Pete Recommends – Weekly highlights on cyber security issues, December 20, 2020

Subject: Vaccinated? Show Us Your App
Source: The New York Times

…But now, just as the United States is preparing to distribute the first vaccines for the virus, the entry ticket to the nation’s reopening is set to come largely in the form of a digital health credential.

In the coming weeks, major airlines including United, JetBlue and Lufthansa plan to introduce a health passport app, called CommonPass, that aims to verify passengers’ virus test results — and soon, vaccinations. The app will then issue confirmation codes enabling passengers to board certain international flights. It is just the start of a push for digital Covid-19 credentials that could soon be embraced by employers, schools, summer camps and entertainment venues.

The advent of electronic vaccination credentials could have a profound effect on efforts to control the coronavirus and restore the economy. They could prompt more employers and college campuses to reopen. They may also give some consumers peace of mind, developers say, by creating an easy way for movie theaters, cruise ships and sports arenas to admit only those with documented coronavirus vaccinations.

“Protecting public health has historically been used as a proxy for discrimination,” said Professor Michele Goodwin, a law professor who directs the Center for Biotechnology and Global Health Policy at the University of California, Irvine. “That is the real concern — the potential to use these apps as proxies for keeping certain people away and out.”

She added that tech developers often rush to deploy and scale innovations before governments have the chance to test and regulate them.

Clear, a security company that uses biometric technology to confirm people’s identities at airports and elsewhere, is already operating a Covid app. Called Health Pass, the app has been adopted by some professional sports teams and insurers, where employees may use it to confirm their coronavirus test results. Once vaccines become available, the company said, the app will be able to check users’ immunizations as well.


Subject: U.S. treasury hacked by foreign government group – report | Hacking
Source: The Guardian [posted Sunday, 13 Dec: h/t Sabrina]

Hackers backed by a foreign government have been monitoring internal email traffic at the US treasury department and an agency that decides internet and telecommunications policy, according to people familiar with the matter.

“The United States government is aware of these reports and we are taking all necessary steps to identify and remedy any possible issues related to this situation,” said national security council spokesman John Ullyot.

There is concern within the US intelligence community that the hackers who targeted the treasury department and the commerce department’s national telecommunications and information administration used a similar tool to break into other government agencies, according to three people briefed on the matter. The people did not say which other agencies.

The hack is so serious it led to a national security council meeting at the White House on Saturday, said one of the people familiar with the matter. The hack involves the NTIA’s office software, Microsoft’s Office 365. Staff emails at the agency were monitored by the hackers for months, sources said.


Subject: 6 Privacy-Focused Alternatives to Maps, Messaging, Search, and More
Source: WIRED

Most of us are so used to the apps we rely on, it’s easy to stop thinking about how they work and what they do with our data. Most free services make their money from ads, and that means collecting data about our likes, our online activities, and our app usage.

There are better options: apps that will keep your data safe from unwelcome visitors and eager advertisers. And they might fit into your daily routine more easily than you expect.

Of course, Apple and Google take different approaches to user privacy—Apple makes money by selling hardware, whereas Google makes money selling ads, and that requires a lot of data collection and profiling. Even though Google promises to keep your actual personal data private, it does sell ads against the profile it creates.

By comparison, a lot of Apple’s apps are already fairly well locked down from a privacy standpoint: Safari, Mail, Apple Maps, and so on. However, we’ve avoided both Apple and Google in this rundown to give you options across multiple devices and platforms.


Subject: Facebook ‘Secretly’ Tracks Your iPhone Location—This Is How To Stop It
Source: Forbes

Facebook has a data addiction—it can’t help itself. The social media giant’s entire business model is built around collecting, processing and then monetizing our personal information. Facebook seemingly can’t contemplate user information that crosses its path which it doesn’t harvest and add to its data vault. And while its privacy settings are materially better than they were, there remain frightening gaps.

Much of this has been exposed by the ongoing battle between Facebook and Apple over the privacy of iPhone users—cutting access to tracking IDs and the location data limitations introduced with iOS 14. But there are still those gaps. If you tell Facebook not to collect location information from your iPhone, then it doesn’t, right? Wrong.

