Pete Recommends – Weekly highlights on cyber security issues, March 21, 2021

Subject: Microsoft’s Dream of Decentralized IDs Enters the Real World
Source: WIRED

The company will launch a public preview of its identification platform this spring—and has already tested it at the UK’s National Health Service.

For years, tech companies have touted blockchain technology as a means to develop identity systems that are secure and decentralized. The goal is to build a platform that could store information about official data without holding the actual documents or details themselves. Instead of just storing a scan of your birth certificate, for example, a decentralized ID platform might store a validated token that confirms the information in it. Then when you get carded at a bar or need proof of citizenship, you could share those pre-verified credentials instead of the actual document or data. Microsoft has been one of the leaders of this pack—and is now detailing tangible progress toward its vision of a decentralized digital ID.

At its Ignite conference today, Microsoft announced that it will launch a public preview of its “Azure Active Directory verifiable credentials” this spring. Think of the platform as a digital wallet like Apple Pay or Google Pay, but for identifiers rather than credit cards. …

“In the NHS system, at each hospital health care workers go to, it used to take months of effort to verify their credentials before they could practice,” Chik says. “Now it literally takes five minutes to be enrolled in the hospital and starting to treat patients.”

Microsoft formally started its work on a decentralized identity scheme in 2017 and has slowly open protocol called Sidetree to add records of transactions—in this case, identity verifications—to the blockchain. Microsoft says Azure Active Directory verifiable credentials uses a custom but still open source implementation of Sidetree called Identity Overlay Network. Organizations will be able to run their own ION “node” to verify and store identifiers for their members, like citizens, students, or employees.

Microsoft says that its new decentralized identity platform will be set up so that even if an account is compromised, attackers can’t just start using your verified credentials to get a student discount on purchases or apply for a loan in your name.

“Beyond just controlling access, developers can further secure user data by encrypting that data using keys from their decentralized identifiers,”  a Microsoft spokesperson told WIRED in a statement. “Based on such an approach, a bad actor may gain access to a system or datastore but can’t decrypt the data without keys that reside with individual user.”


Subject: CEO of Sky Global encrypted chat platform indicted by US
Source: Bleeping Computer

The US Department of Justice has indicted the CEO of encrypted messaging company Sky Global, and an associate for allegedly aiding criminal enterprises avoid detection by law enforcement.

Sky Global is the developer of an encrypted chat app known as Sky ECC that claims to be the “most secure messaging app available anywhere in the world today.”

Earlier this week, Europol announced that law enforcement in Belgium and the Netherlands made arrests after monitoring the Sky ECC encrypted chat platform for illegal activity.

“As of mid-February, authorities have been able to monitor the information flow of approximately 70 000 users of Sky ECC. Many users of EncroChat changed over to the popular Sky ECC platform, after EncroChat was unveiled in 2020.”

“By successfully unlocking the encryption of Sky ECC, the information acquired will provide insights into criminal  activities in various EU Member States and beyond and will assist in expanding investigations and solving serious and cross-border organised crime for the coming months, possibly years,” Europol disclosed in a statement this week.

Last night, the United States Department of Justice announced that they had indicted the CEO of Sky Global, Jean-Francois Eap, and one of his associates, Thomas Herdman, for allegedly violating federal racketeering laws (RICO). Herdman is said to be a former global distributor of Sky Global devices.

The Department of Justice further states that Sky Global’s has generated hundreds of millions of dollars by operating a secure communications platform to facilitate narcotics distribution worldwide.

Related Articles: Europol ‘unlocks’ encrypted Sky ECC chat service to make arrests



Subject: Herbert Alford Sues Hertz Over Lost Receipt That Was His Murder Alibi
Source: The NYT

A Michigan man has sued Hertz, the car rental company, saying it failed to produce a receipt that would have proved his innocence before he was convicted of a 2011 murder.

