Pete Recommends – Weekly highlights on cyber security issues, August 29, 2020

Subject: How Smartphone Location Tracking Works, and What You Can Do About It
Source: The New York Times

How can I opt out?

If you want to prevent Cuebiq from collecting your data, the easiest way is to disable the advertising ID on your phone. If you disable it, Cuebiq will no longer keep track of your device.

These instructions provide a good overview for disabling the ID on different Android phones. Apple provides a guide for iPhones here.

Subject: PIV encryption: The solution to federal email insecurity
Source: GCN

Sixteen years after Homeland Security Presidential Directive 12 (HSPD-12) called for the creation of a common, interoperable identification credential for both physical and logical access that would work governmentwide, much has been achieved. After many years of investment, personal identity verification credentials are now indeed government wide, but there is one area where the existing PIV infrastructure is not fully utilized: securing cross-agency email communication.

At a recent webinar, a group of experts in deploying PIV identity and encryption technologies in the federal space, including myself, evaluated the state of email encryption, why it is not being used as it should across agencies and what can be done to make better use of PIV credentials and encryption.

While most agencies use PIV credentials and encryption, they generally do not deploy it between agencies and with PIV-I contractors, stated Kyle Neuman, a PKI and cryptography expert and managing director of SAFE Identity, an industry consortium and certification body supporting identity assurance in healthcare.

Subject: Voice phishing attacks on the rise, CISA, FBI warn private sector
Source: FCW

The FBI and Cybersecurity and Infrastructure Security Agency are warning private businesses about an ongoing “vishing” – or voice phishing – campaign targeting employees who are working from home during the coronavirus pandemic. According to the alert, the campaign has been ongoing since at least mid-July, with attackers registering domains to create spoofed websites that duplicate the internal VPN login page for victim companies. They then obtained SSL certificates and used URL add-ons to make it appear as if the requests were coming internally from IT support.

ZDNet first reported on the alert, and the New York State government later published the document on its coronavirus response website.

Similar to phishing, vishing involves social engineering and impersonation by an attacker, usually over the phone, in order to trick a victim into giving up their account credentials. In this case, the attackers used Voice over Internet Protocol numbers to call victims on their personal cellphones, and in some cases were even able to spoof legitimate numbers from other employees and offices. They then convinced their target that they needed to use a different login page for their VPN, including any necessary one-time passwords or two-factor authentication information.

Subject: Providers may unknowingly be posting patient PHI from medical images online, ACR warns
Source: Becker’s Health IT

New search engine capabilities on Google, Bing and other vendors may expose identifying patient information from slide presentations published online, according to the American College of Radiology. In an Aug. 20 notice published to its website, the ACR, Radiological Society of North America and Society of Imaging Informatics in Medicine urged radiologists and other medical professionals to follow new guidance to ensure no protected health information is included in slide presentations.

Search engines such as Google and Bing can now extract large-scale information from previously stored files, including source images contained in PowerPoint presentations and Adobe PDF files. An image that has embedded patient information can be indexed by this process, meaning that when explicit patient information is associated with images in the search engine database, the identifying information can be linked to subsequent internet searches on the patient’s personal information.

To avoid exposing patient PHI online, medical professionals should only include images without identifying information in presentations, disable patient information overlays or use an anonymization algorithm to prevent PHI exposure.


Subject: At one university, students’ steps are tracked to stop the coronavirus
Source: NBC News via Yahoo

Newfound freedom is part of the allure of going off to college, but COVID-19 changes things. At Oklahoma State University, the school tracks where students are at all times on campus to slow the spread of the disease. Oklahoma State tracks the location data of students and staff who are signed on to campus Wi-Fi routers. The school also uses student card swipes, campus purchases and course attendance to complete contact tracing.
