Pete Recommends Weekly highlights on cyber security issues, February 26, 2022

Subject: Humans Find AI-Generated Faces More Trustworthy Than the Real Thing
Source: Scientific American

Viewers struggle to distinguish images of sophisticated machine-generated faces from actual humans

The startling realism has implications for malevolent uses of the technology: its potential weaponization in disinformation campaigns for political or other gain, the creation of false porn for blackmail, and any number of intricate manipulations for novel forms of abuse and fraud. Developing countermeasures to identify deepfakes has turned into an “arms race” between security sleuths on one side and cybercriminals and cyberwarfare operatives on the other.

A new study published in the Proceedings of the National Academy of Sciences USA provides a measure of how far the technology has progressed. The results suggest that real humans can easily fall for machine-generated faces—and even interpret them as more trustworthy than the genuine article. “We found that not only are synthetic faces highly realistic, they are deemed more trustworthy than real faces,” says study co-author Hany Farid, a professor at the University of California, Berkeley. The result raises concerns that “these faces could be highly effective when used for nefarious purposes.”

Subject: Facial recognition firm Clearview AI tells investors it’s seeking massive expansion beyond law enforcement
Source: Washington Post via MSN via beSpacific

Washington Post via MSN: “The facial recognition company Clearview AI is telling investors it is on track to have 100 billion facial photos in its database within a year, enough to ensure “almost everyone in the world will be identifiable,” according to a financial presentation from December obtained by The Washington Post. Those images — equivalent to 14 photos for each of the 7 billion people on Earth — would help power a surveillance system that has been used for arrests and criminal investigations by thousands of law enforcement and government agencies around the world.

Subject: 83% of employees continue accessing old employer’s accounts
Source: Help Net Security

In a recent study, Beyond Identity gathered responses from former employees across the United States, the United Kingdom, and Ireland and found 83% of employees admitted to maintaining continued access to accounts from a previous employer. The cybersecurity threat this poses is coupled with the fact that 56% of these employees said they had used this continued digital access with the specific intent of harming their former employer.

The most common hacks and infractions included logging into corporate social media (36%), looking through company emails (32%), and taking company files and documents (31%). More than one in four former employees even went so far as to log in to the back end of the company’s website.

Fortunately, there was a saving grace for companies. According to the survey, a professional, detailed offboarding process could accomplish two important things: prevent unauthorized access by former employees by eliminating their passwords and other insecure authentication methods, and simultaneously generate goodwill, thereby lessening the motivation to harm a former employer.

Subject: SIM Swaps Are on the Rise
Source: Newser

(Newser) – Beware the SIM swap. The FBI says the sophisticated scam that involves hackers getting access to first your cell phone and then your financial accounts is on the rise, Fox News reports. It starts with scammers getting someone’s personal details, which can be done via phishing emails, phishing calls, or simply buying stolen information on the dark web. Then, they call the victim’s wireless carrier impersonating the victim and claiming their SIM card, the computer chip inside the phone that contains a unique ID number, has been lost or stolen. They then ask for the victim’s phone number to be transferred to a new SIM card—which, of course, is in the scammer’s possession, not the victim’s. The scammer can then submit password reset or account recovery requests for the victim’s accounts, and any calls or texts that come in to verify the requests will go to the scammer, not the victim.

Subject: Shady App Is Masquerading as Trump’s Social Network on Android
Source: Gizmodo

An apparent rip-off of Donald Trump’s social media network Truth Social has racked up downloads in the six figures on Google’s Play Store, causing confusion by MAGA types who failed to realize the distinction. Insider first reported that the app, which is titled “MAGA Hub — Truth Social Trump” on the Play Store, has crossed 100,000 downloads as of Tuesday. While the app itself was launched in August 2021, well before news broke that Trump was pursuing the “Truth” branding for his social network, most of the downloads appear to have been in the last few weeks. Trump Media & Technology Group recently released a beta version of Truth Social via Apple’s App Store, but it has yet to open the platform to Android users. The “MAGA Hub” app has stepped up to fill that void, appearing at the top of search results for an official release on the Play Store.

MAGA Hub, for what it’s worth, contains $28.99 in-app purchases with an unclear purpose and automatically subscribes users to a global chat group which Insider reports sends out “a constant stream of memes and messages.”

Some users theorized MAGA Hub is a Democratic psyop of some kind. Others charged that, actually, Democrats were the cause of its technical problems or low reviews (which were actually surprisingly generous, averaging at just over 3 stars with over 8,000 reviews).

