Pete Recommends Weekly highlights on cyber security issues June 6, 2020

Subject: Walmart Employees Are Out to Show Its Anti-Shoplifting AI Doesn’t Work
Source: WIRED

In January, my coworker received a peculiar email. The message, which she forwarded to me, was from a handful of corporate Walmart employees calling themselves the “Concerned Home Office Associates.” (Walmart’s headquarters in Bentonville, Arkansas, is often referred to as the Home Office.) While it’s not unusual for journalists to receive anonymous tips, they don’t usually come with their own slickly produced videos. The employees said they were “past their breaking point” with Everseen, a small artificial intelligence firm based in Cork, Ireland, whose technology Walmart began using in 2017. Walmart uses Everseen in thousands of stores to prevent shoplifting at registers and self-checkout kiosks. But the workers claimed it misidentified innocuous behavior as theft, and often failed to stop actual instances of stealing.

They told WIRED they were dismayed that their employer—one of the largest retailers in the world—was relying on AI they believed was flawed. One worker said that the technology was sometimes even referred to internally as “NeverSeen” because of its frequent mistakes. WIRED granted the employees anonymity because they are not authorized to speak to the press.

But the Concerned Home Office Associates said their worries about Everseen long predate the pandemic. Emails obtained by WIRED show that other corporate employees raised issues about the technology failing to prevent theft in both 2017 and 2018. The employees said they were particularly vexed by Walmart’s continued investment in Everseen because NCR Corporation, which makes the majority of Walmart’s registers, had acquired an Everseen competitor called StopLift. They considered the acquisition an endorsement, and were confused as to why StopLift’s technology wasn’t being further explored.

Everseen’s technology was designed in part to help solve a persistent problem with self-checkout. While allowing customers to scan and pay for their own items cuts down on labor costs for retailers, it has also led to more inventory loss, or “shrinkage,” due to shoplifting, employee theft, and other problems. “Theft through self-checkout lanes is exponentially higher than through traditional checkout lanes,” says Christopher Andrews, a sociology professor at Drew University and the author of The Overworked Consumer: Self-Checkouts, Supermarkets, and the Do-It-Yourself Economy.


Subject: Choosing 2FA authenticator apps can be hard. Ars did it so you don’t have to

Source: Ars Technica

Last year, Sergio Caltagirone found himself in a tough spot. While traveling, his phone broke and stopped working completely. With no access to his Google and Microsoft authenticator apps, he lost access to two-factor authentication when he needed it most—when he was logging in from IP addresses not recognized by the 30 to 40 sites he had enrolled. “I had a whole bunch of sites [that] I had to go through a massively long account restoration process because I lost my 2FA,” said Caltagirone, who is senior VP of threat intelligence at security firm Dragos. “Every time, I had to contact customer service. I had different levels of requirements I had to go through for them to effectively disable 2FA on my account. Some required address verification. [For others,] I had to send a last bill. The number of those I went through was just insane.”

Thin blades

The experience shows the double-edged sword of multi-factor authentication. Requiring users to enter a password that’s pseudorandomly generated every 30 seconds makes account takeovers significantly harder, even when an attacker has phished or otherwise obtained the password. But in the event that second factor (in this case, the “something you have,” that is, the phone) isn’t available, that same protection can block legitimate users from logging in for unacceptably long periods of time.

The two authenticators that stood out were Duo and Authy. Both made backups easy, and gave me a reasonable level of confidence that they would keep the secret seeds secure and confidential under my threat models. Both authenticators focus primarily on enterprise customers, who pay to use them to log large numbers of employees into corporate portals and private networks.

Subject: How to Protest Safely in the Age of Surveillance
Source: WIRED

There are two main aspects of digital surveillance to be concerned about while at a protest. One is the data police could potentially obtain from your phone if you are detained, arrested, or they confiscate your device. The other is law enforcement surveillance, which can include wireless interception of text messages and more, and tracking tools like license plate scanners and facial recognition. You should be mindful of both.

After all, police across the country have already demonstrated their willingness to arrest and attack entirely peaceful protestors as well as journalists observing the demonstrations. In that light, you should assume that any digital evidence that you were at or near a protest could be used against you. “It’s clear the government is bringing the full force of the surveillance state to monitor these uprisings,” wrote Evan Greer, the deputy director of the activist organization Fight for the Future, in a Twitter thread laying out digital security advice. “Remember that taking these steps isn’t just about protecting yourself, it’s about protecting others who may be more at risk than you because they are undocumented, have a criminal record, [or] have an underlying health condition that would make an arrest life threatening.”

Protect Your Smartphone

The most important decision to make before leaving home for a protest is whether to bring your phone—or what phone to bring. A smartphone broadcasts all sorts of identifying information; law enforcement can force your mobile carrier to cough up data about what cell towers your phone connected to and when. US police have also been documented using so-called stingray devices, or IMSI catchers, that impersonate cell towers and trick all the phones in a certain area into connecting to them. This can give cops the individual mobile subscriber identity number of everyone at a protest at a given time, undermining the anonymity of entire crowds en masse.

“The device in your pocket is definitely going to give off information that could be used to identify you,” says Harlo Holmes, director of newsroom security at the Freedom of the Press Foundation,

Subject: More Cyber Training Does Not Mean Fewer Data Breaches
Source: Forbes

Allen Look, former CISO of the SI Group, suggested that while user awareness was a big deal and training programs were key, a lot of organizations did not have a follow-up to training.

Perhaps employees should be frequently tested to ensure they’re up-to-date on policies, or be rewarded when they spot phishing scams.

While the survey data may suggest that there was some fatigue caused by excessive training, Jim Gumbley, cyber security principal at technology consultancy ThoughtWorks, suggested this may not be the case and that there are many factors in play at the same time.

“From experience, quality can be more important than quantity. If training is dry and carried out for compliance purposes only, it will not have much effect. To change behaviour, the training needs to be engaging and lock into the things which influence how folks think about security and act around sensitive data – this includes highlighting ‘why’,” he says.


Enterprise & Cloud

Subject: How to take back the information you’ve given to all your favorite apps and websites
Source: Popular Science via beSpacific

Popular Science: “Social media networks know a lot about you. In fact, that’s their primary job. They want to collect information about you and use that to sell advertisements that you can’t resist. In return for your data, these companies give you a chance to interact with other users and share your life no matter how interesting or banal. Recently, instructions have been floating around the web about how to see the secret interests Instagram thinks you want to see ads about. The results are sometimes hilariously wrong, but they can also be worryingly accurate. Your information is a product that companies leverage. In a perfect world, this exchange would result in a harmonious civilization in which people find others with similar interests and we enjoy our hobbies in peace. In real life, however, our information crawls around the dark corners of the web where it’s compromised, sold, leveraged, and otherwise abused. And that’s not even mentioning what happens when one of these social media sites flickers out of existence and takes all of your stuff with it. This article provides a quick primer on how to see what data sites have collected about you, as well as how to download and delete it. It’s handy information to have before the next site shuts down or accidentally tells a bunch of bad guys your favorite movie and your cellphone number…”


Subject: Drug Safety: COVID-19 Complicates Already Challenged FDA Foreign Inspection Program
Source: U.S. GAO

The outbreak of COVID-19 has called greater attention to the United States’ reliance on foreign drug manufacturers. Much of the drug manufacturing for the U.S. market happens overseas—and drugs for treating COVID-19 are no exception.

Food and Drug Administration inspections of foreign and domestic drug manufacturers are critical to ensuring drug safety and effectiveness.

But FDA began to postpone almost all inspections of foreign manufacturing establishments in March 2020 due to COVID-19. We testified that this lack of foreign inspections removes a critical source of information about the quality of drugs manufactured for the U.S. market.

Most Foreign Drug Manufacturing Establishments Shipping to the United States Are in 10 Countries

Subject: Google faces $5 billion lawsuit in U.S. for tracking ‘private’ internet use
Source: Reuters via beSpacific

Reuters: “Google was sued on Tuesday in a proposed class action accusing the internet search company of illegally invading the privacy of millions of users by pervasively tracking their internet use through browsers set in “private” mode. The lawsuit seeks at least $5 billion, accusing the Alphabet Inc unit of surreptitiously collecting information about what people view online and where they browse, despite their using what Google calls Incognito mode. According to the complaint filed in the federal court in San Jose, California, Google gathers data through Google Analytics, Google Ad Manager and other applications and website plug-ins, including smartphone apps, regardless of whether users click on Google-supported ads. This helps Google learn about users’ friends, hobbies, favorite foods, shopping habits, and even the “most intimate and potentially embarrassing things” they search for online, the complaint said. Google “cannot continue to engage in the covert and unauthorized data collection from virtually every American with a computer or phone,” the complaint said…”

Subject: USPS Provides Recommendations for Successful 2020 Election Mail Season
Source: USPS General Counsel via beSpacific

I wonder how this letter was delivered? email, USPS, Priority???

Subject: Keeping water and energy secure

Source: Penn State University Newswire

UNIVERSITY PARK, Pa. — Water and energy systems do not typically come to mind as cyber hacker targets, but those systems are often most vulnerable to such attacks, according to Javad Khazaei, assistant professor of electrical engineering at Penn State Harrisburg. Khazaei, an affiliate professor of architectural engineering in the College of Engineering at Penn State University Park, is leading a 15-month seed-grant-funded project investigating the vulnerability of water and energy infrastructure systems and developing detection methodologies to counteract such criminal acts.

Technologically advanced, or “smart,” cities often integrate water and energy systems, which are controlled automatically by sensors and remote monitoring systems, according to Khazaei. If hackers gain access to these advanced metering infrastructures and inject false data readings, they can cause failures without detection.

To examine the feasibility of such attacks and understand cyber attackers’ strategies, the researchers will use multi-objective mathematical formulations to create an attack model like one a hacker would use to carry out an attack. The models will be critical in identifying the vulnerabilities of interlinked water and energy systems and in understanding what would cause blackouts or water cutoffs.

In tandem with the attack models, the researchers will develop two big data analytics-based detection methodologies — a recursive least-square estimation method and a machine learning-based bad data detection strategy that can detect stealthy attacks.
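The release names a recursive least-square estimator as one of the two bad data detection methods but does not describe it. As an added example (not the Penn State project’s code), here is a scalar RLS bad-data detector in Python run over a constructed meter series with one injected false reading. The AR(1)-style model, the forgetting factor, the residual threshold and the reading series are all assumptions made for the illustration.

```python
LAMBDA = 0.9        # forgetting factor: weights recent readings more heavily
THRESHOLD = 15.0    # residual (in meter units) above which a reading is flagged


class RLSBadDataDetector:
    """Tracks y_t ~ theta * y_{t-1} with scalar RLS; flags readings whose residual is too large."""

    def __init__(self, lam=LAMBDA, threshold=THRESHOLD, p0=1000.0):
        self.lam, self.threshold = lam, threshold
        self.theta = 1.0      # initial guess: the next reading equals the last one
        self.p = p0           # large initial covariance so early updates adapt quickly
        self.prev = None      # regressor: last *trusted* reading

    def update(self, y):
        """Return (predicted, residual, flagged) for reading y and update the model."""
        if self.prev is None:
            self.prev = y
            return y, 0.0, False
        x = self.prev
        predicted = self.theta * x
        residual = y - predicted
        if abs(residual) > self.threshold:
            # Do not learn from a suspect reading and do not feed it back as the
            # regressor; otherwise the spike itself would cause a second false alarm.
            self.prev = predicted
            return predicted, residual, True
        gain = self.p * x / (self.lam + x * self.p * x)     # RLS gain
        self.theta += gain * residual                       # parameter update
        self.p = (self.p - gain * x * self.p) / self.lam    # covariance update
        self.prev = y
        return predicted, residual, False


def detect_bad_data(readings):
    """Run the detector over a reading sequence; return indices flagged as bad data."""
    det = RLSBadDataDetector()
    return [i for i, y in enumerate(readings) if det.update(y)[2]]


def constructed_flow_readings(n=60, inject_at=40, inject_delta=50.0):
    """Constructed meter series: slowly rising flow with one injected false reading."""
    readings = [100.0 + 0.5 * t for t in range(n)]
    readings[inject_at] += inject_delta
    return readings


if __name__ == "__main__":
    print("flagged readings:", detect_bad_data(constructed_flow_readings()))  # [40]
```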

“Cybersecurity for water treatment and supply networks is only loosely monitored at the federal and state levels, where the primary focus is often on water quality,” she said. “There is an urgent nationwide need for cybersecurity expertise. Javad’s research will provide needed background information for officials at both the federal and state level to make reforms and protect the nation’s critical infrastructure.”