Pete Recommends – Weekly highlights on cyber security issues, October 25, 2020

Subject: Campaigns sidestep Cambridge Analytica crackdown with new methods
Source: AFP via MSN

“Your early vote has not been recorded,” one text message said, with a link for more information. Other messages tell voters they are not registered, or offer unverified information about a political opponent. Fraudulent messages like these are drawing attention as political campaigns ramp up data collection and voter targeting using their own technology to circumvent restrictions imposed by social media platforms following the Cambridge Analytica scandal.

Facebook barred apps which scraped data on users and their contacts after revelations about the now-defunct British consulting group. But in response, President Donald Trump’s campaign and some activist groups are using their own methods.

US lawmakers held hearings after revelations that consultancy Cambridge Analytica harvested data on tens of millions of Americans for political purposes; researchers say some campaigns are doing similar things, but circumventing Facebook.

“What we are seeing is almost more potent than in 2016,” said Samuel Woolley, a University of Texas professor who leads propaganda research at the school’s Center for Media Engagement. Woolley’s team, which examined messages such as the above-referenced ones, found that the Trump mobile app, and to a lesser extent those of Democrat Joe Biden and other political activist groups, scoop up data to create profiles to craft personalized, targeted messages by SMS, email or social media. Some messages are effectively campaign ads, but without the disclosure required by social media platforms and other media.

The FBI has launched a “protected voices” project investigating potential criminal violations in such messages. “Intentionally deceiving qualified voters to prevent them from voting is voter suppression — and it is a federal crime,” the FBI said in a September statement….

Microtargeting debate – “Microtargeting,” or delivering narrowly focused messages to specific individuals or groups, raised concerns in the 2016 elections but is a longstanding practice “and is not going away anytime soon,” said Costas Panagopoulos, chair of political science at Northeastern University.

Subject: Herd immunity letter signed by fake experts including ‘Dr Johnny Bananas’
Source: World news | The Guardian

An open letter that made headlines calling for a herd immunity approach to Covid-19 lists a number of apparently fake names among its expert signatories, including “Dr Johnny Bananas” and “Professor Cominic Dummings”. The Great Barrington declaration, which was said to have been signed by more than 15,000 scientists and medical practitioners around the world, was found by Sky News to contain numerous false names, as well as those of several homeopaths.

Others listed include a resident at the “university of your mum” and another supposed specialist whose name was the first verse of the Macarena.
Subject: Law enforcement prepping for potential clashes at polls on Election Day
Source: WTAJ

The department practices different scenarios, from inclement weather to traffic jams, power outages, and potential clashes outside of polling areas. “We walk through the different scenarios and the different concerns that we have and obviously what’s being highlighted now is concerns of safety at polling areas,” Brown said. It is illegal for a person or a corporation to mislead, threaten, or otherwise interfere with a voter and their right to support a candidate or position on the ballot.

Subject: Google: Chinese Hackers Are Posing as McAfee to Install Malware
Source: Gizmodo

The same Chinese government-linked hackers who targeted the campaigns of both 2020 presidential candidates earlier this year have been trying to trick users into installing malware by posing as the antivirus provider McAfee and using otherwise legitimate online services like GitHub and Dropbox.

Shane Huntley, the head of Google’s Threat Analysis Group, offered new details about the suspected state-sponsored cyberattackers, known as APT 31, and their latest tactics in a company blog post on Friday. In June, Google’s security team uncovered high-profile phishing scams by APT 31 and Iranian state-sponsored hackers intended to hijack the email accounts of campaign staffers with President Donald Trump and Democratic nominee Joe Biden. (All of these phishing attempts appeared to have failed, Google said at the time).

Subject: Amazon Faces Allegations It Harvested Sensitive Voice Data
Source: Gizmodo

Amazon is being hit with a class-action suit alleging that the tech giant’s servers are storing biometric voice data from countless callers, in contravention of an Illinois privacy law. At the center of the suit is Amazon Connect—a suite of call-center software that Amazon Web Services has been licensing out since 2017. One of the companies Amazon partnered with in order to offer this call-center service, Pindrop Security, specialized in creating what are known as “voiceprints,” which can be used to identify and “authenticate” callers by the cadence of their voice. These specific vocal quirks—much like an iris scan, a fingerprint, or a facial scan—fall under the umbrella of “biometric data” under Illinois’s Biometric Information Privacy Act (BIPA). There’s a chance that Amazon ran afoul of the state law by collecting that data without obtaining callers’ consent, storing it on AWS servers, and failing to publicly disclose its data retention policies.

It then goes on to explain that Pindrop offers its “biometric data software” as a service, and then distributes that software (and the resulting data) to its customers for a hefty fee, all without any consent on the caller’s behalf. Because the three plaintiffs behind the suit are Illinois-based, they were able to point out that this sort of profiteering directly violates some of the core tenets of BIPA. “Pindrop does not tell Plaintiffs it is profiting from its harvesting of their biological information, nor does it obtain their consent. Even if it did obtain consent—though it did not—Pindrop’s practice of profiting from Plaintiffs’ biometric data is a BIPA violation,” the suit claims.

