Pete Recommends – Weekly highlights on cyber security issues December 9 2018

Subject: Marriott Starwood hotel hack: How to find out if you were affected
Source: Business Insider

Additionally, Marriott says it will pay for guests to sign up for a year-long membership for WebWatcher software, which monitors where your personal information is shared online. However, this enrollment, as well as the availability of paid-for fraud consultation services and reimbursement coverage, is only available to customers in the U.S., U.K., and Canada.

Marriott also recommends that if you use the same or a similar password as the one associated with your SPG guest account, you should change it, and be on the lookout for any phishing emails asking for your login details.

Subject: U.S. wants new aviation standard to expand passenger data collection
Source: Reuters via Yahoo

MONTREAL (Reuters) – The United States is pushing for a new global aviation standard by late 2019 that would expand the collection of passenger records from airlines, a high-ranking State Department official said on Friday, in a move that would help combat terrorism while raising privacy concerns.

Nathan Sales, the U.S. counter-terrorism coordinator, urged the United Nations’ aviation agency in Montreal “to act with all deliberate speed” to come up with a new standard that would vastly expand the number of countries that collect passenger information like frequent flyer numbers, email addresses and credit card booking information.

The International Civil Aviation Organization (ICAO) cannot impose rules on governments, but wields clout through its safety and security standards, which are made mandatory through domestic legislation passed by its 192 member states.

The U.S.-led effort follows a 2017 U.N. Security Council Resolution that creates new obligations for countries to deter terrorist travel.

Henrik Hololei, director general for Mobility and Transport at the European Commission, told Reuters in an interview that any ICAO standard would have to comply “with data protection rules in Europe.”

Subject: Marriott Breach is Reminder of Need for Stronger Data Security Laws
Source: Consumer Reports

Justin Brookman, director of privacy and technology policy for Consumer Reports, said, “We see breach after breach, and they generate a lot of headlines, but they still haven’t generated enough action by government and industry to curb the problem and hold companies accountable. The details of the Marriott breach are still rolling out, but the size alone is another reminder of why we need Congress and states to put stronger data security requirements in place for companies that collect so much private information about us. Fewer than half the states have general data security requirements, and federal protections are unclear and contested.”

Issues Tech & Privacy

[sorry: no topical RSS feeds /pmw1]

Subject: How The Wall Street Journal is preparing its journalists to detect deepfakes
Source: Nieman Journalism Lab

“We have seen this rapid rise in deep learning technology and the question is: Is that going to keep going, or is it plateauing? What’s going to happen next?”

Artificial intelligence is fueling the next phase of misinformation. The new type of synthetic media known as deepfakes poses major challenges for newsrooms when it comes to verification. This content is indeed difficult to track: Can you tell which of the images below is a fake?

We at The Wall Street Journal are taking this threat seriously and have launched an internal deepfakes task force led by the Ethics & Standards and the Research & Development teams. This group, the WSJ Media Forensics Committee, is comprised of video, photo, visuals, research, platform, and news editors who have been trained in deepfake detection. Beyond this core effort, we’re hosting training seminars with reporters, developing newsroom guides, and collaborating with academic institutions such as Cornell Tech to identify ways technology can be used to combat this problem.

Here’s an overview for journalists of the insights we’ve gained and the practices we’re using around deepfakes.

Subject: Who lives with you? Facebook seeks to patent software to figure out profiles of households
Source: Los Angeles Times

[I thought NSA already did this? or even those free online telephone lookup in more limited fashion? /pmw1]

Facebook Inc. is applying to patent software that it could use to create profiles of users’ households by making educated guesses about how many people live in the household, what their relationships to each other are, what interests they share and what electronic devices they use.

The system would draw on the wealth of information Facebook already has about its users — including their photos, comments, messaging history and web browsing activities — and could be used to help target ads, according to the patent application.

“Without such knowledge of a user’s household features, most of content items that are sent to the user are poorly tailored to the user and are likely ignored,” says the patent application, which was filed last year and made public Thursday.

The software would analyze images posted to Instagram or Facebook. (Even users who never upload photos still can be tagged in other users’ photos.) To help determine whether people live in the same home, the patent application says, the software could look at how often people are tagged in pictures together and at the photos’ captions. The software would not be limited to using photos that include everyone in the household; rather, the patent application shows, it would take into account pictures of individuals and pairs.

Subject: What the Marriott Breach Says About Security
Source: Krebs on Security

We don’t yet know the root cause(s) that forced Marriott this week to disclose a four-year-long breach involving the personal and financial information of 500 million guests of its Starwood hotel properties. But anytime we see such a colossal intrusion go undetected for so long, the ultimate cause is usually a failure to adopt the most important principle in cybersecurity defense that applies to both corporations and consumers: Assume you are compromised.


For companies, this principle means accepting the notion that it is no longer possible to keep the bad guys out of your networks entirely. This doesn’t mean abandoning all tenets of traditional defense, such as quickly applying software patches and using technologies to block or at least detect malware infections.

It means accepting that despite how many resources you expend trying to keep malware and miscreants out, all of this can be undone in a flash when users click on malicious links or fall for phishing attacks. Or a previously unknown security flaw gets exploited before it can be patched. Or any one of a myriad other ways attackers can win just by being right once, when defenders need to be right 100 percent of the time.

