Pete Recommends – Weekly highlights on cyber security issues, March 16, 2024

Subject: UnitedHealth restoring Change Healthcare services by mid-March: 6 updates
Source: Becker’s Health IT

Change Healthcare, a technology company part of UnitedHealth Group’s Optum, expects to have its key system functionalities restored by mid-March following a “cybersecurity incident” on Feb. 21 that obstructed its healthcare connectivity and operations nationwide.

Latest articles on Cybersecurity:

‘Significant financial disruption’: AMA urges more from Change Healthcare restoration efforts
Hackers say they sold Lurie Children’s Hospital data for $3.4M

Kaiser, John Muir Health affected by Change Healthcare attacks

Subject: Microsoft Under Constant Attack by Russian Hackers, Filing Says
Source: Gizmodo

Hackers linked to the Russian government keep trying to penetrate Microsoft’s systems using information stolen in a hack from late 2023, according to an announcement from the tech company. The latest intrusion was serious enough that Microsoft filed a report with the SEC.

The Russian hackers have been dubbed Midnight Blizzard, previously known as Nobelium, which the U.S. and UK governments believe is attached to Russia’s Foreign Intelligence Service. The group has been around since at least early 2018.

“To date we have found no evidence that Microsoft-hosted customer-facing systems have been compromised,” the announcement continued.

Microsoft says it has seen an increase in the number of brute-force password-guessing attacks, known as password sprays, noting a 10-fold increase in February compared to the “already large volume” the company saw in January.

Subject: How Fraudsters Break Into Social Security Accounts and Steal Benefits
Source: The New York Times [sharable link]

Thousands of people receiving Social Security benefits have had their money diverted into criminal accounts. Here’s what to know.

When the deposit didn’t arrive in January, they logged into Marge’s Social Security account, where they found some startling clues: the last four digits of a bank account number that didn’t match her own, at a bank they didn’t recognize.

“Someone had gotten in,” said Ms. Birenbaum, of Chappaqua, N.Y. “Then I hit a panic button.”

Ms. Birenbaum immediately started making calls to set things right. When she finally connected with a Social Security representative from a local office in Bloomington, Minn., the rep casually mentioned that this happens “all the time.”

Social Security-related scams, overall, are pervasive — fraudsters pose as employees to try to extract both money and valuable identifying details from people in a variety of evolving schemes. [10-page PDF] But this particular fraud — where criminals use stolen personal information to break into online Social Security accounts or create new ones, and divert benefits elsewhere — has plagued people for more than a decade.

Once fraudsters gain access to an individual’s online Social Security account, they can change a beneficiary’s address and direct deposit information, or request replacement cards.

“A lot of consumers are letting us know they found out that their direct deposit was redirected to another account or a fraudulent account,” said Maria Mayo, associate director of the F.T.C.’s division of consumer response and operations. “A lot of times they are saying they got an impostor call and they provided their information, and they believe that is how that information was used to redirect the benefit.”

You need a Social Security number to establish an online account with the agency, but you don’t need all nine digits to crack open an existing one.

Just months before Marge’s benefits were redirected, the O.I.G. issued a report that said the administration’s portal, called my Social Security, did not fully comply with federal requirements for identity verification: It said it didn’t go far enough to verify and validate new registrants’ identities, in all cases. And once an account is established through one of two identity verification portals, which is required to access the my Social Security account, the agency does not require users to reverify their identities using strong enough proof (such as presenting a driver’s license along with, say, a selfie).

The Social Security Administration sends notices to beneficiaries through the mail asking them to contact the agency if they didn’t authorize a recent change to their direct deposit information, which has thwarted millions of dollars in benefits from being diverted and lost, O.I.G. officials said. It is also possible to block changes to the accounts.

Ms. Birenbaum’s brother visited their mother’s local Social Security office and became Marge’s “representative payee,” [this is relatively painless to set up online] which allows him to handle her affairs (Social Security does not accept powers of attorney). They had to find ways to make the correction without bringing Marge to the office, which Ms. Birenbaum said would have been a “herculean task.”

