Pete Recommends – Weekly highlights on cyber security issues, May 8, 2021

Subject: Ransomware Reality Shock: 92% Who Pay Don’t Get Their Data Back
Source: Forbes

According to the Sophos State of Ransomware 2021 report, the number of organizations deciding to pay a ransom has risen to 32% in 2021 compared to 26% last year. Here’s the thing though, that same global survey discovered that only 8% of them got all their data back despite doing so. Nearly a third, 29%, couldn’t recover more than half the encrypted data.

Cost of ransomware recovery has doubled across 12 months. The Sophos research suggests that average ransomware recovery costs are now $1.85 million compared to $761,106 a year ago.

Ransomware is a business, a dirty, criminal business but one nonetheless. The gangs behind the attacks are well organized and used to the negotiation process, amenable to talking numbers. Of course, the value of that stolen data increasingly comes into play, and it may be that the auction price exceeds what an organization is prepared to pay. Still, that Sophos concludes the average total cost of ransomware attack recovery is ten times the average ransom payment is food for thought. The cybercriminals know this, and it’s yet another piece of the extortion leverage picture.

The brutal truth: it doesn’t pay to pay

Subject: Can zero trust really protect government from cyberattacks?
Source: GCN

It’s clear from the recent spate of cyberattacks on government networks, be it the SolarWinds incident or the Russian intelligence breach of the Treasury and Commerce Departments, our adversaries are finding new ways to infiltrate government systems. Once considered impenetrable, the U.S. now lags behind in cyberwarfare. As Brandon Wales, acting director of the Cybersecurity and Infrastructure Security Agency, recently explained to lawmakers on the Homeland Security and Government Affairs Committee, “Our adversaries have advanced, they are no longer using the same infrastructure to target us repeatedly.” It is imperative that we adapt our security practices.

One of the approaches under discussion is zero trust. Zero trust is based on the assumption that everyone, inside or outside the network, could be a threat. It is the strategy of skeptics, which in the field of security, pays significant dividends.

Practically speaking, zero trust involves adopting very granular, rigid user identification policies, strict authentication, role-based access, time and/or location access, and a host of other conditions that define when, where and how employees can access systems and digital assets. Data and resources are segmented down to the personal level. There is a new level of control so that any threat, even an internal one, can be contained.
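The conditions listed above (identity, role, MFA, device state, location, time window) are easiest to see as a deny-by-default policy evaluator. The following is an added example written for this digest, not code from GCN or from any agency; the resources, roles and the sample policy are constructed, and the request attributes are assumed to come from an identity provider and device-management system.

```python
from dataclasses import dataclass
from datetime import datetime, time, timezone


@dataclass(frozen=True)
class Request:
    """One access attempt, carrying every attribute the policy may inspect."""
    user: str
    roles: frozenset
    mfa_verified: bool
    device_managed: bool
    country: str          # ISO country code derived from the source address (assumed)
    when: datetime        # timezone-aware timestamp of the attempt
    resource: str
    action: str


@dataclass(frozen=True)
class Rule:
    """A single grant: every condition must hold, or the rule does not apply."""
    resource: str
    actions: frozenset
    required_role: str
    allowed_countries: frozenset
    window_utc: tuple      # (start, end) as datetime.time values, inclusive, UTC
    require_mfa: bool = True
    require_managed_device: bool = True


# Constructed sample policy (hypothetical resources and roles).
POLICY = (
    Rule("hr/payroll", frozenset({"read"}), "hr-analyst",
         frozenset({"US"}), (time(7, 0), time(19, 0))),
    Rule("hr/payroll", frozenset({"read", "write"}), "hr-admin",
         frozenset({"US"}), (time(7, 0), time(19, 0))),
    Rule("public/docs", frozenset({"read"}), "employee",
         frozenset({"US", "CA", "GB"}), (time(0, 0), time(23, 59, 59)),
         require_managed_device=False),
)


def evaluate(req, policy=POLICY):
    """Deny by default: access is granted only if some rule for this
    resource/action is satisfied on every condition. Each unmet condition is
    recorded so a denial is auditable and an alert can name the reason."""
    reasons = []
    when_utc = req.when.astimezone(timezone.utc).time()
    for rule in policy:
        if rule.resource != req.resource or req.action not in rule.actions:
            continue
        unmet = []
        if rule.required_role not in req.roles:
            unmet.append(f"role {rule.required_role} missing")
        if rule.require_mfa and not req.mfa_verified:
            unmet.append("MFA not verified")
        if rule.require_managed_device and not req.device_managed:
            unmet.append("device not managed")
        if req.country not in rule.allowed_countries:
            unmet.append(f"country {req.country} not allowed")
        start, end = rule.window_utc
        if not (start <= when_utc <= end):
            unmet.append(f"outside window {start}-{end} UTC")
        if not unmet:
            return "ALLOW", [f"rule for role {rule.required_role} satisfied"]
        reasons.append(f"rule for role {rule.required_role}: " + "; ".join(unmet))
    return "DENY", reasons or ["no rule covers this resource/action"]


def decide(user, roles, mfa, managed, country, iso_ts, resource, action):
    """Convenience wrapper taking plain values; iso_ts is an ISO 8601 timestamp
    with an offset, e.g. '2021-05-08T14:00:00+00:00'."""
    req = Request(user, frozenset(roles), mfa, managed, country,
                  datetime.fromisoformat(iso_ts), resource, action)
    return evaluate(req)


if __name__ == "__main__":
    # An analyst reading payroll from a managed, MFA-verified session in
    # business hours is allowed; the same user writing payroll is denied.
    print(decide("alice", ["hr-analyst"], True, True, "US",
                 "2021-05-08T14:00:00+00:00", "hr/payroll", "read"))
    print(decide("alice", ["hr-analyst"], True, True, "US",
                 "2021-05-08T14:00:00+00:00", "hr/payroll", "write"))
```

Two design points matter for containment of an internal threat: there is no implicit allow (an unknown resource or action is denied without a rule ever being consulted), and every condition is checked per request rather than once at login, so a session that loses MFA status or moves off a managed device stops being trusted.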

Subject: Your Old Phone Number Could Get You Hacked, Researchers Say
Source: Gizmodo

When you get a new phone number, mobile carriers will often “recycle” your old one—assigning it to a new phone and, therefore, a new customer. Carriers say the reason they do this is to stave off a hypothetical future of “number exhaustion”—a sort of “peak oil” for phone numbers, when every possible number that could be assigned to a phone has been taken. However, the act of number recycling actually brings with it a host of security and privacy risks, a new study conducted by Princeton University researchers shows. More often than not, recycled numbers allow new customers access to old customer information, opening up opportunities for a variety of invasive, potentially exploitative encounters.

For one thing, new number owners will often continue to get personalized updates meant for the former owner. This can be quite invasive—for both parties: The study relates one particular incident in which a user of a new number was “bombarded with texts containing blood test results and spa appointment reservations” that were obviously meant for someone else. While this may sound more comical than concerning, the access presented by a phone number can obviously be a lot more dire.


Subject: Report – how law enforcement can extract sensitive data from your car
Source: The Verge via beSpacific

The Verge: “A new report from The Intercept has shed light on a worrying new technology that lets law enforcement agencies extract personal data from people’s cars. It reports that US Customs and Border Protection (CBP) recently made an order worth hundreds of thousands of dollars from Swedish data extraction firm MSAB which included iVe “vehicle forensics kits” made by US firm Berla. Here’s what MSAB advertises the kits can do, according to The Intercept:…

Subject: Covid vaccination card fraud prompts CDC action
Source: NBC News

Specific directions showing how to forge Covid-19 vaccination cards have proliferated on conspiracy, pro-Trump and anti-vaccination forums throughout the internet in recent weeks, as users have exploited a largely makeshift verification system. The cards, distributed by the Centers for Disease Control and Prevention, have been handed out to the more than 140 million Americans who have already received at least one dose of a Covid-19 vaccination. The Biden administration has declared it wouldn’t create a federal vaccination database, citing privacy concerns, paving the way for the cards to become the country’s default national way to verify if someone has been vaccinated.

And while one state — New York — has embraced a vaccination verification app, there is scant evidence that others are close behind.

Seven universities that already have plans in place to ask students to be vaccinated before attending this fall — American University, Bowdoin College, the University of Colorado Boulder, Fairleigh Dickinson University, Fort Lewis College, Rutgers University and Wesleyan University — all said the verification process would consist of asking students to upload their CDC cards, at least if they’re coming from out of state.

But since the cards are marked by hand, don’t contain much information, are printed on easily obtainable heavy white paper and are impossible to quickly verify, it leaves an opportunity for the anti-vaccine community to beat the system by sharing directions on how to forge them.

On conspiracy and anti-government forums throughout the web, users have linked to card templates that were left visible on the websites of state governments, including high-resolution PDFs from the websites of both the Wyoming and Missouri health departments.

On the extremist forum 4chan, users were told to download a template from Wyoming’s Department of Health website, then given specific directions for the thickness of cardstock needed to replicate the cards. The directions note that some vaccination centers affix stick-on labels on cards to denote the date, so the recommended resolution for the printed labels is also provided.

Despite how easy the cards are to forge, digital privacy advocates say that a paper-based system is still preferable to a central online database or smartphone app. More programs like New York’s Excelsior program — so far the only statewide smartphone app that functions as a vaccine passport — would create more ways for individuals’ data to be monitored, said Hayley Tsukayama, a legislative activist at the Electronic Frontier Foundation, a digital rights nonprofit.

“Setting up massive systems for tracking folks, collecting their information, and then with no kind of exit plan, how is that data going to be treated?” she said.


Subject: Google Plans to Automatically Enroll Users In 2FA
Source: Gizmodo

“Soon we’ll start automatically enrolling users in 2SV [two-step verification] if their accounts are appropriately configured,” writes Mark Risher, Google’s director of product management, identity, and user security. “Using their mobile device to sign in gives people a safer and more secure authentication experience than passwords alone.” Risher then pointed to Android’s built-in security keys and the Google Smart Lock app for iOS password managers as other examples of efforts to make 2FA less cumbersome. He also highlighted Chrome’s built-in password manager, as well as the recently launched Password Import feature, which lets you upload 1,000 passwords from third-party sites into Google’s password manager for free.

Subject: State laws hint at privacy best practices
Source: GCN

California’s landmark 2018 privacy law, the California Consumer Privacy Act (CCPA), was a turning point for privacy laws in the United States. Today, some 28 states have privacy bills either passed into law or working their way into legislation. These various state privacy laws will not directly impact government agencies, as there are specific carve-outs for them in every major regulation. Instead, federal agencies must meet the standards of the Privacy Act of 1974, while state and local municipalities will be governed by state-specific rules. However, it is important for government IT teams to be familiar with how these new laws apply to commercial entities because they generally represent best practices for handling sensitive information. And after all, much has changed since 1974.

Deliver disclosures through a privacy policy – The privacy policy is the main vehicle to deliver disclosures prior to collection of personal data. The content of the disclosure should include at least the following:

Subject: Ransomware attack leads to shutdown of major U.S. pipeline system
Source: Washington Post

Colonial Pipeline says it transports 45 percent of the fuel consumed on the East Coast, reaching 50 million Americans. A ransomware attack caused a major East Coast fuel pipeline operator to shut down its entire network on Friday, according to two U.S. officials familiar with the matter. The attack on top U.S. fuel pipeline operator Colonial Pipeline appears to have been carried out by a criminal group, but federal officials and the private security firm Mandiant are still investigating the matter, one official said.