Pete Recommends Weekly highlights on cyber security issues, January 29, 2022

Subject: The Internet’s Most Tempting Targets
Source: Threatpost

What attracts the attackers? David “moose” Wolpoff, CTO at Randori, discusses how to evaluate your infrastructure for juicy targets.

The number of exposed assets keeps climbing, but existing security strategies aren’t keeping up. Attack surfaces are getting more complex, and the excruciatingly hard part is figuring out where to focus. For every 1,000 assets on an attack surface, there is often only one that’s truly interesting to an attacker. But how is a defender supposed to know which one that is?

This becomes especially difficult in the wake of Log4j. Even Jen Easterly made a point to remind people that enumerating what’s on your attack surface is a key way to mitigate a Log4j incident.

Randori spent some time researching what internet-exposed software is most tempting to an attacker—we use six attributes we assess to determine a piece of software’s Temptation Score: enumerability, exploitability, criticality, applicability, post-exploitation potential, and research potential. Using some math and fancy algorithms we end up with a “Target Temptation” Score—basically calculating the attackability of an internet-facing asset.


Subject: Merck Awarded $1.4B Insurance Payout over NotPetya Attack
Source: Threatpost

Merck’s $1.75 billion property insurance policy will have to cover the damage the NotPetya attacks did to the company’s 40,000 computers, totaling more than $1.4 billion, according to the court filing.

The ruling also explains that any “ambiguity” in the language of an insurance policy should, by legal precedent, be interpreted to meet the “reasonable expectations” of the policy holder.

Insurance Policy Language

Insurance companies are already tightening up policy language to stave off nation-state cybersecurity claims.

“The growth of ransomware is pushing the financial boundaries of insurance companies, so they’ve been looking for escape hatches,” Netenrich threat hunter John Bambenek told Threatpost by email. “‘Act of war’ clauses are common in insurance contracts, but only in cybersecurity is there any real risk of that. Organizations will have to bake in this gap into their risk-mitigation plans, but the answer to cybersecurity has never been ‘more insurance’ anyway.”

Subject: Google Voice Authentication Scam Leaves Victims on the Hook
Source: Threatpost

[from early January … ]

The FBI is seeing so much activity around malicious Google Voice activity, where victims are associated with fraudulent virtual phone numbers, that it sent out an alert this week.

So they tell you they will send you a Google authentication code in the form of a voice call or a text message, and then ask you to repeat the number back to them to prove you’re real.

In reality, they’re setting up a Google Voice account in your name, using your phone number, and the “authentication” code is actually the two-step verification code needed to complete the set-up process.

Why Google Voice?

The Google Voice service offers virtual phone numbers that can be used to make domestic and international calls, or send and receive text messages from a browser. That account can be used to launch any number of scams, the FBI said, all without the ability to be traced directly back to the scammer. As well, the code can be used to gain access to, and hijack, Gmail accounts.

The scammers often use the Google Voice number in fraudulent ads on marketplace websites or for other criminal activity, hiding their true identity and leaving the victim looking like the guilty party. Sometimes the scammers are also looking for other information about the target that they can use to access online accounts or open new accounts in the victim’s name.

Anatomy of a Google Voice Scam

As the Federal Trade Commission (FTC) explained in October, this is how a Google Voice verification code scam typically works:

How to Avoid the Google Voice Scam

The FBI offered these ways for consumers to protect themselves from falling victim to such gambits:

[NB Also check your GV account to see what telephone numbers are linked to your account, and remove any that you don’t recognize /pmw1]

Subject: Hotel chain switches to Chrome OS to recover from ransomware attack
Source: The Record by Recorded Future

A Scandinavian hotel chain that fell victim to a ransomware attack last month said it took a novel approach to recover from the incident by switching all affected systems to Chrome OS.

Nordic Choice Hotels, which operates 200 hotels across Northern Europe, fell victim to a ransomware attack on December 2, when hackers encrypted some of its internal systems using the Conti ransomware strain.

The attack prevented staff from accessing guest reservation data and from issuing key cards to newly arriving guests, as one of the hotel’s guests told The Record in an interview last month.

