Pete Recommends – Weekly highlights on cyber security issues, August 1, 2020

Subject: Facebook offers $650 million to settle facial recognition class action
Source: USA Today

Three Illinois residents sued Facebook under a state law, the Biometric Information Privacy Act, which allows residents who have had their faces scanned for data without written consent to sue.

The lawsuit, which was certified as a class action, involved gathering facial data for a Facebook feature that suggests the name of people in users’ photos and could have exposed Facebook to billions in damages.


Subject: Is That ‘Contact Tracer’ Really a Scammer? How to Tell
Source: Nerd Wallet

Scammers are trying to take advantage of confusion over COVID-19 contact tracing. Here’s how to keep yourself safer. If you’re contacted about possible exposure to the coronavirus, make sure it’s legit. Scammers are masquerading as contact tracers, and it’s smart to verify calls or texts before giving out any information. A tracer’s job is to help contain the pandemic by reaching out to people who may be spreading the coronavirus. You could be called because your test was positive. Or perhaps someone who tested positive named you as someone they’d been in contact with, and now you need to be tested.

Fraudsters follow the news… First, simply pause – A call or text informing you that someone has “important health information to share” can be upsetting. And we don’t do our best thinking when we’re afraid, says Eva Velasquez, president and CEO of the nonprofit Identity Theft Resource Center.

Velasquez advises pausing rather than responding automatically. You don’t have to talk to the caller at that moment. Take time for due diligence, Velasquez suggests. If a caller says they’re a contact tracer from a county or state health department, take their name then hang up and call the department yourself to verify the information. Velasquez recommends looking up the number online; don’t rely on information provided in the initial contact. If the call seems to come from a legitimate source, you can talk to them when they call back…

Subject: Senate passes cybersecurity bolstering measure
Source: Homeland Preparedness News

A group of lawmakers are espousing the benefits of the Senate’s recent passage of a FY 2021 National Defense Authorization Act (NDAA) amendment designed to bolster cybersecurity. Sens. Rob Portman (R-OH), Maggie Hassan (D-NH), John Cornyn (R-TX), and Gary Peters (D-MI) said the amendment requires the Department of Homeland Security to establish a Cybersecurity State Coordinator position in every state. The measure now needs to be conferenced with the version passed by the House of Representatives, they added.

“Cybersecurity for state and local governments is just as important as efforts at the federal level, and frequently, they lack the resources, technical know-how, and situational awareness to secure their systems, or respond in the event of an attack,” Portman said. “I’m pleased that the Senate included this bipartisan proposal in the NDAA because it will strengthen the cybersecurity relationship between the federal government and state and local governments. This amendment is based on our bipartisan bill, the Cybersecurity State Coordinator Act.”

Subject: San Francisco Police Accessed Business District Camera Network to Spy on Protestors
Source: EFF via beSpacific

“The San Francisco Police Department (SFPD) conducted mass surveillance of protesters at the end of May and in early June using a downtown business district’s camera network, according to new records obtained by EFF. The records show that SFPD received real-time live access to hundreds of cameras as well as a “data dump” of camera footage amid the ongoing demonstrations against police violence. The camera network is operated by the Union Square Business Improvement District (BID), a special taxation district created by the City and County of San Francisco, but operated by a private non-profit organization. These networked cameras, manufactured by Motorola Solutions’ brand Avigilon, are high definition, can zoom in on a person’s face to capture face-recognition ready images, and are linked to a software system that can automatically analyze content, including distinguishing between when a car or a person passes within the frame. Motorola Solutions recently unveiled plans to expand its portfolio of tools for aiding public-private partnerships with law enforcement by making it easier for police to gain access to private cameras and video analytic tools like license plate readers…

Subject: A Test and Trace Strategy for Reconnecting to Government Networks
Source: Nextgov

Agencies shifted to large-scale work from home operations but little thought has been given to how to secure these networks when workers return to the office. It is no secret that the COVID-19 pandemic has been a bonanza for cybercriminals. As millions of government workers shifted to remote work almost overnight, federal IT managers were suddenly charged with securing a vastly expanded network perimeter while fending off increasingly aggressive and innovative bad actors.

