Pete Recommends – Weekly highlights on cyber security issues, January 13, 2024

Subject: Swatting: The new normal in ransomware extortion tactics
Source: The Register

Extortionists are now threatening to swat hospital patients — calling in bomb threats or other bogus reports to the police so heavily armed cops show up at victims’ homes — if the medical centers don’t pay the crooks’ ransom demands.

After intruders broke into Seattle’s Fred Hutchinson Cancer Center’s IT network in November and stole medical records – everything from Social Security numbers to diagnoses and lab results – miscreants threatened to turn on the patients themselves directly.

The idea being, it seems, that those patients and the media coverage from any swatting will put pressure on the US hospital to pay up and end the extortion. Other crews do similar when attacking IT service providers: they don’t just extort the suppliers, they also threaten or further extort customers of those providers.

“We had another one where the victim organization decided not to pay, but then the ransomware actors went on to harass customers of that organization,” Rubin said. “They came back to us and said they regretted the decision [not to pay] because of the reputational impact of the threat actor going to their customers.”

It’s bad enough that these attacks have diverted ambulances and postponed critical care for patients, and now the criminals are inflicting even more pain on people. Last year this included leaking breast cancer patients’ nudes. Swatting seems to be the next, albeit abhorrent, step.



Subject: FTC Issues $10 Million Penalty to This Service Provider Facilitating Robocalls
Source: Cord Cutters News

The Federal Trade Commission reached a $10 million settlement with voice-over-internet protocol (VoIP) service provider XCast Labs over allegations the company facilitated hundreds of millions of illegal robocalls on its network after multiple warnings to stop.

On January 2, the Department of Justice filed a proposed court order on behalf of the FTC, which mandates XCast Labs implement a screening process to detect robocall activity and end partnerships with firms that do not comply with telemarketing laws.

The FTC had warned XCast Labs to halt illegal activity on its network since 2020 to no avail.

In 2020, the FTC sent letters to several VoIP providers, including XCast Labs, alerting the companies that assisting and facilitating illegal telemarketing or robocalling is against the law. XCast Labs accumulated dozens of “traceback” reports from the US Telecom’s Industry Traceback Group, which noted suspected illegal calls originating from XCast Labs’ network.

Subject: Outlook is Microsoft’s new data collection service
Source: Proton

[infomercial … I do have the product]

[So far, I see none of this on web-based Outlook; I don’t use the app (neither Windows nor Android) /pmw1]

Published January 5, 2024 – With Microsoft’s rollout of the new Outlook for Windows, it appears the company has transformed its email app into a surveillance tool for targeted advertising.

Everyone talks about the privacy-washing campaigns of Google and Apple as they mine your online data to generate advertising revenue. But now it looks like Outlook is no longer simply an email service; it’s a data collection mechanism for Microsoft’s 772 external partners and an ad delivery system for Microsoft itself.

Here’s how and why.

Microsoft shares your data with 772 third parties

Some European users who download the new Outlook for Windows will encounter a modal with a troubling disclosure about how Microsoft and several hundred third parties process their data:

The window informs users that Microsoft and those 772 third parties use their data for a number of purposes, including to:

Thanks to the EU’s General Data Protection Regulation, Europeans are at least informed that a small village of third parties will be able to look at their data. Americans, thanks to their government’s refusal to pass privacy legislation, are never even informed this is happening.

With the new Outlook, Microsoft forces users to enter maze-like privacy statements to seize back some control of their data. Of course, Microsoft knows that almost no one reads privacy policies. If everyone understood those policies, revenue would be jeopardized.

Microsoft’s integration of Outlook with cloud services has raised privacy alarm bells.

When you sync third-party email accounts from services like Yahoo or Gmail with the new Outlook, you risk granting Microsoft access to the IMAP and SMTP credentials, emails, contacts, and events associated with those accounts, according to the German IT blog Heise Online.

“Although Microsoft explains that it is possible to switch back to the previous apps at any time, the data will already be stored by the company,” Heise reported. “This allows Microsoft to read the emails.”

Microsoft is enabling itself to access your email account at any time without your knowledge, allowing it to scan and analyze your emails — and share them with third parties.

