Pete Recommends – Weekly highlights on cyber security issues, May 14, 2022

Subject: Every ISP in the US Must Block These 3 Pirate Streaming Services
Source: WIRED

A federal judge has ordered all internet service providers in the United States to block three pirate streaming services operated by Doe defendants who never showed up to court and hid behind false identities.

The blocking orders affect,, and, as well as related domains listed in the rulings and any other domains where the copyright-infringing websites may resurface in the future. The orders came in three essentially identical rulings (see here, here, and here) issued on April 26 in the US District Court for the Southern District of New York.

Each ruling provides a list of 96 ISPs that are expected to block the websites, including Comcast, Charter, AT&T, Verizon, and T-Mobile. But the rulings say that all ISPs must comply even if they aren’t on the list:

In all three cases, none of the defendants responded to the complaints or appeared in court, the judge’s rulings said. “Defendants have gone to great lengths to conceal themselves and their ill-gotten proceeds from Plaintiffs’ and this Court’s detection, including by using multiple false identities and addresses associated with their operations and purposely deceptive contact information for the infringing Website,” the rulings say.


Ars Technica
Digital Millennium Copyright Act

Subject: Caramel credit card stealing service is growing in popularity
Source: Bleeping Computer

A credit card stealing service is growing in popularity, allowing any low-skilled threat actors an easy and automated way to get started in the world of financial fraud. Credit card skimmers are malicious scripts that are injected into hacked e-commerce websites that quietly wait for customers to make a purchase on the site.

Once a purchase is made, these malicious scripts steal the credit card details and send them back to remote servers to be collected by threat actors.

Threat actors then use these cards to make their own online purchases or sell the credit card details on dark web marketplaces to other threat actors for as little as a few dollars.

The Caramel skimmer-as-a-service

The new service was discovered by Domain Tools, which states that the platform is operated by a Russian cybercrime organization named “CaramelCorp.”

This service supplies subscribers with a skimmer script, deployment instructions, and a campaign management panel, which is everything a threat actor needs to launch their own credit card stealing campaign.


Subject: Microsoft launches new managed service category
Source: VentureBeat

Today, Microsoft announced the launch of a new managed service category called Microsoft Security Experts. The service provides organizations with support from external security experts who can conduct tasks like threat hunting, and managed detection and response. For organizations, the service enables on-site security teams to extend their capabilities with support from off-site Microsoft experts who will investigate the environment for security incidents, and hand over contextual alert information alongside remediation instructions to determine how they can respond.

This means overburdened security teams can access extra support so they can more effectively manage their security, compliance, identity, and privacy strategies.

The first, Microsoft Defender Experts for Hunting, will be available later this summer for organizations with a robust SOC and will help proactively hunt for threats. The second is Microsoft Defender Experts for XDR, an extended managed detection and response service that’s going into private preview this fall.

Subject: What to Do If You Can’t Log In to Your Google Account
Source: WIRED

Locked outside your calendar or Gmail? Here’s how to get un-stuck—and prevent it from happening in the first place.

The web is filled with advice and shortcuts on what to do in this situation, from tapping your password manager to turning off two-factor authentication (not recommended!).

Rather than use Google’s most popular tool, Search, for the answer, we decided to ask the company directly what happens when users can’t get in and what steps they should take to recover their account. Guemmy Kim, director of account safety and security at Google, guided us through our questions.

Subject: Lincoln College to close after 157 years due ransomware attack
Source: Bleeping Computer

Lincoln College, a liberal-arts school from rural Illinois, says it will close its doors later this month, 157 years since its founding and following a brutal hit on its finances from the COVID-19 pandemic and a recent ransomware attack. This decision was made even harder with the college having survived multiple disasters, including a major fire in 1912, the Spanish flu, the Great Depression, the World Wars, and the 2008 global financial crisis.

However, a December ransomware attack was the final straw that made the decision to shut down on May 13, 2022, one that just couldn’t be avoided.

This Illinois liberal-arts school is one of the few rural American colleges that the Department of Education has qualified as a predominantly Black institution, as NBC first reported.

“All systems required for recruitment, retention, and fundraising efforts were inoperable. Fortunately, no personal identifying information was exposed.

In November, a call to action from multiple US Senators asked the US Department of Education and the Department of Homeland Security (DHS) to strengthen cybersecurity defenses at K-12 schools across the nation to keep up with a massive incoming wave of attacks.