This isn’t the first time that BIPA’s been invoked against a major tech player. Last year, Apple was hit with a similar class action alleging the company unlawfully stored the countless voiceprints collected from people using Siri every day. Just a few months earlier, Google was hit with a similar class action suit over its Google Assistant feature. At the time, the company tried to dodge the claims by (incorrectly) alleging that the plaintiffs needed to prove real, tangible harm coming from this sort of voiceprint collection—something that’s notably not required under the Illinois Supreme Court.

Subject: Trump Administration Develops Governmentwide Office Reopening Guidelines, With Contractor Help
Source: Nextgov

The Trump administration has put together a set of recommendations that agencies throughout government can use when bringing employees back to their offices, contracting with a private sector firm to compile the suggestions. The administration has faced criticism from Congress and watchdogs for its failure to create a comprehensive plan to safely return employees to their offices, but the General Services Administration this summer quietly paid the architecture and design firm Gensler $128,000 to develop a “comprehensive federal playbook” to develop such strategies. The Return to Work Strategy Book is now available on GSA’s website, featuring an array of tips for agencies to follow including requiring masks, enforcing distancing, bringing employees to the office on alternate days or weeks and installing sensors to track employee movement and avoid overcrowding.

Subject: Deconstructing Deepfakes—How do they work and what are the risks?
Source: WatchBlog: Official Blog of the U.S. G.A.O.

Deepfakes rely on artificial neural networks, which are computer systems that recognize patterns in data. Developing a deepfake photo or video typically involves feeding hundreds or thousands of images into the artificial neural network, “training” it to identify and reconstruct patterns—usually faces.

How can you spot a deepfake?

The figure below illustrates some of the ways you can identify a deepfake from the real thing. To learn more about how to identify a deepfake, and to learn about the underlying technology used, check out our recent Spotlight on this technology.
Subject: USPS looks to monetize its mapping data
Source: FCW

The U.S. Postal Service wants to use its thousands of mail delivery vehicles that traverse the country every day to collect geospatial data it could provide to other agencies on an as-a-service basis. Lauren Lee, the Postal Service’s director of digital business services, said USPS is looking to leverage its vast mail delivery infrastructure for additional revenue streams. Geospatial address location data currently collected by its more than 220,000 mail vehicles is a significant part of that infrastructure, and a valuable resource that other agencies could use. “We know a lot about mapping,” Lee said in an Oct. 22 presentation hosted by the General Services Administration’s Technology Transformation Services. “We pick up data from the carriers as they’re traversing their routes in one-second breadcrumbs or geocode of locations. … Sometimes our carriers are in areas before mapping companies even know there are roads there.”

When fully developed, the service will join other USPS data-as-a-service offerings. USPS has been working with the FBI on a fingerprinting-as-a-service at over 100 post offices across the country, according to Heather Dyer, director of identity and access management at the USPS chief information security office.

The agency began that pilot in 2018. The program is aimed at identity verification for the public for background checks, visa applications and child adoptions. The USPS takes fingerprints at the post offices and passes them off to the FBI for processing. The service, said Dyer, has shortened a weeks-long process to hours, or even minutes.

Subject: Viewpoint: Why hospital cybersecurity strategies fail
Source: Becker’s Health IT

Cybersecurity must be strengthened among hospitals and health systems now more than ever as health services increasingly move to remote and online formats, according to Josephine Wolff, PhD. In an Oct. 17 op-ed for The New York Times, Dr. Wolff, an assistant cybersecurity policy professor at Medford, Mass.-based Tufts University, highlighted issues with hospital cybersecurity: “Hospital networks are notoriously insecure due to a combination of inadequate resources, a lack of clear and effective cybersecurity guidelines and the large number of people and systems involved in operating a hospital, all of whom need some degree of access to its network,” she wrote.

In addition to network inadequacies, Dr. Wolff also wrote that because hospitals rely on specialized equipment, such as ventilators and MRI machines, they must ensure that the specialized equipment is compatible with more secure software. However, the update process can often be slow and expensive, which is why some continue using old software that is more vulnerable to attacks.

Subject: New Bill Aims to Stop President From Shutting Down the Internet
Source: Gizmodo

Two members of Congress have introduced legislation that would prevent the president from taking action to restrict the U.S. public’s access to the internet, the Preventing Unwarranted Communications Shutdowns Act (PUCSA). In an announcement, Representatives Anna Eshoo, a California Democrat, and Virginia Republican Morgan Griffith wrote that while they are aware the internet cannot be “shut down” due to its decentralized nature, the president can nonetheless take action to effectively cut off most Americans from the internet under §706(d) of the Communications Act of 1934. That act authorizes the president to override all rules and regulations pertaining to facilities or stations involved in wire or radio communications, cause their closure and “removal therefrom of its apparatus and equipment,” or simply take them over.

As the Brookings Institute noted, the president simply needs to declare a national emergency to invoke that authority. While this may be particularly disconcerting considering made-up national emergencies are something the Trump administration is very fond of declaring—and has repeatedly indicated it may go to extreme lengths to retain power regardless of the outcome of the 2020 elections—any future White House could abuse this authority.

Posted in: Civil Liberties, Communications, Congress, Cybercrime, Cybersecurity, Data Mining, Government Resources, Health, Healthcare, Legal Research, Legislative, Privacy, Social Media, United States Law