Pete Recommends – Weekly highlights on cyber security issues, January 16, 2021

Subject: Supreme Court May Consider If Fifth Amendment Covers Passwords
Source: Gizmodo

The American Civil Liberties Union and the Electronic Frontier Foundation, two of the nation’s largest defenders of digital privacy, are asking the Supreme Court to stop criminal prosecutors from forcing people to unlock their own cellphones, under the argument that the U.S. Constitution’s protection against self-incrimination applies equally to passwords. While the debate is hardly new, it’s yet to be considered by the country’s highest court.

As long as there have been cellphones, police have sought to access their contents, hoping to find a digital trace that could link a suspect to a crime. But as the technology has improved, it has also given police ever-increasing access to the most intimate details of a person’s life. It was inevitable then that the Supreme Court would be forced to consider how the rights of individuals caught up in criminal proceedings apply to the ubiquitous device.

The basic argument against these orders is simple: Compelling someone to give up the password to their phone is essentially no different than forcing them to verbally provide incriminating details about its contents. The Fifth Amendment, the courts have long held, protects a person from being forced to make statements that are self-incriminating or may otherwise lead investigators to material that’s incriminating.

Subject: Police let most Capitol rioters walk away. But cellphone data and videos could now lead to more arrests
Source: The Washington Post

Authorities looking to prosecute the mob of Trump supporters who overran the U.S. Capitol on Wednesday stand to get powerful help from cellphone records, facial recognition tools and other technologies to assist in the identification of anyone who was there that day.

The Capitol, more than most buildings, has a vast cellular and wireless data infrastructure of its own to make communications efficient in a building made largely of stone and that extends deep underground and has pockets of shielded areas. Such infrastructure, such as individual cell towers, can turn any connected phone into its own tracking device.

Phone records make determining the owners of these devices trivially easy. Congressional investigators and federal prosecutors can also identify devices and users who may have connected wittingly or automatically to congressional guest WiFi networks — unless rioters made a point of deactivating their devices or leaving them behind during the takeover.

Privacy advocates have warned that such a dramatic event could prompt an expansion in the use of the surveillance technologies in a way that could erode civil rights. But the investigation highlights how government officials already have broad legal authorities to use them how they see fit.

In some cases, people identified publicly already have lost their jobs or suffered other consequences, including arrest. One rioter who was photographed wearing his company ID badge in a lanyard around his neck was quickly fired. The Justice Department on Friday announced 13 charges against rioters suspected in the breach, which FBI director Christopher A. Wray said in a statement was “an affront on our democracy.”

The FBI’s software can scan through a database that includes more than 641 million photos of Americans’ faces, largely taken from jail mug shot photos, visa applications and driver’s licenses, according to a Government Accountability Office report in 2019. More than 390,000 facial recognition searches have been run by local, state and federal investigators over the last decade.

Subject: Amazon, Apple drop Parler app in wake of pro-Trump insurrection
Source: WHYY

Amazon and Apple on Saturday took steps to cut off access to the social media app Parler after calls for violence on the platform have continued following the pro-Trump attack on the U.S. Capitol. The app is a favorite of conservatives and extremist supporters of President Trump.

Apple on Saturday said it was suspending Parler from its app store, stopping iPhone users from being able to download the app. At around the same time, reports emerged that Amazon was cutting off the site from its web hosting service, meaning Parler will go offline unless it finds a new host.

BuzzFeed News reported Amazon’s letter to Parler, which an Amazon spokesperson confirmed as authentic.

Subject: Mozilla Calls for Sites to Do More Than Just Deplatform Bigots
Source: Gizmodo

Online platforms are hastily cutting ties with President Donald Trump and his ilk after years of milquetoast responses to the hateful and violent rhetoric fomenting under their watch, and all it took was a deadly insurgency at the nation’s capital. However, Mozilla says deplatforming doesn’t go far enough and has called for investigations and increased transparency into how sites target users for advertising and content recommendations.

On Friday, Mozilla, the privacy and security nonprofit behind the Firefox browser, denounced this week’s events and the role it believes online platforms had in stoking the flames. Mozilla characterized the assault on the Capitol as “the culmination of a four-year disinformation campaign” by Trump.

“Donald Trump is certainly not the first politician to exploit the architecture of the internet in this way, and he won’t be the last,” wrote CEO Mitchell Baker in a company blog post. “We need solutions that don’t start after untold damage has been done.”

