Pete Recommends – Weekly highlights on cyber security issues, June 4, 2022

Subject: Bill Aims to Ban China’s Digital Currency from US App Stores
Source: Gizmodo

The proposed law would prevent app stores from carrying apps that accept payment in e-CNY. Three Republican Senators have proposed a bill to try to ban the use of apps that support China’s digital currency, also known as e-CNY or digital yuan, over concerns that the Chinese government could use the currency to spy on U.S. citizens.

The draft law was labeled as the “Defending Americans from Authoritarian Digital Currencies Act,” and calls for prohibiting app stores including Apple and Google from carrying any apps that accept purchases in the digital currency. That would include the popular messaging app WeChat, which announced that it would support e-CNY earlier this year.

China’s digital currency has raised concerns over safety and privacy issues. During the 2022 Olympic Games in Beijing, a group of Republican lawmakers warned American athletes not to use digital yuan while in China, claiming that it could be tracked by the central bank.

Subject: Accused of Cheating by an Algorithm, and a Professor She Had Never
Source: NYT via Risks Digest

Accused of Cheating by an Algorithm, and a Professor She Had Never
Jan Wolitzky <[email protected]> Fri, 27 May 2022 07:05:04 -0400

A Florida teenager taking a biology class at a community college got an upsetting note this year. A start-up called Honorlock had flagged her as acting suspiciously during an exam in February. She was, she said in an email to *The New York Times*, a Black woman who had been *wrongfully accused of academic dishonesty by an algorithm.* What happened, however, was more complicated than a simple algorithmic mistake. It involved several humans, academic bureaucracy and an automated facial detection tool from Amazon called Rekognition. Despite extensive data collection, including a recording of the girl, 17, and her screen while she took the test, the accusation of cheating was ultimately a human judgment call: Did looking away from the screen mean she was cheating? … see:

Subject: Scientists create new method to kill cyberattacks in less than a second – News
Source: Cardiff University

A new method that could automatically detect and kill cyberattacks on our laptops, computers and smart devices in under a second has been created by researchers at Cardiff University. Using artificial intelligence in a completely novel way, the method has been shown to successfully prevent up to 92 per cent of files on a computer from being corrupted, with it taking just 0.3 seconds on average for a piece of malware to be wiped out.

Publishing their findings in the journal Security and Communications Networks, the team say this is the first demonstration of a method that can both detect and kill malicious software in real-time, which could transform approaches to modern cybersecurity and avoid instances such as the recent WannaCry cyberattack that hit the NHS in 2017.

Using advances in artificial intelligence and machine learning, the new approach, developed in collaboration with Airbus, is based on monitoring and predicting the behaviour of malware as opposed to more traditional antivirus approaches that analyse what a piece of malware looks like.

Subject: Cybercriminals target metaverse investors with phishing scams
Source: CNBC

  • The metaverse, the new digital frontier where users can attend virtual concerts or purchase digital assets like land, has been hit with fraud.
  • Cybercriminals use phishing links that imitate the legitimate metaverse platforms to drain investors’ digital wallets of assets.
  • While metaverse platforms are increasing their security measures and educating consumers about fraud prevention, they say they’re not responsible for refunding money to phishing scam victims.

Investors across the country told CNBC that hackers stole their land in the metaverse by tricking them into clicking on links they believed were genuine portals to the virtual universe, but which turned out to be phishing sites designed to steal user credentials. What they wanted was a piece of the metaverse — a new, blockchain-based virtual set of platforms that has recently come to prominence because of significant involvement from celebrities, fashion shows and investors.

Instead, they say they got a lesson in the dangers of high-risk investing.

The rising popularity of investing in the metaverse – in which users purchase virtual “land” on various platforms with an expectation that it will increase in value – has also ushered in a new wave of high-tech fraud, according to authorities, interviews with victims and cybersecurity experts.

With cryptocurrency, users can buy and develop virtual land or attend fashion shows and concerts — all within the confines of their computer screens.

The concept is not new. For centuries, authors and inventors have fantasized about a novel, interactive 3D reality. The term “metaverse” was first coined by author Neal Stephenson in his 1982 science fiction novel, “Snow Crash,” in which the metaverse was a virtual reality used as a means of escape from a totalitarian world.

And in the decades since Stephenson’s novel, interactive online video games like Minecraft, Roblox and Fortnite have set the groundwork for blockchain-based games that have captivated the internet.

Buying virtual property

The three most popular platforms for purchasing metaverse real estate are The Sandbox, Decentraland and SuperWorld. While the three platforms have existed for years, they only started selling blockchain-based plots of land during the past year.

