Pete Recommends – Weekly highlights on cyber security issues, May 4, 2024

Subject: 9 Disturbing Stories From People Who Say They Found Cameras in Their Airbnb
Source: Gizmodo

Airbnb announced in March that all indoor security cameras would be banned at its properties worldwide starting April 30. And if you read through online complaints about cameras that were discovered during Airbnb stays over the years, it’s easy to understand why it’s been such a controversial issue.

Hidden cameras have always been banned at Airbnb, but cameras in public areas like living rooms were allowed. Airbnb will officially ban all indoor cameras at its properties worldwide at the end of this month. And the company points out that there’s been at least one case in the past when someone thought they found a hidden camera, but it was actually just a wall outlet.

Subject: Stop Using Your Face or Thumb to Unlock Your Phone
Source: Gizmodo

Last week, the 9th Circuit Court of Appeals in California released a ruling that concluded state highway police were acting lawfully when they forcibly unlocked a suspect’s phone using his fingerprint. You probably didn’t hear about it. The case didn’t get a lot of coverage, especially because the court wasn’t giving a blanket green light for every cop to shove your thumb onto your screen during an arrest. But it’s another toll of the warning bell reminding you not to trust biometrics to keep your phone’s sensitive info private. In many cases, especially if you think you might interact with the police (at a protest, for example), you should seriously consider turning off biometrics on your phone entirely.

The ruling in United States v. Jeremy Travis Payne found that highway officers acted lawfully by using Payne’s thumbprint to unlock his phone after a drug bust. The three-judge panel said police did not violate Payne’s 5th Amendment right against self-incrimination or the 4th Amendment’s protection against unlawful search and seizure through the “forced” use of Payne’s thumb (the court’s point being that the unlocking was compelled, not that an officer physically pressed his thumb to the screen). The panel admitted from the outset that “neither the Supreme Court nor any of our sister circuits have addressed whether the compelled use of a biometric to unlock an electronic device is testimonial.”

The 9th Circuit’s ruling was narrow and doesn’t necessarily create a new precedent, but it shows that the arguments surrounding the 5th Amendment and biometrics are still unsettled. The ruling was also complicated by the fact that Payne was on parole in 2021 when he was stopped by the California Highway Patrol and allegedly had a stash of narcotics including fentanyl, fluoro-fentanyl, and cocaine. He was charged with possession with intent to sell.


Subject: A glaring Android TV security flaw might put your Gmail at risk
Source: Android Central

What you need to know

  • A loophole in Android TV could allow unauthorized access to Gmail and other linked services if someone gains physical access to the device.
  • Through an Android TV box, individuals can potentially hack into the Google account of the last user, compromising Gmail and Google Drive.
  • Initially, Google implied the behavior was expected, but later acknowledged the security flaw and claimed to have fixed it on newer Google TV devices.


Subject: Many tech leaders like Sam Altman join federal AI safety board
Source: Android Headlines

The chief executives of several leading tech companies are joining the US government’s Artificial Intelligence Safety and Security Board. OpenAI’s CEO Sam Altman, Microsoft chief Satya Nadella, and Alphabet CEO Sundar Pichai are some of these tech leaders. The newly created federal advisory board will focus on the secure use of AI within the United States’ critical infrastructure.

The AI board will advise the government on how to safely deploy AI in critical infrastructure

The newly created federal AI board will be working with and advising the Department of Homeland Security. Their main focus will be the safe deployment of artificial intelligence within the country’s critical infrastructure. They will create safety systems to protect the economy, medical care, and other major industries from any threats posed by AI. In addition, the board will prevent potential harm from utilizing artificial intelligence in the power grid and transportation.



Subject: Kaiser gave 13.4M people’s data to Microsoft, others
Source: The Register

Millions of Kaiser Permanente patients’ data was likely handed over to Google, Microsoft Bing, X/Twitter, and other third-parties, according to the American healthcare giant. Kaiser told The Register it has started notifying 13.4 million current and former members and patients that “certain online technologies, previously installed on its websites and mobile applications, may have transmitted personal information to third-party vendors,” when customers used its websites and mobile applications.

Kaiser has since removed that tech from its websites and apps, and said it is not aware of “any misuse of any member’s or patient’s personal information.”

In other words, this seems to be the result of Kaiser placing user tracking and analytics tools, offered by Big Tech and advertising brokers, on its websites and apps, and only realizing now what information exactly was being transmitted by that code when people visited and used those sites and applications.

The information given to third parties includes individuals’ “IP address, name, information that could indicate a member or patient was signed into a Kaiser Permanente account or service, information showing how a member or patient interacted with and navigated through the website, and mobile applications, and search terms used in the health encyclopedia,” according to Kaiser’s statement to us.

Subject: Google Chrome’s new post-quantum cryptography may break TLS connections
Source: BleepingComputer

Some Google Chrome users report having issues connecting to websites, servers, and firewalls after Chrome 124 was released last week with the new quantum-resistant X25519Kyber768 encapsulation mechanism enabled by default. Google started testing the post-quantum secure TLS key encapsulation mechanism in August and has now enabled it in the latest Chrome version for all users.

The new version uses the hybrid X25519Kyber768 key agreement (classical X25519 combined with the Kyber768 KEM) for TLS 1.3 and QUIC connections, so that Chrome’s TLS traffic stays protected against quantum cryptanalysis as long as at least one of the two components holds.

“After several months of experimentation for compatibility and performance impacts, we’re launching a hybrid postquantum TLS key exchange to desktop platforms in Chrome 124,” the Chrome Security Team explains.

“This protects users’ traffic from so-called ‘store now decrypt later’ attacks, in which a future quantum computer could decrypt encrypted traffic recorded today.”

These errors are not caused by a bug in Google Chrome. They come from web servers, firewalls and other middleboxes that do not implement Transport Layer Security (TLS) correctly: the Kyber768 public key adds roughly 1.2 KB to the ClientHello, which therefore no longer fits in a single TCP segment, and implementations that assume it does (or that reject a ClientHello carrying an unfamiliar key-share group instead of ignoring it) drop or reset the connection. A quick way to confirm this is the cause is to disable the feature via chrome://flags/#enable-tls13-kyber (or the PostQuantumKeyAgreementEnabled enterprise policy) and retry; the lasting fix has to happen on the server or appliance side.
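To check whether a server or middlebox has this problem without waiting for a Chrome user to complain, the script below builds a bare TLS 1.3 ClientHello and inflates it with the RFC 7685 padding extension to the size Chrome 124 now sends, then compares how the peer answers the small and the large hello. This is an added example, not code from Chrome, Google or BleepingComputer; no Kyber768 share is actually generated (padding stands in for its size), so a failure means the peer cannot handle a large, multi-segment ClientHello, not that it cannot negotiate Kyber. The host name, port and 1700-byte target are assumptions for the demonstration.

```python
"""Probe whether a TLS endpoint tolerates a ClientHello as large as the one
Chrome 124 sends with X25519Kyber768 enabled.

Added example, not code from Chrome or BleepingComputer.  A real Kyber768
share is not generated; the RFC 7685 padding extension (type 21) stands in
for its size.  The hostnames, port and 1700-byte target are assumptions.
"""
import os
import socket
import struct

PADDING = 21    # RFC 7685 padding extension (body is all zeros)
KEY_SHARE = 51


def _ext(ext_type: int, body: bytes) -> bytes:
    return struct.pack("!HH", ext_type, len(body)) + body


def build_client_hello(sni: str, target_size: int = 0) -> bytes:
    """TLS record carrying a TLS 1.3 ClientHello with a single x25519 share.

    If target_size exceeds the natural record length, a padding extension
    inflates the record to exactly target_size bytes on the wire.
    """
    host = sni.encode("idna")
    sni_list = struct.pack("!BH", 0, len(host)) + host
    exts = _ext(0, struct.pack("!H", len(sni_list)) + sni_list)     # server_name
    exts += _ext(10, struct.pack("!HH", 2, 0x001D))                 # supported_groups: x25519
    sigalgs = bytes.fromhex("04030804040105030805050108060601")
    exts += _ext(13, struct.pack("!H", len(sigalgs)) + sigalgs)     # signature_algorithms
    exts += _ext(43, b"\x02\x03\x04")                               # supported_versions: TLS 1.3
    exts += _ext(45, b"\x01\x01")                                   # psk_key_exchange_modes
    share = struct.pack("!HH", 0x001D, 32) + os.urandom(32)         # placeholder x25519 share
    exts += _ext(KEY_SHARE, struct.pack("!H", len(share)) + share)
    rnd, sid = os.urandom(32), os.urandom(32)

    def assemble(ext_block: bytes) -> bytes:
        body = (b"\x03\x03" + rnd                                   # legacy_version, random
                + b"\x20" + sid                                     # legacy_session_id (compat mode)
                + b"\x00\x06\x13\x01\x13\x02\x13\x03"               # AES-128-GCM, AES-256-GCM, CHACHA20
                + b"\x01\x00"                                       # legacy_compression_methods
                + struct.pack("!H", len(ext_block)) + ext_block)
        hs = b"\x01" + len(body).to_bytes(3, "big") + body          # handshake type client_hello
        return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs    # record type handshake

    natural = len(assemble(exts))
    if target_size > natural + 4:                                   # 4 = padding ext header
        exts += _ext(PADDING, b"\x00" * (target_size - natural - 4))
    return assemble(exts)


def parse_client_hello(record: bytes) -> dict:
    """Minimal parser used to check what build_client_hello produced."""
    ctype, _, rlen = struct.unpack("!BHH", record[:5])
    hs = record[5:]
    if ctype != 22 or rlen != len(hs) or hs[0] != 1:
        raise ValueError("not a handshake record holding a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    off = 2 + 32                                   # legacy_version, random
    off += 1 + body[off]                           # legacy_session_id
    off += 2 + struct.unpack("!H", body[off:off + 2])[0]   # cipher_suites
    off += 1 + body[off]                           # legacy_compression_methods
    ext_len = struct.unpack("!H", body[off:off + 2])[0]
    off += 2
    exts, end = {}, off + ext_len
    while off < end:
        etype, elen = struct.unpack("!HH", body[off:off + 4])
        exts[etype] = body[off + 4:off + 4 + elen]
        off += 4 + elen
    sni = None
    if 0 in exts:
        name_len = struct.unpack("!H", exts[0][3:5])[0]
        sni = exts[0][5:5 + name_len].decode("idna")
    return {"sni": sni, "extensions": sorted(exts), "padding": len(exts.get(PADDING, b""))}


def probe(host: str, port: int = 443, size: int = 0, timeout: float = 5.0) -> str:
    """Send one ClientHello and classify the first bytes the peer sends back."""
    hello = build_client_hello(host, size)
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(hello)
            head = s.recv(5)
    except socket.timeout:
        return "timeout (hello likely dropped)"
    except ConnectionResetError:
        return "reset"
    if not head:
        return "closed without reply"
    return {22: "handshake (ServerHello)", 21: "alert"}.get(head[0], f"unexpected byte {head[0]:#x}")


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"   # assumed host
    # A peer that answers the small hello but not the 1700-byte one has the
    # large-ClientHello problem described above, independent of any Chrome bug.
    for size in (0, 1700):
        print(f"{target}: {len(build_client_hello(target, size))}-byte hello -> {probe(target, size=size)}")
```

Run it against a host you control (`python probe.py host.example`); a `handshake` answer for both sizes means the endpoint is fine, while `timeout` or `reset` only for the padded hello points at the server or an appliance in front of it. The handshake is deliberately abandoned after the first reply, since the placeholder x25519 share can never complete it.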



Subject: 8 best password managers of April 2024
Source: CNBC

CNBC: “Keep all of your passwords safe, secure and in one place with these top-rated password managers. Cybersecurity experts recommend that every password you create be long, complex and unique. So between online bank and investment accounts, credit card accounts, email accounts and other types of accounts, you may wind up with dozens of passwords to manage. Instead of keeping them on sticky notes or in easily accessible notebooks, a safer option would be to use a password manager. Password managers can store all your account information, like your username, email, or password, and protect them from unauthorized access. They can help you generate strong passwords and sync them across all your devices and often offer additional features like dark web monitoring, secure password sharing and email masking. To determine which password managers are best, CNBC Select reviewed dozens of password managers and narrowed down our top picks based on eight categories. The password managers we selected use 256-bit Advanced Encryption Standard (AES) encryption or stronger, are compatible with various types of devices and browsers, use a zero-knowledge system and have not had a major data breach within the last two years. (See our methodology for more information on how we chose the best password managers.)…”

Abstracted from beSpacific
Copyright © 2024 beSpacific, All rights reserved.

Subject: How Netflix and Other Streaming Services Charge You Forever
Source: Gizmodo

Canceling or switching credit cards doesn’t stop recurring charges, thanks to a hidden banking system that tracks your financial life.

Millions of Americans pay for Netflix, doling out anywhere from $6.99 to $22.99 a month. It’s a common belief that you can get out of recurring charges like this by canceling your credit card. Netflix won’t be able to find you, and your account will just go away, right? You wouldn’t be crazy for believing it, but it’s a myth that canceling a credit card will stop your recurring charges.

“Banks may automatically update credit or debit card numbers when a new card is issued. This update allows your card to continue to be charged, even if it’s expired,” Netflix says in its help center.

Subject: White House touts AI controls put in place over 180 days since Biden executive order
Source: UPI

April 29 (UPI) — The White House announced on Monday some of the steps the Biden administration has taken to regulate the use of artificial intelligence for safety and workers’ rights, 180 days after the president’s executive order.

In October, Biden signed an executive order that applied new requirements on AI tech developers to manage and mitigate the risk associated with AI. It represented some of the strongest government guardrails to date on machine-learning technology.

Subject: FCC fines major wireless carriers $200M for illegally selling customer location data
Source: Nextgov/FCW

The Federal Communications Commission on Monday said it fined the largest U.S. wireless carriers $200 million on grounds that the companies sold their customers’ location data to third parties without consent while not taking steps to protect that info from security compromises.

The fines hit Sprint and T-Mobile — which merged in 2020 after the agency’s initial investigation began — for some $12 million and $80 million, respectively, while AT&T and Verizon were respectively fined over $57 million and nearly $47 million.

The agency’s enforcement arm said the providers sold customer location info to data brokers, who then resold that packaged data to third-party service providers who use location information for profit-making purposes. The carriers circumvented their obligation to protect customer location data and broke rules that barred them from selling off that data without first getting permission from their users, the FCC said.

“This initial failure was compounded when, after becoming aware that their safeguards were ineffective, the carriers continued to sell access to location information without taking reasonable measures to protect it from unauthorized access,” the agency said in a statement.

“The FCC order lacks both legal and factual merit. It unfairly holds us responsible for another company’s violation of our contractual requirements to obtain consent, ignores the immediate steps we took to address that company’s failures, and perversely punishes us for supporting life-saving location services like emergency medical alerts and roadside assistance that the FCC itself previously encouraged,” an AT&T spokesperson told Nextgov/FCW.

The agency has also framed its recent restoration of net neutrality rules as a security measure, since it would allow the FCC to legally stamp out foreign broadband providers deemed national security risks. The FCC recently asked major providers for an update on how they are hardening their networks to prevent spies and cybercriminals from exploiting wireless signaling protocols that could let bad actors track targets.



Subject: The White House Has a New Master Plan to Stop Worst-Case Scenarios
Source: WIRED

President Joe Biden will update the directives to protect US critical infrastructure against major threats, from cyberattacks to terrorism to climate change.

The Biden administration is updating the US government’s blueprint for protecting the country’s most important infrastructure from hackers, terrorists, and natural disasters.

On Tuesday, President Joe Biden will sign a national security memorandum overhauling a 2013 directive that lays out how agencies work together, with private companies, and with state and local governments to improve the security of hospitals, power plants, water facilities, schools, and other critical infrastructure.

Biden’s memo, which is full of updates to the Obama-era directive and new assignments for federal agencies, arrives as the US confronts an array of serious threats to the computer systems and industrial equipment undergirding daily life.

The memorandum has three core purposes: to formalize the role of the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) as the lead agency tasked with protecting infrastructure from bad actors and natural hazards; to improve partnerships with the private sector through faster, more comprehensive information sharing; and to lay out the groundwork for minimum cybersecurity requirements for sectors that currently lack them.

The new memo, Durkovich says, “prepares us for the next decade—what the president calls the decisive decade—and what lies out on the horizon.”

Subject: Are VPNs Legal To Use?
Source: TechRepublic

Are virtual private networks legal to use? Discover if VPNs are legal, restricted or banned in your geolocation and what activities are legal vs. illegal when using a VPN.

Using a virtual private network to protect personal data or online activities during web browsing is legal in many countries, like the United States, United Kingdom and France. However, this legality has some limits and can vary based on the specific activities conducted through the VPN. For instance, using a VPN to engage in activities like hacking or piracy is still illegal, regardless of the VPN’s legality in your country. On the other hand, some countries like Russia, China, North Korea and Iran have restricted or outright banned VPN services primarily for control and censorship purposes.


Subject: Over decade of Washington, D.C., protests, police scanned social media for ‘disrupters’
Source: StateScoop

Over the last ten years, the Metropolitan Police Department in Washington, D.C., has used automated online surveillance tools to monitor individuals’ social media activity during protected activities, such as protests, and has even employed fake social media accounts, according to a report released Tuesday.

The report, a collaboration between the Brennan Center for Justice at NYU Law and the Data for Black Lives collective, shared the results of a 2020 Freedom of Information Act request that yielded more than 700,000 pages of internal documents from the Washington police department. The documents showed how MPD used the online surveillance tools between 2014 and 2021, monitored social media activity, amassed user data and surveilled protest activity through online posts.

City documents acquired through the records request revealed that MPD employed a company called Dataminr, which is an official partner of the social media website X. Dataminr claims to use artificial intelligence to provide its clients real-time alerts about “high-impact events” by monitoring social media posts. According to the Brennan Center report,

Dyson said the social media vendors used by the District police department, which purport to collect massive amounts of data, often do so against the social media platforms’ terms and conditions agreements. Last year, Meta — the parent company of Facebook and Instagram — sued Voyager for scraping user data with dummy accounts.

Dyson said that to avoid chilling free speech and First Amendment-protected activities such as protesting, it’s important for law enforcement agencies to be transparent about their technology policies. That advisement is a key part of the Brennan Center’s social media use policies for law enforcement, a rubric of best practices that also takes into account the risks of automated social media monitoring software.

Subject: Unauthorized AirTag tracking set to become illegal in Pennsylvania
Source: AP News via Android Headlines

According to AP News, Pennsylvania has recently taken action [not yet law /pmw1] to penalize individuals who use Bluetooth-enabled devices like AirTags to track others without their consent, joining a growing number of states in the USA with similar legislation….

Subject: A new lawsuit aims to change the Facebook news feed
Source: Android Headlines

Social media users have constantly been at war with algorithmic feeds. It’s something that affects pretty much all social media apps and sites, including Facebook, Instagram, TikTok, Threads and X. The Knight First Amendment Institute at Columbia University (on behalf of a researcher there) has filed a lawsuit against Meta over how the company is protecting its Facebook news feed. The researcher also wants to ship an extension that will allow people to essentially turn off their news feed.

Most people don’t like being fed algorithmic news feeds. A lot of the time, it’s mostly just the company pushing content that it thinks you want to see based on what’s popular. Many users slam this method, which is why companies have been forced to offer chronological feeds.

A user filed a lawsuit against Meta over the Facebook news feed. The person who established the lawsuit is named Ethan Zuckerman. He’s not seeking money for the lawsuit. Rather, he wants Meta to enable a Facebook extension that he’s developed. It’s called Unfollow Everything 2.0. What this extension would do is essentially turn off your news feed.

Subject: Google Play Store adding ‘Government’ badge to identify official apps
Source: Android Central

What you need to know

  • Google announced last year that it would start adding badges to official government apps, and this change is rolling out now.
  • Over 3,000 state and federal apps from 12 countries now show a visual badge displaying that they are official government apps.

Since government apps often require users to provide identifying or banking information, this is a way for users to make sure they’re sharing private data with the right app.

Google says that it started testing the new program with “a small percentage of users” over the past few months. It’s now widely rolling out with support for over 3,000 official state and federal apps in 12 countries. For now, only certain apps in Australia, Canada, Germany, France, the United Kingdom, Japan, South Korea, the United States, Brazil, Indonesia, India, and Mexico can feature a government badge.



Subject: Huawei has been investing in US research despite being banned
Source: Android Headlines

It’s been a while since the US restricted Huawei from working with US-based companies. The US has also imposed restrictions on Chinese semiconductor firms linked to Huawei. The trade sanctions have no doubt slowed down the technological advancement of the Chinese giant. The FCC plans to prevent Huawei from certifying wireless equipment headed for the US.

In the latest news, Bloomberg reveals that not everything between the company and the US has been stopped. Huawei has been funding cutting-edge research at universities in the US despite being banned. The researchers are getting the money through an independent Washington-based research foundation.

Huawei has been secretly funding researchers in the US.

Funding research intended for publication is not illegal for Huawei even if it’s banned

Huawei funding researchers in the US is not illegal; it does not fall under the purview of the trade restrictions. Huawei funds similar competitions in other places as well, although those are all public. The Chinese giant provided $1 million per year and Optica kept the source secret.



Subject: Brokewell: do not go broke from new banking malware
Source: ThreatFabric

ThreatFabric: “Constant monitoring of the threat landscape allows us to spot new threats and actors early and take immediate action—evaluating the threat and preparing for it. Our Threat Intelligence shows that device takeover capabilities remain crucial for any modern banking malware family, and new players entering the landscape are no exception. In most cases, remote access capabilities are built in from the start of the development cycle. Thus, it comes as no surprise that ThreatFabric analysts recently discovered a new mobile malware family, “Brokewell,” with an extensive set of Device Takeover capabilities. The analysis of the samples revealed that Brokewell poses a significant threat to the banking industry, providing attackers with remote access to all assets available through mobile banking. The Trojan appears to be in active development, with new commands added almost daily. During our research, we discovered another dropper that bypasses Android 13+ restrictions. This dropper was developed by the same actor(s) and has been made publicly available, potentially impacting the threat landscape. In this blog, we discuss Brokewell’s primary features that pose significant risks to financial institutions’ customers and identify a new actor emerging in the mobile banking malware field.”

Abstracted from beSpacific

Subject: CEO who sold fake Cisco devices to US military gets 6 years in prison
Source: BleepingComputer

Onur Aksoy, the CEO of a group of companies controlling multiple online storefronts, was sentenced to six and a half years in prison for selling $100 million worth of counterfeit Cisco network equipment to government, health, education, and military organizations worldwide.

The 40-year-old Florida man was arrested in Miami on June 29, 2022, and was charged the same day with multiple counts of trafficking counterfeit goods and committing mail and wire fraud.
