Pete Recommends – Weekly highlights on cyber security issues, October 10, 2020

Subject: Privacy of biometric data in DHS hands in doubt, inspector general says
Source: Roll Call

The report found that Perceptics, a subcontractor hired to help CBP collect biometric data on border crossers, violated DHS privacy policies when an employee used an unencrypted USB drive to transfer a set of facial scans to its own networks without the agency’s authorization or knowledge. The data set was later obtained by hackers during a ransomware attack on Perceptics’ servers.

If that’s the case, the report has arrived at a tricky moment for DHS, which earlier this month proposed new regulations that would require both U.S. citizens and foreign nationals to submit biometric data in order to apply for a variety of immigration services, such as visas for themselves or family members. The proposal would allow for the collection of facial, iris and voice scans, along with DNA samples.

Subject: Why You Should Stop This ‘Hidden’ Location Tracking On Your iPhone
Source: Forbes

There’s no such thing as absolute privacy or absolute security when it comes to electronic information. The best way to keep something secret is not to capture and store it in the first place. And that’s the crux of the privacy versus convenience debate now redefining our applications and software-based services. Facebook and Google are usually painted as the main villains of the piece, with their huge tracking ecosystems that know more about your likes and dislikes than your closest friends and relatives. But it’s an endemic issue.

Apple has anointed itself privacy protector-in-chief. “The people who track on the internet know a lot more about you than if somebody’s looking in your window, a lot more,” CEO Tim Cook said last year. And iOS 14 is a testament to its privacy-first approach. Just look at the battle between Apple and Facebook over ad tracking. Exploitation of our personal data has become a commodity traded between the world’s largest organizations.

And so, with that in mind, many iOS users are surprised when some of Apple’s own location tracking is explained. Yes, maybe what happens on an iPhone stays on an iPhone, but some data should not be captured in the first place. Nothing more so than the significant invasiveness of Apple’s significant locations concept—a perfect illustration of just because you can, doesn’t mean you should. This is a continually building data repository of the locations you visit, along with times and dates, detailed maps, even the mode of transport to get you there and how long it took.



Subject: US begs people not to pay ransoms to hackers as ransomware skyrockets
Source: Business Insider

  • Ransomware attacks — in which hackers take over an organization’s computer systems and demand ransom payments to return them — have reached an unprecedented new high.
  • The attacks have proliferated under COVID-19, when more businesses than ever are relying on online systems to function. Experts say the only way to stop the pattern is to cease paying ransoms.
  • The US Treasury issued new guidance this month urging people not to pay hackers, and noting that businesses could face civil penalties if they pay ransoms to hacker groups affiliated with sanctioned nation-states.
  • But some cybersecurity experts think governments should go further by passing an outright ban on paying ransoms to hackers.

Last week, a hack that bore signs of a ransomware attack debilitated the computer systems of one of the largest hospital chains in the US, taking computer systems offline and delaying procedures at more than 250 hospitals. The hospital chain, Universal Health Systems, is still attempting to restore its systems.


Subject: IRS under investigation for buying Americans’ smartphone location data
Source: Business Insider

  • The IRS is under investigation by the US Treasury’s Inspector General for reportedly buying Americans’ smartphone location data in order to track them.
  • Democratic Sens. Ron Wyden and Elizabeth Warren called for the investigation last month after IRS agents told the senators that the agency bought people’s smartphone location data from a company called Venntel.
  • Venntel sells location data gathered from people’s smartphones by ordinary apps such as games, exercise apps, and weather apps.
  • While government agencies typically need to obtain a search warrant before gathering personal information from people’s phones, buying location data directly from private companies like Venntel lets them sidestep that requirement.

In the letter, first reported by Motherboard, Inspector General J. Russell George writes that his office will investigate the IRS’ data collection practices after Democratic Sens. Ron Wyden and Elizabeth Warren voiced concerns that the agency could have violated the Constitution. Wyden’s office provided Business Insider with a copy of the letter Tuesday.

Venntel aggregates location data mined by normal weather apps and games that people download, then sells it in bulk to its clients. Because this location data is collected through apps and then sold by a middleman, there’s no way for individual users to check whether their location data has been collected.

Venntel is already the subject of a separate probe by House Democrats over similar contracts with the Department of Homeland Security. DHS used data from Venntel to track people unlawfully crossing the US-Mexico border, The Wall Street Journal revealed earlier this year.

Subject: DHS develops new technology to secure apps from cyber attackers
Source: Homeland Preparedness News

A new technology called Trusted Mobile System (TrustMS) developed by the Department of Homeland Security (DHS) Science and Technology Directorate (S&T) is designed to secure apps from cyber attackers.

TrustMS, developed by the DHS Science and Technology Directorate (S&T) and Intelligent Automation, is designed to protect operating systems and apps on embedded platforms against most cyberattacks. It provides protections against exploits such as stack manipulation, buffer overflows, execution of unintended code, and even execution of an app’s code in the wrong order.

Thousands of apps and driver updates are released each year, which makes verifying that devices are secure a daunting challenge. More than 12,000 new common vulnerabilities were identified in 2019 alone.

The technology monitors the software’s execution as the program runs and detects attack scenarios. When a vulnerability is exploited, the system can detect the manipulation and prevent attackers from taking advantage of it, inoculating a device against most cyberattacks.


Subject: to be third-party assessed against NIST’s digital identity guidelines
Source: fedscoop

The General Services Administration wants to build trust in the service’s ability to verify users’ identities for any agency using it, so it’s having the technology assessed by a third party.

Kantara Initiative will assess the conformity of its identity proofing and authentication with the National Institute of Standards and Technology’s Special Publication (SP) 800-63-3, the government’s digital identity guidelines.



Subject: Google is giving data to police based on search keywords
Source: C|net via beSpacific

Cnet – Court records in an arson case show that Google gave away data on people who searched for a specific address. “There are few things as revealing as a person’s search history, and police typically need a warrant on a known suspect to demand that sensitive information. But a recently unsealed court document found that investigators can request such data in reverse order by asking Google to disclose everyone who searched a keyword rather than for information on a known suspect…”

Subject: Nearly 50,000 Ohio Voters Received Wrong Absentee Ballots, Officials Say
Source: AP via CBS News

With about 240,000 ballots mailed, that meant one in five voters received a wrong ballot. The error happened Saturday afternoon when someone changed a setting on a machine that places absentee ballots into mailing envelopes, Franklin County elections officials said Thursday.