Pete Recommends – weekly highlights on cyber security issues – May 6 2018

Subject: How Looming Privacy Regulations May Strengthen Facebook and Google
Source: The New York Times
https://www.nytimes.com/2018/04/23/technology/privacy-regulation-facebook-google.html

SAN FRANCISCO — In Europe and the United States, the conventional wisdom is that regulation is needed to force Silicon Valley’s digital giants to respect people’s online privacy. But new rules may instead serve to strengthen Facebook’s and Google’s hegemony and extend their lead on the internet. That could begin playing out next month, when Europe enacts sweeping new regulations that prioritize people’s data privacy. The new laws, which require tech companies to ask for users’ consent for their data, are likely to hand Google and Facebook an advantage. That’s because wary consumers are more prone to trust recognized names with their information than unfamiliar newcomers. And the laws may deter start-ups that do not have the resources to comply with the rules from competing with the big companies.


Subject: The Golden State Killer Is Tracked Through a Thicket of DNA, and Experts Shudder
Source: The New York Times
https://www.nytimes.com/2018/04/27/health/dna-privacy-golden-state-killer-genealogy.html

The arrest of a suspect has set off alarms among some scientists and ethicists worried that consumer DNA may be widely accessed by law enforcement. Genetic testing services have become enormously popular with people looking for long-lost relatives or clues to hereditary diseases. Most never imagined that one day intimate pieces of their DNA could be mined to assist police detectives in criminal cases. Even as scientific experts applauded this week’s arrest of the Golden State Killer suspect, Joseph James DeAngelo, 72, some expressed unease on Friday at reports that detectives in California had used a public genealogy database to identify him. Privacy and ethical issues glossed over in the public’s rush to embrace DNA databases are now glaringly apparent, they said. “This is really tough,” said Malia Fullerton, an ethicist at the University of Washington who studies DNA forensics. “He was a horrible man and it is good that he was identified, but does the end justify the means?”


Subject: Mysterious cyber worm targets medical systems, is found on X-ray machines and MRI scanners
Source: ZDNet
https://www.zdnet.com/article/mysterious-cyber-worm-targets-medical-systems-found-on-x-ray-machines-and-mri-scanners/

Orangeworm hacking group carefully selects victims in highly targeted attacks. A newly-discovered cybercriminal group is installing custom malware onto the systems of organisations in healthcare and related sectors in order to conduct corporate espionage. These targeted attacks are carried out against a small number of selected organisations as well as the supply chains which serve them, with the tactics and use of custom malware suggesting the attacks are the work of a cybercriminal group working for its own ends and not that of a government. Uncovered by researchers at Symantec, the previously unknown group dubbed Orangeworm is installing custom malware known as ‘Kwampirs’ onto the systems of large international corporations across the US, Europe and Asia – with a particular focus on healthcare, with 40 percent of victims operating in the sector.


NB

RSS feed for topic SECURITY:
https://www.zdnet.com/topic/security/rss.xml


Subject: Local governments’ cybersecurity crisis in 8 charts
Source: The Conversation
https://theconversation.com/local-governments-cybersecurity-crisis-in-8-charts-94240

We know this because in 2016, in partnership with the International City/County Management Association, we conducted the first-ever nationwide survey of local government cybersecurity. Among other things, the survey data showed just how poorly local governments practice cybersecuriy.

Under near-constant attack, but not fully aware – Nearly half – 44 percent – of all the respondents told us they experience cyberattacks at least daily. Based on prior research, we are confident that rate is actually much higher.

Topics


Subject: Your genome may have already been hacked
Source: The Conversation
https://theconversation.com/amp/your-genome-may-have-already-been-hacked-95763

On April 25, California law enforcement announced the possible capture of a long-sought serial killer. Shortly after, it was reported that police had used public DNA databases to determine his identity. This extraordinary event highlights that when you send off a cheek swab to one of the private genome companies, you may sacrifice not just your own privacy but that of your family and your ancestors. In a time of widespread anxiety over the misuse of social media, Americans should also be concerned over who has access to their genetic information. For-profit genome testing companies like 23andMe make money, in part, by selling anonymized genomic data. Many people may not realize that re-identifying genomes – that is, identifying an individual from their genetic profile – is a relatively straightforward process. In one study, researchers could re-identify five of 10 people, as well as their families.


Subject: U.S. Supreme Court to hear Google privacy settlement dispute
Source: Reuters via Yahoo
https://finance.yahoo.com/news/u-supreme-court-hear-google-privacy-settlement-dispute-133936041–finance.html

(Reuters) – The U.S. Supreme Court on Monday agreed to hear an internet privacy case involving Google that could put the brakes on an increasingly common form of settlement in class action suits that funnels money to unrelated third parties and charities instead of to people affected by the alleged wrongdoing.

The justices will take up an appeal by opponents, led by a conservative group, challenging the $8.5 million that Google agreed to pay in 2013 to settle claims that the search engine operator allowed other websites to see users’ search queries, violating their privacy rights. The settlement was upheld by a lower court. Google is part of Alphabet Inc.

