Pete Recommends – Weekly highlights on cyber security issues December 15 2018

Subject: U.S. will charge Chinese hackers with widespread attacks on tech service providers

Chinese intelligence services have spent years trying to hack the managed service providers that remotely administer IT systems for large companies, according to warnings from the Department of Homeland Security and PwC. Access to these providers’ systems would give the hackers a jumping-off point into the databases of their primary targets, exposing vast troves of sensitive corporate data.

The charges are the latest example of a broad pressure campaign against Beijing over its theft of U.S. trade secrets. At DOJ, a new “China Initiative” will prioritize Chinese IP theft cases, including government-backed hacking. On Oct. 30, the U.S. indicted Chinese intelligence officers and their hired hackers for trying to steal a wide range of intellectual property, including plans for a jet engine.

Subject: How to delete old tweets from Twitter
Source: Business Insider

  • In case you haven’t noticed, it doesn’t pay to keep around your old tweets — just ask James Gunn, or Kevin Hart.
  • People have lost their jobs or seriously damaged their careers because old, immature, or otherwise inappropriate tweets were unearthed.
  • The things you say on the internet generally follow you — especially on Twitter.
  • If you’re using Twitter, and you care at all about your career, you should be deleting your old tweets on a regular basis.
  • Thankfully, there are some easy ways, and even some services, to do just that.

Subject: How to Avoid Buying Counterfeit Products Online
Source: Consumer Reports

There’s a growing risk that the brand you buy online is actually a fake. Here’s how to protect yourself.

The sale of fake brand-name goods, which once seemed limited to occasional street carts and going-out-of-business stores, has increasingly expanded to major e-commerce platforms, such as Amazon and The problem encompasses a wide range of products, everything from electronics to cosmetics to household items.

The odds of encountering counterfeits can be especially high if you buy through a third-party vendor—meaning other sellers besides the brand or the authorized retailer—on an online marketplace, according to a recent study by the U.S. Government Accountability Office.

After buying and testing products from third-party vendors on five popular online consumer websites, the GAO found that 20 out of 47 brand-name products purchased—including shoes, travel mugs, cosmetics, and UL-certified chargers—were counterfeit. For three of the four product types, at least one item that was purchased was determined to be counterfeit, according to the study.

[too bad that authorized dealers aren’t linked to the product page at sites such as Amazon /pmw1]

Subject: Cybercrime and malware, 2019 predictions
Source: ZDNet

2019 Predictions

It has now become a tradition among cyber-security firms to issue a series of predictions for the upcoming year. While some companies have their malware analysts or their CEOs put out small lists of predictions, others go completely overboard with podcasts and 100-page reports that are just a few pages short of a full book.

ZDNet’s Zero Day security blog has taken a look over most of these reports, has even reached out to some selected researchers, and has compiled a list of predictions we also agree are most likely to happen next year. If users would like to take a deeper dive into these predictions, here’s a list of the reports we’ve pooled for this gallery: McAfee, Forrester, RiskIQ, Kaspersky Lab [1, 2, 3], WatchGuard, Nuvias, FireEye, CyberArk, Forcepoint, Sophos, and Symantec.

Also, we have skipped APT, cyber-espionage, and cyberwar predictions, as we have dedicated a special article for those.

Subject: How to Stop Package Thieves
Source: Digital Trends

During 2016-17, nearly one in five people in the U.S. had a package stolen, and the holidays are a time when package thefts tend to spike. Most people trying to thwart porch pirates already know tricks regarding delivery options, like requiring a signature, using Amazon Locker, or scheduling a delivery when they’re home. But, with some of those options, you lose out on the convenience that online shopping is supposed to provide. How can you protect yourself from porch pirates this holiday season? Here are some tips to help prevent package theft.

Subject: Your Apps Know Where You Were Last Night, and They’re Not Keeping It Secret
Source: NY Times — Interactive

An app on the device gathered her location information, which was then sold without her knowledge. It recorded her whereabouts as often as every two seconds, according to a database of more than a million phones in the New York area that was reviewed by The New York Times. While Ms. Magrin’s identity was not disclosed in those records, The Times was able to easily connect her to that dot.

The app tracked her as she went to a Weight Watchers meeting and to her dermatologist’s office for a minor procedure. It followed her hiking with her dog and staying at her ex-boyfriend’s home, information she found disturbing.

“It’s the thought of people finding out those intimate details that you don’t want people to know,” said Ms. Magrin, who allowed The Times to review her location data.

