Pete Recommends – Weekly highlights on cyber security issues, August 27, 2022

Subject: Russia’s ‘Oculus’ to use AI to scan sites for banned information
Source: Bleeping Computer

Russia’s internet watchdog Roskomnadzor is developing a neural network that will use artificial intelligence to scan websites for prohibited information. Called “Oculus,” the automatic scanner will analyze URLs, images, videos, and chats on websites, forums, social media, and even chat/messenger channels to locate material that should be redacted or taken down.

Examples of information targeted by Oculus include homosexuality “propaganda,” instructions on manufacturing weapons or drugs, and misinformation that discredits official state and army sources.

The system will also look for calls of mass protests, expressions of disrespect for the state, and even “signs” of extremism and terrorism.

The real-time scanning capacity of Oculus will be 200,000 images per day, or about 2.3 images per second, for which the vendor, Eksikyushn RDC LLC, will use 48 servers with powerful GPUs.

Oculus will be integrated onto the Unified Analysis Module, a network of monitoring systems currently under development, aiming to give the government a firm grip on controlling information flow.


Subject: Congress ordered agencies to use tech that works for people with disabilities 24 years ago. Many still haven’t

The Senate Aging Committee is conducting oversight to get agencies to comply with the rules.

Congress made a portion of the 1973 Rehabilitation Act known as Section 508, which asks federal agencies to make technology accessible, mandatory in 1998. But nearly a quarter century later, they are still failing to do so. And it’s not just about ordering lunch. Roughly 30 percent of the most popular federal websites don’t meet accessibility standards, according to a 2021 report by the Information Technology and Innovation Foundation. Enforcement is virtually nonexistent, and agencies are spending little effort or money to comply.

Most frustrating, the advocates said, is that making technology accessible isn’t difficult. It just requires forethought. And it’s important. More than a quarter of Americans have a disability.

The Information Technology and Innovation Foundation, a Washington, D.C., think tank that promotes the use of technology in policy solutions, audited federal websites in 2021. They found that 30 percent of them, including popular sites like, and, did not pass an automated accessibility test and nearly half had webpages that failed the test.

Filed under:

Subject: Deepfakes expose vulnerabilities in certain facial recognition technology
Source: Penn State University News

UNIVERSITY PARK, Pa. — Mobile devices use facial recognition technology to help users quickly and securely unlock their phones, make a financial transaction or access medical records. But facial recognition technologies that employ a specific user-detection method are highly vulnerable to deepfake-based attacks that could lead to significant security concerns for users and applications, according to new research involving the Penn State College of Information Sciences and Technology. The researchers found that most application programming interfaces that use facial liveness verification — a feature of facial recognition technology that uses computer vision to confirm the presence of a live user — don’t always detect digitally altered photos or videos of individuals made to look like a live version of someone else, also known as deepvfakes.

