Pete Recommends – Weekly highlights on cyber security issues, August 15, 2021

Subject: Microsoft Edge’s ‘Super Duper Secure Mode’ Does What It Says
Source: WIRED
https://www.wired.com/story/microsoft-edge-super-duper-secure-mode-facebook-instagram-hacks-bans-security-new/

This week, Apple made an announcement as surprising as it was controversial. The company will begin scanning both iCloud and user devices for child sex abuse materials. It’s using clever cryptography to do so, and it won’t actually be able to view the images on a user’s iPhone, iPad, or Mac unless it detects multiple instances of CSAM. But some cryptographers sounded the alarm over how the technology could be used in the future, especially by authoritarian governments.

This week also marked the kickoff of the Black Hat security conference, which means hacks aplenty. A Google researcher found eavesdropping vulnerabilities in several major messaging apps; they’ve all been patched by now, but it speaks to what appears to be an endemic problem with certain kinds of video calls. Pneumatic tubes found in lots of US hospital systems are vulnerable to attack, which could cause chaos and delays, though not necessarily in that order. A fix went out this week, but as with a lot of IoT updates it’s going to be a mixed bag as to who actually installs them and when. And we spoke with one hacker who says he figured out how to control the lights, fans, and convertible beds in a capsule hotel in Japan—and used that knowledge to torment a noisy neighboring guest.

We took a look at how regulators in France have managed to move the needle on Google and privacy. We whipped up a primer on RCS, the texting standard that’s going to make your life a lot easier as soon as all the players get on board. And we tried Citizen’s controversial new app that charges $20 a month for a personal security service.

And there’s more! Each week we round up all the security news WIRED didn’t cover in depth. Click on the headlines to read the full stories, and stay safe out there.


Subject: Cybersecurity
Source: Lawfare
https://www.lawfareblog.com/topic/cybersecurity

As our lives become increasingly dependent upon computer systems and cyber technologies grow ever more sophisticated, the internet has emerged as the new battleground of the 21st century. From criminals’ stealing credit card and social security number information to foreign governments’ hacking into American companies’ information systems, cyber attacks can take on myriad forms, prompting the government to formulate new measures to protect online security. Since cyberwarfare knows no territorial bounds, ensuring cybersecurity will also require international cooperation and an updated understanding of jus ad bellum, as it applies to cyber attacks.

View all Topics [Note – There are dozens of topics specific to national and global issues – this is an excellent resource for legal/CI/BI researchers.]


Subject: The Ethics of Data: Anonymity Vs Analytics
Source: NISO via beSpacific
https://www.bespacific.com/the-ethics-of-data-anonymity-vs-analytics/

NISO: “We are living in unprecedented times. We walk around with powerful computers in our pockets that can track our every move. We regularly offer up our location and vital information on what we buy, watch, and read to digital global powerhouses such as Facebook, Google, and Amazon.  This data is, of course, used to provide us with product and service suggestions designed to improve our lives. The technology now known as “big data” is a battleground for surveillance. Many feel we are living in a Big Brother world, where our every physical and online movement, purchase, and personal message is stored to create a picture of us that may or may not be accurate.  The age of big data is now firmly upon us, and we therefore …

Filed: https://www.niso.org/niso-io


Subject: Here’s How Amazon Third-Party Sellers Reportedly Hound Customers Who Leave Bad Reviews
Source: Gizmodo
https://gizmodo.com/heres-how-amazon-third-party-sellers-reportedly-hound-c-1847446648

Some companies are offering “reviewer lookup” services so sellers can hunt down unsatisfied customers.

These days, most of the merchandise on Amazon’s online marketplace isn’t actually from Amazon. An estimated 56% of all products sold on the platform come from third-party sellers. Now, these sellers aren’t supposed to be able to email their Amazon customers directly, and doing so outside of Amazon’s official channels violates the platform’s terms of service.

However, a concerning new Wall Street Journal report shows that some sellers are still finding ways to get in touch with buyers and hound them about editing or deleting their negative reviews, and some companies even offer “email extraction” and “reviewer lookup” services so sellers can hunt down unsatisfied customers.