I’ve warned on the risks of image metadata before. When you take a photo with your iPhone, data is embedded in the image file. Much of this EXIF (Exchangeable Image File) metadata is technical, relating to the camera and the photograph settings, but EXIF also includes the date and time the photo was taken, the phone model, “iPhone 12 Pro Max,” for example, the version of iOS and, critically, the precise location.

Perhaps given the focus on location tracking and privacy in iOS 14, Apple needs to add EXIF management to a future release, giving us full control of what data is shared and taking the opportunity for another swipe at Facebook’s invasive practices.


Subject: Microsoft: New malware can infect over 30K Windows PCs a day
Source: Bleeping Computer

Microsoft has warned of an ongoing campaign pushing a new browser hijacking and credential-stealing malware dubbed Adrozek which, at its peak, was able to take over more than 30,000 devices every day. On compromised computers, Adrozek injects ads into search engine results pages and it can hijack Microsoft Edge, Google Chrome, Yandex Browser, and Mozilla Firefox.

The malware uses malicious scripts downloaded from servers controlled by its operators to inject ads after altering the hijacked web browser’s settings and components. “End users who find this threat on their devices are advised to re-install their browsers,” the Microsoft 365 Defender Research Team said.

“If not detected and blocked, Adrozek adds browser extensions, modifies a specific DLL per target browser, and changes browser settings to insert additional, unauthorized ads into web pages, often on top of legitimate ads from search engines.”


Subject: U.S. Schools Are Buying Phone-Hacking Tech That the FBI Uses to Investigate Terrorists
Source: Gizmodo via beSpacific

Gizmodo: “In May 2016, a student enrolled in a high-school in Shelbyville, Texas, consented to having his phone searched by one of the district’s school resource officers. Looking for evidence of a romantic relationship between the student and a teacher, the officer plugged the phone into a Cellebrite UFED to recover deleted messages from the phone. According to the arrest affidavit, investigators discovered the student and teacher frequently messaged each other, “I love you.” Two days later, the teacher was booked into the county jail for sexual assault of a child. The Cellebrite used to gather evidence in that case was owned and operated by the Shelby County Sheriff’s Office.

But these invasive phone-cracking tools are not only being purchased by police departments. Public documents reviewed by Gizmodo indicate that school districts have been quietly purchasing these surveillance tools of their own for years…While companies like Cellebrite have partnered with federal and local police for years, that the controversial equipment is also available for school district employees to search students’ personal devices has gone relatively unnoticed—and serves as a frightening reminder of how technology originally developed for use by the military or intelligence services, ranging from blast-armored trucks designed for use in war zones to invasive surveillance tools, keeps trickling down to domestic police and even the institutions where our kids go to learn…”


Subject: Don’t Use US-Based Virtual Private Networks
Source: Your IT Consultant

We’ve said it many times in our security presentations. Not all VPNs are created equal. It’s not just about whether there are vulnerabilities or whether the VPN is fast at processing data. One of the reasons you select a particular VPN is privacy. CNET recommends that you look to a provider based in a different country if privacy is a primary focus. It really doesn’t matter how strong the encryption is. The issue is whether the company will hand over your information if requested by the government. There are specific examples cited in the CNET post.


Subject: That Social Media Meme Might Be a Security Risk
Source: lifehacker

This should be common sense at this point, but the fact that they continue to trend on social media suggests plenty of people need the reminder: Stop participating in those weird memes that ask you to provide seemingly innocuous personal information (your full name + the street you grew up on + your first car, etc.) in order to generate your stripper name, or your porn star name, or your witness protection name. Not only does no one actually care, but these “fun” little internet time-wasters pose a big security risk.

As for why, it should be obvious. A number of these quizzes or silly internet chain messages ask the same sorts of account-recovery questions you’d encounter when attempting to log in to a secure online account. I can’t count the number of times I’ve seen an app or service ask for the “street you grew up on,” “the city you were born in,” “childhood elementary school,” or other similar questions as part of its account-recovery mechanism.

