Pete Recommends – Weekly highlights on cyber security issues, July 18, 2020

Subject: Inside TikTok’s dystopian Chinese censorship machine
Source: The Telegraph

Exclusive: Documents reveal how TikTok’s Chinese version, Douyin, uses facial recognition to police foreigners. And that’s just the start. Comically affronted parents, drunken piano concerts and viral conspiracy theories about trafficked children hidden in wardrobes: it’s a fairly ordinary evening on TikTok, the video-sharing app enjoyed by more than 500m people across the Western world.

Things do not seem so different on Douyin, the Chinese version of TikTok, where a live streaming boom has minted new social media millionaires. Behind the scenes, however, Chinese streamers are subject to an elaborate regime of automated surveillance and censorship. One system can use facial recognition to scan live streamers’ broadcasts and guess their age, reporting them to a human moderator if they appear under 16. Another checks whether users’ faces match their state ID cards before letting them stream, automatically excluding foreigners and people from Hong Kong.

All these methods are laid bare in a little-known document published by TikTok and Douyin’s parent company, ByteDance, which explains how the apps have adapted China’s strict internet censorship laws to the unprecedented speed and chaos of live streaming. The document raises difficult questions for TikTok, which faces privacy probes in the US and UK and has already been banned in India, about whether and how it applies the same technologies to its Western users.


Subject: Secret Service forms Cyber Fraud Task Forces
Source: Homeland Preparedness News

Secret Service officials said the agency is merging its Electronic Crimes Task Forces (ECTFs) and Financial Crimes Task Forces (FCTFs) to form the Cyber Fraud Task Forces (CFTFs). The action stems from the recognition of the convergence of cyber and traditional financial crimes.

“The creation of the new Cyber Fraud Task Force (CFTF) will offer a specialized cadre of agents and analysts, trained in the latest analytical techniques and equipped with the most cutting-edge technologies,” Michael D’Ambrosio, Secret Service assistant director, said. “Together with our partners, the CFTFs stand ready to combat the full range of cyber-enabled financial crimes. As the nation continues to grapple with the wave of cybercrime associated with the COVID-19 pandemic, the CFTFs will lead the effort to hold accountable all those who seek to exploit this perilous moment for their own illicit gain.”


Subject: EFF Launches Searchable Database of Police Agencies and the Tech Tools They Use to Spy on Communities
Source: EFF via beSpacific
“San Francisco—The Electronic Frontier Foundation (EFF), in partnership with the Reynolds School of Journalism at the University of Nevada, Reno, today launched the largest-ever collection of searchable data on police use of surveillance technologies, created as a tool for the public to learn about facial recognition, drones, license plate readers, and other devices law enforcement agencies are acquiring to spy on our communities. The Atlas of Surveillance database, containing several thousand data points on over 3,000 city and local police departments and sheriffs’ offices nationwide, allows citizens, journalists, and academics to review details about the technologies police are deploying, and provides a resource to check what devices and systems have been purchased locally. Users can search for information by clicking on regions, towns, and cities, such as Minneapolis, Tampa, or Tucson, on a U.S. map. They can also easily perform text searches by typing the names of cities, counties, or states on a search page that displays text results. The Atlas also allows people to search by specific technologies, which can show how surveillance tools are spreading across the country…”

Subject: Microsoft neuters Office 365 account attacks that used clever ruse
Source: Ars Technica

Microsoft has neutered a large-scale fraud campaign that used knock-off domains and malicious apps to scam customers in 62 countries around the world. The software maker and cloud-service provider last week obtained a court order that allowed it to seize six domains, five of which contained the word “office.” The company said attackers used them in a sophisticated campaign designed to trick CEOs and other high-ranking business leaders into wiring large sums of money to attackers rather than trusted parties. An earlier so-called BEC, or business email compromise, that the same group of attackers carried out in December used phishing attacks to obtain unauthorized access. The emails used generic business themes such as quarterly earnings reports. Microsoft used technical means to shut it down.

“This scheme enabled unauthorized access without explicitly requiring the victims to directly give up their login credentials at a fake website or similar interface, as they would in a more traditional phishing campaign,” Tom Burt, Microsoft’s corporate vice president for Customer Security & Trust, wrote. “After clicking through the consent prompt for the malicious web app (pictured below), the victim unwittingly granted criminals permission to access and control the victims’ Office 365 account contents, including email, contacts, notes and material stored in the victims’ OneDrive for Business cloud storage space and corporate SharePoint document management and storage system.”

Beware of OAuth – It’s not the first time attackers have tricked targets into granting network access to malicious apps. Last year, researchers disclosed at least two others, both of them designed to gain access to Google accounts. One was carried out by hackers working for Egypt, according to a report from Amnesty International. The other targeted the iOS and Android devices of Tibetans.

Both campaigns relied on OAuth, an open standard that allows users to give websites or apps access to network resources without having to give them a password. As Microsoft said, such attacks often fly under the radar of users trained to spot phishing, since there’s no request to enter a password into a fake site. In some cases, the OAuth technique may have the ability to bypass two-factor authentication, which in addition to a password, requires users to enter a temporary password or to connect a physical security key to the device that’s being authenticated.
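The consent-grant abuse described above leaves a trail that defenders can audit: each grant records which app was authorized, by whom, under which publisher, and with which permission scopes. The following script is an added example (not Microsoft's or Ars Technica's code) that triages such records for the combination the article describes, a broad mailbox or file scope granted to an app from an unverified publisher. The scope names are Microsoft Graph delegated-permission names and the grant records are constructed sample data; the publisher-verification flag and field layout are assumptions about what an export would contain.

```python
"""Triage OAuth consent grants for signs of consent phishing (added example)."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

# Delegated scopes that expose mailbox, contacts, notes, files or SharePoint
# content: the data the article says the malicious app was granted.
# (Microsoft Graph permission names; membership of this set is an assumption.)
HIGH_RISK_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Send",
    "Contacts.Read", "Contacts.ReadWrite",
    "Notes.Read", "Notes.Read.All",
    "Files.Read.All", "Files.ReadWrite.All",
    "Sites.Read.All", "Sites.ReadWrite.All",
}
# offline_access yields a refresh token, so access survives a password reset
# and is not interrupted by two-factor prompts on later sign-ins.
PERSISTENCE_SCOPES = {"offline_access"}


@dataclass
class ConsentGrant:
    app_name: str
    publisher_domain: str
    publisher_verified: bool
    scopes: List[str]
    consenting_user: str


def assess(grant: ConsentGrant,
           trusted_publishers: FrozenSet[str] = frozenset()) -> Tuple[str, List[str]]:
    """Return (risk level, reasons) for one consent grant.

    high   = broad data scope from an unverified/untrusted publisher
    medium = one of those conditions alone
    low    = neither
    """
    reasons = []
    granted = set(grant.scopes)
    risky = sorted(HIGH_RISK_SCOPES & granted)
    if risky:
        reasons.append("broad data scopes: " + ", ".join(risky))
    if PERSISTENCE_SCOPES & granted:
        reasons.append("offline_access: refresh token persists after password reset")
    untrusted = (not grant.publisher_verified
                 and grant.publisher_domain not in trusted_publishers)
    if untrusted:
        reasons.append("unverified publisher: " + grant.publisher_domain)

    if risky and untrusted:
        level = "high"
    elif risky or untrusted:
        level = "medium"
    else:
        level = "low"
    return level, reasons


def triage(grants: List[ConsentGrant],
           trusted_publishers: FrozenSet[str] = frozenset()) -> Dict[str, Tuple[str, List[str]]]:
    """Map each app name to its assessment, for review or alerting."""
    return {g.app_name: assess(g, trusted_publishers) for g in grants}


# Constructed sample grants (not real tenants, apps or users).
SAMPLE_GRANTS = [
    ConsentGrant("Contoso Expense Bot", "contoso.example", True,
                 ["User.Read"], "alice@contoso.example"),
    ConsentGrant("Office 365 Upgrade", "office-update.example", False,
                 ["Mail.ReadWrite", "Files.ReadWrite.All", "offline_access"],
                 "ceo@contoso.example"),
    ConsentGrant("Calendar Helper", "calhelper.example", False,
                 ["Calendars.Read"], "bob@contoso.example"),
]

if __name__ == "__main__":
    for app, (level, reasons) in triage(SAMPLE_GRANTS).items():
        print(f"{level:6} {app}")
        for r in reasons:
            print("       -", r)
```

Running the script prints one line per grant followed by the reasons that drove its rating; the lookalike "Office 365 Upgrade" app is rated high because it combines an unverified publisher with mailbox and file scopes plus a refresh token, whereas the calendar app is only medium (unverified publisher, narrow scope). In practice the same rules can run over a periodic export of a tenant's consent grants, with an allowlist of vetted publishers passed as `trusted_publishers`.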


Subject: Mozilla Launches VPN for $5 a Month
Source: Gizmodo

Mozilla, the privacy and security nonprofit and maker of the Firefox browser, is launching its very own VPN. Following a beta testing period, the organization is now officially rolling out the Mozilla VPN for $5 per month. VPNs are used for accessing out-of-region information and protecting yourself when browsing on public networks. (For more on why you should be using a VPN, see this post.) With the Mozilla VPN, a single subscription can be used on up to five devices, there are no bandwidth limitations, and it’s immediately available for users in the United States, Canada, the United Kingdom, Singapore, Malaysia, and New Zealand. The company said it plans to expand to other countries later on this year.

Some of the biggest things to consider when shopping around for a VPN is who’s behind it, what it’s logging, and your individual needs in terms of features and speed. Every company needs to make money, and it’s important to consider what an organization is getting in return for making its product low-cost or free to you.

Subject: Utility company calling? Don’t fall for it
Source: FTC Consumer Information

Every day, millions of people who have lost their jobs are making difficult choices about how to pay their bills. As the Coronavirus continues to spread, scammers are taking advantage of people’s heightened economic anxiety. Their latest ploy is posing as representatives from utility companies to dupe people out of their cash and personal information by convincing them their utilities will be shut off if they don’t pay.

If you get a call from someone claiming to be your utility company, here are some things you can do…


Subject: Google Sued for Allegedly Tracking App Users After They Opt Out
Source: Consumer Reports

The lawsuit suggests how hard it is to follow all the ways Google touches consumer data

Is Google tracking you as you move around the internet, even if you’ve opted out of data collection? A lawsuit filed in California is making that claim. The issues are complicated, but one thing seems clear: The suit highlights the sprawling nature of Google’s business, and how hard it is for consumers to understand all the ways the company can collect and use their personal data.

It reads, in part, “Google…intercepts, tracks, collects and sells consumer mobile app browsing history and activity data regardless of what safeguards or ‘privacy settings’ consumers undertake to protect their privacy.”

There’s No Avoiding Google

“At its heart, Google is a marketing platform,” says Serge Egelman, chief technical officer for AppCensus, a firm that analyzes technology for privacy and security, and a researcher at the University of California, Berkeley.

One of the tools Google provides to more than a million apps is called Firebase. It can help developers perform tasks such as counting how many people use an app and monitoring what they do with it, along with some other functions. (Consumer Reports uses Firebase in its own mobile apps.)

How to Change Your Google Settings – The lawsuit doesn’t allege that Google continues to collect your search history and other consumer data if you use the company’s Web & App Activity settings.

Among other data, Google says the setting controls whether the company can record “Searches and other things you do on Google products and services, like Maps and Play,” “Sites and apps that partner with Google to show ads,” and “Sites and apps that use Google services, including data that apps share with Google.”

Consumer Reports also has instructions on how to use other Google privacy settings, from an auto-delete feature to location history.

Subject: Malicious Activity Targeting COVID-19 Research, Vaccine Development
Source: CISA via US-CERT

In response to malicious activity targeting COVID-19 research and vaccine development in the United States, United Kingdom (UK), and Canada, the Cybersecurity and Infrastructure Security Agency (CISA), UK’s National Cyber Security Centre (NCSC), Canada’s Communications Security Establishment (CSE), and the National Security Agency (NSA) released a Joint Cybersecurity Advisory to expose the threat. A malicious cyber actor is using a variety of tools and techniques to target organizations involved in COVID-19 research and vaccine development. Tools include SOREFANG, WELLMESS, and WELLMAIL malware. CISA encourages users and administrators to review the Joint Cybersecurity Advisory and the following Malware Analysis Reports for more information and to apply the mitigations provided.

Subject: AI for Self-Driving Cars Doesn’t Account for Crime
Source: Nextgov

Most ethical discussions about self-driving cars focus on whether the vehicle should choose between protecting itself or doing the least damage to humans. What if users have more nefarious motives? Existing approaches to artificial intelligence for self-driving cars don’t account for the fact that people might try to use the autonomous vehicles to do something bad, researchers report.

For example, let’s say that there is an autonomous vehicle with no passengers and it’s about to crash into a car containing five people. It can avoid the collision by swerving out of the road, but it would then hit a pedestrian.

Most discussions of ethics in this scenario focus on whether the autonomous vehicle’s AI should be selfish (protecting the vehicle and its cargo) or utilitarian (choosing the action that harms the fewest people). But that either/or approach to ethics can raise problems of its own. “Current approaches to ethics and autonomous vehicles are a dangerous oversimplification—moral judgment is more complex than that,” says Veljko Dubljević, an assistant professor in the Science, Technology & Society (STS) program at North Carolina State University and author of a paper outlining this problem and a possible path forward.

Subject: Twitter hack reveals national security threat as election approaches
Source: USA Today

“Twitter is the fastest wire service we have ever known. This is why we need really strict protocols in place,” Grygiel said. “We have never had more evidence than we do now that there is a public risk to world leaders using a commercial product that has not been vetted for national security. It’s a huge problem.”

With only 22% of U.S. adults reporting they use the social media service, Twitter is not the most popular online hangout but it still has the most powerful bullhorn. The platform’s short, rapid-fire messages ricochet around the world in seconds in today’s public square.

A fake alert in 2013 from the hacked Twitter account of the Associated Press, one of the nation’s most trusted news sources, temporarily caused the Dow Jones to plunge: “Breaking: Two Explosions in the White House and Barack Obama is injured.”

Editor’s Note: via the New York Times, July 17, 2020 – Hackers Tell the Story of the Twitter Attack From the Inside – Several people involved in the events that took down Twitter this week spoke with The Times, giving the first account of what happened as a pursuit of Bitcoin spun out of control. [Spoiler Alert – “The interviews indicate that the attack was not the work of a single country like Russia or a sophisticated group of hackers. Instead, it was done by a group of young people — one of whom says he lives at home with his mother.”]
Posted in: AI, Business Research, Computer Security, Cybercrime, Cybersecurity, Email Security, Healthcare, Legal Research, Privacy, Search Engines, Social Media, Technology Trends