Pete Recommends – Weekly highlights on cyber security issues, September 12, 2021

Subject: As flood alerts lit up phones, did ‘warning fatigue’ set in?
Source: Associated Press with The Republic

NEW YORK — Cellphones across New York and New Jersey pulsed with urgent warnings of catastrophic flooding as the fury of Hurricane Ida’s remnants, carrying torrential rains, approached upper New Jersey and New York City on Wednesday. The first alerts of severe weather blared across millions of phones at 8:41 p.m. that night when the National Weather Service warned of dangerous flash flooding from the looming storm. Officials would issue three more alerts, late into the night, urging people to immediately head for higher ground and to stay out of rising floodwaters.

A barrage of other alerts from a litany of apps lit up phone screens throughout the night — prompting some to wonder if people were just too inundated with information to take the threat seriously.

The weather service acknowledged that in the past, alerts were being pushed out too often. There’s been lots of handwringing over how to get more people to heed warnings.

“It’s either they don’t believe the information that they’re hearing — they can’t verify it — or there’s some other reason that is completely out of anybody’s control,” said Ross Dickman, the meteorologist in charge of the National Weather Service in New York.

Last year, the federal weather service revamped its criteria for issuing alerts, mindful that it might have been overusing the Wireless Emergency Alert system, which first went into operation in 2012 and now broadcasts urgent warnings to more than 300 million cellular devices.

Subject: Russia Blocks Six VPNs for ‘Violating Legislation’

The move bans well-known VPN brands including NordVPN, Express VPN, Hola! VPN and IPVanish. The Russian government has announced that it has blocked six VPNs, claiming that they provide easy access to prohibited information and resources.

If this sounds familiar, there’s a reason. It’s not the first time that Russia has blocked VPNs, and is unlikely to be the last. While VPNs aren’t strictly illegal in Russia, they do need to be government approved. Despite the Russian government’s distrust of VPNs, they have actually become a much relied upon tool, globally, for businesses and consumers during the pandemic.


Subject: ProtonMail Shares Activist’s IP Address With Authorities Despite Its “No Log” Claims
Source: The Hacker News

End-to-end encrypted email service provider ProtonMail has drawn criticism after it ceded to a legal request and shared the IP address of anti-gentrification activists with law enforcement authorities, leading to their arrests in France. The Switzerland-based company said it received a “legally binding order from the Swiss Federal Department of Justice” related to a collective called Youth for Climate, which it was “obligated to comply with,” compelling it to hand over the IP address and information related to the type of device used by the group to access the ProtonMail account.

“There was no possibility to appeal or fight this particular request because an act contrary to Swiss law did in fact take place (and this was also the final determination of the Federal Department of Justice which does a legal review of each case),” the company said in a lengthy response posted on Reddit.

“Proton must comply with Swiss law. As soon as a crime is committed, privacy protections can be suspended and we’re required by Swiss law to answer requests from Swiss authorities,” ProtonMail founder and CEO Andy Yen tweeted, adding “It’s deplorable that legal tools for serious crimes are being used in this way. But by law, [ProtonMail] must comply with Swiss criminal investigations. This is obviously not done by default, but only if legally forced.”

Subject: Zero trust and cybersecurity: Here’s what it means and why it matters
Source: ZDNet

However, NCSC acknowledges that not every organization will be ready to adopt a zero trust architecture. It also stressed it isn’t a standard or specification, but rather “an approach to designing a network” — meaning it can be difficult to know if you’re doing it right.

On top of this, there may be direct and indirect costs that arise from a migration to a zero trust network design. Direct costs include new products, devices, and services. Indirect costs include training engineers, new licensing costs, and subscriptions. NCSC notes that these ongoing costs could, however, be less than the cost of maintaining and refreshing existing network services.

“Moving to a zero trust architecture can be a very disruptive exercise for an organisation,” NCSC warns. “It can take several years to migrate to a ‘fully zero trust’ model due to the extent to which changes may need to be made across your enterprise.

“Defining an end state for a migration is difficult when the model you’re aiming for may evolve during rollout.”

Finally, NCSC warns of vendor lock-in and cloud lock-in that may restrict an organization’s ability to move some systems to other services in the future.

NCSC lays out five reasons why zero trust might be a good philosophy to adopt:

Subject: U.K. Government Pays Firms To Bypass Facebook Encryption
Source: Forbes

The U.K. government is reportedly offering firms over $100,000 each if they can develop technologies that will bypass Facebook’s end-to-end encryption. The cash awards are the U.K. Home Secretary’s latest salvo in a long-running dispute with the social network over end-to-end encryption. Priti Patel has repeatedly argued that encrypting messaging services makes it harder for law enforcement to track child abusers and terrorists on services such as WhatsApp and Facebook Messenger.

This money will “be awarded based on their potential for innovative solutions to detect images or videos showing sexual abuse of children while ensuring end-to-end encryption is not compromised”. Quite how the firms could intercept the content of messages without breaking encryption is far from clear.

Facebook has repeatedly defended its use of end-to-end encryption. A statement published earlier this year by Gail Kent, the company’s Messenger policy director, stated that: “There is a clear need to balance the privacy and security of people’s messages with maintaining a safe environment and providing data to law enforcement in response to potential real-world harms.”


Subject: Education Department Updates Rules and Criminal Penalties for Accessing Agency Data
Source: Nextgov

A new filing updates the department’s policies on who can access IT systems and data, as well as the fines and prison terms for unauthorized access or failing to secure data. The Education Department is rolling out new rules for accessing and handling agency data by third parties—including students, parents and loan companies—with updated criminal penalties for anyone not following the new statutes.

The new rules intend to bring the department into compliance with the 2019 Stop Student Debt Relief Scams Act and the 2020 revision to the Higher Education Act of 1965, which “explicitly makes unauthorized access to the department’s IT systems and the misuse of identification devices issued by the department a criminal act,” according to a notice set to publish Friday in the Federal Register.

The update defines an access device as any “card; plate; code; account number; electronic serial number; mobile identification number; other telecommunications service, equipment or instrument identifier; or other means of account access that can be used alone or in conjunction with another access device to obtain money, goods, services or any other thing of value or to initiate a transfer of funds.”

These devices cannot be shared, “including through a power of attorney,” the notice states.

The notice defines the acceptable use of systems, including who may be deemed an authorized user: students, borrowers or parents; a guaranty agency, eligible lender or third-party agency acting on their behalf; or a licensed attorney representing one of these groups.


Subject: 8 Easy Ways to Stay Anonymous Online
Source: PC Magazine

“…There are always going to be good reasons for people to go online without being tracked. For one, anonymity may be the only way for a real whistleblower to reveal corruption, considering how some have been treated. But there’s nothing wrong with wanting to stay anonymous, no matter what you’re doing. Is it even possible to take control of your own personal privacy online? Ultimately, the only way to stay truly anonymous online is…not to go online at all. That’s not a real option for most of us, though. Here’s a rundown of what you can do to minimize spying, targeted ads, and ID theft as you explore the online world…”

Posted in: Cybercrime, Cybersecurity, Email Security, Encryption, International Legal Research, Legal Research, Privacy, Social Media