Pete Recommends – Weekly highlights on cyber security issues December 7, 2019

Subject: New Chrome Password Stealer Sends Stolen Data to a MongoDB Database
Source: BleepingComputer

A new trojan has been discovered that attempts to steal passwords stored in the Google Chrome browser. While this is nothing unique, what stands out is that the malware uses a remote MongoDB database to store the stolen passwords.This trojan is called CStealer, and like many other info-stealing trojans, was created to target and steal login credentials that were saved in Google Chrome’s password manager.

RSS feed:

article tagged:

Subject: Improving Vulnerability Disclosure Together
Source: DHS – CISA

A VDP directive and you – Today, we are issuing a draft binding operational directive, BOD 20-01, which will require federal civilian executive branch agencies to publish a vulnerability disclosure policy (VDP). A VDP allows people who have “seen something” to “say something” to those who can fix it. It makes clear that an agency welcomes and authorizes good faith security research on specific, internet-accessible systems.

Taxonomy Topics

Subject: Do our algorithms have enough oversight?
Source: FCW

As companies continue to look to leverage artificial intelligence and other innovations in the workplace, tension has arisen between profit-seeking companies and the impact of the technologies they utilize, highlighting the ongoing need for oversight and research. At a Nov. 20, 2019 panel on “Artificial Intelligence At Work” hosted by Workday and Politico, industry experts stressed that while neural networks and other innovations had the ability to streamline or even automate work previously performed by human operators, managers were still needed to step in and make corrections when machines failed to account for human error such as ingrained algorithmic bias.

Subject: Credentialing private-sector emergency workers
Source: GCN

Identification cards available to government organizations for free can help public-safety officials know what private-sector workers – such as facilities staff, IT workers or a safety personnel — are permitted to access affected areas during emergencies. Recognizing that the personnel who need to get around during emergencies and recovery operations extends beyond those with government or medical badges, the Business Network of Emergency Resources (BNET) developed the Corporate Emergency Access System (CEAS) to make it easier for law enforcement officials to verify that someone claiming to be essential company personnel is in fact essential.

To prevent duplication and fakes, CEAS cards are outfitted with holograms and microtext — standard security features in ID cards, Picarillo said.

Subject: California Student Misty Hong Sues TikTok, Claims App and Parent Company ByteDance Are Sending User Data to Servers in China
Source: Reuters via Newser

(Newser) – In March or April of this year, Palo Alto college student Misty Hong says she downloaded the TikTok app, designed to create and share short videos. Now her complaints against the service have turned into a class-action lawsuit, alleging that TikTok has secretly taken user data and transferred it without users’ knowledge to servers in China, Reuters reports. Hong’s suit, filed Wednesday in California federal court, claims TikTok and parent company ByteDance covertly “vacuumed up and transferred to servers in China vast quantities of private and personally identifiable user data.” Per the Daily Beast, which first reported on the the suit, the complaint also says (an app that merged with TikTok in August 2018) also secretly scooped up such user data as location, age, phone numbers, and browsing histories, then allegedly sent that data to servers in China.

Subject: A security expert found that Apple’s latest iPhone can still track your location data, even if you toggle it off for every app
Source: Business Insider

  • Apple acknowledged that the iPhone 11 Pro can still collect location data when users tell it not to.
  • Location data can be turned off, but when location services are allowed but toggled off for every individual app and service, Apple will collect the data.
  • Security expert Brian Krebs first noticed this discrepancy, and others have had similar experiences.

Here’s what Apple’s policy says:

“If Location Services is on, your iPhone will periodically send the geo-tagged locations of nearby Wi-Fi hotspots and cell towers (where supported by a device) in an anonymous and encrypted form to Apple, to be used for augmenting this crowd-sourced database of Wi-Fi hotspot and cell tower locations.”

An Apple spokesperson responded to Krebs, saying that this was “expected behavior” and that the company doesn’t see any “security implications.” Apple did not immediately respond to Business Insider’s request for comment.

On Apple’s privacy page, the company goes even further, describing privacy as a “fundamental human right” and “core value.” The company states: “We design Apple products to protect your privacy and give you control over your information. It’s not always easy. But that’s the kind of innovation we believe in.”

