Pete Recommends – Weekly highlights on cyber security issues, July 26, 2020

Subject: Iran-Linked Hackers Left Their How-Tos on the Web
Source: Gizmodo

There’s a lot of intrigue and ~mystery~ surrounding the public conception of hacking, but the truth is, even the most elite hackers are regular people. And just like regular people, they screw up on the job more than you might think. We’ve seen cybercriminals screw themselves over in some of the dumbest ways imaginable over the years, but for some reason, we still see the same mistakes made time and time again.Case in point: A team of researchers out of IBM’s X-Force IRIS cybersecurity team have reported finding a server full of unencrypted data left out in the open by a hacker group affiliated with Iranian state authorities. According to the team, the trove included, among other things, roughly five hours’ worth of video explaining how to compromise accounts belonging to folks in the U.S. and Greek armed forces and how to siphon sensitive data out of those accounts once they’re crippled.

Apparently, the IBM team counted at least 75 websites that these Iranian ops tried to crack. At the end of the day, the IBM team suggests that the best way to protect yourselves from these sorts of shenanigans is to use a password manager capable of resetting your passwords at regular intervals, and ideally one that can use more than 14 characters, since longer passwords are all the tougher to crack. They also suggest using two-factor authentication as a last line of defense, in case your passwords get into the wrong hands.

Subject: Issue with Cloudflare’s DNS service shuts down half the web
Source: Gizmodo

Scores of websites and services went down Friday afternoon due to problems with Cloudflare’s DNS service, sparking rampant speculation about the cause. After all, a global DDOS attack would totally fit the real-life apocalypse movie that 2020 is increasingly turning into.The outage, which started shortly after 5 p.m. ET, brought down popular sites and services like Discord, Politico, Feedly, and League of Legends for roughly half an hour on Friday. Once connections were restored, Cloudflare issued an incident report stating that the issue “was not as a result of an attack” and that it “has been identified and a fix is being implemented.”

According to the incident report, this issue with Cloudflare’s DNS service impacted its data centers internationally, from Frankfurt to Paris and Schiphol, as well as several in major U.S. cities, including Los Angeles, Chicago, Seattle, Atlanta, and San Jose. Reports on Downdetector showed the outages appeared to be concentrated in the U.S. and northern Europe.

Subject: Most Dedicated VPN IP-addresses Are Not Anonymous
Source: TorrentFreak

…The Drawback of Dedicated VPN IP-Addresses – With a dedicated IP-address, which is often sold as an add-on, users get a unique IP-address as opposed to a shared one. This can be very convenient as it reduces annoying captchas and can bypass regular VPN blacklists. However, it comes at an anonymity cost.By connecting through a single IP-address, monitoring outfits can build up a profile of the user’s online activity. The real anonymity tradeoff, however, is that the VPN provider knows the user’s IP-address and can connect it to other account information it has on record. This sometimes includes an email address.

This may not be a concern for most people, but it’s certainly something to keep in mind for the small subset of subscribers that use a dedicated VPN IP-address.

site RSS:

Subject: Army re-orgs tech directorate
Source: FCW

The Army has replaced its cyber directorate with one that’s more expanded, covering everything from cyber and electronic warfare to enterprise IT networks and tactical communications.Under its G3/5/7 operations and planning directorate, the Department of the Army’s Management Office-Strategic Operations (DAMO-SO) has been around for several months and is holding itself as foundational for the Army’s more expansive technical priorities: cyber, artificial intelligence, data, enterprise IT, electronic warfare, electromagnetic spectrum, and space.

Brig. Gen. Martin Klein, who leads the new directorate, called the new office a “precursor” to the Army’s G6/chief information office.

The new office serves as an integrator for joint efforts and is also the lead entity for Joint All Domain Command and Control (JADC2). The strategic operations directorate also focuses on enabling spectrum, information dominance and cyber operations at the policy level by providing capabilities and synchronizing doctrine, Klein said. The directorate also works with the G6, which will soon be its own role, the CIO, and the Army chief data officer.

