Pete Recommends Weekly highlights on cyber security issues, February 19, 2022

Subject: Researchers Developing a Digital Fingerprint Tool Based on Text
Source: Gizmodo

The new tool would analyze stylistic differences in sentences to determine authorship, which researchers claim could combat disinformation.

Experts at the Intelligence Advanced Research Projects Activity, the research wing of the intelligence community, are using artificial intelligence and heaps of online text data to create just such an identity verification marker, NextGov notes in a recent report. The researchers hope one day this text “fingerprint” could play a significant role in identifying individuals behind disinformation campaigns and fighting back against human trafficking.

The proposed text-based fingerprinting technique would reportedly work somewhat similar to other ways forensics experts currently determine someone’s identity based on their handwriting. Just as humans have tiny little individual differences and idiosyncrasies in the way they write a word, online authors similarly have their own tells when crafting sentences online.

Subject: A Hacker Group Has Been Framing People for Crimes They Didn’t Commit
Source: Gizmodo

[From the Never Trust a Computer dept …] A recent study shows the tactics and techniques of a cybercrime group that is known for planting incriminating evidence on the devices of activists in India.
For at least a decade, a shadowy hacker group has been targeting people throughout India, sometimes using its digital powers to plant fabricated evidence of criminal activity on their devices. That phony evidence has, in turn, often provided a pretext for the victims’ arrest. A report published this week by cybersecurity firm Sentinel One reveals additional details about the group, illuminating the way in which its digital dirty tricks have been used to surveil and target “human rights activists, human rights defenders, academics, and lawyers” throughout India. The group, which researchers have dubbed “ModifiedElephant,” is largely preoccupied with spying, but sometimes it intervenes to apparently frame its targets for crimes. Researchers write:

The objective of ModifiedElephant is long-term surveillance that at times concludes with the delivery of ‘evidence’—files that incriminate the target in specific crimes—prior to conveniently coordinated arrests.


Subject: How the metaverse could shape cybersecurity in 2022
Source: VentureBeat

“Metaverse” is a much-hyped concept that is being mentioned more and more frequently in conversations regarding technology and development. Although the idea has recently gained popularity, it is not entirely new. It first made an appearance in Neal Stephenson’s science fiction novel Snow Crash and since then, there have been many versions of the metaverse, especially as the gaming industry caught on to it. These versions have nurtured the idea, as evident through games like Second Life, Eve Online, or even GTA and Red Dead Online.

Despite its long-standing presence in the world of technology, the idea around the metaverse still seems somewhat hazy. It is probably because the recent construction of metaverse is set to happen through Facebook and promises to incarnate the next generation of the internet. It represents the idea of an immersive, next generational virtual 3D world, promising to connect all sorts of digital environments in almost like a digitized mimicry of the actual world we live in. And while the idea of a revolutionized digital world sounds exciting within itself, it has bubbled up several security concerns leading to that big question: how is the metaverse set to change cybersecurity in 2022?

Top cybersecurity concerns with the metaverse

Since most cyberattacks and frauds have started to occur, it is possible to predict scenarios like:

However, the largest concern looming about the Metaverse surrounds the data privacy and security that will most likely remain under threat for several reasons.

What will cybersecurity be like in 2022 with the metaverse?

Subject: The CIA Has Secretly Run a ‘Bulk Collection’ Program Affecting Americans + other stories
Source: WIRED

Plus: Vulnerability fixes, the return of EARN IT, and more of the week’s top security news. Cryptocurrency was everywhere this week, funding anti-Russian resistance groups and hacktivists in Ukraine and being seized by the US Department of Justice in a massive trove of laundered bitcoin worth $3.6 billion. If you’re just wading into crypto yourself and need a place to store your digital dough, we’ve got a guide for picking and setting up a cryptocurrency wallet. Microsoft took a huge security step this week by announcing that it will disable its often-abused macros feature by default in Microsoft Excel and Word files downloaded from the internet. Health privacy researchers published findings about medical and genetic-testing companies that left details about their third-party ad tracking and lead generation methods out of their privacy policies. And pro-democracy activists, many of whom are in hiding after Myanmar’s 2021 coup, fear that their phone records—and by extension the identities of their loved ones and resistance networks—could be at risk of falling into the junta’s hands. And if you’re getting freaked out about the possibility of being tracked using Apple AirTags, here’s our guide to scoping things out and protecting yourself. And there’s more. We’ve rounded up all the news here that we didn’t break or cover in depth this week. Click on the headlines to read the full stories. And stay safe out there….


Subject: How to Set Up Lock Screens on All Your Devices
Source: WIRED

Your lock screen stands between your private data and unwelcome visitors — make sure you set it up correctly.

Subject: Open banking innovation: A race between developers and cybercriminals
Source: Help Net Security

In this interview with Help Net Security, Karl Mattson, CISO at Noname Security, explains the wide usage of open banking and how it can easily be exploited if adequate security measures are not implemented.