Seven security researchers, five from the Zhejiang University, China and two from the Technical University of Darmstadt, Germany, have successfully demonstrated how to remotely hack and swipe smartphone touchscreens without actually touching them. The attack methodology, which has been named WIGHT (WIred GHost Touch), is claimed to be the first wired attack on touchscreens using ghost touches by way of charging cables.

A brand new type of smartphone ‘ghost touch’ remote attack

In a newly published paper titled ‘WIGHT: Wired Ghost Touch Attack on Capacitive Touchscreens’ the researchers say they had success when tested on a Samsung Galaxy S20 FE and Apple iPhone SE (2020) as well as devices from Huawei, LG, and Xiaomi. The connection is that this is an attack methodology requiring a capacitive touchscreen, as used by most smartphones today. The actual hack, though, has another connection. Quite literally in fact: the charging cable connected to the device.

The attack requires the phone to be connected to what the researchers call a “malicious charging port” and works via Lightning, USB-A, USB-C and Micro USB charging cables. The hack works, they say, across multiple power adapters and isn’t stopped by USB data blockers.

Essentially, what they are doing is injecting noise through the charging cable in a form that is not filtered out by the device but still disturbs the capacitive touchscreen’s measurement mechanism. By syncing this ‘malicious noise’ with the touchscreen scanning cycle, the researchers found they were able to achieve three different types of remote attacks.

Subject: Threats in the shadows: Combatting RF attacks with geofencing
Source: VentureBeat

There are no shortages of attack vectors that cybercriminals can use to infiltrate an enterprise. From phishing and malware to routers and HVAC systems, security teams are already spread thin, and now they can add shadow IT to their list of security concerns. Shadow IT is a broad term covering the use of systems, devices, software, applications, and services without the knowledge or approval of IT departments. Of particular concern are mobile and IoT devices being brought into an office, facility or campus. Many of these devices contain radio frequency (RF) vulnerabilities that can be exploited from outside the facility.

Dangers and threats of shadow IT

And it’s not just smartphones. IoT devices are vulnerable to attacks. Smartwatches are also at risk of being hacked. A hacked smartwatch can potentially allow cybercriminals to access sensitive data, track location and even listen in on conversations.

Improved security: Spotting suspicious devices lurking in the shadows

Simply banning mobile and IoT devices from entering a whole facility is easier said than done. Many employees use their devices for work-related purposes. Bring Your Own Device (BYOD), for all its benefits, also presents multiple security concerns including potential breaches, network intrusions and data loss. An approved-device-only policy is hard to enforce, as many security teams lack the visibility to identify devices entering the sensitive parts of facilities. An honor system is problematic as well, since employees interpret the “no devices” policy differently. Examples we see all the time:

To protect their facilities and ensure higher security, it is imperative for security professionals to implement solutions that deliver the visibility to detect and locate all of the authorized and unauthorized RF devices operating on Cellular, Wi-Fi, ZigBee, Bluetooth, Bluetooth Low Energy (BLE) and other RF protocols.

Subject: Global tech industry objects to India’s new infosec regime
Source: The Register

Eleven significant tech-aligned industry associations from around the world have reportedly written to India’s Computer Emergency Response Team (CERT-In) to call for revision of the nation’s new infosec reporting and data retention rules, which they criticise as inconsistent, onerous, unlikely to improve security within India, and possibly harmful to the nation’s economy.

The rules were introduced in late April and are extraordinarily broad. For example, operators of datacenters, clouds, and VPNs are required to register customers’ names, the dates on which services were used, and even customer IP addresses, and to store that data for five years.

Another requirement is to report over 20 types of infosec incident, even port scanning or attempted phishing, within six hours of detection. Among the reportable incidents are “malicious/suspicious activities” directed towards almost any type of IT infrastructure or equipment, without explanation of where to draw the line between malicious and suspicious activity.

The new rules attracted plenty of local criticism on grounds that a six-hour reporting window is too short, the requirement to record VPN users’ details is an attack on privacy, and that the requirements are too broad and therefore represent an onerous compliance burden.

Among the objections raised by the letter are:

Subject: Firefox Translations: Firefox’s offline translate feature is making progress
Source: gHacks Tech News

Most translate services require an Internet connection to work. Google Chrome communicates with the company’s Google Translate service to return translated content to the user. While that is handy, some users dislike the privacy implications of translate services.

Some browser makers have integrated privacy-friendly translate services as a response. Vivaldi Technologies, maker of the Vivaldi browser, integrated such a service in Vivaldi 4.3. Instead of using a cloud-based third-party service or untrusted translate feature, Vivaldi Technologies is hosting its own translate service instance.

The holy grail from a privacy perspective is a browser that supports local translations that do not require an Internet connection at all. Mozilla has been working on that for some time now for its Firefox web browser. Mozilla integrated Firefox Translations in the Nightly version of the browser in mid 2021, but it stopped working eventually and little information was released on the status of the project.