Hotel chain uses CloudReady to migrate affected systems

But in a press release today, Nordic Choice said that instead of contacting the hackers and negotiating a ransom for the decryption key that would have unlocked the infected devices, the hotel chose to migrate its entire PC fleet from Windows to Chrome OS.

“[I]n less than 24 hours, the first hotel was operating in the Chrome OS ecosystem from Google. And in the following two days, 2000 computers were converted all over the company consisting of 212 hotels in five different countries,” the hotel chain explained.

For the migration process, Nordic Choice said they used a tool called CloudReady, which can prepare and port old Windows and macOS computers to Chrome OS setups.

Subject: Ethics and ownership of AI-powered identities
Source: VentureBeat

With the tremendous advances in how AI/ML technologies are being deployed, one of the most exciting, controversial, and rapidly evolving advances relates to human voice. One particular example jumps out as encapsulating the complex of issues and emotions tied to AI-powered voices.

Last summer, AI technology was used to give voice to some of the late Anthony Bourdain’s writings, words that he never spoke or read aloud but were nevertheless his; voice cloning technology brought the text to life in Roadrunner: A Film About Anthony Bourdain. Some in the audience felt duped that it wasn’t really Bourdain, others thought the move was a misstep as Bourdain was not alive to give permission to manipulate his voice in such a way, while many felt it was simply a creative storytelling device.

The Bourdain example highlights two key issues that will rise to the forefront of how AI-based voice technologies will be used in the future. … On the surface, it is something that can be addressed simply enough through licensing deals and contracts with the entertainer’s estate or, ideally, determined while the artist is still alive. As the practice becomes more common, we should be prepared to see a sort of name, image, voice, likeness clause within a person’s Will, particularly one that governs their posthumous wishes or appoints a manager for overseeing the career of their virtual self — much the same way they have a business manager in life. … Virtual identity will become a currency that should be regarded similar to their physical assets, one in which they can specify their wishes in life and death, and appoint managers and executors to approve its usage moving forward. This may sound far-fetched, but digital voices don’t age, nor do avatars. With the metaverse going mainstream, our virtual selves can live well beyond our years.

Subject: Google deceived consumers about how it profits from their location data, attorneys general allege in lawsuits
Source: WaPo via beSpacific

Washington Post: “Attorneys general from D.C. and three states sued Google on Monday, arguing that the search giant deceived consumers to gain access to their location data. The lawsuits, filed in the District of Columbia, Texas, Washington and Indiana, allege the company made misleading promises about its users’ ability to protect their privacy through Google account settings, dating to at least 2014. The suits seek to stop Google from engaging in these practices and to fine the company. The complaints also allege the company has deployed “dark patterns,” or design tricks that can subtly influence users’ decisions in ways that are advantageous for a business. The lawsuits say Google has designed its products to repeatedly nudge or pressure people to provide more and more location data, “inadvertently or out of frustration.” The suits allege this violates various state and D.C. consumer protection laws…”

Subject: Part I: Billions Of Dollars Of Unemployment Aid Stolen From State Likely Won’t Be Recovered
Source: CBS Pittsburgh

Trisch is just one of hundreds of thousands of Pennsylvanians victimized by unemployment ID theft. While the couple struggles to get by in their small Rankin home, cyber criminals have gotten rich, siphoning off billions of dollars from the state’s unemployment system.

And as state and federal authorities are prosecuting about a dozen domestic thieves, Haywood Talcove, the CEO of government business for the security firm LexisNexis, said the lion’s share of the money is now in the hands of international cyber criminal organizations in places like Nigeria, China, Russia and Romania.

“That money — 70 percent of it — went overseas to transnational criminal groups,” he said. “They will never be able to arrest the individuals who did this because 70 percent of them don’t live in this country. They’ve converted that money into anonymous wallets, then converted it into bitcoin, and it’s now being used for nefarious purposes.”


Other articles:

Subject: GSA Working to Expand on Social Security Administration’s Digital Identity System
Source: Nextgov

There’s a solid cybersecurity argument for electronic verification, but equity can’t be neglected, observers say.