Subject: Forum on Risks to the Public in Computers and Related Systems
Source: The RISKS Digest
Many interesting articles/abstracts relating to “cyber” – The RISKS Digest – Volume 33 Issue 40 – Saturday, 20th August 2022. Forum on Risks to the Public in Computers and Related Systems ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Voters in the UK Cast Ballots Online, in Test for Internet Voting – WSJ
Plane fails to descend as pilots reportedly fell asleep during flight – CNN
Apple AirTag leads to arrest of airline worker accused of stealing at least $15,000 worth of items from luggage – NBC
‘Hackers Against Conspiracies’: Cybersleuths Take Aim at Election Disinformation – Maggie Miller
Software dev cracks Hyundai encryption with Google Search – The Register
Cryptoverse: Blockchain bridges fall into troubled waters – Reuters
On the Dangers of Cryptocurrencies and the Uselessness of Blockchain – CRYPTO-GRAM
Starbucks NFTs, Reddit karma points on the blockchain, Saylor fired, Telegram ICO slight return. David Gerard
Track carbon offsets with blockchain? Rob Slade
Deepfakes Expose Vulnerabilities in Facial Recognition Technology PSU
Email marketing firm hacked to steal crypto-focused mailing lists – Bleeping Computer
Pirates Infielder Suspended for Taking Cellphone Onto Basepaths – NYTimes
You can now tweet as you climb Mount Kilimanjaro thanks to new Wi-Fi network – NBC News
Massachusetts Registry of Motor Vehicles Cautions Customers to be Aware of Unofficial Third-Party Websites and Text/Phishing Scams Monty Solomon
How a Third-Party SMS Service Was Used to Take Over Signal Accounts – Vice
Posing as Contractors, Nigerians Scammed Project Owners for Nearly $6M, FBI Says – Engineering News-Record
Just 1 of 25 Apps That Track Reproductive Health Protect Users’ Data Shirin Ali
FTC sued by firm allegedly selling sensitive data on abortion clinic visits – Ars Technica
An Explosive New Report Could Upend More than a Decade of Alzheimer’s Research. How Did This Happen – Mother Jones
Dozens of Facebook contractors lost their jobs after an algorithm reportedly chose them ‘at random’ – Engadget
Microsoft Employees Exposed Own Company’s Internal Logins – Vice
#DEFCON: How US Teen Rickrolled His High School District – Infosecurity Magazine
Apple Warns of Security Flaw for iPhones, iPads, Macs – AP
Apple security updates fix 2 zero-days used to hack iPhones, Macs – Bleeping Computer
A Janet Jackson Song Could Crash Windows XP Laptops – Michael Kan
Made-Up Words Trick AI Text-to-Image Generators – Discover
Re: Meta finds new way of tracking users across websites – Steve Bacher
Info on RISKS (comp.risks)

Subject: Third-party app attacks: Lessons for the next cyber security frontier
Source: VentureBeat

Consider the following cyber security breaches – all from within the past three months: GitHub, the leading cloud-based source control service, discovered that hackers capitalized on stolen OAuth tokens issued to third-party applications to download data from dozens of customer accounts; Mailchimp, a leading e-marketing company, found a data breach where hundreds of customer accounts were compromised using stolen API keys; and Okta, the leading workforce authentication service, left 366 corporate customers vulnerable after hackers exploited a security breach to gain access to internal networks. These three incidents have one thing in common – they were all service supply chain attacks, meaning breaches in which the attackers took advantage of access granted to third-party services as a backdoor into the companies’ sensitive core systems.

Why this sudden cluster of related attacks? As digital transformation and the surge in cloud-based, remote or hybrid work continues, companies are increasingly weaving third-party applications into the fabric of their enterprise IT to facilitate productivity and streamline business processes. These integrated apps increase efficiency throughout the enterprise – thus their sudden rise in popularity. The same is true for low-code / no-code tools, which allow non-coding “citizen developers” to create their own advanced app-to-app integrations more easily than ever before.

Here’s why executives must confront this new generation of supply chain cyber attacks and how.

These applications are often integrated by employees into their workflows without undergoing the rigorous security review process that usually happens when enterprises procure new digital tools, exposing companies to an entirely new attack surface for cyber breaches.

Subject: TikTok’s In-App Browser Includes Code That Can Monitor Your Keystrokes, Researcher Says
Source: Forbes via JDB

When TikTok users enter a website through a link on the app, TikTok inserts code that can monitor much of their activity on those outside websites, including their keystrokes and whatever they tap on the page, according to new research shared with Forbes. The tracking would make it possible for TikTok to capture a user’s credit card information or password.TikTok has the ability to monitor that activity because of modifications it makes to websites using the company’s in-app browser, which is part of the app itself. When people tap on TikTok ads or visit links on a creator’s profile, the app doesn’t open the page with normal browsers like Safari or Chrome. Instead it defaults to a TikTok-made in-app browser that can rewrite parts of web pages.

TikTok can track this activity by injecting lines of the programming language JavaScript into the websites visited within the app, creating new commands that alert TikTok to what people are doing in those websites.

TikTok strongly pushed back at the idea that it’s tracking users in its in-app browser. The company confirmed those features exist in the code, but said TikTok is not using them.

