Pete Recommends – Weekly highlights on cyber security issues, April 16, 2022

Subject: TSA’s Terrorist Watch List Comes for Amtrak Passengers
Source: WIRED

The US Transportation Security Administration confirmed on Friday that it has been screening some Amtrak rail passengers’ information against a terrorist watch list. Amtrak requested that the TSA begin the program, and the Department of Homeland Security announced its launch in December as part of an Amtrak Rail Passenger Threat Assessment. A report on Wednesday first highlighted a Privacy Impact Assessment that describes the ongoing screening. “To conduct the assessment, Amtrak will provide TSA with rail passenger personally identifiable information (PII) collected over the course of several months for TSA to match against the Threat Screening Center’s (TSC) Terrorist Screening Database (TSDB), commonly known as the ‘watchlist,’ ” DHS said in December. Those months have now occurred. If anyone flags on the screenings, the Privacy Impact Assessment says that, at least for now, TSA will only provide Amtrak with anonymized information about riders and not their names.

Subject: You don’t need to install an antivirus app on your phone
Source: Android Central

Many of us have been conditioned to think we need to install antivirus or malware-protection apps on our phones, lest we fall victim to some shady group that wants our data. That’s bad information, and Check Point’s recent report on supposed protection apps that steal people’s banking information drives the point home.

Yes, you read that right — apps that are listed as Android antivirus or anti-malware security software were actually stealing the banking data from users in Italy and the U.K. About 15,000 people in total were affected before the apps could be pulled from the Play Store.

Because these apps may exist in third-party app stores, I’m going to give them visibility. They all come from three developer accounts: Zbynek Adamcik, Adelmio Pagnotto, and Bingo Like Inc. If you see any applications from these developers, steer clear.

Subject: Eavesdropping scam: A new scam call tactic
Source: Help Net Security

Hiya has detected the newest scam call tactic, the eavesdropping scam. The scam aims to get users to call back by leaving vague voicemail messages in which an unknown voice is heard talking about the potential victim. If the victim calls back, the scammers attempt to steal personal information or money by offering fraudulent tax relief services.

How it works – The eavesdropping scam is quite sophisticated. First, the scammer calls a potential victim from an unknown number and, since 79% of unknown calls go unanswered, leaves a voicemail. In the message, the scammer is heard talking to another person about the potential victim, claiming: “I’m trying to get ahold of them right now.”

Similar to the Wangiri Scam, the eavesdropping scam relies on the victim being so interested that they choose to call back. Once the victim returns the call, the scammer can run a variety of scams, most commonly offering fraudulent tax relief services.

Subject: Mismanaged Cloud Services Put User Data at Risk
Source: Nextgov via The Conversation via PSU

Organizations’ failure to properly manage the servers they lease from cloud service providers can allow attackers to receive private data, research my colleagues and I conducted has shown. Cloud computing allows businesses to lease servers the same way they lease office space. It’s easier for companies to build and maintain mobile apps and websites when they don’t have to worry about owning and managing servers. But this way of hosting services raises security concerns.

Each cloud server has a unique IP address that allows users to connect and send data. Once an organization no longer needs this address, it goes back into the provider’s pool and is handed to another customer, perhaps one with malicious intent. IP addresses change hands as often as every 30 minutes as organizations change the services they use.

When organizations stop using a cloud server but fail to remove references to its IP address from their systems (DNS records, hard-coded endpoints in apps, client configuration), their users’ devices keep sending data to that address, believing they are talking to the original service. Because they trust the service that previously used the address, user devices automatically send sensitive information such as GPS location, financial data and browsing history.

An attacker can take advantage of this by “squatting” on the cloud: claiming IP addresses to try to receive traffic intended for other organizations. The rapid turnover of IP addresses leaves little time to identify and correct the issue before attackers start receiving data. Once the attacker controls the address, they can continue to receive data until the organization discovers and corrects the issue.
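The check a practitioner would want after reading this is an inventory sweep for references that still point at cloud address space the organization no longer holds. The script below is an added example, not code from the article or the researchers: every zone record, provider range and "owned" address in it is constructed for illustration, and in practice the owned set would come from the provider's API and the zone from an export of your DNS. It follows CNAME chains inside the zone, guards against loops, and flags any name that resolves to an address inside the provider's published ranges but outside the set of addresses you currently hold.

```python
"""Dangling cloud IP reference check (constructed example, not the article's code)."""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed: published address ranges of a hypothetical cloud provider.
CLOUD_RANGES = [ipaddress.ip_network(c) for c in ("203.0.113.0/24", "198.51.100.0/24")]

# Constructed: addresses the organization currently holds (from an inventory export).
OWNED_IPS = {"203.0.113.10", "203.0.113.11", "198.51.100.5"}

# Constructed zone data: name -> (record type, target).
ZONE: Dict[str, Tuple[str, str]] = {
    "www.example.com": ("A", "203.0.113.10"),
    "api.example.com": ("A", "203.0.113.42"),      # released months ago, record never removed
    "old.example.com": ("CNAME", "api.example.com"),  # inherits the dangling address
    "blog.example.com": ("A", "192.0.2.7"),          # on-prem, outside the cloud ranges
    "cdn.example.com": ("CNAME", "www.example.com"),
    "loop.example.com": ("CNAME", "loop.example.com"),  # misconfigured self-referencing CNAME
}


def in_cloud_range(ip: str, ranges=CLOUD_RANGES) -> bool:
    """True if the address lies inside any of the provider's published ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ranges)


def resolve(name: str, zone: Dict[str, Tuple[str, str]], max_hops: int = 8) -> Tuple[str, Optional[str]]:
    """Follow CNAMEs within the zone; return (final name, IP) or (last name seen, None)."""
    seen = set()
    cur = name
    for _ in range(max_hops):
        if cur in seen:          # CNAME loop: nothing to resolve
            return cur, None
        seen.add(cur)
        rec = zone.get(cur)
        if rec is None:          # target outside this zone; would need a live lookup
            return cur, None
        rtype, target = rec
        if rtype == "A":
            return cur, target
        cur = target             # CNAME: keep following
    return cur, None


def find_dangling(zone: Dict[str, Tuple[str, str]], owned, ranges=CLOUD_RANGES) -> List[Tuple[str, str]]:
    """Names that resolve into cloud address space the organization no longer holds."""
    findings = []
    for name in zone:
        _, ip = resolve(name, zone)
        if ip is None:
            continue
        if in_cloud_range(ip, ranges) and ip not in owned:
            findings.append((name, ip))
    return sorted(findings)


if __name__ == "__main__":
    for name, ip in find_dangling(ZONE, OWNED_IPS):
        print(f"DANGLING: {name} -> {ip} (cloud range, not in inventory)")
```

On the constructed data this reports `api.example.com` and, through its CNAME, `old.example.com`, both pointing at 203.0.113.42. The on-prem record is ignored because it is outside the provider's ranges, which is the reason the check keys on provider ranges rather than simply on "not in inventory": an address you never owned in the first place is not evidence of a release.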


Subject: Jury: Former DHS watchdog official stole software, employees’ personal info
Source: FCW

Officials in the Department of Homeland Security’s Office of the Inspector General are supposed to expose nefarious activity, but a jury has found a former acting branch chief of the office’s information technology division guilty, along with two others, of stealing federal property and government workers’ personal information. Murali Y. Venkata, 56, of Aldie, Virginia, was “convicted of conspiracy to defraud the U.S. government, theft of government property, wire fraud, aggravated identity theft, and obstruction,” according to a Department of Justice press release Monday, and “executed a scheme to steal confidential and proprietary software from the government along with the personally identifying information (PII) of hundreds of thousands of federal employees.”

The plan, according to court documents and the indictment from March 2020, was to create a commercial version of a case-management system and sell it back to government agencies through a company that Venkata’s accomplice and former boss, Charles K. Edwards, founded in 2015. Edwards, who was DHS’ acting inspector general at the time, pleaded guilty to the charges in January. Another DHS OIG official, Sonal Patel, entered a guilty plea on related charges in April 2019.

The three stole Microsoft products worth almost $350,000, using activation keys managed by the DHS OIG office, along with the PII of about 246,167 DHS employees and 6,723 postal workers, according to the charges.

Subject: You’re muted… or are you? Videoconferencing apps may listen even when mic is off
Source: Tech Xplore

“It turns out, in the vast majority of cases, when you mute yourself, these apps do not give up access to the microphone,” says Fawaz. “And that’s a problem. When you’re muted, people don’t expect these apps to collect data.”

After their initial testing, Fawaz and Yang, along with colleagues from Loyola University Chicago, conducted a more formal investigation of just what happens when videoconferencing software microphones are muted. They will present their results at the Privacy Enhancing Technologies Symposium in July.

They found that all of the apps they tested occasionally gather raw audio data while mute is activated, with one popular app gathering information and delivering data to its server at the same rate regardless of whether the microphone is muted or not.

Whether or not the data is being accessed or used, the findings raise privacy concerns.

[I wonder how this applies to telephone desksets and headsets? /pmw1]

Subject: Data From Friends and Strangers Show Where You Are
Source: Nextgov

Movement patterns of people you know contain 95% of the information needed to predict your location. Turning off your data tracking doesn’t mean you’re untraceable, a new study warns.

Data about our habits and movements are constantly collected via mobile phone apps, fitness trackers, credit card logs, websites visited, and other means. But even with it off, data collected from acquaintances and even strangers can predict your location.

“Switching off your location data is not going to entirely help,” says Gourab Ghoshal, an associate professor of physics, mathematics, and computer science at the University of Rochester.

Ghoshal and colleagues applied techniques from information theory and network science to find out just how far-reaching a person’s data might be. The researchers discovered that even if individual users turned off data tracking and didn’t share their own information, their mobility patterns could still be predicted with surprising accuracy based on data collected from their acquaintances.

“Worse,” says Ghoshal, “almost as much latent information can be extracted from perfect strangers that the individual tends to co-locate with.”

By applying information theory and measures of entropy, the degree of randomness or structure in a sequence of location visits, the researchers learned that the movement patterns of people who are socially tied to an individual contain up to 95% of the information needed to predict that individual’s mobility patterns.

However, even more surprisingly, they found that strangers not tied socially to an individual could also provide significant information, predicting up to 85% of an individual’s movement.
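To make the entropy measure concrete: the example below is added here and is not the researchers’ code or their exact metric (the paper uses more elaborate estimators over real mobility traces). It computes the Shannon entropy of a person’s location-visit sequence, the conditional entropy of that sequence given a companion’s sequence at the same time slots, and the fraction of the person’s location information that the companion’s trace therefore carries. The three eight-slot traces are constructed; the acquaintance co-locates with the target most of the day, while the stranger shares only a couple of visits.

```python
"""Entropy and conditional entropy of location traces (constructed example)."""
from collections import Counter, defaultdict
from math import log2
from typing import Dict, List, Sequence


def entropy(seq: Sequence[str]) -> float:
    """Shannon entropy in bits of the distribution of visited locations."""
    n = len(seq)
    return -sum((c / n) * log2(c / n) for c in Counter(seq).values())


def conditional_entropy(target: Sequence[str], given: Sequence[str]) -> float:
    """H(target | given): remaining uncertainty about the target's location once the
    companion's location at the same time slot is known."""
    if len(target) != len(given):
        raise ValueError("traces must be aligned on the same time slots")
    groups: Dict[str, List[str]] = defaultdict(list)
    for t, g in zip(target, given):
        groups[g].append(t)          # target's visits, bucketed by the companion's location
    n = len(target)
    return sum((len(bucket) / n) * entropy(bucket) for bucket in groups.values())


def predictability_from(target: Sequence[str], given: Sequence[str]) -> float:
    """Fraction of the target's location information carried by the companion's trace:
    1 - H(target | given) / H(target). 1.0 means the companion's trace fixes the
    target's location; 0.0 means it tells you nothing."""
    h = entropy(target)
    if h == 0.0:
        return 1.0                   # a person who never moves is trivially predictable
    return 1.0 - conditional_entropy(target, given) / h


# Constructed traces: one location per two-hour slot over 16 hours.
ALICE = ["home", "home", "home", "home", "work", "work", "cafe", "cafe"]
BOB = ["home", "home", "out", "out", "out", "work", "cafe", "cafe"]      # acquaintance
CAROL = ["mall", "mall", "mall", "mall", "mall", "mall", "park", "park"]  # stranger

if __name__ == "__main__":
    print(f"H(Alice)              = {entropy(ALICE):.3f} bits")
    print(f"H(Alice | Bob)        = {conditional_entropy(ALICE, BOB):.3f} bits")
    print(f"share carried by Bob  = {predictability_from(ALICE, BOB):.1%}")
    print(f"share carried by Carol= {predictability_from(ALICE, CAROL):.1%}")
```

With these traces Alice’s own entropy is 1.5 bits; knowing Bob’s slot-by-slot location leaves about 0.34 bits of uncertainty (roughly 77% of her location information), and even Carol, who only ever shares the evening cafe-and-park pattern with her, accounts for about 54%. The point of the computation is that the target contributes no data of her own: everything comes from the other two traces, which is the mechanism the article describes.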

Subject: Facial recognition not required as tax ID – yet. But the tech spreads.

Facial recognition identity verification technology can potentially protect government resources and personal information. But some cities have banned the technology, the IRS dropped a requirement to use it to access individual tax accounts, and a congressional committee is investigating the IRS facial recognition contractor over concerns about privacy, security, and the technology’s potential to discriminate.

Use of the facial recognition technology is now optional for taxpayers.

A handful of agencies use facial recognition to control building access. Agencies like the Department of Homeland Security use the technology for domestic law enforcement, including for leads in criminal investigations, and border security. Beyond the IRS, some federal agencies are moving ahead with facial recognition technology and 10 plan to expand its use by 2023.

“Ten years from now, we’ll look back on this problem and say, ‘Well, that was the beginning when people were nervous,’” says John Koskinen, a former IRS commissioner and current board member at the National Academy of Public Administration. “The purpose of all this is to protect [people] and protect their data.”

Subject: Industry Groups Butt Heads on SEC’s Incident Reporting Rules
Source: Nextgov

Members of corporate boards and groups lobbying on behalf of the companies they govern are on opposite sides of a debate over the Securities and Exchange Commission’s proposal to require that publicly traded companies regularly disclose any cybersecurity incidents they experience, along with how they’re managing such risks. A major trade association for the financial-sector entities concerned is asking the regulator to hold off in favor of the incident reporting rules being implemented at the non-regulatory Cybersecurity and Infrastructure Security Agency.

“The SEC’s actions in the past year, paired with recently released rules, draw a line under the critical role of management and boards in protecting not just investors and customers, but also the sound functioning of American business,” said Friso van der Oord, senior vice president of content at the National Association of Corporate Directors. “Preparing effective disclosure of material cyber risks and incidents has long been a key principle of cyber risk oversight advocated by NACD.”


Posted in: AI, Big Data, Criminal Law, Cybercrime, Cybersecurity, Economy, Financial System, Privacy, Social Media, Travel