To change the “dangerous dynamics” online that facilitated this kind of violent uprising, Baker urged platforms to be more open about their ad targeting practices by revealing who has been funding ad campaigns, how much they paid, and who they targeted. All of which is inarguably in users’ best interest to know, if the 2016 presidential election has taught us anything.

Subject: Insecure wheels: Police turn to car data to destroy suspects’ alibis
Source: NBC News

Digital frontiers

In recent years, investigators have realized that automobiles — particularly newer models — can be treasure troves of digital evidence. Their onboard computers generate and store data that can be used to reconstruct where a vehicle has been and what its passengers were doing. They reveal everything from location, speed and acceleration to when doors were opened and closed, whether texts and calls were made while the cellphone was plugged into the infotainment system, as well as voice commands and web histories.

But that boon for forensic investigators creates fear for privacy activists, who warn that the lack of information security baked into vehicles’ computers poses a risk to consumers and who call for safeguards to be put in place.

“I hear a lot of analogies of cars being smartphones on wheels. But that’s vastly reductive,” said Andrea Amico, founder of Privacy4Cars, which makes a free app that helps people delete their data from automobiles and makes its money by offering the service to rental companies and dealerships. “If you think about the amount of sensors in a car, the smartphone is a toy. A car has GPS, an accelerometer, a camera. A car will know how much you weigh. Most people don’t realize this is happening.”

But compared with the security on smartphones, the security on the systems is much flimsier, digital forensic and privacy experts say. Drivers typically don’t have to unlock a vehicle’s infotainment system with a passcode or a fingerprint, as they do with smartphones. That means that, with a warrant, law enforcement officials can sometimes extract incriminating text messages, calls or files from an automobile far more easily than they could from a suspect’s cellphone.

Data misuse

Just as the trove of data can be helpful for solving crimes, it can also be used to commit them, Amico said. He pointed to a case in Australia, where a man stalked his ex-girlfriend using an app that connected to her high-tech Land Rover and sent him live information about her movements. The app also allowed him to remotely start and stop her vehicle and open and close the windows.

In 2016, the Federal Trade Commission warned about the privacy risks associated with rental cars’ infotainment systems and said that unless user data is deleted, it will be “accessible by third parties including future renters, rental car employees, or even hackers.”

In May, a hacker known as GreenTheOnly showed how he could access personal details and passwords from buying used infotainment computers for Tesla cars on eBay.

His company, Privacy4Cars, recently sent mystery shoppers to test-drive used cars at 72 dealerships. While they were in the vehicles, they checked the infotainment systems to see whether there was any remnant personal information from previous owners. Eighty-eight percent of the shoppers found personal data left on the vehicles, such as home addresses or phone numbers.

Subject: IT cleanup at U.S. Capitol presents massive challenge
Source: GCN

Federal IT staff have a massive job ahead of them cleaning up after the rioters who broke into the U.S. Capitol building, some of whom rifled through lawmakers’ offices. While improving physical security for the building and for lawmakers and staff who work there is the first priority, experts have said the rioters’ unprecedented access to offices, files and computers can have serious cybersecurity ramifications….

“Anytime there’s a physical breach of a space, I automatically assume it was a digital compromise as well,” Kelvin Coleman, executive director of the National Cyber Security Alliance, who formerly worked in the Department of Homeland Security and National Security Council, said. “This is just a bad, bad storm that we find ourselves in, and cybersecurity is absolutely included in that.”

Subject: The evolving threat of ransomware: Beware of cyber extortion in 2021
Source: GCN

And herein lies a crucial point that should continue to influence the cybersecurity strategy of every organization reliant on highly connected digital systems and infrastructure. Ransomware in its current form presents an existential threat that can throw healthy and effective agencies into turmoil without warning.

This type of extortion is not the only tactical shift at play. Whereas the activation of ransomware was once primarily an exercise in distribution to the widest possible audience, bad actors are now targeting their attacks against those whose data is considered more valuable, or for whom the reputational damage will be most severe and who are therefore more likely to pay the ransom – hospitals, for example.

New threats require an intelligent response

From a security operations perspective, a big part of the challenge lies in detecting and investigating potential ransomware attacks using indicators of compromise, such as suspicious and/or blacklisted IP addresses, known phishing URLs and malicious file signatures. However, with new ransomware strains and techniques appearing all the time, security teams face a constantly moving target. The problem is, once an organization becomes a victim of ransomware, its security operation center (SOC) is unable to rely on IOCs alone to accurately identify the scope of the attack as it progresses throughout the network.