How to Protect Yourself From Social Security Fraud

Subject: Chrome users now have a defense against extension subversion
Source: The Register

Under New Management is an early-warning system for potential poisoning of add-ons with malware. Millions of Chrome users now have a way to guard against the threat of extension subversion, that is, if they don’t mind installing yet another browser extension.

Matt Frisbie, a software developer and programming book author, has released a Chrome add-on called Under New Management to alert users when installed extensions have changed owners.

In the GitHub repo for Under New Management, Frisbie explains why this may be useful. Basically: Extensions can be developed for entirely innocent, useful purposes, but when they are sold or handed over to others, those new owners can – and have – sneakily adjusted the code so that it turns against the user, stealing their info or injecting ads. This kind of hijacking can affect millions of netizens at a time.

“Extension developers are constantly getting offers to buy their extensions,” Frisbie says. “In nearly every case, the people buying these extensions want to rip off the existing users.

“When an acquisition goes through, and the new publisher tries to abuse the existing user base, the Chrome team usually is able to detect if the new publisher sends out a malicious update, but this is the only line of defense,” he said. “What’s more, this doesn’t account for cases where the new update isn’t necessarily malicious, but might export and abuse a user’s data, inject ads, or use it in a way that they did not intend when they installed the extension.”

Hopefully, if it, itself, is ever sold, it will also alert the user 😉

Subject: 10 free cybersecurity guides you might have missed
Source: Help Net Security

This collection of free cybersecurity guides covers a broad range of topics, from resources for developing cybersecurity programs to specific guides for various sectors and organizations. Whether you work for a small business, a large corporation, or a specific industry, these guides provide insights into cybersecurity best practices, strategies to combat threats, and advice for using online services safely.

Subject: Airbnb Bans All Indoor Security Cameras
Source: WIRED

Airbnb will soon ban hosts from watching their guests with indoor security cameras, as the company is reversing course on its surveillance policies. As of April 30, hosts around the world must remove indoor cameras and disclose other outdoor monitoring tech to guests before they book. Airbnb previously allowed hosts to install security cameras in common areas of a home, like hallways and living rooms. But it also required hosts to disclose them, make them clearly visible, and keep the cameras out of places like sleeping areas and bathrooms.

[What about all of those Alexa Shows’ built-in cameras?]

Subject: Driving fast or braking hard? Your connected car may be telling your insurance company
Source: ZDNET

The era of connected cars is presenting a new privacy problem – and it could drive up your insurance bill, too.

Automakers like General Motors (GM) are sharing customers’ detailed driving behavior data with insurance companies, a practice that can lead to higher premiums for some drivers. According to a report in The New York Times today, the practice is fueling concerns over privacy and consent in the IoT world.

The Times report focused on the experience of Kenn Dahl, a driver who saw his car insurance rates jump by 21%, seemingly out of the blue. When Dahl decided to shop around with other insurance companies, he found competing quotes to be just as high. One agent explained that this was due to his LexisNexis report.

When Dahl requested a copy of that report, LexisNexis sent him a 258-page document that included every single trip he or his wife drove in their Chevy Bolt during the preceding six months. The report included a total of 640 trips, complete with dates, start and end times, distances driven, and comprehensive data on driving habits, like speeding, hard braking, and rapid accelerations.

According to The Times, GM, Kia, Subaru, and Mitsubishi contribute to LexisNexis’ “Telematics Exchange,” which has gathered real-world driving behavior from more than 10 million vehicles as of 2022.

[What happens when the vehicle is sold — does the new driver get “stuck” with the old info? Prove it]

Subject: House Passes Bill to Force Sale of TikTok
Source: Phone Scoop

The US House of Representatives has passed a bill that would force Chinese company ByteDance to sell TikTok within six months or face a complete ban on the app in the US. It would also grant the President the power to include other foreign-owned apps in the future. This specific bill (H.R. 7521, or the “Protecting Americans from Foreign Adversary Controlled Applications Act”) moved quickly from proposal to vote, and received broad bipartisan support, passing 352 – 65. President Biden has indicated he supports the measure and would sign it….

