Pete Recommends – Weekly highlights on cyber security issues February 1, 2020

Subject: Administration wants online retailers to do more to police counterfeit goods
Source: CNNPolitics
https://www.cnn.com/2020/01/24/politics/dhs-e-commerce-combat-counterfeit-goods/index.html
(CNN) – Officials from the Department of Homeland Security and the White House said Friday that they are taking steps to shift more of the burden of tackling counterfeit goods to e-commerce hubs like Amazon, a response to an April 2019 presidential memo.

Peter Navarro, director of the White House Office of Trade and Manufacturing Policy, said the shift is needed because the onus and cost have been on the government and intellectual property rights holders to “police the internet” for counterfeit goods.

“It just can’t work that way,” he said during a news conference Friday to announce the plans.
The United States loses $300 billion to $500 billion a year to intellectual property theft, Navarro said Friday.

He said that “for all practical purposes, these e-commerce hubs are basically laundries for counterfeiting” and the “thrust here of these recommendations is to get these e-commerce hubs to accept their share of the responsibility.”…

Wolf also called on consumers to inform themselves about the risks associated with counterfeit goods.


Subject: Why Apple needs backdoor access to your iPhone backups on iCloud
Source: USA Today
https://www.usatoday.com/story/tech/columnist/2020/01/26/why-apple-needs-backdoor-access-your-iphone-backups-icloud/4567858002/

When the company behind your smartphone’s software commits to backing up your device’s data online, how far should it go to have your back?A report Tuesday by Reuters on Apple’s iCloud backups brought fresh attention to this question. Citing “six sources familiar with the matter,” reporter Joseph Menn wrote that the firm “dropped plans to let iPhone users fully encrypt backups of their devices in the company’s iCloud service after the FBI complained that the move would harm investigations.

”What that means is that while the contents of your iPhone remain encrypted on Apple’s servers, you don’t have the only key to unlock them – the Cupertino, California, tech giant also has one.The company had announced intentions for full encryption of iCloud backups as far back as 2016. Apple did not comment to Reuters about the apparent reversal, nor did it respond to a USA TODAY query sent Wednesday.

Should you worry about Apple (or an adversary infiltrating its iCloud backup system) being able to unlock your backup for you? Maybe not: Without that fallback, forgetting the password to your backups means losing them forever….

See also related tech articles – https://www.usatoday.com/tech/


Subject: 8 cities that have been crippled by cyberattacks — and what they did to fight them
Source: Business Insider
https://www.businessinsider.com/cyberattacks-on-american-cities-responses-2020-1

  • Ransomware attacks have become a worryingly common threat against public systems including schools and local governments as hackers hold critical data and services hostage for massive ransoms.
  • Major cities like Baltimore and Atlanta have been crippled by such attacks in recent years, and officials have warned that attacks are a disturbing trend that governments must prepare for.
  • Here are some cities that were crippled by ransomware attacks, and what their responses could mean for future strikes.

Subject: If Cops Want Access to Your Data, Google is Making Them Pay
Source: Gizmodo
https://gizmodo.com/google-is-going-to-charge-cops-for-your-data-1841221086

Google announced that it was going to start charging law enforcement authorities for legal data disclosure requests, such as subpoenas and search warrants, related to its users. The company receives thousands of petitions from authorities every year and has decided to charge to help “offset the costs” associated with producing the information.The New York Times reports that Google sent out a notice announcing the new fees, which went into effect on Jan. 13, to law enforcement officials. The fees are legal, as federal law allows companies to charge reimbursement fees for these requests, and they are not new for Google. According to the Times, the company has charged to fulfill legal data requests in the past, and it is not the only company that charges for such work. Cell phone carriers have been charging to fulfill similar legal requests for years.

Google’s “Notice of Reimbursement” documented sent to law enforcement officials listed the following prices for different data requests.

  • Subpoena: $45
  • Order: $150
  • Search warrant: $245
  • PRTT (Pen register or trap and trace) order: $60
  • Wiretap order: $60

The Google spokesman told the Times that the company would not charge for requests in some cases, such as child safety investigations and life-threatening emergencies.