Subject: How a National Lab is Securing Electric Vehicles and Smart Cars of the Future
Source: Nextgov

The reality of an all-connected world with interacting autonomous vehicles and heaps of communicating internet of things devices has yet to take effect—but researchers at Argonne National Laboratory are already working to outpace sophisticated cyber threats of the future.In a conversation with Nextgov Monday, Cybersecurity Analyst Roland Varriale offered an overview of several of the lab’s efforts to secure conventional, autonomous and electric vehicle ecosystems and guard against unseen risks.

“We’re looking at security more holistically—a lot of the time it’s more pigeonholed, almost like whack-a-mole, where we are looking for very specific solutions for very specific problems,” Varriale said. “But I think as a national lab, we should be looking at the larger problems, the more influential problems that drive the industry.”

Partly funded through the Energy Department’s Vehicle Technologies Office, the researchers could create a sort of blueprint for securely deploying such structures. Varriale said the hope is to ensure connections are installed properly and, ultimately, to define the sort of security measures that should be put in place to ensure they won’t be compromised.

“So a person that comes up and wants to charge their vehicle can’t maybe compromise the charging station and then from there pivot inside to the building’s network—and then cause any sort of malicious actions,” he said. Insiders anticipate soon publishing at least one paper on the work.

[sort of like open USB charging ports? hopefully the vehicle dealer techs can still customize for the new owner /pmw1]


Subject: The United States House Has Approved a New Anti-Robocall Bill
Source: Cord Cutters News

Today the United States House voted 417-3 to approve an anti-robocall bill that would help change rules to make it easier to crack down on unwanted calls. This new bill helps address problems with robocalls by strengthening penalties for intentional robocalling in violation of the prior consent requirement.The bill also requires telephone service providers to implement effective mechanisms for determining whether the number appearing on a call is authentic. If it is not an authentic call you will no be alerted.

The bill also requires providers to enable the option to block robocalls that cannot be authenticated.

filed in All News

Subject: Facebook Asks Supreme Court to Review Face Scan Decision
Source: EPIC
Facebook has filed a petition asking the Supreme Court to review a decision that allows lawsuits against Facebook for the unlawful collection of facial images. In Patel v. Facebook, the Ninth Circuit held that that an Illinois biometrics law protects “concrete privacy interests” and that violations of the law “pose a material risk of harm to those privacy interests.” EPIC filed an amicus brief in the case, arguing that users can sue companies that violate rights protected by privacy laws. EPIC has long advocated for limits on the use of biometric data and has opposed Facebook’s use of facial recognition software. EPIC and others recently called for a global moratorium on facial recognition. EPIC recently launched a campaign and resource page to ban face surveillance.

Subject: 50 countries ranked by how they’re collecting biometric data and what they’re doing with it
Source: comparitech via beSpacific

comparitech: “From passport photos to accessing bank accounts with fingerprints, the use of biometrics is growing at an exponential rate. And while using your fingerprint may be easier than typing in a password, just how far is too far when it comes to biometric use, and what’s happening to your biometric data once it’s collected, especially where governments are concerned? Here at Comparitech, we’ve analyzed 50 different countries to find out where biometrics are being taken, what they’re being taken for, and how they’re being stored. While there is huge scope for biometric data collection, we have taken 5 key areas that apply to most countries (so as to offer a fair country-by-country comparison and to ensure the data is available). Each country has been scored out of 25, with high scores indicating extensive and invasive use of biometrics and/or surveillance and a low score demonstrating better restrictions and regulations regarding biometric use and surveillance…” [Spoiler – U.S. ranks #4 of top 5 countries using biometric data]beSpacific Subjects: E-Government, E-Records, Privacy

comparitech category


Subject: Expanding GAO’s Science & Technology Expertise
Source: GAO Watchblog

We provide Congress with nonpartisan and fact-based analysis of technological and scientific developments that affect our society, environment, and economy. To enhance our ability to do this, we established the Science, Technology Assessment, and Analytics (STAA) team in January 2019.Today’s WatchBlog looks at our efforts to put more science and technology (S&T) analysis into the hands of Congress.Responding Quickly to Congress’s Priorities

In accordance with our STAA team plan, we have provided state-of-the-art scientific and technical information to the Congress, including:

We are also tackling additional topics to meet Congress’s growing demand for thorough and balanced analysis.

This entry was posted in About GAO, Mission Team, Science and Technology, Technology Assessment

and tagged John Neumann, science, Science Technology Assessment and Analytics, STAA, tech, Tim Persons.

Posted in: AI, Big Data, Communications Law, Congress, Cybercrime, Cybersecurity, Government Resources, KM, Legal Research, Privacy, Social Media, Technology Trends