The EFF and civil rights groups oppose this bill, arguing that it would be both ineffective and unconstitutional. They also argue that only tighter regulation of how personal data can be collected and handled — by all companies and apps — can achieve the goal of protecting the personal data of US persons from falling into the wrong hands.

Subject: CEO of Data Privacy Company Founded Dozens of People-Search Firms
Source: Krebs on Security

The data privacy company Onerep bills itself as a Virginia-based service for helping people remove their personal information from almost 200 people-search websites. However, an investigation into the history of Onerep finds this company is operating out of Belarus and Cyprus, and that its founder has launched dozens of people-search services over the years.

Onerep also markets its service to companies seeking to offer their employees the ability to have their data continuously removed from people-search sites.

Customer case studies published on Onerep’s website state that it struck a deal to offer the service to employees of Permanente Medicine, which represents the doctors within the health insurance giant Kaiser Permanente. Onerep also says it has made inroads among police departments in the United States.

But a review of Onerep’s domain registration records and that of its founder reveal a different side to this company.

Subject: The Change Healthcare Cyberattack and Response Considerations for Policymakers
Source: Congressional Research Service (CRS)

IN12330 | The Change Healthcare Cyberattack and Response Considerations for Policymakers (updated March 14, 2024)

On February 21, 2024, UnitedHealth Group Incorporated disclosed that one of its companies’ units—Change Healthcare—was experiencing a cyberattack. The BlackCat/ALPHV ransomware group—a Russia-linked cybercrime organization—claimed responsibility. Repercussions from this cyberattack are reportedly affecting some individuals’ ability to access health care services nationwide.

Subject: Record mega breach in France impacts up to 43 million people
Source: The Register

Zut alors! Department for registering and helping unemployed people broken into

A French government department – responsible for registering and assisting unemployed people – is the latest victim of a mega data breach that compromised the information of up to 43 million citizens.

France Travail announced on Wednesday that it informed the country’s data protection watchdog (CNIL) of an incident that exposed a swathe of personal information about individuals dating back 20 years.

The department’s statement reveals that names, dates of birth, social security numbers, France Travail identifiers, email addresses, postal addresses, and phone numbers were exposed.

Passwords and banking details aren’t affected, at least.

“The database allegedly extracted illicitly contains the personal identification data of people currently registered, people previously registered over the last 20 years as well as people not registered on the list of job seekers but having a candidate space on,” the statement reads, which was translated electronically from French.

“It is therefore potentially the personal data of 43 million people which have been exfiltrated.”

Subject: Who Is Collecting Data from Your Car?
Source: The Markup

Today’s cars are akin to smartphones, with apps connected to the internet that collect huge amounts of data, some of which is highly personal.

Most drivers have no idea what data is being transmitted from their vehicles, let alone who exactly is collecting, analyzing, and sharing that data, and with whom. A recent survey of drivers by the Automotive Industries Association of Canada found that only 28 percent of respondents had a clear understanding of the types of data their vehicle produced, and the same percentage said they had a clear understanding of who had access to that data.

Welcome to the world of connected vehicle data, an ecosystem of dozens of businesses you never knew existed.

The Markup has identified 37 companies that are part of the rapidly growing connected vehicle data industry that seeks to monetize such data in an environment with few regulations governing its sale or use.

While many of these companies stress they are using aggregated or anonymized data, the unique nature of location and movement data increases the potential for violations of user privacy.

This nascent industry faces challenges, as it is under pressure to reap profits in order to attract and satisfy investors; at the same time, the disclosure of sensitive and potentially identifying information from smartphones has prompted U.S. lawmakers to threaten sweeping crackdowns on the collection, transfer, and sale of location data, an effort that could create barriers for the industry as it grows.

Recently, Porsche announced it was rolling out new fine-grained privacy controls in its luxury Taycan SUV model. In a press release announcing the strategic elevation of user privacy, Porsche’s chief privacy officer and director of group privacy Christian Völkel wrote, “The customer is given full transparency and control over data processing in the vehicle, with simple controls for privacy settings. ‘The customer is in the driver’s seat.’ ”

Posted in: Cybercrime, Cybersecurity, Economy, Financial System, Government Resources, Healthcare, Privacy, Securities Law