Pete Recommends – Weekly highlights on cyber security issues, January 20, 2024

Subject: State’s cyber bureau has ‘raised the U.S. profile on cyber globally,’ watchdog says
Source: Nextgov/FCW

The Government Accountability Office said the creation of the Bureau of Cyberspace and Digital Policy in 2022 has “helped to better position State to achieve its cyber diplomacy goals.”

The State Department’s Bureau of Cyberspace and Digital Policy — or CDP — has been effective in helping the agency advance U.S. interests in cyberspace and develop stronger cyber alliances with global partners since its creation, according to a Government Accountability Office report released on Thursday.

The watchdog found that CDP’s establishment in April 2022 “helped to better position State to achieve its cyber diplomacy goals” by consolidating its digital efforts within one centralized component led by an ambassador at-large, rather than spreading them out across the department.

“CDP’s ambassador level leadership has enabled engagement with higher levels of foreign government officials and raised the U.S. profile on cyber globally,” GAO said.

State conducts a range of cyber diplomacy activities, including efforts to “counter threats to the U.S. digital ecosystem and reinforce global norms of responsible state behavior.” The report found that these activities have been bolstered by CDP’s creation, since the bureau now takes the lead in “working with multilateral organizations, such as the U.N., to fortify responsible state behaviors that member states have endorsed.”

Subject: How enterprises are using gen AI to protect against ChatGPT leaks
Source: VentureBeat

Reducing the risk of intellectual property loss without sacrificing speed 

ChatGPT’s greatest risk is having employees accidentally share intellectual property (IP), confidential pricing, cost, financial analysis and HR data with large language models (LLMs) accessible by anyone. Samsung and other companies accidentally divulging confidential data is still fresh in the minds of security and senior management leaders.

Given how urgent the issue is to solve and how it all pivots on guiding user behavior, many organizations are looking to generative AI-based approaches to solve the security challenge. That’s why there’s growing interest in generative AI Isolation and comparable technologies to keep confidential data out of ChatGPT, Bard and other gen AI sites. Every business wants to balance the competitive efficiency, speed, and process improvement gains ChatGPT provides with a solid strategy for reducing risk.


Subject: More Police Are Using Your Cameras for Video Evidence
Source: The Marshall Project

Los Angeles and Washington, D.C., are among major cities slated to launch a Real-Time Crime Center in the coming months, billed as a kind of “nerve center” for the integration of police technology and data. These centers vary, but tend to integrate public surveillance video with other police technology like license plate readers, facial recognition, drone cameras, body camera footage and gunshot detection software. As Wired Magazine reported last summer, the centers have been popping up across the country, with at least 135 now running, according to one count.

Proponents say the centers make it easier for police to solve crimes and find suspects. Opponents worry both about the invasion of privacy, and that increased surveillance will disproportionately target Black people and other marginalized communities.

Private security footage is nothing new to criminal investigations, but two factors are rapidly changing the landscape: huge growth in the number of devices with cameras, and the fact that footage usually lands in a cloud server, rather than on a tape.

In thousands of cities and towns, camera owners can opt into programs that give police access to their camera footage — sometimes live-streamed, sometimes after a specific request by police.

While some private cameras may stumble upon something relevant to the police, others go looking for it. This week, the city of St. Louis issued a cease-and-desist letter over an entrepreneur’s plan to operate a private drone security program pitched as a crime deterrent.

Subject: Why scammers are texting you pictures of wine bottles, selfies
Source: Nexstar Media Wire

(NEXSTAR) – Scammers are sending unsuspecting people seemingly innocent photos with intentions that aren’t so innocent, the Better Business Bureau warns. One such scam starts with a text out of the blue. The only thing the message contains is a photo of a disembodied hand holding up a wine bottle – no caption, no context.

But the scam has nothing to do with wine. The photo could be of anything – a person, a nature scene, it doesn’t matter. The whole point is to get you to respond, explains Melanie McGovern, director of public relations and social media at the Better Business Bureau (BBB).

