Pete Recommends – Weekly highlights on cyber security issues, October 12, 2019

Subject: Law enforcement officials warn Facebook off its encryption plans
Source: NPR via WHYY

The Justice Department is asking that Facebook hold off on its plans to fully encrypt its messaging services. In an open letter to the company’s CEO, Mark Zuckerberg, federal law enforcement officials and their counterparts in the U.K. and Australia said the end-to-end encryption proposal would block their access to users’ communications and interfere with their “ability to stop criminals and abusers in their tracks.”

At a summit Friday at the department’s headquarters in Washington, D.C., FBI Director Christopher Wray said court-authorized investigators must be able to view suspects’ communications — particularly to protect children from predators who film and disseminate images of sexual abuse.

Subject: Senators urge FTC not to weaken children’s online privacy protections
Source: UPI

The group of senators, which include Sens. Marsha Blackburn, R-Tenn., Richard Blumenthal, D-Conn., Josh Hawley, R-Mo., and Ed Markey, D-Mass., said they agree the act needs to be updated, but they’re worried the FTC doesn’t understand the threat “giant tech companies pose to children and parents.”

The senators cited a recent FTC settlement with Google “over blatant, widespread violations of COPPA,” and accused the agency of not including “sufficient structural injunctions to prevent future violations by Google.”

“Now is not the time to pull back,” the senators wrote. “As children’s use of technology continues to increase, so too does the appetite by tech giants for children’s personal information.”

Subject: FBI investigating if attempted 2018 West Virginia voting app hack was linked to Michigan college course
Source: CNNPolitics

The sources told CNN that the FBI is investigating a person or people who tried to hack the app as a part of a University of Michigan election security course. Michigan is one of the main academic hubs of election security research in the country, housing the trailblazing Michigan Election Security Commission.

The office of West Virginia Secretary of State Mac Warner had previously communicated to Stuart that suspicious activity against the Voatz app came from IP addresses associated with the University of Michigan, one of the people familiar with the matter told CNN.

The FBI inquiry stemmed from a particular incident in the Michigan course, where students examined current and proposed mobile voting technology but were instructed not to meddle in existing election infrastructure, according to a person familiar with the matter. This spring, one of the students emailed their professors to say the FBI had obtained a search warrant for their phone, one of the people familiar with the matter said.

The matter highlights one of the most contentious issues in cybersecurity research: One of the best ways to find potential vulnerabilities in software is to have a researcher try to think like a hacker and try to break in. But the US’ primary hacking law, the Computer Fraud and Abuse Act, is strict and carries strong penalties for someone found to have gained “unauthorized access” to a system.

Subject: 10 Tips to Avoid Leaving Tracks Around the Internet
Source: The New York Times via beSpacific

The New York Times – “Google and Facebook collect information about us and then sell that data to advertisers. Websites deposit invisible ‘cookies’ onto our computers and then record where we go online. Even our own government has been known to track us. When it comes to digital privacy, it’s easy to feel hopeless. We’re mere mortals! We’re minuscule molecules in their machines! What power do we possibly have to fight back?…” David Pogue offers good suggestions – remember – they will not work unless you implement them, and update them often.

Subject: New Report: “World’s First Deepfake Audit Counts Videos and Tools on the Open Web”
Source: IEEE Spectrum via LJ infoDOCKET

From IEEE Spectrum: If you wanted to make a deepfake video right now, where would you start? Today, an Amsterdam-based startup has published an audit of all the online resources that exist to help you make your own deepfakes. And its authors say it’s a first step in the quest to fight the people doing so. In weeding through software repositories and deepfake tools, they found some unexpected trends—and verified a few things that experts have long suspected.

The deepfake apocalypse has been lurking just over the horizon since about 2017.

See Also: Mapping the Deepfake Landscape (via Deeptrace)

Subject: Proving You’re You: How Federal Agencies Can Improve Online Verification
Source: WatchBlog: Official Blog of the U.S. GAO

So much of how we collect and share information in today’s world is done online. We get our news. We do our shopping and banking. We book appointments. And online access has even made it easier for us to apply for benefits and services within the federal government. But just how safe is our information out there in the federal cyber world?

