Pete Recommends – Weekly highlights on cyber security issues, October 7, 2023

Subject: Need a VPN? Here Are the Ones You Can Officially Trust

In an effort to make sure that you can be truly confident when choosing the best cheap VPN for your needs, the Internet Infrastructure Coalition (i2 Coalition) has launched the VPN Trust Seal accreditation program. The new accolade builds on top of the VPN Trust Initiative, which was first launched in 2019 with the goal of strengthening trust and mitigating risks for VPN users, and the VTI principles that were published in 2020.

Now, the i2 Coalition has announced a list of trusted VPN providers that you can purchase with confidence, including some of our favorites like Surfshark with its incredible value $2.39 per month deal and NordVPN, which is nearly 70% off for a limited time.

The Most Trustworthy VPNs Revealed


Subject: H&R Block, Meta, and Google Slapped With RICO Suit
Source: Gizmodo

Gizmodo: “Anyone who has used H&R Block’s tax return preparation services in recent years may have unintentionally helped line Meta and Google’s pockets. That’s according to a new class action lawsuit which alleges the three companies “jointly schemed” to install trackers on the H&R Block site to scan and transmit tax data back to the tech companies which then used elements of the data to engage in targeted advertising. Attorneys bringing the case forward claim the three companies’ conduct amounts to a “pattern of racketeering activity” covered under the Racketeer Influenced and Corrupt Organizations Act (RICO), a tool typically reserved for organized crime. “H&R Block, Google, and Meta ignored data privacy laws, and passed information about people’s financial lives around like candy,” Brent Wisner, one of the attorneys bringing forward the complaint said. The lawsuit, filed in the Northern District of California this week, stems from a bombshell Congressional report released earlier this year detailing …–

Abstracted from beSpacific
Copyright © 2023 beSpacific, All rights reserved.

Subject: Don’t Let Zombie Zoom Links Drag You Down
Source: Krebs on Security

Many organizations — including quite a few Fortune 500 firms — have exposed web links that allow anyone to initiate a Zoom video conference meeting as a valid employee. These company-specific Zoom links, which include a permanent user ID number and an embedded passcode, can work indefinitely and expose an organization’s employees, customers or partners to phishing and other social engineering attacks. At issue is the Zoom Personal Meeting ID (PMI), which is a permanent identification number linked to your Zoom account and serves as your personal meeting room available around the clock. The PMI portion forms part of each new meeting URL created by that account, such as:

Zoom has an option to include an encrypted passcode within a meeting invite link, which simplifies the process for attendees by eliminating the need to manually enter the passcode. Following the previous example, such a link might look something like this:

According to Akiri, here are several tips for using Zoom links more safely:
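The two kinds of link the article describes (a join URL carrying a permanent meeting ID, with or without a `pwd=` passcode parameter) are easy to audit for on the defender's side. The following is an added example, not code from the article, Zoom or Akiri: it scans text pulled from an organization's own published pages or documents for Zoom join links and flags those whose passcode is embedded in the URL, since those are the ones that keep working for anyone who finds them. The sample text, host names and meeting numbers are constructed for the example; the `zoom.us/j/<id>?pwd=...` shape is the public join-link format the article refers to.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed sample of lines an auditor might collect from a company's
# public web pages or shared documents. The links are made up, not real meetings.
SAMPLE_TEXT = """
Join our weekly town hall: https://example-corp.zoom.us/j/1234567890?pwd=abcDEFghiJKLmnoPQR
Office hours link (no passcode in URL): https://zoom.us/j/98765432109
Press kit: https://www.example.com/press
Partner sync: https://us02web.zoom.us/j/55512345678?pwd=zzz111&uname=guest
"""

# Zoom join links: any zoom.us subdomain, /j/ followed by a 9-11 digit
# meeting number, and an optional query string.
ZOOM_JOIN_RE = re.compile(r"""https?://[\w.-]*zoom\.us/j/\d{9,11}(?:\?[^\s"'<>]*)?""")


def find_zoom_links(text):
    """Return one finding per Zoom join link found in the text."""
    findings = []
    for match in ZOOM_JOIN_RE.finditer(text):
        url = match.group(0)
        parsed = urlparse(url)
        meeting_id = parsed.path.rsplit("/", 1)[-1]
        query = parse_qs(parsed.query)
        findings.append({
            "url": url,
            "host": parsed.netloc,
            "meeting_id": meeting_id,
            # A pwd= parameter means the passcode travels with the link itself.
            "embedded_passcode": "pwd" in query,
        })
    return findings


def exposed_links(text):
    """Links that carry their passcode: anyone holding the URL can join."""
    return [f for f in find_zoom_links(text) if f["embedded_passcode"]]


def report(text):
    """Human-readable summary of what an auditor should follow up on."""
    lines = []
    for f in find_zoom_links(text):
        status = "PASSCODE EMBEDDED" if f["embedded_passcode"] else "passcode not in URL"
        lines.append(f"{f['host']} meeting {f['meeting_id']}: {status}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_TEXT))
```

Links flagged as carrying an embedded passcode are the candidates for the remediation the article describes: treat the link as leaked, rotate the passcode, or stop publishing PMI-based links in favour of per-meeting IDs. The scanner cannot tell a PMI from a one-off meeting number, so that distinction still has to come from the account owner.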

Zoom ; Zoom Personal Meeting ID

Subject: New is refreshing the conversation about Zero Trust

The General Services Administration Office of Government-wide Policy’s (OGP) Identity Assurance and Trusted Access Division has refreshed that gives government agencies one place to go to learn the latest news in cybersecurity and guidance for implementing Zero Trust. The new design makes information more accessible and learning more enjoyable for everyone. “Identity management is critical as we look to share more information with trusted individuals,” said Dan Pomeroy, deputy associate administrator for OGP’s Office of Technology Policy. “Our team’s work on provides all of the key resources for federal agencies to apply the best practices for information access.”

Zero Trust is an approach to cybersecurity that goes beyond “trust but verify” and treats all networks and correspondence as potential threats. can help federal agencies, vendors, acquisition professionals, program managers, and anyone else interested learn how to plan for, implement, and reach Zero Trust more quickly — enabling the right individual to access the right resource at the right time for the right reasons.

Visit the new to explore its resources for vendors, program managers, and acquisition professionals.

Subject: Delete your digital history from dozens of companies with this app
Source: WaPo

Washington Post: “A new iPhone and Android app (does not work on Mac or PC) called Permission Slip makes it super simple to order companies to delete your personal information and secrets. Trying it saved me about 76 hours of work telling Ticketmaster, United, AT&T, CVS and 35 other companies to knock it off. Did I mention Permission Slip is free? And it’s made by an organization you can trust: the nonprofit Consumer Reports. I had a few hiccups testing it, but …

Abstracted from beSpacific

Subject: Supreme Court to consider whether Americans with Disabilities Act ‘tester’ can sue hotels for non-compliance with the law
Source: CNN Politics

A district court dismissed Laufer’s complaint against the company, ruling that, because she never intended to visit the hotel, she didn’t suffer the type of injury needed to bring her case. But an appeals court later ruled in Laufer’s favor, saying that her lawsuit could proceed because she experienced an “informational injury” as a result of the hotel’s lack of accessibility information.

“Laufer is a person with disabilities – not just any one of the hundreds of millions of Americans with a laptop – and personally suffered the denial of information the law entitles her, as a person with disabilities, to have,” the appeals court ruled.

Subject: CISA and NSA Release New Guidance on Identity and Access Management
Source: CISA

Today, CISA and the National Security Agency (NSA) published Identity and Access Management: Developer and Vendor Challenges, authored by the Enduring Security Framework (ESF), a CISA- and NSA-led working panel that includes a public-private cross-sector partnership. ESF aims to address risks that threaten critical infrastructure and national security systems. This publication, which follows ESF’s Identity and Access Management Recommended Best Practices Guide for Administrators, assesses and addresses challenges developers and technology manufacturers face in identity and access management (IAM). The guidance specifically addresses technology gaps that limit the adoption and secure employment of multifactor authentication (MFA) and single sign-on (SSO) technologies within organizations.

Although the publication primarily addresses challenges facing large organizations, it also provides recommendations applicable to smaller organizations. CISA encourages cybersecurity defenders to review this guidance and to speak to their software vendors about implementing its recommendations.

Subject: 3 Chatbot Privacy Risks and Concerns You Should Know About
Source: Make Use Of

MakeUseOf – “Chatbots have been around for years, but the rise of large language models, such as ChatGPT and Google Bard, has given the chatbot industry a new lease of life. Millions of people now use AI chatbots worldwide, but there are some important privacy risks and concerns to keep in mind if you want to try out one of these tools.”–

Abstracted from beSpacific

Subject: NSA and CISA Red and Blue Teams Share Top Ten Cybersecurity Misconfigurations
Source: CISA

Cybersecurity Advisory – A plea for network defenders and software manufacturers to fix common problems.

EXECUTIVE SUMMARY

The National Security Agency (NSA) and Cybersecurity and Infrastructure Security Agency (CISA) are releasing this joint cybersecurity advisory (CSA) to highlight the most common cybersecurity misconfigurations in large organizations, and detail the tactics, techniques, and procedures (TTPs) actors use to exploit these misconfigurations.

Through NSA and CISA Red and Blue team assessments, as well as through the activities of NSA and CISA Hunt and Incident Response teams, the agencies identified the following 10 most common network misconfigurations:

  1. Default configurations of software and applications
  2. Improper separation of user/administrator privilege
  3. Insufficient internal network monitoring
  4. Lack of network segmentation
  5. Poor patch management
  6. Bypass of system access controls
  7. Weak or misconfigured multifactor authentication (MFA) methods
  8. Insufficient access control lists (ACLs) on network shares and services
  9. Poor credential hygiene
  10. Unrestricted code execution

Subject: DHS to release AI guidance for critical infrastructure
Source: Nextgov/FCW

The agency hopes to serve as a “vanguard” in critical infrastructure’s safe and ethical use of AI, according to one official. The Department of Homeland Security’s efforts to codify the best cybersecurity practices to help protect U.S. critical infrastructure have expanded to cover emerging technology with upcoming guidance on how to leverage artificial intelligence technologies.

To facilitate this, Silvers said that DHS is working on developing guidance for critical infrastructure companies on how to securely deploy AI solutions in their operations. The scope of this forthcoming guidance will address how to successfully audit front and back end systems, when to incorporate humans in automated processes and how to mitigate widespread, severe system failure.

“When you’re looking at an application of AI technology, it’s important to understand what are the safety risks in absolute terms,” he said. “It’s also important to look on an imperative basis, how safe is that compared to what we do now?”

Posted in: AI, Congress, Cybercrime, Cybersecurity, Financial System, Firewalls, Legal Research, Legislative, Privacy, United States Law