Pete Recommends – Weekly highlights on cyber security issues December 29, 2019

Dear Readers:

Issue V2#48 represents the 100th publication of the column Pete Recommends – Weekly highlights on cyber security issues here on LLRX.

Each posting is from my (longer) email security Newswire which is a LISTSERV-based distribution list.  For the most part, each item is selected from various security, privacy, and cyber-related RSS feeds.

The postings for each weekly column are edited and curated by Sabrina I. Pacifici, solo founder/editor/publisher of LLRX.

The sources for each posting are referenced at the beginning of each summary and include information at the end of the summary that provides additional content – both on the web and via RSS feeds.

The full archives of Pete Recommends and some other topics including RSS usage can be found here: https://llrx.com/author/pete-weiss/.

Of course, it too has an RSS feed: https://llrx.com/author/pete-weiss/feed/

Regards,

Pete Weiss, Penn State, Systems Engineer for Teleprocessing, retired.

Editor’s note – it is a singular honor for LLRX to publish this column by Pete Weiss every week. His expert focus on identifying current and emerging threats to our privacy, in every sphere, is an asset to LLRX readers. His knowledge contributes to the choices we can and should make when buying, installing, and agreeing to (yes, read the very long fine print section) use a myriad of gadgets, gizmos, apps, products and services served up by Big Tech. Look all around – inside our homes, on the streets and highways, in our offices, schools, public and private buildings, hospitals, airports, stores (online and brick and mortar) and well, everywhere – we are being tracked and monitored. Data that identifies us in multifaceted ways – where and when we travel, what we buy, eat, read, the content of our medical records – and what we share on social media…and with whom, 24 hours a day – is aggregated, sold and used for profit, without our express agreement or for the most part, our knowledge. As we welcome the new year, I am grateful that Pete will continue to inform LLRX readers about how and why new technologies have the potential to impact us, and the choices we can make in response to the “new normal.”

Subject: Facebook says a pro-Trump media outlet used artificial intelligence to create fake people and push conspiracies
Source: NBC News
https://www.nbcnews.com/tech/tech-news/facebook-says-pro-trump-media-outlet-used-artificial-intelligence-create-n1105951

The accounts pushed anti-impeachment and pro-Trump messages while otherwise posing as everyday Americans. Sometimes the accounts featured obvious errors. One moderator of a popular “BL” page was named “Ellen Dancey,” but featured an AI-generated face of a man. Dancey’s sole post to his profile page read “Hello, wellcom to my face book.”

Gleicher said using the AI-generated faces was more likely to get the bad actors caught than to help mask their identities.

“We detected these accounts because they were engaged in fake behavior. Using AI generated profiles as a way to make themselves look more real doesn’t actually help them,” Gleicher said, adding the fake profiles were more likely to trip automatic sensors of fake accounts. “The biggest takeaway here is the egregiousness of the network in using fake identities.”

Stephen Gregory, publisher of the U.S. editions of The Epoch Times, said in a statement that Epoch Media Group has no connection to BL, noting that it is a part of Epoch Times Vietnam.


Subject: Facebook Finally Fixes Its Two-Factor Mess
Source: WIRED
https://www.wired.com/story/facebook-two-factor-wawa-breach-russian-ship-security-news/

Subject: What You’re Unwrapping When You Get a DNA Test for Christmas
Source: The New York Times
https://www.nytimes.com/2019/12/22/science/dna-testing-kit-present.html

To what extent is gifting a DNA test also a present for law enforcement?

So what do these developments mean for that DNA kit sitting under your Christmas tree? Men’s Journal calls them “one of the hottest gifting ideas,” and US Weekly promises that “they’re going to love it, no matter how tough of a critic they are.” But is using one of these kits also opening the door to letting the police use your DNA to arrest your cousin?

The answer in this rapidly evolving realm depends largely on which sites you join and the boxes you check off when you do. And even if you never join any of these sites, their policies could affect you so long as one of your 800 closest relatives has.

Longer answer: Each of these databases is big enough to identify nearly all 300 million Americans’ DNA through their cousins, researchers have found. This makes them a tantalizing tool for law enforcement officials, who say the data could help them solve thousands of violent crimes and identify unknown victims if only they could put a name to associated DNA.

To identify a suspect’s blood, for example, investigators do not need to find the person who cut his hand smashing through a window. They just need to match to a couple of his second or third cousins in a DNA database. From there, a genetic genealogist can puzzle out how these cousins are related to one another and the suspect by building out a series of family trees. Often this leads to an arrest.


Subject: DNS Over HTTPS: Not As Private As Some Think?
Source: Slashdot
DNS over HTTPS has been hailed as part of a “poor mans VPN”. Its use of HTTPS to send DNS queries makes it much more difficult to detect and block the use of the protocol. But there are some kinks in the armor. Current clients, and most current DoH services, do not implement the optional passing option, which is necessary to obscure the length of the requested hostname. The length of the hostname can also be used to restrict which site a user may have access [to]. The Internet Storm Center is offering some data to show how this can be done.
Their article is by Johannes B. Ullrich, Ph.D. and Dean of Research at the SANS Technology Institute. It notes that Firefox “seems to be the most solid DoH implementation. Firefox DoH queries look like any other Firefox HTTP2 connection except for the packet size I observed.” And an open Firefox bug already notes that “With the availability of encrypted DNS transports in Firefox traffic analysis mitigations like padding are becoming relevant.”