Closing Words

Built-in translate functionality that is privacy friendly could give Firefox a much needed boost once it is integrated into the stable version of the browser. There is no fixed date yet. Mozilla still has work to do, including adding more languages and improving the performance of the service further.


Subject: A Face Search Engine Anyone Can Use Is Alarmingly Accurate
Source: New York Times via beSpacific

The New York Times – “For $29.99 a month, a website called PimEyes offers a potentially dangerous superpower from the world of science fiction: the ability to search for a face, finding obscure photos that would otherwise have been as safe as the proverbial needle in the vast digital haystack of the internet. A search takes mere seconds. You upload a photo of a face, check a box agreeing to the terms of service and then get a grid of photos of faces deemed similar, with links to where they appear on the internet. The New York Times used PimEyes on the faces of a dozen Times journalists, with their consent, to test its powers. PimEyes found photos of every person, some that the journalists had never seen before, even when they were wearing sunglasses or a mask, or their face was turned away from the camera, …

Abstracted from beSpacific
Copyright © 2022 beSpacific, All rights reserved.

Subject: Seven years in the making, DHS’s new cyber talent system boasts just one hire
Source: FCW

The Department of Homeland Security spent seven years building a special human resources system to attract and hire cybersecurity specialists. So far, just one employee has started work at the department under the new system.

The agency cited the need for more awareness of CTMS among DHS hiring managers and human resources officials, and noted that market pressures are having an impact on hiring in and out of government, and that keen competition for cybersecurity talent plays a role as well.

The biggest challenge with CTMS so far has been “convincing people how awesome it is,” CISA’s Deputy Director Nitin Natarajan told FCW. CISA has been working to educate applicants as well as hiring managers on how the new system works.

Subject: Report details 5G security assessment process
Source: GCN

The agencies demonstrated, in a sample “5G Security Evaluation Process Investigation,” released May 26, how agencies can use the National Institute of Standards and Technology’s Risk Management Framework in conjunction with various tools, including those crafted by industry, toward authorizing 5G projects as security standards for the technology are still being developed.

In a blog post accompanying the release, CISA Executive Assistant Director for Cybersecurity Eric Goldstein said the agencies are “excited to introduce a proposed five-step 5G security evaluation process that is derived from research and security analyses.”

Subject: Cybersecurity Initiative to Give Consumers New Digital Security Tools
Source: Consumer Reports

Consumer Reports announced today that it is launching a new program with the goal of helping consumers protect themselves and their communities from cybersecurity threats.

Under the initiative, which is being funded with a $5 million grant from Craig Newmark Philanthropies, CR will expand its security evaluations of consumer products and services, provide new tools people can use to protect themselves from digital threats, and organize public campaigns to advocate for both companies and the government to raise standards for cybersecurity.

“Today, we know that consumers are increasingly vulnerable to cyberthreats, and the tools to secure our data are often complicated, or they don’t even work,” says Marta Tellado, president and CEO of Consumer Reports. “This new initiative will help us educate people so they can better protect themselves, and stand up to demand that industry and government do better.”

The announcement comes three years after CR launched the Digital Lab, also with support from Newmark, to create standards for evaluating the privacy and security of internet-connected products and to promote consumers’ rights in the digital world. CR’s resources for consumers include privacy and security testing of products such as password managers, routers, TVs, security cameras, and VPNs (virtual private networks). The CR Security Planner is a tool that enables people to devise a personalized list of steps to protect their privacy and security.

Subject: Tech Experts Urge Congress to Fight Crypto Influence
Source: Gizmodo

A group of technology experts is trying to warn the government of the dangers of the crypto industry. In a letter to U.S. policy makers, 26 computer scientists and engineers called on lawmakers to block efforts to create a ‘regulatory safe haven’ for cryptocurrency. They want leaders in Washington to instead focus on what they’re calling ‘responsible fintech policy.’

“The claims that the blockchain advocates make are not true,” Harvard professor Bruce Schneier, a member of the group behind the recent warning against crypto, told the Financial Times. “It’s not secure, it’s not decentralized. Any system where you forget your password and you lose your life savings is not a safe system.”

The letter calls on lawmakers to resist lobbying efforts by advocates of the crypto industry who don’t want the government to regulate cryptocurrency. Crypto lobbying has in fact ramped up in the past couple of years, with spending to influence cryptocurrency policy in Washington quadrupling since 2018, according to an analysis by Public Citizen. Stakeholders from the industry have spent about $4.4 million on federal lobbying in the U.S. in the first quarter of this year, according to The Block, with the largest U.S. cryptocurrency exchange company, Coinbase, spending $760,000 on lobbying alone during that period.
