Pete Recommends – Weekly highlights on cyber security issues, September 6, 2020

Subject: Cybersecurity in the telework age
Source: FCW

As remote work becomes the “new normal,” federal customers who are new to this space are facing challenges in protecting and managing their endpoint devices. Each mission environment has distinct needs and resources that don’t always fit into a “one-size-fits-all” solution. Based on our experience in implementing remote work solutions for national security customers that have extremely strict security protocols, here are three important guidelines for secure endpoint device management.

Subject: Replication: Why We Still Can’t Browse in Peace: On the Uniqueness and Reidentifiability of Web Browsing Histories
Source: Proceedings of the Sixteenth Symposium on Usable Privacy and Security via beSpacific

Replication: Why We Still Can’t Browse in Peace: On the Uniqueness and Reidentifiability of Web Browsing Histories. Sarah Bird, Ilana Segall, Martin Lopatka – Mozilla. This paper is included in the Proceedings of the Sixteenth Symposium on Usable Privacy and Security, August 10–11, 2020. ISBN 978-1-939133-16-8. “Abstract – We examine the threat to individuals’ privacy based on the feasibility of reidentifying users through distinctive profiles of their browsing history visible to websites and third parties. This work replicates and extends the 2012 paper Why Johnny Can’t Browse in Peace: On the Uniqueness of Web Browsing History Patterns [48]. The original work demonstrated that browsing profiles are highly distinctive and stable. We reproduce those results and extend the original work to detail the privacy risk posed by the aggregation of browsing histories. Our dataset consists of two weeks of browsing data from ~52,000 Firefox users. Our work replicates the original paper’s core findings by identifying 48,919 distinct browsing profiles, of which 99% are unique. High uniqueness holds even when histories are truncated to just 100 top sites. We then find that for users who visited 50 or more distinct domains in the two-week data collection period, ~50% can be reidentified using the top 10k sites. Reidentifiability rose to over 80% for users that browsed 150 or more distinct domains. Finally, we observe numerous third parties pervasive enough to gather web histories sufficient to leverage browsing history as an identifier.”
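A toy version of the mechanism the abstract describes, added here as an example; it is not code from the paper or from Mozilla. A browsing profile is the set of distinct domains a user visited; the uniqueness of those profiles across a population, and the effect of restricting profiles to the most popular sites, are measured on constructed histories for six users (the domains, popularity ranking and histories below are all made up). Reidentification matches a later week’s history against the earlier profiles by Jaccard similarity, which is a simplification of the paper’s method, and refuses to attribute an observation when the best match is tied.

```python
from collections import Counter

# Constructed popularity ranking (most popular first); this stands in for the
# paper's "top 10k sites" list and is not real data.
RANKED_DOMAINS = [
    "news.example", "mail.example", "video.example", "shop.example",
    "social.example", "knitting.example", "chess.example",
    "ham-radio.example", "local-paper.example", "forum.example",
]
RANK = {d: i for i, d in enumerate(RANKED_DOMAINS)}

# Constructed week-1 histories (lists of visited domains, repeats allowed).
# u2 and u3 share an identical profile; u6 differs from u1 only on a tail site.
WEEK1 = {
    "u1": ["news.example", "mail.example", "knitting.example", "chess.example", "news.example"],
    "u2": ["news.example", "mail.example", "video.example"],
    "u3": ["video.example", "news.example", "mail.example", "mail.example"],
    "u4": ["news.example", "shop.example", "ham-radio.example"],
    "u5": ["mail.example", "social.example", "local-paper.example", "forum.example"],
    "u6": ["news.example", "mail.example", "forum.example"],
}

# Constructed week-2 observations for two of the same users, seen by a third party.
WEEK2 = {
    "u1": ["news.example", "mail.example", "knitting.example", "chess.example", "video.example"],
    "u2": ["news.example", "mail.example", "video.example", "shop.example"],
}


def profile(history, top_n=None):
    """Browsing profile: the set of distinct domains in a history.

    With top_n, only domains ranked among the top_n most popular are kept,
    mirroring the paper's truncation of histories to the top sites.
    """
    domains = set(history)
    if top_n is not None:
        domains = {d for d in domains if RANK.get(d, top_n) < top_n}
    return frozenset(domains)


def uniqueness(histories, top_n=None):
    """Fraction of users whose profile is shared with no other user."""
    profiles = {user: profile(h, top_n) for user, h in histories.items()}
    counts = Counter(profiles.values())
    unique = sum(1 for p in profiles.values() if counts[p] == 1)
    return unique / len(profiles)


def jaccard(a, b):
    """Set similarity in [0, 1]; two empty profiles are treated as dissimilar."""
    if not a and not b:
        return 0.0
    return len(a & b) / len(a | b)


def reidentify(observed, known_histories, top_n=None):
    """Attribute a newly observed history to one of the known users.

    Returns the user id with the highest Jaccard similarity, or None when the
    top score is tied, since a tied match cannot single out one person.
    """
    obs = profile(observed, top_n)
    scored = sorted(
        ((jaccard(obs, profile(h, top_n)), user) for user, h in known_histories.items()),
        reverse=True,
    )
    if len(scored) > 1 and scored[0][0] == scored[1][0]:
        return None
    return scored[0][1]


if __name__ == "__main__":
    print("uniqueness, full profiles:", round(uniqueness(WEEK1), 3))
    print("uniqueness, top-5 sites only:", round(uniqueness(WEEK1, top_n=5), 3))
    for user, history in WEEK2.items():
        print(user, "->", reidentify(history, WEEK1), "(full)",
              reidentify(history, WEEK1, top_n=5), "(top-5)")
```

On this constructed data four of six full profiles are unique, but only two of six remain unique once profiles are cut down to the five most popular sites, because tail sites are what separate otherwise similar users. The week-2 observation of u1 is correctly attributed on full profiles, while u2 cannot be attributed because u2 and u3 are indistinguishable; and truncating to the top five sites makes u1’s second week look identical to u2 and u3, so it is no longer attributable either. The real paper works at a scale of tens of thousands of users and ~10k sites, where that loss of distinctiveness is far smaller than this toy suggests.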

Subject: FedRAMP – Ensuring Safe Use of Cloud Computing by Federal Agencies
Source: WatchBlog: Official Blog of the U.S. Government Accountability Office

Federal agencies increasingly use internet-based (cloud) services to fulfill their missions. However, those services pose cybersecurity risks when agencies don’t effectively implement related security controls. The 2011 Federal Risk and Authorization Management Program (or FedRAMP) aims to standardize the approach for federal use of cloud services. The FedRAMP program establishes security requirements and guidelines that are intended to help secure cloud computing environments used by agencies, helping protect agencies’ data, which could include information used to support their missions such as protecting public health. Today’s WatchBlog looks at the FedRAMP policies and how agencies’ compliance with those policies is monitored. Other GAO reports have discussed various aspects of FedRAMP, including Department of Agriculture data centers, federal agencies’ use of cloud computing and the Federal Communications Commission’s information security measures.

Subject: FBI worried Ring doorbells are spying on police, per leaked report
Source: Business Insider

  • The FBI is worried that personal home-security cameras, like Amazon’s Ring doorbell camera, could be used to tip off homeowners to police searches, according to a leaked report.
  • Since Ring was bought by Amazon in 2018, the service has become ubiquitous for homeowners looking for an extra layer of security.
  • It also has been used widely by law enforcement, with over 600 US police departments partnering with Ring to request footage from the home systems and their owners.
  • Motion-detection cameras could show officers’ locations in a standoff, surreptitiously record a search, or capture images of officers that could compromise their individual safety, the report claims.

The report, which was released in the “BlueLeaks” trove of hacked law enforcement documents and first published by The Intercept, highlights the complicated relationship between law enforcement and publicly available surveillance methods, as authorities grapple with being both the surveillers and surveilled.

Subject: Republicans flooding internet with deceptive videos and Big Tech isn’t keeping up
Source: CNN via beSpacific

CNN describes each of the false videos: “A series of deceptively edited and misleading videos shared by prominent Republicans have run up millions of views across Facebook and Twitter in just the past few days. And while both companies have pledged to combat misinformation, their responses to these videos followed a familiar pattern: often they act too late, do too little, or don’t do anything at all. Between Sunday and Monday, high-profile Republicans, including President Donald Trump, shared at least four misleading videos online. One that circulated widely was a false video about Democratic presidential nominee Joe Biden posted to the Twitter account of House Minority Whip Steve Scalise. After an outcry, including from a person in the video who had words put in his mouth in order to distort what Biden was saying, Twitter took the action it takes in such instances, labeling the video as “manipulated media.”

The manipulated media label is just that, however — a label appearing below the video when people look at the specific tweet to which it has been applied. It’s small and potentially missed by users, and though it may potentially make some users pause before sharing a given video, it does not actually stop them if they decide to go ahead anyway…”


Subject: Facial Recognition: CBP and TSA are Taking Steps to Implement Programs, but CBP Should Address Privacy and System Performance Issues
Source: U.S. GAO

U.S. Customs and Border Protection uses facial recognition technology for identity checks at borders. As of May 2020, CBP had deployed this technology to 27 U.S. airports. We found that CBP’s privacy notices—which inform the public about its use of this technology—were not always current or available where this technology is being used or on CBP’s website. Also, CBP has only audited one of its 27 airline partners to ensure compliance with its facial recognition privacy policies. We recommended that CBP ensure its privacy notices are complete and available at locations using this technology, and that CBP develop a plan to audit its partners.

[Figure: example of cameras and display screens used for facial recognition at the Port Canaveral Seaport]

View Report (PDF, 101 pages)

Subject: Amazon’s Alexa for Landlords Is a Privacy Nightmare in the Making
Source: Gizmodo

You know that clip of Steve Carell from The Office where he’s shouting “No, God! No, God, please no! No! No! Nooooooooo!” That’s how I feel about Amazon’s announcement that it’s adding a new service to Alexa for landlords. It’s called Alexa for Residential, which, according to Amazon, “makes it easy for property managers to set up and manage Alexa-powered smart home experiences throughout their buildings.” Landlords can set special Alexa commands that will let their residents pay rent, submit maintenance requests, and manage other things that normally come with the territory of renting an apartment or other dwelling. And of course, it will still function as a regular smart speaker—dim the lights, get a weather report, all that jazz. Landlords can also remotely reset the device whenever someone moves out to give the device a clean slate for the next person.

Amazon claims in its press release that it’s taken the steps necessary to protect the privacy of residents. There’s just one issue that Amazon doesn’t address in its announcement: the Drop In feature on Amazon Echo devices.

Subject: How can you spot a tech support scam?
Source: FTC Consumer Information

Are you getting pop-up warning messages on your computer screen? Or maybe a phone call that your computer has a virus? That may well be a tech support scam. But how do you know? And what do you do? Start by watching this video on tech support scams.

Subject: This Email Could Wreak Havoc on the 2020 Election
Source: Nextgov

Beware of COVID-related phishing threats that target local voting. As we lurch towards Voting Day in November, it’s only natural to cast a nervous glance back at 2016, when Russia phished the presidential campaigns in a bid to tilt the election. But lately, cybersecurity pros are looking beyond the campaigns to the grassroots. In some worst-case scenarios, the attacks once again start with phishing, the simplest and most effective cyber-weapon ever—but this time they target city or county election officials, using the COVID-19 crisis to trick the unwary and unprepared.

Let’s look at three alarming scenarios that are just a click away….

Subject: Trump Administration Releases Draft Framework for the Ethical Use of Data
Source: Nextgov

The draft Data Ethics Framework offers seven tenets for agencies to follow, complete with legal authorities, use cases and links to additional resources. A team of federal data experts released a draft Data Ethics Framework with seven core tenets their colleagues need to keep in mind as agencies increase their use of data for decision making.

Data—especially at the scale and granularity collected by the federal government—is a powerful tool. But democratic governments that fail to use data ethically run the risk of losing the public’s trust and, in turn, their willingness to give their personal data over to agencies. As part of the 20-point action plan to kick off implementation of the Federal Data Strategy in 2020, the General Services Administration was charged with creating a Data Ethics Framework “to help agency employees, managers and leaders make ethical decisions as they acquire, manage and use data.” “Decisions made with data touch every aspect of American life,” the framework notes, particularly when the data is collected by federal agencies and the decisions being made are on behalf of the entire country. The framework looks to guide federal officials’ decision making on the use of data “with the goal of protecting civil liberties, minimizing risks to individuals and society, and maximizing the public good.”…

Posted in: Cybercrime, Cybersecurity, Email Security, Information Architecture, Privacy, Search Engines