Pete Recommends – Weekly highlights on cyber security issues, April 20, 2024

Subject: UK flooded with forged stamps despite using barcodes — to prevent just that
Source: BleepingComputer

Royal Mail, the British postal and courier service, began switching all snail mail stamps to barcoded stamps last year. The purpose of the barcode was to enhance security, deter stamp reuse, and possibly prevent forgeries—which it has failed to do.

Fast forward to this year, several senders were left appalled to see their mail returned and being slapped with a £5 fine for use of “counterfeit stamps,” despite the senders insisting that they had bought legitimate stamps.

China accused of flooding UK with 1 million stamps

As Royal Mail transitioned towards barcoded stamps last year, the public had until the end of July 2023 to swap out their old paper stamps with ones carrying a 2D data matrix barcode at no cost.

Ironically, the “security features,” such as these unique barcodes, that were believed to prevent stamp re-use and forgeries in the future failed at just that.

Hundreds of senders saw their mail items returned by Royal Mail last month, and each had a “£5 penalty” notice slapped on them for the use of “counterfeit stamps.”
Subject: Chinese Mafias’ New US Goldmine: Gift Cards
Source: ProPublica via Newser

ProPublica: ‘Card draining’ is a thing, and the feds have established a task force. It’s not your typical story about organized crime—ProPublica reports that Chinese mafia groups are ripping off American consumers and stores through mundane gift cards. And for the first time, the Department of Homeland Security has launched a task force to fight what’s known as “card draining.” The way it typically works is that low-level “runners” for the criminal gangs steal cards from stores, record the numbers and PINs, repair the packaging, then return them. “What they do is they just fly into the city and they get a rental car and they just hit every big-box location that they can find along a corridor off an interstate,” says Adam Parks of the DHS. When legit customers buy a tampered card and load money onto it, the gangs can access the money. Meaning, when a customer finally goes to use it, the balance reads zero.

Read the full story, which details how card draining is only one aspect of the various scams centering on gift cards. (Or read other longform recaps.)

… the plaintiffs alleged that the companies have failed to secure the packaging of gift cards and to monitor their displays. “The tampering of Gift Cards purchased from Target is rampant and widespread and Target is well-aware of the problem, yet Target continues to sell unsecure Gift Cards susceptible to tampering without warning consumers of this fact,” reads the complaint in the Target case.

Subject: It’s time to close the loophole that lets tech run wild
Source: The Hill

[labeled OPINION] A quiet, agreeable and incredibly important hearing was held a few days ago by the House committee that oversees the tech industry. While too many congressional hearings can quickly devolve into showmanship, this one remained thoughtful and bipartisan. What was the topic that generated such agreement? Changing a fundamental law that governs the way the Internet — particularly social media companies — operate.

Section 230 of the Communications Decency Act of 1996 has remained untouched since it was crafted nearly 30 years ago. This provision has long been hailed as a cornerstone of the internet, granting platforms immunity from liability for content posted by users.

Although there’s been plenty of empty talk on the Hill in previous years of amending Section 230, something different is in the air. Members of Congress in both parties seem to get it: Tech companies shouldn’t have blanket immunity any longer — they’re hurting our kids, our mental health and our democracy. As one of the witnesses, Professor Mary Anne Franks from George Washington University, testified: “There is no justification for exempting the tech industry from the liability that virtually all individuals and industries face when they contribute to harm.”
Subject: Crickets from Chirp Systems in Smart Lock Key Leak
Source: Krebs on Security

The U.S. government is warning that “smart locks” securing entry to an estimated 50,000 dwellings nationwide contain hard-coded credentials that can be used to remotely open any of the locks. The lock’s maker Chirp Systems remains unresponsive, even though it was first notified about the critical weakness in March 2021. Meanwhile, Chirp’s parent company, RealPage, Inc., is being sued by multiple U.S. states for allegedly colluding with landlords to illegally raise rents.

On March 7, 2024, the U.S. Cybersecurity & Infrastructure Security Agency (CISA) warned about a remotely exploitable vulnerability with “low attack complexity” in Chirp Systems smart locks.

“Chirp Access improperly stores credentials within its source code, potentially exposing sensitive information to unauthorized access,” CISA’s alert warned, assigning the bug a CVSS (badness) rating of 9.1 (out of a possible 10). “Chirp Systems has not responded to requests to work with CISA to mitigate this vulnerability.”

Matt Brown, the researcher CISA credits with reporting the flaw, is a senior systems development engineer at Amazon Web Services. Brown said he discovered the weakness and reported it to Chirp in March 2021, after the company that manages his apartment building started using Chirp smart locks and told everyone to install Chirp’s app to get in and out of their apartments.
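The CISA alert quoted above describes the classic hard-coded credentials weakness (CWE-798): a secret committed into source code ships with every copy of the product and cannot be rotated without a release. As an added illustration, not Chirp’s code or CISA’s tooling, here is a small scanner of the kind a team runs in CI to catch that mistake before release, alongside the runtime-lookup pattern that avoids it. The rule patterns, the placeholder filter, the `load_credential` helper and the sample module are all constructed for this example.

```python
"""Heuristic hard-coded credential scanner (added example, not Chirp's code)."""
import os
import re
from typing import NamedTuple

# Each rule names a value group "v" so findings can be redacted uniformly.
# These regexes are assumptions chosen for the example, not a vendor's rule set.
RULES = [
    ("assignment", re.compile(
        r"""(?i)(?:api[_-]?key|secret|password|passwd|token|private[_-]?key)\w*\s*[:=]\s*["'](?P<v>[^"']{8,})["']""")),
    ("aws_access_key", re.compile(r"(?P<v>AKIA[0-9A-Z]{16})\b")),
    ("bearer_token", re.compile(r"(?i)bearer\s+(?P<v>[A-Za-z0-9\-._~+/]{20,}=*)")),
]

# Values that look like documentation placeholders rather than live secrets.
PLACEHOLDER = re.compile(r"(?i)^<|changeme|example|xxx+|your[_-]|^\$\{")


class Finding(NamedTuple):
    line_no: int
    rule: str
    redacted: str  # never carry the full secret into logs or tickets


def redact(value: str) -> str:
    """Keep a short prefix so a reviewer can locate the value without copying it."""
    return f"{value[:4]}…({len(value)} chars)"


def scan_source(text: str) -> list[Finding]:
    """Return one finding per line that appears to embed a credential literal."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in RULES:
            match = pattern.search(line)
            if match is None:
                continue
            value = match.group("v")
            if PLACEHOLDER.search(value):
                continue  # documentation placeholder, not a live secret
            findings.append(Finding(line_no, rule, redact(value)))
            break  # one finding per line is enough for a CI gate
    return findings


def load_credential(name: str) -> str:
    """Hardened counterpart: resolve the secret at runtime from the environment
    (in production, from a secrets manager), so nothing lands in source control."""
    value = os.environ.get(name)
    if not value:
        raise RuntimeError(f"credential {name!r} is not configured")
    return value


# Constructed sample module: hypothetical service, no real credentials.
SAMPLE_SOURCE = """\
# constructed sample; hypothetical lock-controller client
API_BASE = "https://lock-api.example.invalid"
LOCK_API_KEY = "sk_live_0123456789abcdef0123456789"
password = os.environ["LOCK_PASSWORD"]
aws_key = "AKIA0123456789ABCDEF"
token = "<your-token-here>"
"""

if __name__ == "__main__":
    # Expected: line 3 (assignment) and line 5 (aws_access_key); line 4 reads
    # from the environment and line 6 is a placeholder, so neither is flagged.
    for f in scan_source(SAMPLE_SOURCE):
        print(f"line {f.line_no}: {f.rule}: {f.redacted}")
```

Wiring `scan_source` over every changed file in a pre-commit hook or CI step fails the build before a literal like line 3 reaches a release; the `load_credential` pattern is what the flagged lines should be rewritten to.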

Subject: Guidelines for secure AI system development
Source: NCSC UK

Executive summary – This document recommends guidelines for providers of any systems that use artificial intelligence (AI), whether those systems have been created from scratch or built on top of tools and services provided by others. Implementing these guidelines will help providers build AI systems that function as intended, are available when needed, and work without revealing sensitive data to unauthorised parties. This document is aimed primarily at providers of AI systems who are using models hosted by an organisation, or are using external application programming interfaces (APIs). We urge all stakeholders (including data scientists, developers, managers, decision-makers and risk owners) to read these guidelines to help them make informed decisions about the design, development, deployment and operation of their AI systems.

Subject: Amazon ebooks: Are the Mikkelsen twins running a scam? Here’s our investigation
Source: Vox

It’s partly AI, partly a get-rich-quick scheme, and entirely bad for confused consumers.

Right now, navigating the ebook and audiobook marketplaces is like being back on those sites. There are a thousand banner ads larded with keywords, and they’re all trying to get your clicks.

Take, for example, when tech journalist Kara Swisher’s Burn Book came out this February. A host of other books hit the Kindle store along with it. They all had bizarre, SEO-streamlined titles, like those new businesses that are named Plumbing Near Me to game the Google algorithm.

“I found ‘Kara Swisher: Silicon Valley’s Bulldog,’ and ‘Kara Swisher Book: How She Became Silicon Valley’s Most Influential Journalist,’ and ‘Kara Swisher Biography: Unraveling the Life and Legacy,’ by a ‘guy’ who ‘wrote’ four biographies this month,” said Ben Smith when he interviewed Swisher for Semaforum.

Here is almost certainly what was going on: “Kara Swisher book” started trending on the Kindle storefront as buzz built up for Swisher’s book. Keyword scrapers that exist for the sole purpose of finding such search terms delivered the phrase “Kara Swisher book” to the so-called biographer, who used a combination of AI and crimes-against-humanity-level cheap ghostwriters to generate a series of books they could plausibly title and sell using her name.

Now, generative AI has made it possible to create cover images, outlines, and even text at the click of a button.

If, as they used to say, everyone has a book in them, AI has created a world where tech utopianists dream openly about excising the human part of writing a book — any amount of artistry or craft or even just sheer effort — and replacing it with machine-generated streams of text; as though putting in the labor of writing is a sucker’s game; as though caring whether or not what you’re reading is nonsense is only for elitists. The future is now, and it is filled with trash books that no one bothered to really write and that certainly no one wants to read.

The saddest part about it, though, is that the garbage books don’t actually make that much money either. It’s even possible to lose money generating your low-quality ebook to sell on Kindle for $0.99. The way people make money these days is by teaching students the process of making a garbage ebook. It’s grift and garbage all the way down — and the people who ultimately lose out are the readers and writers who love books.

Subject: The invisible seafaring industry that keeps the internet afloat
Source: The Verge

The Verge: “The world’s emails, TikToks, classified memos, bank transfers, satellite surveillance, and FaceTime calls travel on cables that are about as thin as a garden hose. There are about 800,000 miles of these skinny tubes crisscrossing the Earth’s oceans, representing nearly 600 different systems, according to the industry tracking organization TeleGeography. The cables are buried near shore, but for the vast majority of their length, they just sit amid the gray ooze and alien creatures of the ocean floor, the hair-thin strands of glass at their center glowing with lasers encoding the world’s data. If, hypothetically, all these cables were to simultaneously break, modern civilization would cease to function.

As US Federal Reserve staff director Steve Malphrus said at a 2009 cable security conference, “When communications networks go down, the financial services sector does not grind to a halt. It snaps to a halt.” [Map: the dozens of fibre optic cable systems which stretch across the oceans, connecting continents and island chains; some of these cables are extremely long. The map animates to show the cables laid down between 1989 and the present, with planned cables up to 2027 also displayed.]…”

[+ interesting pictures]

Abstracted from beSpacific
Copyright © 2024 beSpacific, All rights reserved.

Subject: 5 outdated security practices you shouldn’t use anymore
Source: PCWorld

PCWorld: “When I was younger, I was told “never use your real name on the internet.” But the world has changed, and I don’t follow that advice anymore. Likewise, there’s a lot of well-meaning online security advice that has outlasted its usefulness. There’s a core of truth to each one of the security practices I criticize below, but you shouldn’t blindly follow these old tips. At best, you’ll be wasting your time. At worst, you’ll be putting yourself more at risk. Read on to learn more about the five outdated security practices you shouldn’t use anymore.”

Abstracted from beSpacific

Subject: Fair Digital Finance Framework
Source: Consumer Reports – Advocacy

Fair Digital Finance Framework – Consumer Reports’ vision for a Fair Digital Financial Marketplace is one in which digital finance products let consumers spend, save, borrow, and invest safely; respect their privacy and data; provide the benefits they expect; and protect them from discriminatory and predatory practices; all while helping them achieve their financial goals. We will promote that vision by providing timely, independent, and reliable reviews of technology-driven digital finance products and services.

Consumer Reports has developed the Fair Digital Finance Framework to evaluate digital finance products to raise standards, strengthen consumer protections, and empower consumers.


Subject: 911 service largely restored after outages were reported in at least 4 states but the cause is unclear
Source: CNN

Service has been mostly restored after law enforcement agencies in at least four states reported 911 service interruptions Wednesday evening, though the cause of the outages remains unclear.

Authorities in South Dakota, Texas, Nebraska and Nevada had announced outages in multiple cities, with some urging residents in need of assistance to either text 911 or call using a landline. Within hours, however, the outages had been largely addressed, including in metropolitan areas like Sioux Falls and Rapid City, South Dakota, and Las Vegas.

Officials have not detailed a cause for the 911 service interruptions, and they have not been found to be malicious. The Del Rio Police Department attributed its outage to a “major cellular carrier,” noting “the issue is with the carrier, and not the City of Del Rio Systems.”

The Federal Communications Commission confirmed on X that it was “aware of reports of 911-related outages and we are currently investigating.”

Subject: Hospital group raises concerns over cybersecurity penalties
Source: Becker’s Health IT

The American Hospital Association submitted a statement to the House Energy and Commerce Health Subcommittee stating its concerns for potential penalties for hospitals and health systems that do not meet cybersecurity standards outlined by the Biden administration.

President Biden’s budget for 2025 suggests imposing fines on hospitals and health systems if they do not follow what the administration sees as essential cybersecurity practices. For example, starting in 2029, the administration plans to enforce important practices in hospitals. Those that do not meet these standards could lose up to 100% of their yearly payment increase. Starting in 2031, they might face extra penalties of up to 1% of their base payment.
Subject: 1st-of-its-kind law protects ‘neural data’
Source: Becker’s Health IT

With the increasing number of technologies that track brain activity, a new Colorado law aims to protect people’s “neural data” from falling into the wrong hands, The New York Times reported.

Colorado Gov. Jared Polis signed the first-of-its-kind legislation April 17 that gives neural data collected from people’s brains the same protections as other biometric data, such as fingerprints and facial images, according to the April 17 story. Legislatures in California and Minnesota are discussing similar bills.

The legislation comes as startups like Elon Musk’s Neuralink are implanting devices in human brains to stimulate neurological activity and other companies offer headbands that monitor brain activity to help treat anxiety and depression, the news outlet reported.

While neural data derived from clinical settings is already covered by HIPAA, the Colorado legislation extends the protections to consumer technologies, the newspaper reported.

Subject: Justice Department seizes four Russian cybercrime web domains
Source: Nexstar Media via WTAJ

PITTSBURGH, Pa. (WTAJ) — Four web domains that were used to create over 40,000 spoofed websites that were storing personal information of more than a million victims were seized by the Justice Department.

According to court records, the United States obtained authorization to seize the domains as part of an investigation of the spoofing service operated through the domain (LabHost), which resolves to a Russian internet infrastructure company. Customers of LabHost used its services to create and manage spoofed websites designed to look like the legitimate websites of businesses such as Amazon, Netflix, Wells Fargo, Bank of America and Chase Bank.

LabHost customers used the spoofed websites to lure unwitting victims into disclosing their personally identifiable information, date of birth, email address, password, address and credit card information on the websites the victims believed were legitimate.

The domain seizures in the United States occurred in conjunction with the international arrests of dozens of LabHost administrators and customers facing criminal charges in more than a dozen foreign countries.
