Pete Recommends – Weekly highlights on cyber security issues, February 20, 2021

Subject: Maybe Set A Calendar Reminder For Summer: Your Virginia E-Z Pass May Be Inactive
Source: WAMU via DCist

Virginia is extending the expiration dates of E-Z Passes because of the pandemic. The commonwealth is one of two states (New Hampshire is the other) that deactivate drivers’ passes and close their accounts after a year of inactivity. This is due to the requirements of the state’s unclaimed property regulations. With routines upended, many commuters would likely see their passes approach expiration come mid-March.

But now, drivers have until the summer to avoid losing their pass’s functionality. The Virginia Treasury Department has given the Virginia Department of Transportation (VDOT) a one-time, six-month moratorium on the deactivation rule because of the pandemic.

VDOT, which administers the passes, emails drivers before deactivation. Last week, a Reddit user posted a message they received encouraging them to use their E-Z Pass, log in to their account or call to keep their account active. Those emails are on hold now that the expiration dates have been pushed back.

“E-Z Pass will resume sending inactive account notifications in mid-summer 2021,” David Caudill, VDOT’s division administrator for tolling operations, said in an email.

Subject: Government Demands for Amazon Data Shot Up 800 Percent in 2020
Source: WIRED

Plus: Smartmatic lawsuits, a fake WhatsApp, and more of the week’s top security news.

The last few years have seen a scourge of account takeovers across social media, with no more visible example than last year’s audacious Twitter hack. This week, Twitter, Instagram, and TikTok took part in a coordinated action to reclaim hundreds of accounts that had been used to facilitate trading of those ill-gotten handles within the so-called OGUsers community. It’s not going to solve the problem for good, but it’s at least something.

That’s more than can generally be said for streamer donation platforms Streamlabs and StreamElements, which have allowed far-right and white supremacist users to monetize their hate. Both services do take down accounts that violate their terms of service when reported, but they have yet to take proactive measures, as Twitter and Facebook have done in recent months.

Also having a hard time with moderation: Zoom, which despite introducing measures intended to stop “Zoom-bombing,” still suffers from the scourge. Researchers found that those mitigating features don’t do much good against inside jobs—a high school kid calling on 4chan to disrupt his class, for instance—which remain a prevalent source of attacks.

Speaking of attack sources, it turns out SolarWinds provided two of them. Not only did Russian hackers pull off a so-called supply chain attack by manipulating the company’s own code, Chinese hackers used a flaw in SolarWinds software to dig deeper into at least one network that they had already compromised.

Joe Biden’s got his work cut out for him fighting disinformation. A big update to how Chrome handles cookies is going to give advertisers fits, but it works out great for Google. And be sure to check out these recent feature stories: a look at the scary convergence of ubiquitous sensor data, and the second installment in our serialization of 2034, a novel about a fictional war with China that feels all too real.

And there’s more! Each week we round up all the news we didn’t cover in depth. Click on the headlines to read the full stories. And stay safe out there.

+ abstracts + link


Subject: Paper – A First Look at Zoombombing
Source: Binghamton and Boston Universities via beSpacific

A First Look at Zoombombing. Chen Ling, Utkucan Balcı, Jeremy Blackburn, Gianluca Stringhini. Computers and Society. arXiv:2009.03822 [cs.CY].

“Abstract—Online meeting tools like Zoom and Google Meet have become central to our professional, educational, and personal lives. This has opened up new opportunities for large scale harassment. In particular, a phenomenon known as zoombombing has emerged, in which aggressors join online meetings with the goal of disrupting them and harassing their participants. In this paper, we conduct the first data-driven analysis of calls for zoombombing attacks on social media. We identify ten popular online meeting tools and extract posts containing meeting invitations to these platforms on a mainstream social network, Twitter, and on a fringe community known for organizing coordinated attacks against online users, 4chan. We then perform manual annotation to identify posts that are calling for zoombombing attacks, and apply thematic analysis to develop a codebook to better characterize the discussion surrounding calls for zoombombing.”

Subject: They Stormed the Capitol. Their Apps Tracked Them.
Source: NYT via beSpacific

The New York Times – Times Opinion was able to identify individuals from a trove of leaked smartphone location data. “…The sacking of the Capitol was a shocking assault on the republic and an unwelcome reminder of the fragility of American democracy. But history reminds us that sudden events — Pearl Harbor, the Soviet Union testing an atomic bomb, the Sept. 11 attacks — have led to an overreach in favor of collective security over individual liberty that we’d later regret. And more generally, the data collected on Jan. 6 is a demonstration of the looming threat to our liberties posed by a surveillance economy that monetizes the movements of the righteous and the wicked alike….”

Abstracted from beSpacific

Subject: Browser ‘Favicons’ Can Be Used as Undeletable ‘Supercookies’ to Track You Online
Source: Vice via beSpacific

Vice: “Favicons are one of those things that basically every website uses but no one thinks about. When you’ve got 100 tabs open, the little icon at the start of every browser tab provides a logo for the window you’ve opened. Twitter uses the little blue bird, Gmail is a red mail icon, and Wikipedia is the bold W. It’s a convenient shorthand that lets us all navigate our impossible tab situation. According to a researcher, though, these icons can also be a security vulnerability that could let websites track your movement and bypass VPNs, incognito browsing status, and other traditional methods of cloaking your movement online. The tracking method is called a Supercookie, …Strehle has set up a website that demonstrates how easy it is to track a user online using a favicon. He said it’s for research purposes, has released his source code online, and detailed a lengthy explanation of how supercookies work on his website.

The scariest part of the favicon vulnerability is how easily it bypasses traditional methods people use to keep themselves private online. According to Strehle, the supercookie bypasses the “private” mode of Chrome, Safari, Edge, and Firefox. Clearing your cache, surfing behind a VPN, or using an ad-blocker won’t stop a malicious favicon from tracking you.”

Subject: NSF pushing for agency-specific cyber-physical research
Source: GCN

With the growing importance of cyber-physical systems (CPS), the National Science Foundation’s research program aims to uncover cross-cutting principles, tools and hardware and software components that can accelerate the transition of CPS research into the real world. CPS tightly integrates computing devices and networking infrastructure to deliver sensing of the physical world. It relies on data analytics, machine learning, autonomy, internet of things, networking, privacy, security and verification and may include human-aided control. Architectures may be distributed or centralized and feature multi-level hierarchical control and coordination of physical and organizational processes.

“CPS technology will transform the way people interact with engineered systems — just as the Internet has transformed the way people interact with information,” NSF said in its program announcement.

The Department of Homeland Security’s Science & Technology Directorate, the Federal Highway Administration (FHWA), the National Institutes of Health and the Department of Agriculture are sponsoring the research.

DHS S&T’s Technology Centers Division is interested in CPS research that protects industrial controls from cyberattacks and that helps systems identify, predict or recover from faults. Privacy and managing the use of sensitive data is of interest, as is validation, verification and certification that speed up design cycles while ensuring high confidence in system safety and functionality.

[shhh, don’t tell’m about Stuxnet from more than a decade ago /pmw1]

Subject: Google Chrome’s engineering director discusses how the company is trying to preserve digital advertising after tracking cookies are killed off
Source: Markets Insider

Google, owner of the world’s most popular web browser, set the countdown clock ticking last year when it said it would end support for third-party cookies in Chrome by 2022. It’s been experimenting with tools in its “Privacy Sandbox” that are designed to allow advertising to continue to work on the web, but in a less privacy-encroaching way.

Last month, Google said one of those new techniques – Federated Learning of Cohorts (also known as FLoC) – was “nearly as effective as cookie-based approaches” in its own tests. FLoC uses machine learning algorithms that run on a user’s device to cluster people into interest-based groups based on behavior like their browsing history. It’s now preparing to let other adtech companies experiment with some of its proposals.

Other companies have been adding feedback and discussing their own proposals for cookie alternatives in subcommittees of the World Wide Web Consortium, or W3C, a key web standards group.

Insider spoke with Justin Schuh, security and privacy engineering director for Google Chrome, who is leading its Privacy Sandbox efforts. Schuh discussed how Chrome is attempting to assuage ad industry concerns about its cookie replacements, his ambitions for other browsers and platforms to adopt Privacy Sandbox-like solutions, and how Chrome is thinking about ways to give users more control over how their data is used. This interview has been edited for clarity and length.

Subject: 30 popular mobile health apps vulnerable to cyberattacks, PHI [Protected Health Information] exposure
Source: Becker’s Health IT

Thirty of the most downloaded mobile health apps are highly vulnerable to application programming interface (API) cyberattacks, which could let hackers gain access to patient health records and protected health information, according to a recent Knight Ink and Approov report. For its report, API cybersecurity company Approov and cybersecurity content company Knight Ink tapped Alissa Knight to analyze the leading mHealth apps over a six-month period to assess cybersecurity vulnerabilities. Ms. Knight is a cybersecurity analyst and partner at Knight Ink. The mHealth app developers agreed to participate in the study as long as the results were not directly attributed to the app vendors.

other cybersecurity articles:

Subject: Incomplete fixes for security flaws make hackers’ job easy, Google says
Source: MIT Technology Review via Becker’s Health IT

Research from Google shows that hackers can quickly find security flaws in previously patched bugs. Maddie Stone, a security researcher at Google, said that bugs are often only partially fixed, allowing previously undetected flaws, known as zero-day vulnerabilities, to be exploited repeatedly, reports MIT Technology Review. Ms. Stone is part of a security team known as Project Zero, which has tracked more than 150 zero-day bugs over the past six years. According to Ms. Stone, security teams often fix software vulnerabilities incompletely, and hackers can get back in by changing a few lines of code or adding a few tweaks.

Ms. Stone said security teams at software firms are often working with limited resources and time, which may contribute to zero-day vulnerabilities. Security teams, she said, are often focused on fixing a specific flaw instead of the root cause of the flaw in its entirety.
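As an added illustration of the distinction drawn above between patching the reported symptom and fixing the root cause, here is a constructed Python example. It is not code from Project Zero, Google, or any product mentioned in the article; the file-serving helper, the base directory and all function names are assumptions. The "partial fix" rejects only the exact payload that would have appeared in a bug report, so a trivially different encoding of the same input still escapes the base directory; the root-cause fix canonicalises the path first and then enforces the containment invariant, which holds regardless of how the input was spelled.

```python
"""Incomplete fix versus root-cause fix (constructed illustration).

A hypothetical static-file helper must confine reads to BASE_DIR. Three
variants show the original defect, a symptom-only patch, and a fix that
restores the underlying invariant. Nothing here touches the filesystem.
"""
import posixpath
from urllib.parse import unquote

# Assumed base directory for the hypothetical service.
BASE_DIR = "/srv/app/static"


def _inside_base(path: str) -> bool:
    """True when a canonical path is BASE_DIR itself or lies below it."""
    return path == BASE_DIR or path.startswith(BASE_DIR + "/")


def resolve_original(user_path: str) -> str:
    """Original (vulnerable) behaviour: the supplied path is trusted as-is."""
    return posixpath.normpath(posixpath.join(BASE_DIR, unquote(user_path)))


def resolve_partial_fix(user_path: str) -> str:
    """Symptom-only patch: rejects the literal payload from the bug report.

    The check runs on the raw string before percent-decoding, so a variant
    such as '..%2f' is not caught; the same flaw is still reachable.
    """
    if "../" in user_path:
        raise ValueError("path traversal rejected")
    decoded = unquote(user_path)  # decoding after the check is the root cause
    return posixpath.normpath(posixpath.join(BASE_DIR, decoded))


def resolve_root_cause_fix(user_path: str) -> str:
    """Root-cause fix: canonicalise first, then enforce the invariant.

    Whatever encoding or '..' sequence the caller used, the only question
    that matters is whether the final canonical path stays under BASE_DIR.
    """
    decoded = unquote(user_path)
    candidate = posixpath.normpath(posixpath.join(BASE_DIR, decoded))
    if not _inside_base(candidate):
        raise ValueError("path traversal rejected")
    return candidate


def escapes_base(resolver, user_path: str) -> bool:
    """Report whether a resolver lets user_path leave BASE_DIR.

    Returns False when the resolver either confines the path or refuses it.
    """
    try:
        return not _inside_base(resolver(user_path))
    except ValueError:
        return False


def compare_fixes(user_path: str) -> dict:
    """Run one input through all three variants for side-by-side review."""
    return {
        "original": escapes_base(resolve_original, user_path),
        "partial_fix": escapes_base(resolve_partial_fix, user_path),
        "root_cause_fix": escapes_base(resolve_root_cause_fix, user_path),
    }


if __name__ == "__main__":
    # Constructed inputs: the reported payload and an encoded variant of it.
    for p in ("css/site.css", "../../etc/passwd", "..%2f..%2fetc/passwd"):
        print(p, compare_fixes(p))
```

The point of `compare_fixes` is the middle column: the partial fix looks correct against the payload in the original report and wrong against the next one a researcher tries, which is exactly the "a few tweaks" pattern the article describes. A regression test for the fix should therefore assert the invariant (`_inside_base` on the canonical result) rather than the absence of one specific substring.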

Subject: States Push Internet Privacy Rules in Lieu of Federal Standards
Source: WSJ

A growing mosaic of state-level internet privacy proposals in lieu of a nationwide framework could provide new protections for consumers and additional question marks for businesses. Lawmakers in Virginia are nearing passage of data protection legislation in a rapid-fire legislative session slated to conclude this month. Washington state officials are considering compromises over enforcement of a potential privacy law for the third time. States including New York, Minnesota, Oklahoma and Florida are pushing ahead with similar proposals of their own. The movement in recent weeks comes as the coronavirus pandemic has pushed daily life further online, privacy experts say, adding to consumer fears of potential abuses. Executives warn the emerging landscape for how companies can collect and use personal data could create headaches for firms that do business across state lines.

“The notion that you can divide up your business to treat consumers in California differently than you do in Washington or Virginia is silly,” said Tanya Forsheit, chair of the Privacy & Data Security Group at law firm Frankfurt Kurnit Klein+Selz PC.

Many businesses have warned of a patchwork of privacy laws since California passed its landmark statute in 2018 and as elected officials in Washington, D.C. have clashed over a federal baseline.