The companies run by leaders and corporate board members with advanced security maturity are investing in ways to attract and retain more cybersecurity talent, and arranging those defenders in a posture that assumes the bad guys will get in.

The “assume you’re compromised” philosophy involves freezing your credit files with the major credit bureaus, and regularly ordering free copies of your credit file to make sure nobody is monkeying with your credit (except you).

It means planting your flag at various online services before fraudsters do it for you, such as at the Social Security Administration, U.S. Postal Service, Internal Revenue Service, your mobile provider, and your Internet service provider (ISP).

[make sure you follow the above link “planting your flag” — something that was intuitive but not previously well-articulated /pmw1]

Subject: Grandparents Increasingly Targeted By Impostors Who Know ‘Everything’ About Them
Source: CBS Pittsburgh

(CBS News/CBS Local) – The government is releasing new information about a growing scam targeting older Americans. It tricks people into mailing cash to people pretending to be their grandchildren. Victims reportedly lose an average of $9,000.

“I’m the last person, I thought, would ever fall for a scam like this,” Franc Stratton told CBS News correspondent Anna Werner.

The retired Tennessean spent his career working in intelligence, first for the Air Force and later as a cybersecurity programmer. But his expertise still didn’t prepare him for the scam that began with a morning phone call in April.

“I hear, ‘Don’t be afraid, but I’m the public defender from Austin, Texas. They have put your grandson in jail after a wreck, and he has a DUI offense,’” Stratton said.

The man said Stratton could bail out his grandson if he sent $8,500 cash via FedEx, something that might sound ridiculous, except that Stratton had actually done just that for a family member once in the past.

He’s not the only victim. The Federal Trade Commission (FTC) said Americans lost up to $41 million in the scam this year, nearly twice as much as last year. The FTC said people 70 and older are increasingly being scammed, and the criminals do their research, sometimes using social media to learn more about their targets.

The FTC warns if you receive a call like this, get in touch with that family member or friend before sending anything. Be careful about what you post on social media because scammers can use those details.

Subject: Paper – Common-Knowledge Attacks on Democracy
Source: Farrell, Henry John and Schneier, Bruce, Common-Knowledge Attacks on Democracy (October 2018). Berkman Klein Center via beSpacific

Farrell, Henry John and Schneier, Bruce, Common-Knowledge Attacks on Democracy (October 2018). Berkman Klein Center Research Publication No. 2018-7. Available at SSRN.

“Existing approaches to cybersecurity emphasize either international state-to-state logics (such as deterrence theory) or the integrity of individual information systems. Neither provides a good understanding of new “soft cyber” attacks that involve the manipulation of expectations and common understandings. We argue that scaling up computer security arguments to the level of the state, so that the entire polity is treated as an information system with associated attack surfaces and threat models, provides the best immediate way to understand these attacks and how to mitigate them.”

Subjects: Cybercrime, Cybersecurity, Internet

Subject: Measuring the “Filter Bubble”: How Google is influencing what you click
Source: Duck Duck Go via beSpacific

Duck Duck Go: “Over the years, there has been discussion of Google’s “filter bubble” problem. Put simply, it’s the manipulation of your search results based on your personal data. In practice this means links are moved up or down or added to your Google search results, necessitating the filtering of other search results altogether. These editorialized results are informed by the personal information Google has on you (like your search, browsing, and purchase history), and puts you in a bubble based on what Google’s algorithms think you’re most likely to click on.”

beSpacific Subjects: Internet, Knowledge Management, Legal Research, Search Engines

DDGo Filed under Privacy

Subject: The web really isn’t worldwide – every country has different access
Source: The Conversation

What the internet looks like to users in the U.S. can be quite different from the online experience of people in other countries. Some of those variations are due to government censorship of online services, which is a significant threat to internet freedom worldwide. But private companies – many based in the U.S. – are also building obstacles to users from around the world who want to freely explore the internet.

Website operators and internet traffic managers often choose to deny access to users based on their location. Users from certain countries can’t visit certain websites – not because their governments say so, or because their employers want them to focus on work, but because a corporation halfway around the world has made a decision to deny them access.

This geoblocking, as it’s called, is not always nefarious. U.S. companies may block traffic from certain countries to comply with federal economic sanctions. Shopping websites might choose not to have visitors from countries they don’t ship goods to. Media sites might not be able to comply with other nations’ privacy laws. But other times it’s out of convenience, or laziness: It may be easier to stop hacking attempts from a country by blocking every user from that country, rather than increasing security of vulnerable systems.

As a team of internet freedom researchers, my colleagues and I investigated the mechanics of geoblocking, including where geoblocking was happening, what content was being blocked and how websites were practicing geoblocking.

We used a service called Luminati, which provides researchers remote, automated access to residential internet connections around the world. Our automated system used those connections to see what more than 14,000 sites look like from 177 countries, and compared the results in each country.


Posted in: Big Data, Cybercrime, Cybersecurity, Freedom of Information, Internet Filtering, KM, Legal Research, Privacy, Search Engines