Pete Recommends – Weekly highlights on cyber security issues, June 17, 2023

Subject: 8 Times ‘Deepfake’ Videos Were Actually Real
Source: Gizmodo

The rise of convincing and ubiquitous deepfake technology is leading to scenarios where bad actors deny reality in court.

+ slideshow w/ commentary

Subject: Here’s how billions in COVID relief funds were stolen or wasted | WTAJ
Source: WTAJ via the AP

WASHINGTON (AP) — Much of the theft was brazen, even simple. Fraudsters used the Social Security numbers of dead people and federal prisoners to get unemployment checks. Cheaters collected those benefits in multiple states. And federal loan applicants weren’t cross-checked against a Treasury Department database that would have raised red flags about sketchy borrowers.

Criminals and gangs grabbed the money. But so did a U.S. soldier in Georgia, the pastors of a defunct church in Texas, a former state lawmaker in Missouri and a roofing contractor in Montana.

All of it led to the greatest grift in U.S. history, with thieves plundering billions of dollars in federal COVID-19 relief aid intended to combat the worst pandemic in a century and to stabilize an economy in free fall.

An Associated Press analysis found that fraudsters potentially stole more than $280 billion in COVID-19 relief funding; another $123 billion was wasted or misspent. Combined, the loss represents 10% of the $4.2 trillion the U.S. government has so far disbursed in COVID relief aid.

Never has so much federal emergency aid been injected into the U.S. economy so quickly. “The largest rescue package in American history,” U.S. Comptroller General Gene Dodaro told Congress.

The enormous scale of that package has obscured multi-billion dollar mistakes.

Subject: The dos and don’ts of using home security cameras that see everything
Source: Washington Post

Washington Post (free link via MSN)

Know who could be watching videos of your home and when, and how to lock your cameras down to keep the feed private. Private cameras are supposed to make people feel safer. The small internet-connected devices can be mounted outside your home to deter or record potential criminals, or inside to keep an eye on pets or elderly parents. Those same cameras can also put the people who own them at risk. They’re vulnerable to hacks, can collect personal data, and their sensitive footage can be mishandled by companies or their employees. The Federal Trade Commission recently asserted that the camera maker Ring allowed employees to access videos of customers and failed to use adequate security measures to protect the cameras against hacking. Amazon bought …

Abstracted from beSpacific
Copyright © 2023 beSpacific, All rights reserved.

Subject: The U.S. Is Openly Stockpiling Dirt on All Its Citizens
Source: WIRED

Wired – The US Is Openly Stockpiling Dirt on All Its Citizens “A newly declassified report from the Office of the Director of National Intelligence reveals that the federal government is buying troves of data about Americans…Perhaps most controversially, the report states that the government believes it can “persistently” track the phones of “millions of Americans” without a warrant, so long as it pays for the information. Were the government to simply demand access to a device’s location instead, it would be considered a Fourth Amendment “search” and would require a judge’s sign-off. But because companies are willing to sell the information—not only to the US government but to other companies as well—the government considers it “publicly available” and therefore asserts that it “can purchase it.” It is no secret, the report adds, that it is often trivial “to deanonymize and identify individuals” from data that was packaged as ethically fine for commercial use because it had been “anonymized” first. Such data may be useful, …

“I’ve been warning for years that if using a credit card to buy an American’s personal information voids their Fourth Amendment rights, then traditional checks and balances for government surveillance will crumble,” Ron Wyden, a US senator from Oregon, says.

The report notes: “The government would never have been permitted to compel billions of people to carry location tracking devices on their persons at all times, to log and track most of their social interactions, or to keep flawless records of all their reading habits. Yet smartphones, connected cars, web tracking technologies, the Internet of Things, and other innovations have had this effect without government participation.”

NB 48-page PDF

2-page ToC starts on physical page 6

2-page Conclusion starts on physical page 46

Abstracted from beSpacific

Subject: Suicide Hotlines Promise Anonymity. Dozens of Their Websites Send Sensitive Data to Facebook
Source: The Markup

The Markup found many sites tied to the national mental health crisis hotline transmitted information on visitors through the Meta Pixel

Websites for mental health crisis resources across the country—which promise anonymity for visitors, many of whom are at a desperate moment in their lives—have been quietly sending sensitive visitor data to Facebook, The Markup has found.

Dozens of websites tied to the national mental health crisis 988 hotline, which launched last summer, transmit the data through a tool called the Meta Pixel, according to testing conducted by The Markup. That data often included signals to Facebook when visitors attempted to dial for mental health emergencies by tapping on dedicated call buttons on the websites.

