Pete Recommends – Weekly highlights on cyber security issues June 1, 2019

Subject: Facebook on fake Pelosi video: Being ‘false’ isn’t enough for removal

Facebook said Friday that a video doctored to depict House Speaker Nancy Pelosi slurring her words will remain on the social network because false information alone does not violate the site’s rules.

“We remove things from Facebook that violate our Community Standards, and we don’t have a policy that stipulates that the information you post on Facebook must be true,” a company spokesperson said in a statement shared with POLITICO.

The social network said it will, however, greatly reduce distribution of the video among Facebook users’ News Feeds and add context from two third-party fact checkers who deemed it false after Facebook asked them to review it. One of the two fact checkers, Politifact, gave the video its “Pants on Fire” appellation, reserved for the most egregious falsehoods making “ridiculous claim[s].”

Subject: Photos: Plum Island, restricted US site where DARPA preps for cyber war
Source: Business Insider

  • Every six months, DARPA stages mock cyber attacks on a highly restricted island off the coast of New York.
  • Specialists war game a major cyber attack of the power grid on Plum Island, which people need US government clearance to set foot on.
  • The exercise involves figuring out how to jumpstart a large electricity system if it gets suddenly taken offline by enemy hackers.
  • A DARPA official sent Business Insider photos of the site during one of the drills.

“What scares us is that once you lose power it’s tough to bring it back online… Doing that during a cyber attack is even harder because you can’t trust the devices you need to restore power for that grid.”

Subject: First American Financial Corp. Leaked Hundreds of Millions of Title Insurance Records
Source: Krebs on Security

[is there an auditor in the house? /pmw1]

The Web site for Fortune 500 real estate title insurance giant First American Financial Corp. [NYSE:FAF] leaked hundreds of millions of documents related to mortgage deals going back to 2003, until notified this week by KrebsOnSecurity. The digitized records — including bank account numbers and statements, mortgage and tax records, Social Security numbers, wire transaction receipts, and drivers license images — were available without authentication to anyone with a Web browser.

Earlier this week, KrebsOnSecurity was contacted by a real estate developer in Washington state who said he’d had little luck getting a response from the company about what he found, which was that a portion of its Web site ( was leaking tens if not hundreds of millions of records. He said anyone who knew the URL for a valid document at the Web site could view other documents just by modifying a single digit in the link.
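The weakness the developer describes (a document reachable by changing one digit in the link, with no login required) is an insecure direct object reference: the numeric id in the URL is the only thing standing between a visitor and someone else's records. The following is an added example, not code from the article or from First American's site, contrasting that vulnerable lookup with a hardened one that requires an authenticated caller, checks ownership, and hands out random handles instead of sequential ids. The document store, record contents and function names are constructed for illustration.

```python
"""Added illustration of the access-control defect described in the Krebs
story, beside a hardened version. DOCUMENTS, fetch_document_insecure,
fetch_document_secure and issue_handle are hypothetical names; the records
are constructed sample data, not real title-insurance documents."""
import secrets

# Constructed sample records keyed by a sequential numeric id, as many document
# stores are. A sequential key is what lets a visitor walk the whole collection.
DOCUMENTS = {
    100001: {"owner": "alice", "title": "Closing statement - 12 Elm St"},
    100002: {"owner": "bob",   "title": "Wire receipt - 7 Oak Ave"},
    100003: {"owner": "carol", "title": "Tax record - 3 Pine Rd"},
}


class NotFound(Exception):
    """Raised for any document the caller may not see, whether it exists or not."""


def fetch_document_insecure(doc_id: int) -> dict:
    """Vulnerable pattern: the id from the link is the only input.

    No caller identity is consulted and no ownership check is made, so any id
    that happens to exist is served to whoever asks for it."""
    try:
        return DOCUMENTS[doc_id]
    except KeyError:
        raise NotFound(doc_id)


# Hardened pattern: opaque handles plus an ownership check.
# Maps random handle -> numeric id; kept server-side so the mapping cannot be
# derived or guessed from the handle itself.
_HANDLES: dict = {}


def issue_handle(doc_id: int) -> str:
    """Issue an unguessable handle for a document (128 bits of randomness)."""
    if doc_id not in DOCUMENTS:
        raise NotFound(doc_id)
    handle = secrets.token_urlsafe(16)
    _HANDLES[handle] = doc_id
    return handle


def fetch_document_secure(handle: str, caller: str) -> dict:
    """Serve a document only to its owner.

    `caller` stands for the principal established by the web framework's
    session layer; an unauthenticated request never reaches this function.
    An unknown handle and a document the caller does not own raise the same
    NotFound, so a probing client cannot learn which documents exist."""
    doc_id = _HANDLES.get(handle)
    if doc_id is None:
        raise NotFound()
    doc = DOCUMENTS[doc_id]
    if doc["owner"] != caller:
        raise NotFound()
    return doc


def is_denied(handle: str, caller: str) -> bool:
    """True when the hardened lookup refuses the request."""
    try:
        fetch_document_secure(handle, caller)
    except NotFound:
        return True
    return False


if __name__ == "__main__":
    # The insecure lookup serves a neighbouring id to anyone who asks.
    print("insecure, id+1:", fetch_document_insecure(100002)["title"])
    # The hardened lookup serves the owner and refuses everyone else.
    h = issue_handle(100002)
    print("secure, owner:", fetch_document_secure(h, "bob")["title"])
    print("secure, non-owner denied:", is_denied(h, "alice"))
```

The ownership check is the part that matters; the random handle only removes the enumerability that made the exposure trivial to discover. Both belong together: an unguessable id without authorization still fails as soon as one link is shared or logged.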

As noted in past stories here, these types of data exposures are some of the most common yet preventable. In December 2018, the parent company of Kay Jewelers and Jared Jewelers fixed a weakness in their site that exposed the order information for all of their online customers.

In August 2018, financial industry giant Fiserv Inc. fixed a bug reported by KrebsOnSecurity that exposed personal and financial details of countless customers across hundreds of bank Web sites.

In July 2018, identity theft protection service LifeLock corrected an information disclosure flaw that exposed the email address of millions of subscribers. And in April 2018, remedied a weakness exposing millions of customer names, email and physical addresses, birthdays and partial credit card numbers.


Subject: Moody’s downgrades Equifax outlook to negative, cites cybersecurity
Source: CNBC

  • A Moody’s spokesperson said the downgrade is significant because “it is the first time that cyber has been a named factor in an outlook change.”
  • Equifax’s breach in 2017 will have a lasting effect on the company’s security spend and infrastructure costs, Moody’s said.

Moody’s cited Equifax’s recent $690 million first-quarter charge for the breach as contributing to the downgrade. The expense represents the company’s estimate for settling ongoing class action cases, as well as potential federal and state regulatory fines.

“We estimate Equifax’s cybersecurity expenses and capital investments will total about $400 million in both 2019 and 2020 before declining to about $250 million in 2021,” the note says. “Beyond 2020, infrastructure investments are likely to remain higher than they had been before the 2017 breach.”

“The heightened emphasis on cybersecurity for all data oriented companies, which is especially acute for Equifax, leads us to expect that higher cybersecurity costs will continue to hurt the company’s profit and free cash flow for the foreseeable future,” Moody’s said.

Subject: China internet censors on alert ahead of Tiananmen Square anniversary
Source: Business Insider

  • Censors at Chinese internet companies are on high alert ahead of the anniversary of the bloody pro-democracy protests at Tiananmen Square, a highly controversial event in China’s history.
  • Two employees at a Chinese firm said censorship of the Tiananmen crackdown, along with other highly sensitive issues including Taiwan and Tibet, is now largely automated.
  • In the lead-up to this year’s Tiananmen Square anniversary, censorship on social media has reportedly targeted LGBT groups, labor and environment activists and NGOs.

Censors at Chinese internet companies say tools to detect and block content related to the 1989 crackdown have reached unprecedented levels of accuracy, aided by machine learning and voice and image recognition.

“We sometimes say that the artificial intelligence is a scalpel, and a human is a machete,” said one content screening employee at Beijing Bytedance Co Ltd, who asked not to be identified because they are not authorized to speak to media.

The Tiananmen crackdown is a taboo subject in China 30 years after the government sent tanks to quell student-led protests calling for democratic reforms. Beijing has never released a death toll but estimates from human rights groups and witnesses range from several hundred to several thousand.

While companies’ censorship tools are becoming more refined, analysts, academics and users say heavy-handed policies mean sensitive periods before anniversaries and political events have become catch-alls for a wide range of sensitive content.

In the lead-up to this year’s Tiananmen Square anniversary, censorship on social media has targeted LGBT groups, labor and environment activists and NGOs, they say.

Companies, which are largely responsible for their own censorship, receive little in the way of directives from the CAC, but are responsible for creating guidelines in their own “internal ethical and party units”, the official said.

Subject: You’re Not Alone When You’re on Google
Source: The New York Times via beSpacific

The New York Times – We know that. But the “privacy paradox” means we still act like we are. “…To fully apprehend our vulnerabilities as digital creatures would require far too much time and energy. More than that: It would require an entirely new set of instincts, a radically different cognitive framework from the one we now possess…So we carry on. Even though everyone is mutely collecting our queries, preferences, fetishes, anxieties. Google. Amazon. Facebook. YouTube. Pandora. Pinterest. The Weather Channel. Reddit. Wikipedia. Major League Baseball. PornHub. Zillow. Your newspaper. Your bank. Your phone carrier. Everyone. Danah Boyd, the founder of the Data & Society Research Institute, perhaps put it best when she wrote we are “public by default, private through effort.”…


Subject: US Navy wants 350 billion social media posts
Source: BBC News

The military project team has not specified which social media platform it intends to collect the data from.
The posts must be publicly available, come from at least 100 different countries and include at least 60 different languages.
They should also date between 2014 and 2016.
The details were revealed in a tender document from the Naval Postgraduate School for a firm to provide the data.
Applications have now closed.
Additional requirements included…

Subject: Amazon Filed A Patent To Record You Before You Even Say “Alexa”
Source: BuzzFeed News

Amazon Echo devices could one day capture, process, and record audio spoken before the wake word for commands like “Play some music, Alexa.”
Amazon has filed a patent application with the US Patent and Trademark Office describing a technology that would allow the Echo and other Alexa-enabled devices to capture what you say before a wake word, like “Alexa,” is uttered. Currently, Alexa devices only record and send audio to Amazon servers if a wake word is detected. Should Amazon decide to develop or implement the technology, an Alexa-enabled device would constantly record and delete what you say using the device’s local memory storage.

The patent application, which was made public today, offers insight into Amazon’s ambitions to expand the capabilities of its voice recognition technology. Alexa devices currently can’t understand commands when the wake word comes after or in the middle of a sentence. But images in the patent application offer “Play some music, Alexa” and “Play some music, Alexa. The Beatles, please” as examples.


Subject: Opinion: We Live In The Safest Big City, But Citizen Is Scaring The Hell Out Of People
Source: BuzzFeed News – Opinion

Just as crime hits historic lows, people are consuming a freakout-inducing stream of every single 911 call in their neighborhood.

I’m in line to grab a coffee at Dunkin’ Donuts when suddenly I see four cop cars swarm the parking lot like gangbusters. Turns out some teenagers were squabbling and one of them ran into the Dunkin’ Donuts bathroom to hide. Everyone disperses. A few minutes later, I look at my phone. The Citizen app says, “Report of Attempted Robbery” at the Dunkin’ Donuts. There was no robbery, attempted or otherwise. I knew this, because I was literally right there, just like I was at the intersection the other night. But for anyone else sitting on their couch with their phone buzzing every five minutes announcing another crime in progress, it might feel like it’s time to lock yourself inside your apartment and never come out.

This is my problem with the Citizen app.

But does Citizen really keep us safe? Or does it just scare the hypervigilant shit out of us?
