Pete Recommends – Weekly highlights on cyber security issues July 19, 2019

Subject: Trump is rattling sabers in cyberspace — but is the U.S. ready?

While U.S. cyber defenses are improving, some experts worry about how the nation would recover from an even larger strike — such as one on the scale of the suspected Russian cyber-assault that blacked out power to more than 200,000 Ukrainians in 2015.

“We are clearly not ready to recover from a cyberattack” of that magnitude, said Art House, the chief cybersecurity risk officer for Connecticut and the former chairman of the state’s utilities commission. “Very few states have ever simulated a cyberattack on their public infrastructure. It poses challenges we haven’t faced before.”

Subject: Microsoft Office 365: Now Illegal In Many Schools in Germany
Source: ZDNet via Slashdot

“Schools in the central German state of Hesse [population: 6 million] have been told it’s now illegal to use Microsoft Office 365,” reports ZDNet: The state’s data-protection commissioner has ruled that using the popular cloud platform’s standard configuration exposes personal information about students and teachers “to possible access by US officials”.

That might sound like just another instance of European concerns about data privacy or worries about the current US administration’s foreign policy. But in fact the ruling by the Hesse Office for Data Protection and Information Freedom is the result of several years of domestic debate about whether German schools and other state institutions should be using Microsoft software at all.

Subject: Revealed: This Is Palantir’s Top-Secret User Manual for Cops
Source: Motherboard Tech by Vice

Motherboard obtained a Palantir user manual through a public records request, and it gives unprecedented insight into how the company logs and tracks individuals.

Palantir is one of the most significant and secretive companies in big data analysis. The company acts as an information management service for Immigration and Customs Enforcement, corporations like JP Morgan and Airbus, and dozens of other local, state, and federal agencies. It’s been described by scholars as a “secondary surveillance network,” since it extensively catalogs and maps interpersonal relationships between individuals, even those who aren’t suspected of a crime.

Palantir software is instrumental to the operations of ICE, which is planning one of the largest-ever targeted immigration enforcement raids this weekend on thousands of undocumented families. Activists argue raids of this scale would be impossible without software like Palantir. But few people outside the company and its customers know how its software works or what its specific capabilities and user interfaces are.

Through a public records request, Motherboard has obtained a user manual that gives unprecedented insight into Palantir Gotham (Palantir’s other service, Palantir Foundry, is an enterprise data platform), which is used by law enforcement agencies like the Northern California Regional Intelligence Center.

The document obtained by Motherboard for this story is public and viewable on DocumentCloud.

Subject: How To Clear Out Your Zombie Apps and Online Accounts
Source: WIRED

In these predominantly digital times, it’s all too easy to build up a long trail of unused accounts that are now gathering dust: free trials that you never followed up on, streaming services you abandoned, on-demand clothing boxes that in the end weren’t quite what you were looking for, and so on. In some ways these old accounts aren’t doing any harm besides gathering virtual dust or sending you the occasional email nag. But having too many dormant logins can cause problems from a security perspective. Consider what would happen if the developer behind the app suddenly went rogue, or if the hackers breached the service’s database.

Not only would personal details like your email address or even home address get exposed, it might also give bad actors a route into your bigger, more important, more sensitive accounts. That’s either because you’ve used a major service to log into the smaller one, or because you’re sharing usernames and passwords between different accounts—something you shouldn’t do for this very reason.

The more unused, unloved accounts you’ve got hanging around, the more targets would-be hackers have got to aim at. It’s therefore good practice to tidy up the digital trail you leave behind you, and shut down accounts you’re not regularly using. Unfortunately, there’s no big button you can press to do this all at once, but with a little bit of detective work and a few minutes of your spare time, you can effectively erase your tracks.

Subject: Cheap automatic license plate readers are creeping into neighborhoods
Source: Slate

Cheap surveillance software is changing how landlords manage their tenants and what laws police can enforce.

Automatic license plate readers, or ALPRs, have been part of law enforcement’s toolkit for well over a decade. However, the technology has evolved rapidly in the past couple of years, radically changing who is able to access ALPRs and what they’re able to do with them. Startups like OpenALPR (recently acquired by Rekor) and Flock Safety have jumped into the scene. The software now can read much more than license plates. It can detect dents on cars. It can search for specific bumper stickers and for Lyft tags. And while until recently, acquiring ALPRs meant buying custom-built cameras that cost at least $10,000 a pop, OpenALPR is strictly a software company. Its system works with any internet-enabled camera (one user I spoke to purchased “really good” cameras for less than $150 each), and licenses cost less than $100 per device. Matt Hill, founder of OpenALPR, says that one city (he wouldn’t name it) recently purchased 1,000 licenses. The city already had traffic cameras in place, so all it had to do was buy the software.