Subject: Google Flagged Parents’ Photos of Sick Children as Sexual Abuse
Source: Gizmodo

Two fathers, one in San Francisco and another in Houston, were separately investigated by the police on suspicion of child abuse and exploitation after using Android phones (owned by Google) to take photos of their sons’ genitals for medical purposes. Though in both cases the police determined that the parents had committed no crime, Google didn’t come to the same conclusion—permanently deactivating their accounts across all its platforms, according to a report from The New York Times.The incidents highlight what can go wrong with automatic photo screening and reporting technology, and the thorny territory tech companies wade into when they begin relying on it. Without context, discerning an innocent image from abuse can be near-impossible—even with the involvement of human screeners.

Google, like many companies and online platforms, uses Microsoft’s PhotoDNA—an algorithmic screening tool meant to accurately suss out photos of abuse. According to the company’s self-reported data, it identified 287,368 instances of suspected abuse in the first six months of 2021 alone. According to Google, those incident reports come from multiple sources, not limited to the automated PhotoDNA tool. …

Subject: President’s NSTAC advisory committee proposes real-time monitoring of operational technology across federal agencies
Source: FedScoop

The President’s National Security Telecommunications Advisory Committee (NSTAC) has put forward proposals that would require all executive civilian branch agencies to monitor operational technology systems in real-time. In a draft report issued Tuesday, NSTAC said the Cyber security and Infrastructure Security Agency should issue a binding operational directive that would mandate federal departments to continuously monitor how any in-use operational technology (OT) devices connect with other systems.

Operational technology is hardware and software that detects or can cause a change through the direct monitoring or control of industrial equipment and assets, such as electrical substations, water treatment plants and manufacturing facilities.

In February last year, an unidentified hacker broke into the computer system of a water treatment plant for a town outside of Tampa, Florida, and temporarily changed the plant’s sodium hydroxide setting to a potentially dangerous level. Concerns over such an attack were further raised this week following news that hackers may have accessed industrial control systems at a South Staffordshire Water filtration plant in the U.K.

-In this Story-
Cyber security and Infrastructure Security Agency (CISA), National Security Council, NSTAC, Office of the National Security Director, SolarWinds

Subject: Baltimore police to upgrade cell phone tracking tech
Source: GCN

The city approved a $920,000 purchase of a cell site simulator, known as a “stingray,” that police said helps further investigations.

The Baltimore Police Department is set to upgrade its cellphone tracking technology after the city’s Board of Estimates approved the $920,000 purchase of a cell site simulator.

The simulator, also known as a “stingray,” allows investigators to track calls, texts and data from cell phones during investigative work by transmitting a signal that is stronger than that coming from surrounding cell towers. This strong signal tricks phones into thinking it is the best cell tower to connect to, allowing the stingray to identify and track the device.

BPD first started using the technology in 2007 and has used it thousands of times since.

Lt. Habib Kim, who oversees the special activities section at the department, said during the Aug. 23 meeting of the Board of Estimates that the BPD’s existing simulator is becoming obsolete and cannot operate where 5G networks are present, forcing detectives to move into an area without 5G connectivity to keep monitoring a phone.

The current simulator technology is also showing its age by unexpectedly shutting down when in use, he said.

The device is only deployed after a judge signs a search and seizure warrant authorizing its use, or under exigent circumstances, which Kim said are typically a “life or death situation” like a potential suicide or an instance of domestic violence.

Kim said in addition to the required warrant, the cell site simulator is kept in a secure garage that requires biometric authentication to open. It also requires more than one person to operate it, creating what he called a “built-in safeguard.”


Subject: Video scans of students’ rooms during online tests ruled unconstitutional

Aug. 25 (UPI) — A federal judge agreed with an Ohio college student, saying using webcams to scan students’ rooms before taking online tests is unconstitutional.

The case was brought by Aaron Ogletree, a chemistry student at Cleveland State University. Before he started an exam last year, he was asked to show the virtual proctor his bedroom. According to the court documents, the recording data was stored by Honorlock, one of the school’s third-party proctoring tools used to prevent cheating.