Subject: Biden signs cybercrime tracking bill into law
Source: The Register

US President Joe Biden has signed into law a bill that aims to improve how the federal government tracks and prosecutes cybercrime. The Better Cybercrime Metrics Act, which Biden signed late last week, requires the Department of Justice to work with the National Academy of Sciences to develop a taxonomy that law enforcement can use to categorize different types of cybercrime.

It also gives the Department of Justice two years to establish a category in the National Incident-Based Reporting System for the collection of cybercrime reports from federal, state, and local officials.

Additionally, it requires the Government Accountability Office to report on the effectiveness of existing cybercrime mechanisms and highlight disparities in reporting cybercrime data versus other types of crime data.

And it requires the National Crime Victimization Survey to add questions related to cybercrime in its surveys.

Washington’s push to improve cybersecurity reporting

The law is part of a larger push by the Feds to improve cybersecurity incident reporting, and comes amid the growing threat from Russia as Putin’s war against Ukraine grinds on.

In March, Biden signed the Strengthening American Cybersecurity Act of 2022 into law, which requires critical infrastructure owners and operators to report cyberattacks within 72 hours.

That same month, the SEC proposed a rule that would force public companies to disclose cyberattacks within four days along with periodic reports about their cyber-risk management plans.

Additionally, the Department of Homeland Security in February established a public-private Cyber Safety Review Board to review “significant” cybersecurity events and help government and the private sector better protect US networks and infrastructure.

Subject: Cryptocurrency hype spawns email attacks, FBI says
Source: GCN

An increasing number of recent business email compromise complaints involve the use of cryptocurrency, according to the FBI’s Internet Crime Complaint Center.

Business email compromise scams continue to grow and evolve, according to the FBI’s Internet Crime Complaint Center. Between July 2019 and December 2021, IC3 reported a 65% increase in global exposed losses, partly due to the increase in virtual business as a result of the pandemic.

BEC or email account compromise targets government agencies, businesses and individuals responsible for transferring funds. Scammers trick email or text recipients by posing as a manager or company vendor and asking them to transfer money into fake accounts.

In recent BEC scams, criminals send victims text messages that look like bank fraud alerts asking for confirmation that they transferred funds through a digital payment app. If the victim responds to the alert, the cybercriminal then calls from a number that appears to match the financial institution’s legitimate 1-800 support number. Thinking the caller is helping them reverse the fake money transfer, victims are tricked into sending payment to the criminal’s bank account.

The popularity of cryptocurrency is also spawning BEC attacks.


Subject: Clearview AI agrees to stop selling facial recognition database to private entities

May 9 (UPI) — Facial recognition software company Clearview AI agreed Monday to limit sales of its face database in the United States to government agencies. The company came to the agreement to no longer sell its database of more than 20 billion facial photos to most private individuals and businesses in the United States as part of a settlement with the American Civil Liberties Union in a lawsuit filed in Illinois state court.

The ACLU filed the lawsuit in May 2020 on behalf of groups representing victims of domestic violence, undocumented immigrants and sex workers accusing Clearview of violating Illinois’s Biometric Information Privacy Act, which prohibits private entities from using algorithmic maps of citizens’ faces and other bodily identifiers without consent.

Clearview created an opt-out form allowing Illinois residents to request that their photos not show up in its search results and said it will spend $50,000 on online ads raising awareness about the form, while also filtering out photos taken in or uploaded from the state.

Clearview also agreed to stop offering free trial accounts to individual police officers without approval from their supervisors.

Subject: Canon Printer Owners Targeted With Scam Driver Websites
Source: Gizmodo

There are few tasks more tiresome than getting a new printer properly set up. Somehow, it never works on the first try, no matter the make or model. The device will probably function for three tries and then break down again. It is a universal frustration. But there are a few people who have experienced more lasting hardship than you’d expect while setting up their printer. Scammers have for years been preying on the unsuspecting, desperate people who need to download setup software for their new printer. And it’s a big problem for Canon, one of the world’s biggest printer brands, in particular. Gizmodo has found several fake websites run by scammers who claim to offer legit Canon printer drivers, a type of software that allows your operating system to control a specific piece of hardware. Gizmodo discovered the fake websites by filing a FOIA request with the Federal Trade Commission (FTC) for consumer complaints about Canon. FTC Complaints about Robinhood, Binance, AirBnb, Venmo, and Tinder have revealed similar patterns in the problems users face when using these internet companies’ services.