As automatic license plate readers proliferate in smaller towns and redder states, there are not always organizations in place ready to push back against them. And this means that police and property managers are left to regulate themselves. Sara Rose is an attorney for the Pennsylvania ACLU in Allegheny County, and she’s been involved in a bill that would provide some basic restrictions on ALPR in her state (although not nearly enough, in her opinion). I asked her if she was aware of the “complaint” about misconduct that Hudson had mentioned to me. She hadn’t been. “But I think it shows the need for government entities to put policies in place to prevent misuse of this technology before they start using it rather than after the fact,” she told me. “We’re just missing very basic limits on what police can do with this.”

Subject: Some providers fear ‘brave new world’ of freed patient health data

Hospital executives, with some support in Congress, are lobbying for more regulation to protect health information from unscrupulous data mongers. But HHS is pushing forward with rules that leave that responsibility in patients’ hands.

As federal rule-makers grapple with making patient data more easily shareable, some health leaders fear that their actions could lead to a proliferation of apps selling or exploiting medical data. They worry that patients are likely to sign away their rights to data — perhaps including detailed family histories — without realizing what they’re doing.

“There’s going to be new apps coming online every single day,” said Steven Lane, clinical informatics director of Sutter Health and a member of ONC’s HIT Advisory Committee. Patients should be able to access their data, but “most patients who are using these tools don’t fully understand the privacy implications.”

Patients may not understand the boundaries of HIPAA, said Leslie Krigstein, a vice president of the College of Healthcare Information Management Executives. CHIME backs a section of the Lower Health Care Costs Acts of 2019 calling for a GAO report on privacy protections for health data, and has urged Congress to ensure that health data shared with third-party apps is secure and private.

The Office for Civil Rights, which enforces HIPAA, has stated that providers aren’t responsible for what third-party apps do with patient data if the patient agrees to share it, McGraw noted. Under FTC rules, apps are required to abide by clear privacy policies and to report security breaches, she said. “It is not the case that there is no cop on the block.”

Subject: Army researchers develop metrics for cyber defenders’ agility
Source: FCW

Army researchers have developed a cyber agility framework – a new way to train defensive cyber operators to thwart attackers.

As with a set of rules or an algorithm, application of the framework can help organizations better understand the effectiveness of their cybersecurity efforts. It also serves as a foundation for developing software.

“Historically, when dealing with cybersecurity, analysts are looking at screens full of numbers, trying to identify where, and what kind of, cyberattacks are taking place by looking for patterns,” Purush Iyer, division chief of network sciences at Army Research Office, which is a part of Army Research Laboratory, told FCW. “The cyber agility framework offers a better way of identifying (and predicting) attacks, by taking into account past history of traffic, and allowing an analyst to concentrate on higher order reasoning. It’s a big step in enhancing cybersecurity predictability.”

The framework uses a suite of 14 metrics to measure agility based on timeliness and effectiveness, he said, namely how long it takes for a cyber defender to counter an attacker and adapt. Xu said cyber practitioners can use the framework on real-world cyber datasets — even classified or sensitive ones.

Subject: School cyberattacks more common as educational tech grows
Source: The AP via

Over six weeks, the vandals kept coming, knocking the school system’s network offline several times a day.

There was no breach of sensitive data files, but the attacks in which somebody deliberately overwhelmed the Avon Public Schools system in Connecticut still proved costly. Classroom lesson plans built around access to the internet had come to a halt.

“The first time I called the FBI, their first question was, ‘Well, what did it cost you?’” said Robert Vojtek, the district’s technology director. “It’s like, ‘Well, we were down for three quarters of a day, we have 4,000 students, we have almost 500 adults, and teaching and learning stopped for an entire day.’ So how do you put a price tag on that?”

This story was reported by The Associated Press.

Subject: Casting the Dark Web in a New Light
Source: MIT Sloan Management Review via beSpacific

MIT Sloan Management Review – By examining cybercrime through a value-chain lens, we can better understand how the ecosystem works and find new strategies for combating it. “…Attackers always seem to be one or two steps ahead of the defenders. Are they more technically adept, or do they have a magical recipe for innovation that enables them to move more quickly? If, as is commonly believed, hackers operated mainly as isolated individuals, they would need to be incredibly skilled and fast to create hacks at the frequency we’ve seen. However, …

Subject: The catastrophic data leak via browser extensions
Source: DataSpii via beSpacific

DataSpii: The catastrophic data leak via browser extensions Sam Jadali – Abstract – “We present DataSpii (pronounced data-spy), the catastrophic data leak that occurs when any one of eight browser extensions collects browsing activity data — including personally identifiable information (PII) and corporate information (CI) — from unwitting Chrome and Firefox users. Our investigation uncovered an online service selling the collected browsing activity data to its subscription members in near real-time. In this report, we delineate the sensitive data source types relevant to the security of individuals and businesses across the globe. We observed two extensions employing dilatory tactics …