Pete Recommends Weekly highlights on cyber security issues June 27, 2020

Subject: What Is a Side Channel Attack?
Source: WIRED

Computers constantly give off more information than you might realize—which hackers can use to pry out their secrets.

Side channel attacks take advantage of patterns in the information exhaust that computers constantly give off: the electric emissions from a computer’s monitor or hard drive, for instance, that emanate slightly differently depending on what information is crossing the screen or being read by the drive’s magnetic head. Or the fact that computer components draw different amounts of power when carrying out certain processes. Or that a keyboard’s click-clacking can reveal a user’s password through sound alone.

For a sufficiently clever hacker, practically any accidental information leakage can be harvested to learn something they’re not supposed to. As computing gets more complicated over time, with components pushed to their physical limits and throwing off unintended information in all directions, side channel attacks are only becoming more plentiful and difficult to prevent. Look no further than the litany of bugs that Intel and AMD have struggled to patch over the last two years with names like Meltdown, Spectre, Fallout, RIDL, or Zombieload—all of which used side channel attacks as part of their secret-stealing techniques.
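The "information exhaust" the article describes is easiest to see in software, where the leak can be counted rather than measured with an oscilloscope. The following is an added example, not code from the WIRED piece: a password-style comparison that stops at the first wrong byte, beside a version that does the same work regardless of where the mismatch is. The `work` counter stands in for whatever an observer could actually measure (time, power draw, cache activity); the secret and guesses are constructed demo values.

```python
import hmac

def leaky_compare(secret: bytes, guess: bytes):
    """Early-exit comparison. Returns (equal, work), where `work` counts the byte
    comparisons performed before returning. That count is the side channel: it
    grows with the length of the matching prefix, so anything that lets an
    observer measure it (time, power, cache activity) leaks the secret piecewise."""
    work = 0
    if len(secret) != len(guess):
        return False, work
    for a, b in zip(secret, guess):
        work += 1
        if a != b:
            return False, work
    return True, work

def constant_time_compare(secret: bytes, guess: bytes):
    """Same answer, but every byte is visited and the mismatch is accumulated,
    so `work` no longer depends on where the first wrong byte sits."""
    work = 0
    if len(secret) != len(guess):
        return False, work   # length still differs; real code hashes or pads first
    diff = 0
    for a, b in zip(secret, guess):
        work += 1
        diff |= a ^ b
    return diff == 0, work

def leakage_profile(compare, secret, guesses):
    """Run `compare` over a series of guesses and return the observable work per guess."""
    return [compare(secret, g)[1] for g in guesses]

if __name__ == "__main__":
    secret = b"s3cr3t"                                   # constructed demo value
    guesses = [b"aaaaaa", b"saaaaa", b"s3aaaa", b"s3cr3t"]  # progressively longer correct prefix
    print("leaky   ", leakage_profile(leaky_compare, secret, guesses))
    print("constant", leakage_profile(constant_time_compare, secret, guesses))
    # In production use the library primitive rather than a hand-rolled loop.
    print("library says:", hmac.compare_digest(secret, guesses[-1]))
```

The leaky profile rises one step per correct byte while the constant-time profile is flat; that difference, not the final yes/no answer, is what a side channel carries. In real code the comparison should be `hmac.compare_digest` (or the equivalent in your language), and the same principle applies to branches, memory accesses and error paths that depend on secret data.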

Subject: Making .gov More Secure by Default
Source: DotGov

When the public sees information on a .gov website, they need to trust that it is official and accurate. This trust is warranted, because registration of a .gov domain is limited to bona fide US-based government organizations. Governments should be easy to identify on the internet and users should be secure on .gov websites.

HTTPS is a key protection for websites and web users. It offers security and privacy when connecting to the web, and provides governments the assurance that what they publish is what is delivered to users. In the last few years, HTTPS has become the default connection type on the web. Browsers that were once telling users to “watch for a green lock!” are now removing the lock icons. Instead, the browser warns users when sites are not using HTTPS.

HSTS and preloading – An additional protection, HTTP Strict Transport Security (HSTS), is a simple standard that protects visitors by ensuring that their browsers always enforce an HTTPS connection to a website. It also eliminates the ability to click through a certificate error–protecting users from attack.

For a user to take advantage of HSTS, however, their browser has to see the HSTS header on a site at least once. This means that users are not protected until after their first successful secure connection to a given domain, which may not occur in certain cases.
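The "first connection" gap above is the reason preloading exists. As an added example (not code from DotGov or any browser), the block below parses a Strict-Transport-Security header, checks it against the published hstspreload.org submission rules (max-age of at least one year, includeSubDomains, preload), and then models a browser's HSTS state to show which requests still go out over plain HTTP. The browser model is a deliberate simplification (no expiry tracking) and the hostnames are constructed.

```python
from urllib.parse import urlsplit

ONE_YEAR = 31536000  # hstspreload.org's minimum max-age for submission (one year)

def parse_hsts(header):
    """Split a Strict-Transport-Security value into directives (RFC 6797 syntax).
    Directive names are case-insensitive; values keep their text minus quotes."""
    directives = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        directives[name.strip().lower()] = value.strip().strip('"')
    return directives

def max_age(directives):
    """max-age as an int, or -1 when absent or malformed."""
    try:
        return int(directives.get("max-age", ""))
    except ValueError:
        return -1

def preload_ready(header):
    """Check a header against the hstspreload.org submission rules.
    Returns (ok, list of reasons it fails)."""
    d = parse_hsts(header)
    reasons = []
    if max_age(d) < ONE_YEAR:
        reasons.append("max-age must be at least 31536000 (one year)")
    if "includesubdomains" not in d:
        reasons.append("includeSubDomains directive missing")
    if "preload" not in d:
        reasons.append("preload directive missing")
    return not reasons, reasons

class HstsCache:
    """Simplified model of a browser's HSTS state: hosts shipped in the preload
    list plus hosts learned from headers seen over HTTPS. Real browsers also
    track expiry; that is omitted here."""

    def __init__(self, preload_list=()):
        self.preloaded = {h.lower() for h in preload_list}
        self.learned = {}  # host -> whether includeSubDomains was set

    def remember(self, host, header):
        """Called only after a successful HTTPS response carrying the header."""
        d = parse_hsts(header)
        if max_age(d) <= 0:
            self.learned.pop(host.lower(), None)  # max-age=0 tells the browser to forget
        else:
            self.learned[host.lower()] = "includesubdomains" in d

    def is_known(self, host):
        labels = host.lower().split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            if candidate in self.preloaded:       # preload entries always cover subdomains
                return True
            if candidate in self.learned and (i == 0 or self.learned[candidate]):
                return True
        return False

    def navigate(self, url):
        """Return the URL the browser would actually request for a typed or linked URL."""
        parts = urlsplit(url)
        if parts.scheme == "http" and self.is_known(parts.hostname or ""):
            return "https://" + url[len("http://"):]
        return url

if __name__ == "__main__":
    cache = HstsCache(preload_list=["preloaded.example"])   # constructed names
    print(cache.navigate("http://learned.example/login"))    # first visit: stays http
    cache.remember("learned.example", "max-age=31536000; includeSubDomains")
    print(cache.navigate("http://learned.example/login"))    # now upgraded
    print(cache.navigate("http://preloaded.example/"))       # upgraded on the very first visit
    print(preload_ready("max-age=86400"))
```

The first `navigate` call is the unprotected request the paragraph warns about: nothing in the cache matches, so the browser sends plain HTTP and only learns the policy from the response. The preloaded host never has that window. `preload_ready` is the check to run on your own header before submitting to the preload list.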

Subject: US designates 4 more Chinese media organizations as foreign diplomatic missions
Source: CNNPolitics

Washington (CNN) The Trump administration announced that it will designate four more Chinese media organizations as foreign diplomatic missions, arguing that they are under the control of the Chinese Communist Party.

David Stilwell, the State Department’s assistant secretary for east Asia and Pacific affairs, said Monday that China Central Television, China News Service, People’s Daily and the Global Times would have to report details of their US staffing and what their US real estate holdings are to the State Department.

“These entities are not independent news organizations; they are effectively controlled by the Chinese Communist Party … also known as propaganda outlets,” Stilwell said. “Furthermore … our action will increase transparency on the control of information, not just among their state propaganda outlets but also amongst legitimate journalists and news gatherings in China.”

“While the Chinese Communist Party has always tightly controlled China’s state news agencies, its control has tightened in recent years, decades, particularly under” Xi, Stilwell said.

“These people are doing more than just propaganda, right, and to understand exactly what that is we have to know who they are. It’s about understanding what’s going on inside your own country; we’re a free nation,” Stilwell added.

Earlier this year, the US had designated five other Chinese outlets as foreign missions and capped the number of Chinese journalists working for those outlets in the US.

Subject: Digital Security Advice for Journalists Covering the Protests Against Police Violence
Source: EFF via beSpacific

This guide is an overview of digital security considerations specific to journalists covering protests. For EFF’s comprehensive guide to digital security, including advice for activists and protesters, visit Legal advice in this post is specific to the United States. As the international protests against police killings enter their third week, the public has been exposed to shocking videos of law enforcement wielding violence against not only demonstrators, but also the journalists who are tasked with documenting this historic moment. EFF recently issued Surveillance Self-Defense tips for protesters who may find their digital rights under attack, either through mass surveillance of crowds or through the seizure of their devices. However, these tips don’t always reflect the reality of how journalists may need to do their jobs and the unique threats journalists face. In this blog post, we attempt to address the digital security of news gatherers after speaking with reporters, photographers, and live streamers who are on the ground, risking everything to document these protests…”

beSpacific Subjects: Cybercrime, Cybersecurity, Internet, Legal Research, Privacy

Subject: German court orders Facebook to comply with data collection order
Source: Business Insider

  • A top German court has dealt a blow to Facebook’s data collection efforts.
  • The American social media giant is ensnared in an antitrust battle in the country.
  • On Tuesday, it was ordered to comply with an order to curb data collection.
  • The broader antitrust case is still ongoing.

The country’s antitrust watchdog had objected in particular to how Facebook pools data on people from third-party apps – including its own WhatsApp and Instagram — and online tracking of people who do not have accounts via Facebook “like” or “share” buttons.

Subject: How to make sure Google automatically deletes your data on a regular basis
Source: Vox via beSpacific

Vox: “…The company announced on Wednesday that auto-delete will be the default setting for user account activity settings. That said, this “default” setting only applies to new accounts or existing accounts that now turn on data retention after having it disabled. And the default auto-delete time still gives Google as much as three years of your data, as opposed to manual auto-delete settings that keep as little as three months’ worth. Google also announced that its account privacy and security settings will soon be accessible through its search page. You’ll also be able to switch over to Chrome’s Incognito mode in its apps more easily — simply press down on your profile photo for a second or two. Incognito mode lets you browse the internet “privately,” which means Google Chrome won’t save your history or cookies on your computer. It does not, however, mean that the websites you visit or the server you use can’t see what you’re doing.
The Google announcement comes just a couple days after rival Apple announced some new privacy features for its software. More on that in a second. If you have a Google account and use Google products like Gmail, YouTube, or Chrome, you’re probably logged in all the time. In this case, your activity while using those apps and services can be tracked by Google, which will then use that data to target ads to you, among other things. Over the years, Google has introduced privacy controls over the data you send the company and has made efforts to make those features more obvious to users. You can find most of these privacy controls in your account settings by clicking on “Manage your data & personalization.” From there, you can click on “Manage your activity controls.” This is the section where you can save your web and app activity, location history, and YouTube history if you want Google to use that data to give you what it calls a “more personalized experience.” Or you can just ask Google not to save anything and have an impersonal, but more private, experience…”

Subject: Open IPP Report – Exposed Printer Devices on the Internet
Source: The Shadowserver Foundation

Since July 2019, The Shadowserver Foundation has been participating in an EU CEF (Connecting Europe Facility) funded project called VARIoT. The main goal of the VARIoT (Vulnerability and Attack Repository for IoT) project is to create new services that provide actionable security-related information about the Internet of Things (IoT). One of The Shadowserver Foundation’s roles in the project involves expanding our internet-wide daily port scanning capability to enable the mapping of exposed IoT devices on the Internet. The aim is to alert National CSIRTs and network owners of exposed and potentially vulnerable IoT devices, as well as to build higher level statistics about IoT device types observed on a per-country level, which can be shared via the European Data Portal with the general public.

We scan by sending an IPP Get-Printer-Attributes request to TCP port 631. We started regular scanning of all 4 billion routable IPv4 addresses on the 5th of June 2020 and added Open IPP reporting as part of our daily public benefit remediation network reports on the 8th of June 2020. Our IPP scans uncover around 80,000 open devices (printers) per day. Obviously these counts only represent devices that are not firewalled and allow direct querying over the IPv4 Internet.
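To make the scan described above concrete for anyone who has to recognise it in their own traffic or confirm a printer they administer answers it, here is an added example (not Shadowserver's code) that encodes a Get-Printer-Attributes request in the IPP wire format of RFC 8010 and decodes a reply. On the network the request bytes travel as the body of an HTTP POST to port 631 with Content-Type application/ipp. The response below is constructed locally so the example runs offline; the printer name, model and URI are placeholders.

```python
import struct

# IPP wire constants (RFC 8010); only the subset this example needs.
OP_GET_PRINTER_ATTRIBUTES = 0x000B
TAG_OPERATION_ATTRS, TAG_END, TAG_PRINTER_ATTRS = 0x01, 0x03, 0x04
VT_INTEGER, VT_BOOLEAN, VT_ENUM = 0x21, 0x22, 0x23
VT_TEXT, VT_NAME, VT_KEYWORD, VT_URI = 0x41, 0x42, 0x44, 0x45
VT_CHARSET, VT_LANGUAGE = 0x47, 0x48
INT_TAGS = {VT_INTEGER, VT_ENUM}
STR_TAGS = {VT_TEXT, VT_NAME, VT_KEYWORD, VT_URI, VT_CHARSET, VT_LANGUAGE}
PRINTER_STATES = {3: "idle", 4: "processing", 5: "stopped"}   # RFC 8011 printer-state enum

def _attr(tag, name, value):
    """Encode one attribute: value-tag, name-length, name, value-length, value.
    An empty name marks an additional value of the preceding attribute."""
    if tag in INT_TAGS:
        raw = struct.pack(">i", value)
    elif tag == VT_BOOLEAN:
        raw = b"\x01" if value else b"\x00"
    else:
        raw = value.encode("utf-8")
    name_b = name.encode("utf-8")
    return (bytes([tag]) + struct.pack(">H", len(name_b)) + name_b
            + struct.pack(">H", len(raw)) + raw)

def build_get_printer_attributes(printer_uri, request_id=1):
    """The request type the scan sends: version 2.0, operation-id 0x000B, the three
    mandatory operation attributes, then the end-of-attributes tag."""
    msg = struct.pack(">BBHI", 2, 0, OP_GET_PRINTER_ATTRIBUTES, request_id)
    msg += bytes([TAG_OPERATION_ATTRS])
    msg += _attr(VT_CHARSET, "attributes-charset", "utf-8")
    msg += _attr(VT_LANGUAGE, "attributes-natural-language", "en")
    msg += _attr(VT_URI, "printer-uri", printer_uri)
    return msg + bytes([TAG_END])

def parse_ipp(message):
    """Decode an IPP request or response into (header, {group-tag: {name: [values]}})."""
    major, minor, op_or_status, request_id = struct.unpack(">BBHI", message[:8])
    header = {"version": f"{major}.{minor}", "operation_or_status": op_or_status,
              "request_id": request_id}
    groups, group, last_name, pos = {}, None, None, 8
    while pos < len(message):
        tag = message[pos]; pos += 1
        if tag == TAG_END:
            break                                  # anything after this is document data
        if tag < 0x10:                             # delimiter tag: a new attribute group
            group = tag
            groups.setdefault(group, {})
            continue
        name_len = struct.unpack(">H", message[pos:pos + 2])[0]; pos += 2
        name = message[pos:pos + name_len].decode("utf-8"); pos += name_len
        val_len = struct.unpack(">H", message[pos:pos + 2])[0]; pos += 2
        raw = message[pos:pos + val_len]; pos += val_len
        if tag in INT_TAGS:
            value = struct.unpack(">i", raw)[0]
        elif tag == VT_BOOLEAN:
            value = raw != b"\x00"
        elif tag in STR_TAGS:
            value = raw.decode("utf-8", "replace")
        else:
            value = raw                            # other value tags kept as raw bytes
        name = last_name if name_len == 0 else name
        last_name = name
        groups.setdefault(group, {}).setdefault(name, []).append(value)
    return header, groups

def constructed_response(request_id=1):
    """A Get-Printer-Attributes reply built locally for the demo, not from a real device."""
    msg = struct.pack(">BBHI", 2, 0, 0x0000, request_id)          # status successful-ok
    msg += bytes([TAG_OPERATION_ATTRS])
    msg += _attr(VT_CHARSET, "attributes-charset", "utf-8")
    msg += _attr(VT_LANGUAGE, "attributes-natural-language", "en")
    msg += bytes([TAG_PRINTER_ATTRS])
    msg += _attr(VT_NAME, "printer-name", "constructed-printer")
    msg += _attr(VT_TEXT, "printer-make-and-model", "Example Printer 1234 (constructed)")
    msg += _attr(VT_ENUM, "printer-state", 3)
    msg += _attr(VT_KEYWORD, "document-format-supported", "application/pdf")
    msg += _attr(VT_KEYWORD, "", "image/jpeg")                   # additional value
    return msg + bytes([TAG_END])

def summarize(response):
    """Pull out what an exposure report would record from a reply."""
    header, groups = parse_ipp(response)
    pa = groups.get(TAG_PRINTER_ATTRS, {})
    return {"status": header["operation_or_status"],
            "name": pa.get("printer-name", [None])[0],
            "model": pa.get("printer-make-and-model", [None])[0],
            "state": PRINTER_STATES.get(pa.get("printer-state", [None])[0], "unknown"),
            "formats": pa.get("document-format-supported", [])}

if __name__ == "__main__":
    req = build_get_printer_attributes("ipp://printer.example/ipp/print")   # placeholder URI
    print(req.hex())
    print(summarize(constructed_response()))
```

A printer that answers this unauthenticated request from the Internet is what the report counts as "open"; the fix is the one the text implies, keeping TCP 631 off the public side of the firewall, and the request's fixed prefix (`0200000b` followed by the charset and language attributes) is a usable signature if you want to see the scans in your own logs.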

Subject: Wrongfully Accused by an Algorithm
Source: ars technica + others via beSpacific

ars technica: “Civil rights activists have filed an official complaint against the Detroit police, alleging the department arrested the wrong man based on a faulty and incorrect match provided by facial recognition software—the first known complaint of this kind. The American Civil Liberties Union filed the complaint (PDF) Wednesday on behalf of Robert Williams, a Michigan man who was arrested in January based on a false positive generated by facial recognition software. “At every step, DPD’s conduct has been improper,” the complaint alleges. “It unthinkingly relied on flawed and racist facial recognition technology without taking reasonable measures to verify the information being provided” as part of a “shoddy and incomplete investigation.”…

beSpacific Subjects: AI, Civil Liberties, E-Records, Internet, Knowledge Management, Legal Research, Privacy

Subject: Library officials warn: Stop microwaving books to kill COVID-19
Source: Detroit Free Press via beSpacific

People are getting creative when it comes to staying safe from COVID-19 and it has prompted at least one Michigan library to issue a public warning: Stop microwaving books. A burned book was returned to Kent District Library after being damaged in a microwave. Don’t microwave anything, library officials say.

Library books have metal in the security radio frequency identification (RFID) tags, which are located inside of the book. When the metal entered the microwave, a hole was burned into the cover.

“I don’t know if it was something that they saw on the news — that they thought maybe the heat would kill COVID-19,” said Elizabeth Guarino-Kozlowicz, regional manager of Kent District Library.

Abstracted from beSpacific

Subject: Demographic report on protests shows how much info our phones give away
Source: Buzzfeed via beSpacific

Buzzfeed: “On the weekend of May 29, thousands of people marched, sang, grieved, and chanted, demanding an end to police brutality and the defunding of police departments in the aftermath of the police killings of George Floyd and Breonna Taylor. They marched en masse in cities like Minneapolis, New York, Los Angeles, and Atlanta, empowered by their number and the assumed anonymity of the crowd. And they did so completely unaware that a tech company was using location data harvested from their cellphones to predict their race, age, and gender and where they lived. Just over two weeks later, that company, Mobilewalla, released a report titled “George Floyd Protester Demographics: Insights Across 4 Major US Cities.” In 60 pie charts, the document details what percentage of protesters the company believes were male or female; young adult (18–34), middle-aged (35–54), or older (55+); and “African-American,” “Caucasian/Others,” “Hispanic,” or “Asian-American.” “African American males made up the majority of protesters in the four observed cities vs. females,” Mobilewalla claimed. “Men vs. women in Atlanta (61% vs. 39%), in Los Angeles (65% vs. 35%), in Minneapolis (54% vs. 46%) and in New York (59% vs. 41%).” The company analyzed data from 16,902 devices at protests — including exactly 8,152 devices in New York, 4,527 in Los Angeles, 2,357 in Minneapolis, and 1,866 in Atlanta. Sen. Elizabeth Warren told BuzzFeed News that Mobilewalla’s report was alarming, and an example of the consequences of the lack of regulation on data brokers in the US…”

beSpacific Subjects: Civil Liberties, Congress, E-Records, Knowledge Management, Legal Research, Privacy

Posted in: AI, Civil Liberties, Cybercrime, Cybersecurity, Education, Government Resources, Healthcare, Legal Research, Libraries & Librarians, Privacy, Search Engines, Social Media, Technology Trends