Pete Recommends – Weekly highlights on cyber security issues February 29, 2020

Subject: Google Warns Edge Users Against Installing Chrome Extensions
Source: Digital Trends

Microsoft has been promoting its Edge browser as a faster and more modern version of the much-hated Internet Explorer, as it is based on the same Chromium architecture as Google Chrome. That also means that it supports Chrome extensions. However, Google is trying to warn Edge users away from the extensions in its Chrome Web Store. First spotted by Windows Latest, Edge users see a banner at the top of the page when they view an extension in the Chrome Web Store. “Google recommends switching to Chrome to use extensions securely,” it reads, followed by a link to download the Google Chrome browser.

The banner doesn’t stop Edge users from downloading the extensions, and extensions will continue to work fine on Edge. But it’s clear that Google is trying to put users off using Edge and tempt them over to using its Chrome browser instead.

Google has used similar tactics in the past. It has displayed warnings on sites like Google Docs, Gmail, and YouTube Music when visitors access the sites using the Microsoft Edge browser. As both browsers use the same underlying technology, it appears that Google is engaged in scare tactics more than genuine concern about the security of particular extensions or sites when accessed using Edge.

Subject: Report: FedRAMP must evolve to meet demand, emerging tech
Source: FCW

A new report argues that the Federal Risk and Authorization Management Program must evolve to better automate its laborious processes for approving cloud service providers and adapt to emerging technologies like Internet of Things and artificial intelligence. The report by the Center for Cybersecurity Policy and Law, a trade association run out of the Washington, D.C., law firm Venable, draws on documents and interviews with federal agencies and cloud service providers who have worked with FedRAMP. It characterizes the current state of the program as “well intended and partially successful” but also “no longer optimized for modern security solutions.”

The report also argues that FedRAMP was designed for legacy IT environments and is ill-suited for the increasingly complex security add-ons for cloud products as well as emerging technologies like connected IoT devices and artificial intelligence, which are nevertheless becoming more integrated and relevant to government cloud environments.

Subject: Privacy Concerns Raised Over New Google Chrome Feature
Source: BleepingComputer

With the release of Google Chrome 80, Google quietly slipped in a new feature that allows users to create a link directly to a specific word or phrase on a page. A Brave Browser researcher, though, sees this as a potential privacy risk and is concerned Google added it too quickly. In February 2019, we reported about a new web feature created by Google called ‘Scroll To Text Fragment’ that allows users to create links to a specific word on a web page and automatically highlight it.

To use this feature, users would need to create a special URL using the,startText,endText,-suffix format as outlined in the Scroll To Text Fragment WICG draft.

As text fragment URLs can be a bit complicated to make, Google Chrome developer Paul Kinlan created a bookmarklet that makes the task easy.

As an example, to create a link to the phrase “man with a beret” in the XKCD Wikipedia article, you would use the URL.

When Chrome 80 users click on this link, they will be brought directly to this phrase and the phrase will automatically be highlighted…


Subject: Will tech companies prevent misuse of platforms in 2020 election? Few in U.S. are confident.
Source: Pew Research Center Fact Tank

Nearly three-quarters of Americans (74%) express little or no confidence in technology companies like Facebook, Twitter and Google to prevent the misuse of their platforms to influence the 2020 presidential election, according to a Pew Research Center survey conducted in January. At the same time, 78% say these companies have a responsibility to prevent such misuse. Confidence in technology companies to prevent the misuse of their platforms is even lower than it was in the weeks before the 2018 midterm elections, when about two-thirds of adults had little confidence these companies would prevent election influence on their platforms.

Overall, just a quarter of adults say they are confident in tech companies to prevent their platforms from being exploited for undue influence in the election, with 20% saying they are somewhat confident and only 5% saying they are very confident. An overwhelming majority expresses low confidence in tech companies, including 43% who say they are not too confident and about three-in-ten (31%) who say they are not at all confident….


Subject: TSA to Employees: Stop Using TikTok
Source: Newser and News wires

(Newser) – The Transportation Security Administration said Sunday it has stopped allowing employees to use the China-owned video app TikTok to create social media posts for the agency after the Senate’s top Democrat raised concerns about potential national security issues. Sen. Chuck Schumer sent a letter Saturday to TSA Administrator David Pekoske, months after news reports that the US government launched a national security review of the app, which is popular with millions of US teens and young adults, the AP reports. Schumer also cited a Department of Homeland Security policy prohibiting TikTok on agency devices. He also noted in the letter that Chinese laws compel companies to cooperate with China’s government and intelligence collection.