“It’s fishing to see if the number is a real person, and how far they can get you down the rabbit hole,” says McGovern.

One person who reported the wine bottle scam to the BBB said they replied to the mystery texter, and it initially launched a conversation about wine. But then the wine bottle texter started asking for the recipient’s name and age, and that set off alarm bells.

These photo texts are all a type of “wrong number scams,” the BBB explains.

Subject: US court docs expose fake antivirus renewal phishing tactics
Source: BleepingComputer

In a seizure warrant application, the U.S. Secret Service sheds light on how threat actors stole $34,000 using fake antivirus renewal subscription emails.

The now-executed seizure warrant was submitted by Special Agent Jollif of the United States Secret Service (USSS) to recover funds stolen in a fake Norton subscription renewal email that led to the threat actor gaining access to a victim’s PC and bank account.

According to the court document submitted by a Special Agent of the United States Secret Service, the stolen money is stored in a Chase bank account belonging to someone named “Bingsong Zhou,” associated with phishing scams impersonating Norton Antivirus renewal subscriptions.

These phishing emails claim that the recipient is about to be charged for renewing an antivirus subscription license and to call the enclosed number to cancel it.

The victim calls the phone number listed on the email, and from there, the scammers direct them to perform various actions such as installing remote access software on their computers, infecting themselves with malware, and entering their account credentials on a phishing page.

This type of scam has been ongoing for many years, but Jollif stated that the activity has recently risen to higher volumes.

Illusionary deposit – One case highlighted in the court document mentions a victim who received a phishing email on November 28, 2023, alleging that he would be charged $349.95 for a Norton antivirus subscription unless he canceled the charge.


Subject: Each Facebook User is Monitored by Thousands of Companies
Source: Consumer Reports via The Markup

By now most internet users know their online activity is constantly tracked. No one should be shocked to see ads for items they previously searched for, or to be asked if their data can be shared with an unknown number of “partners.” But what is the scale of this surveillance? Judging from data collected by Facebook and newly described in a unique study by non-profit consumer watchdog Consumer Reports, it’s massive, and examining the data may leave you with more questions than answers.

Using a panel of 709 volunteers who shared archives of their Facebook data, Consumer Reports found that a total of 186,892 companies sent data about them to the social network. On average, each participant in the study had their data sent to Facebook by 2,230 companies. That number varied significantly, with some panelists’ data listing over 7,000 companies providing their data.

The Markup helped Consumer Reports recruit participants for the study. Participants downloaded an archive of the last three years of their data from their Facebook settings, then provided it to Consumer Reports.

By collecting data this way, the study was able to examine a form of tracking that is normally hidden: so-called “server-to-server” tracking, in which personal data goes from a company’s servers to Meta’s servers. Another form of tracking, in which Meta tracking pixels are placed on company websites, is visible to users’ browsers.

Because the data came from a self-selected group of users, and because the results were not demographically adjusted, the study does not “make any claims about how representative this sample is of the U.S. population as a whole,” Consumer Reports noted. Participants were also likely more privacy conscious and technically inclined than typical users and more likely to be members of Consumer Reports.

Despite its limitations, the study offers a rare look, using data directly from Meta, on how personal information is collected and aggregated online.

How Can I See My Data? Facebook users can browse through the list of companies that have sent their data to Facebook by going to:

To see detailed information about these interactions, request a copy of your data.

Subject: Cheap .cloud domains and Shark Tank fuel unhealthy scams
Source: The Register

Scammers are buying up cheap domain names to host sites that sell dodgy health products using fake articles, according to cybercrime disruption outfit Netcraft. The firm on Tuesday noted that purveyors of legal-but-dubious health products often run fake news campaigns to promote their offerings, often with layouts that mimic prominent news outlets. Some of the stories suggest that judges on entrepreneurial reality shows Shark Tank and Dragons’ Den have backed the products.

The fakery is sprayed across the internet, often to social media. Netcraft suggests it’s hosted on freshly-registered domain names from among the constellation of new global top-level domain names (gTLDs).