The Canon scam is specific. The complaints are filled with tales of people who were simply trying to find a Canon driver for their printers. The hapless users found themselves on a number of different sites where the fake drivers would fail to download. After that, a chat box would appear and “customer service” would offer to diagnose the problem. Sometimes, the scammers would simply ask for money to fix the imaginary problem. Other times, the scammers would lure the unsuspecting victims into handing over remote access to their computers.

Subject: Identity Theft, DMV Fraud, and Document Fraud | Nationwide | Identity, DMV, Document Fraud
Source: Fraud of the Day

Commission’s Consumer Sentinel Network Data Book reveals that 29.4 percent of complaints filed with the online database in 2020 were related to identity theft. (That’s more than any other type of fraud reported.) Amongst the many types of identity theft fraud that exist, the government documents or benefits fraud category tops the list with 406,375 reports from citizens who said their information was misused to apply for a government document or benefit. (This includes documents like birth certificates, passports, driver’s licenses, or benefits such as unemployment insurance.) The Consumer Sentinel Network Data Book also breaks down the category into subtypes and the percentage difference from 2019 including: driver’s license issued/forged (up 23%); government benefits applied for/received (up 2,920% — WOW!); other government documents issued/forged (up 42%); and, passport issued/forged (up 85%). So, what’s the bottom line here? (Sadly folks, it’s not good news.) This type of fraud is projected to continue to rise. One example of government document fraud includes Orvil Perez-Jiminez, 34, of Dundalk Md…. While this all sounds very negative, there is some good news. There’s a lot you can do to protect your identity from being stolen. The Identity Theft Resource Center (ITRC) offers the opportunity to search across multiple data breaches to see if your phone number and email has been compromised. The website also gives some helpful tips that can help you protect your identity on physical documents, cards, devices, online, and on accounts with electronic access….


Subject: EV Infrastructure Vulnerabilities Put Cars, the Grid at Risk
Source: Route Fifty

Hackers that target electric vehicle infrastructure can lock drivers out of their vehicles, steal payment information and even compromise electrical grids. Electrifying the nation’s vehicles and transportation infrastructure exposes drivers and cities to new risks. If cybercriminals hack into electric vehicles, they could not only penetrate the vehicle itself, but also compromise the entire connected infrastructure — including charging stations, electrical grids, back office utilities and the cloud, according to experts at NextGov’s May 6 Cyber Defenders event.

When heavy duty vehicles start charging at multi-megawatt plazas, they can strain cities’ power systems. If these systems are not managed or secured properly, attackers can shut down electrical grids and cause blackouts for entire city blocks, Chhaya said.

Fleets of publicly owned vehicles like electric buses, trucks and emergency response vehicles are also at risk. Officials should ensure the vehicles and infrastructure are secure, as disruptions would have a major impact on city and emergency services, the panelists said.

“Every component [of EV infrastructure] is designed with very limited knowledge of how it interacts with the rest of the system,” Chhaya said. Cars have a few, specific interfaces with EV infrastructure, but they have not been designed to account for upstream actions, he said.

To ensure security on all fronts, EV infrastructure designers must ensure “that every aspect of the system – from the customer, to the endpoints, vehicles, back office utilities and cloud providers – is operating on one set of requirements,” Chhaya said. “There has not been any activity that has looked at the entire system end to end.”




Subject: Digital Investigation Techniques: A NIST Scientific Foundation Review
Source: NIST via beSpacific

NIST: “The National Institute of Standards and Technology (NIST) has published Digital Investigation Techniques: A NIST Scientific Foundation Review. This draft report, which will be open for public comment for 60 days, reviews the methods that digital forensic experts use to analyze evidence from computers, mobile phones and other electronic devices. The purpose of NIST scientific foundation reviews is to document and evaluate the scientific basis for forensic methods. These reviews fill a need identified in a landmark 2009 study by the National Academy of Sciences, which found that many forensic disciplines lack a solid foundation in scientific research. …

To conduct their review, the authors examined peer-reviewed literature, documentation from software developers, test results on forensic tools, standards and best practices documents and other sources of information. They found that “digital evidence examination rests on a firm foundation based in computer science,” and that “the application of these computer science techniques to digital investigations is sound.”