Yes, this would require an attacker to know something about your accounts already—such as the email you use for a particular service—and also track you down on social media to see if you’ve answered questions like these. Still, automating a tool for doing that doesn’t seem out of the question. If you’re posting this kind of information publicly, you’re only putting yourself at risk.


Subject: After news of SolarWinds breach, Capitol Hill turns attention to CISA
Source: FedScoop

Cyber-savvy members of Congress were just beginning to respond, as of Tuesday morning [December 15, 2020], to news of breaches of at least three federal agencies’ networks by foreign hackers, but the early reaction from Capitol Hill focused on supporting the Cybersecurity and Infrastructure Security Agency to do more work to protect the government.

Sen. Angus King, D-Maine, offered one of the more nuanced early responses in advocating that CISA should get expanded authority to hunt for threats on the .gov network.

CISA gave agencies using SolarWinds products until noon Monday to review their networks and disconnect or power down the company’s vulnerable Orion software, but now its cyber protection teams must begin the daunting task of rooting out malware and restoring compromised security.

“This is going to continue,” King said in a statement. “[Vladimir] Putin can hire 8,000 hackers for the price of one jet fighter, and this is a way that he can attack this country and do relative damage at a very low cost.”

“As we learned in the NotPetya attacks, software supply chain attacks of this nature can have devastating and wide-ranging effects — whether it’s via niche Ukrainian tax software or, as here, network management tools relied upon by some of the world’s largest companies,” said Sen. Mark Warner, D-Va, vice chairman of the Intelligence Committee, in a statement. “As we gather more information on the impact and goals of these malign efforts, we should make clear that there will be consequences for any broader impact on private networks, critical infrastructure or other sensitive sectors.”

A public assessment of SolarWinds’ full federal footprint remains difficult, however, in part because 48 different resellers were awarded some of the 204 known federal contracts for Orion products since

Subject: Can people be identified from drone videos?
Source: GCN

As a result, IARPA said it wants to apply the advances in facial recognition to identifying other aspects of a human form — such as shape, gait or measurement — to determine the “universal, unique and permanent” WB biometric signals that can be used for verification, recognition or identification. The Biometric Recognition and Identification at Altitude and Range (BRIAR) is asking researchers to develop algorithms that can perform biometric identification of people in visible-band video captured under challenging range, atmospheric and view conditions.


Subject: Tom Bossert, ex-DHS adviser under Trump, calls for urgent action to address suspected Russian cyberattack
Source: CNNPolitics

Washington (CNN) – President Donald Trump’s former homeland security adviser described the massive data breach of multiple US federal agencies, which US officials suspect is the work of Russian-linked hackers, in urgent terms Wednesday night, calling for immediate and decisive action by the President.

“The magnitude of this ongoing attack is hard to overstate,” Tom Bossert, who headed the administration’s cybersecurity efforts, including its response to Russian interference in the 2016 election before he was pushed out in April 2018, wrote in a New York Times op-ed. He added that it will “take years to know for certain which networks the Russians control and which ones they just occupy.”

“The remediation effort alone will be staggering,” he writes, adding that “entire new networks need to be built — and isolated from compromised networks.”

US officials are grappling with the widespread cyberattack after the cybersecurity firm FireEye and the software company SolarWinds, used by a number of federal civilian agencies for network management, recently confirmed that their systems were compromised.

Subject: All the privacy apps you should have downloaded in 2020
Source: Mashable via beSpacific

In case there were any lingering doubts, 2020 swooped in hard to remind us all that life is now mediated through devices. The ongoing pandemic, the murder of George Floyd and the resulting Black Lives Matter protests, and the still-in-progress attempt to overturn the will of the American people: We’ve navigated these public health and political upheavals, with varying degrees of success, through screens.

But simply because we’re more dependent on phones now than in years past doesn’t mean the contents of that digital-forward life are anyone’s business besides the person who’s living it. Thankfully, there are apps to help ensure that what should be private stays that way.

From messaging to web browsing to email, to open-source camera apps that watch for overzealous authorities pawing through your stuff, phones have the potential to be more than just surveillance-enabling tools.

Below is a list of apps that you should have downloaded in 2020. Your privacy doesn’t need to be another casualty of a brutal year. These apps will help you protect it.
