Pete Recommends – Weekly highlights on cyber security issues, September 26, 2020

Subject: FinCEN Files Show How Criminals Use Big-Name Banks To Manage Global Financial Corruption | beSpacific
Source: BuzzFeedNews

BuzzFeedNews: “A huge trove of secret government documents reveals for the first time how the giants of Western banking move trillions of dollars in suspicious transactions, enriching themselves and their shareholders while facilitating the work of terrorists, kleptocrats, and drug kingpins. And the US government, despite its vast powers, fails to stop it. Today, the FinCEN Files — thousands of “suspicious activity reports” and other US government documents — offer an unprecedented view of global financial corruption, the banks enabling it, and the government agencies that watch as it flourishes. BuzzFeed News has shared these reports with the International Consortium of Investigative Journalists and more than 100 news organizations in 88 countries.

These documents, compiled by banks, shared with the government, but kept from public view, expose the hollowness of banking safeguards, and the ease with which criminals have exploited them. Profits from deadly drug wars, fortunes embezzled from developing countries, and hard-earned savings stolen in a Ponzi scheme were all allowed to flow into and out of these financial institutions, despite warnings from the banks’ own employees. Money laundering is a crime that makes other crimes possible. It can accelerate economic inequality, drain public funds, undermine democracy, and destabilize nations — and the banks play a key role. “Some of these people in those crisp white shirts in their sharp suits are feeding off the tragedy of people dying all over the world,” said Martin Woods, a former suspicious transactions investigator for Wachovia. Laws that were meant to stop financial crime have instead allowed it to flourish. So long as a bank files a notice that it may be facilitating criminal activity, it all but immunizes itself and its executives from criminal prosecution. The suspicious activity alert effectively gives them a free pass to keep moving the money and collecting the fees…”

Subject: The Need for Unified Data Protection in the U.S.
Source: Nextgov

Innovative businesses should be fighting to get federal privacy legislation to get the most out of data while simultaneously protecting customer information. Consumer data in the United States is protected by a scattershot of local laws that are inconsistently enforced. The U.S. is also the only country in the Organisation for Economic Co-operation and Development (OECD) that does not have a data protection agency. This needs to change.

Centralizing data privacy lawmaking and enforcement at the federal level would provide far more stability than the current fractured approach of states and other localities making their own laws and using their own enforcement mechanisms. A national data protection act, or DPA, is important not just for the consumers, but also for companies who handle data and are responsible for implementing compliance controls. With a coherent national approach developed with input from all industry players and consumer and privacy groups, companies will be able to better understand their obligations and related enforcement, and therefore will be able to more effectively and efficiently protect their customers’ data.

Above all else, the most important thing for the legislative branches and companies to do at this point is to engage in open dialogue. A single federal data protection act, rather than a jumble of state policies, will ensure consumer data privacy while allowing strong US innovation. Legislation needs to be drafted with consideration of the complex nature of modern business and technology and the needs of individuals. This will provide more certainty to both consumers and companies striving to protect those consumers’ data.

Subject: Cyber Diplomacy: State Has Not Involved Relevant Federal Agencies in the Development of Its Plan to Establish the Cyberspace Security and Emerging Technologies Bureau
Source: U.S. GAO

The U.S. and its allies face expanding foreign cyber threats as international trade, communication, and critical infrastructure grow increasingly dependent on cyberspace. In 2019, the State Department said it would establish a Bureau of Cyberspace Security and Emerging Technologies to focus on the issue. State works with other federal agencies on international cyber issues. However, it has not informed or involved these partners in planning the new bureau, which increases the risks of duplicating efforts and more.

We recommended that State involve federal agencies that contribute to cyber diplomacy in planning its new bureau.

Subject: Cybercrime and the Law: Computer Fraud and Abuse Act and the 116th Congress
Source: CRS report via LC via beSpacific

CRS report via LC – Cybercrime and the Law: Computer Fraud and Abuse Act (CFAA) and the 116th Congress, September 21, 2020: “…Since the original enactment of the CFAA in 1984, technology and the human relationship to it have continued to evolve. Although Congress has amended the CFAA on numerous occasions to respond to new conditions, the rapid pace of technological advancement continues to present novel legal issues under the statute. For example, with increasing computerization has come a corresponding proliferation of Terms of Service (ToS) agreements—contractual restrictions on computer use. But federal courts disagree on whether the CFAA imposes criminal liability for ToS violations, and the United States Supreme Court is currently considering a case on this issue. Another technological development that has created tension under the CFAA is the rise of botnets, which are networks of compromised computers often used by cyber criminals. Although the CFAA prohibits creating botnets and using them to commit certain crimes, it is unclear if selling or renting a botnet violates the statute—a potential concern given that botnet access is often rented from botnet brokers. On a more basic level, another change that has prompted some reexamination of the CFAA is the seemingly growing frequency of computer crime. Some contend that the prevalence and perniciousness of hacking requires private actors to defend themselves by hacking back—that is, initiating some level of intrusion into the computer of the initial attacker. The same provisions of the CFAA that prohibit hacking ostensibly also make it a crime to hack back, which some legislation has sought to change…”