Subject: Critical Infrastructure Protection: Additional Actions Needed to Identify Framework Adoption and Resulting Improvements
Source: U.S. GAO

Q: How does the government help keep banks, water systems, and other critical infrastructure from getting hacked?

A: A federal agency that issues standards and procedures—NIST—has a cybersecurity framework that critical infrastructure organizations can adopt.

All 12 organizations in our review were voluntarily using the framework, and told us they’ve seen benefits. For example, one organization said that the framework allowed it to better identify and address cybersecurity risks.

However, the agencies with lead roles in protecting critical infrastructure are not collecting or reporting on improvements from using the framework as we recommended.

Additional Materials – Highlights Page: (PDF, 1 page) – Full Report: View Report (PDF, 61 pages)

NB many GAO Topics’ RSS feeds + RYO!

Subject: Health officials warn about spread of coronavirus to U.S.
Source: WHYY [sorry to say that this article doesn’t say much /pmw1 – Please also see the CDC Site on Coronavirus and The New York Times Coronavirus Live Updates]

So Americans need to do things like start making plans to care for their children should schools and day care centers close, she said. They should talk to their employers about how they could work from home. And they should find out if there might be a way to get medical care remotely, such as through telemedicine, Messonnier said.

Subject: How Google Is Stopping Malicious Office Docs From Targeting Gmail Users
Source: PC Magazine via beSpacific

PC Magazine: “At the RSA security conference today, Google offered a rare look into the kinds of malicious attachments hackers will send to Gmail users. It turns out Microsoft Office documents secretly rigged to download malware are in vogue. In recent weeks, about 56 percent of the malicious attachments detected and blocked by Gmail’s filters have been Microsoft Office documents, according to Google’s anti-abuse research leader, Elie Bursztein. These malicious Office documents can often contain “macros,” or series of automated commands in the file. If you enable the macros, the malicious document will be able to download and execute the hacker’s desired malware. The remaining 44 percent of the malicious documents Google will block include Adobe PDF documents, archived files, and HTML-based documents, among others. (By default, Gmail will also prevent users from attaching .exe programs and Javascript files to email messages.) …”

beSpacific Subjects: Cybercrime, Cybersecurity, E-Mail, E-Records, Microsoft

Subject: Clearview AI, Facial Recognition Company That Works With Law Enforcement, Says Entire Client List Was Stolen
Source: The Daily Beast

Clearview AI, which contracts with law enforcement after reportedly scraping 3 billion images from the web, now says someone got “unauthorized access” to its list of customers. A facial-recognition company that contracts with powerful law-enforcement agencies just reported that an intruder stole its entire client list, according to a notification the company sent to its customers.

In the notification, which The Daily Beast reviewed, the startup Clearview AI disclosed to its customers that an intruder “gained unauthorized access” to its list of customers, to the number of user accounts those customers had set up, and to the number of searches its customers have conducted. The notification said the company’s servers were not breached and that there was “no compromise of Clearview’s systems or network.” The company also said it fixed the vulnerability and that the intruder did not obtain any law-enforcement agencies’ search histories.

The notification did not describe the breach as a hack. David Forscey, the managing director of the nonprofit Aspen Cybersecurity Group, said the breach is concerning.


Subject: Firefox enables network privacy feature for users in US
Source: CNET via beSpacific

“Mozilla has begun enabling a Firefox privacy feature for everyone in the US that should make it harder for ISPs or others to track you online. The technology, called DNS over HTTPS — DOH for short — protects a crucial internet addressing technology with encryption. Testing has been underway for months, but on Tuesday [February 25, 2020] Mozilla will start enabling DOH for everyone in the US. The gradual spread to all Firefox users should take a few weeks as Mozilla checks for problems…”

Posted in: AI, Big Data, Cybercrime, Cybersecurity, Data Mining, E-Government, Government Resources, Health, Internet Resources - Web Links, Legal Research, Privacy, Search Engines, Search Strategies, Social Media, Technology Trends