Pete Recommends – Weekly highlights on cyber security issues, November 15, 2020

Subject: Older Android Phones Won’t Support Many Secure Websites in 2021
Source: Gizmodo

If you’re doomscrolling through your newsfeeds on an older Android phone, it might be time for an upgrade. One of the world’s top certificate authorities warns that phones running versions of Android prior to 7.1.1 Nougat will be cut off from large portions of the secure web starting in 2021, Android Police reported Saturday.

The Mozilla-partnered nonprofit Let’s Encrypt said that its partnership with fellow certificate authority IdenTrust will expire on Sept. 1, 2021. Since it has no plans to renew its cross-signing agreement, Let’s Encrypt plans to stop default cross-signing for IdenTrust’s root certificate, DST Root X3, beginning on Jan. 11 as the organization switches over to solely using its own ISRG Root X1 root.

It’s a pretty significant shift considering that as much as one-third of all web domains rely on the organization’s certificates. But since older software won’t trust Let’s Encrypt’s root certificate, this could “introduce some compatibility woes,” lead developer Jacob Hoffman-Andrews said in a blog post Friday.
The only workaround for these users would be to install Firefox since it relies on its own certificate store that includes Let’s Encrypt’s root, though that wouldn’t keep applications from breaking or ensure functionality beyond your browser.


Subject: Can I Stop Big Data Companies From Getting My Personal Information?
Source: Gizmodo

I am going to answer this one right here in the intro: no, you can’t. In 2020, it is hard just to go to the grocery store without inadvertently surrendering 40 or 50 highly personal data-points on the walk over. Go ahead, delete your Facebook—it makes no difference. It wouldn’t make a difference if you’d never had one in the first place—as we know, Facebook has enough data to build “shadow profiles” for those who, somehow, have never joined the site. We’re at the stage of harm reduction, pretty much—trying at least to limit Big Data’s file on us. For this week’s Giz Asks, we reached out to a number of experts for advice on how we might go about doing that.

“…the most important thing you can do is to stop volunteering data.”

Subject: CISA’s Role in Risk Management
Source: CISA

Critical infrastructure are those assets, systems, and networks that provide functions necessary for our way of life. From generating electricity to supplying clean water, there are 16 critical infrastructure sectors that are part of a complex, interconnected ecosystem including communications, energy, transportation, emergency services, and water. Any threat to these sectors could have potentially debilitating national security, economic, and public health or safety consequences.

As the nation’s risk advisor, the Cybersecurity and Infrastructure Security Agency’s (CISA) mission is to ensure the security and resiliency of our critical infrastructure. However, in today’s digitizing world, as organizations are increasingly integrating cyber systems into their operations, they are also facing more diverse, sophisticated threats—cyber, physical, technological, or natural—that may have cross-sector impacts. The evolving risk landscape necessitates an evolved response.

Housed with CISA, the National Risk Management Center (NRMC) helps fulfill the Agency’s risk advisor role by leveraging sector and stakeholder expertise to identify the most significant risks to the nation, and to coordinate risk reduction activities to ensure critical infrastructure is secure and resilient both now and into the future.

National Risk Management Center (NRMC)
Since the nation’s critical infrastructure is largely owned and operated by the private sector, managing risk is a priority shared by industry and government. As the Agency’s planning, analysis, and collaboration center, the National Risk Management Center (NRMC) brings the private sector, government agencies, and other key stakeholders together to identify, analyze, prioritize, and manage the most significant risks to our critical infrastructure.


Subject: Zoom reaches settlement with the FTC over allegations it misled customers about video-call encryption
Source: Business Insider [subscription req’d … ]

  • The Federal Trade Commission announced Monday that it had reached a settlement with Zoom over allegations the company misled customers about encryption and “gave users a false sense of security.”
  • The FTC sued Zoom earlier this year, accusing the company of misrepresenting the security of its videoconferencing software by claiming to offer “end-to-end, 256-bit encryption.”
  • Zoom acknowledged in April that it did not in fact offer that level of security and subsequently committed to roll out end-to-end encryption to all users.
  • As part of the FTC settlement announced Monday, Zoom agreed not to make any misleading security claims in advertising and to continue to ramp up its security practices. There was no financial component to the settlement.

Subject: Tim Berners-Lee’s Inrupt launches Solid platform, step closer to decentralized net
Source: Business Insider

[subscription req’d]

  • Inrupt, the company founded by World Wide Web inventor Sir Tim Berners-Lee, announced Monday it’s releasing its data management platform Solid for enterprises.
  • It already has several big-ticket clients, including Britain’s National Health Service (NHS), NatWest bank, and the BBC.
  • Berners-Lee told Business Insider the ultimate goal of Solid is to give people more say over how their data can be used, and stop it ending up in “social network silos.”

In a blog post Berners-Lee called the announcement a “huge milestone,” adding that he hopes Solid getting out into the world will “drive groundbreaking new opportunities that not only restore trust in data but also enhance our lives.”

What is Solid?

In 2018, Berners-Lee announced his intention to help build a fairer, more decentralized internet using an open-source project he was working on, called Solid.

Solid aims to make people’s data massively more portable, giving individuals far more control over how all their personal data moves around the internet.

The goal of Solid isn’t to lock up people’s data where social media giants can’t find it. Instead, the idea is to make it much easier for individuals to control where their data can go, using various personalized hubs it calls “pods.”

