Pete Recommends – Weekly highlights on cyber security issues, July 3, 2022

Subject: Biden Strengthens Cyber Coordination Between Feds and State, Local Government
Source: Route Fifty

President Joe Biden signed a bill to increase cybersecurity coordination between the Department of Homeland Security and state, local, tribal and territorial governments. State and local governments increasingly find themselves victims of cyberattacks, often because they do not have the expertise or resources to defend against sophisticated and persistent attackers.

The State and Local Government Cybersecurity Act improves collaboration between DHS and state and local governments in several key areas. The new law calls for the National Cybersecurity and Communications Integration Center (NCCIC) — DHS’s 24/7 cyber situational awareness, incident response and management center — to provide operational and technical cybersecurity training for state and local agencies related to threat indicators, defensive measures and incident response and management.

The bill sets up two-way information sharing. NCCIC is directed to help state and local agencies share threat indicators and information about cybersecurity risks and incidents with federal agencies and other SLTT organizations. For its part, NCCIC must notify state and local agencies about specific incidents and malware that may affect them or their residents.


Subject: Americans report losing over $1 billion to cryptocurrency scams
Source: BleepingComputer

The U.S. Federal Trade Commission (FTC) says over 46,000 Americans have reported losing more than $1 billion worth of cryptocurrency to scams between January 2021 and March 2022. This is a significant increase compared to last year’s report issued by the FTC, when the agency revealed that roughly $80 million was lost to cryptocurrency investment scams based on around 7,000 reports.

Today’s report aligns with the FBI’s 2021 Internet Crime Report [PDF]. The U.S. law enforcement agency said that tens of thousands of reports pointed to over $1.6 billion in cryptocurrency losses.

“In 2021, the IC3 received 34,202 complaints involving the use of some type of cryptocurrency, such as Bitcoin, Ethereum, Litecoin, or Ripple,” the FBI said [PDF].

“While that number showed a decrease from 2020’s victim count (35,229), the loss amount reported in IC3 complaints increased nearly seven-fold, from 2020’s reported amount of $246,212,432, to total reported losses in 2021 of more than $1.6 billion.”

“These scams often falsely promise potential investors that they can earn huge returns by investing in their cryptocurrency schemes, but people report losing all the money they ‘invest,’” the FTC said.

Subject: Cybersecurity and the metaverse: Identifying the weak spots
Source: VentureBeat

Understanding the metaverse:

In a nutshell, the metaverse is a new, enhanced version of the internet that uses virtual reality and augmented reality (AR/VR) to provide a fully immersive experience of the online world. It is, in other words, a version of the web in which “you,” in the form of your online avatar, can work, play, get an education, shop and socialize with friends — and feel as if you’re actually there.

The metaverse is, in essence, an alternative to our physical world, but without many of its limitations, such as the constraints of geographic distance or the hindrances of real, living bodies.

Sounds pretty exciting, right? Well, yes. However, there’s a downside. Experts predict that the metaverse is going to amplify the cybersecurity challenges that already exist online today while introducing a host of new ones, both those that we can predict as well as those we cannot as of yet.

Research shows, for example, that cybersecurity threats, as well as cybercrimes, are rapidly and dramatically increasing, rising by 50% or more, year over year. Recent predictions hold that the annual costs of cybercrime will exceed $10 trillion by the year 2025, and that the primary commercial targets are likely not to be finance or commerce. Rather, other key industries are being targeted for cybercrime, such as real estate, education and agriculture.

Identity security – The metaverse is designed to function through the use of digital avatars that each user creates for themselves. Ostensibly, this avatar will be both unique and secure, which will allow the real human it represents to use their personally identifiable information (PII) and other sensitive information to make purchases, do work and even receive healthcare.

In addition, through the avatar, the user can interact with others in the digital space, including working with colleagues in a virtual office.

The concern, however, is that because the avatar is, fundamentally, the skeleton key to your private offline information, from your PII to your financial accounts, if a hacker gains access to your avatar, then they can open the door to your entire life. This holds the potential to take identity theft to an unprecedented level.

NFT and bitcoin scams – The metaverse will function through its own forms of currency, including cryptocurrency like Bitcoin, as well as various types of nonfungible tokens (NFTs).

The takeaway – The metaverse is truly a brave new world, one that holds tremendous promise and potential. The metaverse may well revolutionize the ways we work, learn, play and socialize. However, the cybersecurity threats of the metaverse are very real, and it is incumbent upon metaverse creators, governments, corporations and private citizens to understand and guard against these dangers.



Subject: What Are Shadow IDs, and How Are They Crucial in 2022?
Source: The Hacker News

Just before last Christmas, in a first-of-a-kind case, JPMorgan was fined $200M for employees using non-sanctioned applications for communicating about financial strategy. No mention of insider trading, naked shorting, or any malevolence. Just employees circumventing regulation using, well, Shadow IT. Not because they tried to obfuscate or hide anything, simply because it was a convenient tool that they preferred over any other sanctioned products (of which JPMorgan certainly has quite a few). Visibility into unknown and unsanctioned applications has been required by regulators and also recommended by the Center for Internet Security community for a long time. Yet it seems like new and better approaches are still in demand. Gartner has identified External Attack Surface Management, Digital Supply Chain Risk, and Identity Threat Detection as the top three trends to focus on in 2022, all of which are closely intertwined with Shadow IT.

“Shadow IDs,” or in other words, unmanaged employee identities and accounts in third-party services, are often created using a simple email-and-password-based registration. CASBs and corporate SSO solutions are limited to a few sanctioned applications and are not widely adopted on most websites and services either. This means that a large part of an organization’s external surface, as well as its user identities, may be completely invisible.

Above all, these Shadow IDs remain unmanaged even after employees leave the organization. This may result in unauthorized access to sensitive customer data or other cloud-based services. Employee-created but business-related identities are also invisible to most IDM/IAM tools. The graveyard of forgotten accounts belonging to ex-employees or abandoned applications is growing every day, to infinity.

Subject: Italy Data Protection Authority Warns Websites Against Use of Google Analytics
Source: The Hacker News

Following the footsteps of Austria and France, the Italian Data Protection Authority has become the latest regulator to find the use of Google Analytics to be non-compliant with E.U. data protection regulations. The Garante per la Protezione dei Dati Personali, in a press release published last week, called out a local web publisher for using the widely used analytics tool in a manner that allowed key bits of users’ personal data to be illegally transferred to the U.S. without necessary safeguards.

This includes interactions of users with the websites, the individual pages visited, IP addresses of the devices used to access the websites, browser specifics, details related to the device’s operating system, screen resolution, and the selected language, as well as the date and time of the visits.

The website in question, Caffeina Media SRL, has been given a period of 90 days to move away from Google Analytics to ensure compliance with GDPR. In addition, the Garante drew webmasters’ attention to the unlawfulness of data transfers to the U.S. stemming from the use of Google Analytics, recommending that site owners switch to alternative audience measurement tools that meet GDPR requirements.

Earlier this month, the French data protection watchdog, the CNIL, issued updated guidance over the use of Google Analytics, reiterating the practice as illegal under the General Data Protection Regulation (GDPR) laws and giving affected organizations a period of one month to comply.

Subject: People Are Using Deepfakes to Apply to Remote Jobs, FBI Says
Source: Gizmodo

Imposters were reported using stolen identities, fake video, and doctored voices to access sensitive company data, according to the feds. Companies hiring for an open IT position might need to do more than scrutinize how prospective employees react to the question “What is your worst quality?” If the prospective hire sneezes or coughs without moving their lips, their worst quality might be that they’re not actually real.

The FBI wrote to its Internet Crime Complaint Center Tuesday that it has received multiple complaints of people using stolen information and deepfaked video and voice to apply to remote tech jobs.

According to the FBI’s announcement, more companies have been reporting people applying to jobs using video, images, or recordings that are manipulated to look and sound like somebody else. These fakers are also using personally identifiable information from other people—stolen identities—to apply to jobs at IT, programming, database, and software firms. The report noted that many of these open positions had access to sensitive customer or employee data, as well as financial and proprietary company info, implying the imposters could have a desire to steal sensitive information as well as a bent to cash a fraudulent paycheck.


Subject: Federal lawmakers aim to crack down on ‘dark patterns’ that trick users online
Source: Pennsylvania Capital-Star

The legislation would place limits on how internet firms with over 100M monthly users could ask for information. WASHINGTON – Tech companies sometimes lure users to sign up for a service or share information they might not have agreed to otherwise by using subtle tactics and marketing on their websites and apps, like surveys that mine for personal information or designs that hide privacy settings.

But these practices — commonly called “dark patterns” — are coming under increased scrutiny from the federal government.

U.S. Sen. Mark Warner, D-Va., has teamed up with a group of bipartisan lawmakers from the House and Senate on legislation known as the DETOUR Act that seeks to ban these practices.

Meanwhile, the Federal Trade Commission, the government’s consumer protection agency, has said it will ramp up enforcement against dark patterns that are already illegal and can trick consumers into subscriptions. The FTC also announced this month that it will undertake a wide-ranging overhaul of its overarching guidance on digital advertising.

A 2019 Princeton University study scanned 11,000 shopping websites and found instances of dark patterns on 11 percent of the sites. The more popular shopping sites were more likely to have dark patterns, according to the study.

Subject: Google Asks for Permission to Flood Inboxes With Campaign Spam
Source: Gizmodo

The GOP complained that too many conservative fundraising emails were going to spam. Now, Google wants to make political emails exempt from filtering. After years of grumbling from Republicans in Congress, Google has requested that the Federal Election Commission allow a pilot program in which political campaign emails would be exempt from spam filtering.

The new program would allow emails from “authorized candidate committees, political party committees and leadership political action committees registered with the FEC,” to bypass Gmail’s spam categorization system, the filing read. That is, as long as those messages don’t violate the platform’s other rules around phishing, malware, or illegal activity.

Google seems to be trying to get ahead of a proposed bill. South Dakota Sen. John Thune and 25 other Republican legislators introduced an act on June 16 aiming to make it “unlawful for an operator of an email service to use a filtering algorithm to apply a label to an email sent to an email account from a political campaign unless the owner or use of the account took action to apply such a label.”

Instead of being screened by Gmail’s spam filter, all qualifying political emails would instead go directly to users’ inboxes. From there, users would get a “prominent” nudge to either keep receiving emails from the same sender, or to opt out, according to the filing.

Subject: FTC sues Walmart, alleging money transfers fleeced customers of $197 million
Source: UPI

June 29 (UPI) — The Federal Trade Commission sued Walmart, alleging that the retailer turned a blind eye to scammers using its money transfer services to defraud Walmart customers of more than $197 million. The FTC said in a statement Tuesday that it sued Walmart “for allowing its money transfer services to be used by fraudsters, who fleeced consumers out of hundreds of millions of dollars.”

“While scammers used its money transfer services to make off with cash, Walmart looked the other way and pocketed millions in fees,” FTC Bureau of Consumer Protection Director Samuel Levine said in the statement.

“The FTC’s complaint distorts the facts and the law to try and hold Walmart responsible for a minuscule amount of reported fraud, even though we had an extensive program to try to stop such fraud, and continuously improve our anti-fraud efforts to this day,” Walmart’s statement said.

“In many cases, older consumers (ages 65 and older) have been financially exploited by sending money transfers in connection with common telemarketing scams, such as grandparent scams, Good Samaritan scams, lottery or prize scams, and romance scams, from Walmart locations,” the FTC alleged in the suit.

Subject: FCC Commissioner to Google, Apple: Pull TikTok From App Stores
Source: Gizmodo

Commissioner Brendan Carr railed against the popular Chinese-owned social platform, alleging it was handing over U.S. citizens’ data to Beijing. TikTok’s promises to keep its U.S. users’ data safe and sound are not satisfying at least one member of the Federal Communications Commission. FCC Commissioner Brendan Carr said in a blistering letter Wednesday that the Chinese company has proved it can’t be trusted with the information users give it, and should be bundled up and tossed out the airlock.

Carr posted an open letter sent to both Google and Apple on his Twitter account Tuesday. In it, he called on the companies to jettison the TikTok app from their app stores. Carr cites multiple cases of the company being exceptionally data-hungry. Most recently, BuzzFeed News reported that the Chinese government had gained access to American users’ data despite TikTok’s claims that it kept U.S. user info on servers on U.S. soil, far from the prying eyes of Beijing. Carr said in his letter that both Apple and Google parent company Alphabet should remove TikTok from the app stores or else send him a letter by July 8 explaining themselves.


Subject: Facial Recognition Technology: Federal Agencies’ Use and Related Privacy Protections
Source: U.S. GAO

Fast Facts – We testified about our work on agency use of facial recognition technologies and related privacy issues. For example, 18 of 24 agencies reported using this technology in FY 2020, mostly for building and computer access and law enforcement.

In another survey, 14 of 42 agencies with law enforcement officers told us they used the technology in criminal investigations. We found 13 of them didn’t track employee use of non-federal (e.g., state and commercial) systems, which could put agencies at risk of violating privacy rules.

Agencies generally agreed with our recommendations on tracking use of this technology and assessing related privacy risks.

[Figure: States and Localities that Own Facial Recognition Technology Systems Accessed by Federal Agencies in FY 2020]

Subject: Firefox: remove known tracking parameters from URLs in all modes
Source: gHacks Tech News

Mozilla launched Firefox 102 this week, and with it came support for the new query parameter stripping functionality to boost user privacy….
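Query parameter stripping works by rebuilding a URL without the query keys on a block list, leaving every other parameter and the fragment intact. The script below is an added example, not Mozilla’s code and not a reading of Firefox’s own strip list; the parameter names in TRACKING_PARAMS are an illustrative set chosen for this example, and the sample URLs are constructed.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Illustrative block list for this example (an assumption, not Firefox's
# shipped list). Matching is case-insensitive on the key name.
TRACKING_PARAMS = {
    "fbclid", "gclid", "dclid", "msclkid",
    "mc_eid", "oly_anon_id", "oly_enc_id", "vero_id", "_hsenc", "mkt_tok",
}


def strip_tracking_params(url, strip_list=TRACKING_PARAMS):
    """Return url with every query parameter whose key is in strip_list removed.

    The scheme, host, path and fragment are preserved. If no query parameters
    remain, the '?' is dropped as well. Values are re-encoded by urlencode, so a
    space becomes '+', which is the main side effect to be aware of when
    comparing the result with the original string.
    """
    parts = urlsplit(url)
    if not parts.query:
        return url  # nothing to strip, hand the URL back untouched
    kept = [
        (key, value)
        for key, value in parse_qsl(parts.query, keep_blank_values=True)
        if key.lower() not in strip_list
    ]
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(kept), parts.fragment))


if __name__ == "__main__":
    # Constructed sample links, not captured traffic.
    for sample in (
        "https://example.com/article?id=42&fbclid=IwAR0abc&utm_source=mail#comments",
        "https://example.com/?gclid=xyz",
        "https://example.com/plain",
    ):
        print(sample, "->", strip_tracking_params(sample))
```

Note that a non-listed key such as utm_source survives in the first sample: the stripping is only as good as the block list, which is why such lists are maintained by the browser vendor and updated over time.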

Subject: This Free VPN Leaked Millions of User Records

Bean VPN, a free VPN service, stored 18GB of user data in an unprotected database of 25 million user records.

You get what you pay for. At least, that appears to be the case with one free VPN service, Bean VPN, that has been storing swaths of user data on an unsecured database.

Virtual Private Network (VPN) services are designed to keep your data safe. By encrypting your internet traffic, these digital tools provide individuals and businesses alike with an added layer of security to safely surf the web. Unfortunately, free VPNs often don’t utilize the same level of security for their users, as Bean VPN users are finding that their data may have been readily available to hackers.

Bean VPN User Records Leaked – Discovered by cybersecurity experts from Cybernews, …

If this story hasn’t scared you off yet, let us reiterate the point that using even the best free VPN on the market poses a notable threat to your personal and professional security. From logging policies to encryption strength, these VPNs are often lacking in some significant way, which leaves you open to security gaps that could cost you a lot of money.


Subject: Updated digital forensics database speeds criminal investigations
Source: FCW

To make it easier for forensic investigators to find relevant data on computers, cellphones and other electronic equipment seized in police raids, the National Institute of Standards and Technology has released a major update to its National Software Reference Library.

The first major update to NSRL in 20 years improved the search capabilities and increased both the number and types of records to reflect the variety of software investigators might encounter. The new features will make it easier to filter out large quantities of unimportant data so they can focus attention on finding relevant evidence, NIST said in its announcement.

“There are hardly any major crimes that don’t have connections to digital technology, because criminals use cellphones,” said Doug White, a NIST computer scientist who helps maintain the NSRL. “Only some of the data on a phone or other device might be relevant to an investigation, though. The update should make it easier for police to separate the wheat from the chaff.”

The expanded NSRL includes a hash, or electronic fingerprint, of more than a billion software records – up from half that in 2019 – that can be used to help forensic investigators sift through the computer’s data. White said he expects NSRL’s growth to continue as entries from internet-of-things devices get added.
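The way a reference set like the NSRL is used in practice is known-file filtering: every file on the seized media is hashed, and any digest that appears in the reference set is set aside so the examiner can concentrate on what is left. The script below is an added example, not NIST’s code and not real NSRL data; the reference set and the sample “seized drive” are constructed in-line so it runs offline. The renamed file in the sample shows that matching is on content, not file names.

```python
import hashlib
import tempfile
from pathlib import Path

# Constructed stand-in for a reference hash set such as the NSRL. The real
# library ships digests of known software files; this tiny set is derived
# from sample content so the script needs no download.
KNOWN_FILES = {
    "notepad.exe": b"sample content standing in for a known application binary",
    "kernel32.dll": b"sample content standing in for a known system library",
}
KNOWN_SHA1 = {hashlib.sha1(data).hexdigest() for data in KNOWN_FILES.values()}


def sha1_of_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-1 so large evidence files need not fit in memory."""
    digest = hashlib.sha1()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def triage(root, known_hashes):
    """Hash every regular file under root and split it into (known, unknown).

    Each list holds (relative_path, sha1) tuples in sorted path order. A match
    only says the bytes are already catalogued; it says nothing about whether
    the file is benign, so known files are set aside, not judged.
    """
    root = Path(root)
    known, unknown = [], []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        digest = sha1_of_file(path)
        relative = path.relative_to(root).as_posix()
        (known if digest in known_hashes else unknown).append((relative, digest))
    return known, unknown


def build_sample_image(root):
    """Write a constructed 'seized drive': two catalogued files (one renamed,
    since matching ignores names) and two user-created files."""
    root = Path(root)
    (root / "Windows").mkdir()
    (root / "Windows" / "notepad.exe").write_bytes(KNOWN_FILES["notepad.exe"])
    (root / "Windows" / "renamed.bin").write_bytes(KNOWN_FILES["kernel32.dll"])
    (root / "Users").mkdir()
    (root / "Users" / "notes.txt").write_bytes(b"constructed user note")
    (root / "Users" / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0 constructed image bytes")


def demo():
    """Build the sample image in a temporary directory and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_image(tmp)
        return triage(tmp, KNOWN_SHA1)


if __name__ == "__main__":
    known, unknown = demo()
    print(f"{len(known)} known file(s) filtered out, {len(unknown)} left to examine:")
    for name, digest in unknown:
        print(f"  {name}  sha1={digest}")
```

Two points carry over to real use: hash the file in chunks rather than reading it whole, because evidence files can be many gigabytes, and record the digest alongside the path so the filtering decision can be reproduced and verified later.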

Subject: USPS: It’s Up to Mailers to Comply With State Laws on Abortion Pills
Source: Route Fifty

The Postal Service says it will not crack down on the mailings, while the Biden administration promises to use the mail to expand access to the pills.

Advocates have increasingly pointed to the prescription drugs mifepristone and misoprostol—which, when taken in tandem, can safely terminate pregnancies—to help boost access to abortion services for those in states with limited or no other options. The Food and Drug Administration eased the delivery of the pills in December when it permanently lifted a requirement that they be administered in person. With abortion services now illegal in several states—a number expected to grow significantly in the coming weeks—it remains unclear how accessible the pills will remain. Medication abortion accounts for 54% of abortions in the United States, according to the Guttmacher Institute, a reproductive health organization.

[but?] “The mailer is responsible for ensuring that all Postal Service requirements, as well as all federal and state laws and local ordinances that apply to the shipment of hazardous, restricted, and perishable matter, have been met,” Frum said. She added USPS is bound by its “universal service obligation” to provide mail to all 161 million U.S. addresses.

Subject: Vendors prep for new cyber rules of the road
Source: FCW

Federal policy is shifting to impose tighter cybersecurity requirements on government contractors and Congress appears poised to impose new standards throughout the private sector.

SAN FRANCISCO — There may soon come a day when it will be nearly impossible for companies to do business with the federal government, defense or civilian agencies, without first providing binding assurances that certain cybersecurity measures have been met.

Right now, there are two trends that could have a long-term impact on companies: the Defense Department’s ongoing implementation of a unified cybersecurity standard for contractors and the burgeoning regulatory efforts targeting the private sector and how companies secure consumer data and privacy.

For the latter, it could mean increased scrutiny from federal watchdog agencies like the Securities and Exchange Commission and Federal Trade Commission. For the former, it means companies that want to work with the Pentagon will have to meet specific standards of the Cybersecurity Maturity Model Certification (CMMC) program.

Participation in that program will eventually become a part of all contracts and requires companies to attest or be evaluated by an approved third-party organization. Failure to comply could simply mean a company loses a customer, but that might not be good for business.

Vendor cybersecurity at DOD

“I think that you are naturally going to see legal teams, compliance teams, and privacy teams, assisting security teams, and working together with security teams to really raise the bar whether or not you see an evolutionary development in national cybersecurity laws in the United States.
