Pete Recommends – Weekly highlights on cyber security issues, January 23, 2021

Subject: CISA details attacks on cloud services
Source: GCN
https://gcn.com/articles/2021/01/15/cisa-warning-cloud.aspx

The Cybersecurity and Infrastructure Security Agency said it verified an incident where threat actors may have defeated multifactor authentication to log into an organization’s cloud services. They likely used a “pass-the-cookie” attack that uses stolen session cookies to authenticate to web applications and services, CISA said.

The news came in a Jan. 14 analysis report that described attacks on cloud services that exploit phishing, email forwarding vulnerabilities and brute-force attacks. The bad actors generally infiltrated organizations by exploiting poor cyber hygiene associated with remote employees using both corporate laptops and personal devices to access their organization’s cloud services.

Phishing emails containing malicious links aimed to harvest user credentials for cloud service accounts. Some of those emails included a link to what appeared to be a secure message, and others what looked like a legitimate file hosting account login. After gaining access, the threat actors then sent emails from the victim’s account to phish other accounts within the organization. In some cases, CISA said, these emails included links to documents that appeared to be on the organization’s network.
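One server-side control against the pass-the-cookie technique described above, as an added example (not code from CISA or GCN): a session is bound to the client context it was issued in and every request re-checks that binding. The fingerprint scheme, the TTL and the alert structure are assumptions.

```python
import hashlib
import hmac
import secrets
import time

# Added example, not from the CISA report or the GCN article. One server-side
# control against pass-the-cookie: each session is bound to the client context
# it was issued in (here a coarse IPv4 /24 plus the User-Agent) and every request
# re-checks that binding, so a stolen cookie replayed from another machine is
# refused, revoked and alerted on instead of silently accepted.

SESSION_TTL_SECONDS = 8 * 3600  # hypothetical policy value

def client_fingerprint(ip: str, user_agent: str) -> str:
    """Stable, coarse fingerprint: the /24 of the address plus the UA string."""
    prefix = ".".join(ip.split(".")[:3])
    return hashlib.sha256(f"{prefix}|{user_agent}".encode()).hexdigest()

class SessionStore:
    def __init__(self):
        self._sessions = {}  # session id -> {user, fp, issued}
        self.alerts = []     # (session id, user, reason) for the SOC

    def issue(self, user: str, ip: str, user_agent: str) -> str:
        """Called only after the full login (password + MFA) has succeeded."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {
            "user": user,
            "fp": client_fingerprint(ip, user_agent),
            "issued": time.time(),
        }
        return sid

    def validate(self, sid: str, ip: str, user_agent: str) -> bool:
        s = self._sessions.get(sid)
        if s is None:
            return False
        if time.time() - s["issued"] > SESSION_TTL_SECONDS:
            self._sessions.pop(sid, None)   # expired: force a fresh MFA login
            return False
        if not hmac.compare_digest(s["fp"], client_fingerprint(ip, user_agent)):
            # Same cookie, different client context: treat as possible cookie
            # theft. Revoke the session and alert rather than accept it.
            self.alerts.append((sid, s["user"], "session fingerprint mismatch"))
            self._sessions.pop(sid, None)
            return False
        return True
```

The /24 binding is a tuning choice: roaming clients (VPN, mobile) will trip it, so in practice a mismatch is usually handled by stepping up to a fresh MFA prompt rather than by revocation alone.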

Other articles: https://gcn.com/portals/cybersecurity.aspx


Subject: The risks of DDoS attacks for the public sector
Source: GCN
https://gcn.com/articles/2021/01/15/ddos-risks.aspx

Distributed denial of service cyberattacks have been around for decades, but they have become an even more acute problem in the last few years, especially to public institutions. Recent statistics suggest these types of attacks continue to increase in volume, as well as sophistication and severity. The number of DDoS attacks in 2020 is estimated by researchers at SecurityIntelligence to be 24% higher than in 2019.

A DDoS attack involves generating malformed or otherwise problematic network traffic that literally denies a particular “service” normally provided by a company. Services can include a specific website, an email server, an e-commerce system or any critical service essential for a government or nation, such as air traffic control. Attacks can even affect entire cloud service providers.

Types of DDoS attacks can include:

The consequences of DDoS attacks on public institutions

How are DDoS attacks conducted?

Organize a defense and set up a response plan

Regardless of the best practices agencies follow, it’s vital they practice their response plan as much as possible, using methods such as:


Subject: WhatsApp Postpones Its Controversial Policy Updates
Source: Gizmodo
https://gizmodo.com/after-failing-to-tweet-through-it-whatsapp-delays-priv-1846069593

After trying—and failing—to combat public outrage using a series of ostensibly well intentioned tweets, WhatsApp announced on Friday that it would postpone its plans to implement a spate of controversial changes to its privacy policy.

The original plan that WhatsApp haphazardly rolled out earlier this month stated that countless users would be required to agree to the new terms by February 8, or risk their account shutting down. Now, users have until May 15.

It’s unclear what WhatsApp is hoping will happen over the course of the next few months. Partially because WhatsApp ended up accidentally misrepresenting exactly what this update was actually updating, countless users were left under the impression that Facebook would be getting access to snoop through their WhatsApp chats (it won’t), or that WhatsApp would disclose your banking information to its parent company (again, no).


Subject: Windows 10 privacy software Privatezilla update brings analysis mode
Source: gHacks Tech News
https://www.ghacks.net/2021/01/16/windows-10-privacy-software-privatezilla-update-brings-analysis-mode/

A new version of the Windows 10 privacy tool Privatezilla has been released this week; the new version comes with an improved analysis feature that reveals configured and not configured settings when it is used.

Privatezilla is a portable tool that you can run right after you have downloaded and extracted the archive it is supplied in; an installation is not required. The program displays a list of available settings in a sidebar on the left.

You may select all or some of these — with some selected by default — and use the apply button to make the changes to the system.

Closing Words – Privatezilla is a popular Windows 10 tweak tool. The new feature improves it further, particularly for users who would like to get a list of tweaks that are already applied.



Subject: The Parler API was open without authentication. One or more third parties have done full downloads (Ars Technica)
Source: ARS via RISKS Digest
https://catless.ncl.ac.uk/Risks/32/45/#subj4.1

The Parler API was open without authentication. One or more third parties have done full downloads (Ars Technica) – “Bob Gezelter” <[email protected]> Tue, 12 Jan 2021.
It is important to design APIs so that they are reasonably secure. It is reported that the Parler API was open (e.g., did not require authentication). Furthermore, the geo-tagging inherent in JPEG was provided on public images. Reportedly, the entire contents of Parler’s database have been accessed by at least one third party.

I guess that the individuals who implemented Parler were not well-read on web security issues, and were not familiar with the OWASP guidance on the subject.

The full articles can be found at: https://arstechnica.com/information-technology/2021/01/parlers-amateur-coding-could-come-back-to-haunt-capitol-hill-rioters/
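The two defects Gezelter names (no authentication on the API, GPS metadata left in public images) are separate problems; the second has a mechanical fix at upload time. Added example, not code from the RISKS post, Ars Technica or Parler: a dependency-free JPEG/Exif walker that reports whether a file carries a GPS IFD and strips Exif segments before publication. The sample file it builds is constructed.

```python
import struct

# Added example, not code from the RISKS post or Ars Technica: a minimal JPEG/Exif
# walker that reports whether a JPEG carries a GPS IFD (Exif tag 0x8825 in IFD0) and
# strips all APP1 Exif segments before publishing. No image library needed.
GPS_IFD_TAG = 0x8825
EXIF_HEADER = b"Exif\x00\x00"

def segments(data: bytes):
    """Yield (marker, start, end) for each header segment before SOS/EOI."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 4 <= len(data) and data[pos] == 0xFF:
        marker = data[pos + 1]
        if marker in (0xD9, 0xDA):  # EOI or SOS: entropy-coded data follows
            break
        end = pos + 2 + struct.unpack(">H", data[pos + 2:pos + 4])[0]
        yield marker, pos, end
        pos = end

def has_gps_exif(data: bytes) -> bool:
    for marker, start, end in segments(data):
        if marker != 0xE1 or data[start + 4:start + 10] != EXIF_HEADER:
            continue
        tiff = data[start + 10:end]              # TIFF structure after "Exif\0\0"
        e = "<" if tiff[:2] == b"II" else ">"   # byte-order mark: II or MM
        ifd0 = struct.unpack(e + "I", tiff[4:8])[0]
        count = struct.unpack(e + "H", tiff[ifd0:ifd0 + 2])[0]
        for i in range(count):                   # 12-byte IFD entries, tag first
            off = ifd0 + 2 + 12 * i
            if struct.unpack(e + "H", tiff[off:off + 2])[0] == GPS_IFD_TAG:
                return True
    return False

def strip_exif(data: bytes) -> bytes:
    """Copy of the JPEG with every Exif APP1 segment dropped; all else kept."""
    out, last = bytearray(data[:2]), 2
    for marker, start, end in segments(data):
        if marker == 0xE1 and data[start + 4:start + 10] == EXIF_HEADER:
            out += data[last:start]
            last = end
    return bytes(out + data[last:])

def sample_geotagged_jpeg() -> bytes:
    """Constructed: SOI, one Exif APP1 whose IFD0 points at an (empty) GPS IFD, EOI."""
    ifd0 = struct.pack("<H", 1) + struct.pack("<HHII", GPS_IFD_TAG, 4, 1, 26) + struct.pack("<I", 0)
    gps_ifd = struct.pack("<HI", 0, 0)                      # lives at TIFF offset 26
    payload = EXIF_HEADER + b"II" + struct.pack("<HI", 42, 8) + ifd0 + gps_ifd
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(payload) + 2) + payload + b"\xff\xd9"
```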


Subject: The NSA warns enterprises to beware of third-party DNS resolvers
Source: Ars Technica
https://arstechnica.com/information-technology/2021/01/the-nsa-warns-enterprises-to-beware-of-third-party-dns-resolvers/

DNS over HTTPS is a new protocol that protects domain-lookup traffic from eavesdropping and manipulation by malicious parties. Rather than an end-user device communicating with a DNS server over a plaintext channel—as DNS has done for more than three decades—DoH, as DNS over HTTPS is known, encrypts requests and responses using the same encryption websites rely on to send and receive HTTPS traffic.

Using DoH or a similar protocol known as DoT—short for DNS over TLS—is a no brainer in 2021, since DNS traffic can be every bit as sensitive as any other data sent over the Internet. On Thursday, however, the National Security Agency said in some cases Fortune 500 companies, large government agencies, and other enterprise users are better off not using it. The reason: the same encryption that thwarts malicious third parties can hamper engineers’ efforts to secure their networks.

“DoH provides the benefit of encrypted DNS transactions, but it can also bring issues to enterprises, including a false sense of security, bypassing of DNS monitoring and protections, concerns for internal network configurations and information, and exploitation of upstream DNS traffic,” NSA officials wrote in published recommendations. “In some cases, individual client applications may enable DoH using external resolvers, causing some of these issues automatically.”
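Detection for the “bypassing of DNS monitoring” concern quoted above, as an added example (not from the NSA guidance or Ars Technica): it scans web-proxy log lines for RFC 8484-style DoH requests (the conventional /dns-query path with a POST or a `dns=` query parameter, or an `application/dns-message` content type) sent to any resolver other than the enterprise’s own. The log format, the host names and the allowlist are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Added example, not from the NSA guidance or the Ars Technica article.
# Detection logic for the "bypassing of DNS monitoring" concern: scan web-proxy
# log lines for DoH traffic (RFC 8484 shape: POST or GET with a dns= parameter
# to a /dns-query path, or an application/dns-message body) whose destination
# is not the enterprise's own resolver. Log format and host names are constructed.

ENTERPRISE_DOH_RESOLVERS = {"doh.corp.example"}  # hypothetical allowlist

# constructed proxy log format: time client method url status content_type
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) "
    r"(?P<status>\d{3}) (?P<ctype>\S+)$"
)

def looks_like_doh(method: str, url: str, ctype: str) -> bool:
    parts = urlsplit(url)
    if ctype == "application/dns-message":
        return True
    if parts.path.rstrip("/").endswith("/dns-query"):
        return method == "POST" or "dns=" in parts.query
    return False

def find_external_doh(log_lines):
    """Return (client, host) pairs for DoH requests to non-enterprise resolvers."""
    findings = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip, do not crash the sweep
        host = (urlsplit(m["url"]).hostname or "").lower()
        if looks_like_doh(m["method"], m["url"], m["ctype"]) and host not in ENTERPRISE_DOH_RESOLVERS:
            findings.append((m["client"], host))
    return findings

SAMPLE_LOG = [  # constructed lines; "-" means the content type was not logged
    "2021-01-14T10:22:03Z 10.1.4.27 POST https://doh.corp.example/dns-query 200 application/dns-message",
    "2021-01-14T10:22:09Z 10.1.4.27 POST https://public-doh.example.net/dns-query 200 application/dns-message",
    "2021-01-14T10:22:11Z 10.1.4.31 GET https://public-doh.example.net/dns-query?dns=AAABAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB 200 -",
    "2021-01-14T10:22:15Z 10.1.4.31 GET https://www.example.com/ 200 text/html",
]
```

Without TLS inspection a forward proxy sees only the destination host of a CONNECT, so the path and content-type rules degrade to a plain resolver-hostname allowlist.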


Subject: Lost Passwords Lock Millionaires Out of Their Bitcoin Fortunes
Source: The New York Times
https://www.nytimes.com/2021/01/12/technology/bitcoin-passwords-wallets-fortunes.html

Bitcoin owners are getting rich because the cryptocurrency has soared. But what happens when you can’t tap that wealth because you forgot the password to your digital wallet?

Stefan Thomas, a German-born programmer living in San Francisco, has two guesses left to figure out a password that is worth, as of this week, about $220 million.

The password will let him unlock a small hard drive, known as an IronKey, which contains the private keys to a digital wallet that holds 7,002 Bitcoin. While the price of Bitcoin dropped sharply on Monday, it is still up more than 50 percent from just a month ago, when it passed its previous all-time high of around $20,000.

But the cryptocurrency’s unusual nature has also meant that many people are locked out of their Bitcoin fortunes as a result of lost or forgotten keys. They have been forced to watch, helpless, as the price has risen and fallen sharply, unable to cash in on their digital wealth.

Of the existing 18.5 million Bitcoin, around 20 percent — currently worth around $140 billion — appear to be in lost or otherwise stranded wallets, according to the cryptocurrency data firm Chainalysis. Wallet Recovery Services, a business that helps find lost digital keys, said it had gotten 70 requests a day from people who wanted help recovering their riches, three times the number of a month ago.

“Even sophisticated investors have been completely incapable of doing any kind of management of private keys,” said Diogo Monica, a co-founder of a start-up called Anchorage, which helps companies handle cryptocurrency security. Mr. Monica started the company in 2017 after helping a hedge fund regain access to one of its Bitcoin wallets.


Subject: DHS Gets Sued Over Its Social Media Surveillance Tactics
Source: Gizmodo
https://gizmodo.com/dhs-sued-over-its-social-media-surveillance-tactics-1846092273

The Department of Homeland Security is being slammed with a new lawsuit after spending just over a year failing to respond to repeated attempts at investigating its long-term data hoovering practices.

The suit was filed last week by the Center for Democracy & Technology (CDT)—a tech policy-centric nonprofit based out of Washington DC—over allegations that two immigration agencies falling under the DHS’s purview failed to respond to three separate FOIA requests the CDT initially filed in 2019. Per the complaint, both the CBP (Customs and Border Protection) and USCIS (United States Citizenship and Immigration Services) went silent on the CDT’s request for records discussing how the two agencies routinely tap into a given social media account both when deciding whether or not to grant a person US citizenship and when deciding the sort of benefits package that person earns once they’re in the country for good.

Two of the CDT’s three filed FOIAs stemmed from a so-called “Privacy Impact Assessment” on CBP’s social media monitoring initiatives that discussed the sorts of safeguards that agency officials take when handling user data. Specifically, the CDT was looking for records concerning two topics that the DHS alluded to: training material “on the treatment of First Amendment protected activity” on these platforms, and a document that outlined the “rules of behavior” that current CBP officials are expected to follow. Alongside these FOIAs, the CDT fired off a third request to the USCIS that broadly asked for certain documents discussing how it uses social media data when “adjudicating immigration benefits.”


Subject: This Site Published Every Face From Parler’s Capitol Riot Videos
Source: WiReD
https://www.wired.com/story/faces-of-the-riot-capitol-insurrection-facial-recognition/

Late last week, a website called Faces of the Riot appeared online, showing nothing but a vast grid of more than 6,000 images of faces, each one tagged only with a string of characters associated with the Parler video in which it appeared. The site’s creator tells WIRED that he used simple open source machine learning and facial recognition software to detect, extract, and deduplicate every face from the 827 videos that were posted to Parler from inside and outside the Capitol building on January 6, the day when radicalized Trump supporters stormed the building in a riot that resulted in five people’s deaths. The creator of Faces of the Riot says his goal is to allow anyone to easily sort through the faces pulled from those videos to identify someone they may know or recognize who took part in the mob, or even to reference the collected faces against FBI wanted posters and send a tip to law enforcement if they spot someone.

Aside from the clear privacy concerns it raises, Faces of the Riot’s indiscriminate posting of faces doesn’t distinguish between lawbreakers—who trampled barriers, broke into the Capitol building, and trespassed in legislative chambers—and people who merely attended the protests outside. An upgrade to the site today adds hyperlinks from faces to the video source, so that visitors can click on any face and see what the person was filmed doing on Parler. The Faces of the Riot creator, who says he’s a college student in the “greater DC area,” intends that added feature to help contextualize every face’s inclusion on the site and differentiate between bystanders, peaceful protesters, and violent insurrectionists.

Despite its disclaimers and limitations, Faces of the Riot represents the serious privacy dangers of pervasive facial recognition technology, says Evan Greer, the campaign director for digital civil liberties nonprofit Fight for the Future. “Whether it’s used by an individual or by the government, this technology has profound implications for human rights and freedom of expression,” says Greer, whose organization has fought for a legislative ban on facial recognition technologies.


Subject: DOD’s Cybersecurity Certification Requirements to Appear in DHS Contracts
Source: Nextgov
https://www.nextgov.com/cybersecurity/2021/01/dods-cybersecurity-certification-requirements-appear-dhs-contracts/171551/

The Department of Defense is figuring out how to incorporate its Cybersecurity Maturity Model Certification program in contracts offered by the Department of Homeland Security, according to the official helming the initiative.

The CMMC program will ultimately require all defense contractors have their cybersecurity practices certified by a system of independent third party auditors. As it is now, companies simply pledge their adherence to security controls detailed in standards issued by the National Institute of Standards and Technology.

Rules to implement the program are expected to be finalized as early as next month and have caused some heartburn within the contracting community. But the program is being rolled out in phases—15 prime contractors, and all their subcontractors, are being selected to undergo assessments this year—and won’t be fully applicable until 2025.

Other cybersecurity articles: https://www.nextgov.com/cybersecurity/
