Pete Recommends – Weekly highlights on cyber security issues June 16, 2019

Subject: New RCE vulnerability impacts nearly half of the internet’s email servers
Source: ZDNet

A critical remote command execution (RCE) security flaw impacts over half of the Internet’s email servers, security researchers from Qualys have revealed today. The vulnerability affects Exim, a mail transfer agent (MTA), which is software that runs on email servers to relay emails from senders to recipients.

According to a June 2019 survey of all mail servers visible on the Internet, 57% (507,389) of all email servers run Exim — although different reports would put the number of Exim installations at ten times that number, at 5.4 million.

Qualys said the vulnerability can be exploited instantly by a local attacker that has a presence on an email server, even with a low-privileged account.

But the real danger comes from remote hackers exploiting the vulnerability, who can scan the internet for vulnerable servers, and take over systems.

Vulnerability patched… by accident – The vulnerability was patched with the release of Exim 4.92, on February 10, 2019, but at the time the Exim team released v4.92, they didn’t know they fixed a major security hole.


Subject: This ID Scanner Company is Collecting Sensitive Data on Millions of Bargoers
Source: OneZero

  • PatronScan says it sells security. Privacy advocates worry it’s selling mass surveillance.
  • PatronScan allows bars to do just that. The PatronScan kiosk, placed at the entrance of a bar or nightlife establishment, can verify whether an ID is real or fake, and collect and track basic customer demographic data. For bars, accurate ID scanners are valuable tools that help weed out underage drinkers, protecting the establishments’ liquor licenses from fines and scrupulous state alcohol boards. But PatronScan’s main selling point is security. To some onlookers, PatronScan’s product raises a number of concerns about privacy, surveillance, and discrimination. PatronScan’s reports reveal the company logged where customers live, the household demographics for that area, how far each customer travelled to a bar, and how many different bars they had visited. According to the company’s own policies, the company readily shares the information it collects on patrons, both banned and not, at the request of police. In addition to selling its kiosks to individual bars and nightlife establishments, PatronScan also advertises directly to cities, suggesting that they mandate the adoption of their service.
  • Pete Weiss adds – is this service compatible with EU data protection laws?

According to a “Public Safety Report,” the average length of bans handed out to customers in Sacramento, California was 19 years.


Subject: Schools Are Deploying Massive Digital Surveillance Systems. The Results Are Alarming
Source: Education Week

To human eyes, the post seems innocuous.

But in an age of heightened fear about mass school shootings, it tripped invisible alarms.

The local Brazosport Independent School District had recently hired a company called Social Sentinel to monitor public posts from all users, including adults, on Facebook, Twitter, and other social media platforms. The company’s algorithms flagged Lafrenais’s tweet as a potential threat. Automated alerts were sent to the district’s superintendent, chief of police, director of student services, and director of guidance. All told, nearly 140 such alerts were delivered to Brazosport officials during the first eight months of this school year, according to documents obtained by Education Week.

Among the other “threats” flagged by Social Sentinel:

[lots more …]


Subject: GitHub shocks top developer: Access to 5 years’ work inexplicably blocked
Source: ZDNet

Three incidents in the past week illustrate the sometimes unavoidable risks involved in relying on cloud providers.

The developer yesterday posted a warning on Twitter about the potential risk to developers of using GitHub “for your life’s work” after he was abruptly locked out, apparently following a single complaint from another user.

“If you’re thinking about using @github for your life’s work, FYI, they may remove it without any warning or notice, based on some user ‘report’ made out of spite. That happened today for the 5+ years of One Hour One Life work that I’m hosting there. They didn’t even email me,” Rohrer wrote.

Rohrer added he was “astounded by the completely unprofessional behavior” of the services he’s using to run One Hour One Life.

“If you want to position yourself as a cornerstone, you’ve got to behave like a cornerstone,” he noted.

GitHub CEO Nat Friedman offered Rohrer an apology on Twitter over the block and confirmed Rohrer’s account has been restored, also promising an investigation into why the block was implemented in the first place.