A deeper dive into Microsoft’s privacy policy shows what personal data it may extract


Subject: NIST Warns of Security and Privacy Risks from Rapid AI System Deployment
Source: The Hacker News

> As AI systems become integrated into online services at a rapid pace, in part driven by the emergence of generative AI systems like OpenAI ChatGPT and Google Bard, models powering these technologies face a number of threats at various stages of the machine learning operations.
> These include corrupted training data, security flaws in the software components, data model poisoning, supply chain weaknesses, and privacy breaches arising as a result of prompt injection attacks.
> “For the most part, software developers need more people to use their product so it can get better with exposure,” NIST computer scientist Apostol Vassilev said. “But there is no guarantee the exposure will be good. A chatbot can spew out bad or toxic information when prompted with carefully designed language.”
> Security and Privacy
> The attacks, which can have significant impacts on availability, integrity, and privacy, are broadly classified as follows –

“Despite the significant progress AI and machine learning have made, these technologies are vulnerable to attacks that can cause spectacular failures with dire consequences,” Vassilev said. “There are theoretical problems with securing AI algorithms that simply haven’t been solved yet. If anyone says differently, they are selling snake oil.”

Subject: Social engineer reveals effective tricks for real-world intrusions
Source: Help Net Security

In this Help Net Security interview, Jayson E. Street, Chief Adversarial Officer at Secure Yeti, discusses intriguing aspects of social engineering and unconventional methods for gathering target information.

Street explores the overlooked threat of physical security and the human tendency to neglect negative outcomes. He also shares insights on the potential damage from a physical attack on company workstations and recounts situations encountered in the field.

One of the most intriguing parts of social engineering is the homework or research phase. What unconventional methods have you seen or used to gather information about a target?


Subject: Don’t Sell Your Old Phone or Laptop Without Doing These 10 Things First
Source: MOU

Make Use Of:

  • Always back up your data before disposing of any hardware. Transfer valuable data to multiple mediums to ensure it is safe before disposal.
  • Remove connected accounts, log out of all applications, and remove devices from accounts to prevent unauthorized access.
  • Make hard drive data unreadable by utilizing data-wiping software or encryption methods to protect sensitive data on your hard drive.

Disposing of old tech is risky. Today, our devices, such as phones, laptops, and even TVs, are treasure troves of personal information. Selling your old phone or computer is a great way to make a few bucks, but make sure you’ve completely cleaned your data from it first.

Abstracted from beSpacific
Copyright © 2024 beSpacific, All rights reserved.

Subject: Google Wallet will support IDs from more states in the coming months
Source: Android Central

The trickiness in getting driver’s licenses and other forms of ID on smartphones has to do with the different rules and regulations among U.S. states. While mobile payments and digital payment cards have become somewhat standard, digital IDs are governed by each of the 50 states. Google needs to work with each state individually to get their IDs in the Google Wallet.

There are other logistical headaches that stand in the way of Google’s wallet-ditching goals. For example, while select states allow their IDs to be stored in digital wallets, some of those same states do not accept digital IDs on traffic stops. Physical ID cards are also required to drink alcohol or get documents notarized. Digital IDs, then, are only useful in a few places — like at TSA checkpoints in certain airports.

As of now, people in Arizona, Colorado, Georgia, and Maryland can store digital IDs in the Google Wallet. It’s unclear what other states are coming next, but we should find out soon if Kim’s comments are any indication.


Subject: In the fight over abortion rights, the government bans its first company from tracking medical visits

The Biden administration stopped a company from selling data on people’s medical visits on Tuesday, its first settlement on a privacy issue that has many Americans concerned about who can see their most sensitive personal data — particularly visits to abortion providers.

After an investigation, the Federal Trade Commission said it had reached a settlement with Outlogic, a location data broker formerly known as X-Mode Social, which had been collecting information on people’s visits to medical centers.

The settlement is the first major enforcement on location data since a 2022 executive order directed the government to ramp up privacy protections for anyone seeking an abortion.

The FTC has been cracking down on health privacy violations after the U.S. Supreme Court ruled there is no constitutional right to an abortion when it overturned Roe v. Wade in 2022. A Biden executive order in July 2022 directed federal agencies to protect people’s privacy related to reproductive health care services.

“The FTC’s action against X-Mode makes clear that businesses do not have free license to market and sell Americans’ sensitive location data,” FTC Chair Lina Khan said in a statement. “By securing a first-ever ban on the use and sale of sensitive location data, the FTC is continuing its critical work to protect Americans from intrusive data brokers and unchecked corporate surveillance.”

Subject: Chinese Experts Reportedly Breach AirDrop Encryption
Source: Time via Newser

Chinese experts have reportedly found a way to identify users of Apple’s encrypted AirDrop file-sharing service, a favorite form of communication for protesters critical of China’s strict control of its citizens. AirDrop allows iPhone users to share files with other iPhone users nearby via Bluetooth, without an internet connection. The device logs are supposed to be encrypted. But justice officials with Beijing’s municipal government said Monday that experts at the state-backed Beijing Wangshen Dongjian Justice Appraisal Institute had discovered a means of identifying a sender’s device log, allowing them to obtain the phone numbers and email addresses associated, in a “technological breakthrough,” per Time.