Like many consumers, Ms. Magrin knew that apps could track people’s movements. But as smartphones have become ubiquitous and technology more accurate, an industry of snooping on people’s daily habits has spread and grown more intrusive.

To evaluate location-sharing practices, The Times tested 20 apps, most of which had been flagged by researchers and industry insiders as potentially sharing the data. Together, 17 of the apps sent exact latitude and longitude to about 70 businesses. Precise location data from one app, WeatherBug on iOS, was received by 40 companies. When contacted by The Times, some of the companies that received that data described it as “unsolicited” or “inappropriate.”

“There are really no consequences” for companies that don’t protect the data, he said, “other than bad press that gets forgotten about.”

Subject: CBP Officers Aren’t Deleting Data After Warrantless Device Searches, IG Says
Source: Nextgov

An inspector general report found Border Patrol officers didn’t follow standard procedures during device searches, mostly because those procedures weren’t clearly laid out.

“Based on our physical inspection, as well as the lack of a written policy, it appears [the Office of Field Operations] has not universally implemented the requirement to delete copied information, increasing the risk of unauthorized disclosure of travelers’ data should thumb drives be lost or stolen,” the report states.

For their part, Schwartz said EFF was heartened by the fact that the investigation took place and considers the recommendations sound. That said, the foundation would like CBP and the IG to go further.

“I would say it is good the inspector general has done this study and brought these issues to light,” he said. “But our primary reaction is concern that there are so many problems concerning how they’re gathering and storing this sensitive traveler information.”

Subject: House Cmte Investigation Issues Scathing Report on Equifax Breach
Source: The Hill via beSpacific

The Hill: “The House Oversight and Government Reform Committee, following a 14-month probe, released a scathing report Monday saying the consumer credit reporting agency aggressively collected data on millions of consumers and businesses while failing to take key steps to secure such information. The breach is estimated to have harmed 148 million consumers.

Subject: Machine learning identifies cryptocurrency scams before they happen
Source: MIT Technology Review via beSpacific

MIT Technology Review – Pump-and-dump schemes have become increasingly common in cryptocurrency markets. Now security researchers have learned how to spot them in advance.

beSpacific Subjects: AI, Economy, Financial System

Subject: Marriott Data Breach Is Traced to Chinese Hackers as U.S. Readies Crackdown on Beijing
Source: The New York Times

WASHINGTON — The cyberattack on the Marriott hotel chain that collected personal details of roughly 500 million guests was part of a Chinese intelligence-gathering effort that also hacked health insurers and the security clearance files of millions more Americans, according to two people briefed on the investigation.

The hackers, they said, are suspected of working on behalf of the Ministry of State Security, the country’s Communist-controlled civilian spy agency. The discovery comes as the Trump administration is planning actions targeting China’s trade, cyber and economic policies, perhaps within days.

Those moves include indictments against Chinese hackers working for the intelligence services and the military, according to four government officials who spoke on the condition of anonymity. The Trump administration also plans to declassify intelligence reports to reveal Chinese efforts dating to at least 2014 to build a database containing names of executives and American government officials with security clearances.

Other options include an executive order intended to make it harder for Chinese companies to obtain critical components for telecommunications equipment, a senior American official with knowledge of the plans said.

Subject: How HTTPS Everywhere Keeps Protecting Users On An Increasingly Encrypted Web
Source: EFF via beSpacific

EFF: “Way back in 2010, we launched our popular browser extension HTTPS Everywhere as part of our effort to encrypt the web. At the time, the need for HTTPS Everywhere to protect browsing sessions was as obvious as the threats were ever-present. The threats may not be as clear now, but HTTPS Everywhere is still as important to users as ever. In 2010, HTTPS Everywhere was a novel extension. It allowed users to automatically use the secure version of websites that offered both insecure HTTP and secure, encrypted HTTPS. Sites such as Google had only recently exposed to users the option to search using HTTPS. Facebook had not yet allowed users to browse the site securely. The dangers of insecure browsing were demonstrated by the powerful browser extension Firesheep, which intercepted HTTP packets and allowed attackers on the same WiFi network as their victims to hijack browsing sessions when logged in to popular sites. Firesheep provided a simple point-and-click interface to perform this “session hijacking” attack – no need for terminal screens or complicated command-line tools. Tools with similar functionality had existed for a while, but anyone could install Firesheep with minimal effort.

Subjects: Cybercrime, Cybersecurity, Internet

Posted in: Civil Liberties, Congress, Cybercrime, Cybersecurity, E-Commerce, Financial System, Legal Research, Privacy