Pete Recommends – Weekly highlights on cyber security issues July 28 2018

Subject: INFOdocket / Library Journal – Gary Price
Source: Oxford Internet Institute via LJ infoDOCKET

From the Executive Summary: The manipulation of public opinion over social media platforms has emerged as a critical threat to public life. Around the world, a range of government agencies and political parties are exploiting social media platforms to spread junk news and disinformation, exercise censorship and control, and undermine trust in the media, public institutions, and science. At a time when news consumption is increasingly digital, artificial intelligence, big data analytics, and “blackbox” algorithms are being leveraged to challenge truth and trust: the cornerstones of our democratic society. In 2017, the first Global Cyber Troops inventory shed light on the global organization of social media manipulation by government and political party actors.

This 2018 report analyses the new trends of organized media manipulation, and the growing capacities, strategies and resources that support this phenomenon…

Subject: Why social media has taken over your life—and you need to sign off now

Jaron Lanier says social media is turning us into highly manipulable addicts. The only solution is for users to pay—and own their own data.

For those who worry social media is running—or ruining—their lives, tech guru Jaron Lanier offers no reassurance. However, he does have a plan. In his wryly titled new book, Ten Arguments for Deleting Your Social Media Accounts Right Now, Lanier sets out why he believes the likes of Facebook, Instagram and Twitter are making their users more belligerent and less happy, and he suggests an entirely new system whereby the programs are responsible to their users.

Q: The likes of Facebook do make it hard for you to see anything posted to their service if you don’t have an account. Is there a productive way of using these services without giving too much away?

A: I’ve gotten this question from world leaders and all kinds of prominent people: “Well, I only use social media in this very limited way. Is there a problem?” And yeah, there is. Let’s say you never post on Twitter at all; you just have an account. You’re still under surveillance based on what you look at. If you use any of the Facebook[-owned] programs, including WhatsApp or Instagram or Messenger, you install software that puts you under constant surveillance, and then your data is adding to the machine, where correlations between you and people who have something in common with you are used to try to form better behaviour predictors so that people can be manipulated. The stream of stuff you see [on] the services is still designed to grab, addict and modify you, but also, you’re contributing to that effect for other people.

Subject: Doctors, hospitals sue patients posting negative online comments
Source: USA Today

CLEVELAND – Retired Air Force Colonel David Antoon agreed to pay $100 to settle what had been felony charges for emailing his former Cleveland Clinic surgeon articles the doctor found threatening, and for posting on Yelp a list of all the surgeries the urologist had scheduled at the same time as the one that left Antoon incontinent and impotent a decade ago.

He faced up to a year in prison.

Antoon’s 10-year crusade against the Cleveland Clinic and his urologist is unusual for its length and intensity, as is the extent to which Cleveland Clinic urologist Jihad Kaouk was able to convince police and prosecutors to advocate on his behalf.

“It would be great if the regulators of hospitals and doctors were more diligent about responding to harm to patients, but they’re not, so people have turned to other people,” says Lisa McGiffert, former head of Consumer Reports’ Safe Patient Project. “This is what happens when your system of oversight is failing patients.”

Experts say doctors take on extra risk when they resort to suing a patient.

Subject: ‘Data is a fingerprint’: why you aren’t as anonymous as you think online
Source: The Guardian – US Edition

So-called ‘anonymous’ data can be easily used to identify everything from our medical records to purchase histories

Names and other identifying features were removed from the records in an effort to protect individuals’ privacy, but a research team from the University of Melbourne soon discovered that it was simple to re-identify people, and learn about their entire medical history without their consent, by comparing the dataset to other publicly available information, such as reports of celebrities having babies or athletes having surgeries.

The government pulled the data from its website, but not before it had been downloaded 1,500 times.

In later work, Sweeney showed that 87% of the population of the United States could be uniquely identified by their date of birth, gender and five-digit zip codes.

“Location data is a fingerprint. It’s a piece of information that’s likely to exist across a broad range of data sets and could potentially be used as a global identifier,” De Montjoye said.
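What "comparing the dataset to other publicly available information" looks like in practice, as an added example for this digest (not code from the Guardian, the Melbourne team or Sweeney): a de-identified clinical table still carries date of birth, sex and ZIP code, and any public list that carries names beside the same three fields links to it wherever the combination is unique on both sides. Both tables below are constructed. The code also measures k-anonymity, the property Sweeney later formalised, before and after coarsening the fields, which is the usual defence.

```python
from collections import Counter, defaultdict

# Constructed sample data, not from the article or from any real release.
# "De-identified" clinical records: names stripped, quasi-identifiers kept.
RECORDS = [
    {"dob": "1961-07-22", "sex": "F", "zip": "02138", "diagnosis": "hypertension"},
    {"dob": "1961-07-22", "sex": "F", "zip": "02139", "diagnosis": "asthma"},
    {"dob": "1975-03-04", "sex": "M", "zip": "02138", "diagnosis": "diabetes"},
    {"dob": "1975-03-04", "sex": "M", "zip": "02138", "diagnosis": "migraine"},
]
# A public list that carries names alongside the same quasi-identifiers
# (Sweeney used a purchased voter roll; this one is constructed).
PUBLIC = [
    {"name": "Ann Smith", "dob": "1961-07-22", "sex": "F", "zip": "02138"},
    {"name": "Bea Jones", "dob": "1961-07-22", "sex": "F", "zip": "02139"},
    {"name": "Carl Lee",  "dob": "1975-03-04", "sex": "M", "zip": "02138"},
    {"name": "Dan Wu",    "dob": "1975-03-04", "sex": "M", "zip": "02138"},
]
QUASI = ("dob", "sex", "zip")


def key_of(row, quasi=QUASI):
    return tuple(row[field] for field in quasi)


def k_anonymity(rows, quasi=QUASI):
    """Smallest number of rows sharing one quasi-identifier combination.
    k == 1 means at least one person is unique on those fields."""
    return min(Counter(key_of(r, quasi) for r in rows).values())


def link(records, public, quasi=QUASI):
    """Re-identify by joining on the quasi-identifiers. A name is attached to
    a diagnosis only when the combination is unique on BOTH sides; otherwise
    the match is ambiguous and nothing is claimed."""
    by_key = defaultdict(list)
    for r in records:
        by_key[key_of(r, quasi)].append(r)
    names = defaultdict(list)
    for p in public:
        names[key_of(p, quasi)].append(p["name"])
    return {
        names[k][0]: by_key[k][0]["diagnosis"]
        for k in by_key
        if len(by_key[k]) == 1 and len(names.get(k, [])) == 1
    }


def generalize(row):
    """Coarsen the quasi-identifiers: birth year instead of full date,
    first three ZIP digits instead of five."""
    out = dict(row)
    out["dob"] = row["dob"][:4]
    out["zip"] = row["zip"][:3]
    return out


def reidentified_after_generalization(records=RECORDS, public=PUBLIC):
    return link([generalize(r) for r in records], [generalize(p) for p in public])


if __name__ == "__main__":
    print("k before:", k_anonymity(RECORDS))                    # 1
    print("linked:", link(RECORDS, PUBLIC))                     # two names exposed
    print("k after:", k_anonymity([generalize(r) for r in RECORDS]))  # 2
    print("linked after:", reidentified_after_generalization())  # {}
```

The point of the k value is that it is a property of the release, not of any one attacker: an organisation can compute it before publishing, and a k of 1 on date of birth, sex and ZIP is exactly the condition behind the 87% figure above.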

Subject: How to Secure Your Accounts With Better Two-Factor Authentication
Source: Wired

“Unfortunately, it isn’t that hard for thieves to impersonate you to your mobile phone carrier and hijack your mobile phone number—either with a phone call to customer support or walking into a phone store,” says Lorrie Cranor, a computer scientist at Carnegie Mellon University and former FTC technologist who had her own SIM stolen in 2016. Authenticator apps are not vulnerable to this problem, and thus are a more secure way to do two-factor verification.

Authy is among the most popular authenticator apps, but the password managers 1Password and LastPass offer the same function as well, if that helps you streamline. If you are heavily invested in Microsoft’s ecosystem, you might want Microsoft Authenticator. While they all differ somewhat in features, the core functionality is the same no matter which one you use.

Ed Note: DUO Mobile works well, too.

Subject: How to keep EHRs secure and safe from cybercriminals
Source: TechRepublic

Electronic healthcare records are in high demand with cybercriminals; however, there are ways for businesses handling EHRs to thwart the bad guys. Here are four tips for securing EHRs.

“Personal medical information remains one of the most sought-after types of data for cybercriminals to steal,” writes Brad Spannbauer in this MedPage Today commentary. “And while this should concern all of us as patients and consumers of healthcare services, it also creates a priority-one level of urgency for any healthcare provider that has not yet implemented the strongest measures possible to secure its patients’ data.”

The Accenture report Are You One Breach Away from Losing a Healthcare Consumer? based on the company’s 2017 Consumer Survey on Cybersecurity and Digital Trust, gives credence to Spannbauer’s claim, saying that approximately one-in-four consumers (26%) have had their EHR compromised in a data breach.

Spannbauer states that organizations suffering a data breach involving EHRs are in significant trouble, adding, “For healthcare organizations the stakes of a data breach can be enormous: steep fines and penalties from HIPAA regulators at the federal and state level, the potential for costly lawsuits, public outcry, and publicity damaging to a company’s reputation.”

Since the onus is on organizations that have been entrusted with patient EHRs, Spannbauer offers the following suggestions for securing the highly-sensitive digital files.

Subject: Identity Theft: IRS Needs to Strengthen Taxpayer Authentication Efforts
Source: U.S. GAO

IRS estimates that in 2016 criminals used false identities to try to claim billions in tax refunds. IRS kept $10.5 billion out of their hands, but criminals got at least $1.6 billion. To help address this high risk issue, IRS works to verify the identities of millions of taxpayers each year.

We reviewed IRS’s taxpayer authentication efforts and made 11 recommendations to help IRS stay ahead of fraudsters, including:

  • prioritizing its authentication initiatives,
  • estimating the funding and other resources it will need to implement these initiatives, and
  • developing a process to evaluate potential authentication technologies.

Subject: Google’s 85,000 employees all avoid phishing attempts with a $20 YubiKey security key
Source: Business Insider

In October 2017, Google launched an advanced protection program for people who may have the highest risk of being phished, including journalists, business leaders, and activists, using YubiKey devices. Google has worked with various industry groups, such as the FIDO Alliance, to develop security key technology called U2F.

A 2016 Google study showed that text-message or app-based two-factor authentication, sometimes called a “one-time password,” had an average failure rate of 3%, while the U2F security-key approach in the same study had a failure rate of 0%.

There are more details about how Google’s approach to authentication and login security is starting to pay off over at Krebs On Security.
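Why a security key stops the phish that a one-time code does not: the browser, not the web page, writes the requesting origin into the data the key signs, and the key pair the token uses is specific to that origin, so an assertion produced on a look-alike site cannot verify at the real one. The model below is an added example for this digest, not Google's or Yubico's code. It follows the U2F signing layout (hashed application parameter, user-presence byte, counter, hashed clientData) but substitutes an HMAC keyed from a device secret for the per-site ECDSA key pair so that it runs on the standard library alone; the origins and user name are constructed.

```python
import hashlib
import hmac
import json
import secrets
import struct


class Authenticator:
    """The security key. Real U2F holds a per-site ECDSA key pair; here the
    per-site key is derived from a device secret and 'signatures' are HMACs,
    a stand-in chosen only to avoid third-party crypto libraries."""

    def __init__(self):
        self.device_secret = secrets.token_bytes(32)
        self.counter = 0

    def _site_key(self, app_id: str) -> bytes:
        return hmac.new(self.device_secret, app_id.encode(), hashlib.sha256).digest()

    def register(self, app_id: str) -> bytes:
        return self._site_key(app_id)   # real U2F would hand back a public key

    def sign(self, app_id: str, client_data: bytes):
        self.counter += 1
        signed = (hashlib.sha256(app_id.encode()).digest()   # application parameter
                  + b"\x01"                                  # user-presence flag
                  + struct.pack(">I", self.counter)
                  + hashlib.sha256(client_data).digest())    # challenge parameter
        return self.counter, hmac.new(self._site_key(app_id), signed, hashlib.sha256).digest()


class Browser:
    """The browser writes the origin into clientData itself and only lets a
    page use an appId matching that origin (modelled here as appId == origin)."""

    def __init__(self, token: Authenticator, origin: str):
        self.token, self.origin = token, origin

    def get_assertion(self, challenge: str) -> dict:
        client_data = json.dumps({"typ": "navigator.id.getAssertion",
                                  "challenge": challenge,
                                  "origin": self.origin}, sort_keys=True).encode()
        counter, sig = self.token.sign(self.origin, client_data)
        return {"clientData": client_data, "counter": counter, "signature": sig}


class RelyingParty:
    def __init__(self, origin: str):
        self.origin = origin
        self.keys, self.counters, self.pending = {}, {}, set()

    def register(self, user: str, key: bytes):
        self.keys[user], self.counters[user] = key, 0

    def new_challenge(self) -> str:
        c = secrets.token_urlsafe(16)
        self.pending.add(c)
        return c

    def verify(self, user: str, a: dict) -> bool:
        cd = json.loads(a["clientData"])
        if cd.get("origin") != self.origin or cd.get("challenge") not in self.pending:
            return False                  # wrong site, or unknown/replayed challenge
        if a["counter"] <= self.counters[user]:
            return False                  # counter must advance (cloned-key check)
        signed = (hashlib.sha256(self.origin.encode()).digest() + b"\x01"
                  + struct.pack(">I", a["counter"])
                  + hashlib.sha256(a["clientData"]).digest())
        expected = hmac.new(self.keys[user], signed, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, a["signature"]):
            return False
        self.pending.discard(cd["challenge"])
        self.counters[user] = a["counter"]
        return True


def demo() -> dict:
    bank = RelyingParty("https://bank.example")   # constructed origin
    token = Authenticator()
    bank.register("alice", token.register(bank.origin))

    legit = bank.verify("alice", Browser(token, bank.origin).get_assertion(bank.new_challenge()))

    # Phishing: the attacker relays a genuine challenge to a look-alike site;
    # the victim's browser signs it with the phishing origin baked in.
    relayed = bank.new_challenge()
    stolen = Browser(token, "https://bank-login.example").get_assertion(relayed)
    phish = bank.verify("alice", stolen)

    # Rewriting clientData to claim the real origin does not help: the signature
    # covers the original clientData and was made with the phishing site's key.
    forged = dict(stolen, clientData=json.dumps(
        {"typ": "navigator.id.getAssertion", "challenge": relayed,
         "origin": bank.origin}, sort_keys=True).encode())
    return {"legit": legit, "phish": phish, "phish_forged": bank.verify("alice", forged)}


if __name__ == "__main__":
    print(demo())   # {'legit': True, 'phish': False, 'phish_forged': False}
```

Two independent checks defeat the relay: the relying party rejects any clientData whose origin is not its own, and even a forged origin fails because the token derived a different key for the look-alike site. That is the property a TOTP code lacks, and it is why a user who dutifully types a one-time code into a phishing page is still compromised while a security-key user is not.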

Subject: Close Isn’t Good Enough Under the Tax Code
Source: Ed Slott and Company, LLC

There’s an old saying that being close only counts in horseshoes and hand grenades. Such is the case with the U.S. Tax Code. In this arena, deadlines and timing really matter. Trying to do a 60-day rollover 61 days after the actual receipt of withdrawn funds doesn’t work. Taking your annual required minimum distribution on January 2nd, instead of December 31st, isn’t good enough.

Similarly, all of the exceptions to the 10% early distribution penalty contain specific requirements which must be met. Some exceptions apply to both IRAs and qualified plans whereas others are only available to one of the two. One of the most important requirements each exception shares is timing. For example, …

The takeaway here is that, under the Tax Code, timing matters. Deadlines are generally firm. Being close won’t get you a cigar, but it could give you an unwelcome tax bill.

Subject: Supreme Court struggles to define ‘searches’ as technology changes
Source: The Conversation

Beyond a physical inspection, what constitutes a search?

What the Fourth Amendment to the U.S. Constitution means when it protects citizens against an unreasonable search by government agents isn’t entirely clear. It certainly includes police physically entering a person’s home, but for almost 100 years, the Supreme Court has tried to define what else might qualify, including keeping the law up-to-date with new technologies – as a recent case illustrates.

In that case, the FBI used cellphone records to show that a crime suspect’s mobile phone had been near the location of several robberies. The agency had gotten those records, without a warrant, from the company that provided the suspect with mobile service. The suspect argued that because the records were so invasive of his privacy – by revealing his physical locations over a period of time – obtaining them should be considered a search under the Constitution, and therefore require a warrant. The Supreme Court agreed.

To someone like me, who teaches law students about the relationship between the Constitution and police investigations, this case is another milestone in the back-and-forth between the police and the citizenry over technology and privacy.

An early wiretapping case – As technology has developed, police have found new ways of collecting incriminating information without trespassing onto the suspect’s property. A century ago…

Posted in: Computer Security, Cybersecurity, Email Security, Healthcare, Privacy, Social Media