Pete Recommends – Weekly highlights on cyber security issues October 14 2018

Editor’s Preface: Most of these columns by Pete Weiss reference RSS feeds that he identified on each respective web site that he is highlighting, or via his expert research.  To learn more about the value of using RSS, please see Pete’s LLRX article on this topic – What is RSS and How to Use it Effectively.


Subject: Manufacturing expert says it’s possible that spies could insert malicious chips into servers.
Source: Business Insider
https://www.businessinsider.com/manufacturing-expert-possible-spies-insert-malicious-chips-servers-2018-10

  • Could spies actually insert malicious chips into server circuit boards, as alleged in a bombshell Bloomberg report?
  • Even if the story isn’t completely accurate, it’s plausible, a manufacturing expert explains.

Could Chinese spies covertly insert malicious chips into computer circuit boards sold in the United States to the military, Apple, and Amazon? It’s a wild possibility to think about — but that’s exactly what Bloomberg reported in a deeply reported investigative story this week. It claimed that a supplier named SuperMicro, which manufactures the motherboards, was infiltrated by the spies several years ago.

[but] Muddying the waters, all parties involved vigorously deny the report even as Bloomberg stands by its reporting. Amazon said the inaccuracies are “hard to count.” Apple published a rare 750-word statement in response, calling the report untrue.


Subject: How to Find Hidden Cameras in Your Airbnb Rental
Source: Digital Trends
https://www.digitaltrends.com/home/how-to-find-hidden-cameras/

Is someone watching you? Use these tips to make sure your Airbnb rental is camera-free Let’s face it, there are creepy people in the world. That’s why we lock our doors at night, and why we don’t want to walk alone in a dark alleyway. When we rent a place, like a hotel or vacation home, we typically don’t expect someone to be watching us. We expect a rental space to be private, so we can go about our regular routines in private, undress in private, and be intimate with our partner in private. It’s one thing to have security cameras to protect property and provide safety on the outside of buildings, but it’s something else to have hidden cameras in areas like bathrooms and bedrooms.

Voyeurism isn’t all that unheard of though. In Toronto, a couple recently found a hidden camera inside of an alarm clock in their Airbnb rental. The camera was pointing toward the bed. The couple’s experience is just one of many, as several reports of Airbnb hidden cameras have surfaced over the past few years. As disturbing as it is to hear about incidences like these, keep in mind these cases are the exception and not the norm. If you’re worried about someone filming you in your Airbnb rental, here are some steps you can take to make sure your rental space isn’t under surveillance.

Editors’ Recommendations:


Subject: Democrats Drop ‘Internet Bill of Rights’ to Entice Voters Sick of Facebook’s Crap
Source: Gizmodo – Tech Policy
https://gizmodo.com/democrats-drop-internet-bill-of-rights-to-entice-voters-1829559542

Hoping to seize upon the universal disdain the electorate feels for tech companies that abuse their privacy, the Democrats have concocted a plan to beat back the data vampires—a little incentive for those still on the fence in this November election. They’re calling it an “Internet Bill of Rights.”

Laid out in a New York Times column Friday, Rep. Ro Khanna, Democrat of California, has proposed a series of 10 principals that, should his party reclaim control of the House of Representatives, he hopes to pass next year in the form of law. Khanna’s list states foremost that users should have access to all of the information collected about them by private companies and full knowledge of how that information is being used. It further states that Americans have the right to opt-in consent with regard to the collection and sharing of their personal data.

Below are the ten principals that make up Khanna’s draft bill of rights.

Tech Policy articles from Gizmodo: https://gizmodo.com/c/tech-policy


Subject: Is This True? A Fake News Database
Source: Politico
https://www.politico.com/interactives/2018/is-this-true/

Disinformation is everywhere. We’re tracking it down and explaining why it’s fake, where it appeared and who shared it. We’re asking readers to submit hoaxes [bogus, fabricated reports]impostors [websites or social media content masquerading as known, reliable news sources] and doctored items [visuals altered to deliberately misinform]. Read more about the project and share disinformation you see.