Subject: Unsecured Microsoft Bing Server Exposed Users’ Search Queries and Location
Source: The Hacker News

A back-end server associated with Microsoft Bing exposed sensitive data of the search engine’s mobile application users, including search queries, device details, and GPS coordinates, among others. The logging database, however, doesn’t include any personal details such as names or addresses. The data leak, discovered by Ata Hakcil of WizCase on September 12, 2020, is a massive 6.5TB cache of log files that was left accessible to anyone without a password, potentially allowing cybercriminals to leverage the information for carrying out extortion and phishing scams.

Subject: The RISKS Digest Volume 32 Issue 28 – Think Twice Before Using Facebook, Google, or Apple to Sign In Everywhere
Source: RISKS Digest via WiReD

Think Twice Before Using Facebook, Google, or Apple to Sign In Everywhere (Wired): So-called single sign-on options offer a lot of convenience. But they have downsides that a good old-fashioned password manager doesn’t.

No surprise here; I keep reminding people of this.

Subject: Synack: Federal agencies and banks have made the most cybersecurity improvements
Source: TechRepublic

The overall Attacker Resistance Score for the IT sector dropped this year due in part to digital transformation work, according to the 2020 Trust Report. Banks and federal government agencies are holding up the best against cyberattacks while retail and manufacturing are faltering, according to a new report from Synack.

The 2020 Trust Report from the penetration testing company found that government and financial services scored 15% and 11% higher, respectively, than all other industries in 2020. Government agencies earned the top spot due in part to reducing the time it takes to remediate vulnerabilities by 73%. The overall score for government agencies is 61 in the third annual report, up from 47 in 2019. The overall score for financial service companies was 59 this year, a two-point change from 2019.

E-commerce companies improved their security stance because organizations prioritized testing for new apps and quickly fixed problems, according to the report. Brick and mortar companies had a more difficult time switching to all-digital operations over the past six months, which is reflected in their lower score.

Subject: The High Privacy Cost of a “Free” Website
Source: The Markup via beSpacific

The Markup: “…An array of free website-building tools, many offered by ad-tech and ad-funded companies, has led to a dizzying number of trackers loading on users’ browsers, even when they visit sites where privacy would seem paramount, an investigation by The Markup has found. Some load without the website operators’ explicit knowledge—or disclosure to users. Website operators may agree to set cookies—small strings of text that identify you—from one outside company. But they are not always aware that the code setting those cookies can also load dozens of other trackers along with them, like nesting dolls, each collecting user data. To investigate the pervasiveness of online tracking, The Markup spent 18 months building a one-of-a-kind free public tool that can be used to inspect websites for potential privacy violations in real time. Blacklight reveals the trackers loading on any site—including methods created to thwart privacy-protection tools or watch your every scroll and click. We scanned more than 80,000 of the world’s most popular websites with Blacklight and found more than 5,000 were “fingerprinting” users, identifying them even if they block third-party cookies. We also found more than 12,000 websites loaded scripts that watch and record all user interactions on a page—including scrolls and mouse movements. It’s called “session recording” and we found a higher prevalence of it than researchers had documented before…”

Subject: CIA’s New Innovation Lab Could Mean Big Paydays for Federal Scientists
Source: Nextgov

With sights set on enticing and retaining top tech personnel—and invigorating its spot within the nation’s broader research, development and innovation-pushing landscape—the Central Intelligence Agency set up its first-ever federal lab. Officially unveiled Monday, CIA Labs is meant to be “a federal laboratory and in-house research and development arm for CIA to drive science and technology breakthroughs for tomorrow’s intelligence challenges,” according to the agency’s announcement.

Through it, federal insiders can steer multidisciplinary research and development, testing and engineering across a range of on-the-rise areas, including advanced manufacturing, artificial intelligence and machine learning, biotechnology, blockchain, augmented reality, high performance and quantum computing—and more. Part of the agency’s intent in launching the lab is to offer its workforce new opportunities to commercialize their creations.

“While CIA has long conducted research and development, the federal lab mechanism provides an established pathway for partnership with other labs and academia and grants unprecedented opportunities for CIA officers to obtain patents and licenses for their intellectual property,” CIA Spokesperson Nicole de Haay told Nextgov Wednesday…
