been around without having any clue of who they are,” said Po-Shen Loh.

Po-Shen Loh is an associate math professor at Carnegie Mellon University. He came up with the idea of NOVID, then mobilized a team of researchers to make it happen.

You don’t have to identify yourself in any way. It generates what’s called a random user identifier. The app will pick up someone else near you using NOVID, but you won’t know who that person is.

Subject: Virus unleashes wave of fraud in US amid fear and scarcity
Source: A.P. via Yahoo

WASHINGTON (AP) — A 39-year-old former investment manager in Georgia was already facing federal charges that he robbed hundreds of retirees of their savings in a Ponzi scheme when the rapid spread of COVID-19 presented an opportunity. Christopher A. Parris started pitching himself as a broker of surgical masks amid the nationwide scramble for protective equipment in the first desperate weeks of the outbreak, federal authorities said. He was soon taking in millions of dollars.

Except there were no masks. Law enforcement officials say Parris is part of what they are calling a wave of fraud tied to the outbreak.

Homeland Security Investigations, an arm of the Department of Homeland Security, is leading a nationwide crackdown. It has opened over 370 cases and so far arrested 11 people, as part of “Operation Stolen Promise,” according to Matthew Albence, acting director of U.S. Immigration and Customs Enforcement.

Nationwide, investigators have turned up more than false purveyors of PPE. They have uncovered an array of counterfeit or adulterated products, from COVID-19 tests kits and treatments to masks and cleaning products.

As part of the alleged scheme, Parris and the others bought the businesses of investment advisers who were retiring and leveraged the trust those advisers had built up over the years to pitch the bogus investments, with relatively modest returns, to their newly acquired clients.

Subject: UK accidentally leaves contact-tracing app plans on open Google Drive
Source: Business Insider

  • The UK government accidentally left documents outlining the potential future for its contact-tracing app on a publicly accessible Google Drive, Wired UK reports.
  • The UK’s official contact-tracing app is not yet fully live, and is being tested on the Isle of Wight.
  • According to the documents future versions of the app might ask for more data, track geolocation, and allow people to set a “COVID-19 status.”

The UK government accidentally revealed some of its future plans for its COVID-19 contact-tracing app by leaving them on a publicly accessible Google Drive.

The drive was spotted by Wired UK, and contained documents including one entitled “Product Direction: Release One” and labelled “OFFICIAL – SENSITIVE.”

A link to the open drive was included in a batch of published documents intended to detail the data and privacy protections and risks of the contact-tracing app, known as a Data Privacy Impact Assessment (DPIA).

The Google Drive has now been made private after Wired alerted the Department of Health and NHSX (the digital wing of the NHS) to the fact it was accessible.

Subject: Journal Article: “The TRUST Principles for Digital Repositories”
Source: Scientific Data via LJ infoDOCKET

Abstract – As information and communication technology has become pervasive in our society, we are increasingly dependent on both digital data and repositories that provide access to and enable the use of such resources. Repositories must earn the trust of the communities they intend to serve and demonstrate that they are reliable and capable of appropriately managing the data they hold.

Following a year-long public discussion and building on existing community consensus, several stakeholders, representing various segments of the digital repository community, have collaboratively developed and endorsed a set of guiding principles to demonstrate digital repository trustworthiness. Transparency, Responsibility, User focus, Sustainability and Technology: the TRUST Principles provide a common framework to facilitate discussion and implementation of best practice in digital preservation by all stakeholders.

Subject: A Complete List of Coronavirus (COVID-19) Scams
Source: Self via beSpacific

Self – “As anxiety around coronavirus increases, more scammers are taking advantage. While scams can happen any time, many companies are now preying on people’s fear about contracting COVID-19 and the financial uncertainty due to job and income loss caused by the virus, among others. Here’s what you need to know to help protect yourself from scams related to the Coronavirus. In this article:

Subject: The lack of women in cybersecurity leaves the online world at greater risk
Source: The Conversation

Women are highly underrepresented in the field of cybersecurity. In 2017, women’s share in the U.S. cybersecurity field was 14%, compared to 48% in the general workforce. The problem is more acute outside the U.S. In 2018, women accounted for 10% of the cybersecurity workforce in the Asia-Pacific region, 9% in Africa, 8% in Latin America, 7% in Europe and 5% in the Middle East.

Women are even less well represented in the upper echelons of security leadership. Only 1% of female internet security workers are in senior management positions.

I study online crime and security issues facing consumers, organizations and nations. In my research, I have found that internet security requires strategies beyond technical solutions. Women’s representation is important because women tend to offer viewpoints and perspectives that are different from men’s, and these underrepresented perspectives are critical in addressing cyber risks.

Increasing women’s participation in cybersecurity is good for women, good for business and good for society.

Posted in: Cybercrime, Cybersecurity, E-Commerce, Healthcare, KM, Library Software & Technology, Privacy, RSS Newsfeeds, Social Media