Subject: Jeff Bezos Phone Hacking – WhatsApp Hack – Is WhatsApp Safe?
Source: Popular Mechanics
https://www.popularmechanics.com/technology/security/a30666361/jeff-bezos-whatsapp-hack/

Last week week, The Guardian reported that Mohammed bin Salman, the crown prince of Saudi Arabia, may have been responsible for hacking Amazon CEO Jeff Bezos’s cell phone and extracting information that led to the death of Jamal Khashoggi and the revelations of Bezos’s extramarital affair. The shocking secret is that in order to access all of this information, the billionaire prince simply sent the billionaire CEO a video. When Bezos downloaded the video, he unknowingly downloaded malicious code that then accessed a huge amount of data. Bezos and his team didn’t know about the hack until it was much, much too late. That begs the question: If the richest man in the world’s phone can be hacked, why can’t yours?

Online messaging platforms like WhatsApp are generally more secure than text messaging platforms because they use end-to-end encrypted technology and internet protocols for transferring messages rather than mobile internet connection. They’re highly recommended for general communications as well as the transference of sensitive information—regardless of your net worth. Having safe internet habits like using secure messaging, updating your software, and being careful about what you send and accept makes you safe.

Still, Little Limbago says there are key themes we should all be aware of to protect ourselves from less well-funded, but equally malicious attacks. You should know that…

In the case of Bezos’s WhatsApp attack, the spyware was linked to the firm NSO Group. “There is a growing marketplace for spyware, and private companies across the globe are stepping up to meet this growing demand,” Little Limbago says. “NSO group is just the most prominent, but the Bezos hack demonstrates the market push for hackers-for-hire.”

To check if you’ve been targeted…[following includes detailed steps to identify and remediate]…

“The Bezos incident is a microcosm of how warfare and influence campaigns of the future will be carried out through big, dramatic hacks, like this one, and little, minute, daily hacks,” Eliza Campbell, Associate Director of the Middle East Institute Cyber Program, tells Popular Mechanics. “And we all need to know about and understand both.”

Will Your WhatsApp Be Hacked?

See more Security articles: https://www.popularmechanics.com/technology/security/


Subject: You Are Now Remotely Controlled Surveillance capitalists control the science and the scientists, the secrets and the truth
Source: NYTimes Opinion via beSpacific
https://www.bespacific.com/you-are-now-remotely-controlled/

The New York Times Opinion By Shoshana Zuboff author of The Age of Surveillance Capitalism.
…Privacy is not private, because the effectiveness of these and other private or public surveillance and control systems depends upon the pieces of ourselves that we give up — or that are secretly stolen from us. Our digital century was to have been democracy’s Golden Age. Instead, we enter its third decade marked by a stark new form of social inequality best understood as “epistemic inequality.” It recalls a pre-Gutenberg era of extreme asymmetries of knowledge and the power that accrues to such knowledge…
Follow @privacyproject on Twitter and The New York Times Opinion Section on Facebook and Instagram.

Subject: How Corporate Lawyers Made It Harder to Punish Companies That Destroy Electronic Evidence
Source: ProPublica
https://www.propublica.org/article/how-corporate-lawyers-made-it-harder-to-punish-companies-that-destroy-electronic-evidence

Federal judges were penalizing big companies for destroying emails and other evidence. So the companies lobbied to have the rules changed. Since then, a ProPublica analysis shows, the rate at which judges issue penalties has fallen by more than half.

In the early 2000s, a series of civil lawsuits against giant corporations illustrated the disastrous consequences that could ensue if a defendant failed to provide electronic evidence such as company emails or records. In one suit against tobacco giant Philip Morris in 2004, U.S. District Judge Gladys Kessler concluded that the company deliberately deleted troves of emails that contained incriminating information. She fined the company $2.7 million for the breach, levied $250,000 fines against each of the company supervisors found culpable and barred them from testifying at the trial.Big corporations rallied for changes and got them. In 2006, the rules that govern federal litigation were changed to create a “safe harbor” that would protect companies from consequences for failing to save electronic evidence as long as they followed a consistent policy and, when put on notice of imminent litigation, preserved all relevant materials.

