Pete Recommends – Weekly highlights on cyber security issues, July 30, 2022

Subject: The January 6 Secret Service Text Scandal Turns Criminal
Source: Wired

“The Department of Homeland Security Inspector General told the Secret Service on Thursday to halt its investigation into the deletion of January 6 insurrection-related text messages because of an “ongoing criminal investigation” into the situation. Secret Service spokespeople have said conflicting things: that data on the phones was erased during a planned phone migration or factory reset, and that the erased messages were not relevant to the January 6 investigation. The Secret Service said it provided agents with a guide to backing up their data before initiating the overhaul process, but noted that it was up to the individuals to complete this backup.”


Subject: The biggest cyber-crime threat is also the one that nobody wants to talk about
Source: ZDNet

BEC attacks are built on using social engineering to trick victims into transferring a payment to cyber criminals. Often scammers will pose as a colleague, a client, your boss or a business partner to make their request seem legitimate. There are two main ways in which scammers attempt financial BEC frauds. The first is by sending emails from a spoofed account pretending to be someone you know, with a request to make a transfer.

The other is more sophisticated, with attackers stealing usernames and passwords to break into legitimate email accounts and using those accounts to make their requests for funds. Sometimes this happens midway through a real conversation, which makes it seem even more plausible in what’s called a conversation-hijacking attack.


Subject: Ransomware attacks against higher ed increase
Source: Inside Higher Ed

Colleges and universities experienced a surge in ransomware attacks in 2021, and those attacks had significant operational and financial costs, according to a new report.

“You can collect that money in a couple of hours,” a ransomware hacker’s representative wrote in a secure June 2020 chat with a University of California, San Francisco, negotiator about the $3 million ransom demanded. “You need to take us seriously. If we’ll release on our blog student records/data, I’m 100% sure you will lose more than our price what we ask.”

The university later paid $1.14 million to gain access to the decryption key.

Colleges and universities worldwide experienced a surge in ransomware attacks in 2021, and those attacks had significant operational and financial costs, according to a new report from Sophos, a global cybersecurity leader. The survey included 5,600 IT professionals, including 410 from higher education, across 31 countries. Though most of the education victims succeeded in retrieving some of their data, few retrieved all of it, even after paying the ransom.

Nearly three-quarters (74 percent) of ransomware attacks on higher ed institutions succeeded. Hackers’ efforts in other sectors were not as fruitful, including in business, health care and financial services, where respectively 68 percent, 61 percent and 57 percent of attacks succeeded. For this reason, cybercriminals may view colleges and universities as soft targets for ransomware attacks, given their above-average success rate in encrypting higher education institutions’ data. Despite high-profile ransomware attacks such as one in 2020 that targeted UC San Francisco, higher ed institutions’ efforts to protect their networks continued to fall short in 2021.

“It’s pretty much impossible to overstate the risk or the criticality of protecting any sort of organization,” Epstein said. “Everybody is vulnerable.”

Further, university administrators responsible for network security should not be lulled into thinking that a potential ransomware attack would be a one-and-done event.


Subject: How to Safely Lend Someone Else Your Phone
Source: WIRED

The next time someone wants to borrow your device to make a call or take a picture, take these steps to protect your privacy.

Subject: A Rogues’ Gallery of Robocallers
Source: Consumer Reports

The FTC and the FCC regularly bring actions against robocallers and Do Not Call violators in civil court, often with help from state authorities. Consumer Reports highlights some catches by the agencies.

The Federal Trade Commission and the Federal Communications Commission regularly bring actions against robocallers and Do Not Call violators in civil court, often with help from state authorities. Since 2003 the agencies have won more than $1.5 billion in penalties and restitution.

But only a small fraction of the money has been recovered because the culprits are difficult to track or the profits are spent. Here are some of the FTC and FCC’s recent catches….