The directorate also aims to unify data practices and architectures across the force. Klein said data, and by extension cloud infrastructure and provider-agnostic software, were key to connecting the Army’s systems.

Subject: Sustaining large-scale, long-term remote telework security
Source: GCN

In response to the COVID-19 pandemic, the Office of Management and Budget made an unprecedented call for agencies to maximize telework arrangements, resulting in some cases with almost 100% <> of an agency’s employees working remotely. Now, as federal agencies commence reopening efforts, the question remains: Is a maximized telework approach here to stay? <> And with so many federal workers working remotely, how can agencies ensure that appropriate cybersecurity controls are in place?According to our recent report <>, 89% of cybersecurity professionals surveyed said COVID-19 has been a stress test for every security control and policy within their organizations. Ninety-four percent  said they are more concerned about security now than before the COVID-19 pandemic. Given the stress of COVID-required telework, are federal agencies prepared to sustain a secure approach to a mostly remote workplace?Likely not. After all, it’s one thing to say that there’s no perimeter, and another thing entirely to suddenly be forced to operate without a perimeter. When the workforce is no longer bound by perimeter, we have to think a lot more strategically.What must security teams do in order to sustain a large-scale, long-term approach in a mostly remote environment?

Build upon best practices.


Subject: Help fight Medicare fraud
Source: Medicare

Stay alert for fraud during the coronavirus national emergency. Con artists like to take advantage of people when they’re distracted.

Con artists may try to get your Medicare Number or personal information so they can steal your identity and commit Medicare fraud. Medicare fraud results in higher health care costs and taxes for everyone.

Protect yourself from Medicare fraud. Guard your Medicare card like it’s a credit card. Remember:

  • Medicare will never contact you for your Medicare Number or other personal information unless you’ve given them permission in advance.
  • Medicare will never call you to sell you anything.
  • You may get calls from people promising you things if you give them a Medicare Number. Don’t do it.
  • Medicare will never visit you at your home.
  • Medicare can’t enroll you over the phone unless you called first.

Learn more tips to help prevent Medicare fraud.

Check regularly for Medicare billing fraud. Review your Medicare claims and Medicare Summary Notices for any services billed to your Medicare Number you don’t recognize.

Subject: Your Genetic Data Isn’t Safe
Source: Consumer Reports

CR says better protections are needed for the intimate data you share when you take a direct-to-consumer genetic test

In exchange for your mailed sample of saliva, direct-to-consumer (DTC) genetic testing companies promise insights about your ancestry, your family connections, and even your health. These widely used tests—from companies such as 23andMe and Ancestry—are advertised as a way to learn more about your family history, better understand your health, and more. They’re often touted as thoughtful gifts, especially around the holidays.

But many people might not have a clear understanding of what happens to their personal genetic data after they mail a tube of spit to a private company for analysis. In a new white paper (PDF) published today, Consumer Reports’ privacy experts argue that part of the reason for this uncertainty is a gap in the regulatory framework surrounding consumers’ genetic data privacy.

Right now, companies write their own privacy policies that consumers agree to when they buy a test. But few laws regulate what companies must do to keep your data private and secure.“Ideally we’d like to see federal and state laws enacted that will empower consumers to control who has access to their genetic information,” says Justin Brookman, Consumer Reports’ director of privacy and technology policy.

In one 2018 study of DTC genetic testing companies’ privacy policies, Vanderbilt University researchers found that 71 percent of companies used consumer information internally for purposes other than providing the results to consumers. Sixty-two percent said they use data for internal research and development, while 78 percent said they provided genetic information to third parties in de-identified or aggregate forms without additional consumer consent.

Why Existing Rules Are Not Enough

Unlike your credit card number or your bank account password, if your genetic information is stolen or simply given away without your consent by a company that possesses it, it can’t be changed. And recent studies of sites (PDF) such as GEDmatch (where users can publicly post their genetic data) have found that it’s possible for people with nefarious intentions to reidentify individuals from supposedly de-identified genetic data.

Posted in: Big Data, Computer Security, Cybercrime, Cybersecurity, Health, KM, Military, Privacy, Telecommuting