But that harbor, it turned out, wasn’t safe enough. Chipmaker Qualcomm was hit with an $8.7 million fine for destroying evidence in 2008, and the number of such penalties kept climbing. And so lawyers for companies, including Exxon Mobil, General Electric and Microsoft, along with the U.S. Chamber of Commerce, waged a multiyear effort to push for a more permissive rule.

The 2006 rule was open-ended and left much up to the judge. It read in its entirety: “Absent exceptional circumstances, a court may not impose sanctions under these rules on a party for failing to provide electronically stored information lost as a result of the routine, good-faith operation of an electronic information system.” In practice, according to experts, the burden rested on a defendant to prove it hadn’t intentionally destroyed evidence.


Filed under:


Subject: Symposium at U.S. Capitol seeks solutions to election security
Source: PSU News Release
https://news.psu.edu/story/605891/2020/01/29/public-events/symposium-us-capitol-seeks-solutions-election-security
WASHINGTON D.C. — A thriving democracy requires fair elections, but U.S. elections face real threats from multiple sources, including state election infrastructure attacks and social engineering on social media platforms. As the 2020 election approaches, lawmakers, election officials, Congressional staffers, researchers, members of the intelligence communities, academics, candidates and media will come together in the U.S. capital for the first-ever “Hacking the U.S. Election: How Can We Make U.S. Elections More Secure?” symposium to work to secure U.S. elections.

The symposium will be held Feb. 24 at the U.S. Capitol Visitor Center from 8:30 a.m. to 1 p.m.

“This symposium is aimed at promoting bipartisan legislative efforts and supporting the work of state election officials, researchers and the intelligence community to detect and combat these attacks on our electoral process,” said Anne Toomey McKenna, Penn State Dickinson Law’s Distinguished Scholar of Cyber Law and Policy, Penn State Institute for Computational and Data Sciences co-hire, and one of the symposium’s organizers.


Subject: New web service can notify companies when employees get phished
Source:  ZDNet via beSpacific
https://www.bespacific.com/new-web-service-can-notify-companies-when-employees-get-phished/

ZDNet – “Starting today, companies across the world have a new free web service at their disposal that will automatically send out email notifications if one of their employees gets phished. The service is named “I Got Phished” and is managed by Abuse.ch, a non-profit organization known for its malware and cyber-crime tracking operations. Just like all other Abuse.ch services, I Got Phished will be free to use…”

beSpacific Subjects: Cybercrime, Cybersecurity, E-Mail, E-Records, Privacy

ZDNet Topic: Security


Subject: Ring Doorbell App Packed with Third-Party Trackers
Source: EFF via beSpacific
https://www.bespacific.com/ring-doorbell-app-packed-with-third-party-trackers/

EFF: “Ring isn’t just a product that allows users to surveil their neighbors. The company also uses it to surveil its customers. An investigation by EFF of the Ring doorbell app for Android found it to be packed with third-party trackers sending out a plethora of customers’ personally identifiable information (PII). Four main analytics and marketing companies were discovered to be receiving information such as the names, private IP addresses, mobile network carriers, persistent identifiers, and sensor data on the devices of paying customers. The danger in sending even small bits of information is that analytics and tracking companies are able to combine these bits together to form a unique picture of the user’s device. This cohesive whole represents a fingerprint that follows the user as they interact with other apps and use their device, in essence providing trackers the ability to spy on what a user is doing in their digital lives and when they are doing it. All this takes place without meaningful user notification or consent and, in most cases, no way to mitigate the damage done. Even when this information is not misused and employed for precisely its stated purpose (in most cases marketing), this can lead to a whole host of social ills…”

beSpacific Subjects: Civil Liberties, Legal Research, Privacy

EFF category- https://www.eff.org/deeplinks/

RSS – https://www.eff.org/rss/updates.xml

 

Posted in: Congress, Cybercrime, Cybersecurity, E-Discovery, Election Law, Email, Email Security, Encryption, Firewalls, Gadgets/Gizmos, Intellectual Property, Privacy