Pete Recommends – Weekly highlights on cyber security issues, December 17, 2022

Subject: VICTORY! Apple Commits to Encrypting iCloud, Drops Phone-Scanning Plans
Source: Electronic Frontier Foundation
https://www.eff.org/deeplinks/2022/12/victory-apple-commits-encrypting-icloud-and-drops-phone-scanning-plans

Today Apple announced it will provide fully encrypted iCloud backups, meeting a longstanding demand by EFF and other privacy-focused organizations.

We applaud Apple for listening to experts, child advocates, and users who want to protect their most sensitive data. Encryption is one of the most important tools we have for maintaining privacy and security online. That’s why we included the demand that Apple let users encrypt iCloud backups in the Fix It Already campaign that we launched in 2019.

Apple’s on-device encryption is strong, but some especially sensitive iCloud data, such as photos and backups, has continued to be vulnerable to government demands and hackers. Users who opt in to Apple’s new proposed feature, which the company calls Advanced Data Protection for iCloud, will be protected even if there is a data breach in the cloud, a government demand, or a breach from within Apple (such as a rogue employee). Apple said today that the feature will be available to U.S. users by the end of the year, and will roll out to the rest of the world in “early 2023.”

Related Issues: Privacy

Filed: https://www.eff.org/deeplinks


Subject: Tricking antivirus solutions into deleting the wrong files on Windows
Source: gHacks Tech News
https://www.ghacks.net/2022/12/11/tricking-antivirus-solutions-into-deleting-the-wrong-files-on-windows/

Security researcher Or Yair discovered a method to trick antivirus and endpoint security solutions into deleting legitimate files on Windows systems. Yair found that he could manipulate endpoint detection and response (EDR) and antivirus programs so that they would function as data wipers on Windows devices. The security issue can be exploited from an unprivileged user account to delete system files and other files the user has no permission to delete. The exploit could be used to remove important files from a system, leaving it unbootable or missing certain functionality….

In other words, all it took to delete legitimate files on Windows was the following:

  1. Create a malicious file on the system using a special path.
  2. Hold it open so that security solutions can’t delete it.
  3. Delete the directory.
  4. Create a junction that points from the deleted directory to another.
  5. Reboot.

Yair tested 11 different security and endpoint solutions. Six of these were vulnerable to the file wiping exploit, including Microsoft Defender, Microsoft Defender for Endpoint, Avast Antivirus, SentinelOne EDR and TrendMicro Apex One. Microsoft, TrendMicro and Avast/AVG released updates.
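As an added illustration of the class of bug behind the five steps above, and not code from Yair's research or from any of the named vendors: a deferred deletion that records only a path string will follow whatever that path resolves to when the deletion finally runs, whereas one that records the resolved target at detection time and re-checks it before deleting refuses once the directory has been swapped for a link. Python and a POSIX symlink stand in for the Windows junction, and the directory and file names (`staging`, `windows`, `ndis.sys`) are constructed for the demo.

```python
"""Path confusion in deferred deletion: the step list above reduced to its
filesystem core, with a checked engine beside the naive one.  Added example;
a POSIX symlink stands in for the Windows junction, and all names are made up."""
import os
import tempfile
from dataclasses import dataclass


@dataclass
class PendingDelete:
    """Naive record: only the path string the scanner flagged."""
    path: str


@dataclass
class VerifiedPendingDelete:
    """Checked record: the path plus where it resolved when it was flagged."""
    path: str
    resolved_at_detection: str
    allowed_root: str


def naive_execute(rec: PendingDelete) -> str:
    """Delete whatever rec.path resolves to *now*; returns the removed target."""
    target = os.path.realpath(rec.path)  # follows any link inserted in the meantime
    os.remove(rec.path)
    return target


def queue_verified(path: str, allowed_root: str) -> VerifiedPendingDelete:
    """Record the resolved target at detection time, not just the string."""
    return VerifiedPendingDelete(path, os.path.realpath(path), os.path.realpath(allowed_root))


def verified_execute(rec: VerifiedPendingDelete) -> str:
    """Re-resolve before acting; refuse if the path now leads elsewhere or escapes the root."""
    now = os.path.realpath(rec.path)
    if now != rec.resolved_at_detection:
        raise PermissionError(f"path changed since detection: {rec.resolved_at_detection} -> {now}")
    if os.path.commonpath([now, rec.allowed_root]) != rec.allowed_root:
        raise PermissionError(f"{now} lies outside {rec.allowed_root}")
    os.remove(rec.path)
    return now


def simulate(verified: bool) -> dict:
    """Replay the directory swap against one engine; report whether the real file survived."""
    with tempfile.TemporaryDirectory() as root:
        windows = os.path.join(root, "windows")   # stands in for the protected tree
        staging = os.path.join(root, "staging")   # attacker-controlled directory
        victim = os.path.join(windows, "drivers", "ndis.sys")
        decoy = os.path.join(staging, "drivers", "ndis.sys")  # same relative name as the victim
        for p in (victim, decoy):
            os.makedirs(os.path.dirname(p))
            with open(p, "w") as f:
                f.write("constructed sample content\n")

        # Steps 1-2: the decoy is flagged and its deletion deferred (in the real
        # attack, holding the file open is what forces the engine to wait for reboot).
        rec = queue_verified(decoy, staging) if verified else PendingDelete(decoy)

        # Steps 3-4: the attacker removes the staging tree and replaces it with a
        # link into the protected tree, so the recorded path now names the real file.
        os.remove(decoy)
        os.rmdir(os.path.dirname(decoy))
        os.rmdir(staging)
        os.symlink(windows, staging)

        # Step 5: the deferred deletion runs.
        try:
            removed = verified_execute(rec) if verified else naive_execute(rec)
            refused = None
        except PermissionError as exc:
            removed, refused = None, str(exc)
        return {"victim_survived": os.path.exists(victim), "removed": removed, "refused": refused}


if __name__ == "__main__":
    print("naive   :", simulate(verified=False))
    print("verified:", simulate(verified=True))
```

The checked variant is only one of several possible fixes; an engine that keeps an open handle to the flagged file and deletes by handle rather than by path avoids re-resolving altogether. Either way, the point the research makes is that any security action keyed on a path string must be re-validated at the moment it executes, not only when it is scheduled.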

Categories:

Security
Windows


Subject: VICTORY! The Safe Connections Act is Now Law
Source: Electronic Frontier Foundation
https://www.eff.org/deeplinks/2022/12/victory-safe-connections-act-now-law

In the 21st century, it is difficult to lead a life without a cell phone. It is also difficult to change your number; you have given it to all your friends, family, doctors, children’s schools, and so on. It is especially difficult if you are trying to leave an abusive relationship where your abuser controls your family’s phone plan and therefore has access to your phone records. Thankfully, a bill to change that just became law.

We would have preferred a bill that did not require survivors to provide paperwork to “prove” their abuse. For many survivors, providing paperwork about their abuse from a third party is burdensome and traumatic, especially when it is required at the very moment when they are trying to free themselves from their abusers. However, this new law is a critical step in the right direction, and it is encouraging that Congress and the President agreed.

Filed: https://www.eff.org/deeplinks/


Subject: FCC May Mandate Security Updates for Phones
Source: Phone Scoop
https://www.phonescoop.com/articles/article.php?a=22932

FCC Commissioner Nathan Simington is calling for the FCC to mandate that device manufacturers “explicitly commit to supporting their wireless devices with security updates for a defined period.” Phones and other wireless devices that are in active use but no longer receiving security patches represent a national security risk, according to Simington. Some manufacturers have committed to providing security updates for up to five years for their high-end devices, while other companies make no specific promises. New security vulnerabilities are regularly discovered in both new and old versions of Android, iOS, and other OSes. Left unpatched, older devices become susceptible to more and more of these issues over time, providing an open door for malware, spyware, ransomware, and more.

Site RSS feed: https://www.phonescoop.com/rss/news.php


Subject: TikTok pushes harmful content promoting eating disorders and self-harm into young users’ feeds
Source: Center for Countering Digital Hate Report
https://www.bespacific.com/tiktok-pushes-harmful-content-promoting-eating-disorders-and-self-harm-into-young-users-feeds/

Center for Countering Digital Hate Report – Deadly By Design: [48-page PDF] “Two-thirds of American teenagers use TikTok, and the average viewer spends 80 minutes a day on the application. The app, which is owned by the Chinese company, Bytedance, rapidly delivers a series of short videos to users and has overtaken Instagram, Facebook, and YouTube in the bid for young people’s hearts, minds, and screen time. And yet most people understand very little about how TikTok works or the potential dangers of the platform. Journalists love to talk about Twitter, their platform of choice. Facebook remains the most used platform worldwide, giving politicians, brands, and bad actors an unparalleled pool of potential users to target, and it has received proportionate scrutiny. But TikTok reveals a generational gap in usage and understanding. This report seeks to break down those barriers and give parents and policymakers insight into the content and algorithms shaping young lives today. For our study, Center for Countering Digital Hate researchers set up new accounts in the United States, United Kingdom, Canada, and Australia at the minimum age TikTok allows, 13 years old. These accounts paused briefly on videos about body image and mental health, and liked them. What we found was deeply disturbing…

–Abstracted from beSpacific
Copyright © 2022 beSpacific, All rights reserved.

ToC (page numbers refer to the PDF):
1. Introduction 5
2. Executive Summary 7
3. Methodology 9
4. TikTok’s algorithm carries mental health risks 12
5. TikTok bombards teens with body image and mental health content every 39 seconds 14
6. TikTok shows some teens eating disorder, self-harm and suicide content in minutes 19
7. TikTok targets the most vulnerable teens with more harmful content, not less 24
8. Mental health and body image videos shown to vulnerable teens every 27 seconds 35
9. TikTok is hosting an eating disorder community with over 13.2 billion views 37
10. Recommendations 40
Endnotes 45


Subject: DOJ Seizes Dozens of Websites as Part of Cyberattack-for-Hire
Source: Gizmodo
https://gizmodo.com/cyberattack-doj-fbi-cyber-crime-1849898562

The Department of Justice announced on Wednesday that it took down 48 internet domains and charged six people who allegedly offered cyberattack-for-hire services. Each defendant is charged with operating at least one website that sold distributed denial-of-service (DDoS) attacks, offered as subscriptions that varied in length and attack volume.

The U.S. obtained a court order to seize the 48 websites, and the FBI is currently in the process of seizing the sites, according to the DOJ.

DDoS services commonly refer to themselves as “stresser” or “booter” tools and the sites seized by the FBI include royalstresser and supremesecurityteam, among others.

The sites permitted users to pay to launch DDoS attacks that flooded targeted systems with junk traffic, knocking them offline. Educational institutions, government agencies, gaming platforms, and millions of individuals, both in the U.S. and abroad, were among the targets, according to the DOJ.

Filed: https://gizmodo.com/tech/cybersecurity

Posted in: Cybercrime, Cybersecurity, Food & Drug Law, Healthcare, Privacy, Social Media, Viruses & Hoaxes