Such domains have proliferated in recent years after ICANN decided to allow new gTLDs in 2011.

“The cheap domain pricing on these TLDs allows criminals to cost-effectively spread their campaigns over a large number of domains,” Netcraft’s analysts wrote. “This makes it harder to perform countermeasures against cyber-attacks, as the campaign can be spread across more infrastructure.”

Subject: How Walmart’s Financial Services Became a Fraud Magnet
Source: ProPublica

Scammers have duped consumers out of more than $1 billion by exploiting Walmart’s lax security. The company has resisted taking responsibility while breaking promises to regulators and skimping on training.

America’s largest retailer has long been a facilitator of fraud on a mass scale, a ProPublica investigation has found. For roughly a decade, Walmart has resisted tougher enforcement while breaking promises to regulators and skimping on employee training, according to more than 50 interviews, internal documents supplied by former industry executives, court filings and other public records.

Walmart has a financial incentive to avoid cracking down. It makes money each time a Walmart gift card is used and earns a fee when another brand of card is bought. And it receives one commission when a person sends a money transfer and a second when the recipient picks it up. The company’s financial services business generates hundreds of millions in annual profits. (Its filings do not provide specific figures for gift cards and money transfers.)

Subject: How a 27-Year-Old Codebreaker Busted the Myth of Bitcoin’s Anonymity
Source: WIRED

Just over a decade ago, Bitcoin appeared to many of its adherents to be the crypto-anarchist holy grail: truly private digital cash for the internet. Satoshi Nakamoto, the cryptocurrency’s mysterious and unidentifiable inventor, had stated in an email introducing Bitcoin that “participants can be anonymous.” And the Silk Road dark-web drug market seemed like living proof of that potential, enabling the sale of hundreds of millions of dollars in illegal drugs and other contraband for bitcoin while flaunting its impunity from law enforcement.

This is the story of the revelation in late 2013 that Bitcoin was, in fact, the opposite of untraceable—that its blockchain would actually allow researchers, tech companies, and law enforcement to trace and identify users with even more transparency than the existing financial system. That discovery would upend the world of cybercrime. Bitcoin tracing would, over the next few years, solve the mystery of the theft of a half-billion dollar stash of bitcoins from the world’s first crypto exchange, help enable the biggest dark-web drug market takedown in history, lead to the arrest of hundreds of pedophiles around the world in the bust of the dark web’s largest child sexual abuse video site, and result in the first-, second-, and third-biggest law enforcement monetary seizures in the history of the US Justice Department.

That 180-degree flip in the world’s understanding of cryptocurrency’s privacy properties, and the epic game of cat-and-mouse that followed, is the larger saga that unfolds in the book Tracers in the Dark: The Global Hunt for the Crime Lords of Cryptocurrency, out this week in paperback.

All of it began with the work of a young, puzzle-loving mathematician named Sarah Meiklejohn, the first researcher to pull out traceable patterns in the apparent noise of Bitcoin’s blockchain. This excerpt from Tracers in the Dark reveals how Meiklejohn came to the discoveries that would launch that new era of crypto criminal justice.

Subject: Inside Biden’s secret surveillance court
Source: Flipboard via Politico

At an undetermined date, in an undisclosed location, the Biden administration began operating a secretive new court to protect Europeans’ privacy rights under U.S. law. Officially known as the Data Protection Review Court, it was authorized in an October 2022 executive order to fix a collision of European and American law that had been blocking the lucrative flow of consumer data between American and European companies for three years.

The court’s eight judges were named last November, including former U.S. Attorney General Eric Holder. Its existence has allowed companies to resume the lucrative transatlantic data trade with the blessing of EU officials. The details get blurry after that.

And critics worry it will tie the hands of U.S. intelligence agencies with an unusual power: It can make binding decisions on surveillance practices with federal agencies, which won’t be able to challenge those decisions.

The global trade in personal data is a large and growing business, up to $7.1 trillion between the U.S. and the EU alone, but governed by legal regimes that differ sharply across borders.

