Pete Recommends – Weekly highlights on cyber security issues, August 8, 2020

Subject: How to hide from a drone – the subtle art of ‘ghosting’ in the age of surveillance
Source: The Conversation via LLRX
https://www.llrx.com/2020/07/how-to-hide-from-a-drone-the-subtle-art-of-ghosting-in-the-age-of-surveillance/

Drones of all sizes are being used by environmental advocates to monitor deforestation, by conservationists to track poachers, and by journalists and activists to document large protests. As a political sociologist who studies social movements and drones, I document a wide range of nonviolent and pro-social drone uses in my new book, “The Good Drone.” I show that these efforts have the potential to democratize surveillance. But when the Department of Homeland Security redirects large, fixed-wing drones from the U.S.-Mexico border to monitor protests, and when towns experiment with using drones to test people for fevers, it’s time to think about how many eyes are in the sky and how to avoid unwanted aerial surveillance. One way that’s within reach of nearly everyone is learning how to simply disappear from view.

Public opinion about the use and spread of drones is still up in the air, but burgeoning drone use has sparked numerous efforts to curtail drones. These responses range from public policies exerting community control over local airspace, to the development of sophisticated jamming equipment and tactics for knocking drones out of the sky.



Subject: Opinion | Data isn’t just being collected from your phone. It’s being used to score you.
Source: Washington Post
https://www.washingtonpost.com/opinions/2020/07/31/data-isnt-just-being-collected-your-phone-its-being-used-score-you/

Operating in the shadows of the online marketplace, specialized tech companies you’ve likely never heard of are tapping vast troves of our personal data to generate secret “surveillance scores” — digital mug shots of millions of Americans — that supposedly predict our future behavior. The firms sell their scoring services to major businesses across the U.S. economy.

People with low scores can suffer harsh consequences.

CoreLogic and TransUnion say that scores they peddle to landlords can predict whether a potential tenant will pay the rent on time, be able to “absorb rent increases,” or break a lease. Large employers use HireVue, a firm that generates an “employability” score about candidates by analyzing “tens of thousands of factors,” including a person’s facial expressions and voice intonations. Other employers use Cornerstone’s score, which considers where a job prospect lives and which web browser they use to judge how successful they will be at a job.

Surveillance scoring is the product of two trends. First is the rampant (and mostly unregulated) collection of every intimate detail about our lives, amassed by the nanosecond from smartphones to cars, toasters to toys. This fire hose of data — most of which we surrender voluntarily — includes our demographics, income, facial characteristics, the sound of our voice, our precise location, shopping history, medical conditions, genetic information, what we search for on the Internet, the websites we visit, when we read an email, what apps we use and how long we use them, and how often we sleep, exercise and the like.

[this is almost laughable — the scoring done by CRAs and others is most obscure and has been around for a lot longer — who validates? where are the biases? /pmw1]

The second trend driving these scores is the arrival of technologies able to instantaneously crunch this data: exponentially more powerful computers and high-speed communications systems such as 5G, which lead to the scoring algorithms that use artificial intelligence to rate all of us in some way.

The result: automated decisions, based on each consumer’s unique score, that are, as a practical matter, irreversible.

Surveillance scoring bears a faint resemblance to credit scoring in the 1960s. In that pre-computer era, private investigators working for banks, retailers and insurance companies tailed consumers and scoured newspapers for information about arrests, promotions, sexual orientation, drinking habits and cleanliness to decide a consumer’s creditworthiness — until Congress established rules in the 1970s giving consumers the right to review and question their credit scores.

The tech industry insists that its every advance improves our lives. But that’s a myth. Surveillance scoring enables companies to cloak old-school discrimination in an aura of technological infallibility and wonder.

Consumers need a 21st-century solution to this emergent threat. Congress, awash in tech money, is mired in an outdated legal paradigm: “disclosure” of privacy policies and “consent” via a click. No one pretends that these industrial age contract law concepts will do anything to curb data larceny, let alone regulate or bar secret surveillance scores.


Subject: Information Technology: Federal Agencies and OMB Need to Continue to Improve Management and Cybersecurity
Source: GAO
https://www.gao.gov/products/GAO-20-691T

The federal government has spent billions on information technology projects that have failed or performed poorly. Some agencies have had massive cybersecurity failures. These IT efforts often suffered from ineffective management.

We testified about 2 issues on our High Risk List: 1) IT acquisitions and operations management and 2) cybersecurity.

Since 2010, agencies have implemented 64% of our 1,376 recommendations on IT acquisitions and operations, and 79% of our 3,409 recommendations on cybersecurity.

Much remains to be done. For example, most agencies have not assigned key IT responsibilities to the chief information officer, as required.


