Pete Recommends – Weekly highlights on cyber security issues, September 22, 2019

Subject: Privacy Tips That Do Less Than You Think
Source: Consumer Reports
https://www.consumerreports.org/privacy/privacy-tips-that-do-less-than-you-think/

We love tips and tricks for protecting your privacy. But some widely repeated techniques aren’t as helpful as you might expect. An online pseudonym, for example, won’t fully conceal your identity. Nor does the incognito mode on your web browser. While both offer some safeguards, it’s important to understand their shortcomings before you use them. The same goes for the other techniques listed below.

“I wouldn’t discourage anyone from taking these steps,” says Justin Brookman, director of privacy and technology policy for Consumer Reports. “You just need to know that they aren’t bulletproof. They’re effective at slowing down infringements on your privacy and security as long as you have a clear picture of their limitations.”

More on Privacy

The Right to Remain Private: Where U.S. Law Lets You Down
30-Second Privacy Fixes: 5 Simple Ways to Protect Your Data
Smart Speakers That Listen When They Shouldn’t
Wipe Data From Your Car Before Selling It
Guide to Digital Security & Privacy


Subject: The Dark Web: A guide for business professionals
Source: Tech Republic via beSpacific
https://www.bespacific.com/the-dark-web-a-guide-for-business-professionals/

“The Dark Web is used to sell stolen data, drugs, and weapons—but it’s also used by legitimate outfits, like news organizations and the UN. This ebook looks at what the Dark Web is and how it affects you. The Dark Web is a network of websites and servers that use encryption to obscure traffic. Dark Web sites require the .onion top-level domain, use non-memorable URL strings, and can be accessed only by using the open source, security-focused Tor browser. Because it’s portable and disposable, Tails, a Linux-based operating system that boots from a flash drive, adds a layer of security to Deep Web activity. Because the tools required to access Dark Web sites help protect user—and server—anonymity, …

beSpacific Subjects: Civil Liberties, Cybersecurity, E-Commerce, E-Government, Legal Research, Search Engines

Tech Republic Resource Library’s Whitepapers:
https://www.techrepublic.com/resource-library/content-type/whitepapers/

TR’s Resource Library RSS feed:
https://www.techrepublic.com/rssfeeds/resource-library/


Subject: Science & Tech Spotlight: Blockchain & Distributed Ledger Technologies
Source: U.S. GAO
https://www.gao.gov/products/GAO-19-704SP

The technology that allows Bitcoin and other cryptocurrencies to function could profoundly change the way government and industry do business. Distributed ledger technology allows the secure transfer of digital assets without management by a central authority. Instead, participants share synchronized copies of a ledger that records assets and transactions. Changes are visible to all participants.

Questions remain about the technology, including where it may be most useful, how best to regulate it, and how to mitigate its use in illegal activities.

Graphic: How blockchain, a form of distributed ledger technology, acts as a means of payment for cryptocurrencies.

Additional Materials:
Full Report:
View Report (PDF, 2 pages)
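The GAO summary above describes the core property of a distributed ledger: every participant holds a synchronized copy, and any change to the recorded transactions is visible to all of them. The following is an added example, not code from the GAO report or from any real ledger, showing the hash-chaining that gives a copy of the ledger that property. Each block commits to the digest of the block before it, so a participant who edits a past transaction in their own copy breaks the link that the next block records, and a participant who edits the most recent block is caught when the copies compare their tips. The participant names, amounts and the "mint" issuer are constructed sample data.

```python
import hashlib
import json
from dataclasses import dataclass
from typing import Dict, List, Tuple

Transaction = Tuple[str, str, int]  # (sender, receiver, amount)
GENESIS_PREV_HASH = "0" * 64        # the first block has no predecessor


@dataclass(frozen=True)
class Block:
    index: int
    prev_hash: str
    transactions: Tuple[Transaction, ...]

    def digest(self) -> str:
        """SHA-256 over a canonical JSON encoding, so every participant
        computes the same digest for the same block contents."""
        payload = json.dumps(
            {"index": self.index, "prev_hash": self.prev_hash,
             "transactions": self.transactions},
            sort_keys=True, separators=(",", ":"))
        return hashlib.sha256(payload.encode("utf-8")).hexdigest()


def append_block(chain: List[Block], transactions: List[Transaction]) -> List[Block]:
    """Return a new chain whose last block commits to the current tip."""
    prev_hash = chain[-1].digest() if chain else GENESIS_PREV_HASH
    return chain + [Block(len(chain), prev_hash, tuple(transactions))]


def verify_chain(chain: List[Block]) -> bool:
    """Re-derive every link from the genesis block forward. An edited block
    changes its digest, which no longer matches the prev_hash stored in the
    block after it."""
    expected_prev = GENESIS_PREV_HASH
    for i, block in enumerate(chain):
        if block.index != i or block.prev_hash != expected_prev:
            return False
        expected_prev = block.digest()
    return True


def balances(chain: List[Block]) -> Dict[str, int]:
    """Replay all transactions to derive each party's balance."""
    totals: Dict[str, int] = {}
    for block in chain:
        for sender, receiver, amount in block.transactions:
            totals[sender] = totals.get(sender, 0) - amount
            totals[receiver] = totals.get(receiver, 0) + amount
    return totals


def build_sample_chain() -> List[Block]:
    """Constructed sample history; 'mint' is a placeholder issuer."""
    chain: List[Block] = []
    chain = append_block(chain, [("mint", "alice", 50)])
    chain = append_block(chain, [("alice", "bob", 20)])
    chain = append_block(chain, [("bob", "carol", 5), ("alice", "carol", 10)])
    return chain


def rewrite_history(chain: List[Block], index: int,
                    transactions: List[Transaction]) -> List[Block]:
    """Simulate one participant editing a past block in their own copy while
    leaving the rest of that copy untouched."""
    edited = Block(index, chain[index].prev_hash, tuple(transactions))
    return chain[:index] + [edited] + chain[index + 1:]


def tips_agree(copies: Dict[str, List[Block]]) -> bool:
    """Participants compare only the digest of the last block in their copies;
    one differing tip means someone's history diverged."""
    digests = {name: copy[-1].digest() for name, copy in copies.items()}
    return len(set(digests.values())) == 1


if __name__ == "__main__":
    honest = build_sample_chain()
    copies = {
        "alice": honest,
        "bob": honest,
        # carol edits block 1 in her copy to send the 20 to herself
        "carol": rewrite_history(honest, 1, [("alice", "carol", 20)]),
    }
    for name, copy in copies.items():
        print(name, "copy valid:", verify_chain(copy), balances(copy))
    print("all tips agree:", tips_agree(copies))
```

The two checks are complementary: `verify_chain` catches edits to any block except the tip within a single copy, and `tips_agree` catches an edited tip by comparing copies, which is why the synchronization between participants matters as much as the hashing.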


Subject: Colorado becomes first state to ban barcodes for counting votes over security concerns
Source: CNNPolitics
https://www.cnn.com/2019/09/16/politics/colorado-qr-codes-votes/index.html

New York (CNN) Citing security concerns, Colorado has become the first state to stop counting ballots with printed barcodes.

The state’s secretary of state told CNN she felt it was a necessary step to ensure Colorado maintains its position as a national leader on election security. The decision is a further step toward prioritizing the role of the human eye, rather than computers, in counting votes.

In recent years — after researchers have repeatedly demonstrated it’s possible to hack many voting machines in particular circumstances and the US intelligence community detailed Russia’s interference in the 2016 election — both government and industry leaders have reached a general consensus that the US needs to use paper ballots so that elections can be properly audited.

But some states have purchased voting machines that print out a paper receipt with either a QR (short for “quick response”) or a more traditional barcode — something a computer can read, but a human cannot — which can then be easily scanned and tallied to represent a voter’s choices.

But those codes are still controversial and experts warn that even though they’re on paper, elections still need to be audited before results are certified.

“A voter can verify the ovals, the candidates they chose, but how it gets tabulated is actually through an encrypted QR code,” Colorado Secretary of State Jena Griswold told CNN. “Is it really a voter verified paper trail if a voter cannot verify the encrypted QR code?”


Subject: 2019 CWE Top 25 Most Dangerous Software Errors
Source: MITRE via CWE
https://cwe.mitre.org/top25/archive/2019/2019_cwe_top25.html

Introduction – The Common Weakness Enumeration (CWE™) Top 25 Most Dangerous Software Errors (CWE Top 25) is a demonstrative list of the most widespread and critical weaknesses that can lead to serious vulnerabilities in software. These weaknesses are often easy to find and exploit. They are dangerous because they will frequently allow adversaries to completely take over execution of software, steal data, or prevent the software from working. The CWE Top 25 is a community resource that can be used by software developers, software testers, software customers, software project managers, security researchers, and educators to provide insight into some of the most prevalent security threats in the software industry.

To create the list, the CWE Team used a data-driven approach that leverages published Common Vulnerabilities and Exposures (CVE®) data and related CWE mappings found within the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD), as well as the Common Vulnerability Scoring System (CVSS) scores associated with each of the CVEs. A scoring formula was then applied to determine the level of prevalence and danger each weakness presents. This data-driven approach can be used as a repeatable, scripted process to generate a CWE Top 25 list on a regular basis with minimal effort.
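The paragraph above describes the list as the output of a scripted pipeline: count how often each CWE appears in NVD's CVE-to-CWE mappings, weight that by the CVSS scores of those CVEs, and apply a scoring formula. The following is an added example, not MITRE's own script, that reproduces that pipeline on constructed input. The formula it applies is the one MITRE published in the 2019 methodology (normalized frequency times normalized average CVSS, times 100); the CVE identifiers and scores are placeholders made up for the illustration, and the handling of NVD's "NVD-CWE-noinfo"/"NVD-CWE-Other" placeholders is an assumption about how unmapped entries are dropped.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

CveRecord = Tuple[str, str, float]  # (cve_id, cwe_id, cvss_base_score)

# Constructed sample: placeholder CVE ids, real CWE ids used only as labels.
SAMPLE_CVES: List[CveRecord] = [
    ("CVE-0000-0001", "CWE-79", 6.1),
    ("CVE-0000-0002", "CWE-79", 5.4),
    ("CVE-0000-0003", "CWE-79", 6.1),
    ("CVE-0000-0004", "CWE-79", 6.1),
    ("CVE-0000-0005", "CWE-79", 4.8),
    ("CVE-0000-0006", "CWE-119", 9.8),
    ("CVE-0000-0007", "CWE-119", 7.5),
    ("CVE-0000-0008", "CWE-119", 8.8),
    ("CVE-0000-0009", "CWE-119", 9.8),
    ("CVE-0000-0010", "CWE-89", 9.8),
    ("CVE-0000-0011", "CWE-89", 8.8),
    ("CVE-0000-0012", "CWE-798", 9.8),
    ("CVE-0000-0013", "NVD-CWE-noinfo", 7.5),  # no specific weakness mapped
]


def _normalize(values: Dict[str, float]) -> Dict[str, float]:
    """Min-max scale to [0, 1]; a single distinct value maps to 1.0 so a
    degenerate data set does not divide by zero."""
    lo, hi = min(values.values()), max(values.values())
    if hi == lo:
        return {k: 1.0 for k in values}
    return {k: (v - lo) / (hi - lo) for k, v in values.items()}


def score_weaknesses(records: List[CveRecord]) -> Dict[str, float]:
    """Score = Fr(CWE) * Sv(CWE) * 100, where Fr is the normalized share of
    CVEs mapped to the CWE and Sv is its normalized average CVSS score."""
    # Assumption: entries NVD could not map to a specific CWE are excluded.
    mapped = [r for r in records if r[1].startswith("CWE-")]
    counts: Dict[str, int] = defaultdict(int)
    severity_sum: Dict[str, float] = defaultdict(float)
    for _cve, cwe, cvss in mapped:
        counts[cwe] += 1
        severity_sum[cwe] += cvss
    total = len(mapped)
    frequency = {cwe: n / total for cwe, n in counts.items()}
    avg_severity = {cwe: severity_sum[cwe] / n for cwe, n in counts.items()}
    fr = _normalize(frequency)
    sv = _normalize(avg_severity)
    return {cwe: round(fr[cwe] * sv[cwe] * 100, 2) for cwe in counts}


def rank_weaknesses(records: List[CveRecord]) -> List[Tuple[str, float]]:
    """Highest score first; ties broken by CWE id for a stable listing."""
    scores = score_weaknesses(records)
    return sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    for position, (cwe, score) in enumerate(rank_weaknesses(SAMPLE_CVES), 1):
        print(f"{position:2d}. {cwe:8s} {score:6.2f}")
```

Running it on the sample shows a property of the formula worth knowing when reading the list: because both factors are min-max normalized, the most frequent weakness here (CWE-79, which also has the lowest average CVSS) and the most severe one (CWE-798, which appears only once) both score 0, so the ranking rewards weaknesses that are both common and severe rather than either alone.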


Subject: Google Calendar Settings Gaffes Exposes Users’ Meetings, Company Details
Source: Threatpost
https://threatpost.com/google-calendar-settings-gaffes-exposes-users-meetings-company-details/148384/

A configuration setting in Google Calendars does not sufficiently warn users that it makes their calendars public to all, a researcher argues. Google has come under fire for a configuration setting tied to its Google Calendar service, which has left hundreds of calendars inadvertently open to the public – and could potentially expose billions more.

It’s important to note that no actual vulnerability exists in the settings of Google Calendar. What is at issue is the ease of making a privacy blunder when configuring Google Calendar to be shared with others. Researcher Avinash Jain, who detailed the issue in a Tuesday post, asserts that Google’s Calendar settings don’t sufficiently warn users that sharing a Google Calendar with others using a link can expose that calendar to the public – also making the link available to be indexed by Google.

This could lead unsuspecting users to inadvertently expose what they thought was a private Google Calendar to the public. The problem is not new to tech. Similar issues have surfaced around data settings for digital tools and social media sites like Facebook and more. The common thread is that even experienced internet users are sometimes guilty of easily overlooking privacy and data sharing settings that may unintentionally leave private data exposed.

Threatpost topic RSS (sample): https://threatpost.com/category/web-security/feed/


Subject: A facial recognition ban is coming to the US, says an AI policy advisor
Source: MIT Technology Review via beSpacific
https://www.bespacific.com/a-facial-recognition-ban-is-coming-to-the-us-says-an-ai-policy-advisor/

MIT Technology Review: “San Francisco and Oakland, California, and Somerville, Massachusetts, have outlawed certain uses of facial recognition technology, with Portland, Oregon, potentially soon to follow. That’s just the beginning, according to Mutale Nkonde, a Harvard fellow and AI policy advisor. That trend will soon spread to states, and there will eventually be a federal ban on some uses of the technology, she said at MIT Technology Review’s EmTech conference. …

beSpacific Subjects: AI, Civil Liberties, E-Records, Government Documents, Legal Research, Privacy

filed in MIT TR – https://www.technologyreview.com/artificial-intelligence/face-recognition/

MIT TR RSS feeds: https://www.technologyreview.com/rss/


Subject: Secret F.B.I. Subpoenas Scoop Up Personal Data From Scores of Companies
Source: The New York Times
https://www.nytimes.com/2019/09/20/us/data-privacy-fbi.html

The F.B.I. has used secret subpoenas to obtain personal data from far more companies than previously disclosed, newly released documents show.

The requests, which the F.B.I. says are critical to its counterterrorism efforts, have raised privacy concerns for years but have been associated mainly with tech companies. Now, records show how far beyond Silicon Valley the practice extends — encompassing scores of banks, credit agencies, cellphone carriers and even universities.

The demands can scoop up a variety of information, including usernames, locations, IP addresses and records of purchases. They don’t require a judge’s approval and usually come with a gag order, leaving them shrouded in secrecy. Fewer than 20 entities, most of them tech companies, have ever revealed that they’ve received the subpoenas, known as national security letters.



Subject: Associations Go After Google
Source: Cablefax
https://www.cablefax.com/regulation/associations-go-after-google

Google is in the crosshairs of NCTA and lobbying association brethren CTIA and US Telecom. The trio sent a letter Thursday to Commerce, Homeland Security and Judiciary committees expressing concern about a new internet browser protocol that Google intends to implement.

“Google is beginning to implement encrypted Domain Name System lookups into its Chrome browser and Android operating system through a new protocol for wireline and wireless service, known as DNS over HTTPS. If not coordinated with others in the internet ecosystem, this could interfere on a mass scale with critical internet functions, as well as raise data competition issues,” the groups said.


Posted in: AI, Civil Liberties, Cybercrime, Cybersecurity, Economy, Election Law, Financial System, KM, Legal Research, Privacy