Subject: Why emergency calls sometimes can’t get through
Source: GCN

We’re telecommunications guys, not gun violence experts, but we are in a position to sound the alarm on an issue that’s related to these types of emergencies, whether they’re the result of man-made violence or natural disasters such as fires, floods and hurricanes. In a crisis, victims, their families and friends and onlookers rush to their cell phones; over 80% of emergency calls are made from cell phones. This sharp increase in the number of calls all placed at the same time puts such a significant strain on networks that many calls simply don’t get through.

The nation’s 911 systems are in urgent need of improvement. The federal government certainly plays a role in determining next steps forward in modernizing Public Safety Answering Points (PSAPs). But ultimately, the cry for upgrades to emergency systems must come from the local and state government workers.

While the FCC claims it has the situation under control with the STIR/SHAKEN law, that’s far from the truth. We need an urgent upgrade to our telecommunications infrastructure to better manage the increasing intrusion of unwanted communications and their impact on emergency calls.

Jeff Pulver is an innovator in the field of Voice over Internet Protocol (VoIP). He was instrumental in changing how the FCC classified VoIP in 2004, paving the way for the development of video and voice internet communications. The co-founder of Vonage, Jeff has invested in over 400 start-ups.
Noah Rafalko is a pioneer in Telephone Number ID, a modern blockchain solution that restores trust in communications. Noah is founder and CEO of TSG Global, Inc. which provides voice, messaging and identity management services for SaaS companies and large enterprises.


Subject: Hackers scan for vulnerabilities within 15 minutes of disclosure
Source: Bleeping Computer

System administrators have even less time to patch disclosed security vulnerabilities than previously thought, as a new report shows threat actors scanning for vulnerable endpoints within 15 minutes of a new CVE being publicly disclosed. According to Palo Alto’s 2022 Unit 42 Incident Response Report, hackers are constantly monitoring software vendor bulletin boards for new vulnerability announcements they can leverage for initial access to a corporate network or to perform remote code execution.

However, the speed at which threat actors begin scanning for vulnerabilities puts system administrators in the crosshairs as they race to patch the bugs before they are exploited. “The 2022 Attack Surface Management Threat Report found that attackers typically start scanning for vulnerabilities within 15 minutes of a CVE being announced,” reads a companion blog post.


Subject: He Told Her How to Protect Her $230K. It Was a Scam
Source: Newser

Illinois woman, 74, fell prey to convincing scammer – (Newser) – Public safety officials in Langley, British Columbia promise to review the decision to issue public emergency alerts during a shooting rampage Monday, but they say the decision was appropriate, and they’re not happy with the way some citizens responded. Per CTV News, the first cellphone alert was issued at 6:20am as police were dealing with a deadly shooting rampage in the city. Irked by the early hour, some heavy-eyed residents dialed 911 to complain, provoking a scold from E-Comm, the province’s emergency service dispatch service, reminding everyone that “general questions and complaints do not belong on 911.”

Subject: Cyber insurance price hike hits local governments hard
Source: GCN

Insurance companies now require state and local governments to have updated software and firewall protections, a backup system, cyber training for staff, vulnerability testing and multi-factor authentication systemwide, including for remote work.

“The insurance companies have you over a barrel. There was not a lot of negotiation,” said Tim Oliver, the county’s chief information officer.

Across the United States, many local governments and states — as well as private companies — are in the same boat. They’re discovering their cyber insurance premiums have skyrocketed and that they must meet stricter guidelines if they want to get coverage or renew their policies.

To reduce risk and potential losses, insurers are becoming more diligent during the application process about which safeguards and technology an organization uses to protect itself against cyberattacks, according to Loretta Worters, spokesperson for the Insurance Information Institute, an industry trade group.

Cyber insurance typically covers a variety of services, such as providing forensic expertise to investigate the attack, legal support, hardware replacement, data recovery and notification of people whose personal data may have been breached. Some policies also include ransom negotiations with the hackers and payment of the ransom.