Subject: How 5G and AI Are Creating an Architectural Revolution
Source: Nextgov

Driving down the road in a Tesla, you’re essentially sitting inside an edge compute node. In our last article, we began to illustrate the degree to which edge computing and the hybrid cloud are intrinsically linked to artificial intelligence and 5G. If we look at combat vehicles, hospital systems, or even coronavirus data collection, we can see this interconnection at play. In simplest terms, edge computing and cloud hosting offer the foundation for an architectural revolution that will allow 5G to power tech of the future, AI and automation included.

In this article, we will elaborate on the potential for 5G to transform IT from the bottom-up and, most importantly, outline what this revolution means for security.

The Digitization of Everyday Life

Many people think of 5G primarily with regard to consumer communications. Cell carriers have been touting the potential for 5G, with its higher bandwidth and faster speed, to deliver more content-rich services to your smart device, from 4K video to immersive augmented reality. But enterprise 5G is an enabler of another kind—one that can make machine-to-machine (M2M) communications possible. This is a far cry from 4G not just because of increased bandwidth, but because it shifts us from a closed, proprietary system to an open, virtualized one. The age of 5G is the age of dynamic, software-defined architecture.

How to Secure Dynamic Architecture

The question, of course, is what 5G means for security. Because we are no longer working with a closed, proprietary system, we can no longer rely on an old-school model of simply encrypting data and thinking we are secure. It’s too limited and narrow. Compliance checklists, to be blunt, are outdated the day they are published and cannot keep up with the current threat environment. And yet, many organizations budget for compliance only. Every company that was breached in the last 15 years was compliant, though.

The Bottom Line

Artificial intelligence and 5G—two of tech’s biggest buzzwords—are closely tied to edge computing and the hybrid cloud. While the underlying architecture may be more complex in this new era, software simplifies it, allowing for the rapid development and distribution of new applications. But agencies must make sure they shift their entire paradigm, security posture included. As 5G allows agencies to deploy smarter programming to the edge and make sense of growing pools of data in real-time, their security must cover the entire data lifecycle and must adapt to ever-changing levels of risk.

Subject: Scraped Parler data is a metadata gold mine
Source: TechCrunch via beSpacific

TechCrunch: “Embattled social media platform Parler is offline after Apple, Google and Amazon pulled the plug on the site after the violent riot at the U.S. Capitol last week that left five people dead. But while the site is gone (for now), millions of posts published to the site since the riot are not. A lone hacker scraped millions of posts, videos and photos published to the site after the riot but before the site went offline on Monday, preserving a huge trove of potential evidence for law enforcement investigating the attempted insurrection by many who allegedly used the platform to plan and coordinate the breach of the Capitol…”

Subject: Attackers Exploit Poor Cyber Hygiene to Compromise Cloud Security Environments
Source: CISA

CISA is aware of several recent successful cyberattacks against various organizations’ cloud services. Threat actors used a variety of tactics and techniques, including phishing and brute force logins, to attempt to exploit weaknesses in cloud security practices.

In response, CISA has released Analysis Report AR21-013A: Strengthening Security Configurations to Defend Against Attackers Targeting Cloud Services, which provides technical details and indicators of compromise to help detect and respond to potential attacks.

CISA encourages users and administrators to review AR21-013A and apply the recommendations to strengthen cloud environment configurations.

Subject: What if opting out of data collection were easy?
Source: Penn State University News Release

“Different privacy regulations grant users the right to revoke how their data can be used by companies,” said Carnegie Mellon University CyLab’s Norman Sadeh, a professor in the School of Computer Science at Carnegie Mellon University and the principal investigator on the study. “But as it stands, most websites don’t offer users easy and practical access to these choices, effectively depriving them of these rights.”

Added Wilson, “Our goal is to connect people with choices about privacy that are typically buried in privacy policies. This should give people better control over how their personal information is used by companies.”

To help make opt-out choices more accessible to users, the team developed a browser extension — Opt-Out Easy — in collaboration with the University of Michigan School of Information. The extension is now available for download to Chrome users.

By clicking on the plugin’s icon, users are presented with opt-out links found in the privacy policy of the website they are currently visiting, allowing them to, for example, opt out of analytics or limit marketing emails.

[who verifies that opt-out options are effective? /pmw1]