Subject: EFF Unveils Its New Street Level Surveillance Hub
Source: EFF

“The Electronic Frontier Foundation (EFF) today unveiled its new Street Level Surveillance hub, a standalone website featuring expanded and updated content on various technologies that law enforcement agencies commonly use to invade Americans’ privacy. The hub has new or updated pages on automated license plate readers, biometric surveillance, body-worn cameras, camera networks, cell-site simulators, drones and robots, face recognition, electronic monitoring, gunshot detection, forensic extraction tools, police access to the Internet of Things, predictive policing, community surveillance apps, real-time location tracking, social media monitoring, and police databases. It also features links to the latest articles by EFF’s Street Level Surveillance working group.”

Abstracted from beSpacific

Subject: Child Abusers Are Getting Better at Using Crypto to Cover Their Tracks
Source: WIRED

Crypto tracing firm Chainalysis found that sellers of child sexual abuse materials are successfully using “mixers” and “privacy coins” like Monero to launder their profits and evade law enforcement.

Now, after years of evolution in that grim cat-and-mouse game, new evidence suggests that online vendors of what was once commonly called “child porn” are learning to use cryptocurrency with significantly more skill and stealth—and that it’s helping them survive longer in the internet’s most abusive industry.

“Growing sophistication makes identification harder. It makes tracing harder, it makes prosecution harder, and it makes rescuing victims harder,” says Eric Jardine, the researcher who led the Chainalysis study. “So that sophistication dimension is probably the worst one you could see increasing over time.”

To explain that new longevity for some of the most harmful actors on the internet, Chainalysis points to how CSAM vendors are increasingly laundering their proceeds with cryptocurrency mixers—services that blend users’ funds to make tracing more difficult—such as ChipMixer and Sinbad.


Subject: Fake 401K year-end statements used to steal corporate credentials
Source: BleepingComputer

Threat actors are using communication about personal pension accounts (the 401(k) plans in the U.S.), salary adjustments, and performance reports to steal company employees’ credentials.

Email security company Cofense warns that these attacks are becoming more frequent and even organizations with sound email security practices are having trouble against them.

Bogus 401k notices

401(k) is a popular retirement savings plan in the U.S. that offers a convenient way for employees to save for the future with tax benefits, often including additional contributions from their employer.

Cybercriminals take advantage of this topic and are sending targets 401(k) notifications posing as someone from their company’s Human Resources department alleging an important plan update or an increase in contributions.

Cofense says that throughout last year it has seen a sharp rise in QR codes embedded in those phishing emails, taking recipients to a fake login page designed to steal credentials.

Other lure types seen more often towards the end of the year include open enrollment, surveys, and salary restructuring communications.

Finally, Cofense warns about fake employee satisfaction surveys and assessment reports sent to targets from spoofed human resource departments.

Subject: IRS has ‘unconscionable delays’ in helping identity theft victims, taxpayer advocate says
Source: Nextgov/FCW

The average wait time for taxpayers trying to resolve fraudulent returns, coupled with legitimate filers being mistakenly flagged as fraudulent, has become a top challenge for the IRS, according to a new report.

Victims of identity theft had to wait over a year and a half on average for the IRS to resolve their cases and to get their tax refunds in fiscal 2023, according to a new report from the National Taxpayer Advocate, an independent IRS organization focused on taxpayer issues and rights.

At the end of last year, the IRS still had about 484,000 more cases remaining in its Identity Theft Victims Assistance unit to work through.

As a result, National Taxpayer Advocate Erin Collins has included IRS handling of identity theft issues and “unconscionable delays in assisting victims” as a top-ten challenge for the IRS — a change from last year — in her recently released annual report.

All this comes as reports of identity theft are on the rise, according to Federal Trade Commission data.

Flagged taxpayers get letters with instructions to verify their identities, with the most common of such letters giving recipients the option to do so online with a vendor, over the phone, or in person, according to the report.

The IRS won’t process these returns until the person in question verifies themselves, but the taxpayer advocate says that “taxpayers experience difficulties authenticating their identity and return information.”

Collins also flagged low response rates to the letters sent to flagged filers and IRS processing delays in issuing pin numbers meant to protect taxpayers from identity theft as points of concern. These numbers, called identity protection pins, are also underutilized overall, the report argues.



Posted in: AI, Criminal Law, Cryptocurrency, Cybercrime, Cybersecurity, Data Mining, Financial System, Healthcare, Privacy