Pete Recommends – Weekly highlights on cyber security issues, February 13, 2021

Subject: Maybe Set A Calendar Reminder For Summer: Your Virginia E-Z Pass May Be Inactive
Source: WAMU via DCist
https://dcist.com/story/21/02/02/virginias-e-z-pass-has-one-odd-rule-you-need-to-know/

Virginia is extending the expiration dates of E-Z Passes because of the pandemic.

The commonwealth is one of two states (New Hampshire is the other) that deactivates drivers’ passes and closes their accounts after a year of inactivity. This is due to the requirements of the state’s unclaimed property regulations. With routines upended, many commuters would likely see their passes approach expiration come mid-March.
But now, drivers have until the summer to avoid losing their pass’s functionality. The Virginia Treasury Department has given the Virginia Department of Transportation (VDOT) a one-time, six-month moratorium on the deactivation rule because of the pandemic.
VDOT, which administers the passes, emails drivers before deactivation. Last week, a Reddit user posted a message they received encouraging them to use their E-Z Pass, log in to their account, or call to keep their account active. Those emails are on hold now that the expiration dates have been pushed back.
“E-Z Pass will resume sending inactive account notifications in mid-summer 2021,” David Caudill, VDOT’s division administrator for tolling operations, said in an email.

Subject: Government Demands for Amazon Data Shot Up 800 Percent in 2020
Source: WIRED
Plus: Smartmatic lawsuits, a fake WhatsApp, and more of the week’s top security news.
The last few years have seen a scourge of account takeovers across social media, with no more visible example than last year’s audacious Twitter hack. This week, Twitter, Instagram, and TikTok took part in a coordinated action to reclaim hundreds of accounts that had been used to facilitate trading of those ill-gotten handles within the so-called OGUsers community. It’s not going to solve the problem for good, but it’s at least something.
That’s more than can generally be said for streamer donation platforms Streamlabs and StreamElements, which have allowed far-right and white supremacist users to monetize their hate. Both services do take down accounts that violate their terms of service when reported, but they have yet to take proactive measures, as Twitter and Facebook have done in recent months.
Also having a hard time with moderation: Zoom, which despite introducing measures intended to stop “Zoom-bombing,” still suffers from the scourge. Researchers found that those mitigating features don’t do much good against inside jobs—a high school kid calling on 4chan to disrupt his class, for instance—which remain a prevalent source of attacks.
Speaking of attack sources, it turns out SolarWinds provided two of them. Not only did Russian hackers pull off a so-called supply chain attack by manipulating the company’s own code, but Chinese hackers also used a flaw in SolarWinds software to dig deeper into at least one network that they had already compromised.
Joe Biden’s got his work cut out for him fighting disinformation. A big update to how Chrome handles cookies is going to give advertisers fits, but it works out great for Google. And be sure to check out these recent feature stories: a look at the scary convergence of ubiquitous sensor data, and the second installment in our serialization of 2034, a novel about a fictional war with China that feels all too real.
And there’s more! Each week we round up all the news we didn’t cover in depth. Click on the headlines to read the full stories. And stay safe out there.
+ abstracts + link

Subject: Paper – A First Look at Zoombombing
Source: Binghamton and Boston Universities via beSpacific
A First Look at Zoombombing. Chen Ling, Utkucan Balcı, Jeremy Blackburn, Gianluca Stringhini. Computers and Society. arXiv:2009.03822 [cs.CY].
“Abstract—Online meeting tools like Zoom and Google Meet have become central to our professional, educational, and personal lives. This has opened up new opportunities for large-scale harassment. In particular, a phenomenon known as zoombombing has emerged, in which aggressors join online meetings with the goal of disrupting them and harassing their participants. In this paper, we conduct the first data-driven analysis of calls for zoombombing attacks on social media. We identify ten popular online meeting tools and extract posts containing meeting invitations to these platforms on a mainstream social network, Twitter, and on a fringe community known for organizing coordinated attacks against online users, 4chan. We then perform manual annotation to identify posts that are calling for zoombombing attacks, and apply thematic analysis to develop a codebook to better characterize the discussion surrounding calls for zoombombing.”

Subject: They Stormed the Capitol. Their Apps Tracked Them.
Source: NYT via beSpacific

https://www.bespacific.com/they-stormed-the-capitol-their-apps-tracked-them/

The New York Times – Times Opinion was able to identify individuals from a trove of leaked smartphone location data. “…The sacking of the Capitol was a shocking assault on the republic and an unwelcome reminder of the fragility of American democracy. But history reminds us that sudden events — Pearl Harbor, the Soviet Union testing an atomic bomb, the Sept. 11 attacks — have led to an overreach in favor of collective security over individual liberty that we’d later regret. And more generally, the data collected on Jan. 6 is a demonstration of the looming threat to our liberties posed by a surveillance economy that monetizes the movements of the righteous and the wicked alike.”