Truth Social’s iOS launch has itself been far from spotless. While it took the number one position on the App Store, it also launched with numerous bugs ranging from irritations like eternal waitlists for new users to partial server outages and the accidental use of another company’s logo. Truth Social, like MAGA Hub, does not appear to have a browser version ready yet, although one is apparently in the works.


Subject: How much can you trust your printer?
Source: Help Net Security via beSpacific

Help Net Security: “Cybercriminals often leverage printer devices to gain access to networks and sensitive data in various ways. Their goal is to find a way to execute arbitrary, untrusted code on the target platform. This is a key reason why printer firmware updates so often. Printer OEMs are well aware of these threats, and constantly patch security vulnerabilities that attackers and malicious users might try to exploit. Of course, a successful exploit means that malicious software becomes operational within the network-attached printer, which can wreak havoc on cybersecurity within a corporate LAN setting…”

Subject: New Data Shows FTC Received 2.8 Million Fraud Reports from Consumers in 2021
Source: Federal Trade Commission

Newly released Federal Trade Commission data shows that consumers reported losing more than $5.8 billion to fraud in 2021, an increase of more than 70 percent over the previous year.

The FTC received fraud reports from more than 2.8 million consumers last year, with the most commonly reported category once again being imposter scams, followed by online shopping scams.

Prizes, sweepstakes, and lotteries; internet services; and business and job opportunities rounded out the top five fraud categories.

Of the losses reported by consumers, more than $2.3 billion of losses reported last year were due to imposter scams—up from $1.2 billion in 2020, while online shopping accounted for about $392 million in reported losses from consumers—up from $246 million in 2020.

In addition to taking consumer reports directly from people who call the FTC’s call center or report online, Sentinel also includes reports filed with other federal, state, local, and international law enforcement agencies, as well as other organizations, like the Better Business Bureau and Publishers Clearing House.

Subject: Can Police Use Facial Recognition Scans at Traffic Stops?
Source: Gizmodo

At least some law enforcement agents are reportedly considering the practice, which legal experts say may violate U.S. law. Law enforcement’s use of facial recognition technology during investigations has blossomed in recent years thanks in no small part to a booming surveillance industry built on the back of an ever-expanding buffet of publicly available biometric data. The limits on where and how that technology can be used, though, remain legally murky and are constantly evolving. Now, it appears at least some law enforcement agents are flirting with the idea of using facial recognition at otherwise seemingly benign traffic stops, a potential loosening of the tech’s use that has legal and privacy experts on edge.

Subject: House Bill Would Create FTC Bureau to Oversee Online Platforms
Source: Nextgov

The bill takes a different route to big tech oversight than other legislation.

House Democrats introduced new legislation this week that they believe would hold big tech companies—and their widely used internet platforms—accountable to users and regulators. The Digital Services Oversight and Safety Act of 2022 would create a Bureau of Digital Services, Oversight and Safety within the Federal Trade Commission that would investigate systemic risks on online platforms and issue transparency requirements and guidance.

The bureau would be staffed with “at least” 500 employees—comprised of technologists, constitutional lawyers and a mix of other experts, such as statisticians and child development specialists—that could provide evidence-based research to inform policymakers and enforcement actions.

“This legislation will take the long-overdue step of giving federal regulators insight into how these companies operate, so they can issue evidence-based guidance and hold them accountable,” Schiff said.


Subject: Meet The Secretive Surveillance Wizards Helping The FBI And ICE Wiretap Facebook And Google Users
Source: Forbes

[If unable to read, clear your cookies or go into private / incognito mode … ] PenLink might be the most pervasive wiretapper you’ve never heard of.

The Lincoln, Nebraska-based company is often the first choice of law enforcement looking to keep tabs on the communications of criminal suspects. It’s probably best known, if it’s known at all, for its work helping convict Scott Peterson, who murdered his wife Laci and their unborn son in a case that fomented a tabloid frenzy in the early 2000s. Nowadays the company has been helping cops keep tabs on suspected wrongdoing by users of Google, Facebook and WhatsApp – whatever web tool that law enforcement requests.

With $20 million revenue every year from U.S. government customers such as the Drug Enforcement Administration, the FBI, Immigration Customs Enforcement (ICE) and almost every other law enforcement agency in the federal directory, PenLink enjoys a steady stream of income. That doesn’t include its sales to local and state police, where it also does significant business but for which there are no available revenue figures. Forbes viewed contracts across the U.S., including towns and cities in California, Florida, Illinois, Hawaii, North Carolina and Nevada.