Download the full draft report. [82-page PDF]

NIST Topics:

Forensic Science
Digital evidence
Information technology
Software research
Software testing
Public safety
Law enforcement

Subject: Thousands of Popular Websites See What You Type—Before You Hit Submit
Source: WIRED via beSpacific

Wired – “A surprising number of the top 100,000 websites effectively include keyloggers that covertly snag everything you type into a form. When you sign up for a newsletter, make a hotel reservation, or check out online, you probably take for granted that if you mistype your email address three times or change your mind and X out of the page, it doesn’t matter. Nothing actually happens until you hit the Submit button, right? Well, maybe not. As with so many assumptions about the web, this isn’t always the case, according to new research: A surprising number of websites are collecting some or all of your data as you type it into a digital form. Researchers from KU Leuven, Radboud University, and University of Lausanne crawled and analyzed the top 100,000 websites…


Subject: Alvaro Bedoya’s confirmation to the FTC gives Lina Khan her Democratic majority
Source: Vox Recode

“Alvaro’s knowledge, experience, and energy will be a great asset to the FTC as we pursue our critical work,” Khan said in a statement. “I’m excited to begin working with him, along with our other Commissioners, once his appointment is made final by President Biden.”

Bedoya comes to the FTC from Georgetown Law’s Center on Privacy and Technology, of which he was the founding director. His nomination, made way back in September, was welcomed by privacy advocates. Bedoya said in his confirmation hearing last year that he intended to focus on privacy issues, including data and facial recognition. With no federal consumer privacy law, the FTC’s powers are limited, but it still can — and has — gone after companies for privacy issues.


Subject: ICE Has Assembled a ‘Surveillance Dragnet’ with Facial Recognition and Data, Report Says
Source: Nextgov

Immigration and Customs Enforcement, or ICE, “now operates as a domestic surveillance agency,” according to a new report by Georgetown Law’s Center on Privacy and Technology based on a two-year investigation. The report details how, since the agency was established in post-9/11 legislation, ICE has moved beyond cooperating primarily with other law enforcement agencies to assemble an infrastructure that enables it to pull detailed information on Americans, immigrants and non-immigrants alike, with data from private data brokers and state and local governments.

ICE’s “surveillance dragnet” also uses facial recognition, especially the scanning of driver’s license photos for immigration enforcement, according to the report, which involved hundreds of Freedom of Information Act Requests and reviews of the agency’s contracting and procurement records.

Between 2008 and 2021, ICE spent about $96 million on biometrics, a category that also includes fingerprinting and DNA testing, according to the report.

The sharing of data handed over to get essential services has already created evidence of a “chilling effect,” or the deterrence of immigrants from interacting with government systems and enrolling in critical services, the report states.

The report does include recommendations, urging Congress to reform immigration laws, enact new data protections, update laws that limit the disclosure of information given by Americans to the DMV and conduct more oversight of ICE, including the agency’s use of biometrics.
It also includes recommendations for state lawmakers on the use of water, gas, electricity, phone and internet records for immigration enforcement and ICE access to DMV data.

Subject: Survey: 93% of Americans Fear Cyberwarfare Against US
Source: Route Fifty

The survey, which polled more than 1,000 U.S. consumers, found 93% harbor concerns that a foreign country could wage cyber warfare against the U.S. Conversely, only 19% of those surveyed were “100% confident” in the government’s ability to protect citizens against cyber warfare. The survey comes amid increased reports of cyber activity in Ukraine and Russia, even as the Chinese government continues to conduct cyber campaigns into U.S. government systems. “Cyber warfare is carried out for many different reasons and between a variety of groups. Even during peacetime, we’ve seen concerted online efforts by Russia, China and others to interfere with the democratic processes of the U.S. and other allies,” Daniel Markuson, digital privacy expert with NordVPN, said in a statement. According to the survey, more than one-third of Americans (35%) are

Subject: New Tool Lets You Analyse TikTok Hashtags
Source: Bellingcat via beSpacific

