Pete Recommends – Weekly highlights on cyber security issues, March 2, 2024

Subject: Are security questions terrible for account security?
Source: Proton blog

[infomercial … ] What was your first pet’s name? In what city were you born? We’ve all had to answer these questions to reset a long-forgotten password, but consider how that works. Much of this information is easy to find for others (or easily forgotten by you), making it a poor defense for your most valuable online accounts, personal data, and sensitive information.

Security questions are meant to help reset passwords, reopen locked accounts, and ultimately protect your digital spaces from attacks or breaches, but such safeguarding is widely considered flawed and unreliable.

Answers to questions like “What is your mother’s maiden name?” are supposed to be information only you know or a select few — in theory, the more obscure the answer, the better the security.

However, experts have begun to question the effectiveness of this security layer due to the vulnerabilities that come with requiring people to remember information that can be forgotten, changed, or discovered by potential attackers digging around on the Internet.

Why security questions are a terrible idea… There are several reasons why leaning on security questions to protect you is a bad idea. It comes down to a pair of unfortunate realities: Potential attackers are more clever than you might think, and there’s more personal information online than you realize.
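To make the Proton post’s point concrete, here is an added Python example (not from the Proton article) that contrasts an attacker guessing a security-question answer from a frequency-ranked list with the same attacker guessing a random recovery code. The answer distribution is constructed for illustration; the normalization step mirrors what sites typically do to tolerate typos, which also collapses many spellings into one and shrinks the search space further.

```python
import hashlib
import hmac
import secrets
import unicodedata

# Constructed, illustrative answer distribution for "first pet's name":
# fraction of users giving each answer. Real distributions are skewed
# the same way, which is the whole problem.
PET_NAME_SHARES = {
    "max": 0.06, "bella": 0.05, "charlie": 0.045, "lucy": 0.04,
    "buddy": 0.035, "daisy": 0.03, "molly": 0.03, "rocky": 0.025,
}


def normalize_answer(answer: str) -> str:
    """Typical site-side normalization: tolerant of honest users' typos,
    but it folds case, spacing and punctuation variants into one string,
    so the attacker has even fewer distinct answers to try."""
    text = unicodedata.normalize("NFKC", answer).casefold()
    return "".join(ch for ch in text if ch.isalnum())


def guess_success(shares: dict, attempts: int) -> float:
    """Probability that an attacker who submits the `attempts` most common
    answers (e.g. before a lockout triggers) hits the right one."""
    ranked = sorted(shares.values(), reverse=True)
    return round(sum(ranked[:attempts]), 4)


def random_code_success(attempts: int, bits: int) -> float:
    """Same attacker against a uniformly random secret of `bits` bits."""
    return attempts / 2 ** bits


def issue_recovery_code(nbytes: int = 16) -> tuple:
    """Return (code shown once to the user, sha256 digest to store).
    Only the digest is kept server-side, so a database leak does not
    hand out usable recovery secrets."""
    code = secrets.token_hex(nbytes)
    return code, hashlib.sha256(code.encode()).hexdigest()


def verify_recovery_code(candidate: str, stored_digest: str) -> bool:
    """Constant-time comparison of the candidate's digest with the stored one."""
    digest = hashlib.sha256(candidate.encode()).hexdigest()
    return hmac.compare_digest(digest, stored_digest)


if __name__ == "__main__":
    print("5 guesses at a pet name:", guess_success(PET_NAME_SHARES, 5))
    print("5 guesses at a 128-bit code:", random_code_success(5, 128))
```

Five guesses recover the constructed pet-name answer almost a quarter of the time, while five guesses at a 128-bit code are hopeless; the recovery-code functions show the alternative a site can offer instead of a question.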

Subject: Financial risks for UnitedHealth after Change Healthcare cyberattack: Moody’s
Source: Becker’s Health IT [maybe this is why I had trouble with filling an Rx?]

UnitedHealth Group’s Change Healthcare has fallen victim to a cyberattack, marking a credit-negative event for the company, according to Moody’s. “The cyberattack against UnitedHealth Group, one of the largest U.S. commercial prescription processors, is credit negative for the company, as financial and reputational impacts may ensue,” Dean Ungar, vice president and senior credit officer for Moody’s Investors Service, told Becker’s in an emailed statement. “Reportedly, the impact is limited to its subsidiary Change Healthcare, which is relatively small compared to the consolidated company.”

Change Healthcare reported a “cybersecurity incident” on Feb. 21 that disrupted connectivity and healthcare operations nationwide.

The AHA has warned hospitals and health systems to disconnect from Change Healthcare systems. Danville, Pa.-based Geisinger is one of the organizations that has already done so.

Health systems disconnect from Change Healthcare amid attack

Subject: A Mysterious Leak Exposed Chinese Hacking Secrets
Source: WIRED – Security News This Week – five stories

Hundreds of documents linked to a Chinese hacking-for-hire firm were dumped online this week. The files belong to i-Soon, a Shanghai-based company, and give a rare glimpse into the secretive world of the industry that supports China’s state-backed hacking. The leak includes details of Chinese hacking operations, lists of victims and potential targets, and the day-to-day complaints of i-Soon staff.

“These leaked documents support TeamT5’s long-standing analysis: China’s private cybersecurity sector is pivotal in supporting China’s APT attacks globally,” Che Chang, a cyber threat analyst at the Taiwan-based cybersecurity firm TeamT5, tells WIRED. Chang says the company has been tracking i-Soon since 2020 and found that it has a close relationship with Chengdu 404, a company linked to China’s state-backed hackers.



Subject: A Vending Machine Error Revealed Secret Face Recognition Tech
Source: WIRED

Canada-based University of Waterloo is racing to remove M&M-branded smart vending machines from campus after outraged students discovered the machines were covertly collecting face recognition data without their consent. The scandal started when a student using the alias SquidKid47 posted an image on Reddit showing a campus vending machine error message, “Invenda.Vending.FacialRecognitionApp.exe,” displayed after the machine failed to launch a face recognition application that nobody expected to be part of the process of using a vending machine. “Hey, so why do the stupid M&M machines have facial recognition?” SquidKid47 pondered. The Reddit post sparked an investigation from a fourth-year student named River Stanley, who was writing for a university publication called MathNEWS.

Invenda Claims Machines Are GDPR-Compliant – MathNEWS’ investigation tracked down responses from companies responsible for smart vending machines on the University of Waterloo’s campus. Adaria Vending Services told MathNEWS that “what’s most important to understand is that the machines do not take or store any photos or images, and an individual person cannot be identified using the technology in the machines. The technology acts as a motion sensor that detects faces, so the machine knows when to activate the purchasing interface—never taking or storing images of customers.” According to Adaria and Invenda, students shouldn’t worry about data privacy because the vending machines are “fully compliant” with the world’s toughest data privacy law, the European Union’s General Data Protection Regulation (GDPR).


Subject: PayPal files patent for new method to detect stolen cookies
Source: BleepingComputer

PayPal has filed a patent application for a novel method that can identify when a “super-cookie” is stolen, which could improve the cookie-based authentication mechanism and limit account takeover attacks. The risk that PayPal wants to address is that of hackers stealing cookies containing authentication tokens to log into victim accounts without the need for valid credentials, bypassing two-factor authentication (2FA).

“The theft of cookies is a sophisticated form of cyberattack, where an attacker steals or copies cookies from a victim’s computer onto the attacker’s web browser,” PayPal says in the patent application.

“With stolen cookies often containing hashed passwords, the attacker can use a web browser on the attacker’s computer to impersonate the user (or authenticated device thereof) and gain access to secure information associated with the user’s account without having to manually login or provide authentication credentials,” it is further explained.
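The attack the patent describes is a cookie replay: the token is valid on its own, so it works from any browser it is pasted into. One generic countermeasure is to bind the session cookie to something about the client that the server can observe on every request. The following Python example is added here to illustrate that binding; it is not PayPal’s patented method and does not reflect the patent’s details. The client attribute set, the two constructed clients and the server key are all assumptions for the demonstration.

```python
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Assumed per-deployment secret; in production this lives in a KMS/HSM, not in code.
SERVER_KEY = secrets.token_bytes(32)


def device_fingerprint(client: dict) -> str:
    """Hash of client attributes visible on every request. The attribute set
    is constructed for this example; a real deployment wants signals that are
    stable for the user yet hard to copy along with the cookie (a device-bound
    key is far better than a User-Agent string)."""
    material = json.dumps(client, sort_keys=True).encode()
    return hashlib.sha256(material).hexdigest()


def _mac(payload: str, client: dict) -> str:
    bound = f"{payload}|{device_fingerprint(client)}".encode()
    return hmac.new(SERVER_KEY, bound, hashlib.sha256).hexdigest()


def issue_session_cookie(user: str, client: dict, ttl: int,
                         now: Optional[int] = None) -> str:
    """Cookie value = payload.MAC, where the MAC covers the payload AND the
    fingerprint of the client the session was established from."""
    now = int(time.time()) if now is None else now
    payload = f"{user}:{now + ttl}:{secrets.token_hex(8)}"
    return f"{payload}.{_mac(payload, client)}"


def validate_session_cookie(cookie: str, client: dict,
                            now: Optional[int] = None) -> Optional[str]:
    """Return the user if the cookie is valid for THIS client, else None.
    A cookie copied to another machine produces a different fingerprint,
    so the MAC no longer verifies and the replay is rejected."""
    now = int(time.time()) if now is None else now
    try:
        payload, tag = cookie.rsplit(".", 1)
        user, expires, _nonce = payload.split(":")
    except ValueError:
        return None
    if now >= int(expires):
        return None
    if not hmac.compare_digest(tag, _mac(payload, client)):
        return None
    return user


# Constructed clients: the victim's browser and the attacker's browser share
# a User-Agent but differ in TLS fingerprint and device key id.
VICTIM = {"tls_fp": "fp-7a3c", "ua": "Mozilla/5.0 (X11; Linux)", "device_key_id": "dk-victim-01"}
ATTACKER = {"tls_fp": "fp-91e0", "ua": "Mozilla/5.0 (X11; Linux)", "device_key_id": "dk-attacker-99"}

if __name__ == "__main__":
    cookie = issue_session_cookie("alice", VICTIM, ttl=3600)
    print("victim replays own cookie :", validate_session_cookie(cookie, VICTIM))
    print("attacker replays cookie   :", validate_session_cookie(cookie, ATTACKER))
```

The caveat is in the fingerprint: anything an infostealer can copy alongside the cookie (User-Agent, screen size, cached headers) buys nothing, which is why the stronger form of this idea keys the MAC to a non-exportable device key rather than to browser attributes.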

Related Articles:

  1. Malware abuses Google OAuth endpoint to ‘revive’ cookies, hijack accounts
  2. U-Haul says hacker accessed customer records using stolen creds
  3. VoltSchemer attacks use wireless chargers to inject voice commands, fry phones
  4. Ongoing Microsoft Azure account hijacking campaign targets executives
  5. Mastodon vulnerability allows attackers to take over accounts


Subject: The Impact of Technology on the Workplace: 2024 Report

The impact of technology on the workplace over the last year has been nothing if not substantial. From the integration of generative AI platforms like ChatGPT to the increase in data breaches across the industry, keeping up with shifting trends is a full-time job at this point in history. Fortunately, help is at hand. In our inaugural annual report on this subject, we’ve embarked on an in-depth journey to quantify and explain a wide range of workplace trends, noting the influence of technology as a primary driver.

We surveyed over 1,000 US business leaders to ensure an accurate depiction of the workplace heading into 2024, and to help you strategize for the year ahead.

Below, we’ll introduce our 2024 workplace report and give you a preview of its key findings. Make sure to download the full report if you want to learn more about how the workplace is changing in the face of evolving technology.

Impact of Tech on the Workplace Report 2024: Key Findings
Our Impact of Tech on the Workplace report found a wide range of statistics that point to how the world is adapting to new technology. Here are some of the key findings we identified, which are further outlined below:

  1. Using more collaboration tools and AI results in higher productivity
  2. 59% of people who use AI have greater job satisfaction
  3. ChatGPT is the most popular AI tool used amongst businesses
  4. Digital natives and businesses that use AI are more open to the idea of a 4-day working week
  5. The majority of companies found it challenging to hire new staff – but remote working organizations find it easier
  6. Remote working organizations report higher levels of productivity
  7. Phishing attacks were the most common cause of a data breach

PDF is 43 pages –


Subject: Unsure if a link is safe?
Source: PC World

PCWorld – Use these anti-phishing tools to check: “A friend emails you a strange-looking link. Your mom sends you a text with an unknown website. A social media post promotes a new page. You might wonder about how safe it is to click these links…and then blank out on where you can turn to for a second opinion. Previously, you’d have to ask a trusted friend — but now, more free online services have begun cropping up to help you avoid phishing scams. Here’s how they work: You input a web address, questionable message or email, or even a screenshot of a QR code, and the tool checks for phishing attempts or malware lurking on the other side…[from the article … ]

But even with the minor limitations of these free tools (including the slowness of AI chat bots and their ongoing learning curve), they’re not a bad way to get a gut check. Especially since most of us probably already suspect that we shouldn’t click those links and should just contact the sender for more details. It never hurts to have reassurance that you’re on the right path.

[NB hopefully, those anti-phishing sites aren’t recording your URL data /pmw1]

Abstracted from beSpacific
Copyright © 2024 beSpacific, All rights reserved.

Subject: Data watchdog stops staff face recog by outsourcing giant
Source: The Register

A data protection watchdog in the UK has issued an enforcement notice to stop Serco from using facial recognition tech and fingerprint scanning to monitor staff at 38 leisure centers it runs. During an investigation, the Information Commissioner’s Office, Britain’s regulator set up to enforce data protection law, found Serco Leisure and several associated community leisure trusts had unlawfully processed the biometric data of more than 2,000 employees at all 38 of the leisure facilities to check attendance and calculate pay.

There is no clear way for staff to opt out of the system, increasing the power imbalance in the workplace and putting people in a position where they feel like they have to hand over their biometric data to work there.

Subject: Trusted data is the heart of trustworthy AI
Source: Nextgov/FCW

According to NIST, AI models are now facing several threats, including corrupted training data, security flaws, supply chain weaknesses and privacy breaches.

Unsecure data used to train AI models is at the heart of these emerging threats, which leads to poor outcomes and results that decision makers can’t act on. With these risks, it’s vital that federal agencies have a data strategy that protects and safeguards sensitive information. Moving forward, investment in trusted data will be vital for the progress of AI in the public sector.

Topics include – Security, governance, and trusted data; Creating a proper data management strategy

Functional AI relies on clean, secure data. Secure data can be accomplished by the use of open data lakehouses, which facilitate data literacy and data-driven operations by enhancing trust in data through governance.

Open data lakehouses are centralized repositories that allow for the storing and distribution of data. They increase flexibility to expand AI and analytics while making data more accessible, providing self-service analytics, ensuring data quality and simplifying data security. Data lakehouses also provide end-to-end management and control capabilities throughout the data lifecycle.


Subject: The Supreme Court will hear challenges to Texas and Florida social media laws
Source: NPR

Legal experts say they’re the most important First Amendment cases in a generation. The question is whether states like Florida and Texas can force big social media platforms to carry content the platforms find hateful or objectionable. “There is nothing more Orwellian than the government trying to dictate what viewpoints are distributed in the name of free expression,” said Matt Schruers, president of the Computer & Communications Industry Association, a trade group for the social media companies that’s involved in the litigation. “And that’s what’s at issue in this case.”

The dispute intensified after the violent siege on the U.S. Capitol in 2021, when social media sites booted former President Donald Trump from their platforms, fearing his posts could provoke more unrest.

Republicans in Florida and Texas took action, signing sweeping laws that prevent the largest platforms from banning users based on their political viewpoints and require them to provide an individual explanation to users about why their posts have been edited or removed.

At stake, said Carl Szabo, NetChoice’s general counsel, is who controls what people hear, say and read online. “Everyone, left right or center, should oppose government control of speech,” Szabo said. “Because as it may be your person in the White House today, we know that that will not be forever. And that’s why the First Amendment is so important and so paramount.”

What the justices will have to decide – The justices will have to decide between radically different conceptions of what social media is. Are these platforms more like old-time phone companies: basically, open to everyone without filtering?

The social media giants are relying in part on a 1974 Supreme Court case, Miami Herald v Tornillo. Florida tried to force the newspaper to carry op-eds it didn’t want to publish. The high court sided with the Herald back then.

Today, the social media sites said, Florida is trying to make the big social media platforms print every single letter to the editor. Users don’t want that and neither do advertisers, they said.

Support for the tech companies – The two trade associations — NetChoice and CCIA — are backed by groups across the political spectrum, from the U.S. Chamber of Commerce and Americans For Prosperity, which is linked to Charles Koch, to the American Civil Liberties Union.

The state laws are not about protecting speech, the moderators wrote. Instead, they’re commandeering someone else’s microphone to spread a message.

Subject: FTC announces new rule prohibiting AI use to impersonate government agencies
Source: Nexstar Media via WTAJ

HARRISBURG, Pa. (WTAJ) — The Federal Trade Commission (FTC) has published a new rule focused on the use of AI to pose as a government agency or business. The new rule prohibits the use of AI to pose as any government agency or business, which the FTC hopes will deter scammers that prey upon consumers using the quickly-developing technology.

The rule allows the FTC to seek monetary relief in federal court from scammers who are using government seals or business logos, spoofing government or business email addresses and websites or falsely implying they are affiliated with a government agency or business.

Subject: A Cyber Insurance Backstop
Source: Schneier on Security

In the first week of January, the pharmaceutical giant Merck quietly settled its years-long lawsuit over whether or not its property and casualty insurers would cover a $700 million claim filed after the devastating NotPetya cyberattack in 2017. The malware ultimately infected more than 40,000 of Merck’s computers, which significantly disrupted the company’s drug and vaccine production. After Merck filed its $700 million claim, the pharmaceutical giant’s insurers argued that they were not required to cover the malware’s damage because the cyberattack was widely attributed to the Russian government and therefore was excluded from standard property and casualty insurance coverage as a “hostile or warlike act.”

At the heart of the lawsuit was a crucial question: Who should pay for massive, state-sponsored cyberattacks that cause billions of dollars’ worth of damage?
One possible solution, touted by former Department of Homeland Security Secretary Michael Chertoff on a recent podcast, would be for …

Like terrorist attacks, catastrophic cyberattacks are difficult for insurers to predict or model because there is not very good historical data about them—and even if there were, it’s not clear that past patterns of cyberattacks will dictate future ones.

Subject: State-sponsored hackers know enterprise VPN appliances inside out
Source: Help Net Security

Suspected Chinese state-sponsored hackers leveraging Ivanti Connect Secure VPN flaws to breach a variety of organizations have demonstrated “a nuanced understanding of the appliance”, according to Mandiant incident responders and threat hunters. They were able to perform a number of modifications on the device and deploy specialized malware and plugins aimed at achieving persistence across system upgrades, patches, and factory resets.

“While the limited attempts observed to maintain persistence have not been successful to date due to a lack of logic in the malware’s code to account for an encryption key mismatch, it further demonstrates the lengths UNC5325 [one of the threat groups] will go to maintain access to priority targets and highlights the importance of ensuring network appliances have the latest updates and patches,” Mandiant’s specialists noted.
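Persistence across upgrades is something a defender can check for without knowing the specific implant: anything that is present after an upgrade, byte-identical to what was there before it, and not part of the vendor’s own image for the new version has ridden through the upgrade. The Python example below is added here to show that check with file-hash manifests; it is not Mandiant’s or Ivanti’s tooling, and the appliance layout, the dropped file name and the “upgrade” are all constructed in a temporary directory for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_tree(root: Path) -> dict:
    """Map every regular file under root (path relative to root) to its SHA-256."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            manifest[path.relative_to(root).as_posix()] = digest
    return manifest


def compare_manifests(baseline: dict, current: dict) -> dict:
    """Classify paths as added, removed or modified relative to the baseline."""
    return {
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
        "modified": sorted(p for p in current
                           if p in baseline and current[p] != baseline[p]),
    }


def survivors_after_upgrade(before: dict, after: dict, vendor_image: dict) -> list:
    """Paths that exist after the upgrade, unchanged from before it, and that
    the vendor's clean image for the new version does not contain: the
    signature of something that persisted through the upgrade."""
    return sorted(p for p, h in after.items()
                  if before.get(p) == h and p not in vendor_image)


def write_image(root: Path, version: str) -> None:
    """Constructed stand-in for a vendor firmware image: two files."""
    (root / "bin").mkdir(parents=True, exist_ok=True)
    (root / "etc").mkdir(parents=True, exist_ok=True)
    (root / "bin" / "web").write_bytes(f"vendor web daemon {version}".encode())
    (root / "etc" / "version").write_text(version)


def demo() -> dict:
    """Run the whole scenario in a temp dir and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        appliance = Path(tmp) / "appliance"
        clean_v2 = Path(tmp) / "vendor_image_v2"
        write_image(appliance, "22.1")
        baseline = hash_tree(appliance)
        # Constructed intrusion: a file the vendor never shipped (name is arbitrary).
        (appliance / "bin" / "helper.so").write_bytes(b"not from the vendor")
        compromised = hash_tree(appliance)
        # Constructed upgrade: vendor files replaced, nothing else touched.
        write_image(appliance, "22.2")
        write_image(clean_v2, "22.2")
        after = hash_tree(appliance)
        return {
            "diff": compare_manifests(baseline, after),
            "survivors": survivors_after_upgrade(compromised, after, hash_tree(clean_v2)),
        }


if __name__ == "__main__":
    print(demo())
```

Two practical caveats: the manifests must be computed from a trusted host over an exported image or a mounted disk, not by a script running on the suspect appliance itself, since a compromised box can lie about its own files; and a reset that restores from a partition the attacker also modified will look “clean” by this test while still being compromised, which is why the vendor’s clean image, not the appliance’s own recovery partition, is the reference.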


Subject: Registrars can now block all domains that resemble brand names
Source: Bleeping Computer

Registrars can now block people from registering tens of thousands of domain names that look like, are spelling variations of, or otherwise infringe on brand names. GlobalBlock, a solution already in use by leading registrars like GoDaddy Corporate Domains, 101domain, and MarkMonitor, lets businesses pay a subscription fee to reserve a part of the domain space, as a means to protect their trademark. But, is there more to this than meets the eye?

Blocks similar domains, even homoglyphs

Free speech concerns – No doubt, a solution like GlobalBlock, when implemented by leading registrars can save brands the hassle of registering every domain that has its echoes. But, I couldn’t help but wonder if an automated solution this vast could end up providing an undue advantage to companies in hoarding up the domain space.

Should a company or celebrity reserve their name and use “unlimited blocking of main labels,” this would effectively prevent registration of a domain with that term.

In other words, could a famous JohnSmith now block you from registering, or your next-door ‘iPhone Repair Shop’ be compelled to find a domain name that is free from a trademark?
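Two items in this issue turn on the same mechanics: the PC World piece on checking whether a link is safe, and this GlobalBlock story about blocking homoglyph and spelling variants of a brand label. The Python example below is added to serve both; it is not GlobalBlock’s algorithm nor any of the PC World tools. It folds a host label to a confusable “skeleton” so that look-alike strings compare equal, flags a URL whose registrable label is within one edit of a brand, and enumerates the kind of variants a blocking service would reserve. The confusables table is a small constructed subset of the real Unicode one, and the brand list is an assumption; everything runs locally, so the URL never leaves your machine (the concern raised in the editor’s note on the PC World item).

```python
import unicodedata
from typing import Optional
from urllib.parse import urlsplit

# Constructed subset of a confusables table (the real Unicode list is far larger).
CONFUSABLES = {
    "а": "a", "е": "e", "о": "o", "р": "p", "с": "c", "х": "x",  # Cyrillic
    "ı": "i", "ν": "v", "ο": "o",                                # dotless i, Greek
    "0": "o", "1": "l", "rn": "m", "vv": "w",
}
# Substitutions a typosquatter uses, keyed by the ASCII letter imitated.
LOOKALIKES = {"o": ["0", "о"], "l": ["1", "ı"], "i": ["1", "l", "ı"],
              "a": ["а"], "e": ["е"], "m": ["rn"], "w": ["vv"]}


def skeleton(label: str) -> str:
    """Fold a host label so visually similar strings compare equal."""
    text = unicodedata.normalize("NFKD", label).casefold()
    text = "".join(ch for ch in text if not unicodedata.combining(ch))
    for multi in ("rn", "vv"):
        text = text.replace(multi, CONFUSABLES[multi])
    return "".join(CONFUSABLES.get(ch, ch) for ch in text)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (Wagner-Fischer, two rows)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(url: str) -> str:
    """Second-level label of the URL's host, with punycode (xn--) decoded."""
    host = urlsplit(url if "//" in url else "//" + url).hostname or ""
    try:
        host = host.encode("ascii").decode("idna")
    except UnicodeError:
        pass  # already Unicode, or not valid punycode; use as-is
    parts = host.split(".")
    return parts[-2] if len(parts) >= 2 else host


def lookalike_of(url: str, brands: list, max_edits: int = 1) -> Optional[str]:
    """Return the brand a URL impersonates, or None if it matches none
    (an exact brand match is the brand's own site, not a look-alike)."""
    label = registrable_label(url)
    for brand in brands:
        if label == brand:
            return None
        if (skeleton(label) == skeleton(brand)
                or edit_distance(skeleton(label), brand) <= max_edits):
            return brand
    return None


def variants(label: str) -> set:
    """Enumerate spelling/homoglyph variants a blocking service would reserve."""
    out = set()
    for i in range(len(label)):
        out.add(label[:i] + label[i + 1:])                               # omission
        if i + 1 < len(label):
            out.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])  # transposition
        for sub in LOOKALIKES.get(label[i], []):
            out.add(label[:i] + sub + label[i + 1:])                      # homoglyph/digit
    out.add(label + label[-1])                                            # doubled last letter
    out.discard(label)
    return out


if __name__ == "__main__":
    for u in ("https://www.paypal.com/login", "https://paypa1.com/login", "https://pаypal.com"):
        print(u, "->", lookalike_of(u, ["paypal"]))
    print(len(variants("paypal")), "single-step variants of 'paypal'")
```

Note the asymmetry the article is worried about: the same `variants()` enumeration that catches `paypa1` will also reserve every one-edit neighbour of a short generic word, which is exactly how a broad block list starts to swallow legitimate names.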


Subject: How to stop your devices from listening to you
Source: PopSci

[I’m not sure that all of this PopSci info is up to date /pmw1] PopSci: “Our smartphones and smart speakers can listen for specific voice commands and take action accordingly, but maybe you don’t want your devices always having one digital ear open. Aside from privacy concerns, the smart assistants  …

Abstracted from beSpacific

Subject: What To Do If You Think You’ve Been Shadowbanned on Instagram
Source: USA Today via The Markup

As The Markup was investigating whether Instagram practiced shadowbanning—covertly hiding what people post without telling them—we heard from so many Instagram users that they felt helpless after the platform removed their content or kept them from commenting and posting.

If you think you’ve been shadowbanned on Instagram—or if the app has notified you that it has removed your content or limited your account in some way—here’s what you can do.

One note: Instagram often changes app settings without notice, so these steps work as of the time this story was published—but if they don’t, you may want to hunt around in a “Help” section.

Subject: CISA Releases Resource Guide for University Cybersecurity Clinics
Source: CISA

Today, CISA released a Resource Guide for Cybersecurity Clinics to outline ways CISA can partner with and support cybersecurity clinics and their clients. University cybersecurity clinics train students from diverse backgrounds and academic expertise to strengthen the digital defenses of non-profits, hospitals, municipalities, small businesses, and other under-resourced organizations. They can help address the national cyber workforce gap by developing a talent pipeline for cyber civil defense and helping students see themselves in a cybersecurity career.

CISA encourages clinics to engage with CISA and leverage the CISA resources outlined in the guide. CISA also encourages more universities to consider starting their own cybersecurity clinics as they play an important role in strengthening the cybersecurity posture of small organizations at the local level.

Subject: The Best VPNs to Protect Yourself Online
Source: Wired

Wired – It won’t solve all of your privacy problems, but a virtual private network can make you a less tempting target for hackers. A virtual private network (VPN) is like a protective tunnel you can use to pass through a public network, protecting your data from outside eyes. Whether you’re worried about hiding your browsing activity from your internet service provider so it doesn’t sell your data to advertisers, or you want to stay safe on a public Wi-Fi hot spot to keep nearby digital snoops from capturing your passwords, a VPN can help protect you. However, while a VPN will keep you safe at your local coffee shop, it comes with a cost. Using a VPN means your VPN provider will know everything about your browsing habits. This makes VPN providers a target for hackers. Be sure you even need one before you read on. Picking the right VPN service is serious business.

But most of the heavily used web is already encrypted in some form. Lord pointed to how nearly 93 percent of all page loads in Firefox in the U.S. are over HTTPS. That’s compared to around 25 percent in January 2014. Huge portions of the internet have been encrypted thanks to Let’s Encrypt, the nonprofit Certificate Authority (CA) which offers encryption certificates to websites for free. Let’s Encrypt was started in 2012, and today over 250 million websites use the organization’s certificates, according to Let’s Encrypt’s website. Whereas it used to cost money for a website administrator to get an HTTPS certificate, now essentially any site can get one.


Abstracted from beSpacific

Subject: Congressional Black Caucus launches AI Policy Series spotlighting discrimination
Source: Nextgov/FCW

The new series of discussions hosted by the House’s Congressional Black Caucus will focus on ensuring AI systems are working for, not against, Black communities. The Congressional Black Caucus has launched a new Artificial Intelligence Policy Series that will spotlight the potential AI systems have to discriminate against marginalized Black communities in the U.S.

Echoing the broader federal mission to harness the benefits of AI systems while controlling for the problematic possibilities of deploying more generative technologies, CBC members will focus on the specific impact AI systems can have on Black communities and address the potential for AI algorithms to further promulgate bias and discrimination.

“Given the rapid emergence of new AI technologies, we owe it to the communities that we serve to be out front on the trends that will have significant impacts on the lives and the livelihoods of the constituents that we serve,” CBC Chairman Rep. Steven Horsford, D-Nev., said during a briefing on Wednesday.

One such focus will center on algorithmic decision-making in the context of economic opportunities for Black Americans, particularly surrounding the discrimination related to housing, health care and financial opportunities.



Subject: Using AI to fight fraud is paying off, Treasury says
Source: Nextgov/FCW

The tech has helped recover over $375 million since Treasury began using it over a year ago. Specifically, the new tool is meant to address check fraud — which the department says has skyrocketed since the start of the pandemic — by looking for abnormalities and helping to alert banks before fraudulent checks are cashed, the department told CNN.

The number of suspicious activity reports related to check fraud nearly doubled between 2021 and 2022, when there were 680,000 check fraud-related SARs filed, according to Treasury.

Early last year, the Financial Crimes Enforcement Network issued an alert about the surging numbers of fraudsters targeting mail to obtain and then manipulate checks.

The department says that fraud is also increasing for checks sent by Treasury itself.


Subject: The FBI Is Using Push Notifications to Catch Sexual Predators
Source: Gizmodo

Most people turn on mobile push notifications and then promptly forget about them. However, it turns out that if you’re up to no good, those notifications could get you thrown in prison. The Washington Post reports that the FBI has been using mobile push notification data to unmask people suspected of serious crimes, like pedophilia, terrorism, and murder. The Post did a little digging into court records and found evidence of at least 130 search warrants filed by the feds for push notification data in cases spanning 14 states. In those cases, FBI officials asked tech companies like Google, Apple, and Facebook to fork over data related to a suspect’s mobile notifications, then used the data to implicate the suspect in criminal behavior linked to a particular app, even though many of those apps were supposedly anonymous communication platforms, like Wickr.

How exactly is this possible?…If finding new ways to catch pedophiles and terrorists doesn’t seem like the worst thing in the world, the Post article highlights the voices of critics who fear that this kind of mobile data could be used to track people who have not committed serious crimes—like political activists or women seeking abortions in states where the procedure has been restricted.

Subject: 4 considerations for launching an effective digital ID system
Source: Route Fifty

States are accelerating efforts to launch digital identification programs, aiming to make it easier and safer to use a state ID in a range of circumstances—from airport security checkpoints to age verification at retail locations. Many states already offer digital IDs and driver’s licenses for Apple and Android devices and to Apple and Google Wallet users. The Transportation Security Administration now accepts digital IDs from 6 states at airport security checkpoints, and 31 states are exploring or implementing digital IDs. California recently launched a digital ID pilot with the goal of enrolling up to 1.5 million residents. There are also efforts underway at the federal level. For example, the Department of Homeland Security announced plans to ensure the public can use mobile IDs, developing a proposed regulation temporarily waiving certain REAL ID requirements for federal agencies accepting state-issued mobile driver’s licenses.

There are several key challenges to address to ensure successful rollouts and adoption.


Subject: These Video Doorbells Have Terrible Security. Amazon Sells Them Anyway
Source: Consumer Reports

Consumer Reports – “The devices are also sold by Walmart, Sears, and other retailers—and big platforms have faced few consequences for shipping flawed products. On a recent Thursday afternoon, a Consumer Reports journalist received an email containing a grainy image of herself waving at a doorbell camera she’d set up at her back door. If the message came from a complete stranger, it would have been alarming. Instead, it was sent by Steve Blair, a CR privacy and security test engineer who had hacked  …[from the article:]

Anyone who can physically access one of the doorbells can take over the device—no tools or fancy hacking skills needed. Let’s imagine that an abusive ex-boyfriend wants to watch the comings and goings of his former partner and her children. He’d simply need to create an account on the Aiwit smartphone app, then go to his target’s home and hold down the doorbell button to put it into pairing mode. He could then connect the doorbell to a WiFi hotspot and take control of the device.

Abstracted from beSpacific

Subject: A government watchdog hacked a US federal agency to stress-test its cloud security
Source: TechCrunch

[h/t Sabrina] A U.S. government watchdog stole more than 1GB of seemingly sensitive personal data from the cloud systems of the U.S. Department of the Interior. The good news: The data was fake and part of a series of tests to check whether the Department’s cloud infrastructure was secure.

The experiment is detailed in a new report by the Department of the Interior’s Office of the Inspector General (OIG), published last week. The goal of the report was to test the security of the Department of the Interior’s cloud infrastructure, as well as its “data loss prevention solution,” software that is supposed to protect the department’s most sensitive data from malicious hackers. The tests were conducted between March 2022 and June 2023, the OIG wrote in the report.

The OIG said it conducted more than 100 tests in a week, monitoring the government department’s “computer logs and incident tracking systems in real time,” and none of its tests were detected nor prevented by the department’s cybersecurity defenses.

“Our tests succeeded because the Department failed to implement security measures capable of either preventing or detecting well-known and widely used techniques employed by malicious actors to steal sensitive data,” said the OIG’s report. “In the years that the system has been hosted in a cloud, the Department has never conducted regular required tests of the system’s controls for protecting sensitive data from unauthorized access.”
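The OIG’s finding is that “well-known and widely used techniques” for moving data out went unnoticed. The Python example below is added to show the flavour of check a DLP control is supposed to apply to outbound content, and one well-known way it gets bypassed: the same record passes a naive pattern scan once it is base64-encoded, and is caught again only when the scanner peels the encoding first. This is illustrative code, not the Department’s DLP product or the OIG’s test harness; the two payloads are constructed and the SSN and card number are standard test values, not real identifiers.

```python
import base64
import re

# Pattern checks a DLP rule would run on outbound content.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
B64_RUN_RE = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")


def luhn_ok(number: str) -> bool:
    """Luhn check so that arbitrary digit runs are not flagged as card numbers."""
    digits = [int(d) for d in number if d.isdigit()]
    checksum = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        checksum += d
    return checksum % 10 == 0


def find_sensitive(text: str) -> dict:
    """Return {kind: [matches]} for the patterns that fire on the text."""
    hits = {
        "ssn": SSN_RE.findall(text),
        "card": [m for m in CARD_RE.findall(text) if luhn_ok(m)],
    }
    return {k: v for k, v in hits.items() if v}


def decode_layers(payload: bytes, max_depth: int = 3) -> list:
    """Return the payload plus every base64-decoded layer found inside it,
    so a simple encoding does not hide data from the pattern checks."""
    layers, current = [], payload
    for _ in range(max_depth + 1):
        text = current.decode("utf-8", errors="replace")
        layers.append(text)
        decoded = b""
        for candidate in B64_RUN_RE.findall(text):
            try:
                decoded += base64.b64decode(candidate, validate=True)
            except ValueError:          # binascii.Error is a ValueError
                continue
        if not decoded:
            break
        current = decoded
    return layers


def inspect_outbound(payload: bytes, naive: bool = False) -> dict:
    """naive=True scans only the raw bytes (what a weak DLP rule does);
    otherwise every decoded layer is scanned too."""
    texts = [payload.decode("utf-8", errors="replace")] if naive else decode_layers(payload)
    found = {}
    for text in texts:
        for kind, values in find_sensitive(text).items():
            found.setdefault(kind, []).extend(values)
    return found


# Constructed outbound payloads: the same fake record, plain and base64-wrapped.
PLAIN = b"customer=Jane Roe; ssn=219-09-9999; card=4111 1111 1111 1111"
ENCODED = b"report=" + base64.b64encode(PLAIN)

if __name__ == "__main__":
    print("plain, naive   :", inspect_outbound(PLAIN, naive=True))
    print("encoded, naive :", inspect_outbound(ENCODED, naive=True))
    print("encoded, layered:", inspect_outbound(ENCODED))
```

Base64 is the gentlest case; compression, encryption, or splitting a record across many small requests defeat content inspection entirely, which is why the OIG’s emphasis on also detecting the exfiltration behaviour (volume, destination, timing) rather than only matching content is the right lesson to draw.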


Subject: CISA News and Directives
Source: CISA [see news and directives about Ivanti vulnerabilities h/t Sabrina] News & Events

Read and watch the latest news, multimedia, and other important communications from CISA. View a calendar of upcoming events CISA hosts and participates in.

Featured Articles – CISA, U.S. and International Partners Warn of Ongoing Exploitation of Multiple Ivanti Vulnerabilities

Content regularly includes links to: Congressional Testimony; Alerts & Directives; Upcoming Events.

Amid the introduction of large-scale artificial intelligence implementation and initiatives across the federal government, NIST released a publication warning in January regarding privacy and security challenges arising from rapid AI deployment.

Posted in: AI, Cybercrime, Cybersecurity, Economy, Email Security, Financial System, Healthcare, Privacy