Pete Recommends – Weekly highlights on cyber security issues, February 27, 2021

Subject: Facebook stops collection of user health data after New York investigation
Source: Becker’s Health IT

Facebook will no longer collect unauthorized data about people’s medical and other sensitive information following recommendations from a New York Department of Financial Services investigation, The Wall Street Journal reports. The state began investigating Facebook after a 2019 WSJ report claimed that personal health apps, including a period and pregnancy tracker app called Flo, were quietly passing data to the social media giant.

Facebook’s official terms had prohibited app developers from giving the company data from children about health and other sensitive topics, but the company told the New York financial services department it had “routinely obtained” such information from developers, going against its own service terms and policies, according to the Feb. 18 report.

Subject: Bruce Schneier’s CRYPTO-GRAM, 15 Feb 2021
Source: RISKS Digest – Bruce Schneier’s CRYPTO-GRAM, 15 Feb 2021 – Peter Neumann <[email protected]>, Mon, 15 Feb 2021 10:52:16 PST

[I am including the ToC for this issue of Bruce Schneier’s CRYPTO-GRAM because it illustrates an incredible increase in the breadth and pervasiveness of serious security attacks. FYI. You might want your own subscription (it’s free) if this is of interest to you. PGN] For back issues, or to subscribe, visit Crypto-Gram’s web page.
  1. Cell Phone Location Privacy
  2. Injecting a Backdoor into SolarWinds Orion
  3. Sophisticated Watering Hole Attack
  4. SVR Attacks on Microsoft 365
  5. Insider Attack on Home Surveillance Systems
  6. Massive Brazilian Data Breach
  7. Dutch Insider Attack on COVID-19 Data
  8. Police Have Disrupted the Emotet Botnet
  9. New iMessage Security Features
  10. Including Hackers in NATO Wargames
  11. Georgia’s Ballot-Marking Devices
  12. More SolarWinds News
  13. Another SolarWinds Orion Hack
  14. Presidential Cybersecurity and Pelotons
  15. NoxPlayer Android Emulator Supply-Chain Attack
  16. SonicWall Zero-Day
  17. Web Credit Card Skimmer Steals Data from Another Credit Card Skimmer
  18. Ransomware Profitability
  19. Attack against Florida Water Treatment Facility
  20. Medieval Security Techniques
  21. Chinese Supply-Chain Attack on Computer Systems

Subject: Why Europe’s COVID Vaccine Passports Won’t Work
Source: Daily Beast via Yahoo!

ROME – Almost as soon as authorities in the Mediterranean announced that no one who has not been vaccinated for COVID-19 would be able to visit Sardinia, Cyprus, or the Greek islands this summer, fake vaccine certificates started popping up for sale on the black market for around €100 apiece. And now that Europe’s vaccination program is in full swing and the standardized state-mandated health cards one gets after receiving the COVID jabs are readily available for creative forgers to copy, it doesn’t take much imagination to see how a relatively cheap fake document could allow anyone who hasn’t been able or willing to get the actual vaccine, but still wants a sunny beach holiday, to sneak past entrance controls.

The president of the European Union Commission, Ursula von der Leyen, has adamantly supported the introduction of a “COVID passport” that would allow tourists to bypass quarantines and even invasive brain-tickling swab tests if they can prove they have been inoculated. “It is a medical requirement to have a certificate proving that you have been vaccinated,” she said last week, after a measure was introduced by Greece to make vaccination passports mandatory for E.U. travel, much like it is for those traveling to many African nations to prove they have had a Yellow Fever vaccine.

But none of these efforts to return to normalcy will work unless all countries agree to recognize proof of immunity, whether by antibodies or one of the many vaccines. “For certificates to work internationally, they must be recognized by countries around the world,” Sweden’s social minister, Lena Hallengren, said this week. And that may yet prove to be the biggest challenge.

Subject: COVID fueled 2020
Source: GCN

The coronavirus was a driving force behind cyber activities in 2020 from both criminal and nation-state actors who tried to acquire information related to the virus and possible vaccines or extort the health care industry, according to a new CrowdStrike report….

Subject: Why non-human workers can increase security issues in your business
Source: TechRepublic

Most organizations don’t give the same thought and attention to their non-human workers, such as bots, RPAs and service accounts, as they do to human workers and their identity lifecycles. The term non-human worker conjures up several images. In this case, we’re talking about “non-living workers,” so no worries about mistreating any animals. Some examples include chatbots, robotic process automation, robots and more. They’re now likely to be working alongside us in the office.

“The number of non-human workers is growing, particularly as global organizations increasingly prioritize cloud computing, DevOps, Internet of Things devices, and other digital transformation initiatives,” said David Pignolet, CEO of SecZetta, in an email interview. Pignolet does not have a problem with non-human workers; his concern is the lack of identity management for non-human workers and the increasing number of cyberattacks and data breaches caused by subverting the access privileges given to them.

See also the Forrester Research article “How To Secure And Govern Non-Human Identities.”

Subject: VPNs pose challenges for agencies sustaining remote work
Source: FedScoop

Virtual private networks (VPNs) are presenting some agencies with added challenges as they increase remote work during the COVID-19 pandemic. Some agencies had to make emergency acquisitions for more VPN licenses and are now looking to segment their data because the technology provides more internet exposure than advocates of models like zero-trust security are comfortable with. Infrastructure, not cloud, remains the focus as agencies attempt to remotely connect employees to network assets that may still be on-premises, and zero-trust security architectures are preferable, said Dan Jacobs, director of cloud adoption and cybersecurity within the General Services Administration Centers of Excellence.

According to a Zscaler risk report released this month, among 357 IT and cybersecurity professionals — 25 of them in government — 93% said their organization had deployed VPN services despite 94% acknowledging cybercriminals exploit their vulnerabilities to access network assets. Social engineering, ransomware and malware are the most common ways to compromise VPNs.