Subject: Fake and dangerous kids products are turning up for sale on Amazon
Source: CNN Wire via WPMT FOX43
https://fox43.com/2019/12/23/fake-and-dangerous-kids-products-are-turning-up-for-sale-on-amazon/

Under current US case law, Amazon is not liable when third-party products sold on its site directly infringe on intellectual property or have safety defects. The liability lies with the third-party seller. This is fundamentally different from how the law treats brick-and-mortar retailers like Target or Walmart or even your corner grocery. If you find a product at a physical store that infringes on your trademark, or you buy something defective there, you can sue the store even though they didn’t make the product. Counterfeits are a problem for many ecommerce platforms, not just Amazon, but Amazon is the world’s largest ecommerce platform and its dominance is growing.


Subject: Ring’s Security Woes Cause Some Tech Review Sites to Rethink Glowing Endorsements
Source: Gizmodo
https://gizmodo.com/rings-security-woes-cause-some-tech-review-sites-to-rec-1840634944

At least two tech review sites are discussing whether to rescind their positive recommendations of Ring’s home surveillance cameras, a leading digital-rights organization announced this week. In the wake of reporting by Gizmodo and other outlets this year concerning Ring’s troubled security and privacy practices, Fight for the Future has launched a campaign calling on tech review sites, such as Consumer Reports and PC Magazine, to suspend recommending Ring products.

“Tech reviews and guides play an important role in people deciding which devices to buy,” said Evan Greer, deputy director of Fight for the Future.

Ring has placed the blame for these incidents on the device owners themselves, saying they failed to adopt unique passwords or make use of the two-factor authentication security feature offered by the company. Ring otherwise says its devices are helping to curb crime in neighborhoods by dissuading package thieves and would-be burglars.

A group of U.S. senators—worried that control of Amazon’s vast surveillance network could fall into the hands of hackers and foreign spies—expressed their concerns about Ring to Amazon CEO Jeff Bezos in a letter last month. “Ring devices routinely upload data, including video records, to Amazon’s servers. Amazon therefore holds a vast amount of deeply sensitive data and video footage detailing the lives of Americans in and near their homes,” the letter said.



Subject: The privacy worries with smart cities
Source: Axios via beSpacific
https://www.bespacific.com/the-privacy-worries-with-smart-cities/

Axios – Momentum for smart cities projects, which has been fed by big promises from industry and big hopes in government, is slowing down in the face of a wave of public skepticism.

Driving the news: Alphabet-owned Sidewalk Labs, which has proposed a futuristic smart-city development for Toronto’s waterfront, has pledged not to sell personal data collected at the project or use it for advertising to assuage privacy concerns. Instead, if the plan is approved, local government entities will take the lead on managing data.

Context: “The U.S. has a general optimism that technology can make our lives easier if used in right way. But that’s countered by mistrust of intentions or capabilities of state and local governments,” said Todd Daubert, chair of the communication and technology practice at Dentons, a law firm that works on smart city developments. There’s also distrust of the tech companies that see cities as a huge market for selling their data-guzzling tools.

beSpacific Subjects: E-Commerce, E-Records, Economy, Internet, Knowledge Management, Legal Research, Privacy, Social Media

Axios RSS: https://api.axios.com/feed/technology/


Subject: Smart Home Tech, Police, and Your Privacy: Year in Review 2019
Source: EFF via beSpacific
https://www.bespacific.com/smart-home-tech-police-and-your-privacy-year-in-review-2019/

EFF: “If 2019 confirmed anything, it is that we should not trust the microphones and cameras that large corporations sell us to put inside and near our homes. Thanks to the due diligence of reporters, public records requesters, and privacy researchers and activists, consumers have been learning more and more about how these “smart” home technologies can be hacked, exploited, or utilized by the police and other law enforcement agencies. Because many technologies that record audio and video store their data on a cloud maintained by the company, police can gain access to stored content by presenting a warrant to those companies—bypassing consumers altogether. For instance, in November, police in Florida obtained a warrant for the recordings from an Amazon Echo that may have overheard a crime. This means that whether people think their Alexa is listening or not, their Alexa could be listening. Because Amazon stores and maintains that data, things said in the device’s presence can be made accessible to police via a warrant presented to the company…”


Subject: Ring and Amazon sued in federal court over security concerns
Source: Business Insider
https://www.businessinsider.com/ring-amazon-sued-federal-court-security-hacking-2fa-2019-12

  • Home camera maker Ring and parent company Amazon have been sued in federal court in California over claims that they failed to protect users’ privacy and security.
  • The lawsuit alleges that, as a manufacturer of security products, Ring failed to meet its “most basic obligation by not ensuring its Wi-Fi enabled cameras were protected against cyber-attack.”
  • It also argues that Ring and Amazon sought to avoid responsibility by blaming users for not implementing proper security measures despite knowing the risks of not requiring things like two-factor authentication.

Home security camera maker Ring and parent company Amazon are facing a lawsuit in federal court that claims that they failed to implement proper security measures in their products, leaving users vulnerable to cyberattacks.



Subject: New Tech Opens New Doors for Public Safety
Source: Route Fifty
https://www.routefifty.com/public-safety/2019/12/new-tech-public-safety/162060/

COMMENTARY | The growing use of artificial intelligence will offer cities more advanced methods to detect safety and security threats. In 2018, the Center for Homeland Defense and Security reported 110 K-12 school shooting incidents. That’s more than twice as many as the year prior and a record high since the center began compiling data on school shootings in 1970. Alarming statistics like these signal that it’s time to examine the old methods of detecting and mitigating danger in schools and other municipal infrastructure with a more critical eye.

Cities are beginning to recognize the need for newer, more technologically advanced methods of detecting both violent and nonviolent threats—and that also means reevaluating previous advances by asking how can we embrace new technology.

The revolution in artificial intelligence over the last few years has fueled the development of new security methods. Three new technologies, in particular, can help keep cities, residents and municipal buildings safer…

Posted in: AI, Civil Liberties, Cybercrime, Cybersecurity, Economy, Privacy, Social Media