Pete Recommends – Weekly highlights on cyber security issues March 9, 2019

Subject: Facebook and Instagram launch lawsuit over fake accounts and followers
Source: Business Insider

  • Facebook announced Friday that the company, along with Instagram, has filed a federal lawsuit over the sale of fake accounts, likes, and followers.
  • Facebook is suing four companies and three people based in China who have sold and promoted fake accounts, likes, and followers on Facebook, Instagram, Amazon, Apple, Google, LinkedIn, and Twitter.
  • “By filing the lawsuit, we hope to reinforce that this kind of fraudulent activity is not tolerated – and that we’ll act forcefully to protect the integrity of our platform,” Paul Grewal, vice president and deputy general counsel at Facebook, wrote in a blog post.

This lawsuit will ask the court to prevent these companies and people from creating and promoting the sale of fake accounts, likes, and followers on Facebook and Instagram. In addition, it will ask the court to stop them from illegally using their trademarks on their websites and from using Facebook-branded domain names to run their websites.

Subject: Huawei Frightens Europe’s Data Protectors. America Does, Too
Source: Bloomberg technology

  • U.S. Cloud Act is raising concern about extraterritoriality
  • Act allows authorities to get data overseas, EU to negotiate

A foreign power with possible unbridled access to Europe’s data is causing alarm in the region. No, it’s not China. It’s the U.S.

As the U.S. pushes ahead with the “Cloud Act” it enacted about a year ago, Europe is scrambling to curb its reach. Under the act, all U.S. cloud service providers from Microsoft and IBM to Amazon — when ordered — have to provide American authorities data stored on their servers regardless of where it’s housed. With those providers controlling much of the cloud market in Europe, the act could potentially give the U.S. the right to access information on large swaths of the region’s people and companies.

The U.S. says the act is aimed at aiding investigations. Some people are drawing parallels between the legislation and the National Intelligence Law that China put in place in 2017 requiring all its organizations and citizens to assist authorities with access to information. The Chinese law, which the U.S. says is a tool for espionage, is cited by President Donald Trump’s administration as a reason to avoid doing business with companies like Huawei Technologies Co.

Subject: Robocalls Routed via Virtue Signaling Network?
Source: RISKS Digest and NYTimes – by Henry Baker <[email protected]>
Link to the New York Times article –

Why “exceptional access” is synonymous with “backdoors for black hats”

Congresspersons will virtue signal all day long about robocalls, but will NEVER stop robocalls.  Why?  Precisely because Congresspersons utilize robocalls *themselves* for their own re-election campaigns.

Who else loves robocalls?  Phone companies themselves.  Robocalls run up lucrative charges on accounts that would otherwise have *zero* traffic and minimum account charges.

Who else loves robocalls?  NSA/intelligence agencies.  Have a 3-hop or 2-hop maximum from a “person of interest”?  Any undergraduate computer scientist can code up an algorithm to provide enough “junk calls” to fill in that entire “who-called-whom” adjacency matrix so that *every* person is 2 hops from a “person of interest”.  Robocalls also enable metadata collection by exercising the SS7 network.  Robocalls enable the testing of “live” phone numbers which can later be used for SMS message scams and malware^H^H^H^H^H^H^HNIT (“network investigative technique”) installation.

Of course, what’s good for the goose is good for the gander.  Exactly the same techniques utilized by “white hats” can also be utilized by “black hats” such as criminals and foreign intel agencies.

Let’s Destroy Robocalls: Finally, something worse than Donald Trump.

Subject: How to Use Two-Factor on Facebook Without a Phone Number
Source: TechCrunch via Gizmodo

Over the weekend, Facebook users were freaked out to learn that the social network allows “Everyone” to look them up with the phone number they provided for two-factor authentication (2FA) by default. This sneaky ad-targeting method disguised as a privacy tool really has no privacy benefits, but there’s still a way to protect yourself.

The Twitter thread by Emojipedia’s Jeremy Burge pointed out that Facebook’s settings, which control who is allowed to look up your account with a phone number that you’ve provided, do not include an option to completely opt out of its “look up” service. The whole point of two-factor authentication is to give users an extra layer of login protection by requiring them to enter a code that’s texted to their phone in addition to their password. Gizmodo first reported back in September that Facebook also uses those phone numbers to help it serve targeted ads and to connect users with people they may know. As TechCrunch points out, the fact that Facebook provides no option to remove oneself from the “look up” feature prompted many users to cry foul, including Facebook’s former Chief Security Officer, Alex Stamos.

The bottom line is that you should absolutely use two-factor authentication on your Facebook account, but remove your phone number from the equation. To do that, you’ll need to install a third-party authentication app such as Google Authenticator or Duo Mobile on your phone. Then go to this Facebook page and click the “Get Started” button. Choose the “Authentication App” option and click Next. You then have the option to either enter a setup code into your third-party app or use it to scan a QR code; both deliver the same shared secret, and that secret (not your phone number) is what links the app to Facebook. From then on, when 2FA is needed to log in, you enter the unique, temporary code the authentication app generates.

Subject: Scam Alert: IRS Urges Taxpayers to Watch Out for Erroneous Refunds; Beware of Fake Calls to Return Money to a Collection Agency
Source: IRS Newsroom

IR-2018-27, Feb. 13, 2018

WASHINGTON — The Internal Revenue Service today warned taxpayers of a quickly growing scam involving erroneous tax refunds being deposited into their bank accounts. The IRS also offered a step-by-step explanation for how to return the funds and avoid being scammed.