Subject: DOD, FBI, DHS release info on malware used in Chinese government-led hacking campaigns
Source: CyberScoop via beSpacific
https://www.bespacific.com/dod-fbi-dhs-release-info-on-malware-used-in-chinese-government-led-hacking-campaigns/

CyberScoop: “The U.S. government publicly put forth information Monday that exposed malware used in Chinese government hacking efforts for more than a decade. The Chinese government has been using malware, referred to as Taidoor, to target government agencies, entities in the private sector, and think tanks since 2008, according to a joint announcement from the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, the Department of Defense, and the FBI. The Chinese Communist Party has been using the malware, in conjunction with proxy servers, ‘to maintain a presence on victim networks and to further network exploitation,’ according to the U.S. government’s malware analysis report (MAR). In particular, Taidoor has been used to target government and private sector organizations that have a focus on Taiwan, according to previous FireEye analysis. It is typically distributed to victims through spearphishing emails that contain malicious attachments. U.S. Cyber Command, the DOD’s offensive cyber unit, has also shared samples of Taidoor through malware-sharing platform VirusTotal so information security professionals can further examine it…”



Subject: Ransomware: Your biggest security headache refuses to go away
Source: ZDNet via beSpacific
https://www.bespacific.com/ransomware-your-biggest-security-headache-refuses-to-go-away/

ZDNet – “Ransomware has been around for more than three decades, so it’s hardly an unexpected threat. And yet, organisations large and small are still being taken completely by surprise by the file-encrypting malware, leaving them to decide between rebuilding many of their computer systems from scratch to rid themselves of the ransomware or paying up to the crooks in the hope that they will hand over the encryption keys. So why aren’t we learning the lessons from all the companies that have already been hit by ransomware over the years? Here are a few reasons…”


Subject: This Tool Could Protect Your Photos From Facial Recognition
Source: NYT via beSpacific
https://www.bespacific.com/this-tool-could-protect-your-photos-from-facial-recognition/

The New York Times – Researchers at the University of Chicago want you to be able to post selfies without worrying that the next Clearview AI will use them to identify you. “…A start-up called Clearview AI…scraped billions of online photos to build a tool for the police that could lead them from a face to a Facebook account, revealing a person’s identity. Now researchers are trying to foil those systems. A team of computer engineers at the University of Chicago has developed a tool that disguises photos with pixel-level changes that confuse facial recognition systems. Named Fawkes in honor of the Guy Fawkes mask favored by protesters worldwide, the software was made available to developers on the researchers’ website last month. After being discovered by Hacker News, it has been downloaded more than 50,000 times. The researchers are working on a free app version for noncoders, which they hope to make available soon…”


Subject: Lawsuit claims TikTok steals kids’ data and sends it to China
Source: NPR via WHYY
https://whyy.org/npr_story_post/class-action-lawsuit-claims-tiktok-steals-kids-data-and-sends-it-to-china/

Dozens of families are suing TikTok in what has turned into a major legal action in federal court. More than 70 minors, through their parents, are alleging that the video-sharing app collects information about their facial characteristics, locations and close contacts, and quietly sends that data to servers in China.

Twenty separate but similar federal lawsuits were filed over the past year on behalf of TikTok users in California, where the company has offices, and Illinois, which requires that technology companies receive written consent before collecting data on a person’s identity.

The Illinois law, known as the Biometric Information Privacy Act, “has been striking fear in the heart of many companies in the United States for fear that claims like this will be brought,” said Leslie Weaver, one of the 33 plaintiffs’ lawyers involved in the litigation against TikTok.

Lawyers for TikTok say the app is not capturing users’ biometric information, nor sending any data to China. But TikTok’s legal team also argues that the company can transfer data to Beijing, if it so chooses, without breaking any laws.


Subject: NSA Releases Guidance on Limiting Location Data Exposure
Source: NSA via CISA
https://us-cert.cisa.gov/ncas/current-activity/2020/08/06/nsa-releases-guidance-limiting-location-data-exposure

The National Security Agency (NSA) has released an information sheet with guidance on how to limit location data exposure for National Security System (NSS) / Department of Defense (DoD) system users, as well as the general public. NSA outlines mobile device geolocation services and provides recommendations on how to prevent the exposure of sensitive location information and reduce the amount of location data shared.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages administrators and users to review NSA’s guidance on Limiting Location Data Exposure and CISA’s Security Tip on Privacy and Mobile Device Apps for information on protecting mobile location data.


Subject: VPN security alert: 900 servers hit by huge data breach
Source: Tom’s Guide
https://www.tomsguide.com/news/usernames-and-passwords-for-900-vpn-servers-posted-online-in-big-data-breach

[thx Dale] A cyber crook has posted the IP addresses of over 900 VPN enterprise servers online, as well as plaintext usernames and user-access passwords, plus user session cookies, administrator details and private encryption keys.

The hacker posted a link to a plaintext list containing the stolen data to a Russian-language cybercrime forum. Each of the breached corporate VPNs was running an unpatched version of Pulse Secure VPN software as recently as a month ago.

Trove of data: Pulse Secure issued a fix for this flaw in April 2019, but exploits of the flaw began appearing in August 2019, a year ago.

According to ZDNet, the list contains data concerning enterprise users of Pulse Secure VPN, such as IP addresses, firmware versions of individual servers, SSH keys, details of local users, their password hashes, cookies for different VPN sessions and observed remote logins to the servers, the usernames and passwords for which are in plaintext.



Subject: Getting unordered seeds and stuff in the mail?
Source: FTC Consumer Information
https://www.consumer.ftc.gov/blog/2020/08/getting-unordered-seeds-and-stuff-mail

Those mysterious seeds from China have been in the headlines, but we’re also hearing about other stuff that people are getting that looks connected to the seed mystery. There could be a few things going on, so let’s start unraveling the Great Unwanted Goods Mystery of 2020.

First, DON’T PLANT MYSTERY SEEDS. And don’t throw them away. Instead, follow the USDA’s advice on what to do.

Did you order something and get seeds or other junk instead? If that’s you, dispute the charges for the thing you didn’t get. We hear that some sellers might be sending stuff so they can show payment companies the tracking numbers to prove they delivered something to you.