The court never officially opened for business, at least not publicly. The closest thing to an announcement was Merrick Garland’s press conference last November, naming the eight judges who would hear cases.

Subject: The worst privacy washing of 2023 and trends to expect in 2024
Source: Proton Blog [FYI: an infomercial — mostly “info” but some com“mercial”]

The biggest new threat to privacy in 2023 wasn’t any surveillance program. It was the false advertising Big Tech companies use to trick people into thinking their products are private. Like oil companies claiming fossil fuels are “green”, Google, Apple, Microsoft, and others increasingly try to convince people their surveillance-based advertising models are “private” when they’re not. This sneaky marketing practice is known as privacy washing.

We expect this trend to increase in the coming years, and it’s important for everyone to understand the reality that surveillance capitalism is incompatible with privacy.

Three factors are pushing privacy washing to new extremes:

  • The increasing consumer demand for online privacy
  • Stronger privacy regulations around the world
  • Pressure on ad revenue because of ad blockers and other privacy-protecting technologies

Privacy washing year in review – 2023 was the year of privacy washing. We worked to expose some of the most egregious examples.


Subject: SEC Chair Gensler sounds alarm on risks of large AI-fueled financial models
Source: FedScoop

The Securities and Exchange Commission chair has “macro” concerns about financial sector reliance on a couple large AI base models, especially since regulators would have no oversight power.

Artificial intelligence will ultimately be a “net positive” for “efficiency and access in the financial markets,” Securities and Exchange Commission Chairman Gary Gensler said Wednesday. But the financial sector needs to keep in mind that the technology “comes with risks.”

“The whole financial sector, indirectly, will be relying on those central nodes,” Gensler said. “And if those nodes have it wrong, the monoculture goes one way, well, then there’s a risk in society and the financial sector at large.”

The SEC last July proposed rules to prohibit investment firms from using predictive data analytics, including AI, that put their interests above those of their clients. Those rules followed March 2022 recommendations from the agency’s Investor Advisory Committee, which called for ethical guidelines regarding AI models used by investment firms and financial institutions.

Subject: US Gov warns drones can be tools for Chinese espionage
Source: The Register

Two US government agencies, the Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI), warned on Wednesday that drones made in China could be used to gather information on critical infrastructure. “The People’s Republic of China (PRC) has enacted laws that provide the government with expanded legal grounds for accessing and controlling data held by firms in China. The use of Chinese-manufactured unmanned aircraft systems (UAS) in critical infrastructure operations risks exposing sensitive information to PRC authorities,” according to a statement on the CISA website. The statement does not name any brands.

Those expanded legal grounds include regulations that require companies to send data to Beijing, such as China’s 2017 National Intelligence Law, 2021’s Data Security Law and the 2021 Cyber Vulnerability Reporting Law.

Between those three measures, Beijing reserves the right to gain access to data collected by Chinese companies worldwide or businesses operating in the Middle Kingdom.

Subject: How to Opt Out of Comcast’s Xfinity Storing Your Sensitive Data
Source: WIRED

One of America’s largest internet providers may collect data about your political beliefs, race, and sexual orientation to serve personalized ads.

Your internet service provider could have a good idea of who you’re planning to vote for in the 2024 election as well as the gender of the last person you slept with—and it’s saving that information for later. Major internet providers, like Comcast’s Xfinity, stockpile more revealing data than users might initially realize.

The good news is that you can take steps to opt out of Comcast’s data storage—although there are limitations on how far the privacy options go. Also, if you live in a state with supplemental privacy legislation, then you might have the right to request and receive more details about your collected data.

How to Change Your Sensitive Personal Information Settings – You don’t have to log in to the Xfinity website with your username and password to make this settings change, but be forewarned: You will be asked to fork over your email, phone number, and location.

[I followed these instructions and realized that I still had certain privacy functions not set as desired /pmw1]

Posted in: AI, Cybercrime, Cybersecurity, Email Security, Privacy, Social Media