Pete Recommends – Weekly highlights on cyber security issues, December 12, 2020

Subject: IRS Rolls Out Identity Protection PIN for All Tax Filers
Source: Gizmodo

In a statement, the IRS said that it will open its Identity Protection PIN Opt-In Program to anyone who’d like to apply. Previously, the program was only available to taxpayers who’d been victims of tax fraud or identity theft in the past. The PIN is just a six-digit code that’s used to prevent others from trying to file a tax claim with your Social Security number. It’s like a Social Security number for your Social Security number, woohoo!

Unfortunately, it’s not as simple as just asking for a number and writing it down. You’ll first have to make it through the authentication process and provide a bunch of personal info. If something gets screwed up in that process, there are options to complete the authentication by mail, fax, or appointment. (Details are here.)

Once you’ve made it through the application, you should be given a PIN number for authenticating the use of your Social Security number through your mobile phone. The number will only be valid for one fiscal year.

Subject: Best practices for securing teleworkers
Source: GCN
When the U.S. government rapidly transitioned to telework earlier this year, mobile devices and BYOD policies played a significant role in easing that transition. The very same devices that made productivity easier away from the office, however, introduced new cybersecurity risks.

Government cybersecurity authorities recognize the challenges telework poses and have offered recommendations and tips to support the shift. In October, the Cybersecurity and Infrastructure Security Agency (CISA) released its Telework Essentials Toolkit that detailed best practices for executive leaders, IT professionals and teleworkers to stay secure while working from home.

As agencies extend teleworking, they must think about the devices their workers use the most — tablets and smartphones. These tools enhance employees’ ability to stay productive, but they also become potential entryways for cyberattackers to compromise an agency’s infrastructure. To ensure the agency is secure, IT leaders must make sure workers understand mobile devices’ unique risks. Additionally, they should also extend zero-trust architecture to include a modern endpoint security solution.

Subject: DOD eyes blockchain for medical use cases
Source: GCN

With the security of the medical supply chain top of mind now that COVID-19 vaccines are on the verge of delivery, the military is taking a closer look at the opportunities blockchain provides — not only to improve logistics and secure supply chain operations, but also to authenticate the identities of health care workers and facilitate rapid decision-making.

Distributed ledger technology could facilitate multifactor authentication, ensuring that the people entering data into the system are who they say they are – that they have the proper medical credentials and are authorized to access equipment and patient data, said Dr. Bruce Doll, assistant vice president for technology research and innovation at the Uniformed Services University, the government’s health academy supporting the military. Speaking at FCW’s Dec. 2 Health IT workshop, Doll said blockchain could also help protect the privacy of medical records and speed delivery and acceptance of orders or decisions because the need to evaluate the source of the directive would be eliminated.

Subject: A Broken Piece of Internet Backbone Might Finally Get Fixed
Source: WIRED

This spring, services from heavy hitters like Google and Facebook seemed glitchy or inaccessible for people worldwide for more than an hour. But it wasn’t a hack, or even a glitch at any one organization. It was the latest mishap to stem from design weaknesses in the “Border Gateway Protocol,” the internet’s foundational, universal routing system. Now, after years of slow progress implementing improvements and safeguards, a coalition of internet infrastructure partners is finally turning a corner in its fight to make BGP more secure.

Today the group known as Mutually Agreed Norms for Routing Security is announcing a task force specifically dedicated to helping “content delivery networks” and other cloud services adopt the filters and cryptographic checks needed to harden BGP. In some ways the step is incremental, given that MANRS has already formed task forces for network operators and what are known as “internet exchange points,” the physical hardware infrastructure where internet service providers and CDNs hand off data to each other’s networks. But that process coming to the cloud represents tangible progress that has been elusive up until now.


Subject: Google Search too powerful
Source: The Risks Digest

Google Search too powerful – Dan Jacobson <[email protected]> – Sat, 21 Nov 2020 13:48:01 +0800

Customer: “Yes you do sell vegan pizza. It’s right there on your web page!” Staff: “We are not responsible for pages you find on our website that are no longer linked from our homepage. No matter if you used Google to find them, or other nefarious means.”

Subject: Never click on this kind of Zoom invite. You’ll thank us forever
Source: FastCompany via beSpacific

Fast Company: “…According to the IT security company Check Point Software Technologies, 16,004 Zoom-related domains were registered between late April and today. Con artists are impersonating Microsoft Teams and Google Meet, too. “For people who are in this business of doing phishing schemes, it becomes the scam du jour. What’s popular now? How can I capitalize on something that’s in people’s minds, that they use?” explains Edgar Dworsky, founder of the consumer education website Consumer World. “The timeliness and popularity is something they look for.” The videoconferencing platform, after all, has seen its number of daily meeting participants zoom upward to 350 million. Even successfully conning 1% of Zoomers would be lucrative… Getting a message from the videoconferencing platform makes sense when so much of socializing and business happens there every day. That’s the open door for phishing scams….

Subject: Theft of FireEye Red Team Tools
Source: CISA

FireEye has released a blog addressing unauthorized access to their Red Team’s tools by a highly sophisticated threat actor. Red Team tools are often used by cybersecurity organizations to evaluate the security posture of enterprise systems. Although the Cybersecurity and Infrastructure Security Agency (CISA) has not received reporting of these tools being maliciously used to date, unauthorized third-party users could abuse these tools to take control of targeted systems. The exposed tools do not contain zero-day exploits.

CISA recommends cybersecurity practitioners review FireEye’s two blog posts for more information and FireEye’s GitHub repository for detection countermeasures:

FireEye’s GitHub repository: Red Team Tool Countermeasures

Subject: Cloudflare And Apple’s New ‘Oblivious’ Protocol Could Mean an End to Snooping Telecos
Source: Gizmodo

Today, the security company and network Cloudflare announced a plan to stop your internet service provider from creeping on your web activity. Co-developed by engineers at Apple and Fastly, the Oblivious DNS-over-HTTPS (ODoH) standard works to decouple your IP address from your queries. ODoH is billed as an improvement to the domain name system (DNS)—the process in web browsing that’s roughly analogous to your looking up a name in the phone book and retrieving that person’s number. When you type Google’s address into an address bar, DNS is what translates that into Google’s IP address. By default, the DNS resolver is typically owned by your internet service provider, such as Comcast or Verizon or AT&T. The plan with ODoH is to insert one more step between the user and the DNS resolver. If you’re wondering why ODoH is “oblivious,” it’s because this additional step—a proxy—keeps the IP address of the user’s machine hidden from the resolver.

We don’t really know to what extent service providers use query information, but one known application is advertising. (AT&T, for example, says that it may collect information like your age and gender and combine that with your use of their services to deliver ads.) Thanks to a bill Trump signed into law, ISPs don’t need your permission to track and sell that data, either. Although several ISPs have vowed to provide an opt-out option, that’s usually buried under a mountain of jargon. As the Electronic Frontier Foundation has pointed out, some adtech companies admit that they collect data from unnamed telecoms. Perhaps that makes you uncomfortable, in which case you’re one of the groups of people who might relish ODoH in the near future.
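The three-party exchange described above, as an added example (not Cloudflare’s, Apple’s or the ODoH spec’s code): the client encrypts its question for the resolver, the proxy relays it without holding the key, and each party’s log shows what it alone could learn. The SHA-256 XOR keystream is a constructed, insecure stand-in for ODoH’s HPKE encryption, the shared `secret` stands in for the target’s public key, and all IP addresses and names are constructed.

```python
import hashlib
import os
from dataclasses import dataclass, field

def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Constructed stand-in for ODoH's HPKE layer (NOT secure, illustration only):
    XOR the data with a keystream of SHA-256(key || nonce || counter) blocks."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))

@dataclass
class Resolver:
    """ODoH target: holds the key, answers queries, logs only what it can see."""
    secret: bytes                      # stands in for the target's HPKE key pair
    zone: dict                         # constructed answers: name -> IP address
    log: list = field(default_factory=list)

    def handle(self, peer_ip: str, nonce: bytes, blob: bytes) -> bytes:
        name = _xor_stream(self.secret, nonce, blob).decode()
        self.log.append((peer_ip, name))  # learns the name; peer_ip is the proxy's
        answer = self.zone.get(name, "NXDOMAIN").encode()
        return _xor_stream(self.secret, nonce, answer)

@dataclass
class Proxy:
    """ODoH proxy: relays opaque blobs between client and target; has no key."""
    ip: str
    log: list = field(default_factory=list)

    def forward(self, client_ip: str, target: Resolver, nonce: bytes, blob: bytes) -> bytes:
        self.log.append((client_ip, blob))  # learns who asked, not what was asked
        return target.handle(self.ip, nonce, blob)

def odoh_query(client_ip: str, name: str, proxy: Proxy, target: Resolver) -> str:
    """Client: encrypt the question for the target, send via the proxy, decrypt the reply."""
    nonce = os.urandom(12)
    blob = _xor_stream(target.secret, nonce, name.encode())
    reply = proxy.forward(client_ip, target, nonce, blob)
    return _xor_stream(target.secret, nonce, reply).decode()

def linkable(proxy: Proxy, target: Resolver) -> bool:
    """True if the resolver's log pairs any client IP seen by the proxy with a name."""
    client_ips = {ip for ip, _ in proxy.log}
    return any(ip in client_ips for ip, _ in target.log)
```

The privacy property holds only while the proxy and the resolver are run by different, non-colluding parties; if one operator held both logs, the two could be joined by timing.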

Subject: National Cyber Security Centre Cyber Awareness Campaign
Source: NCSC via CISA

The United Kingdom (UK) National Cyber Security Centre (NCSC) has launched a new cyber security campaign encouraging the public to adopt six behaviors to stay safe online. The six Cyber Aware behaviors recommended by the NCSC are:

  1. Use a separate password for your email
  2. Create strong passwords using three random words
  3. Save your passwords in your browser
  4. Turn on multi-factor authentication
  5. Update your devices
  6. Back up your data

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the official NCSC website as well as CISA’s Tips page for more information and additional resources.

Subject: Brave browser-maker launches privacy-friendly news reader
Source: Ars Technica via beSpacific

Ars Technica – By design, Brave Today doesn’t let the company or third parties build user profiles – “Brave Software, maker of the Brave Web browser, is introducing a news reader that’s designed to protect user privacy by preventing parties—both internal and third party—from tracking the sites, articles, and story topics people view. Brave Today, as the service is called, is using technology that the company says sets it apart from news services offered by Google and Facebook. It’s designed to deliver personalized news feeds in a way that leaves no trail for Brave, ISPs, and third parties to track. The new service is part of Brave’s strategy of differentiating its browser as more privacy-friendly than its competitors’…”

From Brave Today:

The Brave Today news reader ranks stories locally for the user from hundreds of popular RSS feeds using an algorithm that weighs several factors, including the user’s browser history and article published date. This stream is designed to help people discover interesting new content throughout the day while respecting the user’s privacy.

By using Brave’s new private CDN to deliver RSS feeds to the browser anonymously, there is no data trail available for third parties to collect or track. This makes Brave Today a unique news reading experience when compared to other apps and platforms that track users’ reading activities. Nobody can track the content that Brave users are reading, including Brave itself.

The news reader renders content in a stream of cards, and users can customize it by simply adding or removing sources and categories of content. Users will also be able to manually add their favorite RSS feeds in an upcoming release, making Brave Today a fully extensible news reader.

Brave Today’s 15 categories of content are: Top News, Business, Cars, Crypto, Culture, Entertainment, Fashion, Food, Fun, Health, Home, Science, Sports, Technology, Travel, plus content from Brave and Brave Partners.