One such customer the Journal spoke with is New Yorker Katherine Scott, who said she left a negative review for a kitchen oil spray bottle that she bought in March after the product didn’t work as advertised. A week later, someone claiming to be a customer service rep from the seller reached out via email to offer her a refund in exchange for deleting her review.

When it comes to sharing information with third-party sellers, Amazon only releases “customers’ personal information related to those transactions with that third party,” according to its privacy notice. Qualified sellers have the option of using Amazon’s buyer-seller messaging service, but that uses a unique encrypted email address rather than the customer’s personal email.

“We do not share customer email addresses with third-party sellers,” an Amazon spokesperson told the Journal.

Amazon’s customer product review policies for sellers explicitly prohibit them from asking a customer to change or remove their review. Sellers are also banned from offering “a refund or other compensation” to a reviewer in exchange for editing their review.

So what should you do if a seller tries to pressure you into changing your review? An Amazon spokesperson told the Journal that customers can report them by emailing [email protected] or clicking the “Report Abuse” link on the review page.

Filed: https://gizmodo.com/tech/amazon


Subject: Is identity theft insurance worth the money?
Source: NJ Money Help
https://njmoneyhelp.com/2021/08/is-identity-theft-insurance-worth-the-money/

Q. Is identity theft insurance worth the money? My kids are asking me if it is a scam.
— Mom

A. With all the data breaches we’ve seen, identity theft is a real risk for just about everyone.

Subject: Digital ID left out of infrastructure bill
Source: FCW
https://fcw.com/articles/2021/08/12/infrastructure-digital-id-senate.aspx

The bipartisan $1.2 trillion infrastructure bill that passed the Senate on Monday night has billions in technology investments, but a plan to dramatically ramp up the federal government’s involvement in digital identity was left on the cutting-room floor.

A draft version of the Senate infrastructure bill, which was obtained by FCW, included $500 million for the Department of Labor to institute a grant fund to supply states with digital identity proofing tools that are compliant with National Institute of Standards and Technology to combat fraud in unemployment insurance benefits.

Identity proofing is front of mind for some policymakers in part because of reports of very high levels of potential fraud in unemployment insurance after benefits were enhanced and expanded by the Coronavirus Aid, Relief and Economic Security Act. A February memo from the Labor Department Office of Inspector General warned that “potential fraud throughout the nation could easily range into the tens of billions of dollars.”


Subject: Apple Can Scan Your Photos for Child Abuse and Still Protect Your Privacy – If the Company Keeps Its Promises
Source: Nextgov
https://www.nextgov.com/ideas/2021/08/apple-can-scan-your-photos-child-abuse-and-still-protect-your-privacy-if-company-keeps-its-promises/184483/

The company will use some clever math to sniff them for instances of child abuse without looking at the photos.

The way companies that provide cloud storage for your images usually detect child abuse material leaves you vulnerable to privacy violations by the companies – and hackers who break into their computers. On Aug. 5, 2021, Apple announced a new way to detect this material that promises to better protect your privacy.

As a computer scientist who studies cryptography, I can explain how Apple’s system works, why it’s an improvement, and why Apple needs to do more.

Who holds the key?

Digital files can be protected in a sort of virtual lockbox via encryption, which garbles a file so that it can be revealed, or decrypted, only by someone holding a secret key. Encryption is one of the best tools for protecting personal information as it traverses the internet.

Can a cloud service provider detect child abuse material if the photos are garbled using encryption? It depends on who holds the secret key.

Many cloud providers, including Apple, keep a copy of the secret key so they can assist you in data recovery if you forget your password. With the key, the provider can also match photos stored on the cloud against known child abuse images held by the National Center for Missing and Exploited Children.

But this convenience comes at a big cost. A cloud provider that stores secret keys might abuse its access to your data or fall prey to a data breach.




Posted in: Congress, Cybercrime, Cybersecurity, Email Security, Encryption, Information Management, KM, Legal Research, Legislative, Privacy, Search Strategies