Pete Recommends – Weekly highlights on cyber security issues, April 9, 2022

Subject: Wyze Security Cameras Contained Vulnerabilities That Weren’t Fully Fixed for Three Years
Source: Consumer Reports

Cybersecurity firm Bitdefender published a report (PDF) this week detailing three security vulnerabilities it found in Wyze security cameras, leading to a flurry of criticism around both the cybersecurity firm and the manufacturer. While Wyze finished patching the vulnerabilities in January 2022, both Bitdefender and Wyze have been criticized for their handling of the findings, as Bitdefender initially alerted Wyze to the vulnerabilities three years ago in March 2019. Besides making security software, Bitdefender has a research arm that tests products for vulnerabilities.

The first vulnerability allows hackers to bypass the account login process and access users’ cameras. The second allows hackers to run their own software code on exposed cameras. And the third allows hackers to access saved footage on cameras that use an SD card (Wyze also offers cloud video storage).

According to Wyze’s public statement on the findings, all of the vulnerabilities would require hackers to have access to the home’s WiFi network.

“… We strongly suggest that our customers no longer use EOL products as security and other critical updates are no longer provided, and we continue to urge Wyze Cam V1 owners to discontinue the use of these products.”

Subject: Blockchain can power up government processes, GAO says
Source: GCN

States have been experimenting with blockchain-based voting systems, smart contracts for ID management and fintech sandboxes, but implementation challenges exist.

Seeing the potential of blockchain in sectors beyond finance, where it’s most commonly used today, the Government Accountability Office recently released four suggestions that could enhance the technology’s benefits and mitigate its challenges.

“Blockchain is useful for some applications but limited or even problematic for others,” according to GAO’s technology assessment on blockchain. “For example, because of its tamper resistance, it may be useful for applications involving many participants who do not necessarily trust each other. But it may be overly complex for a few trusted users, where traditional spreadsheets and databases may be more helpful. Blockchain may also present security and privacy challenges and can be energy-intensive.”

Areas with potential include voting, organizational structure and ID management. In fact, some states have said that using a blockchain-based voting system would enhance remote-voting security and election auditability. West Virginia was the first to experiment with it in 2018. Last year, a bill was introduced in Alaska proposing to adopt the technology in its voting security system….

Filed: Blockchain

Subject: Report: One in four employees who made security mistakes lost their job
Source: VentureBeat

One in four employees lost their job after making a mistake that compromised their company’s security, according to new research from email security company Tessian.

The second edition of the report provides an updated look at the factors causing employees to make security mistakes at work, and the growing severity of consequences that follow them.

The report found that more people are falling for advanced and sophisticated attacks. In 2022, 52% of employees fell for phishing emails that impersonated a senior executive at the company — up from 41% in 2020 — and one-third were tricked by an SMS phishing (smishing) message. These data points validate some findings released in the annual FBI IC3 report last week, which found that phishing and Business Email Compromise scams are growing in sophistication and are far more pervasive than any other online threat.

To counter these mistakes, business and IT leaders must forgo the expectation that employees will make the right decision 100% of the time.

[report is 24 pages …]

Subject: Adversarial AI and the dystopian future of tech
Source: VentureBeat

In an adversarial AI attack, AI is used to manipulate or deceive another AI system maliciously. Most AI programs learn, adapt and evolve through behavioral learning. This leaves them vulnerable to exploitation because it creates space for anyone to teach an AI algorithm malicious actions, ultimately leading to adversarial results. Cybercriminals and threat actors can exploit this vulnerability for malicious purposes and intent.

Although most adversarial attacks have so far been performed by researchers and within labs, they are a growing matter of concern. The occurrence of an adversarial attack on AI or a machine learning algorithm highlights a deep crack in the AI mechanism. The presence of such vulnerabilities within AI systems can stunt AI growth and development and become a significant security risk for people using AI-integrated systems. Therefore, to fully utilize the potential of AI systems and algorithms, it is crucial to understand and mitigate adversarial AI attacks.

The basic pattern of an adversarial attack is always the same: manipulating an AI algorithm or an ML model into producing malicious results. In practice, an adversarial attack typically takes one of the following two forms:

  • Poisoning: the ML model is fed with inaccurate or misinterpreted data to dupe it into making an erroneous prediction.
  • Contaminating: the ML model is fed with maliciously designed data to deceive an already trained model into conducting malicious actions and predictions.
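The distinction between the two bullets is when the attacker gets to touch the data: poisoning happens at training time (the attacker needs write access to the training set or the pipeline feeding it), while what the article calls “contaminating” is usually known as evasion and happens at inference time (the attacker only needs to submit inputs to the finished model). The Python sketch below is an added example, not code from the VentureBeat article or the report it cites. It uses a deliberately tiny nearest-centroid classifier on a constructed two-dimensional data set; the labels, points and the `margin` parameter are all assumptions chosen for illustration, but the two attack functions are generic to any two-class nearest-centroid model.

```python
"""Added example (not from the VentureBeat article): training-time poisoning
versus inference-time evasion against a tiny nearest-centroid classifier.

The data set and the model are constructed for illustration only.
"""


def l2(a, b):
    """Euclidean distance between two 2-D points."""
    return ((a[0] - b[0]) ** 2 + (a[1] - b[1]) ** 2) ** 0.5


# Constructed clean training set: label 0 clusters near (0, 0), label 1 near (4, 4).
CLEAN_TRAIN = [
    ((0.0, 0.0), 0), ((0.5, 0.2), 0), ((0.1, 0.8), 0), ((0.7, 0.6), 0),
    ((4.0, 4.0), 1), ((3.6, 4.3), 1), ((4.4, 3.7), 1), ((3.9, 4.5), 1),
]


def train(samples):
    """Nearest-centroid model: the mean of each label's points."""
    sums, counts = {}, {}
    for (x, y), label in samples:
        sx, sy = sums.get(label, (0.0, 0.0))
        sums[label] = (sx + x, sy + y)
        counts[label] = counts.get(label, 0) + 1
    return {lab: (sx / counts[lab], sy / counts[lab]) for lab, (sx, sy) in sums.items()}


def predict(model, point):
    """Predicted label: whichever centroid is closest to the point."""
    return min(model, key=lambda lab: l2(point, model[lab]))


def poison(samples, target, wrong_label, n_copies):
    """Training-time (poisoning) attack.

    The attacker controls part of the training data and appends copies of the
    target point carrying the label they want it to receive. Each copy drags
    that label's centroid toward the target, until the target sits on the
    wrong side of the decision boundary.
    """
    return samples + [(target, wrong_label)] * n_copies


def min_poison_copies(samples, target, wrong_label, max_copies=100):
    """Smallest number of poisoned copies that flips the target's prediction."""
    for k in range(1, max_copies + 1):
        if predict(train(poison(samples, target, wrong_label, k)), target) == wrong_label:
            return k
    return None


def evade(model, point, margin=0.05):
    """Inference-time (evasion) attack on an already-trained two-class model.

    The decision boundary of a two-class nearest-centroid model is the
    perpendicular bisector of the two centroids, {x : (x - m) . n == 0} with
    n = c_other - c_true and m their midpoint. The shortest perturbation that
    crosses it lies along n, so the point is moved exactly that far plus a
    small margin. The model itself is never modified.
    """
    true_label = predict(model, point)
    other = next(lab for lab in model if lab != true_label)
    c_true, c_other = model[true_label], model[other]
    n = (c_other[0] - c_true[0], c_other[1] - c_true[1])
    m = ((c_true[0] + c_other[0]) / 2, (c_true[1] + c_other[1]) / 2)
    norm = l2(n, (0.0, 0.0))
    # Signed distance to the boundary; negative while on the true side.
    d = ((point[0] - m[0]) * n[0] + (point[1] - m[1]) * n[1]) / norm
    step = -d + margin
    return (point[0] + step * n[0] / norm, point[1] + step * n[1] / norm)


if __name__ == "__main__":
    clean = train(CLEAN_TRAIN)
    target = (3.2, 3.2)
    k = min_poison_copies(CLEAN_TRAIN, target, wrong_label=0)
    poisoned = train(poison(CLEAN_TRAIN, target, 0, k))
    print(f"poisoning: {k} mislabelled copies flip {target} from "
          f"{predict(clean, target)} to {predict(poisoned, target)}")
    sample = (4.0, 4.0)
    adv = evade(clean, sample)
    print(f"evasion: {sample} -> ({adv[0]:.2f}, {adv[1]:.2f}), label "
          f"{predict(clean, sample)} -> {predict(clean, adv)}, perturbation "
          f"{l2(sample, adv):.2f} vs centroid gap {l2(clean[0], clean[1]):.2f}")
```

The poisoning path changes the model (the attacker pays with a visible footprint in the training data, which is where provenance checks and outlier filtering on the training set help); the evasion path leaves the model untouched and needs only query access, so it has to be caught at the input, for example by rejecting inputs that land unusually close to the decision boundary.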

In 2018, an Office of the Director of National Intelligence report highlighted several adversarial machine learning threats. Amidst the threats listed in the report, one of the most pressing concerns was the potential these attacks had for compromising computer vision algorithms.

Therefore, considering these examples and this research, it is easy to identify the impact of adversarial AI attacks on the cyber threat landscape…


Subject: State Department launches cyberbureau amid concerns over Russia and China’s digital authoritarianism
Source: CNNPolitics

The State Department’s new cybersecurity bureau formally launched on Monday in an effort to make digital rights issues an intrinsic part of US foreign policy at a time when Russia and China are increasingly trying to put their own authoritarian stamp on the internet.

The move essentially reshapes and greatly expands a bureaucratic structure, with a high-ranking cyber diplomat, that the Trump administration had effectively downgraded in the pursuit of cutting red tape. The new bureau is aimed at putting more diplomatic personnel and expertise toward State Department priorities such as shaping norms of responsible government behavior in cyberspace and helping US allies bolster their own cybersecurity programs.

Subject: MailChimp Hacked, Crypto Wallets Phished With Stolen Data
Source: Gizmodo

An unknown threat actor has targeted the email marketing company in a sophisticated scheme to phish owners of physical cryptocurrency wallets. MailChimp, the well-known email marketing company, has been hacked. Cybercriminals infiltrated the company’s systems at some point last month, stealing information on over 100 users. The criminals then repurposed the stolen data to phish users of the popular Trezor hardware wallet.

The attack, which MailChimp staff became aware of on March 26, involved an unknown threat actor getting its hands on internal tools used by the company’s customer support staff for account administration. When reached for comment by Gizmodo, a MailChimp representative provided a statement from Siobhan Smyth, Mailchimp’s chief information security officer, further explaining the breach.

“The incident was propagated by an external actor who conducted a successful social engineering attack on Mailchimp employees, resulting in employee credentials being compromised,” said Smyth. The hacker or hackers then used its access to the company to get its hands on subscriber data. “Based on our investigation, we believe that about 300 Mailchimp accounts were viewed and audience data was exported from 102 of those accounts,” Smyth said.

“As a result of the security incident, we’ve received reports of the malicious actor using the information they obtained from user accounts to send phishing campaigns to their contacts,” he said. The attack appears to have been designed to nab information on people in the crypto and finance industries, Smyth added.

Filed: Tech; Privacy and Security

Subject: Security equipment rebates aim to boost community safety
Source: GCN

Chicago is offering residents and businesses rebates on security cameras, cloud storage and GPS-based vehicle trackers.
To promote safety through increased visibility, Chicago Mayor Lori E. Lightfoot, police officials and community leaders announced a rebate program that will reimburse residents and business owners for some of the costs for surveillance cameras and other security equipment.
The rebate program is open to anyone who lives or operates a business in the city and is part of a wider announcement of city-led initiatives designed to increase visibility in Chicago’s neighborhoods. Lightfoot noted a disparity in security technologies between the city’s more affluent neighborhoods and the communities “with a long history of violent crime,” the Chicago Sun-Times reported.

To be eligible for rebates, residents and business owners must register their cameras with the Chicago Police Department. The city states that the police will not have direct access to camera systems and will need to contact camera owners to request footage. Furthermore, community members are at no point required to provide footage to the department.


Subject: How Ukraine has defended itself against cyberattacks – lessons for the US
Source: The Conversation US

The invasion took place just weeks before the national cybersecurity competition was to be held for students from the program’s 14 participating universities. I believe that the training that the faculty and students received in protecting critical infrastructure helped reduce the impact of Russian cyberattacks. The most obvious sign of this resilience is the success Ukraine has had in keeping its internet on despite Russian bombs, sabotage and cyberattacks.

National cyber defense starts with governments and organizations evaluating risks and increasing their capacity to meet the latest cybersecurity threats. After President Biden’s warning, Neuberger recommended that organizations take five steps: adopt multifactor password authentication, keep software patches up-to-date, back up data, run drills and cooperate with government cybersecurity agencies.

Small and large organizations in the U.S. concerned about cyberattacks should seek a strong relationship with the wide range of federal agencies responsible for cybersecurity. Recent regulations require firms to disclose information on cyberattacks on their networks. But organizations should turn to cybersecurity authorities before experiencing a cyberattack.

U.S. government agencies offer best practices for training staff, including the use of tabletop and simulated attack exercises. As Ukrainians have learned, tomorrow’s cyberattacks can only be countered by preparing today.


Subject: Thieves hit on a new scam: Synthetic identity fraud
Source: GCN

Combining real Social Security numbers with mismatched or phony names to create new synthetic identities allowed swindlers to bilk the federal government out of nearly $1 million from the Paycheck Protection Program.

They combined real Social Security numbers with mismatched or phony names to create new identities, according to investigators. Prosecutors began the investigation in 2018 and charged them with 108 counts of illegal financial activity, mostly borrowing huge amounts of money they never intended to pay back, according to investigators.

The scheme was so fruitful that in May 2020, according to prosecutors, Arena apparently did it again.

Synthetic identity fraud schemes have proliferated in the past few years, becoming the largest form of identity theft in the nation, according to the financial company FiVerity, which in a report last year put the losses at an estimated $20 billion in 2020. About five years ago, the Federal Reserve estimated the losses at $6 billion.

With tax filing season in full swing, the IRS is warning taxpayers to look out for documents pertaining to unemployment benefits they never received. Those documents may indicate someone else filed for unemployment insurance using their information.

In addition, he said, consumers who have had their Social Security numbers stolen can be affected, even years later, when they apply for credit. Most of the synthetic identity schemes steal Social Security numbers from people who aren’t using credit, such as children, recent immigrants or lower-income older adults who may not have credit cards.



Subject: How QR codes work and what makes them dangerous – a computer scientist explains
Source: The Conversation

Among the many changes brought about by the pandemic is the widespread use of QR codes, graphical representations of digital data that can be printed and later scanned by a smartphone or other device.

QR codes have a wide range of uses that help people avoid contact with objects and close interactions with other people, including for sharing restaurant menus, email list sign-ups, car and home sales information, and checking in and out of medical and professional appointments.

QR codes are a close cousin of the bar codes on product packaging that cashiers scan with infrared scanners to let the checkout computer know what products are being purchased.

Bar codes store information along one axis, horizontally. QR codes store information in both vertical and horizontal axes, which allows them to hold significantly more data. That extra amount of data is what makes QR codes so versatile.


Subject: VA, DOD Electronic Health Record System Suffers Nationwide Outage
Source: Nextgov

The three-hour outage prevented more than 95,000 clinician users from accessing and updating patient medical data.

The electronic health record system used to manage patient data for the Defense Department, Coast Guard and a few Veterans Affairs Department medical centers went offline nationwide for almost three hours Wednesday, preventing clinicians from updating and, for a time, accessing medical records.

Three Oracle databases underpinning those systems went down shortly after 5 p.m. ET, preventing access to all electronic medical records at 66 DOD sites, 109 Coast Guard sites and 3 VA sites, a program official confirmed to Nextgov.

“Affected clinicians were unable to log into EHRM applications or retrieve EHRM data to legacy applications,” according to an IT ticket detailing the issue obtained by Nextgov.

All told, more than 95,000 users were affected by the outage. The EHRM program official said there was no evidence that any patients were harmed due to the outage.

The official also noted that while the main EHR was down, the system failed over to a backup “read-only” system, through which clinicians could review patient data but could not update that information.


Subject: Google Rolls Out New Privacy Guide to Help You Stay Safe on Chrome

Google has added a new privacy tool aimed at Chrome users called the Privacy Guide. According to Google, the guide is “a step-by-step guided tour of some existing privacy and security controls in Chrome” that lets Chrome users adjust all their important settings from a centralized location.

Adding a few hand-holding precautions is a move reminiscent of Apple’s decision to reconfigure its privacy settings a few years ago: Google is working to help the average user gain a better understanding of how to remain secure and keep their data private in the modern age.

Posted in: AI, Blockchain, Cybercrime, Cybersecurity, Economy, Financial System, Healthcare, Legal Research, Privacy, Search Engines