Pete Recommends – Weekly highlights on cyber security issues December 22 2018

Subject: El Chapo got wiretapped because the cartel’s IT guy screwed up
Source: VICE News
https://news.vice.com/en_us/article/439pv3/el-chapo-got-wiretapped-because-the-cartels-it-guy-screwed-upFrom the “never trust the system’s guy” dept …
The irony was that authorities were only able to obtain the call because the men were forced to use conventional cellphones while their secure network was down. Cifuentes called Cristián “an irresponsible person,” and said the engineer screwed up by forgetting to renew the license on the software they had purchased.

Subject: FEC: Lawmakers and staff may use campaign funds for personal cybersecurity
Source: FCW
https://fcw.com/articles/2018/12/14/fec-wyden-personal-cyber.aspx

The Federal Election Commission voted Thursday to allow members Congress to reallocate leftover campaign funds to protect personal electronic devices and accounts of members and staff.

FEC Commissioner Caroline Hunter wrote on behalf of the commission that spending on cyber hygiene and protective services would not constitute, “impermissible conversion of campaign funds to personal use.”

While members of Congress can draw from cybersecurity resources at the House and Senate Sergeant-At-Arms to protect their official devices and accounts, they were unable to do so for personal ones or those of their families.

RSS feed for site:
https://fcw.com/rss-feeds/all.aspx


Subject: Updated Trusted Internet Connection Draft Lays Framework For Flexible Policy
Source: Nextgov
https://www.nextgov.com/it-modernization/2018/12/updated-trusted-internet-connection-draft-lays-framework-flexible-policy/153571/

The White House released a draft Friday of its revamped Trusted Internet Connection policy—the last of the administration’s 2018 IT management updates. The policy directs the Homeland Security Department to create a set of case studies for how agencies can establish safe connections to various networks, though the draft offers little insight into what that guidance will look like.

Among a slew of IT management policy updates this fall, TIC 3.0 is one of the more nuanced and complicated, as the administration tries to rectify the dissonance of protecting the network perimeter at a time when the idea of a network boundary is becoming less tangible.

The policy update focuses on helping “us streamline agency efforts to move to multicloud environments where we need to look at a different approach to security and storage,” Federal Chief Information Officer Suzette Kent said during an event Thursday hosted by the Center for Strategy and International Studies.

The draft issued Friday is less an actual policy for agencies to follow and more of a roadmap for the Homeland Security’s guidance, which is forthcoming.

Topics:

Site RSS feed:
https://www.nextgov.com/rss/all/


Subject: New Zealand Official Blasts Google for Publishing Name of Murder Suspect in Trending Newsletter
Source: New York Times via Gizmodo
https://gizmodo.com/new-zealand-officials-blast-google-for-publishing-name-1831122720

The government of New Zealand “admonished” search giant Google for publicizing the name of a man charged in the killing of backpacker Grace Millane in Auckland, with justice minister Andrew Little demanding that the company change its algorithms to prevent it from happening again in the future, the New York Times reported on Friday.

According to the Times, at issue are laws designed to ensure a fair trial by allowing a criminal defendant to request their identity be withheld from publication.

Other GOOGLE articles in Gizmodo:
https://gizmodo.com/c/google

Site RSS feed:
https://gizmodo.com/rss


Subject: Russia and 2016: Troll group sought to recruit ‘assets’ through social media, Senate told
Source: CNN Business
https://www.cnn.com/2018/12/17/tech/russia-2016-election-social-media-report/index.html

In one instance, through its page “Army of Jesus,” which was targeting Christians, the group offered “free counseling to people with sexual addiction,” New Knowledge found.

The phony counseling service could have created an opportunity to blackmail or manipulate individuals who availed of it, the report notes. “Recruiting an asset by exploiting a personal vulnerability — usually a secret that would inspire shame or cause personal or financial harm if exposed — is a timeless espionage practice,” it says.

New Knowledge says that it is not known whether anyone took up the offer of counseling.

CNN has previously reported that the IRA co-opted unsuspecting Americans to coordinate protests in the U.S., in one instance even paying a Florida man to build a cage to bring to an event advocating for the imprisonment of Hillary Clinton.


Subject: The CEO of Blue Shield of California has a warning for Amazon in healthcare
Source: Business Insider
https://www.businessinsider.com/blue-shield-california-ceo-warning-amazon-healthcare-2018-12

“One of the things, I’d say an admonition, to all those companies including Amazon is that the privacy standards around data are a lot higher in healthcare than they are in other businesses,” Markovich said.


Subject: Information Security: Agencies Need to Improve Implementation of Federal Approach to Securing Systems and Protecting against Intrusions
Source: US GAO
https://www.gao.gov/products/GAO-19-105

Federal agencies reported 35,277 cybersecurity incidents for their IT systems in FY 2017.

While agencies have gotten better at preventing and detecting intrusions into their systems, they are still vulnerable to attacks such as “phishing”—emails designed to trick staff into clicking malicious links. Moreover, many agencies have not yet fully implemented effective security programs or practices, leaving them vulnerable to future attacks.

We recommended that the Department of Homeland Security and the Office of Management and Budget help agencies improve their intrusion detection and prevention capabilities.


Subject: Turning Off Facebook Location Services Doesn’t Stop Tracking
Source: Gizmodo
https://gizmodo.com/turning-off-facebook-location-tracking-doesnt-stop-it-f-1831149148

Korolova thought Facebook must be getting her location information from the IP addresses she used to log in from, which Facebook says it collects for security purposes. (It wouldn’t be the first time Facebook used information gathered for security purposes for advertising ones; advertisers can target Facebook users with the phone number they provided for two-factor protection of their account.) As the New York Times recently reported, lots of apps are tracking users’ movements with surprising granularity. The Times suggested turning off location services in your phone’s privacy settings to stop the tracking, but even then the apps can still get location information, by looking at the wifi network you use or your IP address.