This article tagged under:


Subject: Voice Phishing Scams Are Getting More Clever
Source: Krebs on Security via beSpacific
https://www.bespacific.com/voice-phishing-scams-are-getting-more-clever/

Krebs on Security: “Most of us have been trained to be wary of clicking on links and attachments that arrive in emails unexpected, but it’s easy to forget scam artists are constantly dreaming up innovations that put a new shine on old-fashioned telephone-based phishing scams. Think you’re too smart to fall for one? Think again: Even technology experts are getting taken in by some of the more recent schemes (or very nearly)…”

beSpacific Subjects: Cybercrime, Cybersecurity, Privacy

Krebs Tags: Cabel Sasser, caller ID spoofing, Matt Haughey, MetaFilter, Panic Inc., phone phishing, Slack, phvishing

RSS feeds available for Tags e.g.,
https://krebsonsecurity.com/tag/phone-phishing/

RSS feed for this article’s COMMENTS:
https://krebsonsecurity.com/2018/10/voice-phishing-scams-are-getting-more-clever/feed/


Subject: Weapon Systems Cybersecurity: DOD Just Beginning to Grapple with Scale of Vulnerabilities
Source: U.S. Government Accountability Office (GAO)
https://www.gao.gov/products/GAO-19-128

In recent cybersecurity tests of major weapon systems DOD is developing, testers playing the role of adversary were able to take control of systems relatively easily and operate largely undetected. DOD’s weapons are more computerized and networked than ever before, so it’s no surprise that there are more opportunities for attacks. Yet until relatively recently, DOD did not make weapon cybersecurity a priority. Over the past few years, DOD has taken steps towards improvement, like updating policies and increasing testing. Federal information security—another term for cybersecurity—has been on our list of High Risk issues since 1997. Today’s weapon systems are heavily computerized, which opens more attack opportunities for adversaries (represented below in a fictitious weapon system for classification reasons).

Explore our Key Issues on National Defense – GAO RSS Feeds:

https://www.gao.gov/about/contact-us/stay-connected/
e.g., National Defense:
https://www.gao.gov/rss/topic/National_Defense


Subject: FBI chief says threats from drones to U.S. ‘steadily escalating’
Source: Reuters via Yahoo!
https://www.yahoo.com/news/fbi-chief-says-threats-drones-u-steadily-escalating-154629883.html

WASHINGTON (Reuters) – FBI director Christopher Wray told a U.S. Senate panel on Wednesday that the threat from drones “is steadily escalating” even as Congress gives agencies new tools to address threats.

Wray told the Senate Homeland Security committee that the FBI assesses that “given their retail availability, lack of verified identification requirement to procure, general ease of use, and prior use overseas, (drones) will be used to facilitate an attack in the United States against a vulnerable target, such as a mass gathering.” Wray made his comments days after President Donald Trump signed into law legislation that gives the Department of Homeland Security (DHS) and the FBI new powers to disable or destroy drones that pose a threat to government facilities.

Senator Ron Johnson, who chairs the committee, said earlier this year that the number of drone flights over sensitive areas or suspicious activities has jumped from eight incidents in 2013 to an estimated 1,752 incidents in 2016, citing federal statistics…


Subject: NCCIC Releases Joint Alert on Worldwide Malicious Activity Using Publicly Available Tools
Source: DoHS US-CERT
https://www.us-cert.gov/ncas/current-activity/2018/10/11/NCCIC-Releases-Joint-Alert-Worldwide-Malicious-Activity-Using

NCCIC, in collaboration with the Australian Cyber Security Centre, the Canadian Centre for Cyber Security, the New Zealand National Cyber Security Centre, and the United Kingdom National Cyber Security Centre, has released a joint Activity Alert that highlights five publicly available tools frequently observed in cyber incidents worldwide. The Activity Alert provides an overview of each tool, its capabilities, and recommended best practices network defenders can use to protect their networks against these tools.

NCCIC encourages users and administrators to review the joint Activity Alert AA18-284A: Publicly Available Tools Seen in Cyber Incidents Worldwide for more information.

more alerts:
https://www.us-cert.gov/ncas/alerts

RSS:
https://www.us-cert.gov/ncas/alerts.xml


Subject: Removing Additional Inauthentic Activity from Facebook
Source: Facebook Newsroom
https://newsroom.fb.com/news/2018/10/removing-inauthentic-activity/

By Nathaniel Gleicher, Head of Cybersecurity Policy and Oscar Rodriguez, Product Manager 

People need to be able to trust the connections they make on Facebook. It’s why we have a policy banning coordinated inauthentic behavior — networks of accounts or Pages working to mislead others about who they are, and what they are doing. This year, we’ve enforced this policy against many Pages, Groups and accounts created to stir up political debate, including in the US, the Middle East, Russia and the UK. But the bulk of the inauthentic activity we see on Facebook is spam that’s typically motivated by money, not politics. And the people behind it are adapting their behavior as our enforcement improves. One common type of spam has been posts that hawk fraudulent products like fake sunglasses or weight loss “remedies.” But a lot of the spam we see today is different. The people behind it create networks of Pages using fake accounts or multiple accounts with the same names. They post click bait posts on these Pages to drive people to websites that are entirely separate from Facebook and seem legitimate, but are actually ad farms.