In 2021, there were at least 77 successful attacks on local and state governments and another 88 on school districts, colleges and universities, according to Brett Callow, a threat analyst for cybersecurity company, Emsisoft. This year, as of late June, there were at least 28 attacks on governments and 33 on schools.

Some local governments are switching to self-insurance, in which officials set aside a pot of money in reserve to be used in case of a cyberattack, according to Reynolds. Some are joining insurance pools with similar organizations and shopping for preferable rates.

In Lehigh County, Pennsylvania, with a population of about 375,000, officials also have had a stressful time getting their cyber insurance policy renewed, said Chief Information Officer Bob Kennedy. About a week before Christmas 2020, they learned that they wouldn’t be renewed because they didn’t have multi-factor authentication on all the computers accessed by staffers remotely.

Subject: Counties to Get Free Services to Better Defend Against Cyberattacks
Source: Route Fifty

New York Gov. Kathy Hochul announced a $30 million endpoint detection and response services program at no cost to 57 counties. To help its 57 counties better defend against ransomware and cyberattacks, New York state is offering counties endpoint detection and response services at no cost. In a July 21 statement, Gov. Kathy Hochul announced a $30 million shared services program designed to help counties secure government systems and protect against ransomware attacks. The announcement comes after the February launch of the state’s Joint Security Operations Center in Brooklyn, a data sharing hub that brings together critical infrastructure partners with federal, state, county and local governments to improve incident response and provide a holistic view of the cyber threat landscape.

Subject: Cops Turn To Google Location Data To Pursue A Death Penalty For 2015 Murder
Source: Forbes

Cops in Kansas City are using a controversial “geofence” warrant to gain access to Google’s huge pool of location data that they hope will help prosecute two men for a series of crimes in 2015, including murder.

Every year, in increasing numbers, American cops are turning to what’s known as a Google geofence warrant to help them investigate crimes and gather evidence. The controversial warrants force Google to provide identifying information on all users who had location services turned on inside a specific area during a given time—potentially implicating anyone who was in the area of a crime, not just the suspects. Police have used them in all manner of cases, from arsons to robberies to the January 6 riot investigation. Now, a Google geofence warrant could be crucial in deciding whether or not two suspects live or die.

As the FBI states in its geofence warrant application, “Google maintains these records indefinitely for accounts created before June 2020, unless the user deletes it or opts to automatically delete their location history and web and app activity after three or eighteen months.”

Though Google said it had sent messages to users about the policy change in 2020, Allan Butler, executive director of the Electronic Privacy Information Center (EPIC) in Washington, D.C., says Google should have made it clearer to users who had location settings turned on prior to the announcement that their location data was going to continue to be stored indefinitely. “Google’s newer location deletion policy is not automatically applied to any account that’s older than two years old? That’s shocking to me,” Butler adds. “To make that change only applicable to new users, I think, is really not fair to current users.”

Privacy advocates have long decried the dragnet searches, and some courts have ruled that such warrants are unconstitutional. Earlier this year, a Virginia judge said that a Google geofence order to determine who was present at the scene of a burglary was unconstitutional by breaching Fourth Amendment protections from unreasonable searches. Judges in Kansas and Illinois have made similar determinations in the last two years.

Subject: Lawmakers Question DOJ’s National Security Division on Cybersecurity, Surveillance
Source: Nextgov

The House Judiciary Committee raised concerns over three hostile foreign actors that breached court systems in early 2020, in addition to questions about the surveillance of Americans.
The House Committee on the Judiciary held a hearing on Thursday to discuss how the Department of Justice’s National Security Division is addressing threats to the nation, including a 2020 cybersecurity breach that impacted pending litigation.
Matthew G. Olsen, assistant attorney general for national security at the U.S. Department of Justice, noted that the NSD has a wide range of tasks and responsibilities, including prosecuting terrorists and spies, protecting against cyber attacks and enforcing export controls and sanctions laws, among other things….