“Everything about’s process is invasive, creepy and unsafe. The federal government should abandon plans to require millions of Americans to use this facial recognition system to complete their taxes … the company alleges in-person verification options, but has no information on their site about where and how to access these options.”

Lam said the in-person option is a must-have for identity verification systems, as many of the people seeking government services may not have a smartphone.


Subject: How to Download Everything Amazon Knows About You (It’s a Lot)
Source: Lifehacker via beSpacific

Lifehacker – “Alexa has been keeping tabs on you. Here’s how to see what it knows. Here’s a fun thought experiment; picture the amount of personal data you think tech companies keep on you. Now, realize it’s actually way more than that (hmm, maybe this isn’t that fun). Even as privacy and security become more talked about in consumer tech, the companies behind our favorite products are collecting more and more of our data. How much? Well, if you want to know the information, say, Amazon has on you, there is a way to find out. And it’s a lot. To be clear, data collection is far from an Amazon-specific problem; it’s pretty much par for the course when it comes to tech companies. …[fast path:]

Subject: White House clamps down on federal cybersecurity after big hacks
Source: CNN Politics

Washington (CNN) The White House plans to release an ambitious strategy Wednesday to make federal agencies tighten their cybersecurity controls after a series of high-profile hacks against government and private infrastructure in the last two years, according to a copy shared with CNN.

It’s one of the biggest efforts yet by the Biden administration to secure the computer networks that the government relies on to do business.

Under the strategy, federal employees will need to sign on to agency networks using multiple layers of security and agencies will have to do a better job of protecting their internal network traffic from hackers. The strategy gives agencies until the end of the 2024 fiscal year to meet these benchmarks and others.

The strategy seeks to apply a cybersecurity concept known as “zero trust,” which is popular at big corporations, to the federal government. “Zero trust” dictates that no computer user or system inside or outside an organization is inherently trusted. Continuous security checks are needed to ensure that hackers aren’t impersonating someone, and systems should be isolated when possible to keep malicious code from spreading.

Subject: A Former Hacker’s Guide to Boosting Your Online Security
Source: ProPublica

More stolen personal data is available online than ever before. A man who once ran a website that prosecutors called the Amazon of stolen identity information offers his tips on the best ways to protect your data.

… it’s impossible to create an impenetrable shield. But here are some of his tips for how you can mitigate your risks, along with some other practical online security advice.


Subject: How’s Face Recognition for IRS, Unemployment Works
Source: Gizmodo

New statements from the company’s CEO show it may use a more expansive facial recognition system than previously known.

Privacy groups are demanding transparency following news that—the biometric identity verification system used by the IRS and over 27 states—has failed to be entirely transparent in how its facial recognition technology works.

In a LinkedIn post published on Wednesday, founder and CEO Blake Hall said the company verifies new enrolling users’ selfies against a database of faces in an effort to minimize identity theft. That runs counter to the more privacy-preserving ways has pitched its biometric products in the past and has drawn scrutiny from advocates who argue members of the public compelled to use for basic government tasks have unclear information.

“The IRS needs to immediately halt its plan to use facial recognition verification, and all government agencies should end their contracts with,” Seeley George wrote. “We also think that Congress should investigate how this company was able to win these government contracts and what other lies it might be promoting.”

“The fact that they [] weren’t transparent about this is just another sign we’re making up important policies for how Americans relate to their government by letting private companies make things up as they go along in secret,” Stanley said. “If this company was a government agency they would be subject to FOIA and the Privacy Act and other checks and balances that have been developed over many decades to forestall the kinds of problems that can emerge.”

“More fundamentally, we have to ask why Americans should trust this company with our data if they are not honest about how our data is used. The IRS shouldn’t be giving any company this much power to decide how our biometric data is stored.”


[what’s amazing is that this anti-fraud process seems to require much the same info as when applying for a Real ID … too bad that couldn’t be used/leveraged /pmw1]

Subject: FTC Warns of 18-Fold Surge in Investment, ‘Romance’ Scams on Social Media
Source: Nextgov

More than 95,000 Americans were bilked over social media in 2021 resulting in losses approaching $1 billion. [Almost in time for Valentine’s Day … ] Be careful about lending that attractive new Facebook friend or Instagram follower money, the Federal Trade Commission warned this week.