In some cases, filling out contact forms on the sites transmitted hashed but easily unscrambled names and email addresses to Facebook.

From the series — Pixel Hunt, Privacy, and Impact

Subject: CISA’s new directive targets devices that can be configured over public internet
Source: Nextgov

The Cybersecurity and Infrastructure Security Agency has issued a new binding operational directive requiring agencies to enhance protections for devices on federal information systems that use network protocols for remote management over public internet — or remove them from their networks.

The new directive applies to devices like routers, switches, firewalls and load balancers that allow agency administrators to provide remote configurations through a management interface accessible over public internet using HTTP, remote login services or file transfer protocols, among other methods.

Many federal agencies employ consumer devices that provide configuration and management capabilities over the public internet. Under the new directive, agencies can only leverage devices that feature management interfaces exclusively accessible from inside the enterprise network through a management jumpbox separate from the device or through enforcement points that employ zero trust principles.


Subject: Privacy Guides: The Expert’s Guide to Online Privacy in 2023
Source: Privacy Tools

Protect your digital footprint with the expert’s guide to online privacy. Our comprehensive guides cover everything you need to know to stay safe online.

ToC:

Privacy Guides

Subject: Americans Told Not to Mail Checks Anymore
Source: AP via Newser

If you must do so, don’t send it via your mailbox. Check fraud is back in a big way, so much so that postal authorities and bank officials are warning Americans to avoid mailing checks if possible, or at least to use a secure mail drop such as inside the post office. Banks issued roughly 680,000 reports of check fraud to the Financial Crimes Enforcement Network, also known as FinCEN, last year. That’s up from 350,000 reports in 2021. Meanwhile the US Postal Inspection Service reported roughly 300,000 complaints of mail theft in 2021, more than double the prior year’s total, reports the AP.

Today’s check fraud criminals aren’t small operations or lone individuals. They’re often sophisticated criminal operations, with participants infiltrating post office distribution centers, setting up fake businesses, or creating fake IDs to deposit the checks. The AP has the story of a small-business owner who found himself a victim: Eric Fischgrund, who runs FischTank PR, a 30-person public relations firm in New York, had about 15 checks that were being mailed to him from clients stolen after they all went through the same Postal Service distribution center. Ten of them were successfully cashed by criminals.

Subject: EU boss Breton: Chinese comms kit unsafe to use in Europe
Source: The Register

European commissioner Thierry Breton wants Huawei and ZTE barred throughout the EU, and revealed plans to remove kit made by the Chinese telecom vendors from the Commission’s internal networks.

“We cannot afford to maintain critical dependencies that could become a weapon against our interests,” he declared in a Thursday speech.

The Chinese vendors’ presence in foreign networks has been a point of concern for years. There are concerns that backdoors in Huawei equipment could allow China to spy on foreign nations, given Chinese law requires local businesses to share info with Beijing. However, Huawei has repeatedly rejected the claims of backdoors, insisted it follows the law of the land wherever it operates, and denied that Chinese laws would see it sell out customers.

Those protestations haven’t stopped the US, UK, and at least ten EU countries from banning the manufacturer’s kit from their networks. ZTE has also run afoul of regulators.

Implementing a US-style rip-and-replace program won’t, however, come cheap. In the US, the federal government agreed to subsidize replacement of Huawei and ZTE tech at a cost of $5.6 billion, according to an FCC report from early 2022.


Subject: Social Engineering And The Disinformation Threat In Cybersecurity
Source: Forbes

Disinformation is one of the world’s most debated topics. From Vote Leave’s now infamous Brexit bus; to Donald Trump’s hysterical “fake news” allegations; to Vladimir Putin’s warmongering rhetoric, disinformation – whether real or imagined – is an inescapable reality of the modern world.

But disinformation campaigns aren’t restricted to the political sphere – according to research from Weber Shandwick, 87% of executives say the spread of disinformation is one of the most significant reputational risks to businesses today.

Despite the internet’s irrefutable role in modern disinformation campaigns, we don’t typically see disinformation as a cybersecurity threat. This misconception could prevent security teams from effectively tackling such campaigns, with potentially disastrous consequences.

This article will outline what disinformation is, how it relates to social engineering and cybersecurity, and how security teams can fight back.

More articles by David Balaban:


Posted in: Cybercrime, Cybersecurity, Economy, Gadgets/Gizmos, Privacy