In today’s WatchBlog, we look at our report on federal online verification processes. Read on and listen to our podcast with Nick Marinos, a director in our Information Technology & Cybersecurity team.

How the federal government is responding

This fraud risk prompted the National Institute of Standards and Technology to issue guidance in 2017 that prohibits federal agencies from using such knowledge-based verification processes for sensitive applications. Alternative methods are available that offer stronger security, such as comparing a photo of an ID card captured on a cell phone to documentation on file.

Until these agencies take steps to eliminate their use of knowledge-based verification, however, the public that they serve may remain at increased risk of identity fraud. We made 6 recommendations, including that the National Institute of Standards and Technology provide guidance on implementing these alternative methods. The U.S. Postal Service has recently addressed one of our recommendations by implementing a remote identity verification solution for its Informed Delivery service that does not rely on knowledge-based verification.

Check out our report to learn more.

Pete’s Questions: How do you prove that you are not “you”? I.e., if someone steals your identity, proving that you are not the person who did the nasty deeds? Corollary: if you are IDed as somebody else, proving that you are not them. And, will it matter to the investigator?

Subject: N.J. high court weighs science behind drug recognition experts
Source: WHYY

The New Jersey Supreme Court is deciding whether to take a closer look at a methodology long used by police officers to charge people with driving under the influence of drugs.

Law enforcement officials say the protocol is crucial to securing drugged driving convictions since toxicology tests for drugs are unreliable. But defense attorneys and civil rights advocates argue the method is not based on science and should be banned as expert testimony in court.

Subject: Americans and Digital Knowledge
Source: Pew Research Center

For example, just 28% of adults can identify an example of two-factor authentication – one of the most important ways experts say people can protect their personal information on sensitive accounts. Additionally, about one-quarter of Americans (24%) know that private browsing only hides browser history from other users of that computer, while roughly half (49%) say they are unsure what private browsing does.

Subject: Decades-old code is putting millions of critical devices at risk
Source: WiReD via The RISKS Digest Volume 31 Issue 45

Gabe Goldberg, Wed, 2 Oct 2019 23:49:58 -0400

Nearly two decades ago, a company called Interpeak created a network protocol that became an industry standard. It also had severe bugs that are only now coming to light.

In early August, the enterprise security firm Armis got a confusing call from a hospital that uses the company’s security monitoring platform. One of its infusion pumps contained a type of networking vulnerability that the researchers had discovered a few weeks prior. But that vulnerability had been found in an operating system called VxWorks—which the infusion pump didn’t run.

Hospital representatives wondered if it was just a false positive. But as Armis researchers investigated, they started to see troubling signs of a connection between VxWorks and the infusion pump’s operating system. What they ultimately discovered has disturbing implications for the security of countless critical systems—patient monitors, routers, security cameras, and more—across dozens of manufacturers.

Today Armis, the Department of Homeland Security, the Food and Drug Administration and a broad swath of so-called real-time operating system and device companies disclosed that Urgent/11, a suite of network protocol bugs, exists in far more platforms than originally believed. These RTOS platforms are used in the always-on devices common to the industrial control or health care industries. And while they’re distinct platforms, many of them incorporate the same decades-old networking code that leaves them vulnerable to denial of service attacks or even full takeovers. There are at least seven affected operating systems that run in countless IoT devices across the industry.

Subject: This mysterious hacking campaign snooped on a popular form of VoIP software
Source: ZDNet via The RISKS Digest Volume 31 Issue 45

Gene Wirchenko, Mon, 07 Oct 2019 10:08:48 -0700

Danny Palmer | 4 Oct 2019
Researchers uncover a campaign that is snooping on call data and recordings of conversations – and could even spoof calls.

selected text:

Security researchers have traced the initial attacks back to between February and July 2018, when an attacker was performing scans on over 600 companies across the world that use Asterisk FreePBX—a popular form of open source VoIP software.

The attacker then went quiet for months before re-emerging this year, targeting a US-based server owned by an engineering company that provides services to the oil, gas and chemical industries.