When asked about this, Facebook said that’s exactly what it’s doing and that it considers this a completely normal thing to do and that users should know this will happen if they closely read various Facebook websites.

“There is no way for people to opt out of using location for ads entirely,” said a Facebook spokesperson by email. “We use city and zip level location which we collect from IP addresses and other information such as check-ins and current city from your profile to ensure we are providing people with a good service—from ensuring they see Facebook in the right language, to making sure that they are shown nearby events and ads for businesses that are local to them.”

At this point, Facebook disagrees. It feels IP address is a rough approximation of location that is forgivable to use. To avoid this, you could stop using the Facebook app on your phone (where IP addresses tend to be more precisely mapped) or use a VPN when you log into Facebook. Or, of course, there’s always the option to quit Facebook altogether.

NB other FB articles on Gizmodo:
https://gizmodo.com/c/facebook

Gizmodo RSS feed
https://gizmodo.com/rss


Subject: Essay – It’s Time for a Bill of Data Rights
Source: MIT Technology Review via beSpacific
https://www.bespacific.com/essay-its-time-for-a-bill-of-data-rights/

This essay argues that “data ownership” is a flawed, counterproductive way of thinking about data. It not only does not fix existing problems; it creates new ones. Instead, we need a framework that gives people rights to stipulate how their data is used without requiring them to take ownership of it themselves. The Data Care Act, a bill introduced on December 12 by US senator Brian Schatz, a Democrat from Hawaii, is a good initial step in this direction (depending on how the fine print evolves). As Doug Jones, a Democratic senator from Alabama who is one of the bills cosponsors, said, “The right to online privacy and security should be a fundamental one.” The notion of “ownership” is appealing because it suggests giving you power and control over your data. But owning and “renting” out data is a bad analogy. Control over how particular bits of data are used is only one problem among many. The real questions are questions about how data shapes society and individuals. Rachel’s story will show us why data rights are important and how they might work to protect not just Rachel as an individual, but society as a whole…” [h/t Alan Rothman]

In beSpacific
Subjects: Civil Liberties, Congress, Cybercrime, Cybersecurity, Internet, Legal Research, Legislation, Privacy, Social Media

MIT T.R. topic:
https://www.technologyreview.com/topic/connectivity/

Various T.R. RSS feeds:
https://www.technologyreview.com/rss/

E.g., T.R. RSS feed topic COMPUTING:
https://www.technologyreview.com/c/computing/rss/

[sorry, none for Connectivity /pmw1]


Subject: Amazon accidentally sends Alexa recordings to wrong person
Source: Business Insider
https://www.businessinsider.com/amazon-sends-alexa-shower-recordings-to-wrong-person-2018-12

  • Amazon accidentally sent 1,700 recordings of someone speaking to Alexa to the wrong person, according to a German magazine.
  • The magazine said that the recordings had lots of personal information and that it was easily able to find the person whose data was leaked.
  • The episode underscores that Amazon stores audio files when you speak to Alexa.
  • “This was an unfortunate case of human error and an isolated incident,” Amazon said in a statement. “We have resolved the issue with the two customers involved and have taken steps to further improve our processes. We were also in touch on a precautionary basis with the relevant regulatory authorities.”

It turns out that Amazon had not contacted him about the data breach, but as his story was about to become public, Amazon gave him new Echo devices and a Prime membership, according to the report.

The story underscores that Amazon does record and store your voice when you speak to Alexa. You can check what you’ve said to Alexa at Amazon.com/alexaprivacy and delete portions or the entirety of the stored audio files.


Subject: Hackers Find a Way to Bypass Gmail Two-Factor Authentication
Source: Digital Trends
https://www.digitaltrends.com/computing/hackers-bypass-two-factor-authentication-gmail/

Two-factor authentification has been hailed as a significant move forward in providing online security, letting us log in with confidence to sites such as Gmail. Websites that once required an insecure password now need a complex password with a second form of authentication from a mobile device, or implement other two-factor systems. However, as with everything, two-factor authentication isn’t impervious to flaws, and a new report by Amnesty International details how hackers have been phishing two-factor codes.

The Amnesty International report noted that hackers have begun to utilize an automated process that occurs by first phishing your password from a fraudulent website, then submitting the password to Gmail, triggering a two-factor text message, and finally having you submit that message into the fraudulent site.

Because some systems don’t requiring a user to re-authenticate for switching off two-factor, hackers can then quickly walk away with your account. Even without taking full control of an account, hackers can generate app-specific passwords, secondary passwords that can be used to access two-factor accounts without needing to re-authenticate each time.


Subject: Market volatility: Fake news spooks trading algorithms
Source: ZDNet
https://www.zdnet.com/article/market-volatility-fake-news-spooks-trading-algorithms/

Stock trading algorithms know how to read news headlines, but they don’t know what’s real.

Fake news and inaccurate headlines may have contributed to recent stock market volatility, as trading algorithms try to interpret market-related news.

Hugh Son, at CNBC reported that in a note written to clients by J.P. Morgan Chase’s top quant, Marko Kolanovic, blamed a media landscape that’s a mix of real and fake news, which makes it easy for others to amplify negative news. The effects can be seen that, in spite of a booming economy and positive signals, the markets are reacting strongly to this mix of negative news.

Topic: Artificial Intelligence

Related Topics:
Security Digital Transformation CXO Internet of Things Innovation Enterprise Software

Posted in: AI, Cybercrime, Cybersecurity, Economy, Email, Financial System, Privacy, Social Media