Can consumers trust open banking? What should they look out for?

Consumers benefit from open banking by opening a new universe of services and benefits for their financial needs. However, the consumer is at a distinct disadvantage with respect to knowing how to evaluate risks to their personal information. For example, a banking customer may have little insight or control over how these services are delivered on the backend by their financial institution.

As well, there are few data points for consumers to consider when evaluating whether a new FinTech service offering is truly secure. The average consumer is still largely dependent on quality oversight by financial industry regulators to be the gatekeepers of responsible risk management and data protections.

Can innovation actually set back the financial services industry security wise? How can it embrace innovation while ensuring security?

Subject: Nametag launches ‘Sign in with ID’ to access online accounts securely
Source: ZDNet

Nametag’s multi-factor identity solution ensures that security is centered around the user — and not just the login details. You can now verify your identity with more than just your username and password with this user-centric authentication mechanism.

Your online accounts tend to be linked to your username and password, with an added layer of SMS verification to provide two-factor authentication. However, these types of accounts can be compromised by phishing or social engineering to gain access to your accounts.

To solve this issue, New York-based ID authentication company Nametag has launched “Sign in with ID” to access online accounts using its multifactor authentication technology combined with biometric identity verification.

There are four steps to signing in with ID: scan a QR code on a website, which invokes the Nametag sign in screen; scan your ID (when you first use Nametag, you must upload your official ID); take a selfie; and tap to confirm and share what information is necessary for the transaction.

The company says it has also completed steps necessary for AICPA SOC2 Type 1 certification and is currently undergoing a SOC2 Type 1 examination with an independent auditor, with a planned completion date of March 2022.

The product uses the face matching technology of hyperscale cloud providers, benefiting from their investments in recognition accuracy. Cosmetic appearance changes, such as gaining/losing weight, do not impact matching.

Nametag has also built the product to accommodate gender, name, address, and other factors — confident that it maintains security and matching. A user is never locked out even if they lose their phone, access to their email, or get a new driver’s license.

Subject: Technology is revolutionizing how intelligence is gathered and analyzed – and opening a window onto Russian military activity around Ukraine
Source: GCN

Government analysts are filling the need for intelligence assessments using information sourced from across the internet instead of primarily relying on classified systems or expensive sensors high in the sky or arrayed on the planet. As the U.S. and other NATO member governments monitor Russia’s activities and determine appropriate policy responses, the timely intelligence they rely on no longer comes solely from multimillion-dollar spy satellites and spies on the ground.

Social media, big data, smartphones and low-cost satellites have taken center stage, and scraping Twitter has become as important as anything else in the intelligence analyst toolkit. These technologies have also allowed news organizations and armchair sleuths to follow the action and contribute analysis.
Governments still carry out sensitive intelligence-gathering operations with the help of extensive resources like the U.S. intelligence budget. But massive amounts of valuable information are publicly available, and not all of it is collected by governments.

This democratization of intelligence collection in most cases is a boon for intelligence professionals. Government analysts are filling the need for intelligence assessments using information sourced from across the internet instead of primarily relying on classified systems or expensive sensors high in the sky or arrayed on the planet.

However, sifting through terabytes of publicly available data for relevant information is difficult. Knowing that much of the data could be intentionally manipulated to deceive complicates the task.


Subject: FTC warns VoIP providers: Share your robocall info or get sued
Source: Bleeping Computer

The US Federal Trade Commission (FTC) said today that it will take legal action against Voice-over-Internet Protocol (VoIP) service providers who do not hand over information requested during robocall investigations. “Companies that receive FTC Civil Investigative Demands must promptly produce all required information,” said Samuel Levine, the Director of FTC’s Bureau of Consumer Protection.

“These demands are not voluntary. Companies that don’t respond fully, or don’t respond at all, will have to answer to a federal district court judge, as these cases demonstrate.”

The Commission charged Alcazar Networks in December 2020 with facilitating illegal telemarketing calls after it provided VoIP services to an Indian company that used “911” as the caller ID and impersonated the Social Security Administration.

“The Commission frequently issues Civil Investigative Demands (CIDs) to VoIP service providers that carry potentially illegal calls to collect important information to help stop the calls, including information about the company’s customers and efforts to comply with the Telemarketing Sales Rule,” the FTC said.

Subject: Cyber primer for local
Source: GCN

The Center for Technology in Government has created a basic, no-nonsense primer to help local leaders identify, respond to and recover from security breaches.
To help local government leaders better understand the cybersecurity threats facing an interconnected network infrastructure, the Center for Technology in Government (CTG) has issued a primer designed to help them identify, respond to and recover from security breaches and take steps to increase their ability to manage cyber risks.