Following up on a Security Summit alert issued Feb. 2, the IRS issued this additional warning about the new scheme after discovering more tax practitioners’ computer files have been breached. In addition, the number of potential taxpayer victims jumped from a few hundred to several thousand in just days. The IRS Criminal Investigation division continues its investigation into the scope and breadth of this scheme.

These criminals have a new twist on an old scam. After stealing client data from tax professionals and filing fraudulent tax returns, these criminals use the taxpayers’ real bank accounts for the deposit.

Thieves are then using various tactics to reclaim the refund from the taxpayers, and their versions of the scam may continue to evolve.

Subject: National Security Agency halts surveillance program
Source: CNNPolitics

(CNN) The National Security Agency has stopped using a surveillance program in recent months that relied on bulk data collected from US domestic phone records, according to a Republican congressional official.

The program, authorized under the USA Freedom Act, requires reauthorization at the end of the year, and the Trump administration may not seek to extend it, according to Luke Murry, national security adviser to House Minority Leader Kevin McCarthy.

Murry’s comments came on a podcast produced by Lawfare, a national security legal affairs website. The New York Times earlier reported on the comments.

The NSA did not respond to CNN’s request for comment.

NB you may be interested in Lawfare’s RSS feed for surveillance:

Other topics available, too.

Subject: Phone numbers are the new Social Security numbers
Source: Axios via beSpacific

Axios: “Cellphone numbers have become a primary way for tech companies like Facebook to uniquely identify users and secure accounts, in some ways becoming a proxy for a national ID. Why it matters: That over-reliance on cellphone numbers ironically makes them a less effective and secure authentication method. And the more valuable the phone number becomes as an identifier, the less willing people will be to share it for communication.”

beSpacific: Subjects: Cybercrime, Cybersecurity, Government Documents, Internet, Privacy, Social Media


Subject: Internet Privacy and Data Security: Additional Federal Authority Could Enhance Consumer Protection and Provide Flexibility
Source: U.S. GAO

This testimony focuses on the Federal Trade Commission’s authority to oversee Internet privacy and security. Without a comprehensive federal data privacy law, the United States relies in part on FTC to use its broad authority to protect consumers from unfair and deceptive trade practices.

Most industry representatives we interviewed favored the current approach and warned that further regulations could hinder innovation. Consumer advocates and most of the former FTC and FCC commissioners we interviewed favored having FTC issue and enforce regulations. We previously recommended Congress consider comprehensive Internet privacy legislation.

View Report (PDF, 13 pages)

Subject: Guess what? Facebook still tracks you on Android apps (even if you don’t have a Facebook account)
Source: Privacy International

Tuesday, March 5, 2019

In December 2018, we revealed how some of the most widely used apps in the Google Play Store automatically send personal data to Facebook the moment they are launched. That happens even if you don’t have a Facebook account or are logged out of the Facebook platform (watch our talk at the Chaos Communication Congress (CCC) in Leipzig or read our full legal analysis here).

Today, we have some good news for you: we retested all the apps from our report and it seems as if we have made some impact. Two thirds of all apps we retested, including Spotify, Skyscanner and KAYAK, have updated their apps so that they no longer contact Facebook when you open the app.

Here’s the bad news: seven apps, including Yelp, the language-learning app Duolingo and the job search app Indeed, as well as the King James Bible app and two Muslim prayer apps, Qibla Connect and Muslim Pro, still send your personal data to Facebook before you can decide whether you want to consent or not. Keep in mind: these are apps with millions of installs.

Since we published our report, we could also confirm that apps on iOS exhibit similar behaviour.

How can I protect myself?

We care about third-party tracking on mobile apps because it causes unique privacy issues. You can block some unwanted cookies and tracking technology in web browsers, but it’s excruciatingly difficult to do the same in apps. For example, no mainstream operating system, including Android and iOS, allows users to opt out of third-party tracking in apps, which leaves people vulnerable to exploitative data practices.

Still, everybody can take steps to reduce app tracking on Androids, even if it won’t affect the kind of tracking that we described in our report (sorry!):

site RSS feed:

Subject: Phishing Scams: Is Your Financial Institution Helping Cyberthieves?
Source: Consumers’ Checkbook via RISKS Forum #31.10

Phishing Scams: Is Your Financial Institution Helping Cyberthieves? (Washington Consumers’ Checkbook) Gabe Goldberg <[email protected]>

It’s bad enough when financial institutions don’t practice what they preach, but it only compounds the confusion when they promise one thing and do the opposite. For example, Merrill Lynch recently posted this online alert: “Recently, some Merrill Lynch clients have reported receiving emails that appear to be from Merrill Lynch but which have, in fact, been sent by imposters. … How can you tell the difference? Fraudulent emails typically include website links, and/or request you to provide personal information. Merrill Lynch has not and will not initiate a request for sensitive information via email.” But when we reviewed a legitimate email sent by Merrill Edge, it did contain website links and invitations to click to ‘view statements’. When the link is clicked, it takes you to an account login page where Merrill requests sensitive information, in the form of your user ID and password. Thus, Merrill’s own legitimate email is similar to the emails it warns could be bogus. The risk? Nothing new, just same old clueless companies.

Posted in: Big Data, Congress, Cybersecurity, Economy, Encryption, Financial System, Government Resources, Privacy, Social Media