Ogletree sued the university, alleging that the room scan violates the Fourth Amendment right against “unreasonable searches and seizures.”

Subject: LastPass developer systems hacked to steal source code
Source: BleepingComputer

Password management firm LastPass was hacked two weeks ago, enabling threat actors to steal the company’s source code and proprietary technical information.The disclosure comes after BleepingComputer learned of the breach from insiders last week and reached out to the company on August 21st without receiving a response to our questions.Sources told BleepingComputer that employees were scrambling to contain the attack after LastPass was breached.After sending questions about the attack, LastPass released a security advisory today confirming that it was breached through a compromised developer account that hackers used to access the company’s developer environment.

“In response to the incident, we have deployed containment and mitigation measures, and engaged a leading cybersecurity and forensics firm,” explains the LastPass advisory.


Subject: Tech news you may have missed: August 18 – 25
Source: TechRepublic

Apple updates, cookie theft, tech tips and a 5G cheat sheet top this week’s most-read news on TechRepublic.Too busy this week to catch all of the latest tech news? Have no fear: We’ve compiled and summarized TechRepublic’s top stories for Aug. 18 – 25….Filed:


Subject: Leaving your job? Take these steps before returning your work devices
Source: WaPo via beSpacific

Washington Post: “You’ve decided to leave your job and now it’s time to turn in your devices. But what should you do first? Grab all your personal documents and delete them? Do a factory reset to ensure none of your personal data gets left behind? Or do you turn the devices back in as they are, with your two-year-old’s photos and medical documents in tow? These are common questions workers face as they switch jobs, which became increasingly popular during the Great Resignation. And it’s become particularly tricky as many workers’ professional and personal lives — and their corresponding data — have become intertwined during the pandemic with new flexible working styles. But properly navigating how to keep track of what’s yours, what’s not and how best to transfer your data may be the difference between an uneventful departure and one that could spur internal investigations or even civil or criminal charges…”

Abstracted from beSpacific
Copyright © 2022 beSpacific, All rights reserved. Filed in beSpacific: Subjects: E-Mail, E-Records, Internet, Knowledge Management

Subject: U.S. and Israeli agencies use new agreement to defend against cyber attacks
Source: CNNPolitics
Washington (CNN) – The US and Israeli governments have shared key details of unrelated cyber attacks on their infrastructure — one from suspected pro-Russia hackers and the other from possible Iranian hackers — as part of heightened efforts in recent months to bolster cyber defense between the two allies, a senior U.S. Treasury official told CNN.

The exchange of the intelligence, enabled by a finalized agreement the Treasury Department will announce Thursday, underscores the value both governments place in tapping data gathered by their private sectors to guard against an array of hacking threats from governments and cyber criminals alike.

It also shows that, despite the revelation in February that Israeli-made spyware had allegedly been used against US diplomats, Jerusalem and Washington are still in lockstep on some cyber-related issues.

One of the hacking incidents, which hasn’t been previously reported, involved hackers unsuccessfully trying to overwhelm the US Treasury Department’s computer servers and knock them offline in February and March, around the time that Russia waged war in Ukraine and the US slapped sanctions on the Kremlin, according to Todd Conklin, deputy assistant Treasury for cyber security and critical infrastructure protection.

But the new agreement means officials in the Israeli finance ministry and the U.S. Treasury will have a formal means — rather than an ad hoc arrangement that relies on personal relationships — of rapidly sharing hacking threats to their respective financial sectors. The agreement could also lead to more cyber attack drills involving big U.S. financial firms and their Israeli counterparts, Conklin said.The malicious cyber activity — known as a distributed denial of service (DDoS) attack — did not impact Treasury operations, Conklin said, but it was significant enough that US officials passed detailed information on it to their Israeli counterparts so they could check their systems for the threat. Officials did not pinpoint the culprit but Conklin said he suspected hackers sympathetic to Russia may have been responsible.
Posted in: AI, Cybercrime, Cybersecurity, Free Speech, Freedom of Information, KM, Privacy, Social Media