Abstracted from beSpacific

Subject: Section 230 and Big Tech
Source: Consumer Reports
Twenty-five years ago, Congress passed a little-noticed law that shielded online platforms from liability for the content posted by users. In the decades since, Section 230 of the Communications Decency Act, signed into law by President Bill Clinton on Feb. 8, 1996, has paved the way for the internet as we know it.
For the better: by enabling everything from unfiltered opinion in the comments sections of news sites to the phenomenon of social media, as well as giving platforms the option to moderate that online content. And for the worse: by facilitating the mass distribution of disinformation, hate speech, and other objectionable content.
“It affects every aspect of the internet from online safety to online shopping,” says Laurel Lehman, policy analyst for Consumer Reports.
And now, as it celebrates its silver anniversary, Section 230 finds itself under attack from across the political spectrum, including legislators and others ready to revise the law and with it the digital lives of millions of U.S. consumers. Here’s what you need to know about this important provision and its uncertain future…

Subject: Browser ‘Favicons’ Can Be Used as Undeletable ‘Supercookies’ to Track You Online
Source: Vice via beSpacific
Vice: “Favicons are one of those things that basically every website uses but no one thinks about. When you’ve got 100 tabs open, the little icon at the start of every browser tab provides a logo for the window you’ve opened. Twitter uses the little blue bird, Gmail is a red mail icon, and Wikipedia is the bold W. It’s a convenient shorthand that lets us all navigate our impossible tab situation. According to a researcher, though, these icons can also be a security vulnerability that could let websites track your movement and bypass VPNs, incognito browsing status, and other traditional methods of cloaking your movement online. The tracking method is called a Supercookie…

Strehle has set up a website that demonstrates how easy it is to track a user online using a favicon. He said it’s for research purposes, has released his source code online, and detailed a lengthy explanation of how supercookies work on his website.

The scariest part of the favicon vulnerability is how easily it bypasses traditional methods people use to keep themselves private online. According to Strehle, the supercookie bypasses the “private” mode of Chrome, Safari, Edge, and Firefox. Clearing your cache, surfing behind a VPN, or using an ad-blocker won’t stop a malicious favicon from tracking you.

Subject: NSF pushing for agency-specific cyber-physical research
Source: GCN
With the growing importance of cyber-physical systems, the National Science Foundation’s research program aims to uncover cross-cutting principles, tools and hardware and software components that can accelerate the transition of CPS research into the real world.
CPS tightly integrates computing devices and networking infrastructure to deliver sensing of the physical world. It relies on data analytics, machine learning, autonomy, internet of things, networking, privacy, security and verification and may include human-aided control. Architectures may be distributed or centralized and feature multi-level hierarchical control and coordination of physical and organizational processes.
“CPS technology will transform the way people interact with engineered systems — just as the Internet has transformed the way people interact with information,” NSF said in its program announcement.
The Department of Homeland Security’s Science & Technology Directorate, the Federal Highway Administration (FHWA), the National Institutes of Health and the Department of Agriculture are sponsoring the research.
DHS S&T’s Technology Centers Division is interested in CPS research that protects industrial controls from cyberattacks and that helps systems identify, predict or recover from faults. Privacy and the management of sensitive data are of interest, as are validation, verification and certification methods that speed up design cycles while ensuring high confidence in system safety and functionality.
[shhh, don’t tell’m about Stuxnet from more than a decade ago /pmw1]

Subject: U.S. Reps. Wexton, Speier urge DNI to update security clearance guidelines
Source: Homeland Preparedness News
U.S. Reps. Jennifer Wexton (D-VA) and Jackie Speier (D-CA) are urging the Director of National Intelligence (DNI) Avril Haines to adopt new security clearance guidelines to prevent individuals involved in extremist groups from accessing classified information.
Specifically, Wexton and Speier are asking the DNI to update current guidelines to directly screen for threats from white supremacists, neo-Nazis, and other far-right extremists. Currently, individuals are not explicitly required to self-report involvement with extremist groups unless the organization professes to be a terrorist organization, seeks to overthrow the United States government, or uses violence.

Subject: Joseph Chase Oaks Of Alabama Accused Of Targeting Hundreds Of People Across The Country In Cell Phone Number Scam
Source: CBS New York and Pittsburgh
On Wednesday, the Manhattan District Attorney’s office announced an even more sophisticated scam called SIM swapping.
Joseph Chase Oaks, from Alabama, is charged with grand larceny and identity theft, accused of targeting 300 people in New York and across the country to steal identities and $150,000 in cryptocurrency like bitcoin.

Subject: Google Chrome’s engineering director discusses how the company is trying to preserve digital advertising after tracking cookies are killed off
Source: Markets Insider
Google, owner of the world’s most popular web browser, set the countdown clock ticking last year when it said it would end support for third-party cookies in Chrome by 2022. It’s been experimenting with tools in its “Privacy Sandbox” that are designed to allow advertising to continue to work on the web, but in a less privacy-encroaching way.
Last month, Google said one of those new techniques – Federated Learning of Cohorts (also known as FLoC) – was “nearly as effective as cookie-based approaches” in its own tests. FLoC uses machine learning algorithms that run on a user’s device to cluster people into interest-based groups based on behavior like their browsing history. It’s now preparing to let other adtech companies experiment with some of its proposals.
Other companies have been adding feedback and discussing their own proposals for cookie alternatives in subcommittees of the World Wide Web consortium, or W3C, a key web standards group.
Insider spoke with Justin Schuh, security and privacy engineering director for Google Chrome, who is leading its Privacy Sandbox efforts. Schuh discussed how Chrome is attempting to assuage ad industry concerns about its cookie replacements, his ambitions for other browsers and platforms to adopt Privacy Sandbox-like solutions, and how Chrome is thinking about ways to give users more control over how their data is used.

This interview has been edited for clarity and length.