The settlement awarded most of the money to universities and organizations that promote internet privacy but nothing to the millions of Google users who the plaintiffs were to have represented in the class action.


Subject: Twitter urges users to change their passwords after discovering a bug that revealed them internally
Source: The Washington Post
https://www.washingtonpost.com/news/the-switch/wp/2018/05/03/twitter-urges-users-to-change-their-passwords-after-discovering-a-bug-that-revealed-them-internally/

Twitter on Thursday encouraged its more than 330 million users to change their passwords after the company discovered a bug that revealed the passwords in an unencrypted form in an internal log.

Twitter said in a blog post that “we have no reason to believe password information ever left Twitter’s systems or was misused by anyone.” But the company urged users to take action “out of an abundance of caution.”

In tweets Thursday afternoon, Twitter’s chief technology officer, Parag Agrawal, apologized for the error and said: “We are sharing this information to help people make an informed decision about their account security.”


Subject: Who Owns the Data Your Car Collects?
Source: Consumer Reports
https://www.consumerreports.org/automotive-technology/who-owns-the-data-your-car-collects/

“Cars are generating so much data, and all of it is incredibly valuable,” says Joseph Jerome, policy counsel for the Center for Democracy & Technology. “Carmakers are champing at the bit to find ways to monetize it.”

And there’s potentially plenty of money to be made: A 2016 white paper from industry research and consulting firm McKinsey projects a $450 billion to $750 billion industry for automotive data by 2030.

The questions of who owns the data and what can be done with it have brought the privacy debate into the modern car cockpit.

Generally, the automakers promised to provide clear notice about what kind of data is collected and who is receiving it. Under the industry pri nciples, consumers can review historical data from subscription services and certain information about car performance, maintenance, and driver behavior. But privacy advocates say the guidelines aren’t specific enough about how and when car companies need to disclose their practices to consumers.

And owners may be surprised to find out that the manufacturer of their car can access much of the information that comes from their vehicle and can sometimes make it public.

DATA COLLECTION DONE RIGHT

[what happens when those vehicles are sold? /pmw1]


Subject: NIST challenge targets better de-identification techniques for public data
Source: Fedscoop
https://www.fedscoop.com/nist-unlinkable-data-challenge/

One barrier to opening up valuable government datasets is making sure that all necessary personally identifiable information (PII) is removed beforehand — a process called de-identification. It’s a balancing act intended to protect individuals’ privacy while maintaining the integrity of the data.

The National Institutes of Standards and Technology (NIST) says existing de-identification techniques aren’t good enough, however, and in a new challenge on Challenge.gov, the agency asking for ways to improve them.

“Currently popular de-identification techniques are not sufficient,” the challenge page reads. “Either PII is not sufficiently protected, or the resulting data no longer represents the original data. This competition is about creating new methods, or improving existing methods of data de-identification, in a way that makes de-identification of privacy-sensitive datasets practical.”

Articles tags:
Challenge.gov, database, data privacy, de-identification, National Institute of Standards and Technology, NIST, PII, unlinkable data

NB other scoop brands:
https://www.fedscoop.com/contact/

RSS feed for fedscoop:
https://www.fedscoop.com/feed/

RSS feed for topic PII:
https://www.fedscoop.com/tag/pii/feed/


Subject: Business Insider
Source: How to delete your DNA data from genetics companies like 23andMe and Ancestry //
http://www.businessinsider.com/how-to-delete-dna-genetic-data-2018-5

Investigators say they cracked the cold case of the Golden State Killer with help from data on a genetics website.The investigators revealed that  they uploaded a suspect’s raw DNA signature — sourced from an old crime scene sample — to a site called GEDmatch.

The case has raised privacy concerns among people who have submitted their DNA data to similar genetics sites. Here’s how to delete your DNA and data from 23andMe, Ancestry, and Helix.

The recent arrest in one of California’s most infamous serial-killer cases was based in large part on a DNA sample submitted to a genetics website by a distant relative of the suspect.

If that news has you concerned about the security of your own genetic material, you may be wondering how to delete it from genetic databases kept by popular genetics testing companies like 23andMe and Ancestry.

Those two databases were not used by investigators to track down Golden State Killer suspect Joseph James DeAngelo. Instead, investigators used a service called GEDmatch, which lets customers upload a raw DNA signature. Investigators created a profile for the suspect using DNA sourced from a long-stored crime scene sample, and found matches between DeAngelo’s crime scene DNA and the DNA of a distant family member.

23andMe, Ancestry, and Helix (National Geographic’s genetics service) only accept saliva samples for genetics testing — an easy way of obtaining DNA. But a similar company called Family Tree DNA could likely accept hair or blood, according to Joe Fox, an administrator for one of the company’s surname projects.

Whichever way a company gets your DNA, privacy advocates say there’s cause for concern. Although genetic data is ostensibly anonymized, companies can and do sell your data to third parties like pharmaceutical companies. From there, it could find its way elsewhere, advocates say. Here’s how to delete your data from a few of these services…

Posted in: Cybercrime, Cybersecurity, Healthcare, Medical Research, Privacy, Social Media