Subject: China Summons Tech Giants to Warn Against Cooperating With Trump Ban
Source: The New York Times

SAN FRANCISCO — The Chinese government this past week summoned major tech companies including Microsoft and Dell from the United States and Samsung of South Korea, to warn that they could face dire consequences if they cooperate with the Trump administration’s ban on sales of key American technology to Chinese companies, according to people familiar with the meetings.

Held on Tuesday and Wednesday, the meetings came soon after Beijing’s announcement that it was assembling a list of “unreliable” companies and individuals.

That list was widely seen as a way of hitting back at the Trump administration for its decision to cut off Huawei, the Chinese electronics giant, from sales of American technology. The United States has accused Huawei of stealing trade secrets and conducting surveillance on behalf of Beijing.

Details about the meetings, the latest move in two weeks of high-stakes economic brinkmanship between the United States and China, were shared by two people familiar with them, who asked not to be named because they were not authorized to discuss them and could face retribution.


Subject: A Premium Version of Firefox Is Coming – Would You Pay for It?
Source: Gizmodo

What’s going to separate premium Firefox from regular old Firefox? Basically, VPN and cloud storage capabilities. Beard’s answers sounded more hypothetical in detail than the announcement of guaranteed features, but he did give some insight into what a premium Firefox might offer. One example Beard gave was a hypothetical situation where a user wanted to do some online banking over public wifi. That user would get a “certain amount of free VPN bandwidth, and then offer a premium level over a monthly subscription.”

Subject: Exclusive: Some big tech firms cut employees’ access to Huawei, muddying 5G rollout
Source: Reuters via Yahoo
Loose lips synch chips …

NEWPORT BEACH, Calif./NEW YORK (Reuters) – Some of the world’s biggest tech companies have told their employees to stop talking about technology and technical standards with counterparts at Huawei Technologies Co Ltd in response to the recent U.S. blacklisting of the Chinese tech firm, according to people familiar with the matter.

Subject: DOD IG: Cybersecurity upgrades are not being properly implemented
Source: fedscoop

The Joint Regional Security Stack (JRSS) program, a key part of the Department of Defense’s network consolidation and cybersecurity changes, is not being fully implemented properly, a Pentagon inspector general’s report found.

The June 4 report states that operators of the suite of network security equipment were not properly trained, resulting in the security system’s implementation “not fully achieving the expected outcomes.” The report also notes the JRSS has reduced the number of enemy attacks on DOD networks, but the training gaps could lead to exploits in the system that would harm DOD IT networks. The project is more than $1.7 billion over its initial budget of $520 million, according to the report.

This is not the first report that found flaws in JRSS. The DOD Director of Operational Test & Evaluation’s 2018 report found JRSS “is unable to help network defenders protect the network against operationally realistic cyber-attacks.”


Subject: National Archives and Records Administration (NARA) Considers Blockchain to Verify Records Amid Rise in Deepfake Videos
Source: Federal News Network via LJ infoDOCKET

Federal News Network:

The National Archives and Records Administration is exploring whether blockchain technology can help records management officials keep track of their vast stores of information, following the successful rollout of the emerging technology elsewhere in government.


Subject: Artificial intelligence-enhanced journalism offers a glimpse of the future of the knowledge economy
Source: The Conversation

Much as robots have transformed entire swaths of the manufacturing economy, artificial intelligence and automation are now changing information work, letting humans offload cognitive labor to computers. In journalism, for instance, data mining systems alert reporters to potential news stories, while newsbots offer new ways for audiences to explore information. Automated writing systems generate financial, sports and elections coverage.

A common question as these intelligent technologies infiltrate various industries is how work and labor will be affected. In this case, who – or what – will do journalism in this AI-enhanced and automated world, and how will they do it?

The evidence I’ve assembled in my new book “Automating the News: How Algorithms Are Rewriting the Media” suggests that the future of AI-enabled journalism will still have plenty of people around. However, the jobs, roles and tasks of those people will evolve and look a bit different. Human work will be hybridized – blended together with algorithms – to suit AI’s capabilities and accommodate its limitations.


Posted in: AI, Cybercrime, Cybersecurity, E-Government, Economy, Email, Email Security, KM, Privacy