For the first time ever, access to sensitive data and applications was almost exclusively driven by external users rather than on-premise demand. Securing this new edge-centric world has been especially challenging as the number of cyberthreats has risen and bad actors take advantage of fears of the pandemic to launch phishing campaigns and spread malware.

Despite these threats, federal agencies have largely managed. But today, over three months after agencies shifted to large-scale work from home operations, scant thought has been given to how to secure these networks when workers return to the office.

A potential disaster looms—and securing these networks will not be a one-time event that IT managers can focus on intensely for a moment in time and then forget about. Instead, as telework and rotating telework arrangements remain prevalent for some time, devices that are found to be malware-free upon returning to the office risk being infected (or re-infected) when they return home, and once again risk bringing malware back into the network.


Subject: Election admins vulnerable to email attacks
Source: GCN

In the run up to the 2020 elections, candidates and election officials alike appear vulnerable to phishing attacks and other cyber threats that could cause havoc in November. According to a new report from cybersecurity firm Area 1 on email security controls, a handful of election administrators and at least 50 candidates for public office in 2020 are still using versions of vulnerable Exim mail servers known to have been used by threat actors linked to the Russian military.

In May, the National Security Agency issued an advisory that Russian cyber actors from the GRU Main Center for Special Technologies, known as the Sandworm team, had been exploiting a vulnerability in Exim mail transfer agent software for Unix-based systems since at least August 2019. The remote code execution vulnerability allows an unauthenticated remote attacker to send “a specially crafted email to execute commands with root privileges allowing the attacker to install programs, modify data, and create new accounts,” NSA said in its advisory.

See also [paywall] – Election Officials Are Vulnerable to Email Attacks, Report Shows – Six jurisdictions used software that Russian spies have targeted in cyberattacks.

Subject: Navy shifts to zero trust mindset to deal with COVID-related telework
Source: FCW

The Navy’s top cyber official said he expects the department to move “aggressively” towards a zero trust security model to secure government systems while a critical mass of employees continues work from home and log in from personal devices due to the COVID-19 pandemic. Shortly after the virus started spreading across the U.S., the Navy set up an internal collaboration tool called Commercial Virtual Response, according to Chief Information Security Officer Chris Cleary. While operational and classified work was still routed through secure facilities, the tool allowed hundreds of thousands of Navy employees to continue working while under stay-at-home orders by accessing agency information through the cloud on their government, mobile or even personal device.

Zero trust – a model of cybersecurity built on the assumptions that there is no meaningful network perimeter and that access controls should be tightly regulated and monitored even for high-level employees – has been steadily gaining popularity within private and public sector organizations over the past decade. Government auditors say federal agencies still remain tethered to an outdated concept; namely that the best way to protect data is by shifting defensive resources toward the network boundary.

He attributed the problem to a lack of security governance within the c-suite at many agencies, along with an unhealthy emphasis on buying tools without a solid understanding of how they fit into broader strategies. For example, some agencies have turned to machine learning sensors in order to monitor their network activity. However, they often fail to set up the corresponding data feeds that largely power and guide the accuracy of such algorithms.

Some other articles:

Subject: New ‘Shadow Attack’ can replace content in digitally signed PDF files
Source: ZDNet

Fifteen out of 28 desktop PDF viewer applications are vulnerable to a new attack that lets malicious threat actors modify the content of digitally signed PDF documents. The list of vulnerable applications includes Adobe Acrobat Pro, Adobe Acrobat Reader, Perfect PDF, Foxit Reader, PDFelement, and others, according to new research [PDF] published this week by academics from the Ruhr-University Bochum in Germany.

Academics have named this technique of forging documents a Shadow Attack.

According to the research team three variants of a Shadow Attack exist:
