Pete Recommends – Weekly highlights on cyber security issues, July 9, 2022

Subject: Why more regulation of connected car technology is probably just up the road
Source: VentureBeat

Several months ago, I bought my first new car in years. I had planned to buy a used one, but decided a shiny new vehicle would be a pandemic treat. I’ve been amazed by the connected car technology, all the embedded software-driven programs that essentially have turned the car into APIs on wheels. I thought about this more in late January when a 19-year-old in Germany made international news with a creepy revelation: He was able to remotely access more than 25 Tesla vehicles and, if he wanted, could have controlled some of their functions, including unlocking the doors, opening the windows and even starting keyless driving.

The story had a happy ending. The teenager, David Colombo, is a white-hat hacker who uses his skills to identify security flaws. That’s how he discovered the holes in a third-party data logging app available to Tesla owners, TeslaMate, that allowed him to push commands to the cars. Colombo notified TeslaMate and Tesla, and a fix was quickly issued.

The proliferation of connected cars – But the incident has served as an unsettling reminder that security vulnerabilities are a clear and present risk to all the connected cars that are reshaping the auto industry, and the very nature of driving, and that better safeguards must become a higher priority. Even before electric vehicles started gaining momentum, the amount of software code in today’s cars had reached about 100 million lines [subscription required], and many experts expect that number to hit 300 million by 2030. To put that into context, a passenger plane has roughly 15 million lines of code, and a modern fighter jet has about 25 million.

Cars as “information clearinghouses”: The discovery of the Tesla vulnerability came six and a half years after security researchers on a laptop 10 miles away caused [subscription required] an SUV to lose power, change its radio station, and switch on the windshield wipers by using the vehicle’s entertainment system that connected to a mobile data network.

The need for security regulations not just for autonomous cars, but for all connected cars. In April 2018, California implemented regulations mandating that autonomous vehicles meet appropriate industry standards for cybersecurity. That’s great, but such thinking needs to be broadened to the much larger universe of connected cars.


Subject: Police sweep Google searches to find suspects. The tactic is facing its first legal challenge.
Source: NBC News

Privacy advocates are watching the case closely, concerned that police could use reverse keyword searches to investigate people who seek information about abortions.

A teen charged with setting a fire that killed five members of a Senegalese immigrant family in Denver, Colorado, has become the first person to challenge police use of Google search histories to find someone who might have committed a crime, according to his lawyers. The pushback against this surveillance tool, known as a reverse keyword search, is being closely watched by privacy and abortion rights advocates, who are concerned that it could soon be used to investigate women who search for information about obtaining an abortion in states where the procedure is now illegal.

In documents filed Thursday in Denver District Court, lawyers for the 17-year-old argue that the police violated the Constitution when they got a judge to order Google to check its vast database of internet searches for users who typed in the address of a home before it was set ablaze on Aug. 5, 2020. Three adults and two children died in the fire.

The 17-year-old’s lawyers say the search, and all evidence that came from it, should be thrown out because it amounted to a blind expedition through billions of Google users’ queries based on a hunch that the killer typed the address into a search bar. That, the lawyers argued, violated the Fourth Amendment, which protects against unreasonable searches.

Now that the Supreme Court has overturned Roe v. Wade, privacy advocates and women’s rights groups worry that keyword searches could expand into investigations of illegal abortions in states that have outlawed them.

Subject: Free smartphone stalkerware detection tool gets dedicated hub
Source: BleepingComputer

Kaspersky has launched a new information hub to help with their open-source stalkerware detection tool named TinyCheck, created in 2019 to help people detect if their devices are being monitored. Stalkerware is software explicitly created to spy on people via their smartphones by monitoring their whereabouts, communications, photos, browsing history, and more.

These tools exploit vulnerabilities in the security of modern mobile operating systems to run stealthily in the background without raising suspicion on the victim.

The anti-stalkerware TinyCheck tool – Kaspersky’s TinyCheck is a program that can quickly identify activity associated with stalkerware in a non-invasive way by running on an external device (Raspberry Pi) and monitoring its outgoing traffic via WiFi.

TinyCheck will only look at the signs of abuse, like which servers receive communication from the device and won’t read the contents of the victim’s communications, like SMSs and emails.

Also, as explained in the tool’s privacy policy, captured packets, logs, and all the analysis results are kept locally on the device that runs TinyCheck, so nothing reaches Kaspersky or any other remote server.