Subject: What could a Biden administration mean for privacy, cybersecurity?
Source: IAPP


After historic voter turnout for both political parties across the United States and days of tense scrutiny of vote counts in a handful of states, former Vice President Joe Biden and Sen. Kamala Harris, D-Calif., were projected Saturday to win the presidency. Though the Trump administration has not yet conceded the election, the Biden team has initiated and shared some of its transition plans.

The shift in executive leadership will affect the privacy landscape, particularly with regard to a potential federal privacy law, new leadership in government agencies and renewed efforts to work with the EU on data transfers, post-“Schrems II.”

“We can expect privacy to be an area of greater focus and attention during a Biden administration,” Perkins Coie Partner Janis Kestenbaum told the IAPP.


Subject: IoT Security Bill Nears Passage as New Consortium Tackles Open 5G
Source: Nextgov

A bill that would require certain internet-connected devices purchased by the government to include basic security features is closer to becoming law, Sen. Mark Warner, D-Va., said during the launch of a consortium that will be testing the open architecture for fifth-generation networking that U.S. policymakers are counting on to counter reliance on Chinese providers.

“I’ve got bipartisan legislation that I was hoping to be able to announce by today,” Warner said regarding the legislation, which he said would at least require the devices be patchable and avoid hard-coded passwords. “It’s passed the House. It’s close to passing the Senate, we’re getting through a last run through.”


Subject: Move to Telehealth Strains Therapists and Their Clients
Source: Nextgov

A big issue was client access to technology and reliable internet services.

The COVID-19 outbreak has significantly affected how therapists deliver health services, which had to move from in-person therapy to remote telehealth, researchers report.

For a new study in Community Mental Health Journal, researchers surveyed 238 behavioral health care providers throughout New York—one of the early epicenters of the pandemic in the U.S.—on the challenges they faced regarding providing services remotely, maintaining safety practices in person, and the ability for clients to use technology to receive services, which are often more effectively provided in-person.

“Understanding this impact is particularly important as these services support vulnerable populations that may be at higher risk for coronavirus infection as well as other negative consequences,” says lead author Kenneth Gill, chair of the department of psychiatric rehabilitation and counseling professions at the Rutgers School of Health Professions.

Here, he discusses his findings, including the big stressors for both patients and providers:

The reliance on telehealth has highlighted the digital divide that exists for people with lower socioeconomic resources, those with disabilities, and those who live in rural areas. A big issue was client access to technology and reliable internet services. Many also had limited cell phone plans, which made even phone appointments difficult.


Subject: Here are the IT and cyber experts helping with the Biden transition
Source: FedScoop

Written by Jackson Barnett, Dave Nyczepir and Sara Wilson
Nov 11, 2020 | FEDSCOOP
As President-elect Joe Biden prepares to lead the federal government come January 21, 2021, his office has tapped several former government IT leaders to volunteer on his transition team.

The Biden transition team includes hundreds of officials who are prepared to continue operations across agencies, many of which are in the midst of IT modernization initiatives. The current administration has so far refused to acknowledge the election results and stymied agencies from collaborating with the Biden transition team — a move experts warn is damaging to governance and security.

The list includes some former high-ranking technology officials, with most teams including at least one or two technology- or cyber policy-focused volunteers. The Biden transition team posted the full list of agencies and their review teams on its website Tuesday. Several names are familiar from the Obama administration: Michael Hornsby, a former acting CIO in the White House; the first U.S. CTO, Aneesh Chopra; former deputy U.S. CTO, Nicole Wong; and many alums of the U.S. Digital Service, set up under the Obama White House to help agencies modernize.

The vast majority of people currently working on agency review teams are not paid, with a handful receiving compensation from the Transition entity itself, according to the website. Once the Trump administration recognizes Biden’s election, federal employees will be detailed to work on the transition and paid through funds appropriated to the General Services Administration.


Subject: Trump Is Now Reportedly Gunning for Top Cybersecurity Officials
Source: Gizmodo

And the fact is, it appears that some kind of targeted mass-firing is occurring at CISA. This afternoon, Reuters reported that Christopher Krebs, the director of CISA and the first person to ever hold that title for the relatively young agency, expects to be fired soon.

Citing “three sources familiar with the matter,” Reuters reports that Krebs has gotten Trump’s attention because CISA’s Rumor Control web portal keeps debunking false conspiracy theories that the President would prefer the public to believe. (Here’s an archive link for that site if it disappears.) According to the sources, the White House has asked for specific items within the fact-checking hub to be edited or removed, a request that CISA has so far denied. Luke Barr of ABC News and Natasha Bertrand of Politico have also confirmed that Krebs expects to be fired.


Subject: Gifting a gadget? Check its creep factor on Mozilla’s ‘Privacy not included’ list of shame
Source: TechCrunch via beSpacific

TechCrunch: “Buying someone a gadget is a time-honored tradition, but these days it can be particularly fraught, considering you may buy them a fitness tracker that also monitors emotions, or a doorbell that snitches to the cops. Mozilla has put together a helpful list of popular gadgets with ratings on just how creepy they are. “Privacy not included” has become an annual tradition for the internet rights advocate, and this year has an especially solid crop of creepy devices, given the uptick in smart speakers, smart security cameras and smart litterboxes. On the “creepy” end of the spectrum is… pretty much everything by Amazon except the Kindle. The devices in question send tons of data to Amazon by design, of course, but Mozilla feels the company hasn’t yet earned the trust to make that sort of thing acceptable. Facebook’s Portal earns a creepy spot for a similar reason…”


Posted in: Cybercrime, Cybersecurity, Gadgets/Gizmos, Government Resources, Health, Healthcare, Leadership, Privacy