Pete Recommends Weekly highlights on cyber security issues, February 12, 2022

Subject: Here’s What’s Wrong With GDPR
Source: Gizmodo
https://gizmodo.com/gdpr-iab-europe-privacy-consent-ad-tech-online-advertis-1848469604

The EU’s landmark privacy law, GDPR, was supposed to change the world of tech privacy forever. What the hell happened? This week, European authorities struck a massive blow to the digital data-mining industrial complex with a new ruling stating that, quite simply, most of those annoying cookie alert banners that sites were forced to onboard en masse after GDPR was passed haven’t… actually been compliant with GDPR. Sorry.

The ruling, announced on Wednesday by Belgium’s Data Protection Authority, comes at the tail end of a years-long investigation into one of the biggest advertising trade groups in the EU, Interactive Advertising Bureau Europe (or IAB Europe, for short). In 2019, about a year after GDPR rolled out, the Data Protection Authority reports it started getting a stream of complaints against the IAB for “breaching various provisions of the GDPR” and countless people’s privacy with the technical standards it created to govern those consent pop-ups.

Now, three years later, it looks like those tips were right; the Authority fined IAB Europe $280,000, ordered the group to appoint a data protection officer, and gave a two-month deadline to get its tech into compliance. Any data that the group collected from this illicit tech also needs to be deleted.

The ruling is great news for privacy buffs that have been calling out those ugly, oftentimes downright manipulative cookie pop-ups from the get-go, but it’s also not necessarily a surprise. …

Simply put, when the GDPR asked the adtech industry to get consent from users before tracking them, the IAB responded with a set of guidelines with loopholes large enough that data could still get through, anyway, without consent. And now that these practices are out in the public, nobody seems sure how to make them stop.

Filed: https://gizmodo.com/tech/privacy-and-security


Subject: The MY2022 app is a required download for Olympians and looks like a security nightmare
Source: Android Central
https://www.androidcentral.com/my2022-app-required-download-olympians-and-looks-security-nightmare

A while back we heard that a handful of countries advised their respective Olympic teams to leave all personal electronics at home and use a “burner phone” while in Beijing. This was, of course, done because of concerns about the Chinese government’s heavy hand with the internet and all electronic communications. Sometimes, Big Brother really is watching. It turns out that this advice was pretty solid, as researchers have torn apart the Android and iOS versions of the MY2022 app — which is required to be used by all Olympians — and found some really interesting things. Not the good kind of interesting, either….

“Maybe the app can do these things, but there is no proof it has or will”


Subject: Republican senators demand briefing on IRS decision to require ID.me ‘selfies’
Source: ZDNet
https://www.zdnet.com/article/republican-senators-demand-briefing-on-irs-decision-to-require-id-me-selfies/

Jay Stanley, senior policy analyst at the ACLU, added that ID.me would not be subject to various oversight rules like the Freedom of Information Act and the Privacy Act of 1974, something the letter also notes.

The letter — signed by 15 Republican senators and addressed to IRS Commissioner Chuck Rettig — explains that using ID.me “appears to subject taxpayers to the terms of three separate agreements filled with dense legal fine print: a privacy policy agreement, terms of service agreement, and a ‘Biometric Data Consent and Policy.’”

They also expressed concern about the possibility of cyberattacks leaking the biometric data of millions of Americans who are being forced to entrust a private company with sensitive data.

“There is ample evidence to be very concerned about an IRS contractor’s ability to safely manage, collect and store this unprecedented level of confidential, personal data. To put this in perspective, in 2019 the IRS estimated it faced 1.4 billion cyber-attacks annually. It is highly likely, with personal information on a reported 70 million individuals, including biometric data, ID.me could be a top target for cyber-criminals, rogue employees, and espionage,” the Senators wrote.

“… Of concern, also, is that ID.me is not, to our knowledge, subject to the same oversight rules as a government agency, such as the Freedom of Information Act, the Privacy Act of 1974, and multiple checks and balances.”

Fight for the Future, Algorithmic Justice League, EPIC, and other civil rights organizations launched a website this week — called Dump ID.me — allowing people to sign a petition against the IRS plan.

Facial recognition is already used widely across multiple government agencies, alarming many who point to dozens of studies proving how flawed the technology is, particularly for people of color and women. Even the National Institute of Standards and Technology has found a higher rate of false positives on one-to-one algorithms for Asian and African American faces.

Topic: Government : US


Subject: $320 million stolen from Wormhole, bridge linking solana and ethereum
Source: CNBC
https://www.cnbc.com/2022/02/02/320-million-stolen-from-wormhole-bridge-linking-solana-and-ethereum.html

  • Wormhole, one of the most popular bridges linking the ethereum and solana blockchains, lost about $320 million in an apparent hack Wednesday afternoon.
  • The two blockchains are popular in the world of DeFi, where programmable contracts can replace lawyers and bankers in some transactions, and NFTs.
  • But few users stick with one blockchain exclusively, so bridges like Wormhole are a necessary go-between.

One of the most popular bridges linking the ethereum and solana blockchains lost more than $320 million Wednesday afternoon in an apparent hack. It is DeFi’s second-biggest exploit ever, just after the $600 million Poly Network crypto heist, and it is the largest attack to date on solana, a rival to ethereum that is increasingly gaining traction in the non-fungible token (NFT) and decentralized finance (DeFi) ecosystems.

Ethereum is the most used blockchain network, and it is a big player in the world of DeFi, in which programmable pieces of code known as smart contracts can replace middlemen like banks and lawyers in certain types of business transactions. A more recently introduced competitor, solana, is growing in popularity, because it is cheaper and faster to use than ethereum.

Crypto holders often do not operate exclusively within one blockchain ecosystem, so developers have built cross-chain bridges to let users send cryptocurrency from one chain to another.

Wormhole is a protocol that lets users move their tokens and NFTs between solana and ethereum.

Bridges like Wormhole work by having two smart contracts — one on each chain, according to Auston Bunsen, co-founder of QuikNode, which provides blockchain infrastructure to developers and companies. In this case, there was one smart contract on solana and one on ethereum. A bridge like Wormhole takes an ethereum token, locks it into a contract on one chain, and then on the chain at the other side of the bridge, it issues a parallel token.

“The $320 million hack on Wormhole Bridge highlights the growing trend of attacks against blockchain protocols,” said CertiK co-founder Ronghui Gu. “This attack is sounding the alarms of growing concern around security on the blockchain.”

Filed: https://www.cnbc.com/crypto-decoded/


Subject: Week in review: Samba vulnerability, phishing kits bypassing MFA, Patch Tuesday forecast
Source: Help Net Security
https://www.helpnetsecurity.com/2022/02/06/week-in-review-samba-vulnerability-phishing-kits-bypassing-mfa-patch-tuesday-forecast/

This site has a somewhat similar summary of articles on a weekly basis. The weekly submissions are tagged:

https://www.helpnetsecurity.com/tag/week_in_review/ – That tag has an RSS feed (just like we do):

https://www.helpnetsecurity.com/tag/week_in_review/feed/


Subject: Health Sites Let Ads Track Visitors Without Telling Them
Source: WIRED
https://www.wired.com/story/health-site-ad-tracking/

Privacy policies didn’t tell the whole story about third-party tools gathering personal information from the sites of medical and genetic-testing companies.

In a recent study from researchers at Duke University and the patient privacy-focused group the Light Collective, 10 patient advocates who are active in the hereditary cancer community and cancer support groups on Facebook—including three who are Facebook group admins—downloaded and analyzed their data from the platform’s “Off Facebook Activity” feature in September and October. The tool shows what information third parties are sharing with Facebook, and its parent company Meta, about your activity on other apps and websites. Along with the retail and media sites that typically show up in these reports, the researchers found that several genetic-testing and digital-medicine companies had shared customer information with the social media giant for ad targeting.

Downing and study coauthor Eric Perakslis, chief science and digital officer at Duke University’s Clinical Research Institute, emphasize that while targeted advertising is a broadly opaque ecosystem, the tracking can have particular implications for patient populations. In the process of reidentifying users across multiple sites, for example, a third-party tracking tool could gather together information about a user’s health status while also building a broader profile of their interests, profession, device fingerprints, and geographic region. And the interconnectedness of the ad ecosystem means that this composite picture can potentially pull in information from all sorts of web browsing, including activity on sites like Facebook. …

“The question in this experiment was ‘Can patients believe the terms and conditions they agree to on health-related sites? And if they can’t, do the companies even know that they can’t?’” Perakslis says. “And many of the companies we looked at aren’t HIPAA-covered entities, so this health-related data exists in an almost wholly unregulated space. Research has consistently shown that the flow of such information for advertising can disproportionately harm vulnerable populations.”

“It’s entirely expected from my perspective that findings like this keep coming up for the category that I call ‘health-ish’ data that does not cleanly fall under the limited privacy protections that currently exist in US laws,” says Andrea Matwyshyn, a professor and researcher at Penn State Law and a former FTC advisor. “The evolution of terms of use when combined with privacy policies has created a murky picture for users, and when you try to analyze the data flows, you end up in this often endless spiral.”


Subject: How to stop the spread of ransomware attacks
Source: VentureBeat
https://venturebeat.com/2022/02/06/how-to-stop-the-spread-of-ransomware-attacks/

Ransomware is currently one of the most common types of cyberattacks. It’s essential to be aware of the different variations of ransomware and how they can affect businesses, particularly small and midsized enterprises. As such, let’s outline what ransomware is, why it’s so dangerous for business owners, and identify steps that you can take to protect your company against this threat.

What is ransomware? Ransomware is malware that infects devices and locks users out of their data or applications until a ransom is paid. This is costly for businesses because they may have to pay a large sum of money to regain access to their files. It has been revealed that some users have paid enormous fees to obtain the decryption key. The fees can range from a hundred dollars to thousands of dollars, which are typically paid to cybercriminals in bitcoin.


Subject: How Phishers Are Slinking Their Links Into LinkedIn
Source: Krebs on Security
https://krebsonsecurity.com/2022/02/how-phishers-are-slinking-their-links-into-linkedin/

If you received a link to LinkedIn.com via email, SMS or instant message, would you click it? Spammers, phishers and other ne’er-do-wells are hoping you will, because they’ve long taken advantage of a marketing feature on the business networking site which lets them create a LinkedIn.com link that bounces your browser to other websites, such as phishing pages that mimic top online brands (but chiefly LinkedIn’s parent firm Microsoft). At issue is a “redirect” feature available to businesses that choose to market through LinkedIn.com. The LinkedIn redirect links allow customers to track the performance of ad campaigns, while promoting off-site resources. These links or “Slinks” all have a standard format: “https://www.linkedin.com/slink?code=” followed by a short alphanumeric variable.

Here’s the very first Slink created: http://www.linkedin.com/slink?code=1, which redirects to the homepage for LinkedIn Marketing Solutions. The trouble is, there’s little to stop criminals from leveraging newly registered or hacked LinkedIn business accounts to create their own ad campaigns using Slinks.
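The fixed Slink format described above lends itself to a simple triage check. As an added example (not code from the Krebs on Security article), the Python below finds linkedin.com/slink?code= links in message text so a mail filter or SOC script can flag them as "destination unknown until resolved" instead of trusting the linkedin.com domain; the sample messages are constructed.

```python
"""Flag LinkedIn "Slink" redirect URLs in message text (added example)."""
import re
from urllib.parse import urlsplit, parse_qs

# Rough URL matcher: scheme, then everything up to whitespace or a delimiter.
URL_RE = re.compile(r"https?://[^\s<>'\"]+", re.IGNORECASE)

# Constructed sample messages (not real phishing lures).
SAMPLE_MESSAGES = [
    "Your document is ready: https://www.linkedin.com/slink?code=abc12.",
    "Profile: https://www.linkedin.com/in/someone",
    "Look-alike host: https://www.linkedin.com.example.test/slink?code=zz9",
]


def is_linkedin_slink(url: str):
    """Return the Slink code if `url` is a LinkedIn Slink redirect, else None.

    Only linkedin.com and its subdomains (www., etc.) qualify; look-alike
    hosts such as linkedin.com.example.test are rejected because the
    hostname check is an exact match or a dot-anchored suffix match.
    """
    parts = urlsplit(url)
    host = parts.hostname or ""  # urlsplit lowercases the hostname
    if host != "linkedin.com" and not host.endswith(".linkedin.com"):
        return None
    if parts.path.rstrip("/").lower() != "/slink":
        return None
    codes = parse_qs(parts.query).get("code")
    if not codes or not codes[0]:
        return None
    return codes[0]


def find_slinks(text: str):
    """Return a list of (url, code) for every Slink found in `text`."""
    found = []
    for match in URL_RE.finditer(text):
        url = match.group(0).rstrip(".,;:)")  # drop trailing punctuation
        code = is_linkedin_slink(url)
        if code is not None:
            found.append((url, code))
    return found


def triage(messages):
    """Map each message index to the Slinks it contains (empty list if none)."""
    return {i: find_slinks(msg) for i, msg in enumerate(messages)}


if __name__ == "__main__":
    for idx, hits in triage(SAMPLE_MESSAGES).items():
        status = "REVIEW: Slink redirect" if hits else "no Slink"
        print(f"message {idx}: {status} {hits}")
```

A flagged Slink is not itself malicious; the point is that the linkedin.com domain says nothing about where the redirect lands, so the destination should be resolved and checked before the link is trusted.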

Filed:
https://krebsonsecurity.com/category/latest-warnings/


Subject: Air Force taps Clearview AI to research face-identifying augmented reality glasses
Source: NYT via beSpacific
https://www.bespacific.com/air-force-taps-clearview-ai-to-research-face-identifying-augmented-reality-glasses/

The New York Times: “The U.S. Air Force is looking into keeping its airfields safer with help from the facial recognition start-up Clearview AI. The Air Force Research Laboratory awarded Clearview $49,847 to research augmented reality glasses that could scan faces to help with security on bases. Bryan Ripple, a spokesman for the lab, described the work as a three-month study to figure out the ‘scientific and technical merit and feasibility’ of using such glasses for face recognition.”

See also via The New York Times:


Subject: FCC gets $5.6 billion in requests to access $1.9 billion pot for ripping out Huawei and ZTE
Source: ZDNet
https://www.zdnet.com/article/fcc-gets-5-6-billion-in-requests-to-access-1-9-billion-pot-for-ripping-out-huawei-and-zte/#ftag=RSSbaffb68

The US Federal Communications Commission (FCC) said on Friday it has seen a “robust” response to its Secure and Trusted Communications Networks Reimbursement Program. Under the program, carriers that have under 10 million customers as well as some schools, libraries, and healthcare providers are able to access funds to rip out and replace network equipment and services from Huawei and ZTE, if they provide broadband services. For the purpose of the program, equipment would need to be capable of speeds above 200kbps in either direction.

The fund was established with a pot of $1.9 billion, but the FCC has received requests amounting to $5.6 billion.

The fund was first proposed in 2019, with the FCC officially designating Huawei and ZTE as national security threats in July 2020.

Last month, the FCC removed the ability for China Unicom to operate in the US for national security reasons.


Subject: The IRS Says It Will Ditch ID.me’s Facial Recognition
Source: Gizmodo
https://gizmodo.com/irs-abandons-facial-recognition-plans-1848494491

The major reversal comes after weeks of criticism from privacy advocates, experts, and lawmakers. In a major reversal, the Internal Revenue Service says it will transition away from using ID.me’s controversial facial recognition identity verification software following weeks of public controversy and criticism from privacy groups.

Starting this summer, the IRS had planned to require users attempting to access their IRS account online to submit facial recognition scans through ID.me’s third-party identity verification services. The IRS and ID.me claimed this process would have helped reduce fraud. ID.me meanwhile has come under renewed scrutiny after CEO Blake Hall admitted that, under some circumstances, the company does run user face scans against a database of faces, a fact they hadn’t made clear previously.

“The IRS takes taxpayer privacy and security seriously, and we understand the concerns that have been raised,” IRS Commissioner Chuck Rettig said in a statement. “Everyone should feel comfortable with how their personal information is secured, and we are quickly pursuing short-term options that do not involve facial recognition.”

“We’re glad to see that grassroots activism and backlash from lawmakers and experts has forced the agency to back down,” Campaign Director at Fight for the Future Caitlin Seeley George said in an email to Gizmodo. “No one should be coerced into handing over their sensitive biometric information to the government in order to access essential services.”

The IRS’ reversal came just hours after Oregon Senator and Senate Finance Committee Chairman Ron Wyden wrote a letter to the IRS commissioner urging the IRS to end its use of facial recognition. In his letter, Wyden expressed concerns over the technology’s well-documented struggles to accurately identify women and people of color and said it was, “unacceptable to force Americans to submit to scans using facial recognition technology as a condition of interacting with the government online.”

Now, according to Fight for the Future’s Seeley George, the focus may turn to other federal agencies and at least 30 states currently partnered with ID.me. “The lawmakers who led the charge against the IRS use of this technology should immediately call for an end to other agencies’ contracts, and there should be a full investigation into the Federal government’s use of facial recognition and how it came to spend taxpayer dollars contracting with a company as shady as ID.me,” the activist said.

Filed – https://gizmodo.com/tech/news

NB

https://www.nextgov.com/cio-briefing/2022/02/irs-backs-away-facial-recognition-technology/361678/

https://fcw.com/it-modernization/2022/02/irs-grapples-idme-whats-next-logingov/361637/


Subject: NIST suggests agencies accept the word of software producers per executive order
Source: GCN
https://gcn.com/cybersecurity/2022/02/nist-suggests-agencies-accept-word-software-producers-executive-order/361656/

The standards agency said an attestation from vendors themselves would be sufficient when screening for cybersecurity, unless an agency’s risk calculus suggests otherwise. Federal procurement officials should err on the side of accepting declarations software vendors make about their products, in part to address concerns about cost and the protection of intellectual property, according to the National Institute of Standards and Technology.

The recommendation came in one of five documents NIST published Friday to meet its obligation under Executive Order 14028. The order was issued in response to a hacking campaign called ‘SolarWinds,’ after a government-contracted IT management firm that adversaries leveraged to infect their targets, including federal agencies, with malware.

“Accept first-party attestation of conformity with [Secure Software Design Framework] practices unless a risk-based approach determines that second or third-party attestation is required,” NIST wrote in guidance for federal officials with procurement responsibilities. “First-party attestation is recommended for meeting the EO 14028 requirements.”

Filed – https://gcn.com/cybersecurity/


Subject: The country inoculating against disinformation
Source: BBC via beSpacific
https://www.bespacific.com/the-country-inoculating-against-disinformation/

BBC: “Subjected to repeated disinformation campaigns, the tiny Baltic country of Estonia sees media literacy education as part of its digital-first culture and national security. For two days riots raged in Estonia’s capital Tallinn. Protestors clashed with police and looters rampaged after the violence was sparked by controversy about a decision to move a military statue erected during Soviet rule. The flames of outrage among Estonia’s Russian-speaking minority were fanned by false news spreading online and in Russian news reports. The disinformation campaign then escalated into what is considered the first cyber-attack against an entire country. The attack, which was linked to Russia, shut down websites of Estonia’s government, banks and media outlets. In the aftermath of the attack in 2007, Estonia decided to take action. The country has now become a cyber-security leader, aimed at protecting its online infrastructure from future attacks. But the country has done something else in its attempt to protect itself from digital aggression – the tiny Baltic country is using media literacy education to help its citizens spot and be wary of disinformation. Since 2010 Estonian public schools – from kindergarten through to high school – teach media literacy to their pupils. Students in 10th grade also take a mandatory 35-hour ‘media and influence’ course. Media literacy education is now accepted ‘as important as maths or writing or reading’, says Siim Kumpas, former strategic communication adviser to Estonia’s government. He was recently appointed as a policy officer at the European External Action Service, the European Union’s diplomatic service…”

There are other global media literacy initiatives such as the European Commission’s Media Literacy Week and the National News Literacy Week in the US, which took place earlier this month. Unesco, the United Nations’ education and culture agency, also sponsors an annual media literacy week and promotes online media literacy courses.


Subject: New app tracks terrorism-linked events in local U.S. communities
Source: GCN
https://gcn.com/public-safety/2022/02/new-app-tracks-terrorism-linked-events-local-us-communities/361706/

It marks an enhancement of the information-sharing capabilities the National Counterterrorism Center offered before. The National Counterterrorism Center or NCTC designed and launched a new mobile app and website that provide unclassified intelligence reports, training materials and breaking alert notifications tracking terrorist-associated events.

Dubbed “aCTknowledge,” this new digital tool was produced with—and explicitly for—U.S. law enforcement officers, first responders and homeland security professionals. It will be frequently updated based on their feedback going forward.

The new aCTknowledge resource is meant to be a one-stop-shop for NCTC analyses, training materials and real-time alerts, among other assets. Users can search for specific topics of interest, which will also inform new features it could include down the line.

Officials are required to register with their official government email address after downloading the application, and vetting information must also be submitted.



Subject: Critical Infrastructure Protection: Agencies Need to Assess Adoption of Cybersecurity Guidance
Source: U.S. GAO
https://www.gao.gov/products/gao-22-105103

The U.S. has 16 critical infrastructure sectors that provide clean water, gas, banking, and other essential services. To help protect them, in 2014 the National Institute of Standards and Technology developed cybersecurity standards and procedures that organizations within these sectors may voluntarily use. Federal agencies are charged with leading efforts to improve sector security. We found agencies have measured the adoption of these standards and procedures for 3 of 16 sectors and have identified improvements across 2 sectors. For example, the EPA found a 32% increase in the use of recommended cybersecurity controls at 146 water utilities.


Subject: Selfies now optional for ID.me verification
Source: GCN
https://gcn.com/cybersecurity/2022/02/selfies-now-optional-idme-verification/361856/

The company’s government customers can now verify users without using automated facial recognition technology. After the IRS walked back the proposed requirement that taxpayers use ID.me’s photo verification service, the company announced it would offer a new option to government customers – one that verifies identity without using automated facial recognition.

ID.me’s service verifies users’ identities by comparing an image on an uploaded government document, like a driver’s license, to a live photo or selfie. The company’s facial recognition technology verifies that the person in both photos is the same.

“We have listened to the feedback about facial recognition and are making this important change, adding an option for users to verify directly with a human agent to ensure consumers have even more choice and control over their personal data,” ID.me Founder and CEO Blake Hall said in a press statement. “In recent weeks, we have modified our process so government agencies can empower people to choose to verify their identity with an expert human agent without going through a selfie check.”

Additionally, all ID.me users will be able to delete their selfie or photo at account.ID.me starting March 1, Hall said.

The service is also used in Pennsylvania, Idaho and Indiana to verify identity for unemployment benefits.

See also the Washington Post: IRS abandons facial recognition plan after firestorm of criticism

Posted in: AI, Big Data, Blockchain, Cybercrime, Cybersecurity, E-Government, Government Resources, Healthcare, Legal Research, Privacy, Social Media, Spyware