Subject: Google Adds Dozens Of Hack-For-Hire Groups To Its Blacklist
Source: Android Headlines

Google has launched a campaign against hack-for-hire groups and blocked their domains globally. As per Google’s announcement on its Threat Analysis Group (TAG) page, they have added 37 new domains and websites to the Safe Browsing feature. Most of the blacklisted groups are located in the UAE, India, and Russia. Also, they have been fighting with these groups since 2012.

According to Google’s director of TAG, Shane Huntley, the company’s CyberCrime Investigation Group is in contact with law enforcement agencies and is sharing relevant data with them.

You can see the full list of blocked domains here.

Also, Google is asking its users, especially high-profile individuals, to enable Advanced Protection and Google Account Level Enhanced Safe Browsing. Also, they should make sure their endpoints are updated.

Filed: Google News

Subject: Attackers are using deepfakes to snag remote IT jobs
Source: Help Net Security

FBI’s warning – The FBI’s warning tells about a recent increase in complaints they’ve been receiving of individuals using deepfakes and stolen PII to apply for a variety of remote jobs and work-at-home positions, some of which “include access to customer PII, financial data, corporate IT databases and/or proprietary information.”

These individuals are using stolen PII to try to bypass pre-employment background checks, and voice spoofing – or potentially voice deepfakes – during online interviews.

“In these interviews, the actions and lip movement of the person seen interviewed on-camera do not completely coordinate with the audio of the person speaking. At times, actions such as coughing, sneezing, or other auditory actions are not aligned with what is presented visually,” the FBI explained.

Subject: Cyberattacks against law enforcement are on the rise – Help Net Security
Source: Help Net Security

Resecurity, a Los Angeles-based cybersecurity company protecting Fortune 500 companies worldwide, has registered an increase in malicious activity targeting law enforcement agencies at the beginning of Q2 2022. Threat actors are hacking email and other accounts which belong to law enforcement officers and their internal systems. The emerging trend consists of threat actors sending fake subpoenas and EDRs (Emergency Data Requests) to their victims from the hacked law enforcement email accounts. Using such capabilities, the threat actors are targeting major technology companies such as Apple, Facebook (Meta), Snapchat, and Discord, to name a few, to collect sensitive information about targets of interest. The replies received by the bad actors contain sensitive details which could be, or are being, used for leverage, extortion, or cyberespionage. Such incidents have become especially notable in cybercriminal group activities such as LAPSUS$ and Recursion Group.

Resecurity has been observing multiple Dark Web marketplaces where cybercriminals are monetizing their efforts by selling credentials belonging to police officers of various foreign countries (e-mails, VPNs, SSO, etc.). One example of an email account previously used to send fake EDR requests on behalf of the Bangladesh Police was recently covered in a Bloomberg article illustrating the risk of such tactics.

Subject: Ubiquitous Surveillance by ICE
Source: Georgetown’s Center on Privacy and Technology via Schneier on Security

Ubiquitous Surveillance by ICE – Georgetown’s Center on Privacy and Technology published a comprehensive report on the surprising amount of mass surveillance conducted by Immigration and Customs Enforcement (ICE).

Our two-year investigation, including hundreds of Freedom of Information Act requests and a comprehensive review of ICE’s contracting and procurement records, reveals that ICE now operates as a domestic surveillance agency. Since its founding in 2003, ICE has not only been building its own capacity to use surveillance to carry out deportations but has also played a key role in the federal government’s larger push to amass as much information as possible about all of our lives. By reaching into the digital records of state and local governments and buying databases with billions of data points from private companies, ICE has created a surveillance infrastructure that enables it to pull detailed dossiers on nearly anyone, seemingly at any time. In its efforts to arrest and deport, ICE has – without any judicial, legislative or public oversight – reached into datasets containing personal information about the vast majority of people living in the U.S., whose records can end up in the hands of immigration enforcement simply because they apply for driver’s licenses; drive on the roads; or sign up with their local utilities to get access to heat, water and electricity.



Subject: FCC orders carriers to stop delivering auto warranty robocalls

July 7 (UPI) — The Federal Communications Commission on Thursday announced it has told carriers to stop delivering auto warranty robocalls, citing it as a top complaint from consumers. The FCC said it has authorized all U.S.-based voice service providers to stop carrying traffic from Roy Cox Jr., Aaron Michael Jones, their Sumco Panama companies and other international associates believed to be behind the more than 8 billion robocalls generated since 2018.

Consumers should be aware that scammers are skilled at endeavoring to gain trust from their victims and that consumers should not provide any personal information to anyone who calls unexpectedly.

Posted in: Civil Liberties, Cybercrime, Cybersecurity, Gadgets/Gizmos, Health, Human Rights, Legal Research, Privacy, Search Engines, Technology Trends