Pete Recommends – Weekly highlights on cyber security issues February 22, 2020

Subject: Security experts raise concerns about voting app used by military
Source: CNNPolitics
(CNN) Security researchers are reporting flaws in a smartphone-based voting app that’s been used by military voters overseas and is now being tested for use in the US.

The vulnerabilities could allow nation-state hackers to view, block or even change smartphone ballots before they’re counted, according to a new paper written by three researchers at the Massachusetts Institute of Technology.

The app is designed by the company Voatz, whose technology has been piloted so far in West Virginia, Colorado and Utah.

The company called the report “flawed” in a statement posted to its website Thursday.

“We want to be clear that all nine of our governmental pilot elections conducted to date, involving less than 600 voters, have been conducted safely and securely with no reported issues,” Voatz said in the statement. “The researchers’ true aim is to deliberately disrupt the election process, to sow doubt in the security of our election infrastructure, and to spread fear and confusion.”

“This study from MIT appears to have been structured with care in the way that the analysis was conducted,” said Andrea Matwyshyn, an election security expert at Penn State University.

The technology news site Coindesk said it obtained a copy of the DHS review and reported it on Friday, adding that while US officials found few major issues with Voatz, the review focused primarily on the company’s internal network and servers — not the app that was the subject of the MIT report.

Subject: Activate This ‘Bracelet of Silence,’ and Alexa Can’t Eavesdrop
Source: The New York Times

Mr. Zhao and Ms. Zheng are computer science professors at the University of Chicago, and they decided to channel their disagreement into something productive. With the help of an assistant professor, Pedro Lopes, they designed a piece of digital armor: a “bracelet of silence” that will jam the Echo or any other microphones in the vicinity from listening in on the wearer’s conversations.

The bracelet is like an anti-smartwatch, both in its cyberpunk aesthetic and in its purpose of defeating technology. A large, somewhat ungainly white cuff with spiky transducers, the bracelet has 24 speakers that emit ultrasonic signals when the wearer turns it on. The sound is imperceptible to most ears, with the possible exception of young people and dogs, but nearby microphones will detect the high-frequency sound instead of other noises.

“People fear that these devices are constantly listening and recording you. They’re not,” Mr. Choffnes said. “But they do wake up and record you at times when they shouldn’t.”

In 2016, Scott Urban, an eyewear maker in Chicago, developed a line of reflective frames that turned back visible and infrared light. When a surveillance camera films a person wearing the $164 frames, the reflected light blurs out the face. Mr. Urban called them Reflectacles.

Subject: The coronavirus patient in London showed up at the hospital in an Uber, and health officials say it’s a sign people aren’t following advice to contain the virus
Source: Business Insider via Yahoo

  • The first coronavirus patient in London travelled in an Uber to turn up unannounced at the A&E department of a hospital.
  • She did not come into contact with other patients, and two staff members have been asked to stay home for a period of 14 days, according to The Guardian.
  • Uber told Business Insider that the account of the driver who transported the woman was “temporarily suspended.”
  • It’s unlikely the driver could get the virus, but health officials said the woman’s actions went against advice by not calling an ambulance or using a private vehicle.

Subject: DHS employees might not know what personal information CDM collects or when it happens
Source: fedscoop
There is a risk that Department of Homeland Security personnel are unaware of the personal information and network activity Continuous Monitoring as a Service (CMaaS) collects and that inaccuracies won’t be corrected.
DHS conducted a privacy impact assessment (PIA) of CMaaS — specifically CDM agency dashboards — and found department personnel can’t be explicitly notified when their information is collected or what data was pulled.

“[A]ll DHS personnel may reasonably expect that personal information may be used for administrative, managerial, and security functions at their agencies of employment,” reads the assessment released Wednesday.

DHS launched the Continuous Diagnostics and Mitigation (CDM) program in 2013 to hold agency heads accountable for managing cybersecurity risks using CMaaS tools and sensors. Information collected through CMaaS is compiled into customized reports on agency dashboards alerting security personnel to the most critical cybersecurity risks. Summary information then feeds onto a federal dashboard managed by the Cybersecurity and Infrastructure Security Agency for all of government to see.

CMaaS simply pulls data from authoritative sources that have already collected the information, and those systems may notify users, the assessment adds. Logon banners, user agreements and the PIA itself already notify users of computer network monitoring, so they can forgo using federal systems or use them selectively to transmit information, according to the assessment.

DHS also found there are no procedures allowing federal employees to access their data on agency dashboards or the CMaaS tools and sensors collecting the information — let alone correct inaccuracies or errors.

Subject: The ‘Robo Revenge’ App Makes It Easy to Sue Robocallers
Source: WIRED

Mac malware, a Bitcoin mixer, and more of the week’s top security news. [a linked summary of various cyber-articles]

Subject: Google burns down more than 500 private-data-stealing, ad-defrauding Chrome extensions installed by 1.7m netizens
Source: The Register

Google has removed more than 500 Chrome extensions in response to a report from a security researcher, who found the browser plugins distributed through the Chrome Web Store facilitated ad fraud and data theft.

Using a free extension forensic analysis tool called CRXcavator, released last year by Cisco’s Duo Security, independent infosec bod Jamila Kaya spotted a set of similarly coded Chrome extensions “that infected users and exfiltrated data through malvertising while attempting to evade fraud detection on the Google Chrome Web Store,” said Kaya, and Jacob Rickerd, a security engineer at Duo, in a blog post this week.

We’re told “the Chrome extension creators had specifically made extensions that obfuscated the underlying advertising functionality from users. This was done in order to connect the browser clients to a command and control architecture, exfiltrate private browsing data without the users knowledge, expose the user to risk of exploit through advertising streams, and attempt to evade the Chrome Web Store’s fraud detection mechanisms.”
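The combination the researchers describe (a content script on every site, request interception, a command-and-control channel, and advertising logic the user cannot see) leaves a footprint in the extension’s manifest before anyone reads a line of its JavaScript. The script below is an added example of that first-pass triage; it is not CRXcavator’s code or anything from the Duo write-up, the risk weights are this example’s own heuristic, and the sample manifest is constructed to look like the family described above rather than copied from any real extension.

```python
"""Added example (not CRXcavator or Duo code): triage a Chrome extension
manifest.json for the permission and policy combinations that make ad
injection and browsing-data exfiltration possible. Risk weights are this
example's own heuristic; the sample manifest is constructed."""
import json
import re

# Heuristic weights (example's own, not CRXcavator's scoring).
PERMISSION_RISK = {
    "webRequest": 3,          # observe every request the browser makes
    "webRequestBlocking": 4,  # rewrite or redirect requests (ad injection, C2 beacons)
    "tabs": 2,                # URL and title of every open tab
    "history": 3,
    "cookies": 4,             # session tokens for any matched host
    "management": 2,          # enumerate or disable other extensions (e.g. ad blockers)
    "proxy": 4,
    "storage": 0,
    "activeTab": 0,
}
BROAD_HOSTS = ("<all_urls>", "*://*/*", "http://*/*", "https://*/*")


def host_pattern_is_broad(pattern: str) -> bool:
    """True when a match pattern covers every site rather than a specific origin."""
    return pattern in BROAD_HOSTS or bool(re.match(r"^(https?|\*)://\*/", pattern))


def triage_manifest(manifest: dict) -> dict:
    perms = manifest.get("permissions", []) + manifest.get("optional_permissions", [])
    api_perms = [p for p in perms if "://" not in p and p != "<all_urls>"]
    host_perms = [p for p in perms if "://" in p or p == "<all_urls>"]
    host_perms += manifest.get("host_permissions", [])  # Manifest V3 key

    score = sum(PERMISSION_RISK.get(p, 1) for p in api_perms)
    findings = []
    broad = [h for h in host_perms if host_pattern_is_broad(h)]
    if broad:
        score += 5
        findings.append(f"broad host access: {broad}")
    for p in api_perms:
        if PERMISSION_RISK.get(p, 1) >= 3:
            findings.append(f"high-risk API permission: {p}")

    # A CSP that allows eval or remote script-src is how an extension pulls in
    # logic it did not ship with, which is what keeps store review from seeing it.
    csp = manifest.get("content_security_policy", "")
    if isinstance(csp, dict):
        csp = csp.get("extension_pages", "")
    if "unsafe-eval" in csp or re.search(r"script-src[^;]*https?://", csp):
        score += 4
        findings.append("CSP permits eval or remote scripts")

    # Content script on every page plus webRequest is the classic exfil/ad-injection pairing.
    for cs in manifest.get("content_scripts", []):
        if any(host_pattern_is_broad(m) for m in cs.get("matches", [])):
            score += 2
            findings.append(f"content script on all sites: {cs.get('js')}")
            break

    return {"score": score, "verdict": "review" if score >= 8 else "low", "findings": findings}


# Constructed sample manifest shaped like the malvertising family described above.
SAMPLE_MANIFEST = json.loads("""
{
  "manifest_version": 2,
  "name": "Promo Saver",
  "version": "1.3.7",
  "permissions": ["tabs", "webRequest", "webRequestBlocking", "storage", "<all_urls>"],
  "content_security_policy": "script-src 'self' https://cdn.example.invalid; object-src 'self'",
  "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"]}],
  "background": {"scripts": ["bg.js"]}
}
""")

if __name__ == "__main__":
    print(json.dumps(triage_manifest(SAMPLE_MANIFEST), indent=2))
```

Run it against a `manifest.json` unpacked from any .crx; a "review" verdict is a reason to read the background script, not a conviction, since legitimate ad blockers and password managers request the same permissions. The CSP check matters most: an extension that can load script from a remote host can change behaviour after the store has reviewed it.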

Subject: Iranian hackers have been hacking VPN servers to plant backdoors in companies around the world
Source: ZDNet

Iranian hackers have targeted Pulse Secure, Fortinet, Palo Alto Networks, and Citrix VPNs to hack into large companies.

A new report published today reveals that Iran’s government-backed hacking units made it a top priority last year to exploit VPN bugs as soon as they became public in order to infiltrate and plant backdoors in companies all over the world.
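The practical lesson is that an internet-facing VPN appliance gets a patch window measured in days, and anything that sat unpatched needs its logs hunted rather than assumed clean. The report as summarised here does not name the individual bugs, so the script below is an added example that assumes one common class for such appliances, an HTTP path-traversal flaw, and shows the hunt over a constructed access log in a Common-Log-Format shape; the log lines, IPs and paths are all made up for the example and are not from the ZDNet report.

```python
"""Added example, not from the ZDNet report: hunt a VPN appliance's HTTP access
log for path-traversal attempts. Path traversal is assumed as the bug class;
the log format and every sample line are constructed for this example."""
import re
from collections import Counter
from urllib.parse import unquote

# Common Log Format: ip ident user [ts] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)


def normalize(path: str) -> str:
    """Decode until stable (attackers double-encode %252e), unify slashes, drop the query."""
    prev = None
    while prev != path:
        prev, path = path, unquote(path)
    return path.replace("\\", "/").split("?", 1)[0]


def escapes_root(path: str) -> bool:
    """True if '..' segments climb above the path root after normalization.
    '/a/../b' stays inside the root and is not flagged."""
    depth = 0
    for seg in normalize(path).split("/"):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg and seg != ".":
            depth += 1
    return False


def hunt(lines):
    """Return (hits, per-source counts). A hit with status 200 is a likely successful read."""
    hits, by_ip = [], Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; in practice, count these too
        if escapes_root(m["path"]):
            hits.append((m["ip"], int(m["status"]), normalize(m["path"])))
            by_ip[m["ip"]] += 1
    return hits, by_ip


def successful_reads(hits):
    return [h for h in hits if h[1] == 200]


# Constructed sample log: one benign client, one client probing with plain,
# single-encoded and double-encoded traversal.
SAMPLE_LOG = """\
203.0.113.7 - - [18/Feb/2020:03:14:07 +0000] "GET /portal/login HTTP/1.1" 200 5120
198.51.100.23 - - [18/Feb/2020:03:15:41 +0000] "GET /portal/static/../../../../../etc/passwd HTTP/1.1" 200 1847
198.51.100.23 - - [18/Feb/2020:03:15:42 +0000] "GET /portal/static/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/shadow HTTP/1.1" 403 0
198.51.100.23 - - [18/Feb/2020:03:15:43 +0000] "GET /portal/static/%252e%252e/%252e%252e/%252e%252e/%252e%252e/config.xml HTTP/1.1" 200 9031
203.0.113.7 - - [18/Feb/2020:03:16:02 +0000] "GET /portal/img/../css/site.css HTTP/1.1" 200 311
""".splitlines()

if __name__ == "__main__":
    found, sources = hunt(SAMPLE_LOG)
    for ip, status, path in found:
        print(f"{ip} {status} {path}")
    print("successful reads:", len(successful_reads(found)), "sources:", dict(sources))
```

Two details carry the weight here: decoding until the string stops changing, because a single `unquote` misses `%252e`, and only flagging `..` sequences that actually escape the root, so ordinary relative links in the appliance’s own pages do not drown the signal. Any 200 on a flagged request from before the patch date should be treated as a compromise until the returned file is accounted for.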

Subject: An invasion of propaganda: Experts warn that white supremacist messages are seeping into mainstream
Source: USA Today via Yahoo

Colin P. Clarke has been teaching a course on terrorism and insurgency at Carnegie Mellon University in Pittsburgh for four years, and much more of his class these days is devoted to white supremacy than in the past.

So Clarke was not one bit surprised when a new report by the Anti-Defamation League’s Center on Extremism revealed that efforts to spread white supremacy propaganda – often through discriminatory fliers, banners and posters – more than doubled from 2018 to last year.

Moreover, the university is located just a short walk from the Tree of Life synagogue, and Clarke has seen up close the consequences of hateful words turning into violent action.

“It’s concerning because, for all the people who don’t move on to become threats of violence, some will, and some will get their start by seeing pieces of propaganda that will alert them to the fact this group exists,’’ Clarke said.

The ADL report represents a sobering warning about the reach of white supremacist groups, which can take advantage of the efficiency and anonymity provided by social media to disseminate their ideology with little fear of backlash.

NB Click here to view a PDF version of this blog. (20-page PDF)

Subject: A spotter’s guide to the groups that are out to get you
Source: ZDNet via beSpacific

ZDNet: From disorganised crime to state-backed hackers, these groups can make the internet a dangerous place. Here’s a guide to the major menaces to avoid. “Criminals are drawn to the internet for as many different reasons as the rest of us. Some of them just want to break things, many want to get rich, and some want to change the world. Some are lone wolves, some are part of sophisticated criminal gangs and some even work with the tacit approval and support of their governments. But thanks to the borderless nature of the internet you could be unlucky enough to find that some — or all — of these groups could be targeting you. Just as the rise of the web created new business models …

Subject: Hackers expose personal data of 10.6 million MGM Resorts guests
Source: UPI

Feb. 20 (UPI) — Personal details of more than 10.6 million customers who stayed at MGM Resort hotels were published online this week, a technology website and security research team reported.

The technology news website ZDNet and researchers from the data breach monitoring service Under the Breach said Wednesday that hackers had dumped the personal details of millions of former hotel guests into an online forum, making them freely available to anyone with access.

Posted in: Big Data, Cybercrime, Cybersecurity, E-Commerce, Election Law, Healthcare, Privacy