Facebook Newsroom RSS feed:
https://newsroom.fb.com/feed/


Subject: Do Courts Have Inherent Authority to Release Secret Grand Jury Materials?
Source: CRS Legal Sidebar via FAS via beSpecific
https://www.bespacific.com/do-courts-have-inherent-authority-to-release-secret-grand-jury-materials/

CRS Legal Sidebar via FAS – Do Courts Have Inherent Authority to Release Secret Grand Jury Materials? Michael A. Foster, Legislative Attorney, October 5, 2018. “The U.S. Constitution requires that any prosecution of a serious federal crime be initiated by “ a presentment or indictment of a Grand Jury.” The “[g]rand [j]ury” contemplated by the Constitution is a temporary, citizen-comprised body that obtains evidence and considers whether it is sufficient to justify criminal charges in a particular case. Though a grand jury works with federal prosecutors and functions under judicial auspices, it is considered an independent“ constitutional fixture in its own right ” that“ belongs to no branch of the institutional Government, serving as a kind of buffer…between the Government and the people.” One long-established principle that has been deemed essential to the grand jury’s functioning and independence is that matters occurring before it are to be kept secret.

beSpacific Subjects: Courts, Government Documents, Legal Research, Privacy

CRS Reports on Secrecy and Information Policy:
https://fas.org/sgp/crs/secrecy/

Orther CRS Reports:
https://fas.org/sgp/crs/index.html


Subject: How to get in touch with loved ones during and after a disaster
Source: AccuWeather and Ready.gov
https://www.accuweather.com/en/weather-news/how-to-get-in-touch-with-loved-ones-during-and-after-a-disaster/70005400

The Department of Homeland Security’s Ready.gov recommends discussing four main topics, including the shelter plan, evacuation route, communication plan and how you’ll receive emergency alerts or warnings.

The Federal Emergency Management Agency (FEMA) offers a family communication plan template to simplify the process of creating an emergency strategy.

“The plan should include what the family will do if an event occurs – ‘What do we do?’, ‘Where do we go?’”, said Dr. Steve Goldman, an instructor and crisis management expert at the Massachusetts Institute of Technology.

“If the disaster is local, they should discuss whether to meet at home, with a friend or a neighborhood landmark, and if the neighborhood is in trouble, then maybe a nearby hospital or a community center,” Goldman said.

Designating a leader to implement the emergency plan can help a family stay organized when disaster strikes, according to Goldman.

RELATED:
Evacuation checklist: How to get your family out safely in the face of an imminent disaster
6 ways to prepare now for hurricanes
Why you should evacuate ahead of a hurricane
Psychology of warnings: Why do people ignore important weather alerts?

“A lot of community organizations, like the Red Cross, have these resource lists available online, but I would suggest printing them out in case the internet is down,” Lindsey said.


Subject: 23andMe and Ancestry genetic tests are making it extremely easy for cops to track all white people
Source: VICE News
https://news.vice.com/en_us/article/qv9mmm/23andme-and-ancestry-genetic-tests-are-making-it-extremely-easy-for-cops-to-track-all-white-people

So many white people have bought into consumer genetic testing that it’s now possible for law enforcement agencies to use genetic data to hunt down virtually anyone of European descent — even if they’ve never spit in a trendy tube themselves — by tracking their distant relatives who have already been lured to companies like 23andMe and Ancestry.com. According to a study published in the academic journal Science, it’s not all that difficult to find someone in the U.S. based on existing, easily accessible ancestral data.

“Each individual in the database is like a beacon of genetic information, and this beacon illuminates hundreds of individuals — distant relatives connected to this person via their family tree,” Yaniv Erlich, the chief science officer of the genetics company MyHeritage and lead author of the Science study, told the Washington Post.

RSS feed:
https://news.vice.com/en_us/rss

Posted in: Cybersecurity, E-Government, Government Resources, Privacy, RSS Newsfeeds, Terrorism
CLOSE
CLOSE