Bellingcat: “In just a few years, TikTok has become one of the world’s most successful social networks. The company claims that its platform is used by over a billion people every month. TikTok’s role during the invasion of Ukraine has changed the common misconception of a website predominantly used by its young users to post videos of lip-synced songs or dance challenges. During Russia’s military buildup, users posted videos of military equipment being transported to the Ukrainian border. Since that equipment crossed that border, numerous TikToks have shown missiles, destroyed buildings or the daily life of Ukrainians who have to spend their days in shelters, leading some commenters to even call this a “TikTok war”. But this isn’t the first time TikTok has played a role for open source investigators. Videos that appeared on TikTok in Myanmar in early 2021 showed men in uniform threatening to kill anti-coup protesters. During search efforts to find the disappeared US travel blogger Gabby Petito, TikTokers reportedly uploaded information that helped solve the case…. TikTok’s API (Application Programming Interface) presents more obstacles to developers. It can change frequently, making it harder for developers to use and harder for researchers to draw wider insights from trends as they develop over weeks and months. Bellingcat’s Investigative Tech Team has therefore created the Bellingcat TikTok Analysis Tool (built on the basis of a TikTok scraper offered by Github user drawrowfly) that allows researchers to collect a dataset of TikToks associated with specific hashtags over lengthier periods. The tool also allows researchers to analyse what other topics appear together with selected hashtags most frequently. When reviewing large datasets, it can be particularly interesting to discover which hashtags are regularly added to TikToks which already share one specific tag. Many TikToks contain multiple hashtags, …


The Bellingcat Investigative Tech Team develops tools for open source investigations and explores tech-focused research techniques. It consists of Aiganysh Aidarbekova, Tristan Lee, Miguel Ramalho, Johanna Wild and Logan Williams. Do you have a question about applying these methods or tools to your own research, or an interest in collaborating? Contact us here.

Subject: What exactly is Web3?
Source: Becker’s Health IT

Web3 is touted as an inevitable game changer for the internet by advocates, while others think it’s an overhyped project with impossible barriers to surmount. This new, decentralized and blockchain-backed version of the internet is worth talking about, according to a May 10 Harvard Business Review article. Web3 is a shorthand for the project that aims to change the internet by using blockchain to disrupt how information is stored, shared and owned. In theory it could break the monopolies of a select few companies who control information. Some argue that it will create new products, economies and democratize the web, creating a web that you can read, write and own.



Subject: Creating a Framework for Supply Chain Trust in Hardware and Software
Source: Lawfare Institute via beSpacific

A Report of the Lawfare Institute’s Trusted Hardware and Software Working Group May 2022: “In a world of growing dependence on technology, consumers of information and communications technology (ICT) goods face increasingly important questions: How, and to what extent (if any), can they be confident that the systems on which they rely are worthy of trust? One need only think of the controversies surrounding hardware and software systems manufactured in China but used in Western commerce to understand the political and practical salience of the problem. To answer that question, the Lawfare Institute convened a working group of experts to articulate and justify a set of trustworthiness principles—concepts that, ex ante, would justify accepting a digital artifact as worthy of being trusted. Although we concluded that a dispositive assessment of trustworthiness would never be feasible, the report develops a comparative checklist of steps an organization can take that significant stakeholders might agree demonstrates its products to be trustworthy—what one might call a functional definition of trustworthiness. Even without the prospect of precisely assessable levels of trustworthiness, the report concludes that a framework for assessments can be made with a relatively high degree of confidence. The value of a framework based on agreed-upon principles should be evident. Using these principles—as well as acceptable evidence—as a guideline, ICT manufacturers and users, including organizations and consumers, can analyze comparative risks and make reasoned risk-benefit and resource-allocation decisions. The framework identifies multiple principles of trustworthiness organized around four core values: maximize transparency, ensure accountability, allow for independence of evaluation and prefer provable analytic means of trust verification over axiomatic, unverifiable means of assessment.”

Subject: The bioeconomy is in desperate need of security from hackers
Source: Becker’s Health IT

The U.S. bioeconomy, which encompasses the biomedical, bioindustrial and biomanufacturing world, is at risk from hackers if it doesn’t receive adequate resources to secure itself, reported Wired May 12. As cybersecurity becomes a bigger issue for a broader variety of companies, organizations that are part of the bioeconomy are now realizing that they are vulnerable to cyberattack. Political actors alongside hackers looking for cash may be targeting bioeconomy companies. For example, Russia and China both raced to hack vaccine makers for intelligence gathering throughout the pandemic, which could have been disruptive to operations.

While some parts of the industry, including healthcare and agriculture, are designated as critical industries, the entirety of the bioeconomy is not, given its far-reaching nature. Instead it is given the label “critical emerging tech,” which means it is unable to access some of the funding and resources for security given to those with critical industry designations.


Posted in: AI, Big Data, Computer Security, Criminal Law, Cybercrime, Cybersecurity, Legal Research, Privacy