The primer answers basic questions like, “What does it mean to detect a potential cyberattack?” and provides definitions of common cyberattack techniques. Links to relevant state and local laws and regulations governing cybersecurity are included as are basic prevention strategies and discussions of the importance of cyber risk management and incident response plans.

The primer presents a set of questions agencies should answer before they connect any new technology to their networks – and why the answers matter. For example, if data that is collected, stored, used or shared is protected by a specific law or regulation, local leaders must understand how the classification of that data will dictate the policy and technical controls for both government and the vendor.


Subject: GAO sustains contract award challenge brought using evidence from LinkedIn
Source: FedScoop

The Government Accountability Office has recommended the exclusion of a vendor from a task order after the awardee was found to have misstated the experience of a staff member in its bid submission. GAO in a ruling late last year recommended that a contract awarded to Maryland-based A P Ventures be terminated and its proposal excluded from competition after it was found to have made a material misrepresentation over the experience of staff.

The award challenge was brought by Insight Technology Solutions, which cited the LinkedIn profile of an A P Ventures employee that showed fewer than five years’ work experience as evidence.

GAO in its decision said that the misstated employment history was material and that neither A P nor DHS meaningfully disputed the work history as it appeared on the social networking website.

Subject: Google launches ‘Privacy Sandbox’ to limit data from Android phone users

Feb. 16 (UPI) — Tech giant Google announced on Wednesday that it’s starting a multi-year project to safeguard privacy for Android smartphone users and work toward advertising methods that rely less on users’ private data.

Google said the initiative is called the Privacy Sandbox and it expects to develop the project over several years.
The goal of the move, the company said, is developing “effective and privacy enhancing advertising solutions” that let users know that their personal information is protected.

“Mobile apps are a core part of our everyday lives. Currently over 90% of the apps on Google Play are free, providing access to valuable content and services to billions of users. Digital advertising plays a key role in making this possible,” Anthony Chavez, Google vice president of product management and Android security, said in a blog post.


Subject: Researcher ‘reverses’ redaction, extracts words from pixelated image
Source: Bleeping Computer

Using pixelation to redact images? Those pixels may not actually be hiding anything. A researcher has demonstrated how he was able to successfully recover text that had been redacted using the pixelation technique. Further, the researcher has released a GitHub tool that can be used by anyone to reconstruct text from obscure, pixelated images.

Reversing obscure pixels

This week, Dan Petro, Lead Researcher at offensive security firm Bishop Fox, has demonstrated how he was able to completely recover text from an image redacted via the pixelation method.

When publishing sensitive images online, pixelation or blurring is often used as a redaction technique by media outlets and researchers alike.

But Petro shows why it might be safer to just stick good old opaque bars over the text you want to hide, rather than chancing it with alternate techniques—especially with pixelation.

“The bottom line is that when you need to redact text, use black bars covering the whole text. Never use anything else. No pixelization, no blurring, no fuzzing, no swirling,” warns Petro.

Subject: FBI warns of BEC attackers impersonating CEOs in virtual meetings
Source: Bleeping Computer

The Federal Bureau of Investigation (FBI) warned today that US organizations and individuals are being increasingly targeted in BEC (business email compromise) attacks on virtual meeting platforms. BEC scammers are known for using various tactics (including social engineering, phishing, and hacking) to compromise business email accounts with the end goal of redirecting payments to their own bank accounts.

In this type of attack, the crooks target small, medium, and large businesses alike, as well as individuals. The success rate is also very high since the fraudsters usually pose as someone the employees trust, like business partners or CEOs.

Crooks impersonating CEOs in virtual meetings

In a Public Service Announcement issued today, the FBI said it noticed scammers switching to virtual meeting platforms matching the overall trend of businesses moving to remote work during the pandemic.

“Between 2019 through 2021, the FBI IC3 has received an increase of BEC complaints involving the use of virtual meeting platforms to instruct victims to send unauthorized transfers of funds to fraudulent accounts,” the FBI said [PDF].

As explained in FBI’s PSA, the criminals are using such collaboration platforms in their attacks in various ways, including impersonating CEOs in virtual meetings and infiltrating meetings to harvest business information:


Subject: Missouri ends effort to prosecute ‘view source’ journalist
Source: The Register

Despite all logic, state governor still insists hitting F12 in a web browser is ‘hacking’

Subject: How to stop those annoying spam texts
Source: WaPo via beSpacific

Washington Post: “Spam texts are the new spam calls. Thankfully, there are ways to cut down…First, the bad news: These texts aren’t going away any time soon. A report from spam-blocking app RoboKiller found that spam texts increased 58 percent in 2021 from 2020. That’s a big jump, and it’s likely because scammers are realizing that people are too familiar with phone scams to fall for them at the same rate, RoboKiller vice president Giulia Porter said. Now, the good news: You can take steps to receive fewer spam texts, and if you do fall for one, there are ways to pump the brakes before scammers further mess with your accounts, devices or wallet…”