According to an FTC report, American consumers lost about $770 million to fraud schemes originating on social media in 2021, an 18-fold increase over money lost over social media in 2017. The “massive surge” of fraud originating on social platforms is being driven chiefly by investment scams involving cryptocurrency and “romance scams,” the agency warned.

“Losses to romance scams have climbed to record highs in recent years. More than a third of people who said they lost money to an online romance scam in 2021 said it began on Facebook or Instagram,” the FTC reports. “These scams often start with a seemingly innocent friend request from a stranger, followed by sweet talk, and then, inevitably, a request for money.”

While romance scams accounted for only 9% of total reports to the FTC, they were the most cost-effective for fraudsters, accounting for 24% of all money lost to fraud over 2021, or about $190 million.

Investment scams accounted for 37% of all losses, while the most common report originated from Americans trying to buy something marketed or for sale on social media. In total, 45% of all reports of money lost to social media were related to online shopping, according to the report.


Subject: Report: Emerging Tech Has Become a Tool for Government Censorship
Source: Nextgov

The U.S. International Trade Commission released a report Thursday, which found that some foreign governments employ technology like data localization rules to coerce compliance with censorship policies, and that emerging technologies, namely artificial intelligence, are used to monitor and subsequently suppress online activity. This in turn affects foreign market participation within these countries.

“The advance of technology has not only provided more outlets for speech, but also created more technical levers to suppress speech,” the report said.

“Governments are using multiple levers—from data and personnel localization requirements to threats of retaliation—to pressure compliance with censorship policies,” the USITC continued. “Technological developments, such as the growing reliance on artificial intelligence by governments and internet companies to identify and suppress large quantities of online content, also present substantial challenges.”

Authored at the request of the U.S. Senate Finance Committee back in April 2021, the first of two reports reviewed the censorship tactics and corresponding policies in several critical foreign markets.

“The consequences of censorship-related policies and practices can be significant for U.S. firms, especially U.S.-based content producers and digital services firms, as they may restrict trade, impede market access, increase operational costs and reputational risks, or discourage foreign direct investment.”

Subject: Teamwork, trust and threat sharing key to cybersecurity
Source: GCN

Teamwork was the prevailing theme during a webinar in which state and local government officials and industry experts hashed out the details of what’s needed for better cybersecurity.

“Cybersecurity is a team sport and you have to have everyone engaged. It can’t just be an IT issue,” Amanda Crawford, executive director of the Texas Department of Information Resources (DIR) and the state’s CIO, said during ITI’s “A Cyber Plan for State and Local Governments” event on Jan. 26, 2022. “It has to be a business issue and a leadership issue, where it comes from the top down that cybersecurity is a priority.”

She pointed to the successful mitigation of a 2019 coordinated ransomware attack that affected 23 local Texas governments. “We had prepared and had an incident response plan … that we had practiced through tabletops,” Crawford said. Additionally, the state had legislative processes in place so that Gov. Greg Abbott could declare a cybersecurity emergency and trigger help from the Texas Department of Emergency Management, the state National Guard, Texas A&M University and other organizations.

Trust is at the heart of such collaboration, added Florida CIO James Grant. “Trust is honestly at the forefront – trust that when we show up, we’re capable of doing what we say we’re going to do and that [when] we say we’re going to do it, that we actually will do it,” he said.

Partnerships with industry can also bolster cybersecurity. Crawford cited the Texas Information Sharing and Analysis Organization, a legislative mechanism that allows for threat sharing between the public and private sectors, and is free to join.

Procurement changes are also necessary for cyber advancement, Grant said. It needs to be simpler to increase the number of people who can understand, identify and purchase solutions to solve problems.

But procurement must also align with cybersecurity frameworks like the National Institute of Standards and Technology’s Cybersecurity Framework or StateRAMP’s for procurement compliance, added Ben Caruso, Juniper Networks’ state and local government practice leader.