The man, Herbert Alford, was convicted in 2016 of second-degree murder in the fatal shooting of Michael Adams, 23, in Lansing, Mich. Mr. Alford insisted that he was innocent and that a car rental receipt from the Hertz location at the Lansing airport would prove that he was nowhere near the scene of the murder when it occurred in October 2011.

The company produced the receipt in 2018, and the charges against Mr. Alford were dropped last year.

Mr. Alford, 47, filed the lawsuit against Hertz on Tuesday in circuit court in Ingham County, Mich. It says that Hertz’s “actions, inactions and negligence” had helped keep Mr. Alford in jail and then prison for a total of five years. The lawsuit is seeking unspecified monetary damages.

Subject: How to poison the data that Big Tech uses to surveil you
Source: MIT Technology Review

Every day, your life leaves a trail of digital breadcrumbs that tech giants use to track you. You send an email, order some food, stream a show. They get back valuable packets of data to build up their understanding of your preferences. That data is fed into machine-learning algorithms to target you with ads and recommendations. Google cashes your data in for over $120 billion a year of ad revenue.

Increasingly, we can no longer opt out of this arrangement. In 2019 Kashmir Hill, then a reporter for Gizmodo, famously tried to cut five major tech giants out of her life. She spent six weeks being miserable, struggling to perform basic digital functions. The tech giants, meanwhile, didn’t even feel an itch.

Now researchers at Northwestern University are suggesting new ways to redress this power imbalance by treating our collective data as a bargaining chip. Tech giants may have fancy algorithms at their disposal, but they are meaningless without enough of the right data to train on.

In a new paper being presented at the Association for Computing Machinery’s Fairness, Accountability, and Transparency conference next week, researchers including PhD students Nicholas Vincent and Hanlin Li propose three ways the public can exploit this to their advantage:

But overall, Vincent, Li, and Alkhatib are optimistic that data leverage could turn into a persuasive tool to shape how tech giants treat our data and our privacy. “AI systems are dependent on data. It’s just a fact about how they work,” Vincent says. “Ultimately, that is a way the public can gain power.”

Filed –

Subject: Google Can Be Sued for Tracking Users in Private Browsing Mode
Source: Gizmodo

A U.S. district judge in California has stated that Google can be sued for collecting data on users even when they use “private browsing mode” on their selected browsers.

The lawsuit in question is a class action brought forward by three Google users—Chasom Brown, Maria Nguyen, and William Byatt—who used private browsing mode in Chrome and in Safari, Apple’s web browser, in recent years. It claims that Google tracks and collects consumer browsing history and other web activity data “no matter what safeguards” users implement. In this case, Brown v. Google, the specific safeguard referenced is private browsing mode, a feature offered by many browsers. On Google’s Chrome browser, this is referred to as “Incognito mode.”

Nonetheless, the complaint alleges that Google still tracks users in private browsing mode using Google Analytics, Google Ad Manager, the Google app on mobile devices, and the Google sign-in button for websites.

Filed –

Subject: White House tees up cyber labeling policy
Source: FCW

The Biden administration is considering two new policies to give government, corporate and individual tech consumers assurance that products are being designed with cybersecurity in mind.

In the wake of two massive cybersecurity breaches, one involving the SolarWinds remote IT management software and the other exploiting four vulnerabilities in Microsoft Exchange Server software, the government is looking to move fast to elevate cybersecurity standards for products used by government, industry and consumers.

During a background briefing on March 12, a senior administration official told reporters that executive actions are coming in the “next couple of weeks” to give security grades to software companies and to add security labels to internet-of-things devices.

The Cybersecurity Solarium Commission, in its final report, recommended that Congress establish a new nongovernmental, nonprofit entity called the “National Cybersecurity Certification and Labeling Authority.” The new organization would be charged with “establishing and managing a voluntary cybersecurity certification and labeling program for information and communication technologies,” covering a broad range of products including software, devices, cloud services, industrial control systems and more.