“Right now VPN just throws open the fire hose and gives me access to everything I had when I was in the building,” Feibus said. “Do I necessarily need that when I’m remote?”

Subject: Dealing with Weather Emergencies
Source: FTC Consumer Information

It’s one thing to prepare your family, pets, and property for extreme weather situations. It’s another to protect your personal information and finances from scammers who use weather emergencies to cheat people. This page has information to help you prepare for, deal with, and recover from a weather emergency.

Subject: The Best Law You’ve Never Heard Of
Source: NYT via beSpacific

The New York Times – Taking back control of our personal data can feel like a lost cause. But there’s hope! “Americans should feel angry about companies harvesting every morsel of our data to sell us sneakers or rate our creditworthiness. But a data protection law that few of us know about should also give us hope. I’m talking about the Biometric Information Privacy Act of Illinois, or BIPA. It’s one of the toughest privacy laws in the United States. And it passed in 2008, when most of us didn’t have smartphones and couldn’t have imagined Alexa in our kitchens. It applies only to Illinois residents and limits no more than what companies do with data from our bodies, like face scans and fingerprints. But its principles and legacy show that effective laws can wrest a measure of control from information-hogging companies. BIPA may also show that states can be America’s best laboratory for tackling the downsides of digital life….”

Subject: How to Find Hidden Cameras Using Your Mobile Phone
Source: MakeUseOf via beSpacific

“Have reason to be suspicious of a partner or employer? Feel that someone is watching you, perhaps with a hidden camera? You could discover the truth if only you had some way of detecting the presence of a hidden camera. Fortunately, apps are available to help you find hidden surveillance cameras using just your smartphone. Ready to find those secret cameras?…”

Subject: Algorithms That Curate Feeds & Tech Company Secrecy
Source: Consumer Reports

The algorithms influence which videos and products you see online, and how social media posts are moderated.

Later this month, your Facebook feed will start looking less political. The company says it’s testing a tweak that will surface fewer politics-related posts in users’ feeds, in a bid to keep political content from “taking over” what people see—an adjustment Facebook says users often ask for. But it’s not clear what the change will look like. In its announcement and in comments made to Consumer Reports, Facebook didn’t share any details about how its systems would assemble the new feeds, or even decide what counts as political content. And if you like your feed just the way it is, well, too bad—you don’t have a say in the matter.

That’s almost always the case when tech companies tweak their algorithmic decision-making systems. These are the systems that determine which products people see when they search for a power drill; what they learn about vaccinations, rolling blackouts, or election results from social media or Google search results; and which of their friends’ posts they see at the top of their feeds—plus the posts they never notice because they are buried so deep.

Subject: ‘We’ve Been Trying To Reach You:’ Robocalls Soar During Pandemic, How To Avoid Them
Source: CBS Pittsburgh

Driscoll says there are also call-blocking apps you can download to your phone, but be careful.

“For example with a call blocking app permissions may be necessary to provide all of the contacts in your phone book, or it could be a concern if the app is also requiring access to your text messages and other information that may not actually be necessary to provide that service,” she warned.

For Android users, anytime you get a robocall, go into your phone and block that number. iPhone users can go to Settings, select ‘Phone’, then ‘Silence Unknown Callers’ and make sure that is turned on. That will automatically send to voicemail any call from a number that is not in your contacts or that you have not reached out to either by phone or text.

As for blocking apps, a critical point to consider is how often they update their software.

Robocallers regularly switch numbers and mask them as local numbers. So you may block the number coming from Turtle Creek only to get the next call from Oakmont.

The best thing to do if you get a call from an unknown number is to decline it, or just let it go to voicemail.

Subject: National Lab Creates Technology to Detect Cryptocurrency Mining Malware
Source: Nextgov

Idaho National Laboratory officials invented a means to speedily detect hidden malware that exploits infected computing systems’ resources to mine digital currencies. Now, they’re searching for an external partner with expertise to bring it to market.

“Advanced cryptocurrency mining algorithms, including Monero and Lightning, that have been surreptitiously embedded into legitimate High-Performance Computing (HPC) applications present an increasing threat to research data centers and HPC systems throughout the world,” a technology licensing opportunity post published this week reads.

Access to the full solicitation is restricted to those who submit a contract security form, but the post offers some details about the recently produced technology.

More than 2,000 types of cryptocurrencies exist, officials wrote in the post. But mining Bitcoin and other online currencies is expensive and demands heaps of hardware. Rates of energy and electricity consumed in the practice can match those of some small countries and grow with demand. The officials point to cryptojacking—or using HPC assets without authorization to mine the money—as one way some have opted to reduce cost.

Subject: Public Employees’ Use of Personal Phones, Tablets Puts Local Governments at Risk
Source: Route Fifty

A cybersecurity report found that 25% of state and local government employees use personal digital devices to telework while only 9% of federal employees do so. Nearly a quarter of state and local government employees use personal phones and tablets for work, putting them at higher risk for phishing attacks and other cyber intrusions, according to a new cybersecurity report.

Local governments have battled an onslaught of ransomware attacks and cybersecurity threats in recent years, including this month’s breach of a water treatment plant in Florida. But as government employees shifted to work from home during the coronavirus pandemic, the report from mobile security firm Lookout highlights one way that telework can put agencies at greater risk.

Using personal devices can provide employees greater flexibility to work from home, but “these unmanaged personal devices are more frequently exposed to phishing sites than managed devices,” the Lookout report found. “This is because personal un-managed devices connect to a broader range of websites and use a greater variety of apps.”

“With the proper protection in place, I think it’s perfectly acceptable for government employees to use personal devices,” he added.
