Pete Recommends – Weekly highlights on cyber security issues, November 2, 2019

Subject: PennDOT won’t give drivers license information to U.S. Census
Source: WPMT FOX43

Pennsylvania’s Department of Transportation is denying a request from the U.S. Census Bureau for drivers license data.

In a letter to the Bureau, Department Secretary Leslie Richards states, “we have reviewed the request and will not be participating in the project.”

PennDOT spokesperson Alexis Campbell said of the request, which asked for 5 years’ worth of information, “it was a lot of data that they asked for.”

Campbell said the Census Bureau claimed it wanted the information from Pennsylvania and other states for a data sharing program and for statistical purposes. But PennDOT turned down the request because “PennDOT has a responsibility under federal and state law to be stewards of the Commonwealth’s drivers license data. And, we didn’t feel like their request was something we needed to comply with.”

Subject: ‘SIM-swap’ scams expose risks of using phones for secondary I.D.
Source: FTC via WHYY

Once scammers control your number, they can get your text messages — including the verification codes many online services send when customers reset their passwords.

These are different from verification codes generated by two-factor apps or hardware keys, which are more secure because they don’t depend on a phone number. But companies often use the text-message version because it’s simple to use.

Bennett says the scammers used text-message verification codes to get into his email accounts, and from there it was open season.

“Phone numbers have suddenly become valuable,” says Allison Nixon, director of security research at Flashpoint, a company that tracks cyber crime. She says phone numbers have become an irresistible target for scammers because so many companies now use the numbers to help confirm customers’ identities.

“Financials, health care, social media, email — all of these different companies, by policy, require a phone number from you. And that’s what creates the vulnerability,” Nixon says.

Here’s what you can do to protect yourself from a SIM card swap attack:

Subject: VA Left Vets Vulnerable to Identity Theft
Source: Washington Free Beacon

The Department of Veterans Affairs illegally granted roughly 25,000 people access to veterans’ personal information including social security numbers, addresses, and medical histories, according to a government watchdog.

The agency’s inspector general found that numerous VA and agency-affiliated employees across the country had access to sensitive information stored on unprotected shared servers, even if they had no official reasons to be privy to such information. Those practices left veterans “at significant risk” of having their identities misused or stolen.

Subject: A Health Care Algorithm Offered Less Care to Black Patients
Source: WIRED

Care for some of the sickest Americans is decided in part by algorithm. New research shows that software guiding care for tens of millions of people systematically privileges white patients over black patients. Analysis of records from a major US hospital revealed that the algorithm used effectively let whites cut in line for special programs for patients with complex, chronic conditions such as diabetes or kidney problems.

The hospital, which the researchers didn’t identify but described as a “large academic hospital,” was one of many US health providers that employ algorithms to identify primary care patients with the most complex health needs. Such software is often tapped to recommend people for programs that offer extra support—including dedicated appointments and nursing teams—to people with a tangle of chronic conditions.

Researchers who dug through nearly 50,000 records discovered that the algorithm effectively low-balled the health needs of the hospital’s black patients. Using its output to help select patients for extra care favored white patients over black patients with the same health burden.


Subject: The Ransomware Superhero of Normal, Illinois
Source: ProPublica

Thanks to Michael Gillespie, an obscure programmer at a Nerds on Call repair store, hundreds of thousands of ransomware victims have recovered their files for free.

The FBI and local law enforcement agencies have had little success in curbing ransomware. Local departments lack the resources to solve cybercrime, and the ransoms demanded have often been below the threshold that triggers federal investigations. Security researchers like Gillespie have done their best to fill the gap. There are almost 800 known types of ransomware, and Gillespie, mostly by himself but sometimes collaborating with other ransomware hunters, has cracked more than 100 of them. Hundreds of thousands of victims have downloaded his decryption tools for free, potentially saving them from paying hundreds of millions of dollars in ransom.

“He took that deep dive into the technical stuff, and he just thrives on it,” said Lawrence Abrams, founder of a ransomware assistance website called “Every time a new ransomware comes out, he checks it out. ‘Can it be decrypted? Yes, it can be decrypted. OK, I’ll make the decryptor.’ And it’s just nonstop. He just keeps pumping them out.”

Subject: Comcast Trying to Stop Google From Encrypting Browsing Histories: Report
Source: Motherboard via Multichannel News

According to a presentation intercepted by Motherboard, the cable operator and other ISPs are lobbying to stop a scheme that would limit what ISPs could see about their customers.

Comcast is lobbying the U.S. government to stop Google from implementing a plan that would make it harder for internet service providers to see their customers’ browsing history.

Last week, Vice-run website Motherboard reported that it had intercepted a lobbying presentation, allegedly prepared by Comcast and other ISPs, objecting to the plan, which also involves Mozilla, maker of the popular Firefox browser.

Under the plan, Google and Mozilla would encore the encryption of DNS data made using the Chrome and Firefox browsers, respectively.

Privacy activists have praised the move. But according to Motherboard, ISPs including Comcast say, “This change would make a fundamental shift in the decentralized nature of the internet’s architecture and give one provider control of internet traffic routing and vast amounts of new data about customers and competitors.”


Subject: Religious-Based Hate Crimes: DOJ Needs to Improve Support to Colleges Given Increasing Reports on Campuses
Source: U.S. GAO

Religious-based hate crimes are on the rise on America’s college campuses, according to data from the Departments of Education and Justice.

DOJ offers publications, webpages, and educational activities to help colleges and campus law enforcement monitor and address these crimes. However, much of DOJ’s information is outdated and difficult to find in one place. In addition, many colleges are unaware of what resources are available.

We recommended that DOJ update, centralize, and share its information to make it easier to use.

Subject: US proposes cutting off funds for Chinese telecom equipment
Source: AP via Yahoo

U.S. regulators have proposed cutting off funding for Chinese equipment in U.S. telecommunications networks, citing security threats.

The Federal Communications Commission will vote next month on a proposal to bar telecom companies from using government subsidies to pay for networking equipment from Huawei and ZTE. The move mostly affects small, rural companies, as larger U.S. wireless companies do not use equipment from those Chinese companies.

The agency is also exploring the impact of requiring companies to rip out their current Huawei and ZTE equipment. The government is seeking comments on how it can help companies financially if they have to do that. Bills in Congress have proposed setting $700 million to $1 billion aside for telecom companies to replace their networks.

Subject: Microsoft Reports Global Cyberattacks on Sporting and Anti-Doping Organizations from Russian Espionage Actors
Source: DHS CISA via CERT

Microsoft publicly released information revealing an uptick in cyberattacks globally targeting anti-doping authorities and sporting organizations. The Microsoft Threat Intelligence Center (MSTIC) routinely tracks malicious activity originating from the Russian advanced persistent threat (APT) group 28, also known as Fancy Bear, STRONTIUM, Swallowtail, Sofacy, Sednit, and Zebrocy. According to Microsoft, APT28 is targeting sporting and anti-doping organizations using spearphishing, password spraying (a brute force technique), fake Microsoft internet domains, as well as open-source and custom malware to exploit internet-connected devices…