Keyword – Cybersecurity

Subject: California Bans “Dark Patterns” Under Landmark Privacy Law
Source: Gizmodo

New regulations were approved under California’s Consumer Privacy Act on Monday that will prohibit the use of so-called dark patterns — tricks deployed by websites or apps that seek to frustrate or bamboozle users into doing things they wouldn’t normally do.

In a Monday press release, California Attorney General Xavier Becerra announced the new regulations, approved by the state’s Office of Administrative Law, and said that the updated restrictions will strengthen the landmark CCPA legislation approved in August 2020.

“California is at the cutting edge of online privacy protection, and this newest approval by OAL clears even more hurdles in empowering consumers to exercise their rights under the California Consumer Privacy Act,” Becerra said. “These protections ensure that consumers will not be confused or misled when seeking to exercise their data privacy rights.”

Subject: Everything You Need to Know About Evolving Threat of Ransomware
Source: The Hacker News

The cybersecurity world is constantly evolving to new forms of threats and vulnerabilities. But ransomware proves to be a different animal—most destructive, persistent, notoriously challenging to prevent, and is showing no signs of slowing down.

Falling victim to a ransomware attack can cause significant data loss, data breach, operational downtime, costly recovery, legal consequences, and reputational damage.

In this story, we have covered everything you need to know about ransomware and how it works.

Subject: Ulysses Group Claims It Can Track Nearly Any Car in Real-Time
Source: Gizmodo

A defense contractor that claims to have access to motor vehicle location data on a global scale says it wants to use that data to help U.S. federal agencies conduct more efficient spying and military operations.

The Ulysses Group, which offers “cutting edge operational and intelligence services, support, and equipment” to government clients, says it can “access over 15 billion vehicle locations” worldwide every month. This data, which can be viewed “historically” or in real-time, should be used operationally by U.S. agencies, the company says.

A document obtained by the office of Sen. Ron Wyden, which was first reported by Motherboard and shared with Gizmodo, shows Ulysses claims to be able to “remotely geolocate” cars in “nearly any country,” with the exceptions of Cuba and North Korea. In the document, the firm explains how this might be useful to a government agency:

Maybe the worst thing about this whole story is that it’s not entirely clear where a company like Ulysses gets all its data from. Andrea Amico, the founder of Privacy4Cars told Vice that, due to the convoluted nature of vehicle data collection, there are a whole variety of sources where locations might be procured from: “the company that provides the map itself, for instance, would have access to it; the company that provides the infotainment system may have access to it; the company that provides the traffic data may have access to it; the company that provides the parking data may have access to it. Right there and then you’ve got five companies that are getting your location.”

A call to the Ulysses Group wasn’t immediately returned. A call to the Alliance of Automobile Manufacturers for commentary on this story didn’t garner a response either (the group represents the interests of car giants like Ford, Honda, Subaru, Hyundai, BMW, Chrysler and others, and has previously published a set of consumer data privacy guidelines for the industry). We will update this story if we hear back.

Filed Privacy and Security

Subject: Please Stop Using Text Messaging to Receive Login Codes
Source: Life Hacker via beSpacific

Life Hacker – “This week, a stunning story from revealed how easy it is for an attacker to siphon away your text messages. They don’t need access to your phone; they don’t even need your SIM card. They just need to pay a trivial sum, convince a VoIP wholesaler that they’re a reseller (also a trivial matter), and sign a form swearing that they’re allowed to route messages to your number to another. …We’ve said it before, and we’ll keep saying it until all sites and services finally listen: It’s not secure enough to simply use a text message, or two-step authentication, to protect one’s account from unauthorized access. Whenever possible, you should be using a dedicated two-factor authentication app that requires physical access of your hardware—typically your phone—to finish the login process for an account. Text messages are not as secure as you might think. While you might never be the victim of a text-hijacking yourself, this week’s news shows it’s far from an impossibility…”


Posted in: AI, Big Data, Cybercrime, Cyberlaw, Cybersecurity, Data Mining, Healthcare, Legal Research, Legislative, Privacy, Spyware, Technology Trends