Pete Recommends – Weekly highlights on cyber security issues, March 27, 2021

Subject: How to Wipe a Computer Clean of Personal Data
Source: Consumer Reports

Theoretically, however, a determined hacker may be able to use advanced data recovery software to unearth your old files, even if you’ve performed a factory reset. That’s why Richard Fisco, who oversees electronics testing for Consumer Reports, cautions that some consumers may feel more comfortable removing the hard drive altogether before sending the laptop off to its new home.

“The gold standard in hard drive security consists of using a pointy nail and a few swift swings of a hammer,” he says half-jokingly. “Just make sure you’re wearing safety glasses.”

Of course, you’ll want to back up any important data you may have to another drive, or to the cloud, before you perform a factory reset (or, perhaps, break out the hammer and nails). But once that’s over and done with, and you’ve verified that the data has been safely backed up, actually carrying out a factory reset is simple whether you’re on a Mac, Chromebook, or Windows PC.

Subject: Tesla: Now a National Security Threat to China
Source: Gizmodo

[If it’s good for the goose, it’s good for the gander dept…] Members of the People’s Liberation Army desperate to drive to work with all the style and panache afforded by Elon Musk’s overhyped cars are apparently out of luck. Citing “national security” concerns, the Chinese government has reportedly banned the use of Tesla vehicles by state and military employees on certain government properties.

Per reports from the Wall Street Journal and Bloomberg, the People’s Republic of China is allegedly concerned that Tesla’s high-tech cars could be a source of data leaks or foreign spying. Of particular concern is the high number of internal sensors and cameras installed in Tesla vehicles—the likes of which could be used to funnel sensitive data “back to the U.S.,” government officials worry.

Subject: Massive camera hack exposes the growing reach and intimacy of American surveillance
Source: WaPo via beSpacific

Washington Post – A breach of the camera start-up Verkada ‘should be a wake-up call to the dangers of self-surveillance,’ one expert said: “‘Our desire for some fake sense of security is its own security threat.’ In one video, a woman in a hospital room watches over someone sleeping in an intensive-care-unit bed. In another, a man and three young children celebrate one Sunday afternoon over a completed puzzle in a carpeted playroom. The private moments would have, in some other time, been constrained to memory. But something else had been watching: An Internet-connected camera managed by the security start-up Verkada, which sells cameras and software that customers can use to watch live video from anywhere across the Web. With a single breach, those scenes — and glimpses from more than 149,000 security cameras — were suddenly revealed to hackers, who had used high-level log-in credentials to access and plunder Verkada’s vast camera network. A hacker shared some of the materials with The Washington Post to spotlight the security threat of widespread surveillance technologies that subject the public to near-constant watch…”

The breach, which was first reported by Bloomberg News, highlighted a central vulnerability undermining the modern Web: As more companies race to amass vast stores of sensitive data, they are also becoming more fruitful targets for attack and making it that much easier for thousands of unaware people to be suddenly exposed.

Subject: UK Police Warn Against Using Sci-Hub’s 85 Million Documents of Pirated Research
Source: Gizmodo

Police in the UK issued a warning over the weekend against visiting Sci-Hub, a website that offers over 85 million free research papers that are typically behind paywalls. Police claim that people associated with Sci-Hub are dangerous because they “steal” login credentials from students and faculty at universities, a claim the website’s administrators have previously denied.  “If you’re tricked into revealing your log-in credentials, whether it’s through the use of fake emails or malware, we know that Sci-Hub will then use those details to compromise your university’s computer network in order to steal research papers,” Max Bruce, London police’s cyber protection officer, said in a press release.

UK Police did not provide explicit evidence for claims that Sci-Hub steals login credentials, but did allege that “42 UK universities” have “been hacked by Sci-Hub,” through phishing techniques. Police also warned students that accessing the website from the UK is “illegal” because the site “hosts stolen intellectual property.”

Sci-Hub has been successfully sued twice in U.S. court but remains online tenuously and is often forced to change domain names. An active version of the website currently has a top-level domain name registered with the Dominican Republic.

Subject: Phishers’ perfect targets: Employees getting back to the office
Source: Help Net Security

Phishers have been exploiting people’s fear and curiosity regarding breakthroughs and general news related to the COVID-19 pandemic from the very start, and will continue to do it for as long as it affects our private and working lives. Cybercriminals continually exploit public interest in COVID-19 relief, vaccines, and variant news, spoofing the Centers for Disease Control (CDC), U.S. Internal Revenue Service (IRS), U.S. Department of Health and Human Services (HHS), World Health Organization (WHO), and other agencies and businesses.

Phishers targeting employees – According to Inky researchers, employees who have slowly been returning to work in offices and other company premises can expect cyber crooks to impersonate their colleagues and their company’s leadership. Judging by previously detected campaigns, the attackers will be hitting employees with emails made to look like they are coming from the HR or some other department, or from the CEO.

“Of course, we would be remiss if we didn’t mention that even if you’re one of the many companies remaining remote after the pandemic, you’re still at great risk of an email phishing attack,” the researchers noted.


Subject: Firefox 87 to limit the referrer for all cross-origin requests
Source: gHacks Tech News

Mozilla announced plans to trim the referrer that the Firefox web browser sends when requests are made for all cross-origin requests today to improve privacy. Requests made by the web browser, e.g. to load a webpage, image, CSS stylesheet, or advertisement, include the referrer. The referrer is usually the URL that users see in the browser’s address bar.

Up until now, Firefox and most other browsers trimmed the referrer only when requests were made from secure sites, e.g. those using HTTPS, to non-secure sites, e.g. those using HTTP.

The change is made silently in the background for all users of Firefox 87 or newer. Firefox 87 will be released on March 23, 2021 to the public.
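
The difference between the old and new behaviour described above, as an added example that is not from the gHacks article or from Mozilla. It models the two Referrer Policy values involved, "no-referrer-when-downgrade" (the earlier default) and "strict-origin-when-cross-origin" (the Firefox 87 default); the policy names come from the Referrer Policy specification rather than the excerpt, and all URLs are constructed samples.

```javascript
// Added example: models the Referer value sent under two Referrer Policy values.
// Simplification: a "downgrade" is treated as https -> anything that is not https.
const PAGE = "https://shop.example/account/orders?id=1234&token=abc#top"; // constructed

// Full referrer: the page URL without credentials or fragment.
function fullReferrer(url) {
  const u = new URL(url);
  u.username = "";
  u.password = "";
  u.hash = "";
  return u.href;
}

// Returns the Referer header value, or null when no referrer is sent.
function referrerFor(policy, fromUrl, toUrl) {
  const from = new URL(fromUrl);
  const to = new URL(toUrl);
  const sameOrigin = from.origin === to.origin;
  const downgrade = from.protocol === "https:" && to.protocol !== "https:";
  switch (policy) {
    case "no-referrer-when-downgrade":
      // Old default: path and query leak to any HTTPS third party.
      return downgrade ? null : fullReferrer(fromUrl);
    case "strict-origin-when-cross-origin":
      // New default: cross-origin requests only learn the origin.
      if (downgrade) return null;
      return sameOrigin ? fullReferrer(fromUrl) : from.origin + "/";
    default:
      throw new Error("policy not modelled here: " + policy);
  }
}

// Side-by-side view of what a request to toUrl reveals before and after.
function compare(toUrl) {
  return {
    before: referrerFor("no-referrer-when-downgrade", PAGE, toUrl),
    after: referrerFor("strict-origin-when-cross-origin", PAGE, toUrl),
  };
}

const targets = [
  "https://shop.example/static/site.css", // same origin
  "https://ads.example/pixel.gif",        // cross-origin, HTTPS
  "http://legacy.example/banner.png",     // HTTPS -> HTTP downgrade
];
for (const t of targets) console.log(t, compare(t));
```

For a site operator, the practical check is whether any third-party integration (analytics, affiliate tracking) relied on receiving the full path or query string, since after this change it only sees the origin.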

Subject: CISA Will Use New Authority Over Internet Service Providers to Fight Ransomware, Official Says
Source: Nextgov

In just about two more months the Cybersecurity and Infrastructure Security Agency plans to activate its newly minted power to force internet service providers to supply the identity of their customers, so officials can warn them about vulnerabilities in their systems. “It’s an important new authority, one that the agency has been pushing for for a couple of years, and we’re actually getting ready to bring it live, as we’ve finished up some of our procedures and training, in the next 60 days or so,” said Brandon Wales, CISA’s acting director.

Wales spoke with Auburn University’s Frank Cillufo during an event on the ransomware threat Monday. Cillufo, who is a member of the congressionally mandated Cyberspace Solarium Commission as well as the Homeland Security Department’s Advisory Council, asked how the operational technology of industrial control systems, in particular, is faring under rolling waves of ransomware attacks targeting state and local critical infrastructure.

The risk ransomware presents to the industrial control systems is increasing, Wales said, noting that another water facility was recently targeted. In this case, the facility was used for monitoring not treatment, so the impacts were minimal, he said, but he used the example to describe the vulnerability of the sector.

In the last National Defense Authorization Act, Congress gave CISA the authority to subpoena ISPs to hand over the contact information of entities where the agency observes an opening for exploitation.

Subject: Feds lead in DMARC use
Source: GCN

The federal government is the leading user of DMARC, an authentication protocol used to protect email against spoofing, which enables phishing and other e-mail based attacks or scams. Domain-based Message Authentication, Reporting and Conformance, a vendor-neutral authentication protocol, allows email domain owners to protect their domain from unauthorized use, or spoofing. Seventy-eight percent of all federal domains have published a DMARC record, and 74% of those records have an enforcement policy, meaning that 74% of federal domains are now protected from spoofing. Those numbers come from the “Email Fraud Landscape: Spring 2021” report that Valimail, a maker of zero-trust, identity-based anti-phishing solutions, released today. “This high rate of deployment and enforcement is a direct result of a 2017 directive from the Department of Homeland Security, BOD 18-01, which mandated DMARC enforcement for all executive branch domains, except for intelligence- and defense-related ones,” the report states. It credits the detailed documentation and enabling tools that DHS provided with the order for the high level of compliance.

Subject: High-Risk Series: Federal Government Needs to Urgently Pursue Critical Actions to Address Major Cybersecurity Challenges
Source: GAO

The federal government needs to move with greater urgency to improve the nation’s cybersecurity as the country faces grave and rapidly evolving threats. This report reiterates that the government needs to take 10 critical actions to address 4 major challenges we identified in 2018, including securing federal systems and protecting critical infrastructure. Since then, the government has made some improvements, but weaknesses remain—as seen in the Dec. 2020 discovery of a major cyberattack on agencies, infrastructure, and the private sector.

Ensuring the Cybersecurity of the Nation remains on our High Risk List.

What GAO Found – GAO reiterates the importance of addressing the four major cybersecurity challenges and the 10 associated critical actions listed below. Four Major Cybersecurity Challenges and 10 Associated Critical Actions

Full Report (101 pages)
Highlights Page (2 pages)

Subject: The Riskiest ‘Smart City’ Technologies, According to Cybersecurity Experts
Source: Route Fifty

Technology like sensors built into infrastructure and emergency alerts has possible benefits, but in a new study dozens of experts weigh in on where some of the more significant pitfalls may lie. Certain “smart city” technologies are likely to be far more vulnerable to cyberattacks and attractive to hackers than others, according to a new report. It’s something local governments may want to consider as they build out higher-tech infrastructure. Researchers at University of California, Berkeley’s Center for Long-Term Cybersecurity asked 76 cybersecurity experts to rank nine different types of smart city technology based on its underlying technical vulnerabilities, attractiveness to hackers and the potential consequences of a serious and successful cyberattack. People who responded to the poll pointed to emergency alert systems, street video surveillance and smart traffic signals as posing some of the greater risks. Those surveyed identified these technologies as the most vulnerable from a technical standpoint, as well as having a high potential for negative consequences if hacked, and said they are likely to be more attractive targets for sophisticated, nation-state attackers…

High-tech waste and recycling bins and satellite water leak detection systems were two of the technologies that carry the least cybersecurity risks, according to poll respondents.


Subject: Anyone with an iPhone can now make deepfakes | beSpacific
Source: WaPo via beSpacific

Washington Post – “We aren’t ready for what happens next. Realistic videos of people doing things that never really happened have become shockingly easy to create. Now is the time to put in some guardrails. The past few months have brought advances in this controversial technology that I knew were coming, but am still shocked to see. A few years ago, deepfake videos — named after the “deep learning” artificial intelligence used to generate faces — required a Hollywood studio or at least a crazy powerful computer. Then around 2020 came apps, like one called Reface, that let you map your own face onto a clip of a celebrity.
Now with a single source photo and zero technical expertise, an iPhone app called Avatarify lets you actually control the face of another person like a puppet. Using your phone’s selfie camera, whatever you do with your own face happens on theirs. Avatarify doesn’t make videos as sophisticated as pro fakes of Tom Cruise that have been flying on social network TikTok — but it has been downloaded more than 6 million times since February alone. (See for yourself in the video I made on my phone to accompany this column.)  Another app for iPhone and Android devices called Wombo turns a straight-on photo into a funny lip-sync music video. It generated 100 million clips just in its first two weeks…”

Subject: 5 Common Cybercrime Attack Vectors and How to Avoid Them
Source: MakeUseOf via beSpacific

Cybercriminals rely on the same group of attack vectors to attempt to fool you. Learn what those vectors are and avoid them.

MakeUseOf – “The threat landscape has significantly expanded with the proliferation of the internet and digital connectivity. As of March 2020, there were more than 677 million new malware detections. This figure by Statista indicates a growing threat of cyberattacks against individuals and businesses. Cybercriminals take advantage of cyberattack vectors to bypass your basic security defenses. These vectors fall into several categories, each of which uses a different approach to compromise your system’s security. In this post, we’ll take you through some of the most common vectors of attacks and the countermeasures you can take to effectively combat these threats…”

Abstracted from beSpacific