“PenLink is proud to support law enforcement across the U.S. and internationally in their effort to fight wrongdoing,” the company said. “We do not publicly discuss how our solution is being utilized by our customers.”

Sometimes it takes a spy to get transparency from a surveillance company. Jack Poulson, founder of technology watchdog Tech Inquiry, went incognito at the National Sheriffs’ Association’s winter conference in Washington. He recorded a longtime PenLink employee showing off what the company could do for law enforcement and discussing the scale of its operations. Not only does the recording lift the lid on how deeply involved PenLink is in wiretapping operations across the U.S., it also reveals in granular detail just how tech providers such as Apple, Facebook and Google provide information to police when they’re confronted with a valid warrant or subpoena.

PenLink’s work wouldn’t be possible without the compliance of tech providers, who, according to Granick, “are storing too much data for too long, and then turning too much over to investigators. Social media companies are able to filter by date, type of data, and even sender and recipient. Terabytes of data are almost never going to be responsive to probable cause, which is what the Fourth Amendment requires.”


Subject: The end of passwords
Source: MIT Technology Review via beSpacific

MIT Technology Review: “Companies are finally shifting away from notoriously insecure alphanumerics to other methods of authentication…enterprise-oriented companies like Okta and Duo, as well as personal identity providers like Google, offer ways for people to log in to apps and services without having to enter a password. Apple’s facial recognition system has taken biometric login mainstream. Most notably, Microsoft announced in March 2021 that some of its customers could go completely passwordless, and it followed up in September by telling people to delete their passwords altogether. Those other methods of authentication? They’re finally winning…”


Subject: When should feds use a burner phone abroad?
Source: FCW

The Federal Chief Information Officers Council released new guidance on toting government-issued mobile phones and devices on foreign trips – and when to leave official gear at home. New guidance [31-page PDF] from the Federal Chief Information Officers Council is designed to educate feds on the risks and best practices for traveling outside of the continental United States with government furnished mobile devices like mobile phones, laptops and tablets. The council’s International Travel Guidance for Government Mobile Devices is meant to help government employees, contractors and detailees who use government mobile devices protect government data, back-end enterprise systems and the information of the user themselves when they travel.

For some, the risk is enough that the latest report recommends forgoing usual devices in favor of a burner phone.


Subject: The Advantages And Risks Of Biometric Security
Source: Android Headlines

You’re probably already using biometric technology on a regular basis, even if you aren’t aware of it. According to ExpressVPN, biometrics is the use of distinct biological features, like fingerprints, facial structure, or even voice, to determine or confirm identity. If you use a thumbprint to unlock your phone or let your laptop read your face to allow access, you’re using biometrics. Yes, the use of biometrics can make getting into your favorite device faster and more convenient. But is it everything it’s cracked up to be? There are some definite pros and cons to consider when using biometrics.

Current Trends and What’s to Come with Biometrics – Biometrics are starting to make their way into more public arenas. Once reserved for high-level security needs, like scientific labs and government buildings, an automated identity confirmation is making its way into airports, regular places of employment, and academic campuses.


Subject: Agencies underscore software vulnerabilities in supply chain assessments
Source: FedScoop

Several Cabinet agencies published reports Thursday citing the current software ecosystem as a key weakness across supply chains crucial to U.S. economic prosperity and national security. The departments of Commerce and Homeland Security found open-source software and firmware within the information and communications technology (ICT) industry vulnerable to exploitation by foreign adversaries and crime groups in their joint report, while the Department of Energy’s report deemed untrusted software developers a key vulnerability within the clean energy supply chain.

President Biden’s executive order on America’s Supply Chains issued in February 2021 gave seven Cabinet agencies a year to assess six critical industries for supply chain vulnerabilities, software being a big one.

“The ubiquitous use of open-source software can threaten the security of the software supply chain given its vulnerability to exploitation,” reads Commerce and DHS’s report. “Furthermore, the complexity of the ICT supply chain has led many original equipment manufacturers (OEMs) to outsource firmware development to third-party suppliers, which introduces risks related to the lack of transparency into suppliers’ programming and cybersecurity standards.”

The pandemic revealed an overreliance on software developers with opaque supply chains and a high risk of “cascading effects” should their products be compromised, according to DOE’s report.
